I have configured my dnsmasq server to provide both DHCP and DNS services for my network, which includes a few VLANs. It works flawlessly, except that users on the guest VLAN can do direct and reverse queries of machines on different VLANs, and obtain meaningful replies from dnsmasq.

While the above requires knowledge of the other VLANs' subnets and/or the names of machines on more private, and of course iptables keeps good guard that no packets are exchanged between the guest VLAN and the more private ones, I feel a determined attacker may easily guess the other subnets, and possibly the names of some machines on the other VLANs, weakening my configuration.

Hence: can dnsmasq be configured to drop queries about different private subnets? Thanks for your time.
The backbone of my dnsmasq.conf follows: