Curiosity fueled a couple of tests on this.  In checking 2 common
scenarios, at least one use case confirms.

Aside from this confirmation, a bigger-picture question could be:  in
principle, how is 53 being open and interactive by default any different
than 80, 22, or 137-139 being open and interactive by default, when
dnsmasq is not installed by default?  If a user chooses to add a
service, whether that is ssh, samba, apache, dnsmasq, or others, in what
scenarios are we to protect the user against him/herself?  One could
argue that all of those protocols are subject to abuse.  In other words
- this could be a slippery slope.

Having said that little devil's advocate bit, I am *all for* making sure
our default behavior is to not have an open recursive DNS server.

Here's what I found:

[test0]: Trusty default server install + "Virtual Machine Host" package selection (ok)
[test1]: Trusty default server install + install dnsmasq (CONFIRMS open recursive DNS condition)

##### [test0] #####
Trusty default server install + "Virtual Machine Host" package selection

* This method does not result in an open recursive DNS server.

* The default ip interface layout follows; eth0 is connected and has
obtained an address via dhcp; libvirt has created the virbr0 interface, and
dnsmasq is listening only on the virbr0 interface (192.168.122.1).

rbeisner@isotest0:~$ sudo ip addr | grep gl
    inet 10.4.5.132/24 brd 10.4.5.255 scope global eth0
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

rbeisner@isotest0:~$ sudo netstat -taupn | egrep ':22|:53'
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1148/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      852/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      852/sshd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1148/dnsmasq

* The default iptables firewall rules for this use case follow.
Destination ports 53 tcp & udp are explicitly allowed on the virbr0
interface.  DNS ports are not disallowed anywhere, and there isn't a
default drop or reject rule in the INPUT chain.  But because dnsmasq is
only bound to the virbr0 interface, it should not be accessible on any
other interface, even if all iptables rules are flushed.

beisner@isotest0:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 19526 packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 10169 packets, 592K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68

* Flush iptables, all traffic allowed:

rbeisner@isotest0:~$ sudo iptables -F
rbeisner@isotest0:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 39 packets, 2712 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 20 packets, 1792 bytes)
 pkts bytes target     prot opt in     out     source               destination

* Port scans from a neighboring node confirm that tcp and udp 53 are
closed on the world-facing interface:

rbeisner@bcu:~$ sudo nmap -sU -p 53 10.4.5.132 | grep 53
53/udp closed domain

rbeisner@bcu:~$ sudo nmap -sT -p 53 10.4.5.132 | grep 53
53/tcp closed domain

rbeisner@bcu:~$ sudo nmap -sT -p 22 10.4.5.132 | grep 22
22/tcp open  ssh
...


##### [test1] #####
Trusty default server install + install dnsmasq (CONFIRMS open recursive DNS condition)

* CONFIRMS the default condition to be an open recursive DNS server /!\.

* DNS query from a neighboring host succeeds:

rbeisner@isotest0:~$ dig @10.4.5.143 thekelleys.org.uk +short
213.138.109.107

* Port scans from a neighboring node confirm that tcp and udp 53 are
open on the world-facing interface:

rbeisner@isotest0:~$ sudo nmap -sU -p 53 10.4.5.143 | grep 53
53/udp open  domain

rbeisner@isotest0:~$ sudo nmap -sT -p 53 10.4.5.143 | grep 53
53/tcp open  domain

* dnsmasq is listening on all ip interfaces, and iptables isn't
restricting it:

rbeisner@isotest1:~$ sudo netstat -taupn | egrep ':22|:53'
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2581/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2142/sshd
tcp6       0      0 :::53                   :::*                    LISTEN      2581/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      2142/sshd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2581/dnsmasq
udp6       0      0 :::53                   :::*                                2581/dnsmasq

rbeisner@isotest1:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 30200 packets, 42M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 15576 packets, 1024K bytes)
 pkts bytes target     prot opt in     out     source               destination
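
As an added check (not part of the bug report or the dnsmasq project), the wildcard-bind condition shown in [test1] can be flagged from `netstat -taupn` output with the shell function below; the two embedded samples are constructed from the captures in this comment.

```shell
#!/bin/sh
# Added example (not from the bug report): flag port-53 listeners bound to a
# wildcard address (0.0.0.0 or ::), which is the [test1] condition.  Reads
# "netstat -taupn" style lines on stdin; column 4 is "local address:port".

# Prints "<proto> <local address:port>" for each port-53 listener whose local
# address is a wildcard.  Prints nothing for the libvirt-style virbr0-only bind.
wildcard_dns_listeners() {
    awk '
        /^(tcp|udp)/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # strip ":<port>" from the end; leaves "::" for the IPv6 wildcard
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (port == "53" && (host == "0.0.0.0" || host == "::"))
                print $1, addr
        }'
}

# Prints the number of wildcard port-53 listeners (0 means not exposed).
count_wildcard_dns() {
    wildcard_dns_listeners | wc -l | tr -d ' '
}

# Constructed samples reproducing the [test0] and [test1] netstat captures.
SAMPLE_LIBVIRT='tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1148/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      852/sshd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1148/dnsmasq'

SAMPLE_OPEN='tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2581/dnsmasq
tcp6       0      0 :::53                   :::*                    LISTEN      2581/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2581/dnsmasq
udp6       0      0 :::53                   :::*                                2581/dnsmasq'

# Against a live host:  sudo netstat -taupn | wildcard_dns_listeners
printf '%s\n' "$SAMPLE_LIBVIRT" | wildcard_dns_listeners   # prints nothing
printf '%s\n' "$SAMPLE_OPEN" | wildcard_dns_listeners      # prints four lines
```

The libvirt case avoids the exposure by binding dnsmasq only to virbr0; for a hand-installed dnsmasq the equivalent is `interface=`/`bind-interfaces` in /etc/dnsmasq.conf, or `local-service` on dnsmasq 2.69 and later.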

https://bugs.launchpad.net/bugs/1306646

Title:
  dnsmasq provides recursive answers to the Internet by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1306646/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs