From owner-freebsd-ports-bugs@FreeBSD.ORG Sun Apr 13 10:10:03 2014
Message-Id: <201404131001.s3DA1N6E021019@cgiserv.freebsd.org>
Date: Sun, 13 Apr 2014 10:01:23 GMT
From: Jeroen van der Ham
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/188548: Prevent dnsmasq from becoming an open recursive resolver
List-Id: Ports bug reports
Resent-Date: Sun, 13 Apr 2014 10:10:02 GMT
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org

>Number: 188548
>Category: ports
>Synopsis: Prevent dnsmasq from becoming an open recursive resolver
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 13 10:10:02 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Jeroen van der Ham
>Release:
>Organization:
>Environment:
>Description:
dnsmasq has been updated to version 2.69 recently to include DNSSEC support, but it also has a new flag, --local-service. This flag changes the behaviour of the DNS resolver part of dnsmasq so that it only answers queries made from the same subnet as it is in.

Previous versions of dnsmasq were configured by default to respond to any DNS query, making it an easy target to use in DDoS attacks.

So, could you please enable the --local-service flag by default?
>How-To-Repeat:
>Fix:
Set the default configuration to use the --local-service flag by default.
>Release-Note:
>Audit-Trail:
>Unformatted:
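As an added defender-side check that is not part of the PR or of the dnsmasq port, the POSIX sh function below audits a dnsmasq configuration file for the open-resolver condition the report describes: it reports the configuration as restricted when it contains the `local-service` option the PR asks for, or when it already binds dnsmasq to explicit interfaces or addresses, and as open otherwise. The parsing rules (one option per line, `#` starting a comment) and the sample configurations are constructed for this example; the treatment of `interface`, `except-interface`, `listen-address` and `auth-server` as scope restrictions follows the dnsmasq manual page's statement that `local-service` only has effect when none of those options is given, which the PR itself does not mention.

```shell
#!/bin/sh
# Added example, not code from the PR or the dnsmasq port.
# audit_dnsmasq_conf FILE
#   prints a verdict and returns 0 when query scope is restricted,
#   1 when the configuration would answer queries from any source.
# Assumptions (constructed for this example): dnsmasq.conf syntax is one
# option per line, "#" introduces a comment, leading whitespace is ignored.
audit_dnsmasq_conf() {
    conf="$1"
    # Drop comments, leading whitespace and blank lines before matching.
    opts=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$conf")

    # Explicit interface/address binding already limits who is answered;
    # per the dnsmasq manual these options also make local-service a no-op.
    if printf '%s\n' "$opts" | grep -Eq '^(interface|except-interface|listen-address|auth-server)(=|$)'; then
        echo "$conf: restricted (explicit interface/address binding)"
        return 0
    fi

    # local-service: answer only hosts on a subnet this server has an interface in.
    if printf '%s\n' "$opts" | grep -Eq '^local-service$'; then
        echo "$conf: restricted (local-service)"
        return 0
    fi

    echo "$conf: OPEN - answers DNS queries from any source; consider local-service"
    return 1
}

# Demo on constructed sample configurations (not real files from the port).
demo_dir=$(mktemp -d)
printf 'domain-needed\nbogus-priv\n' > "$demo_dir/default-2.68.conf"      # old default: open
printf '# port default\nlocal-service\n' > "$demo_dir/local-service.conf"  # requested default
printf 'interface=em0\nlocal-service\n' > "$demo_dir/bound.conf"           # explicit binding
for f in "$demo_dir"/*.conf; do
    audit_dnsmasq_conf "$f"
done
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` to see the three verdicts, or source the function and point it at `/usr/local/etc/dnsmasq.conf`; a non-zero exit status from the function is the signal to act on.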