|
 |
97b69aa |
From 194e7521399048e37c5c2cff18b9c8d442b893ae Mon Sep 17 00:00:00 2001
|
|
|
744ba31 |
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
|
744ba31 |
Date: Tue, 30 Jun 2020 18:06:29 +0200
|
|
|
744ba31 |
Subject: [PATCH] Modify upstream configuration to safe defaults
|
|
|
744ba31 |
|
|
|
744ba31 |
Most important change would be to listen only on localhost. Default
|
|
|
744ba31 |
configuration should not listen to request from remote hosts. Match also
|
|
|
744ba31 |
user and paths to directories shipped in Fedora.
|
|
|
744ba31 |
---
|
|
|
97b69aa |
dnsmasq.conf.example | 29 ++++++++++++++++++++++++-----
|
|
|
97b69aa |
1 file changed, 24 insertions(+), 5 deletions(-)
|
|
|
744ba31 |
|
|
|
744ba31 |
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
|
|
|
97b69aa |
index bf19424..8b85f44 100644
|
|
|
744ba31 |
--- a/dnsmasq.conf.example
|
|
|
744ba31 |
+++ b/dnsmasq.conf.example
|
|
|
744ba31 |
@@ -22,7 +22,7 @@
|
|
|
744ba31 |
|
|
|
744ba31 |
# Uncomment these to enable DNSSEC validation and caching:
|
|
|
744ba31 |
# (Requires dnsmasq to be built with DNSSEC option.)
|
|
|
744ba31 |
-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
|
|
|
744ba31 |
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
|
|
|
744ba31 |
#dnssec
|
|
|
744ba31 |
|
|
|
744ba31 |
# Replies which are not DNSSEC signed may be legitimate, because the domain
|
|
|
744ba31 |
@@ -96,14 +96,16 @@
|
|
|
744ba31 |
|
|
|
744ba31 |
# If you want dnsmasq to change uid and gid to something other
|
|
|
744ba31 |
# than the default, edit the following lines.
|
|
|
744ba31 |
-#user=
|
|
|
744ba31 |
-#group=
|
|
|
744ba31 |
+user=dnsmasq
|
|
|
744ba31 |
+group=dnsmasq
|
|
|
744ba31 |
|
|
|
744ba31 |
# If you want dnsmasq to listen for DHCP and DNS requests only on
|
|
|
744ba31 |
# specified interfaces (and the loopback) give the name of the
|
|
|
744ba31 |
# interface (eg eth0) here.
|
|
|
744ba31 |
# Repeat the line for more than one interface.
|
|
|
744ba31 |
#interface=
|
|
|
744ba31 |
+# Listen only on localhost by default
|
|
|
744ba31 |
+interface=lo
|
|
|
744ba31 |
# Or you can specify which interface _not_ to listen on
|
|
|
744ba31 |
#except-interface=
|
|
|
744ba31 |
# Or which to listen on by address (remember to include 127.0.0.1 if
|
|
|
744ba31 |
@@ -114,6 +116,10 @@
|
|
|
744ba31 |
# disable DHCP and TFTP on it.
|
|
|
744ba31 |
#no-dhcp-interface=
|
|
|
744ba31 |
|
|
|
744ba31 |
+# Serve DNS and DHCP only to networks directly connected to this machine.
|
|
|
744ba31 |
+# Any interface= line will override it.
|
|
|
744ba31 |
+#local-service
|
|
|
744ba31 |
+
|
|
|
744ba31 |
# On systems which support it, dnsmasq binds the wildcard address,
|
|
|
744ba31 |
# even when it is listening on only some interfaces. It then discards
|
|
|
744ba31 |
# requests that it shouldn't reply to. This has the advantage of
|
|
|
97b69aa |
@@ -121,7 +127,16 @@
|
|
|
549005c |
# want dnsmasq to really bind only the interfaces it is listening on,
|
|
|
549005c |
# uncomment this option. About the only time you may need this is when
|
|
|
549005c |
# running another nameserver on the same machine.
|
|
|
549005c |
-#bind-interfaces
|
|
|
549005c |
+#
|
|
|
549005c |
+# To listen only on localhost and do not receive packets on other
|
|
|
549005c |
+# interfaces, bind only to lo device. Comment out to bind on single
|
|
|
549005c |
+# wildcard socket.
|
|
|
549005c |
+bind-interfaces
|
|
|
97b69aa |
+
|
|
|
97b69aa |
+# Comment out above line and uncoment following 2 lines.
|
|
|
97b69aa |
+# Update interface name, use ip link to get its name.
|
|
|
97b69aa |
+#bind-dynamic
|
|
|
97b69aa |
+#interface=eno1
|
|
|
549005c |
|
|
|
549005c |
# If you don't want dnsmasq to read /etc/hosts, uncomment the
|
|
|
549005c |
# following line.
|
|
|
97b69aa |
@@ -535,7 +550,7 @@
|
|
|
744ba31 |
# The DHCP server needs somewhere on disk to keep its lease database.
|
|
|
744ba31 |
# This defaults to a sane location, but if you want to change it, use
|
|
|
744ba31 |
# the line below.
|
|
|
744ba31 |
-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
|
|
|
744ba31 |
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
|
|
|
744ba31 |
|
|
|
744ba31 |
# Set the DHCP server to authoritative mode. In this mode it will barge in
|
|
|
744ba31 |
# and take over the lease for any client which broadcasts on the network,
|
|
|
97b69aa |
@@ -673,7 +688,11 @@
|
|
|
744ba31 |
# Include all files in a directory which end in .conf
|
|
|
744ba31 |
#conf-dir=/etc/dnsmasq.d/,*.conf
|
|
|
744ba31 |
|
|
|
744ba31 |
+# Include all files in /etc/dnsmasq.d except RPM backup files
|
|
|
744ba31 |
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
|
|
|
744ba31 |
+
|
|
|
744ba31 |
# If a DHCP client claims that its name is "wpad", ignore that.
|
|
|
744ba31 |
# This fixes a security hole. see CERT Vulnerability VU#598349
|
|
|
744ba31 |
#dhcp-name-match=set:wpad-ignore,wpad
|
|
|
744ba31 |
#dhcp-ignore-names=tag:wpad-ignore
|
|
|
744ba31 |
+
|
|
|
744ba31 |
--
|
|
|
97b69aa |
2.31.1
|
|
|
744ba31 |
|