MaraDNS is a lightweight DNS server with a minimal codebase designed for security through simplicity. However, it has known vulnerabilities and requires careful hardening for production use.
Known Vulnerabilities:
| CVE ID | Severity | Description | Fixed Version |
|---|---|---|---|
| CVE-2023-31137 | High | Buffer overflow in zone file parsing | 3.5.0036 |
| CVE-2022-30256 | High | Denial of service via malformed queries | 3.5.0036 |
Impact: These vulnerabilities led to MaraDNS's removal from Debian testing (trixie) in 2023. The Debian 12 (bookworm) and Ubuntu packages still ship the vulnerable version 2.0.13.
Recommendation: Always use version 3.5.0036 or later built from source for secure deployments.
```bash
# ❌ Avoid: Distribution packages (vulnerable 2.0.13)
sudo apt install maradns   # Debian/Ubuntu - VULNERABLE

# ✅ Recommended: Build from source (secure 3.5.0036)
curl -O https://maradns.samiam.org/download/3.5/3.5.0036/maradns-3.5.0036.tar.xz

# Download the signature and verify the tarball BEFORE extracting or building it
curl -O https://maradns.samiam.org/download/3.5/3.5.0036/maradns-3.5.0036.tar.xz.sig
# Verify with GPG (if the release key is available); stop here if verification fails
gpg --verify maradns-3.5.0036.tar.xz.sig maradns-3.5.0036.tar.xz

tar -xJf maradns-3.5.0036.tar.xz
cd maradns-3.5.0036
./configure && make && sudo make install
```
Never bind to all interfaces unless required:
```
# ❌ Insecure: Listens on all interfaces
ipv4_bind_addresses = "0.0.0.0"

# ✅ Secure: Specific interfaces only
ipv4_bind_addresses = "127.0.0.1, 192.168.1.10"
```
Restrict DNS traffic to required sources:
```bash
# Allow DNS from trusted networks only
sudo ufw allow from 192.168.1.0/24 to any port 53 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 53 proto tcp

# Block all other DNS traffic
sudo ufw deny 53/udp
sudo ufw deny 53/tcp
```
If running a recursive resolver, restrict who may recurse through it:
```
# Allow recursion from trusted networks only
recursive_acl = "127.0.0.1/32, 192.168.1.0/24, 10.0.0.0/8"
```
🔒 Critical: Open recursive resolvers can be abused for DNS amplification DDoS attacks.
MaraDNS supports chroot for isolation:
```
# Run in chroot jail
chroot_dir = "/etc/maradns"
csv2_chroot_dir = "/etc/maradns"
```
Set up the chroot environment:
```bash
sudo mkdir -p /etc/maradns
sudo chown root:root /etc/maradns
sudo chmod 755 /etc/maradns

# Copy zone files
sudo cp db.example.com /etc/maradns/
sudo cp mararc /etc/maradns/

# Set permissions
sudo chmod 644 /etc/maradns/mararc
sudo chmod 644 /etc/maradns/db.*
```
Run with minimal privileges:
```
# Run as unprivileged user (after binding to port 53)
maradns_uid = 65534   # nobody
maradns_gid = 65534   # nogroup
```
```bash
# Restrict zone file access: the group must be the one maradns_gid names
# (65534 is "nogroup" on Debian/Ubuntu), or the server cannot read its zones
sudo chown root:nogroup /etc/maradns/db.*
sudo chmod 640 /etc/maradns/db.*

# Prevent unauthorized modifications
sudo chattr +i /etc/maradns/db.example.com   # Make immutable
```
Check zone file syntax before deployment:
```bash
# Test zone file
maradns_check -f /etc/mararc

# Query test
dig @127.0.0.1 example.com ANY
```
```
# Log queries for analysis (use with caution in production)
verbose_level = 1
```
```bash
# Watch for unusual query patterns
sudo tail -f /var/log/syslog | grep maradns

# Capture DNS responses (QR bit set in the DNS header, udp[10] = flags byte);
# a flood of large responses to a few clients points to amplification
sudo tcpdump -i any -n 'port 53 and udp[10] & 0x80 != 0'

# Monitor query rate
watch -n 1 'netstat -anup | grep :53 | wc -l'
```
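Eyeballing `tail -f` output does not scale; the two signals worth automating are a single client's query rate and its share of query types that produce large responses (`ANY`, `TXT`, `DNSKEY`, `RRSIG`), which is what amplification abuse looks like on the authoritative side. The following is an added example, not code from MaraDNS: it runs that logic over a constructed, simplified log format (`timestamp client qname qtype`, one query per line). MaraDNS's own verbose output looks different, so `LOG_RE` is an assumption to adapt to whatever your logger emits; the thresholds are illustrative defaults.

```python
"""Flag DNS clients that look like amplification abuse in a query log.

Added example, not part of MaraDNS.  The log format (one query per line:
"<ISO timestamp> <client IPv4> <qname> <qtype>") is a constructed,
normalised form; adapt LOG_RE to your real log lines.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<qname>\S+) (?P<qtype>[A-Z]+)$')

# Query types whose answers are usually far larger than the question,
# hence the ones an amplification attacker asks for.
LARGE_RESPONSE_TYPES = {'ANY', 'TXT', 'DNSKEY', 'RRSIG'}

# Constructed sample log: normal LAN clients, one client hammering ANY,
# and one client with a suspicious mix of TXT queries.
SAMPLE_LOG = (
    "2024-05-01T12:00:00 192.168.1.20 www.example.com A\n"
    "2024-05-01T12:00:03 192.168.1.20 www.example.com AAAA\n"
    "2024-05-01T12:00:09 192.168.1.21 mail.example.com MX\n"
    + "".join(f"2024-05-01T12:00:{i:02d} 203.0.113.7 example.com ANY\n"
              for i in range(12))
    + "2024-05-01T12:01:00 198.51.100.5 example.com TXT\n"
    "2024-05-01T12:01:05 198.51.100.5 example.com TXT\n"
    "2024-05-01T12:01:10 198.51.100.5 example.com TXT\n"
    "2024-05-01T12:01:15 198.51.100.5 example.com TXT\n"
    "2024-05-01T12:01:20 198.51.100.5 www.example.com A\n"
    "2024-05-01T12:01:25 198.51.100.5 mail.example.com A\n"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.fromisoformat(rec['ts'])
    return rec


def analyze(lines, window=timedelta(seconds=60), max_queries=10,
            large_ratio=0.5, min_queries=5):
    """Return {client_ip: [reason, ...]} for clients that trip either signal.

    Signal 1: more than max_queries queries inside any sliding `window`.
    Signal 2: at least `large_ratio` of the client's queries (given at least
              min_queries of them) are for large-response types.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec['client']].append(rec)

    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r['ts'])
        reasons = []

        # Peak number of queries inside any window (two-pointer sweep).
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_queries:
            reasons.append(f'{peak} queries within {int(window.total_seconds())}s')

        # Share of large-response query types.
        types = Counter(r['qtype'] for r in recs)
        large = sum(types[t] for t in LARGE_RESPONSE_TYPES)
        if len(recs) >= min_queries and large / len(recs) >= large_ratio:
            reasons.append(f'{large}/{len(recs)} queries for large-response types')

        if reasons:
            findings[client] = reasons
    return findings


if __name__ == '__main__':
    for client, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(client, '->', '; '.join(reasons))
```

On the sample, 203.0.113.7 trips both signals and 198.51.100.5 only the type-mix one, while the LAN clients stay clean. Feed a suspect client straight into the `ufw deny from <ip>` style rule from the firewall section rather than raising the threshold until the noise goes away.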
Look for suspicious patterns:
When running MaraDNS in Docker:
```yaml
services:
  maradns:
    image: maradns:3.5.0036
    ports:
      - "53:53/udp"
    cap_add:
      - NET_BIND_SERVICE
    read_only: true             # Read-only filesystem
    security_opt:
      - no-new-privileges:true
    user: "65534:65534"         # Run as nobody
```
⚠️ Important: MaraDNS does not support DNSSEC by design.
Implications:
Alternatives with DNSSEC:
If you suspect a security incident:
Security consulting available: Our team provides:
Contact us or email office@linux-server-admin.com.