Opened 3 years ago

Last modified 3 years ago

#18991 new defect

dnsmasq does not reply to dns requests from wan over its specified port

Reported by: Ingram
Owned by: developers
Priority: normal
Milestone: (none)
Component: packages
Version: Trunk
Keywords: (none)
Cc: (none)

Description

I used to have a working setup where I used my home network's dnsmasq as a DNS server over WAN. For that, I simply made a port forwarding rule for <remote-host>:53 to 192.168.1.1:53, which worked.

Now that I have updated my router (tl-1043nd) to the latest trunk build (it has been months since the last update), this does not work anymore. When the localservice option is disabled, it allows connecting from WAN via any port other than the one specified under the "port" setting. For example, if it is left at the default (53), then connections from WAN which come via port 53 are ignored, but if port 54 is forwarded to local 53, then the server will reply. If the port in dnsmasq is changed, then that port will become the defective one, the one that will not work over WAN.

Attachments (0)

Change History (2)

comment:1 follow-up: Changed 3 years ago by w1zz4

Being an open resolver is a really bad thing and allows people to exploit your router in massive DDoS attacks... It's certainly why it's blocked by default. You probably can reactivate DNS resolution on the WAN interface, but if you do so, please make sure to enforce mitigation processes...

comment:2 in reply to: ↑ 1 Changed 3 years ago by Ingram

I agree that having an open resolver is generally a bad thing. However, the firewall and the recently introduced localservice option are supposed to protect you from that already.

The issue is not that it can't reply to requests from the WAN interface - it surely can, just not from the port it is configured to run on. If someone had dnsmasq running on port... 33333 and made a port forward 53->33333, we'd have a working open resolver (assuming localservice is turned off). In that case, forwarding 33333->33333 wouldn't work, though.
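The ticket turns on one observable: whether dnsmasq answers a query that arrives from the WAN side on a given forwarded port. The following script is an added example, not part of the ticket or of dnsmasq/OpenWrt, for checking exactly that against your own router's public address after changing the localservice or port setting (or the firewall rule). It builds a minimal DNS query, sends it to the host and port you name, and classifies the outcome as "no reply" (the symptom the reporter describes for the configured port), "refused" (the resolver answers but declines to serve you), or "answered" (the resolver is reachable from outside, i.e. the open-resolver condition comment 1 warns about). The target host and port are command-line arguments you supply; the query name example.com. is an arbitrary choice.

```python
"""Check whether a DNS resolver answers on a given host:port (added example)."""
import secrets
import socket
import struct
import sys
from typing import Optional

RCODE_REFUSED = 5  # RFC 1035 response code for REFUSED


def build_query(name: str, txid: Optional[int] = None, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: one question, class IN, recursion desired."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME as length-prefixed labels, terminated by a zero-length label
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(packet: bytes, expected_txid: int) -> dict:
    """Parse the header of a reply; raise if it does not belong to our query."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "recursion_available": bool(flags & 0x0080),
        "answers": an,
    }


def classify(result: Optional[dict]) -> str:
    """Map a probe result to the three outcomes discussed in the ticket."""
    if result is None:
        return "no reply"          # dropped by firewall, localservice, or not listening
    if result["rcode"] == RCODE_REFUSED:
        return "refused"           # reachable, but the resolver declines to serve us
    return "answered"              # reachable and serving: an open resolver from here


def probe_resolver(host: str, port: int, name: str = "example.com.",
                   timeout: float = 2.0) -> Optional[dict]:
    """Send one query to host:port over UDP; None means no reply within timeout."""
    txid = secrets.randbelow(0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


if __name__ == "__main__":
    # Usage: python check_resolver.py <your-public-ip> <forwarded-port>
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    outcome = probe_resolver(target_host, target_port)
    print(f"{target_host}:{target_port} -> {classify(outcome)} {outcome or ''}")
```

Run it from a host outside your LAN against your own WAN address, once with the port the dnsmasq "port" option names and once with another forwarded port, to reproduce the discrepancy in the ticket; after enabling localservice or dropping the WAN-side redirect, both probes should come back as "no reply".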
