dnsmasq is often deployed at the edge (home lab, branch, router). Its risk increases when DNS and DHCP are exposed beyond trusted LAN segments.
Stay current with dnsmasq releases to include security patches:
- CVE-2025-12198 (2025): Heap buffer overflow in the parse_hex() function. Affects versions before 2.92. Exploitable via malformed DHCPv6 packets. Fixed in v2.92. Upgrade immediately.
- CVE-2023-50387 (2023): KeyTrap. A DNSSEC-validating resolver can be driven into quadratic work by a single response carrying many DNSKEY records with colliding key tags and many RRSIGs, because the validator tries every candidate key against every signature. Only relevant when validation (dnssec) is enabled. Fixed in v2.90.
- CVE-2023-50868 (2023): NSEC3 closest-encloser attack. Crafted denial-of-existence responses force a validating resolver to compute very large numbers of NSEC3 hashes. Fixed in v2.90.
Always run the latest stable release (currently v2.92) to benefit from security fixes.
- Bind dnsmasq to specific interfaces (interface= / listen-address=).
- Do not rely on the default: with no interface= or listen-address= directive dnsmasq listens on the wildcard address and answers on every interface, internet-facing ones included.
- Use bind-interfaces or bind-dynamic so the sockets are bound only to the chosen interfaces; bind-dynamic also tracks interfaces that appear after startup (PPP links, VPN tunnels).
- Allow DNS and DHCP only from trusted networks.
- Keep the resolver private. dnsmasq forwards rather than recurses, but an open forwarder is still a cache-poisoning and amplification target; local-service restricts answers to hosts on directly attached subnets.
- Configure upstream resolvers explicitly (server= directives, with no-resolv so that /etc/resolv.conf is ignored).
- Block external clients with firewall rules that restrict port 53 to the LAN subnets.
- Restrict DHCP ranges and lease policies.
- Avoid overlapping ranges with other DHCP servers.
- Use static mappings for critical infrastructure devices (dhcp-host=).
- Monitor the lease file (/var/lib/misc/dnsmasq.leases by default, or the path set with dhcp-leasefile=) for anomalies.
¶ DNS Rebinding and Spoofing Protection
- Enable anti-rebinding controls (stop-dns-rebind, with rebind-domain-ok= for the internal zones that legitimately resolve to private addresses, and rebind-localhost-ok where loopback answers are expected).
- Use DNSSEC validation (dnssec, dnssec-check-unsigned) when upstream servers support it.
- Enable DNS-0x20 encoding (dns-0x20, v2.91+) for cache-poisoning protection via query case randomization (default-off, opt-in).
- Avoid insecure upstream DNS over untrusted networks.
- Keep trust anchors current (trust-anchor=).
- Monitor for DNSSEC-related CVEs (KeyTrap, NSEC3 attacks).
- Use dnssec-check-unsigned to detect downgrade attacks: dnsmasq then demands proof (a validated absence of DS records) that an unsigned answer really comes from an unsigned zone, instead of accepting an answer whose signatures were stripped in transit.
- Validation needs upstreams that pass RRSIG/DNSKEY records through. If yours strip them, every answer fails validation and resolution breaks; either point dnsmasq at DNSSEC-capable upstreams or leave dnssec off, rather than running validation against resolvers that cannot support it.
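The hardening lists above, applied to one configuration file, as an added example (not code from the dnsmasq project or the original page): a hardened dnsmasq.conf that uses the interface, upstream, DHCP, rebinding, DNSSEC and logging directives discussed so far, a deliberately weak configuration beside it, and a small audit function that reports which hardening directives a configuration lacks. The interface name lan0, the 192.168.1.0/24 pool, the corp.internal rebind exception, the Quad9 forwarders and the trust-anchor file path are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example, not dnsmasq project code. Writes a hardened and a weak
# dnsmasq.conf to temp files and audits both for missing hardening directives.
# lan0, the 192.168.1.0/24 pool, corp.internal and the trust-anchor path are
# assumptions.

HARDENED=$(mktemp); WEAK=$(mktemp)
trap 'rm -f "$HARDENED" "$WEAK"' EXIT

cat > "$HARDENED" <<'EOF'
# --- listening: only the LAN interface, sockets bound to it, not the wildcard
interface=lan0
bind-dynamic
# --- upstream: ignore /etc/resolv.conf and name the forwarders explicitly
no-resolv
server=9.9.9.9
server=149.112.112.112
# --- answer only hosts on directly attached subnets; never leak private
#     reverse lookups or unqualified names upstream
local-service
domain-needed
bogus-priv
# --- DHCP: bounded pool, fixed addresses for infrastructure
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,12h
dhcp-host=aa:bb:cc:dd:ee:01,192.168.1.2,core-switch
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
# --- rebinding: drop upstream answers pointing into private space, except
#     for the one internal zone that legitimately does so
stop-dns-rebind
rebind-localhost-ok
rebind-domain-ok=/corp.internal/
# --- DNSSEC validation; the trust-anchor file path is distribution specific
dnssec
dnssec-check-unsigned
conf-file=/usr/share/dnsmasq-base/trust-anchors.conf
# --- logging to a dedicated file that can be shipped to the SIEM
log-queries
log-dhcp
log-facility=/var/log/dnsmasq.log
EOF

cat > "$WEAK" <<'EOF'
# A typical "it works" config: answers on every interface, forwards to
# whatever /etc/resolv.conf says, no rebind or DNSSEC controls, no logs,
# and a leftover boot-time flag that disables signature validity checks
dhcp-range=192.168.1.100,192.168.1.200,12h
cache-size=1000
dnssec-no-timecheck
EOF

# Print one line per finding and return the number of findings.
# Entries are regular expressions, so alternatives such as
# bind-dynamic|bind-interfaces count as a single requirement.
audit_dnsmasq_conf() {
    conf=$1
    findings=0
    for want in '^interface=' '^(bind-dynamic|bind-interfaces)' '^no-resolv' \
                '^server=' '^local-service' '^stop-dns-rebind' '^dnssec$' \
                '^dnssec-check-unsigned' '^log-queries' '^log-dhcp'; do
        grep -Eq "$want" "$conf" || {
            echo "missing: $want"
            findings=$((findings + 1))
        }
    done
    # dnssec-no-timecheck is meant for hosts without a clock at boot; left
    # in place it accepts expired and not-yet-valid signatures forever
    if grep -Eq '^dnssec-no-timecheck' "$conf"; then
        echo "dnssec-no-timecheck left enabled"
        findings=$((findings + 1))
    fi
    return "$findings"
}

echo "== hardened config =="; audit_dnsmasq_conf "$HARDENED" || true
echo "== weak config =="; audit_dnsmasq_conf "$WEAK" || true
```

The audit only checks policy, not syntax; run `dnsmasq --test -C <file>` as well, which parses the file and exits non-zero on errors, before reloading the service.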
¶ Patch and Monitor
- Update dnsmasq regularly due to frequent security fixes.
- Log queries and DHCP events in production environments (log-queries, log-dhcp). Both are verbose; on a busy resolver size the log volume before enabling them.
- Alert on unusual request rates and malformed traffic patterns.
- Monitor the log for anomalies. dnsmasq logs to syslog by default; log-facility=/var/log/dnsmasq.log sends it to a dedicated file instead.
- Subscribe to the dnsmasq-announce mailing list for release notifications.
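The kind of checks the monitoring items above call for, as an added example (not code from the dnsmasq project or the original page): four shell functions run over a log written with log-queries and log-dhcp and over the lease file. They flag clients with an unusual query count (a chatty host or DNS tunnelling), count rebind attempts that stop-dns-rebind blocked, count distinct DHCPDISCOVER sources (a burst far above the LAN population means pool starvation), and list leases outside the expected pool. The log lines and leases are constructed to match dnsmasq's message formats; the thresholds, the lan0 interface and the 192.168.1.0/24 pool are assumptions.

```shell
#!/bin/sh
# Added example, not dnsmasq project code. Detection checks over a dnsmasq
# log (log-queries + log-dhcp) and the lease file. All sample data below is
# constructed; lan0 and the 192.168.1. pool prefix are assumptions.

LOG=$(mktemp); LEASES=$(mktemp)
trap 'rm -f "$LOG" "$LEASES"' EXIT

cat > "$LOG" <<'EOF'
Mar  3 10:00:01 dnsmasq[1234]: query[A] intranet.example from 192.168.1.10
Mar  3 10:00:01 dnsmasq[1234]: forwarded intranet.example to 9.9.9.9
Mar  3 10:00:01 dnsmasq[1234]: query[A] intranet.example from 192.168.1.10
Mar  3 10:00:02 dnsmasq[1234]: query[A] evil.example from 192.168.1.20
Mar  3 10:00:02 dnsmasq[1234]: possible DNS-rebind attack detected: evil.example
Mar  3 10:00:03 dnsmasq[1234]: query[TXT] 6a7b.t.example from 192.168.1.30
Mar  3 10:00:03 dnsmasq[1234]: query[TXT] 9c1d.t.example from 192.168.1.30
Mar  3 10:00:04 dnsmasq[1234]: query[TXT] e2f3.t.example from 192.168.1.30
Mar  3 10:00:10 dnsmasq-dhcp[1234]: DHCPDISCOVER(lan0) 02:00:00:00:00:01
Mar  3 10:00:10 dnsmasq-dhcp[1234]: DHCPOFFER(lan0) 192.168.1.100 02:00:00:00:00:01
Mar  3 10:00:10 dnsmasq-dhcp[1234]: DHCPDISCOVER(lan0) 02:00:00:00:00:02
Mar  3 10:00:10 dnsmasq-dhcp[1234]: DHCPDISCOVER(lan0) 02:00:00:00:00:03
Mar  3 10:00:10 dnsmasq-dhcp[1234]: DHCPDISCOVER(lan0) 02:00:00:00:00:04
Mar  3 10:00:11 dnsmasq-dhcp[1234]: DHCPDISCOVER(lan0) 02:00:00:00:00:01
EOF

# Lease file layout: expiry-epoch MAC IP hostname client-id
cat > "$LEASES" <<'EOF'
1741000000 02:00:00:00:00:01 192.168.1.100 host1 01:02:00:00:00:00:01
1741000000 02:00:00:00:00:02 192.168.1.101 host2 *
1741000000 02:00:00:00:00:09 10.0.0.9 rogue *
EOF

# Clients that sent more than $2 queries. The client address is the last
# field of every "query[...]" line. Output: "<client> <count>" per line.
dns_top_talkers() {
    awk -v max="$2" '/ query\[/ { n[$NF]++ }
        END { for (c in n) if (n[c] > max) print c, n[c] }' "$1" | sort
}

# Upstream answers dnsmasq refused because they pointed at private or
# loopback space (only logged when stop-dns-rebind is on)
rebind_alerts() {
    grep -c 'possible DNS-rebind attack detected' "$1" || true
}

# Distinct MAC addresses that sent DHCPDISCOVER; repeats are counted once
dhcp_discover_macs() {
    awk '/DHCPDISCOVER\(/ && !($NF in seen) { seen[$NF] = 1; n++ }
         END { print n + 0 }' "$1"
}

# Leases whose address does not start with the pool prefix in $2
leases_outside_pool() {
    awk -v pfx="$2" 'index($3, pfx) != 1 { print $2, $3 }' "$1"
}

echo "noisy clients (> 2 queries):"; dns_top_talkers "$LOG" 2
echo "rebind alerts:     $(rebind_alerts "$LOG")"
echo "DISCOVER sources:  $(dhcp_discover_macs "$LOG")"
echo "leases outside 192.168.1.0/24:"; leases_outside_pool "$LEASES" 192.168.1.
```

In production, point the functions at the file named by log-facility= and at dhcp-leasefile=, and run them from cron or a log shipper with thresholds sized to the number of hosts on the segment; a DISCOVER count several times the host population in one window is the starvation signature.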
# Allow DNS only from the LAN (assumes lan0 is the LAN interface and INPUT has a DROP policy)
iptables -A INPUT -i lan0 -p udp --dport 53 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -i lan0 -p tcp --dport 53 -s 192.168.1.0/24 -j ACCEPT
# Allow DHCP only from the LAN interface. Match the interface, not the source address:
# a client without a lease sends DISCOVER from 0.0.0.0 to 255.255.255.255, so a
# -s 192.168.1.0/24 rule here would break address assignment. Only the server
# port 67 needs to be open; 68 is the client side.
iptables -A INPUT -i lan0 -p udp --dport 67 -j ACCEPT
# Drop DNS and DHCP arriving on any other interface, whatever the chain policy
iptables -A INPUT -p udp -m multiport --dports 53,67 -j DROP
iptables -A INPUT -p tcp --dport 53 -j DROP