Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


DNSMasq -> BIND - Security risk?
New on LowEndTalk? Please Register and read our Community Rules.

DNSMasq -> BIND - Security risk?

DarioXDarioX Member
edited May 2014 in Help

Hello everybody,

I have a question regarding a setup I have. I would like to know if it represents a security risk or it is potentially exploitable as it is configured right now.

Please take a look at its architecture:

This is slightly modified from: https://github.com/corporate-gadfly/Tunlr-Clone

All I do is set as DNS Server the IP of "My VPS". This VPS has DNSMasq and all it does is redircting the traffic to the actual bind server, if the site is in the "accepted sites list", otherwise it just uses Google DNS to resolve.

Example:
server=/nbc.com/nbcuni.com/199.x.x.x (actual IP of BIND server in other country)
server=/pandora.com/193.x.x.x (actual IP of BIND server in even another country)
server=/ip2location.com/199.x.x.x
espn3
server=/broadband.espn.go.com/199.x.x.x

Google
server=8.8.8.8
server=8.8.4.4

I am sure that the bind server is configured properly and securely. The problem is the DNSMasq server, that is wide open on port 53 and everyone can use it if the IP is known.

So the question is: Does the Setup represent a risk as it is right now? If yes, do you have any idea how could DNSMasq be secured without restricting the port to specific IPs. If this is not possible, could you please suggest alternatives to DNSMasq?

Thank you very much in forward for any help!

Comments

  • petrispetris Member

    Yes, No, and No. DNS has no authentication mechanism so you're kind of stuck with ip-based authentication, i.e. iptables.

  • DarioXDarioX Member

    @petris said:
    Yes, No, and No. DNS has no authentication mechanism so you're kind of stuck with ip-based authentication, i.e. iptables.

    Hi petris,

    First of all, thanks for your answer.

    Could you please elaborate on how this can be considered a security risk? E.g. are all public DNS Servers potentially dangerous? Thank you!

  • DarioXDarioX Member

    Thanks again :)

    As far as I can tell, this kind of attack is in fact not possible to successfully execute on DNSMasq, as:

    -0, --dns-forward-max=
    Set the maximum number of concurrent DNS queries. The default value is 150, which should be fine for most setups. The only known situation where this needs to be increased is when using web-server log file resolvers, which can generate large numbers of concurrent queries.

    Should in fact be limiting this (150 request) and can be even further limited. Am I wrong? Thanks!

  • Why don't you setup the DNS server within your LAN? It's bad practice anyway to resolve all DNS queries through a remote server which is (potentially) far away from your home location (latency-wise).

    I'm using this in non-SNI mode which works great on my PS 3:
    https://github.com/trick77/tunlr-style-dns-unblocking/

  • Steve81Steve81 Member
    edited May 2014

    said: If yes, do you have any idea how could DNSMasq be secured without restricting the port to specific IPs

    What do you mean? You are asking how to setup dnsmasq to listen only on ip 123.45.67.89 on port 53? Or you'd like to limit only to some inbound clients?

  • mpkossenmpkossen Member
    edited May 2014

    You could limit which IPs can connect to port 53 with IPtables as a start. In addition to that, I believe you can have dnsmasq only respond to certain IP addresses, but I'm not sure about that.

    I believe these IPtable rules will be sufficient:

    iptables -A INPUT -p udp -m udp --dport 53 -s 192.0.2.150/32 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    

    Replace 192.0.2.150 with the IP you're connecting from.

    For more information on IPtables, please see: http://lowendbox.com/blog/introduction-to-iptables/

  • DarioXDarioX Member

    @mpkossen said:
    You could limit which IPs can connect to port 53 with IPtables as a start. In addition to that, I believe you can have dnsmasq only respond to certain IP addresses, but I'm not sure about that.

    I believe these IPtable rules will be sufficient:

    iptables -A INPUT -p udp -m udp --dport 53 -s 192.0.2.150/32 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    

    Replace 192.0.2.150 with the IP you're connecting from.

    For more information on IPtables, please see: http://lowendbox.com/blog/introduction-to-iptables/

    Thanks for the many replies. This is actually exactly what I'd like to avoid. I'd like to keep it public, but without DNSMasq resulting in a security thread.

    @hausarzt I know this is bad practice, but it is not supposed to be only accessible to me, that's why it has to be a public VPS.

  • DarioX said: Thanks for the many replies. This is actually exactly what I'd like to avoid. I'd like to keep it public, but without DNSMasq resulting in a security thread.

    I hope you don't mind me saying this, but that's a bit contradictory. If it's public, it's usually more of a security thread than when it's private.

    If you really want it to be public, rate limiting it would at least be damage control in case everything goes south.

    Other than that, you could of course put it inside a VPN, but it's more work and you'd always need to be connected to the VPN, which would usually result in most data going through the VPN (depending on your setup).

    Thanked by 1DarioX
  • hausarzthausarzt Member
    edited May 2014

    Even with "just" 150 concurrent connections, there is a lot of room to use your public DNS server for amp attacks. It will also kill legitimate traffic once the limit has been hit. You should use BIND with a rate-limiter patch and tight rate-limiter settings. It basically switches to TCP DNS mode (for the source IP) once a given source IP starts hammering the DNS server. This will filter most unwanted requests without dropping any.

    Thanked by 1DarioX
Sign In or Register to comment.