Currently any dhcp agent instance will work as an open resolver. For deployments using publicly routed addresses for tenant networks, this allows the agent to be abused in DDoS attacks, see [1]. By setting the `--local-service` option, dnsmasq will filter DNS queries and reply only to queries from directly attached networks.

[1] https://bugs.launchpad.net/neutron/+bug/1501206

Closes-Bug: 1501206
Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e
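To make the effect of the option concrete, the following is an added model of the accept/refuse decision dnsmasq makes under `--local-service` (answer only when the query's source address lies in a subnet of a directly attached interface). It is example code written for this page, not neutron's or dnsmasq's own code; the subnets, the query list and the function names are constructed assumptions, and it deliberately ignores details such as IPv6 link-local handling.

```python
import ipaddress

# Constructed example: the subnets a dnsmasq instance would see on its bound
# interfaces (one publicly routed tenant subnet, one private). Sample values,
# not taken from the page.
LOCAL_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def is_local_client(src_ip, networks=LOCAL_NETWORKS):
    """True if src_ip belongs to one of the directly attached networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def should_answer(src_ip, local_service=True, networks=LOCAL_NETWORKS):
    """Model of the resolver policy.

    local_service=False (the previous behaviour): every query is answered,
    so the agent acts as an open resolver and can be turned into an
    amplifier by anyone who can reach its address.
    local_service=True (the fix): a query is answered only when it arrives
    from a directly attached network.
    """
    if not local_service:
        return True
    return is_local_client(src_ip, networks)


def classify_queries(queries, local_service):
    """Run (src_ip, qname) pairs through the policy; return (answered, refused)."""
    answered, refused = [], []
    for src_ip, qname in queries:
        bucket = answered if should_answer(src_ip, local_service) else refused
        bucket.append((src_ip, qname))
    return answered, refused


# Constructed sample traffic: two tenant VMs on attached subnets and two
# sources outside them, as an audit of a reflection scenario would see it.
SAMPLE_QUERIES = [
    ("203.0.113.17", "example.org"),
    ("10.0.0.5", "example.org"),
    ("198.51.100.9", "example.org"),
    ("192.0.2.44", "example.org"),
]

if __name__ == "__main__":
    for flag in (False, True):
        answered, refused = classify_queries(SAMPLE_QUERIES, flag)
        state = "on" if flag else "off"
        print(f"--local-service {state}: answered {len(answered)}, refused {len(refused)}")
```

With the option off all four sample queries are answered; with it on only the two from attached subnets are, which is the whole point of the change: the agent still serves its tenants but no longer reflects traffic for arbitrary sources.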
9 lines · 376 B · YAML
```yaml
---
fixes:
  - |
    Fixes bug `1501206 <https://bugs.launchpad.net/neutron/+bug/1501206>`_.
    This ensures that DHCP agent instances running dnsmasq as a DNS server
    can no longer be exploited as DNS amplifiers when the tenant network is
    using publicly routed IP addresses by adding an option that will allow
    them to only serve DNS requests from local networks.
```