From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>

Date: Tue, 30 Jun 2020 18:06:29 +0200

Subject: [PATCH] Modify upstream configuration to safe defaults

Most important change would be to listen only on localhost. Default

configuration should not listen to request from remote hosts. Match also

user and paths to directories shipped in Fedora.

---

 dnsmasq.conf.example | 24 +++++++++++++++++++-----

 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example

index bf19424..36fba33 100644

--- a/dnsmasq.conf.example

+++ b/dnsmasq.conf.example

@@ -22,7 +22,7 @@

 # Uncomment these to enable DNSSEC validation and caching:

 # (Requires dnsmasq to be built with DNSSEC option.)

-#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf

+#conf-file=/usr/share/dnsmasq/trust-anchors.conf

 #dnssec

 # Replies which are not DNSSEC signed may be legitimate, because the domain

@@ -96,14 +96,16 @@

 # If you want dnsmasq to change uid and gid to something other

 # than the default, edit the following lines.

-#user=

-#group=

+user=dnsmasq

+group=dnsmasq

 # If you want dnsmasq to listen for DHCP and DNS requests only on

 # specified interfaces (and the loopback) give the name of the

 # interface (eg eth0) here.

 # Repeat the line for more than one interface.

 #interface=

+# Listen only on localhost by default

+interface=lo

 # Or you can specify which interface _not_ to listen on

 #except-interface=

 # Or which to listen on by address (remember to include 127.0.0.1 if

@@ -114,6 +116,10 @@

 # disable DHCP and TFTP on it.

 #no-dhcp-interface=

+# Serve DNS and DHCP only to networks directly connected to this machine.

+# Any interface= line will override it.

+#local-service

+

 # On systems which support it, dnsmasq binds the wildcard address,

 # even when it is listening on only some interfaces. It then discards

 # requests that it shouldn't reply to. This has the advantage of

@@ -121,7 +127,11 @@

 # want dnsmasq to really bind only the interfaces it is listening on,

 # uncomment this option. About the only time you may need this is when

 # running another nameserver on the same machine.

-#bind-interfaces

+#

+# To listen only on localhost and do not receive packets on other

+# interfaces, bind only to lo device. Comment out to bind on single

+# wildcard socket.

+bind-interfaces

 # If you don't want dnsmasq to read /etc/hosts, uncomment the

 # following line.

@@ -535,7 +545,7 @@

 # The DHCP server needs somewhere on disk to keep its lease database.

 # This defaults to a sane location, but if you want to change it, use

 # the line below.

-#dhcp-leasefile=/var/lib/misc/dnsmasq.leases

+#dhcp-leasefile=/var/lib/dnsmasq/dnsmasq.leases

 # Set the DHCP server to authoritative mode. In this mode it will barge in

 # and take over the lease for any client which broadcasts on the network,

@@ -673,7 +683,11 @@

 # Include all files in a directory which end in .conf

 #conf-dir=/etc/dnsmasq.d/,*.conf

+# Include all files in /etc/dnsmasq.d except RPM backup files

+conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

+

 # If a DHCP client claims that its name is "wpad", ignore that.

 # This fixes a security hole. see CERT Vulnerability VU#598349

 #dhcp-name-match=set:wpad-ignore,wpad

 #dhcp-ignore-names=tag:wpad-ignore

+

-- 

2.26.2