How to secure an open dnsmasq on the Internet?
elwebmaster
Member
in General
I want to set up a couple of open DNS servers, like Google Public DNS, to learn about some technologies. I decided to have them open so I can learn about high availability, performance optimization, etc.
My question is: how do I secure these dnsmasq servers? I know with default settings it is open to recursive queries and DDOS, also cache poisoning, etc. Is there any tutorial about securing such a server?
I prefer dnsmasq because it's relatively easy to configure. But if it is too insecure by design, then I guess I could consider "unbound" or some other alternatives (not a big fan).
Comments
Use iptables to limit port 53 access to only your IP.
Thanks. But I don't want to limit the access to only my IP, I want to let random people use it so I can have high load on it. My only concern is to stop malicious use (i.e. DDOS & cache poisoning).
How about this for recursive:
iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery --rsource
iptables -A INPUT -p udp -m udp --dport 53 -m string --from 50 --algo bm --hex-string "|0000FF0001|" -m recent --name dnsanyquery --rcheck --seconds 10 --hitcount 1 -j DROP
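To show what those two rules actually key on, here is an added example (not the poster's code) that decodes the question section of a DNS query, recognises the ANY/IN pattern the `|0000FF0001|` hex-string matches, and applies a per-source "seen within 10 seconds" check like the `recent` module; the sample queries and source address are constructed for the demo.

```python
import struct
import time
from typing import Dict, Optional, Tuple

DNS_TYPE_ANY = 255   # qtype 0x00FF: the "0000FF" part of |0000FF0001|
DNS_CLASS_IN = 1     # qclass 0x0001: the "0001" part


def parse_question(payload: bytes) -> Tuple[str, int, int]:
    """Decode the first question of a DNS query: (qname, qtype, qclass).
    Handles plain uncompressed names, which is all a client query carries."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def build_query(name: str, qtype: int, qclass: int = DNS_CLASS_IN, txid: int = 0x1234) -> bytes:
    """Build a minimal standard query (constructed sample input for this example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


class AnyQueryFilter:
    """Per-source filter in the spirit of the 'recent' rules: an ANY/IN query is
    dropped when the same source already sent one within `window` seconds.
    Every ANY query refreshes the timestamp (like --set); other types pass."""

    def __init__(self, window: float = 10.0):
        self.window = window
        self.last_seen: Dict[str, float] = {}

    def allow(self, src: str, payload: bytes, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        _, qtype, qclass = parse_question(payload)
        if not (qtype == DNS_TYPE_ANY and qclass == DNS_CLASS_IN):
            return True
        prev = self.last_seen.get(src)
        self.last_seen[src] = now
        return prev is None or now - prev > self.window
```

Note that the filter here lets the first ANY query through, whereas the two rules as posted `--set` the entry and then `--rcheck` it with `--hitcount 1` in the same pass, so they drop every ANY query from any source.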