The version of dnsmasq in 1.1.7 is very old (2.55, from 2010) and vulnerable to a large number of CVEs, including the following (released yesterday by Google Project Zero):

• CVE-2017-14491 (critical; RCE)
• CVE-2017-14495 (medium; OOM/DOS)
• CVE-2017-14496 (medium; OOM/DOS)

And the following (which are also in T403):

• CVE-2015-3294 (medium; heap read/DOS)

There are also a lot of vulnerabilities in the non-DNS parts of dnsmasq, but AFAICT VyOS uses ISC DHCPD for DHCP and never enables the dnsmasq DHCP server. If I'm wrong about that and there's some case where dnsmasq DHCPD will be enabled, let me know and I can add it to this ticket.

There are already reports of active abuse on the Internet, and it would be nice to get an updated dnsmasq package into 1.1.8 (and 1.1.8 out the door soon). If that doesn't happen, maybe it's time to publish an advisory against using DNS services in VyOS (which would be personally inconvenient to me as a user because I don't really want to have to stick another server running another Linux distro with a newer-than-7-years-old dnsmasq in it everywhere I have VyOS).

Otherwise, everybody who has DNS serving enabled on some branch office VyOS device is going to be able to be shelled over port 53.

This ticket was created on the recommendation of @syncer from Q111.