Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers

2014-08-13 Thread Simon Kelley
On 01/08/14 19:31, Ben Cundiff wrote:
 Thanks for the reply. To clarify, would the no-resolv option prevent
 the server running dnsmasq from referencing its own /etc/resolv.conf,
 or would that also affect the behavior of clients?

Just the server.

 I don't think it's
 possible the rogue DHCP server provided any of our other servers with
 a DHCP lease-- none of our servers with dnsmasq have the
 isc-dhcp-client package installed, and the Windows server was set up
 on a separate VLAN from any of our servers. Would there be another
 way that the unauthorized DHCP/DNS server could have answered queries
 for our domain? Thanks again,

the rogue DHCP server could affect the clients' idea of their upstream
server without giving them a lease, via replies to DHCPINFO requests. If
it didn't do that, it's difficult to see how it could answer queries
sent to the correct server. (Actually, this is a well-known attack, but
it's much more specialised than a rogue DHCP server.)

Simon.

 
 Ben Cundiff
 Associate Sysadmin
 X-ES Inc.
 bcund...@xes-inc.com
 
 - Original Message -
 
 From: Simon Kelley si...@thekelleys.org.uk
 To: dnsmasq-disc...@thekelleys.org.uk
 Sent: Wednesday, July 30, 2014 4:30:15 PM
 Subject: Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers
 
 
 Your config doesn't include
 
 no-resolv
 
 so dnsmasq will be reading /etc/resolv.conf looking for servers
 there, as well as the ones you've defined. If a DHCP client on the
 machine got a DHCP lease from the rogue server, it could have put the
 DNS server address from that DHCP lease in /etc/resolv.conf. That
 would get queries NOT in *.example.com sent to the rogue server.
 
 
 Cheers,
 
 Simon.
 
 
 
 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 




Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers

2014-08-01 Thread Ben Cundiff
Thanks for the reply. To clarify, would the no-resolv option prevent the server 
running dnsmasq from referencing its own /etc/resolv.conf, or would that also 
affect the behavior of clients? 
I don't think it's possible the rogue DHCP server provided any of our other 
servers with a DHCP lease-- none of our servers with dnsmasq have the 
isc-dhcp-client package installed, and the Windows server was set up on a 
separate VLAN from any of our servers. Would there be another way that the 
unauthorized DHCP/DNS server could have answered queries for our domain? 
Thanks again, 

Ben Cundiff 
Associate Sysadmin 
X-ES Inc. 
bcund...@xes-inc.com 

- Original Message -

From: Simon Kelley si...@thekelleys.org.uk 
To: dnsmasq-disc...@thekelleys.org.uk 
Sent: Wednesday, July 30, 2014 4:30:15 PM 
Subject: Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers 


Your config doesn't include 

no-resolv 

so dnsmasq will be reading /etc/resolv.conf looking for servers there, 
as well as the ones you've defined. If a DHCP client on the machine got 
a DHCP lease from the rogue server, it could have put the DNS server 
address from that DHCP lease in /etc/resolv.conf. That would get queries 
NOT in *.example.com sent to the rogue server. 


Cheers, 

Simon. 






Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers

2014-07-30 Thread Simon Kelley
On 29/07/14 17:11, Ben Cundiff wrote:
 Hi, 
 We have two DHCP/DNS servers running Ubuntu 12.04 and dnsmasq-server 
 2.590-4ubuntu0.1. The other day, we had a user set up a Windows Server 2012 
 computer on our development network for testing. This user chose to set up 
 his Windows server as DC, DHCP server, DNS server, and more, for a new domain 
 that he gave the same name as our production domain (let's say both domains 
 are named example.com). One of our servers, while still using a DHCP lease 
 from our legitimate DHCP servers, somehow began using the Windows server for 
 DNS queries for hosts on the example.com domain, though our server network 
 and the development network are on separate VLANs and in different broadcast 
 domains. Is there something in our servers' dnsmasq.conf that would have 
 allowed any of our DHCP servers to forward requests to the unauthorized 
 servers? 
 Here's what dnsmasq.conf looks like on our primary DHCP server. We've set it 
 up so that the three DCs handle all DNS queries for example.com 
 server=//
 server=/example.com/###.###.###.1
 server=/example.com/###.###.###.2
 server=/example.com/###.###.###.3
 local-ttl=1
 localise-queries
 all-servers
 rebind-localhost-ok
 stop-dns-rebind
 dns-forward-max=5000
 cache-size=1
 rebind-domain-ok=/example.com/ 
 

Your config doesn't include

no-resolv

so dnsmasq will be reading /etc/resolv.conf looking for servers there,
as well as the ones you've defined. If a DHCP client on the machine got
a DHCP lease from the rogue server, it could have put the DNS server
address from that DHCP lease in /etc/resolv.conf. That would get queries
NOT in *.example.com sent to the rogue server.


Cheers,

Simon.



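As an added check (not code from the thread or from dnsmasq itself), a small POSIX shell script that applies Simon's diagnosis to a config file: it lists the upstreams dnsmasq would consult for names outside the server=/example.com/ entries, once with the config as posted and once with no-resolv added. File paths, DC addresses and the rogue nameserver address are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread. It reproduces Simon's point: without
# a "no-resolv" line, every nameserver in resolv.conf is an upstream for names
# that no server=/domain/ entry covers. Paths and addresses are constructed.

# Return 0 if the dnsmasq config contains a no-resolv line.
has_no_resolv() {
    grep -qE '^[[:space:]]*no-resolv[[:space:]]*$' "$1"
}

# Print the upstreams consulted for a name NOT matched by any server=/domain/
# line: plain "server=IP" entries, plus resolv.conf nameservers unless
# no-resolv is set.  $1 = dnsmasq.conf path, $2 = resolv.conf path
upstreams_for_other_names() {
    grep -E '^server=[^/]' "$1" | cut -d= -f2
    has_no_resolv "$1" || awk '$1 == "nameserver" { print $2 }' "$2"
}

# Number of such upstreams (0 is what you want when the only intended
# upstreams are the server=/example.com/ entries).
count_upstreams() {
    upstreams_for_other_names "$1" "$2" | wc -l | tr -d ' '
}

WORK=$(mktemp -d)
# The config posted in the thread, which lacks no-resolv (DC addresses constructed).
cat > "$WORK/dnsmasq.conf" <<'EOF'
server=//
server=/example.com/192.0.2.1
server=/example.com/192.0.2.2
server=/example.com/192.0.2.3
local-ttl=1
localise-queries
all-servers
rebind-localhost-ok
stop-dns-rebind
dns-forward-max=5000
cache-size=1
rebind-domain-ok=/example.com/
EOF
# A resolv.conf as a lease from the rogue server might have rewritten it (constructed).
printf 'nameserver 198.51.100.53\n' > "$WORK/resolv.conf"
# Hardened copy: the same config with no-resolv added.
{ cat "$WORK/dnsmasq.conf"; echo no-resolv; } > "$WORK/dnsmasq-fixed.conf"

echo "upstreams for non-example.com names, config as posted:"
upstreams_for_other_names "$WORK/dnsmasq.conf" "$WORK/resolv.conf"
echo "same config with no-resolv added:"
upstreams_for_other_names "$WORK/dnsmasq-fixed.conf" "$WORK/resolv.conf"
```

The check only reads the two files; it does not ask the running daemon which upstreams it actually loaded.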


[Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers

2014-07-29 Thread Ben Cundiff
Hi, 
We have two DHCP/DNS servers running Ubuntu 12.04 and dnsmasq-server 
2.590-4ubuntu0.1. The other day, we had a user set up a Windows Server 2012 
computer on our development network for testing. This user chose to set up his 
Windows server as DC, DHCP server, DNS server, and more, for a new domain that 
he gave the same name as our production domain (let's say both domains are 
named example.com). One of our servers, while still using a DHCP lease from 
our legitimate DHCP servers, somehow began using the Windows server for DNS 
queries for hosts on the example.com domain, though our server network and the 
development network are on separate VLANs and in different broadcast domains. 
Is there something in our servers' dnsmasq.conf that would have allowed any of 
our DHCP servers to forward requests to the unauthorized servers? 
Here's what dnsmasq.conf looks like on our primary DHCP server. We've set it up 
so that the three DCs handle all DNS queries for example.com 
server=//
server=/example.com/###.###.###.1
server=/example.com/###.###.###.2
server=/example.com/###.###.###.3
local-ttl=1
localise-queries
all-servers
rebind-localhost-ok
stop-dns-rebind
dns-forward-max=5000
cache-size=1
rebind-domain-ok=/example.com/ 

Thanks, 


Ben Cundiff 
Associate Sysadmin 
X-ES Inc. 
bcund...@xes-inc.com 
