#17964: dnsmasq answering requests on public interfaces
--------------------------+---------------------------------------
Reporter: anonymous | Owner: developers
Type: defect | Status: reopened
Priority: highest | Milestone:
Component: base system | Version: Barrier Breaker 14.07
Resolution: | Keywords: dns amplification attacks
--------------------------+---------------------------------------
Changes (by anonymous):
* status: closed => reopened
* resolution: duplicate =>
Comment:

Since the spam tracker just had a mismatch on a regex, I have to write it
all over again...

This is not a duplicate as long as #14951 is milestone AA and not BB. This
ticket is about BB-rc3.

''This ticket is false, by default OpenWrt doesn't answer DNS queries from
WAN and it'd require several mistakes by the user to make it do so.''

You are probably right in those cases where OpenWrt gets used as a usual
NAT router with DHCP-Client on WAN, while WAN is in a firewall.

In all other cases dnsmasq is currently unprotected from the moment you
add another interface (wwan, vlan, etc.) that is accessible from
non-RFC1918 addresses.

Since dnsmasq has a new option that could be used alternately to wildcard
interfaces and notinterface, that would be advisable. Nevertheless that
will not be sufficient for all cases.
--
Ticket URL: <https://dev.openwrt.org/ticket/17964#comment:4>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
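
An audit check for the exposure this ticket describes, added here as an example and not part of the ticket or of OpenWrt: it lists interfaces with non-RFC1918 addresses that a port-53 socket is bound to, as candidates to verify against the firewall. The interface names, addresses and `netstat -ln`-style lines are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (documentation address ranges stand in for public IPs).
IFACE_ADDRS = {"lo": "127.0.0.1", "br-lan": "192.168.1.1",
               "eth0.2": "203.0.113.10", "wwan0": "198.51.100.7"}
LISTENERS = """\
udp        0      0 0.0.0.0:53      0.0.0.0:*
udp        0      0 0.0.0.0:67      0.0.0.0:*
tcp        0      0 0.0.0.0:53      0.0.0.0:*      LISTEN
"""

def dns_listeners(netstat_text, port=53):
    """Return the set of IPv4 addresses that have a socket bound on `port`."""
    bound = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("udp", "tcp")):
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # unparsable local address, skip the line
        if addr.version == 4:  # the ticket is about non-RFC1918 IPv4 addresses
            bound.add(addr)
    return bound

def is_public(addr):
    """True for addresses outside loopback, link-local and RFC1918 space."""
    return not (addr.is_loopback or addr.is_link_local
                or any(addr in net for net in RFC1918))

def exposed(netstat_text, iface_addrs):
    """List (interface, address) pairs where a DNS socket covers a public address."""
    bound = dns_listeners(netstat_text)
    wildcard = ipaddress.ip_address("0.0.0.0") in bound
    return [(iface, raw) for iface, raw in sorted(iface_addrs.items())
            if is_public(ipaddress.ip_address(raw))
            and (wildcard or ipaddress.ip_address(raw) in bound)]

if __name__ == "__main__":
    for iface, addr in exposed(LISTENERS, IFACE_ADDRS):
        print(f"port 53 bound on public address {addr} ({iface})")
```

A hit means only that a socket is bound on that address; whether queries are actually answered still depends on the firewall rules and dnsmasq's own interface settings.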