[Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers

Simon Kelley simon at thekelleys.org.uk
Wed Aug 13 12:25:29 BST 2014


On 01/08/14 19:31, Ben Cundiff wrote:
> Thanks for the reply. To clarify, would the no-resolv option prevent
> the server running dnsmasq from referencing its own /etc/resolv.conf,
> or would that also affect the behavior of clients?

Just the server.

> I don't think it's
> possible the rogue DHCP server provided any of our other servers with
> a DHCP lease-- none of our servers with dnsmasq have the
> isc-dhcp-client package installed, and the Windows server was set up
> on a separate VLAN from any of our servers. Would there be another
> way that the unauthorized DHCP/DNS server could have answered queries
> for our domain? Thanks again,

The rogue DHCP server could affect the clients' idea of their upstream
server without giving them a lease, via replies to DHCPINFO requests. If
it didn't do that, it's difficult to see how it could answer queries
sent to the correct server. (Actually, this is a well-known attack, but
it's much more specialised than a rogue DHCP server.)

Simon.

> 
> Ben Cundiff
> Associate Sysadmin
> X-ES Inc.
> bcundiff at xes-inc.com
> 
> ----- Original Message -----
> 
> From: "Simon Kelley" <simon at thekelleys.org.uk>
> To: dnsmasq-discuss at thekelleys.org.uk
> Sent: Wednesday, July 30, 2014 4:30:15 PM
> Subject: Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers
> 
> 
> Your config doesn't include
> 
> no-resolv
> 
> so dnsmasq will be reading /etc/resolv.conf looking for servers
> there, as well as the ones you've defined. If a DHCP client on the
> machine got a DHCP lease from the rogue server, it could have put the
> DNS server address from that DHCP lease in /etc/resolv.conf. That
> would get queries NOT in *.example.com sent to the rogue server.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> 
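A check in the spirit of the no-resolv point made above, added here as an example and not taken from the thread or from the dnsmasq project: given a dnsmasq config and a resolv.conf, it prints the upstream set dnsmasq would actually forward to and flags a config that lets /etc/resolv.conf (which a DHCP lease can rewrite) leak into that set. The sample files are constructed, 192.0.2.66 stands in for a rogue server's DNS address, and the check assumes no conf-dir or resolv-file directives are in play.

```shell
#!/bin/sh
# Print the upstream servers a dnsmasq instance would use. Explicit
# "server=" entries are always used; without "no-resolv" dnsmasq also
# picks up every "nameserver" line from resolv.conf, which a DHCP client
# on the host can rewrite. Returns 0 if hardened (no-resolv set), 1 if not.
dnsmasq_upstreams() {
    conf="$1"; resolv="$2"
    # explicit upstreams: server=ADDR or server=/domain/ADDR, comments stripped
    sed -n 's/[[:space:]]*#.*//; s/[[:space:]]*$//; s/^[[:space:]]*server=//p' "$conf"
    if grep -qE '^[[:space:]]*no-resolv[[:space:]]*(#.*)?$' "$conf"; then
        return 0
    fi
    # no-resolv absent: resolv.conf nameservers join the upstream set
    sed -n 's/[[:space:]]*#.*//; s/[[:space:]]*$//; s/^[[:space:]]*nameserver[[:space:]]\{1,\}//p' "$resolv"
    return 1
}

# --- demo on constructed files (hypothetical addresses, not real hosts) ---
demo_dir=$(mktemp -d)
printf 'server=/example.com/10.0.0.53 # internal zone\nserver=10.0.0.53\n' > "$demo_dir/weak.conf"
printf 'no-resolv\nserver=/example.com/10.0.0.53\nserver=10.0.0.53\n' > "$demo_dir/hardened.conf"
# what a lease from a rogue DHCP server could have left in /etc/resolv.conf
printf 'nameserver 192.0.2.66\nnameserver 10.0.0.53\n' > "$demo_dir/resolv.conf"
for c in weak hardened; do
    if dnsmasq_upstreams "$demo_dir/$c.conf" "$demo_dir/resolv.conf" >/dev/null; then
        echo "$c.conf: OK, only explicit server= entries are used"
    else
        echo "$c.conf: WARNING, resolv.conf nameservers are also consulted"
    fi
done
```

Queries for names outside the domain-specific server= lines are the ones at risk, since dnsmasq may send them to any server in the printed set; adding no-poll alongside no-resolv also stops dnsmasq from re-reading resolv.conf when it changes.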