[Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers
Simon Kelley
simon at thekelleys.org.uk
Wed Aug 13 12:25:29 BST 2014
On 01/08/14 19:31, Ben Cundiff wrote:
> Thanks for the reply. To clarify, would the no-resolv option prevent
> the server running dnsmasq from referencing its own /etc/resolv.conf,
> or would that also affect the behavior of clients?
Just the server.
> I don't think it's
> possible the rogue DHCP server provided any of our other servers with
> a DHCP lease-- none of our servers with dnsmasq have the
> isc-dhcp-client package installed, and the Windows server was set up
> on a separate VLAN from any of our servers. Would there be another
> way that the unauthorized DHCP/DNS server could have answered queries
> for our domain? Thanks again,
The rogue DHCP server could affect the clients' idea of their upstream
server without giving them a lease, via replies to DHCPINFORM requests. If
it didn't do that, it's difficult to see how it could answer queries
sent to the correct server. (Actually, this is a well-known attack, but
it's much more specialised than a rogue DHCP server.)
Simon.
>
> Ben Cundiff Associate Sysadmin X-ES Inc. bcundiff at xes-inc.com
>
> ----- Original Message -----
>
> From: "Simon Kelley" <simon at thekelleys.org.uk> To:
> dnsmasq-discuss at thekelleys.org.uk Sent: Wednesday, July 30, 2014
> 4:30:15 PM Subject: Re: [Dnsmasq-discuss] Locking Down DNS Queries to
> Correct Servers
>
>
> Your config doesn't include
>
> no-resolv
>
> so dnsmasq will be reading /etc/resolv.conf looking for servers
> there, as well as the ones you've defined. If a DHCP client on the
> machine got a DHCP lease from the rogue server, it could have put the
> DNS server address from that DHCP lease in /etc/resolv.conf That
> would get queries NOT in *.example.com sent to the rogue server.
>
>
> Cheers,
>
> Simon.
>
>
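As an added example (not code from this thread or from the dnsmasq project), the shell audit below checks a dnsmasq configuration for the lock-down Simon describes: no-resolv must be set, otherwise dnsmasq also takes upstreams from /etc/resolv.conf (or whatever resolv-file= names), and every server= line must point at an approved upstream. The two sample configs are constructed: the "weak" one mirrors the situation in the thread (a server= line for the company domain, no no-resolv, so everything outside example.com goes wherever resolv.conf points), the "locked" one is the corrected form. The addresses 10.0.0.2, 10.0.0.3 and the rogue 192.0.2.66, the domain example.com and the function names are all assumptions made for the example. Note that the audit only covers the dnsmasq host's own configuration; the DHCPINFORM route mentioned above reaches clients directly and is a network-side problem (DHCP snooping or similar), not something a setting on this host prevents.

```shell
#!/bin/sh
# Added example, not code from the thread or the dnsmasq project.
# Audits a dnsmasq config for the "no-resolv" lock-down: without it dnsmasq
# also reads upstream nameservers from /etc/resolv.conf (or resolv-file=),
# and every server= line must point at an approved upstream.
# All files, addresses and names below are constructed for illustration.

# Nameservers a resolv.conf-style file would add to dnsmasq's upstream list
# when no-resolv is absent.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# audit_dnsmasq_conf CONF "ADDR ADDR ..."
# Returns 0 if CONF sets no-resolv and every server= target is in the
# space-separated allow-list, 1 otherwise. Findings are printed.
audit_dnsmasq_conf() {
    conf="$1"; allowed="$2"; rc=0
    if ! grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$conf"; then
        echo "FAIL: no-resolv missing; dnsmasq will also use nameservers from resolv.conf"
        rc=1
    fi
    for entry in $(sed -n 's/^[[:space:]]*server=//p' "$conf"); do
        target="${entry##*/}"           # strip a leading /domain/ prefix, if any
        case "$target" in
            "")  ;;                     # server=/domain/ : never forwarded, nothing to check
            "#"*) echo "FAIL: server=$entry falls back to the resolv.conf servers"; rc=1 ;;
            *)
                target="${target%%#*}"  # drop an optional #port suffix
                case " $allowed " in
                    *" $target "*) ;;
                    *) echo "FAIL: server=$entry uses non-approved upstream $target"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Constructed config resembling the one in the thread: a server= line for the
# company domain but no no-resolv, so all other queries follow resolv.conf.
write_weak_conf() {
    cat > "$1" <<'EOF'
domain-needed
bogus-priv
server=/example.com/10.0.0.2
EOF
}

# The locked-down version: no-resolv plus an explicit upstream for everything else.
write_locked_conf() {
    cat > "$1" <<'EOF'
no-resolv
domain-needed
bogus-priv
server=/example.com/10.0.0.2
server=10.0.0.3#53
EOF
}

# A resolv.conf as a DHCP client on the host might have written it after taking
# a lease from a rogue server (192.0.2.66 is a documentation-range address).
write_rogue_resolv() {
    cat > "$1" <<'EOF'
search example.com
nameserver 192.0.2.66
nameserver 10.0.0.2
EOF
}

# Stand-alone run over the constructed files.
demo() {
    d=$(mktemp -d)
    write_weak_conf "$d/weak.conf"
    write_locked_conf "$d/locked.conf"
    write_rogue_resolv "$d/resolv.conf"
    echo "== nameservers dnsmasq would also use without no-resolv:"
    resolv_nameservers "$d/resolv.conf"
    for c in weak locked; do
        echo "== $c.conf"
        if audit_dnsmasq_conf "$d/$c.conf" "10.0.0.2 10.0.0.3"; then
            echo "OK: upstreams locked to approved servers"
        fi
        # If dnsmasq is installed, also syntax-check the file (dnsmasq --test exits 0 on success).
        if command -v dnsmasq >/dev/null 2>&1; then
            dnsmasq --test -C "$d/$c.conf" || echo "syntax check failed for $c.conf"
        fi
    done
    rm -rf "$d"
}
demo
```

Run it as `sh audit.sh`; the weak config produces a FAIL line for the missing no-resolv, the locked one passes. Feed the real files instead of the constructed ones by calling `audit_dnsmasq_conf /etc/dnsmasq.conf "..."` with your approved upstream addresses (remember to include any files pulled in via conf-file= or conf-dir=, which this script does not follow).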