
Preventing Big Data Appliance dnsmasq Update Vulnerability (CVE-1999-0184) on Exposed DNS TCP/UDP port 53 (Doc ID 1996737.1)

Last updated on DECEMBER 03, 2019

Applies to:

Big Data Appliance Integrated Software - Version 4.1.0 and later
Linux x86-64


The goal of this document is to prevent the dnsmasq update vulnerability (CVE-1999-0184) on the exposed DNS TCP/UDP port 53 on the Oracle Big Data Appliance (BDA).

General Background

dnsmasq is a lightweight Domain Name Server (DNS), TFTP, PXE, router advertisement and Dynamic Host Configuration Protocol (DHCP) server. It is intended to provide coupled DNS and DHCP service to a LAN.

The Big Data Appliance uses dnsmasq locally as a host file and DNS cache. On the BDA, dnsmasq only needs to be available to the localhost / lo interface.

The dnsmasq process listens on TCP and UDP port 53. By default it listens on, and responds to requests from, any interface. dnsmasq makes full use of RFC 2136 because it is a dynamic cache for DNS: it builds its cache from the domain data it receives in requests on UDP port 53. After a request is made, dnsmasq opens a UDP port to listen on and captures the data. The risk of a publicly open dnsmasq port is that the cache could be compromised through cache poisoning / spoofing, by injecting wrong IP data for cached A records.
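The check a practitioner wants before and after applying the fix is whether anything is still serving port 53 on a non-loopback address. The following is an added example, not part of the Oracle note or of the BDA software: it parses `ss -lntup` output and reports port-53 sockets that are not bound to a loopback address. The sample output below is constructed (the PIDs and the second service line are made up) to show a host where dnsmasq answers on every interface; on a real host you would feed the function the output of `subprocess.run(["ss", "-lntup"], capture_output=True, text=True).stdout`.

```python
import ipaddress

# Constructed sample of `ss -lntup` output: dnsmasq bound to every IPv4 and
# IPv6 address (0.0.0.0 / [::]) on port 53, plus one loopback-only service on
# port 25 for contrast. Column layout follows iproute2's ss; PIDs are made up.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=4242,fd=4))
udp   UNCONN 0      0               [::]:53           [::]:*    users:(("dnsmasq",pid=4242,fd=6))
tcp   LISTEN 0      32           0.0.0.0:53        0.0.0.0:*    users:(("dnsmasq",pid=4242,fd=5))
tcp   LISTEN 0      128        127.0.0.1:25        0.0.0.0:*    users:(("master",pid=1001,fd=13))
"""


def _local_address_is_exposed(local):
    """True when a local "addr:port" socket address would accept traffic from other hosts.

    The address part is an IPv4 address, a bracketed IPv6 address (possibly
    with a %scope suffix), or "*" meaning any address. Loopback addresses are
    not exposed; the unspecified addresses (0.0.0.0, ::, *) and any routable
    address are.
    """
    addr = local.rsplit(":", 1)[0].strip("[]").split("%", 1)[0]
    if addr in ("*", ""):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Unparseable address: report it rather than silently ignoring it.
        return True


def exposed_dns_listeners(ss_output, port=53):
    """Return (netid, local_address, process) for port-53 sockets not bound to loopback."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # first line is the ss header
        fields = line.split()
        if len(fields) < 5 or ":" not in fields[4]:
            continue
        netid, local = fields[0], fields[4]
        if local.rsplit(":", 1)[1] != str(port):
            continue
        if _local_address_is_exposed(local):
            process = fields[6] if len(fields) > 6 else ""
            findings.append((netid, local, process))
    return findings


if __name__ == "__main__":
    for netid, local, proc in exposed_dns_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed DNS listener: {netid} {local} {proc}")
```

After the directives from the solution below are applied and dnsmasq is restarted, the same check should return nothing, because the only port-53 sockets left are bound to the loopback address.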

General Solution

On the BDA, dnsmasq can be secured by updating /etc/dnsmasq.conf with these directives:


The directive settings above for interface, listen-address, and bind-interfaces force dnsmasq to respond to a request only if it comes from the "lo" interface. The directives bind-interfaces and interface=lo hide the DNS TCP and UDP port 53 completely from outside sources. Disabling the DHCP capability with "no-dhcp-interface" (even though DHCP is not used or enabled on the BDA) provides an extra margin of safety.

As a breakdown:

1. interface=lo: dnsmasq listens for DHCP and DNS requests only on the loopback interface.
2. no-dhcp-interface=lo: dnsmasq provides only DNS service on the interface; DHCP is disabled on the interface.
   With both interface=lo and no-dhcp-interface=lo, dnsmasq listens for DNS requests only on the loopback interface.
3. listen-address=: Listen on the given address.
4. bind-interfaces: The bind-interfaces directive instructs dnsmasq to bind only to the network interface specified in the listen-address directive.
   With both listen-address= and bind-interfaces, dnsmasq binds only to the given address (localhost).
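As an added example (not from the Oracle note or the BDA software), the following audits a dnsmasq.conf for the four directives in the breakdown above, with a constructed unrestricted config beside a constructed hardened one. The note gives only "localhost" for the listen-address value; the example assumes the IPv4 loopback address 127.0.0.1 for it. The parser follows dnsmasq's configuration syntax of one `name` or `name=value` per line, `#` comments, repeatable directives and comma-separated values.

```python
import ipaddress

# Constructed sample: a dnsmasq.conf with none of the hardening directives,
# so dnsmasq answers DNS (and would offer DHCP) on every interface.
OPEN_CONF = """\
# constructed sample: no interface or address restrictions
cache-size=1000
"""

# Constructed sample: the four directives from the note. 127.0.0.1 is assumed
# for the listen-address value (the IPv4 loopback address); the note itself
# only says "localhost".
HARDENED_CONF = """\
interface=lo
no-dhcp-interface=lo
listen-address=127.0.0.1
bind-interfaces
cache-size=1000
"""


def parse_dnsmasq_conf(text):
    """Return a dict mapping directive name -> list of values.

    A directive may repeat, so every name maps to a list. Comma-separated
    values (e.g. listen-address=127.0.0.1,::1) are split into separate
    entries; bare flags such as bind-interfaces get the single value None.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, sep, value = line.partition("=")
        values = [v.strip() for v in value.split(",")] if sep else [None]
        directives.setdefault(name.strip(), []).extend(values)
    return directives


def _is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything else or unparseable text."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_loopback_only(text):
    """Return the deviations from the loopback-only settings; an empty list means compliant."""
    conf = parse_dnsmasq_conf(text)
    findings = []
    interfaces = conf.get("interface", [])
    if interfaces != ["lo"]:
        findings.append("interface=lo missing or other interfaces listed: %r" % interfaces)
    if "lo" not in conf.get("no-dhcp-interface", []):
        findings.append("no-dhcp-interface=lo missing")
    addrs = conf.get("listen-address", [])
    if not addrs:
        findings.append("listen-address missing")
    elif not all(_is_loopback(a) for a in addrs):
        findings.append("listen-address includes a non-loopback address: %r" % addrs)
    if "bind-interfaces" not in conf:
        findings.append("bind-interfaces missing")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_loopback_only(conf)
        print(f"{label}: {'compliant' if not problems else problems}")
```

Running the audit against /etc/dnsmasq.conf on each BDA node (for example, `audit_loopback_only(open("/etc/dnsmasq.conf").read())`) gives a quick way to confirm that all four directives are in place before restarting dnsmasq.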

