Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq

To: debian-go@lists.debian.org
Cc: tarjaizaid@gmail.com, Mathias Gibbens <gibmat@debian.org>
Subject: Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
From: Carsten Brandt <cb@cebe.cloud>
Date: Fri, 16 Dec 2022 16:52:50 +0100
Message-id: <[🔎] 8aa031f7-038f-963b-e640-e4d8fbd43b2f@cebe.cloud>
In-reply-to: <[🔎] CADJ1h1TOf=FYbeqDws+jcuUwA+veRXmrke-WOBxVaDteuw4pxw@mail.gmail.com>
References: <[🔎] CADJ1h1Q_4cC88fWHczSFvhvL7FPLs98hCL2oy9EEZXaFE8vttw@mail.gmail.com> <[🔎] 3372ead56323c595e3e9f08bfcdfc378a017dd49.camel@debian.org> <[🔎] CADJ1h1TOf=FYbeqDws+jcuUwA+veRXmrke-WOBxVaDteuw4pxw@mail.gmail.com>

Hi all,

I have another note about dnsmasq that may be considered a security problem.

I have installed LXD which installs dnsmasq by default (as a dependencybefore, but now as far as I see as recommended package).

The default configuration of dnsmasq makes it listen on all IPaddresses. So it opens a DNS resolver to the public internet, which canbe used in DDoS attacks. [1]

If I install dnsmasq explicitly myself I might be aware of that. Havinginstalled lxd I did not think of this and expected dnsmasq to be usedonly locally.

Not sure how to deal with this issue. Is it possible to adjust dnsmasqconfig defaults when it becomes installed along with lxd?If not, it should be mentioned as a warning in package documentationsomehow.


What do you think?

best regards,
Carsten

[1]:https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-DNS-Resolver/Offene-DNS-Resolver_node.html




Am 04.12.22 um 23:09 schrieb Sylvain Tgz:

Hello Mathias,

Thank you for your reply.
The bug is opened for dnsmasq suggestion.

@Clément, I just saw (by mailing list archive) that you had also
answered but I have not received your email. (I'm not subscribed to
debian-go mailing ling). Mathias did not have the same problem. I
think you have an issue ;)

Thank a lot

Sylvain


--
Viele Grüße,

Carsten Brandt

--
cebe.cloud - Carsten Brandt

cb@cebe.cloud
https://cebe.cloud/

Tel.: +49 5181 284 998 51

cebe Internet GmbH
Leinstr. 3
31061 Alfeld (Leine)
Germany

Geschäftsführer: Carsten Brandt
Registriergericht: Amtsgericht Hildesheim
Registernummer: HRB 20 59 19

Reply to:

Follow-Ups:
- Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Mathias Gibbens <gibmat@debian.org>

References:
- LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Sylvain Tgz <tarjaizaid@gmail.com>
- Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Mathias Gibbens <gibmat@debian.org>
- Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Sylvain Tgz <tarjaizaid@gmail.com>

Prev by Date: Re: Help fixing gobgp FTBFS
Next by Date: Bug#1026272: ITP: golang-github-go-ozzo-ozzo-validation.v4 -- idiomatic Go (golang) validation package.
Previous by thread: Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
Next by thread: Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
Index(es):
- Date
- Thread