Preventing Big Data Appliance dnsmasq Update Vulnerability (CVE-1999-0184) on Exposed DNS TCP/UDP port 53
Last updated on JUNE 07, 2017
Applies to: Big Data Appliance Integrated Software - Version 4.1.0 and later
The goal of the document is to prevent the dnsmasq update vulnerability (CVE-1999-0184) on exposed DNS TCP/UDP port 53 on the Oracle Big Data Appliance (BDA).
dnsmasq is a lightweight Domain Name Server (DNS), TFTP, PXE, router advertisement and Dynamic Host Configuration Protocol (DHCP) server. It is intended to provide coupled DNS and DHCP service to a LAN.
The Big Data Appliance uses dnsmasq locally as a host file and DNS cache. On the BDA dnsmasq only needs to be available to the localhost 127.0.0.1 / lo interface.
The dnsmasq process listens on TCP and UDP port 53. By default it listens on every interface and answers requests from any source. Because it is a dynamic DNS cache, dnsmasq makes full use of RFC-2136: it builds its cache from the domain data it receives on UDP port 53. After a request has been made, dnsmasq opens a UDP port to listen for the reply and captures the returned data. The risk of leaving port 53 publicly reachable is that the cache can be poisoned or spoofed by injecting false IP data into cached A records.
On the BDA, dnsmasq can be secured by adding the following directives to /etc/dnsmasq.conf (each one is explained in the breakdown below):
The directives interface, listen-address and bind-interfaces together force dnsmasq to answer a request only if it arrives on the "lo" interface. bind-interfaces combined with interface=lo hides DNS TCP and UDP port 53 completely from outside sources. Disabling the DHCP capability with "no-dhcp-interface" (even though DHCP is neither used nor enabled on the BDA) provides an extra margin of safety.
As a breakdown:
1. interface=lo: dnsmasq listens for DHCP and DNS requests only on the loopback interface.
2. no-dhcp-interface=lo: dnsmasq provides only DNS service on the interface; DHCP is disabled on it.
   With both interface=lo and no-dhcp-interface=lo, dnsmasq listens for DNS requests only on the loopback interface.
3. listen-address=127.0.0.1: dnsmasq listens only on the address 127.0.0.1.
4. bind-interfaces: instructs dnsmasq to bind only to the interface that carries the address given in the listen-address directive.
   With both listen-address=127.0.0.1 and bind-interfaces, dnsmasq binds to 127.0.0.1 (localhost) only.
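The following script is an added verification example, not part of the Oracle note: it checks that a dnsmasq.conf contains the four directives listed above as active lines, and, where the `ss` utility is available, counts port 53 listeners still bound to a non-loopback address. The two sample configuration files it checks are constructed inline; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added verification script (not part of the Oracle note). It checks that a
# dnsmasq.conf carries the four loopback-only directives the note lists and,
# where `ss` is available, reports port 53 listeners bound to non-loopback
# addresses. Run it on a BDA node after editing the file and restarting dnsmasq.

REQUIRED_DIRECTIVES='interface=lo
no-dhcp-interface=lo
listen-address=127.0.0.1
bind-interfaces'

# dnsmasq_conf_hardened FILE: return 0 if every required directive is present as
# an active (uncommented) line; list the missing ones on stderr and return 1 otherwise.
dnsmasq_conf_hardened() {
    conf="$1"
    missing=""
    for d in $REQUIRED_DIRECTIVES; do
        # strip surrounding whitespace, then require an exact whole-line match so
        # that "#interface=lo" or "interface=eth0" do not count as the directive
        if ! sed 's/^[[:space:]]*//;s/[[:space:]]*$//' "$conf" | grep -Fxq "$d"; then
            missing="$missing $d"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "$conf: missing directives:$missing" >&2
    return 1
}

# exposed_port53_listeners: print the number of TCP/UDP listeners on port 53 bound
# to anything other than 127.0.0.1 or ::1 (prints 0 when `ss` is not installed).
exposed_port53_listeners() {
    if ! command -v ss >/dev/null 2>&1; then
        echo 0
        return 0
    fi
    # In "ss -lntu" output field 5 is Local Address:Port; a wildcard such as
    # *:53 or 0.0.0.0:53 means dnsmasq is still answering on every interface.
    ss -lntu 2>/dev/null | awk 'NR > 1 && $5 ~ /:53$/ && $5 !~ /^(127\.0\.0\.1|\[::1\]):53$/ { n++ }
                                END { print n + 0 }'
}

# Demonstration on two constructed files: an unrestricted config and the hardened one.
weak=$(mktemp); hard=$(mktemp)
printf 'cache-size=1000\n' > "$weak"
printf '%s\n' "$REQUIRED_DIRECTIVES" > "$hard"
dnsmasq_conf_hardened "$weak" && echo "weak config: hardened" || echo "weak config: exposed"
dnsmasq_conf_hardened "$hard" && echo "hard config: hardened" || echo "hard config: exposed"
echo "port 53 listeners on non-loopback addresses: $(exposed_port53_listeners)"
rm -f "$weak" "$hard"
```

To check a real node, call `dnsmasq_conf_hardened /etc/dnsmasq.conf` and expect `exposed_port53_listeners` to print 0 once dnsmasq has been restarted with the new directives.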