authorSimon Kelley <simon@thekelleys.org.uk>2014-03-05 15:01:08 +0000
committerSimon Kelley <simon@thekelleys.org.uk>2014-03-05 15:01:08 +0000
commit1a9a3489ecbc92f520656cf50f4301d8c73d1d8e (patch)
treec0e6a9509e60a05c6d20f3b3f568a73aa7256488
parentc8a80487cd90d30b109bfdc66252ab87e25b1bd4 (diff)
downloaddnsmasq-1a9a3489ecbc92f520656cf50f4301d8c73d1d8e.tar.gz
Set --local-service in Debian package startup.
-rw-r--r--debian/changelog6
-rw-r--r--debian/init8
-rw-r--r--src/dnsmasq.c3
3 files changed, 17 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index a6d372d..6854de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
dnsmasq (2.69-1) unstable; urgency=low
* New upstream.
+ * Set --local-service. (closes: #732610)
+ This tells dnsmasq to ignore DNS requests that don't come from a local network.
+ It's automatically ignored if --interface --except-interface, --listen-address
+ or --auth-server exist in the configuration, so for most installations, it will
+ have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+ from being vulnerable to DNS-reflection attacks.
-- Simon Kelley <simon@thekelleys.org.uk> Tue, 4 Feb 2014 16:28:12 +0000
diff --git a/debian/init b/debian/init
index df4dc08..6f35dd1 100644
--- a/debian/init
+++ b/debian/init
@@ -90,6 +90,14 @@ if [ ! "$DNSMASQ_USER" ]; then
DNSMASQ_USER="dnsmasq"
fi
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if --interface --except-interface, --listen-address
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"
+
start()
{
# Return
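Review bot: The new `DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"` line appends the flag unconditionally, after whatever the administrator already placed in `DNSMASQ_OPTS` (presumably sourced from /etc/default/dnsmasq; that sourcing is outside this hunk), so a site that intentionally serves non-local clients without any `--interface`/`--listen-address` restriction has no supported way to omit it short of editing this init script. A small guard keeps the secure default while making the exception explicit and auditable, e.g. `if [ "${DNSMASQ_LOCAL_SERVICE:-yes}" != "no" ]; then` / `DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"` / `fi` (variable name illustrative). The comment block above could then close with a line naming the knob, such as `# Set DNSMASQ_LOCAL_SERVICE=no in /etc/default/dnsmasq to omit this option.` The `start()` function that opens at the end of the hunk continues outside it.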
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 937fb2b..9ac1a37 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -661,6 +661,9 @@ int main (int argc, char **argv)
my_syslog(LOG_INFO, _("DBus support enabled: bus connection pending"));
}
#endif
+
+ if (option_bool(OPT_LOCAL_SERVICE))
+ my_syslog(LOG_INFO, _("DNS service limited to local subnets"));
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID))