DNSMasq -> BIND - Security risk?
I have a question regarding a setup I have. I would like to know if it represents a security risk or it is potentially exploitable as it is configured right now.
Please take a look at its architecture:
This is slightly modified from: https://github.com/corporate-gadfly/Tunlr-Clone
All I do is set the IP of "My VPS" as the DNS server. This VPS runs DNSMasq, and all it does is redirect the traffic to the actual BIND server if the site is in the "accepted sites list"; otherwise it just uses Google DNS to resolve.
server=/nbc.com/nbcuni.com/199.x.x.x (actual IP of BIND server in other country)
server=/pandora.com/193.x.x.x (actual IP of BIND server in even another country)
I am sure that the BIND server is configured properly and securely. The problem is the DNSMasq server, which is wide open on port 53, and anyone can use it if the IP is known.
So the question is: does the setup represent a risk as it is right now? If yes, do you have any idea how DNSMasq could be secured without restricting the port to specific IPs? If this is not possible, could you please suggest alternatives to DNSMasq?
Thank you very much in advance for any help!
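To make the forwarding behaviour of the `server=` lines above concrete, here is an added example (not code from the post or from dnsmasq) that parses dnsmasq-style `server=` rules, works out which upstream a queried name would be forwarded to, and flags a config that has no client-restriction option (`listen-address`, `interface`, `local-service`), which is exactly the "wide open on port 53" condition the question describes. The sample config and its addresses are constructed; the `199.x.x.x` and `193.x.x.x` placeholders from the post are replaced with documentation addresses.

```python
from typing import Optional

# Constructed sample config in the style of the question (addresses are
# documentation ranges, not the real BIND servers from the post).
SAMPLE_CONF = """
server=/nbc.com/nbcuni.com/192.0.2.10   # BIND server, country A
server=/pandora.com/198.51.100.20       # BIND server, country B
server=8.8.8.8                          # everything else: Google DNS
"""

# dnsmasq options that limit which clients are served; a config without any
# of them is a candidate open resolver and should be reviewed.
CLIENT_RESTRICTIONS = ("listen-address=", "interface=", "local-service")


def parse_server_lines(conf: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return ([(domain, upstream), ...], [default_upstream, ...]).
    server=/d1/d2/UPSTREAM sends d1, d2 and their subdomains to UPSTREAM;
    server=UPSTREAM with no domains is a default upstream. Port (#53) and
    source (@addr) suffixes are left on the upstream string unparsed."""
    rules, defaults = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            parts = value.split("/")[1:]
            upstream, domains = parts[-1], parts[:-1]
            rules.extend((d.lower().strip("."), upstream) for d in domains)
        else:
            defaults.append(value)
    return rules, defaults


def upstream_for(name: str, rules, defaults) -> Optional[str]:
    """Upstream dnsmasq would forward NAME to: the longest matching domain
    suffix wins; an empty upstream (server=/dom/) falls back to the default."""
    name = name.lower().rstrip(".")
    best = None
    for domain, upstream in rules:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, upstream)
    default = defaults[0] if defaults else None
    return (best[1] or default) if best else default


def has_client_restriction(conf: str) -> bool:
    """True if any option limiting the served clients is present."""
    lines = [l.split("#", 1)[0].strip() for l in conf.splitlines()]
    return any(l.startswith(CLIENT_RESTRICTIONS) for l in lines)
```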