Having an open DNS resolver (one that does recursion for anyone who asks) out there on the internet is a bad thing. Many of you are using dnsmasq as a client-side cache, but if it answers recursive queries from the whole internet your machine effectively becomes a security threat (like running an open mail relay). So here's how to fix it quickly on your OpenVPN servers.
All we're going to do is tell the dnsmasq process to listen only on the tun0 interface. In other words, if you're not on the VPN, you don't get to use dnsmasq.
Find your dnsmasq.conf file. On CentOS it's /etc/dnsmasq.conf.
Find the following line (or just add it):
listen-address=10.8.0.1 (where 10.8.0.1 is the IP address assigned to your tunnel interface). Note that once you set a listen-address, dnsmasq no longer listens on loopback automatically, so if processes on the server itself should keep using the cache, add a second line: listen-address=127.0.0.1
Then just restart dnsmasq:
service dnsmasq restart
You can test this by sending a DNS query to your VPN server's public address on port 53 before and after the configuration change. After the change it shouldn't answer / be reachable unless you're connected to your VPN!
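To make the before/after check repeatable, here's a small shell audit I've added for this post (it's my example code, not part of dnsmasq or the original write-up). It checks a dnsmasq.conf for the open-resolver problem and interprets the socket listing from `ss -H -lun` so you can see whether port 53 is bound on every address. It assumes 10.8.0.1 is the tun0 address, that the config path is passed as an argument, and all the sample config and ss lines in it are constructed for demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a dnsmasq.conf for the
# open-resolver problem and interpret `ss -H -lun` output.
# Assumptions: 10.8.0.1 is the tun0 address, the config path is passed as
# an argument, and every sample config/ss line below is constructed.

# audit_dnsmasq_conf FILE
# Returns 0 when the file restricts where dnsmasq listens (a listen-address=
# or interface= line is present), 1 when dnsmasq would answer on every address.
# A missing bind-interfaces is only a warning: dnsmasq still drops queries
# from other addresses, but the socket itself stays bound to 0.0.0.0:53.
audit_dnsmasq_conf() {
    file="$1"
    rc=0
    # Strip comments, trailing whitespace and blank lines once so each check
    # sees clean "key=value" directives.
    conf=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$file")
    if ! printf '%s\n' "$conf" | grep -Eq '^(listen-address|interface)='; then
        echo "OPEN: no listen-address= or interface= line; dnsmasq answers on every address"
        rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^bind-interfaces$'; then
        echo "WARN: bind-interfaces missing; socket still bound to 0.0.0.0:53, queries filtered in userspace"
    fi
    # With listen-address set, loopback is no longer listened on automatically.
    if printf '%s\n' "$conf" | grep -Eq '^listen-address=' &&
       ! printf '%s\n' "$conf" | grep -Eq '^listen-address=(.*,)?127\.0\.0\.1(,|$)'; then
        echo "NOTE: no listen-address=127.0.0.1; processes on the server itself won't reach the cache"
    fi
    return $rc
}

# port53_binds
# Reads `ss -H -lun` output (listening UDP sockets, no header) on stdin and
# prints the local address:port of every socket bound to port 53. The local
# address is the 4th whitespace-separated column of that output.
port53_binds() {
    awk '$4 ~ /:53$/ { print $4 }'
}

# port53_open_to_world
# Returns 0 if any port-53 socket is bound to a wildcard address (0.0.0.0,
# * or [::]), i.e. the resolver is reachable on every interface.
port53_open_to_world() {
    port53_binds | grep -Eq '^(0\.0\.0\.0|\*|\[::\]):53$'
}

# Demonstration on constructed data. On a real server you would run:
#   audit_dnsmasq_conf /etc/dnsmasq.conf
#   ss -H -lun | port53_open_to_world && echo "port 53 bound on all addresses"
demo_conf=$(mktemp)
printf 'listen-address=10.8.0.1\nlisten-address=127.0.0.1\nbind-interfaces\n' > "$demo_conf"
audit_dnsmasq_conf "$demo_conf" && echo "constructed config: listening is restricted"
rm -f "$demo_conf"
printf 'UNCONN 0 0 0.0.0.0:53 0.0.0.0:*\nUNCONN 0 0 127.0.0.1:323 0.0.0.0:*\n' |
    port53_open_to_world && echo "constructed ss output: port 53 open on all addresses"
```

The bind-interfaces warning is worth acting on: without it dnsmasq binds the wildcard address and simply discards queries that don't arrive on a listed address, whereas with it the kernel never accepts them on the public interface at all, which is what you want the ss check to confirm.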
Good Luck PPL!