How to secure an open dnsmasq on the Internet?

I want to set up a couple of open DNS servers, like Google Public DNS, to learn about some technologies. I decided to have them open so I can learn about high availability, performance optimization, etc.
My question is: how do I secure these dnsmasq servers? I know with default settings it is open to recursive queries and DDoS, also cache poisoning, etc. Is there any tutorial about securing such a server?
I prefer dnsmasq because it's relatively easy to configure. But if it is too insecure by design, then I guess I could consider "unbound" or some other alternatives (not a big fan).

Comments

  • Use iptables to limit port 53 access to only your IP.

  • @sleddog said:
    Use iptables to limit port 53 access to only your IP.

    Thanks. But I don't want to limit the access to only my IP, I want to let random people use it so I can have high load on it. My only concern is to stop malicious use (i.e. DDoS & cache poisoning).

  • How about this for recursive:

    # Record the source address of every UDP/53 packet whose payload contains
    # 00 00FF 0001 (QNAME terminator, QTYPE ANY, QCLASS IN) at or after byte 50
    iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery --rsource

    # Drop such a packet if the same source was recorded within the last 10 seconds.
    # The --set rule above has already recorded this very packet, so the check
    # succeeds on the first ANY query too: in practice every matching packet is dropped.
    iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 1 -j DROP
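To see what those byte-matching rules actually catch, here is an added example (not from this thread, and not part of dnsmasq or iptables) that builds DNS queries, parses the question section properly, and emulates the `-m string --from 50 --hex-string '|0000FF0001|'` match on the resulting packet. It assumes IPv4 without options, so the question section starts 20 (IP) + 8 (UDP) + 12 (DNS header) = 40 bytes into the packet, and that the `--from` offset is counted from the start of the IP header; the names and queries are constructed, not captured traffic.

```python
import struct
from typing import Tuple

# Assumptions (not stated in the thread): IPv4 without options, so the DNS
# question section begins 20 (IP) + 8 (UDP) + 12 (DNS header) = 40 bytes into
# the packet, and the string match counts --from offsets from the IP header.
IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
DNS_HDR_LEN = 12
QUESTION_OFFSET = IPV4_HDR_LEN + UDP_HDR_LEN + DNS_HDR_LEN  # 40

QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1

# The bytes the posted rules look for: QNAME terminator (00), QTYPE ANY (00FF),
# QCLASS IN (0001).
ANY_IN_PATTERN = bytes.fromhex("0000FF0001")


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a recursive query (RD=1) with one question, as a resolver sees it on UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(payload: bytes) -> Tuple[str, int, int]:
    """Parse the first question of a DNS message into (name, qtype, qclass)."""
    if len(payload) < DNS_HDR_LEN:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos = DNS_HDR_LEN
    labels = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def is_any_query(payload: bytes) -> bool:
    """What a real parser concludes: is the question QTYPE ANY in class IN?"""
    _, qtype, qclass = parse_question(payload)
    return qtype == QTYPE_ANY and qclass == QCLASS_IN


def string_match_hits(payload: bytes, from_offset: int = 50) -> bool:
    """Emulate `-m string --from N --hex-string '|0000FF0001|'` on the IP packet.

    The IP and UDP headers are zero placeholders; only their length matters.
    """
    packet = b"\x00" * (IPV4_HDR_LEN + UDP_HDR_LEN) + payload
    return packet.find(ANY_IN_PATTERN, from_offset) != -1


if __name__ == "__main__":
    # Constructed sample queries, not captured traffic.
    samples = [("example.com", QTYPE_ANY), ("example.com", QTYPE_A),
               ("a.com", QTYPE_ANY), ("abcd.com", QTYPE_ANY), ("abcde.com", QTYPE_ANY)]
    for name, qtype in samples:
        q = build_query(name, qtype)
        # The pattern is always the last 5 bytes of the DNS payload.
        pattern_at = IPV4_HDR_LEN + UDP_HDR_LEN + len(q) - 5
        print(f"{name:12} qtype={qtype:3}  parser says ANY={is_any_query(q)!s:5} "
              f"rule hits={string_match_hits(q)!s:5}  pattern starts at byte {pattern_at}")
```

Under these assumptions the `--from 50` of the posted rules skips the first 10 bytes of the question, so an ANY query for a name whose encoded form is shorter than 11 bytes (`a.com`, `abcd.com`) lands before offset 50 and is not matched, while `abcde.com` and longer names are. Starting the search at 40 (the question offset) catches them all, at the cost of a few more bytes scanned per packet. For ip6tables the fixed IPv6 header is 40 bytes rather than 20, so the same offsets shift by 20. The emulation also shows the difference between matching bytes and parsing: the rule knows nothing about the DNS message, it only finds a 5-byte sequence, which is fine for the ANY-amplification case but is no substitute for rate limiting ordinary queries per source.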
