93 lines
3.3 KiB
Diff
93 lines
3.3 KiB
Diff
From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
Date: Tue, 30 Jun 2020 18:06:29 +0200
|
|
Subject: [PATCH] Modify upstream configuration to safe defaults
|
|
|
|
Most important change would be to listen only on localhost. Default
|
|
configuration should not listen to request from remote hosts. Match also
|
|
user and paths to directories shipped in Fedora.
|
|
---
|
|
dnsmasq.conf.example | 24 +++++++++++++++++++-----
|
|
1 file changed, 19 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
|
|
index bf19424..36fba33 100644
|
|
--- a/dnsmasq.conf.example
|
|
+++ b/dnsmasq.conf.example
|
|
@@ -22,7 +22,7 @@
|
|
|
|
# Uncomment these to enable DNSSEC validation and caching:
|
|
# (Requires dnsmasq to be built with DNSSEC option.)
|
|
-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
|
|
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
|
|
#dnssec
|
|
|
|
# Replies which are not DNSSEC signed may be legitimate, because the domain
|
|
@@ -96,14 +96,16 @@
|
|
|
|
# If you want dnsmasq to change uid and gid to something other
|
|
# than the default, edit the following lines.
|
|
-#user=
|
|
-#group=
|
|
+user=dnsmasq
|
|
+group=dnsmasq
|
|
|
|
# If you want dnsmasq to listen for DHCP and DNS requests only on
|
|
# specified interfaces (and the loopback) give the name of the
|
|
# interface (eg eth0) here.
|
|
# Repeat the line for more than one interface.
|
|
#interface=
|
|
+# Listen only on localhost by default
|
|
+interface=lo
|
|
# Or you can specify which interface _not_ to listen on
|
|
#except-interface=
|
|
# Or which to listen on by address (remember to include 127.0.0.1 if
|
|
@@ -114,6 +116,10 @@
|
|
# disable DHCP and TFTP on it.
|
|
#no-dhcp-interface=
|
|
|
|
+# Serve DNS and DHCP only to networks directly connected to this machine.
|
|
+# Any interface= line will override it.
|
|
+#local-service
|
|
+
|
|
# On systems which support it, dnsmasq binds the wildcard address,
|
|
# even when it is listening on only some interfaces. It then discards
|
|
# requests that it shouldn't reply to. This has the advantage of
|
|
@@ -121,7 +127,11 @@
|
|
# want dnsmasq to really bind only the interfaces it is listening on,
|
|
# uncomment this option. About the only time you may need this is when
|
|
# running another nameserver on the same machine.
|
|
-#bind-interfaces
|
|
+#
|
|
+# To listen only on localhost and do not receive packets on other
|
|
+# interfaces, bind only to lo device. Comment out to bind on single
|
|
+# wildcard socket.
|
|
+bind-interfaces
|
|
|
|
# If you don't want dnsmasq to read /etc/hosts, uncomment the
|
|
# following line.
|
|
@@ -535,7 +545,7 @@
|
|
# The DHCP server needs somewhere on disk to keep its lease database.
|
|
# This defaults to a sane location, but if you want to change it, use
|
|
# the line below.
|
|
-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
|
|
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
|
|
|
|
# Set the DHCP server to authoritative mode. In this mode it will barge in
|
|
# and take over the lease for any client which broadcasts on the network,
|
|
@@ -673,7 +683,11 @@
|
|
# Include all files in a directory which end in .conf
|
|
#conf-dir=/etc/dnsmasq.d/,*.conf
|
|
|
|
+# Include all files in /etc/dnsmasq.d except RPM backup files
|
|
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
|
|
+
|
|
# If a DHCP client claims that its name is "wpad", ignore that.
|
|
# This fixes a security hole. see CERT Vulnerability VU#598349
|
|
#dhcp-name-match=set:wpad-ignore,wpad
|
|
#dhcp-ignore-names=tag:wpad-ignore
|
|
+
|
|
--
|
|
2.26.2
|
|
|