[Bug 1414887] Re: dns query from localnetwork ignored

Tong Sun 1414887 at bugs.launchpad.net
Sat Jan 31 03:33:59 UTC 2015


Ah, thanks Thomas. You led me in the right direction.

As Simon Kelley, the author of dnsmasq, said in the new dnsmasq manpage,
`local-service` is intended to be set as a default on installation, to
allow unconfigured installations to be useful...  it will have no
effect, but for otherwise-unconfigured installations, it stops dnsmasq
from being vulnerable to DNS-reflection attacks. I'm changing this bug
report to bear the purpose of having dnsmasq better configured out of
the box for Ubuntu (14.10+).

- First, as suggested by the author of dnsmasq, `local-service` should
be in the default configuration. However, Ubuntu 14.10 doesn't have
that:

% cat /etc/dnsmasq.conf /etc/dnsmasq.d/network-manager | sed '/^$/d; /^#/d'
bind-interfaces

- Second, unlike its previous version, Ubuntu 14.10 now starts dnsmasq
in a very restricted way. Here is what I found out about how dnsmasq is
started in Ubuntu 14.10:

 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces
   --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid
   --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf
   --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
   --conf-dir=/etc/NetworkManager/dnsmasq.d

I.e., that `--listen-address=127.0.1.1` will willfully ignore any DNS
queries from the local network. This is the exact cause of the symptom
that I reported.

I believe this setting should not be there, because

1. for people who need the setting, it is very easy to put it into a conf file under /etc/dnsmasq.d/;
2. however, it makes it very, very difficult for people who don't need it to get rid of it without altering the package installation;
3. Ubuntu should really ship the default setting of `local-service` instead of `listen-address`, because it is a safer default and not invasive in the meantime. It will "have no effect" but for an otherwise-unconfigured installation.

Please consider.

Meanwhile, is there any better way to get rid of that
`--listen-address=127.0.1.1`? The last thing I want is to alter the
package installation.

Thanks


** Changed in: dnsmasq (Ubuntu)
       Status: Incomplete => New
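A small audit script for the two configurations compared in the report above (the stock Ubuntu 14.10 dnsmasq.conf and the NetworkManager command line), added here as an example and not code from the bug report, from dnsmasq or from Ubuntu. The sample inputs are constructed from the report; the rule that `interface`, `except-interface`, `listen-address` and `auth-server` make `local-service` a no-op is taken from the dnsmasq manpage.

```python
"""Audit dnsmasq listening options (added example; not code from the bug report or dnsmasq)."""
import shlex

# Options that make local-service a no-op, per the dnsmasq manpage.
OVERRIDES = {"interface", "except-interface", "listen-address", "auth-server"}

def parse_dnsmasq_conf(text):
    """Parse dnsmasq.conf lines ('key' or 'key=value', '#' comments) into (key, value) pairs.
    Assumption: quoting and line continuation, which dnsmasq supports, are not handled."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # same effect as the sed '/^$/d; /^#/d' filter
        if line:
            key, sep, value = line.partition("=")
            opts.append((key.strip(), value.strip() if sep else None))
    return opts

def parse_cmdline(cmdline):
    """Parse '--key' / '--key=value' flags from a dnsmasq command line into the same shape."""
    opts = []
    for tok in shlex.split(cmdline):
        if tok.startswith("--"):
            key, sep, value = tok[2:].partition("=")
            opts.append((key, value if sep else None))
    return opts

def classify(opts):
    """Return who dnsmasq will answer: 'loopback-only', 'explicit', 'local-service' or 'open'."""
    keys = {k for k, _ in opts}
    addrs = [v for k, v in opts if k == "listen-address" and v]
    if addrs and all(a.startswith("127.") or a == "::1" for a in addrs):
        return "loopback-only"      # the NetworkManager case: LAN queries are ignored
    if keys & OVERRIDES:
        return "explicit"           # restricted, and local-service (if present) has no effect
    if "local-service" in keys:
        return "local-service"      # answers only hosts on directly attached subnets
    return "open"                   # answers any reachable source: reflection/amplification risk

# Constructed inputs modelled on the bug report.
NM_CMDLINE = ("/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces "
              "--listen-address=127.0.1.1 --cache-size=0 --proxy-dnssec")
UBUNTU_1410_CONF = "# comments and blank lines are dropped\n\nbind-interfaces\n"
PROPOSED_CONF = "local-service\nbind-interfaces\n"

if __name__ == "__main__":
    print("NetworkManager:", classify(parse_cmdline(NM_CMDLINE)))
    print("Ubuntu 14.10:", classify(parse_dnsmasq_conf(UBUNTU_1410_CONF)))
    print("proposed:", classify(parse_dnsmasq_conf(PROPOSED_CONF)))
```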

https://bugs.launchpad.net/bugs/1414887