Hello,

I have configured my dnsmasq server to provide both DHCP and DNS services for my network, which includes a few VLANs. It works flawlessly, except that users on the guest VLAN can do direct and reverse queries of machines on different VLANs, and obtain meaningful replies from dnsmasq.

While the above requires knowledge of the other VLANs' subnets and/or the names of machines on the more private ones, and of course iptables keeps good guard that no packets are exchanged between the guest VLAN and the more private ones, I feel a determined attacker may easily guess the other subnets, and possibly the names of some machines on the other VLANs, weakening my configuration.


Hence: can dnsmasq be configured to drop queries about different private subnets? Thanks for your time.

mario


The backbone of my dnsmasq.conf follows:


localise-queries
domain-needed
bogus-priv
dhcp-authoritative
no-dhcp-interface=tun0
no-resolv
stop-dns-rebind
interface=eth0
interface=eth0.10
interface=eth0.20
interface=eth0.30
interface=tun0
server=/GCTlab.lan/192.168.11.1
local=/faculty.lan/students.lan/administration.lan/guest.lan/
server=8.8.8.8
server=8.8.4.4
expand-hosts
domain=faculty.lan,192.168.73.0/24
domain=students.lan,10.0.73.0/24
.....
dhcp-range=interface:eth0,192.168.73.32,192.168.73.90,12h
dhcp-range=interface:eth0.10,10.0.73.32,10.0.73.90,12h
......
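One way to confirm from the server side whether such cross-VLAN answers are actually being handed out is to audit the dnsmasq query log. The script below is an added example, not part of the original post or of dnsmasq itself: it assumes dnsmasq runs with `log-queries` (which logs `query[TYPE] name from client` followed by `reply name is answer` lines), takes the faculty.lan and students.lan subnets from the config above, and uses an assumed placeholder subnet for guest.lan. The log lines embedded in it are constructed for the demonstration. It pairs each reply with the query that caused it and flags any reply that discloses an address in a VLAN other than the one the querying client sits in, for both forward (A) and reverse (PTR) lookups.

```python
import ipaddress
import re

# Domain -> subnet mapping. faculty.lan and students.lan come from the posted
# dnsmasq.conf; the guest.lan subnet is an ASSUMED placeholder (not in the post).
VLANS = {
    "faculty.lan": ipaddress.ip_network("192.168.73.0/24"),
    "students.lan": ipaddress.ip_network("10.0.73.0/24"),
    "guest.lan": ipaddress.ip_network("10.0.99.0/24"),  # assumption
}

# Patterns for dnsmasq's log-queries output (assumed format).
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<answer>\S+)")

# Constructed sample log: a guest client resolving a students.lan host forward
# and reverse, a public lookup, and a faculty client resolving a faculty host.
SAMPLE_LOG = """\
Mar  1 10:00:01 router dnsmasq[1234]: query[A] printer.students.lan from 10.0.99.20
Mar  1 10:00:01 router dnsmasq[1234]: reply printer.students.lan is 10.0.73.40
Mar  1 10:00:05 router dnsmasq[1234]: query[A] www.example.org from 10.0.99.20
Mar  1 10:00:05 router dnsmasq[1234]: forwarded www.example.org to 8.8.8.8
Mar  1 10:00:05 router dnsmasq[1234]: reply www.example.org is 93.184.216.34
Mar  1 10:00:09 router dnsmasq[1234]: query[PTR] 40.73.0.10.in-addr.arpa from 10.0.99.20
Mar  1 10:00:09 router dnsmasq[1234]: reply 40.73.0.10.in-addr.arpa is printer.students.lan
Mar  1 10:00:12 router dnsmasq[1234]: query[A] nas.faculty.lan from 192.168.73.50
Mar  1 10:00:12 router dnsmasq[1234]: reply nas.faculty.lan is 192.168.73.60
"""


def ptr_to_ip(name):
    """Turn an in-addr.arpa PTR name back into the IPv4 address it encodes."""
    suffix = ".in-addr.arpa"
    if name.endswith(suffix):
        octets = name[: -len(suffix)].split(".")
        if len(octets) == 4:
            return ipaddress.ip_address(".".join(reversed(octets)))
    return None


def vlan_of(ip):
    """Return the domain whose subnet contains ip, or None for public/unknown."""
    for domain, net in VLANS.items():
        if ip in net:
            return domain
    return None


def find_cross_vlan_answers(lines):
    """Return replies that disclose an address in a VLAN other than the client's.

    Each finding records the querying client, its VLAN, the name involved and
    the VLAN of the address that was disclosed.
    """
    pending = {}  # queried name -> (qtype, client ip), latest query wins
    findings = []
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            pending[q.group("name")] = (q.group("qtype"), q.group("client"))
            continue
        r = REPLY_RE.search(line)
        if not r or r.group("name") not in pending:
            continue
        name, answer = r.group("name"), r.group("answer")
        qtype, client = pending.pop(name)
        client_vlan = vlan_of(ipaddress.ip_address(client))
        if qtype == "PTR":
            # A reverse lookup discloses the host behind the address in the query.
            disclosed = ptr_to_ip(name)
        else:
            try:
                disclosed = ipaddress.ip_address(answer)
            except ValueError:
                disclosed = None  # CNAME target, NXDOMAIN, etc.: no address leaked
        if disclosed is None:
            continue
        answer_vlan = vlan_of(disclosed)
        if answer_vlan is not None and answer_vlan != client_vlan:
            findings.append({
                "client": client,
                "client_vlan": client_vlan,
                "name": name,
                "disclosed": str(disclosed),
                "disclosed_vlan": answer_vlan,
            })
    return findings


if __name__ == "__main__":
    for f in find_cross_vlan_answers(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} ({f['client_vlan']}) learned {f['name']} -> "
              f"{f['disclosed']} in {f['disclosed_vlan']}")
```

Run against a real `/var/log/syslog` or journal export, the same function shows how often guest clients receive answers for the private VLANs; an empty result after a configuration change is the evidence that the change actually closed the gap.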
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
