[Dnsmasq-discuss] cross-queries from VLANs.

Petr Menšík pemensik at redhat.com
Fri Jul 7 15:38:04 BST 2017


Hi Mario,

I think you should use bind-dynamic and spawn more instances of dnsmasq,
one for each interface, instead. Each would contain only the information
it can know about.

One instance could have server= entries pointing to the dynamically
allocated domains of the other instances, so queries to that one would
know all the names. The others would know only their own domains and the
public internet.

I think you are requesting something like views. It seems against the
idea of dnsmasq to me.

On 5.7.2017 at 18:54, mario wrote:
> Hello,
> 
> I have configured my dnsmasq server to provide both DHCP and DNS services
> for my network, which includes a few VLANs. It works flawlessly, except
> that users on the guest VLAN can do direct and reverse queries of machines
> on different VLANs, and obtain meaningful replies from dnsmasq.
> 
> While the above requires knowledge of the other VLANs' subnets and/or the
> names of machines on the more private ones, and of course iptables keeps
> good guard that no packets are exchanged between the guest VLAN and the
> more private ones, I feel a determined attacker may easily guess the other
> subnets, and possibly the names of some machines on the other VLANs,
> weakening my configuration.
> 
> Hence: can dnsmasq be configured to drop queries about different private
> subnets? Thanks for your time.
> 
> mario
> 
> 
> The backbone of my dnsmasq.conf follows:
> 
> 
> localise-queries
> domain-needed
> bogus-priv
> dhcp-authoritative
> no-dhcp-interface=tun0
> no-resolv
> stop-dns-rebind
> interface=eth0
> interface=eth0.10
> interface=eth0.20
> interface=eth0.30
> interface=tun0
> server=/GCTlab.lan/192.168.11.1
> local=/faculty.lan/students.lan/administration.lan/guest.lan/
> server=8.8.8.8
> server=8.8.4.4
> expand-hosts
> domain=faculty.lan,192.168.73.0/24
> domain=students.lan,10.0.73.0/24
> .....
> dhcp-range=interface:eth0,192.168.73.32,192.168.73.90,12h
> dhcp-range=interface:eth0.10,10.0.73.32,10.0.73.90,12h
> ......
> 
> 
> 
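The per-interface layout Petr describes, written out as a generator script. This is an added example, not code from the thread or from the dnsmasq project. It produces one dnsmasq config per VLAN: every instance serves DNS and DHCP on a single interface and answers only for its own zone, and the designated hub instance additionally forwards the other zones and their reverse zones to the sibling instances with server= and rev-server=. The faculty.lan and students.lan values are the ones mario posted; the subnets for administration.lan and guest.lan, the assumption that the dnsmasq host holds .1 in every subnet, and the `local=/lan/` line (so a guest query for another VLAN's name gets NXDOMAIN locally instead of being leaked to 8.8.8.8) are my assumptions and are marked as such in the code.

```shell
#!/bin/sh
# Added example (not code from the thread or the dnsmasq project): generate one
# dnsmasq config per VLAN along the lines Petr suggests. Every instance serves
# DNS and DHCP for a single interface and answers only for its own zone; the
# "hub" instance additionally forwards the other zones (and their reverse
# zones) to the sibling instances, so one vantage point still sees all names.
#
# Assumed, not stated in the thread: eth0.20 carries administration.lan on
# 172.16.20.0/24, eth0.30 carries guest.lan on 172.16.30.0/24, and the dnsmasq
# host holds .1 of every subnet. The faculty/students values are the posted ones.
set -eu

# Columns: name interface domain subnet dnsmasq-address dhcp-start dhcp-end
VLANS='
faculty        eth0    faculty.lan        192.168.73.0/24 192.168.73.1 192.168.73.32 192.168.73.90
students       eth0.10 students.lan       10.0.73.0/24    10.0.73.1    10.0.73.32    10.0.73.90
administration eth0.20 administration.lan 172.16.20.0/24  172.16.20.1  172.16.20.32  172.16.20.90
guest          eth0.30 guest.lan          172.16.30.0/24  172.16.30.1  172.16.30.32  172.16.30.90
'
HUB=faculty                  # the only instance allowed to resolve every zone
UPSTREAM='8.8.8.8 8.8.4.4'   # public resolvers, as in the original config

# Per-instance config: one interface, one zone, nothing about the other VLANs.
instance_conf() {
    name=$1 iface=$2 domain=$3 subnet=$4 start=$5 end=$6
    cat <<EOF
# dnsmasq instance "$name": $domain on $iface (generated)
bind-dynamic
interface=$iface
pid-file=/run/dnsmasq-$name.pid
dhcp-leasefile=/var/lib/misc/dnsmasq-$name.leases
domain-needed
bogus-priv
stop-dns-rebind
no-resolv
expand-hosts
localise-queries
dhcp-authoritative
domain=$domain,$subnet
local=/$domain/
# assumption: every internal zone ends in .lan, so answer NXDOMAIN here instead
# of leaking queries for other VLANs' names to the public resolvers
local=/lan/
dhcp-range=interface:$iface,$start,$end,12h
# kept from the original config; drop it from instances that should not reach it
server=/GCTlab.lan/192.168.11.1
EOF
    # dnsmasq adds lo to every interface= list on its own; only the hub may own
    # it, otherwise the instances collide on 127.0.0.1:53.
    [ "$name" = "$HUB" ] || echo "except-interface=lo"
    for s in $UPSTREAM; do echo "server=$s"; done
}

# Hub-only lines: forward each sibling zone and its reverse zone to the sibling
# instance, and exempt those zones from stop-dns-rebind, which would otherwise
# reject the private addresses they return.
hub_extra() {
    echo "$VLANS" | while read -r name iface domain subnet addr start end; do
        [ -n "$name" ] && [ "$name" != "$HUB" ] || continue
        echo "server=/$domain/$addr"
        echo "rev-server=$subnet,$addr"
        echo "rebind-domain-ok=/$domain/"
    done
}

# Write dnsmasq-<name>.conf for every VLAN into the directory given as $1.
gen_dnsmasq_configs() {
    outdir=$1
    mkdir -p "$outdir"
    echo "$VLANS" | while read -r name iface domain subnet addr start end; do
        [ -n "$name" ] || continue
        f="$outdir/dnsmasq-$name.conf"
        instance_conf "$name" "$iface" "$domain" "$subnet" "$start" "$end" > "$f"
        [ "$name" != "$HUB" ] || hub_extra >> "$f"
    done
}

# Usage: sh gen-dnsmasq-vlans.sh /etc/dnsmasq-vlans
# then start one "dnsmasq --conf-file=/etc/dnsmasq-vlans/dnsmasq-<name>.conf" per file.
if [ "$#" -gt 0 ]; then
    gen_dnsmasq_configs "$1"
fi
```

Before cutting over, run `dnsmasq --test --conf-file=<file>` on each generated file, then check from the hub that `dig @10.0.73.1 somehost.students.lan` and `dig -x 10.0.73.<n>` resolve (the hub reaches each sibling through that sibling's own VLAN address on the same host), and that a guest-VLAN client gets NXDOMAIN for the same names. With bind-dynamic or bind-interfaces set, dnsmasq opens its DHCP socket with SO_REUSEADDR/SO_REUSEPORT precisely so that several instances can serve DHCP on different interfaces, but still confirm a lease on every VLAN. The rebind-domain-ok lines matter: stop-dns-rebind applies to answers from any server= target, including the sibling instances, so without them the hub would discard every private address they return. The same consideration applies to the original config's server=/GCTlab.lan/192.168.11.1 if that server hands out private addresses. tun0 from the original config is not in the table; add it to the hub's interface= list or give it an instance of its own.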
