Hi Carsten,

On Fri, 2022-12-16 at 16:52 +0100, Carsten Brandt wrote:
> Hi all,
>
> I have another note about dnsmasq that may be considered a security
> problem.
>
> I have installed LXD which installs dnsmasq by default (as a
> dependency before, but now as far as I see as recommended package).

Correct -- as of lxd 5.0.1-3, dnsmasq is Recommended.

>
> The default configuration of dnsmasq makes it listen on all IP
> addresses. So it opens a DNS resolver to the public internet, which
> can be used in DDoS attacks. [1]
>
> If I install dnsmasq explicitly myself I might be aware of that.
> Having installed lxd I did not think of this and expected dnsmasq to
> be used only locally.
>
> Not sure how to deal with this issue. Is it possible to adjust
> dnsmasq config defaults when it becomes installed along with lxd?
> If not, it should be mentioned as a warning in package documentation
> somehow.
>
> What do you think?

I spent some time looking into this over the weekend, and in reading the
dnsmasq documentation realized that just dnsmasq-base would be sufficient
for LXD's use, very much like libvirt's packaging. That will pull in the
dnsmasq binary for LXD's use, but not set up a system-wide service. I've
done some testing this afternoon, and things seem to work properly, so the
change of Recommending dnsmasq -> dnsmasq-base will be included in the next
LXD upload.

More generally, if you're concerned about the default configuration of
dnsmasq, please open a bug against that package. I would hope end-users
will have some sort of firewall between their systems and the wider
Internet to block unintended access to a DNS resolver. It would be
inappropriate for another package (lxd) to try to directly modify
dnsmasq's configuration.

Mathias

>
> best regards,
> Carsten
>
> [1]:
>
> https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-DNS-Resolver/Offene-DNS-Resolver_node.html
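The exposure Carsten describes (a dnsmasq service bound to every address after installing lxd) can be checked for on a host from the socket table. The script below is an added example, not part of the thread or of either package: it parses `ss -H -lntup` output and flags port-53 listeners bound to a wildcard address; the sample socket lines, PIDs and the `lxdbr0` address are constructed.

```sh
# Added example: detect DNS listeners bound to all addresses ("open resolver"
# exposure). Input format is that of `ss -H -lntup`; samples are constructed.

# Read `ss -H -lntup` lines on stdin; print "<proto> <local> <process>" for
# every TCP/UDP socket on port 53 whose local address covers all interfaces.
wildcard_dns_listeners() {
    awk '
        $1 == "tcp" || $1 == "udp" {
            laddr = $5
            port = laddr; sub(/.*:/, "", port)       # text after the last ":"
            addr = laddr; sub(/:[^:]*$/, "", addr)   # text before the last ":"
            if (port == "53" && (addr == "0.0.0.0" || addr == "*" || addr == "[::]")) {
                proc = ($7 != "") ? $7 : "-"
                print $1, laddr, proc
            }
        }'
}

# Exit 0 if stdin shows at least one wildcard-bound DNS listener, 1 otherwise.
has_open_dns_listener() {
    [ -n "$(wildcard_dns_listeners)" ]
}

# Constructed sample: stock dnsmasq service on all addresses, systemd-resolved
# on its stub address only, and an unrelated sshd listener.
SAMPLE_DEFAULT='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=4))
udp UNCONN 0 0 [::]:53 [::]:* users:(("dnsmasq",pid=1234,fd=6))
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=512,fd=12))
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=5))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))'

# Constructed sample: dnsmasq run by LXD for its bridge address only, which is
# what the dnsmasq-base packaging leaves you with (no system-wide service).
SAMPLE_LXD_ONLY='udp UNCONN 0 0 10.10.10.1%lxdbr0:53 0.0.0.0:* users:(("dnsmasq",pid=2222,fd=4))
tcp LISTEN 0 32 10.10.10.1%lxdbr0:53 0.0.0.0:* users:(("dnsmasq",pid=2222,fd=5))'

# On a live host:  ss -H -lntup | wildcard_dns_listeners
printf '%s\n' "$SAMPLE_DEFAULT" | wildcard_dns_listeners
```

Run against the first sample it lists the three dnsmasq wildcard sockets and nothing else; against the second it prints nothing and `has_open_dns_listener` returns 1.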