Comments on: Test dnsmasq available, fix for potential cache poisoning vulnerability

By: pfSense Digest » Blog Archive » DNS vulnerability details now publicly available

Wed, 23 Jul 2008 02:23:05 +0000

[...] own DNS server and haven’t patched yet – now would be the time to do so. The details of the previously mentioned vulnerability were inadvertently made publicly available earlier [...]

By: Ronpfs

Ronpfs — Sat, 12 Jul 2008 16:44:23 +0000

Chris said “don’t access the webGUI by hostname if your client is using that system for its DNS.”

That is exactly what I meant ;o) Not a big thing cause once your client can’t resolve the hostname a few synaps fire and you switch to IP ;o)

Working ok here too

By: Chris Uthe

Chris Uthe — Sat, 12 Jul 2008 00:12:13 +0000

Working great on 1.2 stable here!

By: Chris Buechler

Chris Buechler — Sat, 12 Jul 2008 00:00:25 +0000

Fetching the updated file isn’t relevant to whether or not dnsmasq is running, since the local system uses /etc/resolv.conf.

I think ronpfs means don’t access the webGUI by hostname if your client is using that system for its DNS. That shouldn’t matter either as the DNS cache on your client system should be more than long enough to accommodate doing this, but it’s not bad advice.

By: Adam

Adam — Fri, 11 Jul 2008 23:06:52 +0000

For DNS Resloving in the shell i believe it uses /etc/resolv.conf and asks the DNS servers directly. I killed dnsmasq and was able to ping domain names from the shell all day long. I also did the update with the domain name and it worked fine.

Using the ip can’t hurt

By: Ronpfs

Ronpfs — Fri, 11 Jul 2008 22:09:59 +0000

Remember to use the ip and not the domain name for the WebGUI / Diagnostics -> Command, cause you gonna kill the DNS server during the procedure.

By: Chris Buechler

Chris Buechler — Fri, 11 Jul 2008 19:51:51 +0000

For embedded, you first need to run:

/etc/rc.conf_mount_rw

and when done:

/etc/rc.conf_mount_ro

By: Adam

Adam — Fri, 11 Jul 2008 19:26:45 +0000

Commands do not work via SSH and Console on 1.2 embedded

PFbox:~# killall dnsmasq
PFbox:~# mv /usr/local/sbin/dnsmasq /root/
mv: rename /usr/local/sbin/dnsmasq to /root/dnsmasq: Read-only file system

Confirmed working via WebGUI Command 1.2 embedded

Jul 11 15:16:33 dnsmasq[4339]: started, version 2.43rc3 cachesize 150
Jul 11 15:16:33 dnsmasq[4339]: compile time options: IPv6 GNU-getopt BSD-bridge ISC-leasefile no-DBus no-I18N TFTP
Jul 11 15:16:33 dnsmasq[4339]: reading /etc/resolv.conf
Jul 11 15:16:33 dnsmasq[4339]: using nameserver x.x.x.x#53
Jul 11 15:16:33 dnsmasq[4339]: using nameserver x.x.x.x#53
Jul 11 15:16:33 dnsmasq[4339]: read /etc/hosts – 2 addresses

By: Chris Buechler

Chris Buechler — Fri, 11 Jul 2008 18:24:02 +0000

Thanks for the reports!

A.D.: Read the post. “This is for 1.2-release systems only, those using 1.2.1 or 1.3 snapshots can update by installing a new full update from the snapshot server.”

By: Jonathon

Jonathon — Fri, 11 Jul 2008 18:09:07 +0000

Not much of unix guy/admin, but on my home setup it seems to be working fine, even after rebooting the machine.

Thanks!