[Resolvconf-devel] Bug#318464: Bug#318464: conditional use of given dns server

Daniel Kahn Gillmor dkg-debian.org at fifthhorseman.net
Thu Aug 2 00:03:59 UTC 2007


On Wed 2007-08-01 13:39:58 -0400, Jamie McClelland wrote:

> However, given the bad things that can happen if we use a DNS
> caching server that should not be trusted - and the frequency with
> which I connect to public, untrusted wifi networks, I realized that
> what I really want to do is:
>
> Use my locally configured DNS cache in all cases *except* a few
> given networks that I specify by hand.
>
> As far as I can tell, the dnscache script will always use the DNS
> caching server if one is provided via DHCP.
>
> I'm not sure how this should be done or maybe it already can be done and I
> just don't know how. Hm. But - it would sure be useful.

Hrm.  If you don't trust the DHCP on your local network, you probably
also don't trust the immediate upstream router.  In this situation,
the upstream router can easily spoof responses to your DNS requests
(unless you're using DNSSEC).  So i'm not sure how much security you
gain by asking your local resolver to forward queries somewhere else,
since the queries are going in the clear through the untrusted network
anyway.

But, in light of the recent (yet again) bind vulnerabilities, i can
see why you're more leery about trusting local nameservers in
particular.

However, i believe this is a problem that's not just for the dnscache
scripts: it's valid for any resolvconf action: should you replace the
contents of /etc/resolv.conf itself, based on the suggestion of the
local router?

Could you try configuring your dhcp client to simply not ask for the
domain-name-server info, and then it might not get passed back to any
resolvconf script.  I don't know enough about the various dhcp clients
to know how that'd work based on the network you're in.

But i'm running dhclient3, and i see this:

[0 dkg at squeak ~]$ grep -A2 request /etc/dhcp3/dhclient.conf
request subnet-mask, broadcast-address, time-offset, routers,
	domain-name, domain-name-servers, host-name,
	netbios-name-servers, netbios-scope, interface-mtu;
[0 dkg at squeak ~]$ 

then again, you won't know if you want to trust the value of
domain-name-servers until you see the rest of the DHCP response
either, so i'm not sure how to handle it either.

I'm open to suggestions.

    --dkg
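As an added example (not part of this message or of resolvconf's own code), one way to get the per-network behaviour Jamie asks for with dhclient3 is an enter hook for dhclient-script that redefines make_resolv_conf(): the DHCP-supplied nameservers are handed to resolvconf only when the leased network number is on a hand-maintained allowlist, and the local cache is used otherwise. The hook filename, the allowlist contents and the 127.0.0.1 cache address are assumptions for illustration; $reason, $interface, $new_network_number, $new_domain_name and $new_domain_name_servers are the variables dhclient-script exports to its hooks.

```shell
#!/bin/sh
# Hypothetical /etc/dhcp3/dhclient-enter-hooks.d/trusted-dns (added example,
# not shipped by resolvconf or dhcp3-client). dhclient-script sources enter
# hooks before it acts on the lease, so a hook may replace make_resolv_conf().

# Networks whose DHCP-supplied nameservers we are willing to use: one network
# number per line, '#' starts a comment. Constructed sample data; a real
# deployment would keep this in a hand-maintained file.
TRUSTED_NETWORKS='
# home LAN
192.168.1.0
# office
10.20.0.0
'

# Nameserver to use everywhere else: the locally configured cache (assumption).
LOCAL_CACHE=127.0.0.1

# network_is_trusted NETWORK_NUMBER -> status 0 if listed, 1 otherwise.
# -F -x: match the whole line literally, so "10.20.0.0" does not match
# "10.20.0.01"; an empty network number is never trusted.
network_is_trusted() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$TRUSTED_NETWORKS" | grep -v '^#' | grep -Fqx -- "$1"
}

# choose_nameservers NETWORK_NUMBER "DHCP_NAMESERVER_LIST"
# Prints the nameserver list to pass to resolvconf: the lease's servers on a
# trusted network, the local cache anywhere else (or if the lease gave none).
choose_nameservers() {
    if [ -n "$2" ] && network_is_trusted "$1"; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$LOCAL_CACHE"
    fi
}

# Replacement for dhclient-script's make_resolv_conf(). Only lease events carry
# nameserver information; for anything else leave resolv.conf alone.
make_resolv_conf() {
    case "$reason" in
        BOUND|RENEW|REBIND|REBOOT) ;;
        *) return 0 ;;
    esac
    ns=$(choose_nameservers "$new_network_number" "$new_domain_name_servers")
    {
        [ -n "$new_domain_name" ] && echo "domain $new_domain_name"
        for s in $ns; do echo "nameserver $s"; done
    } | /sbin/resolvconf -a "$interface.dhclient"
}
```

The decision is taken after the whole lease has arrived, which sidesteps the problem of not knowing whether to ask for domain-name-servers in advance; it does nothing about the point made above that queries still cross the untrusted router in the clear.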