-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > Hrm. If you don't trust the DHCP on your local network, you probably
> > also don't trust the immediate upstream router. In this situation,
> > the upstream router can easily spoof responses to your DNS requests
> > (unless you're using DNSSEC).

Yes - that's a good point that I didn't fully consider. It's possible that
this request will be a lot of work for only a marginal security gain.

> then again, you won't know if you want to trust the value of
> domain-name-servers until you see the rest of the DHCP response
> either, so I'm not sure how to handle it either.
>
> I'm open to suggestions.

However... if it were to be done, one way of doing it would be:

 * Maintain a config file somewhere that lists IP/MAC address pairs of
   trusted networks.
 * Tweak the dnscache script to test for a trusted network and only update
   the forward name servers if the network is listed.

This is far from perfect - MAC addresses, of course, can be spoofed. I wonder
if there is a more secure way to test whether or not you are on a given
trusted network?

jamie

- --
Jamie McClelland
718-303-3204 ext. 101
May First/People Link
Growing networks to build a just world
http://www.mayfirst.org
Members Local 1180, Communications Workers of America, AFL-CIO
PGP Key: http://mayfirst.org/jamie-pgp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGsd94nq83YnbMBX0RAqHcAKCyYMuAhmdsnb6o86IphKSahHdYBwCdGBpZ
nxNlEVlY5XWIfAH+/4iszc4=
=t2DU
-----END PGP SIGNATURE-----
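The two-step sketch above (a file of trusted IP/MAC pairs, and a check in the dnscache hook before the forwarders are touched), worked into a shell fragment as an added example. This is not code from the bug thread or from the dnscache package. It assumes a list file with one "gateway-IP gateway-MAC" pair per line, Linux iproute2 (`ip route`, `ip neigh`) for finding the default gateway and its MAC, that the DHCP client hook hands in the new resolver list as a space-separated string, and that dnscache keeps its forwarders in `root/servers/@` under a daemontools service directory; those paths and the `svc -t` restart are assumptions about a typical djbdns install, not facts from the message.

```shell
#!/bin/sh
# Added example (not from the bug report): gate dnscache forwarder updates on a
# trusted-network list of "gateway-ip gateway-mac" pairs.
#
# Assumptions (none of these paths or names come from the original message):
#   LISTFILE      - text file, one "IP MAC" pair per line, '#' comments allowed
#   SERVERS_FILE  - dnscache forwarding list, e.g. /etc/dnscache/root/servers/@
#   NEW_RESOLVERS - the domain-name-servers value handed over by the DHCP hook

# Lower-case a MAC so "AA:BB" and "aa:bb" compare equal.
norm_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f'
}

# is_trusted_network LISTFILE GW_IP GW_MAC
# Returns 0 when the exact IP/MAC pair is listed, 1 otherwise. An unreadable
# list fails closed: nothing is trusted.
is_trusted_network() {
    list=$1 gw_ip=$2
    gw_mac=$(norm_mac "$3")
    [ -r "$list" ] || return 1
    while read -r t_ip t_mac _; do
        case "$t_ip" in ''|'#'*) continue ;; esac
        if [ "$t_ip" = "$gw_ip" ] && [ "$(norm_mac "$t_mac")" = "$gw_mac" ]; then
            return 0
        fi
    done < "$list"
    return 1
}

# current_gateway: print "IP MAC" of the default route's next hop (iproute2).
# The neighbour entry only exists once the gateway has been contacted, so on a
# fresh lease one packet (e.g. a ping to the gateway) may be needed first.
current_gateway() {
    gw=$(ip -4 route show default 2>/dev/null | awk '{print $3; exit}')
    [ -n "$gw" ] || return 1
    mac=$(ip -4 neigh show "$gw" 2>/dev/null |
          awk '{for (i = 1; i <= NF; i++) if ($i == "lladdr") {print $(i+1); exit}}')
    [ -n "$mac" ] || return 1
    printf '%s %s\n' "$gw" "$mac"
}

# choose_forwarders LISTFILE GW_IP GW_MAC NEW_RESOLVERS
# Prints the resolvers to write, one per line, when the network is trusted.
# On an untrusted network it prints nothing and returns 1, so the caller leaves
# the existing forwarders untouched (the behaviour the thread proposes).
choose_forwarders() {
    if is_trusted_network "$1" "$2" "$3"; then
        printf '%s\n' "$4" | tr ' ,' '\n\n' | sed '/^$/d'
        return 0
    fi
    return 1
}

# apply_forwarders SERVERS_FILE LISTFILE NEW_RESOLVERS
# The piece a DHCP client hook would call after a lease is obtained.
apply_forwarders() {
    servers_file=$1 list=$2 new_resolvers=$3
    gw=$(current_gateway) || {
        echo "no usable default gateway; forwarders unchanged" >&2
        return 1
    }
    gw_ip=${gw% *} gw_mac=${gw#* }
    if choose_forwarders "$list" "$gw_ip" "$gw_mac" "$new_resolvers" > "$servers_file.tmp"; then
        mv "$servers_file.tmp" "$servers_file"
        # dnscache reads root/servers/@ at start-up; under daemontools, svc -t
        # restarts it (assumption about the local service layout).
        svc -t /service/dnscache 2>/dev/null || true
        echo "trusted network $gw_ip ($gw_mac); forwarders updated" >&2
    else
        rm -f "$servers_file.tmp"
        echo "untrusted network $gw_ip ($gw_mac); forwarders unchanged" >&2
        return 1
    fi
}
```

Two points of the design are worth noting. The check fails closed: a missing or unreadable list, or a gateway whose MAC cannot be read, means the DHCP-supplied servers are ignored and whatever forwarders dnscache already has stay in place. And, as the message itself says, the IP/MAC pair only tells a known network apart from an unexpected one; it does not authenticate the network, since both values can be forged by whoever runs the segment, so this is a speed bump against accidental trust rather than a defence against a hostile LAN.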

