Listen only localhost in default configuration
Require manual configuration to enable either local-service (for any connected networks) or an interface= setting to listen to all hosts on that interface.
This commit is contained in:
parent
4c831af38b
commit
744ba31be7
79
dnsmasq-2.81-configuration.patch
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
From d07d1bcdd739da00d0acb8c4561c33bc4d27a0da Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Tue, 30 Jun 2020 18:06:29 +0200
|
||||||
|
Subject: [PATCH] Modify upstream configuration to safe defaults
|
||||||
|
|
||||||
|
Most important change would be to listen only on localhost. Default
|
||||||
|
configuration should not listen to request from remote hosts. Match also
|
||||||
|
user and paths to directories shipped in Fedora.
|
||||||
|
---
|
||||||
|
dnsmasq.conf.example | 18 ++++++++++++++----
|
||||||
|
1 file changed, 14 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
|
||||||
|
index bf19424..a130118 100644
|
||||||
|
--- a/dnsmasq.conf.example
|
||||||
|
+++ b/dnsmasq.conf.example
|
||||||
|
@@ -22,7 +22,7 @@
|
||||||
|
|
||||||
|
# Uncomment these to enable DNSSEC validation and caching:
|
||||||
|
# (Requires dnsmasq to be built with DNSSEC option.)
|
||||||
|
-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
|
||||||
|
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
|
||||||
|
#dnssec
|
||||||
|
|
||||||
|
# Replies which are not DNSSEC signed may be legitimate, because the domain
|
||||||
|
@@ -96,14 +96,16 @@
|
||||||
|
|
||||||
|
# If you want dnsmasq to change uid and gid to something other
|
||||||
|
# than the default, edit the following lines.
|
||||||
|
-#user=
|
||||||
|
-#group=
|
||||||
|
+user=dnsmasq
|
||||||
|
+group=dnsmasq
|
||||||
|
|
||||||
|
# If you want dnsmasq to listen for DHCP and DNS requests only on
|
||||||
|
# specified interfaces (and the loopback) give the name of the
|
||||||
|
# interface (eg eth0) here.
|
||||||
|
# Repeat the line for more than one interface.
|
||||||
|
#interface=
|
||||||
|
+# Listen only on localhost by default
|
||||||
|
+interface=lo
|
||||||
|
# Or you can specify which interface _not_ to listen on
|
||||||
|
#except-interface=
|
||||||
|
# Or which to listen on by address (remember to include 127.0.0.1 if
|
||||||
|
@@ -114,6 +116,10 @@
|
||||||
|
# disable DHCP and TFTP on it.
|
||||||
|
#no-dhcp-interface=
|
||||||
|
|
||||||
|
+# Serve DNS and DHCP only to networks directly connected to this machine.
|
||||||
|
+# Any interface= line will override it.
|
||||||
|
+#local-service
|
||||||
|
+
|
||||||
|
# On systems which support it, dnsmasq binds the wildcard address,
|
||||||
|
# even when it is listening on only some interfaces. It then discards
|
||||||
|
# requests that it shouldn't reply to. This has the advantage of
|
||||||
|
@@ -535,7 +541,7 @@
|
||||||
|
# The DHCP server needs somewhere on disk to keep its lease database.
|
||||||
|
# This defaults to a sane location, but if you want to change it, use
|
||||||
|
# the line below.
|
||||||
|
-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
|
||||||
|
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
|
||||||
|
|
||||||
|
# Set the DHCP server to authoritative mode. In this mode it will barge in
|
||||||
|
# and take over the lease for any client which broadcasts on the network,
|
||||||
|
@@ -673,7 +679,11 @@
|
||||||
|
# Include all files in a directory which end in .conf
|
||||||
|
#conf-dir=/etc/dnsmasq.d/,*.conf
|
||||||
|
|
||||||
|
+# Include all files in /etc/dnsmasq.d except RPM backup files
|
||||||
|
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
|
||||||
|
+
|
||||||
|
# If a DHCP client claims that its name is "wpad", ignore that.
|
||||||
|
# This fixes a security hole. see CERT Vulnerability VU#598349
|
||||||
|
#dhcp-name-match=set:wpad-ignore,wpad
|
||||||
|
#dhcp-ignore-names=tag:wpad-ignore
|
||||||
|
+
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
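Review bot: The new `#local-service` comment in the -114,6 +116,10 hunk says any interface= line overrides it, but the same patch now ships an active `interface=lo` line in the preceding hunk, so simply uncommenting `local-service` will have no effect until that line is also removed; the comment should say so explicitly, e.g. `# Any interface= line (including the interface=lo set above) will override it;` followed by `# remove that line to use local-service.` The `interface=lo` line also confines DHCP and TFTP to loopback, which the surrounding context ("listen for DHCP and DNS requests only on specified interfaces") implies, so the `# Listen only on localhost by default` comment could add `# This also limits DHCP/TFTP to loopback until changed.` As the context at the end of that hunk notes, dnsmasq still binds the wildcard address and discards requests from other interfaces, so this default filters queries rather than narrowing the sockets that are opened; documenting that would avoid a false sense that port 53 is closed on other addresses.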
21
dnsmasq.spec
@ -20,7 +20,7 @@
|
|||||||
|
|
||||||
Name: dnsmasq
|
Name: dnsmasq
|
||||||
Version: 2.81
|
Version: 2.81
|
||||||
Release: 3%{?extraversion:.%{extraversion}}%{?dist}
|
Release: 4%{?extraversion:.%{extraversion}}%{?dist}
|
||||||
Summary: A lightweight DHCP/caching DNS server
|
Summary: A lightweight DHCP/caching DNS server
|
||||||
|
|
||||||
License: GPLv2 or GPLv3
|
License: GPLv2 or GPLv3
|
||||||
@ -38,6 +38,8 @@ Source4: http://www.thekelleys.org.uk/srkgpg.txt
|
|||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1495409
|
||||||
Patch1: dnsmasq-2.77-underflow.patch
|
Patch1: dnsmasq-2.77-underflow.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1852373
|
||||||
|
Patch2: dnsmasq-2.81-configuration.patch
|
||||||
Patch3: dnsmasq-2.78-fips.patch
|
Patch3: dnsmasq-2.78-fips.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1728701
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1728701
|
||||||
Patch7: dnsmasq-2.80-rh1728701.patch
|
Patch7: dnsmasq-2.80-rh1728701.patch
|
||||||
@ -106,12 +108,6 @@ for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
|||||||
sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
|
sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
|
||||||
done
|
done
|
||||||
|
|
||||||
# fix the path to the trust anchor
|
|
||||||
sed -i 's|%%%%PREFIX%%%%|%{_prefix}|' dnsmasq.conf.example
|
|
||||||
|
|
||||||
#set dnsmasq user / group
|
|
||||||
sed -i 's|#user=|user=dnsmasq|' dnsmasq.conf.example
|
|
||||||
sed -i 's|#group=|group=dnsmasq|' dnsmasq.conf.example
|
|
||||||
#set default user /group in src/config.h
|
#set default user /group in src/config.h
|
||||||
sed -i 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|' src/config.h
|
sed -i 's|#define CHUSER "nobody"|#define CHUSER "dnsmasq"|' src/config.h
|
||||||
sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
|
sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
|
||||||
@ -119,14 +115,6 @@ sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
|
|||||||
# optional parts
|
# optional parts
|
||||||
sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile
|
sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile
|
||||||
|
|
||||||
#enable /etc/dnsmasq.d fix bz 526703, ignore RPM backup files
|
|
||||||
cat << EOF >> dnsmasq.conf.example
|
|
||||||
|
|
||||||
# Include all files in /etc/dnsmasq.d except RPM backup files
|
|
||||||
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
|
|
||||||
EOF
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
|
%make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
|
||||||
%make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
|
%make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
|
||||||
@ -198,6 +186,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
|
|||||||
%{_mandir}/man1/dhcp_*
|
%{_mandir}/man1/dhcp_*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 30 2020 Petr Menšík <pemensik@redhat.com> - 2.81-4
|
||||||
|
- Accept queries only from localhost (CVE-2020-14312)
|
||||||
|
|
||||||
* Mon May 11 2020 Petr Menšík <pemensik@redhat.com> - 2.81-3
|
* Mon May 11 2020 Petr Menšík <pemensik@redhat.com> - 2.81-3
|
||||||
- Correct multiple entries with the same mac address (#1834454)
|
- Correct multiple entries with the same mac address (#1834454)
|
||||||
|
|
||||||
|
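Review bot: Removing `sed -i 's|%%%%PREFIX%%%%|%{_prefix}|' dnsmasq.conf.example` in the -106,12 +108,6 hunk replaces a `%{_prefix}`-derived trust-anchor path with the literal `/usr/share/dnsmasq/trust-anchors.conf` carried in Patch2, so a non-default `_prefix` would no longer be reflected in the example; if that is intended, a comment next to the new `Patch2:` line such as `# replaces the sed edits of dnsmasq.conf.example formerly done in %prep` would tell the next maintainer where the user/group, conf-dir and prefix edits went. The `for file in dnsmasq.conf.example ...` lease-path loop above that hunk (its header is outside the visible lines) still lists dnsmasq.conf.example although Patch2 now sets that path directly; the sed is a harmless no-op there, but dropping the file from the list would make the remaining loop's purpose clearer. Whether Patch2 is actually applied depends on the %prep section, which is not visible here (e.g. `%autosetup -p1` versus explicit `%patch` lines), so that should be confirmed.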