nanog mailing list archives

Re: DNS for mobile devices


From: Valdis.Kletnieks () vt edu
Date: Tue, 26 Mar 2013 14:15:26 -0400

On Tue, 26 Mar 2013 13:09:53 -0400, Joe Abley said:

> What mobile devices do you support that don't acquire a suitable local DNS resolver using DHCP or PPP?

Pretty much all devices are *able* to acquire a DNS resolver via DHCP.

> Honest question. I presume you wouldn't bring it up if it wasn't a real problem.

The problem starts when you don't *trust* DHCP to hand you a pointer to
a *working* DNS resolver (anybody who's had a hotel net hand them a DNS
that's either busted or MITMs your queries knows what I mean, and I hope
I don't have to explain about the fun involved in using wireless anywhere
near a DefCon or Black Hat conference).

And yes, unless you turn on DNSSEC you don't have much defense against
a hotel net or rogue net that decides to spoof replies to your queries
to your home DNS server.

Now in day-to-day production, it's *mostly* a non-issue, because many/most of
the people who hard-code our DNS into their mobile configs will also fire up a
VPN to our campus.  Unfortunately, that leaves us a lot of interesting-to-diagnose
corner cases involving DNS lookups that happen between when they boot
the device and when they launch the VPN (for instance, coding a DNS name
rather than an IP for the VPN endpoint :)
