Preventing Big Data Appliance dnsmasq Update Vulnerability (CVE-1999-0184) on Exposed DNS TCP/UDP port 53

(Doc ID 1996737.1)

Last updated on JUNE 07, 2017

Applies to:

Big Data Appliance Integrated Software - Version 4.1.0 and later
Linux x86-64

Goal

The goal of this document is to prevent the dnsmasq update vulnerability (CVE-1999-0184) on the exposed DNS TCP/UDP port 53 of the Oracle Big Data Appliance (BDA).

General Background

dnsmasq is a lightweight Domain Name Server (DNS), TFTP, PXE, router advertisement and Dynamic Host Configuration Protocol (DHCP) server. It is intended to provide coupled DNS and DHCP service to a LAN.

The Big Data Appliance uses dnsmasq locally as a hosts-file resolver and DNS cache. On the BDA, dnsmasq only needs to be available on the localhost 127.0.0.1 / lo interface.

The dnsmasq process listens on TCP and UDP port 53. By default it listens on every interface and responds to requests from any of them. The dnsmasq process makes full use of RFC-2136 because it is a dynamic cache for DNS. It builds its cache by receiving domain data in response to requests on UDP port 53: after a request is made, dnsmasq opens a UDP port to listen on and captures the returned data. The risk of a publicly open dnsmasq port is that the cache could be compromised through cache poisoning / spoofing, by injecting wrong IP data for cached A records.

General Solution

On the BDA dnsmasq can be secured by updating /etc/dnsmasq.conf with these directives:

interface=lo
no-dhcp-interface=lo
listen-address=127.0.0.1
bind-interfaces


The above settings for interface, listen-address, and bind-interfaces force dnsmasq to respond to a request only if it arrives on the "lo" interface. The directives bind-interfaces and interface=lo hide DNS TCP and UDP port 53 completely from outside sources. Disabling the DHCP capability with "no-dhcp-interface" (even though DHCP is not used or enabled on the BDA) provides an extra margin of safety.

As a breakdown:

1. interface=lo: dnsmasq listens for DHCP and DNS requests only on the loopback interface.
2. no-dhcp-interface=lo: dnsmasq provides only DNS service on the interface; DHCP is disabled on it.
With both interface=lo and no-dhcp-interface=lo, dnsmasq listens for DNS requests only on the loopback interface.

3. listen-address=127.0.0.1: Listen on 127.0.0.1.
4. bind-interfaces: The bind-interfaces directive instructs dnsmasq to bind only to the address specified in the listen-address directive (and the interface named by interface=), instead of binding the wildcard address and filtering requests afterwards.
With both listen-address=127.0.0.1 and bind-interfaces, dnsmasq binds to 127.0.0.1 (localhost) only.
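To confirm that a node's /etc/dnsmasq.conf actually carries all four directives as active (uncommented) lines, and that no additional interface= or listen-address= line re-exposes port 53, the following audit script is an added example, not part of this Oracle note; the sample configuration strings are constructed.

```python
"""Audit a dnsmasq.conf for the loopback-only directives described above."""

# The four directives this note prescribes; each must appear as an active line.
# bind-interfaces is a flag directive and takes no value.
REQUIRED = {
    "interface": "lo",
    "no-dhcp-interface": "lo",
    "listen-address": "127.0.0.1",
    "bind-interfaces": None,
}


def parse_dnsmasq_conf(text):
    """Return (key, value) pairs for active directives; comments are dropped."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        key, sep, value = line.partition("=")
        directives.append((key.strip(), value.strip() if sep else None))
    return directives


def audit_dnsmasq_conf(text):
    """Report missing hardening directives and any value that widens exposure."""
    present = {}
    for key, value in parse_dnsmasq_conf(text):
        present.setdefault(key, []).append(value)

    missing = [key if want is None else f"{key}={want}"
               for key, want in REQUIRED.items()
               if want not in present.get(key, [])]

    # dnsmasq listens on the union of interface= and listen-address= lines,
    # so anything beyond lo / 127.0.0.1 exposes port 53 again.
    extra = [f"{key}={value}"
             for key in ("interface", "listen-address")
             for value in present.get(key, [])
             if value not in ("lo", "127.0.0.1")]

    return {"missing": missing, "extra": extra,
            "secure": not missing and not extra}


# Constructed sample: hardened file as this note prescribes.
HARDENED = "interface=lo\nno-dhcp-interface=lo\nlisten-address=127.0.0.1\nbind-interfaces\n"
# Constructed sample: stock file with the directives still commented out.
STOCK = "#interface=\n#listen-address=\n#bind-interfaces\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dnsmasq.conf"
    with open(path) as fh:
        print(audit_dnsmasq_conf(fh.read()))
```

Run it with the config path as the first argument; a result with an empty "missing" and "extra" list (secure: True) means the file matches the settings above.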

Solution
