DNSMasq bind-dynamic

Submitted by -
Status: New Idea

Feature request:

Enable DNSMasq bind-dynamic. Disable DNSMasq binding to 0.0.0.0 (all interfaces). Only bind to listen-on interfaces and do not bind to excluded interfaces.

 

Business case:

Need to run split-horizon DNS with two DNS servers: DNSMasq serving the internal network and another DNS product, like acme-dns, serving Internet requests.

 

Technical details:

Standard OS-agnostic behavior for DNSMasq is binding to all interfaces (0.0.0.0) even if it is only accepting requests from a specific subset of interfaces. Current versions of DNSMasq support a new command line option that only works on Linux and prevents binding to excluded interfaces while still supporting binding to interfaces that are not up at the time DNSMasq is started. There is no reason not to use this option on Linux.

 

Proposed changes:

 

/etc/init.d/dnsmasq

Old config

# This tells dnsmasq to ignore DNS requests that don't come from a local network.
# It's automatically ignored if  --interface --except-interface, --listen-address 
# or --auth-server exist in the configuration, so for most installations, it will
# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
# from being vulnerable to DNS-reflection attacks.

DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"

# If the dns-root-data package is installed, then the trust anchors will be 
# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
# --trust-anchor options.

New config

# This tells dnsmasq to ignore DNS requests that don't come from a local network.
# It's automatically ignored if  --interface --except-interface, --listen-address 
# or --auth-server exist in the configuration, so for most installations, it will
# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
# from being vulnerable to DNS-reflection attacks.

DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service --bind-dynamic"

# If the dns-root-data package is installed, then the trust anchors will be 
# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
# --trust-anchor options.

The proposed config retains the current functionality while allowing other DNS products to run on the interfaces excluded from DNSMasq.
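As an added example (not part of the original request, the start-up script, or the dnsmasq project), the following script builds the split-horizon dnsmasq.conf the request describes and checks a UDP socket listing for the symptom the request wants to remove: a dnsmasq socket bound to the wildcard address on port 53. The interface names (eth0, eth1), the IP addresses, the PIDs and the two socket listings are constructed assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the dnsmasq project.
# Builds a split-horizon dnsmasq.conf that uses bind-dynamic and listens
# only on the internal interface, and checks a UDP socket listing for a
# dnsmasq socket bound to the wildcard address. Interface names and IP
# addresses below are assumptions chosen for illustration.

# Emit a dnsmasq.conf fragment: answer only on the internal interface and
# bind per-address sockets, so the excluded interface stays free for
# another DNS daemon such as acme-dns.
make_dnsmasq_conf() {
    lan_if="$1"
    wan_if="$2"
    cat <<EOF
# Serve DNS on the internal interface only; the public one is excluded.
interface=${lan_if}
except-interface=${wan_if}
# Bind to the addresses of the listed interfaces instead of 0.0.0.0, and
# pick ${lan_if} up later if it is not yet up at start-up (Linux only).
bind-dynamic
# Still refuse queries that do not originate from a local subnet.
local-service
EOF
}

# Given the output of "ss -ulnp -H" (one UDP listener per line, no header,
# local address in the fourth column), return 0 if dnsmasq has a port-53
# socket on 0.0.0.0, * or [::], else 1.
has_wildcard_dns_bind() {
    printf '%s\n' "$1" | awk '
        /dnsmasq/ && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):53$/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample listing for the stock start-up script: dnsmasq binds
# every address, so nothing else can take port 53 on the public side.
SAMPLE_DEFAULT='UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=4))
UNCONN 0 0 [::]:53 [::]:* users:(("dnsmasq",pid=1234,fd=5))'

# Constructed sample after adding --bind-dynamic: dnsmasq holds only the
# LAN and loopback addresses (dnsmasq adds loopback when --interface is
# used) and acme-dns owns port 53 on the public address.
SAMPLE_DYNAMIC='UNCONN 0 0 192.168.1.1:53 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=4))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=1234,fd=5))
UNCONN 0 0 203.0.113.5:53 0.0.0.0:* users:(("acme-dns",pid=2345,fd=7))'

make_dnsmasq_conf eth1 eth0
if has_wildcard_dns_bind "$SAMPLE_DEFAULT"; then
    echo "stock config: dnsmasq holds the wildcard socket on port 53"
fi
if ! has_wildcard_dns_bind "$SAMPLE_DYNAMIC"; then
    echo "bind-dynamic: no wildcard socket, port 53 is shared per address"
fi
```

On a live host, feed the checker with `has_wildcard_dns_bind "$(ss -ulnp -H)"` after restarting dnsmasq; a non-zero return means no dnsmasq wildcard socket is left and the second daemon can bind port 53 on the excluded interface's address.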

Comments
by
01-07-2019 11:16 AM - edited 01-07-2019 11:17 AM

Something happened with the CODE section.

 

/etc/init.d/dnsmasq

Existing config

# This tells dnsmasq to ignore DNS requests that don't come from a local network.
# It's automatically ignored if  --interface --except-interface, --listen-address 
# or --auth-server exist in the configuration, so for most installations, it will
# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
# from being vulnerable to DNS-reflection attacks.

DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"

# If the dns-root-data package is installed, then the trust anchors will be 
# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
# --trust-anchor options.

Proposed config

# This tells dnsmasq to ignore DNS requests that don't come from a local network.
# It's automatically ignored if  --interface --except-interface, --listen-address 
# or --auth-server exist in the configuration, so for most installations, it will
# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
# from being vulnerable to DNS-reflection attacks.

DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service --bind-dynamic"

# If the dns-root-data package is installed, then the trust anchors will be 
# available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
# --trust-anchor options.