On 01/08/14 19:31, Ben Cundiff wrote:
> Thanks for the reply. To clarify, would the no-resolv option prevent
> the server running dnsmasq from referencing its own /etc/resolv.conf,
> or would that also affect the behavior of clients?

Just the server.

> I don't think it's possible the rogue DHCP server provided any of our
> other servers with a DHCP lease -- none of our servers with dnsmasq have
> the isc-dhcp-client package installed, and the Windows server was set up
> on a separate VLAN from any of our servers. Would there be another way
> that the unauthorized DHCP/DNS server could have answered queries for
> our domain? Thanks again,

The rogue DHCP server could affect the clients' idea of their upstream
server without giving them a lease, via replies to DHCPINFO requests. If
it didn't do that, it's difficult to see how it could answer queries sent
to the correct server. (Actually, this is a well-known attack, but it's
much more specialised than a rogue DHCP server.)

Simon.

>
> Ben Cundiff
> Associate Sysadmin
> X-ES Inc.
> bcund...@xes-inc.com
>
> ----- Original Message -----
>
> From: "Simon Kelley" <si...@thekelleys.org.uk>
> To: dnsmasq-disc...@thekelleys.org.uk
> Sent: Wednesday, July 30, 2014 4:30:15 PM
> Subject: Re: [Dnsmasq-discuss] Locking Down DNS Queries to Correct Servers
>
>
> Your config doesn't include
>
> no-resolv
>
> so dnsmasq will be reading /etc/resolv.conf looking for servers there,
> as well as the ones you've defined. If a DHCP client on the machine got
> a DHCP lease from the rogue server, it could have put the DNS server
> address from that DHCP lease in /etc/resolv.conf. That would get queries
> NOT in *.example.com sent to the rogue server.
>
>
> Cheers,
>
> Simon.
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
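As an added example (not code from the thread or from dnsmasq itself), the following models the upstream-selection behaviour Simon describes, so a configuration can be audited for the resolv.conf leak before a rogue DHCP server is around to exploit it. It assumes a simplified version of dnsmasq's rules (server=/domain/ip lines win by longest suffix, everything else goes to bare server= lines plus /etc/resolv.conf unless no-resolv is set); the config texts and the address 192.0.2.66 are constructed sample input.

```python
# Added example, not dnsmasq's own code: a simplified model of how dnsmasq picks
# upstream servers. Assumed rules: server=/domain/ip wins for that domain and its
# subdomains (longest suffix first); any other name goes to the "default" set, i.e.
# bare server=ip lines plus resolv.conf nameservers unless no-resolv is present.
# strict-order, all-servers, resolv-file and similar options are ignored here.

def parse_dnsmasq_conf(text):
    """Return (no_resolv, {domain: [ips]}, [default ips]) from dnsmasq.conf text."""
    no_resolv, domain_servers, default_servers = False, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "no-resolv":
            no_resolv = True
        elif line.startswith("server=/"):
            parts = line[len("server="):].split("/")   # /dom1/dom2/.../ip
            for domain in parts[1:-1]:
                if parts[-1]:  # server=/domain/ with no address is not modelled
                    domain_servers.setdefault(domain.lower(), []).append(parts[-1])
        elif line.startswith("server="):
            default_servers.append(line[len("server="):])
    return no_resolv, domain_servers, default_servers

def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def upstreams_for(name, dnsmasq_conf, resolv_conf):
    """Which upstream addresses a query for `name` would be forwarded to."""
    no_resolv, domain_servers, default_servers = parse_dnsmasq_conf(dnsmasq_conf)
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest matching suffix first
        suffix = ".".join(labels[i:])
        if suffix in domain_servers:
            return list(domain_servers[suffix])
    servers = list(default_servers)
    if not no_resolv:                       # the leak: resolv.conf joins the default set
        servers += parse_resolv_conf(resolv_conf)
    return servers

# Constructed sample input: 192.0.2.66 stands in for an address a rogue DHCP
# server wrote into /etc/resolv.conf; 10.0.0.2 and 10.0.0.3 are the intended servers.
LEAKY_CONF = "server=/example.com/10.0.0.2\n"
FIXED_CONF = "no-resolv\nserver=/example.com/10.0.0.2\nserver=10.0.0.3\n"
ROGUE_RESOLV = "search example.com\nnameserver 192.0.2.66\n"
```

With LEAKY_CONF a query for www.example.org is forwarded to 192.0.2.66, while FIXED_CONF sends it to 10.0.0.3 and still routes *.example.com to 10.0.0.2.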