DNS – How to prevent local host name resolving from DHCP names in OpenWRT/dnsmasq


I have OpenWRT 14.07 running on my home router. It has DNS and DHCP services enabled for the local LAN devices.

However, this also "leaks" the name of each device connected to the router, even if connected to the same router through a different LAN. The entire network is like this:

OpenWRT router @ 192.168.0.1 and 192.168.222.1
 |-- LAN
 |    '-- DesktopComputer @ 192.168.0.99
 '-- Guest LAN
      '-- LaptopComputer @ 192.168.222.88

Running any of the following commands on LaptopComputer:

$ dig -x 192.168.0.99 @192.168.0.1
$ nslookup 192.168.0.99 192.168.0.1

Returns LaptopComputer.lan. as the result.

This means dnsmasq in OpenWRT is resolving internal IP addresses to internal names based on the names from DHCP negotiation. How can I prevent that?

I want such reverse-resolutions to simply fail (or return NXDOMAIN, or whatever is the appropriate response).

I don't even use local host name resolution, so I'm also accepting a solution that disables it entirely (while still resolving Internet names).

Best Answer

Your option of choice for dnsmasq appears to be:

--dhcp-ignore-names[=tag:<tag>[,tag:<tag>]] - Ignore hostnames provided by DHCP clients.

When all the given tags appear in the tag set, ignore any hostname provided by the host. Note that, unlike dhcp-ignore, it is permissible to supply no tags, in which case DHCP-client supplied hostnames are always ignored, and DHCP hosts are added to the DNS using only dhcp-host configuration in dnsmasq and the contents of /etc/hosts and /etc/ethers.

This option is available in dnsmasq 2.71, which is part of OpenWrt Barrier Breaker 14.07.

If you don't specify any hosts in /etc/hosts or /etc/ethers (or disable using them completely) no hostname information should "leak" anymore. However, be aware that there are other tools like, e.g., Netscan, nbtscan, or the whole lot of Metasploit scanners, that can provide this information if not firewalled tightly.
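To make the two settings concrete, here is an added example (not part of the question or the answer above): a small POSIX shell audit that takes a dnsmasq configuration as text and reports whether DHCP-learned host names can still be handed back to clients. It contrasts a constructed "before" configuration (the leak described in the question) with a constructed "after" configuration that sets `dhcp-ignore-names` and `no-hosts`. The DHCP ranges are made up, and the suggestion to put these lines in /etc/dnsmasq.conf (which OpenWrt's dnsmasq init script includes) is an assumption about the router's setup, not something the page states.

```shell
#!/bin/sh
# Added example, not from the original post: audit a dnsmasq config for the
# "DHCP names leak into DNS" problem. Assumes dnsmasq's plain-text syntax
# (one "key" or "key=value" per line, '#' starts a comment). All sample
# configs below are constructed for illustration.

# Constructed "before" config: client-supplied names are published, and the
# hardening line is present but commented out (a common mistake).
LEAKY_CONF='
domain=lan
dhcp-range=192.168.0.100,192.168.0.250,12h
dhcp-range=192.168.222.100,192.168.222.250,12h
# dhcp-ignore-names
'

# Constructed "after" config: ignore the hostname option in DHCP requests and
# stop serving /etc/hosts, so a lease only gets a name if you give it one
# deliberately with dhcp-host=.
HARDENED_CONF='
domain=lan
dhcp-range=192.168.0.100,192.168.0.250,12h
dhcp-range=192.168.222.100,192.168.222.250,12h
# --dhcp-ignore-names with no tag: never trust client-supplied hostnames
dhcp-ignore-names
# --no-hosts: do not publish names from /etc/hosts either
no-hosts
'

# has_directive CONF NAME -> exit 0 if NAME is an active directive (bare or
# with =value). Leading whitespace and '#' comments are stripped first, so a
# commented-out directive does not count.
has_directive() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/#.*$//' | grep -q -E "^$2(=|\$)"
}

# audit_conf CONF -> prints one finding per line; returns 0 only when
# DHCP-supplied names are ignored, 1 otherwise.
audit_conf() {
    conf=$1
    rc=0
    if has_directive "$conf" dhcp-ignore-names; then
        echo "ok: dhcp-ignore-names set, client-supplied hostnames are ignored"
    else
        echo "FAIL: dhcp-ignore-names missing, DHCP client names resolve via reverse lookup"
        rc=1
    fi
    if has_directive "$conf" no-hosts; then
        echo "ok: no-hosts set, /etc/hosts entries are not served"
    else
        echo "note: /etc/hosts entries are still served; keep that file free of LAN hosts"
    fi
    return $rc
}

# Stand-alone run: audit both constructed configs.
echo "== before =="
audit_conf "$LEAKY_CONF" || echo "(leaky config fails the audit, as expected)"
echo "== after =="
audit_conf "$HARDENED_CONF"
```

On the router itself the two directives go into the file that dnsmasq actually reads (on OpenWrt, assumed here to be /etc/dnsmasq.conf), followed by `/etc/init.d/dnsmasq restart`. The check that matters afterwards is the one from the question, run from the guest LAN: `dig -x 192.168.0.99 @192.168.222.1` should now come back NXDOMAIN instead of a `.lan` name. Note that `dhcp-ignore-names` without a tag applies to every DHCP client; the tag form narrows it to clients carrying that tag, but it does not by itself restrict which interface may ask.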
