After changing my GL.iNet White (GL-AR150 with firmware 3.201-release) into the mode ‘Cable LAN’ via the Web interface → More → Network Mode: Access Point, I still see dnsmasq be offered on all interfaces, even public ones. I checked this with netstat -tulpen on the SSH interface.
@GL.iNet, is it possible to disable that in the network mode Access Point? Or, if dnsmasq is required internally, restrict it to the localhost interfaces? Currently, an attacker on the network could use that DNS proxy to cloak himself, because services exist which allow surfing via DNS.
Jepp, just change from ANYHOST ( 0.0.0.0 and :: ) to LOCALHOST ( 127.0.0.1 and ::1 ) in mode Access Point. And when I change back to mode Router, change to ANYHOST again.
to the file /etc/dnsmasq.conf did the trick. With that, the DNS proxy listens not globally anymore but just locally. Until now, I found no way to do this via UCI.
Any response? Without that trick above, I am having a so called Open DNS Resolver. Could get a real pain not only for others but also for myself, because in a travel scenario I might be in an untrusted network. If each client is isolated, an attacker could browse† via my Open DNS Resolver hiding himself behind my GL.iNet access point.
† There exist HTTP over SSH over DNS services, called DNS Tunneling.
Did you get any answer from the developers? An Open DNS Resolver is considered a security issue. That report is about an IP camera. That report got a medium severity because of possible DNS Amplification Attack. Adding the mentioned DNS Tunneling attack, I even calculated a high severity. I do not want to create/publish a full blown CVE for that …