dnsmasq is often deployed at the edge (home lab, branch, router). Its risk increases when DNS and DHCP are exposed beyond trusted LAN segments.
- Bind dnsmasq to specific interfaces (interface= or listen-address=) and add bind-interfaces (or bind-dynamic); without it dnsmasq binds the wildcard address and only discards requests from other interfaces after receiving them.
- Exclude internet-facing interfaces explicitly (except-interface=, no-dhcp-interface=) rather than relying on the default of listening everywhere.
- Answer DNS and DHCP only for trusted networks: local-service restricts DNS to hosts on directly attached subnets, and a firewall rule on the WAN side should back it up.
- Do not run an open forwarder. dnsmasq does not recurse itself; it forwards to its upstreams, so an instance reachable from the internet is an open resolver that can be abused for amplification and exposed to poisoning attempts.
- Configure upstream resolvers explicitly (server=) and set no-resolv so a rewritten /etc/resolv.conf cannot redirect queries; domain-needed and bogus-priv keep unqualified names and reverse lookups for private ranges from leaking upstream.
- Restrict DHCP ranges and lease times (dhcp-range=) to what the segment actually needs.
- Avoid overlapping ranges with other DHCP servers on the same segment, and set dhcp-authoritative only when dnsmasq is the sole DHCP server there.
- Use static mappings (dhcp-host=) for critical infrastructure devices so their addresses do not depend on lease churn.
¶ DNS Rebinding and Spoofing Protection
- Enable stop-dns-rebind so upstream answers that resolve to private addresses are dropped; allow legitimate exceptions with rebind-localhost-ok and rebind-domain-ok=.
- Enable DNSSEC validation (dnssec plus a trust-anchor=) where the deployment model supports it; validation depends on accurate system time, since signatures carry validity windows, and adds latency to uncached lookups.
- Avoid plaintext upstream DNS over untrusted networks. dnsmasq itself forwards only over plain UDP/TCP port 53, so if the path to the upstreams is untrusted, encrypt it with a separate resolver or tunnel in front of them.
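The listening, upstream, DHCP and rebinding/DNSSEC settings above, as one complete dnsmasq.conf next to a small audit script that parses dnsmasq's configuration syntax and reports which of those checks a file fails. This is an added example, not configuration from the original page or from the dnsmasq project. The interface names (br-lan, wan0), the upstream addresses in 192.0.2.0/24, the MAC address and the lab.internal domain are assumptions, and a deliberately weak config is included for contrast.

```python
"""Audit a dnsmasq.conf against the hardening points in this checklist.

Added example. The two config texts below are constructed; interface names,
upstream addresses (192.0.2.x, documentation space), the MAC address and
the lab.internal domain are assumptions.
"""
from collections import defaultdict

# Weak config: wildcard listening, upstreams taken from /etc/resolv.conf,
# no rebind or DNSSEC protection, no logging.
WEAK_CONF = """\
# minimal router config (constructed sample)
dhcp-range=192.168.10.50,192.168.10.250,12h
cache-size=150
"""

# Hardened config covering the checklist above.
HARDENED_CONF = """\
# Listen only on the LAN bridge. bind-interfaces makes dnsmasq bind those
# interfaces instead of binding the wildcard address and filtering later.
interface=br-lan
bind-interfaces
except-interface=wan0
no-dhcp-interface=wan0
# Refuse DNS from addresses that are not on a directly attached subnet.
local-service

# Explicit upstreams; ignore /etc/resolv.conf, which can change at runtime.
no-resolv
server=192.0.2.53
server=192.0.2.54
domain-needed
bogus-priv

# Rebinding protection: drop upstream answers that point at private space.
stop-dns-rebind
rebind-localhost-ok
rebind-domain-ok=/lab.internal/

# DNSSEC validation. The trust anchor is the root KSK-2017 DS record;
# verify it against IANA's published anchor before deploying.
dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BB78F2B2C4B66F6D8F6E3E6
dnssec-check-unsigned

# DHCP: tight range, short leases, static mapping for infrastructure.
dhcp-range=192.168.10.100,192.168.10.199,255.255.255.0,12h
dhcp-host=aa:bb:cc:dd:ee:01,192.168.10.2,core-switch
# Only correct when this is the sole DHCP server on the segment.
dhcp-authoritative

# Logging for detection; log-queries is verbose, so send it to a file.
log-queries
log-dhcp
log-facility=/var/log/dnsmasq.log
"""


def parse_conf(text):
    """Parse dnsmasq.conf syntax: one option per line, either 'key' (a flag)
    or 'key=value'; lines starting with '#' are comments. Options such as
    server= and dhcp-range= may repeat, so every key maps to a list; a flag
    maps to [None]."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        conf[key.strip()].append(value.strip() if sep else None)
    return conf


# (check name, predicate over the parsed config)
CHECKS = [
    ("scoped-listening", lambda c: ("interface" in c or "listen-address" in c)
     and ("bind-interfaces" in c or "bind-dynamic" in c)),
    ("no-open-forwarder", lambda c: "local-service" in c or "except-interface" in c),
    ("explicit-upstreams", lambda c: "no-resolv" in c and bool(c.get("server"))),
    ("rebind-protection", lambda c: "stop-dns-rebind" in c),
    ("dnssec-with-anchor", lambda c: "dnssec" in c and bool(c.get("trust-anchor"))),
    ("dhcp-range-set", lambda c: bool(c.get("dhcp-range"))),
    ("logging", lambda c: "log-queries" in c and "log-dhcp" in c),
]


def audit(text):
    """Return the names of the checks that a config text fails."""
    conf = parse_conf(text)
    return [name for name, ok in CHECKS if not ok(conf)]


if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: fails {audit(conf_text) or 'nothing'}")
```

The audit only inspects the file; run `dnsmasq --test -C <file>` as well, since that is what validates option syntax, and remember that a config can pass every check here and still be exposed if the host firewall lets port 53 or 67 in from the WAN side.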
¶ Patch and Monitor
- Update dnsmasq promptly; security fixes are frequent, and router and embedded builds often lag well behind upstream.
- Log queries and DHCP events (log-queries, log-dhcp, log-facility=) in production environments; log-queries is verbose, so budget disk space for it.
- Alert on unusual per-client query rates, queries arriving from outside the trusted networks, and dnsmasq's own warnings, such as the message it logs when stop-dns-rebind discards an answer.
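The monitoring points above, as a detection pass over dnsmasq's log-queries output. This is an added example, not code from the original page or from the dnsmasq project. The log lines are constructed in dnsmasq's syslog format (one DHCP line is included to show non-query lines passing through), and the trusted subnet and the per-second threshold are assumptions.

```python
"""Detection over dnsmasq logs produced with log-queries and log-dhcp.

Added example. The log lines are constructed in dnsmasq's syslog format;
the trusted subnet and the per-second threshold are assumptions.
"""
import ipaddress
import re
from collections import Counter

TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # assumed LAN
RATE_LIMIT_PER_SEC = 3  # assumed ceiling for one client in one second

# "query[TYPE] name from client" is what log-queries emits for each question.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)
# Logged when stop-dns-rebind discards an answer carrying a private address.
REBIND_RE = re.compile(r"possible DNS-rebind attack detected: (?P<name>\S+)$")

# Constructed sample: a normal lookup, a query from outside the LAN, a blocked
# rebind, a burst of TXT queries from one client, and one DHCP event.
SAMPLE_LOG = """\
Mar  3 10:00:01 gw dnsmasq[812]: query[A] updates.example.net from 192.168.10.23
Mar  3 10:00:01 gw dnsmasq[812]: forwarded updates.example.net to 192.0.2.53
Mar  3 10:00:01 gw dnsmasq[812]: reply updates.example.net is 198.51.100.7
Mar  3 10:00:02 gw dnsmasq[812]: query[A] intranet.lab.internal from 203.0.113.9
Mar  3 10:00:03 gw dnsmasq[812]: query[A] evil.example.org from 192.168.10.23
Mar  3 10:00:03 gw dnsmasq[812]: possible DNS-rebind attack detected: evil.example.org
Mar  3 10:00:04 gw dnsmasq[812]: query[TXT] a1.t.example.com from 192.168.10.77
Mar  3 10:00:04 gw dnsmasq[812]: query[TXT] a2.t.example.com from 192.168.10.77
Mar  3 10:00:04 gw dnsmasq[812]: query[TXT] a3.t.example.com from 192.168.10.77
Mar  3 10:00:04 gw dnsmasq[812]: query[TXT] a4.t.example.com from 192.168.10.77
Mar  3 10:00:04 gw dnsmasq[812]: query[TXT] a5.t.example.com from 192.168.10.77
Mar  3 10:00:05 gw dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.10.120 02:42:ac:11:00:05 laptop
"""


def parse_query(line):
    """Return the fields of a query line, or None for any other line."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(src):
    """True when the query source lies inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # not an IP literal: skip rather than alert on it
        return True
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return (rule, detail) alerts: queries from outside the trusted networks,
    answers dropped by stop-dns-rebind, and clients exceeding the per-second
    rate. Syslog timestamps have one-second resolution, so the rate check
    counts queries per client per second rather than over a sliding window."""
    alerts = []
    per_client_second = Counter()
    for line in lines:
        q = parse_query(line)
        if q:
            if not is_trusted(q["src"]):
                alerts.append(("untrusted-source", f"{q['src']} asked for {q['name']}"))
            per_client_second[(q["src"], q["ts"])] += 1
            continue
        m = REBIND_RE.search(line)
        if m:
            alerts.append(("rebind-blocked", m.group("name")))
    for (src, ts), n in sorted(per_client_second.items()):
        if n > RATE_LIMIT_PER_SEC:
            alerts.append(("rate-spike", f"{src} sent {n} queries at {ts}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule}: {detail}")
```

An untrusted-source alert from a properly scoped instance means the interface binding or the firewall is not doing its job, so it is worth treating as a configuration failure rather than just noise; the rate threshold needs tuning per site, since a single busy host can legitimately exceed three queries a second.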