[Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan

Rune Kock rune.kock at gmail.com
Thu Aug 21 18:23:25 BST 2008


On Thu, Aug 21, 2008 at 18:28, Eric Thibodeau <kyron at neuralbs.com> wrote:
> Rune Kock wrote:
>> How would enterprise-grade equipment help?
>
> I would suspect such equipment can tell you on which port XYZ MAC address is
> connected, which makes identifying the culprit much MUCH easier.

Yes, Paul mentioned a Dell switch with that functionality.

> And, a
> really cool thing with dnsmasq, you could even trigger an alarm when an
> unknown MAC is added to the network or if a given MAC address matches
> a certain criterion such as manufacturer (i.e. your network only has 3COM
> nics and a Cisco/Linksys MAC address suddenly appears, the script sounds a
> BEEP on the server and sends an administrative alert).

Well, that is great when you want tight control of your network.  My
network is mostly used by people in their homes, and I would prefer
not to get involved in whatever equipment they attach -- beyond what's
necessary to keep the network running, that is.

>> - drop DHCP, and configure all clients statically.  Not fun.
>
> At worst, long leases with static assignments in the dnsmasq
> configuration...

Yes, long leases would help a bit.  I don't think assigning the static
IPs from dnsmasq would be any better than dynamic IPs -- in both
cases, the clients are susceptible to a rogue DHCP-server.

Maybe a mix is an idea: configuring the most important computers
statically, and using DHCP for the rest.

> Funny how I'm working on a script that can build the
> initial configuration (and poking at Mr. Kelly for incremental IP assignments
> but that's only a wish and I don't want him to break his code ;oP )
>
>> - use some kind of software-firewall or access program (PPPoE?) on the
>> clients.  Definitely not fun.
>
> Nah. But I seem to remember seeing some sort of "secure" DHCP somewhere but
> I wouldn't go there...

Any solution would have to work on a wide range of different client
machines.  So I agree that some non-standard secure DHCP is probably
out of the question.

>> - split the lan into small segments.  Doable, but will only confine
>> the problem to one segment, not remove it.
>
> I don't really see how this would really help unless the segments are
> physical (broadcast domain) segments.

True, I was thinking about physical segments.

>> In the end, perhaps the only way is to shout DON'T DO THAT to the
>> users, and hope they listen...
>
> This is the right answer IMHO, a net admin sometimes has to be authoritative
> and "put your foot down". As a consultant, I charge extra for "user did
> stupid thing" problems and it's in the contract and _not_ in small print so
> that the customer thinks more than twice before plugging anything into the
> network.

Yes, if a technical fix isn't possible, I'll have to make the users
aware of the situation.


Rune
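The lease-event alarm Eric describes above (unknown MAC, or a MAC from an unexpected NIC vendor), as an added example that is not part of the original post or of dnsmasq itself. It is a dnsmasq dhcp-script hook written for this thread; the MAC inventory, the OUI allowlist, the syslog tag and the script path are constructed assumptions to be filled from your own network.

```shell
#!/bin/sh
# Added example, not code from the list post: a dnsmasq dhcp-script hook
# that alerts when a lease goes to a MAC that is neither in the inventory
# of known hosts nor from an expected NIC vendor (OUI).  Wire it up with
#   dhcp-script=/usr/local/sbin/dhcp-watch.sh
# dnsmasq runs it as:  dhcp-watch.sh add|old|del <MAC> <IP> [hostname]
# The lists, the syslog tag and the script path are constructed for the
# example; fill them from your own inventory.

# Exact MACs of hosts the admin already knows (constructed values).
KNOWN_MACS="
00:1a:2b:00:00:01
"
# OUI prefixes (first three octets) of the NIC vendors expected on the LAN
# (constructed values; collect them from your existing machines).
ALLOWED_OUIS="
00:01:02
00:04:76
"

# Lowercase a MAC and normalise '-' separators to ':'.
norm_mac() {
    printf '%s\n' "$1" | tr 'ABCDEF-' 'abcdef:'
}

# Return 0 if the MAC is inventoried or its OUI is an expected vendor.
mac_expected() {
    mac=$(norm_mac "$1")
    oui=$(printf '%s\n' "$mac" | cut -d: -f1-3)
    for m in $KNOWN_MACS;   do [ "$m" = "$mac" ] && return 0; done
    for o in $ALLOWED_OUIS; do [ "$o" = "$oui" ] && return 0; done
    return 1
}

# Handle one lease event; prints "ok" or "ALERT" and returns 1 on ALERT.
handle_lease() {
    action=$1; mac=$2; ip=$3; host=${4:-unknown}
    case "$action" in
        add|old) ;;                    # new or renewed lease: inspect it
        *) echo "ok"; return 0 ;;      # del and other actions: nothing to do
    esac
    if mac_expected "$mac"; then
        echo "ok"; return 0
    fi
    echo "ALERT"
    # Raise the alarm here; swap in mail or a beep as the post suggests.
    logger -t dhcp-watch "unexpected host: $action $mac $ip $host" 2>/dev/null || :
    return 1
}

# When run by dnsmasq, dispatch on the real arguments.
if [ $# -ge 3 ]; then handle_lease "$@"; fi
```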