F21 System Wide Change: Default Local DNS Resolver

Dan Williams dcbw at redhat.com
Wed Apr 30 18:38:25 UTC 2014


On Wed, 2014-04-30 at 13:22 -0400, Paul Wouters wrote:
> On Wed, 30 Apr 2014, Robert Marcano wrote:
> 
> > What about domain and search lines? If NetworkManager will always use 
> > 127.0.0.1, it should still modify resolv.conf with the domain name received 
> > from DHCP
> 
> That's actually not always correct from a security point of view.
> 
> If you set your system to have domain "nohats.ca", and you "ssh bofh"
> and then some DHCP changes the domain/search list, you might not be
> going where you think you are going.
> 
> IMHO, DHCP should never touch the domain or search list _unless_ you are
> connecting to a trusted network - where trusted for practical reasons is
> defined as "you plug in a wire or use a wifi WPA secret to connect".

Untrusted networks use WPA too, like coffee shops that don't leave the
network open, but write the WPA key on the chalkboard menu or print it
on standup cards at the tables.  I've seen quite a few of these.

There's really no guessing what's trusted/not-trusted unless you're
using 802.1x/WPA Enterprise, or if the user has told you explicitly to
trust this network.

Dan
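The "ssh bofh" problem above comes down to how a stub resolver expands an unqualified name through the search list. The following is an added example, not code from the thread or from NetworkManager: it parses two constructed resolv.conf snippets (the `nohats.ca` one from Paul's message and a hypothetical `coffeeshop.example` one a DHCP server might hand out), reproduces the resolv.conf(5) search/ndots expansion order, reports which short names would now go somewhere else, and applies the policy Paul proposes with the trust decision left as an explicit input, since, as Dan notes, WPA alone does not tell you whether a network is trusted.

```python
import re

# Constructed sample resolv.conf contents (not from the thread). The first is the
# user's own configuration; the second is what would land in resolv.conf if the
# DHCP-supplied domain of an untrusted network were copied in unchanged.
HOME_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 127.0.0.1
search nohats.ca
"""

CAFE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 127.0.0.1
search coffeeshop.example
options ndots:1
"""


def parse_resolv_conf(text):
    """Parse the nameserver/domain/search/options lines of a resolv.conf.

    Follows resolv.conf(5): 'domain' and 'search' are mutually exclusive and the
    last one seen wins; 'options ndots:N' defaults to 1.
    """
    conf = {"nameservers": [], "search": [], "ndots": 1}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            conf["nameservers"].append(args[0])
        elif key == "domain" and args:
            conf["search"] = [args[0]]
        elif key == "search":
            conf["search"] = list(args)
        elif key == "options":
            for opt in args:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    conf["ndots"] = int(m.group(1))
    return conf


def candidate_names(name, conf):
    """Return the names a glibc-style stub resolver tries for `name`, in order.

    A trailing dot means absolute (no search). Otherwise a name with at least
    ndots dots is tried as-is first and then with each search suffix; a name
    with fewer dots gets the search suffixes first and the bare name last.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{domain}" for domain in conf["search"]]
    if name.count(".") >= conf["ndots"]:
        return [name] + suffixed
    return suffixed + [name]


def changed_first_lookups(names, before, after):
    """Map each name whose first lookup target differs between two configs to
    (old_target, new_target). This is exactly what a search-list change does
    to an unqualified 'ssh bofh'."""
    changes = {}
    for name in names:
        old = candidate_names(name, before)[0]
        new = candidate_names(name, after)[0]
        if old != new:
            changes[name] = (old, new)
    return changes


def apply_dhcp_search(current_search, dhcp_search, network_trusted):
    """Policy from the thread: DHCP may replace the search list only on a network
    the user (or 802.1X) has marked trusted. `network_trusted` is a hypothetical
    flag supplied by the caller; it is deliberately not inferred from WPA."""
    return list(dhcp_search) if network_trusted else list(current_search)


if __name__ == "__main__":
    home = parse_resolv_conf(HOME_RESOLV_CONF)
    cafe = parse_resolv_conf(CAFE_RESOLV_CONF)
    for short, (old, new) in changed_first_lookups(["bofh", "www.example.com"], home, cafe).items():
        print(f"'{short}' would now be looked up as {new} instead of {old}")
    print("search list kept on untrusted network:", apply_dhcp_search(home["search"], cafe["search"], False))
```

Running it shows that `bofh` would be tried first as `bofh.coffeeshop.example` rather than `bofh.nohats.ca`, while a fully qualified name such as `www.example.com` is unaffected because it already meets the ndots threshold; that is why the concern is specifically about short names and why the search list, not just the nameserver, is security-relevant configuration.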


