[libvirt] [PATCH] network: don't forward DNS requests from isolated networks

Eric Blake eblake at redhat.com
Fri Jul 29 20:43:15 UTC 2011

On 07/29/2011 02:35 PM, Laine Stump wrote:
> This is in response to:
>    https://bugzilla.redhat.com/show_bug.cgi?id=723862
> which points out that a guest on an "isolated" network could
> potentially exploit the DNS forwarding provided by dnsmasq to create a
> communication channel to the outside.
> This patch eliminates that possibility by adding the "--no-resolv"
> argument to the dnsmasq commandline, which tells dnsmasq to not
> forward on any requests that it can't resolve itself (by looking at its
> own static hosts files and runtime list of dhcp clients), but to
> instead return a failure for those requests.
> This shouldn't cause any undesirable change from current
> behavior, even in the case where a guest is currently configured with
> multiple interfaces, one of them being connected to an isolated
> network, and another to a network that does have connectivity to the
> outside. If the isolated network's DNS server is queried for a name
> it doesn't know, it will return "Refused" rather than "Unknown", which
> indicates to the guest that it should query other servers, so it then
> queries the connected DNS server, and gets the desired response.
> ---
>   src/network/bridge_driver.c                     |   11 ++++++++---
>   tests/networkxml2argvdata/isolated-network.argv |    3 ++-
>   2 files changed, 10 insertions(+), 4 deletions(-)

A bug fix rather than a feature, and safe enough for inclusion in 0.9.4.

> -    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE)
> -        virCommandAddArg(cmd, "--dhcp-option=3");
> +    if (network->def->forwardType == VIR_NETWORK_FORWARD_NONE) {
> +        virCommandAddArgList(cmd, "--dhcp-option=3",
> +                             "--no-resolv", NULL);
> +    }
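Review bot: the new `--no-resolv` in the isolated-network branch lands next to `--dhcp-option=3` with no comment saying why it is there; the argument name does not convey that it exists to stop a guest on an isolated network from using dnsmasq as a forwarder to the outside (the bugzilla case from the description), so a one-line comment above the `if` would spare the next reader a trip to the commit log. The diffstat also lists tests/networkxml2argvdata/isolated-network.argv as changed but that hunk is not quoted here; the expected argv for the isolated network needs the same `--no-resolv` added so the networkxml2argv test keeps passing alongside this change.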


Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
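As an added check (example code written here, not part of libvirt or of this patch), the following Python verifies both halves of the fix discussed above: that the dnsmasq argv libvirt builds for an isolated network carries --no-resolv, and that an unknown name queried against that network's dnsmasq comes back REFUSED rather than NXDOMAIN, which is what lets a multi-homed guest fall through to its other resolver. The sample replies and argv lists are constructed; `query_rcode` needs a live dnsmasq on the bridge address and is not run offline.

```python
import socket
import struct

# RCODE values from RFC 1035 section 4.1.1; the patch discussion hinges on
# dnsmasq answering REFUSED (5) instead of NXDOMAIN (3) for unknown names.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query for `name` with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_rcode(response):
    """Return the RCODE name from the header of a raw DNS response."""
    _txid, flags = struct.unpack("!HH", response[:4])
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def query_rcode(server, name, timeout=2.0):
    """Send one UDP query to `server` (the isolated network's bridge address,
    assumed) and return the RCODE name of the reply; expect REFUSED once patched."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_rcode(data)


def isolated_dnsmasq_hardened(argv):
    """Inspect a dnsmasq argv list: an isolated network is recognised by the
    router-less --dhcp-option=3 libvirt passes, and the patched driver must
    add --no-resolv beside it. Returns None when argv is not an isolated net."""
    if "--dhcp-option=3" not in argv:
        return None
    return "--no-resolv" in argv


# Constructed sample replies (12-byte header only, all section counts zero):
# flags 0x8185 = QR, RD, RA, RCODE 5 (REFUSED); 0x8183 = same with NXDOMAIN.
REFUSED_REPLY = bytes.fromhex("123481850000000000000000")
NXDOMAIN_REPLY = bytes.fromhex("123481830000000000000000")

if __name__ == "__main__":
    print(parse_rcode(REFUSED_REPLY), parse_rcode(NXDOMAIN_REPLY))
    print(isolated_dnsmasq_hardened(["dnsmasq", "--dhcp-option=3", "--no-resolv"]))
```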
