[Dnsmasq-discuss] dnsmasq-discuss at lists.thekelleys.org.uk.

Simon Kelley simon at thekelleys.org.uk
Tue Apr 17 21:18:57 BST 2012


On 17/04/12 18:51, Alkis Georgopoulos wrote:
> Hello,
> 
> I proposed using dnsmasq as the default DHCP/TFTP server for LTSP
> instead of isc-dhcp/tftpd-hpa, but the following problems were
> mentioned, and I was wondering if there are plans to solve them in the
> future, or if there are ways around them.
> 
> 1) From http://www.thekelleys.org.uk/dnsmasq/docs/FAQ:
> "The wait for a reply is between two and three
> seconds. Because the DHCP server is not re-entrant, it cannot serve
> other DHCP requests during this time. To avoid dropping requests,
> the address probe may be skipped when dnsmasq is under heavy load."
> 
> Specifically, a user reported that he couldn't boot all his 100 clients
> at once because their PXE stack "only" waited for 15 seconds for a DHCP
> lease. Since in LTSP it's too risky to use the --no-ping option, is
> there any way to use dnsmasq to boot e.g. >20 clients simultaneously?

Why is using --no-ping risky for LTSP? DHCP clients will still do
address-in-use checks and dnsmasq handles DHCPDECLINE messages resulting
from those checks happily.

I've had reports of successfully netbooting hundreds of machines with
--no-ping set.

> 
> 2) A user wanted to dynamically create TFTP files with a hook script,
> and while tftpd-hpa gave him that ability, he wasn't able to find a way
> to do it with dnsmasq.

I can't trivially find documentation for this feature in tftp-hpa. What
exactly does the script do?

> 
> 3) Optionally, we'd like to use dnsmasq as a caching DNS server for LTSP
> clients too, but a problem with cache poisoning was mentioned. Could
> this be a TODO item as well?

Dnsmasq uses source-port randomisation, so it's no more prone to cache
poisoning attacks than any other DNS cache. Note that the situation is
different when using a DNS cache on the local machine (I believe this is
Ubuntu's issue.) There, any process can see which ports are in use by
doing the equivalent of netstat, so a cache poison attack is trivial:
send query, do netstat to see which ports the cache is listening on,
send poisoned answer to those ports. This doesn't apply when the DNS
server is not the local machine, which is likely for LTSP. It also
doesn't apply for non multi-user machines, since it only allows an
attack on others using the same machine.

Cheers,

Simon.
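A dnsmasq configuration fragment, added here as an illustration and not taken from the thread, from dnsmasq or from LTSP, showing the --no-ping setting discussed in the reply above on a combined DHCP/TFTP server, with the DNS-cache caveat from the last answer. The interface name, addresses, lease time, boot paths and cache size are assumed values.

```conf
# dnsmasq.conf fragment for an LTSP server: DHCP + TFTP from one daemon.
# Interface, addresses and paths are assumptions for this example.
interface=eth1
bind-interfaces
dhcp-authoritative
# Address pool for the thin clients, 8 hour lease.
dhcp-range=192.168.67.20,192.168.67.250,8h
# Skip the ICMP probe before offering an address. The 2-3 second wait for
# the probe is what serialises the non-re-entrant DHCP server under a boot
# storm; clients still check the offered address themselves and send
# DHCPDECLINE on a conflict.
no-ping
# PXE boot file served by dnsmasq's built-in TFTP server.
enable-tftp
tftp-root=/var/lib/tftpboot
dhcp-boot=/ltsp/i386/pxelinux.0
# Root path handed to the client in option 17 (assumed LTSP layout).
dhcp-option=17,/opt/ltsp/i386
# Log DHCP transactions while tuning boot storms; drop once stable.
log-dhcp

# If dnsmasq is also the clients' DNS cache, leave query-port unset:
# setting it pins the upstream source port and removes the source-port
# randomisation that protects a cache from blind poisoning.
cache-size=1000
```

The security-relevant choice here is the pairing: no-ping removes the serialising probe, and the address-in-use check moves to the client, whose DHCPDECLINE dnsmasq already handles per the reply above. Keep query-port out of the file; dnsmasq only randomises the upstream source port when it is free to pick one.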

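An added example, not part of the thread and not dnsmasq code: on Linux the "equivalent of netstat" that Simon describes is reading /proc/net/udp, which any local user can do. The script parses a constructed snapshot of that table, picks out the unprivileged UDP ports bound by the resolver's uid, and compares the guess space a blind remote attacker faces with the one a same-host attacker is left with. The uids, ports and inode numbers in the sample are constructed, and the resolver uid 65534 ("nobody") is an assumption.

```python
#!/usr/bin/env python3
"""Show how much source-port entropy a same-host attacker recovers from
/proc/net/udp. Illustration only; the socket table below is constructed."""
import socket
import struct

# Constructed /proc/net/udp snapshot (not captured from a real host).
# Line 0: resolver listening on 127.0.0.1:53 as uid 65534 (assumed "nobody").
# Lines 1-2: two outstanding upstream query sockets on randomised ports.
# Line 3: DHCP server socket on port 67 owned by root.
# Line 4: an unrelated socket belonging to an ordinary user (uid 1000).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000 65534        0 21087 2 ffff8800 0
   1: 00000000:BE12 00000000:0000 07 00000000:00000000 00:00000000 00000000 65534        0 21099 2 ffff8801 0
   2: 00000000:C8A4 00000000:0000 07 00000000:00000000 00:00000000 00000000 65534        0 21100 2 ffff8802 0
   3: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 19001 2 ffff8803 0
   4: 00000000:9D3C 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 30011 2 ffff8804 0
"""

DNS_TXID_SPACE = 1 << 16  # 16-bit transaction id the attacker must also hit


def parse_proc_net_udp(text):
    """Parse the /proc/net/udp format into dicts of ip, port, uid, inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # IPv4 addresses are stored as little-endian hex in this file.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        sockets.append({
            "ip": ip,
            "port": int(hex_port, 16),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets


def candidate_query_ports(sockets, resolver_uid, my_uid):
    """Unprivileged UDP ports bound by the resolver's uid, as seen by a
    local user with uid my_uid. These are the ports a forged upstream
    answer would be aimed at; the attacker's own sockets are excluded."""
    return sorted(
        s["port"] for s in sockets
        if s["uid"] == resolver_uid and s["uid"] != my_uid and s["port"] > 1023
    )


def guess_space(candidates, ephemeral_ports=65535 - 1024):
    """(blind, local): answers a remote attacker must spray to cover every
    randomised port and txid, versus what a same-host attacker needs once
    the port list is known."""
    return ephemeral_ports * DNS_TXID_SPACE, len(candidates) * DNS_TXID_SPACE


def read_live(path="/proc/net/udp"):
    """Parse the real table on a Linux host (needs no privilege)."""
    with open(path) as fh:
        return parse_proc_net_udp(fh.read())


if __name__ == "__main__":
    socks = parse_proc_net_udp(SAMPLE_PROC_NET_UDP)
    ports = candidate_query_ports(socks, resolver_uid=65534, my_uid=1000)
    blind, local = guess_space(ports)
    print("resolver query ports visible to uid 1000:", ports)
    print("guess space blind=%d local=%d (%.0fx smaller)" % (blind, local, blind / local))
```

The point matches the reply: port randomisation is only a defence while the port is secret, and the kernel hands the socket table to every local user. Hiding the file is not the fix; running the cache on a different host (the LTSP case) or in its own network namespace, so that untrusted users do not share its socket table, is.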