Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
Hi all,
I have another note about dnsmasq that may be considered a security problem.
I have installed LXD, which installs dnsmasq by default (as a dependency
before, but now, as far as I can see, as a recommended package).
The default configuration of dnsmasq makes it listen on all IP
addresses. So it opens a DNS resolver to the public internet, which can
be used in DDoS attacks. [1]
If I install dnsmasq explicitly myself I might be aware of that. Having
installed lxd I did not think of this and expected dnsmasq to be used
only locally.
Not sure how to deal with this issue. Is it possible to adjust dnsmasq
config defaults when it gets installed along with lxd?
If not, it should be mentioned as a warning in package documentation
somehow.
What do you think?
best regards,
Carsten
[1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-DNS-Resolver/Offene-DNS-Resolver_node.html
On 04.12.22 at 23:09, Sylvain Tgz wrote:
Hello Mathias,
Thank you for your reply.
The bug is opened for dnsmasq suggestion.
@Clément, I just saw (by mailing list archive) that you had also
answered but I have not received your email. (I'm not subscribed to
debian-go mailing list). Mathias did not have the same problem. I
think you have an issue ;)
Thanks a lot
Sylvain
--
Best regards,
Carsten Brandt
--
cebe.cloud - Carsten Brandt
cb@cebe.cloud
https://cebe.cloud/
Tel.: +49 5181 284 998 51
cebe Internet GmbH
Leinstr. 3
31061 Alfeld (Leine)
Germany
Managing Director: Carsten Brandt
Court of registration: Amtsgericht Hildesheim
Registration number: HRB 20 59 19
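
An added example (not part of the original email or of the Debian packaging) that audits a dnsmasq configuration for the exposure described in this message: it classifies where the DNS listener would answer, based on dnsmasq's `interface`, `listen-address`, `except-interface`, `auth-server`, `local-service` and `port` options. The result labels, the sample configs and the bridge name `lxdbr0` are assumptions made for illustration.

```python
import ipaddress

# Ranges treated as non-public for this check (loopback, RFC 1918, IPv6 ULA/link-local).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]

def parse_dnsmasq_conf(text):
    """Return {option: [values]}; flag options such as bind-interfaces map to ['']."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).extend(v.strip() for v in value.split(","))
    return opts

def dns_exposure(text):
    """Classify where dnsmasq would answer DNS queries, given its config text."""
    o = parse_dnsmasq_conf(text)
    if o.get("port") == ["0"]:
        return "dns-disabled"                    # port=0 turns the DNS function off
    addrs = [ipaddress.ip_address(a) for a in o.get("listen-address", []) if a]
    ifaces = [i for i in o.get("interface", []) if i]
    if any(not any(a in n for n in INTERNAL) for a in addrs):
        return "public-address"                  # explicitly listening on a routable IP
    if addrs or ifaces:
        return "scoped"                          # limited to named interfaces/addresses
    # local-service only takes effect when no scoping option is present
    blockers = {"except-interface", "auth-server"}
    if "local-service" in o and not blockers & o.keys():
        return "local-subnets-only"
    return "all-interfaces"                      # nothing narrows the listener

# Constructed sample configs (lxdbr0 is an assumed bridge name;
# 203.0.113.5 is a documentation address standing in for a public IP).
SAMPLES = {
    "empty": "",
    "bridge": "interface=lxdbr0\nbind-interfaces\n",
    "local": "local-service\n",
    "routable": "listen-address=127.0.0.1,203.0.113.5\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name:9} -> {dns_exposure(conf)}")
```

A result of `scoped` only means the listener is tied to named interfaces or internal addresses; whether a named interface is itself internet-facing has to be checked on the host.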