How to prevent local host name resolving from DHCP names in OpenWRT/dnsmasq


I have OpenWRT 14.07 running on my home router. It has DNS and DHCP services enabled for the local LAN devices.

However, this also "leaks" the name of each device connected to the router, even if connected to the same router through a different LAN. The entire network is like this:

OpenWRT router @ 192.168.0.1 and 192.168.222.1
 |-- LAN
 |    '-- DesktopComputer @ 192.168.0.99
 '-- Guest LAN
      '-- LaptopComputer @ 192.168.222.88

Running any of the following commands on LaptopComputer:

$ dig -x 192.168.0.99 @192.168.0.1
$ nslookup 192.168.0.99 192.168.0.1

Returns LaptopComputer.lan. as the result.

This means dnsmasq in OpenWRT is resolving internal IP addresses to internal names based on the names from DHCP negotiation. How can I prevent that?

I want such reverse-resolutions to simply fail (or return NXDOMAIN, or whatever is the appropriate response).

I don't even use local host name resolution, so I'm also accepting a solution that disables it entirely (while still resolving Internet names).

Denilson Sá Maia

Posted 2015-09-01T19:48:10.540


What I do in a similar situation (no OpenWrt, but DD-WRT) is add this option to dnsmasq: dhcp-option=br1,6,8.8.8.8, where br1 is the guest VLAN interface, option 6 is the DNS server option, and 8.8.8.8 is one of Google's DNS servers. So guests never get to query the internal LAN. – natxo asenjo – 2015-09-01T20:27:08.463

You understand that the purpose of DNS is to provide name resolution, right? The DNS server/service on the router isn't "leaking" the names. It's resolving the names, as it's intended to. Have you read the documentation for dnsmasq on OpenWRT? You'll probably find your solution there. – joeqwerty – 2015-09-01T20:35:39.613

@joeqwerty: Yes, I understand the purpose. Yes, I read OpenWRT wiki and dnsmasq manpage. The closest option I found was boguspriv, but it still looks in /etc/hosts and DHCP leases.

– Denilson Sá Maia – 2015-09-01T22:31:42.263

Answers


Your option of choice for dnsmasq appears to be:

--dhcp-ignore-names[=tag:<tag>[,tag:<tag>]] - Ignore hostnames provided by DHCP clients.

When all the given tags appear in the tag set, ignore any hostname provided by the host. Note that, unlike dhcp-ignore, it is permissible to supply no tags, in which case DHCP-client supplied hostnames are always ignored, and DHCP hosts are added to the DNS using only dhcp-host configuration in dnsmasq and the contents of /etc/hosts and /etc/ethers.

This option is available in dnsmasq 2.71, which is part of OpenWrt Barrier Breaker 14.07.

If you don't specify any hosts in /etc/hosts or /etc/ethers (or disable using them completely), no hostname information should "leak" anymore. However, be aware that there are other tools, e.g. Netscan, nbtscan, or the whole lot of Metasploit scanners, that can provide this information if not firewalled tightly.

sam_pan_mariusz

Posted 2015-09-01T19:48:10.540


Great idea! Unfortunately, it did not work. I tried adding dhcp-ignore-names to /etc/dnsmasq.conf, but the behavior remained the same. I've even tried editing /etc/init.d/dnsmasq to add --dhcp-ignore-names parameter, and checked using ps that it was used, but still no change in the behavior. (Of course, restarting with /etc/init.d/dnsmasq restart.) – Denilson Sá Maia – 2015-09-01T22:56:45.393

Have you "cleaned" the dhcp-leasefile (default: /tmp/dhcp.leases)? I also use Barrier Breaker for my home network, and dhcp-ignore-names option works as expected for me, but I had to remove the old lease entries or replace host names with asterisks and only then restart. It should also help to wait for the leases to expire. – sam_pan_mariusz – 2015-09-02T11:08:34.430

Okay, it works. However, dnsmasq will still resolve names if you have defined them in Static Leases. It happens because, behind the scenes, this option will write * to the DHCP leases; and dnsmasq will always use the leases when resolving names. – Denilson Sá Maia – 2015-09-10T17:26:32.850
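The procedure the answer and its comments converge on (add dhcp-ignore-names, scrub the hostnames out of the existing lease file, restart dnsmasq, re-test the reverse lookup) as one script. This is an added example, not code from the question or the answer: the scrub_leases function rewrites the fourth field of each dnsmasq lease line (expiry, MAC, IP, hostname, client-id) to "*", which is the same marker the comments say dnsmasq writes itself once names are ignored. The lease file contents and MAC addresses are constructed for the example; the live-router commands are shown commented out so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original Q&A): stop old DHCP-learned hostnames
# from feeding dnsmasq reverse DNS after enabling dhcp-ignore-names.
#
# dnsmasq lease file format (one lease per line, space separated):
#   <expiry-epoch> <mac> <ip> <hostname> <client-id>
# Hostnames dnsmasq has been told to ignore are stored as "*".

# scrub_leases <leasefile>
# Print the lease file with every client-supplied hostname replaced by "*".
# Lines with fewer than four fields are passed through untouched.
scrub_leases() {
    awk 'NF >= 4 { $4 = "*" } { print }' "$1"
}

# Constructed sample lease file mirroring the network in the question
# (MAC addresses and expiry are invented for the example).
SAMPLE_LEASES="$(mktemp)"
cat > "$SAMPLE_LEASES" <<'EOF'
1441224000 00:11:22:33:44:55 192.168.0.99 DesktopComputer 01:00:11:22:33:44:55
1441224000 66:77:88:99:aa:bb 192.168.222.88 LaptopComputer *
EOF

# On a real OpenWrt 14.07 router the steps would be (kept as comments so the
# script stays runnable off the device):
#   echo 'dhcp-ignore-names' >> /etc/dnsmasq.conf   # the init script includes this file
#   scrub_leases /tmp/dhcp.leases > /tmp/dhcp.leases.new \
#       && mv /tmp/dhcp.leases.new /tmp/dhcp.leases
#   /etc/init.d/dnsmasq restart
#   nslookup 192.168.0.99 192.168.0.1              # expect NXDOMAIN, not a .lan name
# Caveat from the comments: names defined as static leases (dhcp-host) are
# still served; remove those entries too if they must not be resolvable.

scrub_leases "$SAMPLE_LEASES"
rm -f "$SAMPLE_LEASES"
```

Because the function only touches field 4, expiry, MAC, IP and client-id survive, so dnsmasq still honours the existing leases after the restart; it simply has no name left to answer a PTR query with.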