[Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers

Simon Kelley simon at thekelleys.org.uk
Wed Jul 30 22:30:15 BST 2014


On 29/07/14 17:11, Ben Cundiff wrote:
> Hi, 
> We have two DHCP/DNS servers running Ubuntu 12.04 and dnsmasq-server 2.590-4ubuntu0.1. The other day, we had a user set up a Windows Server 2012 computer on our development network for testing. This user chose to set up his Windows server as DC, DHCP server, DNS server, and more, for a new domain that he gave the same name as our production domain (let's say both domains are named "example.com"). One of our servers, while still using a DHCP lease from our legitimate DHCP servers, somehow began using the Windows server for DNS queries for hosts on the example.com domain, though our server network and the development network are on separate VLANs and in different broadcast domains. Is there something in our servers' dnsmasq.conf that would have allowed any of our DHCP servers to forward requests to the unauthorized servers? 
> Here's what dnsmasq.conf looks like on our primary DHCP server. We've set it up so that the three DCs handle all DNS queries for example.com 
> server=//
> server=/example.com/###.###.###.1
> server=/example.com/###.###.###.2
> server=/example.com/###.###.###.3
> local-ttl=1
> localise-queries
> all-servers
> rebind-localhost-ok
> stop-dns-rebind
> dns-forward-max=5000
> cache-size=10000
> rebind-domain-ok=/example.com/ 
> 

Your config doesn't include

no-resolv

so dnsmasq will be reading /etc/resolv.conf looking for servers there,
as well as the ones you've defined. If a DHCP client on the machine got
a DHCP lease from the rogue server, it could have put the DNS server
address from that DHCP lease in /etc/resolv.conf That would get queries
NOT in *.example.com sent to the rogue server.


Cheers,

Simon.





More information about the Dnsmasq-discuss mailing list