cloudstack-issues mailing list archives

From "Abhinandan Prateek (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-4675) Virtual Router only with DHCP should not have DNS service
Date Mon, 08 Dec 2014 09:44:12 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-4675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14237683#comment-14237683
] 

Abhinandan Prateek commented on CLOUDSTACK-4675:
------------------------------------------------

cloud-early-config is the one configuring the services on the VR; this will override conf changes
to dnsmasq.

> Virtual Router only with DHCP should not have DNS service
> ---------------------------------------------------------
>
>                 Key: CLOUDSTACK-4675
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-4675
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.1.1
>            Reporter: France
>
> When one creates a virtual router using only DHCP as a service, one also gets DNS service,
> because the dnsmasq.conf service has DNS service enabled. It can be disabled by setting port=0,
> but it's not.
> This assumption that there is no open recursive DNS service present can lead a user to
> exposing an open recursive DNS server to untrusted hosts, which then abuse it for DNS amplification
> attacks.
> Please actually disable DNS service if it's not selected when creating the network offering.
> As a workaround I've added the commands below to rc.local. Fixing dnsmasq.conf directly gets
> reverted by some cloud-init scripts.
> iptables -I INPUT -p udp --dport 53 -j DROP
> iptables -I INPUT -p tcp --dport 53 -j DROP



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
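As an added example that is not part of the report or of CloudStack's code: a small audit of a generated dnsmasq.conf that flags the condition described above (DHCP-only router, no port=0, so dnsmasq still binds a DNS listener on 53) and emits the hardened file. The sample config and the option names beyond port/dhcp-range are constructed for illustration.

```python
# Added example (not CloudStack or the reporter's code). dnsmasq serves DNS on
# port 53 unless the file contains port=0, so a DHCP-only router must carry
# that line. Since cloud-early-config regenerates the file, run this against
# the generated config rather than a hand-edited copy.

def parse_dnsmasq_conf(text):
    """Return (option, value) pairs in file order; bare options get None.

    dnsmasq.conf syntax: one 'option' or 'option=value' per line; lines
    beginning with '#' are comments (inline comments are not handled here).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        entries.append((key.strip(), value.strip() if sep else None))
    return entries


def effective_dns_port(entries):
    """Port dnsmasq binds for DNS: default 53; port=0 turns DNS off. Last one wins."""
    port = 53
    for key, value in entries:
        if key == "port" and value is not None and value.isdigit():
            port = int(value)
    return port


def audit_dhcp_only(text):
    """Findings for a router whose network offering has DHCP but not DNS."""
    entries = parse_dnsmasq_conf(text)
    findings = []
    if not any(key == "dhcp-range" for key, _ in entries):
        findings.append("no dhcp-range: dnsmasq is not serving DHCP at all")
    port = effective_dns_port(entries)
    if port != 0:
        findings.append(f"DNS enabled on port {port} for a DHCP-only offering; set port=0")
    return findings


def harden_dhcp_only(text):
    """Return the config with port=0 added (idempotent) so no DNS socket is bound."""
    if effective_dns_port(parse_dnsmasq_conf(text)) == 0:
        return text
    return "port=0\n" + text


# Constructed sample resembling a DHCP-only VR config; note there is no port= line.
SAMPLE_CONF = """\
# generated dnsmasq.conf (constructed sample)
domain-needed
bogus-priv
dhcp-range=10.1.1.10,10.1.1.200,255.255.255.0,infinite
"""
```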
