Set --local-service in Debian package startup.

debian/changelog

@@ -1,6 +1,12 @@
 dnsmasq (2.69-1) unstable; urgency=low
 
    * New upstream.
+   * Set --local-service. (closes: #732610)
+     This tells dnsmasq to ignore DNS requests that don't come from a local network.
+     It's automatically ignored if  --interface --except-interface, --listen-address
+     or --auth-server exist in the configuration, so for most installations, it will
+     have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+     from being vulnerable to DNS-reflection attacks.
 
  -- Simon Kelley <simon@thekelleys.org.uk>  Tue, 4 Feb 2014 16:28:12 +0000
 

debian/init

@@ -90,6 +90,14 @@ if [ ! "$DNSMASQ_USER" ]; then
    DNSMASQ_USER="dnsmasq"
 fi
 
+# This tells dnsmasq to ignore DNS requests that don't come from a local network.
+# It's automatically ignored if  --interface --except-interface, --listen-address 
+# or --auth-server exist in the configuration, so for most installations, it will
+# have no effect, but for otherwise-unconfigured installations, it stops dnsmasq
+# from being vulnerable to DNS-reflection attacks.
+
+DNSMASQ_OPTS="$DNSMASQ_OPTS --local-service"
+
 start()
 {
         # Return

src/dnsmasq.c

@@ -662,6 +662,9 @@ int main (int argc, char **argv)
     }
 #endif
 
+  if (option_bool(OPT_LOCAL_SERVICE))
+    my_syslog(LOG_INFO, _("DNS service limited to local subnets"));
+  
 #ifdef HAVE_DNSSEC
   if (option_bool(OPT_DNSSEC_VALID))
     my_syslog(LOG_INFO, _("DNSSEC validation enabled"));