dnsmasq/dnsmasq-2.81-configuration.patch

From cba77f08dbded8af45de2ee985200b12de7c8d13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults

Most important change would be to listen only on localhost. Default
configuration should not listen to request from remote hosts. Match also
user and paths to directories shipped in Fedora.
---
 dnsmasq.conf.example | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 0cbf572..6c47c3c 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@
 
 # Uncomment these to enable DNSSEC validation and caching:
 # (Requires dnsmasq to be built with DNSSEC option.)
-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
 #dnssec
 
 # Replies which are not DNSSEC signed may be legitimate, because the domain
@@ -106,8 +106,8 @@
 
 # If you want dnsmasq to change uid and gid to something other
 # than the default, edit the following lines.
-#user=
-#group=
+user=dnsmasq
+group=dnsmasq
 
 # If you want dnsmasq to listen for DHCP and DNS requests only on
 # specified interfaces (and the loopback) give the name of the
@@ -124,6 +124,14 @@
 # disable DHCP and TFTP on it.
 #no-dhcp-interface=
 
+# Serve DNS and DHCP only to networks directly connected to this machine.
+# Any interface= line will override it.
+#local-service
+# Accept queries in default configuration only from localhost
+# Comment out following option or explicitly configure interfaces or
+# listen-address
+local-service=host
+
 # On systems which support it, dnsmasq binds the wildcard address,
 # even when it is listening on only some interfaces. It then discards
 # requests that it shouldn't reply to. This has the advantage of
@@ -131,7 +139,15 @@
 # want dnsmasq to really bind only the interfaces it is listening on,
 # uncomment this option. About the only time you may need this is when
 # running another nameserver on the same machine.
+#
+# To listen only on localhost and do not receive packets on other
+# interfaces, bind only to lo device. Comment out to bind on single
+# wildcard socket.
 #bind-interfaces
+# Comment out above line and uncoment following 2 lines.
+# Update interface name, use ip link to get its name.
+#bind-dynamic
+#interface=eno1
 
 # If you don't want dnsmasq to read /etc/hosts, uncomment the
 # following line.
@@ -545,7 +561,7 @@
 # The DHCP server needs somewhere on disk to keep its lease database.
 # This defaults to a sane location, but if you want to change it, use
 # the line below.
-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
 
 # Set the DHCP server to authoritative mode. In this mode it will barge in
 # and take over the lease for any client which broadcasts on the network,
@@ -683,7 +699,11 @@
 # Include all files in a directory which end in .conf
 #conf-dir=/etc/dnsmasq.d/,*.conf
 
+# Include all files in /etc/dnsmasq.d except RPM backup files
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
+
 # If a DHCP client claims that its name is "wpad", ignore that.
 # This fixes a security hole. see CERT Vulnerability VU#598349
 #dhcp-name-match=set:wpad-ignore,wpad
 #dhcp-ignore-names=tag:wpad-ignore
+
-- 
2.43.0
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`From cba77f08dbded8af45de2ee985200b12de7c8d13 Mon Sep 17 00:00:00 2001`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00			`From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>`
			`Date: Tue, 30 Jun 2020 18:06:29 +0200`
			`Subject: [PATCH] Modify upstream configuration to safe defaults`

			`Most important change would be to listen only on localhost. Default`
			`configuration should not listen to request from remote hosts. Match also`
			`user and paths to directories shipped in Fedora.`
			`---`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`dnsmasq.conf.example \| 28 ++++++++++++++++++++++++----`
			`1 file changed, 24 insertions(+), 4 deletions(-)`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00
			`diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`index 0cbf572..6c47c3c 100644`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00			`--- a/dnsmasq.conf.example`
			`+++ b/dnsmasq.conf.example`
			`@@ -22,7 +22,7 @@`

			`# Uncomment these to enable DNSSEC validation and caching:`
			`# (Requires dnsmasq to be built with DNSSEC option.)`
			`-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf`
			`+#conf-file=/usr/share/dnsmasq/trust-anchors.conf`
			`#dnssec`

