dnsmasq, as shipped with Fedora and Red Hat Enterprise Linux, has a default configuration that makes it listen on any interface and accept queries from addresses outside of its local subnet. In particular, the option `local-service` is not enabled. Users who enable dnsmasq on their system with its default configuration may inadvertently turn it into an open resolver reachable from any address on the internet, where it can be abused to take part in Distributed Denial of Service (DDoS) attacks against a third party.
Mitigation: To restrict the DNS server to queries coming from the local subnet, add `local-service` to your /etc/dnsmasq.conf file or in a file in /etc/dnsmasq.d. A firewall can be configured for additional protection against undesired traffic.
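As an added example that is not part of this advisory or of the dnsmasq project, the following POSIX shell script checks whether a dnsmasq configuration tree actually enables `local-service` (an uncommented line in /etc/dnsmasq.conf or in a drop-in under /etc/dnsmasq.d). It assumes dnsmasq's one-option-per-line syntax with `#` starting a comment, and it approximates the shipped `conf-dir` suffix filtering by reading only `*.conf` drop-ins. The config trees it builds are constructed samples written to a temporary directory, so the script runs offline; the paths /etc/dnsmasq.conf and /etc/dnsmasq.d are only used in the commented-out call at the end.

```shell
#!/bin/sh
# Added example, not part of the advisory or of dnsmasq itself: audit a
# dnsmasq configuration tree for the `local-service` mitigation.
# Assumptions: config files use dnsmasq's one-option-per-line syntax,
# '#' starts a comment, and drop-ins live as *.conf under a conf-dir.
# (The shipped conf-dir line also excludes .rpmnew/.rpmsave/.rpmorig
# suffixes; that filtering is approximated here by matching *.conf only.)

# has_local_service CONF_FILE CONF_DIR
# Returns 0 and prints the file that enables it when an uncommented
# `local-service` line exists; returns 1 otherwise.
has_local_service() {
    conf="$1"
    dir="$2"
    for f in "$conf" "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Leading whitespace is allowed; a leading '#' means the option is
        # still commented out (as in the default file) and must not count.
        if grep -Eq '^[[:space:]]*local-service([=[:space:]#]|$)' "$f"; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# write_sample_config DIR MODE
# Builds a constructed config tree under DIR. MODE "default" mimics the
# shipped file, where the option appears only as a comment; MODE
# "mitigated" adds the drop-in the advisory recommends.
write_sample_config() {
    mkdir -p "$1/dnsmasq.d"
    cat > "$1/dnsmasq.conf" <<'EOF'
# constructed sample: option present only as a comment
#local-service
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
EOF
    if [ "$2" = mitigated ]; then
        printf 'local-service\n' > "$1/dnsmasq.d/10-local-service.conf"
    fi
}

# audit_sample MODE
# Prints "enabled" or "missing" for the constructed tree in MODE.
audit_sample() {
    tmp=$(mktemp -d)
    write_sample_config "$tmp" "$1"
    if has_local_service "$tmp/dnsmasq.conf" "$tmp/dnsmasq.d" >/dev/null; then
        verdict=enabled
    else
        verdict=missing
    fi
    rm -rf "$tmp"
    echo "$verdict"
}

# Stand-alone run: the default tree fails the check, the mitigated one passes.
echo "default:   $(audit_sample default)"
echo "mitigated: $(audit_sample mitigated)"
# To audit a real host instead:
#   has_local_service /etc/dnsmasq.conf /etc/dnsmasq.d && echo enabled
```

The check deliberately rejects the `#local-service` line found in the shipped file, since a commented option does nothing; on a host, a non-zero exit from `has_local_service` means the resolver is still answering from any source address unless the firewall blocks port 53, which this script does not inspect.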
Acknowledgments: Name: bdrpc
Created dnsmasq tracking bugs for this issue: Affects: fedora-all [bug 1852373]
Statement: Even though Red Hat Enterprise Linux 8 and Fedora do not ship a secure default, they have firewalld service enabled by default, which denies incoming DNS queries, preventing this potential attack vector. In Red Hat OpenStack Platform 13, the dnsmasq package is pulled directly from the RHEL channel and not the RHOSP channel. RHOSP is therefore unaffected, but please ensure that the underlying Red Hat Enterprise Linux dnsmasq package is current.
So far this issue has been fixed in dnsmasq-2.81-4.fc32 and dnsmasq-2.80-16.fc31.