Is using dnsmasq only on my device safe (and is it like that by default)?

piotrus3g · October 14, 2023, 11:20am

Hello,

In order to prevent dns leaks I had to enable dnsmasq on my system. That was my problem How to fix vpn dns leaks tumbleweed kde Network Manager.
But I’m curious about the security of this approach, as I saw on the internet that dns caching could have some vulnerabilities. But they seem to be related to some older version and running with some nonstandard settings. Should I be worried if I only installed it on my local machine and use default options?
I saw something that I won’t be able to use port 53 as dnsmasq is getting everything through that port, but is it true?
I also saw something about ipv6 dns problems with this approach, but I can’t use ipv6 dns without the server anyway with drill -6 example.com. So it seems that ipv6 doesn’t work by default for dns without dnsmasq.

Thanks for helping

marel · October 14, 2023, 12:23pm

Would be good to share where you got this information so others can review it themselves.

On the documentation for dnsmask I read:

There is a dnsmasq mailing list at http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss which should be the first location for queries, bugreports, suggestions etc.

I think you better of which your queries on that list.

piotrus3g · October 14, 2023, 12:53pm

That’s one of the links https://www.trendmicro.com/en_us/research/17/j/dnsmasq-reality-check-remediation-practices.html, but there are more of them. They seem to apply to dnsmasq older than 2.78, but I have a newer version, so I think it shouldn’t matter for me.