Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq

To: Carsten Brandt <cb@cebe.cloud>, debian-go@lists.debian.org
Cc: tarjaizaid@gmail.com
Subject: Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
From: Mathias Gibbens <gibmat@debian.org>
Date: Tue, 20 Dec 2022 01:10:51 +0000
Message-id: <[🔎] 6c6a3a5181524a8aa36f448555d834059e460784.camel@debian.org>
In-reply-to: <[🔎] 8aa031f7-038f-963b-e640-e4d8fbd43b2f@cebe.cloud>
References: <[🔎] CADJ1h1Q_4cC88fWHczSFvhvL7FPLs98hCL2oy9EEZXaFE8vttw@mail.gmail.com> <[🔎] 3372ead56323c595e3e9f08bfcdfc378a017dd49.camel@debian.org> <[🔎] CADJ1h1TOf=FYbeqDws+jcuUwA+veRXmrke-WOBxVaDteuw4pxw@mail.gmail.com> <[🔎] 8aa031f7-038f-963b-e640-e4d8fbd43b2f@cebe.cloud>

Hi Carsten,

On Fri, 2022-12-16 at 16:52 +0100, Carsten Brandt wrote:
> Hi all,
> 
> I have another note about dnsmasq that may be considered a security
> problem.
> 
> I have installed LXD which installs dnsmasq by default (as a
> dependency before, but now as far as I see as recommended package).

  Correct -- as of lxd 5.0.1-3, dnsmasq is Recommended.

> 
> The default configuration of dnsmasq makes it listen on all IP 
> addresses. So it opens a DNS resolver to the public internet, which
> can be used in DDoS attacks. [1]
> 
> If I install dnsmasq explicitly myself I might be aware of that.
> Having installed lxd I did not think of this and expected dnsmasq to
> be used only locally.
> 
> Not sure how to deal with this issue. Is it possible to adjust
> dnsmasq config defaults when it becomes installed along with lxd?
> If not, it should be mentioned as a warning in package documentation 
> somehow.
> 
> What do you think?

  I spent some time looking into this over the weekend, and in reading
the dnsmasq documentation realized that just dnsmasq-base would be
sufficient for LXD's use, very much like libvirt's packaging. That will
pull in the dnsmasq binary for LXD's use, but not setup a system-wide
service. I've done some testing this afternoon, and things seem to work
properly, so the change of Recommending dnsmasq -> dnsmasq-base will be
included in the next LXD upload.

  More generally, if you're concerned about the default configuration
of dnsmasq, please open a bug against that package. I would hope end-
users will have some sort of firewall between their systems and the
wider Internet to block unintended access to a DNS resolver. It would
be inappropriate for another package (lxd) to try to directly modify
dnsmasq's configuration.

Mathias

> 
> best regards,
> Carsten
> 
> [1]: 
>  
> https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-DNS-Resolver/Offene-DNS-Resolver_node.html

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Carsten Brandt <cb@cebe.cloud>

References:
- LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Sylvain Tgz <tarjaizaid@gmail.com>
- Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Mathias Gibbens <gibmat@debian.org>
- Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Sylvain Tgz <tarjaizaid@gmail.com>
- Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
  - From: Carsten Brandt <cb@cebe.cloud>

Prev by Date: Bug#1026274: ITP: golang-github-vmihailenco-msgpack.v5 -- MessagePack (msgpack.org) encoding for Golang
Next by Date: Re: Help fixing gobgp FTBFS
Previous by thread: Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
Next by thread: Re: LXD packages - feedback and suggestion related to lxd-agent and dnsmasq
Index(es):
- Date
- Thread