			`# Replies which are not DNSSEC signed may be legitimate, because the domain`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`@@ -106,8 +106,8 @@`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00
			`# If you want dnsmasq to change uid and gid to something other`
			`# than the default, edit the following lines.`
			`-#user=`
			`-#group=`
			`+user=dnsmasq`
			`+group=dnsmasq`

			`# If you want dnsmasq to listen for DHCP and DNS requests only on`
			`# specified interfaces (and the loopback) give the name of the`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`@@ -124,6 +124,14 @@`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00			`# disable DHCP and TFTP on it.`
			`#no-dhcp-interface=`

			`+# Serve DNS and DHCP only to networks directly connected to this machine.`
			`+# Any interface= line will override it.`
			`+#local-service`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`+# Accept queries in default configuration only from localhost`
			`+# Comment out following option or explicitly configure interfaces or`
			`+# listen-address`
			`+local-service=host`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00			`+`
			`# On systems which support it, dnsmasq binds the wildcard address,`
			`# even when it is listening on only some interfaces. It then discards`
			`# requests that it shouldn't reply to. This has the advantage of`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`@@ -131,7 +139,15 @@`
Listen only on lo device (#1852373) Dnsmasq now accepts in default configuration queries only from localhost. It received queries from any interface on the computer before. It just dropped queries coming from wrong interfaces. This change makes it listen only on specified interfaces. Queries coming from different interfaces would receive ICMP error right away. Makes it easier to understand why dnsmasq is not answering to those queries. 2020-09-30 22:51:03 +00:00			`# want dnsmasq to really bind only the interfaces it is listening on,`
			`# uncomment this option. About the only time you may need this is when`
			`# running another nameserver on the same machine.`
			`+#`
			`+# To listen only on localhost and do not receive packets on other`
			`+# interfaces, bind only to lo device. Comment out to bind on single`
			`+# wildcard socket.`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`#bind-interfaces`
Start before nss-lookup.target, hint modification to listen on IP (#1984618) 2021-07-22 19:12:14 +00:00			`+# Comment out above line and uncoment following 2 lines.`
			`+# Update interface name, use ip link to get its name.`
			`+#bind-dynamic`
			`+#interface=eno1`
Listen only on lo device (#1852373) Dnsmasq now accepts in default configuration queries only from localhost. It received queries from any interface on the computer before. It just dropped queries coming from wrong interfaces. This change makes it listen only on specified interfaces. Queries coming from different interfaces would receive ICMP error right away. Makes it easier to understand why dnsmasq is not answering to those queries. 2020-09-30 22:51:03 +00:00
			`# If you don't want dnsmasq to read /etc/hosts, uncomment the`
			`# following line.`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`@@ -545,7 +561,7 @@`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00			`# The DHCP server needs somewhere on disk to keep its lease database.`
			`# This defaults to a sane location, but if you want to change it, use`
			`# the line below.`
			`-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases`
			`+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases`

			`# Set the DHCP server to authoritative mode. In this mode it will barge in`
			`# and take over the lease for any client which broadcasts on the network,`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`@@ -683,7 +699,11 @@`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00			`# Include all files in a directory which end in .conf`
			`#conf-dir=/etc/dnsmasq.d/,*.conf`

			`+# Include all files in /etc/dnsmasq.d except RPM backup files`
			`+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig`
			`+`
			`# If a DHCP client claims that its name is "wpad", ignore that.`
			`# This fixes a security hole. see CERT Vulnerability VU#598349`
			`#dhcp-name-match=set:wpad-ignore,wpad`
			`#dhcp-ignore-names=tag:wpad-ignore`
			`+`
			`--`
Use local-service=host for initial configuration (#2258062) Use just specialized local-service option, which would deactivate as soon as any interface= or listen-address= options are used. Update default configuration to use it. 2024-01-12 16:13:36 +00:00			`2.43.0`
Listen only localhost in default configuration Require manual configuration to enable either local-service for any connected networks or interface to listen all hosts on interface. 2020-06-30 11:35:53 +00:00