Fedora has issued an advisory today (July 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JUOTZBRLT6KGLOKWMES762MRHG4JKQC6/

They fixed it with this commit:
https://src.fedoraproject.org/rpms/dnsmasq/c/744ba31be775c11b1f52104d6285509b06b81035?branch=master

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from Fedora
Assigning to the registered maintainer!
CC: (none) => geiger.david68210
Assignee: bugsquad => julien.moragny
The Fedora approach is a bit ham-fisted; restraining to localhost-only is not a good default. I'm not keen on going with the conf-file route since it would only touch completely fresh installs and we don't have any other default option configured here. I prefer the Debian approach with the local-service option on the command line, which is overridden by interface/address configuration. The point of contention is that it changes the behavior of existing installations. Given the point above, I can't imagine a situation where it would pose a problem, but I welcome other opinions on the subject.
Isn't dnsmasq meant to be a local DNS caching responder? I can't imagine why it would do anything other than only listen on localhost.
It is local in the sense of local network. It provides a local DNS server and also, DHCP, BOOTP, PXE server and router advertisement.
Do people typically use it to provide those services to the local network or more so for VMs?
I don't have any data on the subject. But at least OpenWrt, dd-wrt and pi-hole use it (and it seems some Cisco routers), and based on a quick web search, a lot of tutorials point to this usage on a local network.
Advisory for Fedora 32: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O7HRB5I67RDNHIGK2NIVTCHGBZWGFTAF/
Hello, I submitted a fixed package on cauldron 2 days ago (and a new version one day after that) with local-service added on the cmdline in the systemd unit file. The same fix has just been submitted to 7/updates_testing.

Here is a tentative advisory:
========================

Updated dnsmasq package fixes insecure default configuration potentially making it an open resolver (CVE-2020-14312).

In its default configuration, dnsmasq listens and answers queries from any address, even outside of the local subnet. Thus, it may inadvertently become an open resolver which might be used in Distributed Denial of Service attacks.

This update adds the option --local-service at startup, which limits dnsmasq to listening only to machines on the same local network. This option only works if there aren't any of the following options on the cmdline or in dnsmasq.conf (without the double dash):
--interface
--except-interface
--listen-address
--auth-server

References:
https://bugs.mageia.org/show_bug.cgi?id=26964
https://bugzilla.redhat.com/show_bug.cgi?id=1851342
https://bugzilla.redhat.com/show_bug.cgi?id=1852373
========================

Updated packages in core/updates_testing:
========================
dnsmasq-2.80-5.3.mga7
dnsmasq-utils-2.80-5.3.mga7

Source RPMs:
dnsmasq-2.80-5.3.mga7.src.rpm
Hello QA, can you please test and validate this update of dnsmasq.

When you launch dnsmasq without any configuration (systemctl start dnsmasq.service) you should see the following message in the logs/journal:
DNS service limited to local subnets

dnsmasq should answer queries from localhost or from other machines on the local network (physical or virtual). You can use the 'host' program (in the bind-utils package) to test:

from localhost:
host mydomain.ext 127.0.0.1

from another machine (with the firewall configured to allow DNS query/answer):
host mydomain.ext IP_OF_THE_MACHINE_WITH_DNSMASQ

You can also test with an interface configured (e.g. interface=lo in dnsmasq.conf) and see that the message isn't present anymore at startup (and dnsmasq only answers localhost in this example).

I've tested it on mga7 x86_64.

thanks
regards
julien
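The advisory above says --local-service is silently ignored as soon as interface, except-interface, listen-address or auth-server is configured, and the QA request says the "DNS service limited to local subnets" journal line is the confirmation to look for. The script below is an added example (not part of the Mageia package, the systemd unit or dnsmasq itself) that turns both points into a check an admin can run against a conf file and ExecStart arguments. It assumes the override semantics stated in the advisory and the dnsmasq manual, and the sample conf files and journal lines it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Mageia package or of dnsmasq itself.
# Given a dnsmasq.conf and the daemon's command line, report whether the
# --local-service hardening from the advisory actually applies.
# Assumption (from the dnsmasq manual and the advisory): local-service is
# ignored when interface, except-interface, listen-address or auth-server is
# configured, either on the command line or in the conf file.

# dnsmasq_exposure CONF CMDLINE
#   prints "limited"  : --local-service in effect (default after the update)
#          "explicit" : an interface/address option overrides it
#          "open"     : neither present (pre-update default: open resolver)
dnsmasq_exposure() {
    conf=$1
    cmdline=" $2 "

    local_service=0
    case "$cmdline" in *" --local-service "*) local_service=1 ;; esac
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*local-service[[:space:]]*$' "$conf"; then
        local_service=1
    fi

    override=0
    # conf-file form: "interface=eth0", "listen-address=127.0.0.1", ...
    # (commented-out lines such as "#interface=eth0" do not count)
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*(interface|except-interface|listen-address|auth-server)[[:space:]]*=' "$conf"; then
        override=1
    fi
    # command-line form: long options and the -i/-I/-a short forms
    case "$cmdline" in
        *" --interface"*|*" --except-interface"*|*" --listen-address"*|*" --auth-server"*|*" -i "*|*" -I "*|*" -a "*)
            override=1 ;;
    esac

    if [ "$override" -eq 1 ]; then
        echo explicit
    elif [ "$local_service" -eq 1 ]; then
        echo limited
    else
        echo open
    fi
}

# journal_shows_limited FILE
#   succeeds if captured journal lines contain dnsmasq's confirmation message
journal_shows_limited() {
    grep -q 'dnsmasq\[[0-9]*\]: DNS service limited to local subnets' "$1"
}

# --- constructed sample inputs (not taken from a real system) ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_DEFAULT_CONF="$SAMPLE_DIR/default.conf"   # fresh install: comments only
SAMPLE_IFACE_CONF="$SAMPLE_DIR/iface.conf"       # admin pinned dnsmasq to lo
SAMPLE_JOURNAL="$SAMPLE_DIR/journal.txt"

cat >"$SAMPLE_DEFAULT_CONF" <<'EOF'
# Configuration file for dnsmasq.
#interface=eth0
EOF

cat >"$SAMPLE_IFACE_CONF" <<'EOF'
interface=lo
EOF

cat >"$SAMPLE_JOURNAL" <<'EOF'
jul 22 11:07:18 marte dnsmasq[5950]: started, version 2.80 cachesize 150
jul 22 11:07:18 marte dnsmasq[5950]: DNS service limited to local subnets
EOF

UPDATED_CMDLINE="-k --local-service"   # ExecStart arguments after the update
OLD_CMDLINE="-k"                       # ExecStart arguments before the update

echo "updated unit, default conf : $(dnsmasq_exposure "$SAMPLE_DEFAULT_CONF" "$UPDATED_CMDLINE")"
echo "updated unit, interface=lo : $(dnsmasq_exposure "$SAMPLE_IFACE_CONF" "$UPDATED_CMDLINE")"
echo "old unit, default conf     : $(dnsmasq_exposure "$SAMPLE_DEFAULT_CONF" "$OLD_CMDLINE")"
if journal_shows_limited "$SAMPLE_JOURNAL"; then
    echo "journal confirms: DNS service limited to local subnets"
fi
```

On a real host, point dnsmasq_exposure at /etc/dnsmasq.conf and the arguments from the unit's ExecStart, and feed journal_shows_limited the output of journalctl -u dnsmasq. The "explicit" result is not an error: it is the case the maintainer describes where an admin's own interface/address configuration takes precedence, and the journal line is then expected to be absent.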
Assignee: julien.moragny => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => julien.moragny
Installed and tested without issues. Tested on an ethernet network and on a wireguard VPN. Tested with multiple clients in multiple OSs (Android, Windows 7/10, Mageia 7/8, WebOS). Tested with VMs and containers.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep dnsmasq
dnsmasq-2.80-5.3.mga7

$ lsof | grep dnsmasq.*IPv
dnsmasq 5673 dnsmasq 4u IPv4 121457 0t0 UDP *:domain
dnsmasq 5673 dnsmasq 5u IPv4 121458 0t0 TCP *:domain (LISTEN)
dnsmasq 5673 dnsmasq 6u IPv6 121459 0t0 UDP *:domain
dnsmasq 5673 dnsmasq 7u IPv6 121460 0t0 TCP *:domain (LISTEN)

$ resolvectl query tvbox
tvbox: 192.168.1.66
       SNIP::SNIP (tvbox.local)

-- Information acquired via protocol DNS in 3.5ms.
-- Data is authenticated: no

$ resolvectl query marte
marte: 192.168.1.64
       SNIP::SNIP (marte.local)

-- Information acquired via protocol DNS in 2.4ms.
-- Data is authenticated: no

$ dig @192.168.1.64 tvbox.local ANY

; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> @192.168.1.64 tvbox.local ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6408
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tvbox.local.            IN      ANY

;; ANSWER SECTION:
tvbox.local.     0       IN      A       192.168.1.66
tvbox.local.     0       IN      AAAA    SNIP::SNIP

;; Query time: 0 msec
;; SERVER: 192.168.1.64#53(192.168.1.64)
;; WHEN: qua jul 22 11:05:01 WEST 2020
;; MSG SIZE  rcvd: 84

$ dig @192.168.1.64 marte.local ANY

; <<>> DiG 9.11.6Mageia-1.1.mga7 <<>> @192.168.1.64 marte.local ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26481
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;marte.local.            IN      ANY

;; ANSWER SECTION:
marte.local.     0       IN      A       192.168.1.64
marte.local.     0       IN      AAAA    SNIP::SNIP

;; Query time: 1 msec
;; SERVER: 192.168.1.64#53(192.168.1.64)
;; WHEN: qua jul 22 11:08:13 WEST 2020
;; MSG SIZE  rcvd: 84

$ systemctl status dnsmasq.service
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-07-22 11:07:18 WEST; 1s ago
 Main PID: 5950 (dnsmasq)
    Tasks: 1 (limit: 4697)
   Memory: 760.0K
   CGroup: /system.slice/dnsmasq.service
           └─5950 /usr/sbin/dnsmasq -k --local-service

jul 22 11:07:18 marte systemd[1]: Started DNS caching server..
jul 22 11:07:18 marte dnsmasq[5950]: started, version 2.80 cachesize 150
jul 22 11:07:18 marte dnsmasq[5950]: DNS service limited to local subnets
jul 22 11:07:18 marte dnsmasq[5950]: compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
jul 22 11:07:18 marte dnsmasq[5950]: using nameserver 192.168.1.1#53
jul 22 11:07:18 marte dnsmasq[5950]: read /etc/hosts - 18 addresses
CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Status comment: Patch available from Fedora => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref test above in Comment 10 and in bug 22694

# systemctl start dnsmasq
# systemctl -l status dnsmasq
● dnsmasq.service - DNS caching server.
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-07-25 13:57:44 CEST; 13s ago
 Main PID: 9624 (dnsmasq)
    Tasks: 1 (limit: 4915)
   Memory: 924.0K
   CGroup: /system.slice/dnsmasq.service
           └─9624 /usr/sbin/dnsmasq -k --local-service

Jul 25 13:57:44 mach5.hviaene.thuis systemd[1]: Started DNS caching server..
Jul 25 13:57:44 mach5.hviaene.thuis dnsmasq[9624]: started, version 2.80 cachesize 150
Jul 25 13:57:44 mach5.hviaene.thuis dnsmasq[9624]: DNS service limited to local subnets
Jul 25 13:57:44 mach5.hviaene.thuis dnsmasq[9624]: compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua TF>
Jul 25 13:57:44 mach5.hviaene.thuis dnsmasq[9624]: reading /etc/resolv.conf
Jul 25 13:57:44 mach5.hviaene.thuis dnsmasq[9624]: using nameserver 192.168.2.1#53
Jul 25 13:57:44 mach5.hviaene.thuis dnsmasq[9624]: using nameserver 212.71.0.33#53
Jul 25 13:57:44 mach5.hviaene.thuis dnsmasq[9624]: read /etc/hosts - 2 addresses

# lsof | grep dnsmasq.*IPv
dnsmasq 9624 dnsmasq 4u IPv4 47538 0t0 UDP *:domain
dnsmasq 9624 dnsmasq 5u IPv4 47539 0t0 TCP *:domain (LISTEN)
dnsmasq 9624 dnsmasq 6u IPv6 47540 0t0 UDP *:domain
dnsmasq 9624 dnsmasq 7u IPv6 47541 0t0 TCP *:domain (LISTEN)

Looks OK
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory information in Comment 8.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0310.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED