F21 System Wide Change: Default Local DNS Resolver

Dan Williams dcbw at redhat.com
Wed Apr 30 20:55:59 UTC 2014


On Wed, 2014-04-30 at 16:12 -0400, Chuck Anderson wrote:
> On Wed, Apr 30, 2014 at 01:06:51PM -0700, Andrew Lutomirski wrote:
> > On Wed, Apr 30, 2014 at 1:02 PM, Dan Williams <dcbw at redhat.com> wrote:
> > > On Wed, 2014-04-30 at 15:36 -0400, Paul Wouters wrote:
> > >> On Wed, 30 Apr 2014, Simo Sorce wrote:
> > >>
> > >> > Why would you care for the domain name as provided by dhcp ?
> > >>
> > >> internal DNS views, eg server.internal.corp.com where the search domain
> > >> gets set to "internal.corp.com" and "server.corp.com" does not exist.
> > >>
> > >> > By default you wouldn't want that as you roam with a fedora laptop on
> > >> > completely untrusted dhcp networks that can push whatever crap as a
> > >> > search path.
> > >>
> > >> Yes, which is why we tentatively came to the conclusion the best
> > >> compromise for this is "if the user authorizes to connect to this
> > >> network, allow it". Eg using physical cable or WPA secrets.
> > >
> > > Note that with NetworkManager, no WiFi connection is ever made (even
> > > open) without the user explicitly requesting it.  If you have the
> > > NetworkManager-config-server RPM installed, then no ethernet connection
> > > is ever made without the user explicitly configuring it.  So I'm not
> > > sure the description quite fits...
> > 
> > Except for that network called "linksys" that everyone has requested
> > at some point.
> 
> If I once connected to an open network called "MyFavoriteCoffeeShop"
> then later on someone creates a network with the same name but with
> malicious intent, will NetworkManager connect to it automatically?

If it uses the same SSID and compatible security settings, then yes.
That's the nature of 802.11.  However, if the malicious user doesn't
know the password that you have saved on your machine, or the network's
CA certificate does not validate, then the attempt will fail.

Furthermore, if the user creates a network of a different type (eg,
Ad-Hoc but yours is infrastructure), NM will not attempt to connect to
it.

Yes, there are ways to game the system, so you are correct that there
are some cases where NetworkManager could automatically attempt to
connect to a malicious network that mimics a known network, the same as
with most other OSs and phones.

Dan
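
An added example (not part of Dan's message and not NetworkManager code): a small audit, assuming saved profiles are in NetworkManager's keyfile format, that flags the profiles for which the conditions described above leave a look-alike access point nothing to fail on: open networks with autoconnect enabled, and 802.1X profiles with no CA certificate configured. The sample profiles and the function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in keyfile format (illustrative, not from the thread).
SAMPLES = {
    "coffee": "[connection]\nid=MyFavoriteCoffeeShop\ntype=wifi\n"
              "[wifi]\nssid=MyFavoriteCoffeeShop\nmode=infrastructure\n",
    "coffee-manual": "[connection]\nid=OtherCafe\ntype=wifi\nautoconnect=false\n"
                     "[wifi]\nssid=OtherCafe\n",
    "home": "[connection]\nid=Home\ntype=wifi\n[wifi]\nssid=Home\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-passphrase\n",
    "corp-no-ca": "[connection]\nid=Corp\ntype=wifi\n[wifi]\nssid=Corp\n"
                  "[wifi-security]\nkey-mgmt=wpa-eap\n[802-1x]\neap=peap;\n",
    "corp-ca": "[connection]\nid=Corp2\ntype=wifi\n[wifi]\nssid=Corp2\n"
               "[wifi-security]\nkey-mgmt=wpa-eap\n"
               "[802-1x]\neap=peap;\nca-cert=/etc/pki/example-ca.pem\n",
}

def _section(cp, *names):
    """Return the first section present; older keyfiles use the long names."""
    for name in names:
        if cp.has_section(name):
            return cp[name]
    return None

def audit_profile(text):
    """Return findings for one saved profile; [] means nothing to flag."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    conn = _section(cp, "connection")
    if conn is None or conn.get("type") not in ("wifi", "802-11-wireless"):
        return []
    if conn.get("autoconnect", "true").lower() == "false":
        return []  # only joined when the user asks, so no automatic match
    sec = _section(cp, "wifi-security", "802-11-wireless-security")
    if sec is None:
        return ["open: any AP broadcasting this SSID is a match"]
    if sec.get("key-mgmt") == "wpa-eap":
        dot1x = _section(cp, "802-1x")
        has_ca = dot1x is not None and (dot1x.get("ca-cert")
                 or dot1x.get("system-ca-certs", "false").lower() == "true")
        if not has_ca:
            return ["802.1X without CA certificate: server is not validated"]
    return []

def audit_all(profiles):
    """Map profile name -> findings, keeping only profiles with findings."""
    results = {name: audit_profile(text) for name, text in profiles.items()}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```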


