Bug #24053

Security issue: open DNS Resolver (port 53)

Added by Nicholas Martin over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Nice to have
Assignee: Kris Moore
Category: Middleware
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

https://forums.freenas.org/index.php?threads/freenas-11-rc1-and-rc2-both-have-an-open-dns-resolver-port-53.54614/

FreeNAS 11 RC1 and RC2 both have an open DNS Resolver (port 53). Our local security team are advising that this is a security risk and are threatening to block ports ;)

FN9.10U3 (e1497f269) does NOT have this service open.

We believe this is NOT intentional and likely due to the local DNS resolver being unbound.

Associated revisions

Revision 8ba99738 (diff)
Added by Kris Moore over 3 years ago

Disable dnsmasq by default right now. Will need to make this an optional feature to enable via the UI when using consul services at a later point. Ticket: #24053

Revision e6c4d5ea (diff)
Added by Kris Moore over 3 years ago

Disable dnsmasq by default right now. Will need to make this an optional feature to enable via the UI when using consul services at a later point. Ticket: #24053

History

#1 Updated by William Grzybowski over 3 years ago

  • Assignee changed from William Grzybowski to Kris Moore

Kris, you added dnsmasq, right? Any problems in making it only listen to localhost?

#2 Updated by Kris Moore over 3 years ago

  • Status changed from Unscreened to Needs Developer Review
  • Assignee changed from Kris Moore to William Grzybowski
  • Priority changed from No priority to Nice to have
  • Target version set to 11.0

This was left on while we tested consul functionality. I've disabled dnsmasq by default now, but we will revisit making it a UI option to enable at some point down the road in order to use consul-based failover functionality.

#3 Updated by William Grzybowski over 3 years ago

  • Status changed from Needs Developer Review to Reviewed
  • Assignee changed from William Grzybowski to Kris Moore

LGTM

#4 Updated by Vaibhav Chauhan over 3 years ago

  • Target version changed from 11.0 to 11.0-RC3

#5 Updated by Vaibhav Chauhan over 3 years ago

  • Status changed from Reviewed to Merged

#6 Updated by Vaibhav Chauhan over 3 years ago

  • Status changed from Merged to Resolved
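
The condition reported in this ticket (a DNS service on port 53 bound to more than localhost) can be checked on a FreeBSD-based host from `sockstat -l` output. The following is an added example, not code from the ticket or from FreeNAS; the sample listing is constructed, and the function names are hypothetical. It reports the bind address only and does not account for any firewall in front of the host.

```python
import ipaddress

# Constructed sample of FreeBSD `sockstat -l` output (not taken from the ticket).
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    1234  4  udp4   *:53                  *:*
nobody   dnsmasq    1234  5  tcp4   *:53                  *:*
unbound  unbound    900   3  udp4   127.0.0.1:53          *:*
unbound  unbound    900   4  udp6   ::1:53                *:*
root     sshd       800   3  tcp4   *:22                  *:*
root     named      950   7  udp4   192.0.2.10:53         *:*
"""


def is_loopback(host):
    """True only for an explicit loopback address; '*' means all interfaces."""
    if host == "*":
        return False
    try:
        # Drop optional brackets and an IPv6 zone id such as %em0.
        return ipaddress.ip_address(host.strip("[]").split("%")[0]).is_loopback
    except ValueError:
        return False  # unparseable: report it so a person reviews it


def exposed_dns_listeners(sockstat_text, port=53):
    """Return (command, pid, proto, local_address) for each listener on
    `port` that is bound to something other than loopback."""
    findings = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header or a line without an address column
        command, pid, proto, local = fields[1], fields[2], fields[4], fields[5]
        if not proto.startswith(("tcp", "udp")):
            continue
        # The port follows the last ':' (this also works for IPv6 such as ::1:53).
        host, _, lport = local.rpartition(":")
        if lport != str(port) or is_loopback(host):
            continue
        findings.append((command, pid, proto, local))
    return findings


if __name__ == "__main__":
    for command, pid, proto, local in exposed_dns_listeners(SAMPLE):
        print(f"{command} (pid {pid}) listens on {proto} {local}")
```
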
