Dynamic DNS Question

Dean Anderson dean at av8.com
Sat Nov 10 00:03:37 CET 2007


Hi, all


On Fri, 9 Nov 2007, Alan DeKok wrote:

> David Mitchell wrote:
> > We've run into a potential problem with our FreeRadius setup. We
> > currently use per-client keys for security. We have begun testing
> > dynamic DNS updates and have run into the problem of having the radius
> > server fail to start because an entry in clients.conf refers to a DNS
> > entry which doesn't exist. We could use only IP addresses in
> > clients.conf, but that means we can't have dynamic addresses for
> > clients. We could also use per-subnet keys but we really want to keep
> > the increase in security afforded by having unique keys for each host.
> 
>   Is it difficult to configure the clients with static IPs?  If so, why?

I imagine that wifi hubs on Verizon DSL would have issues with this,
because they don't have static IPs.

>   This would mean that an attacker can send you packets where the source
> IP has no DNS entry.  The RADIUS server would then try to resolve DNS,
> and fail, potentially causing a DoS attack.

Attackers usually have no choice of whether they have reverse DNS or
not.  In the case where they do have control over reverse DNS (and you
do DNS 'authentication checking'), then the attack is much worse because
they can make the PTR be a.b.c.d.e.f.g.h.i.j.k.l.m.... (256 characters)
and that can take a long, long time to resolve to an IP address.

>   Remember, it has to do the right thing both for the cases you want
> it to work, AND for the cases where you don't want it to die.

I suggest a custom module to configure the clients in the server
dynamically, and then a way to update the client database (rather like
the way some dynamic DNS is updated with an HTTP query).

>   I would suggest having a two-level client definition.  One, define a
> network/mask for such dynamic clients.  Two, define a mapping of
> secrets, based on the attributes in the packet.

I can't speak for this poster, but that won't work for the guy using
certain providers' DSL lines.

		--Dean

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
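The two-level client definition discussed in the thread (a network/mask that admits dynamic clients, with the secret chosen from a packet attribute) together with lazy, non-fatal resolution of DNS names in the client list, as an added example that is neither FreeRADIUS code nor code from either poster. It assumes NAS-Identifier as the selecting attribute and uses a constructed in-memory stand-in for DNS (so it runs offline), with "dead.example.invalid" playing the clients.conf name that does not exist; names are resolved on every lookup for clarity, where a real module would cache.

```python
import ipaddress
import socket
from dataclasses import dataclass
DEMO_DNS = {"nas.example.invalid": "203.0.113.5"}  # constructed stand-in for DNS
def demo_resolver(name):
    if name not in DEMO_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return DEMO_DNS[name]
@dataclass
class StaticClient:
    address: str     # IP literal or DNS name, as written in clients.conf
    secret: str
@dataclass
class DynamicNetwork:
    network: ipaddress.IPv4Network  # level one: who may be a dynamic client
    secrets_by_nas_id: dict         # level two: NAS-Identifier -> secret
class ClientTable:
    def __init__(self, statics, networks, resolver=socket.gethostbyname):
        self.statics, self.networks, self.resolver = statics, networks, resolver

    def _resolve(self, address):
        # IP for one entry, or None if its name does not resolve; a dead name
        # disables that entry only, nothing raises and the server stays up.
        try:
            return ipaddress.ip_address(address)
        except ValueError:
            pass
        try:
            return ipaddress.ip_address(self.resolver(address))
        except (OSError, ValueError):
            return None

    def find_secret(self, src_ip, nas_identifier=None):
        src = ipaddress.ip_address(src_ip)
        for c in self.statics:            # explicit per-host entries win
            if self._resolve(c.address) == src:
                return c.secret
        for net in self.networks:         # then the network/mask level,
            if src in net.network:        # secret chosen from the packet
                return net.secrets_by_nas_id.get(nas_identifier)
        return None                       # unknown client: drop silently

def build_demo_table():   # constructed sample clients.conf contents
    return ClientTable(
        statics=[StaticClient("dead.example.invalid", "s-dead"),
                 StaticClient("192.0.2.10", "s-static"),
                 StaticClient("nas.example.invalid", "s-dns")],
        networks=[DynamicNetwork(ipaddress.ip_network("198.51.100.0/24"),
                                 {"ap-lobby": "s-lobby"})],
        resolver=demo_resolver)
```

A source inside the dynamic network but presenting an unknown NAS-Identifier gets no secret, so its packets are dropped exactly like those of an unknown host.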