
Opened 3 years ago

Closed 3 years ago

#18763 closed defect (duplicate)

dnsmasq listens on 0.0.0.0, exposing DNS services to public Internet

Reported by: hoelzro
Owned by: developers
Priority: normal
Milestone:
Component: packages
Version: Barrier Breaker 14.07
Keywords: dnsmasq configuration
Cc:

Description

Hi OpenWRT devs,

I was using my home network a short while ago when I noticed that the network was extremely slow. Through debugging, I discovered that DNS queries to dnsmasq on my router were taking a very long time, while external DNS services were prompt in responding and traffic moved quickly after a connection was established. Using tcpdump, I discovered that people on the public Internet were throwing a large volume of DNS requests at my router, which bogged down dnsmasq and prevented it from responding to LAN DNS requests in a timely manner.

I have since reconfigured dnsmasq to only listen on my LAN, but I felt a LAN-only setup for dnsmasq should be the default configuration. I'm running Attitude Adjustment on my home router, but I booted up Barrier Breaker in a VM and saw that this persists in the default configuration there. I feel that the default configuration should change to LAN-only for a variety of reasons:

  • Public internet users can flood dnsmasq with requests, slowing down an OpenWRT user's network
  • There is no reason to have this open to the public Internet, to my knowledge
  • While I don't know of any, a vulnerability in dnsmasq could lead to exploiting an OpenWRT router
  • OpenWRT routers could participate in DNS amplification attacks against others

Please let me know if there's any more information I can provide regarding this matter.

-Rob
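An added example, not part of the ticket or of OpenWrt: a small POSIX shell check for the state the report describes (port 53 bound to the wildcard address) and for whether a dnsmasq.conf restricts listening to named interfaces. The netstat and config samples are constructed; on a router you would pipe live `netstat -ln` output into `wildcard_dns_sockets` instead.

```shell
#!/bin/sh
# Constructed sample of `netstat -ln`-style output (busybox / net-tools column
# layout: Proto Recv-Q Send-Q Local-Address Foreign-Address [State]).
# Hypothetical data, not taken from the ticket.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 :::53                   :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 192.168.1.1:67          0.0.0.0:*'

# Constructed dnsmasq.conf fragments: the default-style one binds every
# address; the second restricts dnsmasq to the LAN bridge (assumed name br-lan).
DEFAULT_CONF='domain-needed
bogus-priv'
LAN_ONLY_CONF='interface=br-lan
bind-interfaces
domain-needed'

# wildcard_dns_sockets: read netstat output on stdin and print each port-53
# socket bound to 0.0.0.0 or :: as "proto local-address", one per line.
wildcard_dns_sockets() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        # local address is column 4; the port follows the last colon
        n = split($4, parts, ":")
        port = parts[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (port == "53" && (host == "0.0.0.0" || host == "::"))
            print $1, $4
    }'
}

# exposed_dns_count: number of wildcard-bound port-53 sockets in the given text.
exposed_dns_count() {
    printf '%s\n' "$1" | wildcard_dns_sockets | wc -l | tr -d ' '
}

# dnsmasq_is_lan_only: succeed (0) when the config text names at least one
# `interface=` and sets `bind-interfaces`, so dnsmasq binds only those
# interfaces instead of the wildcard address; otherwise fail (1).
# (A deliberately simple check: listen-address= or except-interface= would
# need their own handling.)
dnsmasq_is_lan_only() {
    printf '%s\n' "$1" | grep -q '^interface=' &&
    printf '%s\n' "$1" | grep -q '^bind-interfaces'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_dns_sockets
```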

Attachments (0)

Change History (1)

comment:1 Changed 3 years ago by jow

  • Resolution set to duplicate
  • Status changed from new to closed

Dupe of #14951, #17964 - also port 53 is firewalled by default.
