[Dnsmasq-discuss] DNS - preventing escalation to external
fred at damen.org
fred at damen.org
Wed Dec 5 17:12:21 GMT 2012
My feeble understanding is that dnsmasq does not evaluate the validity,
i.e., accessibility of the host, of the DNS name mapping in the /etc/hosts file,
and these mapping will always be resolved. dnsmasq resolves the --dhcp-host
mappings based upon the validity of the mapping, i.e., existence of a DHCP
lease. So, a not so elegant solution is to keep dual copies of the permanent
assignment in both /etc/hosts and dnsmasq.
In the past I have looked for, but did not find, a parameter to set to tell
dnsmasq to revolve --dhcp-host MAC/IP assignment irregardless of a current
DHCP lease. Does this exist?
Hope this helps,
Fred
On Wed, December 5, 2012 8:42 am, Lovelady, Dennis E. wrote:
> Thanks for bearing with me, Richard.
>
> Maybe we know whatâs wrong now (though I still donât get it entirely,
> since as I said, the search entry will be generated by the DHCP client.) But
> thatâs not the point.
>
> So, back to the original question: What can I do to abort this behavior, and
> stop sending network requests to the wrong room?
>
> From: richardvoigt at gmail.com [mailto:richardvoigt at gmail.com]
> Sent: Wednesday, December 05, 2012 9:39 AM
> To: Lovelady, Dennis E.
> Cc: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] DNS - preventing escalation to external
>
> It's the "search Z.com" entry getting involved.
>
> I don't believe that dnsmasq ever rewrites /etc/resolv.conf Other software
> might, such as your DHCP client.
>
> As far as *.Z.com resolving, there's nothing that requires DNS to be a static
> table of pre-existing names. It's a client-server lookup, and the server can
> use any arbitrary algorithm for generating a response, not limited to a table
> lookup. Zone transfers wouldn't match, but I guess records could be hidden
> from zone transfer regardless, or zone transfer could be entirely refused.
>
> On Wed, Dec 5, 2012 at 7:32 AM, Lovelady, Dennis E.
> <dlovelady1 at dtcc.com<mailto:dlovelady1 at dtcc.com>> wrote:
> Thank you, Richard:
>
> Yes, no doubt, /etc/resolv.conf on all these systems contains:
>
> nameserver 192.168.158.2
> search Z.com
> domain Z.com
>
> So are you suggesting that I remove one of these from those /etc/resolv.conf
> entries? Interesting, I hadnât thought to do that. But even if I do that,
> wonât the domain-needed and domain= entries from dnsmasq.conf override that?
> (In fact, wonât they cause overwrite of the /etc/resolv.conf file in most
> cases?) Or what are you suggesting?
>
> Is it my best bet to remove the domain= and domain-needed entries from
> dnsmasq.conf? I hadnât thought to do that either, but now it seems worth a
> try⦠Iâd still like to hear other suggestions, though. Maybe something
> I can/should do in my hosted DNS entries?
>
> I would like to understand how a specific name (like myhostess or
> myhostess.Z.com<http://myhostess.Z.com>) can resolve to a generic name like
> Z.com. I thought DNS strictly avoids that; not true?
>
> Thanks,
> Dennis
>
>
> From: richardvoigt at gmail.com<mailto:richardvoigt at gmail.com>
> [mailto:richardvoigt at gmail.com<mailto:richardvoigt at gmail.com>]
> Sent: Tuesday, December 04, 2012 5:11 PM
> To: Lovelady, Dennis E.
> Cc:
> dnsmasq-discuss at lists.thekelleys.org.uk<mailto:dnsmasq-discuss at lists.thekelleys.org.uk>
> Subject: Re: [Dnsmasq-discuss] DNS - preventing escalation to external
>
> Sounds like a search suffix is getting involved: After failing to find
> myhostess. your resolver looks for myhostess.X.com<http://myhostess.X.com>.
> which finds the alias. /etc/resolv.conf should contain the directives which
> control search suffix.
>
> On Tue, Dec 4, 2012 at 4:44 PM, Lovelady, Dennis E.
