openstack/neutron
Code Issues Proposed changes
Files
110fed07cb83deb3abd85073cb351066713b6384
neutron/releasenotes/notes/dnsmasq-local-service-c8eaa91894a7d6d4.yaml
Jens Harbott f599c15e33 Secure dnsmasq process against external abuse 
Currently any dhcp agent instance will work as an open resolver. For
deployments using publicly routed addresses for tenant networks, this
allows the agent being abused in dDoS attacks, see [1].

By setting the `--local-service` option dnsmasq will filter DNS queries
and reply only to queries from directly attached networks.

[1] https://bugs.launchpad.net/neutron/+bug/1501206

Conflicts:
    neutron/cmd/sanity_check.py

Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
(cherry picked from commit 0fce3ca2c1)
2019-01-25 13:58:19 +00:00

9 lines
376 B
YAML
Raw Blame History

---
fixes:
- |
Fixes bug `1501206 <https://bugs.launchpad.net/neutron/+bug/1501206>`_.
This ensures that DHCP agent instances running dnsmasq as a DNS server
can no longer be exploited as DNS amplifiers when the tenant network is
using publicly routed IP addresses by adding an option that will allow
them to only serve DNS requests from local networks.
View Git Blame Copy Permalink