[Bug 1306646] Re: dnsmasq provides recursive answers to the Internet by default
Ryan Beisner
1306646 at bugs.launchpad.net
Mon Apr 14 15:02:44 UTC 2014
Curiosity fueled a couple of tests on this. In checking 2 common
scenarios, at least one use case confirms.
Aside from this confirmation, a bigger-picture question could be: in
principle, how is 53 being open and interactive by default any different
than 80, 22, or 137-139 being open and interactive by default, when
dnsmasq is not installed by default? If a user chooses to add a
service, whether that is ssh, samba, apache, dnsmasq, or others, in what
scenarios are we to protect the user against him/herself? One could
argue that all of those protocols are subject to abuse. In other words
- this could be a slippery slope.
Having said that little devil's advocate bit, I am *all for* making sure
our default behavior is to not have an open recursive DNS server.
Here's what I found:
[test0]: Trusty default server install + "Virtual Machine Host" package selection (ok)
[test1]: Trusty default server install + install dnsmasq (CONFIRMS open recursive DNS condition)
##### [test0] #####
Trusty default server install + "Virtual Machine Host" package selection
* This method does not result in an open recursive DNS server.
* The default ip interface layout follows; eth0 is connected and has
obtained an address via dhcp; libvirt has created virbr0 interface, and
dnsmasq is listening only on the virbr0 interface (192.168.122.1).
rbeisner at isotest0:~$ sudo ip addr | grep gl
inet 10.4.5.132/24 brd 10.4.5.255 scope global eth0
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
rbeisner at isotest0:~$ sudo netstat -taupn | egrep ':22|:53'
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1148/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 852/sshd
tcp6 0 0 :::22 :::* LISTEN 852/sshd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1148/dnsmasq
* The default iptables firewall rules for this use case follow;
Destination ports 53 tcp & udp are explicitly allowed in the virbr0
interface. DNS ports are not disallowed anywhere, and there isn't a
default drop or reject rule in the input chain. But because dnsmasq is
only bound to the virbr0 interface, it should not be accessible on any
other interface, even if all iptables rules are flushed.
beisner at isotest0:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 19526 packets, 29M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * virbr0 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- virbr0 * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 10169 packets, 592K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * virbr0 0.0.0.0/0 0.0.0.0/0 udp dpt:68
* Flush iptables, all traffic allowed:
rbeisner at isotest0:~$ sudo iptables -F
rbeisner at isotest0:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 39 packets, 2712 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 20 packets, 1792 bytes)
pkts bytes target prot opt in out source destination
* Port scans from a neighboring node confirm that tcp and udp 53 are
closed on the world-facing interface:
rbeisner at bcu:~$ sudo nmap -sU -p 53 10.4.5.132 | grep 53
53/udp closed domain
rbeisner at bcu:~$ sudo nmap -sT -p 53 10.4.5.132 | grep 53
53/tcp closed domain
rbeisner at bcu:~$ sudo nmap -sT -p 22 10.4.5.132 | grep 22
22/tcp open ssh
...
##### [test1] #####
Trusty default server install + install dnsmasq (CONFIRMS open recursive DNS condition)
* CONFIRMS the default condition to be an open recursive DNS server /!\.
* DNS query from a neighboring host succeeds:
rbeisner at isotest0:~$ dig @10.4.5.143 thekelleys.org.uk +short
213.138.109.107
* Port scans from a neighboring node confirm that tcp and udp 53 are
open on the world-facing interface:
rbeisner at isotest0:~$ sudo nmap -sU -p 53 10.4.5.143 | grep 53
53/udp open domain
rbeisner at isotest0:~$ sudo nmap -sT -p 53 10.4.5.143 | grep 53
53/tcp open domain
* dnsmasq is listening on all ip interfaces, also iptables isn't
restricting it:
rbeisner at isotest1:~$ sudo netstat -taupn | egrep ':22|:53'
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2581/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2142/sshd
tcp6 0 0 :::53 :::* LISTEN 2581/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 2142/sshd
udp 0 0 0.0.0.0:53 0.0.0.0:* 2581/dnsmasq
udp6 0 0 :::53 :::* 2581/dnsmasq
rbeisner at isotest1:~$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 30200 packets, 42M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 15576 packets, 1024K bytes)
pkts bytes target prot opt in out source destination
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1306646
Title:
dnsmasq provides recursive answers to the Internet by default
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1306646/+subscriptions
More information about the Ubuntu-server-bugs
mailing list