#17964: dnsmasq answering requests on public interfaces
--------------------------+---------------------------------------
  Reporter:  anonymous    |      Owner:  developers
      Type:  defect       |     Status:  new
  Priority:  highest      |  Milestone:
 Component:  base system  |    Version:  Barrier Breaker 14.07
Resolution:               |   Keywords:  dns amplification attacks
--------------------------+---------------------------------------
Comment (by anonymous):

This ticket is false; by default OpenWrt doesn't answer DNS queries from
WAN and it'd require several mistakes by the user to make it do so.

However, since it is possible that more end-users might install the
upcoming BB-14.07, I would suggest enabling dnsmasq's newly introduced
"--local-service" option:

--local-service
Accept DNS queries only from hosts whose address is on a local subnet, i.e.
a subnet for which an interface exists on the server. This option only has
effect if there are no --interface, --except-interface, --listen-address or
--auth-server options. It is intended to be set as a default on
installation, to allow unconfigured installations to be useful but also
safe from being used for DNS amplification attacks.

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
--
Ticket URL: <https://dev.openwrt.org/ticket/17964#comment:2>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
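
Added example, not part of the ticket or of dnsmasq's own code: a small Python model of the --local-service rule as the man page text quoted above describes it, usable to audit a dnsmasq.conf-style file. The function names, the sample config and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Options that, per the man page text quoted above, stop local-service
# from having any effect when they are present.
OVERRIDES = {"interface", "except-interface", "listen-address", "auth-server"}

# Constructed sample: a dnsmasq.conf fragment and the router's interface
# addresses (LAN plus a WAN address taken from a documentation range).
SAMPLE_CONF = "# constructed sample config\nlocal-service\n"
SAMPLE_SUBNETS = ["192.168.1.1/24", "203.0.113.10/24"]


def parse_options(conf_text):
    """Return the set of option names present in dnsmasq.conf-style text."""
    names = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            names.add(line.split("=", 1)[0].strip())
    return names


def local_service_active(conf_text):
    """True only if local-service is set and no overriding option is present."""
    opts = parse_options(conf_text)
    return "local-service" in opts and not opts.intersection(OVERRIDES)


def verdict(src, interface_subnets, conf_text):
    """True = answered, False = refused, None = local-service does not decide."""
    if not local_service_active(conf_text):
        return None  # outcome depends on the other options and the firewall
    addr = ipaddress.ip_address(src)
    # "Local subnet" means any subnet on which this host has an interface.
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in interface_subnets)


if __name__ == "__main__":
    for src in ("192.168.1.50", "203.0.113.99", "198.51.100.7"):
        print(src, verdict(src, SAMPLE_SUBNETS, SAMPLE_CONF))
```

Under this reading of the quoted wording, a host on the WAN interface's own subnet still counts as local, so the option limits who can use the resolver for amplification rather than replacing the firewall rule on WAN.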