Comment 5 for bug 1306646

Jeroen van der Ham (y-ubuntu-b) wrote :

I completely agree that it is difficult and hard to draw the line. My initial approach was to convince the author to change the default behaviour, but unfortunately I did not succeed with that.

Serving DNS requests to only the intended audience is a better alternative. This has been the intended approach of other bug reports, but it is actually very hard to determine from outside of the daemon. Since dnsmasq also usually has the role of DHCP provider, and also has to know about which interfaces it serves on, it is in the perfect position to know about the intended audience. This argument finally won over the author to at least implement the option.

Since I've personally seen dozens of reports of exploited dnsmasq instances, and even experts who overlooked its role in installs, I'm now trying to convince all package maintainers to use the --local-service option by default.
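
Added example, not part of the comment above and not dnsmasq or Ubuntu packaging code: a small audit that classifies how a dnsmasq configuration limits who may send DNS queries. It relies on the dnsmasq man page's statement that `local-service` only has effect when no `interface`, `except-interface`, `listen-address` or `auth-server` option is set; the function names, result labels and sample configurations are constructed for illustration, and `conf-file`/`conf-dir` includes are not followed.

```python
# Options that, when present, make dnsmasq ignore local-service (per its man page).
BINDING_OPTS = {"interface", "except-interface", "listen-address", "auth-server"}

def parse_options(conf_text):
    """Return {option: [values]} from dnsmasq.conf-style text (simplified parser)."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def dns_exposure(conf_text):
    """Classify who can reach the DNS service under this configuration."""
    opts = parse_options(conf_text)
    if "0" in opts.get("port", []):
        return "dns-disabled"                 # port=0 turns the DNS function off
    explicit = sorted(BINDING_OPTS & opts.keys())
    if explicit:
        # local-service is ignored here; exposure depends on these bindings,
        # so they need a manual review (e.g. is the interface internet-facing?).
        return "explicit:" + ",".join(explicit)
    if "local-service" in opts:
        return "local-service"                # only hosts on local subnets are answered
    return "unrestricted"                     # answers any source that can reach it

# Constructed sample configurations.
SAMPLES = {
    "bare default": "dhcp-range=192.168.1.50,192.168.1.150,12h\n",
    "packaged default": "# distro default\nlocal-service\n",
    "admin bound": "local-service\ninterface=eth1\n",
    "dhcp only": "port=0\ndhcp-range=10.0.0.10,10.0.0.99,1h\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name:18} -> {dns_exposure(conf)}")
```

The "admin bound" case shows why the option is safe as a packaging default: an administrator's explicit binding takes over, and the audit reports it separately rather than as protected by `local-service`.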