Diffstat (limited to 'dnsmasq-2.81-configuration.patch')
-rw-r--r-- | dnsmasq-2.81-configuration.patch | 92 |
1 files changed, 92 insertions, 0 deletions
diff --git a/dnsmasq-2.81-configuration.patch b/dnsmasq-2.81-configuration.patch
new file mode 100644
index 0000000..3b3cadd
--- /dev/null
+++ b/dnsmasq-2.81-configuration.patch
@@ -0,0 +1,92 @@
+From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Tue, 30 Jun 2020 18:06:29 +0200
+Subject: [PATCH] Modify upstream configuration to safe defaults
+
+Most important change would be to listen only on localhost. Default
+configuration should not listen to request from remote hosts. Match also
+user and paths to directories shipped in Fedora.
+---
+ dnsmasq.conf.example | 24 +++++++++++++++++++-----
+ 1 file changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
+index bf19424..36fba33 100644
+--- a/dnsmasq.conf.example
++++ b/dnsmasq.conf.example
+@@ -22,7 +22,7 @@
+ 
+ # Uncomment these to enable DNSSEC validation and caching:
+ # (Requires dnsmasq to be built with DNSSEC option.)
+-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
++#conf-file=/usr/share/dnsmasq/trust-anchors.conf
+ #dnssec
+ 
+ # Replies which are not DNSSEC signed may be legitimate, because the domain
+@@ -96,14 +96,16 @@
+ 
+ # If you want dnsmasq to change uid and gid to something other
+ # than the default, edit the following lines.
+-#user=
+-#group=
++user=dnsmasq
++group=dnsmasq
+ 
+ # If you want dnsmasq to listen for DHCP and DNS requests only on
+ # specified interfaces (and the loopback) give the name of the
+ # interface (eg eth0) here.
+ # Repeat the line for more than one interface.
+ #interface=
++# Listen only on localhost by default
++interface=lo
+ # Or you can specify which interface _not_ to listen on
+ #except-interface=
+ # Or which to listen on by address (remember to include 127.0.0.1 if
+@@ -114,6 +116,10 @@
+ # disable DHCP and TFTP on it.
+ #no-dhcp-interface=
+ 
++# Serve DNS and DHCP only to networks directly connected to this machine.
++# Any interface= line will override it.
++#local-service
++
+ 
+ # On systems which support it, dnsmasq binds the wildcard address,
+ # even when it is listening on only some interfaces. It then discards
+ # requests that it shouldn't reply to. This has the advantage of
+@@ -121,7 +127,11 @@
+ # want dnsmasq to really bind only the interfaces it is listening on,
+ # uncomment this option. About the only time you may need this is when
+ # running another nameserver on the same machine.
+-#bind-interfaces
++#
++# To listen only on localhost and do not receive packets on other
++# interfaces, bind only to lo device. Comment out to bind on single
++# wildcard socket.
++bind-interfaces
+ 
+ # If you don't want dnsmasq to read /etc/hosts, uncomment the
+ # following line.
+@@ -535,7 +545,7 @@
+ # The DHCP server needs somewhere on disk to keep its lease database.
+ # This defaults to a sane location, but if you want to change it, use
+ # the line below.
+-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
++#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
+ 
+ # Set the DHCP server to authoritative mode. In this mode it will barge in
+ # and take over the lease for any client which broadcasts on the network,
+@@ -673,7 +683,11 @@
+ # Include all files in a directory which end in .conf
+ #conf-dir=/etc/dnsmasq.d/,*.conf
+ 
++# Include all files in /etc/dnsmasq.d except RPM backup files
++conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
++
+ # If a DHCP client claims that its name is "wpad", ignore that.
+ # This fixes a security hole. see CERT Vulnerability VU#598349
+ #dhcp-name-match=set:wpad-ignore,wpad
+ #dhcp-ignore-names=tag:wpad-ignore
++
+-- 
+2.26.2
+ |
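Review bot: The new `#local-service` block in the `@@ -114,6 +116,10 @@` hunk is effectively dead once this same file sets `interface=lo` a few lines earlier: if I read the dnsmasq man page correctly, `local-service` only takes effect when no `interface=`, `except-interface=` or `listen-address=` option is present, so an administrator who uncomments it would get no additional restriction and no warning. The comment should state that explicitly, e.g. `# Only effective when no interface=, except-interface= or listen-address= is set; with interface=lo above it has no effect.`, and the same caveat belongs next to `interface=lo` itself, since that line (together with `bind-interfaces` in the `@@ -121,7 +127,11 @@` hunk) is the actual localhost-only control. The wording in the new `bind-interfaces` comment also reads awkwardly; `# To listen only on localhost and not receive packets on other` is the intended sentence. Both observations are about the embedded patch's comment text; the config semantics are inferred from upstream documentation rather than from anything visible on this page, so worth confirming against the shipped dnsmasq version.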