osuosl-cookbooks/osl-openstack

Ensure dnsmasq does not act as an open resolver

ramereth opened this issue · 0 comments

Due to a design decision, neutron by default will allow dnsmasq to resolve to any IP addresses. This is problematic on public provider networks. As a workaround, we can create IP rules inside of the network namespace on the controller node similar to this:

iptables -A INPUT -p tcp --dport 53 ! -s 140.211.168.0/24 -j DROP
iptables -A INPUT -p udp --dport 53 ! -s 140.211.168.0/24 -j DROP

We'll need to figure out how to dynamically add this into network namespaced networks. Ideally we could just make this happen on every network based on the subnet information.
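An added example sketching the dynamic version, not part of this issue or the osl-openstack cookbook: for every qdhcp-* namespace on the controller it derives the served IPv4 subnet(s) from the DHCP port's own addresses, then installs port-53 ACCEPT rules for those subnets ahead of a catch-all DROP (the same effect as the negated-source rules above, generalised to more than one subnet) and uses `iptables -C` so re-runs do not duplicate rules. The namespace naming, inferring the subnet from the port address, and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the osl-openstack cookbook): restrict dnsmasq's port 53
# inside each Neutron DHCP namespace to the subnet(s) it serves.
# Assumptions (not stated in the issue): DHCP namespaces are named qdhcp-<net-id>,
# the DHCP port's own address/prefix identifies the served subnet, and `ip` and
# `iptables` are on PATH. Set DRY_RUN=1 to print the commands instead of running.

# cidr_network 140.211.168.37/24 -> 140.211.168.0/24 (mask the host bits off)
cidr_network() {
    addr="${1%/*}"; prefix="${1#*/}"
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip_int=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    net=$(( ip_int & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# One iptables rule per line: ACCEPT port 53 from each trusted CIDR, inserted at
# the top of INPUT, then a catch-all DROP appended at the bottom.
dns_rule_specs() {
    for cidr in "$@"; do
        for proto in udp tcp; do
            echo "-I INPUT -p $proto --dport 53 -s $cidr -j ACCEPT"
        done
    done
    for proto in udp tcp; do
        echo "-A INPUT -p $proto --dport 53 -j DROP"
    done
}

# IPv4 subnets configured on the namespace's interfaces, one CIDR per line.
subnets_in_netns() {
    ip netns exec "$1" ip -o -4 addr show scope global | awk '{print $4}' |
    while read -r addr; do cidr_network "$addr"; done
}

# Install the rules in a namespace; `iptables -C` skips rules already present,
# so the function is safe to run repeatedly (e.g. from cron or a Chef resource).
apply_dns_rules() {
    ns="$1"; shift
    dns_rule_specs "$@" | while read -r spec; do
        check="-C ${spec#-? }"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ip netns exec $ns iptables $spec"
        elif ! ip netns exec "$ns" iptables $check >/dev/null 2>&1; then
            ip netns exec "$ns" iptables $spec
        fi
    done
}

# Walk every DHCP namespace on this controller and lock down its resolver.
restrict_all_dhcp_namespaces() {
    ip netns list | awk '/^qdhcp-/ {print $1}' | while read -r ns; do
        subnets=$(subnets_in_netns "$ns")
        [ -n "$subnets" ] || continue
        # word-splitting $subnets into one argument per CIDR is intended here
        apply_dns_rules "$ns" $subnets
    done
}

if [ "${1:-}" = "--all" ]; then
    restrict_all_dhcp_namespaces
fi
```

Run it as `DRY_RUN=1 sh restrict-dns.sh --all` first to review the generated rules, then without DRY_RUN to apply them. If instances on other tenant subnets reach this dnsmasq through a router, those subnets must be passed as extra CIDRs to `apply_dns_rules`, otherwise the DROP will cut them off too; that is the trade-off of deriving the allow-list from the namespace's own addresses instead of from the Neutron subnet records.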