DNSMasq -> BIND - Security risk?
Hello everybody,
I have a question regarding a setup I have. I would like to know if it represents a security risk or it is potentially exploitable as it is configured right now.
Please take a look at its architecture:
This is slightly modified from: https://github.com/corporate-gadfly/Tunlr-Clone
All I do is set the IP of "My VPS" as the DNS server. This VPS has DNSMasq, and all it does is redirect the traffic to the actual BIND server if the site is in the "accepted sites list"; otherwise it just uses Google DNS to resolve.
Example:

    server=/nbc.com/nbcuni.com/199.x.x.x    # actual IP of BIND server in other country
    server=/pandora.com/193.x.x.x           # actual IP of BIND server in even another country
    server=/ip2location.com/199.x.x.x
    # espn3
    server=/broadband.espn.go.com/199.x.x.x
    # Google
    server=8.8.8.8
    server=8.8.4.4
I am sure that the bind server is configured properly and securely. The problem is the DNSMasq server, that is wide open on port 53 and everyone can use it if the IP is known.
So the question is: Does the setup represent a risk as it is right now? If yes, do you have any idea how DNSMasq could be secured without restricting the port to specific IPs? If this is not possible, could you please suggest alternatives to DNSMasq?
Thank you very much in advance for any help!
Comments
Yes, No, and No. DNS has no authentication mechanism so you're kind of stuck with ip-based authentication, i.e. iptables.
Hi petris,
First of all, thanks for your answer.
Could you please elaborate on how this can be considered a security risk? E.g. are all public DNS Servers potentially dangerous? Thank you!
https://www.us-cert.gov/ncas/alerts/TA13-088A
Thanks again
As far as I can tell, this kind of attack is in fact not possible to successfully execute on DNSMasq, as:

    -0, --dns-forward-max=<queries>
    Set the maximum number of concurrent DNS queries. The default value is 150, which should be fine for most setups. The only known situation where this needs to be increased is when using web-server log file resolvers, which can generate large numbers of concurrent queries.

should in fact be limiting this (150 requests) and can be limited even further. Am I wrong? Thanks!
Why don't you setup the DNS server within your LAN? It's bad practice anyway to resolve all DNS queries through a remote server which is (potentially) far away from your home location (latency-wise).
I'm using this in non-SNI mode which works great on my PS 3:
https://github.com/trick77/tunlr-style-dns-unblocking/
What do you mean? You are asking how to setup dnsmasq to listen only on ip 123.45.67.89 on port 53? Or you'd like to limit only to some inbound clients?
You could limit which IPs can connect to port 53 with IPtables as a start. In addition to that, I believe you can have dnsmasq only respond to certain IP addresses, but I'm not sure about that.
I believe these IPtable rules will be sufficient:
Replace 192.0.2.150 with the IP you're connecting from.
For more information on IPtables, please see: http://lowendbox.com/blog/introduction-to-iptables/
Thanks for the many replies. This is actually exactly what I'd like to avoid. I'd like to keep it public, but without DNSMasq resulting in a security threat.
@hausarzt I know this is bad practice, but it is not supposed to be only accessible to me, that's why it has to be a public VPS.
I hope you don't mind me saying this, but that's a bit contradictory. If it's public, it's usually more of a security threat than when it's private.
If you really want it to be public, rate limiting it would at least be damage control in case everything goes south.
Other than that, you could of course put it inside a VPN, but it's more work and you'd always need to be connected to the VPN, which would usually result in most data going through the VPN (depending on your setup).
Even with "just" 150 concurrent connections, there is a lot of room to use your public DNS server for amp attacks. It will also kill legitimate traffic once the limit has been hit. You should use BIND with a rate-limiter patch and tight rate-limiter settings. It basically switches to TCP DNS mode (for the source IP) once a given source IP starts hammering the DNS server. This will filter most unwanted requests without dropping any.
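Pulling the thread's suggestions together into one script, as an added example that is not from this thread or from the Tunlr-Clone project: it writes a dnsmasq drop-in that keeps the forwarder's own limits tight (a lower dns-forward-max than the default 150, listening only on the public address, no forwarding of private reverse lookups), and installs iptables rules that let a trusted host through unconditionally while every other source gets a per-IP token bucket on port 53 instead of a flat allowlist, so the resolver can stay public. Assumptions: 198.51.100.10 stands in for the VPS's public address, 192.0.2.150 is the trusted client IP used earlier in the thread, and 5 queries per second with a burst of 20 per source are starting points, not tuned values. The hashlimit match is part of stock Linux iptables.

```shell
#!/bin/sh
# Added example, not from the thread: damage control for a dnsmasq
# forwarder that must stay reachable from anywhere on port 53.
# Assumptions: 198.51.100.10 stands in for the VPS's public address,
# 192.0.2.150 is the trusted client IP used earlier in the thread, and
# 5 queries/second with a burst of 20 per source are starting points.
set -eu

IPT=${IPT:-iptables}                 # IPT=echo previews the rules
DROPIN=${DROPIN:-/etc/dnsmasq.d/public-forwarder.conf}
PUBLIC_IP=${PUBLIC_IP:-198.51.100.10}
TRUSTED=${TRUSTED:-192.0.2.150}
RATE=${RATE:-5/sec}
BURST=${BURST:-20}

# Keep dnsmasq's own knobs tight: listen only on the public address (so
# not on every interface dnsmasq discovers), cap in-flight upstream
# queries below the default 150, never forward RFC 1918 reverse lookups,
# and resolve only via the server= lines rather than /etc/resolv.conf.
write_dropin() {
    cat > "$DROPIN" <<EOF
listen-address=$PUBLIC_IP
bind-interfaces
dns-forward-max=50
bogus-priv
no-resolv
EOF
}

# Firewall: the trusted host is never limited; everyone else gets a
# per-source token bucket on UDP/53, the only transport an amplification
# attack can use, since a spoofed source never completes a TCP handshake.
# Excess packets are dropped before dnsmasq ever sees them.
install_rules() {
    $IPT -A INPUT -p udp --dport 53 -s "$TRUSTED" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 -s "$TRUSTED" -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -m hashlimit \
        --hashlimit-name dns_udp --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j ACCEPT
    $IPT -A INPUT -p udp --dport 53 -j DROP
    $IPT -A INPUT -p tcp --dport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 --syn -m hashlimit \
        --hashlimit-name dns_tcp --hashlimit-mode srcip \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j ACCEPT
    $IPT -A INPUT -p tcp --dport 53 --syn -j DROP
}

# Only touch the live system when asked to explicitly:
#   sh harden-forwarder.sh apply        (as root)
#   IPT=echo sh harden-forwarder.sh     (preview, nothing changes)
if [ "${1:-}" = "apply" ]; then
    write_dropin
    install_rules
fi
```

Two caveats a practitioner should keep in mind. A per-source limit only blunts reflection from a handful of spoofed addresses; an attacker who spreads spoofed sources widely still gets 5 answers per second per address, so the script is damage control, not a fix, and the real fix remains an allowlist or a VPN as the earlier replies say. On the BIND side, the rate limiter referred to above has been built into BIND since 9.9.4 as the rate-limit block under options, so no patch is needed on a current release.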