On 01/08/14 19:31, Ben Cundiff wrote:
Thanks for the reply. To clarify, would the no-resolv option prevent
the server running dnsmasq from referencing its own /etc/resolv.conf,
or would that also affect the behavior of clients?
Just the server.
I don't think it's
possible the rogue DHCP server provided any of our other servers with
a DHCP lease: none of our servers with dnsmasq have the
isc-dhcp-client package installed, and the Windows server was set up
on a separate VLAN from any of our servers. Would there be another
way that the unauthorized DHCP/DNS server could have answered queries
for our domain? Thanks again,
The rogue DHCP server could affect the clients' idea of their upstream
server without giving them a lease, via replies to DHCPINFO requests. If
it didn't do that, it's difficult to see how it could answer queries
sent to the correct server. (Actually, this is a well-known attack, but
it's much more specialised than a rogue DHCP server.)
Simon.
Ben Cundiff
Associate Sysadmin
X-ES Inc.
bcund...@xes-inc.com

----- Original Message -----
From: Simon Kelley si...@thekelleys.org.uk
To: dnsmasq-disc...@thekelleys.org.uk
Sent: Wednesday, July 30, 2014 4:30:15 PM
Subject: Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers
Your config doesn't include

no-resolv

so dnsmasq will be reading /etc/resolv.conf looking for servers
there, as well as the ones you've defined. If a DHCP client on the
machine got a DHCP lease from the rogue server, it could have put the
DNS server address from that DHCP lease in /etc/resolv.conf. That
would get queries NOT in *.example.com sent to the rogue server.
Cheers,
Simon.
___ Dnsmasq-discuss
mailing list Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
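The failure mode Simon describes (no no-resolv, so dnsmasq silently adds whatever /etc/resolv.conf lists to its upstreams) can be checked mechanically. The script below is an added example, not code from the thread or from dnsmasq itself; both configs are constructed stand-ins for the poster's setup, and the addresses and interface name are assumed.

```python
import re

# Constructed configs (not the poster's real dnsmasq.conf). WEAK_CONF is the
# shape the thread describes: example.com is pinned, but nothing stops dnsmasq
# from also reading /etc/resolv.conf for every other domain. HARDENED_CONF adds
# no-resolv and an explicit default upstream, so only listed servers are used.
WEAK_CONF = """\
interface=eth0
domain=example.com
local=/example.com/
server=/example.com/10.10.0.5
"""

HARDENED_CONF = """\
interface=eth0
domain=example.com
local=/example.com/
no-resolv
server=/example.com/10.10.0.5
server=10.10.0.53
"""

def parse_dnsmasq_conf(text):
    """Parse only the dnsmasq.conf options that decide where queries go upstream."""
    opts = {"no_resolv": False, "resolv_file": "/etc/resolv.conf", "servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # dnsmasq comments are whole lines
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "no-resolv":
            opts["no_resolv"] = True
        elif key == "resolv-file":               # an alternative file is still a file
            opts["resolv_file"] = value
        elif key == "server":
            # server=/domain/addr pins one domain; server=addr is a default upstream;
            # server=/domain/ with no address means "never forward this domain".
            m = re.fullmatch(r"/([^/]*)/(.*)", value)
            domain, addr = (m.group(1), m.group(2)) if m else ("", value)
            opts["servers"].append((domain, addr))
    return opts

def audit_upstreams(text):
    """Return (pinned, findings): pinned is True only when no external file can add upstreams."""
    opts = parse_dnsmasq_conf(text)
    findings = []
    has_default = any(domain == "" and addr for domain, addr in opts["servers"])
    if not opts["no_resolv"]:
        findings.append("upstreams also read from %s; queries outside pinned domains follow that file" % opts["resolv_file"])
    elif not has_default:
        findings.append("no default server= line; queries outside pinned domains cannot be forwarded")
    return (opts["no_resolv"], findings)
```

Running audit_upstreams on a live /etc/dnsmasq.conf (and any conf-dir fragments) gives a quick answer to the question in the thread: whether a DHCP-written resolv.conf could still steer queries for domains you did not pin.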