Re: [Dnsmasq-discuss] CERT Vulnerability VU#598349

2018-09-09 Thread klondike
Hi Simon,

On 08/09/18 at 19:17, Simon Kelley wrote:
> The question is, should the above configuration be "baked in" to the code?

Yes. In general it is considered against good practice to provide insane
defaults and in this case this entails software and not configuration
defaults.

Keep in mind that dnsmasq is used by a wide variety of users nowadays,
not only home routers and embedded devices but also as a simple DHCP/DNS server
in NAT setups, for example by NetworkManager or libvirt. Getting all of
these users to update the way in which they generate dnsmasq
configurations may be impractical as opposed to the rare case of allowing
the names in such a blacklist.

Because of this it would be best to let dnsmasq to default to safe
behaviour (filtering known bad names like wpad) and allowing users to
disable this behaviour via a configuration/command line directive. That
way the next update will fix the problem for the majority of users out
of the box whilst still allowing the few with a legitimate interest in
allowing overriding of entries like wpad to do so.

If you need help writing such a patch I can try to get some time to do so.

Sincerely,

Klondike

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] clients of DHCPv6 with constructed IPv6 address range are not notified on address range change

2018-09-09 Thread Simon Kelley
Dnsmasq doesn't implement RECONFIGURE. It probably should. The main
problem, from a quick look at the RFC, is that RECONFIGURE mandates use
of security mechanism, and dnsmasq doesn't implement that either!

The intention is that address change is a gradual process. The old
address gets deprecated whilst the new one is added, and after a while
the old address disappears. DHCP lease times are shorter than the time
taken for an address to disappear. This gives time for hosts to move to
the new address.

What's happening in your case seems a bit brutal. Even if you can push
the change to all the clients fast, you're still going to break every
on-going connection at address-change time.


Cheers,

Simon.



On 09/09/18 22:07, Andrey Vakhitov wrote:
> Thanks for a great dnsmasq software.
> 
> I’m using dnsmasq 2.79 in combination with IPv6 prefix delegation. The
> prefixes are changing daily due to daily reconnect of upstream router.
> Dhcpcd is used to handle prefix delegation on external interface and
> apply new address to internal interface (dmz0). Dnsmasq picks up the
> prefix assigned to the internal interface by dhcpcd and serves RA and
> DHCPv6.
> 
> dhcp-range=set:dmz6,::,constructor:dmz0,ra-stateless,ra-names
> 
> dhcp-host=id:00:02:00:00:ab:11:9b:74:21:c0:e9:5d:1c:18,set:dmzfix6,[::56],dmzhost
> 
> Initially the host gets IPv6 address via DHCPv6 correctly, DNS
> resolution works as expected, everything seems to be ok. But after
> reconnect (and corresponding prefix change) the client stays with the IPv6
> address from old prefix and doesn’t update it. I’ve used tcpdump to
> monitor DHCP-related traffic and could not see DHCPv6 RECONFIGURE
> message sent by dnsmasq to clients on prefix change. I assume that this
> is the cause of the problem: DHCP clients are not aware of changed
> prefix and can’t act without corresponding notification from server.
> 
> As dhcp client I use built-in DHCP client from systemd-networkd, just for
> info, maybe it matters…
> 
> If I’m wrong with my assumption I’d appreciate any explanation helping
> me to configure dnsmasq and DHCP client properly.
> 
> Best regards,
> 
> --
> 
> Andrey Vakhitov
> 
> E-Mail:  and...@vakhitov.net
> Stuttgart, Germany
> 




Re: [Dnsmasq-discuss] CERT Vulnerability VU#598349

2018-09-09 Thread Uwe Schindler
Hey,
> > The question is, should the above configuration be "baked in" to the code?
> 
> As I understand, this vulnerability arises from the Web Proxy Automatic
> Discovery (WPAD) protocol, not from dnsmasq itself.  And, dnsmasq
> configuration provides - or will provide - a configuration mechanism to
> obviate the shortcomings of the WPAD protocol.  My inclination would be to
> *not* change the code, on the off-chance that someone might consider this
> specific function of the WPAD protocol to be a "feature", and instead, to rely
> upon the proper dnsmasq configuration, which would make overt to the
> network administrator just how the "wpad" sub-domain is being handled.
> And then, for instance, as you say,
> dhcp-name-match=set:wpad-ignore,wpad
> dhcp-ignore-names=tag:wpad-ignore
> could be recommended in the default dnsmasq configuration file.
> 
> Also, the CERT note says "Other autodiscovery names, such as, ISATAP,
> autodiscovery and autoconf may also be exploitable."  And dnsmasq could
> be playing "whack-a-mole" with sub-domain names in the code, if handled
> that way.  It's easier to play "whack-a-mole" from the configuration file.

I fully agree with this. IMHO, the new 2.80 config settings for name matches to
ignore should maybe be added to the default config.

dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore

By the way, I'd also like to "ignore" the name "localhost", as exposed by
Samsung SmartTVs. This is annoying, as it registers "localhost" as a domain
name. It should just ignore that hostname, if provided by the DHCP client. If
the above option helps to provide these "ignores", then we can add more
hostnames like this that cannot be taken by DHCP clients.

Uwe
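An added audit example (not dnsmasq code and not from any poster on the thread) that applies the `dhcp-name-match`/`dhcp-ignore-names` idea to the wider set of names raised above: it scans dnsmasq DHCP log lines (constructed here) for client-supplied hostnames such as wpad, isatap or localhost, so an administrator can see which clients are claiming them, and emits the matching dnsmasq 2.80 configuration lines. The `DENIED_NAMES` list and the tag name `name-ignore` are assumptions.

```python
"""Audit dnsmasq DHCP logs for client-supplied hostnames that collide with
autodiscovery names and emit the dnsmasq 2.80 lines that would ignore them."""
import re

# Names a DHCP client should never be allowed to register. Assumption: drawn
# from the CERT note quoted in the thread plus the "localhost" SmartTV case.
DENIED_NAMES = ("wpad", "isatap", "autodiscover", "autoconf", "localhost")

# dnsmasq logs a lease as "DHCPACK(<iface>) <ip> <mac> <hostname>"; the
# hostname field is absent when the client did not send one.
ACK_RE = re.compile(
    r"DHCPACK\((?P<iface>[^)]+)\)\s+(?P<ip>\S+)\s+(?P<mac>[0-9a-f:]{17})(?:\s+(?P<name>\S+))?",
    re.IGNORECASE,
)

def is_denied(hostname: str) -> bool:
    """True if the first label of the name is a denied name. The check is
    case-insensitive because DNS names are, so "WPAD" is caught too."""
    label = hostname.rstrip(".").split(".")[0].lower()
    return label in DENIED_NAMES

def find_suspicious_leases(log_lines):
    """Return (ip, mac, hostname) for every DHCPACK whose hostname is denied."""
    hits = []
    for line in log_lines:
        m = ACK_RE.search(line)
        if m and m.group("name") and is_denied(m.group("name")):
            hits.append((m.group("ip"), m.group("mac"), m.group("name")))
    return hits

def dnsmasq_ignore_config(names=DENIED_NAMES):
    """Emit dnsmasq >= 2.80 config: one dhcp-name-match per name sets the
    tag, and a single dhcp-ignore-names drops the client's name on that tag."""
    lines = [f"dhcp-name-match=set:name-ignore,{n}" for n in names]
    lines.append("dhcp-ignore-names=tag:name-ignore")
    return "\n".join(lines)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Sep  9 10:01:02 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.20 aa:bb:cc:dd:ee:01 laptop",
    "Sep  9 10:01:05 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.21 aa:bb:cc:dd:ee:02 WPAD",
    "Sep  9 10:01:09 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.22 aa:bb:cc:dd:ee:03 localhost",
    "Sep  9 10:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.23 aa:bb:cc:dd:ee:04",
]

if __name__ == "__main__":
    for ip, mac, name in find_suspicious_leases(SAMPLE_LOG):
        print(f"client {mac} at {ip} registered reserved name {name!r}")
    print(dnsmasq_ignore_config())
```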





[Dnsmasq-discuss] clients of DHCPv6 with constructed IPv6 address range are not notified on address range change

2018-09-09 Thread Andrey Vakhitov
Thanks for a great dnsmasq software.


I'm using dnsmasq 2.79 in combination with IPv6 prefix delegation. The
prefixes are changing daily due to daily reconnect of upstream router.
Dhcpcd is used to handle prefix delegation on external interface and apply
new address to internal interface (dmz0). Dnsmasq picks up the prefix
assigned to the internal interface by dhcpcd and serves RA and DHCPv6.


dhcp-range=set:dmz6,::,constructor:dmz0,ra-stateless,ra-names

dhcp-host=id:00:02:00:00:ab:11:9b:74:21:c0:e9:5d:1c:18,set:dmzfix6,[::56],dmzhost


Initially the host gets IPv6 address via DHCPv6 correctly, DNS resolution
works as expected, everything seems to be ok. But after reconnect (and
corresponding prefix change) the client stays with the IPv6 address from old
prefix and doesn't update it. I've used tcpdump to monitor DHCP-related
traffic and could not see DHCPv6 RECONFIGURE message sent by dnsmasq to
clients on prefix change. I assume that this is the cause of the problem:
DHCP clients are not aware of changed prefix and can't act without
corresponding notification from server.

As dhcp client I use built-in DHCP client from systemd-networkd, just for
info, maybe it matters.


If I'm wrong with my assumption I'd appreciate any explanation helping me to
configure dnsmasq and DHCP client properly.


Best regards,

--

Andrey Vakhitov


E-Mail:    and...@vakhitov.net
Stuttgart, Germany
