-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/init | 8 | ||||
-rw-r--r-- | src/dnsmasq.c | 3 |
3 files changed, 17 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index a6d372d..6854de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
 dnsmasq (2.69-1) unstable; urgency=low
 * New upstream.
+ * Set --local-service. (closes: #732610)
+ This tells dnsmasq to ignore DNS requests that don't come from a local network.
+ It's automatically ignored if --interface --except-interface, --listen-address
+ or --auth-server exist in the configuration, so for most installations, it will
+ have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+ from being vulnerable to DNS-reflection attacks.
 -- Simon Kelley <simon@thekelleys.org.uk> Tue, 4 Feb 2014 16:28:12 +0000
diff --git a/debian/init b/debian/init
index df4dc08..6f35dd1 100644
--- a/debian/init
+++ b/debian/init
@@ -90,6 +90,14 @@ if [ ! "$DNSMASQ_USER" ]; then
 DNSMASQ_USER="dnsmasq"
 fi
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if --interface --except-interface, --listen-address
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"
+
 start()
 {
 # Return
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 937fb2b..9ac1a37 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -661,6 +661,9 @@ int main (int argc, char **argv)
 my_syslog(LOG_INFO, _("DBus support enabled: bus connection pending"));
 }
 #endif
+
+ if (option_bool(OPT_LOCAL_SERVICE))
+ my_syslog(LOG_INFO, _("DNS service limited to local subnets"));
 #ifdef HAVE_DNSSEC
 if (option_bool(OPT_DNSSEC_VALID)) |
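Review bot: The comment added above `DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"` does not say what counts as "local", and that is the part an administrator most needs. dnsmasq's `--local-service` accepts queries from any address on a subnet the host has an interface in, so a machine with an address in a large shared or public subnet still answers its neighbours. I would add a line such as `# "Local" means any subnet this host has an interface on; on a shared or public subnet, restrict the listener explicitly or filter port 53.` The same comment is also missing a comma after `--interface`. The assignment runs unconditionally at top level, so as far as this hunk shows the defaults file offers no way to turn it off; start() begins after the hunk and is not fully visible.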
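Review bot: The new `my_syslog(LOG_INFO, _("DNS service limited to local subnets"));` line is keyed only on `option_bool(OPT_LOCAL_SERVICE)`, yet the changelog in this commit says the option is ignored when --interface, --except-interface, --listen-address or --auth-server is configured. Whether the flag is cleared in that case before execution reaches this point is not visible in the hunk. If it is not, syslog would report a restriction that is not in force, which misleads anyone auditing exposure from the logs. Worth confirming, and a one-line comment above the `if` naming where the flag is reset would record the dependency. main() starts and ends outside the hunk.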