[
https://issues.apache.org/jira/browse/CLOUDSTACK-4675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14237683#comment-14237683
]
Abhinandan Prateek commented on CLOUDSTACK-4675:
------------------------------------------------
cloud-early-config is the one configuring the services on the VR; this will
override conf changes to dnsmasq.
> Virtual Router only with DHCP should not have DNS service
> ---------------------------------------------------------
>
> Key: CLOUDSTACK-4675
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4675
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: Virtual Router
> Affects Versions: 4.1.1
> Reporter: France
>
> When one creates a virtual router using only DHCP as a service, one also gets
> the DNS service, because dnsmasq.conf has the DNS service enabled. It can be
> disabled by setting port=0, but it isn't.
> The assumption that there is no open recursive DNS service present can lead a
> user to expose an open recursive DNS server to untrusted hosts, which then
> abuse it for a DNS amplification attack.
> Please actually disable the DNS service if it's not selected when creating the
> network offering.
> As a workaround I've added the commands below to rc.local. Fixing
> dnsmasq.conf directly gets reverted by some cloud init scripts.
> iptables -I INPUT -p udp --dport 53 -j DROP
> iptables -I INPUT -p tcp --dport 53 -j DROP
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
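An added example, not code from the ticket or from CloudStack: a small POSIX sh audit that reads the dnsmasq config actually in effect on a VR and reports whether the DNS listener is still enabled, i.e. whether a "DHCP-only" router would answer on port 53. Since the report says direct edits to dnsmasq.conf get reverted by the init scripts, this is a check to run against the live file after each reboot; the config texts are constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the JIRA ticket or from CloudStack: audit a
# dnsmasq config for the report's "DHCP-only" intent. dnsmasq answers DNS on
# port 53 unless the config contains "port=0", which disables DNS completely
# while leaving DHCP running. All config text below is constructed.

# Reads a dnsmasq config on stdin. Returns 0 if the DNS listener stays
# enabled (the open-resolver risk from the report), 1 if "port=0" disables it.
# Full-line "#" comments are ignored; whitespace around the directive is tolerated.
dnsmasq_dns_enabled() {
    if sed 's/#.*//' | grep -Eq '^[[:space:]]*port[[:space:]]*=[[:space:]]*0[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Constructed config 1: what the report describes. Only DHCP directives are
# present, so nothing turns DNS off and dnsmasq serves port 53 anyway.
DHCP_ONLY_DNS_STILL_ON='# generated DHCP-only config
dhcp-range=10.1.1.10,10.1.1.200,12h
dhcp-option=option:router,10.1.1.1'

# Constructed config 2: the same DHCP settings plus the one line that
# actually removes the DNS service.
DHCP_ONLY_DNS_OFF='dhcp-range=10.1.1.10,10.1.1.200,12h
dhcp-option=option:router,10.1.1.1
# disable the DNS listener entirely; DHCP keeps working
port=0'

# Constructed config 3: a commented-out port=0 must not count as disabled.
COMMENTED_OUT='#port=0
dhcp-range=10.1.1.10,10.1.1.200,12h'

# Helper (hypothetical name): prints "enabled" or "disabled" for a config string.
verdict() {
    if printf '%s\n' "$1" | dnsmasq_dns_enabled; then echo enabled; else echo disabled; fi
}

verdict "$DHCP_ONLY_DNS_STILL_ON"   # enabled
verdict "$DHCP_ONLY_DNS_OFF"        # disabled
verdict "$COMMENTED_OUT"            # enabled
```

On a real router the same check runs as `dnsmasq_dns_enabled < /etc/dnsmasq.conf` (path assumed), and a DHCP-only offering that reports "enabled" is exactly the case the ticket describes.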