Looks sensible to me. Very much in the spirit of the original
--local-service option flag.
I'm minded to commit this unless anyone has an objection.
Simon.
On 30/11/2023 17:59, Petr Menšík wrote:
Hello!
I have already sent a similar proposal in 2021 [1], but I have
reworked it a bit to reuse the existing --local-service option and just
add a new parameter to it. If --local-service=host is used, dnsmasq will
bind to addresses on the lo interface only. It will not even open a port
on other interfaces, preventing possible scanning of the running service
from outside.
It roughly becomes a default similar to what other resolvers use without
configuration: BIND9 or unbound will also listen on localhost only.
To avoid regressions, it still becomes inactive when any --interface,
--listen-address or similar is specified at least once. Then you have to
explicitly use --interface=lo to listen *also* on localhost.
The change is related to Fedora bug #1852373 [2] and the newly re-opened
CVE-2020-14312 issue for RHEL8 [3]. Having explicitly specified
bind-interfaces & interface=lo in the dnsmasq default configuration has
resulted in multiple regressions across different packages, which did
not rewrite the distribution-provided configuration. I think it could be
useful for others as well.
What do you think?
Looking for any feedback!
Regards,
Petr
1. https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q4/015749.html
2. https://bugzilla.redhat.com/show_bug.cgi?id=1852373
3. https://issues.redhat.com/browse/RHEL-9516
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
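A defender-side check for the property this proposal is after (dnsmasq reachable on loopback only), as an added example that is not code from the thread or from dnsmasq itself: it inspects `ss -H -lntup` output and assumes that tool's field layout; the sample lines are constructed, and the function name is my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from dnsmasq: verify that a
# running dnsmasq is bound to loopback only, the state --local-service=host
# is meant to guarantee. Assumed field layout of `ss -H -lntup`:
# Netid State Recv-Q Send-Q Local:Port Peer:Port Process

# Read ss output on stdin; print every dnsmasq listening socket whose local
# address is not 127.0.0.0/8 or ::1. Exit 0 if none were found, 1 otherwise.
dnsmasq_nonloopback_listeners() {
    awk '
        # only sockets owned by a dnsmasq process
        $NF !~ /"dnsmasq"/ { next }
        {
            addr = $5
            sub(/:[^:]*$/, "", addr)   # drop the :port suffix
            gsub(/\[/, "", addr)       # drop IPv6 brackets ...
            gsub(/\]/, "", addr)       # ... on both sides
            sub(/%.*$/, "", addr)      # drop an interface scope such as %lo
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, $5
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: two loopback sockets, one dnsmasq TCP socket bound to
# every interface (what the proposal avoids), and an unrelated sshd socket.
SAMPLE_SS_OUTPUT='udp   UNCONN 0      0          127.0.0.1:53       0.0.0.0:*    users:(("dnsmasq",pid=4242,fd=4))
udp   UNCONN 0      0              [::1]:53          [::]:*    users:(("dnsmasq",pid=4242,fd=6))
tcp   LISTEN 0      32           0.0.0.0:53       0.0.0.0:*    users:(("dnsmasq",pid=4242,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=999,fd=3))'

# Run the check over the constructed sample (prints "tcp 0.0.0.0:53", exits 1).
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | dnsmasq_nonloopback_listeners
}

# Live use on a host: ss -H -lntup | dnsmasq_nonloopback_listeners
if check_sample; then
    echo "dnsmasq is bound to loopback only"
else
    echo "dnsmasq has non-loopback listeners (listed above)"
fi
```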