[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH 3/3] network: use dnsmasq --bind-dynamic when available

On 11/21/2012 09:55 PM, Laine Stump wrote:
This bug resolves CVE-2012-3411, which is described in the following
bugzilla report:


The following report is specifically for libvirt on Fedora:


In short, a dnsmasq instance run with the intention of listening for
DHCP/DNS requests only on a libvirt virtual network (which is
constructed using a Linux host bridge) would also answer queries sent
from outside the virtualization host.

This patch takes advantage of a new dnsmasq option "--bind-dynamic",
which will cause the listening socket to be setup such that it will
only receive those requests that actually come in via the bridge
interface. In order for this behavior to actually occur, not only must
"--bind-interfaces" be replaced with "--bind-dynamic", but also all
"--listen-address" options must be replaced with a single
"--interface" option. Fully:

    --bind-interfaces --except-interface lo --listen-address x.x.x.x ...

(with --listen-address possibly repeated) is replaced with:

    --bind-dynamic --interface virbrX
I have some questions about this change.

1. If I correctly understand the problem being addressed (not a given), a dnsmasq instance providing a dns service to a virtual network interface was responding to queries on other network interfaces (virtual or real). Obviously (to me) this is not desired and should be considered a security problem. This series of patches is intended to address this problem while continuing to support older versions of dnsmasq which do not support bind-dynamic.

[If I understand correctly then, while this is a problem for IPv4, it could be even more critical for IPv6.]

2. I assume that this change still supports queries originating on the virtualization host and directed to the virtual network interface.

3.  I assume that dnsmasq's support of DHCP continues as before.

[I will be implementing this update and testing it over the next couple of days. For one thing, I need to integrate my DHCPv6, etc. patches with this. For one thing, I need to pick up the dnsmasq version implemented by this patch.]

4. What about the situation where an "Internet publically available" service is implemented on a virtual (guest) system. I assume that the dnsmasq instance for the virtual network interface will not be directly available for external queries. How about if the virtualization host is running yet another instance of dnsmasq (not started by libvirt) which forwards queries to the dnsmasq instance started by libvirt (the query would be sent to an address on the virtual network interface).

5. I assume dnsmasq will respond to queries on any IPv4 or IPv6 (gateway) address defined on a virtual network interface.

6. I assume that, if no IPv4 or IPv6 (gateway) addresses are defined on an interface, dnsmasq will not be started for that interface.

7. Are there any conditions where bind-interface would still be preferable to bind-dynamic? [Maybe I need to ask Simon Kelley this question.]

Comment: You sure did put a lot of effort into making sure that libvirt would still work with older versions of dnsmasq which did not support bind-dynamic.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]