[Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers
on the lan
Eric Thibodeau
kyron at neuralbs.com
Thu Aug 21 17:28:09 BST 2008
Rune Kock wrote:
> On Thu, Aug 21, 2008 at 16:03, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
>> Rune Kock wrote:
>>
>>> I know this is a bit off topic, but maybe someone on the list has some
>>> thoughts on this:
>>>
>>> I'm running a router for a group of people connected by lan. And I
>>> use a dhcp-server (dnsmasq) on the router to configure the clients.
>>>
>>> But increasingly often, someone has connected another router to the
>>> lan, usually to use it as a wifi access point. And since they don't
>>> know what they are doing, they connect their own router's lan-port to
>>> the big lan instead of using the wan-port. And so we get a wrong
>>> dhcp-server competing with dnsmasq.
>>>
>>> Every time this happens, I have to track down the rogue router by
>>> testing each cable of the lan. Quite time consuming, and until I get
>>> it done, the network is very unstable for the users.
>>>
>>> Does anyone have some ideas as how to mitigate this problem?
>>>
>> Talking to the network guys of my aquaintance, it's not an easy problem
>> to fix unless you have enterprise-grade networking kit.
>>
>
> How would enterprise-grade equipment help?
>
I would suspect such equipment can tell you on which port XYZ MAC
address is connected, which makes identifying the culprit much MUCH
easier. And, a really cool thing with dnsmasq, you could even trigger an
alarm when an unknown MAC is added to the network or if a given MAC
address matches certain a criterion such as manufacturer (ie: your
network only has 3COM nics and a Cisco/Linksys MAC address suddenly
appears, the script sounds a BEEP on the server and sends an
administrative alert).
>> You could try something which broadcasts a DHCPDISCOVER packet, that
>> should give you replies from every DHCP server on the net, with their IP
>> addresses.
>>
>
> Yes, that would at least alert me immediately when the thing happens.
> Know any program that can do that, or would I have to write one from
> scratch?
>
> Anyway, thanks for your input. I never expected any easy solution for
> this. My own thoughts have been:
>
> - drop DHCP, and configure all clients statically. Not fun.
>
At worst, long leases with static assignments in the dnsmasq
configuration... Funny how I'm working on a script that can build the
initial configuration (an poking at Mr. Kelly for incremental IP
assignments but that's only a wish and I don't want him to break his
code ;oP )
> - use some kind of software-firewall or access program (PPPoE?) on the
> clients. Definitely not fun.
>
Nah. But I seem to remember seeing some sort of "secure" DHCP somewhere
but I wouldn't go there...
> - split the lan into small segments. Doable, but will only confine
> the problem to one segment, not remove it.
>
I don't really see how this would really help unless the segments are
physical (broadcast domain) segments.
> In the end, perhaps the only way is to shout DON'T DO THAT to the
> users, and hope they listen...
>
This is the right answer IMHO, a net admin sometimes has to be
authoritative and "put your foot down". As a consultant, I charge extra
for "user did stupid thing" problems and it's in the contract and _not_
in small print so that the customer thinks more than twice before
plugging anything into network.
>
> Rune
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080821/59025eb5/attachment.htm
More information about the Dnsmasq-discuss
mailing list