[Resolvconf-devel] Bug#318464: Bug#318464: conditional use of given dns server
Jamie McClelland
jm at mayfirst.org
Thu Aug 2 13:43:20 UTC 2007
>
> Hrm. If you don't trust the DHCP on your local network, you probably
> also don't trust the immediate upstream router. In this situation,
> the upstream router can easily spoof responses to your DNS requests
> (unless you're using DNSSEC).
Yes - that's a good point that I didn't fully consider. It's possible that
this request will be a lot of work for only a marginal security gain.
> Then again, you won't know if you want to trust the value of
> domain-name-servers until you see the rest of the DHCP response
> either, so I'm not sure how to handle it either.
>
> I'm open to suggestions.
However... if it were to be done, one way of doing it would be:
* Maintain a config file somewhere that lists IP/MAC address pairs of trusted
networks
* Tweak the dnscache script to test for a trusted network and only update the
forward name servers if the network is listed.
This is far from perfect; a MAC address can, of course, be spoofed. I wonder if
there is a more secure way to test whether or not you are on a given trusted
network?
jamie
--
Jamie McClelland
718-303-3204 ext. 101
May First/People Link
Growing networks to build a just world
http://www.mayfirst.org
Members Local 1180, Communications Workers of America, AFL-CIO
PGP Key: http://mayfirst.org/jamie-pgp