On Tue, 26 Mar 2013 13:09:53 -0400, Joe Abley said:
> What mobile devices do you support that don't acquire a suitable local DNS resolver using DHCP or PPP?
Pretty much all devices are *able* to acquire a DNS resolver via DHCP.
> Honest question. I presume you wouldn't bring it up if it wasn't a real problem.
The problem starts when you don't *trust* DHCP to hand you a pointer to a *working* DNS resolver (anybody who's had a hotel net hand them a DNS that's either busted or MITMs your queries knows what I mean, and I hope I don't have to explain about the fun involved in using wireless anywhere near a DefCon or Black Hat conference). And yes, unless you turn on DNSSEC you don't have much defense against a hotel net or rogue net that decides to spoof replies to your queries to your home DNS server.

Now in day-to-day production, it's *mostly* a non-issue, because many/most of the people who hard-code our DNS into their mobile configs will also fire up a VPN to our campus. Unfortunately, that leaves us a lot of interesting-to-diagnose corner cases involving DNS lookups that happen between when they boot the device and when they launch the VPN (for instance, coding a DNS name rather than an IP for the VPN endpoint :)
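The spoofing problem described above, as an added example that is not part of the thread or anyone's posted code: a minimal DNS query builder and reply checker showing what a stub resolver can verify on a UDP reply before trusting it (transaction ID, question echo, rcode) and what it cannot catch without DNSSEC. The three replies are constructed inline, nothing touches the network, and the VPN endpoint name and the two IP addresses are placeholders (RFC 5737 documentation ranges), not values from the thread.

```python
import random
import struct

# Placeholders, not names from the thread: the campus VPN endpoint and two
# constructed addresses from the RFC 5737 documentation ranges.
QNAME = "vpn.example.edu"
GOOD_IP = "192.0.2.10"
ATTACKER_IP = "198.51.100.7"


def encode_name(name):
    """Encode 'vpn.example.edu' as DNS labels: \\x03vpn\\x07example\\x03edu\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=None):
    """Build an A query with RD set and the DO (DNSSEC OK) bit in an OPT record."""
    if txid is None:
        txid = random.SystemRandom().randrange(0, 0x10000)  # unpredictable ID
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 Q, 1 AR
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return txid, header + question + opt


def build_response(txid, name, ip, ad=True):
    """Constructed reply: one A record, answer name compressed to offset 12."""
    flags = 0x8180 | (0x0020 if ad else 0)  # QR, RD, RA, optionally AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def check_response(resp, txid, qname):
    """Apply the checks a stub should make before trusting a UDP reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    result = {"ok": False, "ad": bool(flags & 0x0020), "answers": [], "reason": ""}
    if rid != txid:
        result["reason"] = "transaction ID mismatch: off-path spoof or stale reply"
        return result
    if not flags & 0x8000 or qd != 1:
        result["reason"] = "not a response to exactly one question"
        return result
    name, off = read_name(resp, 12)
    qtype, qclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if name.lower() != qname.lower() or (qtype, qclass) != (1, 1):
        result["reason"] = "question section does not echo our query"
        return result
    if flags & 0x000F:
        result["reason"] = "rcode %d" % (flags & 0x000F)
        return result
    for _ in range(an):
        _, off = read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):
            result["answers"].append(".".join(str(b) for b in rdata))
    result["ok"] = True
    result["reason"] = "validated by resolver (AD)" if result["ad"] else "no DNSSEC validation"
    return result


def demo(txid=None):
    """Three constructed replies to one query; returns the check result for each."""
    txid, _query = build_query(QNAME, txid)
    replies = [
        build_response(txid, QNAME, GOOD_IP, ad=True),      # honest validating resolver
        build_response(txid ^ 0x5A5A, QNAME, ATTACKER_IP),   # off-path guess, wrong ID
        build_response(txid, QNAME, ATTACKER_IP, ad=False),  # on-path hotel net, no DNSSEC
    ]
    return [check_response(r, txid, QNAME) for r in replies]


if __name__ == "__main__":
    for r in demo():
        print("accept" if r["ok"] else "reject", r["answers"], r["reason"])
```

The second reply is rejected because an off-path forger has to guess the 16-bit ID (and the source port, which this toy omits). The third reply passes every echo check: a hotel network that is on-path sees the ID and port in your query and can answer with whatever it likes, which is the case in the message above where only DNSSEC helps. Note that the AD flag is itself just a bit in the packet; trust it only when the stub validates locally or the path to the validating resolver is authenticated (for example, through the campus VPN once it is up).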