In OpenStack, a dedicated isolated (through network namespaces) port is created to bind dnsmasq. My problem is: if I create a public network/subnet (like a network routed on the internet or another WAN) with Neutron and activate the IPAM (DHCP & DNS cache) service on it, other networks routed with that public network can access my IPAM port and use it as a DNS resolver. And in the case of a network routed on the internet, the whole world can access it and could use it as an open DNS resolver and unwittingly DDoS other machines.
So my question is: 'Can I limit dnsmasq to answer DNS queries only to clients of the subnet served by dnsmasq or to a defined subnet?' If not, I will add an ACL on the dnsmasq port.

Édouard.

On Sat, Nov 30, 2013 at 3:34 AM, Jim Alles <kb3...@gmail.com> wrote:
> Édouard Thuleau <thul...@gmail.com> wrote:
> Nov 28 (1 day ago)
> to dnsmasq-discuss
> Hi,
>
> I'm new with dnsmasq and I'd like to know if we can limit it to answer
> DNS queries only to clients of the subnet served by dnsmasq or to a
> defined subnet?
>
> Regards,
> Édouard.
> ________________
>
> Is it not as simple as this?
>
> "One thing you will probably want to do is tell dnsmasq which ethernet
> interface it can and cannot listen on, as we really don't want it
> listening on the internet. By default dnsmasq offers DNS service on
> all the configured interfaces of a host. It's likely that you don't
> (for instance) want to offer a DNS service to the world via an
> interface connected to ADSL or cable-modem, so dnsmasq allows you to
> specify which interfaces it will listen on. Use either the interface
> or address options to do this.
>
> If I didn't edit this line, it would also listen on eth0, my internet
> connection. I personally wouldn't recommend this, as it gives those
> evil guys a few doors to try to break into.
>
> except-interface=<WAN interface name (ethN)>"
>
> Peace,
>
> Jim Alles

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
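The following dnsmasq.conf fragment is an added example, not part of the thread and not Neutron's or dnsmasq's own shipped configuration. It shows the listener restrictions the reply points at (interface / except-interface) together with the options that actually prevent the open-resolver exposure described in the question. The interface name tap0a1b2c3d, the WAN interface eth0, the 10.0.0.0/24 tenant range and the 10.0.0.1 upstream resolver are assumptions for illustration. The weak configuration is simply the absence of every line below except dhcp-range: with no interface, listen-address or except-interface option dnsmasq binds the wildcard address and answers DNS queries from any host that can route a packet to it.

```ini
# Added example; interface names and addresses are assumed, not taken from the thread.

# Only answer on the tenant-facing port (assumed name). In an OpenStack DHCP
# namespace this is the tap/ns device Neutron created for the subnet.
interface=tap0a1b2c3d

# Never listen on the upstream/WAN side, even if interface= is widened later
# or an extra interface appears in the namespace.
except-interface=eth0

# Bind sockets on the named interfaces instead of the wildcard address, so a
# query arriving on any other interface is never delivered to dnsmasq at all.
# (In a namespace that only holds the tap device and lo this is safe; on a
# host whose interfaces come and go, bind-dynamic is the usual alternative.)
bind-interfaces

# Drop DNS queries whose source address is not on a subnet this host has an
# interface on (dnsmasq 2.69 and later; check dnsmasq --version). This is the
# closest answer to "only clients of the served subnet": a query routed in
# from another network via the public router is refused even if it reached
# the listening socket.
local-service

# Serve DHCP only for the tenant subnet (assumed range).
dhcp-range=10.0.0.10,10.0.0.200,24h

# Do not read the host's /etc/resolv.conf; forward only to an explicit upstream.
no-resolv
server=10.0.0.1
```

Note the difference between the two layers: interface= / except-interface= / bind-interfaces control which sockets exist, while local-service filters by the source address of the query, which is what stops a query that legitimately arrives on the tenant interface but originates from a foreign subnet routed through the public network. local-service only accepts sources on subnets for which an interface exists, so it does not express an arbitrary "defined subnet"; for that, or for dnsmasq versions that lack the option, a packet filter on UDP/TCP port 53 in the namespace, as the author proposes, remains the right tool.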