Opened 3 years ago
Closed 3 years ago
#18763 closed defect (duplicate)
dnsmasq listens on 0.0.0.0, exposing DNS services to public Internet
| Reported by: | hoelzro | Owned by: | developers |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | packages | Version: | Barrier Breaker 14.07 |
| Keywords: | dnsmasq configuration | Cc: | |
Description
Hi OpenWRT devs,
I was using my home network a short while ago when I noticed that the network was extremely slow. Through debugging, I discovered that DNS queries to dnsmasq on my router were taking a very long time, while external DNS services were prompt in responding and traffic moved quickly after a connection was established. Using tcpdump, I discovered that people on the public Internet were throwing a large volume of DNS requests at my router, which bogged down dnsmasq and prevented it from responding to LAN DNS requests in a timely manner.
I have since reconfigured dnsmasq to only listen on my LAN, but I felt a LAN-only setup for dnsmasq should be the default configuration. I'm running Attitude Adjustment on my home router, but I booted up Barrier Breaker in a VM and saw that this persists in the default configuration there. I feel that the default configuration should change to LAN-only for a variety of reasons:
- Public internet users can flood dnsmasq with requests, slowing down an OpenWRT user's network
- There is no reason to have this open to the public Internet, to my knowledge
- While I don't know of any, a vulnerability in dnsmasq could lead to exploiting an OpenWRT router
- OpenWRT routers could participate in DNS amplification attacks against others
Please let me know if there's any more information I can provide regarding this matter.
-Rob
Attachments (0)
Change History (1)
comment:1 Changed 3 years ago by jow
- Resolution set to duplicate
- Status changed from new to closed
Dupe of #14951, #17964 - also port 53 is firewalled by default.
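The report above describes dnsmasq answering on the wildcard address, and the reporter's fix of restricting it to the LAN. The following checker, added here as an example and not code from dnsmasq or OpenWRT, reads plain dnsmasq.conf text and classifies how the DNS listener is scoped; the sample configurations are constructed.

```python
"""Classify how a dnsmasq configuration scopes its DNS listener.

dnsmasq binds the wildcard address (0.0.0.0) unless told otherwise and
answers queries from every interface unless a scoping directive is
present. Example code for this ticket, not part of dnsmasq or OpenWRT.
"""

# Directives that restrict which interfaces/addresses/subnets dnsmasq serves.
SCOPING = {"interface", "except-interface", "listen-address", "local-service"}
# Directives that move the socket off the wildcard onto specific addresses.
BIND = {"bind-interfaces", "bind-dynamic"}


def parse_conf(text):
    """Return (key, value) pairs from dnsmasq.conf text; value is None for bare flags."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def listen_scope(text):
    """Return 'all-interfaces', 'filtered' or 'bound' for a dnsmasq.conf text.

    all-interfaces: wildcard socket, every incoming query is answered.
    filtered:       wildcard socket, but queries from unlisted interfaces
                    or subnets are dropped by dnsmasq itself.
    bound:          sockets exist only on the chosen addresses.
    """
    keys = {k for k, _ in parse_conf(text)}
    if keys & BIND and keys & SCOPING:
        return "bound"
    if keys & SCOPING:
        return "filtered"
    return "all-interfaces"  # bind-interfaces alone still covers every interface


# Constructed sample configurations.
DEFAULT_CONF = "domain-needed\nbogus-priv\n# interface=eth0 (commented out)\n"
LAN_FILTERED_CONF = "domain-needed\ninterface=br-lan\n"
LAN_BOUND_CONF = "interface=br-lan\nexcept-interface=lo\nbind-interfaces\n"

if __name__ == "__main__":
    for name, conf in [("default", DEFAULT_CONF), ("filtered", LAN_FILTERED_CONF),
                       ("bound", LAN_BOUND_CONF)]:
        print(f"{name}: {listen_scope(conf)}")
```

A result of `all-interfaces` means the WAN-facing socket is only protected by whatever the firewall does with port 53, which is the point jow makes in the comment above.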