Improving Dnsmasq
Posted in Security with tags ddos dns dnssec

Besides criticizing DNS, I also try to improve things, both for DNS itself and for the Internet as a whole. Just a few weeks ago I contacted the Dnsmasq community to improve it. The new release is available now for testing and will hopefully be released soon.
Dnsmasq is a lightweight DNS forwarder and DHCP server. It is used in things like OpenWRT, but it is also included by default in recent versions of Ubuntu. Dnsmasq works well in a small network, but it has been a problem on publicly accessible servers, because its DNS forwarding service is publicly accessible by default. That has made it a ready target for use as a reflector in DDoS attacks.
The release candidate of Dnsmasq has a new option (--local-service) that restricts recursive resolving, by default, to the local network. The Debian package maintainer has already said that he will enable it by default, and I will work actively with the other Dnsmasq package maintainers so that they enable it by default too. This will hopefully have a positive impact on global DDoS traffic.