aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>2018-10-08 20:40:36 +0100
committerKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>2018-10-09 09:45:16 +0100
commita45f4f50e16cd2d0370a4470c3ede0c6c7754ba9 (patch)
tree0ea5e1900b54fa8ef5863b2a100c66aaf6962f3b
parent3925298f3ca9bcd854571367d98bb6ca07f4e66e (diff)
downloadupstream-a45f4f50e16cd2d0370a4470c3ede0c6c7754ba9.tar.gz
upstream-a45f4f50e16cd2d0370a4470c3ede0c6c7754ba9.tar.bz2
upstream-a45f4f50e16cd2d0370a4470c3ede0c6c7754ba9.zip
dnsmasq: add dhcp-ignore-names support - CERT VU#598349
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for specific hostnames. Clients claiming certain hostnames and thus claiming DNS namespace represent a potential security risk. e.g. a malicious host could claim 'wpad' for itself and redirect other web client requests to it for nefarious purpose. See CERT VU#598349 for more details. Some Samsung TVs are claiming the hostname 'localhost', it is believed not (yet) for nefarious purposes. /usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames in correct syntax to be excluded. e.g. dhcp-name-match=set:dhcp_bogus_hostname,localhost Inclusion of this file is controlled by uci option dhcpbogushostname which is enabled by default. To be absolutely clear, DHCP leases to these requesting hosts are still permitted, but they do NOT get to claim ownership of the hostname itself and hence put into DNS for other hosts to be confused/manipulate by. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
-rw-r--r--package/network/services/dnsmasq/Makefile3
-rw-r--r--package/network/services/dnsmasq/files/dhcpbogushostname.conf8
-rw-r--r--package/network/services/dnsmasq/files/dnsmasq.init8
3 files changed, 18 insertions, 1 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index f1daac397c..287edf5791 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_VERSION:=2.80test8
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
@@ -166,6 +166,7 @@ define Package/dnsmasq/install
$(INSTALL_DIR) $(1)/etc/hotplug.d/tftp
$(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
$(INSTALL_DIR) $(1)/usr/share/dnsmasq
+ $(INSTALL_DATA) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
$(INSTALL_DATA) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
$(INSTALL_DIR) $(1)/usr/lib/dnsmasq
$(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh
diff --git a/package/network/services/dnsmasq/files/dhcpbogushostname.conf b/package/network/services/dnsmasq/files/dhcpbogushostname.conf
new file mode 100644
index 0000000000..e83b6975d0
--- /dev/null
+++ b/package/network/services/dnsmasq/files/dhcpbogushostname.conf
@@ -0,0 +1,8 @@
+# dhcpbogushostname.conf included configuration file for dnsmasq
+#
+# includes a list of hostnames that should not be associated with dhcp leases
+# in response to CERT VU#598349
+# file included by default, option dhcpbogushostname 0 to disable
+
+dhcp-name-match=set:dhcp_bogus_hostname,localhost
+dhcp-name-match=set:dhcp_bogus_hostname,wpad
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
index de15552424..0c786e82c7 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -16,6 +16,7 @@ BASEHOSTFILE="/tmp/hosts/dhcp"
TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
TIMEVALIDFILE="/var/state/dnsmasqsec"
BASEDHCPSTAMPFILE="/var/run/dnsmasq"
+DHCPBOGUSHOSTNAMEFILE="/usr/share/dnsmasq/dhcpbogushostname.conf"
RFC6761FILE="/usr/share/dnsmasq/rfc6761.conf"
DHCPSCRIPT="/usr/lib/dnsmasq/dhcp-script.sh"
@@ -956,6 +957,13 @@ dnsmasq_start()
config_foreach filter_dnsmasq host dhcp_host_add "$cfg"
echo >> $CONFIGFILE_TMP
+
+ config_get_bool dhcpbogushostname "$cfg" dhcpbogushostname 1
+ [ "$dhcpbogushostname" -gt 0 ] && {
+ xappend "--dhcp-ignore-names=tag:dhcp_bogus_hostname"
+ [ -r "$DHCPBOGUSHOSTNAMEFILE" ] && xappend "--conf-file=$DHCPBOGUSHOSTNAMEFILE"
+ }
+
config_foreach filter_dnsmasq boot dhcp_boot_add "$cfg"
config_foreach filter_dnsmasq mac dhcp_mac_add "$cfg"
config_foreach filter_dnsmasq tag dhcp_tag_add "$cfg"