> <dlovelady1 at dtcc.com<mailto:dlovelady1 at dtcc.com>> wrote:
> I run a domain, which Iâll call Z.com. There are two offices
> (atl.Z.com<http://atl.Z.com>, tam.Z.com<http://tam.Z.com>). There is also a
> www.Z.com<http://www.Z.com> hosted outside these networks, and the Hosting
> Provider provides an alias to that, known simply as âZ.com.â All pretty
> simple.
>
> Since each office is independent, I have kept a simple DNSMASQ configuration,
> which you can see below. (There were attempts to set up
> atl.Z.com<http://atl.Z.com> and tam.Z.com<http://tam.Z.com> in each officeâs
> DNSMASQ configuration, but these were met with difficulties now forgotten. I
> think the difficulty was an issue with web server not coming up. If itâs
> important to resolution, I will pursue again and report the issues, but
> letâs get to the heart of the topic.)
>
> Everything works OK until an incorrect hostname (or the name of a host that
> happens to be down) is referenced in either office. For example, if I type
> âssh myhostessâ and there is no âmyhostessâ on the current network,
> then the name is magically resolved to the www.Z.com<http://www.Z.com>
> address, and I get the password prompt from there. Not what Iâd want; Iâd
> prefer the lookup to fail - which would then fail the ssh command - but I
> donât see a way to make that happen.
>
> Is there something I can do in this configuration to cause, for example,
> lists.thekelleys.org.uk<http://lists.thekelleys.org.uk> to be resolved
> externally, but to keep the Z.com stuff between the walls? And would this in
> fact be squared away by pursuing the atl.Z.com<http://atl.Z.com> (etc.)
> concept? (I fear that would not resolve this.) I could remove the alias to
> simply Z.com, and that might do it, but Iâd prefer not to do that, and
> anyway Iâm not sure why it would fix this.
>
> I have the following DNS configuration in each office. The dhcp-boot is not
> used at present, so may not be quite up to snuff.
>
>
> domain-needed
>
> bogus-priv
>
> expand-hosts
>
> domain=Z.com
>
> dhcp-range=192.168.158.10,192.168.158.109,7d
>
> dhcp-host=88:87:17:12:69:4d,canon-8120
>
> dhcp-host=00:23:8b:8a:ad:70,aspire
>
> dhcp-host=00:26:F2:DB:95:0C,stora-0
>
> dhcp-host=C0:3F:0E:BC:43:B9,stora-2
>
> dhcp-host=e0:91:f5:7c:7c:56,stora-3
>
> dhcp-option=option:router,192.168.158.1
>
> dhcp-boot=pxelinux.0
>
> dhcp-boot=aspire-lucid/pxelinux.0
>
> dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
>
> enable-tftp
>
> tftp-root=/home/tftpd
>
>
> _____________________________________________________________
> DTCC DISCLAIMER: This email and any files transmitted with it are confidential
> and intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error, please notify us
> immediately and delete the email and any attachments from your system. The
> recipient should check this email and any attachments for the presence of
> viruses. The company accepts no liability for any damage caused by any virus
> transmitted by this email.
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk<mailto:Dnsmasq-discuss at lists.thekelleys.org.uk>
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>
> _____________________________________________________________
> DTCC DISCLAIMER: This email and any files transmitted with it are confidential
> and intended solely for the use of the individual or entity to whom they are
> addressed. If you have received this email in error, please notify us
> immediately and delete the email and any attachments from your system. The
> recipient should check this email and any attachments for the presence of
> viruses. The company accepts no liability for any damage caused by any virus
> transmitted by this email.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk<mailto:Dnsmasq-discuss at lists.thekelleys.org.uk>
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>
> <BR>_____________________________________________________________
> <FONT size=2><BR>
> DTCC DISCLAIMER: This email and any files transmitted with it are
> confidential and intended solely for the use of the individual or
> entity to whom they are addressed. If you have received this email
> in error, please notify us immediately and delete the email and any
> attachments from your system. The recipient should check this email
> and any attachments for the presence of viruses. The company
> accepts no liability for any damage caused by any virus transmitted
> by this email.</FONT>_______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
More information about the Dnsmasq-discuss
mailing list