On 07/29/2011 02:35 PM, Laine Stump wrote:
> This is in response to:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=723862
>
> which points out that a guest on an "isolated" network could
> potentially exploit the DNS forwarding provided by dnsmasq to create a
> communication channel to the outside.
>
> This patch eliminates that possibility by adding the "--no-resolv"
> argument to the dnsmasq commandline, which tells dnsmasq to not
> forward on any requests that it can't resolv itself (by looking at its
s/resolv/resolve/
> own static hosts files and runtime lsit of dhcp clients), but to
s/lsit/list/
> instead return a failure for those requests.
>
> This shouldn't cause any undesirable change from current
> behavior, even in the case where a guest is currently configured with
> multiple interfaces, one of them being connected to an isolated
> network, and another to a network that does have connectivity to the
> outside. If the isolated network's DNS server is queried for a name
> it doesn't know, it will return "Refused" rather than "Unknown", which
> indicates to the guest that it should query other servers, so it then
> queries the connected DNS server, and gets the desired response.
> ---
> src/network/bridge_driver.c | 11 ++++++++---
> tests/networkxml2argvdata/isolated-network.argv | 3 ++-
> 2 files changed, 10 insertions(+), 4 deletions(-)
A bug fix rather than a feature, and safe enough for inclusion in 0.9.4.
> - if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
> - virCommandAddArg(cmd, "--dhcp-option=3");
> + if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) {
> + virCommandAddArgList(cmd, "--dhcp-option=3",
> + "--no-resolv", NULL);
> + }
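Review bot: the `--no-resolv` argument is added to the VIR_NETWORK_FORWARD_NONE branch with no comment saying why it belongs only there; the rationale (an isolated network's dnsmasq must not forward queries it cannot answer itself, per the bugzilla in the commit message) lives only in the commit message, so a one-line comment above the `if`, e.g. `/* isolated network: no default route and no DNS forwarding */`, would keep it next to the code for the next person who touches this block. The diffstat also shows tests/networkxml2argvdata/isolated-network.argv being updated, which is the right place for the expected command line to pick up the new argument.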
ACK.