From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults
Most important change would be to listen only on localhost. Default
configuration should not listen to requests from remote hosts. Match also
user and paths to directories shipped in Fedora.
---
 dnsmasq.conf.example | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index bf19424..36fba33 100644
--- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@
 
 # Uncomment these to enable DNSSEC validation and caching:
 # (Requires dnsmasq to be built with DNSSEC option.)
-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
 #dnssec
 
 # Replies which are not DNSSEC signed may be legitimate, because the domain
@@ -96,14 +96,16 @@
 
 # If you want dnsmasq to change uid and gid to something other
 # than the default, edit the following lines.
-#user=
-#group=
+user=dnsmasq
+group=dnsmasq
 
 # If you want dnsmasq to listen for DHCP and DNS requests only on
 # specified interfaces (and the loopback) give the name of the
 # interface (eg eth0) here.
 # Repeat the line for more than one interface.
 #interface=
+# Listen only on localhost by default
+interface=lo
 # Or you can specify which interface _not_ to listen on
 #except-interface=
 # Or which to listen on by address (remember to include 127.0.0.1 if
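Review bot: `user=dnsmasq` and `group=dnsmasq` are now active instead of commented out, so dnsmasq will refuse to start on a host where that account does not exist, yet the comment above them still reads as if the lines were optional. Since this is the shipped example file, a line such as `# Requires the dnsmasq system account (created by the distribution package); adjust on other systems.` above `user=dnsmasq` would make the dependency explicit; that the package creates the account is inferred from the commit message, not visible here. The `interface=lo` default is consistent with the `bind-interfaces` change in the later hunk, and the existing `# Repeat the line for more than one interface.` comment still applies, so an administrator adding another `interface=` line keeps loopback as well.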
@@ -114,6 +116,10 @@
 # disable DHCP and TFTP on it.
 #no-dhcp-interface=
 
+# Serve DNS and DHCP only to networks directly connected to this machine.
+# Any interface= line will override it.
+#local-service
+
 # On systems which support it, dnsmasq binds the wildcard address,
 # even when it is listening on only some interfaces. It then discards
 # requests that it shouldn't reply to. This has the advantage of
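Review bot: The comment above `#local-service` says `# Any interface= line will override it.`, but the previous hunk makes `interface=lo` active in this same file, so an administrator who only uncomments `local-service` here gets no change in behaviour and may believe the service is now reachable from the local subnets. Suggest saying so directly, e.g. `# Has no effect while interface=lo above is set; comment that line out first.` That keeps the two defaults from being enabled together by accident.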
@@ -121,7 +127,11 @@
 # want dnsmasq to really bind only the interfaces it is listening on,
 # uncomment this option. About the only time you may need this is when
 # running another nameserver on the same machine.
-#bind-interfaces
+#
+# To listen only on localhost and do not receive packets on other
+# interfaces, bind only to lo device. Comment out to bind on single
+# wildcard socket.
+bind-interfaces
 
 # If you don't want dnsmasq to read /etc/hosts, uncomment the
 # following line.
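Review bot: The new comment attributes the loopback-only behaviour to `bind-interfaces`, but which interfaces are bound is decided by the `interface=lo` line in the earlier hunk; `bind-interfaces` only changes the binding from one wildcard socket to the addresses of those listed interfaces. Consider `# With interface=lo above, bind only the loopback addresses instead of the wildcard socket, so no packets are accepted on other interfaces. Comment out to bind a single wildcard socket.` so the two options are described as working together. Independently of that, `and do not receive packets` should read `and not receive packets`.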
@@ -535,7 +545,7 @@
 # The DHCP server needs somewhere on disk to keep its lease database.
 # This defaults to a sane location, but if you want to change it, use
 # the line below.
-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases
 
 # Set the DHCP server to authoritative mode. In this mode it will barge in
 # and take over the lease for any client which broadcasts on the network,
@@ -673,7 +683,11 @@
 # Include all files in a directory which end in .conf
 #conf-dir=/etc/dnsmasq.d/,*.conf
 
+# Include all files in /etc/dnsmasq.d except RPM backup files
+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
+
 # If a DHCP client claims that its name is "wpad", ignore that.
 # This fixes a security hole. see CERT Vulnerability VU#598349
 #dhcp-name-match=set:wpad-ignore,wpad
 #dhcp-ignore-names=tag:wpad-ignore
+
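Review bot: The active `conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig` line loads every file in the directory except those three suffixes, whereas the commented example directly above it (`#conf-dir=/etc/dnsmasq.d/,*.conf`) loads only `*.conf`; as I read the conf-dir syntax, any stray file left behind by an editor or a manual copy (`.bak`, `.orig`, `.disabled`) then becomes live configuration. If the wider form is intended, the comment should say so, e.g. `# Include all files in /etc/dnsmasq.d except RPM backup files; files with any other suffix are still read, so keep the directory clean.`; otherwise `conf-dir=/etc/dnsmasq.d,*.conf` would match the upstream example while still skipping the RPM files. The hunk also adds an empty line after `#dhcp-ignore-names=tag:wpad-ignore`, leaving the file with a trailing blank line at EOF.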
-- 
2.26.2