network: don't forward DNS requests from isolated networks

This is in response to:

  https://bugzilla.redhat.com/show_bug.cgi?id=723862

which points out that a guest on an "isolated" network could
potentially exploit the DNS forwarding provided by dnsmasq to create a
communication channel to the outside.

This patch eliminates that possibility by adding the "--no-resolv"
argument to the dnsmasq commandline, which tells dnsmasq to not
forward on any requests that it can't resolve itself (by looking at
its own static hosts files and runtime list of dhcp clients), but to
instead return a failure for those requests.

This shouldn't cause any undesirable change from current
behavior, even in the case where a guest is currently configured with
multiple interfaces, one of them being connected to an isolated
network, and another to a network that does have connectivity to the
outside. If the isolated network's DNS server is queried for a name
it doesn't know, it will return "Refused" rather than "Unknown", which
indicates to the guest that it should query other servers, so it then
queries the connected DNS server, and gets the desired response.

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index b8c6c975072f2ac307b50b2c6af2c098b54c3426..0a60bb861a241518cec7a26c037b89b869c0c5fc 100644 (file)
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -531,10 +531,15 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
 
     /* If this is an isolated network, set the default route option
      * (3) to be empty to avoid setting a default route that's
-     * guaranteed to not work.
+     * guaranteed to not work, and set --no-resolv so that no dns
+     * requests are forwarded on to the dns server listed in the
+     * host's /etc/resolv.conf (since this could be used as a channel
+     * to build a connection to the outside).
      */
-    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
-        virCommandAddArg(cmd, "--dhcp-option=3");
+    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) {
+        virCommandAddArgList(cmd, "--dhcp-option=3",
+                             "--no-resolv", NULL);
+    }
 
     if (network->def->dns != NULL) {
         virNetworkDNSDefPtr dns = network->def->dns;

diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
index f8013965c8876de8cc02203491ec7442c6191fb8..7ea2e9440409938dc4ab2ea9c861a8c1218dd017 100644 (file)
--- a/tests/networkxml2argvdata/isolated-network.argv
+++ b/tests/networkxml2argvdata/isolated-network.argv
@@ -1,5 +1,6 @@
 /usr/sbin/dnsmasq --strict-order --bind-interfaces --conf-file= \
---except-interface lo --dhcp-option=3 --listen-address 192.168.152.1 \
+--except-interface lo --dhcp-option=3 --no-resolv \
+--listen-address 192.168.152.1 \
 --dhcp-range 192.168.152.2,192.168.152.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/private.leases --dhcp-lease-max=253 \
 --dhcp-no-override\