New Member
Posts: 9
Registered: 12-31-2013
Kudos: 5

Re: Resisting DNS Hijacking

[ Edited ]

You can't actually tell a DHCP or PPP client which settings to request. When a request is made, the server just returns all settings that it has been configured to send for that user or device.

The client can then pick and choose the settings it wants/needs and ignore the rest.

edit: might have to eat my own words there, seems that required parameters can be specified as part of a DHCP request.

In any case, all that needs to be done is determine whether or not the user wants ISP-supplied settings, and that sounds like it's on the cards.

IMO you shouldn't mix the two; it should be either/or. You either want to use your ISP's DNS servers, or you want to use your own. The reason being that the two will likely have different operational characteristics, and it's best to have consistent operation.

Regular Member
Posts: 413
Registered: 12-25-2013
Kudos: 417
Solutions: 11

Re: Resisting DNS Hijacking

[ Edited ]

@faye 

What I meant is this -- DHCP can give you more than just DNS address. For example it can give you parameters for booting a device over the network making it install modified firmware, or make your device install static route entries which can redirect traffic for certain IP addresses or ranges to their gateways for a MITM attack, or spoof your time source thus working around time limit firewall rules, etc. It is a bit naive to trust DHCP except to provide DNS IP. If you think someone is out to get you they will just use a different method which will be less noticeable than a fake website.

Note that I don't think that your request does not have merit. I agree that there should be an ignore option.

Veteran Member
Posts: 5,433
Registered: 03-12-2011
Kudos: 2727
Solutions: 129

Re: Resisting DNS Hijacking


@dragon2611 wrote:

also the PPP client config needs a similar option if it's not already there (I can't remember if it was).


This feature already exists for PPPoE at least:

[edit]
nvx@ERL# set interfaces ethernet eth2 pppoe 0 name-server
Possible completions:
  auto          Use name server entries provided by peer
  none          Do not use name server entries provided by peer

Probably worth making the dhcp client configuration have the same name for consistency.

Member
Posts: 109
Registered: 08-09-2013
Kudos: 60
Solutions: 2

Re: Resisting DNS Hijacking

[ Edited ]

I know that DHCP can do all this, but it depends on what information you want to use from the DHCP; that EdgeMAX pulls DNS with me not able to stop it is a problem. I want to use DHCP for one thing, and one thing only: getting an IP address.

My router will NOT boot from an image provided by DHCP if it's not configured to do so, nor get a time source. I'm not addressing all the exploits possible here, merely wanting to have control over what DNS my network uses.

And if you think that adding more DNS servers automatically, when some already have been added manually, we just have to agree to disagree. On my side, it's still wrong.

Established Member
Posts: 924
Registered: 05-28-2012
Kudos: 190
Solutions: 6

Re: Resisting DNS Hijacking

Perhaps you can get away with setting the Interface to static or no IP then calling dhclient manually with the options you desire?

I used to have to do something similar to pass Auth credentials via option 61 when my ISP was Sky

Previous Employee
Posts: 10,504
Registered: 06-09-2011
Kudos: 3131
Solutions: 945
Contributions: 16

Re: Resisting DNS Hijacking

[ Edited ]

@faye wrote:

I know that DHCP can do all this, but it depends on what information you want to use from the DHCP; that EdgeMAX pulls DNS with me not able to stop it is a problem. I want to use DHCP for one thing, and one thing only: getting an IP address.


I think this is something we should implement, but until then the hack An-Cheng mentioned in #18 should work as a work-around.

EdgeMAX Router Software Development
Member
Posts: 109
Registered: 08-09-2013
Kudos: 60
Solutions: 2

Re: Resisting DNS Hijacking

Great that you are looking into changing this. Will try the workaround until then.

Established Member
Posts: 1,580
Registered: 05-15-2013
Kudos: 620
Solutions: 19

Re: Resisting DNS Hijacking

Is this resolved in 1.4? It sounds a bit like the second bullet on the 1.4 release notes, but not 100%.

Thanks!
Previous Employee
Posts: 13,551
Registered: 06-10-2011
Kudos: 5467
Solutions: 1656
Contributions: 2

Re: Resisting DNS Hijacking

No this is not in 1.4 yet since that was already close to the end of the beta cycle, so we'll see what can be done in the next release.

Member
Posts: 159
Registered: 12-07-2013
Kudos: 86
Solutions: 3

Re: Resisting DNS Hijacking

If you make this change don't forget to edit the /etc/resolv.conf file to remove the ISP name servers from it. I forgot that bit on the 1.4.0 to 1.4.1 update.


@UBNT-ancheng wrote:

Yeah as discussed this is inherited from "upstream", and we do plan to look into making this configurable instead. For now, a possible workaround may be to change the "/sbin/dhclient-script" script (find the "make_resolv_conf()" function and add a "return" as the first line of that function). (Note that it would disable updating resolv.conf from DHCP completely, so it would not work if that is still needed of course.)



Member
Posts: 120
Registered: 12-08-2013
Kudos: 52
Solutions: 6

Re: Resisting DNS Hijacking

[ Edited ]

In version 1.5.0a1 this is supported:

interfaces {
    ethernet eth0 {
        address dhcp
        dhcp-options {
            name-server no-update
        }
    }
}

And to show you that it works:

admin@ubnt:~$ show dhcp client leases
interface  : eth0
ip address : xx.250.214.195     [Active]
subnet mask: 255.255.255.0
router     : xx.250.214.1
name server: xx.179.104.196 xx.46.228.196
dhcp server: xx.15.43.129
lease time : 156087
last update: Sun Apr 6 06:52:10 CEST 2014
expiry     : Tue Apr 08 02:13:33 CEST 2014
reason     : BOUND

admin@ubnt:~$ cat /etc/resolv.conf
nameserver      192.168.33.6
domain		lan.local

Good work guys!

New Member
Posts: 1
Registered: 12-14-2014

Re: Resisting DNS Hijacking

[ Edited ]

Did something change with version 1.6? I try and get

set interfaces ethernet eth0 address dhcp name-server no-update
The specified configuration node is not valid
Set failed

EDIT

Never mind, I should have done this instead since my WAN is on eth1:

set interfaces ethernet eth1 dhcp-options name-server no-update


New Member
Posts: 9
Registered: 12-17-2014

Re: Resisting DNS Hijacking

Hello everyone,

I've tried to disable the DNS configuration provided by my ISP, but every time the connection restarts it continues to add the values of the ISP.

The command I've used is:

set interfaces ethernet eth0 dhcp-options name-server no-update

The manual DNS entries which I've set are added correctly.

My WAN interface is eth0 and I'm running v1.6.0 of the EdgeMAX firmware.

Can someone, please, tell me what I am missing in order to prevent the auto DNS settings of my ISP?

Thank you in advance.

Regards.

Previous Employee
Posts: 10,504
Registered: 06-09-2011
Kudos: 3131
Solutions: 945
Contributions: 16

Re: Resisting DNS Hijacking

@alfa42 post your config file.

EdgeMAX Router Software Development
New Member
Posts: 9
Registered: 12-17-2014

Re: Resisting DNS Hijacking

@UBNT-stig Hi, thank you for the quick reply.

I'm attaching a .txt file with all the config (since it's too large for a post here) of the EdgeRouter.

Please, let me know if there is anything I can try and/or test.

Regards.

Previous Employee
Posts: 10,504
Registered: 06-09-2011
Kudos: 3131
Solutions: 945
Contributions: 16

Re: Resisting DNS Hijacking

@alfa42 looks like you're getting DNS from the PPPoE server, not DHCP. So try:

configure
set interfaces ethernet eth0 vif 6 pppoe 0 name-server none
commit
save
exit

disconnect interface pppoe0
connect interface pppoe0

EdgeMAX Router Software Development
New Member
Posts: 9
Registered: 12-17-2014

Re: Resisting DNS Hijacking

You were right; now settings are not updated by the DHCP:

root@Magrathea:/# cat /etc/resolv.conf
nameserver      109.69.8.34
nameserver      87.216.170.85

Thank you!

New Member
Posts: 8
Registered: 08-12-2014
Kudos: 1
Solutions: 1

Re: Resisting DNS Hijacking

[ Edited ]

Hi!

Have TWC, and got fed up with this behaviour as well, and followed this guide, but still have some leftover in my "resolv.conf" file!

Standard "resolv.conf" before modifications:

$ cat /etc/resolv.conf
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 4.2.2.3
nameserver 209.18.47.61 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
nameserver 209.18.47.62 #nameserver written by /opt/vyatta/sbin/vyatta_update_resolv.pl
search tx.rr.com #line generated by /opt/vyatta/sbin/vyatta_update_resolv.pl
$

What I did:

configure
set interfaces ethernet eth0 dhcp-options name-server no-update
commit
save
exit

Resulting "resolv.conf" file:

$ cat /etc/resolv.conf
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 4.2.2.3
search tx.rr.com #line generated by /opt/vyatta/sbin/vyatta_update_resolv.pl
$

How do I get rid of that last line of TWC crap! What does it do?
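As an added check, not part of this thread or of EdgeOS itself, here is a small POSIX shell function that audits a resolv.conf for nameserver, search or domain lines you did not configure by hand, which is exactly how peer-supplied leftovers like the ones above show up after a lease or PPPoE reconnect. The file contents are a constructed sample modelled on the post; the function name and the allowed-list convention are assumptions of this example.

```shell
#!/bin/sh
# Added example, not EdgeOS code: audit a resolv.conf for entries that were not
# configured by hand (e.g. nameserver/search lines pushed by the DHCP or PPPoE
# peer). Usage: audit_resolv_conf FILE ALLOWED_NAMESERVER...
# Prints each unexpected nameserver/search/domain line; returns 1 if any found.
audit_resolv_conf() {
    file=$1; shift
    allowed=" $* "        # space-padded so only whole addresses match
    bad=0
    while read -r key value rest; do
        case "$key" in
            nameserver)
                case "$allowed" in
                    *" $value "*) ;;                                  # hand-configured
                    *) echo "unexpected nameserver: $value"; bad=1 ;;
                esac ;;
            search|domain)
                # No search/domain line is expected unless you set one yourself
                echo "unexpected $key line: $value${rest:+ $rest}"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Constructed sample resembling the file shown in the post above (values are
# illustrative only, written to a temp file so this runs stand-alone)
sample=$(mktemp)
cat > "$sample" <<'EOF'
nameserver 4.2.2.1
nameserver 4.2.2.2
nameserver 4.2.2.3
search tx.rr.com #line generated by /opt/vyatta/sbin/vyatta_update_resolv.pl
EOF
if audit_resolv_conf "$sample" 4.2.2.1 4.2.2.2 4.2.2.3; then
    echo "resolv.conf contains only hand-configured entries"
else
    echo "resolv.conf contains peer-supplied entries"
fi
rm -f "$sample"
```

Run it against /etc/resolv.conf from a cron job or after each reconnect and a non-zero exit tells you the ISP-supplied entries have come back.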
Deleted Account
Posts: 0

Re: Resisting DNS Hijacking


Log in to the GUI and I bet you will find it in the config tree !!!!  Delete the entry and you're done.

New Member
Posts: 8
Registered: 08-12-2014
Kudos: 1
Solutions: 1

Re: Resisting DNS Hijacking

There is nothing added in my "system > domain-search" branch, so nothing to delete, or?

Thinking it is dynamically added by the "/opt/vyatta/sbin/vyatta_update_resolv.pl", and therefore needs to be disabled somehow, similar to how the dhcp-options name-server was set to "no-update".
