dnsmasq listens on 0.0.0.0, exposing DNS services to public Internet

[hoelzro]

Hi OpenWRT devs,

I was using my home network a short while ago when I noticed that the network was extremely slow. Through debugging, I discovered that DNS queries to dnsmasq on my router were taking a very long time, while external DNS services were prompt in responding and traffic moved quickly after a connection was established. Using tcpdump, I discovered that people on the public Internet were throwing a large volume of DNS requests at my router, which bogged down dnsmasq and prevented it from responding to LAN DNS requests in a timely manner.

I have since reconfigured dnsmasq to only listen on my LAN, but I felt a LAN-only setup for dnsmasq should be the default configuration. I'm running Attitude Adjustment on my home router, but I booted up Barrier Breaker in a VM and saw that this persists in the default configuration there. I feel that the default configuration should change to LAN-only for a variety of reasons:

• Public internet users can flood dnsmasq with requests, slowing down an OpenWRT user's network
• There is no reason to have this open to the public Internet, to my knowledge
• While I don't know of any, a vulnerability in dnsmasq could lead to exploiting an OpenWRT router
• OpenWRT routers could participate in DNS amplication attacks against others

Please let me know if there's any more information I can provide regarding this matter.

-Rob

[jow]

Dupe of #14951, #17964 - also port 53 is firewalled by default.