cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "France (JIRA)" <>
Subject [jira] [Created] (CLOUDSTACK-4675) Virtual Router only with DHCP should not have DNS service
Date Sun, 15 Sep 2013 06:49:51 GMT
France created CLOUDSTACK-4675:

             Summary: Virtual Router only with DHCP should not have DNS service
                 Key: CLOUDSTACK-4675
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: Virtual Router
    Affects Versions: 4.1.1
            Reporter: France

When one creates a virtual router using only DHCP as service one gets also DNS service, because
dnsmasq.conf service has DNS service enabled. It can be disabled by setting port=0, but it's

This assumption that there is no open recursive DNS service present, can lead user to exposing
open resursive DNS server to untrusted hosts, which then abuse it for DNS amplification attack.

Please actually disable DNS service, if it's not selected when creating network offering.

As a workaround i've added below commands to rc.local. Fix directly dnsmasql.conf gets reverted
by some cloud init scripts.
iptables -I INPUT -p udp --dport 53 -j DROP
iptables -I INPUT -p tcp --dport 53 -j DROP

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message