
How do I secure my DNS server (dnsmasq)? According to a test site, my DNS server can be exploited

oOc

2 Answers


As far as I know, dnsmasq doesn't support a setting like that. In fact, you shouldn't even use it as an open DNS server; it's not meant for that. dnsmasq is only meant for local networks.

If you want to host your own DNS, I would suggest you switch to BIND, because then you can set the following under `options`:

```
options {
    recursion no;               // refuse recursive queries from clients
    additional-from-cache no;   // do not pad answers with cached additional records
};
```
Broco
  • Thanks for the answer. I somehow had the idea to use https://pi-hole.net/ on a cloud server (installation was even possible with the auto installer, no problems). However, when I started to harden it (ssh, ufw, ...) I started to check for DNS vulnerabilities. Unfortunately I saw it could be exploited for DNS amplification attacks. I guess I wanted to make it work in a way it was not intended. – oOc Sep 23 '16 at 17:07
  • Yes. Basically how this works is that an attacker asks your DNS to send its whole cache and all entries in its hosts file instead of just asking for one specific entry. When doing this request he forges his source IP to be that of the victim he wants to attack. So basically he just sends one small request and your DNS server bombards the victim with a big list. That is why you should either block these requests completely or limit them to specific IPs you trust. – Broco Sep 23 '16 at 18:11
  • I often see it written that **dnsmasq** is not for open networks, but not really a good reason as to why. **dnsmasq** itself is not recursive, as it just forwards the request to the upstream DNS. So if anything it's the hosting service's or ISP's DNS server that performs the attack if not set up properly. Anywho, it works fine in our production setting and, as per the answer below, the `no-resolv` setting prevents forwarding, which is what gets flagged as recursion. – Daniel Sokolowski Feb 11 '19 at 18:09

Alternatively, you can uncomment/add the following in the /etc/dnsmasq.conf file on Debian/Ubuntu:

```
# Do not read upstream servers from /etc/resolv.conf
no-resolv
```
binary.koala
  • Doesn't work for me; I get this message on a RedHat 8.2 client: `** server can't find server1:REFUSED`. I have dnsmasq 2.65 – user2357585 Dec 16 '20 at 16:22
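To confirm that either change (BIND's `recursion no;` or dnsmasq's `no-resolv`) actually closed the server to outside recursion, here is an added example, not code from either answer: a minimal DNS client that sends one recursive query and reports the RCODE (such as the REFUSED seen in the last comment) and the RA flag. It assumes plain UDP on port 53 and uses example.com as a name the server is not authoritative for; run it from a host outside the trusted network.

```python
import socket
import struct

# Constructed lookup table for the RCODE values this check reports on.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build an A-record query with RD=1, i.e. what any recursive client sends."""
    flags = 0x0100  # QR=0, OPCODE=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes, txid: int = 0x1234) -> dict:
    """Extract RCODE, RA and answer count from a DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "ra": bool(flags & 0x0080),  # RA: server offers recursion to this client
        "answers": an,
    }

def is_open_resolver(info: dict) -> bool:
    """True when the server granted recursion and answered a name it is not authoritative for."""
    return info["ra"] and info["rcode"] == "NOERROR" and info["answers"] > 0

def check_server(server: str, name: str = "example.com", timeout: float = 3.0) -> dict:
    """Send one recursive UDP query to `server`:53 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

if __name__ == "__main__":
    import sys
    # Run from a host outside the trusted network: python3 check.py <server-ip>
    result = check_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    verdict = "OPEN RESOLVER" if is_open_resolver(result) else "recursion refused or limited"
    print(result, "->", verdict)
```

A hardened server should come back with RA unset or an RCODE of REFUSED; a NOERROR reply with answers means it still forwards for anyone who asks.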