- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 14
- Fix Version/s: None
- Component/s: None
- Labels:
- ToDo:
- Asterisk Version: 15.5.0
- Distro Version: 14.0.5.25
- Distro: FreePBX Distro
In the default configuration, FreePBX comes with an open DNS resolver that is reachable from anywhere. Firewall configuration doesn't contain an option to disable access. Of course one can always add a 'custom service' but that seems counter-intuitive for an out-of-the-box function.
While one can discuss the pros and cons of installing a DNS resolver on a system that doesn't really need it, it is certainly a bad idea to make that resolver accessible from the outside. Especially if the resolver is mDNS which is definitely not meant to be accessible from the internet!
Future versions of FreePBX should have mDNS configured in a way that isn't exploitable for DDNS attacks. To achieve this please consider the following solution:
Add DNS service to Firewall configuration (maybe in the tab 'extra services') and close the port for the internet zone by default. That way FreePBX can continue to offer DNS services to telephones connected through a safe zone (LAN/VPN).
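
A listener check for the exposure described in this report, added here as an example and not taken from the ticket or from FreePBX code. It assumes the standard ports UDP 53 (DNS) and UDP 5353 (mDNS) and the column layout of `ss -H -lun`; the sample output and function names are constructed for illustration.

```python
import ipaddress

# Assumption: standard ports for unicast DNS and mDNS.
WATCHED_PORTS = {53: "DNS", 5353: "mDNS"}

# Constructed sample of `ss -H -lun` output (not captured from a real system).
# Assumed columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
UNCONN 0 0 192.168.1.10:53 0.0.0.0:*
UNCONN 0 0 [::]:53 [::]:*
UNCONN 0 0 0.0.0.0:5060 0.0.0.0:*
"""


def classify_bind(addr):
    """Return 'wildcard', 'loopback' or 'specific' for a local bind address."""
    host = addr.strip("[]").split("%", 1)[0]  # drop brackets and %interface scope
    if host in ("*", ""):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "specific"  # unparsable address: leave it for manual review
    if ip.is_unspecified:
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"


def exposed_dns_listeners(ss_output):
    """List DNS/mDNS UDP listeners that are not confined to loopback.

    A 'wildcard' bind answers on every interface, so only the firewall zone
    rules keep it away from the internet; a 'specific' bind needs a check
    of which zone that address belongs to.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in WATCHED_PORTS:
            continue
        scope = classify_bind(addr)
        if scope != "loopback":
            findings.append((WATCHED_PORTS[int(port)], addr, int(port), scope))
    return findings
```

On a live system, pass the text output of `ss -H -lun` to `exposed_dns_listeners` and compare each finding against the firewall zone assigned to that interface.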