[Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
Rune Kock
rune.kock at gmail.com
Fri Aug 22 22:32:35 BST 2008
> Well, it sounds like you're running some sort of ISPish service sort of like
> one you'd see as a community service with somewhat "loose" management...btw,
> I am not saying this as an insult I am attempting to picture your actual
> setup and constraints.
Yes, community service is exactly what it is. (See
http://en.wikipedia.org/wiki/Svanholm).
> If you have the luxury of a level2 switch and
> 1-client per port, you could probably deny DHCPOFFER from any ports other
> than your own DHCP (don't quote me on the actual DHCP message, just block
> serve responses is the idea). Even if you have more than 1 client/port you
> should enable such filtering to at least isolate the propagation of invalid
> addresses.
So these switches have a kind of firewall on each port? I've never
used a really high-end switch, so I don't know what it can do. But
this would surely solve the problem. But if we are talking thousands
of dollars, it's probably too expensive.
> Yes, most definitely, configure your servers with a static IP (served by
> DHCP with rather long leases) and keep them on an isolated broadcast network
> (if possible) and try to use an improbable network address base like
> 10.103.42.x/24 for them so chances are they won't come in conflict with
> another router's accidental assignment.
Yes, I'll try to do that.
I really appreciate the feedback from you and the others on the list.
Though a simple fix hasn't turned up (never thought it would), you
have given me a number of approaches to try.
Rune
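The discussion above turns on telling legitimate DHCP server replies (OFFER/ACK/NAK) from those of an accidental rogue server such as a home router plugged into the LAN. The following is an added example, not code from the original thread or from the dnsmasq project: a small offline parser for raw BOOTP/DHCP payloads that extracts the message type (option 53) and Server Identifier (option 54) and flags server-originated messages whose identifier is not in a trusted set. The packets are constructed inline for the example; the trusted address 10.103.42.1 borrows the improbable range suggested above, and the rogue address 192.168.1.1 and the MAC addresses are invented.

```python
"""Offline rogue-DHCP-server detector (added example, not dnsmasq code).

Parses raw BOOTP/DHCP payloads (what sits inside UDP port 67/68), keeps only
server-originated messages (OFFER/ACK/NAK) and flags any whose Server
Identifier is missing or not in the trusted set. Sample packets are
constructed below; on a real LAN they would come from a raw socket or pcap.
"""
import struct
from typing import Dict, Iterable, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # only a DHCP server sends these


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area: skip PAD, stop at END, give up on a truncated tail."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            break                      # length byte missing: malformed tail
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) < length:
            break                      # option claims more bytes than remain
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> Optional[dict]:
    """Return the fields we care about from a BOOTP/DHCP payload, or None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    chaddr = payload[28:28 + min(hlen, 16)]
    opts = parse_options(payload[240:])
    mtype = opts.get(OPT_MSG_TYPE)
    sid = opts.get(OPT_SERVER_ID)
    return {
        "op": op,
        "yiaddr": ip_str(payload[16:20]),                    # address being handed out
        "chaddr": ":".join(f"{b:02x}" for b in chaddr),       # client MAC
        "msg_type": mtype[0] if mtype else None,
        "server_id": ip_str(sid) if sid is not None and len(sid) == 4 else None,
    }


def find_rogue_servers(packets: Iterable[bytes], trusted: Iterable[str]) -> List[dict]:
    """Flag server replies that lack a Server Identifier or carry an untrusted one."""
    trusted_set = set(trusted)
    findings = []
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info is None or info["msg_type"] not in SERVER_MSGS:
            continue                   # not DHCP, or a client DISCOVER/REQUEST
        sid = info["server_id"]
        if sid is None:
            findings.append({**info, "reason": "server message without Server Identifier"})
        elif sid not in trusted_set:
            findings.append({**info, "reason": f"untrusted DHCP server {sid}"})
    return findings


def build_dhcp(op: int, msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0",
               server_id: Optional[str] = None, extra: bytes = b"") -> bytes:
    """Construct a minimal BOOTP/DHCP payload (sample data for this example only)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0x8000)  # htype=Ethernet, hlen=6, broadcast flag
    hdr += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes("0.0.0.0") + ip_bytes("0.0.0.0")
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    return hdr + DHCP_MAGIC + opts + extra + bytes([OPT_END])


# Constructed sample traffic: one client, one trusted server, one rogue home router.
CLIENT_MAC = bytes.fromhex("aabbccddee01")
TRUSTED_SERVERS = ["10.103.42.1"]
SAMPLE_PACKETS = [
    build_dhcp(1, 1, CLIENT_MAC),                                              # DISCOVER, ignored
    build_dhcp(2, 2, CLIENT_MAC, "10.103.42.50", "10.103.42.1"),              # OFFER from trusted
    build_dhcp(2, 2, CLIENT_MAC, "192.168.1.100", "192.168.1.1"),             # OFFER from rogue router
    build_dhcp(2, 5, CLIENT_MAC, "10.103.42.50", "10.103.42.1",
               extra=bytes([12, 10, ord("a")])),                               # ACK with truncated hostname option
    build_dhcp(2, 2, CLIENT_MAC, "10.0.0.7"),                                  # OFFER missing option 54
    b"not a dhcp packet at all",                                               # non-DHCP payload
]

if __name__ == "__main__":
    for f in find_rogue_servers(SAMPLE_PACKETS, TRUSTED_SERVERS):
        print(f"{SERVER_MSGS[f['msg_type']]} offering {f['yiaddr']} to {f['chaddr']}: {f['reason']}")
```

The Server Identifier is set by the replying server itself, so this catches the accidental case the thread describes (a consumer router answering DISCOVERs) but not a deliberately malicious server that forges 10.103.42.1; for that you need the switch-port level enforcement mentioned above, where the decision is tied to the physical port rather than to anything in the packet. To feed it real traffic, capture `udp port 67 or 68` and strip the Ethernet/IP/UDP headers before calling `parse_dhcp`.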