[Dnsmasq-discuss] cross-queries from VLANs.
mario
2017-07-05 16:54:20 UTC
Hello,

I have configured my dnsmasq server to provide both DHCP and DNS services for my network, which includes a few VLANs. It works flawlessly, except that users on the guest VLAN can do direct and reverse queries of machines on different VLANs, and obtain meaningful replies from dnsmasq.

While the above requires knowledge of the other VLANs' subnets and/or the names of machines on the more private ones, and of course iptables keeps good guard that no packets are exchanged between the guest VLAN and the more private ones, I feel a determined attacker may easily guess the other subnets, and possibly the names of some machines on the other VLANs, weakening my configuration.

Hence: can dnsmasq be configured to drop queries about different private subnets? Thanks for your time.

mario


The backbone of my dnsmasq.conf follows:


localise-queries
domain-needed
bogus-priv
dhcp-authoritative
no-dhcp-interface=tun0
no-resolv
stop-dns-rebind
interface=eth0
interface=eth0.10
interface=eth0.20
interface=eth0.30
interface=tun0
server=/GCTlab.lan/192.168.11.1
local=/faculty.lan/students.lan/administration.lan/guest.lan/
server=8.8.8.8
server=8.8.4.4
expand-hosts
domain=faculty.lan,192.168.73.0/24
domain=students.lan,10.0.73.0/24
.....
dhcp-range=interface:eth0,192.168.73.32,192.168.73.90,12h
dhcp-range=interface:eth0.10,10.0.73.32,10.0.73.90,12h
......
Petr Menšík
2017-07-07 14:38:04 UTC
Hi Mario,

I think you should use bind-dynamic and spawn more instances of dnsmasq, one for each interface, instead. Each would contain only the information it can know about.

One instance could have server= entries pointing to the dynamically allocated domains of the other instances, so queries to that one would know all the names. The others would know only their own domains and the public internet.

I think you are requesting something like views. It seems against the idea of dnsmasq to me.
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
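The split-instance layout Petr describes, written out as an added example; this is not configuration from the original post or from the dnsmasq project. The interface names, the faculty.lan/students.lan/guest.lan domains and the 192.168.73.0/24 and 10.0.73.0/24 ranges are taken from Mario's config; the guest VLAN sitting on eth0.30 with 172.16.73.0/24, the server owning the .1 address of each subnet, the file paths and the choice of the faculty instance as the one that "knows all the names" are assumptions. Each file is started as its own process with `dnsmasq -C <file>`.

```conf
# /etc/dnsmasq.d/guest.conf (assumed path)
# Guest instance: bound only to eth0.30. It holds only guest leases/names and can
# reach only the public resolvers, so it cannot answer for other VLANs at all.
bind-dynamic
interface=eth0.30
except-interface=lo            # interface= implicitly adds lo; only one instance may own lo:53
pid-file=/run/dnsmasq-guest.pid            # assumed; must differ per instance
dhcp-leasefile=/var/lib/misc/dnsmasq-guest.leases   # assumed; must differ per instance
no-hosts                       # the server's /etc/hosts may list machines on other VLANs
dhcp-authoritative
no-resolv
domain-needed
bogus-priv                     # reverse lookups of private ranges not in the lease file -> NXDOMAIN
stop-dns-rebind
expand-hosts
domain=guest.lan
dhcp-range=172.16.73.32,172.16.73.90,12h   # assumed guest subnet
# All private zones are declared local here, so a guest asking for host.faculty.lan
# gets NXDOMAIN from this instance and the query is never forwarded anywhere.
local=/faculty.lan/students.lan/administration.lan/guest.lan/
server=8.8.8.8
server=8.8.4.4

# /etc/dnsmasq.d/students.conf (assumed path)
# Students instance: same shape, bound to eth0.10 only.
bind-dynamic
interface=eth0.10
except-interface=lo
pid-file=/run/dnsmasq-students.pid
dhcp-leasefile=/var/lib/misc/dnsmasq-students.leases
no-hosts
dhcp-authoritative
no-resolv
domain-needed
bogus-priv
stop-dns-rebind
expand-hosts
domain=students.lan
dhcp-range=10.0.73.32,10.0.73.90,12h
local=/faculty.lan/students.lan/administration.lan/guest.lan/
server=8.8.8.8
server=8.8.4.4

# /etc/dnsmasq.d/faculty.conf (assumed path)
# Faculty instance: bound to eth0 (and lo, so the server itself resolves through it).
# This is the one instance that learns the other VLANs' names, by forwarding those
# zones to the sibling instances rather than by sharing their lease files.
bind-dynamic
interface=eth0
pid-file=/run/dnsmasq-faculty.pid
dhcp-leasefile=/var/lib/misc/dnsmasq-faculty.leases
dhcp-authoritative
no-resolv
domain-needed
bogus-priv
stop-dns-rebind
expand-hosts
domain=faculty.lan
dhcp-range=192.168.73.32,192.168.73.90,12h
local=/faculty.lan/
# Forward the students zone (forward and reverse) to the students instance, which
# listens on the server's own eth0.10 address (assumed to be 10.0.73.1).
server=/students.lan/10.0.73.1
rev-server=10.0.73.0/24,10.0.73.1
server=/GCTlab.lan/192.168.11.1
server=8.8.8.8
server=8.8.4.4
```

Two checks are worth running after the split. From a guest client, `dig host.faculty.lan` and `dig -x 192.168.73.40` against the guest instance should both return NXDOMAIN, and a packet capture on eth0 should show no upstream query leaving for either; from a faculty client, `dig host.students.lan @192.168.73.1` should be answered via the forwarding entry. Whether `rev-server` for 10.0.73.0/24 takes precedence over `bogus-priv` in the faculty instance should be confirmed with `dig -x` on a live lease rather than assumed from the man page. The split only isolates the views if guests cannot reach the other instances' listening addresses (10.0.73.1:53, 192.168.73.1:53) at all, which is exactly what Mario's iptables rules between VLANs already have to enforce; the per-instance `interface=` binding is not a substitute for that filter.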