Listen only on lo device (#1852373)
Dnsmasq now accepts in default configuration queries only from localhost. It received queries from any interface on the computer before. It just dropped queries coming from wrong interfaces. This change makes it listen only on specified interfaces. Queries coming from different interfaces would receive ICMP error right away. Makes it easier to understand why dnsmasq is not answering to those queries.
This commit is contained in:
Petr Menšík
parent
a02f732ecb
commit
549005c787
|
|
@ -1,4 +1,4 @@
|
|||
From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
|
||||
From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Tue, 30 Jun 2020 18:06:29 +0200
|
||||
Subject: [PATCH] Modify upstream configuration to safe defaults
|
||||
|
|
@ -7,11 +7,11 @@ Most important change would be to listen only on localhost. Default
|
|||
configuration should not listen to request from remote hosts. Match also
|
||||
user and paths to directories shipped in Fedora.
|
||||
---
|
||||
dnsmasq.conf.example | 18 ++++++++++++++----
|
||||
1 file changed, 14 insertions(+), 4 deletions(-)
|
||||
dnsmasq.conf.example | 24 +++++++++++++++++++-----
|
||||
1 file changed, 19 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
|
||||
index bf19424..a130118 100644
|
||||
index bf19424..36fba33 100644
|
||||
--- a/dnsmasq.conf.example
|
||||
+++ b/dnsmasq.conf.example
|
||||
@@ -22,7 +22,7 @@
|
||||
|
|
@ -53,7 +53,20 @@ index bf19424..a130118 100644
|
|||
# On systems which support it, dnsmasq binds the wildcard address,
|
||||
# even when it is listening on only some interfaces. It then discards
|
||||
# requests that it shouldn't reply to. This has the advantage of
|
||||
@@ -535,7 +541,7 @@
|
||||
@@ -121,7 +127,11 @@
|
||||
# want dnsmasq to really bind only the interfaces it is listening on,
|
||||
# uncomment this option. About the only time you may need this is when
|
||||
# running another nameserver on the same machine.
|
||||
-#bind-interfaces
|
||||
+#
|
||||
+# To listen only on localhost and do not receive packets on other
|
||||
+# interfaces, bind only to lo device. Comment out to bind on single
|
||||
+# wildcard socket.
|
||||
+bind-interfaces
|
||||
|
||||
# If you don't want dnsmasq to read /etc/hosts, uncomment the
|
||||
# following line.
|
||||
@@ -535,7 +545,7 @@
|
||||
# The DHCP server needs somewhere on disk to keep its lease database.
|
||||
# This defaults to a sane location, but if you want to change it, use
|
||||
# the line below.
|
||||
|
|
@ -62,7 +75,7 @@ index bf19424..a130118 100644
|
|||
|
||||
# Set the DHCP server to authoritative mode. In this mode it will barge in
|
||||
# and take over the lease for any client which broadcasts on the network,
|
||||
@@ -673,7 +679,11 @@
|
||||
@@ -673,7 +683,11 @@
|
||||
# Include all files in a directory which end in .conf
|
||||
#conf-dir=/etc/dnsmasq.d/,*.conf
|
||||
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@
|
|||
|
||||
Name: dnsmasq
|
||||
Version: 2.82
|
||||
Release: 2%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Release: 3%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
License: GPLv2 or GPLv3
|
||||
|
|
@ -184,6 +184,10 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
|
|||
%{_mandir}/man1/dhcp_*
|
||||
|
||||
%changelog
|
||||
* Wed Sep 30 2020 Petr Menšík <pemensik@redhat.com> - 2.82-3
|
||||
- Listen only on localhost interface, return port unreachable on all others
|
||||
(#1852373)
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.82-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue