dnsmasq/dnsmasq-2.81-configuration.patch

92 lines
3.3 KiB
Diff
Raw Normal View History

From cba77f08dbded8af45de2ee985200b12de7c8d13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults
Most important change would be to listen only on localhost. Default
configuration should not listen to request from remote hosts. Match also
user and paths to directories shipped in Fedora.
---
dnsmasq.conf.example | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 0cbf572..6c47c3c 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@
# Uncomment these to enable DNSSEC validation and caching:
# (Requires dnsmasq to be built with DNSSEC option.)
-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
#dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain
@@ -106,8 +106,8 @@
# If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines.
-#user=
-#group=
+user=dnsmasq
+group=dnsmasq
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
@@ -124,6 +124,14 @@
# disable DHCP and TFTP on it.
#no-dhcp-interface=
+# Serve DNS and DHCP only to networks directly connected to this machine.
+# Any interface= line will override it.
+#local-service
+# Accept queries in default configuration only from localhost
+# Comment out following option or explicitly configure interfaces or
+# listen-address
+local-service=host
+
# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
@@ -131,7 +139,15 @@
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
+#
+# To listen only on localhost and do not receive packets on other
+# interfaces, bind only to lo device. Comment out to bind on single
+# wildcard socket.
#bind-interfaces
+# Comment out above line and uncoment following 2 lines.
+# Update interface name, use ip link to get its name.
+#bind-dynamic
+#interface=eno1
# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
@@ -545,7 +561,7 @@
# The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use
# the line below.
-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
# Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network,
@@ -683,7 +699,11 @@
# Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf
+# Include all files in /etc/dnsmasq.d except RPM backup files
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
+
# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore
+
--
2.43.0