From 513122ae93be9e21fd809a100580ce6fbb4e0ba5 Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Fri, 29 Jul 2011 15:42:04 -0400
Subject: [PATCH] network: don't forward DNS requests from isolated networks

This is in response to: https://bugzilla.redhat.com/show_bug.cgi?id=723862 which points out that a guest on an "isolated" network could potentially exploit the DNS forwarding provided by dnsmasq to create a communication channel to the outside. This patch eliminates that possibility by adding the "--no-resolv" argument to the dnsmasq commandline, which tells dnsmasq to not forward on any requests that it can't resolve itself (by looking at its own static hosts files and runtime list of dhcp clients), but to instead return a failure for those requests. This shouldn't cause any undesirable change from current behavior, even in the case where a guest is currently configured with multiple interfaces, one of them being connected to an isolated network, and another to a network that does have connectivity to the outside. If the isolated network's DNS server is queried for a name it doesn't know, it will return "Refused" rather than "Unknown", which indicates to the guest that it should query other servers, so it then queries the connected DNS server, and gets the desired response.
---
 src/network/bridge_driver.c | 11 ++++++++---
 tests/networkxml2argvdata/isolated-network.argv | 3 ++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index b8c6c97507..0a60bb861a 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -531,10 +531,15 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
 /* If this is an isolated network, set the default route option
 * (3) to be empty to avoid setting a default route that's
- * guaranteed to not work.
+ * guaranteed to not work, and set --no-resolv so that no dns
+ * requests are forwarded on to the dns server listed in the
+ * host's /etc/resolv.conf (since this could be used as a channel
+ * to build a connection to the outside).
 */
- if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
- virCommandAddArg(cmd, "--dhcp-option=3");
+ if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) {
+ virCommandAddArgList(cmd, "--dhcp-option=3",
+ "--no-resolv", NULL);
+ }
 
 if (network->def->dns != NULL) {
 virNetworkDNSDefPtr dns = network->def->dns;
diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
index f8013965c8..7ea2e94404 100644
--- a/tests/networkxml2argvdata/isolated-network.argv
+++ b/tests/networkxml2argvdata/isolated-network.argv
@@ -1,5 +1,6 @@
 /usr/sbin/dnsmasq --strict-order --bind-interfaces --conf-file= \
---except-interface lo --dhcp-option=3 --listen-address 192.168.152.1 \
+--except-interface lo --dhcp-option=3 --no-resolv \
+--listen-address 192.168.152.1 \
 --dhcp-range 192.168.152.2,192.168.152.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/private.leases --dhcp-lease-max=253 \
 --dhcp-no-override\
-- 
2.39.5
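Review bot: The new `--no-resolv` guard only drops the upstream servers dnsmasq would otherwise read from /etc/resolv.conf; it does not stop forwarding if any other part of networkBuildDnsmasqArgv emits an explicit `--server=` or `--resolv-file=` for the same network, so that invariant should be stated next to the check, e.g. `/* NB: --no-resolv only removes the resolv.conf upstreams; nothing below may add --server= for an isolated network. */`. Whether later code in this function emits such arguments is not visible here, so this is a point to confirm rather than a defect in the hunk. The isolated-network.argv fixture in the second hunk pins the positive case, and the unchanged non-isolated fixtures presumably still assert `--no-resolv` is absent there, since the argv tests compare whole command lines. networkBuildDnsmasqArgv starts before this hunk and continues past it.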