f599c15e33
Currently any dhcp agent instance will work as an open resolver. For deployments using publicly routed addresses for tenant networks, this allows the agent being abused in dDoS attacks, see [1]. By setting the `--local-service` option dnsmasq will filter DNS queries and reply only to queries from directly attached networks. [1] https://bugs.launchpad.net/neutron/+bug/1501206 Conflicts: neutron/cmd/sanity_check.py Closes-Bug: 1501206 Change-Id: I76d810aad2ce0f15a88bd798963012fa0efca74e (cherry picked from commit 0fce3ca2c1641fbcfb8327a86d7225e2c3972263)
9 lines
376 B
YAML
9 lines
376 B
YAML
---
|
|
fixes:
|
|
- |
|
|
Fixes bug `1501206 <https://bugs.launchpad.net/neutron/+bug/1501206>`_.
|
|
This ensures that DHCP agent instances running dnsmasq as a DNS server
|
|
can no longer be exploited as DNS amplifiers when the tenant network is
|
|
using publicly routed IP addresses by adding an option that will allow
|
|
them to only serve DNS requests from local networks.
|