From rtylerdunn at hotmail.com Wed Jul 2 05:12:42 2008 
From: rtylerdunn at hotmail.com (Tyler Dunn)
Date: Wed Jul 2 05:13:03 2008
Subject: [Dnsmasq-discuss] dnsmasq not answering other LAN computers
Message-ID:

I set up dnsmasq on a Ubuntu server and it appears to be working locally (it will resolve hostnames, and using dig I see that the machine is caching properly). However, I'm not getting the response that I expected from other machines on the LAN. From another Linux box (CentOS), I put the dnsmasq IP address in the /etc/resolv.conf file, but a ping command returns an error while a host command works properly. (gerbil is a local machine listed in the dnsmasq server's /etc/hosts file.) The host command didn't work either until I commented out the listen-address=127.0.0.1 line in /etc/dnsmasq.conf.

    root@pbx:~ $ ping gerbil
    ping: unknown host gerbil
    root@pbx:~ $ host gerbil
    gerbil has address 192.168.1.112
    root@pbx:~ $

Also, when I set the DNS server on gerbil to the dnsmasq server's IP address (192.168.1.121), it wouldn't return anything when I pinged gerbil (or www.yahoo.com for that matter). It also wouldn't resolve the names when I put them into a Firefox browser on gerbil. gerbil is a Windows XP machine and I set the DNS server in the Network control panel.

My dnsmasq.conf file only has two lines uncommented:

    server=/localnet/192.168.0.1
    local=/localnet/

My dnsmasq server is pointing to my ISP's DNS servers in the /etc/resolv.conf file (127.0.0.1 is the first nameserver listed). The other Linux boxes point this file to the dnsmasq server IP. The Windows machines point their DNS server to the dnsmasq server IP. The /etc/hosts file on the dnsmasq server has a listing for each local machine and the nickname that I want to use to access it.

    /etc/hosts
    127.0.0.1      localhost
    192.168.1.112  laptop
    plus all other local machines

I hope this is a simple fix. dnsmasq is supposed to be easy to set up and I've reviewed several how-tos to try and find the problem.

I would appreciate any pointers and suggestions on how to troubleshoot this issue. I would like to get it fixed so that I don't have to type the IP address when I access local machines on the LAN. I don't want to update all the hosts files any time the network changes. Thanks in advance for any pointers.
From: gypsy at iswest.com (gypsy)
Date: Thu Jul 3 03:07:40 2008
Subject: [Dnsmasq-discuss] dnsmasq not answering other LAN computers
References:
Message-ID: <486C3456.544913E8@iswest.com>

Tyler Dunn wrote:
> I set up dnsmasq on a Ubuntu server and it appears to be working locally (will resolve hostnames, using dig I see that the machine is caching properly). However, I'm not getting the response that I expected from other machines on the LAN. From another Linux box (Centos), I put the dnsmasq IP address in the /etc/resolv.conf file, but a ping command returns an error and a host command works properly. (gerbil is a local machine listed in the dnsmasq server's /etc/hosts file.) The host command didn't work either until I commented out the listen-address=127.0.0.1 line in /etc/dnsmasq.conf.
>
> root@pbx:~ $ ping gerbil
> ping: unknown host gerbil
> root@pbx:~ $ host gerbil
> gerbil has address 192.168.1.112
> root@pbx:~ $
>
> Also, when I set the DNS server on gerbil to the dnsmasq server's IP address (192.168.1.121), it wouldn't return anything when I pinged gerbil (or www.yahoo.com for that matter). It also wouldn't resolve the names when I put them into a Firefox browser on gerbil. gerbil is a win XP machine and I set the DNS server in the Network control panel.
>
> My dnsmasq.conf file only has two lines uncommented:
> server=/localnet/192.168.0.1

Is this a typo? That is surely NOT your local network.

Why not try this on the DNSMasq machine?:

    resolv.conf
    search YOURDOMAIN.TLD
    nameserver 127.0.0.1

    dnsmasq.conf
    (remark the two lines above)
    domain-needed
    log-queries
    no-resolv
    server=UPSTREAM.DNS.SERVER.IP

Make sure that works on the DNSMasq machine and then ping yahoo from gerbil.

> I would like to get it fixed so that I don't have to type the IP address when I access local machines on the LAN. I don't want to update all the hosts file anytime the network changes.
There is no easy way that I know to be able to use DHCP and still resolve local machines, but I can't use DNSMasq where I need that (Windows) so I've never dug into that part. Perhaps a search of this mailing list will provide you an answer.

From: rtylerdunn at hotmail.com (Tyler Dunn)
Date: Fri Jul 4 06:20:20 2008
Subject: [Dnsmasq-discuss] dnsmasq not answering other LAN computers
In-Reply-To: <486C3456.544913E8@iswest.com>
References: <486C3456.544913E8@iswest.com>
Message-ID:

Thanks for the response. I still can't get dnsmasq to respond as desired when resolving a local name from a Windows box. I would like to map my computers' names to their IP addresses in my dnsmasq server's /etc/hosts file and then be able to access them through the web by typing the plain name into the web browser instead of typing the IP address. For example, in /etc/hosts I have

    192.168.1.123 gerbil

I would like to type "gerbil" into the address bar of Firefox on my XP machine and access the gerbil web server. The only way that I have been able to work around the current problems is to put the following text in my /etc/hosts file:

    192.168.1.123 gerbil.com

When I type gerbil.com in my browser address window, the gerbil default web page is accessible. I would rather not have to always type the .com after each machine name. Is there a way to configure dnsmasq to work with Windows as described?

Right now I am forcing a ".com" at the end of DNS queries by using the command "search com" in /etc/resolv.conf. I also have expand-hosts and domain=com in my /etc/dnsmasq.conf file to force a ".com" onto the ends of the /etc/hosts entries.

I think this is a Windows XP issue and not a Firefox issue because I get an error message when trying to ping gerbil from the command line on the XP box: "Ping request could not find host gerbil. Please check the name and try again."

Thanks.

From: john at johnbirchfield.com (John Birchfield)
Date: Fri Jul 4 14:29:25 2008
Subject: [Dnsmasq-discuss] RE: dnsmasq not answering other LAN computers
In-Reply-To:
References:
Message-ID: <486E259F.2020303@johnbirchfield.com>

An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080704/5bf5278f/attachment.htm
From: john at johnbirchfield.com (John Birchfield)
Date: Sat Jul 5 16:45:33 2008
Subject: [Dnsmasq-discuss] RE: dnsmasq not answering other LAN computers - 2nd try
In-Reply-To:
References:
Message-ID: <486F96FF.8070709@johnbirchfield.com>

I think you want to look at the TCP/IP properties for the adapter you are using on your Windows box, specifically the Advanced TCP/IP settings and the DNS tab. You may add DNS suffixes to try and resolve.

At home I use a Buffalo wireless router with OpenWRT and dnsmasq. My config file looks like:

    domain-needed
    bogus-priv
    filterwin2k
    localise-queries
    # allow /etc/hosts and dhcp lookups via *.home
    local=/jb.home/
    domain=jb.home
    expand-hosts
    no-negcache
    resolv-file=/tmp/resolv.conf.auto
    dhcp-authoritative
    dhcp-leasefile=/tmp/dhcp.leases
    read-ethers

I tell Windows to append the jb.home suffix. Any query of a bare name returns the fully qualified name; thus fs1 becomes fs1.jb.home etc.

john
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon Jul 7 16:53:13 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.43 release candidate
Message-ID: <48723BD3.1000605@thekelleys.org.uk>

rc1 is now available at:

http://thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc1.tar.gz

The changelog from 2.42 looks like this.

    Updated Polish translation. Thanks to Jan Psota.

    Flag errors when configuration options are repeated illegally.

    Further tweaks for GNU/kFreeBSD.

    Add --no-wrap to msgmerge call - provides nicer .po file format.

    Honour lease-time spec in dhcp-host lines even for BOOTP. The user is assumed to know what they are doing in this case. (Hosts without the time spec still get infinite leases for BOOTP, over-riding the default in the dhcp-range.) Thanks to Peter Katzmann for uncovering this.

    Fix problem matching relay-agent ids. Thanks to Michael Rack for the bug report.

    Add --naptr-record option. Suggestion from Johan Bergquist.

    Implement RFC 5107 server-id-override DHCP relay agent option.

    Apply patches from Stefan Kruger for compilation on Solaris 10 under Sun studio.

    Yet more tweaking of Linux capability code, to suppress pointless whingeing from kernel 2.6.25 and above.

    Improve error checking during startup. Previously, some errors which occurred during startup would be worked around, with dnsmasq still starting up. Some were logged, some silent. Now, they all cause a fatal error and dnsmasq terminates with a non-zero exit code. The errors are those associated with changing uid and gid, setting process capabilities and writing the pidfile. Thanks to Uwe Gansert and the Suse security team for pointing out this improvement, and Bill Reimers for good implementation suggestions.

I'll be away for a couple of weeks, and plan to make a 2.43 release when I return, so please, anyone who can, try out the 2.43rc1 tarball. You know it makes sense.

Cheers,

Simon.
From: stephane.billiart at gmail.com (Stephane Billiart)
Date: Mon Jul 7 20:32:48 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.43 release candidate
In-Reply-To: <48723BD3.1000605@thekelleys.org.uk>
References: <48723BD3.1000605@thekelleys.org.uk>
Message-ID: <20080707193223.GA12928@salusa.home.net>

2.43rc1 does not compile in my uClibc environment without large file support because of a change that was done before 2.42 was released.

The attached patch solves the issue by introducing a new define NO_LFS for users who do not have LFS, like we already have NO_IPV6, NO_TFTP... Please review and consider including it.

Thanks,

-- 
Stéphane Billiart
http://perso.orange.fr/billiart/

-------------- next part --------------
--- src/dnsmasq.h.orig	2008-07-07 15:22:43.000000000 -0400
+++ src/dnsmasq.h	2008-07-07 15:23:07.000000000 -0400
@@ -17,8 +17,10 @@
 #define COPYRIGHT "Copyright (C) 2000-2008 Simon Kelley"
 
 /* Ensure we can use files >2GB (log files may grow this big) */
+#ifndef NO_LFS
 #define _LARGEFILE_SOURCE 1
 #define _FILE_OFFSET_BITS 64
+#endif
 
 /* Get linux C library versions. */
 #ifdef __linux__
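Review bot: nothing in this hunk ever defines NO_LFS, so a uClibc build without large-file support still breaks until the packager discovers the knob by hand; key the two defines on the C library's own feature macro (for uClibc, `__UCLIBC_HAS_LFS__`) or on a HAVE_LARGEFILE entry in the build configuration next to the existing NO_IPV6/NO_TFTP switches, and keep `#ifndef NO_LFS` only as the manual override. The comment `/* Ensure we can use files >2GB (log files may grow this big) */` now sits above code that can be compiled out; when it is, off_t stays 32-bit and a log file reaching 2GB fails to grow with EFBIG, so that consequence belongs in the comment beside the `#endif` or in the build notes rather than leaving the promise unqualified.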
From: rizwank at uwink.com (Rizwan Kassim @ uWink)
Date: Tue Jul 8 02:52:41 2008
Subject: [Dnsmasq-discuss] DNSMasq assigning hostnames
Message-ID:

Is it possible for DNSMasq to render hostnames based upon the IP address or MAC address of the machine getting the lease? If not, I could create a file that had a static list of

    10.0.0.1 dnsmasq-1-0-0-10.local

for instance - how would I get DNSMasq to read that and use that for hostnames (while using its already existing behavior when it came to actually assigning the IP addresses)?

Thanks!

Rizwan Kassim
Software and Systems Engineer, uWink Interactive Bistro
http://www.geekymedia.com

If there is any great secret of success in life, it lies in the ability to put yourself in the other's place and to see things from his point of view -- as well as your own. -- Henry Ford

From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Jul 8 11:41:46 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.43 release candidate
In-Reply-To: <20080707193223.GA12928@salusa.home.net>
References: <48723BD3.1000605@thekelleys.org.uk> <20080707193223.GA12928@salusa.home.net>
Message-ID: <4873445F.3070303@thekelleys.org.uk>

Stephane Billiart wrote:
> 2.43rc1 does not compile in my uClibc environment without large file
> support because of a change that was done before 2.42 was released.
>
> The attached patch solves the issue by introducing a new define NO_LFS
> for users who do not have LFS, like we already have NO_IPV6, NO_TFTP...
> Please review and consider including it.

Thanks for that: I've extended it by adding HAVE_LARGEFILE to the config options, and setting it automatically based on __UCLIBC_HAS_LFS__, so it should just work for any version of uclibc.

http://thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc2.tar.gz

or

http://thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc2.tar.lzma

Cheers,

Simon.
From: g.esp at free.fr (Gilles Espinasse)
Date: Wed Jul 9 10:26:52 2008
Subject: [Dnsmasq-discuss] Impact of CVE-2008-1447 forgery resilience?
Message-ID: <1215595207.487482c72e40b@imp.free.fr>

An important flaw in the DNS protocol was announced yesterday.
http://www.kb.cert.org/vuls/id/800113
http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php

As a result, bind is delivering patched versions that will implement a forgery resilience extension (per-query source port randomization).

What is the consequence for dnsmasq (short and long term)?

I understand Simon's position on dnssec stated in December:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001704.html

Gilles
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Jul 9 11:03:05 2008
Subject: [Dnsmasq-discuss] Impact of CVE-2008-1447 forgery resilience?
In-Reply-To: <1215595207.487482c72e40b@imp.free.fr>
References: <1215595207.487482c72e40b@imp.free.fr>
Message-ID: <48748CCA.3070306@thekelleys.org.uk>

Gilles Espinasse wrote:
> An important flaw in dns protocol has been announced yesterday.
> http://www.kb.cert.org/vuls/id/800113
> http://www.isc.org/index.pl?/sw/bind/forgery-resilience.php
>
> As the result, bind is delivering patched version that will implement a forgery
> resilience extension (per-query source port randomization).
>
> What is the consequence for dnsmasq (short and long term)?
>
> I understand Simon position on dnssec stated on december
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001704.html

Good question. I wasn't contacted in advance about this, and no patch for dnsmasq has been released. Since the exact nature of the new vulnerability has not (as far as I know) been announced, I don't know if dnsmasq is vulnerable.

My current plan is to implement query-port randomization, and I'm working on that right now. If all goes well, it will go into 2.43, and be released ASAP.

To help with this, I'd like to gather as many testers as possible. The changes are quite intrusive, and to be confident about releasing them quickly, I'd like to get as many people as I can testing.

Since query-port randomisation is potentially quite resource-heavy (it needs a socket per query), and will break many firewall configs, the current plan is to make it optional, and not the default behaviour.

Cheers,

Simon.
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Jul 9 21:29:22 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
Message-ID: <48751EE9.7000807@thekelleys.org.uk>

2.43rc3 is available here.

http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc3.tar.gz

This is a reaction to the DNS security farrago of the last few days. I'm still not completely clear if dnsmasq is affected, since it doesn't do recursive name resolution, but this significantly strengthens the resistance to spoofing attacks anyway. It implements the same countermeasures as the patches to BIND et al, as far as I am aware.

The default behaviour now becomes to randomise the source port for upstream queries. Each query will get a new, randomly allocated port. Under very heavy load, this degenerates into choosing a port from a constantly-rotating pool of 64 random ports. --query-port and the source-port specifications in --server are still honoured. Setting --source-port=0 reverts to the historical behavior, using a single port allocated by the OS.

Additionally, the random number generator has been changed. *BSD platforms still use arc4random() but everything else, which used to use the rand() or random() libc functions, now uses the SURF RNG from djbdns-1.05.

This is quite a large change, and there's some time pressure to release, so I'd appreciate it if as many people as possible could try this out as soon as possible and get back to me with results.

Cheers,

Simon.
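The countermeasure Simon describes, as an added illustration written for this page (it is not dnsmasq source): the check a forwarder makes before accepting an upstream reply, and the size of the guessing problem that check leaves an off-path spoofer for a fixed --query-port, for the 64-port pool used under heavy load, and for a fresh random port per query. The usable port range (1025 to 65535), the uniform-guess model and the simplified match on TXID, destination port and question name are assumptions of the example; the real code checks more than this.

```c
/* Added example for the port-randomisation discussion above. This is
 * illustrative code written for this page, not dnsmasq source: it
 * models the check a forwarder makes on an upstream reply and the size
 * of the guessing problem left to an off-path spoofer. Port range,
 * pool size and the uniform-guess model are assumptions noted inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TXID_SPACE      65536.0  /* 16-bit DNS message ID */
#define EPHEMERAL_PORTS 64511.0  /* assumption: ports 1025-65535 usable */
#define BUSY_POOL       64.0     /* rotating pool size under heavy load, per the announcement */

/* What the forwarder remembers about a query it sent upstream. */
struct pending { uint16_t txid; uint16_t src_port; const char *qname; };

/* What a (possibly forged) reply looks like when it arrives. */
struct reply   { uint16_t txid; uint16_t dst_port; const char *qname; };

/* Accept a reply only if it hits the socket the query left from, carries
 * the same TXID and answers the same question. With a fixed --query-port
 * the port test costs a spoofer nothing; with a random port per query it
 * is a second secret to guess. */
int reply_matches(const struct pending *q, const struct reply *r)
{
    return r->dst_port == q->src_port
        && r->txid == q->txid
        && strcmp(r->qname, q->qname) == 0;
}

/* Number of (txid, port) pairs a forged reply can land in, for a
 * forwarder that may be using any of ports_in_use source ports. */
double guess_space(double ports_in_use)
{
    return TXID_SPACE * ports_in_use;
}

/* Probability that at least one of n forged replies, each guessing a
 * uniformly random pair, is accepted: 1 - (1 - 1/space)^n. Done with a
 * loop so the example needs no libm. */
double forgery_success(double space, unsigned long n)
{
    double miss = 1.0, per_try_miss = 1.0 - 1.0 / space;
    for (unsigned long i = 0; i < n; i++)
        miss *= per_try_miss;
    return 1.0 - miss;
}

/* Smallest number of forged replies at which the success probability
 * reaches target. Only sensible for small spaces (it walks one reply at
 * a time); the randomised case is reported via forgery_success instead. */
unsigned long replies_for_probability(double space, double target)
{
    double miss = 1.0, per_try_miss = 1.0 - 1.0 / space;
    unsigned long n = 0;
    while (1.0 - miss < target) {
        miss *= per_try_miss;
        n++;
    }
    return n;
}

int main(void)
{
    /* A constructed pending query and three constructed replies. */
    struct pending q = { 0x1234, 40001, "www.example.com" };
    struct reply genuine    = { 0x1234, 40001, "www.example.com" };
    struct reply wrong_port = { 0x1234, 53,    "www.example.com" };
    struct reply wrong_txid = { 0x1235, 40001, "www.example.com" };

    printf("genuine %d, wrong port %d, wrong txid %d\n",
           reply_matches(&q, &genuine), reply_matches(&q, &wrong_port),
           reply_matches(&q, &wrong_txid));

    const double ports[] = { 1.0, BUSY_POOL, EPHEMERAL_PORTS };
    const char *label[]  = { "fixed port", "64-port pool", "random port" };
    for (int i = 0; i < 3; i++) {
        double space = guess_space(ports[i]);
        printf("%-12s space %.0f  P(success | 65536 forged) = %.2e",
               label[i], space, forgery_success(space, 65536));
        if (ports[i] <= BUSY_POOL)
            printf("  replies for 50%%: %lu", replies_for_probability(space, 0.5));
        printf("\n");
    }
    return 0;
}
```

The per-try odds are what matter for a race the attacker can re-run: with one fixed port, about 45,000 forged replies give even odds of a hit, while a random port per query leaves the same 65,536-reply spray with roughly one chance in sixty thousand, which is why the fix is worth its socket-per-query cost and why the 64-port pool under load is a real, if much smaller, step back.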
From: jasiu at belsznica.pl (Jan Psota)
Date: Wed Jul 9 23:51:14 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 pl.po
In-Reply-To: <48751EE9.7000807@thekelleys.org.uk>
References: <48751EE9.7000807@thekelleys.org.uk>
Message-ID: <20080710005053.79f22b90@gandalf>

Don't you think it would be much more readable if every message

    die(_("It shouldn't happen. :-("))

were prefixed with "ERROR: " --> ERROR: it shouldn't happen :-(
or "ERROR! " --> ERROR! It shouldn't happen. :-(

Cheerful holiday! :-)

-- 
jasiu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pl.po
Type: text/x-gettext-translation
Size: 37989 bytes
Desc: not available
Url : http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080710/3c1f83f3/pl-0001.bin
From: chutzpah at gentoo.org (Patrick McLean)
Date: Thu Jul 10 00:50:33 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <48751EE9.7000807@thekelleys.org.uk>
References: <48751EE9.7000807@thekelleys.org.uk>
Message-ID: <48754EB2.2010804@gentoo.org>

On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't happen on other distros), starting this release with the user set to anything other than root fails with this message:

    dnsmasq: setting capabilities failed: Operation not permitted

From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 07:24:53 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <48754EB2.2010804@gentoo.org>
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org>
Message-ID: <4875AB23.4010209@thekelleys.org.uk>

Patrick McLean wrote:
> On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't
> happen on other distros), starting this release with the user set to
> anything other than root fails with this message:
>
> dnsmasq: setting capabilities failed: Operation not permitted

Hmm, would it be possible to revert to an earlier version of dnsmasq, and check the log messages at startup? I suspect that you will find that dnsmasq was logging a whinge about the same thing, and then running as root anyway. This (former) behaviour is seen as a security hole and so has changed.

The thing which I know can cause the problem is a kernel configuration. The dnsmasq FAQ states that the solution is "either deselect CONFIG_SECURITY or select CONFIG_SECURITY_CAPABILITIES" but I suspect that it may be more complicated than that. An strace would be useful (use strace -f, from dnsmasq with the -k flag) and a close look at how Gentoo configures security in its kernel.

Cheers,

Simon.
From: Hullen at t-online.de (Helmut Hullen)
Date: Thu Jul 10 08:03:27 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <48751EE9.7000807@thekelleys.org.uk>
Message-ID:

Hello Simon,

You (simon) wrote on 09.07.08:

> 2.43rc3 is available here.
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc3.tar.gz

Compiling works (but why does it ask for "nawk"? I haven't installed "nawk").

When I start the new dnsmasq it works in a different way than 2.41.

I append "conf-dir=/etc/dnsmasq.d" to "/etc/dnsmasq.conf" and do all my local changes in special files in this subdirectory. It's better to see the changes in a small special file than in the original "dnsmasq.conf" with its nearly 500 lines.

The files in the subdirectory overwrite the options in "dnsmasq.conf" - it's a fine and simple way.

But 2.43rc3 doesn't like duplicate options - and I may not change the behaviour of 2.41.

Best regards!
Helmut
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 08:24:07 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <48754EB2.2010804@gentoo.org>
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org>
Message-ID: <4875B905.50403@thekelleys.org.uk>

Patrick McLean wrote:
> On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't
> happen on other distros), starting this release with the user set to
> anything other than root fails with this message:
>
> dnsmasq: setting capabilities failed: Operation not permitted

I think I may have been guilty of answering the question I expected in my last reply. It's valid if what you are talking about is running (as root)

    dnsmasq --user

if you are actually starting dnsmasq as (presumably listening on a high port) then I can see that changing the capability error from soft to hard is a problem. The solution is not to attempt any of that stuff if the original process uid is non-zero.

I'll fix that before a final release.

Cheers,

Simon.
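The rule Simon states, written out as an added C example (this is not dnsmasq's own code): decide from the uid the process started with whether a capability-retaining uid change is attempted at all, and if it is, treat any failure as fatal and verify the drop before carrying on. The kept capability set (CAP_NET_ADMIN and CAP_NET_RAW), the use of capability version 3 through raw capset(2) instead of libcap, and uid/gid 65534 as the target user are assumptions chosen for the example.

```c
/* Added example for the capability discussion above. It is not dnsmasq
 * code; it shows the rule Simon states (only try the capability dance if
 * the process started as root, and treat any failure there as fatal) and
 * a minimal Linux privilege drop that keeps just the capabilities a
 * DHCP/DNS daemon needs. The kept set, the capability version and the
 * target user are assumptions chosen for the example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <grp.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#endif

enum drop_plan {
    DROP_SKIP,       /* started unprivileged: leave uid alone, touch no caps */
    DROP_STAY_ROOT,  /* started as root and asked to stay root */
    DROP_WITH_CAPS   /* started as root: change uid, keep a few caps, fail hard on error */
};

/* The decision from the thread: capability setup is only attempted when
 * the original process uid is zero. A daemon started by an ordinary user
 * (for example with -u and high ports) never reaches capset, so it cannot
 * fail there. */
enum drop_plan plan_privilege_drop(uid_t start_uid, uid_t target_uid)
{
    if (start_uid != 0)
        return DROP_SKIP;
    if (target_uid == 0)
        return DROP_STAY_ROOT;
    return DROP_WITH_CAPS;
}

#ifdef __linux__
/* Raw capset() interface, written out so no libcap is needed.
 * Version 3 (kernels 2.6.26 and later) takes two 32-bit words per set. */
#define CAP_VERSION_3 0x20080522u
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
/* Assumption: NET_ADMIN (ARP cache injection) and NET_RAW (raw sockets)
 * are what such a daemon needs after start-up; everything else goes. */
#define KEEP_CAPS ((1u << CAP_NET_ADMIN) | (1u << CAP_NET_RAW))
struct cap_header { uint32_t version; int pid; };
struct cap_data   { uint32_t effective, permitted, inheritable; };

static int shrink_capabilities(void)
{
    struct cap_header hdr = { CAP_VERSION_3, 0 };
    struct cap_data data[2] = { { KEEP_CAPS, KEEP_CAPS, 0 }, { 0, 0, 0 } };
    return syscall(SYS_capset, &hdr, data) == -1 ? -1 : 0;
}
#endif

/* Returns 0 on success and -1 if the drop failed; the caller must exit
 * non-zero on -1 rather than carry on as root, which is the old soft-error
 * behaviour the thread calls a security hole. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (plan_privilege_drop(getuid(), target_uid) != DROP_WITH_CAPS)
        return 0;   /* nothing to do, and nothing that can fail loudly */

#ifdef __linux__
    /* Keep the permitted set across the uid change; Linux clears the
     * effective set on the way, so it is re-raised by capset below. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
        return -1;
#endif
    if (setgroups(0, NULL) == -1 || setgid(target_gid) == -1 ||
        setuid(target_uid) == -1)
        return -1;
#ifdef __linux__
    if (shrink_capabilities() == -1)
        return -1;
#endif
    /* Prove the drop stuck: CAP_SETUID is gone, so regaining root must fail. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    uid_t start = getuid();
    enum drop_plan plan = plan_privilege_drop(start, 65534); /* assumption: 65534 is nobody */

    if (drop_privileges(65534, 65534) == -1) {
        fprintf(stderr, "dropping privileges failed; refusing to run\n");
        return 1;
    }
    printf("started as uid %u, plan %s, now uid %u\n", (unsigned)start,
           plan == DROP_SKIP ? "skip" : plan == DROP_STAY_ROOT ? "stay root" : "drop with caps",
           (unsigned)geteuid());
    return 0;
}
```

Run as root it changes to the target user and can no longer setuid back; started by an ordinary user, plan_privilege_drop returns DROP_SKIP and the capset path, which is where Patrick's build failed, is never entered, so a non-root start with -u and high ports keeps working.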
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 09:16:10 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To:
References:
Message-ID: <4875C53D.4080304@thekelleys.org.uk>

Helmut Hullen wrote:
> Compiling works (but why does it ask for "nawk" - I haven't installed "nawk").
>
> When I start the new dnsmasq it works in another way than 2.41.
>
> I append "conf-dir=/etc/dnsmasq.d" to "/etc/dnsmasq.conf" and do all my local changes in special files in this subdirectory. It's better to see the changes in a small special file than in the original "dnsmasq.conf" with its nearly 500 lines.
>
> The files in the subdirectory overwrite the options in "dnsmasq.conf" - it's a fine and simple way.
>
> But 2.43rc3 doesn't like duplicate options - and I may not change the behaviour of 2.41.

Thanks for the report. The intention of this was to prohibit configuration with undefined behaviour. There are some options (eg --server) which can be meaningfully repeated and some (eg --user) which can't. It's never been specified what the effect of doing --user twice was, so I wanted to flag it as an error rather than doing something undefined.

Note that it is possible to give a flag on the command line and in the config file: (the file always overrides the command line). That behaviour is documented and has not changed.

I'm sympathetic that this could be changed again to define what overrides what in config files, but in view of the current security panic, I'm not planning to delay this release to do it. For people doing the same thing as Helmut, they will have to work around it: I'm guessing it's very few.

Cheers,

Simon.
From: jasiu at belsznica.pl (Jan Psota)
Date: Thu Jul 10 09:20:20 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 caps failed
In-Reply-To: <4875B905.50403@thekelleys.org.uk>
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org> <4875B905.50403@thekelleys.org.uk>
Message-ID: <20080710101955.76106334@gandalf>

> > On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't
> > happen on other distros), starting this release with the user set
> > to anything other than root fails with this message:
> >
> > dnsmasq: setting capabilities failed: Operation not permitted
> >
>
> I think I may have been guilty of answering the question I expected
> in my last reply. It's valid if what you are talking about is running
> (as root)
>
> dnsmasq --user
>
> if you are actually starting dnsmasq as (presumably
> listening on a high port) then I can see that changing the capability
> error from soft to hard is a problem. The solution is not to attempt
> any of that stuff if the original process uid is non-zero.
>
> I'll fix that before a final release.

?
I use kernel 2.6.25 on recent Gentoo, and have no such problem (and never before had). I never cared about using capabilities (I don't know much about it, but enough to remove capabilities setting from the kernel tun driver -- it does not let me run qemu -net tun as a normal user).

On Gentoo dnsmasq is started that way:

start-stop-daemon --start --exec /usr/sbin/dnsmasq \
    --pidfile /var/run/dnsmasq.pid -- -x /var/run/dnsmasq.pid \
    ${DNSMASQ_OPTS} # =""

so it runs as nobody, as he likes. Running:

dnsmasq --user nobody

as root goes without problems and as normal user I must use:

/usr/sbin/dnsmasq -u jasiu --dhcp-alternate-port 1067 -d -p 1053

and disable the TFTP server because of port numbers.

All on 2.43rc3. Kernel compiled for my machine. Dnsmasq runs well.

-- 
jasiu

From simon at thekelleys.org.uk Thu Jul 10 09:26:41 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 09:26:50 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 caps failed
In-Reply-To: <20080710101955.76106334@gandalf>
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org> <4875B905.50403@thekelleys.org.uk> <20080710101955.76106334@gandalf>
Message-ID: <4875C7C1.6020908@thekelleys.org.uk>

Jan Psota wrote:
>>> On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't
>>> happen on other distros), starting this release with the user set
>>> to anything other than root fails with this message:
>>>
>>> dnsmasq: setting capabilities failed: Operation not permitted
>>>
>> I think I may have been guilty of answering the question I expected
>> in my last reply. It's valid if what you are talking about is running
>> (as root)
>>
>> dnsmasq --user
>>
>> if you are actually starting dnsmasq as (presumably
>> listening on a high port) then I can see that changing the capability
>> error from soft to hard is a problem. The solution is not to attempt
>> any of that stuff if the original process uid is non-zero.
>>
>> I'll fix that before a final release.
> ?
> I use kernel 2.6.25 on recent Gentoo, and have no such problem (and
> never before had). I never cared about using capabilities (I don't know
> much about it, but enough to remove capabilities setting from the kernel
> tun driver -- it does not let me run qemu -net tun as a normal user).
> On Gentoo dnsmasq is started that way:
> start-stop-daemon --start --exec /usr/sbin/dnsmasq \
>     --pidfile /var/run/dnsmasq.pid -- -x /var/run/dnsmasq.pid \
>     ${DNSMASQ_OPTS} # =""
> so it runs as nobody, as he likes. Running:
> dnsmasq --user nobody
> as root goes without problems and as normal user I must use:
> /usr/sbin/dnsmasq -u jasiu --dhcp-alternate-port 1067 -d -p 1053
> and disable the TFTP server because of port numbers.
> All on 2.43rc3. Kernel compiled for my machine. Dnsmasq runs well.
>

OK, that's good info, thanks.
It looks like the original problem is just running dnsmasq as an ordinary user. You're not seeing the problem because you're using the '-d' flag, which suppresses all uid-munging. If you remove -d, I guess you'll see the same problem as the OP.

It will be fixed for the final release.

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Jul 10 09:30:48 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 09:30:57 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 pl.po
In-Reply-To: <20080710005053.79f22b90@gandalf>
References: <48751EE9.7000807@thekelleys.org.uk> <20080710005053.79f22b90@gandalf>
Message-ID: <4875C8B8.3030002@thekelleys.org.uk>

Jan Psota wrote:
> Don't You think it would be much more readable if every message
> die(_("It shouldn't happen. :-(")) writes be prefixed with "ERROR: "
> --> ERROR: it shouldn't happen :-(
> or "ERROR! "
> --> ERROR! It shouldn't happen. :-(
>
> Cheerful holiday! :-)
>

Many thanks.

It does log FAILED to start up on the next line. Is that loud enough?

Cheers,

Simon.

From Hullen at t-online.de Thu Jul 10 09:42:00 2008
From: Hullen at t-online.de (Helmut Hullen)
Date: Thu Jul 10 10:00:02 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <4875C53D.4080304@thekelleys.org.uk>
Message-ID:

Hello, Simon,

You wrote on 10.07.08 on the subject Re: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.:

>> When I start the new dnsmasq it works in another way than 2.41.

[...]

>> The files in the subdirectory overwrite the options in
>> "dnsmasq.conf" - it's a fine and simple way.
>>
>> But 2.43rc3 doesn't like duplicate options - and I may not change
>> the behaviour of 2.41.

> The intention of this was to prohibit configuration with undefined
> behaviour. There are some options (eg --server) which can be
> meaningfully repeated and some (eg --user) which can't.

2.43rc3 doesn't accept a second "expand hosts", and it doesn't accept a second "filterwin2k". Then I stopped the further examination ...

In a shell script the lines

var1=abcde
var1=12345
var1=ab12e

lead to "var1=ab12e" - that's the behaviour of dnsmasq 2.41 too. It simplifies working with included configuration files.

Please restore the old behaviour - thank you!

By the way: 2.43rc3 can recognise duplicates - it should be able to sort these duplicates in another way than "allowed" or "not allowed".

Best regards!
Helmut

From simon at thekelleys.org.uk Thu Jul 10 10:07:57 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 10:08:10 2008
Subject: [Dnsmasq-discuss] 2.43rc4
Message-ID: <4875D16D.2050905@thekelleys.org.uk>

I've put

http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc4.tar.gz

in place. It fixes the "can't be run as non-root user" problem and includes Jan's updated translation. It's there for completeness: results from testing rc3 are almost as valuable as those from rc4.

Cheers,

Simon.

From jamie.riden at gmail.com Thu Jul 10 12:35:48 2008
From: jamie.riden at gmail.com (Jamie Riden)
Date: Thu Jul 10 12:36:07 2008
Subject: [Dnsmasq-discuss] 2.43rc4
In-Reply-To: <4875D16D.2050905@thekelleys.org.uk>
References: <4875D16D.2050905@thekelleys.org.uk>
Message-ID: <17b0fcab0807100435ia2c9afdw3c0eba3d3ed53571@mail.gmail.com>

We're running a fairly cut-down linux, almost certainly without capabilities. Only works if it doesn't try to drop privs.

# dnsmasq -k --log-facility=/dev/console
Jul 10 00:05:15 dnsmasq[6078]: setting capabilities failed: Operation not permitted
Jul 10 00:05:15 dnsmasq[6078]: FAILED to start up

But runs OK as:

# dnsmasq -k -u root

though, so no problem for us. Source port randomisation looks great.

cheers,
Jamie

2008/7/10 Simon Kelley :
> I've put
>
> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc4.tar.gz
>
> in place. It fixes the "can't be run as non-root user" problem and
> includes Jan's updated translation. It's there for completeness: results
> from testing rc3 are almost as valuable as those from rc4.
>
> Cheers,
>
> Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From jw5-dns at os.inf.tu-dresden.de Thu Jul 10 12:42:38 2008
From: jw5-dns at os.inf.tu-dresden.de (Jean Wolter)
Date: Thu Jul 10 12:42:56 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <4875B905.50403@thekelleys.org.uk> (Simon Kelley's message of "Thu, 10 Jul 2008 08:23:49 +0100")
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org> <4875B905.50403@thekelleys.org.uk>
Message-ID: <86y74aklsh.fsf@erwin.inf.tu-dresden.de>

Simon Kelley writes:
> Patrick McLean wrote:
>> On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't
>> happen on other distros), starting this release with the user set to
>> anything other than root fails with this message:
>> dnsmasq: setting capabilities failed: Operation not permitted
>>
>
> I think I may have been guilty of answering the question I expected in
> my last reply. It's valid if what you are talking about is running (as
> root)
>
> dnsmasq --user
>
> if you are actually starting dnsmasq as (presumably
> listening on a high port) then I can see that changing the capability
> error from soft to hard is a problem. The solution is not to attempt
> any of that stuff if the original process uid is non-zero.

I tried dnsmasq *rc4
- on 2.6.16.60
- with SECURITY* disabled in its config
  zcat /proc/config.gz | grep SECURITY
  # CONFIG_SECURITY is not set
- started with uid 0

and it fails to drop privileges. From an strace:

2302 capset(0x19980330, -1208317308, {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) = -1 EPERM (Operation not permitted)
2302 write(9, "\f\0\0\0\1\0\0\0", 8
2298 <... read resumed> "\f\0\0\0\1\0\0\0", 8) = 8
2302 <... write resumed> ) = 8
2298 write(2, "\n", 1
2302 _exit(0) = ?
2298 <...
write resumed> ) = 1 2298 getpid() = 2298 2298 write(2, "dnsmasq: ", 9) = 9 2298 write(2, "setting capabilities failed: ", 29) = 29 2298 write(2, "Operation not permitted", 23) = 23 2298 write(2, "\n", 1) = 1 # getuid/geteuid added for debugging purposes 2298 geteuid() = 0 2298 getuid() = 0 It looks like this happens due to some uninitialized values (pid -1208317308); dnsmasq tries to set capabilities for arbitrary process ids. If I add the following, capset succeeds: --- dnsmasq-2.43rc4/src/dnsmasq.c.orig 2008-07-10 13:08:59.000000000 +0200 +++ dnsmasq-2.43rc4/src/dnsmasq.c 2008-07-10 12:58:16.000000000 +0200 @@ -383,6 +383,7 @@ (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_SETUID); /* Tell kernel to not clear capabilities when dropping root */ + hdr->pid = getpid(); if (capset(hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1) == -1) bad_capabilities = errno; 2334 capset(0x19980330, 2334, {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) = 0 2334 capset(0x19980330, 2334, {CAP_NET_ADMIN|CAP_NET_RAW, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0 dnsmasq starts and resolves names. regards, Jean From weizen_42 at ipcop-forum.de Thu Jul 10 12:50:09 2008 
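Review bot: The added `hdr->pid = getpid();` hides the underlying defect instead of removing it. The strace line `capset(0x19980330, -1208317308, ...)` shows the header going to the kernel with a never-initialised pid, and for `struct __user_cap_header_struct` a pid of 0 already means "the calling process", so the field should never need an explicit getpid() at all. The change that belongs at this point in the hunk is the `memset(hdr, 0, sizeof(*hdr))` that zeroes the whole header before the version field is filled in; with that in place both `pid` and any other header field start from a known state, and the getpid() line becomes unnecessary.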
From: weizen_42 at ipcop-forum.de (Olaf Westrik)
Date: Thu Jul 10 12:50:29 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <86y74aklsh.fsf@erwin.inf.tu-dresden.de>
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org> <4875B905.50403@thekelleys.org.uk> <86y74aklsh.fsf@erwin.inf.tu-dresden.de>
Message-ID: <4875F771.1080808@ipcop-forum.de>

Jean Wolter wrote:
> I tried dnsmasq *rc4
> - on 2.6.16.60
> - with SECURITY* disabled in its config
>   zcat /proc/config.gz | grep SECURITY
>   # CONFIG_SECURITY is not set
> - started with uid 0
> and it fails to drop privileges. From an strace:

Same here for rc2, rc3 and rc4.
dnsmasq 2.42 is OK, so is using dnsmasq -u root

Running on kernel 2.6.24.7, CONFIG_SECURITY is not set

My strace looks very similar to Jean's.

Olaf

From simon at thekelleys.org.uk Thu Jul 10 13:23:44 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 13:23:59 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <86y74aklsh.fsf@erwin.inf.tu-dresden.de>
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org> <4875B905.50403@thekelleys.org.uk> <86y74aklsh.fsf@erwin.inf.tu-dresden.de>
Message-ID: <4875FF50.8090504@thekelleys.org.uk>

Jean Wolter wrote:
> Simon Kelley writes:
>
>> Patrick McLean wrote:
>>> On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't
>>> happen on other distros), starting this release with the user set to
>>> anything other than root fails with this message:
>>> dnsmasq: setting capabilities failed: Operation not permitted
>>>
>> I think I may have been guilty of answering the question I expected in
>> my last reply. It's valid if what you are talking about is running (as
>> root)
>>
>> dnsmasq --user
>>
>> if you are actually starting dnsmasq as (presumably
>> listening on a high port) then I can see that changing the capability
>> error from soft to hard is a problem. The solution is not to attempt
>> any of that stuff if the original process uid is non-zero.
>
> I tried dnsmasq *rc4
> - on 2.6.16.60
> - with SECURITY* disabled in its config
>   zcat /proc/config.gz | grep SECURITY
>   # CONFIG_SECURITY is not set
> - started with uid 0
> and it fails to drop privileges. From an strace:
>
> 2302 capset(0x19980330, -1208317308,
> {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW,
> CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) = -1 EPERM (Operation not permitted)
> 2302 write(9, "\f\0\0\0\1\0\0\0", 8
> 2298 <... read resumed> "\f\0\0\0\1\0\0\0", 8) = 8
> 2302 <... write resumed> ) = 8
> 2298 write(2, "\n", 1
> 2302 _exit(0) = ?
> 2298 <...
write resumed> ) = 1 > 2298 getpid() = 2298 > 2298 write(2, "dnsmasq: ", 9) = 9 > 2298 write(2, "setting capabilities failed: ", 29) = 29 > 2298 write(2, "Operation not permitted", 23) = 23 > 2298 write(2, "\n", 1) = 1 > # getuid/geteuid added for debugging purposes > 2298 geteuid() = 0 > 2298 getuid() = 0 > > It looks like this happens due to some uninitialized values (pid > -1208317308); dnsmasq tries to set capabilities for arbitrary process > ids. If I add the following, capset succeeds: > > --- dnsmasq-2.43rc4/src/dnsmasq.c.orig 2008-07-10 13:08:59.000000000 +0200 > +++ dnsmasq-2.43rc4/src/dnsmasq.c 2008-07-10 12:58:16.000000000 +0200 > @@ -383,6 +383,7 @@ > (1 << CAP_NET_ADMIN) | (1 << CAP_NET_RAW) | (1 << CAP_SETUID); > > /* Tell kernel to not clear capabilities when dropping root */ > + hdr->pid = getpid(); > if (capset(hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1) == -1) > bad_capabilities = errno; > > > 2334 capset(0x19980330, 2334, {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, > CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, > CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) = 0 > 2334 capset(0x19980330, 2334, {CAP_NET_ADMIN|CAP_NET_RAW, > CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0 > > dnsmasq starts and resolves names. > Kudos! Thanks for spotting that. The bug that causes this is more subtle but more dangerous: hdr->pid is supposed to be zero, which means "the current process", but the memset that clears hdr to zero got lost when the code for determining the capability ABI version was moved to earlier in the file. I also found that the memset zeroing the capability data had args 2 and 3 swapped. New rc soon...... Cheers, Simon. From Hullen at t-online.de Thu Jul 10 13:44:00 2008 
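The privilege-drop sequence that Jean's strace and Simon's diagnosis describe, written out as an added example (it is neither dnsmasq's own code nor Jean's patch): the capability header is zeroed so pid stays 0 ("the calling process"), the ABI version is probed from the kernel with capget() rather than hard-coded, memset() gets its arguments in the documented order, and the two capset() calls mirror the working trace. CAP_NET_ADMIN, CAP_NET_RAW and CAP_SETUID come from linux/capability.h; the uid/gid 65534 used in main is a constructed placeholder for an unprivileged account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Capabilities kept across the uid change, as in the first capset() of the trace. */
#define KEEP_CAPS ((1u << CAP_NET_ADMIN) | (1u << CAP_NET_RAW) | (1u << CAP_SETUID))
/* What remains once setuid() is done and CAP_SETUID is no longer needed. */
#define RUN_CAPS  ((1u << CAP_NET_ADMIN) | (1u << CAP_NET_RAW))

typedef struct __user_cap_header_struct cap_hdr_t;
typedef struct __user_cap_data_struct   cap_data_t;

/* Raw syscalls, no libcap dependency, which is also how dnsmasq does it. */
static int sys_capget(cap_hdr_t *h, cap_data_t *d) { return (int)syscall(SYS_capget, h, d); }
static int sys_capset(cap_hdr_t *h, cap_data_t *d) { return (int)syscall(SYS_capset, h, d); }

/* Fill in the capability header from a zeroed state.
   pid == 0 means "the calling process"; an uninitialised pid is exactly
   the EPERM seen in the thread.  The version is probed: capget() with an
   unknown version writes the kernel's preferred version back into hdr
   (returning 0 with a NULL data pointer on current kernels, EINVAL on old ones). */
int init_cap_header(cap_hdr_t *hdr)
{
    memset(hdr, 0, sizeof(*hdr));          /* (ptr, value, size): zero it all */
    hdr->version = 0;                       /* deliberately unknown: ask the kernel */
    if (sys_capget(hdr, NULL) == -1 && errno != EINVAL)
        return -1;
    if (hdr->version == 0 || hdr->pid != 0)
        return -1;                          /* kernel did not answer the probe */
    return 0;
}

/* Check callable without privileges: returns 1 when the probe yields
   pid 0 and one of the capability ABI versions the kernel defines. */
int cap_header_is_sane(void)
{
    cap_hdr_t hdr;
    if (init_cap_header(&hdr) == -1)
        return 0;
    return hdr.pid == 0 &&
           (hdr.version == _LINUX_CAPABILITY_VERSION_1 ||
            hdr.version == _LINUX_CAPABILITY_VERSION_2 ||
            hdr.version == _LINUX_CAPABILITY_VERSION_3);
}

/* Drop root to uid/gid while retaining only RUN_CAPS.  Same two-capset
   shape as the working strace: shrink to KEEP_CAPS and ask the kernel to
   keep them over setuid(), change identity, then drop CAP_SETUID. */
int drop_root_keep_caps(uid_t uid, gid_t gid)
{
    cap_hdr_t hdr;
    cap_data_t data[2];                     /* v2/v3 use two u32 words, v1 one */

    if (init_cap_header(&hdr) == -1)
        return -1;
    memset(data, 0, sizeof(data));          /* not memset(data, sizeof(data), 0) */
    data[0].effective = data[0].permitted = data[0].inheritable = KEEP_CAPS;
    if (sys_capset(&hdr, data) == -1 || prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
        return -1;
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* setuid() cleared the effective set; re-arm it without CAP_SETUID. */
    data[0].effective = data[0].permitted = RUN_CAPS;
    data[0].inheritable = 0;
    return sys_capset(&hdr, data);
}

int main(void)
{
    if (!cap_header_is_sane()) {
        perror("capability header probe");
        return 1;
    }
    if (getuid() != 0) {
        puts("header probe OK; not root, so not dropping privileges");
        return 0;
    }
    /* 65534 is a constructed placeholder for an unprivileged account. */
    if (drop_root_keep_caps(65534, 65534) == -1) {
        perror("setting capabilities failed");
        return 1;
    }
    printf("now uid %u with CAP_NET_ADMIN|CAP_NET_RAW only\n", (unsigned)getuid());
    return 0;
}
```

Run as root it performs the drop; run unprivileged it only exercises the header probe, which is the part the bug in the thread broke.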
From: Hullen at t-online.de (Helmut Hullen)
Date: Thu Jul 10 13:47:05 2008
Subject: [Dnsmasq-discuss] 2.43rc4
References: <4875D16D.2050905@thekelleys.org.uk>
Message-ID:

Hello, Simon,

You wrote on 10.07.08 on the subject [Dnsmasq-discuss] 2.43rc4:

> I've put

> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc4.tar.gz

> in place.

Compiling works well (Slackware 12.1, Kernel 2.6.25.2).

http://arktur.shuttle.de/CD/5.0/Patches/dnsmasq-2.43rc4-i486-1hln.tgz

(Works under Slackware 11.0, 12.0 and 12.1)

It runs on one machine without any warning, on another machine (same Slackware, same Kernel) it tells "setting capabilities failed: ..."
Same failure on a machine with Slackware 11 and Kernel 2.6.22.6

Kernel 2.6.25.2 compiling options (home brewed kernel):

CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_FILE_CAPABILITIES=y

Adding the option "-d" in the "start" sequence in "/etc/rc.d/rc.dnsmasq" avoids the message (and presumably the error), but that's no solution.

Adding "--user=root" is another quick but dirty solution.

--------------------------------------

There is a problem with the dnsmasq options, still (stopping instead of overwriting if there is some option defined twice).

But it may be a more slackware related problem - slackware doesn't delete the *.new configuration files, and "dnsmasq" reads every file under the "conf-dir=xyz" subdirectory (where I put my special local configuration files).
I'll clear that problem on my side.

Putting options in the command line is no good advice at least for slackware: "/etc/rc.d/rc.dnsmasq start" has no place for such options.

Best regards!
Helmut

From simon at thekelleys.org.uk Thu Jul 10 13:47:40 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 13:47:52 2008
Subject: [Dnsmasq-discuss] 2.43rc5
Message-ID: <487604EC.6090406@thekelleys.org.uk>

Is there. This (I hope) fixes the capabilities bug seen by Jean, Olaf and Jamie.

It also relaxes the new checks on repeated options, so that setting binary flags (--expand-hosts, --no-negcache, etc) can be repeated, but not value-setting things like --user --group, since the order that configuration files are read in is notionally undefined, and also practically undefined when using --conf-dir.

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Jul 10 13:50:16 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 13:50:30 2008
Subject: [Dnsmasq-discuss] 2.43rc4
In-Reply-To:
References: <4875D16D.2050905@thekelleys.org.uk>
Message-ID: <48760588.7050405@thekelleys.org.uk>

Helmut Hullen wrote:
> Hello, Simon,
>
> You wrote on 10.07.08 on the subject [Dnsmasq-discuss] 2.43rc4:
>
>> I've put
>
>> http://www.thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.43rc4.tar.gz
>
>> in place.
>
> Compiling works well (Slackware 12.1, Kernel 2.6.25.2).
>
> http://arktur.shuttle.de/CD/5.0/Patches/dnsmasq-2.43rc4-i486-1hln.tgz
>
> (Works under Slackware 11.0, 12.0 and 12.1)
>
> It runs on one machine without any warning, on another machine (same
> Slackware, same Kernel) it tells "setting capabilities failed: ..."
> Same failure on a machine with Slackware 11 and Kernel 2.6.22.6
>
> Kernel 2.6.25.2 compiling options (home brewed kernel):
>
> CONFIG_SECURITY_CAPABILITIES=y
> CONFIG_SECURITY_FILE_CAPABILITIES=y
>
>
> Adding the option "-d" in the "start" sequence in "/etc/rc.d/rc.dnsmasq"
> avoids the message (and presumably the error), but that's no solution.
>
> Adding "--user=root" is another quick but dirty solution.

Should be fixed in 2.43rc5

>
> --------------------------------------
>
> There is a problem with the dnsmasq options, still (stopping instead of
> overwriting if there is some option defined twice).
>

That's relaxed to allow binary flags to be repeated in 2.43rc5

> But it may be a more slackware related problem - slackware doesn't
> delete the *.new configuration files, and "dnsmasq" reads every file
> under the "conf-dir=xyz" subdirectory (where I put my special local
> configuration files).
> I'll clear that problem on my side.
>
> Putting options in the command line is no good advice at least for
> slackware: "/etc/rc.d/rc.dnsmasq start" has no place for such options.
>

Cheers,

Simon.

From Hullen at t-online.de Thu Jul 10 14:45:00 2008
From: Hullen at t-online.de (Helmut Hullen)
Date: Thu Jul 10 14:46:53 2008
Subject: [Dnsmasq-discuss] 2.43rc5
In-Reply-To: <487604EC.6090406@thekelleys.org.uk>
Message-ID:

Hello, Simon,

You (simon) wrote on 10.07.08:

> Is there. This (I hope) fixes the capabilities bug seen by Jean, Olaf
> and Jamie.

Works under Slackware 11.0 and 12.1 - thank you!

Best regards!
Helmut

From jima at beer.tclug.org Thu Jul 10 15:19:05 2008
From: jima at beer.tclug.org (Jima)
Date: Thu Jul 10 15:19:47 2008
Subject: [Dnsmasq-discuss] 2.43rc5
In-Reply-To: <487604EC.6090406@thekelleys.org.uk>
References: <487604EC.6090406@thekelleys.org.uk>
Message-ID:

On Thu, 10 Jul 2008, Simon Kelley wrote:
> Is there. This (I hope) fixes the capabilities bug seen by Jean, Olaf and
> Jamie.

Testing now on my Fedora setups.

Jima

From weizen_42 at ipcop-forum.de Thu Jul 10 15:30:21 2008
From: weizen_42 at ipcop-forum.de (Olaf Westrik)
Date: Thu Jul 10 15:30:40 2008
Subject: [Dnsmasq-discuss] 2.43rc5
In-Reply-To:
References:
Message-ID: <48761CFD.3010707@ipcop-forum.de>

>> Is there. This (I hope) fixes the capabilities bug seen by Jean, Olaf
>> and Jamie.
>
> Works under Slackware 11.0 and 12.1 - thank you!

Works for me too. Thx.
Randomize works, fixing query port works, reverting to old behavior works too.

Olaf (who is a happy camper now)

PS: in the rc3 announcement a --source-port=0 parameter was mentioned. That should probably read --query-port=0 ;-)

From chutzpah at gentoo.org Thu Jul 10 15:53:54 2008
From: chutzpah at gentoo.org (Patrick McLean)
Date: Thu Jul 10 15:54:14 2008
Subject: [Dnsmasq-discuss] 2.43rc5
In-Reply-To: <487604EC.6090406@thekelleys.org.uk>
References: <487604EC.6090406@thekelleys.org.uk>
Message-ID: <48762282.3060509@gentoo.org>

Simon Kelley wrote:
> Is there. This (I hope) fixes the capabilities bug seen by Jean, Olaf and
> Jamie.
>

Fixes it for me as well. I have added this version to the Gentoo portage tree so there should be a couple of thousand testers within a day or two.

From cmorse at unm.edu Thu Jul 10 16:02:43 2008
From: cmorse at unm.edu (Caleb Morse)
Date: Thu Jul 10 16:03:04 2008
Subject: [Dnsmasq-discuss] Problem with dnsmasq and Dell 1650
Message-ID:

I'm getting a weird error TFTP booting a Dell 1650 I have. I'm running version 1.38 of dnsmasq and the latest version of the Dell BIOS.

Here's a screenshot of the error:
http://cid-e78c66ec0a11df6a.skydrive.live.com/self.aspx/Public/screenshot.jpg

Here's a dump from wireshark:
http://cid-e78c66ec0a11df6a.skydrive.live.com/self.aspx/Public/capture-good

I can PXE boot from other computers without any problems.

-- Caleb

From simon at thekelleys.org.uk Thu Jul 10 17:03:19 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 17:03:31 2008
Subject: [Dnsmasq-discuss] 2.43rc6
Message-ID: <487632C7.3000007@thekelleys.org.uk>

It's looking good. One last change (hopes!) This adds a config option

--min-port=

to tell dnsmasq not to use ports below to select random ports. That way I can again block external access to all the scary udp-listening daemons on my server without getting in the way of dnsmasq

I run --min-port=4096

Just releasing this for Jan, since it has a couple more messages and a man-page entry and he'd never forgive me if the final release was incomplete in Polish!

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Jul 10 17:08:42 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 10 17:08:55 2008
Subject: [Dnsmasq-discuss] Problem with dnsmasq and Dell 1650
In-Reply-To:
References:
Message-ID: <4876340A.60300@thekelleys.org.uk>

Caleb Morse wrote:
> I'm getting a weird error TFTP booting a Dell 1650 I have. I'm running
> version 1.38 of dnsmasq and the latest version of the Dell BIOS.
>
> Here's a screenshot of the error:
> http://cid-e78c66ec0a11df6a.skydrive.live.com/self.aspx/Public/screenshot.jpg
>
> Here's a dump from wireshark:
> http://cid-e78c66ec0a11df6a.skydrive.live.com/self.aspx/Public/capture-good
>
> I can PXE boot from other computers without any problems.

That's weird, the packet capture shows a perfectly normal DHCP, loading PXElinux and the pxelinux config file, which doesn't seem to fit at all with what's on the screen. Are you sure you're capturing the traffic from that computer?

Cheers,

Simon.

>
> -- Caleb
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From cmorse at unm.edu Thu Jul 10 17:13:13 2008
From: cmorse at unm.edu (Caleb Morse)
Date: Thu Jul 10 17:13:33 2008
Subject: [Dnsmasq-discuss] Problem with dnsmasq and Dell 1650
In-Reply-To: <4876340A.60300@thekelleys.org.uk>
References: <4876340A.60300@thekelleys.org.uk>
Message-ID:

I'm absolutely sure it's coming from that computer as they are the only two computers connected to that switch.

-- Caleb

On Thu, Jul 10, 2008 at 10:08, Simon Kelley wrote:
> Caleb Morse wrote:
> > I'm getting a weird error TFTP booting a Dell 1650 I have. I'm running
> > version 1.38 of dnsmasq and the latest version of the Dell BIOS.
> >
> > Here's a screenshot of the error:
> > http://cid-e78c66ec0a11df6a.skydrive.live.com/self.aspx/Public/screenshot.jpg
> >
> > Here's a dump from wireshark:
> > http://cid-e78c66ec0a11df6a.skydrive.live.com/self.aspx/Public/capture-good
> >
> > I can PXE boot from other computers without any problems.
>
> That's weird, the packet capture shows a perfectly normal DHCP, loading
> PXElinux and the pxelinux config file, which doesn't seem to fit at all
> with what's on the screen. Are you sure you're capturing the traffic from
> that computer?
>
> Cheers,
>
> Simon.
>
> >
> > -- Caleb
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From jima at beer.tclug.org Thu Jul 10 17:36:37 2008
From: jima at beer.tclug.org (Jima)
Date: Thu Jul 10 17:37:13 2008
Subject: [Dnsmasq-discuss] 2.43rc6
In-Reply-To: <487632C7.3000007@thekelleys.org.uk>
References: <487632C7.3000007@thekelleys.org.uk>
Message-ID:

On Thu, 10 Jul 2008, Simon Kelley wrote:
> It's looking good. One last change (hopes!) This adds a config option
>
> --min-port=

No --max-port? *ducks*

Will spin up shortly.

Jima

From g.esp at free.fr Thu Jul 10 18:38:31 2008
From: g.esp at free.fr (Gilles Espinasse)
Date: Thu Jul 10 18:36:10 2008
Subject: [Dnsmasq-discuss] Problem with dnsmasq and Dell 1650
References: <4876340A.60300@thekelleys.org.uk>
Message-ID: <03b201c8e2b3$c58c78c0$f9b5a8c0@pii350>

----- Original Message -----
From: Caleb Morse
To: Simon Kelley
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Sent: Thursday, July 10, 2008 6:13 PM
Subject: Re: [Dnsmasq-discuss] Problem with dnsmasq and Dell 1650

> I'm getting a weird error TFTP booting a Dell 1650 I have. I'm running
> version 1.38 of dnsmasq and the latest version of the Dell BIOS.
>

Boot-agent 1.8.14 is very old. I have v4.1.19 in all my Intel nics I can update. 4.1.19 is old too but I have no problems, so as it runs,...

Is it a motherboard-integrated nic, so depending on the bios for the boot agent?
If this is not the case, I would suggest updating the boot agent, that's easy with a dos floppy and the Intel program.

Gilles

From steven at springl.ukfsn.org Thu Jul 10 18:36:48 2008
From: steven at springl.ukfsn.org (Steven Jan Springl)
Date: Thu Jul 10 18:37:07 2008
Subject: [Dnsmasq-discuss] 2.43rc5
In-Reply-To: <487604EC.6090406@thekelleys.org.uk>
References: <487604EC.6090406@thekelleys.org.uk>
Message-ID: <200807101836.48303.steven@springl.ukfsn.org>

Simon

I have tested it on the following systems:

Debian Etch with supplied kernel
Debian Etch with kernel 2.6.26.rc9
Ubuntu 7.10 with supplied kernel

and with each of the following query-port settings:

query-port=0
query-port=1153
query-port not set

They all work as expected.

Steven.

From g.esp at free.fr Thu Jul 10 22:53:01 2008
From: g.esp at free.fr (Gilles Espinasse)
Date: Thu Jul 10 22:50:40 2008
Subject: [Dnsmasq-discuss] Problem with dnsmasq and Dell 1650
References: <4876340A.60300@thekelleys.org.uk> <03b201c8e2b3$c58c78c0$f9b5a8c0@pii350>
Message-ID: <040301c8e2d7$5311a350$f9b5a8c0@pii350>

----- Original Message -----
From: Caleb Morse
To: Gilles Espinasse
Sent: Thursday, July 10, 2008 10:40 PM
Subject: Re: [Dnsmasq-discuss] Problem with dnsmasq and Dell 1650

> Actually, it's boot-agent 1.0.14. It's a little hard to read with the picture.
>
> The nic is built into the motherboard.
> I have tried to find a place to download the updated boot agent but I have
> been unable to find it. Do you have a link?
>

http://downloadcenter.intel.com/Product_Search.aspx?Prod_nm=proboot

But with the nic built into the motherboard, the boot agent is included in the bios and it could be very hard to update the boot agent without a bios update.
That's at least very hackish to extract the different parts of the bios to replace only the boot agent part. I should say I don't know how to do that.

You probably should fix the double / in the path of tftp in /var/lib/perceus//tftp/pxelinux.cfg
It may disturb the pxe stack.

You should try with pxelinux.0 from 3.70 (you have 3.36)
You may try with another tftp server or in 3.70 to boot from an http server with gpxe.

Gilles

From carlos at fisica.ufpr.br Fri Jul 11 00:15:50 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Fri Jul 11 00:16:45 2008
Subject: [Dnsmasq-discuss] 2.43rc6
In-Reply-To: <487632C7.3000007@thekelleys.org.uk>
References: <487632C7.3000007@thekelleys.org.uk>
Message-ID: <18550.38950.661555.149282@fisica.ufpr.br>

Tried rc5 with kernel 2.6.25.10 without using query-port and setting it to zero without problems. It's started as root with -u user. I don't use the capability stuff though.

I'll continue to use query-port=0 to save something because I use dnscache on the same machine to do the resolving. However I doubt it makes a difference. I noticed that dnscache uses less cpu than dnsmasq, even though its query load is much higher. The difference seems to be in the time-stamping of logs; dnsmasq generates the timestamps, while dnscache doesn't. For dnscache they're done by syslog-ng, which in turn uses quite a bit more cpu... I didn't turn off logging in dnsmasq to test it because it's not important and not worth losing the logs.

From chutzpah at gentoo.org Thu Jul 10 15:34:17 2008
From: chutzpah at gentoo.org (Patrick McLean)
Date: Fri Jul 11 07:17:10 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.43rc3 available.
In-Reply-To: <4875AB23.4010209@thekelleys.org.uk>
References: <48751EE9.7000807@thekelleys.org.uk> <48754EB2.2010804@gentoo.org> <4875AB23.4010209@thekelleys.org.uk>
Message-ID: <48761DE9.7080900@gentoo.org>

Simon Kelley wrote:
> Patrick McLean wrote:
>> On Linux 2.6.24 (Gentoo kernel, though I don't see why it wouldn't
>> happen on other distros), starting this release with the user set to
>> anything other than root fails with this message:
>>
>> dnsmasq: setting capabilities failed: Operation not permitted
>>
>
> Hmm, would it be possible to revert to an earlier version of dnsmasq,
> and check the log messages at startup? I suspect that you will find that
> dnsmasq was logging a winge about the same thing, and then running as
> root anyway. This (former) behaviour is seen as a security hole and so
> has changed.

dnsmasq 2.42 starts up fine running as root with the --user option. There are no errors about setting capabilities in the log file. Also, running ps reveals that dnsmasq is running as the specified non-root user.

> The thing which I know can cause the problem is a kernel configuration.
> The dnsmasq FAQ states that the solution is "either deselect
> CONFIG_SECURITY_or_ select CONFIG_SECURITY_CAPABILITIES" but I suspect
> that it may be more complicated than that.

I have CONFIG_SECURITY deselected in my kernel. I also (replying to your other message) am running dnsmasq as root with the --user option in the config file.

> An strace would be useful (use strace -f, from dnsmasq with the -k flag)
> and a close look at how Gentoo configures security in its kernel.

There is a strace attached to this message, Gentoo actually does not configure kernels by default, kernel configuration is left up to the user (there are some preset configs that the user can start from, though).
EBADF (Bad file descriptor) close(812) = -1 EBADF (Bad file descriptor) close(813) = -1 EBADF (Bad file descriptor) close(814) = -1 EBADF (Bad file descriptor) close(815) = -1 EBADF (Bad file descriptor) close(816) = -1 EBADF (Bad file descriptor) close(817) = -1 EBADF (Bad file descriptor) close(818) = -1 EBADF (Bad file descriptor) close(819) = -1 EBADF (Bad file descriptor) close(820) = -1 EBADF (Bad file descriptor) close(821) = -1 EBADF (Bad file descriptor) close(822) = -1 EBADF (Bad file descriptor) close(823) = -1 EBADF (Bad file descriptor) close(824) = -1 EBADF (Bad file descriptor) close(825) = -1 EBADF (Bad file descriptor) close(826) = -1 EBADF (Bad file descriptor) close(827) = -1 EBADF (Bad file descriptor) close(828) = -1 EBADF (Bad file descriptor) close(829) = -1 EBADF (Bad file descriptor) close(830) = -1 EBADF (Bad file descriptor) close(831) = -1 EBADF (Bad file descriptor) close(832) = -1 EBADF (Bad file descriptor) close(833) = -1 EBADF (Bad file descriptor) close(834) = -1 EBADF (Bad file descriptor) close(835) = -1 EBADF (Bad file descriptor) close(836) = -1 EBADF (Bad file descriptor) close(837) = -1 EBADF (Bad file descriptor) close(838) = -1 EBADF (Bad file descriptor) close(839) = -1 EBADF (Bad file descriptor) close(840) = -1 EBADF (Bad file descriptor) close(841) = -1 EBADF (Bad file descriptor) close(842) = -1 EBADF (Bad file descriptor) close(843) = -1 EBADF (Bad file descriptor) close(844) = -1 EBADF (Bad file descriptor) close(845) = -1 EBADF (Bad file descriptor) close(846) = -1 EBADF (Bad file descriptor) close(847) = -1 EBADF (Bad file descriptor) close(848) = -1 EBADF (Bad file descriptor) close(849) = -1 EBADF (Bad file descriptor) close(850) = -1 EBADF (Bad file descriptor) close(851) = -1 EBADF (Bad file descriptor) close(852) = -1 EBADF (Bad file descriptor) close(853) = -1 EBADF (Bad file descriptor) close(854) = -1 EBADF (Bad file descriptor) close(855) = -1 EBADF (Bad file descriptor) close(856) = -1 EBADF (Bad file 
descriptor) close(857) = -1 EBADF (Bad file descriptor) close(858) = -1 EBADF (Bad file descriptor) close(859) = -1 EBADF (Bad file descriptor) close(860) = -1 EBADF (Bad file descriptor) close(861) = -1 EBADF (Bad file descriptor) close(862) = -1 EBADF (Bad file descriptor) close(863) = -1 EBADF (Bad file descriptor) close(864) = -1 EBADF (Bad file descriptor) close(865) = -1 EBADF (Bad file descriptor) close(866) = -1 EBADF (Bad file descriptor) close(867) = -1 EBADF (Bad file descriptor) close(868) = -1 EBADF (Bad file descriptor) close(869) = -1 EBADF (Bad file descriptor) close(870) = -1 EBADF (Bad file descriptor) close(871) = -1 EBADF (Bad file descriptor) close(872) = -1 EBADF (Bad file descriptor) close(873) = -1 EBADF (Bad file descriptor) close(874) = -1 EBADF (Bad file descriptor) close(875) = -1 EBADF (Bad file descriptor) close(876) = -1 EBADF (Bad file descriptor) close(877) = -1 EBADF (Bad file descriptor) close(878) = -1 EBADF (Bad file descriptor) close(879) = -1 EBADF (Bad file descriptor) close(880) = -1 EBADF (Bad file descriptor) close(881) = -1 EBADF (Bad file descriptor) close(882) = -1 EBADF (Bad file descriptor) close(883) = -1 EBADF (Bad file descriptor) close(884) = -1 EBADF (Bad file descriptor) close(885) = -1 EBADF (Bad file descriptor) close(886) = -1 EBADF (Bad file descriptor) close(887) = -1 EBADF (Bad file descriptor) close(888) = -1 EBADF (Bad file descriptor) close(889) = -1 EBADF (Bad file descriptor) close(890) = -1 EBADF (Bad file descriptor) close(891) = -1 EBADF (Bad file descriptor) close(892) = -1 EBADF (Bad file descriptor) close(893) = -1 EBADF (Bad file descriptor) close(894) = -1 EBADF (Bad file descriptor) close(895) = -1 EBADF (Bad file descriptor) close(896) = -1 EBADF (Bad file descriptor) close(897) = -1 EBADF (Bad file descriptor) close(898) = -1 EBADF (Bad file descriptor) close(899) = -1 EBADF (Bad file descriptor) close(900) = -1 EBADF (Bad file descriptor) close(901) = -1 EBADF (Bad file descriptor) 
close(902) = -1 EBADF (Bad file descriptor) close(903) = -1 EBADF (Bad file descriptor) close(904) = -1 EBADF (Bad file descriptor) close(905) = -1 EBADF (Bad file descriptor) close(906) = -1 EBADF (Bad file descriptor) close(907) = -1 EBADF (Bad file descriptor) close(908) = -1 EBADF (Bad file descriptor) close(909) = -1 EBADF (Bad file descriptor) close(910) = -1 EBADF (Bad file descriptor) close(911) = -1 EBADF (Bad file descriptor) close(912) = -1 EBADF (Bad file descriptor) close(913) = -1 EBADF (Bad file descriptor) close(914) = -1 EBADF (Bad file descriptor) close(915) = -1 EBADF (Bad file descriptor) close(916) = -1 EBADF (Bad file descriptor) close(917) = -1 EBADF (Bad file descriptor) close(918) = -1 EBADF (Bad file descriptor) close(919) = -1 EBADF (Bad file descriptor) close(920) = -1 EBADF (Bad file descriptor) close(921) = -1 EBADF (Bad file descriptor) close(922) = -1 EBADF (Bad file descriptor) close(923) = -1 EBADF (Bad file descriptor) close(924) = -1 EBADF (Bad file descriptor) close(925) = -1 EBADF (Bad file descriptor) close(926) = -1 EBADF (Bad file descriptor) close(927) = -1 EBADF (Bad file descriptor) close(928) = -1 EBADF (Bad file descriptor) close(929) = -1 EBADF (Bad file descriptor) close(930) = -1 EBADF (Bad file descriptor) close(931) = -1 EBADF (Bad file descriptor) close(932) = -1 EBADF (Bad file descriptor) close(933) = -1 EBADF (Bad file descriptor) close(934) = -1 EBADF (Bad file descriptor) close(935) = -1 EBADF (Bad file descriptor) close(936) = -1 EBADF (Bad file descriptor) close(937) = -1 EBADF (Bad file descriptor) close(938) = -1 EBADF (Bad file descriptor) close(939) = -1 EBADF (Bad file descriptor) close(940) = -1 EBADF (Bad file descriptor) close(941) = -1 EBADF (Bad file descriptor) close(942) = -1 EBADF (Bad file descriptor) close(943) = -1 EBADF (Bad file descriptor) close(944) = -1 EBADF (Bad file descriptor) close(945) = -1 EBADF (Bad file descriptor) close(946) = -1 EBADF (Bad file descriptor) close(947) = -1 
EBADF (Bad file descriptor) close(948) = -1 EBADF (Bad file descriptor) close(949) = -1 EBADF (Bad file descriptor) close(950) = -1 EBADF (Bad file descriptor) close(951) = -1 EBADF (Bad file descriptor) close(952) = -1 EBADF (Bad file descriptor) close(953) = -1 EBADF (Bad file descriptor) close(954) = -1 EBADF (Bad file descriptor) close(955) = -1 EBADF (Bad file descriptor) close(956) = -1 EBADF (Bad file descriptor) close(957) = -1 EBADF (Bad file descriptor) close(958) = -1 EBADF (Bad file descriptor) close(959) = -1 EBADF (Bad file descriptor) close(960) = -1 EBADF (Bad file descriptor) close(961) = -1 EBADF (Bad file descriptor) close(962) = -1 EBADF (Bad file descriptor) close(963) = -1 EBADF (Bad file descriptor) close(964) = -1 EBADF (Bad file descriptor) close(965) = -1 EBADF (Bad file descriptor) close(966) = -1 EBADF (Bad file descriptor) close(967) = -1 EBADF (Bad file descriptor) close(968) = -1 EBADF (Bad file descriptor) close(969) = -1 EBADF (Bad file descriptor) close(970) = -1 EBADF (Bad file descriptor) close(971) = -1 EBADF (Bad file descriptor) close(972) = -1 EBADF (Bad file descriptor) close(973) = -1 EBADF (Bad file descriptor) close(974) = -1 EBADF (Bad file descriptor) close(975) = -1 EBADF (Bad file descriptor) close(976) = -1 EBADF (Bad file descriptor) close(977) = -1 EBADF (Bad file descriptor) close(978) = -1 EBADF (Bad file descriptor) close(979) = -1 EBADF (Bad file descriptor) close(980) = -1 EBADF (Bad file descriptor) close(981) = -1 EBADF (Bad file descriptor) close(982) = -1 EBADF (Bad file descriptor) close(983) = -1 EBADF (Bad file descriptor) close(984) = -1 EBADF (Bad file descriptor) close(985) = -1 EBADF (Bad file descriptor) close(986) = -1 EBADF (Bad file descriptor) close(987) = -1 EBADF (Bad file descriptor) close(988) = -1 EBADF (Bad file descriptor) close(989) = -1 EBADF (Bad file descriptor) close(990) = -1 EBADF (Bad file descriptor) close(991) = -1 EBADF (Bad file descriptor) close(992) = -1 EBADF (Bad file 
descriptor) close(993) = -1 EBADF (Bad file descriptor) close(994) = -1 EBADF (Bad file descriptor) close(995) = -1 EBADF (Bad file descriptor) close(996) = -1 EBADF (Bad file descriptor) close(997) = -1 EBADF (Bad file descriptor) close(998) = -1 EBADF (Bad file descriptor) close(999) = -1 EBADF (Bad file descriptor) close(1000) = -1 EBADF (Bad file descriptor) close(1001) = -1 EBADF (Bad file descriptor) close(1002) = -1 EBADF (Bad file descriptor) close(1003) = -1 EBADF (Bad file descriptor) close(1004) = -1 EBADF (Bad file descriptor) close(1005) = -1 EBADF (Bad file descriptor) close(1006) = -1 EBADF (Bad file descriptor) close(1007) = -1 EBADF (Bad file descriptor) close(1008) = -1 EBADF (Bad file descriptor) close(1009) = -1 EBADF (Bad file descriptor) close(1010) = -1 EBADF (Bad file descriptor) close(1011) = -1 EBADF (Bad file descriptor) close(1012) = -1 EBADF (Bad file descriptor) close(1013) = -1 EBADF (Bad file descriptor) close(1014) = -1 EBADF (Bad file descriptor) close(1015) = -1 EBADF (Bad file descriptor) close(1016) = -1 EBADF (Bad file descriptor) close(1017) = -1 EBADF (Bad file descriptor) close(1018) = -1 EBADF (Bad file descriptor) close(1019) = -1 EBADF (Bad file descriptor) close(1020) = -1 EBADF (Bad file descriptor) close(1021) = -1 EBADF (Bad file descriptor) close(1022) = -1 EBADF (Bad file descriptor) close(1023) = -1 EBADF (Bad file descriptor) socket(PF_NETLINK, SOCK_RAW, 0) = 3 bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000040}, 12) = 0 open("/dev/urandom", O_RDONLY|O_LARGEFILE) = 4 read(4, "\244\20\30\334J\221\326\262\252\205F-\301\202\353\264~\240\207B0tO\20\235:\351\304\5\215\23\211"..., 128) = 128 read(4, "@\347\206\347\331t]\320\333m%C\245\323H\255\4O\372\253\351\10\373\326g\31\4\326\231\\\266\245"..., 48) = 48 close(4) = 0 time(NULL) = 1215697395 open("/var/lib/misc/dnsmasq.leases", O_RDWR|O_CREAT|O_APPEND|O_LARGEFILE, 0666) = 4 fstat64(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 mmap2(NULL, 4096, 
PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc2000 _llseek(4, 0, [0], SEEK_SET) = 0 read(4, "", 4096) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 5 fcntl64(5, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0 setsockopt(5, SOL_IP, IP_MTU_DISCOVER, [0], 4) = 0 setsockopt(5, SOL_IP, IP_PKTINFO, [1], 4) = 0 setsockopt(5, SOL_SOCKET, SO_BROADCAST, [1], 4) = 0 bind(5, {sa_family=AF_INET, sin_port=htons(67), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 sendto(3, "\24\0\0\0\26\0\5\3\1\0\0\0\0\0\0\0\2\32\376\277", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"8\0\0\0\24\0\2\0\1\0\0\0x_\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 200}], msg_controllen=0, msg_flags=MSG_TRUNC}, MSG_PEEK) = 200 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"8\0\0\0\24\0\2\0\1\0\0\0x_\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 300}], msg_controllen=0, msg_flags=MSG_TRUNC}, MSG_PEEK) = 300 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"8\0\0\0\24\0\2\0\1\0\0\0x_\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 400}], msg_controllen=0, msg_flags=0}, MSG_PEEK) = 396 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"8\0\0\0\24\0\2\0\1\0\0\0x_\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 400}], msg_controllen=0, msg_flags=0}, 0) = 396 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 ioctl(6, SIOCGIFNAME, {ifr_index=1, ifr_name="lo"}) = 0 ioctl(6, SIOCGIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP|IFF_LOOPBACK|IFF_RUNNING}) = 0 close(6) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 ioctl(6, SIOCGIFNAME, {ifr_index=3, ifr_name="wired"}) = 0 ioctl(6, SIOCGIFFLAGS, {ifr_name="wired", ifr_flags=IFF_UP|IFF_BROADCAST|IFF_RUNNING|IFF_MULTICAST}) = 0 close(6) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 ioctl(6, SIOCGIFNAME, {ifr_index=4, ifr_name="wireless"}) = 0 ioctl(6, SIOCGIFFLAGS, {ifr_name="wireless", ifr_flags=IFF_UP|IFF_BROADCAST|IFF_RUNNING|IFF_MULTICAST}) = 0 close(6) = 0 socket(PF_INET, SOCK_DGRAM, 
IPPROTO_IP) = 6 ioctl(6, SIOCGIFNAME, {ifr_index=5, ifr_name="printer"}) = 0 ioctl(6, SIOCGIFFLAGS, {ifr_name="printer", ifr_flags=IFF_UP|IFF_BROADCAST|IFF_MULTICAST}) = 0 close(6) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 ioctl(6, SIOCGIFNAME, {ifr_index=7, ifr_name="tun0"}) = 0 ioctl(6, SIOCGIFFLAGS, {ifr_name="tun0", ifr_flags=IFF_UP|IFF_POINTOPOINT|IFF_RUNNING|IFF_NOARP|IFF_MULTICAST}) = 0 close(6) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 ioctl(6, SIOCGIFNAME, {ifr_index=8, ifr_name="tun1"}) = 0 ioctl(6, SIOCGIFFLAGS, {ifr_name="tun1", ifr_flags=IFF_UP|IFF_POINTOPOINT|IFF_RUNNING|IFF_NOARP|IFF_MULTICAST}) = 0 close(6) = 0 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 ioctl(6, SIOCGIFNAME, {ifr_index=9, ifr_name="ppp0"}) = 0 ioctl(6, SIOCGIFFLAGS, {ifr_name="ppp0", ifr_flags=IFF_UP|IFF_POINTOPOINT|IFF_RUNNING|IFF_NOARP|IFF_MULTICAST}) = 0 close(6) = 0 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\1\0\0\0x_\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 400}], msg_controllen=0, msg_flags=0}, MSG_PEEK) = 20 recvmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\1\0\0\0x_\0\0\0\0\0\0\1\0\0\0\10\0\1\0\177\0\0\1"..., 400}], msg_controllen=0, msg_flags=0}, 0) = 20 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 6 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 7 setsockopt(7, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 bind(7, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 listen(7, 5) = 0 fcntl64(7, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0 setsockopt(6, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 fcntl64(6, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(6, F_SETFL, O_RDWR|O_NONBLOCK) = 0 setsockopt(6, SOL_IP, IP_PKTINFO, [1], 4) = 0 bind(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("0.0.0.0")}, 16) = 0 mmap2(NULL, 147456, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e4a000 socket(PF_FILE, SOCK_STREAM, 0) = 8 fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(8, 
{sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(8) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 8 fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(8, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(8) = 0 open("/etc/nsswitch.conf", O_RDONLY) = 8 fstat64(8, {st_mode=S_IFREG|0644, st_size=500, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc1000 read(8, "# /etc/nsswitch.conf:\n# $Header:"..., 4096) = 500 read(8, "", 4096) = 0 close(8) = 0 munmap(0xb7fc1000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 8 fstat64(8, {st_mode=S_IFREG|0644, st_size=15119, ...}) = 0 mmap2(NULL, 15119, PROT_READ, MAP_PRIVATE, 8, 0) = 0xb7e46000 close(8) = 0 open("/lib/libnss_files.so.2", O_RDONLY) = 8 read(8, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\31\0\0004\0\0\0"..., 512) = 512 fstat64(8, {st_mode=S_IFREG|0755, st_size=47265, ...}) = 0 mmap2(NULL, 41588, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8, 0) = 0xb7e3b000 mmap2(0xb7e44000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 8, 0x8) = 0xb7e44000 close(8) = 0 mprotect(0xb7e44000, 4096, PROT_READ) = 0 munmap(0xb7e46000, 15119) = 0 open("/etc/passwd", O_RDONLY) = 8 fcntl64(8, F_GETFD) = 0 fcntl64(8, F_SETFD, FD_CLOEXEC) = 0 fstat64(8, {st_mode=S_IFREG|0644, st_size=1387, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc1000 read(8, "root:x:0:0:bahamut root:/root:/b"..., 4096) = 1387 close(8) = 0 munmap(0xb7fc1000, 4096) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 8 fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(8, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(8) = 0 socket(PF_FILE, SOCK_STREAM, 0) = 8 fcntl64(8, F_SETFL, O_RDWR|O_NONBLOCK) = 0 connect(8, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(8) = 0 
open("/etc/group", O_RDONLY) = 8 fcntl64(8, F_GETFD) = 0 fcntl64(8, F_SETFD, FD_CLOEXEC) = 0 fstat64(8, {st_mode=S_IFREG|0644, st_size=688, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc1000 read(8, "root::0:root\nbin::1:root,bin,dae"..., 4096) = 688 close(8) = 0 munmap(0xb7fc1000, 4096) = 0 capget(0x20080522, -1208241680, NULL) = -1 EINVAL (Invalid argument) pipe([8, 9]) = 0 fcntl64(9, F_GETFL) = 0x1 (flags O_WRONLY) fcntl64(9, F_SETFL, O_WRONLY|O_NONBLOCK) = 0 fcntl64(8, F_GETFL) = 0 (flags O_RDONLY) fcntl64(8, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 write(9, "\1\0\0\0\0\0\0\0", 8) = 8 chdir("/") = 0 open("/var/run/dnsmasq.pid", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 10 getpid() = 24440 fstat64(10, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc1000 write(10, "24440\n", 6) = 6 close(10) = 0 munmap(0xb7fc1000, 4096) = 0 open("/dev/null", O_RDWR|O_LARGEFILE) = 10 dup2(10, 1) = 1 dup2(10, 2) = 2 dup2(10, 0) = 0 close(10) = 0 socket(PF_FILE, SOCK_DGRAM, 0) = 10 getuid32() = 0 setgroups32(0, []) = 0 setgid32(65533) = 0 capset(0x20080522, -1208241680, {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) = -1 EPERM (Operation not permitted) write(2, "\n", 1) = 1 write(2, "dnsmasq: ", 9) = 9 write(2, "setting capabilities failed: Ope"..., 52) = 52 write(2, "\n", 1) = 1 time(NULL) = 1215697395 open("/etc/localtime", O_RDONLY) = 11 fstat64(11, {st_mode=S_IFREG|0644, st_size=3477, ...}) = 0 fstat64(11, {st_mode=S_IFREG|0644, st_size=3477, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fc1000 read(11, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 3477 close(11) = 0 munmap(0xb7fc1000, 4096) = 0 write(10, "<26>Jul 10 09:43:15 dnsmasq[2444"..., 89) = -1 ENOTCONN (Transport endpoint is not connected) connect(10, 
{sa_family=AF_FILE, path="/dev/log"}, 110) = 0 write(10, "<26>Jul 10 09:43:15 dnsmasq[2444"..., 89) = 89 time(NULL) = 1215697395 write(10, "<26>Jul 10 09:43:15 dnsmasq[2444"..., 55) = 55 fcntl64(10, F_GETFL) = 0x2 (flags O_RDWR) fcntl64(10, F_SETFL, O_RDWR) = 0 close(10) = 0 exit_group(5) = ?

From g.esp at free.fr Fri Jul 11 08:20:48 2008
From: g.esp at free.fr (Gilles Espinasse)
Date: Fri Jul 11 08:18:29 2008
Subject: [Dnsmasq-discuss] 2.43rc6
References: <487632C7.3000007@thekelleys.org.uk>
Message-ID: <052301c8e326$a480b560$f9b5a8c0@pii350>

----- Original Message -----
From: "Simon Kelley"
To: "dnsmasq discussion list"
Sent: Thursday, July 10, 2008 6:03 PM
Subject: [Dnsmasq-discuss] 2.43rc6

> It's looking good. One last change (hopes!) This adds a config option
>

dnsmasq behaves differently (unrelated to randomized ports) when no user is specified.
I think users should be warned to check how they want to run dnsmasq.
This is with kernel 2.4.36.

root@ipcop:~ # dnsmasq --version
Dnsmasq version 2.38 Copyright (C) 2000-2007 Simon Kelley
Compile time options no-IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N TFTP

netstat -anpe | grep dnsmasq
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 333850 29165/dnsmasq
udp 0 0 0.0.0.0:1025 0.0.0.0:* 103 333856 29165/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 0 333849 29165/dnsmasq
unix 2 [ ] DGRAM 333854 29165/dnsmasq

dnsmasq run as user 103

dnsmasq --version
Dnsmasq version 2.43rc6 Copyright (C) 2000-2008 Simon Kelley
Compile time options no-IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N TFTP

netstat -anpe | grep dnsmasq
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 13473 1127/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 0 13472 1127/dnsmasq
unix 2 [ ] DGRAM 13478 1127/dnsmasq

same script but dnsmasq run as user 0

Gilles

From simon at thekelleys.org.uk Fri Jul 11 09:18:56 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Jul 11 09:19:10 2008
Subject: [Dnsmasq-discuss] 2.43rc6
In-Reply-To: <052301c8e326$a480b560$f9b5a8c0@pii350>
References: <487632C7.3000007@thekelleys.org.uk> <052301c8e326$a480b560$f9b5a8c0@pii350>
Message-ID: <48771770.9070103@thekelleys.org.uk>

Gilles Espinasse wrote:
> ----- Original Message -----
> From: "Simon Kelley"
> To: "dnsmasq discussion list"
> Sent: Thursday, July 10, 2008 6:03 PM
> Subject: [Dnsmasq-discuss] 2.43rc6
>
>> It's looking good. One last change (hopes!) This adds a config option
>>
> dnsmasq behave differently (unrelated to randomized ports) when no user is
> specified
> I think users should be warned to check how they want to run dnsmasq
> this is with kernel 2.4.36
>
> root@ipcop:~ # dnsmasq --version
> Dnsmasq version 2.38 Copyright (C) 2000-2007 Simon Kelley
> Compile time options no-IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N TFTP
>
> netstat -anpe | grep dnsmasq
> tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 333850 29165/dnsmasq
> udp 0 0 0.0.0.0:1025 0.0.0.0:* 103 333856 29165/dnsmasq
> udp 0 0 0.0.0.0:53 0.0.0.0:* 0 333849 29165/dnsmasq
> unix 2 [ ] DGRAM 333854 29165/dnsmasq
>
> dnsmasq run as user 103
>
> dnsmasq --version
> Dnsmasq version 2.43rc6 Copyright (C) 2000-2008 Simon Kelley
> Compile time options no-IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N TFTP
> netstat -anpe | grep dnsmasq
> tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 13473 1127/dnsmasq
> udp 0 0 0.0.0.0:53 0.0.0.0:* 0 13472 1127/dnsmasq
> unix 2 [ ] DGRAM 13478 1127/dnsmasq
>
> same script but dnsmasq run as user 0

This made me scratch my head for a while, but I have the explanation now.

The uids shown by netstat are the uid of the process which created the socket _when_it_was_created_. You can see in the first example that the port 53 udp and tcp sockets show uid 0. They were created before dnsmasq dropped root (they have to be, to bind a low port). The third socket in the first example is the socket dnsmasq uses to talk to the upstream server, which is created after dnsmasq drops root and so shows uid 103.

The difference in the second example is that the third socket is just missing. That's expected: to use random source ports dnsmasq now creates such sockets on the fly. If you could catch dnsmasq whilst it was active, you'd see one or more udp sockets.

Just to reiterate, the behaviour of dnsmasq when started as root and without a configured user is still (nearly) the same. It changes to user "nobody". The only difference is that version 2.42 and below would continue to run as root if the change-uid process failed, whilst logging a polite message. Version 2.43 fails to start with an error if that happens.

Cheers,

Simon.

From simon at thekelleys.org.uk Fri Jul 11 11:19:34 2008
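The point Simon makes above, that netstat's User column records the uid a process had when it created each socket, is also a cheap way to audit whether a daemon that binds a low port as root really dropped privileges afterwards. The following is an added example (not code from the dnsmasq project or from anyone in the thread) that parses `netstat -anpe` output and flags any socket on an unprivileged port that was created by uid 0. The two listings quoted in the thread are embedded as sample input, together with a third listing constructed to show what a failed privilege drop would look like; `PRIVILEGED_PORT_MAX` and the function names are this example's own.

```python
"""Audit a `netstat -anpe` listing for a daemon that drops root after binding.

Added example, not part of dnsmasq. The expectation encoded here is the one
explained in the thread: sockets on ports below 1024 are created while the
daemon is still root (uid 0), and anything it creates after dropping
privileges shows the unprivileged uid. A socket on a high port created by
uid 0 therefore means the daemon was still root when it should not have been.
"""

# The two listings quoted in the thread (dnsmasq 2.38 and 2.43rc6), used as sample input.
NETSTAT_2_38 = """\
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 333850 29165/dnsmasq
udp 0 0 0.0.0.0:1025 0.0.0.0:* 103 333856 29165/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 0 333849 29165/dnsmasq
unix 2 [ ] DGRAM 333854 29165/dnsmasq
"""

NETSTAT_2_43RC6 = """\
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 13473 1127/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 0 13472 1127/dnsmasq
unix 2 [ ] DGRAM 13478 1127/dnsmasq
"""

# Constructed (not from the thread): the upstream-query socket was created by root,
# which is what a failed or late privilege drop would look like.
NETSTAT_NOT_DROPPED = """\
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 0 333850 29165/dnsmasq
udp 0 0 0.0.0.0:1025 0.0.0.0:* 0 333856 29165/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 0 333849 29165/dnsmasq
"""

PRIVILEGED_PORT_MAX = 1023  # binding at or below this needs root (or CAP_NET_BIND_SERVICE)


def parse_inet_sockets(listing):
    """Return one dict per tcp/udp line: proto, local port, creating uid, inode, pid.

    The State column exists for tcp but not for udp, so the uid, inode and
    pid/program fields are taken from the right-hand end of the line, which
    is the same for both. Unix-domain socket lines carry no uid and are skipped.
    """
    sockets = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        uid, inode, pid_prog = fields[-3], fields[-2], fields[-1]
        port = int(fields[3].rsplit(":", 1)[1])
        pid = int(pid_prog.split("/", 1)[0])
        sockets.append({"proto": fields[0], "port": port, "uid": int(uid),
                        "inode": int(inode), "pid": pid})
    return sockets


def creating_uids(listing):
    """Set of uids that created the inet sockets in the listing."""
    return {s["uid"] for s in parse_inet_sockets(listing)}


def audit_privilege_drop(listing):
    """Ports above the privileged range whose socket was created by uid 0.

    Empty for both listings from the thread: 2.38 created its upstream
    socket as uid 103, and 2.43rc6 creates those sockets on the fly, so none
    is visible while the daemon is idle. Non-empty means the daemon did later
    work (such as opening its upstream-query socket) while still root.
    """
    return sorted(s["port"] for s in parse_inet_sockets(listing)
                  if s["port"] > PRIVILEGED_PORT_MAX and s["uid"] == 0)


if __name__ == "__main__":
    for name, listing in (("2.38", NETSTAT_2_38), ("2.43rc6", NETSTAT_2_43RC6),
                          ("constructed bad case", NETSTAT_NOT_DROPPED)):
        print(name, "creating uids:", sorted(creating_uids(listing)),
              "root-created high ports:", audit_privilege_drop(listing))
```

Because the check only sees sockets that exist at the moment netstat runs, a daemon that opens its upstream sockets per query (as 2.43 does) can legitimately show nothing but the uid 0 port 53 sockets; to catch its transient sockets you have to sample while it is actually forwarding queries, as Simon notes.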
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Jul 11 11:19:49 2008
Subject: [Dnsmasq-discuss] dnsmasq version 2.43 released.
Message-ID: <487733B6.3000003@thekelleys.org.uk>

Dnsmasq version 2.43 is now available at:

http://thekelleys.org.uk/dnsmasq/dnsmasq-2.43.tar.gz
http://thekelleys.org.uk/dnsmasq/dnsmasq-2.43.tar.lzma

This release includes the fixes needed to secure dnsmasq against the security problems described in CERT VU#800113

http://www.kb.cert.org/vuls/id/800113

The changes from 2.42 are as follows.

Updated Polish translation. Thanks to Jan Psota.

Flag errors when configuration options are repeated illegally.

Further tweaks for GNU/kFreeBSD

Add --no-wrap to msgmerge call - provides nicer .po file format.

Honour lease-time spec in dhcp-host lines even for BOOTP. The user is assumed to know what they are doing in this case. (Hosts without the time spec still get infinite leases for BOOTP, over-riding the default in the dhcp-range.) Thanks to Peter Katzmann for uncovering this.

Fix problem matching relay-agent ids. Thanks to Michael Rack for the bug report.

Add --naptr-record option. Suggestion from Johan Bergquist.

Implement RFC 5107 server-id-override DHCP relay agent option.

Apply patches from Stefan Kruger for compilation on Solaris 10 under Sun studio.

Yet more tweaking of Linux capability code, to suppress pointless whingeing from kernel 2.6.25 and above.

Improve error checking during startup. Previously, some errors which occurred during startup would be worked around, with dnsmasq still starting up. Some were logged, some silent. Now, they all cause a fatal error and dnsmasq terminates with a non-zero exit code. The errors are those associated with changing uid and gid, setting process capabilities and writing the pidfile. Thanks to Uwe Gansert and the Suse security team for pointing out this improvement, and Bill Reimers for good implementation suggestions.

Provide NO_LARGEFILE compile option to switch off largefile support when compiling against versions of uclibc which don't support it. Thanks to Stephane Billiart for the patch.

Implement random source ports for interactions with upstream nameservers. New spoofing attacks have been found against nameservers which do not do this, though it is not clear if dnsmasq is vulnerable, since it doesn't implement recursion. By default dnsmasq will now use a different source port (and socket) for each query it sends upstream. This behaviour can be suppressed using the --query-port option, and the old default behaviour restored using --query-port=0. Explicit source-port specifications in --server configs are still honoured.

Replace the random number generator, for better security. On most BSD systems, dnsmasq uses the arc4random() RNG, which is secure, but on other platforms, it relied on the C-library RNG, which may be guessable and therefore allow spoofing. This release replaces the libc RNG with the SURF RNG, from Daniel J. Bernstein's DJBDNS package.

Don't attempt to change user or group or set capabilities if dnsmasq is run as a non-root user. Without this, the change from soft to hard errors when these fail causes problems for non-root daemons listening on high ports. Thanks to Patrick McLean for spotting this.

Updated French translation. Thanks to Gildas Le Nadan.

In addition to those people mentioned in the changelog, many thanks are due to the members of the dnsmasq-discuss mailing list who did the rapid testing needed to get this release out in a timely manner.

Cheers,

Simon.

From simon at thekelleys.org.uk Fri Jul 11 11:26:06 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Jul 11 11:26:19 2008
Subject: [Dnsmasq-discuss] Thanks.
Message-ID: <4877353E.9000907@thekelleys.org.uk>

I just wanted to thank everybody on here who's helped with the testing of version 2.43 and also Uwe Gansert and Thomas Biege at Suse. I'm happy that it's going to work for people, and secure us against the Bad Guys.

Me? Tomorrow morning I'm going on holiday. If there's a cellphone signal, I might be in contact, but no promises. Your dnsmasq maintainer will be boating:

http://thekelleys.org.uk/pics/melly.jpg

Cheers,

Simon.

From carlos at fisica.ufpr.br Fri Jul 11 19:20:42 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Fri Jul 11 19:21:16 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
Message-ID: <18551.42106.124701.276929@fisica.ufpr.br>

Today dnsmasq died. It was the first time since I use it :-(

In its log there's no sign of problems. The last entry is for a DHCPNAK; it's the only such record with 2.43. The kernel log says

Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]

The kernel is compiled with several PAX protections, in particular non-executable pages.

Any ideas on how to debug this? All I can imagine demand a significant amount of work here :-(

From simon at thekelleys.org.uk Fri Jul 11 19:40:35 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Jul 11 19:43:37 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <18551.42106.124701.276929@fisica.ufpr.br>
References: <18551.42106.124701.276929@fisica.ufpr.br>
Message-ID: <4877A923.7030906@thekelleys.org.uk>

Carlos Carvalho wrote:
> Today dnsmasq died. It was the first time since I use it :-(
>
> In its log there's no sign of problems. The last entry is for a
> DHCPNAK; it's the only such record with 2.43. The kernel log says
>
> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]
>
> The kernel is compiled with several PAX protections, in particular
> non-executable pages.
>
> Any ideas on how to debug this? All I can imagine demand a significant
> amount of work here :-(
>

Best bet is to be ready to catch the next one.

1) rebuild dnsmasq with

make CFLAGS=-g

2) enable coredumps and move to a directory where they can be written

ulimit -c unlimited

3) run dnsmasq in the foreground

dnsmasq -d

If it crashes again, send me the core dump and the executable file.

Cheers,

Simon.

From redbully at cc.fh-luh.de Fri Jul 11 20:47:49 2008
From: redbully at cc.fh-luh.de (Jan 'RedBully' Seiffert)
Date: Fri Jul 11 20:48:10 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <18551.42106.124701.276929@fisica.ufpr.br>
References: <18551.42106.124701.276929@fisica.ufpr.br>
Message-ID: <4877B8E5.9000406@cc.fh-luh.de>

Carlos Carvalho wrote:
> Today dnsmasq died. It was the first time since I use it :-(
>
> In its log there's no sign of problems. The last entry is for a
> DHCPNAK; it's the only such record with 2.43. The kernel log says
>
> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]
>
> The kernel is compiled with several PAX protections, in particular
> non-executable pages.
>
> Any ideas on how to debug this? All I can imagine demand a significant
> amount of work here :-(
>

How long did it run before crashing? Anything special at that time? (like begin of work in the morning or such thing)

With significant amount you mean? So no chance for a core-file?

I could dig up some code to get a backtrace on crash, but it's dead ugly code and dangerous with additional risk of not getting a usable backtrace. And yeah, dnsmasq has to crash first and you have to capture the output somehow (no, it will not reach the logs).

Greetings
Jan

--
C++ : an octopus made by nailing extra legs onto a dog.

From carlos at fisica.ufpr.br Sat Jul 12 00:11:34 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Sat Jul 12 00:22:38 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <4877A923.7030906@thekelleys.org.uk>
References: <18551.42106.124701.276929@fisica.ufpr.br> <4877A923.7030906@thekelleys.org.uk>
Message-ID: <18551.59558.448676.179219@fisica.ufpr.br>

Simon Kelley (simon@thekelleys.org.uk) wrote on 11 July 2008 19:40:
>Carlos Carvalho wrote:
>> Today dnsmasq died. It was the first time since I use it :-(
>>
>> In its log there's no sign of problems. The last entry is for a
>> DHCPNAK; it's the only such record with 2.43. The kernel log says
>>
>> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]
>>
>> The kernel is compiled with several PAX protections, in particular
>> non-executable pages.
>>
>> Any ideas on how to debug this? All I can imagine demand a significant
>> amount of work here :-(
>>
>
>Best bet is to be ready to catch the next one.
>
>1) rebuild dnsmasq with
>
>make CFLAGS=-g

Done.

>2) enable coredumps and move to a directory where they can be written
>
>ulimit -c unlimited

Done.

>3) run dnsmasq in the foreground
>
>dnsmasq -d

D... oops, sorry, I can't run a segfaulting program as root in the central server of the department...

I ran it normally and sent it a quit signal but it didn't produce a core; it works for other programs. I changed the chdir / in dnsmasq.c to "/tmp" to no avail (it does the chdir). Why doesn't it produce a core?

From DNSMasq at RevRagnarok.com Sat Jul 12 05:23:01 2008
From: DNSMasq at RevRagnarok.com (RevRagnarok)
Date: Sat Jul 12 05:23:23 2008
Subject: [Dnsmasq-discuss] Build on ancient gcc

I have a virtual machine that I am trying to put the latest DNSMasq (2.43) onto. It currently has 1.14 installed from RPM (yes, its base install is from the PREVIOUS time there was a Red Hat 7). The gcc on it is ancient, 2.96.

Anyway, I am getting an error "dnsmasq.h:545: array size is missing in 'filename'"

Has anybody seen this before? I checked the subjects of the most recent two archives. I know I need to upgrade that machine, but was hoping this wouldn't be hopeless.

Thanks!

From redbully at cc.fh-luh.de Sat Jul 12 06:37:15 2008
From: redbully at cc.fh-luh.de (Jan 'RedBully' Seiffert)
Date: Sat Jul 12 06:37:37 2008
Subject: [Dnsmasq-discuss] Build on ancient gcc
Message-ID: <4878430B.60507@cc.fh-luh.de>

RevRagnarok wrote:
> I have a virtual machine that I am trying to put the latest DNSMasq (2.43)
> onto. It currently has 1.14 installed from RPM (yes, its base install is
> from the PREVIOUS time there was a Red Hat 7). The gcc on it is ancient,
> 2.96.
>
> Anyway, I am getting an error "dnsmasq.h:545: array size is missing in
> 'filename'"
>

struct tftp_file {
  int refcount, fd;
  off_t size;
  dev_t dev;
  ino_t inode;
  char filename[];
};

This? This is a C99 "variable-size-array". GCC 2.96 doesn't fully support C99, but it can be worked around. These early gcc had an extension which basically does the same, only with slightly different syntax. Put a zero between the two square brackets, like this:

struct tftp_file {
  int refcount, fd;
  off_t size;
  dev_t dev;
  ino_t inode;
  char filename[0];
};

maybe you also have to add "-std=gnu9x" to the CFLAGS.

> Has anybody seen this before? I checked the subjects of the most recent two
> archives. I know I need to upgrade that machine, but was hoping this
> wouldn't be hopeless. Thanks!
>

Greeting
Jan

--
There's only 2 requirements in life, WD40 and Duck Tape.
If it doesn't move and it should, use the WD40.
If it moves and it shouldn't, use the Duck Tape.

From simon at thekelleys.org.uk Sat Jul 12 08:09:48 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat Jul 12 08:12:50 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <18551.59558.448676.179219@fisica.ufpr.br>
References: <18551.42106.124701.276929@fisica.ufpr.br> <4877A923.7030906@thekelleys.org.uk> <18551.59558.448676.179219@fisica.ufpr.br>
Message-ID: <487858BC.50700@thekelleys.org.uk>

Carlos Carvalho wrote:
> Simon Kelley (simon@thekelleys.org.uk) wrote on 11 July 2008 19:40:
> >Carlos Carvalho wrote:
> >> Today dnsmasq died. It was the first time since I use it :-(
> >>
> >> In its log there's no sign of problems. The last entry is for a
> >> DHCPNAK; it's the only such record with 2.43. The kernel log says
> >>
> >> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]
> >>
> >> The kernel is compiled with several PAX protections, in particular
> >> non-executable pages.
> >>
> >> Any ideas on how to debug this? All I can imagine demand a significant
> >> amount of work here :-(
> >>
> >
> >Best bet is to be ready to catch the next one.
> >
> >1) rebuild dnsmasq with
> >
> >make CFLAGS=-g
>
> Done.
>
> >2) enable coredumps and move to a directory where they can be written
> >
> >ulimit -c unlimited
>
> Done.
>
> >3) run dnsmasq in the foreground
> >
> >dnsmasq -d
>
> D... ops, sorry, I can't run a segfaulting program as root in the
> central server of the department...
>
> I ran it normally and sent it a quit signal but it didn't produce a
> core; it works for other programs. I changed the chdir / in dnsmasq.c
> to "/tmp" to no avail (it does the chdir). Why doesn't it produce a core?
>

If you're changing code, try making

  if (daemon->options & OPT_DEBUG)
    prctl(PR_SET_DUMPABLE, 1);

in dnsmasq.c

unconditional

Cheers

Simon.

From g.esp at free.fr Sat Jul 12 08:38:02 2008
From: g.esp at free.fr (Gilles Espinasse)
Date: Sat Jul 12 08:35:44 2008
Subject: [Dnsmasq-discuss] Build on ancient gcc
Message-ID: <064801c8e3f2$37d02dc0$f9b5a8c0@pii350>

----- Original Message -----
From: RevRagnarok
To: dnsmasq-discuss@lists.thekelleys.org.uk
Sent: Saturday, July 12, 2008 6:23 AM
Subject: [Dnsmasq-discuss] Build on ancient gcc

> I have a virtual machine that I am trying to put the latest DNSMasq (2.43) onto.
> It currently has 1.14 installed from RPM (yes, its base install is from the PREVIOUS
> time there was a Red Hat 7). The gcc on it is ancient, 2.96.
>
> Anyway, I am getting an error "dnsmasq.h:545: array size is missing in 'filename'"
>
> Has anybody seen this before? I checked the subjects of the most recent two archives.
> I know I need to upgrade that machine, but was hoping this wouldn't be hopeless.
> Thanks!
>

A simple and not future-proof change is to put a size for the longest path you would use with tftp, something like

char filename[200];

From DNSMasq at RevRagnarok.com Sat Jul 12 14:20:58 2008
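The two workarounds above (the `[0]` extension and a fixed `char filename[200]`) differ in how the struct gets sized and filled. This added example, which is not dnsmasq's code, allocates the quoted `struct tftp_file` with its C99 flexible array member using `offsetof`, and shows the bounded copy a fixed-size variant needs; the function names and the 200-byte limit are assumed for illustration.

```c
/* Added example, not dnsmasq's own code: sizing a struct that ends in a
 * flexible array member (the "char filename[]" from dnsmasq.h quoted in
 * this thread) and filling the fixed-size alternative safely. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Same layout as the struct quoted in the thread. */
struct tftp_file {
  int refcount, fd;
  off_t size;
  dev_t dev;
  ino_t inode;
  char filename[];          /* flexible array member (C99 6.7.2.1) */
};

/* Allocate a tftp_file with exactly enough room for `name` plus its NUL.
 * sizeof(struct tftp_file) does NOT cover the flexible array, so the tail
 * is added explicitly; offsetof() gives the header size and works the same
 * whether the member is declared "[]" (C99) or "[0]" (old gcc extension).
 * Names longer than max_name are refused rather than truncated. */
struct tftp_file *tftp_file_new(const char *name, size_t max_name)
{
  size_t len = strnlen(name, max_name + 1);
  if (len > max_name)
    return NULL;
  struct tftp_file *f = malloc(offsetof(struct tftp_file, filename) + len + 1);
  if (!f)
    return NULL;
  f->refcount = 1;
  f->fd = -1;
  f->size = 0;
  f->dev = 0;
  f->inode = 0;
  memcpy(f->filename, name, len + 1);
  return f;
}

/* Size of the fixed part, i.e. what precedes the name bytes. */
size_t tftp_file_header_size(void)
{
  return offsetof(struct tftp_file, filename);
}

/* The "char filename[200]" variant suggested above. With a fixed array the
 * length check moves to every writer: an unbounded strcpy of a longer
 * request name would run past the struct. */
struct tftp_file_fixed {
  int refcount, fd;
  off_t size;
  dev_t dev;
  ino_t inode;
  char filename[200];       /* assumed limit, as in the suggestion */
};

/* Returns 0 on success, -1 if `name` (with NUL) does not fit. */
int tftp_file_fixed_set_name(struct tftp_file_fixed *f, const char *name)
{
  size_t len = strnlen(name, sizeof f->filename);
  if (len >= sizeof f->filename)
    return -1;
  memcpy(f->filename, name, len + 1);
  return 0;
}

int main(void)
{
  struct tftp_file *f = tftp_file_new("pxelinux.0", 255);
  if (f) {
    printf("header %zu bytes, filename \"%s\"\n",
           tftp_file_header_size(), f->filename);
    free(f);
  }
  return 0;
}
```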
From: DNSMasq at RevRagnarok.com (RevRagnarok)
Date: Sat Jul 12 14:21:19 2008
Subject: [Dnsmasq-discuss] Build on ancient gcc
In-Reply-To: <4878430B.60507@cc.fh-luh.de>
References: <4878430B.60507@cc.fh-luh.de>

Thank you for all your suggestions. Since I don't plan to use the DHCP server portion of the code, hard coding a size seemed the simplest solution. Now it failed in a few new places, and I figured I would document them here for future reference.

dnsmasq.c: In function `main':
dnsmasq.c:252: parse error before `int'
dnsmasq.c:263: `capsize' undeclared (first use in this function)
dnsmasq.c:263: (Each undeclared identifier is reported only once
dnsmasq.c:263: for each function it appears in.)
dnsmasq.c:267: warning: unreachable code at beginning of switch statement
dnsmasq.c:388: `PR_SET_KEEPCAPS' undeclared (first use in this function)
dnsmasq.c:447: `PR_SET_DUMPABLE' undeclared (first use in this function)
make[1]: *** [dnsmasq.o] Error 1
make[1]: Leaving directory `/tmp/dnsmasq-2.43/src'
make: *** [dnsmasq] Error 2

For some reason, it was just being a pain and I had to swap lines 252 and 253 so that the "capsize" declaration was the first thing within the if block.

To fix the PR_SET macros, I had to manually include on the cc command line -I/usr/src/linux-`uname -r`/include for dnsmasq.c - this is likely because this machine is very screwed up with both RPM and hand-built kernels all over the place.

I had similar array size problems in tftp.c on lines 487, 515, 538, but again I don't use DHCP server so by disabling TFTP in config.h, they were ignored.

Thanks again for the help, I now have 2.43 running on my ancient machine.

- RR

From carlos at fisica.ufpr.br Sat Jul 12 22:59:35 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho) Date: Sat Jul 12 23:01:05 2008 Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault In-Reply-To: <487858BC.50700@thekelleys.org.uk> References: <18551.42106.124701.276929@fisica.ufpr.br> <4877A923.7030906@thekelleys.org.uk> <18551.59558.448676.179219@fisica.ufpr.br> <487858BC.50700@thekelleys.org.uk> Message-ID: <18553.10567.33913.841917@fisica.ufpr.br> Simon Kelley (simon@thekelleys.org.uk) wrote on 12 July 2008 08:09: >Carlos Carvalho wrote: >> Simon Kelley (simon@thekelleys.org.uk) wrote on 11 July 2008 19:40: >> >Carlos Carvalho wrote: >> >> Today dnsmasq died. It was the first time since I use it :-( >> >> >> >> In its log there's no sign of problems. The last entry is for a >> >> DHCPNAK; it's the only such record with 2.43. The kernel log says >> >> >> >> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000] >> >> >> >> The kernel is compiled with several PAX protections, in particular >> >> non-executable pages. >> >> >> >> Any ideas on how to debug this? All I can imagine demand a significant >> >> amount of work here :-( >> >> >> > >> >Best bet is to be ready to catch the next one. >> > >> >1) rebuild dnsmasq with >> > >> >make CFLAGS=-g >> >> Done. >> >> >2) enable coredumps and move to a directory where they can be written >> > >> >ulimit -c unlimited >> >> Done. >> >> >3) run dnsmasq in the foreground >> > >> >dnsmasq -d >> >> D... ops, sorry, I can't run a segfaulting program as root in the >> central server of the department... >> >> I ran it normally and sent it a quit signal but it didn't produce a >> core; it works for other programs. I changed the chdir / in dnsmasq.c >> to "/tmp" to no avail (it does the chdir). Why doesn't it produce a core? >> >If you're changing code, try making > > if (daemon->options & OPT_DEBUG) > prctl(PR_SET_DUMPABLE, 1); > >in dnsmasq.c > >unconditional Worked! 
I had seen it but didn't understand the reason, so I tried without it. It's the setuid that avoids it, and it's a Linux-specific behavior. I really should have RTFM, sorry...

It's now ready for the bug to show up.

To answer Jan, the crash happened after about 22h of operation, so it's not in the new startup code. It was running with query-port=0, so it's not in the new DNS code either. I don't use the new naptr nor server-id-override functions. So I don't see a direct relation to the changes in 2.43...

From carlos at fisica.ufpr.br Mon Jul 14 19:12:33 2008
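The "no core file" problem in this thread comes from Linux clearing a process's dumpable flag whenever its credentials change, which is what a daemon's privilege drop does; Simon's fix is to make the `prctl(PR_SET_DUMPABLE, 1)` call unconditional. This added example, not dnsmasq's code, shows that sequence in a small helper: drop privileges, re-enable dumping, and make sure the core limit is non-zero. The function names are assumed for illustration.

```c
/* Added example, not dnsmasq's own code. On Linux any credential change
 * (setuid/setgid/setresuid/capability drop) resets the process's
 * "dumpable" flag to /proc/sys/fs/suid_dumpable, which is 0 by default,
 * so the kernel silently writes no core. Calling prctl(PR_SET_DUMPABLE, 1)
 * after the drop restores it; RLIMIT_CORE must also be non-zero, which is
 * what "ulimit -c unlimited" sets before the daemon starts. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <unistd.h>

/* Current dumpable flag: 0 (never), 1 (normal), 2 (root-readable only),
 * or -1 if prctl() itself failed. */
int core_dumps_enabled(void)
{
  return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Drop to uid/gid when running as root (no-op otherwise), then re-enable
 * core dumps and raise the soft core limit up to the hard limit.
 * Returns 1 if a core can now be written, 0 if the hard limit forbids it,
 * -1 if the privilege drop or a prctl/rlimit call failed. */
int drop_privs_keep_cores(uid_t uid, gid_t gid)
{
  if (getuid() == 0) {
    if (setgid(gid) != 0 || setuid(uid) != 0)
      return -1;
  }

  /* Done unconditionally, not only in a debug mode: the 2.43 code only did
   * this under OPT_DEBUG (dnsmasq -d), so a normally started daemon dumped
   * nothing after its setuid. */
  if (prctl(PR_SET_DUMPABLE, 1, 0, 0, 0) != 0)
    return -1;

  struct rlimit rl;
  if (getrlimit(RLIMIT_CORE, &rl) != 0)
    return -1;
  if (rl.rlim_cur == 0 && rl.rlim_max != 0)
    rl.rlim_cur = rl.rlim_max;      /* soft limit may not exceed the hard one */
  if (setrlimit(RLIMIT_CORE, &rl) != 0)
    return -1;

  return (rl.rlim_cur != 0 && core_dumps_enabled() == 1) ? 1 : 0;
}

int main(void)
{
  /* Using the current ids keeps this runnable without root. */
  int r = drop_privs_keep_cores(getuid(), getgid());
  printf("dumpable=%d, core possible=%d\n", core_dumps_enabled(), r);
  return r < 0;
}
```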
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Mon Jul 14 19:13:18 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <487858BC.50700@thekelleys.org.uk>
References: <18551.42106.124701.276929@fisica.ufpr.br> <4877A923.7030906@thekelleys.org.uk> <18551.59558.448676.179219@fisica.ufpr.br> <487858BC.50700@thekelleys.org.uk>
Message-ID: <18555.38673.284604.578905@fisica.ufpr.br>

Carlos Carvalho wrote:
> Today dnsmasq died. It was the first time since I use it :-(
>
> In its log there's no sign of problems. The last entry is for a
> DHCPNAK; it's the only such record with 2.43. The kernel log says
>
> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]

It died again today. Again, the last line in the log was a DHCPNAK:

Jul 14 13:19:18 dnsmasq[6873]: DHCP packet: transaction-id is 2892506353
Jul 14 13:19:18 dnsmasq[6873]: Available DHCP subnet: 192.168.25.1/255.255.255.0
Jul 14 13:19:18 dnsmasq[6873]: Vendor class: MSFT 5.0
Jul 14 13:19:18 dnsmasq[6873]: DHCPREQUEST(eth0.25) 10.1.1.6 00:50:c2:50:81:15
Jul 14 13:19:18 dnsmasq[6873]: DHCPNAK(eth0.25) 10.1.1.6 00:50:c2:50:81:15 wrong network

It's the second time it segfaults after this. There are no other NAKs in the logs, so maybe it's reproducible. gdb says it stopped at

Program terminated with signal 11, Segmentation fault.
[New process 6873]
#0  0x080640df in server_id (context=0x0, override={s_addr = 0}) at rfc2131.c:968
968       return context->local;

This is the stack:

#0  0x080640df in server_id (context=0x0, override={s_addr = 0}) at rfc2131.c:968
#1  0x08063463 in dhcp_reply (context=0x0, iface_name=0xbffff234 "eth0.25", int_index=25, sz=300, now=1216052358, unicast_dest=0, is_inform=0xbffff1f8) at rfc2131.c:779
#2  0x0805d933 in dhcp_packet (now=1216052358) at dhcp.c:231
#3  0x0805bdd4 in main (argc=Cannot access memory at address 0xb ) at dnsmasq.c:617

In 2.42 option_put(mess, end, OPTION_SERVER_IDENTIFIER,...) tests for context being null, 2.43 doesn't. Maybe this is why 2.42 survives, which doesn't mean it's correct however.

From simon at thekelleys.org.uk Mon Jul 14 20:12:08 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon Jul 14 20:13:17 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <18555.38673.284604.578905@fisica.ufpr.br>
References: <18551.42106.124701.276929@fisica.ufpr.br> <4877A923.7030906@thekelleys.org.uk> <18551.59558.448676.179219@fisica.ufpr.br> <487858BC.50700@thekelleys.org.uk> <18555.38673.284604.578905@fisica.ufpr.br>
Message-ID: <487BA508.7060507@thekelleys.org.uk>

Carlos Carvalho wrote:
> Carlos Carvalho wrote:
>> Today dnsmasq died. It was the first time since I use it :-(
>>
>> In its log there's no sign of problems. The last entry is for a
>> DHCPNAK; it's the only such record with 2.43. The kernel log says
>>
>> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]
>
> It died again today. Again, the last line in the log was a DHCPNAK:
>

Excellent! Please try out 2.44test1, in the usual place. But be cautious, I've not been able to test it at all whilst at the end of a cellphone link. I believe this fixes Carlos's problem, another I found by inspection, and it also changes the random-port selection code. The last change means that others using port randomisation could usefully test.

The DHCP bugs were introduced in 2.43 in the RFC 5107 server-id-override stuff.

Details in changelog.

Cheers,

Simon.

From simon-dnsmasq at uc.org Mon Jul 14 22:05:11 2008
From: simon-dnsmasq at uc.org (simon-dnsmasq@uc.org)
Date: Mon Jul 14 22:06:49 2008
Subject: [Dnsmasq-discuss] randomly stops resolving and handling dhcp requests

Hi,

I'm having an intermittent issue where dnsmasq stops responding to DNS and DHCP requests and does not recover until I kill the process and restart. It can go for weeks without surfacing, and then happen repeatedly in the span of a few hours. I have a bridge, br0, which is between a wired and wireless network, no firewall rules on it.

Any ideas how I might track down the trigger, or more useful information I should be grabbing when it occurs?

Cheers,
Simon P. Ditner

Config:
------

kernel 2.6.20-16-generic
dnsmasq version 2.41

/etc/dnsmasq.conf:

domain-needed
bogus-priv
interface=br0
dhcp-range=192.168.100.100,192.168.100.254,24h
dhcp-lease-max=50
dhcp-authoritative
dhcp-mac=linksys,00:0E:08:*:*:*
dhcp-option=linksys,66,"192.168.100.1"

Failures:
--------

Example 1: strace:

15:53:07.351736 time(NULL) = 1213213987
15:53:07.351927 stat64("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=58, ...}) = 0
15:53:07.352246 recvmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(60831), sin_addr=inet_addr("192.168.100.60")}, msg_iov(1)=[{"\266\236\1\0\0\1\0\0\0\0\0\0\nbannerfarm\3ace\vadve"..., 1280}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 48
15:53:07.352640 ioctl(4, SIOCGIFNAME, {ifr_index=17, ifr_name="br0"}) = 0
15:53:07.352909 sendto(11, "\376\203\1\0\0\1\0\0\0\0\0\0\nbannerfarm\3ace\vadve"..., 48, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("64.71.255.198")}, 16) = 48
15:53:07.353317 select(12, [3 4 5 6 8 11], [], [], NULL) = 1 (in [11])
15:53:07.362387 time(NULL) = 1213213987
15:53:07.362578 recvfrom(11, "\376\203\201\2
15:55:00.845955 +++ killed by SIGKILL +++

dnsmasq: DHCPDISCOVER(br0) 192.168.100.203 52:54:00:12:34:56
dnsmasq: DHCPOFFER(br0) 192.168.100.201 52:54:00:12:34:56
dnsmasq: DHCPREQUEST(br0) 192.168.100.201 52:54:00:12:34:56
dnsmasq: DHCPACK(br0) 192.168.100.201 52:54:00:12:34:56 gateway
dnsmasq: not giving name gateway to the DHCP lease of 192.168.100.201 because the name exists in /etc/hosts with address 127.0.1.1

Example 2: strace:

16:33:08.572298 time(NULL) = 1213216388
16:33:08.572501 recvfrom(11, "\n\320\201\200\0\1\0\4\0\t\0\t\7content\10worldnow\3co"..., 1280, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("64.71.255.198")}, [16]) = 453
16:33:08.572924 time(NULL) = 1213216388
16:33:08.573083 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1252, ...}) = 0
16:33:08.573391 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1252, ...}) = 0
16:33:08.573673 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1252, ...}) = 0
16:33:08.573971 writev(2, [{"dnsmasq: reply content.worldnow."..., 46}, {"\n", 1}], 2) = 47
16:33:08.574234 send(10, "<135>Jun 11 16:33:08 dnsmasq: re"..., 67, MSG_NOSIGNAL) = 67
16:36:11.278393 +++ killed by SIGKILL +++

dnsmasq: reply a1528.g.akamai.net is 24.153.19.145
dnsmasq: reply a1528.g.akamai.net is 24.153.19.154
dnsmasq: query[A] content.worldnow.com from 192.168.100.60
dnsmasq: forwarded content.worldnow.com to 64.71.255.198
dnsmasq: reply content.worldnow.com is

Example 3: strace:

17:21:15.252922 time(NULL) = 1213219275
17:21:15.253079 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1252, ...}) = 0
17:21:15.253382 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1252, ...}) = 0
17:21:15.253659 stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1252, ...}) = 0
17:21:15.253948 writev(2, [{"dnsmasq: reply thekelleys.org.uk"..., 49}, {"\n", 1}], 2) = 50
17:21:15.254278 send(10, "<135>Jun 11 17:21:15 dnsmasq: re"..., 70, MSG_NOSIGNAL) = 70
17:21:15.254704 sendmsg(4, {msg_name(16)={sa_family=AF_INET, sin_port=htons(34573), sin_addr=inet_addr("192.168.100.60")}, msg_iov(1)=[{"\36\236\205\200\0\1\0\2\0\5\0\0\3www\nthekelleys\3org\2"..., 171}], msg_controllen=24, {cmsg_len=24, cmsg_level=SOL_IP, cmsg_type=, ...}, msg_flags=0}, 0) = 171
17:21:15.255239 select(12, [3 4 5 6 8 11], [], [], NULL) = ? ERESTARTNOHAND (To be restarted)
17:21:15.904756 +++ killed by SIGKILL +++

dnsmasq: reply www.l.google.com is 72.14.205.104
dnsmasq: query[A] www.thekelleys.org.uk from 192.168.100.60
dnsmasq: forwarded www.thekelleys.org.uk to 64.71.255.198
dnsmasq: reply www.thekelleys.org.uk is
dnsmasq: reply thekelleys.org.uk is 86.14.238.176

From carlos at fisica.ufpr.br Mon Jul 14 22:20:08 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Mon Jul 14 22:20:30 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <487BA508.7060507@thekelleys.org.uk>
References: <18551.42106.124701.276929@fisica.ufpr.br> <4877A923.7030906@thekelleys.org.uk> <18551.59558.448676.179219@fisica.ufpr.br> <487858BC.50700@thekelleys.org.uk> <18555.38673.284604.578905@fisica.ufpr.br> <487BA508.7060507@thekelleys.org.uk>
Message-ID: <18555.49928.915479.979701@fisica.ufpr.br>

Simon Kelley (simon@thekelleys.org.uk) wrote on 14 July 2008 20:12:
>Carlos Carvalho wrote:
>> Carlos Carvalho wrote:
>>> Today dnsmasq died. It was the first time since I use it :-(
>>>
>>> In its log there's no sign of problems. The last entry is for a
>>> DHCPNAK; it's the only such record with 2.43. The kernel log says
>>>
>>> Jul 11 14:27:38 hoggar dnsmasq[11797]: segfault at 10 ip 08061e91 sp bfffe770 error 4 in dnsmasq[8048000+22000]
>>
>> It died again today. Again, the last line in the log was a DHCPNAK:
>>
>
>Excellent! Please try out 2.44test1, in the usual place.

Thanks a lot for the impressively fast support. It's running, compiled with debugging and core dump support. Let's see how it behaves.

From steven at springl.ukfsn.org Mon Jul 14 23:25:47 2008
From: steven at springl.ukfsn.org (Steven Jan Springl)
Date: Mon Jul 14 23:26:08 2008
Subject: [Dnsmasq-discuss] dnsmasq rc5 segfault
In-Reply-To: <487BA508.7060507@thekelleys.org.uk>
References: <18551.42106.124701.276929@fisica.ufpr.br> <18555.38673.284604.578905@fisica.ufpr.br> <487BA508.7060507@thekelleys.org.uk>
Message-ID: <200807142325.48009.steven@springl.ukfsn.org>

On Monday 14 July 2008 20:12, Simon Kelley wrote:
> Excellent! Please try out 2.44test1, in the usual place. But be
> cautious, I've not been able to test it at all whilst at the end of a
> cellphone link. I believe this fixes Carlos's problem, another I found
> by inspection, and it also changes the random-port selection code. The
> last change means that others using port randomisation could usefully test.
>
> The DHCP bugs were introduced in 2.43 in the RFC 5107
> server-id-override stuff.
>
> Details in changelog.
>
> Cheers,
>
> Simon.
>

Simon

I have tested it on the following systems:

Debian Etch with supplied kernel
Debian Etch with kernel 2.6.26
Debian Lenny with supplied kernel
Ubuntu 7.10 with supplied kernel

using:

min-port=64000

and with each of the following query-port settings:

query-port=0
query-port=1153
query-port not set

They all work as expected.

Steven.

From hurga-dnsmasq at tigress.com Tue Jul 15 03:32:06 2008
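Steven's matrix above exercises `min-port` together with the `query-port` settings, i.e. the random-port selection that 2.43/2.44test1 changed. As an added example, not dnsmasq's code, here is what a per-query random source port looks like in C: the port is drawn from `[min_port, 65535]`, bound on the loopback address, and confirmed with `getsockname`. A fixed `query-port` value removes exactly this unpredictability and leaves only the 16-bit transaction ID between a forwarded query and a forged reply. The function names and the use of `/dev/urandom` are assumptions of this example.

```c
/* Added example, not dnsmasq's own code: per-query source-port
 * randomisation in the style of --min-port. Assumes IPv4 on 127.0.0.1 and
 * random bytes from /dev/urandom. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Map a 32-bit random value onto [min_port, 65535]. Kept separate from the
 * socket code so the arithmetic can be checked deterministically. The
 * modulo bias is below 2^-16 here (span < 2^16, r has 32 bits), which is
 * negligible for this purpose. */
int port_from_random(uint32_t r, int min_port)
{
  if (min_port < 1 || min_port > 65535)
    min_port = 1024;                      /* assumed fallback: skip privileged ports */
  uint32_t span = 65536u - (uint32_t)min_port;
  return min_port + (int)(r % span);
}

/* Fill *out with 4 random bytes; returns 1 on success, 0 on failure. */
static int random_u32(uint32_t *out)
{
  FILE *f = fopen("/dev/urandom", "rb");
  if (!f)
    return 0;
  size_t n = fread(out, sizeof *out, 1, f);
  fclose(f);
  return n == 1;
}

/* Open a UDP socket for one outgoing query on a random port >= min_port.
 * A port already in use makes bind() fail, so another port is drawn; the
 * attempt cap keeps a nearly full range from spinning forever.
 * Returns the socket fd and stores the bound port in *bound_port, or -1. */
int open_random_query_socket(int min_port, int *bound_port)
{
  for (int attempt = 0; attempt < 32; attempt++) {
    uint32_t r;
    if (!random_u32(&r))
      return -1;
    int port = port_from_random(r, min_port);

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
      return -1;

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
      socklen_t len = sizeof sa;            /* confirm what was actually bound */
      if (getsockname(fd, (struct sockaddr *)&sa, &len) == 0) {
        *bound_port = ntohs(sa.sin_port);
        return fd;
      }
    }
    close(fd);                              /* in use or failed: draw again */
  }
  return -1;
}

int main(void)
{
  int port = -1;
  int fd = open_random_query_socket(4096, &port);
  if (fd >= 0) {
    printf("query socket bound to 127.0.0.1:%d\n", port);
    close(fd);
  }
  return fd < 0;
}
```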
From: hurga-dnsmasq at tigress.com (Hanno Foest)
Date: Tue Jul 15 03:32:23 2008
Subject: [Dnsmasq-discuss] Multiple entries in /etc/ethers with same IP not working
Message-ID: <20080715023205.GH1369@tigress.com>

Hi,

I tried to use static entries in /etc/ethers today, and I thought it would be a good idea to assign the same IP to both MACs of my laptop (for WLAN and ethernet), so that the computer gets the same IP/host name no matter which network connection I use.

Unfortunately it didn't work. The logs indicated that /etc/ethers was being read, but it had no effect, I still got dynamic IPs assigned. But as soon as I deleted the line for the other MAC, or gave it a different IP, things started to work as expected.

Question: Is this a bug, or is this behaviour intentional? (Why?)

I'm running dnsmasq 2.35-1 on OpenWRT 0.9 (Whiterussian).

Hanno

From hurga-dnsmasq at tigress.com Tue Jul 15 17:15:38 2008
From: hurga-dnsmasq at tigress.com (Hanno Foest)
Date: Tue Jul 15 17:26:06 2008
Subject: [Dnsmasq-discuss] Multiple entries in /etc/ethers with same IP not working
In-Reply-To: <2e59e6970807150627m626f92bo7ae3711b8169799b@mail.gmail.com>
References: <20080715023205.GH1369@tigress.com> <2e59e6970807150627m626f92bo7ae3711b8169799b@mail.gmail.com>
Message-ID: <20080715161538.GN1369@tigress.com>

On Tue, Jul 15, 2008 at 01:27:54PM +0000, richardvoigt@gmail.com wrote:
> If there is already a valid lease for a particular IP address, the DHCP
> forbids handing it out to a different NIC, because the first one can
> continue using it up until lease expiration without contacting the DHCP
> server again.

I noticed that when experimenting, so I removed the dynamic lease before doing more tests. So this isn't the source of the problem I see.

> A better way to do this might be to bridge the two interfaces on the laptop,
> so that only one MAC address is reported to the outside world (and dnsmasq)
> regardless of which physical medium is used. You'd then rely on spanning
> tree to choose one of the two interfaces when both connect.

Sure, I could do that. But that would mean considerable extra work for every computer I want to hook up to my home network, when in theory one extra line in /etc/ethers should achieve something similar. I can work around the problem I see, sure, but I'd prefer a bug fix.

> > I'm running dnsmasq 2.35-1 on OpenWRT 0.9 (Whiterussian).
>
> You might start by upgrading, that version is 8 or 9 releases out of date.

All I'm asking is if what I'm seeing is expected behaviour. There's little point in upgrading if there's no bug to fix.

Hanno

From simon at thekelleys.org.uk Tue Jul 15 18:37:24 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Jul 15 18:37:43 2008
Subject: [Dnsmasq-discuss] randomly stops resolving and handling dhcp requests
Message-ID: <487CE054.4040703@thekelleys.org.uk>

simon-dnsmasq@uc.org wrote:
> Hi,
>
> I'm having an intermittent issue where dnsmasq stops responding to
> DNS and DHCP requests and does not recover until I kill the process
> and restart. It can go for weeks without surfacing, and then happen
> repeatedly in the span of a few hours. I have a bridge, br0, which is
> between a wired and wireless network, no firewall rules on it.
>
> Any ideas how I might track down the trigger, or more useful
> information I should be grabbing when it occurs?
>
> Cheers, Simon P. Ditner
>
> Config: ------
>
> kernel 2.6.20-16-generic dnsmasq version 2.41

This may well be a known bug in 2.41: from the changelog:

Fix subtle bug in cache code which could cause dnsmasq to lock spinning CPU in rare circumstances. Thanks to Alex Chekholko for bug reports and help debugging.

Best course of action is probably upgrade to 2.43 and see if that fixes things.

Cheers,

Simon.

From simon at thekelleys.org.uk Tue Jul 15 19:54:47 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Jul 15 19:55:03 2008
Subject: [Dnsmasq-discuss] Update on DNS spoofing hole.
Message-ID: <487CF277.7070405@thekelleys.org.uk>

Dnsmasq users:

There has been some confusion about the exact nature of the newly-discovered DNS hole, and if dnsmasq is affected. I just talked to Dan Kaminsky and can confirm that dnsmasq is potentially vulnerable. All users should therefore upgrade. Ensure that the --query-port option (which will disable query-port randomisation) is _not_ used except on tightly-controlled networks.

Also note that version 2.43, which was rushed out to fix this hole, has a crash bug in unrelated DHCP code. This is only triggered in rare circumstances. Distribution authors may like to wait for version 2.44, due next week, which fixes this problem.

Cheers,

Simon.

From carlos at fisica.ufpr.br Tue Jul 15 21:11:46 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Tue Jul 15 21:12:15 2008
Subject: [Dnsmasq-discuss] Multiple entries in /etc/ethers with same IP not working
In-Reply-To: <20080715023205.GH1369@tigress.com>
References: <20080715023205.GH1369@tigress.com>
Message-ID: <18557.1154.452237.314242@fisica.ufpr.br>

Hanno Foest (hurga-dnsmasq@tigress.com) wrote on 15 July 2008 04:32:
>I tried to use static entries in /etc/ethers today, and I thought it
>would be a good idea to assign the same IP to both MACs of my laptop
>(for WLAN and ethernet), so that the computer gets the same IP/host name
>no matter which network connection I use.
>
>Unfortunately it didn't work.

Yes, that's not possible because the server doesn't know that it's the same machine, so it cannot give the same IP. You have to tell it by making the client send a client-id. Then you can configure dnsmasq to give an IP based on the client-id instead of the ethernet address.

From hurga-dnsmasq at tigress.com Wed Jul 16 13:08:17 2008
From: hurga-dnsmasq at tigress.com (Hanno Foest)
Date: Wed Jul 16 13:08:39 2008
Subject: [Dnsmasq-discuss] Multiple entries in /etc/ethers with same IP not working
Message-ID: <20080716120817.GT1369@tigress.com>

Carlos Carvalho (carlos@fisica.ufpr.br) wrote on 15 July 2008 21:11:
> Yes, that's not possible because the server doesn't know that it's the
> same machine, so it cannot give the same IP.

I'd have thought that I just told the server that by giving both MACs with the same IP in /etc/ethers :)

> You have to tell it by
> making the client send a client-id. Then you can configure dnsmasq to
> give an IP based on the client-id instead of the ethernet address.

Sounds like a good workaround, thanks. I'll look into it.

-Hanno

From jw5-dns at os.inf.tu-dresden.de Wed Jul 16 23:26:53 2008
From: jw5-dns at os.inf.tu-dresden.de (Jean Wolter)
Date: Wed Jul 16 23:27:15 2008
Subject: [Dnsmasq-discuss] 2.44test1 crashes after HUP and route changes
Message-ID: <86hcapjwia.fsf@erwin.inf.tu-dresden.de>

Hello,

it looks like there is a bug in 2.44test1. It crashed in nl_routechange, apparently while dereferencing daemon->srv_save->sfd, which is set to zero in reload_servers().

Information from the core file:

Core was generated by `dnsmasq --min-port=4096'.
Program terminated with signal 11, Segmentation fault.
#0  0x0805afa9 in nl_routechange (h=0x10) at netlink.c:245
245       while(sendto(daemon->srv_save->sfd->fd, daemon->packet, daemon->packet_len, 0,
246                    &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send());

0x0805af87 : mov    0x8062e78,%eax
0x0805af8c : pushl  0x118(%eax)        # &daemon->srv_save->addr.sa
0x0805af92 : push   $0x0               # 0
0x0805af94 : pushl  0x11c(%eax)        # daemon->packet_len
0x0805af9a : pushl  0xf0(%eax)         # daemon->packet
0x0805afa0 : mov    0x118(%eax),%eax
0x0805afa6 : mov    0x4c(%eax),%eax
0x0805afa9 : pushl  (%eax)             # daemon->srv_save->sfd->fd, with sfd == 0
0x0805afab : call   0x8049958

(gdb) i r eax
eax            0x0      0

eax is zero, dereferencing it leads to a SEGV.

It looks like dnsmasq received a HUP to re-read its config files and detected a route change shortly after that. It tries to re-send the last request, and dereferences daemon->srv_save->sfd, which was set to 0 while re-reading the config files.

regards,
Jean

From davidgilman1 at gmail.com Thu Jul 17 07:03:00 2008
From: davidgilman1 at gmail.com (David Gilman)
Date: Thu Jul 17 07:03:20 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.43 regression: unable to build on MacOS X + patch!
Message-ID: <2ecc919e0807162303k4d42b103sa85e117cbd991bd6@mail.gmail.com>

Building a vanilla 2.43 dnsmasq on MacOS X 10.5 dies with this error:

rfc1035.c: In function 'answer_request':
rfc1035.c:1480: error: 'T_NAPTR' undeclared (first use in this function)
rfc1035.c:1480: error: (Each undeclared identifier is reported only once
rfc1035.c:1480: error: for each function it appears in.)

After screwing around with it I've got a patch that makes it build.

--- src/config.h.old 2008-07-17 01:50:13.000000000 -0400 +++ src/config.h 2008-07-17 01:50:30.000000000 -0400 @@ -245,8 +245,6 @@ #define HAVE_SOCKADDR_SA_LEN /* Define before sys/socket.h is included so we get socklen_t */ #define _BSD_SOCKLEN_T_ -/* This is not defined in Mac OS X arpa/nameserv.h */ -#define IN6ADDRSZ 16 #elif defined(__NetBSD__) #define HAVE_BSD_NETWORK --- src/dnsmasq.h.old 2008-07-17 01:52:39.000000000 -0400 +++ src/dnsmasq.h 2008-07-17 01:53:58.000000000 -0400 @@ -33,10 +33,11 @@ #include #ifdef __APPLE__ -/* need this before arpa/nameser.h */ -# define BIND_8_COMPAT +# include +# include +#else +# include #endif -#include /* and this. */ #include

From abnormaliti at clivepeeters.com.au Thu Jul 17 09:01:55 2008
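Review bot: Removing `#define IN6ADDRSZ 16` from the `__APPLE__` block of config.h leaves nothing in this hunk that supplies the macro, and the comment being deleted says Mac OS X's arpa/nameser.h does not define it. Please state which header now provides IN6ADDRSZ (presumably one of the includes added in the dnsmasq.h hunk) so the change can be checked, and confirm the file still builds on a non-Apple target since config.h is shared.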
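Review bot: The `# include` lines in the dnsmasq.h hunk have no file names (the angle-bracketed targets appear to have been stripped in transit), so the patch cannot be applied as posted; please resend it as a plain-text attachment. Dropping `#define BIND_8_COMPAT`, which the removed comment says is needed before arpa/nameser.h on Apple, changes which names that header exports (T_NAPTR among them, per the build error above), so the description should say how T_NAPTR is resolved after the change.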
From: abnormaliti at clivepeeters.com.au (Ben)
Date: Thu Jul 17 09:02:21 2008
Subject: [Dnsmasq-discuss] feature request: multiple domain support
Message-ID: <487EFC73.40203@clivepeeters.com.au>

I would like to request that multiple "domain" options be supported.

I have read through the archives and know and understand the backward compatibility issues it would raise, but it has been requested several times before and would obviously be useful for many users.

I would see the support being along the lines of supporting multiple lease files to avoid modifying the lease file format.

Example:

dhcp-range=lan1,192.168.1.100,192.168.1.150,255.255.255.0,24h
dhcp-range=lan2,192.168.2.100,192.168.2.150,255.255.255.0,24h

dhcp-leasefile=net:lan1,/var/lib/dnsmasq/dnsmasq-lan1.leases
dhcp-leasefile=net:lan2,/var/lib/dnsmasq/dnsmasq-lan2.leases

domain=net:lan1,demo1.example.com
domain=net:lan2,demo2.example.com

This would allow the lease file to keep its syntax and only the daemon would need to know that names or IPs resolved from the lease files are associated with particular domain names depending on the lease file they came from.

What do you think?

Ben

From simon at thekelleys.org.uk Thu Jul 17 18:22:27 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 17 18:22:47 2008
Subject: [Dnsmasq-discuss] 2.44test1 crashes after HUP and route changes
In-Reply-To: <86hcapjwia.fsf@erwin.inf.tu-dresden.de>
References: <86hcapjwia.fsf@erwin.inf.tu-dresden.de>
Message-ID: <487F7FD3.8060508@thekelleys.org.uk>

Jean Wolter wrote:
> Hello,
>
> it looks like there is a bug in 2.44test1. It crashed in
> nl_routechange, apparently while dereferencing daemon->srv_save->sfd,
> which is set to zero in reload_servers().
>
> Information from the core file:
>
> Core was generated by `dnsmasq --min-port=4096'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x0805afa9 in nl_routechange (h=0x10) at netlink.c:245
> 245       while(sendto(daemon->srv_save->sfd->fd, daemon->packet, daemon->packet_len, 0,
> 246                    &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send());
>
> 0x0805af87 : mov    0x8062e78,%eax
> 0x0805af8c : pushl  0x118(%eax)        # &daemon->srv_save->addr.sa
> 0x0805af92 : push   $0x0               # 0
> 0x0805af94 : pushl  0x11c(%eax)        # daemon->packet_len
> 0x0805af9a : pushl  0xf0(%eax)         # daemon->packet
> 0x0805afa0 : mov    0x118(%eax),%eax
> 0x0805afa6 : mov    0x4c(%eax),%eax
> 0x0805afa9 : pushl  (%eax)             # daemon->srv_save->sfd->fd, with sfd == 0
> 0x0805afab : call   0x8049958
>
> (gdb) i r eax
> eax            0x0      0
>
> eax is zero, dereferencing it leads to a SEGV.
>
> It looks like dnsmasq received a HUP to re-read its config files and
> detected a route change shortly after that. It tries to re-send the
> last request, and dereferences daemon->srv_save->sfd, which was set to
> 0 while re-reading the config files.
>

Many thanks, yes, that's an unintended side-effect of the random-port changes in 2.43. I'll post a fixed version ASAP.

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Jul 17 19:14:23 2008
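The failure mode in this exchange, a retry path that trusts a pointer whose target was invalidated by a config reload, is easier to see in isolation than in a backtrace. The C below is a model written for this page and is not dnsmasq source: the struct and field names echo the report (srv_save, sfd, packet) but every body, the simulated sendto() and the scenario values are constructed for the example. It keeps the unguarded retry from the backtrace as the "before", puts a guarded retry beside it, and shows a reload that also clears the saved retry state so a later route change has nothing stale to pick up.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the structures named in the backtrace. */
struct serverfd { int fd; };
struct server   { struct serverfd *sfd; };

struct daemon_state {
    struct server *srv_save;   /* server the last query went to, kept for retry */
    unsigned char packet[64];  /* the last query, kept for retry */
    size_t packet_len;
    int sends;                 /* simulated sendto() calls so far */
};

/* Stand-in for sendto(): records the call instead of touching the network. */
static int fake_sendto(struct daemon_state *d, int fd)
{
    (void)fd;
    d->sends++;
    return 0;
}

/* The retry as the backtrace shows it: trusts srv_save->sfd blindly and
 * dereferences NULL after reload_servers_stale(). Kept as the "before";
 * nothing below calls it. */
int resend_last_query_unguarded(struct daemon_state *d)
{
    return fake_sendto(d, d->srv_save->sfd->fd);
}

/* Reload as the report describes it: the server's socket is dropped,
 * but srv_save still points at that server. */
void reload_servers_stale(struct daemon_state *d)
{
    if (d->srv_save)
        d->srv_save->sfd = NULL;
}

/* Reload that also invalidates the retry state, so nothing stale survives. */
void reload_servers_clean(struct daemon_state *d)
{
    if (d->srv_save)
        d->srv_save->sfd = NULL;
    d->srv_save = NULL;
    d->packet_len = 0;
}

/* Guarded retry: 0 when a resend happened, -1 when any piece of the saved
 * state is missing and there is nothing safe to retry. */
int resend_last_query_guarded(struct daemon_state *d)
{
    if (!d->srv_save || !d->srv_save->sfd || d->packet_len == 0)
        return -1;
    return fake_sendto(d, d->srv_save->sfd->fd);
}

/* Scenario from the report: route change (retry), HUP (reload), route
 * change (retry again). Returns the second retry's result; *sends, if
 * non-NULL, receives the total number of simulated sends. All values
 * are constructed for the example. */
int scenario(int clean_reload, int *sends)
{
    struct daemon_state d;
    struct server srv;
    struct serverfd sfd = { 7 };
    int rc;

    memset(&d, 0, sizeof d);
    srv.sfd = &sfd;
    d.srv_save = &srv;
    memcpy(d.packet, "\x12\x34\x01\x00\x00\x01\x00\x00", 8); /* fake query header */
    d.packet_len = 8;

    resend_last_query_guarded(&d);            /* state intact: sends once */
    if (clean_reload)
        reload_servers_clean(&d);
    else
        reload_servers_stale(&d);
    rc = resend_last_query_guarded(&d);       /* -1 either way, no SIGSEGV */
    if (sends)
        *sends = d.sends;
    return rc;
}

/* Convenience for callers that only want the send count. */
int scenario_sends(int clean_reload)
{
    int sends = 0;
    scenario(clean_reload, &sends);
    return sends;
}

int main(void)
{
    printf("stale reload: rc=%d sends=%d\n", scenario(0, NULL), scenario_sends(0));
    printf("clean reload: rc=%d sends=%d\n", scenario(1, NULL), scenario_sends(1));
    return 0;
}
```

The guard alone stops the crash, but it leaves a window in which a retry is silently skipped; clearing the saved state in the reload makes that window explicit, which is the property a reviewer would want in the real code path.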
From: simon at thekelleys.org.uk (Simon Kelley) Date: Thu Jul 17 19:14:48 2008 Subject: [Dnsmasq-discuss] 2.44test2 Message-ID: <487F8BFF.9030904@thekelleys.org.uk> Is in the normal place. This applies David's patch, and fixes (I hope) Jean's crash. Cheers, Simon. From troy at piggo.com Fri Jul 18 00:54:24 2008 
From: troy at piggo.com (Troy Piggins) Date: Fri Jul 18 00:54:50 2008 Subject: [Dnsmasq-discuss] using squid with dnsmasq and hosts file Message-ID: <20080718091127@troy.piggo.com> Not sure if this is a squid or dnsmasq problem, so hope you don't mind me asking same question in 2 lists. I'm using squid3 as a transparent proxy by redirecting port 80 in iptables, and dnsmasq as well. This all works fine. But now I'm trying to utilise the mvps hosts file to block malicious URLs and am having trouble getting squid to recognise this hosts file. On a previous installation I had the mvps hosts file saved as /etc/hosts.mvps and set up dnsmasq to read this file as an additional hosts file. I changed the IP addresses in the mvps hosts file from 127.0.0.1 to 192.168.0.100 and set up a virtual IP address and web page so that if a browser on the network wanted to connect to a URL that was in the hosts file, the user would get a locally served page saying "sorry, malicious site blocked" or something like that. I thought that was all pretty cool. So now I have the same setup, but have installed squid as this transparent proxy. It is all working fine... except that squid seems to be bypassing the /etc/hosts.mvps file. So normal pages are viewed fine. And if I ping one of the mvps hosts from the commandline it correctly returns the IP address 192.168.0.100. And if I put the URL 192.168.0.100 in a browser I get the correct blocked site message. But from a browser if I try to view a website listed in the mvps hosts file, I don't get the blocked site message page, I get the real (malicious) one. IIUC squid should be reading /etc/resolv.conf for DNS? Mine is nameserver 127.0.0.1 search isp.invalid And so if it's using localhost and DNS, that's dnsmasq and the mvps hosts file should come into play. What am I missing? As an alternative, I've seen reference to using mvps entries somehow in squid.conf acls or rules, but haven't found a good explanation of /how/ to do this or examples. 
Any pointers there if that's the better way to go? Hope I've provided enough details. -- Troy Piggins From richardvoigt at gmail.com Fri Jul 18 06:15:57 2008 
From: richardvoigt at gmail.com (richardvoigt@gmail.com) Date: Fri Jul 18 06:16:17 2008 Subject: [Dnsmasq-discuss] using squid with dnsmasq and hosts file In-Reply-To: <20080718091127@troy.piggo.com> References: <20080718091127@troy.piggo.com> Message-ID: <2e59e6970807172215l41c9818ey8e96deea40b2c9c3@mail.gmail.com> On Thu, Jul 17, 2008 at 11:54 PM, Troy Piggins wrote: > Not sure if this is a squid or dnsmasq problem, so hope you don't > mind me asking same question in 2 lists. > > I'm using squid3 as a transparent proxy by redirecting port 80 > in iptables, and dnsmasq as well. This all works fine. But now > I'm trying to utilise the mvps hosts file to block malicious > URLs and am having trouble getting squid to recognise this hosts > file. > > On a previous installation I had the mvps hosts file saved as > /etc/hosts.mvps and set up dnsmasq to read this file as an > additional hosts file. I changed the IP addresses in the mvps > hosts file from 127.0.0.1 to 192.168.0.100 and set up a virtual > IP address and web page so that if a browser on the network > wanted to connect to a URL that was in the hosts file, the user > would get a locally served page saying "sorry, malicious site > blocked" or something like that. I thought that was all pretty > cool. > > So now I have the same setup, but have installed squid as this > transparent proxy. It is all working fine... except that squid > seems to be bypassing the /etc/hosts.mvps file. > So normal pages are viewed fine. > And if I ping one of the mvps hosts from the commandline it > correctly returns the IP address 192.168.0.100. > And if I put the URL 192.168.0.100 in a browser I get the correct > blocked site message. > But from a browser if I try to view a website listed in the mvps > hosts file, I don't get the blocked site message page, I get the > real (malicious) one. > > IIUC squid should be reading /etc/resolv.conf for DNS? 
> Mine is
>
> nameserver 127.0.0.1
> search isp.invalid
>
> And so if it's using localhost and DNS, that's dnsmasq and the
> mvps hosts file should come into play.
>
> What am I missing?

I don't know a whole lot about squid, just that it is a caching proxy. As a result, alternative configurations you tried might not have been properly tested if you didn't wipe the cache.

If you intend to troubleshoot, I'd suggest clearing the squid cache and then running wireshark, listening to udp and tcp port 53 while you browse to one of the blocked pages.

> As an alternative, I've seen reference to using mvps entries
> somehow in squid.conf acls or rules, but haven't found a good
> explanation of /how/ to do this or examples. Any pointers there
> if that's the better way to go?
>
> Hope I've provided enough details.
>
> --
> Troy Piggins
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080718/e513eeed/attachment.htm

From troy at piggo.com Fri Jul 18 06:34:36 2008
From: troy at piggo.com (Troy Piggins)
Date: Fri Jul 18 06:34:59 2008
Subject: [Dnsmasq-discuss] Re: using squid with dnsmasq and hosts file
In-Reply-To: <2e59e6970807172215l41c9818ey8e96deea40b2c9c3@mail.gmail.com>
References: <20080718091127@troy.piggo.com> <2e59e6970807172215l41c9818ey8e96deea40b2c9c3@mail.gmail.com>
Message-ID: <20080718153137@troy.piggo.com>

* richardvoigt@gmail.com wrote :
>* Troy Piggins wrote:
>
>> Not sure if this is a squid or dnsmasq problem, so hope you don't
>> mind me asking same question in 2 lists.
>>
>> I'm using squid3 as a transparent proxy by redirecting port 80
>> in iptables, and dnsmasq as well. This all works fine. But now
>> I'm trying to utilise the mvps hosts file to block malicious
>> URLs and am having trouble getting squid to recognise this hosts
>> file.
>>
>> On a previous installation I had the mvps hosts file saved as
>> /etc/hosts.mvps and set up dnsmasq to read this file as an
>> additional hosts file. I changed the IP addresses in the mvps
>> hosts file from 127.0.0.1 to 192.168.0.100 and set up a virtual
>> IP address and web page so that if a browser on the network
>> wanted to connect to a URL that was in the hosts file, the user
>> would get a locally served page saying "sorry, malicious site
>> blocked" or something like that. I thought that was all pretty
>> cool.
>>
>> So now I have the same setup, but have installed squid as this
>> transparent proxy. It is all working fine... except that squid
>> seems to be bypassing the /etc/hosts.mvps file.
>> So normal pages are viewed fine.
>> And if I ping one of the mvps hosts from the commandline it
>> correctly returns the IP address 192.168.0.100.
>> And if I put the URL 192.168.0.100 in a browser I get the correct
>> blocked site message.
>> But from a browser if I try to view a website listed in the mvps
>> hosts file, I don't get the blocked site message page, I get the
>> real (malicious) one.
>>
>> IIUC squid should be reading /etc/resolv.conf for DNS? Mine is
>>
>> nameserver 127.0.0.1
>> search isp.invalid
>>
>> And so if it's using localhost and DNS, that's dnsmasq and the
>> mvps hosts file should come into play.
>>
>> What am I missing?
>
> I don't know a whole lot about squid, just that it is a caching proxy.
> As a result, alternative configurations you tried might not have
> been properly tested if you didn't wipe the cache.
>
> If you intend to troubleshoot, I'd suggest clearing the squid cache and
> then running wireshark, listening to udp and tcp port 53 while you browse
> to one of the blocked pages.

Thanks for the tips. I'm trying a squid-based solution.

--
Troy Piggins

From simon at thekelleys.org.uk Sun Jul 20 15:20:09 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Jul 20 15:23:07 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.44 available.
Message-ID: <48834999.4010401@thekelleys.org.uk>

I've released dnsmasq version 2.44. This is a stability release. It fixes crash problems in 2.43. The crashes occur when a DHCP client renews a non-existent lease for an invalid subnet, when a DHCP client which does not have a lease does DHCPINFORM, and a crash which can occur when network configuration changes. Thanks to bug reporters and testers who found these problems in the (somewhat rushed) 2.43 release.

http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.44.tar.gz
http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.44.tar.lzma

Full Changelog:

version 2.44
            Fix crash when unknown client attempts to renew a DHCP lease,
            problem introduced in version 2.43. Thanks to Carlos Carvalho
            for help chasing this down.

            Fix potential crash when a host which doesn't have a lease
            does DHCPINFORM. Again introduced in 2.43. This bug has never
            been reported in the wild.

            Fix crash in netlink code introduced in 2.43. Thanks to Jean
            Wolter for finding this.

            Change implementation of min_port to work even if min-port
            is large.

            Patch to enable compilation of latest Mac OS X. Thanks to
            David Gilman.

Cheers,

Simon.

From simon at thekelleys.org.uk Sun Jul 20 15:36:33 2008
From: simon at thekelleys.org.uk (Simon Kelley) Date: Sun Jul 20 15:39:27 2008 Subject: [Dnsmasq-discuss] feature request: multiple domain support In-Reply-To: <487EFC73.40203@clivepeeters.com.au> References: <487EFC73.40203@clivepeeters.com.au> Message-ID: <48834D71.2080306@thekelleys.org.uk> Ben wrote: > I would like request that multiple "domain" options be supported. > > I have read through the archives and know and understand the backward > compatibility issues it would raise but it has been requested several > times before and would obviously be useful for many users. > > I would see the support being along the lines of supporting multiple > lease files to avoid modifying the lease file format. > > Example: > > dhcp-range=lan1,192.168.1.100,192.168.1.150,255.255.255.0,24h > dhcp-range=lan2,192.168.2.100,192.168.2.150,255.255.255.0,24h > > dhcp-leasefile=net:lan1,/var/lib/dnsmasq/dnsmasq-lan1.leases > dhcp-leasefile=net:lan2,/var/lib/dnsmasq/dnsmasq-lan2.leases > > domain=net:lan1,demo1.example.com > domain=net:lan2,demo2.example.com > > > This would allow the lease file to keep its syntax and only the daemon > would need to know that names or ips resolved from the lease files are > associated with particular domain names depending on the lease file they > came from. > > What do you think? > I think it could actually be simpler than this: if one is willing to accept that the domain-in-use is controlled by a tag, (lan1, lan2 in your example) then it doesn't have to be stored anywhere in the lease database, so the elaboration of multiple lease files is not needed. The domain in use comes from the set of tags, and probably, most likely from the subnet, as in your example. I'll look at implementing this, soon, but I've spent way too much time on dnsmasq in the last couple of weeks, so it may be a little while. Ben, please feel free to prod me again if it slips my mind and you don't hear back. Cheers, Simon. From g.esp at free.fr Sun Jul 20 16:01:43 2008 
From: g.esp at free.fr (Gilles Espinasse)
Date: Sun Jul 20 15:59:41 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.44 available.
References: <48834999.4010401@thekelleys.org.uk>
Message-ID: <16da01c8ea79$85d880c0$f9b5a8c0@pii350>

----- Original Message -----
From: "Simon Kelley"
To: "dnsmasq discussion list"
Sent: Sunday, July 20, 2008 4:20 PM
Subject: [Dnsmasq-discuss] dnsmasq 2.44 available.

...
> Change implementation of min_port to work even if min-port
> is large.
>

Thanks again for this release.

Should there not be, in the future, a limit check on the min-port value? It looks to accept any value I try, even something greater than 65536. (tested on 2.43)

Gilles

From bod at bod.org Sun Jul 20 16:16:25 2008
From: bod at bod.org (Paul Chambers)
Date: Sun Jul 20 16:16:44 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.44 available.
In-Reply-To: <48834999.4010401@thekelleys.org.uk>
References: <48834999.4010401@thekelleys.org.uk>
Message-ID: <488356C9.2020502@bod.org>

The .gz URL isn't working for me, either with wget or firefox. I'm getting a '302 Object Moved' to 'http://dnsmasq/dnsmasq-2.44.tat.gz' (as reported by wget)

http://www.thekellys.org.uk/dnsmasq redirects to http://dnsmasq.com which is probably related ;)

Paul

Simon Kelley wrote:
> I've released dnsmasq version 2.44. This is a stability release. It
> fixes crash problems in 2.43. The crashes occur when a DHCP client
> renews a non-existent lease for an invalid subnet, when a DHCP client
> which does not have a lease does DHCPINFORM and a crash which can
> occur when network configuration changes. Thanks to bug reporters and
> testers who found these problems in the (somewhat rushed) 2.43 release.
>
> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.44.tar.gz
> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.44.tar.lzma

From g.esp at free.fr Sun Jul 20 16:26:54 2008
From: g.esp at free.fr (Gilles Espinasse) Date: Sun Jul 20 16:24:53 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.44 available. References: <48834999.4010401@thekelleys.org.uk> <488356C9.2020502@bod.org> Message-ID: <16f701c8ea7d$0ade1fc0$f9b5a8c0@pii350> ----- Original Message ----- From: "Paul Chambers" To: "dnsmasq discussion list" Sent: Sunday, July 20, 2008 5:16 PM Subject: Re: [Dnsmasq-discuss] dnsmasq 2.44 available. > The .gz URL isn't working for me, either with wget or firefox. I'm > getting a '302 Object Moved' to 'http://dnsmasq/dnsmasq-2.44.tat.gz' (as > reported by wget) > > http://www.thekellys.org.uk/dnsmasq redirects to http://dnsmasq.com > which is probably related ;) > > Paul > Cyber-squatter. Fix your url with s/kellys/kelleys/ that give a better result. Gilles From carlos at fisica.ufpr.br Sun Jul 20 16:24:58 2008 From: carlos at fisica.ufpr.br (Carlos Carvalho) Date: Sun Jul 20 16:25:23 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.44 available. In-Reply-To: <488356C9.2020502@bod.org> References: <48834999.4010401@thekelleys.org.uk> <488356C9.2020502@bod.org> Message-ID: <18563.22730.188801.691422@fisica.ufpr.br> Paul Chambers (bod@bod.org) wrote on 20 July 2008 08:16: >The .gz URL isn't working for me, either with wget or firefox. I'm >getting a '302 Object Moved' to 'http://dnsmasq/dnsmasq-2.44.tat.gz' (as >reported by wget) > >http://www.thekellys.org.uk/dnsmasq redirects to http://dnsmasq.com >which is probably related ;) Everything works fine for me, at Dom Jul 20 15:24:44 UTC 2008. From weizen_42 at ipcop-forum.de Sun Jul 20 16:56:55 2008 
From: weizen_42 at ipcop-forum.de (Olaf Westrik) Date: Sun Jul 20 16:57:17 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.44 available. In-Reply-To: <488356C9.2020502@bod.org> References: <48834999.4010401@thekelleys.org.uk> <488356C9.2020502@bod.org> Message-ID: <48836047.70303@ipcop-forum.de> Paul Chambers wrote: > The .gz URL isn't working for me, either with wget or firefox. I'm > getting a '302 Object Moved' to 'http://dnsmasq/dnsmasq-2.44.tat.gz' (as > reported by wget) > > http://www.thekellys.org.uk/dnsmasq redirects to http://dnsmasq.com > which is probably related ;) I get the same error, but only when using kellys instead of kelleys in the URL ;-) Olaf From steven at midlink.org Sun Jul 20 18:44:26 2008 
From: steven at midlink.org (Steven Barth)
Date: Sun Jul 20 18:44:43 2008
Subject: [Dnsmasq-discuss] Dnsmasq 2.44 refuses DNS-Queries from LAN clients
Message-ID: <200807201944.26559.steven@midlink.org>

Hello,

it looks like there is an issue with the latest 2.44 version of Dnsmasq. I recently upgraded the Dnsmasq on my router from 2.43 to 2.44 and it started to refuse DNS-Queries from PCs in the LAN. Downgrading to 2.43 made it work again.

This is the output of host on a PC in the LAN:
> host -v kernel.org 192.168.2.1
> Trying "kernel.org"
> Received 28 bytes from 192.168.2.1#53 in 14 ms
> Trying "kernel.org"
> Using domain server:
> Name: 192.168.2.1
> Address: 192.168.2.1#53
> Aliases:
>
> Host kernel.org not found: 5(REFUSED)
> Received 28 bytes from 192.168.2.1#53 in 12 ms

The same request on the router running Dnsmasq itself worked flawlessly:
> root@OpenWrt:/# nslookup kernel.org 192.168.2.1
> Server: 192.168.2.1
> Address 1: 192.168.2.1
>
> Name: kernel.org
> Address 1: 204.152.191.5 pub1.kernel.org
> Address 2: 204.152.191.37 pub2.kernel.org

Running dnsmasq -qd for debug purposes:
the host-call produced the following output on the router:
> dnsmasq: query[A] kernel.org from 192.168.2.2
> dnsmasq: query[A] kernel.org from 192.168.2.2

the nslookup-call:
> dnsmasq: query[PTR] 1.2.168.192.in-addr.arpa from 127.0.0.1
> dnsmasq: query[PTR] 1.2.168.192.in-addr.arpa from 127.0.0.1
> dnsmasq: query[PTR] 1.2.168.192.in-addr.arpa from 127.0.0.1
> dnsmasq: query[AAAA] kernel.org from 127.0.0.1
> dnsmasq: query[AAAA] kernel.org from 127.0.0.1
> dnsmasq: query[AAAA] kernel.org from 127.0.0.1

This behaviour occurred on both a Linksys WRT54GL (OpenWRT Kamikaze, MIPSel, Linux 2.4/uclibc) and a Netgear WGT634U (OpenWRT Kamikaze, MIPSel, Linux 2.6/uclibc).

It seems that setting --min-port to anything from 1 to 65535 works around this but I think this is not expected behaviour.
The following patches have been applied before building (after being refreshed): https://dev.openwrt.org/cgi-bin/trac.fcgi/browser/trunk/package/dnsmasq/patches/101-ipv6.patch https://dev.openwrt.org/cgi-bin/trac.fcgi/browser/trunk/package/dnsmasq/patches/102-rtnetlink.patch compile time options: IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N TFTP Greetings Steven From grant_lkml at dodo.com.au Sun Jul 20 19:18:37 2008 
From: grant_lkml at dodo.com.au (Grant Coady)
Date: Sun Jul 20 19:19:44 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.44 available.
In-Reply-To: <48834999.4010401@thekelleys.org.uk>
References: <48834999.4010401@thekelleys.org.uk>
Message-ID: <6mv68458bvkjrb842uklo552uk1m2bcupk@4ax.com>

On Sun, 20 Jul 2008 15:20:09 +0100, Simon Kelley wrote:

>I've released dnsmasq version 2.44. This is a stability release. It
>fixes crash problems in 2.43. The crashes occur when a DHCP client
>renews a non-existent lease for an invalid subnet, when a DHCP client
>which does not have a lease does DHCPINFORM and a crash which can occur
>when network configuration changes. Thanks to bug reporters and testers
>who found these problems in the (somewhat rushed) 2.43 release.
>
>http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.44.tar.gz

It's bust for me :( returns '5(REFUSED)' for host lookups, reverting to 2.43 fixes the problem. Slackware Linux 11.0 with 2.6.25.11 kernel.

The /var/log/debug file just shows the queries not being forwarded, the /var/log/messages looks normal:

Jul 21 04:01:03 deltree dnsmasq[22844]: started, version 2.44 cachesize 150
Jul 21 04:01:03 deltree dnsmasq[22844]: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus no-I18N TFTP
Jul 21 04:01:03 deltree dnsmasq[22844]: DHCP, IP range 192.168.2.101 -- 192.168.2.109, lease time 2h
Jul 21 04:01:03 deltree dnsmasq[22844]: DHCP, IP range 192.168.1.101 -- 192.168.1.109, lease time 2h
Jul 21 04:01:03 deltree dnsmasq[22844]: using local addresses only for domain mire.mine.nu
Jul 21 04:01:03 deltree dnsmasq[22844]: reading /etc/ppp/resolv.conf
Jul 21 04:01:03 deltree dnsmasq[22844]: using nameserver 122.148.1.5#53
Jul 21 04:01:03 deltree dnsmasq[22844]: using nameserver 123.2.6.197#53
Jul 21 04:01:03 deltree dnsmasq[22844]: using local addresses only for domain mire.mine.nu
Jul 21 04:01:03 deltree dnsmasq[22844]: read /etc/hosts - 2 addresses
Jul 21 04:01:03 deltree dnsmasq[22844]: read /usr/local/etc/hosts - 26 addresses
Jul 21 04:04:51 deltree dnsmasq[22844]: exiting on receipt of SIGTERM
Jul 21 04:05:35 deltree dnsmasq[23123]: started, version 2.43 cachesize 150
Jul 21 04:05:35 deltree dnsmasq[23123]: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus no-I18N TFTP
Jul 21 04:05:35 deltree dnsmasq[23123]: DHCP, IP range 192.168.2.101 -- 192.168.2.109, lease time 2h
Jul 21 04:05:35 deltree dnsmasq[23123]: DHCP, IP range 192.168.1.101 -- 192.168.1.109, lease time 2h
Jul 21 04:05:35 deltree dnsmasq[23123]: using local addresses only for domain mire.mine.nu
Jul 21 04:05:35 deltree dnsmasq[23123]: reading /etc/ppp/resolv.conf
Jul 21 04:05:35 deltree dnsmasq[23123]: using nameserver 122.148.1.5#53
Jul 21 04:05:35 deltree dnsmasq[23123]: using nameserver 123.2.6.197#53
Jul 21 04:05:35 deltree dnsmasq[23123]: using local addresses only for domain mire.mine.nu
Jul 21 04:05:35 deltree dnsmasq[23123]: read /etc/hosts - 2 addresses
Jul 21 04:05:35 deltree dnsmasq[23123]: read /usr/local/etc/hosts - 26 addresses

Though I should disable IPv6 as it is not turned on in the kernel?

Grant.

From simon at thekelleys.org.uk Sun Jul 20 19:24:26 2008
From: simon at thekelleys.org.uk (Simon Kelley) Date: Sun Jul 20 19:24:45 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.44 available. In-Reply-To: <6mv68458bvkjrb842uklo552uk1m2bcupk@4ax.com> References: <48834999.4010401@thekelleys.org.uk> <6mv68458bvkjrb842uklo552uk1m2bcupk@4ax.com> Message-ID: <488382DA.6030202@thekelleys.org.uk> Grant Coady wrote: > On Sun, 20 Jul 2008 15:20:09 +0100, Simon Kelley wrote: > >> I've released dnsmasq version 2.44. This is a stability release. It >> fixes crash problems in 2.43. The crashes occur when a DHCP client >> renews a non-existant lease for an invalid subnet, when a DHCP client >> which does not have a lease does DHCPINFORM and a crash which can occur >> when network configuration changes. Thanks to bug reporters and testers >> who found these problems in the (somewhat rushed) 2.43 release. >> >> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.44.tar.gz > > It's bust for me :( returns '5(REFUSED)' for host lookups, reverting to > 2.43 fixes the problem. Slackware Linux 11.0 with 2.6.25.11 kernel. 
> > The /var/log/debug file just shows the queries not being forwarded, the > var/log/messages looks normal: > > Jul 21 04:01:03 deltree dnsmasq[22844]: started, version 2.44 cachesize 150 > Jul 21 04:01:03 deltree dnsmasq[22844]: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus no-I18N TFTP > Jul 21 04:01:03 deltree dnsmasq[22844]: DHCP, IP range 192.168.2.101 -- 192.168.2.109, lease time 2h > Jul 21 04:01:03 deltree dnsmasq[22844]: DHCP, IP range 192.168.1.101 -- 192.168.1.109, lease time 2h > Jul 21 04:01:03 deltree dnsmasq[22844]: using local addresses only for domain mire.mine.nu > Jul 21 04:01:03 deltree dnsmasq[22844]: reading /etc/ppp/resolv.conf > Jul 21 04:01:03 deltree dnsmasq[22844]: using nameserver 122.148.1.5#53 > Jul 21 04:01:03 deltree dnsmasq[22844]: using nameserver 123.2.6.197#53 > Jul 21 04:01:03 deltree dnsmasq[22844]: using local addresses only for domain mire.mine.nu > Jul 21 04:01:03 deltree dnsmasq[22844]: read /etc/hosts - 2 addresses > Jul 21 04:01:03 deltree dnsmasq[22844]: read /usr/local/etc/hosts - 26 addresses > Jul 21 04:04:51 deltree dnsmasq[22844]: exiting on receipt of SIGTERM > Jul 21 04:05:35 deltree dnsmasq[23123]: started, version 2.43 cachesize 150 > Jul 21 04:05:35 deltree dnsmasq[23123]: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus no-I18N TFTP > Jul 21 04:05:35 deltree dnsmasq[23123]: DHCP, IP range 192.168.2.101 -- 192.168.2.109, lease time 2h > Jul 21 04:05:35 deltree dnsmasq[23123]: DHCP, IP range 192.168.1.101 -- 192.168.1.109, lease time 2h > Jul 21 04:05:35 deltree dnsmasq[23123]: using local addresses only for domain mire.mine.nu > Jul 21 04:05:35 deltree dnsmasq[23123]: reading /etc/ppp/resolv.conf > Jul 21 04:05:35 deltree dnsmasq[23123]: using nameserver 122.148.1.5#53 > Jul 21 04:05:35 deltree dnsmasq[23123]: using nameserver 123.2.6.197#53 > Jul 21 04:05:35 deltree dnsmasq[23123]: using local addresses only for domain mire.mine.nu > Jul 21 04:05:35 deltree dnsmasq[23123]: read 
/etc/hosts - 2 addresses > Jul 21 04:05:35 deltree dnsmasq[23123]: read /usr/local/etc/hosts - 26 addresses > > Though I should disable IPv6 as it is not turned on in the kernel? > Rats. Workaround is to set min-port=1. (Thanks to Steven Barth for spotting this.) New release on the way. Apologies to all...... Cheers, Simon. From simon at thekelleys.org.uk Sun Jul 20 19:25:22 2008 
From: simon at thekelleys.org.uk (Simon Kelley) Date: Sun Jul 20 19:25:42 2008 Subject: [Dnsmasq-discuss] Dnsmasq 2.44 refuses DNS-Queries from LAN clients In-Reply-To: <200807201944.26559.steven@midlink.org> References: <200807201944.26559.steven@midlink.org> Message-ID: <48838312.1080306@thekelleys.org.uk> Steven Barth wrote: > Hello, > > it looks like there is an issue with the latest 2.44 version of Dnsmasq. > I recently upgraded the Dnsmasq on my router from 2.43 to 2.44 and it started > to refuse DNS-Queries from PCs in the LAN. Downgrading to 2.43 made it work > again. > > This is the output of host on a PC in the LAN: >> host -v kernel.org 192.168.2.1 >> Trying "kernel.org" >> Received 28 bytes from 192.168.2.1#53 in 14 ms >> Trying "kernel.org" >> Using domain server: >> Name: 192.168.2.1 >> Address: 192.168.2.1#53 >> Aliases: >> >> Host kernel.org not found: 5(REFUSED) >> Received 28 bytes from 192.168.2.1#53 in 12 ms > > > The same request on the router running Dnsmasq itself worked flawlessly: >> root@OpenWrt:/# nslookup kernel.org 192.168.2.1 >> Server: 192.168.2.1 >> Address 1: 192.168.2.1 >> >> Name: kernel.org >> Address 1: 204.152.191.5 pub1.kernel.org >> Address 2: 204.152.191.37 pub2.kernel.org > > > Running dnsmasq -qd for debug purposes: > the host-call produced the following output on the router: >> dnsmasq: query[A] kernel.org from 192.168.2.2 >> dnsmasq: query[A] kernel.org from 192.168.2.2 > > the nslookup-call: >> dnsmasq: query[PTR] 1.2.168.192.in-addr.arpa from 127.0.0.1 >> dnsmasq: query[PTR] 1.2.168.192.in-addr.arpa from 127.0.0.1 >> dnsmasq: query[PTR] 1.2.168.192.in-addr.arpa from 127.0.0.1 >> dnsmasq: query[AAAA] kernel.org from 127.0.0.1 >> dnsmasq: query[AAAA] kernel.org from 127.0.0.1 >> dnsmasq: query[AAAA] kernel.org from 127.0.0.1 > > > > This behaviour occured on both a Linksys WRT54GL (OpenWRT Kamikaze, MIPSel, > Linux 2.4/uclibc) and a Netgear WGT634U (OpenWRT Kamikaze, MIPSel, Linux > 2.6/uclibc). 
>
> It seems that setting --min-port to anything from 1 to 65535 works around this
> but I think this is not expected behaviour.

It's not, but it takes me straight to the problem; thanks. Expect a new release soon.

Cheers,

Simon.

>
> The following patches have been applied before building (after being
> refreshed):
> https://dev.openwrt.org/cgi-bin/trac.fcgi/browser/trunk/package/dnsmasq/patches/101-ipv6.patch
> https://dev.openwrt.org/cgi-bin/trac.fcgi/browser/trunk/package/dnsmasq/patches/102-rtnetlink.patch
>
> compile time options: IPv6 GNU-getopt ISC-leasefile no-DBus no-I18N TFTP
>
> Greetings
> Steven
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From simon at thekelleys.org.uk Sun Jul 20 20:27:52 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Jul 20 20:30:47 2008
Subject: [Dnsmasq-discuss] dnsmasq 2.45 released.
Message-ID: <488391B8.80801@thekelleys.org.uk>

dnsmasq 2.45 is now available. This fixes a regression in 2.44 which breaks DNS unless min-port is set. I'm removing the 2.44 tarball from the website to avoid confusion.

The breakage was caused by some last-minute code designed to avoid problems when min-port was set high, creating a shortage of available ports. Apologies for the inconvenience and thanks to Steven and Grant for the bug reports.

http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.45.tar.gz
http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.45.tar.lzma

version 2.45
            Fix total DNS failure in release 2.44 unless --min-port
            specified. Thanks to Steven Barth and Grant Coady for
            bugreport. Also reject out-of-range port spec, which
            could break things too: suggestion from Gilles Espinasse.

Cheers,

Simon.

From grant_lkml at dodo.com.au Sun Jul 20 21:46:58 2008
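Three threads above come down to handling one integer option carefully: Gilles found that --min-port accepted values above 65536, 2.44 broke DNS entirely when the option was left unset because of code that derived the port range from it, and the 2.45 changelog adds "reject out-of-range port spec". The C below is an example written for this page, not dnsmasq's option parser or its port selection code: parse_port_spec() is the strict parser Gilles' report asks for, usable_port_count() makes the "shortage of available ports" visible, and choose_source_port() maps a random value onto [min-port, 65535] while treating an unset (zero) min-port as "let the kernel choose". The convention that 0 means unset, and the range arithmetic, are this example's assumptions rather than documented dnsmasq behaviour.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PORT 65535

/* Strict parser for a port option value. Accepts only an unsigned decimal
 * number with no sign, no surrounding whitespace and no trailing text, in
 * the range 0..65535. Returns the port, or -1 on any defect. A return of 0
 * means "not set" under this example's convention. */
int parse_port_spec(const char *s)
{
    char *end;
    long v;

    if (!s || !isdigit((unsigned char)*s))     /* rejects "", " 53", "+53", "-1" */
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')       /* overflow, or trailing junk ("53abc") */
        return -1;
    if (v > MAX_PORT)                          /* "65536" and up: Gilles' case */
        return -1;
    return (int)v;
}

/* How many source ports a given min-port leaves available: all of
 * 1..65535 when unset, otherwise [min_port, 65535]. A tiny count is the
 * shortage the 2.45 note refers to. Returns -1 if min_port is out of range. */
int usable_port_count(int min_port)
{
    if (min_port < 0 || min_port > MAX_PORT)
        return -1;
    if (min_port == 0)
        return MAX_PORT;
    return MAX_PORT - min_port + 1;
}

/* Maps a caller-supplied random value onto a source port. rnd would come
 * from /dev/urandom or a CSPRNG in real code; passing it in keeps the
 * function deterministic for testing. Returns 0 ("bind to port 0, kernel
 * chooses") when min_port is unset, -1 if min_port is out of range. */
int choose_source_port(int min_port, unsigned int rnd)
{
    unsigned int span;

    if (min_port < 0 || min_port > MAX_PORT)
        return -1;
    if (min_port == 0)
        return 0;
    span = (unsigned int)(MAX_PORT - min_port) + 1u;   /* at least 1, so rnd % span is safe */
    return min_port + (int)(rnd % span);
}

int main(void)
{
    /* Constructed inputs covering the cases discussed in the thread. */
    const char *inputs[] = { "4096", "65535", "65536", "-1", "53abc", "" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("min-port=\"%s\" -> %d\n", inputs[i], parse_port_spec(inputs[i]));
    printf("ports left with min-port=65000: %d\n", usable_port_count(65000));
    printf("source port for min-port=4096, rnd=61439: %d\n",
           choose_source_port(4096, 61439u));
    return 0;
}
```

Two things a practitioner would check here: rnd % span has a small modulo bias unless span divides the generator's range, which matters when the source port is part of the defence against spoofed replies, and a very high min-port leaves so few ports that query rate, not correctness, becomes the limiting factor.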
From: grant_lkml at dodo.com.au (Grant Coady) Date: Sun Jul 20 21:48:01 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.45 released. In-Reply-To: <488391B8.80801@thekelleys.org.uk> References: <488391B8.80801@thekelleys.org.uk> Message-ID: On Sun, 20 Jul 2008 20:27:52 +0100, Simon Kelley wrote: >dnsmasq 2.45 is now available. This fixes a regression in 2.44 which >breaks DNS unless min-port is set. I'm removing the 2.44 tarball from >the website to avoid confusion. > >The breakage was caused by some last-minute code designed to avoid >problems when min-port was set high, creating a shortage of available >ports. Apologies for the inconvenience and thanks to Steven and Grant >for the bug reports. > >http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.45.tar.gz Works for me :) Cheers, Grant. From dnsmasq at pebble.org.uk Sun Jul 20 21:56:47 2008 
From: dnsmasq at pebble.org.uk (Ainsley Pereira) Date: Sun Jul 20 21:57:06 2008 Subject: [Dnsmasq-discuss] Problem with resolving some names Message-ID: <20080720205647.GB8416@snowplains.org>

Hi,

I have dnsmasq 2.41 running on a wireless access point, and I'm having a problem with resolving some names, but not others. For example:

(From a machine with dnsmasq as its only nameserver in /etc/resolv.conf)

$ dig www.mozilla.org

; <<>> DiG 9.4.2-P1 <<>> www.mozilla.org
;; global options: printcmd
;; connection timed out; no servers could be reached

$ dig @195.74.113.58 www.mozilla.org

; <<>> DiG 9.4.2-P1 <<>> @195.74.113.58 www.mozilla.org
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11822
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;www.mozilla.org. IN A

;; ANSWER SECTION:
www.mozilla.org. 9 IN CNAME www-mozilla-org.geo.mozilla.com.
www-mozilla-org.geo.mozilla.com. 857 IN CNAME www-mozilla-org.glb.mozilla.com.
www-mozilla-org.glb.mozilla.com. 5 IN A 63.245.213.14

;; AUTHORITY SECTION:
glb.mozilla.com. 600 IN NS ns01.nllb.nl.mozilla.com.
glb.mozilla.com. 600 IN NS ns01.nslb.sj.mozilla.com.
glb.mozilla.com. 600 IN NS ns01.anycast.mozilla.com.

;; Query time: 37 msec
;; SERVER: 195.74.113.58#53(195.74.113.58)
;; WHEN: Sun Jul 20 21:51:19 2008
;; MSG SIZE rcvd: 209

On the wireless ap itself, /etc/resolv.conf contains

nameserver 195.74.113.58
nameserver 195.74.113.62

and the dnsmasq.conf is:

dhcp-authoritative
dhcp-range=br0,192.168.44.10,192.168.44.14,255.255.255.0,1440m
dhcp-broadcast=br0
dhcp-option=3,192.168.44.1
dhcp-option=6,192.168.44.1
dhcp-host=00:0e:2e:d6:8b:3b,192.168.44.4
dhcp-host=00:19:c5:f2:9b:20,192.168.44.2
dhcp-host=00:14:0B:23:07:36,192.168.44.3
dhcp-option=119,sunnydale
domain-needed
expand-hosts
domain=sunnydale
log-async=5
log-queries
all-servers
mx-host=pebble.org.uk,snowdrift.snowplains.org,50

(That last line was added because the records returned by dnsmasq didn't seem to include the MX otherwise, perhaps related to this problem?)

dnsmasq's log from those queries:

Sun, 2008-07-20 20:46:27 - forwarded www.mozilla.org to 195.74.113.58
Sun, 2008-07-20 20:46:27 - forwarded www.mozilla.org to 195.74.113.62
Sun, 2008-07-20 20:46:27 - reply www.mozilla.org is
Sun, 2008-07-20 20:46:27 - reply www-mozilla-org.geo.mozilla.com is
Sun, 2008-07-20 20:46:27 - reply www-mozilla-org.glb.mozilla.com is 63.245.213.14
Sun, 2008-07-20 20:46:32 - cached www.mozilla.org is
Sun, 2008-07-20 20:46:32 - cached www-mozilla-org.geo.mozilla.com is
Sun, 2008-07-20 20:46:32 - forwarded www.mozilla.org to 195.74.113.58
Sun, 2008-07-20 20:46:32 - forwarded www.mozilla.org to 195.74.113.62
Sun, 2008-07-20 20:46:32 - reply www.mozilla.org is
Sun, 2008-07-20 20:46:32 - reply www-mozilla-org.geo.mozilla.com is
Sun, 2008-07-20 20:46:32 - reply www-mozilla-org.glb.mozilla.com is 63.245.213.14
Sun, 2008-07-20 20:46:37 - cached www.mozilla.org is
Sun, 2008-07-20 20:46:37 - cached www-mozilla-org.geo.mozilla.com is
Sun, 2008-07-20 20:46:37 - forwarded www.mozilla.org to 195.74.113.58
Sun, 2008-07-20 20:46:37 - forwarded www.mozilla.org to 195.74.113.62
Sun, 2008-07-20 20:46:37 - reply www.mozilla.org is
Sun, 2008-07-20 20:46:37 - reply www-mozilla-org.geo.mozilla.com is
Sun, 2008-07-20 20:46:37 - reply www-mozilla-org.glb.mozilla.com is 63.245.213.12

Upgrading the firmware to the current version of dnsmasq isn't straightforward, but I will if that's the problem. If I have a configuration problem that'd be easier to fix though!

Any ideas?

Thanks,
Ainsley

From clintonlee.taylor at gmail.com Mon Jul 21 13:37:46 2008 From: clintonlee.taylor at gmail.com (Clinton Lee Taylor) Date: Mon Jul 21 13:38:10 2008 Subject: [Dnsmasq-discuss] Re:dnsmasq 2.45 released. Message-ID:

Greetings ...

> dnsmasq 2.45 is now available. This fixes a regression in 2.44 which
> breaks DNS unless min-port is set. I'm removing the 2.44 tarball from
> the website to avoid confusion.

Wicked! Thanks for all the hard work.

Mailed
LeeT

From xerces8 at butn.net Mon Jul 21 15:26:44 2008 From: xerces8 at butn.net (xerces8) Date: Mon Jul 21 15:27:09 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.45 released. In-Reply-To: <488391B8.80801@thekelleys.org.uk> References: <488391B8.80801@thekelleys.org.uk> Message-ID:

Simon Kelley wrote :
> I'm removing the 2.44 tarball from the website to avoid confusion.

To avoid even more confusion, I suggest putting there a file named dnsmasq-2.43-REMOVED.txt with a content of few statements explaining the above.

Regards,
David

From simon at thekelleys.org.uk Mon Jul 21 15:58:24 2008
From: simon at thekelleys.org.uk (Simon Kelley) Date: Mon Jul 21 15:58:23 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.45 released. In-Reply-To: References: <488391B8.80801@thekelleys.org.uk> Message-ID: <4884A410.6000600@thekelleys.org.uk> xerces8 wrote: > Simon Kelley wrote : > >> I'm removing the 2.44 tarball from the website to avoid confusion. > > To avoid even more confusion, I suggest putting there a file named > dnsmasq-2.43-REMOVED.txt with a content of few statements explaining > the above. > Good suggestion. Done, Cheers, Simon From xerces8 at butn.net Mon Jul 21 16:14:21 2008 From: xerces8 at butn.net (xerces8) Date: Mon Jul 21 16:14:46 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.45 released. In-Reply-To: <4884A410.6000600@thekelleys.org.uk> References: <488391B8.80801@thekelleys.org.uk> <4884A410.6000600@thekelleys.org.uk> Message-ID: Simon Kelley wrote: > xerces8 wrote: > > Simon Kelley wrote : > > > >> I'm removing the 2.44 tarball from the website to avoid confusion. > > > > To avoid even more confusion, I suggest putting there a file named > > dnsmasq-2.43-REMOVED.txt with a content of few statements explaining > > the above. > > > Good suggestion. Done, Spot the error : Simon Kelley 21/07/1008 :-D From richardvoigt at gmail.com Tue Jul 22 04:47:00 2008 
From: richardvoigt at gmail.com (richardvoigt@gmail.com) Date: Tue Jul 22 04:47:25 2008 Subject: [Dnsmasq-discuss] dnsmasq 2.45 released. In-Reply-To: References: <488391B8.80801@thekelleys.org.uk> <4884A410.6000600@thekelleys.org.uk> Message-ID: <2e59e6970807212047o34cc4depa94e44b1460105d5@mail.gmail.com> dnsmasq, like most things, was better back in the eleventh century... On Mon, Jul 21, 2008 at 3:14 PM, xerces8 wrote: > Simon Kelley wrote: > > > xerces8 wrote: > > > Simon Kelley wrote : > > > > > >> I'm removing the 2.44 tarball from the website to avoid confusion. > > > > > > To avoid even more confusion, I suggest putting there a file named > > > dnsmasq-2.43-REMOVED.txt with a content of few statements explaining > > > the above. > > > > > Good suggestion. Done, > > Spot the error : > > Simon Kelley > 21/07/1008 > > :-D > > > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080722/7f708db2/attachment.htm From ranceh at gmail.com Tue Jul 22 14:51:12 2008 
From: ranceh at gmail.com (Rance Hall) Date: Tue Jul 22 14:51:36 2008 Subject: [Dnsmasq-discuss] new isp with new setup, how to change dnsmasq to accomodate Message-ID: <845c0f80807220651y2285056cu8a34c7a4a7001515@mail.gmail.com>

hey gang:

I got a new ISP yesterday and the network setup is slightly different, and now my dnsmasq doesn't work the way I want it to.

BRIEF SETUP DESCRIPTION --- OLD WAY

all ethernet adapters on my home firewall/internal dhcp/dns server are static private ips; the dsl modem has the public ip address.

the machine that runs dnsmasq has a /etc/resolv.conf file that points to itself for name resolution. the real name servers are in a file called /etc/resolv.conf.dnsmasq and dnsmasq is configured to read this file instead of /etc/resolv.conf. This is so that the server itself resolves names in the same way that the clients do.

BRIEF SETUP --- NEW WAY

public ip address is acquired by eth0 using dhcp client on my server (new modem operates in bridge mode and does not have its own ip). the dhcp client overwrites /etc/resolv.conf and dnsmasq is set to use that file for upstream name resolution.

-------------------------------------------

I want to restore the ability to have the server resolve names the same way the clients do (meaning that the internal domain name can be resolved on the gateway server itself). This is essential for ssh tunneling, etc.

so, as I see it I can write a dhclient-exit-hooks script (to preserve future upgrade capability) that does the following:

1) copies the new /etc/resolv.conf file to /etc/resolv.conf.dnsmasq
2) copies a static /etc/resolv.conf.perm to /etc/resolv.conf
3) sends dnsmasq a reload/reread config files instruction
4) if needed, reloads other network services that need to be restarted/reconfigured

is there another/better way to do what I'm trying to do?

From b-morgan at concentric.net Tue Jul 22 16:36:12 2008
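An added example (not Rance's script and not posted in the thread) of a dhclient-exit-hooks fragment carrying out the four steps above. The file names are the ones Rance describes; RESOLV_DIR, DNSMASQ_PIDFILE and the function name are assumptions so the logic can be exercised against a scratch directory:

```sh
#!/bin/sh
# dhclient-exit-hooks fragment implementing the four steps above.
# Added example, not from the thread. RESOLV_DIR, DNSMASQ_PIDFILE and the
# function name are assumptions (overridable so the logic can be tested on a
# scratch directory); the file names are the ones Rance describes.

: "${RESOLV_DIR:=/etc}"
: "${DNSMASQ_PIDFILE:=/var/run/dnsmasq.pid}"

# rotate_resolv_conf DIR PIDFILE
# Returns 0 when dnsmasq's upstream list was refreshed, 1 when nothing safe
# could be done (files missing, or resolv.conf was not rewritten by dhclient).
rotate_resolv_conf() {
    dir="$1"; pidfile="$2"
    new="$dir/resolv.conf"               # just (re)written by dhclient
    upstream="$dir/resolv.conf.dnsmasq"  # read by dnsmasq (resolv-file=)
    perm="$dir/resolv.conf.perm"         # static copy: nameserver 127.0.0.1

    [ -f "$perm" ] || { echo "rotate_resolv_conf: $perm missing" >&2; return 1; }
    [ -f "$new" ]  || { echo "rotate_resolv_conf: $new missing" >&2; return 1; }

    # Guard against handing 127.0.0.1 to dnsmasq as its own upstream: if
    # resolv.conf still equals the static copy, dhclient did not rewrite it.
    if cmp -s "$new" "$perm"; then
        echo "rotate_resolv_conf: resolv.conf unchanged, nothing to do" >&2
        return 1
    fi
    if ! grep -q '^nameserver[[:space:]]' "$new"; then
        echo "rotate_resolv_conf: no nameserver lines in $new" >&2
        return 1
    fi

    # Step 1: hand the ISP-supplied servers to dnsmasq. Write-then-rename so
    # dnsmasq's periodic poll never reads a half-written file.
    cp "$new" "$upstream.tmp" && mv "$upstream.tmp" "$upstream" || return 1
    # Step 2: restore the static resolv.conf so local processes ask dnsmasq.
    cp "$perm" "$new.tmp" && mv "$new.tmp" "$new" || return 1
    # Step 3: SIGHUP makes dnsmasq drop its cache and re-read its files.
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")" 2>/dev/null \
            || echo "rotate_resolv_conf: could not signal dnsmasq" >&2
    fi
    # Step 4 would restart anything else that cached the old servers; nothing
    # else on this box needs it, so it is left out here.
    return 0
}

# dhclient-script exports $reason; act only when a lease was obtained or
# refreshed, which are the cases in which it has rewritten resolv.conf.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT) rotate_resolv_conf "$RESOLV_DIR" "$DNSMASQ_PIDFILE" ;;
esac
```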
From: b-morgan at concentric.net (Brad Morgan) Date: Tue Jul 22 16:36:52 2008 Subject: [Dnsmasq-discuss] new isp with new setup, how to change dnsmasq to accomodate In-Reply-To: <845c0f80807220651y2285056cu8a34c7a4a7001515@mail.gmail.com> References: <845c0f80807220651y2285056cu8a34c7a4a7001515@mail.gmail.com> Message-ID: <00ad01c8ec10$ad9e8c60$08dba520$@net>

> 1) copies the new /etc/resolv.conf file to /etc/resolv.conf.dnsmasq
> 2) copies a static /etc/resolv.conf.perm to /etc/resolv.conf
> 3) sends dnsmasq a reload/reread config files instruction
> 4) if needed, reloads other network services that need to be
> restarted/reconfigured
> is there a another/better way to do what Im trying to do?

After studying man dhclient.conf I added the following to my /etc/dhclient-eth0.conf:

supersede domain-name "morgan.local";
supersede domain-name-servers 127.0.0.1,208.67.222.222,208.67.220.220; #OpenDNS

I think you can also use "prepend domain-name-servers 127.0.0.1"

While not exactly the same as you had before, I think it gives the results you want and should be easier than what you propose with a dhclient-exit-hooks script.

Regards,

Brad

From agcme at hotmail.com Tue Jul 22 17:55:48 2008
From: agcme at hotmail.com (A C) Date: Tue Jul 22 17:56:09 2008 Subject: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq Message-ID:

I'm running dnsmasq 2.35 but it's on an embedded system and the package manager hasn't created a new version yet. I wanted to know how vulnerable I was to the recent security alert regarding DNS and whether there's a potential workaround that I could put in place for now.

Thanks,
Alex

From simon at thekelleys.org.uk Tue Jul 22 18:05:27 2008 From: simon at thekelleys.org.uk (Simon Kelley) Date: Tue Jul 22 18:08:18 2008 Subject: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq In-Reply-To: References: Message-ID: <48861357.20402@thekelleys.org.uk>

A C wrote:
> I'm running dnsmasq 2.35 but it's on an embedded system and the package
> manager hasn't created a new version yet. I wanted to know how
> vulnerable I was to the recent security alert regarding DNS and whether
> there's a potential workaround that I could put in place for now.
>

"How vulnerable" is a difficult question. AFAIK, the attack hasn't been seen in the wild, and it's assumed that the Bad Guys don't know it, so you're absolutely safe until Dan Kaminsky spills the beans (August?)

Does that give you enough time to get a new version in place?

Simon.

From redbully at cc.fh-luh.de Tue Jul 22 18:29:55 2008
From: redbully at cc.fh-luh.de (Jan 'RedBully' Seiffert) Date: Tue Jul 22 18:30:19 2008 Subject: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq In-Reply-To: <48861357.20402@thekelleys.org.uk> References: <48861357.20402@thekelleys.org.uk> Message-ID: <48861913.5010500@cc.fh-luh.de>

Simon Kelley wrote:
> A C wrote:
>> I'm running dnsmasq 2.35 but it's on an embedded system and the
>> package manager hasn't created a new version yet. I wanted to know
>> how vulnerable I was to the recent security alert regarding DNS and
>> whether there's a potential workaround that I could put in place for now.
>>
>
> "How vulnerable" is a difficult question. AFAIK, the attack hasn't been
> seen in the wild, and it's assumed that the Bad Guys don't know it, so
> you're absolutely safe until Dan Kaminsky spills the beans (August?)
>

*cough* too late...
http://www.heise-online.co.uk/news/DNS-security-problem-details-released--/111145

> Does that give you enough time to get a new version in place?
>
> Simon.
>

Greetings
Jan

--
"The head is round so that thinking can change direction." (Der Kopf ist rund, damit das Denken die Richtung wechseln kann.) Francis Picabia

From bcook at poughkeepsieschools.org Wed Jul 23 00:02:26 2008
From: bcook at poughkeepsieschools.org (B. Cook) Date: Wed Jul 23 00:02:51 2008 Subject: [Dnsmasq-discuss] dnsmasq settings for authoritative dns server.. Message-ID: <213DFB51-0F3D-499D-84D1-9A5FC494F657@poughkeepsieschools.org>

Hello All,

I have been trying to figure out how I can use dnsmasq as a dns server (shock) to serve A, PTR, NS, TXT, etc. entries for a local domain.. I have it working as a dhcp server, but can not seem to make it serve correctly..

egrep -v "^#|dhcp" dnsmasq.conf

bind-interfaces
cache-size=1024
domain-needed
domain=at.home
except-interface=lo0
filterwin2k
group=nobody
interface=fxp0
log-facility=/var/log/dnsmasq.log
no-negcache
resolv-file=/usr/local/etc/resolv.conf
user=nobody
address=/gw.at.home/172.16.64.1
ptr-record=gw.at.home,172.16.64.1

#### (dnsmasq is running on the 172.16.64.25 host)

host 172.16.64.1 172.16.64.25
Using domain server:
Name: 172.16.64.25
Address: 172.16.64.25#53
Aliases:

Host 1.64.16.172.in-addr.arpa. not found: 3(NXDOMAIN)

####

When I had tinydns serving authoritative data I had these entries..

#server=/64.16.172.in-addr.arpa/127.53.0.1
#server=/at.home/127.53.0.1

and all worked.

what am I missing?

Thanks in advance.

From agcme at hotmail.com Wed Jul 23 00:30:26 2008 From: agcme at hotmail.com (A C) Date: Wed Jul 23 00:30:49 2008 Subject: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq In-Reply-To: <48861357.20402@thekelleys.org.uk> References: <48861357.20402@thekelleys.org.uk> Message-ID:

> Date: Tue, 22 Jul 2008 18:05:27 +0100
> From: simon@thekelleys.org.uk
> To: agcme@hotmail.com
> CC: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq
>
> A C wrote:
> > I'm running dnsmasq 2.35 but it's on an embedded system and the package
> > manager hasn't created a new version yet. I wanted to know how
> > vulnerable I was to the recent security alert regarding DNS and whether
> > there's a potential workaround that I could put in place for now.
> >
>
> "How vulnerable" is a difficult question. AFAIK, the attack hasn't been
> seen in the wild, and it's assumed that the Bad Guys don't know it, so
> you're absolutely safe until Dan Kaminsky spills the beans (August?)
>
> Does that give you enough time to get a new version in place?
>
> Simon.

Well, not really. I don't have the ability to generate a package for the embedded system so I'm at the mercy of the package maintainer. I've already mailed them to see if they'll update but it may be a while and I was hoping there was a reasonable workaround that could be implemented in the interim or until I can get a replacement router in place that doesn't require package management.

From b-morgan at concentric.net Wed Jul 23 01:37:43 2008
From: b-morgan at concentric.net (Brad Morgan) Date: Wed Jul 23 01:38:23 2008 Subject: [Dnsmasq-discuss] new isp with new setup, how to change dnsmasq to accomodate In-Reply-To: <845c0f80807220939ia4ce704j8d5ab9aec41364c@mail.gmail.com> References: <845c0f80807220651y2285056cu8a34c7a4a7001515@mail.gmail.com> <00ad01c8ec10$ad9e8c60$08dba520$@net> <845c0f80807220939ia4ce704j8d5ab9aec41364c@mail.gmail.com> Message-ID: <00c801c8ec5c$53937c20$faba7460$@net>

>> /etc/dhclient-eth0.conf:
>> supersede domain-name "morgan.local";
>> supersede domain-name-servers 127.0.0.1,208.67.222.222,208.67.220.220;
>> #OpenDNS
>>
>> I think you can also use "prepend domain-name-servers 127.0.0.1"

> This makes sense and I thought of it, the only real problem I had with
> this is that larger commercial isp's (of which this is one) tend to
> assign new DNS servers with changes in ip addresses, (load balancing
> issues, I assume)

> anyway, hardcoding the dnsservers seems like overkill, but the prepend
> option might just work, prepend the one I need first so that its first
> in line, and then the others will take over when mine fails, I'll have
> to experiment and see if it gives the desired effect.

> if the /etc/resolv.conf changes doesn't dnsmasq need to be reloaded to
> rescan the setup files?

> so either way I go I have to have "something" in dhclient-exit-hooks right?

My example showed what I am doing to use the OpenDNS servers. In the past I've also used just the "prepend 127.0.0.1" line to get the dnsmasq server in the firewall's chain of lookups. I didn't make any other changes (like an exit-hook) and it works just fine for me.

By default, dnsmasq polls /etc/resolv.conf for changes. You can also send it a SIGHUP to clear the cache and reload /etc/hosts, etc.

Regards,

Brad

From cmp at cmpalmer.org Wed Jul 23 02:52:38 2008
From: cmp at cmpalmer.org (Cristóbal Palmer) Date: Wed Jul 23 12:23:05 2008 Subject: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq In-Reply-To: References: <48861357.20402@thekelleys.org.uk> Message-ID: <39e2ba090807221852n5aa5bf49i667316310c7f2461@mail.gmail.com>

On Tue, Jul 22, 2008 at 7:30 PM, A C wrote:
>>
>> Does that give you enough time to get a new version in place?
>>
>> Simon.
>
> Well, not really. I don't have the ability to generate a package for the
> embedded system so I'm at the mercy of the package maintainer. I've already
> mailed them to see if they'll update but it may be a while and I was hoping
> there was a reasonable workaround that could be implemented in the interim
> or until I can get a replacement router in place that doesn't require
> package management.
>

If possible with your system, setting OpenDNS [0] as your upstream DNS might be a decent mitigation strategy. Have you contacted your current provider?

Cheers,
--
Cristóbal M. Palmer
"Small acts of humanity amid the chaos of inhumanity provide hope. But small acts are insufficient." -- Paul Rusesabagina

[0] http://blog.opendns.com/2008/07/08/opendns-keeping-you-safe/

From agcme at hotmail.com Wed Jul 23 02:55:31 2008 From: agcme at hotmail.com (A C) Date: Wed Jul 23 12:39:29 2008 Subject: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq In-Reply-To: <39e2ba090807221852n5aa5bf49i667316310c7f2461@mail.gmail.com> References: <48861357.20402@thekelleys.org.uk> <39e2ba090807221852n5aa5bf49i667316310c7f2461@mail.gmail.com> Message-ID:

> Date: Tue, 22 Jul 2008 21:52:38 -0400
> From: cmp@cmpalmer.org
> To: agcme@hotmail.com
> Subject: Re: [Dnsmasq-discuss] Question about DNS vunlerabiltiy in dnsmasq
> CC: dnsmasq-discuss@lists.thekelleys.org.uk
>
> On Tue, Jul 22, 2008 at 7:30 PM, A C wrote:
> >>
> >> Does that give you enough time to get a new version in place?
> >>
> >> Simon.
> >
> > Well, not really. I don't have the ability to generate a package for the
> > embedded system so I'm at the mercy of the package maintainer. I've already
> > mailed them to see if they'll update but it may be a while and I was hoping
> > there was a reasonable workaround that could be implemented in the interim
> > or until I can get a replacement router in place that doesn't require
> > package management.
> >
>
> If possible with your system, setting OpenDNS [0] as your upstream DNS
> might be a decent mitigation strategy. Have you contacted your current
> provider?

At the moment my provider is my university so I am using their DNS servers as my upstream servers. But I'll be graduating so I'm just trying to plan ahead. OpenDNS looks like one way to do it. Thanks for that info.

From b-morgan at concentric.net Wed Jul 23 21:11:13 2008
From: b-morgan at concentric.net (Brad Morgan) Date: Wed Jul 23 21:12:02 2008 Subject: [Dnsmasq-discuss] Where does the complete dump go? Message-ID: <009801c8ed00$42b4b0a0$c81e11e0$@net> Quoting from the man page: When it receives a SIGUSR1, dnsmasq writes statistics to the system log. It writes the cache size, the number of names which have had to removed from the cache before they expired in order to make room for new names and the total number of names that have been inserted into the cache. For each upstream server it gives the number of queries sent, and the number which resulted in an error. In --no-daemon mode or when full logging is enabled (-q), a complete dump of the contents of the cache is made. I've started dnsmasq with -q and send it a SIGUSR1. I see in /var/log/messages the statistics, but I don't see any of the queries or the complete dump of the cache. I also tried log-queries in the dnsmasq.conf file. Do I have to specify a log file and not use syslog? Regards, Brad From carlos at fisica.ufpr.br Wed Jul 23 21:52:24 2008 From: carlos at fisica.ufpr.br (Carlos Carvalho) Date: Wed Jul 23 21:53:11 2008 Subject: [Dnsmasq-discuss] Where does the complete dump go? In-Reply-To: <009801c8ed00$42b4b0a0$c81e11e0$@net> References: <009801c8ed00$42b4b0a0$c81e11e0$@net> Message-ID: <18567.39432.437628.955973@fisica.ufpr.br> Brad Morgan (b-morgan@concentric.net) wrote on 23 July 2008 14:11: >I've started dnsmasq with -q and send it a SIGUSR1. I see in >/var/log/messages the statistics, but I don't see any of the queries or the >complete dump of the cache. > >I also tried log-queries in the dnsmasq.conf file. > >Do I have to specify a log file and not use syslog? No. Note that the default facility is daemon. From bod at bod.org Wed Jul 23 21:59:25 2008 
From: bod at bod.org (Paul Chambers) Date: Wed Jul 23 22:00:27 2008 Subject: [Dnsmasq-discuss] Where does the complete dump go? In-Reply-To: <009801c8ed00$42b4b0a0$c81e11e0$@net> References: <009801c8ed00$42b4b0a0$c81e11e0$@net> Message-ID: <48879BAD.2030000@bod.org>

IIRC, the stats and cache dump are logged at a lower priority than the usual dnsmasq messages, and it's below the cutoff usually defined for /var/log/messages in syslog.conf, so you won't see them there without making changes to syslog.conf.

Three options come to mind; either
1) drop that threshold in syslog.conf,
2) add a line to syslog.conf to log all messages logged to the DAEMON facility (or whatever you've set with log-facility) to another file. Be aware that the default changes to LOCAL0 if you run dnsmasq -d.
3) switch to file-based logging.

Paul

Brad Morgan wrote:
> Quoting from the man page:
>
> When it receives a SIGUSR1, dnsmasq writes statistics to the system
> log. It writes the cache size, the number of names which have had to
> removed from the cache before they expired in order to make room for
> new names and the total number of names that have been inserted into
> the cache. For each upstream server it gives the number of queries
> sent, and the number which resulted in an error. In --no-daemon mode or
> when full logging is enabled (-q), a complete dump of the contents of
> the cache is made.
>
> I've started dnsmasq with -q and send it a SIGUSR1. I see in
> /var/log/messages the statistics, but I don't see any of the queries or the
> complete dump of the cache.
>
> I also tried log-queries in the dnsmasq.conf file.
>
> Do I have to specify a log file and not use syslog?
>
> Regards,
>
> Brad
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From timewind at hotmail.com Thu Jul 24 15:33:02 2008
From: timewind at hotmail.com (Stefan Sundberg) Date: Thu Jul 24 15:33:48 2008 Subject: [Dnsmasq-discuss] the hosts file Message-ID:

Hello!

I have started to use dnsmasq on a freebsd 6.x router/nat machine where it is used as dns for my connected windows clients. I have a problem with the dns server which I have not been able to resolve. I have an entry in my hosts file for each of the clients and it looks something like this:

192.168.0.1 computer1
192.168.0.2 computer2

and so on. The problem is that dnsmasq does not resolve "computer1". I need to use "computer1.lan" or the local domain I may have chosen and configured dnsmasq to use. Is it possible to configure dnsmasq so it resolves the "simple names" directly as they are written in the hosts file?

Regards
Stefan Sundberg

From simon at thekelleys.org.uk Thu Jul 24 15:36:33 2008
From: simon at thekelleys.org.uk (Simon Kelley) Date: Thu Jul 24 15:37:29 2008 Subject: [Dnsmasq-discuss] the hosts file In-Reply-To: References: Message-ID: <48889371.5030304@thekelleys.org.uk> Stefan Sundberg wrote: > Hello! > > I have started to use dnsmasq on a freebsd 6.x router/nat machine > where it is used as dns for my connected windows clients. I have a > problem with the dns server which I have not been able to resolve. I > have an entry in my hosts file for each of the clients and it look > something like this: > > 192.168.0.1 computer1 192.168.0.2 computer2 > > and so on. The problem is that dnsmasq does not resolve "computer1". > I need to use "computer1.lan" or the local domain I may have chosen > and configured dnsmasq to use. Is it possible to configure dnsmasq so > it resolves the "simple names" directly as they are written in the > hosts file? > ' The problem is not dnsmasq, it's probably the computer's resolver code, which isn't sending simple names to the DNS. You can normally configure the correct behaviour, "man resolv.conf" will give you the details. Cheers, Simon. From b-morgan at concentric.net Thu Jul 24 17:00:18 2008 
From: b-morgan at concentric.net (Brad Morgan) Date: Thu Jul 24 17:01:10 2008 Subject: [Dnsmasq-discuss] Where does the complete dump go? In-Reply-To: <48879BAD.2030000@bod.org> References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> Message-ID: <000901c8eda6$5ffc3f60$1ff4be20$@net>

> Three options come to mind; either
> 1) drop that threshold in syslog.conf,
> 2) add a line to syslog.conf to log all messages logged to the DAEMON
> facility (or whatever you've set with log-facility) to another file. Be
> aware that the default changes to LOCAL0 if you run dnsmasq -d.
> 3) switch to file-based logging.

Thanks! I was able to figure out where the messages are going and after some experimentation, I've decided to switch to file-based logging. I expect that these logs could become quite large but before I dive into the writing of logrotate scripts, does anyone have an example I could start with?

Regards,

Brad

From timewind at hotmail.com Thu Jul 24 17:50:49 2008 From: timewind at hotmail.com (Stefan Sundberg) Date: Thu Jul 24 17:51:35 2008 Subject: [Dnsmasq-discuss] the hosts file Message-ID:

My dnsmasq.conf file looks like this:

interface=fxp1
interface=tun0
local=/lan/
domain=lan
dhcp-range=192.168.0.128,192.168.0.254,3h

Stefan

> From: bcook@poughkeepsieschools.org
> To: timewind@hotmail.com
> Subject: Re: [Dnsmasq-discuss] the hosts file
> Date: Thu, 24 Jul 2008 11:28:10 -0400
>
> what does your config look like?
>
> egrep -v '^#|^$' /usr/local/etc/dnsmasq.conf
>
>
> On Jul 24, 2008, at 10:33 AM, Stefan Sundberg wrote:
>
> >
> > Hello!
> >
> > I have started to use dnsmasq on a freebsd 6.x router/nat machine
> > where it is used as dns for my connected windows clients. I have a
> > problem with the dns server which I have not been able to resolve. I
> > have an entry in my hosts file for each of the clients and it look
> > something like this:
> >
> > 192.168.0.1 computer1
> > 192.168.0.2 computer2
> >
> > and so on. The problem is that dnsmasq does not resolve 'computer1'.
> > I need to use 'computer1.lan' or the local domain I may have chosen
> > and configured dnsmasq to use. Is it possible to configure dnsmasq
> > so it resolves the 'simple names' directly as they are written in
> > the hosts file?
> >
> > Regards
> > Stefan Sundberg
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
> --
> B. Cook
> Network Analyst
> Poughkeepsie City School District
> Mobile: 845.264.5827 | Desk: 845.451.4791
>

From grant_lkml at dodo.com.au Thu Jul 24 18:34:37 2008
From: grant_lkml at dodo.com.au (Grant Coady) Date: Thu Jul 24 18:36:07 2008 Subject: [Dnsmasq-discuss] Where does the complete dump go? In-Reply-To: <000901c8eda6$5ffc3f60$1ff4be20$@net> References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> Message-ID: On Thu, 24 Jul 2008 10:00:18 -0600, "Brad Morgan" wrote: >> Three options come to mind; either >> 1) drop that threshold in syslog.conf, >> 2) add a line to syslog.conf to log all messages logged to the DAEMON >> facility (or whatever you've set with log-facility) to another file. Be >> aware that the default changes to LOCAL0 if you run dnsmasq -d. >> 3) switch to file-based logging. > >Thanks! I was able to figure out where the messages are going and after some >experimentation, I've decided to switch to file-based logging. I expect that >these logs could become quite large but before I dive into the writing of >logrotate scripts, does anyone have an example I could start with? man logrotate --> you only need to specify the rules and it will be done for you automagically, here (slackware) I have /etc/logrotate.d/ for extra log configuration files. Grant. From bod at bod.org Thu Jul 24 18:46:17 2008 
From: bod at bod.org (Paul Chambers)
Date: Thu Jul 24 18:47:04 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <000901c8eda6$5ffc3f60$1ff4be20$@net>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net>
Message-ID: <4888BFE9.8030507@bod.org>

Brad Morgan wrote:
>> Three options come to mind; either
>> 1) drop that threshold in syslog.conf,
>> 2) add a line to syslog.conf to log all messages logged to the DAEMON
>> facility (or whatever you've set with log-facility) to another file. Be
>> aware that the default changes to LOCAL0 if you run dnsmasq -d.
>> 3) switch to file-based logging.
>>
>
> Thanks! I was able to figure out where the messages are going and after some
> experimentation, I've decided to switch to file-based logging. I expect that
> these logs could become quite large but before I dive into the writing of
> logrotate scripts, does anyone have an example I could start with?
>
> Regards,
>
> Brad

Yes, the logs can get large quite quickly, particularly if you have
log-queries on and a mail server on the machine. A while back I ran into
a bug in dnsmasq (now fixed) where it ceased working when the log grew to
be over 2GB - I had a typo in my logrotate script :)

This is what I'm currently using:

[root@home logrotate.d]# cat /etc/logrotate.d/dnsmasq
/var/log/dnsmasq.log {
    daily
    # missingok
    rotate 7
    compress
    notifempty
    postrotate
        /usr/bin/kill -s SIGUSR2 `cat /var/run/dnsmasq.pid`
    endscript
}

I'm running Fedora 9, but I doubt it'll need much tweaking for other
distributions.

Paul

From simon at thekelleys.org.uk Thu Jul 24 19:05:36 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 24 19:06:21 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <4888BFE9.8030507@bod.org>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org>
Message-ID: <4888C470.6070100@thekelleys.org.uk>

Paul Chambers wrote:
>
> [root@home logrotate.d]# cat /etc/logrotate.d/dnsmasq
> /var/log/dnsmasq.log {
>     daily
>     # missingok
>     rotate 7
>     compress
>     notifempty
>     postrotate
>         /usr/bin/kill -s SIGUSR2 `cat /var/run/dnsmasq.pid`
>     endscript
> }
>

You should probably have delaycompress in there: Under some
circumstances when it closes and re-opens the log files, dnsmasq can
keep the old file open and continue to write to it for a couple of
minutes.

(The exact circumstance is when a TCP DNS connection is open, the
process which is forked to handle the connection won't close and
reopen. Such processes have strictly limited lifetime.)

Cheers,

Simon.

From bod at bod.org Thu Jul 24 19:10:57 2008
From: bod at bod.org (Paul Chambers)
Date: Thu Jul 24 19:11:42 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <4888C470.6070100@thekelleys.org.uk>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org> <4888C470.6070100@thekelleys.org.uk>
Message-ID: <4888C5B1.4090906@bod.org>

Added. Thanks for the warning.

-- Paul

Simon Kelley wrote:
> Paul Chambers wrote:
>>
>> [root@home logrotate.d]# cat /etc/logrotate.d/dnsmasq
>> /var/log/dnsmasq.log {
>>     daily
>>     # missingok
>>     rotate 7
>>     compress
>>     delaycompress
>>     notifempty
>>     postrotate
>>         /usr/bin/kill -s SIGUSR2 `cat /var/run/dnsmasq.pid`
>>     endscript
>> }
>>
>
> You should probably have delaycompress in there: Under some
> circumstances when it closes and re-opens the log files, dnsmasq can
> keep the old file open and continue to write to it for a couple of
> minutes.
>
> (The exact circumstance is when a TCP DNS connection is open, the
> process which is forked to handle the connection won't close and
> reopen. Such processes have strictly limited lifetime.)
>
> Cheers,
>
> Simon.

From b-morgan at concentric.net Thu Jul 24 21:15:46 2008
From: b-morgan at concentric.net (Brad Morgan)
Date: Thu Jul 24 21:16:36 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <4888C5B1.4090906@bod.org>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org> <4888C470.6070100@thekelleys.org.uk> <4888C5B1.4090906@bod.org>
Message-ID: <000301c8edca$101b9940$3052cbc0$@net>

After playing with dnsmasq log-queries for a while, I think there should be
a signal that dynamically toggles this option. Stopping and starting dnsmasq
doesn't work because it clears the cache and that's what I'm trying to
discover... Is the wrong answer coming out of cache or is it coming from the
DNS servers themselves and if so, which one if I have more than one to
choose from.

The particular problem I was having was that one of my email servers became
unreachable. This went on for quite a while and upon investigation, the IP
address for the server was wrong. I was using the OpenDNS servers and when
using their web tools to query, I got a different answer than what was being
returned to my client machine. I solved the problem at the time by going
back to the DNS servers provided by my ISP but this started the search for
how to get more information if it failed again.

I'd rather not leave log-queries on all the time as it generates lots of log
entries but I would like to turn it on when I have a problem (and off again
after resolving the issue).

Is this a reasonable request? Is there another way to accomplish this?

Regards,

Brad

From carlos at fisica.ufpr.br Thu Jul 24 21:48:01 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Thu Jul 24 21:48:54 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <000301c8edca$101b9940$3052cbc0$@net>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org> <4888C470.6070100@thekelleys.org.uk> <4888C5B1.4090906@bod.org> <000301c8edca$101b9940$3052cbc0$@net>
Message-ID: <18568.60033.347928.928546@fisica.ufpr.br>

Brad Morgan (b-morgan@concentric.net) wrote on 24 July 2008 14:15:
>After playing with dnsmasq log-queries for a while, I think there should be
>a signal that dynamically toggles this option. Stopping and starting dnsmasq
>doesn't work because it clears the cache and that's what I'm trying to
>discover... Is the wrong answer coming out of cache or is it coming from the
>DNS servers themselves and if so, which one if I have more than one to
>choose from.

[removed]

>I'd rather not leave log-queries on all the time as it generates lots of log
>entries but I would like to turn it on when I have a problem (and off again
>after resolving the issue).

If you turn logging off after solving it there's no problem in
restarting dnsmasq without the cache. The benefit of the signal would
be only to preserve the cache.

The size of the logs is not a problem if properly managed through
rotation and compression. The inconvenience is only the cpu that it
takes, apparently mainly for generating and formatting the time stamp.
However, you need a really high flux for the cpu consumption to become
noticeable.

From richardvoigt at gmail.com Fri Jul 25 04:11:25 2008
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Fri Jul 25 04:12:10 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <18568.60033.347928.928546@fisica.ufpr.br>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org> <4888C470.6070100@thekelleys.org.uk> <4888C5B1.4090906@bod.org> <000301c8edca$101b9940$3052cbc0$@net> <18568.60033.347928.928546@fisica.ufpr.br>
Message-ID: <2e59e6970807242011o69785d37r75b6875619980a0d@mail.gmail.com>

On Thu, Jul 24, 2008 at 8:48 PM, Carlos Carvalho wrote:

> Brad Morgan (b-morgan@concentric.net) wrote on 24 July 2008 14:15:
> >After playing with dnsmasq log-queries for a while, I think there should be
> >a signal that dynamically toggles this option. Stopping and starting dnsmasq
> >doesn't work because it clears the cache and that's what I'm trying to
> >discover... Is the wrong answer coming out of cache or is it coming from the
> >DNS servers themselves and if so, which one if I have more than one to
> >choose from.
>
> [removed]
>
> >I'd rather not leave log-queries on all the time as it generates lots of log
> >entries but I would like to turn it on when I have a problem (and off again
> >after resolving the issue).
>
> If you turn logging off after solving it there's no problem in
> restarting dnsmasq without the cache. The benefit of the signal would
> be only to preserve the cache.

Evidently, it is turning logging *on* that presents the problem, because
you can get no information about the state of the cache before dnsmasq was
reloaded to enable logging.

From timewind at hotmail.com Fri Jul 25 07:59:53 2008
From: timewind at hotmail.com (Stefan Sundberg)
Date: Fri Jul 25 08:00:41 2008
Subject: [Dnsmasq-discuss] the hosts file
In-Reply-To: <48889371.5030304@thekelleys.org.uk>
References: <48889371.5030304@thekelleys.org.uk>
Message-ID:

Hello!

But how does the "expand-hosts" function work if the shortnames are not
sent to the dns?

I do not know how to fix this problem as my external interface is using
dhcp from my ISP and overwrites the resolv.conf when the "upstream" DNS
server list is updated.

If there is no other way to fix this problem, it would be nice if the dns
would be able to understand the shortnames if the full hostnames with the
local domain added is written in the hosts file.

Regards
Stefan Sundberg

> Date: Thu, 24 Jul 2008 15:36:33 +0100
> From: simon@thekelleys.org.uk
> To: timewind@hotmail.com; dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] the hosts file
>
> Stefan Sundberg wrote:
> > Hello!
> >
> > I have started to use dnsmasq on a freebsd 6.x router/nat machine
> > where it is used as dns for my connected windows clients. I have a
> > problem with the dns server which I have not been able to resolve. I
> > have an entry in my hosts file for each of the clients and it looks
> > something like this:
> >
> > 192.168.0.1 computer1
> > 192.168.0.2 computer2
> >
> > and so on. The problem is that dnsmasq does not resolve "computer1".
> > I need to use "computer1.lan" or the local domain I may have chosen
> > and configured dnsmasq to use. Is it possible to configure dnsmasq so
> > it resolves the "simple names" directly as they are written in the
> > hosts file?
> >
>
> The problem is not dnsmasq, it's probably the computer's resolver code,
> which isn't sending simple names to the DNS. You can normally configure
> the correct behaviour, "man resolv.conf" will give you the details.
>
> Cheers,
>
> Simon.

From carlos at fisica.ufpr.br Fri Jul 25 14:05:52 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Fri Jul 25 14:06:40 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <2e59e6970807242011o69785d37r75b6875619980a0d@mail.gmail.com>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org> <4888C470.6070100@thekelleys.org.uk> <4888C5B1.4090906@bod.org> <000301c8edca$101b9940$3052cbc0$@net> <18568.60033.347928.928546@fisica.ufpr.br> <2e59e6970807242011o69785d37r75b6875619980a0d@mail.gmail.com>
Message-ID: <18569.53168.639767.396465@fisica.ufpr.br>

richardvoigt@gmail.com (richardvoigt@gmail.com) wrote on 25 July 2008 03:11:
>Evidently, it is turning logging *on* that presents the problem, because you
>can get no information about the state of the cache before dnsmasq was
>reloaded to enable logging.

He should leave logging on all the time then, it's cheap enough.

I'm against a signal for logging only. What would be interesting is a
signal for reloading the config. It'd reload only what is possible of
course but it can be done for most settings.

From richardvoigt at gmail.com Fri Jul 25 20:15:45 2008
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Fri Jul 25 20:16:31 2008
Subject: [Dnsmasq-discuss] Where does the complete dump go?
In-Reply-To: <18569.53168.639767.396465@fisica.ufpr.br>
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org> <4888C470.6070100@thekelleys.org.uk> <4888C5B1.4090906@bod.org> <000301c8edca$101b9940$3052cbc0$@net> <18568.60033.347928.928546@fisica.ufpr.br> <2e59e6970807242011o69785d37r75b6875619980a0d@mail.gmail.com> <18569.53168.639767.396465@fisica.ufpr.br>
Message-ID: <2e59e6970807251215o6c8957ect38be7d2a7d2f6429@mail.gmail.com>

On Fri, Jul 25, 2008 at 8:05 AM, Carlos Carvalho wrote:

> richardvoigt@gmail.com (richardvoigt@gmail.com) wrote on 25 July 2008 03:11:
> >Evidently, it is turning logging *on* that presents the problem, because you
> >can get no information about the state of the cache before dnsmasq was
> >reloaded to enable logging.
>
> He should leave logging on all the time then, it's cheap enough.
>
> I'm against a signal for logging only. What would be interesting is a
> signal for reloading the config. It'd reload only what is possible of
> course but it can be done for most settings.

I think a better solution would be to split the functionality of the
log-queries option:

*-q, --log-queries*
Log the results of DNS queries handled by dnsmasq. Enable a full cache
dump on receipt of SIGUSR1.

Clearly this controls two separate functions. It would be good to have a
flag to enable full cache dump on SIGUSR1 without also logging every
query. For that matter, a numeric option that causes the next N queries
to be logged in detail following each SIGUSR1.

From oudeis at nodomain.invalid Sat Jul 26 15:07:30 2008
From: oudeis at nodomain.invalid (Will Parsons)
Date: Sat Jul 26 15:25:50 2008
Subject: [Dnsmasq-discuss] Re: Where does the complete dump go?
References: <009801c8ed00$42b4b0a0$c81e11e0$@net> <48879BAD.2030000@bod.org> <000901c8eda6$5ffc3f60$1ff4be20$@net> <4888BFE9.8030507@bod.org> <4888C470.6070100@thekelleys.org.uk> <4888C5B1.4090906@bod.org> <000301c8edca$101b9940$3052cbc0$@net>
Message-ID:

Brad Morgan wrote:
> After playing with dnsmasq log-queries for a while, I think there should be
> a signal that dynamically toggles this option. Stopping and starting dnsmasq
> doesn't work because it clears the cache and that's what I'm trying to
> discover... Is the wrong answer coming out of cache or is it coming from the
> DNS servers themselves and if so, which one if I have more than one to
> choose from.
>
> The particular problem I was having was that one of my email servers became
> unreachable. This went on for quite a while and upon investigation, the IP
> address for the server was wrong. I was using the OpenDNS servers and when
> using their web tools to query, I got a different answer than what was being
> returned to my client machine. I solved the problem at the time by going
> back to the DNS servers provided by my ISP but this started the search for
> how to get more information if it failed again.
>
> I'd rather not leave log-queries on all the time as it generates lots of log
> entries but I would like to turn it on when I have a problem (and off again
> after resolving the issue).
>
> Is this a reasonable request? Is there another way to accomplish this?

Why not control it from the syslog side? IOW, set (for example) in your
dnsmasq.conf:

log-queries
log-facility=local2

and set logging of local2 messages appropriately in syslog.conf. When you
wish to change logging level, adjust syslog.conf appropriately and send
syslogd SIGHUP.

--
Will

From DNSMasq at RevRagnarok.com Sun Jul 27 12:32:07 2008
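Brad's underlying question in this thread is whether a wrong answer came out of dnsmasq's cache or from a particular upstream server, and Will's suggestion is to keep log-queries on and steer the volume with syslog. The following is an added example, not code from the thread or from dnsmasq: a POSIX shell function that reads a log-queries log and answers that question per name, keyed on the `forwarded`, `reply` and `cached` line shapes dnsmasq's query logging emits. It strips everything up to `dnsmasq[<pid>]: ` so it works on syslog-style and log-facility file lines alike. The sample log is constructed for the example, with documentation-range addresses rather than real hosts.

```sh
#!/bin/sh
# Added example: classify each answer in a dnsmasq log-queries log as either
# served from dnsmasq's own cache or forwarded to a particular upstream server.
# Reads the log on stdin and prints one line per answer:
#   "<name> <address> cache"               answer served from cache
#   "<name> <address> upstream=<server>"   answer obtained from that server
classify_answers() {
    awk '
    # strip the syslog or file-log prefix up to "dnsmasq[<pid>]: "
    { sub(/^.*dnsmasq\[[0-9]+\]: /, "") }
    # "forwarded NAME to SERVER": remember where NAME was last sent
    $1 == "forwarded" && $3 == "to" { upstream[$2] = $4; next }
    # "reply NAME is ADDR": an answer that came back from upstream
    $1 == "reply" && $3 == "is" {
        printf "%s %s upstream=%s\n", $2, $4, (($2 in upstream) ? upstream[$2] : "unknown")
        next
    }
    # "cached NAME is ADDR": an answer served from the cache
    $1 == "cached" && $3 == "is" { printf "%s %s cache\n", $2, $4; next }
    '
}

# Constructed sample log (not a real capture): a mail-host lookup forwarded to
# one upstream server, then the same name answered from cache a few minutes later.
SAMPLE_LOG='Jul 24 14:15:01 dnsmasq[1234]: query[A] mail.example.net from 192.168.1.5
Jul 24 14:15:01 dnsmasq[1234]: forwarded mail.example.net to 192.0.2.53
Jul 24 14:15:01 dnsmasq[1234]: reply mail.example.net is 198.51.100.25
Jul 24 14:20:30 dnsmasq[1234]: query[A] mail.example.net from 192.168.1.7
Jul 24 14:20:30 dnsmasq[1234]: cached mail.example.net is 198.51.100.25'

# Wrapper so the sample result is available as a return value.
classify_sample() {
    printf '%s\n' "$SAMPLE_LOG" | classify_answers
}

classify_sample
```

With a real log, run it as `classify_answers < /var/log/dnsmasq.log | grep mail.example.net`; a stale address that shows up tagged `upstream=` names the server that handed it over, while one tagged `cache` points at a cached record that a restart or SIGHUP would clear.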
From: DNSMasq at RevRagnarok.com (RevRagnarok)
Date: Sun Jul 27 12:32:56 2008
Subject: [Dnsmasq-discuss] "bad command line options: illegal repeated flag"
Message-ID:

A friend of mine is having trouble with 2.45, previously had 2.27
installed. When it launches from /etc/init.d/dnsmasq, it reports:

Shutting down dnsmasq: [ OK ]
Starting dnsmasq:
dnsmasq: bad command line options: illegal repeated flag
[FAILED]

The script with the options is below. Has anybody seen this error?
Looking at the script, I don't see any flag repeating.

Aaron

% cat dnsmasq
#!/bin/sh
#
# Startup script for the DNS caching server
#
# chkconfig: 2345 99 01
# description: This script starts your DNS caching server
# processname: dnsmasq
# pidfile: /var/run/dnsmasq.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

dnsmasq=/usr/local/sbin/dnsmasq
[ -f $dnsmasq ] || exit 0

# change this line if you want dnsmasq to serve an MX record for
# the host it is running on.
MAILHOSTNAME=""

# change this line if you want dns to get its upstream servers from
# somewhere other than /etc/resolv.conf
RESOLV_CONF=""

# change this if you want dnsmasq to cache any "hostname" or "client-hostname" from
# a dhcpd's lease file
DHCP_LEASE="/var/lib/dhcp/dhcpd.leases"

DOMAIN_SUFFIX=`dnsdomainname`

OPTIONS="--domain=middleearth --expand-hosts"

if [ ! -z "${MAILHOSTNAME}" ]; then
  OPTIONS="$OPTIONS -m $MAILHOSTNAME"
fi

if [ ! -z "${RESOLV_CONF}" ]; then
  OPTIONS="$OPTIONS -r $RESOLV_CONF"
fi

if [ ! -z "${DHCP_LEASE}" ]; then
  OPTIONS="$OPTIONS -l $DHCP_LEASE"
fi

if [ ! -z "${DOMAIN_SUFFIX}" ]; then
  OPTIONS="$OPTIONS -s $DOMAIN_SUFFIX"
fi

RETVAL=0

# See how we were called.
case "$1" in
  start)
    echo -n "Starting dnsmasq: "
    daemon $dnsmasq $OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/dnsmasq
    ;;
  stop)
    if test "x`pidof dnsmasq`" != x; then
      echo -n "Shutting down dnsmasq: "
      killproc dnsmasq
    fi
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/dnsmasq /var/run/dnsmasq.pid
    ;;
  status)
    status dnsmasq
    RETVAL=$?
    ;;
  restart|reload)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  condrestart)
    if test "x`/sbin/pidof dnsmasq`" != x; then
      $0 stop
      $0 start
      RETVAL=$?
    fi
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|condrestart|status}"
    exit 1
esac

exit $RETVAL

From simon at thekelleys.org.uk Sun Jul 27 13:14:21 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Jul 27 13:15:07 2008
Subject: [Dnsmasq-discuss] "bad command line options: illegal repeated flag"
In-Reply-To:
References:
Message-ID: <488C669D.3090903@thekelleys.org.uk>

RevRagnarok wrote:
> A friend of mine is having trouble with 2.45, previously had 2.27
> installed. When it launches from /etc/init.d/dnsmasq, it reports:
> Shutting down dnsmasq: [ OK ]
> Starting dnsmasq:
> dnsmasq: bad command line options: illegal repeated flag
> [FAILED]
>
> The script with the options is below. Has anybody seen this error?
> Looking at the script, I don't see any flag repeating.
>

running

sh -x /etc/init.d/dnsmasq

will tell you what's happening.

Cheers,

Simon.

From dnsmasq.list at michaelrack.de Sun Jul 27 14:10:58 2008
From: dnsmasq.list at michaelrack.de (Michael Rack)
Date: Sun Jul 27 14:11:18 2008
Subject: [Dnsmasq-discuss] How to disable Reverse-DNS to lookup for hostnames in DHCP Range
Message-ID: <488C73E2.7090404@michaelrack.de>

Hi list!

How to tell DNSMASQ to forward all queries to the upstream DNS server?

My DNSMASQ provides official IP addresses to my network via DHCP. While
a machine requests an IP address, it authenticates against its own
hostname e.g. pc-michael.

A reverse DNS query inside of the network for a dynamically assigned
IP address results in the hostname the machine provides.

But the real hostname is not the machine's hostname, but rather the one
the upstream DNS server provides.

Thank you.

Kind regards,
Michael Rack

From simon at thekelleys.org.uk Sun Jul 27 20:11:29 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Jul 27 20:14:41 2008
Subject: [Dnsmasq-discuss] How to disable Reverse-DNS to lookup for hostnames in DHCP Range
In-Reply-To: <488C73E2.7090404@michaelrack.de>
References: <488C73E2.7090404@michaelrack.de>
Message-ID: <488CC861.2070605@thekelleys.org.uk>

Michael Rack wrote:
> Hi list!
>
> How to tell DNSMASQ to forward all queries to the upstream DNS server?
>
> My DNSMASQ provides official IP addresses to my network via DHCP. While
> a machine requests an IP address, it authenticates against its own
> hostname e.g. pc-michael.
>
> A reverse DNS query inside of the network for a dynamically assigned
> IP address results in the hostname the machine provides.
>
> But the real hostname is not the machine's hostname, but rather the one
> the upstream DNS server provides.
>

You could try using --dhcp-ignore-names which will tell dnsmasq not to
use the name supplied by the DHCP client. This may do more than you want,
but it's the closest there is to a feature which does what you are asking
for.

Cheers,

Simon.

> Thank you.
>
> Kind regards,
> Michael Rack
>

From Hullen at t-online.de Mon Jul 28 12:58:00 2008
From: Hullen at t-online.de (Helmut Hullen)
Date: Mon Jul 28 13:00:43 2008
Subject: [Dnsmasq-discuss] "bad command line options: illegal repeated flag"
In-Reply-To: <488C669D.3090903@thekelleys.org.uk>
Message-ID:

Hello, Simon,

You (simon) wrote on 27.07.08:

>> installed. When it launches from /etc/init.d/dnsmasq, it reports:
>> Shutting down dnsmasq: [ OK ]
>> Starting dnsmasq:
>> dnsmasq: bad command line options: illegal repeated flag
>> [FAILED]

> running
> sh -x /etc/init.d/dnsmasq
> will tell you what's happening.

I'd prefer

sh -x /etc/init.d/dnsmasq start

Best regards!
Helmut

From simon at thekelleys.org.uk Mon Jul 28 15:19:31 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon Jul 28 15:20:19 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
Message-ID: <488DD573.4010006@thekelleys.org.uk>

I've been thinking about this again, prompted by

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002208.html

I know that it's something many people want. The problem in providing it
is that the domain information associated with a DHCP lease is not stored
in the leases file. Adding this breaks backward compatibility. Ben's
suggestion (multiple lease files) is not something I'm keen on, since it
really only disguises the backwards-compatibility problem and it doesn't
address similar problems when the lease database is held in an external
database.

However, it did light a lightbulb: most people who want multiple domains
probably want them associated with particular IP address ranges, (or at
least can organise things to make that true.) Given that each lease has
to have an IP address, that makes mapping from lease to domain perfectly
simple. It also makes use of the domain to expand names in /etc/hosts
work well (see the --expand-hosts flag)

So, here is a suggestion: Elaborate the "domain=" config option so that,
as well as

domain=example.org

the following are also valid

domain=example.org,192.168.100.128,192.168.100.180
domain=subnet.example.org,192.168.100.0/24
domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64

Multiple domain lines are now allowed, and the smallest address range
which matches will be used. The IPv6 version is useful for /etc/hosts and
--expand-hosts, it's clearly not used for DHCP (which is IPv4 only in
dnsmasq).

This has lots of advantages: it's completely backwards-compatible with
existing configs, it's straightforward to use, and straightforward to
implement.

What do people think, would that be sufficiently useful?

As part of implementing this, I'd like to try (again) to remove the
long-deprecated ISC lease-file reading code. If I don't remove it, it
will need work to fit in with the new facilities. I've tried to remove
this code before and had complaints; can I assume by now that that code
is dead?

Cheers,

Simon.

From weizen_42 at ipcop-forum.de Mon Jul 28 15:34:02 2008
From: weizen_42 at ipcop-forum.de (Olaf Westrik)
Date: Mon Jul 28 15:34:49 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
In-Reply-To: <488DD573.4010006@thekelleys.org.uk>
References: <488DD573.4010006@thekelleys.org.uk>
Message-ID: <488DD8DA.4090301@ipcop-forum.de>

Simon Kelley wrote:
> Elaborate the "domain=" config option so that, as well as
>
> domain=example.org
>
> the following are also valid
>
> domain=example.org,192.168.100.128,192.168.100.180
> domain=subnet.example.org,192.168.100.0/24
> domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64

Would it not be better / easier to make that:
domain=[net:

If you are handing out differing domains, you are likely to hand out
other options as well. All requiring network-id.

Along a similar line you could also do
bootp-dynamic[=]]
(probably the last dhcp option that is not net related ;-))

Olaf

--
A weizen a day helps keep the doctor away.

From simon at thekelleys.org.uk Mon Jul 28 16:15:17 2008
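To make the matching rule in Simon's proposal concrete ("the smallest address range which matches will be used", with a bare `domain=` line as the fallback), here is an added example, not dnsmasq code, that applies that rule to an IPv4 address using the four `domain=` lines from the proposal. It handles both the start,end form and the network/prefix form; the IPv6 line is recognised and skipped, since the proposal reserves that form for hosts-file expansion rather than DHCP, and the tie-breaking between equal-sized ranges is this example's choice (first match wins), not something the proposal specifies.

```sh
#!/bin/sh
# Added example modelling the proposed extended "domain=" syntax:
#   domain=<name>                        fallback for addresses in no range
#   domain=<name>,<start>,<end>          inclusive IPv4 range
#   domain=<name>,<network>/<prefix>     IPv4 CIDR block
# The smallest matching range wins. IPv6 entries are skipped. This is a
# model of the rule discussed on the list, not dnsmasq's implementation.

# Usage: domain_for_ip <ipv4-address> < config-file
domain_for_ip() {
    awk -v ip="$1" '
    # dotted quad -> 32-bit integer, so ranges compare numerically
    function ip2int(a,  p) {
        split(a, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN { n = ip2int(ip); best = ""; bestsize = 2^32 + 1 }
    /^domain=/ {
        sub(/^domain=/, "")
        k = split($0, f, ",")
        if (k == 1) { fallback = f[1]; next }       # bare domain=name
        if (f[2] ~ /:/) next                        # IPv6 entry: not handled here
        if (k == 2 && f[2] ~ /\//) {                # network/prefix form
            split(f[2], c, "/")
            size = 2^(32 - c[2])
            lo = int(ip2int(c[1]) / size) * size    # network address
            hi = lo + size - 1                      # last address in the block
        } else if (k == 3) {                        # start,end form
            lo = ip2int(f[2]); hi = ip2int(f[3]); size = hi - lo + 1
        } else next
        # keep the tightest range that contains the address
        if (n >= lo && n <= hi && size < bestsize) { best = f[1]; bestsize = size }
    }
    END { result = (best != "") ? best : fallback; print result }
    '
}

# The four lines from the proposal, as a constructed sample config.
SAMPLE_CONFIG='domain=example.org
domain=example.org,192.168.100.128,192.168.100.180
domain=subnet.example.org,192.168.100.0/24
domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64'

# Look an address up against the sample config.
domain_for_sample() {
    printf '%s\n' "$SAMPLE_CONFIG" | domain_for_ip "$1"
}

domain_for_sample 192.168.100.150   # in both ranges: the 53-address range wins
domain_for_sample 192.168.100.5     # only the /24 matches
domain_for_sample 10.0.0.1          # in no range: bare domain= fallback
```

Note how 192.168.100.150 lies inside both the /24 and the 128..180 range and gets the narrower one, which is the behaviour that makes a per-subnet default and a per-pool override coexist in one config.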
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon Jul 28 16:16:06 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
In-Reply-To: <488DD8DA.4090301@ipcop-forum.de>
References: <488DD573.4010006@thekelleys.org.uk> <488DD8DA.4090301@ipcop-forum.de>
Message-ID: <488DE285.20402@thekelleys.org.uk>

Olaf Westrik wrote:
> Simon Kelley wrote:
>
>> Elaborate the "domain=" config option so that, as well as
>>
>> domain=example.org
>>
>> the following are also valid
>>
>> domain=example.org,192.168.100.128,192.168.100.180
>> domain=subnet.example.org,192.168.100.0/24
>> domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64
>
> Would it not be better / easier to make that:
> domain=[net:
>
> If you are handing out differing domains, you are likely to hand out
> other options as well. All requiring network-id.

That was the original suggestion, the problem with it is that the
network-id set is generated dynamically during a DHCP transaction. The
really difficult time for this is when dnsmasq starts up: at that time
it has to populate the DNS using the information in the leases file and
the configuration file, generating net-tags during startup is even more
difficult than storing the domain directly in the lease file.

The advantage of the map-IP-address-to-domain idea is that it just needs
the IP address and the config file to find the correct domain. Both of
those are available at all times.

>
>
> Along a similar line you could also do
> bootp-dynamic[=]]
> (probably the last dhcp option that is not net related ;-))
>

That's a good idea; I'll do that.

Cheers,

Simon.

From simon at thekelleys.org.uk Mon Jul 28 17:46:45 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon Jul 28 17:49:56 2008
Subject: [Dnsmasq-discuss] Re: posting to list
In-Reply-To: <20080728161301.GC23675@omniti.com>
References: <20080728161301.GC23675@omniti.com>
Message-ID: <488DF7F5.4010004@thekelleys.org.uk>

Jason Dixon wrote:
> Hi Simon:
>
> Sorry to bother you, but I've sent (and resent) a message to the list
> recently. Neither of them are showing in the archives, nor have I
> received a copy to suggest they've made it to the list at all. Are
> these posts moderated? If not, could you please investigate what might
> be happening to my emails?
>
> Thanks,
>

Hi Jason,

I can see that you're subscribed, and I can see list posts going out to
you, but as far as I can see, the email I'm replying to is the first one
ever received from you by my system. Are you sure you're posting to the
correct address?

Cheers,

Simon.

From weizen_42 at ipcop-forum.de Mon Jul 28 19:34:03 2008
From: weizen_42 at ipcop-forum.de (Olaf Westrik)
Date: Mon Jul 28 19:35:20 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
In-Reply-To: <488DE285.20402@thekelleys.org.uk>
References: <488DD573.4010006@thekelleys.org.uk> <488DD8DA.4090301@ipcop-forum.de> <488DE285.20402@thekelleys.org.uk>
Message-ID: <488E111B.8030508@ipcop-forum.de>

Simon Kelley wrote:
>>> Elaborate the "domain=" config option so that, as well as
>>>
>>> domain=example.org
>>>
>>> the following are also valid
>>>
>>> domain=example.org,192.168.100.128,192.168.100.180
>>> domain=subnet.example.org,192.168.100.0/24
>>> domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64
>> Would it not be better / easier to make that:
>> domain=[net:
>>
>> If you are handing out differing domains, you are likely to hand out
>> other options as well. All requiring network-id.
>
> That was the original suggestion, the problem with it is that the
> network-id set is generated dynamically during a DHCP transaction. The
> really difficult time for this is when dnsmasq starts up: at that time
> it has to populate the DNS using the information in the leases file and
> the configuration file, generating net-tags during startup is even more
> difficult than storing the domain directly in the lease file.

ah, sorry I was thinking about the sending of dhcp-options. Probably
forgot dnsmasq's primary function: resolving names.

Of course the domain-name can be sent using dhcp-option 15 as is.

>> Along a similar line you could also do
>> bootp-dynamic[=]]
>> (probably the last dhcp option that is not net related ;-))
>>
>
> That's a good idea; I'll do that.

Thank you. That's the only obvious thing I found whilst converting from
ISC dhcp to dnsmasq.

Olaf

--
A weizen a day helps keep the doctor away.

From DNSMasq at RevRagnarok.com Mon Jul 28 22:37:54 2008
From: DNSMasq at RevRagnarok.com (RevRagnarok)
Date: Mon Jul 28 22:38:46 2008
Subject: [Dnsmasq-discuss] "bad command line options: illegal repeated flag"
In-Reply-To: <488C669D.3090903@thekelleys.org.uk>
References: <488C669D.3090903@thekelleys.org.uk>
Message-ID:

Thanks all,

Turns out the script was giving both -s and --domain. When he took out
-s, it failed with a different error, but with just -s and no --domain it
was happy.

Thanks for the help!

- Aaron

+ DHCP_LEASE=/var/lib/dhcp/dhcpd.leases
++ dnsdomainname
+ DOMAIN_SUFFIX=middleearth
+ OPTIONS='--domain=middleearth --expand-hosts'
+ '[' '!' -z '' ']'
+ '[' '!' -z '' ']'
+ '[' '!' -z /var/lib/dhcp/dhcpd.leases ']'
+ OPTIONS='--domain=middleearth --expand-hosts -l /var/lib/dhcp/dhcpd.leases'
+ '[' '!' -z middleearth ']'
+ OPTIONS='--domain=middleearth --expand-hosts -l /var/lib/dhcp/dhcpd.leases -s middleearth'
+ RETVAL=0
+ case "$1" in
+ echo -n 'Starting dnsmasq: '
Starting dnsmasq:
+ daemon /usr/local/sbin/dnsmasq --domain=middleearth --expand-hosts -l /var/lib/dhcp/dhcpd.leases -s middleearth

From jdixon at omniti.com Fri Jul 25 00:37:41 2008
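Aaron's `sh -x` trace shows the cause: the script passes `--domain=middleearth` and later `-s middleearth`, and `-s` is the short spelling of `--domain`, so dnsmasq sees the same flag twice. As an added example (not part of the thread or of dnsmasq), here is a shell function an init script could run over its assembled option string before the `daemon $dnsmasq $OPTIONS` line, reporting any flag given twice once short and long forms are folded together. The alias table covers only the four short flags the posted script can emit and is an assumption of this example, not a complete dnsmasq table; the option string it checks is reconstructed from the trace above.

```sh
#!/bin/sh
# Added example: find a flag handed to dnsmasq twice once short and long
# spellings are folded together, the condition behind
# "bad command line options: illegal repeated flag".
# The alias table is limited to the four short flags the posted init script
# can emit; it is an assumption of this example, not a full dnsmasq table.

# Usage: find_repeated_flags "<option string>"
# Prints each repeated flag (long form) once; prints nothing when clean.
find_repeated_flags() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
    BEGIN {
        alias["-s"] = "--domain"
        alias["-l"] = "--dhcp-leasefile"
        alias["-r"] = "--resolv-file"
        alias["-m"] = "--mx-host"
    }
    /^-/ {
        flag = $0
        sub(/=.*/, "", flag)                   # --domain=middleearth -> --domain
        if (flag in alias) flag = alias[flag]  # -s -> --domain
        if (++seen[flag] == 2) print flag      # report on the second sighting
    }'
}

# Returns 0 when no flag is repeated, 1 otherwise: usable as a guard in an
# init script before the daemon is started.
options_are_clean() {
    [ -z "$(find_repeated_flags "$1")" ]
}

# The option string the posted script built, reconstructed from the sh -x trace.
TRACED_OPTIONS='--domain=middleearth --expand-hosts -l /var/lib/dhcp/dhcpd.leases -s middleearth'

if options_are_clean "$TRACED_OPTIONS"; then
    echo "options ok"
else
    echo "repeated flag(s): $(find_repeated_flags "$TRACED_OPTIONS")"
fi
```

Splitting on spaces is enough for the strings this script produces; an option value containing a space would need a different tokeniser. The check is also why Aaron's second experiment (dropping `-s` and keeping `--domain=`) stops triggering this particular error, whatever else the script then ran into.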
From: jdixon at omniti.com (Jason Dixon)
Date: Mon Jul 28 23:55:01 2008
Subject: [Dnsmasq-discuss] illegal domain in dhcp-config directive
Message-ID: <20080724233741.GA21070@omniti.com>

Thanks to the recent vulnerability, I'm upgrading an older dnsmasq system from version 2.34 to 2.45. I've installed it and attempted to run it, but I get the following error.

dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive.

The same configuration works fine with 2.34, so I presume something has changed in the configuration syntax or default settings. I haven't found anything on Google or in the FAQ about this error, nor do I see any "dhcp-config" directives in our config files or the sample config. Here is the relevant line from our config:

dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.117.105

It doesn't appear to be anything specifically with that line. We have a couple hundred of these loaded by dnsmasq. If I comment out that one, the next preceding one will error. I'm not experienced with dnsmasq, so I'm putting myself at the mercy of this list. Any help will be greatly appreciated. :)

Thanks,

--
Jason Dixon
OmniTI Computer Consulting, Inc.
jdixon@omniti.com
443.325.1357 x.241

From jdixon at omniti.com Mon Jul 28 16:46:00 2008
From abnormaliti at clivepeeters.com.au Tue Jul 29 02:43:21 2008
From: abnormaliti at clivepeeters.com.au (Ben)
Date: Tue Jul 29 02:44:41 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
In-Reply-To: <488DD573.4010006@thekelleys.org.uk>
References: <488DD573.4010006@thekelleys.org.uk>
Message-ID: <488E75B9.6030709@clivepeeters.com.au>

Simon Kelley wrote:
> However, it did light a lightbulb, most people who want multiple domains
> probably want them associated with particular IP address ranges, (or at
> least can organise things to make that true.) Given that each lease has
> to have an IP address, that makes mapping from lease to domain perfectly
> simple. It also makes use of the domain to expand names in /etc/hosts
> work well (see the --expand-hosts flag)
>
> So, here is a suggestion:
>
> Elaborate the "domain=" config option so that, as well as
>
> domain=example.org
>
> the following are also valid
>
> domain=example.org,192.168.100.128,192.168.100.180
> domain=subnet.example.org,192.168.100.0/24
> domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64
>
> Multiple domain lines are now allowed, and the smallest address range
> which matches will be used. The IPv6 version is useful for /etc/hosts
> and --expand-hosts, it's clearly not used for DHCP (which is IPv4 only
> in dnsmasq).
>
> This has lots of advantages: it's completely backwards-compatible with
> existing configs, it's straightforward to use, and straightforward to
> implement.
>
> What do people think, would that be sufficiently useful?
>
That would be fine by me. I would prefer a consistent syntax like "net:network-id" but if that isn't practical then I will survive.

> As part of implementing this, I'd like to try (again) to remove the
> long-deprecated ISC lease-file reading code. If I don't remove it, it
> will need work to fit in with the new facilities. I've tried to remove
> this code before and had complaints; can I assume by now that that code
> is dead?
>
Fine by me.
So to make sure I am clear, a configuration would look like this, right?

domain=sub1.example.com.au,192.168.1.0/24
domain=sub2.example.com.au,192.168.2.0/24

local=sub1.example.com.au
local=sub2.example.com.au

dhcp-range=subnet1,192.168.1.100,192.168.1.254,255.255.255.0,24h
dhcp-range=subnet2,192.168.2.100,192.168.2.254,255.255.255.0,24h

dhcp-option=subnet1,15,sub1.example.com.au
dhcp-option=subnet2,15,sub2.example.com.au

dhcp-boot=net:subnet1,/pxelinux.0

While I am at it, can I also request that the "net:network-id" syntax be supported wherever network-ids can be used? Using the example above I would like to be able to keep things consistent and clearer like this.

dhcp-range=net:subnet1,192.168.1.100,192.168.1.254,255.255.255.0,24h
dhcp-option=net:subnet1,15,sub1.example.com.au
dhcp-boot=net:subnet1,/pxelinux.0

Ben

From simon at thekelleys.org.uk Tue Jul 29 07:48:32 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Jul 29 07:49:20 2008
Subject: [Dnsmasq-discuss] illegal domain in dhcp-config directive
In-Reply-To: <20080724233741.GA21070@omniti.com>
References: <20080724233741.GA21070@omniti.com>
Message-ID: <488EBD40.7000002@thekelleys.org.uk>

Jason Dixon wrote:
> Thanks to the recent vulnerability, I'm upgrading an older dnsmasq
> system from version 2.34 to 2.45. I've installed it and attempted to
> run it, but I get the following error.
>
> dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive.
>
> The same configuration works fine with 2.34, so I presume something has
> changed in the configuration syntax or default settings. I haven't
> found anything on Google or in the FAQ about this error, nor do I see
> any "dhcp-config" directives in our config files or the sample config.
> Here is the relevant line from our config:
>
> dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.117.105
>
> It doesn't appear to be anything specifically with that line. We have a
> couple hundred of these loaded by dnsmasq. If I comment out that one,
> the next preceding one will error. I'm not experienced with dnsmasq, so
> I'm putting myself at the mercy of this list. Any help will be greatly
> appreciated. :)
>
> Thanks,
>

As far as I can see, this error can only be occurring because the domain part of the name you're applying to that host doesn't match the domain specified for dnsmasq to use by the domain= config option.

AFAIK dnsmasq has never allowed you to send a FQDN to a host unless it matches the domain setting (this is to avoid hosts impersonating, eg www.microsoft.com) but the check in this case has been moved from run-time, where it will log an error, to a fatal error at start-up.

The fix may be as simple as adding

domain=04-06.lab.foobar.com

(and you can remove the domain parts from all the dhcp-host lines as well, if you wish. If they stay, they must match the domain given)

Cheers,

Simon.
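The check Simon describes (a qualified name in dhcp-host= is only sent if its domain part matches domain=) is easy to run against a configuration before restarting, which matters when a couple of hundred host lines are involved and the new version makes the mismatch fatal at start-up. The script below is an added example written for this page, not dnsmasq's own parser or anything posted to the list. It assumes, from the error text quoted in the thread ("illegal domain 04-06.lab.foobar.com" for the name ubuntu-8.04-06.lab.foobar.com), that dnsmasq splits the name at the first dot; the config fragment it runs over is constructed, reusing the local= line and the one dhcp-host= line from the thread and adding two made-up hosts for contrast.

```python
import re
from typing import List, Optional, Tuple

# Constructed dnsmasq.conf fragment. The local= line and the first dhcp-host line
# are the ones quoted in the thread; the other two hosts are made up for contrast.
SAMPLE_CONF = """\
local=/lab.foobar.com/wifi.foobar.com/
dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.117.105
dhcp-host=00:0c:29:02:1f:07,build-07,172.16.117.106
dhcp-host=00:0c:29:02:1f:08,printer.wifi.foobar.com,172.16.118.10
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LEASE_RE = re.compile(r"^(?:\d+[smhdw]?|infinite|ignore)$")


def hostname_field(fields: List[str]) -> Optional[str]:
    """Pick the hostname out of a dhcp-host= field list. Assumption: it is the
    first field that is not a MAC, an address, a lease time or a net:/id: token."""
    for f in fields:
        if MAC_RE.match(f) or IPV4_RE.match(f) or LEASE_RE.match(f):
            continue
        if f.startswith(("net:", "id:")):
            continue
        return f
    return None


def split_name(name: str) -> Tuple[str, Optional[str]]:
    """Split at the first dot, which is what the error message in the thread
    implies: 'ubuntu-8.04-06.lab.foobar.com' -> ('ubuntu-8', '04-06.lab.foobar.com')."""
    host, sep, domain = name.partition(".")
    return host, (domain.lower() if sep else None)


def parse_conf(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (domains named by domain= lines, [(mac, hostname)] from dhcp-host= lines)."""
    domains: List[str] = []
    hosts: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("domain="):
            # only the name matters here; an address range after a comma is ignored
            domains.append(line[len("domain="):].split(",")[0].lower())
        elif line.startswith("dhcp-host="):
            fields = line[len("dhcp-host="):].split(",")
            mac = next((f.lower() for f in fields if MAC_RE.match(f)), "?")
            name = hostname_field(fields)
            if name is not None:
                hosts.append((mac, name))
    return domains, hosts


def illegal_domains(text: str) -> List[Tuple[str, str, str]]:
    """(mac, hostname, domain part) for every dhcp-host whose domain part is not
    covered by a domain= line. Unqualified names never trigger the check."""
    domains, hosts = parse_conf(text)
    bad: List[Tuple[str, str, str]] = []
    for mac, name in hosts:
        _, domain = split_name(name)
        if domain is not None and domain not in domains:
            bad.append((mac, name, domain))
    return bad


def suggested_domain_lines(text: str) -> List[str]:
    """The kind of fix Simon suggests: one domain= line per offending domain part."""
    return sorted({f"domain={d}" for _, _, d in illegal_domains(text)})


if __name__ == "__main__":
    for mac, name, domain in illegal_domains(SAMPLE_CONF):
        print(f"{mac}: {name} -> illegal domain {domain}")
    print("\n".join(suggested_domain_lines(SAMPLE_CONF)))
```

Note that the local= line plays no part in the check: it controls which names are answered locally, not which domain dnsmasq is willing to hand to a DHCP client in its FQDN.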
From simon at thekelleys.org.uk Tue Jul 29 11:57:41 2008 
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Jul 29 11:58:25 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
In-Reply-To: <488E75B9.6030709@clivepeeters.com.au>
References: <488DD573.4010006@thekelleys.org.uk> <488E75B9.6030709@clivepeeters.com.au>
Message-ID: <488EF7A5.2000701@thekelleys.org.uk>

Ben wrote:
> Simon Kelley wrote:
>> However, it did light a lightbulb, most people who want multiple domains
>> probably want them associated with particular IP address ranges, (or at
>> least can organise things to make that true.) Given that each lease has
>> to have an IP address, that makes mapping from lease to domain perfectly
>> simple. It also makes use of the domain to expand names in /etc/hosts
>> work well (see the --expand-hosts flag)
>>
>> So, here is a suggestion:
>>
>> Elaborate the "domain=" config option so that, as well as
>>
>> domain=example.org
>>
>> the following are also valid
>>
>> domain=example.org,192.168.100.128,192.168.100.180
>> domain=subnet.example.org,192.168.100.0/24
>> domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64
>>
>> Multiple domain lines are now allowed, and the smallest address range
>> which matches will be used. The IPv6 version is useful for /etc/hosts
>> and --expand-hosts, it's clearly not used for DHCP (which is IPv4 only
>> in dnsmasq).
>>
>> This has lots of advantages: it's completely backwards-compatible with
>> existing configs, it's straightforward to use, and straightforward to
>> implement.
>>
>> What do people think, would that be sufficiently useful?
>>
> That would be fine by me. I would prefer a consistent syntax like
> "net:network-id" but if that isn't practical then I will survive.
>> As part of implementing this, I'd like to try (again) to remove the
>> long-deprecated ISC lease-file reading code. If I don't remove it, it
>> will need work to fit in with the new facilities.
>> I've tried to remove
>> this code before and had complaints; can I assume by now that that code
>> is dead?
>>
> Fine by me.
>
> So to make sure I am clear, a configuration would look like this, right?
>
> domain=sub1.example.com.au,192.168.1.0/24
> domain=sub2.example.com.au,192.168.2.0/24
>
> local=sub1.example.com.au
> local=sub2.example.com.au
>
> dhcp-range=subnet1,192.168.1.100,192.168.1.254,255.255.255.0,24h
> dhcp-range=subnet2,192.168.2.100,192.168.2.254,255.255.255.0,24h
>
> dhcp-option=subnet1,15,sub1.example.com.au
> dhcp-option=subnet2,15,sub2.example.com.au
>
> dhcp-boot=net:subnet1,/pxelinux.0
>

Right, except that the dhcp option 15 lines are superfluous, they specify behaviour which will occur by default. This is just an extension of the existing behaviour: dnsmasq sends the domain automatically.

>
> While I am at it, can I also request that the "net:network-id" syntax
> be supported wherever network-ids can be used? Using the example above
> I would like to be able to keep things consistent and clearer like this.
>
> dhcp-range=net:subnet1,192.168.1.100,192.168.1.254,255.255.255.0,24h
> dhcp-option=net:subnet1,15,sub1.example.com.au
> dhcp-boot=net:subnet1,/pxelinux.0
>

You can, seems sensible to me, I'll add it to the list.

Cheers,

Simon.

>
> Ben
>

From jdixon at omniti.com Tue Jul 29 12:40:52 2008
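The rule Simon proposes for the extended domain= option (several lines, each with an address range, the smallest matching range winning, a plain domain= as the fallback) is a longest-match lookup, and it also drives what --expand-hosts appends to bare names in /etc/hosts. The code below is an added model of that rule, written for this page; it is not dnsmasq code and does not reflect how the feature was eventually implemented. The config it parses is constructed in the proposed syntax, with distinct domain names on each line so that the choice is visible, and the /etc/hosts lines are made up.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed config in the syntax proposed in the thread (example input only;
# dnsmasq's own parser is not involved). The address ranges are the ones from
# the proposal, with distinct names so the selection is visible.
CONFIG = """\
domain=example.org
domain=guests.example.org,192.168.100.128,192.168.100.180
domain=subnet.example.org,192.168.100.0/24
domain=anothernet.example.org,2001:db8:100:f101:210:a4ff:fee3:9566/64
"""

# (domain, IP version or None for the catch-all, first address, last address) as ints
Rule = Tuple[str, Optional[int], int, int]


def parse_domain_lines(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("domain="):
            continue
        parts = line[len("domain="):].split(",")
        domain = parts[0].lower()
        if len(parts) == 1:                         # plain domain=: applies everywhere
            rules.append((domain, None, 0, 0))
        elif len(parts) == 2:                       # domain=<name>,<prefix>/<len>
            # strict=False: host bits in the prefix are allowed, as in the IPv6 example
            net = ipaddress.ip_network(parts[1], strict=False)
            rules.append((domain, net.version,
                          int(net.network_address), int(net.broadcast_address)))
        elif len(parts) == 3:                       # domain=<name>,<first>,<last>
            lo, hi = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            if lo.version != hi.version or int(lo) > int(hi):
                raise ValueError(f"bad address range: {line}")
            rules.append((domain, lo.version, int(lo), int(hi)))
        else:
            raise ValueError(f"cannot parse: {line}")
    return rules


def domain_for(addr: str, rules: List[Rule]) -> Optional[str]:
    """Smallest matching range wins; a plain domain= line is the fallback."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[int, str]] = None
    fallback: Optional[str] = None
    for domain, version, lo, hi in rules:
        if version is None:
            fallback = fallback or domain
        elif version == ip.version and lo <= int(ip) <= hi:
            size = hi - lo
            if best is None or size < best[0]:
                best = (size, domain)
    return best[1] if best else fallback


def expand_hosts(hosts_text: str, rules: List[Rule]) -> Dict[str, str]:
    """Model of --expand-hosts: qualify bare /etc/hosts names with the domain
    chosen for the line's address; names that already contain a dot are kept."""
    table: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        dom = domain_for(addr, rules)
        for name in names:
            fqdn = name if ("." in name or dom is None) else f"{name}.{dom}"
            table[fqdn.lower()] = addr
    return table


RULES = parse_domain_lines(CONFIG)

# Constructed /etc/hosts lines.
HOSTS = """\
192.168.100.130 alpha
192.168.100.200 beta www.beta.example.org
10.0.0.1 gw
2001:db8:100:f101::1 six
"""

if __name__ == "__main__":
    for fqdn, addr in expand_hosts(HOSTS, RULES).items():
        print(f"{addr:24} {fqdn}")
```

192.168.100.130 lies inside both 192.168.100.0/24 and 192.168.100.128-180; the 53-address range is the smaller, so the host becomes alpha.guests.example.org, while 192.168.100.200 only matches the /24 and becomes beta.subnet.example.org.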
From: jdixon at omniti.com (Jason Dixon)
Date: Tue Jul 29 12:41:43 2008
Subject: [Dnsmasq-discuss] illegal domain in dhcp-config directive
In-Reply-To: <488EBD40.7000002@thekelleys.org.uk>
References: <20080724233741.GA21070@omniti.com> <488EBD40.7000002@thekelleys.org.uk>
Message-ID: <20080729114052.GC25322@omniti.com>

On Tue, Jul 29, 2008 at 07:48:32AM +0100, Simon Kelley wrote:
> Jason Dixon wrote:
>> Thanks to the recent vulnerability, I'm upgrading an older dnsmasq
>> system from version 2.34 to 2.45. I've installed it and attempted to
>> run it, but I get the following error.
>>
>> dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive.
>>
>> The same configuration works fine with 2.34, so I presume something has
>> changed in the configuration syntax or default settings. I haven't
>> found anything on Google or in the FAQ about this error, nor do I see
>> any "dhcp-config" directives in our config files or the sample config.
>> Here is the relevant line from our config:
>>
>> dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.117.105
>>
>> It doesn't appear to be anything specifically with that line. We have a
>> couple hundred of these loaded by dnsmasq. If I comment out that one,
>> the next preceding one will error. I'm not experienced with dnsmasq, so
>> I'm putting myself at the mercy of this list. Any help will be greatly
>> appreciated. :)
>>
>> Thanks,
>>
>
> As far as I can see, this error can only be occurring because the domain
> part of the name you're applying to that host doesn't match the domain
> specified for dnsmasq to use by the domain= config option.
>
> AFAIK dnsmasq has never allowed you to send a FQDN to a host unless it
> matches the domain setting (this is to avoid hosts impersonating, eg
> www.microsoft.com) but the check in this case has been moved from
> run-time, where it will log an error, to a fatal error at start-up
>
> The fix may be as simple as adding
>
> domain=04-06.lab.foobar.com
>
> (and you can remove the domain parts from all the dhcp-host lines as
> well, if you wish. If they stay, they must match the domain given)

We have mixed domains in our configuration. I see the following line in the main dnsmasq.conf, which would account for most of the dhcp-host entries:

local=/lab.foobar.com/wifi.foobar.com/

I see no domain directives anywhere. I suspect that adding 04-06.lab.foobar.com to the local directive might be sufficient, but I'm just guessing. And yes, this configuration works fine with dnsmasq-2.34.

--
Jason Dixon
OmniTI Computer Consulting, Inc.
jdixon@omniti.com
443.325.1357 x.241

From jboss at cpaaa.org Tue Jul 29 16:30:11 2008
From: jboss at cpaaa.org (jboss@cpaaa.org)
Date: Tue Jul 29 16:30:58 2008
Subject: [Dnsmasq-discuss] Setting different default gateway by mac address
Message-ID: <1217345411.26349@cpaaa.org>

I have a handful of users on my network that need a different gateway. I would like to override the different gateway by mac address. Here are my config options:

dhcp-option=option:router,172.xx.xx.1 # just the different gateway

dhcp-host=00:XX:0B:65:XX:58,3,172.xx.xx.254 # Thought this might work but no

dhcp-option=3,00:XX:0B:65:XX:58,172.xx.xx.254 # Thought this might work but no

Thanks for your help

From simon at thekelleys.org.uk Tue Jul 29 16:41:49 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Jul 29 16:42:35 2008
Subject: [Dnsmasq-discuss] Setting different default gateway by mac address
In-Reply-To: <1217345411.26349@cpaaa.org>
References: <1217345411.26349@cpaaa.org>
Message-ID: <488F3A3D.2010208@thekelleys.org.uk>

jboss@cpaaa.org wrote:
> I have a handful of users on my network that need a different
> gateway. I would like to override the different gateway by mac
> address. Here are my config options:
>
> dhcp-option=option:router,172.xx.xx.1 # just the different gateway
>
>
> dhcp-host=00:XX:0B:65:XX:58,3,172.xx.xx.254 # Thought this might
> work but no
>
> dhcp-option=3,00:XX:0B:65:XX:58,172.xx.xx.254 # Thought this might
> work but no
>
> Thanks for your help
>

dhcp-host=00:XX:0B:65:XX:58,net:altgateway
dhcp-option=net:altgateway,option:router,172.xx.xx.1

The idea is to set the "altgateway" tag for just the relevant hosts, and then send the different gateway just to them.

Cheers,

Simon.

From weizen_42 at ipcop-forum.de Tue Jul 29 16:47:17 2008
From: weizen_42 at ipcop-forum.de (Olaf Westrik)
Date: Tue Jul 29 16:48:05 2008
Subject: [Dnsmasq-discuss] Setting different default gateway by mac address
In-Reply-To: <1217345411.26349@cpaaa.org>
References: <1217345411.26349@cpaaa.org>
Message-ID: <488F3B85.9090804@ipcop-forum.de>

jboss@cpaaa.org wrote:
> I have a handful of users on my network that need a different gateway. I would like to override the different gateway by mac address. Here are my config options:
>
> dhcp-option=option:router,172.xx.xx.1 # just the different gateway
>
> dhcp-host=00:XX:0B:65:XX:58,3,172.xx.xx.254 # Thought this might work but no
>
> dhcp-option=3,00:XX:0B:65:XX:58,172.xx.xx.254 # Thought this might work but no

Have you tried?

dhcp-mac=special1,00:01:02:03:04:05
dhcp-option=special1,option:router,a.b.c.d

Olaf

--
A weizen a day helps keep the doctor away.

From sbolic at gmail.com Wed Jul 30 12:42:02 2008
From: sbolic at gmail.com (sbolic)
Date: Wed Jul 30 12:42:53 2008
Subject: [Dnsmasq-discuss] using squid with dnsmasq and hosts file
Message-ID: <4890538A.6060202@gmail.com>

Hi,

I am a new user of dnsmasq using squid on my network. dnsmasq with dhcp works fine and I need help to config dhcp to send proxy parameters to clients to force them to use squid.

Can you help me with this or just post your dnsmasq.conf file.

Thanks forward

SBolic

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sbolic.vcf
Type: text/x-vcard
Size: 145 bytes
Desc: not available
Url : http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080730/c5e99e32/sbolic.vcf

From simon at thekelleys.org.uk Wed Jul 30 13:08:34 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Jul 30 13:09:23 2008
Subject: [Dnsmasq-discuss] using squid with dnsmasq and hosts file
In-Reply-To: <4890538A.6060202@gmail.com>
References: <4890538A.6060202@gmail.com>
Message-ID: <489059C2.7030601@thekelleys.org.uk>

sbolic wrote:
> Hi,
> I am a new user of dnsmasq using squid on my network. dnsmasq with
> dhcp works fine and I need help to config dhcp to send proxy parameters
> to clients to force them to use squid.
> Can you help me with this or just post your dnsmasq.conf file.
> Thanks forward
> SBolic
>

The keyword to Google for this is "wpad". Wpad can work via DHCP and via DNS. In my experience, the DHCP variant is implemented in Windows, but not Linux.

The line I have in dnsmasq.conf looks like this:

dhcp-option=252,"http://central/wpad.dat"

which points the browser at a file on my web server which looks like this:

function FindProxyForURL(url, host)
{
    if (isPlainHostName(host) || isInNet(host, "192.168.0.0", "255.255.252.0"))
        return "DIRECT";
    else
        return "PROXY central:3128";
}

HTH

Simon.

From troy at piggo.com Wed Jul 30 21:19:57 2008
From: troy at piggo.com (Troy Piggins)
Date: Wed Jul 30 21:20:50 2008
Subject: [Dnsmasq-discuss] Re: using squid with dnsmasq and hosts file
In-Reply-To: <4890538A.6060202@gmail.com>
References: <4890538A.6060202@gmail.com>
Message-ID: <20080731061512@troy.piggo.com>

* sbolic wrote :
>
> I am a new user of dnsmasq using squid on my network. dnsmasq with
> dhcp works fine and I need help to config dhcp to send proxy parameters
> to clients to force them to use squid.
> Can you help me with this or just post your dnsmasq.conf file.

I have set this up recently using iptables, squid, dnsmasq. It's called a transparent proxy.

What version of squid are you using? The solution varies slightly from V2 to V3 I think, and also on your network arrangement - what box are you running squid, iptables, dnsmasq on? On mine, they're all the same box.

--
Troy Piggins | http://piggo.com/~troy RLU#415538
,-O (o- O O ) //\ O `-O V_/_ OOO

From cristiano.paris at gmail.com Thu Jul 31 09:46:59 2008
From: cristiano.paris at gmail.com (Cristiano Paris)
Date: Thu Jul 31 09:47:45 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
Message-ID:

Hi,

I recently discovered dnsmasq after years of pain with dhcpd and bind in my local network at home. Yesterday I was able to setup dhcp+dns in less than 10 minutes: doing the same with dhcpd+bind would have required me at least two hours :D

Anyway, I'm here for a problem. After setting up dhcp, my Windows XP client (my wife's notebook) won't connect to Samba shares on the same server anymore.

Here's a description of my configuration and what's going on:

1 - dnsmasq runs in the same server as Samba does.
2 - Manually setting up the network in my XP client makes everything work fine.
3 - Doing a restore on the NIC, now configured to use dhcp, will prompt an alert saying that "NetBT could not be deleted" (or something like that: I'm translating from Italian). From that time on, XP client refuses to connect to the Samba share saying that the network is unreachable. I tried "net use" from command line and it reported a 1231 error.
4 - I tried IP, short name and FQDN name in share location URL: dnsmasq gets queried by the XP client but the error is the same.
5 - I'm using the following dhcp options in dnsmasq:

dhcp-option=44,192.168.20.1
dhcp-option=45,192.168.20.1
dhcp-option=46,8
dhcp-option=47

Using these options causes 192.168.20.1 to be set as the WINS server in the client. Consequently, I enabled WINS support in Samba through the option "wins support = yes". Nothing changed.
6 - In my first tests, I was working without the above options: that way, NetBIOS over TCP/IP gets disabled and I had to tweak the XP's registry to re-enable it again. Nevertheless, it didn't work.
7 - As I said, I'm able to go back in the manual configuration set up and have everything work again.

Any clue?

Cristiano

From simon at thekelleys.org.uk Thu Jul 31 11:45:23 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 31 11:46:12 2008
Subject: [Dnsmasq-discuss] Re: can wol mess up mac-based address-assigments?
In-Reply-To:
References: <487F032D.40102@thekelleys.org.uk> <48834572.5050605@thekelleys.org.uk>
Message-ID: <489197C3.4020308@thekelleys.org.uk>

pete.dawgg wrote:
> hello simon,
> any updates on this problem yet? (it's not going away by itself )-: )
> all clients are configured identically and are switched on and off
> roughly at the same time. some days only one or two get addresses from
> the "free" range, sometimes the whole "free" range is consumed.
> dnsmasq always logs that the preconfigured "address was previously
> declined" - but why? could it help to delete the clients' local
> /var/lib/dchpc/*-files?
> cheers
> pd
>
>
> 2008/7/21 pete. dawgg :
>> hello simon,
>> thx for the reply!
>>> Looking at your Gentoo post, the key may be in client-ids, which are the
>>> last item on the line in dnsmasq.leases. When clients provide client-ids,
>>> dnsmasq use that instead of the MAC address to identify the client, so if it
>>> provides different client-ids at different times, that will mess things up.
>> the clients are not configured to use client-ids; they are identical
>> except for the mac-address.
>>
>>> Are you using different DHCP clients at different points in the boot?
>> the clients only use one dhcp-client (there's nothing like netboot or
>> pxeboot); their os starts and at some point an initscript starts
>> dhcpcd
>>
>>> The long client-id comes from Gentoo's dhcpcd, the shorter ones which are
>>> 01: come from other clients.
>> please look at the excerpt from dnsmasq.leases below; the line with
>> the long client id is from one client where i installed the latest
>> dhcpcd just to make sure it is not a problem of an outdated version.
>> all the clients should have addresses between 10.10.1.160 and
>> 10.10.1.178, 10.10.1.220-10.10.1.229 is the "free" range.
>>
>> i have changed the wakeonlan-script so that dnsmasq is off while the
>> wake-up-packets are sent but that did not change anything.
>>
>> excerpt from dnsmasq.leases:
>> ==========================================
>> 1216655173 00:19:d1:4d:84:da 10.10.1.225 zb-kibue-1 01:00:19:d1:4d:84:da
>> 1216655173 00:16:76:90:8b:cc 10.10.1.175 zb-krz-01 ff:65:74:68:30:00:01:00:01:10:11:57:35:00:16:76:90:8b:cc
>> 1216655176 00:16:76:5a:d4:5f 10.10.1.226 zb-int-01 01:00:16:76:5a:d4:5f
>> 1216655179 00:16:76:45:6b:30 10.10.1.227 zb-int-10 01:00:16:76:45:6b:30
>> 1216655180 00:16:76:dc:41:9a 10.10.1.165 zb-int-06 01:00:16:76:dc:41:9a
>> ==========================================
>>
>> excerpt from syslog (client gets "wrong" address):
>> ==========================================
>> Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPREQUEST(eth0) 10.10.1.229 00:16:76:90:7b:62
>> Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPACK(eth0) 10.10.1.229 00:16:76:90:7b:62 zb-int-12
>> Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPDECLINE(eth0) 10.10.1.229 00:16:76:90:7b:62
>> Jul 21 09:46:19 orbb dnsmasq[28477]: not using configured address 10.10.1.171 because it was previously declined
>> Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPDISCOVER(eth0) 00:16:76:90:7b:62
>> Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPOFFER(eth0) 10.10.1.221 00:16:76:90:7b:62
>> Jul 21 09:46:19 orbb dnsmasq[28477]: not using configured address 10.10.1.171 because it was previously declined
>> Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPDISCOVER(eth0) 00:16:76:90:7b:62
>> Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPOFFER(eth0) 10.10.1.221 00:16:76:90:7b:62
>> ==========================================
>>
>> regards, pete
>>
>
>

Sorry, this slipped off my Radar.

The DHCPDECLINE is coming from the DHCP client. Essentially, what's happening above is that dnsmasq offers the client 10.10.1.229, it accepts it, and then rejects it with a DECLINE. This is very strange DHCP client behaviour.
Once the allocated address has been declined, when the client comes back and asks for an address, dnsmasq has to offer it a different one. When it's doing dynamic allocation, that's easy; when a client is nailed down to an address, all it can do is fall back to a dynamic address and log the message you see. (The effect has a time-out: after 10 minutes or so, the original nailed-down address will be available again.)

Clients normally decline an address because they've done a probe and found that the address is already in use. In your case, the client seems to be both accepting, and then rejecting, the address, so it's probably badly broken and all bets are off as to what it thinks it's doing.

Executive summary: the DHCP client is screwy: look there for the problem.

Cheers,

Simon.

From bcook at poughkeepsieschools.org Thu Jul 31 12:54:14 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Thu Jul 31 12:54:51 2008
Subject: [Dnsmasq-discuss] settings options per host?
Message-ID: <1B860410-6A87-474D-9E73-428A54D9078C@poughkeepsieschools.org>

hello all,

Working on switching a bigger network from isc to dnsmasq, and so far it is going quite well.

I do have the need to set certain parameters per host, like gateways; and can not seem to figure out how it would be done with dnsmasq.

This would be the isc entries ..

host osxserver { hardware ethernet 00:17:f2:0f:11:22; option routers 10.20.0.23; }
host pcsdsnap { hardware ethernet 00:60:08:2a:11:22; fixed-address 10.20.16.11; option routers 10.20.16.128;}

What would this look like in dnsmasq?

Thanks in advance

From simon at thekelleys.org.uk Thu Jul 31 13:15:44 2008
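Returning to the DHCPDECLINE thread above: the sequence Simon picks out (DHCPACK followed by a DHCPDECLINE for the same address from the same client, then "not using configured address ... because it was previously declined" and a fallback offer from the dynamic range) is recognisable in the log, and it is worth detecting for more than debugging a broken client, because a client that keeps declining addresses will drain the free pool. The analyser below is an added example for this page, not anything from the thread or from dnsmasq. It runs over the syslog excerpt posted above plus one constructed DHCPACK line for a second, well-behaved client; the log line formats it expects are exactly the ones shown in that excerpt.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# The syslog excerpt posted in the thread, plus one constructed DHCPACK line for a
# second client that behaves normally, so the report has something to compare with.
SAMPLE_LOG = """\
Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPREQUEST(eth0) 10.10.1.229 00:16:76:90:7b:62
Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPACK(eth0) 10.10.1.229 00:16:76:90:7b:62 zb-int-12
Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPDECLINE(eth0) 10.10.1.229 00:16:76:90:7b:62
Jul 21 09:46:19 orbb dnsmasq[28477]: not using configured address 10.10.1.171 because it was previously declined
Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPDISCOVER(eth0) 00:16:76:90:7b:62
Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPOFFER(eth0) 10.10.1.221 00:16:76:90:7b:62
Jul 21 09:46:19 orbb dnsmasq[28477]: not using configured address 10.10.1.171 because it was previously declined
Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPDISCOVER(eth0) 00:16:76:90:7b:62
Jul 21 09:46:19 orbb dnsmasq[28477]: DHCPOFFER(eth0) 10.10.1.221 00:16:76:90:7b:62
Jul 21 09:46:20 orbb dnsmasq[28477]: DHCPACK(eth0) 10.10.1.165 00:16:76:dc:41:9a zb-int-06
"""

# DHCPxxx(iface) [address] mac [hostname]; DISCOVER lines carry no address.
MSG_RE = re.compile(
    r"dnsmasq\[\d+\]: (DHCP[A-Z]+)\(\S+\)\s+(?:(\d+\.\d+\.\d+\.\d+)\s+)?"
    r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
)
FALLBACK_RE = re.compile(
    r"not using configured address (\d+\.\d+\.\d+\.\d+) because it was previously declined"
)


class Report:
    def __init__(self) -> None:
        self.declines: Dict[str, int] = defaultdict(int)            # DECLINEs per client
        self.declined_addrs: Dict[str, Set[str]] = defaultdict(set)  # distinct addresses declined
        self.ack_then_decline: List[Tuple[str, str]] = []            # (mac, ip) accepted, then rejected
        self.fallbacks: List[str] = []                               # configured addresses dnsmasq skipped
        self.offers: Dict[str, List[str]] = defaultdict(list)        # what the client was offered instead


def analyse(log: str) -> Report:
    """Walk the log once, correlating ACK and DECLINE per client MAC."""
    r = Report()
    last_ack: Dict[str, str] = {}
    for line in log.splitlines():
        m = FALLBACK_RE.search(line)
        if m:
            r.fallbacks.append(m.group(1))
            continue
        m = MSG_RE.search(line)
        if not m:
            continue
        kind, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        if kind == "DHCPACK":
            last_ack[mac] = ip
        elif kind == "DHCPOFFER":
            r.offers[mac].append(ip)
        elif kind == "DHCPDECLINE":
            r.declines[mac] += 1
            r.declined_addrs[mac].add(ip)
            if last_ack.get(mac) == ip:          # the pattern Simon describes
                r.ack_then_decline.append((mac, ip))
    return r


def suspicious_clients(r: Report, max_declined_addrs: int = 2) -> List[str]:
    """Clients that declined more distinct addresses than a genuine address
    conflict would explain: the shape of a pool being drained. The threshold
    is an assumption to tune per network."""
    return sorted(mac for mac, addrs in r.declined_addrs.items()
                  if len(addrs) > max_declined_addrs)


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for mac, ip in report.ack_then_decline:
        print(f"{mac} accepted {ip} and then declined it; offered {report.offers[mac]}")
    print("configured addresses skipped:", report.fallbacks)
    print("suspicious:", suspicious_clients(report))
```

On the posted excerpt the report shows one client, 00:16:76:90:7b:62, accepting and then declining 10.10.1.229, dnsmasq twice skipping the nailed-down 10.10.1.171, and 10.10.1.221 from the dynamic range being offered instead; the other client never appears in the decline counters.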
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 31 13:16:33 2008
Subject: [Dnsmasq-discuss] settings options per host?
In-Reply-To: <1B860410-6A87-474D-9E73-428A54D9078C@poughkeepsieschools.org>
References: <1B860410-6A87-474D-9E73-428A54D9078C@poughkeepsieschools.org>
Message-ID: <4891ACF0.7000108@thekelleys.org.uk>

B. Cook wrote:
> hello all,
>
> Working on switching a bigger network from isc to dnsmasq, and so far it
> is going quite well.
>
> I do have the need to set certain parameters per host, like gateways;
> and can not seem to figure out how it would be done with dnsmasq.
>
> This would be the isc entries ..
> host osxserver { hardware ethernet 00:17:f2:0f:11:22; option
> routers 10.20.0.23; }
> host pcsdsnap { hardware ethernet 00:60:08:2a:11:22;
> fixed-address 10.20.16.11; option routers 10.20.16.128;}
>
> What would this look like in dnsmasq?
>

It's a two stage process: first set a tag when the host is seen, then control the options sent based on that tag. Something like

dhcp-host=00:17:f2:0f:11:22,10.20.16.11,net:osxserver
dhcp-option=osxserver,option:router,10.20.16.128

HTH

Simon.

From bcook at poughkeepsieschools.org Thu Jul 31 13:24:48 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Thu Jul 31 13:25:25 2008
Subject: [Dnsmasq-discuss] settings options per host?
In-Reply-To: <4891ACF0.7000108@thekelleys.org.uk>
References: <1B860410-6A87-474D-9E73-428A54D9078C@poughkeepsieschools.org> <4891ACF0.7000108@thekelleys.org.uk>
Message-ID: <7070888E-7810-40F9-92E9-04386D22302A@poughkeepsieschools.org>

On Jul 31, 2008, at 8:15 AM, Simon Kelley wrote:

> B. Cook wrote:
>>
>> This would be the isc entries ..
>> host osxserver { hardware ethernet 00:17:f2:0f:11:22; option
>> routers 10.20.0.23; }
>>
>> host pcsdsnap { hardware ethernet 00:60:08:2a:11:22;
>> fixed-address 10.20.16.11; option routers 10.20.16.128;}
>>
>> What would this look like in dnsmasq?
>>
>
> It's a two stage process: first set a tag when the host is seen, then
> control the options sent based on that tag. Something like
>
> dhcp-host=00:17:f2:0f:11:22,10.20.16.11,net:osxserver
> dhcp-option=osxserver,option:router,10.20.16.128
>

hmm,

Only asking .. does it have to be:

osxserver,option:router,10.20.16.128

or could it also be

osxserver,3,10.20.16.128

?

I agree the option:router would be clearer and more readable.. but I am trying to understand if those options are interchangeable with the other options as well?

Thanks for the response.

From simon at thekelleys.org.uk Thu Jul 31 13:32:53 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Jul 31 13:33:41 2008
Subject: [Dnsmasq-discuss] settings options per host?
In-Reply-To: <7070888E-7810-40F9-92E9-04386D22302A@poughkeepsieschools.org>
References: <1B860410-6A87-474D-9E73-428A54D9078C@poughkeepsieschools.org> <4891ACF0.7000108@thekelleys.org.uk> <7070888E-7810-40F9-92E9-04386D22302A@poughkeepsieschools.org>
Message-ID: <4891B0F5.30502@thekelleys.org.uk>

B. Cook wrote:
>
> On Jul 31, 2008, at 8:15 AM, Simon Kelley wrote:
>
>> B. Cook wrote:
>>>
>>> This would be the isc entries ..
>>> host osxserver { hardware ethernet 00:17:f2:0f:11:22; option
>>> routers 10.20.0.23; }
>>>
>
>>> host pcsdsnap { hardware ethernet 00:60:08:2a:11:22;
>>> fixed-address 10.20.16.11; option routers 10.20.16.128;}
>>>
>>> What would this look like in dnsmasq?
>>>
>>
>> It's a two stage process: first set a tag when the host is seen, then
>> control the options sent based on that tag. Something like
>>
>> dhcp-host=00:17:f2:0f:11:22,10.20.16.11,net:osxserver
>> dhcp-option=osxserver,option:router,10.20.16.128
>>
>
> hmm,
>
> Only asking .. does it have to be:
>
> osxserver,option:router,10.20.16.128
>
> or could it also be
>
> osxserver,3,10.20.16.128
>
> ?
>
> I agree the option:router would be clearer and more readable.. but I am
> trying to understand if those options are interchangeable with the other
> options as well?
>

Either, the option: and option-number forms are interchangeable.

dnsmasq -w dhcp

Will give you a list of the options which dnsmasq knows a name for. Anything else has to use the number form..

Cheers,

Simon.

From carlos at fisica.ufpr.br Fri Aug 1 14:43:25 2008
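Both the "different gateway by MAC address" thread and the "settings options per host?" thread come down to the same two-stage mechanism: a dhcp-host= or dhcp-mac= line attaches a tag to a client, and a dhcp-option= line that names that tag replaces the untagged default for the same option number. The model below is an added example written for this page, not dnsmasq code and not anything posted to the list; it exists so that a configuration can be checked offline (which gateway will this MAC actually receive?) before a client boots off it. It accepts the option:name and numeric forms interchangeably, as Simon confirms, and both bare tags and the net: prefix. The config it parses is constructed: the two ISC host blocks from the thread, an assumed default gateway of 10.20.0.1, and an assumed dhcp-mac wildcard rule for a vendor prefix; the option-name table is a four-entry subset of what dnsmasq lists, with the standard DHCP option codes.

```python
import fnmatch
import re
from typing import Dict, List, Set, Tuple

# Names accepted in the "option:<name>" form. Assumption: a four-entry subset of
# the list `dnsmasq -w dhcp` prints; the numbers are the standard DHCP codes.
OPTION_NAMES = {"router": 3, "dns-server": 6, "domain-name": 15, "bootfile-name": 67}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed config: the two ISC host blocks from the thread in tag-then-option
# form, plus an assumed default gateway and an assumed dhcp-mac wildcard rule.
CONFIG = """\
# default gateway for everyone (assumed value)
dhcp-option=option:router,10.20.0.1
# osxserver: dynamic address, its own gateway
dhcp-host=00:17:f2:0f:11:22,net:osxserver
dhcp-option=osxserver,option:router,10.20.0.23
# pcsdsnap: fixed address, its own gateway, option given by number
dhcp-host=00:60:08:2a:11:22,10.20.16.11,net:pcsdsnap
dhcp-option=net:pcsdsnap,3,10.20.16.128
# every client with this vendor prefix gets an alternate gateway (assumed rule)
dhcp-mac=altgateway,00:0c:29:*:*:*
dhcp-option=net:altgateway,option:router,172.16.117.1
"""


def option_number(token: str) -> int:
    """'option:router' and '3' are interchangeable."""
    if token.startswith("option:"):
        return OPTION_NAMES[token[len("option:"):]]
    return int(token)


def strip_net(token: str) -> str:
    """Accept both 'tag' and 'net:tag'."""
    return token[len("net:"):] if token.startswith("net:") else token


class TagEngine:
    def __init__(self, config: str) -> None:
        self.host_tags: Dict[str, Set[str]] = {}
        self.host_addr: Dict[str, str] = {}
        self.mac_rules: List[Tuple[str, str]] = []           # (glob pattern, tag)
        self.options: List[Tuple[Set[str], int, str]] = []   # (required tags, number, value)
        for raw in config.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, rest = line.partition("=")
            fields = rest.split(",")
            if key == "dhcp-host":
                mac = fields[0].lower()
                tags = {strip_net(f) for f in fields[1:] if f.startswith("net:")}
                self.host_tags.setdefault(mac, set()).update(tags)
                for f in fields[1:]:
                    if IPV4_RE.match(f):
                        self.host_addr[mac] = f
            elif key == "dhcp-mac":
                self.mac_rules.append((fields[1].lower(), strip_net(fields[0])))
            elif key == "dhcp-option":
                tags = set()
                # leading fields that are neither option:<name> nor a number are tags
                while fields and not (fields[0].startswith("option:") or fields[0].isdigit()):
                    tags.add(strip_net(fields.pop(0)))
                self.options.append((tags, option_number(fields.pop(0)), ",".join(fields)))

    def tags_for(self, mac: str) -> Set[str]:
        mac = mac.lower()
        tags = set(self.host_tags.get(mac, set()))
        tags.update(tag for pattern, tag in self.mac_rules if fnmatch.fnmatchcase(mac, pattern))
        return tags

    def address_for(self, mac: str) -> str:
        return self.host_addr.get(mac.lower(), "")

    def options_for(self, mac: str) -> Dict[int, str]:
        """Untagged options are the defaults; an option whose tags all match the
        client replaces the default for that option number."""
        tags = self.tags_for(mac)
        result: Dict[int, str] = {}
        for required, number, value in self.options:
            if not required:
                result.setdefault(number, value)
        for required, number, value in self.options:
            if required and required <= tags:
                result[number] = value
        return result


ENGINE = TagEngine(CONFIG)

if __name__ == "__main__":
    for mac in ("00:17:f2:0f:11:22", "00:60:08:2a:11:22", "00:0c:29:02:1f:06", "00:11:22:33:44:55"):
        print(mac, ENGINE.tags_for(mac), ENGINE.address_for(mac) or "dynamic", ENGINE.options_for(mac))
```

The two passes in options_for are the point of the example: a host that matches no tag gets the untagged router, and a tagged dhcp-option line for the same option number wins for hosts that carry the tag, which is why the poster's attempts to put the MAC address directly into a dhcp-option line could not work.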
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Fri Aug 1 14:44:25 2008
Subject: [Dnsmasq-discuss] mixup of tftp-root and boot filename
Message-ID: <18579.4861.978323.191872@fisica.ufpr.br>

I have tftp-root=/var/remoteboot in dnsmasq.conf. For a machine I have in dhcp-options:

ometepe,vl5,67,"/tftpboot/pxelinux.0"

In the log there is

dnsmasq[16090]: sent size: 21 option: 67:bootfile-name 2f:74:66:74:70:62:6f:6f:74:2f:70:78:65...

Checking with the ascii table this looks correct. However, the client says it cannot find /var/remoteboot/tftpboot/pxelinux.0. Removing the tftp-root= setting in dnsmasq.conf makes the client get the correct /tftpboot/pxelinux.0 so the problem seems to be in dnsmasq. In a first look I didn't find any places where this concatenation could happen.

Note that the tftp server is not the machine running dnsmasq in this case. The dnsmasq log shows no TFTP request but I vaguely remember Simon saying that these are not logged.

From bcook at poughkeepsieschools.org Fri Aug 1 16:50:37 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Fri Aug 1 16:51:28 2008
Subject: [Dnsmasq-discuss] Missing something obvious #known
Message-ID:

Hello All,

I thought all of this was working as it should.. but apparently it is not..

from the dnsmasq.log:

Aug 1 11:42:56 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
Aug 1 11:43:11 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
Aug 1 11:43:14 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
Aug 1 11:43:21 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored

and from the config:

# 100 stuff
dhcp-option=net:phsalt,option:router,10.20.100.1
dhcp-range=phsalt,10.20.100.2,10.20.100.254,255.255.255.0,5m
dhcp-ignore=net:phsalt,#known

dhcp-host=00:0e:7f:3b:ba:2d,10.20.100.3,net:phsalt # someprinter
dhcp-host=00:30:6e:c6:13:e6,10.20.100.57,net:phsalt # hplj1150_hs143

I have tried dhcp-ignore without the net: as well and it does not seem to cause an error either way..

I am trying to only let certain hosts end up in the 100.0/24..

Not sure what I am missing.. can anyone help?

From mysql.jorge at decimal.pt Fri Aug 1 19:37:47 2008
From: mysql.jorge at decimal.pt (Jorge Bastos)
Date: Fri Aug 1 19:38:29 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To:
References:
Message-ID: <007001c8f405$b23e4ba0$16bae2e0$@jorge@decimal.pt>

Hum, do you have dns proxy = on or off in smb.conf ?

> -----Original Message-----
> From: dnsmasq-discuss-bounces@lists.thekelleys.org.uk [mailto:dnsmasq-discuss-bounces@lists.thekelleys.org.uk] On Behalf Of Cristiano Paris
> Sent: Thursday, 31 July 2008 9:47
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
>
> Hi,
>
> I recently discovered dnsmasq after years of pain with dhcpd and bind in my local network at home. Yesterday I was able to setup dhcp+dns in less than 10 minutes: doing the same with dhcpd+bind would have required me at least two hours :D
>
> Anyway, I'm here for a problem. After setting up dhcp, my Windows XP client (my wife's notebook) won't connect to Samba shares on the same server anymore.
>
> Here's a description of my configuration and what's going on:
>
> 1 - dnsmasq runs in the same server as Samba does.
> 2 - Manually setting up the network in my XP client makes everything work fine.
> 3 - Doing a restore on the NIC, now configured to use dhcp, will prompt an alert saying that "NetBT could not be deleted" (or something like that: I'm translating from Italian). From that time on, the XP client refuses to connect to the Samba share saying that the network is unreachable. I tried "net use" from the command line and it reported a 1231 error.
> 4 - I tried IP, short name and FQDN name in the share location URL: dnsmasq gets queried by the XP client but the error is the same.
> 5 - I'm using the following dhcp options in dnsmasq:
>
> dhcp-option=44,192.168.20.1
> dhcp-option=45,192.168.20.1
> dhcp-option=46,8
> dhcp-option=47
>
> Using these options causes 192.168.20.1 to be set as the WINS server in the client. Consequently, I enabled WINS support in Samba through the option "wins support = yes". Nothing changed.
> 6 - In my first tests, I was working without the above options: that way, NetBIOS over TCP/IP gets disabled and I had to tweak the XP's registry to re-enable it again. Nevertheless, it didn't work.
> 7 - As I said, I'm able to go back to the manual configuration set up and have everything work again.
>
> Any clue?
>
> Cristiano
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From troy at piggo.com Fri Aug 1 21:36:24 2008
From: troy at piggo.com (Troy Piggins)
Date: Fri Aug 1 21:37:18 2008
Subject: [Dnsmasq-discuss] Re: using squid with dnsmasq and hosts file
In-Reply-To: <4892CED0.7060000@gmail.com>
References: <4890538A.6060202@gmail.com> <20080731061512@troy.piggo.com> <4892CED0.7060000@gmail.com>
Message-ID: <20080802061929@troy.piggo.com>

* sbolic wrote :
>* Troy Piggins wrote:
>>* sbolic wrote :

[ Please don't top-post in technical groups, and please don't email directly to me, keep it in the list. Thanks.]

>>> I am a new user of dnsmasq using squid on my network. dnsmasq with dhcp works fine and I need help to config dhcp to send proxy parameters to clients to force them to use squid. Can you help me with this or just post your dnsmasq.conf file.
>>
>> I have set this up recently using iptables, squid, dnsmasq. It's called a transparent proxy. What version of squid are you using? The solution varies slightly from V2 to V3 I think, and also on your network arrangement - what box are you running squid, iptables, dnsmasq on? On mine, they're all the same box.
>
> SuSe 10.2 Squid 2.6 IPTables-1.3.6.-20 Dnsmasq 2.45 all on the same box.. Small company network (workgroup) with 15 workstations. Box is the main server whose role has to be : Samba server (as domain controller), Nat router, Proxy and Firewall and Postfix Mail server. Simon Kelley posted me some ideas for "wpad", I am working on it but I am not familiar with WebServer/Apache so I need a little bit of time. Final goal is to setup a domain network (Linux server with windows workstations) same as under Windows server (except Active Directory). Sending proxy parameters, batch jobs like maintenance profiles etc. Please take a look at Simon Kelley's post. If you need I can send you all of my parameters including conf files.

I saw Simon's post. I was offering you an alternative solution. I'm using Squid 3.
But when I googled it, most solutions on the internet seemed to be for 2.x versions of Squid anyway. I googled "squid transparent proxy iptables" when I was searching.

Basically you put a rule like this in your iptables firewall, which redirects any traffic coming from your LAN interface (substitute eth0, eth1 etc for $LAN_IFACE or set it as a variable), destined for port 80 to your squid port 3128 (default).

# iptables -t nat -A PREROUTING -p tcp -i $LAN_IFACE --dport 80 -j REDIRECT --to-port 3128

Then you need to adjust your squid conf file. It's a very well documented and commented file. These are the things to adjust, as I understand it, for squid 2.x :

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Reload/restart squid and I think that's it...

Oooooooh, bugger. I just re-read your OP and saw it was for DHCP requests not what I thought. Oh well, I'll leave this here because it might be handy for you as another solution.

--
Troy Piggins

From cristiano.paris at gmail.com Fri Aug 1 22:06:39 2008
From: cristiano.paris at gmail.com (Cristiano Paris)
Date: Fri Aug 1 22:07:28 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To: <5611410953710584827@unknownmsgid>
References: <5611410953710584827@unknownmsgid>
Message-ID:

On Fri, Aug 1, 2008 at 8:37 PM, Jorge Bastos wrote:
> Hum, do you have dns proxy = on or off in smb.conf ?

Off.

Cristiano

From cristiano.paris at gmail.com Sat Aug 2 09:29:11 2008
From: cristiano.paris at gmail.com (Cristiano Paris)
Date: Sat Aug 2 09:30:02 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To:
References: <5611410953710584827@unknownmsgid>
Message-ID:

On Fri, Aug 1, 2008 at 11:06 PM, Cristiano Paris wrote:
> On Fri, Aug 1, 2008 at 8:37 PM, Jorge Bastos wrote:
>> Hum, do you have dns proxy = on or off in smb.conf ?
>
> Off.

I've found a (pretty ugly) workaround to the problem. A few websites mention the fact that NetBIOS over TCP/IP problems are related to this registry entry:

HKLM\System\Controlset001\Services\NetBT\Parameters\TransportBindName

which should be set to "\Device\". In my XP host this entry is blank. Setting it with that string and rebooting does the trick, even under the DHCP NIC operating mode. After rebooting, even if the shares are working properly and NetBIOS over TCP/IP is active, the registry entry is blank again.

Thus, basically, I created a script changing that entry to "\Device\" whenever the system shuts down. Now it works, but it's a dirty trick. I'd like to know what's going on.

Also, I've found this article:

http://support.microsoft.com/?scid=kb%3Ben-us%3B313314&x=19&y=9

which seems somewhat related, but I can't translate it to dnsmasq settings. Any help is appreciated.

Other websites mention the fact that entries in

HKLM\System\Controlset001\Services\NetBT\Parameters

are sometimes changed by worms, viruses, spyware and, in some cases, firewalls. Anyhow, the fact that manually setting the network parameters makes everything work leads me to the idea that this is the wrong way to a solution.

Thanks.

Cristiano

From richardvoigt at gmail.com Sat Aug 2 17:30:10 2008
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Sat Aug 2 17:31:03 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To:
References: <5611410953710584827@unknownmsgid>
Message-ID: <2e59e6970808020930l50774dc5x415c1be82e0095e2@mail.gmail.com>

On Sat, Aug 2, 2008 at 8:29 AM, Cristiano Paris wrote:
> On Fri, Aug 1, 2008 at 11:06 PM, Cristiano Paris wrote:
> > On Fri, Aug 1, 2008 at 8:37 PM, Jorge Bastos wrote:
> >> Hum, do you have dns proxy = on or off in smb.conf ?
> >
> > Off.
>
> I've found a (pretty ugly) workaround to the problem. A few websites mention the fact that NetBIOS over TCP/IP problems are related to this registry entry:

I don't remember for sure, but I don't think you need netbios for cifs to work.

Try "\\ip.address\share" ?

If that doesn't work then I don't think the problem is with dnsmasq. If that does work, you may have to mess with dns settings on both client and server until "ping servername" works, then "\\servername\share" should also work.

>
> HKLM\System\Controlset001\Services\NetBT\Parameters\TransportBindName
>
> which should be set to "\Device\". In my XP host this entry is blank. Setting it with that string and rebooting does the trick, even under the DHCP NIC operating mode. After rebooting, even if the shares are working properly and NetBIOS over TCP/IP is active, the registry entry is blank again.
>
> Thus, basically, I created a script changing that entry to "\Device\" whenever the system shuts down. Now it works, but it's a dirty trick. I'd like to know what's going on.
>
> Also, I've found this article:
>
> http://support.microsoft.com/?scid=kb%3Ben-us%3B313314&x=19&y=9
>
> which seems somewhat related, but I can't translate it to dnsmasq settings. Any help is appreciated.
>
> Other websites mention the fact that entries in
>
> HKLM\System\Controlset001\Services\NetBT\Parameters
>
> are sometimes changed by worms, viruses, spyware and, in some cases, firewalls. Anyhow, the fact that manually setting the network parameters makes everything work leads me to the idea that this is the wrong way to a solution.
>
> Thanks.
>
> Cristiano

From cristiano.paris at gmail.com Sat Aug 2 22:00:37 2008
From: cristiano.paris at gmail.com (Cristiano Paris)
Date: Sat Aug 2 22:02:00 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To: <2e59e6970808020930l50774dc5x415c1be82e0095e2@mail.gmail.com>
References: <5611410953710584827@unknownmsgid> <2e59e6970808020930l50774dc5x415c1be82e0095e2@mail.gmail.com>
Message-ID:

On Sat, Aug 2, 2008 at 6:30 PM, richardvoigt@gmail.com wrote:
> I don't remember for sure, but I don't think you need netbios for cifs to work.
>
> Try "\\ip.address\share" ?
>
> If that doesn't work then I don't think the problem is with dnsmasq.

It doesn't work either.

> If that does work, you may have to mess with dns settings on both client and server until "ping servername" works, then "\\servername\share" should also work.

Of course, ping works. Thank you.

Cristiano

From bcook at poughkeepsieschools.org Sun Aug 3 13:06:44 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Sun Aug 3 13:07:36 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To:
References: <5611410953710584827@unknownmsgid> <2e59e6970808020930l50774dc5x415c1be82e0095e2@mail.gmail.com>
Message-ID:

On Aug 2, 2008, at 5:00 PM, Cristiano Paris wrote:
> On Sat, Aug 2, 2008 at 6:30 PM, richardvoigt@gmail.com wrote:
>> I don't remember for sure, but I don't think you need netbios for cifs to work.
>>
>> Try "\\ip.address\share" ?
>>
>> If that doesn't work then I don't think the problem is with dnsmasq.
>
> It doesn't work either.
>
>> If that does work, you may have to mess with dns settings on both client and server until "ping servername" works, then "\\servername\share" should also work.
>
> Of course, ping works. Thank you.
>
> Cristiano
>

You wouldn't want to share your config would you?

dnsmasq and/or samba..

From cristiano.paris at gmail.com Sun Aug 3 17:15:32 2008
From: cristiano.paris at gmail.com (Cristiano Paris)
Date: Sun Aug 3 17:16:22 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To:
References: <5611410953710584827@unknownmsgid> <2e59e6970808020930l50774dc5x415c1be82e0095e2@mail.gmail.com>
Message-ID:

On Sun, Aug 3, 2008 at 2:06 PM, B. Cook wrote:
>
> On Aug 2, 2008, at 5:00 PM, Cristiano Paris wrote:
>
>> On Sat, Aug 2, 2008 at 6:30 PM, richardvoigt@gmail.com wrote:
>>>
>>> I don't remember for sure, but I don't think you need netbios for cifs to work.
>>>
>>> Try "\\ip.address\share" ?
>>>
>>> If that doesn't work then I don't think the problem is with dnsmasq.
>>
>> It doesn't work either.
>>
>>> If that does work, you may have to mess with dns settings on both client and server until "ping servername" works, then "\\servername\share" should also work.
>>
>> Of course, ping works. Thank you.
>>
>> Cristiano
>>
> You wouldn't want to share your config would you?
>
> dnsmasq and/or samba..
dnsmasq.conf:

resolv-file=/etc/dns.resolv.conf
local=/internal.theshire.org/
no-hosts
addn-hosts=/etc/dns.hosts
domain=internal.theshire.org
dhcp-range=10.7.0.3,10.7.0.5,255.255.255.0,12h
dhcp-host=00:xx:xx:xx:xx:xx,xx.xx.xx.xx,tuckburrow,infinite
dhcp-option=44,10.7.0.2
dhcp-option=45,10.7.0.2
dhcp-option=46,8
dhcp-option=47

smb.conf:

[global]
workgroup = THESHIRE
server string = The Shire internal server
security = user
load printers = yes
log file = /var/log/samba/%m.log
max log size = 50
wins support = yes
name resolve order = wins lmhosts host bcast
unix extensions = no
socket options = TCP_NODELAY SO_RCVBUF=524288 SO_SNDBUF=524288
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

Cristiano

From simon at thekelleys.org.uk Sun Aug 3 21:02:58 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Aug 3 21:06:30 2008
Subject: [Dnsmasq-discuss] mixup of tftp-root and boot filename
In-Reply-To: <18579.4861.978323.191872@fisica.ufpr.br>
References: <18579.4861.978323.191872@fisica.ufpr.br>
Message-ID: <48960EF2.8050401@thekelleys.org.uk>

Carlos Carvalho wrote:
> I have
>
> tftp-root=/var/remoteboot
>
> in dnsmasq.conf. For a machine I have in dhcp-options:
>
> ometepe,vl5,67,"/tftpboot/pxelinux.0"
>
> In the log there is
>
> dnsmasq[16090]: sent size: 21 option: 67:bootfile-name 2f:74:66:74:70:62:6f:6f:74:2f:70:78:65...
>
> Checking with the ascii table this looks correct. However, the client says it cannot find /var/remoteboot/tftpboot/pxelinux.0. Removing the tftp-root= setting in dnsmasq.conf makes the client get the correct /tftpboot/pxelinux.0 so the problem seems to be in dnsmasq.

It's behaving as designed: You've set the TFTP root to be /var/remoteboot, so filenames are relative to that root. The client asks for /tftpboot/pxelinux.0 so dnsmasq tries to send /var/remoteboot/tftpboot/pxelinux.0 which doesn't exist, so it returns an error, which includes a message giving the complete pathname. That's what the client is displaying.

Note that if the filename includes a leading /, dnsmasq will also try assuming it's an absolute pathname, but only if the first part of the filename matches the tftp-root.

>
> At first look I didn't find any places where this concatenation could happen. Note that the tftp server is not the machine running dnsmasq in this case.

Now I'm confused. What is the TFTP server?

> The dnsmasq log shows no TFTP request but I vaguely remember Simon saying that these are not logged.
>

File-not-found is not logged, since it clutters up the log with lots of failed attempts by PXELinux to read possible config files.

Cheers,

Simon.
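Simon's description of how a request is resolved against tftp-root, modelled in Python as an added example (this is not dnsmasq's code and is not part of the thread): the request is taken relative to the root first and, when it already starts with the root, also as an absolute path. The final containment check, which refuses any candidate that normalises to a location outside the root, is an assumption about what a careful TFTP server should do, not a description of dnsmasq internals; `not_found_message` is this example's own name.

```python
"""Model of how a TFTP server with a configured root resolves a requested
filename, following Simon's explanation in this thread.  Added example, not
dnsmasq's code.  Resolution order as described: the request is taken
relative to the root; if it starts with '/' and its first part equals the
root it is also tried as an absolute path.  The containment check is an
assumption about what a careful server should do, not a claim about
dnsmasq internals."""
import posixpath


def resolve_tftp_path(tftp_root, requested):
    """Return the absolute paths the server would try for `requested`, in
    order.  An empty list means the request must be refused because every
    candidate normalises to a location outside `tftp_root`."""
    root = posixpath.normpath(tftp_root)
    # Every request is relative to the root, even one with a leading '/'.
    candidates = [posixpath.join(root, requested.lstrip("/"))]
    # A request whose first part already equals the root is also tried as
    # an absolute path ("only if the first part matches the tftp-root").
    if requested.startswith("/") and (
        requested == root or requested.startswith(root + "/")
    ):
        candidates.append(requested)

    allowed = []
    for cand in candidates:
        norm = posixpath.normpath(cand)
        # Keep only paths that are the root itself or lie beneath it, so a
        # '..' component can never climb out of the configured root.
        if norm == root or norm.startswith(root + "/"):
            allowed.append(norm)
    return allowed


def not_found_message(tftp_root, requested):
    """The text a client would see when nothing matches: the complete
    pathname that was looked up, as Simon says the error message carries."""
    tried = resolve_tftp_path(tftp_root, requested)
    if not tried:
        return f"{requested}: refused, outside tftp-root {tftp_root}"
    return f"{tried[0]}: file not found"


if __name__ == "__main__":
    # Carlos's setup: root /var/remoteboot, option 67 = /tftpboot/pxelinux.0
    print(resolve_tftp_path("/var/remoteboot", "/tftpboot/pxelinux.0"))
    # The same request already prefixed with the root is tried both ways.
    print(resolve_tftp_path("/var/remoteboot", "/var/remoteboot/pxelinux.0"))
    # A request that would climb out of the root is refused (constructed case).
    print(resolve_tftp_path("/var/remoteboot", "/tftpboot/../../outside.bin"))
    print(not_found_message("/var/remoteboot", "/tftpboot/pxelinux.0"))
```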
From simon at thekelleys.org.uk Sun Aug 3 21:32:11 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Aug 3 21:35:42 2008
Subject: [Dnsmasq-discuss] Missing something obvious #known
In-Reply-To:
References:
Message-ID: <489615CB.2070303@thekelleys.org.uk>

B. Cook wrote:
> Hello All,
>
> I thought all of this was working as it should.. but apparently it is not..
>
> from the dnsmasq.log:
> Aug 1 11:42:56 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
> Aug 1 11:43:11 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
> Aug 1 11:43:14 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
> Aug 1 11:43:21 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>
> and from the config:
>
> 20 # 100 stuff
> 21 dhcp-option=net:phsalt,option:router,10.20.100.1
> 22 dhcp-range=phsalt,10.20.100.2,10.20.100.254,255.255.255.0,5m
> 23 dhcp-ignore=net:phsalt,#known
> 24
> 25 dhcp-host=00:0e:7f:3b:ba:2d,10.20.100.3,net:phsalt # someprinter
> 26 dhcp-host=00:30:6e:c6:13:e6,10.20.100.57,net:phsalt # hplj1150_hs143
>
> I have tried dhcp-ignore without the net: as well and it does not seem to cause an error either way..
>
> I am trying to only let certain hosts end up in the 100.0/24..
>
> Not sure what I am missing..
>
> can anyone help?
>
>

You don't need to use dhcp-ignore to achieve what you're trying to do, the "net:phsalt" in the dhcp-range is enough to ensure that the range only gets used for the hosts which set the phsalt tag.

However, I'm not sure _why_ the configuration you have is behaving as it does. Please could you set --log-dhcp and send me the information that dnsmasq logs during these DHCP transactions?

Cheers,

Simon.

From carlos at fisica.ufpr.br Sun Aug 3 22:45:43 2008
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Sun Aug 3 22:46:58 2008
Subject: [Dnsmasq-discuss] mixup of tftp-root and boot filename
In-Reply-To: <48960EF2.8050401@thekelleys.org.uk>
References: <18579.4861.978323.191872@fisica.ufpr.br> <48960EF2.8050401@thekelleys.org.uk>
Message-ID: <18582.9991.649315.781280@fisica.ufpr.br>

Simon Kelley (simon@thekelleys.org.uk) wrote on 3 August 2008 21:02:
>Carlos Carvalho wrote:
>> I have
>>
>> tftp-root=/var/remoteboot
>>
>> in dnsmasq.conf. For a machine I have in dhcp-options:
>>
>> ometepe,vl5,67,"/tftpboot/pxelinux.0"
>>
>> In the log there is
>>
>> dnsmasq[16090]: sent size: 21 option: 67:bootfile-name 2f:74:66:74:70:62:6f:6f:74:2f:70:78:65...
>>
>> Checking with the ascii table this looks correct. However, the client says it cannot find /var/remoteboot/tftpboot/pxelinux.0. Removing the tftp-root= setting in dnsmasq.conf makes the client get the correct /tftpboot/pxelinux.0 so the problem seems to be in dnsmasq.
>
>It's behaving as designed: You've set the TFTP root to be /var/remoteboot, so filenames are relative to that root. The client asks for /tftpboot/pxelinux.0 so dnsmasq tries to send /var/remoteboot/tftpboot/pxelinux.0 which doesn't exist, so it returns an error, which includes a message giving the complete pathname. That's what the client is displaying.
>
>Note that if the filename includes a leading /, dnsmasq will also try assuming it's an absolute pathname, but only if the first part of the filename matches the tftp-root.
>>
>> At first look I didn't find any places where this concatenation could happen. Note that the tftp server is not the machine running dnsmasq in this case.
>Now I'm confused. What is the TFTP server?

That's the whole point I don't understand.
Here are the options for the machine:

ometepe,vl5,3
ometepe,vl5,6
ometepe,vl5,28
ometepe,vl5,15
ometepe,vl5,66,"192.168.5.74"
ometepe,vl5,67,"/tftpboot/pxelinux.0"

The IP of the machine running dnsmasq is 192.168.5.18. So what should happen is

client broadcasts dhcp request
192.168.5.18 answers saying tftp server is 192.168.5.74
client asks /tftpboot/pxelinux.0 to 192.168.5.74
client never hears about /var/remoteboot...

That's why I gave the log line with the value of boot-filename above.

Hmm... Looking at the log again the whole transaction is:

DHCP packet: transaction-id is 3866001293
Available DHCP subnet: 192.168.5.1/255.255.255.0
Vendor class: PXEClient:Arch:00000:UNDI:002001
DHCPREQUEST(eth0.5) 192.168.5.71 00:1e:8c:7f:6e:e6
DHCPACK(eth0.5) 192.168.5.71 00:1e:8c:7f:6e:e6 ometepe
requested options: 1:netmask, 2:time-offset, 3:router, 5, 6:dns-server,
requested options: 11, 12:hostname, 13:boot-file-size, 15:domain-name,
requested options: 16:swap-server, 17:root-path, 18:extension-path,
requested options: 43:vendor-encap, 54:server-identifier, 60:vendor-class,
requested options: 67:bootfile-name, 128, 129, 130, 131, 132,
requested options: 133, 134, 135
server name: 192.168.5.74
tags: vl5, ometepe, known
sent size: 1 option: 53:message-type 05
sent size: 4 option: 54:server-identifier c0:a8:05:12
sent size: 4 option: 51:lease-time ff:ff:ff:ff
sent size: 4 option: 1:netmask ff:ff:ff:00
sent size: 7 option: 12:hostname 6f:6d:65:74:65:70:65
sent size: 21 option: 67:bootfile-name 2f:74:66:74:70:62:6f:6f:74:2f:70:78:65...

So it seems the client isn't requesting option 66 and is asking the dhcp server for pxelinux.

If this is the case would --dhcp-option-force help? Would the tftp server be available to pxelinux in the client?

>> The dnsmasq log shows no TFTP request but I vaguely remember Simon saying that these are not logged.
>>
>File-not-found is not logged, since it clutters up the log with lots of failed attempts by PXELinux to read possible config files.
But it helps in situations like this one. One can always grep them out, and the compression ratio is very high for repetitive parts so it won't fill the disk.

From simon at thekelleys.org.uk Mon Aug 4 09:46:40 2008
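Reading the hex in these --log-dhcp "sent" lines is what Carlos did by hand with an ASCII table; the decoder below is an added Python example (not part of dnsmasq or of the thread) that parses the "sent size: N option: M:name <hex>" lines from the DHCPACK above, decodes each value according to its RFC 2132 wire type, flags values the logger truncated with "...", and reports which wanted options never appeared in the reply. The sample lines are copied from Carlos's log; the function names and the option-type table are this example's own.

```python
"""Decoder for the "sent size: N option: M:name <hex>" lines that dnsmasq
writes with --log-dhcp.  Added example, not part of dnsmasq: the sample
lines are taken from the DHCPACK transaction quoted in this thread, and the
wire types come from RFC 2132.  A value ending in "..." was truncated by the
logger, so the decoder reports how many of the N bytes are actually shown."""
import ipaddress
import re

SENT_RE = re.compile(
    r"sent size:\s*(?P<size>\d+)\s+option:\s*(?P<num>\d+):(?P<name>[\w-]+)"
    r"\s+(?P<hex>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)(?P<trunc>\.\.\.)?"
)

# Wire format of the options that appear in this thread (RFC 2132).
OPTION_KIND = {
    1: "ip",        # subnet mask
    3: "ip",        # router(s)
    6: "ip",        # DNS server(s)
    12: "string",   # host name
    51: "uint32",   # lease time in seconds
    53: "msgtype",  # DHCP message type
    54: "ip",       # server identifier
    66: "string",   # TFTP server name
    67: "string",   # bootfile name
}
MESSAGE_TYPES = {
    1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
    5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM",
}

# Sample input: the "sent" lines from Carlos's log above (the "requested
# options" line is included to show that non-matching lines are skipped).
SAMPLE_LOG = """\
requested options: 67:bootfile-name, 128, 129, 130, 131, 132,
sent size: 1 option: 53:message-type 05
sent size: 4 option: 54:server-identifier c0:a8:05:12
sent size: 4 option: 51:lease-time ff:ff:ff:ff
sent size: 4 option: 1:netmask ff:ff:ff:00
sent size: 7 option: 12:hostname 6f:6d:65:74:65:70:65
sent size: 21 option: 67:bootfile-name 2f:74:66:74:70:62:6f:6f:74:2f:70:78:65...
""".splitlines()


def decode_sent_line(line):
    """Parse one --log-dhcp "sent" line; return None for any other line."""
    m = SENT_RE.search(line)
    if not m:
        return None
    size = int(m.group("size"))
    num = int(m.group("num"))
    data = bytes.fromhex(m.group("hex").replace(":", ""))
    truncated = m.group("trunc") is not None
    kind = OPTION_KIND.get(num, "raw")

    if kind == "ip" and not truncated and len(data) % 4 == 0:
        value = ", ".join(str(ipaddress.IPv4Address(data[i:i + 4]))
                          for i in range(0, len(data), 4))
    elif kind == "uint32" and len(data) == 4:
        n = int.from_bytes(data, "big")
        value = "infinite" if n == 0xFFFFFFFF else f"{n}s"
    elif kind == "msgtype" and len(data) == 1:
        value = MESSAGE_TYPES.get(data[0], f"type {data[0]}")
    elif kind == "string":
        value = data.rstrip(b"\0").decode("ascii", "replace")
    else:
        value = data.hex(":")

    # Consistency between the logged size and the bytes actually printed.
    if truncated:
        note = f"log shows {len(data)} of {size} bytes"
    elif len(data) != size:
        note = f"length mismatch: size {size}, {len(data)} bytes shown"
    else:
        note = "ok"
    return {"option": num, "name": m.group("name"), "size": size,
            "value": value, "note": note}


def decode_log(lines):
    """Decode every "sent" line in a log excerpt, in order."""
    decoded = (decode_sent_line(line) for line in lines)
    return [d for d in decoded if d is not None]


def options_not_sent(decoded, wanted):
    """Which of the option numbers in `wanted` never appeared in the reply?
    Carlos's question about option 66 (TFTP server name) is exactly this."""
    sent = {d["option"] for d in decoded}
    return [num for num in wanted if num not in sent]


if __name__ == "__main__":
    entries = decode_log(SAMPLE_LOG)
    for e in entries:
        print(f"{e['option']:>3} {e['name']:<18} {e['value']!r} ({e['note']})")
    print("not sent:", options_not_sent(entries, (66, 67)))
```

Run on the sample, the server-identifier decodes to 192.168.5.18 (the dnsmasq host Carlos names) and option 66 is reported as not sent, while the bootfile-name value is visibly cut short by the logger.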
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon Aug 4 09:47:29 2008
Subject: [Dnsmasq-discuss] mixup of tftp-root and boot filename
In-Reply-To: <18582.9991.649315.781280@fisica.ufpr.br>
References: <18579.4861.978323.191872@fisica.ufpr.br> <48960EF2.8050401@thekelleys.org.uk> <18582.9991.649315.781280@fisica.ufpr.br>
Message-ID: <4896C1F0.2050009@thekelleys.org.uk>

Carlos Carvalho wrote:
> Simon Kelley (simon@thekelleys.org.uk) wrote on 3 August 2008 21:02:
> >Carlos Carvalho wrote:
> >> I have
> >>
> >> tftp-root=/var/remoteboot
> >>
> >> in dnsmasq.conf. For a machine I have in dhcp-options:
> >>
> >> ometepe,vl5,67,"/tftpboot/pxelinux.0"
> >>
> >> In the log there is
> >>
> >> dnsmasq[16090]: sent size: 21 option: 67:bootfile-name 2f:74:66:74:70:62:6f:6f:74:2f:70:78:65...
> >>
> >> Checking with the ascii table this looks correct. However, the client says it cannot find /var/remoteboot/tftpboot/pxelinux.0. Removing the tftp-root= setting in dnsmasq.conf makes the client get the correct /tftpboot/pxelinux.0 so the problem seems to be in dnsmasq.
> >
> >It's behaving as designed: You've set the TFTP root to be /var/remoteboot, so filenames are relative to that root. The client asks for /tftpboot/pxelinux.0 so dnsmasq tries to send /var/remoteboot/tftpboot/pxelinux.0 which doesn't exist, so it returns an error, which includes a message giving the complete pathname. That's what the client is displaying.
> >
> >Note that if the filename includes a leading /, dnsmasq will also try assuming it's an absolute pathname, but only if the first part of the filename matches the tftp-root.
> >>
> >> At first look I didn't find any places where this concatenation could happen. Note that the tftp server is not the machine running dnsmasq in this case.
> >Now I'm confused. What is the TFTP server?
>
> That's the whole point I don't understand.
> Here are the options for the machine:
>
> ometepe,vl5,3
> ometepe,vl5,6
> ometepe,vl5,28
> ometepe,vl5,15
> ometepe,vl5,66,"192.168.5.74"
> ometepe,vl5,67,"/tftpboot/pxelinux.0"
>
> The IP of the machine running dnsmasq is 192.168.5.18. So what should happen is
>
> client broadcasts dhcp request
> 192.168.5.18 answers saying tftp server is 192.168.5.74
> client asks /tftpboot/pxelinux.0 to 192.168.5.74
> client never hears about /var/remoteboot...
>
> That's why I gave the log line with the value of boot-filename above.
>
> Hmm... Looking at the log again the whole transaction is:
>
> DHCP packet: transaction-id is 3866001293
> Available DHCP subnet: 192.168.5.1/255.255.255.0
> Vendor class: PXEClient:Arch:00000:UNDI:002001
> DHCPREQUEST(eth0.5) 192.168.5.71 00:1e:8c:7f:6e:e6
> DHCPACK(eth0.5) 192.168.5.71 00:1e:8c:7f:6e:e6 ometepe
> requested options: 1:netmask, 2:time-offset, 3:router, 5, 6:dns-server,
> requested options: 11, 12:hostname, 13:boot-file-size, 15:domain-name,
> requested options: 16:swap-server, 17:root-path, 18:extension-path,
> requested options: 43:vendor-encap, 54:server-identifier, 60:vendor-class,
> requested options: 67:bootfile-name, 128, 129, 130, 131, 132,
> requested options: 133, 134, 135
> server name: 192.168.5.74
> tags: vl5, ometepe, known
> sent size: 1 option: 53:message-type 05
> sent size: 4 option: 54:server-identifier c0:a8:05:12
> sent size: 4 option: 51:lease-time ff:ff:ff:ff
> sent size: 4 option: 1:netmask ff:ff:ff:00
> sent size: 7 option: 12:hostname 6f:6d:65:74:65:70:65
> sent size: 21 option: 67:bootfile-name 2f:74:66:74:70:62:6f:6f:74:2f:70:78:65...
>
> So it seems the client isn't requesting option 66 and is asking the dhcp server for pxelinux.
>
> If this is the case would --dhcp-option-force help? Would the tftp server be available to pxelinux in the client?
>
> >> The dnsmasq log shows no TFTP request but I vaguely remember Simon saying that these are not logged.
> >>
> >File-not-found is not logged, since it clutters up the log with lots of failed attempts by PXELinux to read possible config files.
>
> But it helps in situations like this one. One can always grep them out, and the compression ratio is very high for repetitive parts so it won't fill the disk.
>
>

I've come across many PXE ROMs which are buggy, and just don't work if the DHCP server and TFTP server are on different machines. My guess is that you have one of those.

Simon.

From simon at thekelleys.org.uk Mon Aug 4 10:04:56 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon Aug 4 10:05:50 2008
Subject: [Dnsmasq-discuss] multiple domain support - question
Message-ID: <4896C638.7080509@thekelleys.org.uk>

I have support for multiple domains working, but I've come across a wrinkle. Consider the case that two different DHCP clients claim the same name. With the existing code, only one can have it and the current behaviour is that when a second machine claims a name, the first one loses it.

Now, consider the possibility that the two machines claiming the same name are in different domains. By default, the existing behaviour must continue, because the unqualified name is added to the DNS, so that even though the two clients could have "name.domain1.com" and "name.domain2.com", they are still fighting over just plain "name".

It would be possible to introduce a new mode, which didn't put the unqualified name into the DNS, and allowed both hosts to keep their name as long as they are in different domains. Would that be useful, or just a confusing complication?

Cheers,

Simon.

From bcook at poughkeepsieschools.org Mon Aug 4 12:17:01 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Mon Aug 4 12:17:53 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To:
References: <5611410953710584827@unknownmsgid> <2e59e6970808020930l50774dc5x415c1be82e0095e2@mail.gmail.com>
Message-ID:

On Aug 3, 2008, at 12:15 PM, Cristiano Paris wrote:
> On Sun, Aug 3, 2008 at 2:06 PM, B. Cook wrote:
>>
>> On Aug 2, 2008, at 5:00 PM, Cristiano Paris wrote:
>>
>>> On Sat, Aug 2, 2008 at 6:30 PM, richardvoigt@gmail.com wrote:
>>>>
>>>> I don't remember for sure, but I don't think you need netbios for cifs to work.
>>>>
>>>> Try "\\ip.address\share" ?
>>>>
>>>> If that doesn't work then I don't think the problem is with dnsmasq.
>>>
>>> It doesn't work either.
>>>
>>>> If that does work, you may have to mess with dns settings on both client and server until "ping servername" works, then "\\servername\share" should also work.
>>>
>>> Of course, ping works. Thank you.
>>>
>>> Cristiano
>>>
>> You wouldn't want to share your config would you?
>>
>> dnsmasq and/or samba..
>
> dnsmasq.conf:
>
> resolv-file=/etc/dns.resolv.conf
> local=/internal.theshire.org/
> no-hosts
> addn-hosts=/etc/dns.hosts
> domain=internal.theshire.org
> dhcp-range=10.7.0.3,10.7.0.5,255.255.255.0,12h
> dhcp-host=00:xx:xx:xx:xx:xx,xx.xx.xx.xx,tuckburrow,infinite
> dhcp-option=44,10.7.0.2
> dhcp-option=45,10.7.0.2
> dhcp-option=46,8
> dhcp-option=47
>
> smb.conf:
>
> [global]
> workgroup = THESHIRE
> server string = The Shire internal server
> security = user
> load printers = yes
> log file = /var/log/samba/%m.log
> max log size = 50
> wins support = yes
> name resolve order = wins lmhosts host bcast
> unix extensions = no
> socket options = TCP_NODELAY SO_RCVBUF=524288 SO_SNDBUF=524288
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>
> Cristiano

For what it's worth..

1 B-node: Broadcast - no WINS
2 P-node: Peer - WINS only
4 M-node: Mixed - broadcast, then WINS
8 H-node: Hybrid - WINS, then broadcast

I believe that to be a correct and complete list for dhcp-option=46 (46 netbios-nodetype)

I use 2, because I use wins.

You might set your log level up a bit in samba and look in your log.nmbd and see if the hosts are actually registering with wins, is your samba server at 10.7.0.2?

This is for my samba server @home..
# Global parameters
[global]
workgroup = WORKGROUP
netbios name = THINGONE
server string = [SAMBA]
log file = /var/log/samba/log.%m
name resolve order = wins bcast host lmhosts
time server = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
logon script =
logon path =
logon home =
domain logons = Yes
os level = 65
preferred master = Yes
local master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
read only = No
writeable = Yes
case sensitive = No
veto oplock files = /*.doc/*.xls/*.mdb/
security = user
load printers = yes
dns proxy = no
load printers = yes
printing = cups
printcap name = cups

and some dnsmasq:

bind-interfaces
bogus-priv
cache-size=1024
dhcp-authoritative
dhcp-host=00:01:e6:4b:e3:2e,172.16.64.10,jetdirect
dhcp-host=00:0d:93:ed:75:dc,,iancook
dhcp-host=00:12:3f:7e:b8:10,172.16.64.19,cswebdevel
dhcp-host=00:17:f2:c7:c4:4a,172.16.64.11,imac
dhcp-host=00:19:e3:d3:fa:a9,,macbookpro
dhcp-host=00:c0:f4:f5:e9:34,172.16.64.1,gw
dhcp-leasefile=/var/db/dnsmasq.leases
dhcp-option=option:dns-server,0.0.0.0 # DNS
dhcp-option=option:domain-name,at.home # Domain
dhcp-option=option:netbios-dd,0.0.0.0 # netbios datagram distribution server
dhcp-option=option:netbios-nodetype,2 # netbios node type
dhcp-option=option:netbios-ns,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=option:netbios-scope # empty netbios scope.
dhcp-option=option:ntp-server,172.16.64.1 # NTP
dhcp-option=option:router,172.16.64.1 # Gateway
dhcp-option=vendor:MSFT,2,1i
dhcp-range=172.16.64.11,172.16.64.25,255.255.255.224,1h
domain-needed
domain=at.home
except-interface=lo0
filterwin2k
group=nobody
interface=fxp0
log-dhcp
log-facility=/var/log/dnsmasq.log
no-negcache

Again all works great.. (Running FreeBSD 7 on the dnsmasq and samba machines)

From fukuta.saori at jp.fujitsu.com Mon Aug 4 12:26:48 2008
From: fukuta.saori at jp.fujitsu.com (Saori Fukuta)
Date: Mon Aug 4 12:27:44 2008
Subject: [Dnsmasq-discuss] Question about the error message
Message-ID: <20080804202627.E0E0.FUKUTA.SAORI@jp.fujitsu.com>

Hello,

I got the following message at /var/log/messages,

dnsmasq[13884]: no address range available for DHCP request via eth3

when I have the following steps with dnsmasq-2.39-2.el5 (on RHEL-5.2):

1. start the dnsmasq, which is started by libvirt, with the following option.

# /usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces --pid-file --conf-file --listen-address 192.168.122.1 --except-interface lo --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases --dhcp-range 192.168.122.2,192.168.122.254

2. change the network address of eth3 to '0.0.0.0'.

# ifconfig eth3 0 up

3. dnsmasq receives the DHCPINFORM message from DHCP servers of Windows 2003 server.

# tethereal -i eth3
5.521471 10.123.234.11 -> 255.255.255.255 DHCP DHCP Inform - Transaction ID 0xbe180000

Do you know why the message appeared? Please tell me the meaning of this message.

Regards,
Saori Fukuta

From bcook at poughkeepsieschools.org Mon Aug 4 13:43:22 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Mon Aug 4 13:44:08 2008
Subject: [Dnsmasq-discuss] Missing something obvious #known
In-Reply-To: <489615CB.2070303@thekelleys.org.uk>
References: <489615CB.2070303@thekelleys.org.uk>
Message-ID: <0076E467-3FC3-494F-8C68-7B19358B1E6B@poughkeepsieschools.org>

On Aug 3, 2008, at 4:32 PM, Simon Kelley wrote:

> B. Cook wrote:
>> Hello All,
>> I thought all of this was working as it should.. but apparently it is not..
>> from the dnsmasq.log:
>> Aug 1 11:42:56 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>> Aug 1 11:43:11 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>> Aug 1 11:43:14 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>> Aug 1 11:43:21 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>> and from the config:
>> 20 # 100 stuff
>> 21 dhcp-option=net:phsalt,option:router,10.20.100.1
>> 22 dhcp-range=phsalt,10.20.100.2,10.20.100.254,255.255.255.0,5m
>> 23 dhcp-ignore=net:phsalt,#known
>> 24
>> 25 dhcp-host=00:0e:7f:3b:ba:2d,10.20.100.3,net:phsalt # someprinter
>> 26 dhcp-host=00:30:6e:c6:13:e6,10.20.100.57,net:phsalt # hplj1150_hs143
>> I have tried dhcp-ignore without the net: as well and it does not seem to
>> cause an error either way..
>> I am trying to only let certain hosts end up in the 100.0/24..
>> Not sure what I am missing..
>> can anyone help?
>
> You don't need to use dhcp-ignore to achieve what you're trying to
> do, the "net:phsalt" in the dhcp-range is enough to ensure that the
> range only gets used for the hosts which set the phsalt tag.
>
> However, I'm not sure _why_ the configuration you have is behaving
> as it does. Please could you set --log-dhcp and send me the
> information that dnsmasq logs during these DHCP transactions?
>
> Cheers,
>
> Simon.
>

So you are saying I should be able to have a single dhcp-ignore=#known and that would take care of it for all the subnets?
[/usr/local/etc/dnsmasq]# 25 > grep dhcp-range *
dnsmasq.cli.dhcp:dhcp-range=cli,10.20.18.2,10.20.19.254,255.255.254.0,4h
dnsmasq.kri.dhcp:dhcp-range=kri,10.20.4.2,10.20.5.254,255.255.254.0,4h
dnsmasq.phs.dhcp:dhcp-range=phs,10.20.0.17,10.20.1.254,255.255.254.0,4h
dnsmasq.phs.dhcp:dhcp-range=phsalt, 10.20.100.2,10.20.100.254,255.255.255.0,5m
dnsmasq.smi.dhcp:dhcp-range=smi,10.20.6.2,10.20.7.254,255.255.254.0,4h
dnsmasq.war.dhcp:dhcp-range=war,10.20.14.2,10.20.15.254,255.255.254.0,4h

[/usr/local/etc/dnsmasq]# 26 > grep \#known *
dnsmasq.cli.dhcp:dhcp-ignore=cli,#known
dnsmasq.kri.dhcp:dhcp-ignore=kri,#known
dnsmasq.phs.dhcp:dhcp-ignore=#known
dnsmasq.phs.dhcp:dhcp-ignore=phs,#known
dnsmasq.phs.dhcp:dhcp-ignore=phsalt,#known
dnsmasq.smi.dhcp:dhcp-ignore=smi,#known
dnsmasq.war.dhcp:dhcp-ignore=war,#known

From bcook at poughkeepsieschools.org Mon Aug 4 14:16:37 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Mon Aug 4 14:17:27 2008
Subject: [Dnsmasq-discuss] Missing something obvious #known
In-Reply-To: <489615CB.2070303@thekelleys.org.uk>
References: <489615CB.2070303@thekelleys.org.uk>
Message-ID:

On Sun, August 3, 2008 4:32 pm, Simon Kelley wrote:
> B. Cook wrote:
>> Hello All,
>>
>> I thought all of this was working as it should.. but apparently it is not..
>>
>> from the dnsmasq.log:
>> Aug 1 11:42:56 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>> Aug 1 11:43:11 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>> Aug 1 11:43:14 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>> Aug 1 11:43:21 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>>
>> and from the config:
>>
>> 20 # 100 stuff
>> 21 dhcp-option=net:phsalt,option:router,10.20.100.1
>> 22 dhcp-range=phsalt,10.20.100.2,10.20.100.254,255.255.255.0,5m
>> 23 dhcp-ignore=net:phsalt,#known
>> 24
>> 25 dhcp-host=00:0e:7f:3b:ba:2d,10.20.100.3,net:phsalt # someprinter
>> 26 dhcp-host=00:30:6e:c6:13:e6,10.20.100.57,net:phsalt # hplj1150_hs143
>>
>> I have tried dhcp-ignore without the net: as well and it does not seem to
>> cause an error either way..
>>
>> I am trying to only let certain hosts end up in the 100.0/24..
>>
>> Not sure what I am missing..
>>
>> can anyone help?
>>
>>
>
> You don't need to use dhcp-ignore to achieve what you're trying to do,
> the "net:phsalt" in the dhcp-range is enough to ensure that the range
> only gets used for the hosts which set the phsalt tag.
>
> However, I'm not sure _why_ the configuration you have is behaving as it
> does. Please could you set --log-dhcp and send me the information that
> dnsmasq logs during these DHCP transactions?
>
> Cheers,
>
> Simon.
>
>

So a few strange things.. I removed the dhcp-range=net:phsalt,#known, and still I was not able to get an ip in the 10.20.100.0/24 range.
I removed the dhcp-range=#known (for the whole scope of the lan) and I was able to get an ip; dhcp-log'in showed me it was being accepted into the phs range, so thinking that somehow net:phs and net:phsalt was not being matched fully I :%s/phsalt/altphs/g in the configs.. and it is still being matched inside net:phs.

Aug 4 09:11:01 dnsmasq[22625]: DHCP packet: transaction-id is 4133013384
Aug 4 09:11:01 dnsmasq[22625]: Available DHCP range: 10.20.0.17 -- 10.20.1.254
Aug 4 09:11:01 dnsmasq[22625]: Vendor class: Hewlett-Packard JetDirect
Aug 4 09:11:01 dnsmasq[22625]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d
Aug 4 09:11:01 dnsmasq[22625]: DHCPOFFER(em0) 10.20.0.213 00:0e:7f:3b:ba:2d
Aug 4 09:11:01 dnsmasq[22625]: requested options: 1:netmask, 3:router, 44:netbios-ns, 6:dns-server,
Aug 4 09:11:01 dnsmasq[22625]: requested options: 7:log-server, 12:hostname, 15:domain-name,
Aug 4 09:11:01 dnsmasq[22625]: requested options: 22:max-datagram-reassembly, 54:server-identifier,
Aug 4 09:11:01 dnsmasq[22625]: requested options: 58:T1, 59:T2, 69:smtp-server, 18:extension-path,
Aug 4 09:11:01 dnsmasq[22625]: requested options: 144
Aug 4 09:11:01 dnsmasq[22625]: tags: phs
Aug 4 09:11:01 dnsmasq[22625]: sent size: 1 option: 53:message-type 02
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 54:server-identifier 0a:14:00:10
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 51:lease-time 00:00:38:40
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 58:T1 00:00:1c:20
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 59:T2 00:00:31:38
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 1:netmask ff:ff:fe:00
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 28:broadcast 0a:14:01:ff
Aug 4 09:11:01 dnsmasq[22625]: sent size: 8 option: 15:domain-name 70:68:73:2e:70:63:73:64
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 44:netbios-ns 0a:14:00:e6
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 3:router 0a:14:00:01
Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 6:dns-server 0a:14:00:10

something strange I also noticed, which might also help is this: (this is a different host)

Aug 4 09:10:52 dnsmasq[22625]: DHCP packet: transaction-id is 1899741050
Aug 4 09:10:52 dnsmasq[22625]: Available DHCP range: 10.20.0.17 -- 10.20.1.254
Aug 4 09:10:52 dnsmasq[22625]: Vendor class: Hewlett-Packard JetDirect
Aug 4 09:10:52 dnsmasq[22625]: DHCPREQUEST(em0) 10.20.0.186 00:1b:78:19:c9:50
Aug 4 09:10:52 dnsmasq[22625]: DHCPACK(em0) 10.20.0.186 00:1b:78:19:c9:50 hp4250-lib
Aug 4 09:10:52 dnsmasq[22625]: requested options: 1:netmask, 3:router, 44:netbios-ns, 6:dns-server,
Aug 4 09:10:52 dnsmasq[22625]: requested options: 7:log-server, 12:hostname, 15:domain-name,
Aug 4 09:10:52 dnsmasq[22625]: requested options: 22:max-datagram-reassembly, 54:server-identifier,
Aug 4 09:10:52 dnsmasq[22625]: requested options: 58:T1, 59:T2, 69:smtp-server, 18:extension-path,
Aug 4 09:10:52 dnsmasq[22625]: requested options: 144
Aug 4 09:10:52 dnsmasq[22625]: tags: phs, phs, known
Aug 4 09:10:52 dnsmasq[22625]: sent size: 1 option: 53:message-type 05
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 54:server-identifier 0a:14:00:10
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 51:lease-time 00:00:01:2c
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 58:T1 00:00:00:8a
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 59:T2 00:00:00:f7
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 1:netmask ff:ff:fe:00
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 28:broadcast 0a:14:01:ff
Aug 4 09:10:52 dnsmasq[22625]: sent size: 10 option: 12:hostname 68:70:34:32:35:30:2d:6c:69:62
Aug 4 09:10:52 dnsmasq[22625]: sent size: 22 option: 81:FQDN 01:ff:ff:68:70:34:32:35:30:2d:6c:69:62...
Aug 4 09:10:52 dnsmasq[22625]: sent size: 8 option: 15:domain-name 70:68:73:2e:70:63:73:64
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 44:netbios-ns 0a:14:00:e6
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 3:router 0a:14:00:01
Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 6:dns-server 0a:14:00:10

see the tags? phs, phs, known.

clues appreciated..

From bcook at poughkeepsieschools.org Mon Aug 4 14:21:15 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Mon Aug 4 14:22:06 2008
Subject: [Dnsmasq-discuss] question about logs
Message-ID: <70b37aaba1b5802225b2c599ca1b079c.squirrel@mail.poughkeepsieschools.org>

Is there a way to put the 'dns' logs somewhere and the 'dhcp' logs somewhere else?

If it is not possible at this time.. Having so many requests come in for different things.. it would be nice to separate them.

my .02

From jdixon at omniti.com Mon Aug 4 15:38:53 2008
From: jdixon at omniti.com (Jason Dixon)
Date: Mon Aug 4 15:39:51 2008
Subject: [Dnsmasq-discuss] illegal domain in dhcp-config directive
In-Reply-To: <20080729114052.GC25322@omniti.com>
References: <20080724233741.GA21070@omniti.com> <488EBD40.7000002@thekelleys.org.uk> <20080729114052.GC25322@omniti.com>
Message-ID: <20080804143853.GA6180@omniti.com>

On Tue, Jul 29, 2008 at 07:40:52AM -0400, Jason Dixon wrote:
> On Tue, Jul 29, 2008 at 07:48:32AM +0100, Simon Kelley wrote:
> > Jason Dixon wrote:
> >> Thanks to the recent vulnerability, I'm upgrading an older dnsmasq
> >> system from version 2.34 to 2.45. I've installed it and attempted to
> >> run it, but I get the following error.
> >>
> >> dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive.
> >>
> >> The same configuration works fine with 2.34, so I presume something has
> >> changed in the configuration syntax or default settings. I haven't
> >> found anything on Google or in the FAQ about this error, nor do I see
> >> any "dhcp-config" directives in our config files or the sample config.
> >> Here is the relevant line from our config:
> >>
> >> dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.0.105
> >>
> >> It doesn't appear to be anything specifically with that line. We have a
> >> couple hundred of these loaded by dnsmasq. If I comment out that one,
> >> the next preceding one will error. I'm not experienced with dnsmasq, so
> >> I'm putting myself at the mercy of this list. Any help will be greatly
> >> appreciated. :)
> >
> > As far as I can see, this error can only be occurring because the domain
> > part of the name you're applying to that host doesn't match the domain
> > specified for dnsmasq to use by the domain= config option.
> >
> > AFAIK dnsmasq has never allowed you to send a FQDN to a host unless it
> > matches the domain setting (this is to avoid hosts impersonating, eg
> > www.microsoft.com) but the check in this case has been moved from
> > run-time, where it will log an error, to a fatal error at start-up
> >
> > The fix may be as simple as adding
> >
> > domain=04-06.lab.foobar.com
> >
> > (and you can remove the domain parts from all the dhcp-host lines as
> > well, if you wish. If they stay, they must match the domain given)
>
> We have mixed domains in our configuration. I see the following line in
> the main dnsmasq.conf, which would account for most of the dhcp-host
> entries:
>
> local=/lab.foobar.com/wifi.foobar.com/
>
> I see no domain directives anywhere. I suspect that adding
> 04-06.lab.foobar.com to the local directive might be sufficient, but I'm
> just guessing. And yes, this configuration works fine with
> dnsmasq-2.34.

I tried various changes to our configuration but couldn't find a working set. I'm including a subset of our configuration here so you can see what might be causing the issue. The only bits I've left out include redundant information (e.g. dhcp-host). Just to reiterate, this works under 2.34 but is broken under 2.45.

# cat /etc/dnsmasq.conf | grep -v '^$' | grep -v '^\#'
filterwin2k
local=/lab.foobar.com/wifi.foobar.com/
interface=eth0
expand-hosts
dhcp-option=3,172.16.0.1
dhcp-option=42,0.0.0.0
conf-file=/etc/dnsmasq.lab.conf
conf-file=/etc/dnsmasq.wifi.conf

# cat /etc/dnsmasq.lab.conf | grep -v '^$' | grep -v '^\#'
dhcp-range=lab,172.16.0.10,172.16.0.81,12h
dhcp-option=lab,15,lab.foobar.com
dhcp-host=00:0e:0c:bc:17:70,lab01.lab.foobar.com,172.16.0.10
dhcp-host=00:0c:29:ff:96:a7,solaris.lab.foobar.com,172.16.0.6
dhcp-host=00:0c:29:ff:96:xx,windows.lab.foobar.com,172.16.0.7
dhcp-host=00:0c:29:db:8a:b3,centos.lab.foobar.com,172.16.0.5
dhcp-host=00:0c:29:3c:58:01,centos-4.4-01.lab.foobar.com,172.16.0.82

# cat /etc/dnsmasq.wifi.conf | grep -v '^$' | grep -v '^\#'
dhcp-range=wifi,172.16.0.200,172.16.0.250,3d
dhcp-option=wifi,15,wifi.foobar.com

Thanks,

-- 
Jason Dixon
OmniTI Computer Consulting, Inc.
jdixon@omniti.com
443.325.1357 x.241

From simon at thekelleys.org.uk Mon Aug 4 16:16:41 2008
From: simon at thekelleys.org.uk (Simon Kelley) Date: Mon Aug 4 16:20:10 2008 Subject: [Dnsmasq-discuss] illegal domain in dhcp-config directive In-Reply-To: <20080804143853.GA6180@omniti.com> References: <20080724233741.GA21070@omniti.com> <488EBD40.7000002@thekelleys.org.uk> <20080729114052.GC25322@omniti.com> <20080804143853.GA6180@omniti.com> Message-ID: <48971D59.7040706@thekelleys.org.uk> Jason Dixon wrote: > On Tue, Jul 29, 2008 at 07:40:52AM -0400, Jason Dixon wrote: > >>On Tue, Jul 29, 2008 at 07:48:32AM +0100, Simon Kelley wrote: >> >>>Jason Dixon wrote: >>> >>>>Thanks to the recent vulnerability, I'm upgrading an older dnsmasq >>>>system from version 2.34 to 2.45. I've installed it and attempted to >>>>run it, but I get the following error. >>>> >>>>dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive. >>>> >>>>The same configuration works fine with 2.34, so I presume something has >>>>changed in the configuration syntax or default settings. I haven't >>>>found anything on Google or in the FAQ about this error, nor do I see >>>>any "dhcp-config" directives in our config files or the sample config. >>>>Here is the relevant line from our config: >>>> >>>>dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.0.105 >>>> >>>>It doesn't appear to be anything specifically with that line. We have a >>>>couple hundred of these loaded by dnsmasq. If I comment out that one, >>>>the next preceding one will error. I'm not experienced with dnsmasq, so >>>>I'm putting myself at the mercy of this list. Any help will be greatly >>>>appreciated. :) >>> >>>As far as I can see, this error can only be occuring because the domain >>>part of the name your applying to that host doesn't match the domain >>>specified for dnsmasq to use by the domain= config option. 
>>> >>>AFAIK dnsmasq has never allowed you to send a FQDN to a host unless it >>>matches the domain setting (this is to avoid hosts impersonating, eg >>>www.microsoft.com) but the check in this case has been moved from >>>run-time, where it will log an error, to a fatal error at start-up >>> >>>The fix may be as simple as adding >>> >>>domain=04-06.lab.foobar.com >>> >>>(and you can remove the domain parts from all the dhcp-host lines as >>>well, if you wish. If they stay, they must match the domain given) >> >>We have mixed domains in our configuration. I see the following line in >>the main dnsmasq.conf, which would account for most of the dhcp-host >>entries: >> >>local=/lab.foobar.com/wifi.foobar.com/ >> >>I see no domain directives anywhere. I suspect that adding >>04-06.lab.foobar.com to the local directive might be sufficient, but I'm >>just guessing. And yes, this configuration works fine with >>dnsmasq-2.34. > > > I tried various changes to our configuration but couldn't find a working > set. I'm including a subset of our configuration here so you can see > what might be causing the issue. The only bits I've left out include > redundant information (e.g. dhcp-host). Just to reiterate, this works > under 2.34 but is broken under 2.45. 
>
>
> # cat /etc/dnsmasq.conf | grep -v '^$' | grep -v '^\#'
> filterwin2k
> local=/lab.foobar.com/wifi.foobar.com/
> interface=eth0
> expand-hosts
> dhcp-option=3,172.16.0.1
> dhcp-option=42,0.0.0.0
> conf-file=/etc/dnsmasq.lab.conf
> conf-file=/etc/dnsmasq.wifi.conf
>
> # cat /etc/dnsmasq.lab.conf | grep -v '^$' | grep -v '^\#'
> dhcp-range=lab,172.16.0.10,172.16.0.81,12h
> dhcp-option=lab,15,lab.foobar.com
> dhcp-host=00:0e:0c:bc:17:70,lab01.lab.foobar.com,172.16.0.10
> dhcp-host=00:0c:29:ff:96:a7,solaris.lab.foobar.com,172.16.0.6
> dhcp-host=00:0c:29:ff:96:xx,windows.lab.foobar.com,172.16.0.7
> dhcp-host=00:0c:29:db:8a:b3,centos.lab.foobar.com,172.16.0.5
> dhcp-host=00:0c:29:3c:58:01,centos-4.4-01.lab.foobar.com,172.16.0.82
>
> # cat /etc/dnsmasq.wifi.conf | grep -v '^$' | grep -v '^\#'
> dhcp-range=wifi,172.16.0.200,172.16.0.250,3d
> dhcp-option=wifi,15,wifi.foobar.com
>
>
> Thanks,
>

Are the names in your dhcp-host entries _all_ ".lab.foobar.com"? If so, then simply adding

domain=lab.foobar.com

will fix things. I imagine that under 2.34 you will have seen lots of complaints logged about this; 2.45 has turned soft errors into hard ones.

If there are names in more than one domain, the problem is more complicated to fix: you may need to try the new "multi-domain" code.

Cheers,

Simon.

From jdixon at omniti.com Mon Aug 4 16:27:38 2008
From: jdixon at omniti.com (Jason Dixon) Date: Mon Aug 4 16:28:34 2008 Subject: [Dnsmasq-discuss] illegal domain in dhcp-config directive In-Reply-To: <48971D59.7040706@thekelleys.org.uk> References: <20080724233741.GA21070@omniti.com> <488EBD40.7000002@thekelleys.org.uk> <20080729114052.GC25322@omniti.com> <20080804143853.GA6180@omniti.com> <48971D59.7040706@thekelleys.org.uk> Message-ID: <20080804152738.GB6180@omniti.com> On Mon, Aug 04, 2008 at 04:16:41PM +0100, Simon Kelley wrote: > Jason Dixon wrote: >> >> I tried various changes to our configuration but couldn't find a working >> set. I'm including a subset of our configuration here so you can see >> what might be causing the issue. The only bits I've left out include >> redundant information (e.g. dhcp-host). Just to reiterate, this works >> under 2.34 but is broken under 2.45. >> >> >> # cat /etc/dnsmasq.conf | grep -v '^$' | grep -v '^\#' >> filterwin2k >> local=/lab.foobar.com/wifi.foobar.com/ >> interface=eth0 >> expand-hosts >> dhcp-option=3,172.16.0.1 >> dhcp-option=42,0.0.0.0 >> conf-file=/etc/dnsmasq.lab.conf >> conf-file=/etc/dnsmasq.wifi.conf >> >> # cat /etc/dnsmasq.lab.conf | grep -v '^$' | grep -v '^\#' >> dhcp-range=lab,172.16.0.10,172.16.0.81,12h >> dhcp-option=lab,15,lab.foobar.com >> dhcp-host=00:0e:0c:bc:17:70,lab01.lab.foobar.com,172.16.0.10 >> dhcp-host=00:0c:29:ff:96:a7,solaris.lab.foobar.com,172.16.0.6 >> dhcp-host=00:0c:29:ff:96:xx,windows.lab.foobar.com,172.16.0.7 >> dhcp-host=00:0c:29:db:8a:b3,centos.lab.foobar.com,172.16.0.5 >> dhcp-host=00:0c:29:3c:58:01,centos-4.4-01.lab.foobar.com,172.16.0.82 >> >> # cat /etc/dnsmasq.wifi.conf | grep -v '^$' | grep -v '^\#' >> dhcp-range=wifi,172.16.0.200,172.16.0.250,3d >> dhcp-option=wifi,15,wifi.foobar.com > > Are the names in your dhcp-host entries _all_ ".lab.foobar.com"? > If so, the simply adding > > domain=lab.foobar.com > > will fix things. 
> I imagine that under 2.34 you will have seen lots of
> complaints logged about this, 2.45 has turned soft errors into hard ones.
>
> If there are names in more than one domain, the problem in more
> complicated to fix: you may need to try the new "multi-domain" code.

Yes, adding the "domain=lab.foobar.com" and changing the last section of dhcp-host's to remove the unwanted extra subdomain ".4-0." fixes the error. Thanks for your help!

-- 
Jason Dixon
OmniTI Computer Consulting, Inc.
jdixon@omniti.com
443.325.1357 x.241

From e1-7n32-h2qw-w2h3 at snugmail.com Mon Aug 4 18:46:12 2008
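The thread above settles on the rule behind the "illegal domain" error: a dhcp-host name may only carry a domain part if it matches domain=, because otherwise dnsmasq would be handing clients a name in a domain it does not own (Simon's impersonation point). To apply that rule to a configuration before restarting a 2.45 server, here is an added Python example, not part of the thread and not dnsmasq's own code: it follows conf-file= includes, picks the name field out of each dhcp-host line, and reports any name whose part after the first dot differs from domain=. The first-dot split is inferred from the error in the thread, where ubuntu-8.04-06.lab.foobar.com was reported as domain 04-06.lab.foobar.com, and the same split is what flags centos-4.4-01.lab.foobar.com even once domain=lab.foobar.com is set. The configuration is an in-memory, constructed subset of Jason's files; only whole-line '#' comments are stripped (so values like #known survive), and the set of tag prefixes skipped when looking for the name (net:, set:, tag:, id:) is an assumption about dhcp-host syntax.

```python
import re

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LEASE_RE = re.compile(r"^(\d+[smhdw]?|infinite)$")
TAG_PREFIXES = ("net:", "set:", "tag:", "id:")   # assumption: fields that are never a name


def load_config(path, files, seen=None):
    """Return (key, value) pairs in reading order, following conf-file= includes.
    `files` maps a path to its text (a real checker would read from disk).
    Only whole-line '#' comments are stripped, so a value like '#known' survives."""
    seen = set() if seen is None else seen
    if path in seen:                      # an include loop would otherwise never end
        return []
    seen.add(path)
    entries = []
    for raw in files.get(path, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "conf-file":
            entries.extend(load_config(value, files, seen))
        else:
            entries.append((key, value))
    return entries


def host_name_fields(value):
    """Pick the name field(s) out of a dhcp-host value by elimination:
    MACs, addresses, lease times, 'ignore' and tag markers are not names."""
    names = []
    for field in (f.strip() for f in value.split(",")):
        if not field or field == "ignore":
            continue
        if MAC_RE.match(field) or IPV4_RE.match(field) or LEASE_RE.match(field):
            continue
        if field.startswith(TAG_PREFIXES):
            continue
        names.append(field)
    return names


def check_dhcp_host_domains(entries):
    """Apply the rule from the thread: a dhcp-host name containing a dot is legal
    only if everything after the first dot equals the configured domain=.
    Returns (configured_domain, [(name, offending_domain), ...])."""
    domain = None
    for key, value in entries:
        if key == "domain":
            domain = value.split(",")[0].strip()   # ignore any subnet qualifier
    problems = []
    for key, value in entries:
        if key != "dhcp-host":
            continue
        for name in host_name_fields(value):
            _host, dot, dom = name.partition(".")
            if dot and dom != domain:
                problems.append((name, dom))
    return domain, problems


def report(files, root="/etc/dnsmasq.conf"):
    """Lines in the spirit of dnsmasq's own start-up message."""
    domain, problems = check_dhcp_host_domains(load_config(root, files))
    return [f"illegal domain {dom} in dhcp-host {name} (domain= is {domain})"
            for name, dom in problems]


# Constructed in-memory subset of the configuration posted in the thread.
SAMPLE_FILES = {
    "/etc/dnsmasq.conf": """\
filterwin2k
local=/lab.foobar.com/wifi.foobar.com/
interface=eth0
expand-hosts
dhcp-option=3,172.16.0.1
conf-file=/etc/dnsmasq.lab.conf
conf-file=/etc/dnsmasq.wifi.conf
""",
    "/etc/dnsmasq.lab.conf": """\
dhcp-range=lab,172.16.0.10,172.16.0.81,12h
dhcp-option=lab,15,lab.foobar.com
dhcp-host=00:0e:0c:bc:17:70,lab01.lab.foobar.com,172.16.0.10
dhcp-host=00:0c:29:db:8a:b3,centos.lab.foobar.com,172.16.0.5
dhcp-host=00:0c:29:3c:58:01,centos-4.4-01.lab.foobar.com,172.16.0.82
""",
    "/etc/dnsmasq.wifi.conf": """\
dhcp-range=wifi,172.16.0.200,172.16.0.250,3d
dhcp-option=wifi,15,wifi.foobar.com
""",
}

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FILES)) or "no problems")      # all three names flagged
    fixed = dict(SAMPLE_FILES)
    fixed["/etc/dnsmasq.conf"] += "domain=lab.foobar.com\n"
    print("\n".join(report(fixed)) or "no problems")             # only centos-4.4-01 remains
```

Without a domain= line every dotted name is reported, which is the situation Jason hit; adding domain=lab.foobar.com clears all but the name with the extra dot, which is the one he then renamed.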
From: e1-7n32-h2qw-w2h3 at snugmail.com (L Forrister)
Date: Mon Aug 4 18:47:04 2008
Subject: My Emailiases: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <4896C638.7080509@thekelleys.org.uk>
References: <4896C638.7080509@thekelleys.org.uk>
Message-ID: <48974064.8090301@snugmail.com>

Simon Kelley (simon@thekelleys.org.uk) (Emailias: REPLY-MASKED) wrote:
> Original Sender:
> Given To: lists.thekelleys.org.uk: Dnsmasq-discuss Info Page
> http://www.emailias.com/mailclick/?id=243457
> <--------------------end emailias header-------------------->
>
> I have support for multiple domains working, but I've come across a wrinkle.
>
> Consider the case that two different DHCP clients claim the same name.
> With the existing code, only one can have it and the current behaviour
> is that when a second machine claims a name, the first one loses it.
>
> Now, consider the possibility that the two machines claiming the same
> name are in different domains. By default, the existing behaviour must
> continue, because the unqualified name is added to the DNS, so that even
> though the two clients could have "name.domain1.com" and
> "name.domain2.com", they are still fighting over just plain "name".
>
> It would be possible to introduce a new mode, which didn't put the
> unqualified name into the DNS, and allowed both hosts to keep their name
> as long as they are in different domains. Would that be useful, or just
> a confusing complication?
>
>

I don't see anything confusing about it. What good is multiple domain support if you're forced to maintain unique host names across all domains?

I've never quite understood why dnsmasq can't allow the duplicate names in the first place. Why must it be so? Consider a client machine with two interfaces. Both dhcp. They'll both get leases. Both ip's will be active. But the dns will only return one (name and ip) depending on which was most recently renewed.
But it's not just the dns, because when you check the leases file there's only one lease listed.

~~L.Forrister

From simon at thekelleys.org.uk Mon Aug 4 20:09:26 2008
From: simon at thekelleys.org.uk (Simon Kelley) Date: Mon Aug 4 20:12:56 2008 Subject: My Emailiases: [Dnsmasq-discuss] multiple domain support - question In-Reply-To: <48974064.8090301@snugmail.com> References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> Message-ID: <489753E6.4000608@thekelleys.org.uk> L Forrister wrote: > Simon Kelley (simon@thekelleys.org.uk) (Emailias: REPLY-MASKED) wrote: > >>Original Sender: >>Given To: lists.thekelleys.org.uk: Dnsmasq-discuss Info Page >>http://www.emailias.com/mailclick/?id=243457 >><--------------------end emailias header--------------------> >> >>I have support for multiple domains working, but I've come across a wrinkle. >> >>Consider the case that two different DHCP clients claim the same name. >>With the existing code, only one can have it and the current behaviour >>is that when a second machine claims a name, the first one loses it. >> >>Now, consider the possibility that the two machines claiming the same >>name are in different domains. By default, the existing behaviour must >>continue, because the unqualified name is added to the DNS, so that even >>though the two clients could have "name.domain1.com" and >>"name.domain2.com", they are still fighting over just plain "name". >> >>It would be possible to introduce a new mode, which didn't put the >>unqualified name into the DNS, and allowed both hosts to keep their name >>as long as they are in different domains. Would that be useful, or just >>an confusing complication? >> >> >> > > > I don't see anything confusing about it. What good is multiple domain > support if you're forced to maintain unique host names across all domains. > > > I've never quite understood why dnsmasq can't allow the duplicate names > in the first place. Why must it be so. Consider a client machine with > two interfaces. Both dhcp. They'll both get leases. Both ip's will be > active. 
> But the dns will only return one (name and ip) depending on
> which was most recently renewed. But it's not just the dns, because when
> you check the leases file there's only one lease listed.
>

The reason is simply that there's no way to differentiate the "plain" unqualified versions of the name, without the domain part. To make the multiple names work would mean suppressing unqualified names. For most people, having them is more useful than having multiple domains.

Cheers,

Simon.

From e1-7n32-h2qw-w2h3 at snugmail.com Mon Aug 4 21:29:21 2008
From: e1-7n32-h2qw-w2h3 at snugmail.com (L Forrister) Date: Mon Aug 4 21:32:05 2008 Subject: My Emailiases: Re: My Emailiases: [Dnsmasq-discuss] multiple domain support - question In-Reply-To: <489753E6.4000608@thekelleys.org.uk> References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> <489753E6.4000608@thekelleys.org.uk> Message-ID: Simon Kelley (simon@thekelleys.org.uk) (Emailias: REPLY-MASKED) wrote: > Original Sender: > Given To: lists.thekelleys.org.uk: Dnsmasq-discuss Info Page > http://www.emailias.com/mailclick/?id=243457 > <--------------------end emailias header--------------------> > > L Forrister wrote: >> Simon Kelley (simon@thekelleys.org.uk) (Emailias: REPLY-MASKED) wrote: >> >>> Original Sender: >>> Given To: lists.thekelleys.org.uk: Dnsmasq-discuss Info Page >>> http://www.emailias.com/mailclick/?id=243457 >>> <--------------------end emailias header--------------------> >>> >>> I have support for multiple domains working, but I've come across a >>> wrinkle. >>> >>> Consider the case that two different DHCP clients claim the same name. >>> With the existing code, only one can have it and the current behaviour >>> is that when a second machine claims a name, the first one loses it. >>> >>> Now, consider the possibility that the two machines claiming the same >>> name are in different domains. By default, the existing behaviour must >>> continue, because the unqualified name is added to the DNS, so that >>> even >>> though the two clients could have "name.domain1.com" and >>> "name.domain2.com", they are still fighting over just plain "name". >>> >>> It would be possible to introduce a new mode, which didn't put the >>> unqualified name into the DNS, and allowed both hosts to keep their >>> name >>> as long as they are in different domains. Would that be useful, or just >>> an confusing complication? >>> >>> >>> >> >> >> I don't see anything confusing about it. 
>> What good is multiple domain
>> support if you're forced to maintain unique host names across all
>> domains.
>>
>>
>> I've never quite understood why dnsmasq can't allow the duplicate names
>> in the first place. Why must it be so. Consider a client machine
>> with two interfaces. Both dhcp. They'll both get leases. Both ip's
>> will be active. But the dns will only return one (name and ip)
>> depending on which was most recently renewed. But its not just the
>> dns, because when you check the leases file there's only one lease
>> listed.
>>
>
> The reason is simply that there's no way to differentiate the "plain"
> unqualified versions of the name, without the domain part. To make the
> multiple names work would mean suppressing unqualified names. For most
> people, having them is more useful than having multiple domains.
>
> Cheers,
>
> Simon.
>

As far as the leases file is concerned, doesn't the mac address (and/or the client id) provide that differentiation? I mean, having the same unqualified host name on two separate leases would not cause identical lines/records in the lease file.

The dns code seems not to have a problem with multihomed hosts in either /etc/hosts or /etc/dnsmasq.hosts (my dnsmasq addn-hosts file.)

oso:~ lf$ dig +short -x 192.168.160.67 -x 192.168.160.68 -x 192.168.160.69
alkix.rebel.lan.
alkix.rebel.lan.
alkix.rebel.lan.

oso:~ lf$ dig +short alkix.rebel.lan
192.168.160.67
192.168.160.68
192.168.160.69

~~L.Forrister

From richardvoigt at gmail.com Tue Aug 5 00:41:30 2008
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Tue Aug 5 00:42:54 2008
Subject: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <4896C638.7080509@thekelleys.org.uk>
References: <4896C638.7080509@thekelleys.org.uk>
Message-ID: <2e59e6970808041641l4a113efetfb41ff0f3628428c@mail.gmail.com>

On Mon, Aug 4, 2008 at 9:04 AM, Simon Kelley wrote:

> I have support for multiple domains working, but I've come across a
> wrinkle.
>
> Consider the case that two different DHCP clients claim the same name.
> With the existing code, only one can have it and the current behaviour
> is that when a second machine claims a name, the first one loses it.
>
> Now, consider the possibility that the two machines claiming the same
> name are in different domains. By default, the existing behaviour must
> continue, because the unqualified name is added to the DNS, so that even
> though the two clients could have "name.domain1.com" and
> "name.domain2.com", they are still fighting over just plain "name".
>
> It would be possible to introduce a new mode, which didn't put the
> unqualified name into the DNS, and allowed both hosts to keep their name
> as long as they are in different domains. Would that be useful, or just
> an confusing complication?

Would it be possible to track the domain, while still responding to the unqualified name (perhaps a CNAME, or perhaps just track internally)? Then when the name was claimed a second time, the entry would be marked invalid and no further responses would be sent.

Or, if you choose a mode with no unqualified names, consider allowing dotless names from /etc/hosts and the config file to still be resolved.

>
>
> Cheers,
>
> Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From simon at thekelleys.org.uk Tue Aug 5 14:40:54 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Aug 5 14:41:45 2008
Subject: My Emailiases: Re: My Emailiases: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To:
References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> <489753E6.4000608@thekelleys.org.uk>
Message-ID: <48985866.5030906@thekelleys.org.uk>

L Forrister wrote:
>>
> As far the leases file is concerned, doesn't the mac address (and/or the
> client id) provide that differentiation? I mean, having the same
> unqualified host name on two separate leases would not cause identical
> lines/records in the lease file.

You're right, it wouldn't. Removing the name from the leasefile is just an implementation detail: a way to implement the policy for DNS.

>
> The dns code, seems not to have a problem with multihomed hosts in
> either /etc/hosts or /etc/dnsmasq.hosts (my dnsmasq addn-hosts file.)
>
> oso:~
> lf$ dig +short -x 192.168.160.67 -x 192.168.160.68 -x 192.168.160.69
> alkix.rebel.lan.
> alkix.rebel.lan.
> alkix.rebel.lan.
>
> oso:~
> lf$ dig +short alkix.rebel.lan
> 192.168.160.67
> 192.168.160.68
> 192.168.160.69
>

It works like it does because the one time when this actually happens to me is when I move my laptop from a wired network to a wireless one which is a different subnet. Under those circumstances I don't want DNS lookups for the laptop's name returning both the current wireless address, and the old wired one. Anything trying to connect would use a dead address for half the time until the DHCP lease on the wired network expired.

Cheers,

Simon.

> ~~L.Forrister
>
>
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From simon at thekelleys.org.uk Tue Aug 5 14:46:08 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Aug 5 14:47:01 2008
Subject: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <2e59e6970808041641l4a113efetfb41ff0f3628428c@mail.gmail.com>
References: <4896C638.7080509@thekelleys.org.uk> <2e59e6970808041641l4a113efetfb41ff0f3628428c@mail.gmail.com>
Message-ID: <489859A0.5000003@thekelleys.org.uk>

richardvoigt@gmail.com wrote:
> On Mon, Aug 4, 2008 at 9:04 AM, Simon Kelley wrote:
>
>> I have support for multiple domains working, but I've come across a
>> wrinkle.
>>
>> Consider the case that two different DHCP clients claim the same name.
>> With the existing code, only one can have it and the current behaviour
>> is that when a second machine claims a name, the first one loses it.
>>
>> Now, consider the possibility that the two machines claiming the same
>> name are in different domains. By default, the existing behaviour must
>> continue, because the unqualified name is added to the DNS, so that even
>> though the two clients could have "name.domain1.com" and
>> "name.domain2.com", they are still fighting over just plain "name".
>>
>> It would be possible to introduce a new mode, which didn't put the
>> unqualified name into the DNS, and allowed both hosts to keep their name
>> as long as they are in different domains. Would that be useful, or just
>> a confusing complication?
>
> Would it be possible to track the domain, while still responding to the
> unqualified name (perhaps a CNAME, or perhaps just track internally). Then
> when the name was claimed a second time, the entry would be marked invalid
> and no further responses would be sent.

It would: it would need a fair bit of thinking to make sure it always
behaved.

> Or, if you choose a mode with no unqualified names, consider allowing
> dotless names from /etc/hosts

Dotless names from /etc/hosts is fine: that's not affected.

> and the config file to still be resolved.

From dhcp-host lines is not there at the moment.
It may be possible, but what happens when two hosts get a dotless name
from dhcp-host lines? Of course the search facility in the resolver
should fix this.....

Cheers,

Simon.

From e1-7n32-h2qw-w2h3 at snugmail.com Tue Aug 5 17:16:04 2008
From: e1-7n32-h2qw-w2h3 at snugmail.com (L Forrister)
Date: Tue Aug 5 17:18:18 2008
Subject: My Emailiases: Re: My Emailiases: Re: My Emailiases: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <48985866.5030906@thekelleys.org.uk>
References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> <489753E6.4000608@thekelleys.org.uk> <48985866.5030906@thekelleys.org.uk>
Message-ID:

Simon Kelley (simon@thekelleys.org.uk) wrote:
> L Forrister wrote:
>
>> As far the leases file is concerned, doesn't the mac address (and/or the
>> client id) provide that differentiation? I mean, having the same
>> unqualified host name on two separate leases would not cause identical
>> lines/records in the lease file.
>
> You're right, it wouldn't. Removing the name from the leasefile is just
> an implementation detail: a way to implement the policy for DNS.
>
>> The dns code, seems not to have a problem with multihomed hosts in
>> either /etc/hosts or /etc/dnsmasq.hosts (my dnsmasq addn-hosts file.)
>>
>> oso:~ lf$ dig +short -x 192.168.160.67 -x 192.168.160.68 -x 192.168.160.69
>> alkix.rebel.lan.
>> alkix.rebel.lan.
>> alkix.rebel.lan.
>>
>> oso:~ lf$ dig +short alkix.rebel.lan
>> 192.168.160.67
>> 192.168.160.68
>> 192.168.160.69
>
> It works like it does because the one time when this actually happens to
> me is when I move my laptop from a wired network to a wireless one which
> is a different subnet. Under those circumstances I don't want DNS
> lookups for the laptop's name returning both the current wireless
> address, and the old wired one. Anything trying to connect would use a
> dead address for half the time until the DHCP lease on the wired network
> expired.
Then what's really needed is an indicator to distinguish roaming hosts
from multihomed/duplicate-named hosts.

~~L.Forrister

From richardvoigt at gmail.com Wed Aug 6 05:53:47 2008
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Wed Aug 6 05:54:38 2008
Subject: [Dnsmasq-discuss] Question about the error message
In-Reply-To: <20080804202627.E0E0.FUKUTA.SAORI@jp.fujitsu.com>
References: <20080804202627.E0E0.FUKUTA.SAORI@jp.fujitsu.com>
Message-ID: <2e59e6970808052153n10d67dbcmc73b1ac56fe63135@mail.gmail.com>

On Mon, Aug 4, 2008 at 11:26 AM, Saori Fukuta wrote:
> Hello,
>
> I got the following message at /var/log/messages,
>   dnsmasq[13884]: no address range available for DHCP request via eth3
> when I have the following steps with dnsmasq-2.39-2.el5 (on RHEL-5.2):
> 1. start the dnsmasq, which is started by libvirt, with the
>    following option.
>    # /usr/sbin/dnsmasq --keep-in-foreground --strict-order
>      --bind-interfaces --pid-file --conf-file --listen-address 192.168.122.1
>      --except-interface lo --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases
>      --dhcp-range 192.168.122.2,192.168.122.254
> 2. change the network address of eth3 to '0.0.0.0'.
>    # ifconfig eth3 0 up
> 3. dnsmasq receives the DHCPINFORM message from DHCP servers of
>    Windows 2003 server.
>    # tethereal -i eth3
>      5.521471 10.123.234.11 -> 255.255.255.255 DHCP DHCP Inform -
>      Transaction ID 0xbe180000
>
> Do you know why the message appeared? Please tell me the meaning of
> this message.

If you are serving DHCP addresses on that subnet from a Windows 2003 server,
you should not enable dnsmasq's dhcp listener on that interface. Right now,
you're asking for DHCP operation of every interface except 'lo'.

> Regards,
> Saori Fukuta

From richardvoigt at gmail.com Wed Aug 6 06:16:31 2008
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Wed Aug 6 06:17:55 2008
Subject: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <489859A0.5000003@thekelleys.org.uk>
References: <4896C638.7080509@thekelleys.org.uk> <2e59e6970808041641l4a113efetfb41ff0f3628428c@mail.gmail.com> <489859A0.5000003@thekelleys.org.uk>
Message-ID: <2e59e6970808052216g71d98119l9f37d31b6a9a6b97@mail.gmail.com>

On Tue, Aug 5, 2008 at 1:46 PM, Simon Kelley wrote:
> richardvoigt@gmail.com wrote:
> > On Mon, Aug 4, 2008 at 9:04 AM, Simon Kelley wrote:
> >
> >> I have support for multiple domains working, but I've come across a
> >> wrinkle.
> >>
> >> Consider the case that two different DHCP clients claim the same name.
> >> With the existing code, only one can have it and the current behaviour
> >> is that when a second machine claims a name, the first one loses it.
> >>
> >> Now, consider the possibility that the two machines claiming the same
> >> name are in different domains. By default, the existing behaviour must
> >> continue, because the unqualified name is added to the DNS, so that even
> >> though the two clients could have "name.domain1.com" and
> >> "name.domain2.com", they are still fighting over just plain "name".
> >>
> >> It would be possible to introduce a new mode, which didn't put the
> >> unqualified name into the DNS, and allowed both hosts to keep their name
> >> as long as they are in different domains. Would that be useful, or just
> >> a confusing complication?
> >
> > Would it be possible to track the domain, while still responding to the
> > unqualified name (perhaps a CNAME, or perhaps just track internally). Then
> > when the name was claimed a second time, the entry would be marked invalid
> > and no further responses would be sent.
>
> It would: it would need a fair bit of thinking to make sure it always
> behaved.
I don't think there's any need for the last remaining address to start
responding to queries when all other leases expire. Such behavior would be
well-nigh undeterministic and confuse users. Just log "name 'xyz' in
contention, returning no results". Once a name becomes contended, it stays
that way. You could have a reference count on contended names so that they
don't become a permanent fixture in memory for long-running instances, but I
doubt that would be much of a problem either.

> > Or, if you choose a mode with no unqualified names, consider allowing
> > dotless names from /etc/hosts
>
> dotless names from /etc/hosts is fine: that's not affected.
>
> > and the config file to still be resolved.
>
> From dhcp-host lines is not there at the moment.
> It may be possible, but what happens when two hosts get a dotless name
> from dhcp-host lines?

Error (or warning, ignoring conflicting entries) while processing the
config, force the admin to change the names to fully qualified, leaving at
most one dotless, so there's no ambiguity. Maybe there's a need for a syntax
for specifying aliases in dhcp-host lines, just like you can have multiple
names on a single line in /etc/hosts. That way someone using multiple
domains would give every dhcp-host a FQDN, and set up an alias for the one
intended to be seen as a bare name.

If people want the questionable behavior of having their notebook receive
the same name whether connected wireless or wired, they'd need a dhcp-host
or /etc/ethers entry to map the MAC address to IP address, and an /etc/hosts
entry to map the name to the IP address. The name would not be placed in
multiple dhcp-host entries. From previous postings to the mailing list, this
scenario seems to be very troublesome anyway.

I think anything that breaks under the new rules would be broken under the
old, and I can probably give examples of how it breaks. Only now such
breakage would be reported at dnsmasq startup. But maybe I missed some valid
scenario.
> Of course the search facility in the resolver should fix this.....
>
> Cheers,
>
> Simon.

From richardvoigt at gmail.com Wed Aug 6 06:21:10 2008
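The two name policies argued over in the exchange above, as an added example that is not part of the thread or of dnsmasq: a small model of the lease table in which a second DHCP client claims a bare name already held by another lease. LAST_WINS is the existing behaviour Simon describes (the earlier lease loses the name); CONTENDED is Richard's proposal for the multiple-domain mode (each lease keeps its fully qualified name, the bare name is marked contended, a log line is written, and bare-name lookups return nothing from then on, even after the other lease expires). MACs, addresses and domains are constructed, and the treatment of a clash within the same domain under CONTENDED is this example's own assumption.

```python
"""Model of the bare-name policy for DHCP leases (added example, not dnsmasq code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

LAST_WINS = "last-wins"   # existing behaviour: second claimant takes the name
CONTENDED = "contended"   # proposed mode: bare name goes dark, FQDNs survive


@dataclass
class Lease:
    mac: str
    ip: str
    name: Optional[str]   # bare host name; None once the lease has lost it
    domain: str

    @property
    def fqdn(self) -> Optional[str]:
        return None if self.name is None else f"{self.name}.{self.domain}"


@dataclass
class NameTable:
    policy: str = LAST_WINS
    leases: Dict[str, Lease] = field(default_factory=dict)   # keyed by MAC
    contended: Set[str] = field(default_factory=set)         # bare names
    log: List[str] = field(default_factory=list)

    def claim(self, mac: str, ip: str, name: str, domain: str) -> None:
        """Record a lease for `mac` claiming `name` in `domain`."""
        name, domain = name.lower(), domain.lower()
        # A renewal by the same MAC is never a conflict.
        rivals = [le for m, le in self.leases.items() if m != mac and le.name == name]
        for old in rivals:
            if self.policy == LAST_WINS or old.domain == domain:
                # Existing behaviour, and (assumption) the only sane option
                # when even the FQDN clashes: the earlier lease loses its name.
                self.log.append(f"name '{name}' taken from {old.mac} by {mac}")
                old.name = None
            else:
                if name not in self.contended:
                    self.log.append(f"name '{name}' in contention, returning no results")
                self.contended.add(name)   # stays contended, never handed back
        self.leases[mac] = Lease(mac, ip, name, domain)

    def release(self, mac: str) -> None:
        """Lease expired or released; contended names stay contended."""
        self.leases.pop(mac, None)

    def lookup(self, qname: str) -> List[str]:
        """Addresses a DNS query for `qname` would be answered with."""
        q = qname.lower().rstrip(".")
        if "." in q:
            return [le.ip for le in self.leases.values() if le.fqdn == q]
        if q in self.contended:
            return []
        return [le.ip for le in self.leases.values() if le.name == q]


def roaming_laptop(policy: str) -> NameTable:
    """Constructed scenario: Simon's laptop moving from the wired subnet to
    the wireless one, both interfaces claiming 'laptop' in different domains."""
    t = NameTable(policy)
    t.claim("00:aa:bb:cc:dd:01", "192.168.1.10", "laptop", "wired.lan")
    t.claim("00:aa:bb:cc:dd:02", "192.168.2.10", "laptop", "wifi.lan")
    return t


if __name__ == "__main__":
    for policy in (LAST_WINS, CONTENDED):
        t = roaming_laptop(policy)
        print(policy, t.lookup("laptop"), t.lookup("laptop.wired.lan"), t.log)
```

Under LAST_WINS the wired address simply disappears from DNS, which is the behaviour Simon wants for a laptop that has moved; under CONTENDED the bare name is never answered again once two leases have fought over it, which is the deterministic outcome Richard argues for, while the per-domain names stay resolvable.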
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Wed Aug 6 06:22:01 2008
Subject: My Emailiases: Re: My Emailiases: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <48985866.5030906@thekelleys.org.uk>
References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> <489753E6.4000608@thekelleys.org.uk> <48985866.5030906@thekelleys.org.uk>
Message-ID: <2e59e6970808052221l19792252pddb7c9cf8e641329@mail.gmail.com>

On Tue, Aug 5, 2008 at 1:40 PM, Simon Kelley wrote:
> L Forrister wrote:
>
>> As far the leases file is concerned, doesn't the mac address (and/or the
>> client id) provide that differentiation? I mean, having the same
>> unqualified host name on two separate leases would not cause identical
>> lines/records in the lease file.
>
> You're right, it wouldn't. Removing the name from the leasefile is just
> an implementation detail: a way to implement the policy for DNS.
>
>> The dns code, seems not to have a problem with multihomed hosts in
>> either /etc/hosts or /etc/dnsmasq.hosts (my dnsmasq addn-hosts file.)
>>
>> oso:~ lf$ dig +short -x 192.168.160.67 -x 192.168.160.68 -x 192.168.160.69
>> alkix.rebel.lan.
>> alkix.rebel.lan.
>> alkix.rebel.lan.
>>
>> oso:~ lf$ dig +short alkix.rebel.lan
>> 192.168.160.67
>> 192.168.160.68
>> 192.168.160.69
>
> It works like it does because the one time when this actually happens to
> me is when I move my laptop from a wired network to a wireless one which
> is a different subnet. Under those circumstances I don't want DNS
> lookups for the laptop's name returning both the current wireless
> address, and the old wired one. Anything trying to connect would use a
> dead address for half the time until the DHCP lease on the wired network
> expired.

However useful sounding, I submit to you that this is broken.

If you are connected on wireless, you get a lease, the name is associated
to wireless.
When you connect on wired, the name is associated to the wired address.
When you disconnect from wired, the wireless lease may still be valid
(why wouldn't it be?), so the dnsmasq server isn't contacted and doesn't
update the name back to the wireless address.

> Cheers,
>
> Simon.

From fukuta.saori at jp.fujitsu.com Wed Aug 6 06:56:52 2008
From: fukuta.saori at jp.fujitsu.com (Saori Fukuta)
Date: Wed Aug 6 06:57:49 2008
Subject: [Dnsmasq-discuss] Question about the error message
In-Reply-To: <2e59e6970808052153n10d67dbcmc73b1ac56fe63135@mail.gmail.com>
References: <20080804202627.E0E0.FUKUTA.SAORI@jp.fujitsu.com> <2e59e6970808052153n10d67dbcmc73b1ac56fe63135@mail.gmail.com>
Message-ID: <20080806145532.FB28.FUKUTA.SAORI@jp.fujitsu.com>

On Wed, 6 Aug 2008 04:53:47 +0000 "richardvoigt@gmail.com" wrote:
> On Mon, Aug 4, 2008 at 11:26 AM, Saori Fukuta wrote:
>
> > Hello,
> >
> > I got the following message at /var/log/messages,
> >   dnsmasq[13884]: no address range available for DHCP request via eth3
> > when I have the following steps with dnsmasq-2.39-2.el5 (on RHEL-5.2):
> > 1. start the dnsmasq, which is started by libvirt, with the
> >    following option.
> >    # /usr/sbin/dnsmasq --keep-in-foreground --strict-order
> >      --bind-interfaces --pid-file --conf-file --listen-address 192.168.122.1
> >      --except-interface lo --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases
> >      --dhcp-range 192.168.122.2,192.168.122.254
> > 2. change the network address of eth3 to '0.0.0.0'.
> >    # ifconfig eth3 0 up
> > 3. dnsmasq receives the DHCPINFORM message from DHCP servers of
> >    Windows 2003 server.
> >    # tethereal -i eth3
> >      5.521471 10.123.234.11 -> 255.255.255.255 DHCP DHCP Inform -
> >      Transaction ID 0xbe180000
> >
> > Do you know why the message appeared? Please tell me the meaning of
> > this message.
>
> If you are serving DHCP addresses on that subnet from a Windows 2003 server,
> you should not enable dnsmasq's dhcp listener on that interface. Right now,
> you're asking for DHCP operation of every interface except 'lo'.

Thank you for your reply!
I understood that I should not enable that option with Windows 2003 server,
but why should dnsmasq's dhcp not listen to the Windows 2003 server?
Is there any difference between Linux server and Windows server?

In such a case, how can I specify the dnsmasq's option?
For example, should I specify "--interface" option with the interface
which is not served DHCP addresses from a Windows 2003 server?

thank you

Saori.

From g.esp at free.fr Wed Aug 6 08:08:42 2008
From: g.esp at free.fr (Gilles Espinasse)
Date: Wed Aug 6 08:07:37 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
References: <488DD573.4010006@thekelleys.org.uk>
Message-ID: <1e6d01c8f793$42c6d800$f9b5a8c0@pii350>

----- Original Message -----
From: "Simon Kelley"
To: "dnsmasq discussion list"
Sent: Monday, July 28, 2008 4:19 PM
Subject: [Dnsmasq-discuss] Supporting more than one domain.

...
> As part of implementing this, I'd like to try (again) to remove the
> long-deprecated ISC lease-file reading code. If I don't remove it, it
> will need work to fit in with the new facilities. I've tried to remove
> this code before and had complaints; can I assume by now that that code
> is dead?
>
> Cheers,
>
> Simon.
>

I am afraid we still need that part of code in ipcop-1.4 version as I
haven't made changes except upgrade to dnsmasq-2.35 there.

New ipcop-2.0 codebase has been migrated to dnsmasq as the dhcp server.

Does it not make sense to open a new dnsmasq branch if you are in a
direction to remove a feature from 2.0? That way, backport of critical fixes
only in 2.0 branch could be easier.

Gilles

From g.esp at free.fr Wed Aug 6 08:11:15 2008
From: g.esp at free.fr (Gilles Espinasse)
Date: Wed Aug 6 08:10:07 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
Message-ID: <1e7e01c8f793$9dee1c20$f9b5a8c0@pii350>

----- Original Message -----
From: "Gilles Espinasse"
To: "Simon Kelley"
Cc:
Sent: Wednesday, August 06, 2008 9:08 AM
Subject: Re: [Dnsmasq-discuss] Supporting more than one domain.

> ----- Original Message -----
> From: "Simon Kelley"
> To: "dnsmasq discussion list"
> Sent: Monday, July 28, 2008 4:19 PM
> Subject: [Dnsmasq-discuss] Supporting more than one domain.
...
> I am afraid we still need that part of code in ipcop-1.4 version as I
> haven't made changes except upgrade to dnsmasq-2.35 there.
>
s/35/45/

Gilles

From simon at thekelleys.org.uk Wed Aug 6 10:14:39 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 6 10:15:38 2008
Subject: [Dnsmasq-discuss] Supporting more than one domain.
In-Reply-To: <1e6d01c8f793$42c6d800$f9b5a8c0@pii350>
References: <488DD573.4010006@thekelleys.org.uk> <1e6d01c8f793$42c6d800$f9b5a8c0@pii350>
Message-ID: <48996B7F.9030605@thekelleys.org.uk>

Gilles Espinasse wrote:
> ----- Original Message -----
> From: "Simon Kelley"
> To: "dnsmasq discussion list"
> Sent: Monday, July 28, 2008 4:19 PM
> Subject: [Dnsmasq-discuss] Supporting more than one domain.
>
> ...
>> As part of implementing this, I'd like to try (again) to remove the
>> long-deprecated ISC lease-file reading code. If I don't remove it, it
>> will need work to fit in with the new facilities. I've tried to remove
>> this code before and had complaints; can I assume by now that that code
>> is dead?
>>
>> Cheers,
>>
>> Simon.
>>
> I am afraid we still need that part of code in ipcop-1.4 version as I
> haven't made changes except upgrade to dnsmasq-2.35 there.
>
> New ipcop-2.0 codebase has been migrated to dnsmasq as the dhcp server.
>
> Does it not make sense to open a new dnsmasq branch if you are in a
> direction to remove a feature from 2.0? That way, backport of critical fixes
> only in 2.0 branch could be easier.

I don't want a new formal branch, but I will ensure that any critical
fixes get backported to 2.45 - I did that with the port randomisation
code for 2.35 in Debian etch and 2.41 in Ubuntu Hardy.

Cheers,

Simon.

From simon at thekelleys.org.uk Wed Aug 6 10:22:03 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 6 10:23:00 2008
Subject: My Emailiases: Re: My Emailiases: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <2e59e6970808052221l19792252pddb7c9cf8e641329@mail.gmail.com>
References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> <489753E6.4000608@thekelleys.org.uk> <48985866.5030906@thekelleys.org.uk> <2e59e6970808052221l19792252pddb7c9cf8e641329@mail.gmail.com>
Message-ID: <48996D3B.8030102@thekelleys.org.uk>

richardvoigt@gmail.com wrote:
> However useful sounding, I submit to you that this is broken.
>
> If you are connected on wireless, you get a lease, the name is
> associated to wireless.
> When you connect on wired, the name is associated to the wired address.
> When you disconnect from wired, the wireless lease may still be valid
> (why wouldn't it be?), so the dnsmasq server isn't contacted and
> doesn't update the name back to the wireless address.

I've never come across a DHCP client that doesn't move to INIT-REBOOT
state when it loses and regains a network connection, or some
equivalent. In practice this means that when the wireless connection is
re-established, the client renews the lease even if it has local
information that says the lease has not yet expired. That moves the
name->address mapping back to the wireless address and all is good.

Works for me.

Of course if the wireless interface is left up whilst using the wired
one, the situation you describe can happen, but so can other problems
with default routes and controlling which interface is actually used.

Cheers,

Simon.

From simon at thekelleys.org.uk Wed Aug 6 10:28:59 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 6 10:29:53 2008
Subject: My Emailiases: Re: My Emailiases: Re: My Emailiases: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To:
References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> <489753E6.4000608@thekelleys.org.uk> <48985866.5030906@thekelleys.org.uk>
Message-ID: <48996EDB.1030303@thekelleys.org.uk>

L Forrister wrote:
> Then what's really needed is an indicator to distinguish roaming hosts
> from multihomed/duplicate-named hosts.

Maybe, but multihomed hosts can be done using /etc/hosts as long as you
are OK with the configuration on the server and not the client - for
such configurations that's probably best anyway.

/etc/hosts

1.1.1.1 mymachine
2.2.2.2 mymachine

dnsmasq.conf

dhcp-host=,1.1.1.1
dhcp-host=,2.2.2.2

Simon.

> ~~L.Forrister

From cristiano.paris at gmail.com Wed Aug 6 18:31:15 2008
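A config-time check combining the two ideas from this thread, as an added example (not dnsmasq code and not anything the list members posted): Richard's suggestion that a bare (dotless) name appearing on more than one dhcp-host line should be reported when the config is read, and Simon's pattern above for a multihomed host, where each interface gets its own dhcp-host line carrying only a MAC and a fixed address and /etc/hosts maps the name to every address. Both input files are constructed samples; the parser only understands the dhcp-host fields used here (MAC, address, name, net:/set: tags, lease time, ignore, id:), and it strips trailing comments for its own convenience without claiming dnsmasq does the same.

```python
"""Cross-check dhcp-host lines against /etc/hosts (added example, not dnsmasq code)."""
import re
from typing import Dict, List

RE_MAC = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
RE_IP = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
RE_LEASE = re.compile(r"^\d+[smhd]?$")


def parse_dhcp_hosts(conf: str) -> List[dict]:
    """One {"mac", "ip", "name", "tags"} record per dhcp-host line."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("dhcp-host="):
            continue
        entry = {"mac": None, "ip": None, "name": None, "tags": []}
        for fld in line[len("dhcp-host="):].split(","):
            fld = fld.strip()
            if RE_MAC.match(fld):
                entry["mac"] = fld.lower()
            elif RE_IP.match(fld):
                entry["ip"] = fld
            elif fld.startswith(("net:", "set:")):
                entry["tags"].append(fld.split(":", 1)[1])
            elif fld.startswith("id:") or fld in ("ignore", "infinite") or RE_LEASE.match(fld):
                continue
            elif fld:
                entry["name"] = fld.lower()
        entries.append(entry)
    return entries


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """{name: [address, ...]} from an /etc/hosts-style file."""
    names: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        for n in parts[1:]:
            names.setdefault(n.lower(), []).append(parts[0])
    return names


def check(conf: str, hosts_text: str) -> dict:
    entries = parse_dhcp_hosts(conf)
    names = parse_hosts(hosts_text)
    named_ips = {ip for ips in names.values() for ip in ips}
    # 1. Richard's startup check: a bare name claimed by several dhcp-host lines.
    by_bare: Dict[str, List[str]] = {}
    for e in entries:
        if e["name"] and "." not in e["name"]:
            by_bare.setdefault(e["name"], []).append(e["mac"])
    duplicates = {n: macs for n, macs in by_bare.items() if len(macs) > 1}
    # 2. Simon's pattern: a nameless fixed address must be named in /etc/hosts,
    #    otherwise nothing will ever resolve to it.
    unnamed = [e["ip"] for e in entries if e["ip"] and not e["name"] and e["ip"] not in named_ips]
    # 3. Multihomed hosts, for information: one name, several addresses.
    multihomed = {n: ips for n, ips in names.items() if len(ips) > 1}
    return {"duplicate_bare_names": duplicates,
            "unnamed_without_hosts_entry": unnamed,
            "multihomed": multihomed}


# Constructed sample files (MACs and addresses are made up).
SAMPLE_CONF = """\
dhcp-host=00:11:22:33:44:55,1.1.1.1
dhcp-host=00:11:22:33:44:66,2.2.2.2
dhcp-host=00:11:22:33:44:77,10.0.0.7,printer
dhcp-host=00:11:22:33:44:88,10.0.0.8,printer
dhcp-host=00:11:22:33:44:99,10.0.0.9,nas.lab.example,12h
dhcp-host=00:11:22:33:44:aa,10.0.0.10
"""
SAMPLE_HOSTS = """\
127.0.0.1 localhost
1.1.1.1 mymachine
2.2.2.2 mymachine
10.0.0.9 nas.lab.example nas
"""

if __name__ == "__main__":
    for key, value in check(SAMPLE_CONF, SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```

Run against the sample, the check reports "printer" as claimed by two MACs (the case Richard wants rejected at startup), 10.0.0.10 as a fixed address nothing will resolve to, and mymachine as the properly multihomed host from Simon's /etc/hosts layout.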
From: cristiano.paris at gmail.com (Cristiano Paris)
Date: Wed Aug 6 18:32:06 2008
Subject: [Dnsmasq-discuss] Problems with Samba shares and XP clients
In-Reply-To:
References: <5611410953710584827@unknownmsgid> <2e59e6970808020930l50774dc5x415c1be82e0095e2@mail.gmail.com>
Message-ID:

On Mon, Aug 4, 2008 at 1:17 PM, B. Cook wrote:
> For what it's worth..
>
> 1 B-node: Broadcast - no WINS
> 2 P-node: Peer - WINS only
> 4 M-node: Mixed - broadcast, then WINS
> 8 H-node: Hybrid - WINS, then broadcast

I found them, thank you anyway.

> I believe that to be a correct and complete list for dhcp-option=46 (46
> netbios-nodetype)
>
> I use 2, because I use wins.

Understood.

> You might set your log level up a bit in samba and look in your log.nmbd and
> see if the hosts are actually registering with wins, is your samba server at
> 10.7.0.2?
>
> This is for my samba server @home..
> ...
>
> and some dnsmasq:
> ...
>
> Again all works great..
>
> (Running FreeBSD 7 on the dnsmasq and samba machines)

Excellent. Curiously I see you use logic names for smb-related dhcp
options... I'll put them in my dnsmasq too.

Thanks.

Cristiano

From simon at thekelleys.org.uk Thu Aug 7 09:53:13 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Aug 7 09:56:40 2008
Subject: [Dnsmasq-discuss] Missing something obvious #known
In-Reply-To:
References: <489615CB.2070303@thekelleys.org.uk>
Message-ID: <489AB7F9.8090304@thekelleys.org.uk>

B. Cook wrote:
> On Sun, August 3, 2008 4:32 pm, Simon Kelley wrote:
>
>> B. Cook wrote:
>>
>>> Hello All,
>>>
>>> I thought all of this was working as it should.. but apparently it is
>>> not..
>>>
>>> from the dnsmasq.log:
>>> Aug 1 11:42:56 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>>> Aug 1 11:43:11 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>>> Aug 1 11:43:14 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>>> Aug 1 11:43:21 dnsmasq[32635]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d ignored
>>>
>>> and from the config:
>>>
>>> # 100 stuff
>>> dhcp-option=net:phsalt,option:router,10.20.100.1
>>> dhcp-range=phsalt,10.20.100.2,10.20.100.254,255.255.255.0,5m
>>> dhcp-ignore=net:phsalt,#known
>>>
>>> dhcp-host=00:0e:7f:3b:ba:2d,10.20.100.3,net:phsalt # someprinter
>>> dhcp-host=00:30:6e:c6:13:e6,10.20.100.57,net:phsalt # hplj1150_hs143
>>>
>>> I have tried dhcp-ignore without the net: as well and it does not seem
>>> to cause an error either way..
>>>
>>> I am trying to only let certain hosts end up in the 100.0/24..
>>>
>>> Not sure what I am missing..
>>>
>>> can anyone help?
>>
>> You don't need to use dhcp-ignore to achieve what you're trying to do,
>> the "net:phsalt" in the dhcp-range is enough to ensure that the range
>> only gets used for the hosts which set the phsalt tag.
>>
>> However, I'm not sure _why_ the configuration you have is behaving as it
>> does. Please could you set --log-dhcp and send me the information that
>> dnsmasq logs during these DHCP transactions?
>>
>> Cheers,
>>
>> Simon.
>
> So a few strange things..
>
> I removed the dhcp-range=net:phsalt,#known, and still I was not able to
> get an ip in the 10.20.100.0/24 range.
> I removed the dhcp-range=#known (for the whole scope of the lan) and I was
> able to get an ip, dhcp-log'in showed me it was being accepted into the
> phs range, so thinking that somehow net:phs and net:phsalt was not being
> matched fully I :%s/phsalt/altphs/g in the configs.. and it is still being
> matched inside net:phs.
>
> Aug 4 09:11:01 dnsmasq[22625]: DHCP packet: transaction-id is 4133013384
> Aug 4 09:11:01 dnsmasq[22625]: Available DHCP range: 10.20.0.17 -- 10.20.1.254
> Aug 4 09:11:01 dnsmasq[22625]: Vendor class: Hewlett-Packard JetDirect
> Aug 4 09:11:01 dnsmasq[22625]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d
> Aug 4 09:11:01 dnsmasq[22625]: DHCPOFFER(em0) 10.20.0.213 00:0e:7f:3b:ba:2d
> Aug 4 09:11:01 dnsmasq[22625]: requested options: 1:netmask, 3:router, 44:netbios-ns, 6:dns-server,
> Aug 4 09:11:01 dnsmasq[22625]: requested options: 7:log-server, 12:hostname, 15:domain-name,
> Aug 4 09:11:01 dnsmasq[22625]: requested options: 22:max-datagram-reassembly, 54:server-identifier,
> Aug 4 09:11:01 dnsmasq[22625]: requested options: 58:T1, 59:T2, 69:smtp-server, 18:extension-path,
> Aug 4 09:11:01 dnsmasq[22625]: requested options: 144
> Aug 4 09:11:01 dnsmasq[22625]: tags: phs
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 1 option: 53:message-type 02
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 54:server-identifier 0a:14:00:10
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 51:lease-time 00:00:38:40
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 58:T1 00:00:1c:20
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 59:T2 00:00:31:38
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 1:netmask ff:ff:fe:00
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 28:broadcast 0a:14:01:ff
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 8 option: 15:domain-name 70:68:73:2e:70:63:73:64
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 44:netbios-ns 0a:14:00:e6
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 3:router 0a:14:00:01
> Aug 4 09:11:01 dnsmasq[22625]: sent size: 4 option: 6:dns-server 0a:14:00:10
>
> something strange I also noticed, which might also help is this:
>
> (this is a different host)
>
> Aug 4 09:10:52 dnsmasq[22625]: DHCP packet: transaction-id is 1899741050
> Aug 4 09:10:52 dnsmasq[22625]: Available DHCP range: 10.20.0.17 -- 10.20.1.254
> Aug 4 09:10:52 dnsmasq[22625]: Vendor class: Hewlett-Packard JetDirect
> Aug 4 09:10:52 dnsmasq[22625]: DHCPREQUEST(em0) 10.20.0.186 00:1b:78:19:c9:50
> Aug 4 09:10:52 dnsmasq[22625]: DHCPACK(em0) 10.20.0.186 00:1b:78:19:c9:50 hp4250-lib
> Aug 4 09:10:52 dnsmasq[22625]: requested options: 1:netmask, 3:router, 44:netbios-ns, 6:dns-server,
> Aug 4 09:10:52 dnsmasq[22625]: requested options: 7:log-server, 12:hostname, 15:domain-name,
> Aug 4 09:10:52 dnsmasq[22625]: requested options: 22:max-datagram-reassembly, 54:server-identifier,
> Aug 4 09:10:52 dnsmasq[22625]: requested options: 58:T1, 59:T2, 69:smtp-server, 18:extension-path,
> Aug 4 09:10:52 dnsmasq[22625]: requested options: 144
> Aug 4 09:10:52 dnsmasq[22625]: tags: phs, phs, known
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 1 option: 53:message-type 05
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 54:server-identifier 0a:14:00:10
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 51:lease-time 00:00:01:2c
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 58:T1 00:00:00:8a
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 59:T2 00:00:00:f7
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 1:netmask ff:ff:fe:00
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 28:broadcast 0a:14:01:ff
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 10 option: 12:hostname 68:70:34:32:35:30:2d:6c:69:62
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 22 option: 81:FQDN 01:ff:ff:68:70:34:32:35:30:2d:6c:69:62...
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 8 option: 15:domain-name 70:68:73:2e:70:63:73:64
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 44:netbios-ns 0a:14:00:e6
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 3:router 0a:14:00:01
> Aug 4 09:10:52 dnsmasq[22625]: sent size: 4 option: 6:dns-server 0a:14:00:10
>
> see the tags? phs, phs, known.
>
> clues appreciated..

I'm having difficulty tracking exactly what's going on here. Can I
suggest that you do two things:

1) Describe exactly what you're trying to achieve. There's almost
certainly a simpler way to do it.

2) Try and generate a minimal example of something that doesn't set the
"known" tag and which should. That may well be a bug.

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Aug 7 21:25:11 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Aug 7 21:28:38 2008
Subject: [Dnsmasq-discuss] dnsmasq-2.46 test release.
Message-ID: <489B5A27.6030400@thekelleys.org.uk>

I've put a test release for dnsmasq-2.46 here:

http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.46test4.tar.gz

Main addition is the multiple domain facility.

Feedback appreciated.

Cheers,

Simon.

From richardvoigt at gmail.com Fri Aug 8 23:55:40 2008
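One way to isolate the case Simon asks for in the "#known" thread above (a host with a dhcp-host line that does not get the "known" tag), as an added example that is not dnsmasq code and was not posted by anyone on the list: group --log-dhcp output into transactions, pull out the client MAC, interface, offered or acknowledged address and the "tags:" list, and compare each transaction with the dhcp-host line for that MAC. SAMPLE_LOG is trimmed from the two transactions B. Cook posted; SAMPLE_CONF reuses the thread's dhcp-host lines plus a constructed line for 00:1b:78:19:c9:50 (the host that did get "known"), which is an assumption and not from the thread.

```python
"""Audit dnsmasq --log-dhcp output against dhcp-host lines (added example)."""
import re
from collections import OrderedDict
from typing import Dict, Iterable, List

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
RE_XID = re.compile(r"DHCP packet: transaction-id is (\d+)")
RE_MSG = re.compile(r"DHCP(DISCOVER|OFFER|REQUEST|ACK)\((\w+)\) (?:(\d+\.\d+\.\d+\.\d+) )?(" + MAC + ")")
RE_TAGS = re.compile(r"tags: (.*)$")
RE_RANGE = re.compile(r"Available DHCP range: (\S+ -- \S+)")


def parse_dhcp_hosts(conf: str) -> Dict[str, dict]:
    """{mac: {"ip": fixed address or None, "tags": [net:/set: tags]}}."""
    hosts: Dict[str, dict] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("dhcp-host="):
            continue
        mac, entry = None, {"ip": None, "tags": []}
        for fld in line[len("dhcp-host="):].split(","):
            fld = fld.strip()
            if re.fullmatch(MAC, fld, re.I):
                mac = fld.lower()
            elif re.fullmatch(r"\d+\.\d+\.\d+\.\d+", fld):
                entry["ip"] = fld
            elif fld.startswith(("net:", "set:")):
                entry["tags"].append(fld.split(":", 1)[1])
        if mac:
            hosts[mac] = entry
    return hosts


def parse_log(lines: Iterable[str]) -> "OrderedDict[str, dict]":
    """Group --log-dhcp lines by transaction-id; a new id starts a new group."""
    txs: "OrderedDict[str, dict]" = OrderedDict()
    cur = None
    for line in lines:
        m = RE_XID.search(line)
        if m:
            cur = txs.setdefault(m.group(1), {"mac": None, "iface": None, "ip": None,
                                                "tags": [], "range": None, "types": []})
            continue
        if cur is None:
            continue
        m = RE_MSG.search(line)
        if m:
            kind, iface, ip, mac = m.groups()
            cur["types"].append(kind)
            cur["iface"], cur["mac"] = iface, mac.lower()
            if kind in ("OFFER", "ACK"):
                cur["ip"] = ip          # the address dnsmasq actually handed out
            continue
        m = RE_TAGS.search(line)
        if m:
            cur["tags"] = [t.strip() for t in m.group(1).split(",")]
            continue
        m = RE_RANGE.search(line)
        if m:
            cur["range"] = m.group(1)
    return txs


def audit(txs: Dict[str, dict], hosts: Dict[str, dict]) -> Dict[str, dict]:
    """For each transaction whose MAC has a dhcp-host line, list what disagrees."""
    report = {}
    for xid, t in txs.items():
        problems: List[str] = []
        cfg = hosts.get(t["mac"])
        if cfg is not None:
            if "known" not in t["tags"]:
                problems.append("'known' tag missing for configured host")
            for tag in cfg["tags"]:
                if tag not in t["tags"]:
                    problems.append(f"tag '{tag}' from dhcp-host not set")
            if cfg["ip"] and t["ip"] and t["ip"] != cfg["ip"]:
                problems.append(f"got {t['ip']}, dhcp-host says {cfg['ip']}")
        report[xid] = {"mac": t["mac"], "iface": t["iface"], "ip": t["ip"],
                       "tags": t["tags"], "configured": cfg is not None, "problems": problems}
    return report


SAMPLE_CONF = """\
dhcp-range=phsalt,10.20.100.2,10.20.100.254,255.255.255.0,5m
dhcp-host=00:0e:7f:3b:ba:2d,10.20.100.3,net:phsalt
dhcp-host=00:30:6e:c6:13:e6,10.20.100.57,net:phsalt
# constructed assumption: the host that did get the 'known' tag in the thread
dhcp-host=00:1b:78:19:c9:50,10.20.0.186,net:phs
"""
SAMPLE_LOG = """\
Aug  4 09:10:52 dnsmasq[22625]: DHCP packet: transaction-id is 1899741050
Aug  4 09:10:52 dnsmasq[22625]: Available DHCP range: 10.20.0.17 -- 10.20.1.254
Aug  4 09:10:52 dnsmasq[22625]: DHCPREQUEST(em0) 10.20.0.186 00:1b:78:19:c9:50
Aug  4 09:10:52 dnsmasq[22625]: DHCPACK(em0) 10.20.0.186 00:1b:78:19:c9:50 hp4250-lib
Aug  4 09:10:52 dnsmasq[22625]: tags: phs, phs, known
Aug  4 09:11:01 dnsmasq[22625]: DHCP packet: transaction-id is 4133013384
Aug  4 09:11:01 dnsmasq[22625]: Available DHCP range: 10.20.0.17 -- 10.20.1.254
Aug  4 09:11:01 dnsmasq[22625]: DHCPDISCOVER(em0) 00:0e:7f:3b:ba:2d
Aug  4 09:11:01 dnsmasq[22625]: DHCPOFFER(em0) 10.20.0.213 00:0e:7f:3b:ba:2d
Aug  4 09:11:01 dnsmasq[22625]: tags: phs
"""


def audit_sample() -> Dict[str, dict]:
    return audit(parse_log(SAMPLE_LOG.splitlines()), parse_dhcp_hosts(SAMPLE_CONF))


if __name__ == "__main__":
    for xid, r in audit_sample().items():
        print(xid, r["mac"], r["ip"], r["tags"], r["problems"] or "ok")
```

On the sample, the printer transaction is flagged three ways (no "known" tag, no "phsalt" tag, and an address outside its configured fixed one) while the hp4250-lib transaction is clean, which is exactly the contrast Simon wants narrowed down before calling it a bug.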
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Fri Aug 8 23:56:32 2008
Subject: [Dnsmasq-discuss] Question about the error message
In-Reply-To: <20080806145532.FB28.FUKUTA.SAORI@jp.fujitsu.com>
References: <20080804202627.E0E0.FUKUTA.SAORI@jp.fujitsu.com> <2e59e6970808052153n10d67dbcmc73b1ac56fe63135@mail.gmail.com> <20080806145532.FB28.FUKUTA.SAORI@jp.fujitsu.com>
Message-ID: <2e59e6970808081555g646db4e0qef47aeb78ec23958@mail.gmail.com>

On Wed, Aug 6, 2008 at 5:56 AM, Saori Fukuta wrote:
> On Wed, 6 Aug 2008 04:53:47 +0000 "richardvoigt@gmail.com" wrote:
>> On Mon, Aug 4, 2008 at 11:26 AM, Saori Fukuta wrote:
>>
>> > Hello,
>> >
>> > I got the following message at /var/log/messages,
>> >   dnsmasq[13884]: no address range available for DHCP request via eth3
>> > when I have the following steps with dnsmasq-2.39-2.el5 (on RHEL-5.2):
>> > 1. start the dnsmasq, which is started by libvirt, with the
>> >    following option.
>> >    # /usr/sbin/dnsmasq --keep-in-foreground --strict-order
>> >      --bind-interfaces --pid-file --conf-file --listen-address 192.168.122.1
>> >      --except-interface lo --dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases
>> >      --dhcp-range 192.168.122.2,192.168.122.254
>> > 2. change the network address of eth3 to '0.0.0.0'.
>> >    # ifconfig eth3 0 up
>> > 3. dnsmasq receives the DHCPINFORM message from DHCP servers of
>> >    Windows 2003 server.
>> >    # tethereal -i eth3
>> >      5.521471 10.123.234.11 -> 255.255.255.255 DHCP DHCP Inform -
>> >      Transaction ID 0xbe180000
>> >
>> > Do you know why the message appeared? Please tell me the meaning of
>> > this message.
>>
>> If you are serving DHCP addresses on that subnet from a Windows 2003 server,
>> you should not enable dnsmasq's dhcp listener on that interface. Right now,
>> you're asking for DHCP operation of every interface except 'lo'.
>
> Thank you for your reply!
> I understood that I should not enable that option with Windows 2003 server,
> but why should dnsmasq's dhcp not listen to the Windows 2003 server?
> Is there any difference between Linux server and Windows server?

Are you trying to get an address for eth3, or give out addresses to other
computers in the subnet?

In the first case, you should use dhclient or dhcpc, as dnsmasq does not
request an address from other computers.

In the second case, you should use either dnsmasq or Windows to give out
addresses, but not both. If dnsmasq is not meant to give out addresses, do
not enable dnsmasq's dhcp server on that interface.

> In such a case, how can I specify the dnsmasq's option?
> For example, should I specify "--interface" option with the interface
> which is not served DHCP addresses from a Windows 2003 server?

You should use the --no-dhcp-interface option, as in

--no-dhcp-interface=eth3

> thank you
>
> Saori.

From richardvoigt at gmail.com Fri Aug 8 23:59:56 2008
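A small log check for the situation in this thread, as an added example that is not dnsmasq code and was not posted by anyone on the list. "no address range available for DHCP request via eth3" is what dnsmasq logs when its DHCP server hears a request on an interface for which it has no dhcp-range; here the sender was a Windows 2003 DHCP server on that segment, and a second DHCP server on a segment dnsmasq is meant to serve is worth noticing in any case. The functions below count those messages per interface, read the interfaces already excluded with --no-dhcp-interface from the command line dnsmasq was started with (accepting both the `=` and the space-separated argument forms), and suggest that option for the rest, as Richard recommends. The log lines and command line are constructed, modelled on the ones in the thread (the `--no-dhcp-interface=eth4` on the sample command line is an assumption).

```python
"""Per-interface count of DHCP requests dnsmasq could not serve (added example)."""
import re
import shlex
from collections import Counter
from typing import Iterable, List, Set

# Older releases log as dnsmasq[pid]; later ones use dnsmasq-dhcp[pid] for DHCP lines.
RE_NO_RANGE = re.compile(
    r"dnsmasq(?:-dhcp)?\[\d+\]: no address range available for DHCP request via (\S+)"
)


def count_unserved_requests(lines: Iterable[str]) -> Counter:
    """Number of 'no address range available' messages, keyed by interface."""
    counts: Counter = Counter()
    for line in lines:
        m = RE_NO_RANGE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def excluded_dhcp_interfaces(cmdline: str) -> Set[str]:
    """Interfaces already named by --no-dhcp-interface on the command line."""
    args = shlex.split(cmdline)
    excluded: Set[str] = set()
    for i, arg in enumerate(args):
        if arg.startswith("--no-dhcp-interface="):
            excluded.add(arg.split("=", 1)[1])
        elif arg == "--no-dhcp-interface" and i + 1 < len(args):
            excluded.add(args[i + 1])
    return excluded


def suggest_exclusions(lines: Iterable[str], cmdline: str) -> List[str]:
    """--no-dhcp-interface options for interfaces that saw unserved requests
    and are not excluded yet."""
    counts = count_unserved_requests(lines)
    already = excluded_dhcp_interfaces(cmdline)
    return [f"--no-dhcp-interface={iface}" for iface in sorted(counts) if iface not in already]


# Constructed sample input, modelled on the thread (hostname, times and MACs made up).
SAMPLE_LOG = """\
Aug  4 11:26:01 vmhost dnsmasq[13884]: no address range available for DHCP request via eth3
Aug  4 11:26:05 vmhost dnsmasq[13884]: no address range available for DHCP request via eth3
Aug  4 11:26:09 vmhost dnsmasq[13884]: DHCPDISCOVER(virbr0) 52:54:00:12:34:56
Aug  4 11:26:09 vmhost dnsmasq[13884]: DHCPOFFER(virbr0) 192.168.122.10 52:54:00:12:34:56
Aug  4 11:27:00 vmhost dnsmasq[13884]: no address range available for DHCP request via eth4
"""
SAMPLE_CMDLINE = (
    "/usr/sbin/dnsmasq --keep-in-foreground --strict-order --bind-interfaces "
    "--pid-file --conf-file --listen-address 192.168.122.1 --except-interface lo "
    "--dhcp-leasefile=/var/lib/libvirt/dhcp-default.leases "
    "--dhcp-range 192.168.122.2,192.168.122.254 "
    "--no-dhcp-interface=eth4"   # assumption: eth4 already excluded by the admin
)

if __name__ == "__main__":
    print(count_unserved_requests(SAMPLE_LOG.splitlines()))
    print(suggest_exclusions(SAMPLE_LOG.splitlines(), SAMPLE_CMDLINE))
```

Only eth3 is suggested for the sample, because eth4 is already covered on the command line; the virbr0 transactions are normal libvirt traffic and are ignored.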
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Sat Aug 9 00:00:47 2008
Subject: My Emailiases: Re: My Emailiases: [Dnsmasq-discuss] multiple domain support - question
In-Reply-To: <48996D3B.8030102@thekelleys.org.uk>
References: <4896C638.7080509@thekelleys.org.uk> <48974064.8090301@snugmail.com> <489753E6.4000608@thekelleys.org.uk> <48985866.5030906@thekelleys.org.uk> <2e59e6970808052221l19792252pddb7c9cf8e641329@mail.gmail.com> <48996D3B.8030102@thekelleys.org.uk>
Message-ID: <2e59e6970808081559x61ef2ff4xbf9eaef122ee8556@mail.gmail.com>

On Wed, Aug 6, 2008 at 9:22 AM, Simon Kelley wrote:
> richardvoigt@gmail.com wrote:
>>
>> However useful sounding, I submit to you that this is broken.
>>
>> If you are connected on wireless, you get a lease, the name is
>> associated to wireless.
>> When you connect on wired, the name is associated to the wired address.
>> When you disconnect from wired, the wireless lease may still be valid
>> (why wouldn't it be?), so the dnsmasq server isn't contacted and
>> doesn't update the name back to the wireless address.
>>
> I've never come across a DHCP client that doesn't move to INIT-REBOOT
> state when it loses and regains a network connection, or some
> equivalent. In practice this means that when the wireless connection is
> re-established, the client renews the lease even if it has local
> information that says the lease has not yet expired. That moves the
> name->address mapping back to the wireless address and all is good.
>
> Works for me.
>
> Of course if the wireless interface is left up whilst using the wired
> one, the situation you describe can happen, but so can other problems
> with default routes and controlling which interface is actually used.

I was addressing this latter scenario. Routing is usually not a problem because metrics resolve the ambiguity and can be easily set to prefer sending traffic through the wired (or best) connection.

Are you running a script to specially disable the wireless connection when the wired link comes up?

> Cheers,
>
> Simon.
>
>>> Cheers,
>>>
>>> Simon.

From fukuta.saori at jp.fujitsu.com Mon Aug 11 09:36:05 2008
From: fukuta.saori at jp.fujitsu.com (Saori Fukuta)
Date: Mon Aug 11 09:37:06 2008
Subject: [Dnsmasq-discuss] Question about the error message
In-Reply-To: <2e59e6970808081555g646db4e0qef47aeb78ec23958@mail.gmail.com>
References: <20080806145532.FB28.FUKUTA.SAORI@jp.fujitsu.com> <2e59e6970808081555g646db4e0qef47aeb78ec23958@mail.gmail.com>
Message-ID: <20080811173501.AB1B.FUKUTA.SAORI@jp.fujitsu.com>

On Fri, 8 Aug 2008 22:55:40 +0000 "richardvoigt@gmail.com" wrote:
> On Wed, Aug 6, 2008 at 5:56 AM, Saori Fukuta wrote:
> > Thank you for your reply! I understood that I should not enable
> > that option with Windows 2003 server, but why should not dnsmasq's
> > dhcp listen from Windows 2003 server?
> > Is there any difference between Linux server and Windows server?
>
> Are you trying to get an address for eth3, or give out addresses to
> other computers in the subnet?

This is more like the second case. Actually, I am trying to give addresses to Guest Domains on the virtualization system by using dnsmasq.

(c.f.) http://libvirt.org/archnetwork.html

+--------------------------------+
l Domain-0                       l
l # dnsmasq                      l
l   as DHCP server               l     +-----------------+
l                                l     l GuestA          l
l dnsmasq is started by libvirt  l     l +-------------+ l
l as a virtual network.          +-----> l DHCP client l l
l                                l     l +-------------+ l
l dnsmasq is a DHCP server       l     +-----------------+
l for GuestA and GuestB.         l
l                                l     +-----------------+
l But that is not to give out    l     l GuestB          l
l addresses to other computers.  l     l +-------------+ l
l                                +-----> l DHCP client l l
l                                l     l +-------------+ l
l                                l     +-----------------+
l  +------+  +------+  +------+  l
+--+ eth1 +--+ eth2 +--+ eth3 +--+
   +------+  +------+  +------+
   x.x.x.x   y.y.y.y   0.0.0.0

> You should use the --no-dhcp-interface option, as in --no-dhcp-interface=eth3

I can prevent the message by using the '--no-dhcp-interface=eth3' option. If I want to give addresses to only the Guest Domains, I should use the '--no-dhcp-interface' option for all interfaces, as in '--no-dhcp-interface=eth1,eth2,eth3'.

And dnsmasq shows the following message because dnsmasq cannot assign a new IP address for that interface, which has '0.0.0.0'.

dnsmasq[13884]: no address range available for DHCP request via eth3

Is that right?

Regards,
Saori.

From joju at math.uni-paderborn.de Tue Aug 12 17:23:11 2008
From: joju at math.uni-paderborn.de (joerg jungermann)
Date: Tue Aug 12 17:24:05 2008
Subject: [Dnsmasq-discuss] Conditional sending of different DHCP-Options
Message-ID: <48A1B8EF.2000802@math.uni-paderborn.de>

Hi!

I have the following setup here:
- DNSMasq 2.41 on an OpenWrt box. (192.168.137.1/wrt)
- A DBOX2 in Debug Mode I want to boot via BOOTP/DHCP/TFTP. (192.168.137.14)

The problem: The DBOX refuses to boot, because a certain file 'uboot.0' is sent twice.

On WRT dnsmasq is called in the following way:
/usr/sbin/dnsmasq -K -D -y -Z -b -E -s lan -S /lan/ -l /var/cache/dhcp.leases -r /tmp/resolv.conf.auto --dhcp-range=lan,192.168.137.34,192.168.137.63,255.255.255.0,12h -I ppp0

The file /etc/dnsmasq.conf contains the following:
## /etc/dnsmasq.conf
## user dns masq is running as
user=root
## log dns queries
#log-queries
## enable dhcp logging
log-dhcp
## tftp base
enable-tftp
tftp-root=/mnt/tftproot
#- default netboot
dhcp-boot=/tftpboot/pxelinux.0
#- i386 netboot
dhcp-boot=net:i386pxe,/tftpboot/pxelinux.0,wrt.lan,192.168.137.1
#- DBox2 netboot setup
dhcp-host=00:50:9c:12:34:56,bibu.lan,ignore
dhcp-boot=net:dbox2-uboot,/tftpboot/dbox/uboot.0,wrt.lan,192.168.137.1
dhcp-mac=dbox2-uboot,00:50:9c:*:*:*
# "DBOX2, EMPTY" is the complete string for yadi cdk-uboot,
# but dnsmasq searches for a substring
dhcp-boot=net:dbox2-kernel,/tftpboot/dbox/kernel,wrt.lan,192.168.137.1
#dhcp-vendorclass=dbox2-kernel,DBOX2, EMPTY
dhcp-vendorclass=dbox2-kernel,DBOX2

At first (stage1) the embedded bootloader of the DBOX2 requests an IP + some options, e.g. the bootfile uboot.0, via BOOTP.

Then (stage2) uboot.0 is started and requests an IP + boot options via DHCP. The vendor class is "DBOX2, EMPTY" (obtained via tcpdump/wireshark), so the line
dhcp-vendorclass=dbox2-kernel,DBOX2
should match.

Here is the syslog extract:
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: Available DHCP range: 192.168.137.34 -- 192.168.137.63
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: next server: 192.168.137.1
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: bootfile name: /tftpboot/dbox/uboot.0
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: server name: wrt.troja
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: BOOTP(br-lan) 192.168.137.14 00:50:9c:12:34:56
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: tags: lan, bootp, known, dbox2-uboot
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 1:netmask ff:ff:ff:00
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 28:broadcast c0:a8:89:ff
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 3:router c0:a8:89:01
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 6:dns-server c0:a8:89:01
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 5 option: 15:domain-name 74:72:6f:6a:61
Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 12:hostname 62:69:62:75
Aug 12 18:08:52 wrt daemon.info dnsmasq[369]: TFTP sent /mnt/tftproot/tftpboot/dbox/uboot.0 to 192.168.137.14
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCP packet: transaction-id is 827861916
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: Available DHCP range: 192.168.137.34 -- 192.168.137.63
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPDISCOVER(br-lan) 00:50:9c:12:34:56
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPOFFER(br-lan) 192.168.137.14 00:50:9c:12:34:56
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: next server: 192.168.137.1
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: bootfile name: /tftpboot/dbox/uboot.0
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: server name: wrt.troja
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: tags: lan, known, dbox2-uboot
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 1 option: 53:message-type 02
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 54:server-identifier c0:a8:89:01
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 51:lease-time 00:00:a8:c0
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 58:T1 00:00:54:60
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 59:T2 00:00:93:a8
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 1:netmask ff:ff:ff:00
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 28:broadcast c0:a8:89:ff
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 3:router c0:a8:89:01
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 6:dns-server c0:a8:89:01
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 5 option: 15:domain-name 74:72:6f:6a:61
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 12:hostname 62:69:62:75
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCP packet: transaction-id is 827861916
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: Available DHCP range: 192.168.137.34 -- 192.168.137.63
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPREQUEST(br-lan) 192.168.137.14 00:50:9c:12:34:56
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPACK(br-lan) 192.168.137.14 00:50:9c:12:34:56 bibu
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: next server: 192.168.137.1
Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: bootfile name: /tftpboot/dbox/uboot.0

The first autoconfiguration request is done via BOOTP, so I have no chance to match on this.

The second request is, as you can see, done via DHCP. Wireshark says there is option 60 (vendor class) in the request with content "DBOX2, EMPTY".
So the line
dhcp-vendorclass=dbox2-kernel,DBOX2
should match, but the boot file is still /mnt/tftproot/tftpboot/dbox/uboot.0 instead of /tftpboot/dbox/kernel.

The pcap file I have omitted, yet, because I think all relevant facts are in here. I can reproduce and make it available for download if needed.

Do you have a hint where to look in the documentation, or what settings I can try to solve this issue?

There has been a similar problem on this list, but it was not solved, because the poster did not answer on the list [1]. Perhaps we're now able to solve it with more information provided.

kind regards
joerg jungermann

[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2006q1/000651.html

From joju at math.uni-paderborn.de Tue Aug 12 17:34:40 2008
From: joju at math.uni-paderborn.de (joerg jungermann)
Date: Tue Aug 12 17:35:31 2008
Subject: [Dnsmasq-discuss] Re: Conditional sending of different DHCP-Options
In-Reply-To: <48A1B8EF.2000802@math.uni-paderborn.de>
References: <48A1B8EF.2000802@math.uni-paderborn.de>
Message-ID: <48A1BBA0.6010209@math.uni-paderborn.de>

Hi!

[...]
> The file /etc/dnsmasq.conf contains the following:
> [...]
> dhcp-host=00:50:9c:12:34:56,bibu.lan,ignore
> [...]

Sorry, there is a mistake in the configuration. Just ignore this line in the configuration. It is just to disable dhcp for this host.

kind regards
joerg jungermann

From bcook at poughkeepsieschools.org Tue Aug 12 18:22:21 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Tue Aug 12 18:23:14 2008
Subject: [Dnsmasq-discuss] --dhcp-fqdn example?
Message-ID: <81121565-6C47-493A-868B-ED4CBFD5B437@poughkeepsieschools.org>

Hello All,

trying to figure out how to use the new option..

I have things like this:

dnsmasq.cli.dhcp:dhcp-option=cli,option:domain-name,cli.pcsd # Domain
dnsmasq.kri.dhcp:dhcp-option=kri,option:domain-name,kri.pcsd # Domain
dnsmasq.phs.dhcp:dhcp-option=net:phs,option:domain-name,phs.pcsd # Domain
dnsmasq.smi.dhcp:dhcp-option=smi,option:domain-name,smi.pcsd # Domain
dnsmasq.war.dhcp:dhcp-option=war,option:domain-name,war.pcsd # Domain

and in my global dnsmasq.conf I have domain=phs.pcsd

everyone still gets phs.pcsd as their domain name..

root@core [/usr/local/etc/dnsmasq]# 84 > ping 10126kribarclay
PING 10126kribarclay.phs.pcsd (10.20.4.125): 56 data bytes
64 bytes from 10.20.4.125: icmp_seq=0 ttl=126 time=163.191 ms
64 bytes from 10.20.4.125: icmp_seq=1 ttl=126 time=75.766 ms
^C
--- 10126kribarclay.phs.pcsd ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 75.766/119.478/163.191/43.713 ms

root@core [/usr/local/etc/dnsmasq]# 85 > grep 10.20.4 *
dnsmasq.kri.dhcp:dhcp-option=kri,option:router,10.20.4.1
dnsmasq.kri.dhcp:dhcp-range=kri,10.20.4.2,10.20.5.254,255.255.254.0,4h
dnsmasq.kri.dhcp:dhcp-option=kri,option:domain-name,kri.pcsd # Domain
dnsmasq.kri.dhcp:dhcp-host=00:1c:23:1f:59:35,net:kri # 10126kribarclay

what am I missing?

Thanks in advance..

From rune.kock at gmail.com Wed Aug 13 01:30:12 2008
From: rune.kock at gmail.com (Rune Kock)
Date: Wed Aug 13 01:31:04 2008
Subject: [Dnsmasq-discuss] Possible instability of DNS in 2.45
In-Reply-To:
References:
Message-ID:

After running fine for over a week, my router with dnsmasq 2.45 became very unwilling to answer DNS queries (only a few succeeded). Dumping the statistics showed that a significant number of upstream queries had failed. Restarting the router solved the problem.

I realise that this is an incredibly useless bug-report. I'm not even sure that it is a dnsmasq problem. So please, Simon, don't waste your time on this yet. I'm only posting this to find out if anyone else has experienced something similar.

I have now enabled log-queries, and I hope that it will tell me what happens, should the problem reappear. I'll report back when I know more, but as the problem seems to be infrequent, it may take a long time.

Rune

From simon at thekelleys.org.uk Wed Aug 13 16:05:11 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 13 16:05:55 2008
Subject: [Dnsmasq-discuss] --dhcp-fqdn example?
In-Reply-To: <81121565-6C47-493A-868B-ED4CBFD5B437@poughkeepsieschools.org>
References: <81121565-6C47-493A-868B-ED4CBFD5B437@poughkeepsieschools.org>
Message-ID: <48A2F827.1050504@thekelleys.org.uk>

B. Cook wrote:
> Hello All,
>
> trying to figure out how to use the new option..
>
> I have things like this:
>
> dnsmasq.cli.dhcp:dhcp-option=cli,option:domain-name,cli.pcsd # Domain
> dnsmasq.kri.dhcp:dhcp-option=kri,option:domain-name,kri.pcsd # Domain
> dnsmasq.phs.dhcp:dhcp-option=net:phs,option:domain-name,phs.pcsd # Domain
> dnsmasq.smi.dhcp:dhcp-option=smi,option:domain-name,smi.pcsd # Domain
> dnsmasq.war.dhcp:dhcp-option=war,option:domain-name,war.pcsd # Domain
>
> and in my global dnsmasq.conf
>
> I have domain=phs.pcsd
>
> everyone still gets phs.pcsd as their domain name..
>
> root@core [/usr/local/etc/dnsmasq]# 84 > ping 10126kribarclay
> PING 10126kribarclay.phs.pcsd (10.20.4.125): 56 data bytes
> 64 bytes from 10.20.4.125: icmp_seq=0 ttl=126 time=163.191 ms
> 64 bytes from 10.20.4.125: icmp_seq=1 ttl=126 time=75.766 ms
> ^C
> --- 10126kribarclay.phs.pcsd ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 75.766/119.478/163.191/43.713 ms
>
> root@core [/usr/local/etc/dnsmasq]# 85 > grep 10.20.4 *
> dnsmasq.kri.dhcp:dhcp-option=kri,option:router,10.20.4.1
> dnsmasq.kri.dhcp:dhcp-range=kri,10.20.4.2,10.20.5.254,255.255.254.0,4h
> dnsmasq.kri.dhcp:dhcp-option=kri,option:domain-name,kri.pcsd # Domain
> dnsmasq.kri.dhcp:dhcp-host=00:1c:23:1f:59:35,net:kri # 10126kribarclay
>
> what am I missing?

It doesn't work the way you think it does, even though the way you think it works is quite sensible. I've decided to try and answer this by giving a comprehensive explanation of the way names and domains are generated for hosts, and what that data is used for. I hope that this will be generally useful information.

So, for each DHCP client, we generate a name, which is unqualified (ie no period.) and a domain.

First the name. If there is a matching dhcp-host which includes a name, we use that; if the name in the dhcp-host part is qualified (ie it has a domain part) that is stripped off. If there's no dhcp-host with a name, use a hostname provided by the client as part of the DHCP request.

Second, the domain. This is always generated from a "domain=" line, so it depends only on the IP address of the DHCP client. If the client supplies a domain, that is _not_ used. Once the domain is determined, it's compared against any domain from a dhcp-host line or from the client. If they don't match, a warning is logged.

Now, we have a name and a domain, what happens to them? They are used to create DNS entries, and they are sent back to the client as part of the DHCP protocol.

First DNS. The default behaviour is that DNS entries are created for both <name> and <name>.<domain>. If --dhcp-fqdn is set, then only <name>.<domain> is put into the DNS.

Second DHCP. The name and the domain are sent as DHCP options back to the host, unless there are dhcp-option lines which tell dnsmasq to do something else. Note that sending a different domain as a DHCP option doesn't affect the DNS stuff in the paragraph before this one.

So: you probably need to ditch the
dhcp-option=kri,option:domain-name,kri.pcsd
lines, and replace them with something like
domain=kri.pcsd,10.20.4.0/25
to set the domain for a particular subnet to the correct value.

HTH.

Simon.

From simon at thekelleys.org.uk Wed Aug 13 16:20:34 2008
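The name/domain procedure Simon lays out above, worked through as an added example (not dnsmasq's code): it compares B. Cook's configuration, where the per-tag dhcp-option override changes what the client is told but not what goes into DNS, against Simon's suggested domain=kri.pcsd,10.20.4.0/25 line. The Config class, the tag-keyed override lookup and the sample values not taken from the thread are assumptions of this model.

```python
"""Model of how dnsmasq derives a DHCP client's name, domain, DNS entries and
DHCP domain option, following Simon's explanation in the thread above.
Added illustration, not dnsmasq's own code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Config:
    # domain= lines as (domain, subnet); subnet None is the bare global line
    domain_lines: list
    # dhcp-host entries: MAC -> name, which may be qualified ("bibu.lan")
    dhcp_hosts: dict
    # dhcp-option=<tag>,option:domain-name,<value> lines keyed by tag
    # (hypothetical model of how such an override is looked up)
    domain_option_by_tag: dict = field(default_factory=dict)
    dhcp_fqdn: bool = False


def domain_for(ip, domain_lines):
    """The domain depends only on the client's address: the most specific
    matching domain=<domain>,<subnet> line wins, else the bare domain= line."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for domain, subnet in domain_lines:
        if subnet is None:
            prefixlen, hit = 0, True            # global default, least specific
        else:
            net = ipaddress.ip_network(subnet)
            prefixlen, hit = net.prefixlen, addr in net
        if hit and prefixlen > best_len:
            best, best_len = domain, prefixlen
    return best


def derive(cfg, mac, ip, tags=(), client_hostname=None, client_domain=None):
    """Return what would go into DNS and what DHCP option 15 would carry."""
    warnings = []
    # First the name: a dhcp-host name wins, with any domain part stripped off;
    # otherwise the hostname the client supplied in its request.
    entry = cfg.dhcp_hosts.get(mac.lower())
    if entry:
        name, _, host_domain = entry.partition(".")
    else:
        name, host_domain = client_hostname, ""
    # Second the domain: only domain= lines decide it, keyed on the address.
    domain = domain_for(ip, cfg.domain_lines)
    # A domain from dhcp-host or from the client is compared, never used.
    for source, other in (("dhcp-host", host_domain), ("client", client_domain)):
        if other and other != domain:
            warnings.append(f"{source} domain {other!r} does not match {domain!r}")
    # DNS: <name> and <name>.<domain>, or only the latter under --dhcp-fqdn.
    dns = []
    if name:
        if not cfg.dhcp_fqdn or not domain:
            dns.append(name)
        if domain:
            dns.append(f"{name}.{domain}")
    # DHCP: option 15 carries the domain unless a dhcp-option line for one of
    # the client's tags overrides it; that override never reaches DNS.
    option15 = domain
    for tag in tags:
        option15 = cfg.domain_option_by_tag.get(tag, option15)
    return {"name": name, "domain": domain, "dns": dns,
            "option15": option15, "warnings": warnings}


# Constructed from B. Cook's files: global domain=phs.pcsd, the kri tag's
# dhcp-option override and the dhcp-host for 10126kribarclay.
BEFORE = Config(
    domain_lines=[("phs.pcsd", None)],
    dhcp_hosts={"00:1c:23:1f:59:35": "10126kribarclay"},
    domain_option_by_tag={"kri": "kri.pcsd"},
)
# Simon's suggestion: drop the override, add domain=kri.pcsd,10.20.4.0/25.
AFTER = Config(
    domain_lines=[("phs.pcsd", None), ("kri.pcsd", "10.20.4.0/25")],
    dhcp_hosts={"00:1c:23:1f:59:35": "10126kribarclay"},
)


def compare():
    """The kri client at 10.20.4.125 under both configurations."""
    args = ("00:1c:23:1f:59:35", "10.20.4.125")
    return derive(BEFORE, *args, tags=("kri",)), derive(AFTER, *args, tags=("kri",))


if __name__ == "__main__":
    before, after = compare()
    print("before:", before)   # option15 kri.pcsd, but DNS says ...phs.pcsd
    print("after: ", after)    # DNS now 10126kribarclay.kri.pcsd
```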
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 13 16:21:18 2008
Subject: [Dnsmasq-discuss] Conditional sending of different DHCP-Options
In-Reply-To: <48A1B8EF.2000802@math.uni-paderborn.de>
References: <48A1B8EF.2000802@math.uni-paderborn.de>
Message-ID: <48A2FBC2.8040707@thekelleys.org.uk>

joerg jungermann wrote:
> Hi!
>
> I have the following setup here:
> - DNSMasq 2.41 on an OpenWrt box. (192.168.137.1/wrt)
> - A DBOX2 in Debug Mode I want to boot via BOOTP/DHCP/TFTP. (192.168.137.14)
>
> The problem: The DBOX refuses to boot, because a certain file 'uboot.0'
> is sent twice.
>
> On WRT dnsmasq is called in the following way:
> /usr/sbin/dnsmasq -K -D -y -Z -b -E -s lan -S /lan/ -l
> /var/cache/dhcp.leases -r /tmp/resolv.conf.auto
> --dhcp-range=lan,192.168.137.34,192.168.137.63,255.255.255.0,12h -I ppp0
>
> The file /etc/dnsmasq.conf contains the following:
> ## /etc/dnsmasq.conf
> ## user dns masq is running as
> user=root
> ## log dns queries
> #log-queries
> ## enable dhcp logging
> log-dhcp
> ## tftp base
> enable-tftp
> tftp-root=/mnt/tftproot
> #- default netboot
> dhcp-boot=/tftpboot/pxelinux.0
> #- i386 netboot
> dhcp-boot=net:i386pxe,/tftpboot/pxelinux.0,wrt.lan,192.168.137.1
> #- DBox2 netboot setup
> dhcp-host=00:50:9c:12:34:56,bibu.lan,ignore
> dhcp-boot=net:dbox2-uboot,/tftpboot/dbox/uboot.0,wrt.lan,192.168.137.1
> dhcp-mac=dbox2-uboot,00:50:9c:*:*:*
> # "DBOX2, EMPTY" is the complete string for yadi cdk-uboot,
> # but dnsmasq searches for a substring
> dhcp-boot=net:dbox2-kernel,/tftpboot/dbox/kernel,wrt.lan,192.168.137.1
> #dhcp-vendorclass=dbox2-kernel,DBOX2, EMPTY
> dhcp-vendorclass=dbox2-kernel,DBOX2
>
> At first (stage1) the embedded bootloader of the DBOX2 requests an IP +
> some options, e.g. the bootfile uboot.0, via BOOTP.
>
> Then (stage2) uboot.0 is started and requests an IP + boot options via DHCP.
> The vendor class is "DBOX2, EMPTY" (obtained via tcpdump/wireshark), so
> the line
> dhcp-vendorclass=dbox2-kernel,DBOX2
> should match.

dnsmasq logs the vendor-class when log-dhcp is on, and it's not doing so here, so the vendor class is not being picked up. That's enough to explain the problems you are having. Could you send me a dump of the packet which has the vendor-class ID in it, so I can check what's happening?

>
> Here is the syslog extract:
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: Available DHCP range: 192.168.137.34 -- 192.168.137.63
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: next server: 192.168.137.1
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: bootfile name: /tftpboot/dbox/uboot.0
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: server name: wrt.troja
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: BOOTP(br-lan) 192.168.137.14 00:50:9c:12:34:56
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: tags: lan, bootp, known, dbox2-uboot
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 1:netmask ff:ff:ff:00
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 28:broadcast c0:a8:89:ff
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 3:router c0:a8:89:01
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 6:dns-server c0:a8:89:01
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 5 option: 15:domain-name 74:72:6f:6a:61
> Aug 12 18:08:51 wrt daemon.info dnsmasq[369]: sent size: 4 option: 12:hostname 62:69:62:75
> Aug 12 18:08:52 wrt daemon.info dnsmasq[369]: TFTP sent /mnt/tftproot/tftpboot/dbox/uboot.0 to 192.168.137.14
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCP packet: transaction-id is 827861916
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: Available DHCP range: 192.168.137.34 -- 192.168.137.63
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPDISCOVER(br-lan) 00:50:9c:12:34:56
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPOFFER(br-lan) 192.168.137.14 00:50:9c:12:34:56
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: next server: 192.168.137.1
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: bootfile name: /tftpboot/dbox/uboot.0
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: server name: wrt.troja
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: tags: lan, known, dbox2-uboot
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 1 option: 53:message-type 02
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 54:server-identifier c0:a8:89:01
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 51:lease-time 00:00:a8:c0
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 58:T1 00:00:54:60
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 59:T2 00:00:93:a8
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 1:netmask ff:ff:ff:00
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 28:broadcast c0:a8:89:ff
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 3:router c0:a8:89:01
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 6:dns-server c0:a8:89:01
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 5 option: 15:domain-name 74:72:6f:6a:61
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: sent size: 4 option: 12:hostname 62:69:62:75
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCP packet: transaction-id is 827861916
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: Available DHCP range: 192.168.137.34 -- 192.168.137.63
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPREQUEST(br-lan) 192.168.137.14 00:50:9c:12:34:56
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: DHCPACK(br-lan) 192.168.137.14 00:50:9c:12:34:56 bibu
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: next server: 192.168.137.1
> Aug 12 18:08:54 wrt daemon.info dnsmasq[369]: bootfile name: /tftpboot/dbox/uboot.0
>
>
> The first autoconfiguration request is done via BOOTP, so I have no
> chance to match on this.

in that case, just use the "built-in" tag bootp, but that might not be enough to distinguish PXE, which you seem to have in there too.

> The second request is, as you can see, done via DHCP. Wireshark
> says there is option 60 (vendor class) in the request with content "DBOX2,
> EMPTY".
> So the line
> dhcp-vendorclass=dbox2-kernel,DBOX2
> should match, but the boot file is still
> /mnt/tftproot/tftpboot/dbox/uboot.0 instead of /tftpboot/dbox/kernel.
>
> The pcap file I have omitted, yet, because I think all relevant facts
> are in here. I can reproduce and make it available for download if needed.

Yes please.

>
> Do you have a hint where to look in the documentation, or what settings I can
> try to solve this issue?
>
> There has been a similar problem on this list, but it was not solved,
> because the poster did not answer on the list [1]. Perhaps we're now able
> to solve it with more information provided.
>
> kind regards
> joerg jungermann
>
> [1]
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2006q1/000651.html
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From simon at thekelleys.org.uk Wed Aug 13 16:37:41 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 13 16:38:25 2008
Subject: [Dnsmasq-discuss] Possible instability of DNS in 2.45
In-Reply-To:
References:
Message-ID: <48A2FFC5.9040100@thekelleys.org.uk>

Rune Kock wrote:
> After running fine for over a week, my router with dnsmasq 2.45 became
> very unwilling to answer DNS queries (only a few succeeded). Dumping
> the statistics showed that a significant number of upstream queries
> had failed. Restarting the router solved the problem.
>
> I realise that this is an incredibly useless bug-report. I'm not even
> sure that it is a dnsmasq problem. So please, Simon, don't waste your
> time on this yet. I'm only posting this to find out if anyone else
> has experienced something similar.
>
> I have now enabled log-queries, and I hope that it will tell me what
> happens, should the problem reappear. I'll report back when I know
> more, but as the problem seems to be infrequent, it may take a long
> time.

Thanks for that: if you see that problem again, running strace -p for a couple of minutes and saving the results may be useful, it will give information helpful in tracing any problems with the port-randomisation code.

Cheers,

Simon.

>
> Rune
>

From xerces8 at butn.net Wed Aug 13 17:37:55 2008
From: xerces8 at butn.net (xerces8)
Date: Wed Aug 13 17:38:56 2008
Subject: [Dnsmasq-discuss] Possible instability of DNS in 2.45
In-Reply-To:
References:
Message-ID:

Rune Kock wrote:
> After running fine for over a week, my router with dnsmasq 2.45 became
> very unwilling to answer DNS queries (only a few succeeded). Dumping
> the statistics showed that a significant number of upstream queries
> had failed. Restarting the router solved the problem.

You might also consider restarting only dnsmasq instead of the entire router. (to see if the restart of dnsmasq helps or something else has to be restarted ...)

Regards,
David

From joju at math.uni-paderborn.de Thu Aug 14 09:21:32 2008
From: joju at math.uni-paderborn.de (joerg jungermann)
Date: Thu Aug 14 09:22:25 2008
Subject: [Dnsmasq-discuss] Conditional sending of different DHCP-Options
In-Reply-To: <48A34CDA.6040305@thekelleys.org.uk>
References: <48A1B8EF.2000802@math.uni-paderborn.de> <48A2FBC2.8040707@thekelleys.org.uk> <48A3492D.3040204@math.uni-paderborn.de> <48A34CDA.6040305@thekelleys.org.uk>
Message-ID: <48A3EB0C.6070004@math.uni-paderborn.de>

Hi!

Simon Kelley wrote:
>>>> Then (stage2) uboot.0 is started and requests an IP + boot options via DHCP.
>>>> The vendor class is "DBOX2, EMPTY" (obtained via tcpdump/wireshark)
>>>> , so
>>>> the line
>>>> dhcp-vendorclass=dbox2-kernel,DBOX2
>>>> should match.
>>>
>>> dnsmasq logs the vendor-class when log-dhcp is on, and it's not doing so
>>> here, so the vendor class is not being picked up. That's enough to
>>> explain the problems you are having. Could you send me a dump of the
>>> packet which has the vendor-class ID in it, so I can check what's
>>> happening?
>>
>> I see. Have a look at http://[...] please.
> Got it, thanks.
>
> The obvious thing there is that the DHCP packets from the client are
> subtly wrong, they are messing the "end" option. I think that this is
> interacting with a bug in dnsmasq which means that the last option in
> the packet does not get recognised. Normally this is the "end" option,
> so it doesn't matter, but in this case it's the vendor-class option, so
> that is being missed.
>
> Can you easily upgrade dnsmasq to version 2.45, the latest? I believe
> that this bug was fixed in 2.43 and just doing the upgrade should fix
> the problem.

Upgrading to 2.45 fixes this problem.

Thanks.

cya

From simon at thekelleys.org.uk Thu Aug 14 09:47:51 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Aug 14 09:48:42 2008
Subject: [Dnsmasq-discuss] Conditional sending of different DHCP-Options
In-Reply-To: <48A3EB0C.6070004@math.uni-paderborn.de>
References: <48A1B8EF.2000802@math.uni-paderborn.de> <48A2FBC2.8040707@thekelleys.org.uk> <48A3492D.3040204@math.uni-paderborn.de> <48A34CDA.6040305@thekelleys.org.uk> <48A3EB0C.6070004@math.uni-paderborn.de>
Message-ID: <48A3F137.7020603@thekelleys.org.uk>

joerg jungermann wrote:
> Hi!
>
>> The obvious thing there is that the DHCP packets from the client are
>> subtly wrong, they are messing the "end" option. I think that this is
>> interacting with a bug in dnsmasq which means that the last option in
>> the packet does not get recognised. Normally this is the "end" option,
>> so it doesn't matter, but in this case it's the vendor-class option, so
>> that is being missed.
>>
>> Can you easily upgrade dnsmasq to version 2.45, the latest? I believe
>> that this bug was fixed in 2.43 and just doing the upgrade should fix
>> the problem.
> Upgrading to 2.45 fixes this problem.
>

Great. It would be good to push a bug report to the authors of the client. Is that possible? I'm happy to talk to them direct if you can give me contact info, or to give you details of what's wrong for you to pass on.

Cheers,

Simon.

From bcook at poughkeepsieschools.org Thu Aug 14 17:29:30 2008
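The failure mode Simon describes in the thread above (a client that mangles the "end" option, and a parser that then drops the last option in the packet, here the vendor class) as an added example, not dnsmasq's code: the fragile loop is a hypothetical stand-in for the old bug, not the real one, and the hardened parser beside it accepts an option that runs exactly to the end of the buffer while reporting the missing terminator. The option bytes are constructed to mirror the DBOX2 request.

```python
"""DHCP option parsing around the 'missing end option' case from the thread.
Added illustration; neither function is dnsmasq's own parser."""

PAD, END = 0, 255
MESSAGE_TYPE, VENDOR_CLASS = 53, 60


def parse_options_fragile(buf):
    """Hypothetical buggy loop in the spirit of the bug Simon describes: it
    only accepts an option if bytes remain after it, so an option that ends
    exactly at the end of the buffer (no END byte follows) is never seen."""
    opts, i = {}, 0
    while i + 2 < len(buf):                  # needs bytes *beyond* the header
        code = buf[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        length = buf[i + 1]
        if i + 2 + length >= len(buf):       # rejects a value ending at len(buf)
            break
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_options(buf):
    """Walk code/length/value triplets. An option that ends exactly at the
    buffer end is kept; a missing END and any truncation are reported in the
    returned notes rather than silently swallowed."""
    opts, notes, i = {}, [], 0
    while i < len(buf):
        code = buf[i]
        if code == END:
            return opts, notes
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(buf):
            notes.append(f"option {code}: no length byte")
            return opts, notes
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) < length:
            notes.append(f"option {code}: want {length} bytes, have {len(value)}")
            return opts, notes
        opts[code] = value
        i += 2 + length
    notes.append("no END (255) option; options ran to the end of the buffer")
    return opts, notes


def vendor_class_matches(opts, pattern):
    """dhcp-vendorclass matching as the thread describes it: a substring test."""
    value = opts.get(VENDOR_CLASS)
    return value is not None and pattern.encode() in value


def build_options(*pairs, terminate=True):
    """Serialise (code, value) pairs; terminate=False leaves off the END byte."""
    out = b"".join(bytes([code, len(value)]) + value for code, value in pairs)
    return out + bytes([END]) if terminate else out


# Constructed request options modelled on the DBOX2 stage-2 DHCPDISCOVER:
# message type then vendor class "DBOX2, EMPTY".  MANGLED leaves off END, so
# the vendor class is the last thing in the buffer.
MANGLED = build_options((MESSAGE_TYPE, b"\x01"), (VENDOR_CLASS, b"DBOX2, EMPTY"),
                        terminate=False)
WELL_FORMED = build_options((MESSAGE_TYPE, b"\x01"), (VENDOR_CLASS, b"DBOX2, EMPTY"))

if __name__ == "__main__":
    for label, buf in (("well-formed", WELL_FORMED), ("mangled", MANGLED)):
        fragile = parse_options_fragile(buf)
        robust, notes = parse_options(buf)
        print(label, "fragile sees vendor class:", VENDOR_CLASS in fragile,
              "| robust matches DBOX2:", vendor_class_matches(robust, "DBOX2"),
              "| notes:", notes)
```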
From: bcook at poughkeepsieschools.org (B. Cook) Date: Thu Aug 14 17:30:24 2008 Subject: [Dnsmasq-discuss] 53 Bad bootp tag size Message-ID: Hello All, Since moving to dnsmasq for all our dhcp 'needs' things have been quite reliable and predictiable.. we have much more control over things than we did in isc.. It seems we get this error on some Jetdirects.. and I am not sure why. This one at the moment is on a J3113A (G.08.49 - latest rev and EOL'd) the other time it was on a 170X. Here is some debug: Aug 14 11:41:32 core dnsmasq[26613]: DHCP packet: transaction-id is 236322816 Aug 14 11:41:32 core dnsmasq[26613]: Available DHCP range: 10.20.18.2 -- 10.20.19.254 Aug 14 11:41:32 core dnsmasq[26613]: Vendor class: Hewlett-Packard JetDirect Aug 14 11:41:32 core dnsmasq[26613]: DHCPDISCOVER(em0) 00:10:83:55:85:c2 Aug 14 11:41:32 core dnsmasq[26613]: DHCPOFFER(em0) 10.20.18.56 00:10:83:55:85:c2 Aug 14 11:41:32 core dnsmasq[26613]: requested options: 1:netmask, 3:router, 7:log-server, 44:netbios-ns, Aug 14 11:41:32 core dnsmasq[26613]: requested options: 51:lease-time, 54:server-identifier, 58:T1, Aug 14 11:41:32 core dnsmasq[26613]: requested options: 59:T2, 12:hostname, 15:domain-name, 144, Aug 14 11:41:32 core dnsmasq[26613]: requested options: 18:extension-path Aug 14 11:41:32 core dnsmasq[26613]: tags: cli, cli, known Aug 14 11:41:32 core dnsmasq[26613]: sent size: 1 option: 53:message-type 02 Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 54:server-identifier 0a:14:00:10 Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 51:lease-time 00:00:38:40 Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 58:T1 00:00:1c:20 Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 59:T2 00:00:31:38 Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 1:netmask ff:ff:fe:00 Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 28:broadcast 0a:14:13:ff Aug 14 11:41:32 core dnsmasq[26613]: sent size: 8 option: 15:domain-name 
63:6c:69:2e:70:63:73:64 Aug 14 11:41:32 core dnsmasq[26613]: sent size: 0 option: 44:netbios-ns Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 3:router 0a:14:12:01 doing a grep -i bootp on my dnsmasq.log I find things like this: Aug 14 11:32:52 core dnsmasq[26613]: cannot send DHCP/BOOTP option 6: no space left in packet Aug 14 11:32:52 core dnsmasq[26613]: BOOTP(em0) 10.20.18.56 00:10:83:55:85:c2 Aug 14 11:32:52 core dnsmasq[26613]: tags: cli, bootp, cli, known Aug 14 11:33:20 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled Aug 14 11:34:23 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled Aug 14 11:35:25 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled Aug 14 11:36:28 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled Aug 14 11:37:30 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled Not sure what I am missing.. but this will be the second Jetdirect that I will have to hardcode an IP address.. (fear..) option 6 is dns-server here is what I have: grep dns-server dnsmasq.*.dhcp dnsmasq.cli.dhcp:dhcp-option=cli,option:dns-server,0.0.0.0 # DNS dnsmasq.kri.dhcp:dhcp-option=kri,option:dns-server,0.0.0.0 # DNS dnsmasq.phs.dhcp:dhcp-option=phs,option:dns-server,0.0.0.0 # DNS dnsmasq.smi.dhcp:dhcp-option=smi,option:dns-server,0.0.0.0 # DNS dnsmasq.war.dhcp:dhcp-option=war,option:dns-server,0.0.0.0 # DNS I also tried making a global dns-server entry as well.. seems to be the same error.. looking up that other bootp mac it seems to be something 'Dell' related.. I'll look into that.. I restarted dnsmasq and the printer and this is what is happening now.. 
dnsmasq --version
Dnsmasq version 2.46test4 Copyright (C) 2000-2008 Simon Kelley
Compile time options no-IPv6 GNU-getopt BSD-bridge no-DBus no-I18N TFTP

Aug 14 12:16:12 core dnsmasq[24692]: DHCP packet: transaction-id is 687996928
Aug 14 12:16:12 core dnsmasq[24692]: Available DHCP range: 10.20.18.2 -- 10.20.19.254
Aug 14 12:16:12 core dnsmasq[24692]: Vendor class: Hewlett-Packard JetDirect
Aug 14 12:16:12 core dnsmasq[24692]: DHCPDISCOVER(em0) 192.0.0.192 00:10:83:55:85:c2
Aug 14 12:16:12 core dnsmasq[24692]: DHCPOFFER(em0) 10.20.18.56 00:10:83:55:85:c2
Aug 14 12:16:12 core dnsmasq[24692]: requested options: 1:netmask, 3:router, 7:log-server, 44:netbios-ns,
Aug 14 12:16:12 core dnsmasq[24692]: requested options: 51:lease-time, 54:server-identifier, 58:T1,
Aug 14 12:16:12 core dnsmasq[24692]: requested options: 59:T2, 12:hostname, 15:domain-name, 144,
Aug 14 12:16:12 core dnsmasq[24692]: requested options: 18:extension-path
Aug 14 12:16:12 core dnsmasq[24692]: tags: cli, cli, known
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 1 option: 53:message-type 02
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 54:server-identifier 0a:14:00:10
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 51:lease-time 00:00:38:40
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 58:T1 00:00:1c:20
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 59:T2 00:00:31:38
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 1:netmask ff:ff:fe:00
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 28:broadcast 0a:14:13:ff
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 8 option: 15:domain-name 63:6c:69:2e:70:63:73:64
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 0 option: 44:netbios-ns
Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 3:router 0a:14:12:01

Here are the dhcp-options I have set:
(these are global)
dnsmasq.phs.dhcp:dhcp-option=option:netbios-nodetype,2
dnsmasq.phs.dhcp:dhcp-option=option:netbios-scope
dnsmasq.cli.dhcp:dhcp-option=cli,option:router,10.20.18.1
dnsmasq.cli.dhcp:dhcp-option=cli,option:dns-server,0.0.0.0
dnsmasq.cli.dhcp:dhcp-option=cli,option:netbios-ns
dnsmasq.cli.dhcp:dhcp-option=cli,option:netbios-dd

dnsmasq.kri.dhcp:dhcp-option=kri,option:router,10.20.4.1
dnsmasq.kri.dhcp:dhcp-option=kri,option:dns-server,0.0.0.0
dnsmasq.kri.dhcp:dhcp-option=kri,option:netbios-ns
dnsmasq.kri.dhcp:dhcp-option=kri,option:netbios-dd

dnsmasq.phs.dhcp:dhcp-option=net:phs,option:router,10.20.0.1
dnsmasq.phs.dhcp:dhcp-option=phs,option:dns-server,0.0.0.0
dnsmasq.phs.dhcp:dhcp-option=net:phs,option:netbios-ns,10.20.0.230
dnsmasq.phs.dhcp:dhcp-option=net:phs,option:netbios-dd,10.20.0.230

dnsmasq.smi.dhcp:dhcp-option=smi,option:router,10.20.6.1
dnsmasq.smi.dhcp:dhcp-option=smi,option:dns-server,0.0.0.0
dnsmasq.smi.dhcp:dhcp-option=smi,option:netbios-ns
dnsmasq.smi.dhcp:dhcp-option=smi,option:netbios-dd

dnsmasq.war.dhcp:dhcp-option=war,option:router,10.20.14.1
dnsmasq.war.dhcp:dhcp-option=war,option:dns-server,0.0.0.0
dnsmasq.war.dhcp:dhcp-option=war,option:netbios-ns
dnsmasq.war.dhcp:dhcp-option=war,option:netbios-dd

Any ideas?

From simon at thekelleys.org.uk Thu Aug 14 18:16:59 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Aug 14 18:20:16 2008
Subject: [Dnsmasq-discuss] 53 Bad bootp tag size
In-Reply-To:
References:
Message-ID: <48A4688B.7050906@thekelleys.org.uk>

B. Cook wrote:
> Hello All,
>
> Since moving to dnsmasq for all our dhcp 'needs' things have been quite reliable and predictable.. we have much more control over things than we did in isc..
>
> It seems we get this error on some Jetdirects.. and I am not sure why.
>
> This one at the moment is on a J3113A (G.08.49 - latest rev and EOL'd) the other time it was on a 170X.
>
> Here is some debug:
> Aug 14 11:41:32 core dnsmasq[26613]: DHCP packet: transaction-id is 236322816
> Aug 14 11:41:32 core dnsmasq[26613]: Available DHCP range: 10.20.18.2 -- 10.20.19.254
> Aug 14 11:41:32 core dnsmasq[26613]: Vendor class: Hewlett-Packard JetDirect
> Aug 14 11:41:32 core dnsmasq[26613]: DHCPDISCOVER(em0) 00:10:83:55:85:c2
> Aug 14 11:41:32 core dnsmasq[26613]: DHCPOFFER(em0) 10.20.18.56 00:10:83:55:85:c2
> Aug 14 11:41:32 core dnsmasq[26613]: requested options: 1:netmask, 3:router, 7:log-server, 44:netbios-ns,
> Aug 14 11:41:32 core dnsmasq[26613]: requested options: 51:lease-time, 54:server-identifier, 58:T1,
> Aug 14 11:41:32 core dnsmasq[26613]: requested options: 59:T2, 12:hostname, 15:domain-name, 144,
> Aug 14 11:41:32 core dnsmasq[26613]: requested options: 18:extension-path
> Aug 14 11:41:32 core dnsmasq[26613]: tags: cli, cli, known
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 1 option: 53:message-type 02
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 54:server-identifier 0a:14:00:10
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 51:lease-time 00:00:38:40
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 58:T1 00:00:1c:20
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 59:T2 00:00:31:38
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 1:netmask ff:ff:fe:00
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 28:broadcast 0a:14:13:ff
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 8 option: 15:domain-name 63:6c:69:2e:70:63:73:64
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 0 option: 44:netbios-ns
> Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 3:router 0a:14:12:01
>
> doing a grep -i bootp on my dnsmasq.log I find things like this:
>
> Aug 14 11:32:52 core dnsmasq[26613]: cannot send DHCP/BOOTP option 6: no space left in packet
> Aug 14 11:32:52 core dnsmasq[26613]: BOOTP(em0) 10.20.18.56 00:10:83:55:85:c2
> Aug 14 11:32:52 core dnsmasq[26613]: tags: cli, bootp, cli, known
> Aug 14 11:33:20 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled
> Aug 14 11:34:23 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled
> Aug 14 11:35:25 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled
> Aug 14 11:36:28 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled
> Aug 14 11:37:30 core dnsmasq[26613]: BOOTP(em0) 00:11:43:91:f9:1c disabled
>
> Not sure what I am missing.. but this will be the second Jetdirect that I will have to hardcode an IP address.. (fear..)
>
> option 6 is dns-server
> here is what I have:
>
> grep dns-server dnsmasq.*.dhcp
> dnsmasq.cli.dhcp:dhcp-option=cli,option:dns-server,0.0.0.0 # DNS
> dnsmasq.kri.dhcp:dhcp-option=kri,option:dns-server,0.0.0.0 # DNS
> dnsmasq.phs.dhcp:dhcp-option=phs,option:dns-server,0.0.0.0 # DNS
> dnsmasq.smi.dhcp:dhcp-option=smi,option:dns-server,0.0.0.0 # DNS
> dnsmasq.war.dhcp:dhcp-option=war,option:dns-server,0.0.0.0 # DNS
>
> I also tried making a global dns-server entry as well.. seems to be the same error..
>
> looking up that other bootp mac it seems to be something 'Dell' related.. I'll look into that..
>
> I restarted dnsmasq and the printer and this is what is happening now..
>
> dnsmasq --version
> Dnsmasq version 2.46test4 Copyright (C) 2000-2008 Simon Kelley
> Compile time options no-IPv6 GNU-getopt BSD-bridge no-DBus no-I18N TFTP
>
> Aug 14 12:16:12 core dnsmasq[24692]: DHCP packet: transaction-id is 687996928
> Aug 14 12:16:12 core dnsmasq[24692]: Available DHCP range: 10.20.18.2 -- 10.20.19.254
> Aug 14 12:16:12 core dnsmasq[24692]: Vendor class: Hewlett-Packard JetDirect
> Aug 14 12:16:12 core dnsmasq[24692]: DHCPDISCOVER(em0) 192.0.0.192 00:10:83:55:85:c2
> Aug 14 12:16:12 core dnsmasq[24692]: DHCPOFFER(em0) 10.20.18.56 00:10:83:55:85:c2
> Aug 14 12:16:12 core dnsmasq[24692]: requested options: 1:netmask, 3:router, 7:log-server, 44:netbios-ns,
> Aug 14 12:16:12 core dnsmasq[24692]: requested options: 51:lease-time, 54:server-identifier, 58:T1,
> Aug 14 12:16:12 core dnsmasq[24692]: requested options: 59:T2, 12:hostname, 15:domain-name, 144,
> Aug 14 12:16:12 core dnsmasq[24692]: requested options: 18:extension-path
> Aug 14 12:16:12 core dnsmasq[24692]: tags: cli, cli, known
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 1 option: 53:message-type 02
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 54:server-identifier 0a:14:00:10
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 51:lease-time 00:00:38:40
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 58:T1 00:00:1c:20
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 59:T2 00:00:31:38
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 1:netmask ff:ff:fe:00
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 28:broadcast 0a:14:13:ff
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 8 option: 15:domain-name 63:6c:69:2e:70:63:73:64
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 0 option: 44:netbios-ns
> Aug 14 12:16:12 core dnsmasq[24692]: sent size: 4 option: 3:router 0a:14:12:01
>
> Here are the dhcp-options I have set:
> (these are global)
> dnsmasq.phs.dhcp:dhcp-option=option:netbios-nodetype,2
> dnsmasq.phs.dhcp:dhcp-option=option:netbios-scope
>
> dnsmasq.cli.dhcp:dhcp-option=cli,option:router,10.20.18.1
> dnsmasq.cli.dhcp:dhcp-option=cli,option:dns-server,0.0.0.0
> dnsmasq.cli.dhcp:dhcp-option=cli,option:netbios-ns
> dnsmasq.cli.dhcp:dhcp-option=cli,option:netbios-dd
>
> dnsmasq.kri.dhcp:dhcp-option=kri,option:router,10.20.4.1
> dnsmasq.kri.dhcp:dhcp-option=kri,option:dns-server,0.0.0.0
> dnsmasq.kri.dhcp:dhcp-option=kri,option:netbios-ns
> dnsmasq.kri.dhcp:dhcp-option=kri,option:netbios-dd
>
> dnsmasq.phs.dhcp:dhcp-option=net:phs,option:router,10.20.0.1
> dnsmasq.phs.dhcp:dhcp-option=phs,option:dns-server,0.0.0.0
> dnsmasq.phs.dhcp:dhcp-option=net:phs,option:netbios-ns,10.20.0.230
> dnsmasq.phs.dhcp:dhcp-option=net:phs,option:netbios-dd,10.20.0.230
>
> dnsmasq.smi.dhcp:dhcp-option=smi,option:router,10.20.6.1
> dnsmasq.smi.dhcp:dhcp-option=smi,option:dns-server,0.0.0.0
> dnsmasq.smi.dhcp:dhcp-option=smi,option:netbios-ns
> dnsmasq.smi.dhcp:dhcp-option=smi,option:netbios-dd
>
> dnsmasq.war.dhcp:dhcp-option=war,option:router,10.20.14.1
> dnsmasq.war.dhcp:dhcp-option=war,option:dns-server,0.0.0.0
> dnsmasq.war.dhcp:dhcp-option=war,option:netbios-ns
> dnsmasq.war.dhcp:dhcp-option=war,option:netbios-dd
>
> Any ideas?
>

Probably completely benign. It looks like the JetDirect is trying BOOTP first (at 11:32:52) and then moving on to DHCP (at 11:41:32). The BOOTP request gets truncated options because a BOOTP packet has only 64 bytes available for options. It looks like that means that needed information is left out and the printer tries again with DHCP - which works fine. After your restart, the printer seems to stick with DHCP and everything is OK.
To avoid the problem, you could see if it's possible to configure the printer to not use BOOTP somehow, or add something like

dhcp-mac=wackyjetdirect,00:10:83:55:85:c2
dhcp-ignore=wackyjetdirect,bootp

Which tells dnsmasq to ignore BOOTP requests from that MAC, rather than sending a truncated answer. If you have no use for BOOTP, just do

dhcp-ignore=bootp

HTH

Simon.

From esj at harvee.org Thu Aug 14 22:22:36 2008
From: esj at harvee.org (Eric S. Johansson)
Date: Thu Aug 14 22:23:41 2008
Subject: [Dnsmasq-discuss] dhcp names visible in dns
Message-ID: <48A4A21C.5080101@harvee.org>

this must be an faq but I haven't found it yet. I'm binding a bunch of IP's to mac addresses and I expected the name associated with the mac address would become visible in dns. the dhcp-host line is as follows.

dhcp-host=00:15:17:57:a2:0a, ps16, 172.24.128.76

why are the host names not visible?

thanks.

From Hullen at t-online.de Sun Aug 17 17:26:00 2008
From: Hullen at t-online.de (Helmut Hullen)
Date: Sun Aug 17 17:28:32 2008
Subject: [Dnsmasq-discuss] whois doesn't find entries
Message-ID:

Hello,

dnsmasq seems to have sometimes problems with "whois" (and related programs).

whois 128.163.2.43

doesn't send a whois entry, but when I change from "dnsmasq" to "bind" I get the desired information.

The above IP address is just an example, not the only problematic address.

Best regards!
Helmut

From simon at thekelleys.org.uk Sun Aug 17 18:03:08 2008
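A way to see the size budget behind Simon's answer in the "53 Bad bootp tag size" thread above, as an added example that is not from the thread and not dnsmasq's own code: it parses the "sent size ... option ..." lines from B. Cook's DHCPOFFER log, appends the dns-server option the BOOTP log reports as dropped (using the server's own address 10.20.0.16 from the server-identifier, which is what dnsmasq substitutes for 0.0.0.0), and packs the set into a 64-byte BOOTP vend field versus the 312-byte minimum DHCP options field. It is a simplified model: a real BOOTP reply carries none of the DHCP-only options (53, 51, 54, 58, 59), and dnsmasq's actual packing logic is not reproduced.

```python
import re
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 1497 cookie that starts the option area
BOOTP_VEND_LEN = 64                  # RFC 951: the BOOTP vend field is fixed at 64 octets
DHCP_OPTIONS_MIN = 312               # RFC 2131: every DHCP client accepts at least 312
END = 255

# Constructed sample input: the "sent" lines of the DHCPOFFER from the thread's log-dhcp output.
SAMPLE_LOG = """\
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 1 option: 53:message-type 02
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 54:server-identifier 0a:14:00:10
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 51:lease-time 00:00:38:40
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 58:T1 00:00:1c:20
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 59:T2 00:00:31:38
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 1:netmask ff:ff:fe:00
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 28:broadcast 0a:14:13:ff
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 8 option: 15:domain-name 63:6c:69:2e:70:63:73:64
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 0 option: 44:netbios-ns
Aug 14 11:41:32 core dnsmasq[26613]: sent size: 4 option: 3:router 0a:14:12:01
"""

SENT_RE = re.compile(r"sent size:\s*(\d+) option:\s*(\d+):(\S+)(?:\s+([0-9a-f:]+))?\s*$")


def parse_sent_options(log_text):
    """Return [(code, value_bytes)] from dnsmasq 'sent size: N option: C:name hex' lines."""
    options = []
    for line in log_text.splitlines():
        m = SENT_RE.search(line)
        if not m:
            continue
        size, code, _name, hexbytes = m.groups()
        value = bytes.fromhex(hexbytes.replace(":", "")) if hexbytes else b""
        if len(value) != int(size):
            raise ValueError(f"logged size does not match payload: {line}")
        options.append((int(code), value))
    return options


def encode_option(code, value):
    """One TLV: code, length, payload (codes 0 and 255 carry no length byte)."""
    if not 0 < code < 255:
        raise ValueError("PAD and END are not TLV options")
    if len(value) > 255:
        raise ValueError("payload too long for a single TLV")
    return bytes((code, len(value))) + value


def option_budget(options):
    """Bytes needed to carry cookie + every option + END."""
    return len(MAGIC_COOKIE) + sum(2 + len(v) for _, v in options) + 1


def pack_options(options, capacity):
    """Pack options after the cookie into a field of `capacity` bytes.

    An option that would leave no room for END is dropped (the situation behind
    dnsmasq's 'no space left in packet' message) and packing continues.
    Returns (field_bytes, sent_codes, dropped_codes).
    """
    buf = bytearray(MAGIC_COOKIE)
    sent, dropped = [], []
    for code, value in options:
        tlv = encode_option(code, value)
        if len(buf) + len(tlv) + 1 > capacity:  # +1 keeps room for END
            dropped.append(code)
            continue
        buf += tlv
        sent.append(code)
    buf.append(END)
    buf.extend(b"\x00" * (capacity - len(buf)))  # PAD out to the field size
    return bytes(buf), sent, dropped


def dns_server_option(server_ip):
    """Option 6 with the address dnsmasq substitutes for dns-server,0.0.0.0: its own."""
    return (6, IPv4Address(server_ip).packed)


if __name__ == "__main__":
    offered = parse_sent_options(SAMPLE_LOG)
    with_dns = offered + [dns_server_option("10.20.0.16")]  # 0a:14:00:10 from the log
    print("bytes needed with dns-server:", option_budget(with_dns))
    for label, cap in (("BOOTP vend", BOOTP_VEND_LEN), ("DHCP options", DHCP_OPTIONS_MIN)):
        _, sent, dropped = pack_options(with_dns, cap)
        print(f"{label} ({cap} bytes): sent {sent} dropped {dropped}")
```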
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Aug 17 18:03:59 2008
Subject: [Dnsmasq-discuss] whois doesn't find entries
In-Reply-To:
References:
Message-ID: <48A859CC.7030904@thekelleys.org.uk>

Helmut Hullen wrote:
> Hello,
>
> dnsmasq seems to have sometimes problems with "whois" (and related programs).
>
>
> whois 128.163.2.43
>
> doesn't send a whois entry, but when I change from "dnsmasq" to "bind" I get the desired information.
>
> The above IP address is just an example, not the only problematic address.
>

I'm not sure how this is related to dnsmasq: when I run whois, the only DNS activity I see is IPv4 and IPv6 lookups for "whois.ripe.net". Are you saying that those lookups are failing, or is there something else I don't know about?

Cheers,

Simon.

From Hullen at t-online.de Sun Aug 17 18:34:00 2008
From: Hullen at t-online.de (Helmut Hullen)
Date: Sun Aug 17 18:43:38 2008
Subject: [Dnsmasq-discuss] whois doesn't find entries
In-Reply-To: <48A859CC.7030904@thekelleys.org.uk>
Message-ID:

Hello, Simon,

You (simon) wrote on 17.08.08:

>> whois 128.163.2.43
>>
>> doesn't send a whois entry, but when I change from "dnsmasq" to
>> "bind" I get the desired information.

> I'm not sure how this is related to dnsmasq: when I run whois, the
> only DNS activity I see is IPv4 and IPv6 lookups for
> "whois.ripe.net". Are you saying that those lookups are failing, or
> is there something else I don't know about?

I see this (annoying) behaviour most times when I call "whois". And in every case switching to "bind" as DNS cures the problem.

But now I am a bit confused: some time ago "dnsmasq" didn't tell the "whois" information, I switched to "bind" and got the information, I switched back to "dnsmasq", did some other work - and now I get the "whois" information via "dnsmasq" too.

Maybe that's an error which is related to the DNS of my uplink (kabeldeutschland)?

Next time I'll try to restart "dnsmasq".

Best regards!
Helmut

From listas at pcs.com.br Mon Aug 18 13:56:36 2008
From: listas at pcs.com.br (PCSLists)
Date: Mon Aug 18 13:57:33 2008
Subject: [Dnsmasq-discuss] read-ethers does not work
Message-ID: <48A97184.3050506@pcs.com.br>

Hi,

I have a 300-line /etc/ethers. Some machines are not in /etc/ethers, but they can get IPs. These IPs are in /etc/ethers with other MACs.

What am I doing wrong?

I am using:
Fedora 8
dnsmasq-2.40-1.fc8

Tested too:
dnsmasq-2.45-1.fc10

TIA

--
PCS - Processos, Consultoria e Soluções
Cosme Faria Corrêa
PCS - Processos, Consultoria e Soluções
(21) 2620-0735 / 9219-5949
www.pcs.com.br

From rune.kock at gmail.com Mon Aug 18 18:57:40 2008
From: rune.kock at gmail.com (Rune Kock)
Date: Mon Aug 18 18:58:32 2008
Subject: [Dnsmasq-discuss] Re: Possible instability of DNS in 2.45
In-Reply-To:
References:
Message-ID:

On Wed, Aug 13, 2008 at 02:30, Rune Kock wrote:
> After running fine for over a week, my router with dnsmasq 2.45 became
> very unwilling to answer DNS queries (only a few succeeded). Dumping
> the statistics showed that a significant number of upstream queries
> had failed. Restarting the router solved the problem.

Thanks for the bug-hunting ideas, Simon and David.

It turns out that my remote logging was horribly broken. (I wasn't aware that the machine receiving the log-entries would do a reverse dns-lookup to the router for every entry received -- and on the router I had enabled logging of all incoming connections!).

With this kind of craziness going on, it seems very unlikely that dnsmasq was the cause of the problems. Really, what puzzles me the most is that things did actually work for some time.

So my apologies for wasting your time. I have fixed the logging, and everything seems to be running perfectly now.

Rune

From simon at thekelleys.org.uk Tue Aug 19 09:42:14 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Aug 19 09:43:12 2008
Subject: [Dnsmasq-discuss] Re: Possible instability of DNS in 2.45
In-Reply-To:
References:
Message-ID: <48AA8766.7090805@thekelleys.org.uk>

Rune Kock wrote:
> On Wed, Aug 13, 2008 at 02:30, Rune Kock wrote:
>> After running fine for over a week, my router with dnsmasq 2.45 became
>> very unwilling to answer DNS queries (only a few succeeded). Dumping
>> the statistics showed that a significant number of upstream queries
>> had failed. Restarting the router solved the problem.
>
> Thanks for the bug-hunting ideas, Simon and David.
>
> It turns out that my remote logging was horribly broken. (I wasn't
> aware that the machine receiving the log-entries would do a reverse
> dns-lookup to the router for every entry received -- and on the router
> I had enabled logging of all incoming connections!).
>
> With this kind of craziness going on, it seems very unlikely that
> dnsmasq was the cause of the problems. Really, what puzzles me the
> most is that things did actually work for some time.
>

Yes, I've seen this before. It's possible to end up with a situation where every DNS query logs enough stuff to trigger more than one extra query. That blows up very quickly. The asynchronous logging stuff in dnsmasq was added at least in part as an attempt to keep things going in pathological cases. I think syslog-ng can do local DNS caching which helps too.

> So my apologies for wasting your time. I have fixed the logging, and
> everything seems to be running perfectly now.
>
>

No problem, thanks for reporting back.

Cheers,

Simon.

From kyron at neuralbs.com Tue Aug 19 16:42:44 2008
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Tue Aug 19 16:43:40 2008
Subject: [Dnsmasq-discuss] dhcp-script, add|del|old ...and maybe load, DNSMASQ_USER_CLASSn, etc.
Message-ID: <48AAE9F4.8020500@neuralbs.com>

Hello,

I've been (ab)using dnsmasq for quite a while and I am now attempting to use dhcp-script callbacks to pull information from booting machines. The context is a clustering environment where nodes are PXE booted, NFS root mounted and dhcpcd is used as such to send in the number of detected CPUs:

dhcpcd --renew --persistent --userclass=$(c=0; for i in /sys/devices/system/cpu/cpu[0-9]*; do ((c++)); done; echo $c) eth0

I add in --renew to force dhcpcd to send a request, it's not required per se. the `$(c=0; for i in /sys/devices/system/cpu/cpu[0-9]*; do ((c++)); done; echo $c)` translates to 2 . Here is a trace of the execution for a node that was already booted and is part of the dnsmasq's cache:

master ~ # dnsmasq -d
dnsmasq: started, version 2.45 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus I18N TFTP
dnsmasq: DHCP, IP range 10.0.0.2 -- 10.0.0.254, lease time 12h
dnsmasq: TFTP root is /tftproot
dnsmasq: ignoring nameserver 127.0.0.1 - local interface
dnsmasq: reading /etc/dnsmasq-resolv.conf
dnsmasq: using nameserver 192.168.1.2#53
dnsmasq: read /etc/hosts - 2 addresses
====================
/root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162 node162 and DNSMASQ_USER_CLASS0 ==
====================
dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
====================
/root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162 node162 and DNSMASQ_USER_CLASS0 ==
====================
dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162

My interpretation (node-manager is the dhcp-script):
* start dnsmasq -d
- node-manager is called on startup with old, with DNSMASQ_USER_CLASS0 null, as expected

* on node162, call dhcpcd - dhcpcd --renew...
- node-manager is called but DNSMASQ_USER_CLASS0 is empty...that wasn't expected.
Note: Roy Marples was nice enough to confirm with Wireshark that the userclass is _always_ sent by dhcpcd

* on node162, call dhcpcd - dhcpcd --renew... (again)
- This time, the script isn't called at all
* on node162, call dhcpcd - dhcpcd --renew... (and again)
- This time, the script isn't called either

I can understand that 'excessive' dhcp requests can trigger a DOS prevention mechanism and not call dhcp-script. But this is neither documented nor controllable.

Now here is another trace booting a node that was never booted before (add):

dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
====================
/root/node-manager called with add 00:0c:29:8e:50:fa 10.0.0.249 and DNSMASQ_USER_CLASS0 ==
====================
dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
dnsmasq: TFTP error 0 TFTP Aborted received from 10.0.0.249
dnsmasq: TFTP failed sending /tftproot/pxelinux.0 to 10.0.0.249
dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
dnsmasq: TFTP sent /tftproot/pxelinux.cfg/default to 10.0.0.249
dnsmasq: TFTP sent /tftproot/nfsroot/x86_64/boot/kernel to 10.0.0.249
dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa node249

I would like it to be all clean and only request an IP address once but this doesn't seem feasible for the moment since the sequence is kernel-dhcpc -- (something-dhcp...can't figure out where that second request comes from) -- dhcpcd called from rc scripts

So here is my wishlist:

- add a keyword (load?) to the add, del, old list so one can differentiate between dnsmasq loading and subsequent DHCPREQUESTs with 'old'. I could cope with the 'old' key being also called at dnsmasq startup but the *USER_CLASSn not being set threw me off.

- provide the means to _always_ call the dhcp-script

- always pass on the userclass down to the script on 'old|add' (obviously implies the load key gets added).

Don't hesitate to hit me in the generally right direction if I am totally off on my usage of these tools or to ask for details.

Cheers,

Eric Thibodeau
PS: This is in the context of the Gentoo Clustering LiveCD:
http://git.overlays.gentoo.org/gitweb/?p=proj/clustering-livecd.git;a=tree

Files used by dhcp-script can be found here:
http://git.overlays.gentoo.org/gitweb/?p=proj/clustering-livecd.git;a=tree;f=overlay/sys-cluster/beowulf-head/files;h=8c38ac5b8fff58f2a20e0dc14e094ddd740478d9;hb=HEAD

From kyron at neuralbs.com Tue Aug 19 23:32:28 2008
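A dhcp-script along the lines of the node-manager Eric describes above, as an added example that is neither his script nor dnsmasq code: dnsmasq invokes it as `script add|old|del MAC IP [hostname]` with DNSMASQ_USER_CLASS0 in the environment when the client sent a user class, and the script records each lease as a dhcp-host line, validates the client-supplied user class before using it as the CPU count, and keeps the previously recorded count when a request arrives without one (the empty-value case in the trace above). The nodes file path and the "# cpus=N" trailer are assumptions made for this example.

```sh
#!/bin/sh
# Added example dhcp-script (not Eric Thibodeau's node-manager). dnsmasq runs:
#   script add|old|del MAC IP [hostname]
# and exports DNSMASQ_USER_CLASS0 when the request carried a user class.
# NODES_FILE is an assumed location; the "# cpus=N" trailer is a constructed
# convention that keeps the file valid dnsmasq configuration.

NODES_FILE="${NODES_FILE:-/etc/dnsmasq.nodes.conf}"   # assumed path

# The user class is client-supplied: accept only a plain, bounded integer.
cpu_count_from_userclass() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or not purely numeric
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 4096 ]; then
        printf '%s\n' "$1"
    else
        return 1
    fi
}

# Print the current record for a MAC (exit 1 if there is none).
lookup_node() {
    [ -f "$NODES_FILE" ] || return 1
    grep -i "^dhcp-host=$1," "$NODES_FILE"
}

# Rewrite the file without this MAC's record, then append $2 if non-empty.
rewrite_without() {
    tmp="$NODES_FILE.tmp.$$"
    {
        if [ -f "$NODES_FILE" ]; then
            grep -iv "^dhcp-host=$1," "$NODES_FILE" || :
        fi
        if [ -n "$2" ]; then printf '%s\n' "$2"; fi
    } > "$tmp"
    mv "$tmp" "$NODES_FILE"
}

# add/old: record MAC, IP and (when dnsmasq knows it) the hostname.
update_node() {
    mac=$1; ip=$2; name=$3; cpus=$4
    if [ -z "$cpus" ]; then
        # No usable user class this time: a renewal that skipped DHCPDISCOVER,
        # or dnsmasq replaying existing leases as 'old' at startup. Keep the
        # count recorded earlier instead of clearing it.
        old=$(lookup_node "$mac" || :)
        case "$old" in *"# cpus="*) cpus=${old##*"# cpus="} ;; esac
    fi
    rec="dhcp-host=$mac,$ip"
    if [ -n "$name" ]; then rec="$rec,$name"; fi
    rewrite_without "$mac" "$rec # cpus=${cpus:-unknown}"
}

node_manager() {
    action=$1; mac=$2; ip=$3; name=$4
    cpus=$(cpu_count_from_userclass "${DNSMASQ_USER_CLASS0:-}") || cpus=""
    case "$action" in
        add|old) update_node "$mac" "$ip" "$name" "$cpus" ;;
        del)     rewrite_without "$mac" "" ;;
        *)       echo "node-manager: unknown action '$action'" >&2; return 2 ;;
    esac
}

# Dispatch when invoked by dnsmasq (dhcp-script=/path/to/node-manager).
if [ "$#" -ge 3 ]; then
    node_manager "$@"
fi
```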
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Tue Aug 19 23:33:25 2008
Subject: [Dnsmasq-discuss] dhcp-script, add|del|old ...and maybe load, DNSMASQ_USER_CLASSn, etc.
In-Reply-To: <48AAE9F4.8020500@neuralbs.com>
References: <48AAE9F4.8020500@neuralbs.com>
Message-ID: <48AB49FC.6050500@neuralbs.com>

Well, adding to my own post since I set up an environment where I could use wireshark:

Eric Thibodeau wrote:
> Hello,
>
> I've been (ab)using dnsmasq for quite a while and I am now attempting to use dhcp-script callbacks to pull information from booting machines. The context is a clustering environment where nodes are PXE booted, NFS root mounted and dhcpcd is used as such to send in the number of detected CPUs:
>
> dhcpcd --renew --persistent --userclass=$(c=0; for i in /sys/devices/system/cpu/cpu[0-9]*; do ((c++)); done; echo $c) eth0
>
> I add in --renew to force dhcpcd to send a request, it's not required per se. the `$(c=0; for i in /sys/devices/system/cpu/cpu[0-9]*; do ((c++)); done; echo $c)` translates to 2 . Here is a trace of the execution for a node that was already booted and is part of the dnsmasq's cache:
>
> master ~ # dnsmasq -d
> dnsmasq: started, version 2.45 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus I18N TFTP
> dnsmasq: DHCP, IP range 10.0.0.2 -- 10.0.0.254, lease time 12h
> dnsmasq: TFTP root is /tftproot
> dnsmasq: ignoring nameserver 127.0.0.1 - local interface
> dnsmasq: reading /etc/dnsmasq-resolv.conf
> dnsmasq: using nameserver 192.168.1.2#53
> dnsmasq: read /etc/hosts - 2 addresses
> ====================
> /root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162 node162 and DNSMASQ_USER_CLASS0 ==
> ====================
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
> ====================
> /root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162 node162 and DNSMASQ_USER_CLASS0 ==
> ====================
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
>
> My interpretation (node-manager is the dhcp-script):
> * start dnsmasq -d
> - node-manager is called on startup with old, with DNSMASQ_USER_CLASS0 null, as expected
>
> * on node162, call dhcpcd - dhcpcd --renew...
> - node-manager is called but DNSMASQ_USER_CLASS0 is empty...that wasn't expected.
> Note: Roy Marples was nice enough to confirm with Wireshark that the userclass is _always_ sent by dhcpcd
>
> * on node162, call dhcpcd - dhcpcd --renew... (again)
> - This time, the script isn't called at all
> * on node162, call dhcpcd - dhcpcd --renew... (and again)
> - This time, the script isn't called either
>
> I can understand that 'excessive' dhcp requests can trigger a DOS prevention mechanism and not call dhcp-script. But this is neither documented nor controllable.
>
> Now here is another trace booting a node that was never booted before (add):
>
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> ====================
> /root/node-manager called with add 00:0c:29:8e:50:fa 10.0.0.249 and DNSMASQ_USER_CLASS0 ==
> ====================
> dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
> dnsmasq: TFTP error 0 TFTP Aborted received from 10.0.0.249
> dnsmasq: TFTP failed sending /tftproot/pxelinux.0 to 10.0.0.249
> dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
> dnsmasq: TFTP sent /tftproot/pxelinux.cfg/default to 10.0.0.249
> dnsmasq: TFTP sent /tftproot/nfsroot/x86_64/boot/kernel to 10.0.0.249
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa node249
>
> I would like it to be all clean and only request an IP address once but this doesn't seem feasible for the moment since the sequence is kernel-dhcpc -- (something-dhcp...can't figure out where that second request comes from) -- dhcpcd called from rc scripts

Ok, correction, I was forgetting PXE's DHCP request, so the DHCP request sequence is: PXE - kernel - dhcpcd

>
> So here is my wishlist:
>
> - add a keyword (load?) to the add, del, old list so one can differentiate between dnsmasq loading and subsequent DHCPREQUESTs with 'old'. I could cope with the 'old' key being also called at dnsmasq startup but the *USER_CLASSn not being set threw me off.

Well, that still holds as it would really be useful to differentiate between dnsmasq reloading and a dhcp renewal request.

> - provide the means to _always_ call the dhcp-script

From closer observation, it seems that dnsmasq only sets the DNSMASQ_USER_CLASSn variable if the sequence started with a DHCPDISCOVER, otherwise DNSMASQ_USER_CLASSn is not set:

_client_: killall -9 dhcpcd && dhcpcd -n -h burp -u 123123 eth0

_server_:
dnsmasq: DHCPDISCOVER(eth0) 00:0c:29:2b:e4:d7
dnsmasq: DHCPOFFER(eth0) 192.168.1.212 00:0c:29:2b:e4:d7
dnsmasq: DHCPREQUEST(eth0) 192.168.1.212 00:0c:29:2b:e4:d7
dnsmasq: DHCPACK(eth0) 192.168.1.212 00:0c:29:2b:e4:d7 MasterVM
old 00:0c:29:2b:e4:d7 192.168.1.212 MasterVM 123123

_NOTE_: hostname doesn't change but DNSMASQ_USER_CLASS0 is set and passed along (not stating that this is a bug, I don't know the RFC :P )

dhcpcd not killed:

_client_: dhcpcd -n -h burp -u 123123 eth0

_server_:
dnsmasq: DHCPREQUEST(eth0) 192.168.1.212 00:0c:29:2b:e4:d7
dnsmasq: DHCPACK(eth0) 192.168.1.212 00:0c:29:2b:e4:d7 MasterVM
old 00:0c:29:2b:e4:d7 192.168.1.212 MasterVM

Obviously, since the userclass rfc is quite vague and unbinding, one can't say this is a bug nor request that the behavior be different. I might as well report/document my observations here and see if it can help define "proper usage" of such parameters.

> - always pass on the userclass down to the script on 'old|add' (obviously implies the load key gets added).

Well, I guess this is more like: set DNSMASQ_USER_CLASS0 if received on DHCPREQUEST, since it's obviously set on DHCPDISCOVER.

>
> Don't hesitate to hit me in the generally right direction if I am totally off on my usage of these tools or to ask for details.
>
> Cheers,
>
> Eric Thibodeau
> PS: This is in the context of the Gentoo Clustering LiveCD:
> http://git.overlays.gentoo.org/gitweb/?p=proj/clustering-livecd.git;a=tree
>
> Files used by dhcp-script can be found here:
> http://git.overlays.gentoo.org/gitweb/?p=proj/clustering-livecd.git;a=tree;f=overlay/sys-cluster/beowulf-head/files;h=8c38ac5b8fff58f2a20e0dc14e094ddd740478d9;hb=HEAD
>

From rune.kock at gmail.com Wed Aug 20 17:55:29 2008
From: rune.kock at gmail.com (Rune Kock)
Date: Wed Aug 20 17:56:25 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
Message-ID:

I know this is a bit off topic, but maybe someone on the list has some thoughts on this:

I'm running a router for a group of people connected by lan. And I use a dhcp-server (dnsmasq) on the router to configure the clients.

But increasingly often, someone has connected another router to the lan, usually to use it as a wifi access point. And since they don't know what they are doing, they connect their own router's lan-port to the big lan instead of using the wan-port. And so we get a wrong dhcp-server competing with dnsmasq.

Every time this happens, I have to track down the rogue router by testing each cable of the lan. Quite time consuming, and until I get it done, the network is very unstable for the users.

Does anyone have some ideas as to how to mitigate this problem?

Rune

From kyron at neuralbs.com Wed Aug 20 19:25:22 2008
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Wed Aug 20 19:26:11 2008
Subject: [Dnsmasq-discuss] Sequential address assignment
Message-ID: <48AC6192.9060008@neuralbs.com>

I would like to know if it would be possible to add a simple feature that would tell dnsmasq to assign addresses sequentially (ie: --dhcp-sequential). I am looking at address_allocate() in dhcp.c and it would seem feasible without much "damage" but I'm not accustomed to the code sufficiently to propose a patch.

The obvious question is WHY? Well, here is a use case:

I am building a clustering livecd (as stated in a previous e-mail) and one of the tasks which tends to be long, annoying and error prone is the identification of nodes, typing of MAC addresses and node number assignment, which usually comes in the form of a static configuration file. To ease the process, one would fire up dnsmasq (on the master node) and sequentially start his slave nodes for the first time. I make sure the assignment remains static after the initial start by auto-generating (dhcp-script) the dnsmasq.nodes.conf which I'd obviously source within dnsmasq.conf.

Is this a reasonable feature to ask for? Does this violate any RFC? As far as security is concerned, it's not an issue since this is a closed network.

Thanks,

Eric Thibodeau

From simon at thekelleys.org.uk Wed Aug 20 22:22:50 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 20 22:23:40 2008
Subject: [Dnsmasq-discuss] dhcp-script, add|del|old ...and maybe load, DNSMASQ_USER_CLASSn, etc.
In-Reply-To: <48AAE9F4.8020500@neuralbs.com>
References: <48AAE9F4.8020500@neuralbs.com>
Message-ID: <48AC8B2A.9030906@thekelleys.org.uk>

Eric Thibodeau wrote:
> Hello,
>
> I've been (ab)using dnsmasq for quite a while and I am now attempting
> to use dhcp-script callbacks to pull information from booting machines.
> The context is a clustering environment where nodes are PXE booted, NFS
> root mounted and dhcpcd is used as such to send in the number of
> detected CPUs:
>
> dhcpcd --renew --persistent --userclass=$(c=0; for i in
> /sys/devices/system/cpu/cpu[0-9]*; do ((c++)); done; echo $c) eth0
>
> I add in --renew to force dhcpcd to send a request, it's not required
> per se. The `$(c=0; for i in /sys/devices/system/cpu/cpu[0-9]*; do
> ((c++)); done; echo $c)` translates to 2 . Here is a trace of the
> execution for a node that was already booted and is part of the
> dnsmasq's cache:
>
> master ~ # dnsmasq -d
> dnsmasq: started, version 2.45 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-ISC-leasefile no-DBus
> I18N TFTP
> dnsmasq: DHCP, IP range 10.0.0.2 -- 10.0.0.254, lease time 12h
> dnsmasq: TFTP root is /tftproot
> dnsmasq: ignoring nameserver 127.0.0.1 - local interface
> dnsmasq: reading /etc/dnsmasq-resolv.conf
> dnsmasq: using nameserver 192.168.1.2#53
> dnsmasq: read /etc/hosts - 2 addresses
> ====================
> /root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162 node162
> and DNSMASQ_USER_CLASS0 ==
> ====================
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
> ====================
> /root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162 node162
> and DNSMASQ_USER_CLASS0 ==
> ====================
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
>
> My interpretation (node-manager is the dhcp-script):
> * start dnsmasq -d
> - node-manager is called on startup with old, with DNSMASQ_USER_CLASS0
> null, as expected
>
> * on node162, call dhcpcd - dhcpcd --renew...
> - node-manager is called but DNSMASQ_USER_CLASS0 is empty...that wasn't
> expected.
> Note: Roy Marples was nice enough to confirm with Wireshark that the
> userclass is _always_ sent by dhcpcd
>
> * on node162, call dhcpcd - dhcpcd --renew... (again)
> - This time, the script isn't called at all
> * on node162, call dhcpcd - dhcpcd --renew... (and again)
> - This time, the script isn't called either
>
> I can understand that 'excessive' dhcp requests can trigger a DOS
> prevention mechanism and not call dhcp-script. But this is neither
> documented nor controllable.
>
> Now here is another trace booting a node that was never booted before
> (add):
>
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> ====================
> /root/node-manager called with add 00:0c:29:8e:50:fa 10.0.0.249 and
> DNSMASQ_USER_CLASS0 ==
> ====================
> dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
> dnsmasq: TFTP error 0 TFTP Aborted received from 10.0.0.249
> dnsmasq: TFTP failed sending /tftproot/pxelinux.0 to 10.0.0.249
> dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
> dnsmasq: TFTP sent /tftproot/pxelinux.cfg/default to 10.0.0.249
> dnsmasq: TFTP sent /tftproot/nfsroot/x86_64/boot/kernel to 10.0.0.249
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249
> 00:0c:29:8e:50:fa
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa node249
>
> I would like it to be all clean and only request an IP address once but
> this doesn't seem feasible for the moment since the sequence is
> kernel-dhcpc -- (something-dhcp...can't figure out where that second
> request comes from) -- dhcpcd called from rc scripts
>
> So here is my wishlist:
>
> - add a keyword (load?) to the add, del, old list so one can
> differentiate between dnsmasq loading and subsequent DHCPREQUESTs with
> 'old'. I could cope with the 'old' key being also called at dnsmasq
> startup but the *USER_CLASSn not being set threw me off.
> - provide the means to _always_ call the dhcp-script
> - always pass on the userclass down to the script on 'old|add'
> (obviously implies the load key gets added).
>
> Don't hesitate to hit me in the generally right direction if I am
> totally off on my usage of these tools or to ask for details.

A few comments, in no particular order.

The dhcp script communicates changes to the lease _database_ not individual DHCP interactions with a host. It's as designed that it doesn't get called when a lease is renewed.

The userclass info is not always available, as you saw. If you want to use it, you'll probably need to implement a parallel database which has IP address as primary key and stores the userclass information. The userclass will always be provided when a lease is created, but not later.

The trace where you don't see userclass information even during a DISCOVER/OFFER/REQUEST/ACK sequence may well be a bug. What version of dhcpcd are you using? I'll do some tests.

There's no DOS prevention code in the script-calling system.
It may be sensible to provide raw DHCP events to the script if people can use them.

Cheers,

Simon.

From simon at thekelleys.org.uk Wed Aug 20 22:33:13 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Aug 20 22:23:40 2008
Subject: [Dnsmasq-discuss] Sequential address assignment
In-Reply-To: <48AC6192.9060008@neuralbs.com>
References: <48AC6192.9060008@neuralbs.com>
Message-ID: <48AC8D99.3040103@thekelleys.org.uk>

Eric Thibodeau wrote:
> I would like to know if it would be possible to add a simple feature
> that would tell dnsmasq to assign addresses sequentially (ie:
> --dhcp-sequential). I am looking at address_allocate() in dhcp.c and it
> would seem feasible without much "damage" but I'm not accustomed to the
> code sufficiently to propose a patch. The obvious question is WHY? Well,
> here is a use case:
>
> I am building a clustering livecd (as stated in a previous e-mail)
> and one of the tasks which tends to be long, annoying and error prone is
> the identification of nodes, typing of MAC addresses and node number
> assignment, which usually comes in the form of a static configuration
> file. To ease the process, one would fire up dnsmasq (on the master
> node) and sequentially start his slave nodes for the first time. I make
> sure the assignment remains static after the initial start by
> auto-generating (dhcp-script) the dnsmas.ndoes.conf which I'd obviously
> source within dnsmasq.conf.
>
> Is this a reasonable feature to ask for? Does this violate any RFC?
> As far as security is concerned, it's not an issue since this is a
> closed network.

The reason it's done the way it is goes like this: It's good to offer the same address to a node whenever it does dhcpdiscover. Not doing so is probably OK from an RFC point of view, but may well confuse some clients. The standard way to do this is to keep some state in the lease database when DHCPDISCOVER happens, you record what address was offered. That's how ISC dhcpd works.

For dnsmasq, I wanted to have the DISCOVER/OFFER part of the DHCP protocol work without touching the lease database - it makes implementing that much easier.
Therefore the offered address is determined as a hash of the MAC address. Apart from collisions, a host is always offered the same address when it does a DISCOVER, without needing to use the lease database.

If that's changed, you either need to complicate the lease database, or just use a counter and offer the next address each time a DISCOVER comes in. That means that a client gets offered different addresses each time it does a DISCOVER. Very early versions of dnsmasq worked like this, and it didn't cause problems.

Cheers,

Simon.

>
> Thanks,
>
> Eric Thibodeau
>

From kyron at neuralbs.com Wed Aug 20 22:56:04 2008
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Wed Aug 20 22:56:57 2008
Subject: [Dnsmasq-discuss] dhcp-script, add|del|old ...and maybe load, DNSMASQ_USER_CLASSn, etc.
In-Reply-To: <48AC8B2A.9030906@thekelleys.org.uk>
References: <48AAE9F4.8020500@neuralbs.com> <48AC8B2A.9030906@thekelleys.org.uk>
Message-ID: <48AC92F4.50204@neuralbs.com>

Correction and comments below:

Simon Kelley wrote:
> Eric Thibodeau wrote:
>> Hello,
>>
>> I've been (ab)using dnsmasq for quite a while and I am now
>> attempting to use dhcp-script callbacks to pull information from
>> booting machines. The context is a clustering environment where nodes
>> are PXE booted, NFS root mounted and dhcpcd is used as such to send
>> in the number of detected CPUs:
>>
>> dhcpcd --renew --persistent --userclass=$(c=0; for i in
>> /sys/devices/system/cpu/cpu[0-9]*; do ((c++)); done; echo $c) eth0
>>
>> I add in --renew to force dhcpcd to send a request, it's not
>> required per se. The `$(c=0; for i in
>> /sys/devices/system/cpu/cpu[0-9]*; do ((c++)); done; echo $c)`
>> translates to 2 .
>> Here is a trace of the execution for a node that
>> was already booted and is part of the dnsmasq's cache:
>>
>> master ~ # dnsmasq -d
>> dnsmasq: started, version 2.45 cachesize 150
>> dnsmasq: compile time options: IPv6 GNU-getopt no-ISC-leasefile
>> no-DBus I18N TFTP
>> dnsmasq: DHCP, IP range 10.0.0.2 -- 10.0.0.254, lease time 12h
>> dnsmasq: TFTP root is /tftproot
>> dnsmasq: ignoring nameserver 127.0.0.1 - local interface
>> dnsmasq: reading /etc/dnsmasq-resolv.conf
>> dnsmasq: using nameserver 192.168.1.2#53
>> dnsmasq: read /etc/hosts - 2 addresses
>> ====================
>> /root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162
>> node162 and DNSMASQ_USER_CLASS0 ==
>> ====================
>> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
>> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
>> ====================
>> /root/node-manager called with old 00:0c:29:41:b5:7a 10.0.0.162
>> node162 and DNSMASQ_USER_CLASS0 ==
>> ====================
>> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
>> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
>> dnsmasq: DHCPREQUEST(eth1) 10.0.0.162 00:0c:29:41:b5:7a
>> dnsmasq: DHCPACK(eth1) 10.0.0.162 00:0c:29:41:b5:7a node162
>>
>> My interpretation (node-manager is the dhcp-script):
>> * start dnsmasq -d
>> - node-manager is called on startup with old, with
>> DNSMASQ_USER_CLASS0 null, as expected
>>
>> * on node162, call dhcpcd - dhcpcd --renew...
>> - node-manager is called but DNSMASQ_USER_CLASS0 is empty...that
>> wasn't expected.
>> Note: Roy Marples was nice enough to confirm with Wireshark that the
>> userclass is _always_ sent by dhcpcd
>>
>> * on node162, call dhcpcd - dhcpcd --renew... (again)
>> - This time, the script isn't called at all
>> * on node162, call dhcpcd - dhcpcd --renew... (and again)
>> - This time, the script isn't called either
>>
>> I can understand that 'excessive' dhcp requests can trigger a DOS
>> prevention mechanism and not call dhcp-script.
>> But this is neither
>> documented nor controllable.
>>
>> Now here is another trace booting a node that was never booted before
>> (add):
>>
>> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
>> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
>> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> ====================
>> /root/node-manager called with add 00:0c:29:8e:50:fa 10.0.0.249 and
>> DNSMASQ_USER_CLASS0 ==
>> ====================
>> dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
>> dnsmasq: TFTP error 0 TFTP Aborted received from 10.0.0.249
>> dnsmasq: TFTP failed sending /tftproot/pxelinux.0 to 10.0.0.249
>> dnsmasq: TFTP sent /tftproot/pxelinux.0 to 10.0.0.249
>> dnsmasq: TFTP sent /tftproot/pxelinux.cfg/default to 10.0.0.249
>> dnsmasq: TFTP sent /tftproot/nfsroot/x86_64/boot/kernel to 10.0.0.249
>> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
>> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa
>> dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa
>> dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa node249
>>
>> I would like it to be all clean and only request an IP address once
>> but this doesn't seem feasible for the moment since the sequence is
>> kernel-dhcpc -- (something-dhcp...can't figure out where that second
>> request comes from) -- dhcpcd called from rc scripts
>>
>> So here is my wishlist:
>>
>> - add a keyword (load?) to the add, del, old list so one can
>> differentiate between dnsmasq loading and subsequent DHCPREQUESTs
>> with 'old'.
>> I could cope with the 'old' key being also called at
>> dnsmasq startup but the *USER_CLASSn not being set threw me off.
>> - provide the means to _always_ call the dhcp-script
>> - always pass on the userclass down to the script on 'old|add'
>> (obviously implies the load key gets added).
>>
>> Don't hesitate to hit me in the generally right direction if I am
>> totally off on my usage of these tools or to ask for details.
>
> A few comments, in no particular order.
>
> The dhcp script communicates changes to the lease _database_ not
> individual DHCP interactions with a host. It's as designed that it
> doesn't get called when a lease is renewed.

Then I guess this is a misinterpretation on my part on the "old" key, I thought it would be called each time there was interaction between a host and the server.

> The userclass info is not always available, as you saw. If you want to
> use it, you'll probably need to implement a parallel database which
> has IP address as primary key and stores the userclass information.
> The userclass will always be provided when a lease is created, but not
> later.

Actually, I was _also_ calling dhcpcd incorrectly (or rather, misinterpreting the --renew option) and this was causing me to end up with dhcpcd initialized with an empty userclass, which would stick for the life of dhcpcd. Once corrected with the initial dhcpcd called correctly with the userclass data, the information _is_ sent through to dnsmasq. What I have noticed is that the userclass is passed down _only_ when the DISCOVER/OFFER/REQUEST/ACK is encountered, which is the case 3 times within the boot process because a client ends up using 3 different/independent clients (PXE, kernel and dhcpcd).

>
> The trace where you don't see userclass information even during a
> DISCOVER/OFFER/REQUEST/ACK sequence may well be a bug. What version of
> dhcpcd are you using? I'll do some tests.
Those cases aren't a bug, they are the cases where it's PXE and the kernel requesting an address.

>
> There's no DOS prevention code in the script-calling system.

Then I could not figure out why dnsmasq wasn't calling the dhcp-script upon repeated calls of `dhcpcd -n ... eth0 `

>
> It may be sensible to provide raw DHCP events to the script if people
> can use them.

I now have a setup where I can use wireshark and have recorded exchanges, is this the type of trace you're referring to?

>
> Cheers,
>
> Simon.

Thanks!

Eric

From kyron at neuralbs.com Wed Aug 20 23:49:11 2008
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Wed Aug 20 23:50:05 2008
Subject: [Dnsmasq-discuss] Sequential address assignment
In-Reply-To: <48AC8D99.3040103@thekelleys.org.uk>
References: <48AC6192.9060008@neuralbs.com> <48AC8D99.3040103@thekelleys.org.uk>
Message-ID: <48AC9F67.6040909@neuralbs.com>

Simon Kelley wrote:
> Eric Thibodeau wrote:
>> I would like to know if it would be possible to add a simple
>> feature that would tell dnsmasq to assign addresses sequentially (ie:
>> --dhcp-sequential). I am looking at address_allocate() in dhcp.c and
>> it would seem feasible without much "damage" but I'm not accustomed
>> to the code sufficiently to propose a patch. The obvious question is
>> WHY? Well, here is a use case:
>>
>> I am building a clustering livecd (as stated in a previous e-mail)
>> and one of the tasks which tends to be long, annoying and error prone
>> is the identification of nodes, typing of MAC addresses and node
>> number assignment, which usually comes in the form of a static
>> configuration file. To ease the process, one would fire up dnsmasq
>> (on the master node) and sequentially start his slave nodes for the
>> first time. I make sure the assignment remains static after the
>> initial start by auto-generating (dhcp-script) the dnsmas.ndoes.conf
>> which I'd obviously source within dnsmasq.conf.
>>
>> Is this a reasonable feature to ask for? Does this violate any
>> RFC? As far as security is concerned, it's not an issue since this is
>> a closed network.
>
> The reason it's done the way it is goes like this: It's good to offer
> the same address to a node whenever it does dhcpdiscover. Not doing so
> is probably OK from an RFC point of view, but may well confuse some
> clients. The standard way to do this is to keep some state in the
> lease database when DHCPDISCOVER happens, you record what address was
> offered. That's how ISC dhcpd works.
>
> For dnsmasq, I wanted to have the DISCOVER/OFFER part of the DHCP
> protocol work without touching the lease database - it makes
> implementing that much easier. Therefore the offered address is
> determined as a hash of the MAC address. Apart from collisions, a host
> is always offered the same address when it does a DISCOVER, without
> needing to use the lease database.

Is this the part of code you're referring to (dhcp.c):

    /* pick a seed based on hwaddr then iterate until we find a free address. */
    start.s_addr = addr.s_addr =
      htonl(ntohl(c->start.s_addr) +
            ((j + c->addr_epoch) % (1 + ntohl(c->end.s_addr) - ntohl(c->start.s_addr))));

Which then gets an offset if it happens to match an existing lease which isn't his and is in use:

    /* address in use: perturb address selection so that we are
       less likely to try this address again. */
    c->addr_epoch++;

Would this be the part to be swapped by an optional --incremental to something like (pseudo code):

    if (sequential)
        start.s_addr = RANGE_START + 1
        (search for address collision)
        if (collision)
            start.s_addr++

(^^^ my blunt ignorance of the addr struct value but the idea is there.)

This implies the search by address is already implemented and the code leads me to believe it is.

>
> If that's changed, you either need to complicate the lease database,
> or just use a counter and offer the next address each time a DISCOVER
> comes in. That means that a client gets offered different addresses
> each time it does a DISCOVER. Very early versions of dnsmasq worked
> like this, and it didn't cause problems.

Yeah, comment above.. Simple `static int counter`. Let's not forget the incremental search will also assign holes when one is met and is not reserved, which makes sense.

>
> Cheers,
>
> Simon.
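Simon's explanation and Eric's reading of dhcp.c, as an added Python model that is not dnsmasq code and not from either poster: the MAC-seeded offer with epoch perturbation beside the sequential (first free, hole-filling) and plain-counter variants, on the thread's 10.0.0.2 -- 10.0.0.254 range with addresses kept as the last octet. The byte-sum seed is an assumption standing in for dnsmasq's own hash; the MACs in the test runs are the ones from the traces above plus a constructed one that collides with them.

```python
"""Added model (not dnsmasq's code) of the DHCPOFFER address-selection strategies
discussed in the thread: hash-of-MAC with epoch perturbation versus sequential."""
from typing import Dict, Optional


def mac_seed(mac: str) -> int:
    """Stand-in (assumption) for dnsmasq's hwaddr hash: the sum of the address bytes."""
    return sum(bytes.fromhex(mac.replace(":", "")))


class Pool:
    """One dhcp-range, start..end inclusive, held as plain integers (last octet here)."""

    def __init__(self, start: int, end: int) -> None:
        self.start, self.end = start, end
        self.size = end - start + 1
        self.addr_epoch = 0                 # plays the role of c->addr_epoch in dhcp.c
        self.counter = 0                    # for the naive counter variant
        self.leases: Dict[int, str] = {}    # addr -> mac, written on DHCPACK

    def ack(self, mac: str, addr: int) -> None:
        """Commit a lease; only this touches the lease database."""
        self.leases[addr] = mac

    def release(self, addr: int) -> None:
        self.leases.pop(addr, None)

    def own_lease(self, mac: str) -> Optional[int]:
        for addr, owner in self.leases.items():
            if owner == mac:
                return addr
        return None

    def hashed_offer(self, mac: str) -> Optional[int]:
        """dnsmasq's scheme: derive the candidate from the MAC, so the same host is
        offered the same address on every DISCOVER without consulting the leases."""
        own = self.own_lease(mac)
        if own is not None:
            return own
        start = addr = self.start + (mac_seed(mac) + self.addr_epoch) % self.size
        while addr in self.leases:
            # address in use by another host: bump the epoch so that later
            # selections are less likely to land on it again (collision case)
            self.addr_epoch += 1
            addr = self.start if addr == self.end else addr + 1
            if addr == start:
                return None                 # range exhausted
        return addr

    def sequential_offer(self, mac: str) -> Optional[int]:
        """Eric's variant: lowest free address, so nodes booted one after another
        get consecutive addresses and holes left by released leases are refilled."""
        own = self.own_lease(mac)
        if own is not None:
            return own
        for addr in range(self.start, self.end + 1):
            if addr not in self.leases:
                return addr
        return None

    def counter_offer(self, mac: str) -> Optional[int]:
        """Simon's 'just use a counter' variant: every DISCOVER advances the counter,
        so a host that retries DISCOVER is offered a different address each time."""
        for _ in range(self.size):
            addr = self.start + self.counter % self.size
            self.counter += 1
            if addr not in self.leases:
                return addr
        return None
```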
>
>> Thanks,
>>
>> Eric Thibodeau
>>

From richardvoigt at gmail.com Thu Aug 21 05:35:18 2008
From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Thu Aug 21 05:36:10 2008
Subject: [Dnsmasq-discuss] dhcp-script, add|del|old ...and maybe load, DNSMASQ_USER_CLASSn, etc.
In-Reply-To: <48AC8B2A.9030906@thekelleys.org.uk>
References: <48AAE9F4.8020500@neuralbs.com> <48AC8B2A.9030906@thekelleys.org.uk>
Message-ID: <2e59e6970808202135l3d01cdbdn136fd067a199344@mail.gmail.com>

> A few comments, in no particular order.
>
> The dhcp script communicates changes to the lease _database_ not individual
> DHCP interactions with a host. It's as designed that it doesn't get called
> when a lease is renewed.

Huh? A renewal typically changes the expiration time, hence requiring database interaction. At least in my experience the script is called for each renewal (using external database only, no lease file).

From simon at thekelleys.org.uk Thu Aug 21 14:53:27 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Aug 21 14:54:22 2008
Subject: [Dnsmasq-discuss] dhcp-script, add|del|old ...and maybe load, DNSMASQ_USER_CLASSn, etc.
In-Reply-To: <48AC92F4.50204@neuralbs.com>
References: <48AAE9F4.8020500@neuralbs.com> <48AC8B2A.9030906@thekelleys.org.uk> <48AC92F4.50204@neuralbs.com>
Message-ID: <48AD7357.8030005@thekelleys.org.uk>

Eric Thibodeau wrote:
>> The dhcp script communicates changes to the lease _database_ not
>> individual DHCP interactions with a host. It's as designed that it
>> doesn't get called when a lease is renewed.
> Then I guess this is a misinterpretation on my part on the "old" key,
> I thought it would be called each time there was interaction between
> a host and the server.

No, it gets called when an existing lease record changes (and for all existing leases when dnsmasq starts up) (for extra info, see my reply to Richard)

>> The userclass info is not always available, as you saw. If you want
>> to use it, you'll probably need to implement a parallel database
>> which has IP address as primary key and stores the userclass
>> information. The userclass will always be provided when a lease is
>> created, but not later.
> Actually, I was _also_ calling dhcpcd incorrectly (or rather,
> misinterpreting the --renew option) and this was causing me to end up
> with dhcpcd initialized with an empty userclass, which would stick
> for the life of dhcpcd. Once corrected with the initial dhcpcd called
> correctly with the userclass data, the information _is_ sent through
> to dnsmasq. What I have noticed is that the userclass is passed down
> _only_ when the DISCOVER/OFFER/REQUEST/ACK is encountered, which is
> the case 3 times within the boot process because a client ends up
> using 3 different/independent clients (PXE, kernel and dhcpcd).

Ok, that means there's no bug in dnsmasq.
>> The trace where you don't see userclass information even during a
>> DISCOVER/OFFER/REQUEST/ACK sequence may well be a bug. What version
>> of dhcpcd are you using? I'll do some tests.
> Those cases aren't a bug, they are the cases where it's PXE and the
> kernel requesting an address.

OK.

>>
>> There's no DOS prevention code in the script-calling system.
> Then I could not figure out why dnsmasq wasn't calling the
> dhcp-script upon repeated calls of `dhcpcd -n ... eth0 `

As I recall, the reasoning was that the userclass info could not always be provided, so it was restricted to appear only when it would always be available, during the DISCOVER/OFFER etc phase.

>>
>> It may be sensible to provide raw DHCP events to the script if
>> people can use them.
> I now have a setup where I can use wireshark and have recorded
> exchanges, is this the type of trace you're referring to?

No, my thinking was that the lease-change script could be called with arguments like "offer" and "ack" when DHCP protocol interactions take place. That would be a fair bit of extra code to do, so it would have to be demonstrably useful.

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Aug 21 14:59:55 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Aug 21 15:00:46 2008
Subject: [Dnsmasq-discuss] dhcp-script, add|del|old ...and maybe load, DNSMASQ_USER_CLASSn, etc.
In-Reply-To: <2e59e6970808202135l3d01cdbdn136fd067a199344@mail.gmail.com>
References: <48AAE9F4.8020500@neuralbs.com> <48AC8B2A.9030906@thekelleys.org.uk> <2e59e6970808202135l3d01cdbdn136fd067a199344@mail.gmail.com>
Message-ID: <48AD74DB.4070802@thekelleys.org.uk>

richardvoigt@gmail.com wrote:
>> A few comments, in no particular order.
>>
>> The dhcp script communicates changes to the lease _database_ not individual
>> DHCP interactions with a host. It's as designed that it doesn't get called
>> when a lease is renewed.
>
> Huh? A renewal typically changes the expiration time, hence requiring
> database interaction. At least in my experience the script is called
> for each renewal (using external database only, no lease file).
>

Ok, I'm guilty of over-simplification. There's a configuration flag, --leasefile-ro, which is set when dnsmasq is used with an external database. It's very badly named, but amongst other things, it changes this behaviour so that a change in expiration time causes a call to the lease-change script. This is exactly so that an external database can track lease time. Note that this still doesn't mean that the script is called on each renewal; it's possible, though maybe pointless, to renew a lease for a shorter time so that the expiration time doesn't change.

Also, dnsmasq can be compiled with the HAVE_BROKEN_RTC option. In this case it tracks lease length, not expiration time. One of the reasons for this is so that lease renewal _doesn't_ change the lease database. It saves writes when the database is stored in NVRAM.

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Aug 21 15:03:46 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Aug 21 15:04:40 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References:
Message-ID: <48AD75C2.9070004@thekelleys.org.uk>

Rune Kock wrote:
> I know this is a bit off topic, but maybe someone on the list has some
> thoughts on this:
>
> I'm running a router for a group of people connected by lan. And I
> use a dhcp-server (dnsmasq) on the router to configure the clients.
>
> But increasingly often, someone has connected another router to the
> lan, usually to use it as a wifi access point. And since they don't
> know what they are doing, they connect their own router's lan-port to
> the big lan instead of using the wan-port. And so we get a wrong
> dhcp-server competing with dnsmasq.
>
> Every time this happens, I have to track down the rogue router by
> testing each cable of the lan. Quite time consuming, and until I get
> it done, the network is very unstable for the users.
>
> Does anyone have some ideas as to how to mitigate this problem?

Talking to the network guys of my acquaintance, it's not an easy problem to fix unless you have enterprise-grade networking kit.

You could try something which broadcasts a DHCPDISCOVER packet, that should give you replies from every DHCP server on the net, with their IP addresses.

Cheers,

Simon.

>
>
> Rune
>

From rune.kock at gmail.com Thu Aug 21 16:01:21 2008
From: rune.kock at gmail.com (Rune Kock)
Date: Thu Aug 21 16:02:12 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To: <48AD75C2.9070004@thekelleys.org.uk>
References: <48AD75C2.9070004@thekelleys.org.uk>
Message-ID:

On Thu, Aug 21, 2008 at 16:03, Simon Kelley wrote:
> Rune Kock wrote:
>> I know this is a bit off topic, but maybe someone on the list has some
>> thoughts on this:
>>
>> I'm running a router for a group of people connected by lan. And I
>> use a dhcp-server (dnsmasq) on the router to configure the clients.
>>
>> But increasingly often, someone has connected another router to the
>> lan, usually to use it as a wifi access point. And since they don't
>> know what they are doing, they connect their own router's lan-port to
>> the big lan instead of using the wan-port. And so we get a wrong
>> dhcp-server competing with dnsmasq.
>>
>> Every time this happens, I have to track down the rogue router by
>> testing each cable of the lan. Quite time consuming, and until I get
>> it done, the network is very unstable for the users.
>>
>> Does anyone have some ideas as to how to mitigate this problem?
>
> Talking to the network guys of my acquaintance, it's not an easy problem
> to fix unless you have enterprise-grade networking kit.

How would enterprise-grade equipment help?

> You could try something which broadcasts a DHCPDISCOVER packet, that
> should give you replies from every DHCP server on the net, with their IP
> addresses.

Yes, that would at least alert me immediately when the thing happens. Know any program that can do that, or would I have to write one from scratch?

Anyway, thanks for your input. I never expected any easy solution for this. My own thoughts have been:

- drop DHCP, and configure all clients statically. Not fun.

- use some kind of software-firewall or access program (PPPoE?) on the clients. Definitely not fun.

- split the lan into small segments.
Doable, but will only confine the problem to one segment, not remove it.

In the end, perhaps the only way is to shout DON'T DO THAT to the users, and hope they listen...

Rune

From bod at bod.org Thu Aug 21 16:42:18 2008
From: bod at bod.org (Paul Chambers)
Date: Thu Aug 21 16:43:09 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To: <48AD75C2.9070004@thekelleys.org.uk>
References: <48AD75C2.9070004@thekelleys.org.uk>
Message-ID: <48AD8CDA.9060909@bod.org>

From kyron at neuralbs.com Thu Aug 21 17:28:09 2008
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Thu Aug 21 17:29:03 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk>
Message-ID: <48AD9799.3050804@neuralbs.com>

Rune Kock wrote:
> On Thu, Aug 21, 2008 at 16:03, Simon Kelley wrote:
>
>> Rune Kock wrote:
>>
>>> I know this is a bit off topic, but maybe someone on the list has some
>>> thoughts on this:
>>>
>>> I'm running a router for a group of people connected by lan. And I
>>> use a dhcp-server (dnsmasq) on the router to configure the clients.
>>>
>>> But increasingly often, someone has connected another router to the
>>> lan, usually to use it as a wifi access point. And since they don't
>>> know what they are doing, they connect their own router's lan-port to
>>> the big lan instead of using the wan-port. And so we get a wrong
>>> dhcp-server competing with dnsmasq.
>>>
>>> Every time this happens, I have to track down the rogue router by
>>> testing each cable of the lan. Quite time consuming, and until I get
>>> it done, the network is very unstable for the users.
>>>
>>> Does anyone have some ideas as to how to mitigate this problem?
>>>
>> Talking to the network guys of my acquaintance, it's not an easy problem
>> to fix unless you have enterprise-grade networking kit.
>>
>
> How would enterprise-grade equipment help?
>

I would suspect such equipment can tell you on which port XYZ MAC address is connected, which makes identifying the culprit much MUCH easier. And, a really cool thing with dnsmasq, you could even trigger an alarm when an unknown MAC is added to the network or if a given MAC address matches a certain criterion such as manufacturer (ie: your network only has 3COM nics and a Cisco/Linksys MAC address suddenly appears, the script sounds a BEEP on the server and sends an administrative alert).
>> You could try something which broadcasts a DHCPDISCOVER packet, that >> should give you replies from every DHCP server on the net, with their IP >> addresses. >> > > Yes, that would at least alert me immediately when the thing happens. > Know any program that can do that, or would I have to write one from > scratch? > > Anyway, thanks for your input. I never expected any easy solution for > this. My own thoughts have been: > > - drop DHCP, and configure all clients statically. Not fun. > At worst, long leases with static assignments in the dnsmasq configuration... Funny how I'm working on a script that can build the initial configuration (an poking at Mr. Kelly for incremental IP assignments but that's only a wish and I don't want him to break his code ;oP ) > - use some kind of software-firewall or access program (PPPoE?) on the > clients. Definitely not fun. > Nah. But I seem to remember seeing some sort of "secure" DHCP somewhere but I wouldn't go there... > - split the lan into small segments. Doable, but will only confine > the problem to one segment, not remove it. > I don't really see how this would really help unless the segments are physical (broadcast domain) segments. > In the end, perhaps the only way is to shout DON'T DO THAT to the > users, and hope they listen... > This is the right answer IMHO, a net admin sometimes has to be authoritative and "put your foot down". As a consultant, I charge extra for "user did stupid thing" problems and it's in the contract and _not_ in small print so that the customer thinks more than twice before plugging anything into network. > > Rune > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > -------------- next part -------------- An HTML attachment was scrubbed... 
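The MAC-vendor alarm Eric describes above, as an added example that is not part of the thread or of dnsmasq itself: a dnsmasq dhcp-script (dnsmasq runs it as `add|old|del MAC IP [hostname]` on every lease event) that checks the lease's MAC against known hosts and the vendor OUIs you expect, and raises a syslog alert otherwise. The OUI prefixes, the known MAC and the `dhcp-watch` log tag are constructed placeholders.

```python
#!/usr/bin/env python3
"""Constructed example, not a script from the dnsmasq thread or project: a
dhcp-script for dnsmasq that alerts when a lease goes to a MAC that is neither
a known host nor from a vendor OUI we deploy. dnsmasq runs the script as
  <script> add|old|del <MAC> <IP> [hostname]
once per lease event when dhcp-script=/path/to/this is set in dnsmasq.conf."""
import re
import sys
from typing import Optional, Set, Tuple

# Constructed placeholders: fill in the OUI prefixes (first three octets) of
# the NICs you actually deploy and the MACs you already know about.
EXPECTED_OUIS: Set[str] = {"00:aa:bb", "00:cc:dd"}
KNOWN_MACS: Set[str] = {"00:aa:bb:10:20:30"}


def normalize_mac(mac: str) -> Optional[str]:
    """Accept 00:aa:bb:cc:dd:ee, 00-aa-bb-cc-dd-ee or 00aa.bbcc.ddee and return
    lower-case colon form, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: the address was assigned locally (or
    randomized), so the OUI does not identify a vendor."""
    return bool(int(mac[:2], 16) & 0x02)


def classify(action: str, mac: str, ip: str, hostname: Optional[str] = None,
             known_macs: Set[str] = KNOWN_MACS,
             expected_ouis: Set[str] = EXPECTED_OUIS) -> Tuple[str, str]:
    """Return (severity, message); severity is 'info', 'notice' or 'alert'."""
    who = hostname or "?"
    if action == "del":
        return "info", f"lease for {ip} ({mac}, {who}) released"
    norm = normalize_mac(mac)
    if norm is None:
        return "alert", f"malformed MAC {mac!r} in {action} lease for {ip}"
    if norm in known_macs:
        return "info", f"{action} lease {ip} to known host {norm} ({who})"
    if is_locally_administered(norm):
        return "notice", (f"{action} lease {ip} to locally administered MAC "
                          f"{norm} ({who}); no vendor check possible")
    oui = norm[:8]
    if oui not in expected_ouis:
        return "alert", (f"{action} lease {ip} to unexpected vendor OUI {oui} "
                         f"(MAC {norm}, host {who})")
    return "notice", f"{action} lease {ip} to new MAC {norm} ({who}) from an expected vendor"


def main(argv) -> int:
    if len(argv) < 4:
        print("usage: add|old|del MAC IP [hostname]", file=sys.stderr)
        return 2
    hostname = argv[4] if len(argv) > 4 else None
    severity, msg = classify(argv[1], argv[2], argv[3], hostname)
    import syslog  # Unix only; imported here so the module still loads elsewhere
    levels = {"info": syslog.LOG_INFO, "notice": syslog.LOG_NOTICE,
              "alert": syslog.LOG_ALERT}
    syslog.openlog("dhcp-watch", 0, syslog.LOG_DAEMON)
    syslog.syslog(levels[severity], msg)
    if severity == "alert":
        sys.stderr.write("\a" + msg + "\n")   # the BEEP on the server console
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

dnsmasq waits for the script, so keep it this short and hand anything slow (mail, paging) to a queue rather than doing it inline.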
From: rune.kock at gmail.com (Rune Kock)
Date: Thu Aug 21 18:24:17 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To: <48AD9799.3050804@neuralbs.com>
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD9799.3050804@neuralbs.com>
Message-ID:

On Thu, Aug 21, 2008 at 18:28, Eric Thibodeau wrote:
> Rune Kock wrote:
>> How would enterprise-grade equipment help?
>
> I would suspect such equipment can tell you on which port XYZ MAC address is connected, which makes identifying the culprit much MUCH easier.

Yes, Paul mentioned a Dell switch with that functionality.

> And, a really cool thing with dnsmasq, you could even trigger an alarm when an unknown MAC is added to the network or if a given MAC address matches a certain criterion such as manufacturer (i.e. your network only has 3COM nics and a Cisco/Linksys MAC address suddenly appears, the script sounds a BEEP on the server and sends an administrative alert).

Well, that is great when you want tight control of your network. My network is mostly used by people in their homes, and I would prefer not to get involved in whatever equipment they attach -- beyond what's necessary to keep the network running, that is.

>> - drop DHCP, and configure all clients statically. Not fun.
>
> At worst, long leases with static assignments in the dnsmasq configuration...

Yes, long leases would help a bit. I don't think assigning the static IPs from dnsmasq would be any better than dynamic IPs -- in both cases, the clients are susceptible to a rogue DHCP-server.

Maybe a mix is an idea: configuring the most important computers statically, and using DHCP for the rest.

> Funny how I'm working on a script that can build the initial configuration (and poking at Mr. Kelley for incremental IP assignments but that's only a wish and I don't want him to break his code ;oP )
>
>> - use some kind of software-firewall or access program (PPPoE?) on the clients. Definitely not fun.
>
> Nah. But I seem to remember seeing some sort of "secure" DHCP somewhere but I wouldn't go there...

Any solution would have to work on a wide range of different client machines. So I agree that some non-standard secure DHCP is probably out of the question.

>> - split the lan into small segments. Doable, but will only confine the problem to one segment, not remove it.
>
> I don't really see how this would really help unless the segments are physical (broadcast domain) segments.

True, I was thinking about physical segments.

>> In the end, perhaps the only way is to shout DON'T DO THAT to the users, and hope they listen...
>
> This is the right answer IMHO, a net admin sometimes has to be authoritative and "put your foot down". As a consultant, I charge extra for "user did stupid thing" problems and it's in the contract and _not_ in small print so that the customer thinks more than twice before plugging anything into the network.

Yes, if a technical fix isn't possible, I'll have to make the users aware of the situation.

Rune

From: rune.kock at gmail.com (Rune Kock)
Date: Thu Aug 21 19:14:34 2008
Subject: Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk>
Message-ID:

Oops, I forgot to cc the list on a number of my replies...

---------- Forwarded message ----------
From: Rune Kock
Date: Thu, Aug 21, 2008 at 17:10
Subject: Re: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
To: Simon Kelley

>> You could try something which broadcasts a DHCPDISCOVER packet, that should give you replies from every DHCP server on the net, with their IP addresses.
>
> Yes, that would at least alert me immediately when the thing happens. Know any program that can do that, or would I have to write one from scratch?

Sorry, should have googled before asking: http://www.net.princeton.edu/software/dhcp_probe/

From: rune.kock at gmail.com (Rune Kock)
Date: Thu Aug 21 19:15:03 2008
Subject: Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD8CDA.9060909@bod.org>
Message-ID:

---------- Forwarded message ----------
From: Rune Kock
Date: Thu, Aug 21, 2008 at 18:50
Subject: Re: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
To: Paul Chambers

On Thu, Aug 21, 2008 at 17:42, Paul Chambers wrote:
> I'm likely showing my ignorance here, but would you be able to track down the right port on a switch by using the MAC address of the DHCPDISCOVER response and the spanning tree protocol? (RSTP). I don't know of any host-based software that does such a thing, though. How complex is the switch topology we're talking about?

I don't really know how the spanning tree protocol works, and only high-end switches support it anyway, so I think I like your second suggestion better.

As for the topology, it's not quite a gordian knot, but not a text book example either. Maybe "ad hoc" is the best word. Approx. 50 computers.

> Another possibility is to get a switch that does support SNMP (i.e. 'enterprise grade'). They used to be hideously expensive, but there's now 'mid-level' products with simple web-based UIs and SNMP support that aren't too bad. I'm using a Dell Powerconnect 2716 at home, for example - about US$320 for a 16 port gigabit ethernet switch with a pretty rich feature set.

So, you're saying that this Powerconnect 2716 is able to tell me on which port a given MAC communicates? I've never tried using SNMP, but could I send it an SNMP-request "where is MAC xx:xx:yy:zz:vv", and then get a port number back?

I see that Dell has a special offer on the 2716 right now. It's actually very cheap.

Rune

From: rune.kock at gmail.com (Rune Kock)
Date: Thu Aug 21 19:15:42 2008
Subject: Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD8CDA.9060909@bod.org> <48ADA4D5.7000805@bod.org>
Message-ID:

---------- Forwarded message ----------
From: Rune Kock
Date: Thu, Aug 21, 2008 at 20:03
Subject: Re: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
To: Paul Chambers

>> So, you're saying that this Powerconnect 2716 is able to tell me on which port a given MAC communicates?
>
> I can't say for certain, having not tried it myself. What I do know is the documentation claims it supports the RMON MIB of SNMP, and there's an optional group in that MIB specification that's described as:
>
> -- The host group discovers new hosts on the network by
> -- keeping a list of source and destination MAC Addresses seen
> -- in good packets. For each of these addresses, the host group
> -- keeps a set of statistics. The hostControlTable controls
> -- which interfaces this function is performed on, and contains
> -- some information about the process. On behalf of each
> -- hostControlEntry, data is collected on an interface and placed
> -- in both the hostTable and the hostTimeTable. If the
> -- monitoring device finds itself short of resources, it may
> -- delete entries as needed. It is suggested that the device
> -- delete the least recently used entries first.
>
> -- The hostTable contains entries for each address discovered on
> -- a particular interface. Each entry contains statistical
> -- data about that host. This table is indexed by the
> -- MAC address of the host, through which a random access
> -- may be achieved.
>
> Since it's optional, I don't know if the Powerconnect switches expose this info or not. I don't use SNMP at home, so I'd have to install an SNMP browser and take a look. It may be a few days before I have time to do that.

Please do.

> Another approach that I'm pretty confident would work is to use the VLAN support in an unusual way. Tag every port with a different VLAN on ingress, and subscribe every port to the other VLANs. Mark every port to remove the VLAN tag on egress, except the monitoring port. Mirror all the ports to the monitoring port. Now you have that one monitoring port that sees all traffic, and retains the VLAN tag so you can identify which port it entered the switch on. Using that monitoring port, you'll be able to watch for packets from a 'rogue' DHCP server, and know which port it arrived on. Or any other kind of wayward traffic, for that matter.

Honestly, this sounds a bit difficult. Would the tagged packets be able to go through other (non-VLAN-capable) switches before getting to the router? How would I read the tag on the router? An SNMP-solution seems so much simpler.

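An added example, not code from the thread, from dhcp_probe or from dnsmasq, that serves both Simon's "broadcast a DHCPDISCOVER and collect the replies" idea and Paul's tagged mirror port: it parses one Ethernet frame, keeps the 802.1Q VID (which in Paul's scheme names the ingress switch port), and flags any DHCPOFFER or DHCPACK whose server identifier is not one of our own servers. The trusted server 192.168.1.1, the sample MACs and the builder that fabricates a DHCPOFFER frame are constructed for the demonstration.

```python
import struct
from typing import Dict, Optional, Set

# Constructed example, not code from the dnsmasq thread: classify one Ethernet
# frame the way a monitor on Paul's tagged mirror port (802.1Q VID = ingress
# port) or a dhcp_probe-style DHCPDISCOVER prober would, flagging server
# replies whose server identifier is not one of our own DHCP servers.

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2132 option magic cookie
DHCP_OFFER, DHCP_ACK = 2, 5           # option 53 values only a server sends
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54


def parse_dhcp_options(data: bytes) -> Dict[int, bytes]:
    """Parse the option area after the cookie; stop at END (255) or on a
    truncated option instead of raising."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:                 # PAD has no length byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(data):   # END, or length byte missing
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:       # option runs past the packet
            break
        opts[code] = value
        i += 2 + length
    return opts


def classify_frame(frame: bytes, trusted_servers: Set[str]) -> Optional[dict]:
    """Return details of a DHCPOFFER/DHCPACK carried in the frame, or None for
    anything else. 'rogue' is set when the server identifier is not ours."""
    if len(frame) < 14:
        return None
    src_mac, (ethertype,) = frame[6:12], struct.unpack("!H", frame[12:14])
    off, vid = 14, None
    if ethertype == ETH_P_8021Q:      # tagged frame: remember the VID
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    if ethertype != ETH_P_IP or len(frame) < off + 20 or frame[off + 9] != 17:
        return None                   # not IPv4/UDP
    src_ip = frame[off + 12:off + 16]
    udp = off + (frame[off] & 0x0F) * 4
    if len(frame) < udp + 8 or struct.unpack("!H", frame[udp:udp + 2])[0] != 67:
        return None                   # server replies have source port 67
    dhcp = frame[udp + 8:]
    if len(dhcp) < 240 or dhcp[0] != 2 or dhcp[236:240] != DHCP_MAGIC:
        return None                   # not a BOOTREPLY with an option area
    opts = parse_dhcp_options(dhcp[240:])
    mtype = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (DHCP_OFFER, DHCP_ACK):
        return None
    # Fall back to the IP source when the server identifier option is absent.
    server_ip = ".".join(map(str, opts.get(OPT_SERVER_ID, src_ip)))
    return {
        "vlan": vid,                                    # None when untagged
        "server_mac": src_mac.hex(":"),
        "server_ip": server_ip,
        "offered_ip": ".".join(map(str, dhcp[16:20])),  # yiaddr
        "type": "OFFER" if mtype == DHCP_OFFER else "ACK",
        "rogue": server_ip not in trusted_servers,
    }


def build_sample_offer(vid: Optional[int], server_ip: str, offered_ip: str,
                       server_mac: bytes) -> bytes:
    """Constructed DHCPOFFER frame (Ethernet[/802.1Q]/IPv4/UDP/DHCP) for
    exercising the classifier offline; IP and UDP checksums are left zero."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    opts = (b"\x35\x01\x02" + b"\x36\x04" + ip(server_ip)
            + b"\x33\x04" + struct.pack("!I", 7200) + b"\xff")
    dhcp = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                       ip("0.0.0.0"), ip(offered_ip), ip(server_ip), ip("0.0.0.0"))
    dhcp += b"\x02\x00\x00\x00\x00\x01" + b"\x00" * 10  # chaddr, 16 bytes
    dhcp += b"\x00" * 192 + DHCP_MAGIC + opts           # sname, file, cookie
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip(server_ip), ip("255.255.255.255")) + udp
    eth = b"\xff" * 6 + server_mac
    if vid is None:
        return eth + struct.pack("!H", ETH_P_IP) + ipv4
    return eth + struct.pack("!HHH", ETH_P_8021Q, vid, ETH_P_IP) + ipv4


if __name__ == "__main__":
    ours = {"192.168.1.1"}            # constructed: our dnsmasq router
    tagged = build_sample_offer(7, "192.168.1.250", "192.168.1.105", bytes.fromhex("001122334455"))
    print(classify_frame(tagged, ours))   # rogue offer that entered on VLAN/port 7
```

On a live box the frames would come from a raw socket bound to the mirror port (or from a pcap file); the classifier itself needs no privileges.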
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Fri Aug 22 00:05:41 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD9799.3050804@neuralbs.com>
Message-ID: <48ADF490.3080204@neuralbs.com>

Any of the solutions mentioned below are "patches" except probably for the level 2 switch filtering/denying DHCP server-type replies from your customers other than from your own server (or is it level3 at this point...in between maybe ;P ).

Rune Kock wrote:
> On Thu, Aug 21, 2008 at 18:28, Eric Thibodeau wrote:
>
>> Rune Kock wrote:
>>
>>> How would enterprise-grade equipment help?
>>>
>> I would suspect such equipment can tell you on which port XYZ MAC address is connected, which makes identifying the culprit much MUCH easier.
>>
>
> Yes, Paul mentioned a Dell switch with that functionality.
>
>
>> And, a really cool thing with dnsmasq, you could even trigger an alarm when an unknown MAC is added to the network or if a given MAC address matches a certain criterion such as manufacturer (i.e. your network only has 3COM nics and a Cisco/Linksys MAC address suddenly appears, the script sounds a BEEP on the server and sends an administrative alert).
>>
>
> Well, that is great when you want tight control of your network. My network is mostly used by people in their homes, and I would prefer not to get involved in whatever equipment they attach -- beyond what's necessary to keep the network running, that is.
>
Well, it sounds like you're running some sort of ISPish service sort of like one you'd see as a community service with somewhat "loose" management...btw, I am not saying this as an insult, I am attempting to picture your actual setup and constraints.

If you have the luxury of a level2 switch and 1-client per port, you could probably deny DHCPOFFER from any ports other than your own DHCP (don't quote me on the actual DHCP message, just block server responses is the idea). Even if you have more than 1 client/port you should enable such filtering to at least isolate the propagation of invalid addresses. See below for more details:

>>> - drop DHCP, and configure all clients statically. Not fun.
>>>
>> At worst, long leases with static assignments in the dnsmasq configuration...
>>
>
> Yes, long leases would help a bit. I don't think assigning the static IPs from dnsmasq would be any better than dynamic IPs -- in both cases, the clients are susceptible to a rogue DHCP-server.
>
> Maybe a mix is an idea: configuring the most important computers statically, and using DHCP for the rest.
>
Yes, most definitely, configure your servers with a static IP (served by DHCP with rather long leases) and keep them on an isolated broadcast network (if possible) and try to use an improbable network address base like 10.103.42.x/24 for them so chances are they won't come in conflict with another router's accidental assignment.

>> Funny how I'm working on a script that can build the initial configuration (and poking at Mr. Kelley for incremental IP assignments but that's only a wish and I don't want him to break his code ;oP )
>>
>>
>>> - use some kind of software-firewall or access program (PPPoE?) on the clients. Definitely not fun.
>>>
>> Nah. But I seem to remember seeing some sort of "secure" DHCP somewhere but I wouldn't go there...
>>
>
> Any solution would have to work on a wide range of different client machines. So I agree that some non-standard secure DHCP is probably out of the question.
>
>
>>> - split the lan into small segments. Doable, but will only confine the problem to one segment, not remove it.
>>>
>> I don't really see how this would really help unless the segments are physical (broadcast domain) segments.
>>
>
> True, I was thinking about physical segments.
>
>
>>> In the end, perhaps the only way is to shout DON'T DO THAT to the users, and hope they listen...
>>>
>> This is the right answer IMHO, a net admin sometimes has to be authoritative and "put your foot down". As a consultant, I charge extra for "user did stupid thing" problems and it's in the contract and _not_ in small print so that the customer thinks more than twice before plugging anything into the network.
>>
>
> Yes, if a technical fix isn't possible, I'll have to make the users aware of the situation.
>
>
> Rune
>

Eric

From: bod at bod.org (Paul Chambers)
Date: Fri Aug 22 08:54:19 2008
Subject: Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD8CDA.9060909@bod.org> <48ADA4D5.7000805@bod.org>
Message-ID: <48AE6C28.6090602@bod.org>

An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080822/5cb76325/attachment-0001.htm

From: grant_lkml at dodo.com.au (Grant Coady)
Date: Fri Aug 22 22:28:34 2008
Subject: [Dnsmasq-discuss] Is there a way to return names for DHCP clients?
Message-ID:

Hi there,

My linux boxes all have static addresses, but dnsmasq is set to give DHCP address to 'casual' boxes, usually a friend's box over for a fixup, etc.

Today I installed linux on a friend's box with DHCP lookup, but I cannot login by name:

$ ssh sharkey
ssh: Could not resolve hostname sharkey: Name or service not known
grant@deltree:~/ip2c$ ssh 192.168.1.107
...
grant@192.168.1.107's password:
Last login: Sat Aug 23 06:17:41 2008 from sillywin.mire.mine.nu
Linux 2.6.24.5-smp.
...

Is there a dnsmasq DHCP option to fix this?

I have in server's /etc/dnsmasq.conf:
...
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Section 2. DHCP Server
# ```````````````````````

domain=mire.mine.nu
expand-hosts
dhcp-authoritative

dhcp-range=192.168.1.101,192.168.1.109,2h   <-- this gave the address
dhcp-range=192.168.2.101,192.168.2.109,2h

dhcp-host=magpie,192.168.1.31,8h   <-- windoze boxen
dhcp-host=toshnt,192.168.1.35,8h
dhcp-host=sillywin,192.168.1.36,8h
dhcp-host=silly64,192.168.1.37,8h
dhcp-host=tosh98,192.168.1.45,8h

dhcp-option=42,0.0.0.0   # This box is NTP server

# these are suggested for msft boxen:
# FIXME check rfc2132 for other option
#dhcp-option=19,0        # option ip-forwarding off
#dhcp-option=36,1        # use 802.3 ethernet
dhcp-option=44,0.0.0.0   # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0.0   # netbios datagram distribution server
dhcp-option=46,8         # netbios node type
dhcp-option=47           # empty netbios scope.
#
dhcp-lease-max=50
# end

The DHCP client looks correct:
root@sharkey:/etc# cat /etc/resolv.conf
# Generated by dhcpcd for interface eth0
search mire.mine.nu
nameserver 192.168.1.1

Thanks,
Grant.

From: rune.kock at gmail.com (Rune Kock)
Date: Fri Aug 22 22:33:26 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To: <48ADF490.3080204@neuralbs.com>
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD9799.3050804@neuralbs.com> <48ADF490.3080204@neuralbs.com>
Message-ID:

> Well, it sounds like you're running some sort of ISPish service sort of like one you'd see as a community service with somewhat "loose" management...btw, I am not saying this as an insult, I am attempting to picture your actual setup and constraints.

Yes, community service is exactly what it is. (See http://en.wikipedia.org/wiki/Svanholm).

> If you have the luxury of a level2 switch and 1-client per port, you could probably deny DHCPOFFER from any ports other than your own DHCP (don't quote me on the actual DHCP message, just block server responses is the idea). Even if you have more than 1 client/port you should enable such filtering to at least isolate the propagation of invalid addresses.

So these switches have a kind of firewall on each port? I've never used a really high-end switch, so I don't know what it can do. But this would surely solve the problem. But if we are talking thousands of dollars, it's probably too expensive.

> Yes, most definitely, configure your servers with a static IP (served by DHCP with rather long leases) and keep them on an isolated broadcast network (if possible) and try to use an improbable network address base like 10.103.42.x/24 for them so chances are they won't come in conflict with another router's accidental assignment.

Yes, I'll try to do that.

I really appreciate the feedback from you and the others on the list. Though a simple fix hasn't turned up (never thought it would), you have given me a number of approaches to try.

Rune

From: rune.kock at gmail.com (Rune Kock)
Date: Fri Aug 22 22:55:25 2008
Subject: Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To: <48AE6C28.6090602@bod.org>
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD8CDA.9060909@bod.org> <48ADA4D5.7000805@bod.org> <48AE6C28.6090602@bod.org>
Message-ID:

On Fri, Aug 22, 2008 at 09:35, Paul Chambers wrote:
> Sadly the Dell Powerconnect 2716 does not support SNMP at all. The so-called 'RMON' support is limited to aggregated statistics for the entire switch, and is only visible within the web interface, not through SNMP (I think it's very misleading on Dell's part to call that RMON, to be honest).
>
> So no joy with this particular model, sorry. It's possible that there are other mid-level switches which do support this info via SNMP, but I have no information to offer.

Thanks for taking the time to test it. I'll start looking at different switches and see if one turns up at a reasonable price. Anyway, just knowing that this is an option is a great help. It never occurred to me to look for advanced switches to solve this.

> Another random idea: how about attempting to 'starve' a rogue DHCP server of addresses to hand out? i.e. monitor for another DHCP server, and if one appears, repeatedly request fresh DHCP addresses until it has no more to hand out? would the requests need to come from unique MAC addresses? does it help to pretend to be a bootp relay? This isn't an area I know a whole lot about, to be honest.

A very interesting idea. I don't know how a DHCP-server reacts when it runs out of IPs. Whether it just becomes silent, or whether it sends an error back. The first case would be great, the latter might cause the client to give up, and thus not solve anything. If this idea works, it might be possible to hack an existing program such as dhcp_probe to do this.

> It's a shame DHCP doesn't offer a mechanism to handle such situations more gracefully. I guess we could always extend dnsmasq to add one, in an attempt to establish a de facto standard :)

I wonder if IPv6 handles this any better.

If we were to extend the DHCP-standard, I would suggest a priority field. Routers would have a low priority until they are explicitly configured with a higher one. And the top priorities might require a certificate signed by some CA.

From: bod at bod.org (Paul Chambers)
Date: Fri Aug 22 23:39:13 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD9799.3050804@neuralbs.com> <48ADF490.3080204@neuralbs.com>
Message-ID: <48AF3FDD.7000707@bod.org>

An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080822/5fe5040c/attachment.htm

From: bod at bod.org (Paul Chambers)
Date: Sat Aug 23 00:51:40 2008
Subject: Fwd: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48AD75C2.9070004@thekelleys.org.uk> <48AD8CDA.9060909@bod.org> <48ADA4D5.7000805@bod.org> <48AE6C28.6090602@bod.org>
Message-ID: <48AF50D7.1090804@bod.org>

An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080822/ce259b23/attachment.htm

From: bcook at poughkeepsieschools.org (B. Cook)
Date: Sat Aug 23 14:05:10 2008
Subject: [Dnsmasq-discuss] Is there a way to return names for DHCP clients?
In-Reply-To:
References:
Message-ID: <5DF3B029-7DE2-484C-866A-D984E3265295@poughkeepsieschools.org>

Depending on your version of Linux, your dhclient might not send its name when it asks for a lease.

You could take its mac address and assign it a name as well.

so:
dhcp-host=00:11:22:33:44:55,sharkey

that way whatever ip that mac got it would always have the name sharkey (which seems like the point)

not sure what linux you have, but there is an excellent dnsmasq.conf.example that is heavily documented and has tons of great examples (hence the name)

You might also set these things in your .conf as well and then you can see what is going on in the dhcp 'process' (to some degree)

log-facility=/var/log/dnsmasq.log
log-dhcp
no-negcache

HTH

On Aug 22, 2008, at 5:27 PM, Grant Coady wrote:

> Hi there,
>
> My linux boxes all have static addresses, but dnsmasq is set to give DHCP address to 'casual' boxes, usually a friend's box over for a fixup, etc.
>
> Today I installed linux on a friend's box with DHCP lookup, but I cannot login by name:
>
> $ ssh sharkey
> ssh: Could not resolve hostname sharkey: Name or service not known
> grant@deltree:~/ip2c$ ssh 192.168.1.107
> ...
> grant@192.168.1.107's password:
> Last login: Sat Aug 23 06:17:41 2008 from sillywin.mire.mine.nu
> Linux 2.6.24.5-smp.
> ...
>
> Is there a dnsmasq DHCP option to fix this?
>
> I have in server's /etc/dnsmasq.conf:
> ...
> #-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> # Section 2. DHCP Server
> # ```````````````````````
>
> domain=mire.mine.nu
> expand-hosts
> dhcp-authoritative
>
> dhcp-range=192.168.1.101,192.168.1.109,2h   <-- this gave the address
> dhcp-range=192.168.2.101,192.168.2.109,2h
>
> dhcp-host=magpie,192.168.1.31,8h   <-- windoze boxen
> dhcp-host=toshnt,192.168.1.35,8h
> dhcp-host=sillywin,192.168.1.36,8h
> dhcp-host=silly64,192.168.1.37,8h
> dhcp-host=tosh98,192.168.1.45,8h
>
> dhcp-option=42,0.0.0.0   # This box is NTP server
>
> # these are suggested for msft boxen:
> # FIXME check rfc2132 for other option
> #dhcp-option=19,0        # option ip-forwarding off
> #dhcp-option=36,1        # use 802.3 ethernet
> dhcp-option=44,0.0.0.0   # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
> dhcp-option=45,0.0.0.0   # netbios datagram distribution server
> dhcp-option=46,8         # netbios node type
> dhcp-option=47           # empty netbios scope.
> #
> dhcp-lease-max=50
> # end
>
> The DHCP client looks correct:
> root@sharkey:/etc# cat /etc/resolv.conf
> # Generated by dhcpcd for interface eth0
> search mire.mine.nu
> nameserver 192.168.1.1
>
> Thanks,
> Grant.

From: grant_lkml at dodo.com.au (Grant Coady)
Date: Sat Aug 23 18:28:18 2008
Subject: [Dnsmasq-discuss] Is there a way to return names for DHCP clients?
In-Reply-To: <5DF3B029-7DE2-484C-866A-D984E3265295@poughkeepsieschools.org>
References: <5DF3B029-7DE2-484C-866A-D984E3265295@poughkeepsieschools.org>
Message-ID:

On Sat, 23 Aug 2008 09:04:18 -0400, "B. Cook" wrote:

>Depending on your version of Linux, your dhclient might not send its name when it asks for a lease.

I think what I did wrong was to leave this client option blank during setup ;)

>
>You could take its mac address and assign it a name as well.
>
>so:
>dhcp-host=00:11:22:33:44:55,sharkey

Not for a casual machine -- the box is already back with its owner.

>not sure what linux you have, but there is an excellent dnsmasq.conf.example that is heavily documented and has tons of great examples (hence the name)

Yeah, time to look at that again, been using dnsmasq for ~ four years

>
>You might also set these things in your .conf as well and then you can see what is going on in the dhcp 'process' (to some degree)
>log-facility=/var/log/dnsmasq.log
>log-dhcp
>no-negcache

Okay, thanks,
Grant.

From: rune.kock at gmail.com (Rune Kock)
Date: Tue Aug 26 09:01:07 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To: <48B2C3CC.5010101@beer.tclug.org>
References: <48B2C3CC.5010101@beer.tclug.org>
Message-ID:

Hi Jima

On Mon, Aug 25, 2008 at 16:38, Jima wrote:
> Out of curiosity, around how many nodes does your network have?

About 50.

> Is the network core centralized (i.e., mostly one big switch) or decentralized (mish-mash of smaller switches)?

Unfortunately, mish-mash describes it rather well. Still, there are of course a few switches that are particularly important.

> Also, what speed is the majority of the network (10, 10/100, gigabit)?

Everything is 100 Mbit currently.

> I have a vague idea relating to a VLAN-capable switch married to a Linux router, but it may or may not be terribly feasible depending on the network topology and capacity. :-)

Paul and Eric have brought forth some interesting ideas about advanced switches, too. It seems a promising line to pursue (and one that I hadn't thought about previously).

I would very much like to hear your ideas as well. And even if they won't fit my lan, they may be of value to others on the list. I doubt I'm the only one with this problem.

Rune

From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Tue Aug 26 18:00:43 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To:
References: <48B2C3CC.5010101@beer.tclug.org>
Message-ID: <2e59e6970808260959w17477962y1e6dc1af13d40541@mail.gmail.com>

On Tue, Aug 26, 2008 at 3:00 AM, Rune Kock wrote:
> Hi Jima
>
> On Mon, Aug 25, 2008 at 16:38, Jima wrote:
>> Out of curiosity, around how many nodes does your network have?
>
> About 50.
>
>> Is the network core centralized (i.e., mostly one big switch) or decentralized (mish-mash of smaller switches)?
>
> Unfortunately, mish-mash describes it rather well. Still, there are of course a few switches that are particularly important.
>
>> Also, what speed is the majority of the network (10, 10/100, gigabit)?
>
> Everything is 100 Mbit currently.
>
>> I have a vague idea relating to a VLAN-capable switch married to a Linux router, but it may or may not be terribly feasible depending on the network topology and capacity. :-)

I've got a setup like that, which enables per-port packet filtering. Of course, in our wireless environment you can't actually get per-client filtering that way, unless the access point does the filtering. Still, it can limit the damage of a rogue DHCP server to a single VLAN while you track the user down and revoke their access (actively interfering with the service is grounds to cut off access, at least temporarily, under most agreements).

Essentially:

split the switch ports into VLANs.
Attach the linux b-router to a "trunk port", defined as being a member of all VLANs with 802.1q tagging enabled.
Use brctl to bridge all the ethx.n vlan virtual interfaces.
Configure iptables/ebtables/arptables.

The b-router also becomes a good place for NAT, IDS, bandwidth throttling and QoS, and/or load balancing upstream links.

>
> Paul and Eric have brought forth some interesting ideas about advanced switches, too. It seems a promising line to pursue (and one that I hadn't thought about previously).
>
> I would very much like to hear your ideas as well. And even if they won't fit my lan, they may be of value to others on the list. I doubt I'm the only one with this problem.
>
>
> Rune
>

From: richardvoigt at gmail.com (richardvoigt@gmail.com)
Date: Tue Aug 26 21:27:42 2008
Subject: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
In-Reply-To: <2e59e6970808261325r410b5f96ledb4a0de2d964ab9@mail.gmail.com>
References: <48B2C3CC.5010101@beer.tclug.org> <2e59e6970808260959w17477962y1e6dc1af13d40541@mail.gmail.com> <48B44D12.40904@beer.tclug.org> <2e59e6970808261325r410b5f96ledb4a0de2d964ab9@mail.gmail.com>
Message-ID: <2e59e6970808261326u48044430nb657e6f71a4a62c1@mail.gmail.com>

I meant for this to go to the list, but reply-to-all didn't do it, so here's a resend.

---------- Forwarded message ----------
From: richardvoigt@gmail.com
Date: Tue, Aug 26, 2008 at 3:25 PM
Subject: Re: [Dnsmasq-discuss] Request for brain-storm: Rogue dhcp-servers on the lan
To: Jima

On Tue, Aug 26, 2008 at 1:36 PM, Jima wrote:
> richardvoigt@gmail.com wrote:
>>> On Mon, Aug 25, 2008 at 16:38, Jima wrote:
>>>> I have a vague idea relating to a VLAN-capable switch married to a Linux
>>>> router, but it may or may not be terribly feasible depending on the network
>>>> topology and capacity. :-)
>>
>> Essentially:
>>
>> split the switch ports into VLANs.
>> Attach the linux b-router to a "trunk port", defined as being a member
>> of all VLANs with 802.1q tagging enabled.
>> Use brctl to bridge all the ethx.n vlan virtual interfaces.
>> Configure iptables/ebtables/arptables.
>>
>> The b-router also becomes a good place for NAT, IDS, bandwidth
>> throttling and QoS, and/or load balancing upstream links.
>
> Richard pretty well outlined what my own course of action would be.
> Although in my experience, ebtables isn't terribly necessary -- I've been
> able to accomplish everything I've needed using iptables' physdev module.

Unless of course you want to prevent people from, for example, typing in DNS server addresses in the "own IP address" field, and screwing up the whole network. Or broadcasting wake-on-lan packets. Or flooding the network with physical-layer broadcasts. There are a lot of things that iptables won't see, and even if you have no malicious users, you may still have infected users.

> YMMV, though.
>
> Jima

From nmav at gennetsa.com Thu Aug 28 13:23:25 2008
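As an added example for the rogue-DHCP thread above (not code from dnsmasq or from anyone on the list): a small Python detector that parses DHCP replies and flags any OFFER or ACK whose server identifier (option 54) is not the LAN's approved server. The packets, the MAC 00:11:22:33:44:55, the trusted address 192.168.1.1 and the rogue 192.168.1.77 are all constructed for the example; feeding it real frames (from a pcap, or a raw socket on the b-router's bridge) is left to the reader.

```python
"""Flag DHCP OFFER/ACK packets whose server identifier is not an approved server.

Added example for the rogue-DHCP thread; not dnsmasq code.  Only the BOOTP
fixed header and the RFC 2132 option area are modelled.  All packets below
are constructed inline, so this runs offline.
"""
import struct
from ipaddress import IPv4Address

BOOTP_HDR_LEN = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Servers allowed to hand out leases on this LAN (assumption for the example).
TRUSTED_SERVERS = {IPv4Address("192.168.1.1")}


def parse_options(payload):
    """Return {code: bytes} from a DHCP option area, stopping at END (255).

    Raises ValueError on a truncated option.  A zero-length option is
    accepted here; RFC 2132 minimum-length rules are a separate check.
    """
    opts = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("option %d truncated before its length byte" % code)
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d truncated: want %d bytes" % (code, length))
        opts[code] = data
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Extract the fields a rogue-server check needs from one DHCP packet."""
    if len(packet) < BOOTP_HDR_LEN + 4:
        raise ValueError("packet shorter than BOOTP header plus magic cookie")
    op, htype, hlen, hops, xid = struct.unpack_from("!BBBBI", packet, 0)
    yiaddr = IPv4Address(packet[16:20])            # address being offered
    chaddr = packet[28:28 + min(hlen, 16)]         # client hardware address
    if packet[BOOTP_HDR_LEN:BOOTP_HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(packet[BOOTP_HDR_LEN + 4:])
    mt = opts.get(OPT_MSG_TYPE)
    sid = opts.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "yiaddr": yiaddr,
        "chaddr": chaddr.hex(":"),
        "type": MSG_NAMES.get(mt[0] if mt else 0, "UNKNOWN"),
        # option 54 is mandatory in OFFER/ACK; a missing one is reported as None
        "server_id": IPv4Address(sid) if sid and len(sid) == 4 else None,
    }


def rogue_servers(packets, trusted=TRUSTED_SERVERS):
    """Return sorted (server_ip, msg_type, offered_ip) for every OFFER or ACK
    not sent by a trusted server.  Those two message types are the ones that
    actually hand a client an address, so they are the ones to alert on."""
    hits = set()
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info["type"] not in ("OFFER", "ACK"):
            continue
        if info["server_id"] is None or info["server_id"] not in trusted:
            hits.add((str(info["server_id"]), info["type"], str(info["yiaddr"])))
    return sorted(hits)


def build_reply(msg_type, server_ip, yiaddr, chaddr, xid=0x3903F326):
    """Build a minimal BOOTREPLY carrying options 53 and 54 (constructed fixture)."""
    hdr = bytearray(BOOTP_HDR_LEN)
    struct.pack_into("!BBBBI", hdr, 0, 2, 1, 6, 0, xid)   # op=BOOTREPLY, Ethernet
    hdr[16:20] = IPv4Address(yiaddr).packed
    hdr[28:34] = bytes.fromhex(chaddr.replace(":", ""))
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
            + IPv4Address(server_ip).packed + bytes([OPT_END]))
    return bytes(hdr) + MAGIC_COOKIE + opts


# Constructed sample traffic: the real server's OFFER, then a rogue box
# offering and acknowledging an address from a different range to the same client.
SAMPLE_PACKETS = [
    build_reply(2, "192.168.1.1", "192.168.1.50", "00:11:22:33:44:55"),
    build_reply(2, "192.168.1.77", "10.0.0.9", "00:11:22:33:44:55"),
    build_reply(5, "192.168.1.77", "10.0.0.9", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    for hit in rogue_servers(SAMPLE_PACKETS):
        print("rogue DHCP server %s sent %s offering %s" % hit)
```

The same server-identifier test is what a layer-2 rule on the b-router enforces preventively rather than after the fact: drop frames carrying UDP source port 67 unless they arrive on the port the real server sits behind, which is the kind of thing ebtables sees and iptables alone does not.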
From: nmav at gennetsa.com (Nikos Mavrogiannopoulos) Date: Thu Aug 28 13:24:04 2008 Subject: [Dnsmasq-discuss] double DHCP leases Message-ID: <48B698BD.9010703@gennetsa.com> I've come across to a situation where dnsmasq was giving two IP addresses to certain (windows) hosts. The problem was that the windows host was requesting two times for an IP but having a different client identifier (check the wireshark output). I've fixed this using the attached patch. In that patch I make lease_find_by_client() to return the lease of any of the MAC and the ClientID match. The previous behaviour was that if client IDs are there, it didn't check the MAC address. What was the reason for that? regards, Nikos -------------- next part -------------- Index: lease.c =================================================================== --- lease.c (revision 593) +++ lease.c (working copy) @@ -295,19 +295,16 @@ { struct dhcp_lease *lease; - if (clid) - for (lease = leases; lease; lease = lease->next) - if (lease->clid && clid_len == lease->clid_len && + for (lease = leases; lease; lease = lease->next) { + if (clid && lease->clid && clid_len == lease->clid_len && memcmp(clid, lease->clid, clid_len) == 0) return lease; - - for (lease = leases; lease; lease = lease->next) - if ((!lease->clid || !clid) && - hw_len != 0 && - lease->hwaddr_len == hw_len && + else if (hwaddr && lease->hwaddr_len == hw_len && lease->hwaddr_type == hw_type && memcmp(hwaddr, lease->hwaddr, hw_len) == 0) - return lease; + return lease; + + } return NULL; } -------------- next part -------------- A non-text attachment was scrubbed... Name: wireshark.out.gz Type: application/x-gzip Size: 3964 bytes Desc: not available Url : http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080828/c2f94374/wireshark.out.bin From kyron at neuralbs.com Thu Aug 28 15:20:05 2008 
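Review bot: the rewrite changes which lease wins when both criteria could match. The old code searched every lease for a client-id match before falling back to the MAC; the single loop here returns the first lease in list order that matches on either test, so a request whose clid matches a later lease is handed an earlier lease that merely shares the chaddr (for example a stale lease from the same machine under its old MAC-derived clid). Keep the two-pass structure (clid pass, then MAC pass) if the intent is only to add a MAC fallback for clients that present a clid. The MAC branch also lost the `hw_len != 0` guard: with `hwaddr` non-NULL and `hw_len == 0`, `lease->hwaddr_len == hw_len` holds for any lease with no hardware address and `memcmp(..., 0)` returns 0, so such a request matches the first hwaddr-less lease; re-add `hw_len != 0 &&` to the `else if`. Returning a lease on a MAC match when the request carries a different clid is also the departure from RFC 2131 section 4.2 discussed in the thread (the server MUST identify by client identifier when one is supplied), and it changes behaviour for any client that deliberately uses more than one client identifier on one interface, which the current code treats as separate clients; if kept, it should be opt-in and documented. Minor: the `else` after an unconditional `return lease;` is redundant, and the brace on the `for` line with a closing brace after a blank line does not match the surrounding style.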
From: kyron at neuralbs.com (Eric Thibodeau)
Date: Thu Aug 28 15:21:00 2008
Subject: [Dnsmasq-discuss] double DHCP leases
In-Reply-To: <48B698BD.9010703@gennetsa.com>
References: <48B698BD.9010703@gennetsa.com>
Message-ID: <48B6B415.8060407@neuralbs.com>

I came across the same "problem" in my environment, where 3 different dhcp clients request an IP address for the same machine (PXE, kernel dhcp, dhcpcd), and was actually wondering if the change was trivial or not; the proposed modifications seem quite simple and of little performance impact.

I must admit that I find it peculiar that the Windows dhcp client changes Client IDs between invocations... although there is also the fact that MS Windows provides for kerberos binding to most of the OS's services and one can actually specify an IP address on user or machine rights... which might explain the Client ID change between boot and logon or when the machine is ready to identify itself in the Windows realm. This is pure conjecture on my part but it's my only explanation for having differing Client IDs for the requests.

Eric

Nikos Mavrogiannopoulos wrote:
> I've come across a situation where dnsmasq was giving two IP
> addresses to certain (windows) hosts. The problem was that the windows
> host was requesting two times for an IP but having a different client
> identifier (check the wireshark output). I've fixed this using the
> attached patch. In that patch I make lease_find_by_client() return
> the lease if any of the MAC and the ClientID match. The previous
> behaviour was that if client IDs are there, it didn't check the MAC
> address. What was the reason for that?
>
> regards,
> Nikos
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080828/7b49d0e4/attachment.htm

From meuserj at gmail.com Thu Aug 28 16:51:22 2008
From: meuserj at gmail.com (John C. Meuser)
Date: Thu Aug 28 16:52:16 2008
Subject: [Dnsmasq-discuss] Bug in DNSMasq
Message-ID: <1219938682.21608.9.camel@d-ilsit1>

I found a small bug in DNSMasq. I'm using dnsmasq at my company for caching and resolving internal hosts. One of the hosts is our webserver, which has a lot of domains, so its hosts line is quite long. I noticed that some of the hostnames weren't resolving, and through trial and error discovered that the problem was with any name beyond the 1024th character in the hosts line (as I said, it has a LOT of hosts).

Very simple workaround was to split the line into two, because DNSMasq doesn't seem to care if you repeat IP addresses. So it's not a huge bug, but I thought you might want to be aware of it.

John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080828/9e76c836/attachment.pgp

From simon at thekelleys.org.uk Fri Aug 29 07:29:33 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Aug 29 07:30:28 2008
Subject: [Dnsmasq-discuss] double DHCP leases
In-Reply-To: <48B698BD.9010703@gennetsa.com>
References: <48B698BD.9010703@gennetsa.com>
Message-ID: <48B7974D.7030708@thekelleys.org.uk>

Nikos Mavrogiannopoulos wrote:
> I've come across a situation where dnsmasq was giving two IP
> addresses to certain (windows) hosts. The problem was that the windows
> host was requesting two times for an IP but having a different client
> identifier (check the wireshark output).

Looks like windows is using RFC2132-like behaviour (client-id derived from MAC address) then moving to RFC4361-like behaviour (DUID client-id). Is this a big problem? The first lease will expire and release the IP address in time.

> I've fixed this using the
> attached patch. In that patch I make lease_find_by_client() return
> the lease if any of the MAC and the ClientID match. The previous
> behaviour was that if client IDs are there, it didn't check the MAC
> address. What was the reason for that?

Yes, it's what the RFCs mandate. If a client-id is provided, it shall be used as the host unique-identifier, and the MAC address ignored. See RFC4361 section 6.3 for the definitive statement on this.

Cheers,

Simon.

> ------------------------------------------------------------------------
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From simon at thekelleys.org.uk Fri Aug 29 07:32:39 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Aug 29 07:33:31 2008
Subject: [Dnsmasq-discuss] Bug in DNSMasq
In-Reply-To: <1219938682.21608.9.camel@d-ilsit1>
References: <1219938682.21608.9.camel@d-ilsit1>
Message-ID: <48B79807.3040600@thekelleys.org.uk>

John C. Meuser wrote:
> I found a small bug in DNSMasq. I'm using dnsmasq at my company for
> caching and resolving internal hosts. One of the hosts is our
> webserver, which has a lot of domains, so its hosts line is quite long.
> I noticed that some of the hostnames weren't resolving, and through
> trial and error discovered that the problem was with any name beyond the
> 1024th character in the hosts line (as I said, it has a LOT of hosts).
>
> Very simple workaround was to split the line into two, because DNSMasq
> doesn't seem to care if you repeat IP addresses. So it's not a huge
> bug, but I thought you might want to be aware of it.

Let this be a lesson to all C programmers out there. Fixed length buffers (even generous ones) will come back and bite you in the end.

Thanks for the report: I'll re-write the relevant code.

Cheers,

Simon.

From tushar_mehta at hotmail.com Fri Aug 29 09:28:08 2008
From: tushar_mehta at hotmail.com (Tushar Mehta)
Date: Fri Aug 29 09:29:00 2008
Subject: [Dnsmasq-discuss] How to setup static IP address in dnsmasq.con from external file ?
Message-ID:

Hello Guys,

Does anybody have any idea how to set up an external file assigning static ip addresses from the dnsmasq.conf file? The purpose of doing this is very simple: to not allow a non-administrator to make any wrong changes in the configuration file.

Help will be highly appreciated.

Tushar Mehta
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080829/ef8f4450/attachment.htm

From nmav at gennetsa.com Fri Aug 29 21:19:01 2008
From: nmav at gennetsa.com (Nikos Mavrogiannopoulos)
Date: Fri Aug 29 21:19:30 2008
Subject: [Dnsmasq-discuss] double DHCP leases
In-Reply-To: <48B7974D.7030708@thekelleys.org.uk>
References: <48B698BD.9010703@gennetsa.com> <48B7974D.7030708@thekelleys.org.uk>
Message-ID: <48B859B5.10700@gennetsa.com>

Simon Kelley wrote:
> Nikos Mavrogiannopoulos wrote:
>> I've come across a situation where dnsmasq was giving two IP
>> addresses to certain (windows) hosts. The problem was that the windows
>> host was requesting two times for an IP but having a different client
>> identifier (check the wireshark output).
> Looks like windows is using RFC2132-like behaviour (client-id derived
> from MAC address) then moving to RFC4361-like behaviour (DUID
> client-id). Is this a big problem? the first lease will expire and
> release the IP address in time.

Unfortunately in my case it was annoying because the user had to select his host from a menu. His host was displayed using DHCP data, which were duplicated in this case.

>> I've fixed this using the
>> attached patch. In that patch I make lease_find_by_client() return
>> the lease if any of the MAC and the ClientID match. The previous
>> behaviour was that if client IDs are there, it didn't check the MAC
>> address. What was the reason for that?
>
> Yes, it's what the RFCs mandate. If a client-id is provided, it shall
> be used as the host unique-identifier, and the MAC address ignored.
> See RFC4361 section 6.3 for the definitive statement on this.

Actually my understanding of this RFC is that client identifiers must be used as identifiers for a host. I.e. one client identifier might identify several MAC addresses that belong to a single host. I don't think it forbids disallowing multiple client identifiers per MAC address (what my patch does). Their goal was to allow a single entity (pc) to be able to identify itself by using a unique identifier over several different interfaces (with different mac addresses). What the current implementation allows is to have a single entity (pc) identify itself several times using different names (identifiers) over a single MAC address. That case is not in scope of RFC4361, thus my patch might not be that bad.

regards,
Nikos

From simon at thekelleys.org.uk Sun Aug 31 22:22:47 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Aug 31 22:23:41 2008
Subject: [Dnsmasq-discuss] double DHCP leases
In-Reply-To: <48B859B5.10700@gennetsa.com>
References: <48B698BD.9010703@gennetsa.com> <48B7974D.7030708@thekelleys.org.uk> <48B859B5.10700@gennetsa.com>
Message-ID: <48BB0BA7.3050507@thekelleys.org.uk>

Nikos Mavrogiannopoulos wrote:
> Simon Kelley wrote:
>> Nikos Mavrogiannopoulos wrote:
>>> I've come across a situation where dnsmasq was giving two IP
>>> addresses to certain (windows) hosts. The problem was that the windows
>>> host was requesting two times for an IP but having a different client
>>> identifier (check the wireshark output).
>> Looks like windows is using RFC2132-like behaviour (client-id derived
>> from MAC address) then moving to RFC4361-like behaviour (DUID
>> client-id). Is this a big problem? the first lease will expire and
>> release the IP address in time.
> Unfortunately in my case it was annoying because the user had to select
> his host from a menu. His host was displayed using DHCP data, which were
> duplicated in this case.
>
>>> I've fixed this using the
>>> attached patch. In that patch I make lease_find_by_client() return
>>> the lease if any of the MAC and the ClientID match. The previous
>>> behaviour was that if client IDs are there, it didn't check the MAC
>>> address. What was the reason for that?
>>>
>> Yes, it's what the RFCs mandate. If a client-id is provided, it shall
>> be used as the host unique-identifier, and the MAC address ignored.
>> See RFC4361 section 6.3 for the definitive statement on this.
> Actually my understanding of this RFC is that client identifiers must be
> used as identifiers for a host. I.e. one client identifier might identify
> several MAC addresses that belong to a single host. I don't think it
> forbids disallowing multiple client identifiers per MAC address (what my
> patch does). Their goal was to allow a single entity (pc) to be able to
> identify itself by using a unique identifier over several different
> interfaces (with different mac addresses). What the current
> implementation allows is to have a single entity (pc) identify itself
> several times using different names (identifiers) over a single MAC
> address. That case is not in scope of RFC4361, thus my patch might not
> be that bad.
>
> regards,
> Nikos
>

This comes from RFC2131 and I think makes it fairly clear that the behaviour of windows is broken in this case. It also gives the desired server behavior:

   A DHCP server needs to use some unique identifier to associate a
   client with its lease. The client MAY choose to explicitly provide
   the identifier through the 'client identifier' option. If the client
   supplies a 'client identifier', the client MUST use the same 'client
   identifier' in all subsequent messages, and the server MUST use that
   identifier to identify the client. If the client does not provide a
   'client identifier' option, the server MUST use the contents of the
   'chaddr' field to identify the client.

One reason that I'm reluctant to change the current behaviour is that a lot of fiddling occurred early on in the development of dnsmasq to make sure that things work in a related but more common situation, when a client sends a client-identifier sometimes but no client-identifier at other times. Related to this, one needs to think about what happens to the lease database when more than one client-id is accepted for a lease.

Cheers,

Simon.

From simon at thekelleys.org.uk Sun Aug 31 22:25:39 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Aug 31 22:26:31 2008
Subject: [Dnsmasq-discuss] double DHCP leases
In-Reply-To: <48B859B5.10700@gennetsa.com>
References: <48B698BD.9010703@gennetsa.com> <48B7974D.7030708@thekelleys.org.uk> <48B859B5.10700@gennetsa.com>
Message-ID: <48BB0C53.9000503@thekelleys.org.uk>

Nikos Mavrogiannopoulos wrote:
> Simon Kelley wrote:
>> Nikos Mavrogiannopoulos wrote:
>>> I've come across a situation where dnsmasq was giving two IP
>>> addresses to certain (windows) hosts. The problem was that the windows
>>> host was requesting two times for an IP but having a different client
>>> identifier (check the wireshark output).
>> Looks like windows is using RFC2132-like behaviour (client-id derived
>> from MAC address) then moving to RFC4361-like behaviour (DUID
>> client-id). Is this a big problem? the first lease will expire and
>> release the IP address in time.
> Unfortunately in my case it was annoying because the user had to select
> his host from a menu. His host was displayed using DHCP data, which were
> duplicated in this case.
>
>>> I've fixed this using the
>>> attached patch. In that patch I make lease_find_by_client() return
>>> the lease if any of the MAC and the ClientID match. The previous
>>> behaviour was that if client IDs are there, it didn't check the MAC
>>> address. What was the reason for that?
>>>
>> Yes, it's what the RFCs mandate. If a client-id is provided, it shall
>> be used as the host unique-identifier, and the MAC address ignored.
>> See RFC4361 section 6.3 for the definitive statement on this.
> Actually my understanding of this RFC is that client identifiers must be
> used as identifiers for a host. I.e. one client identifier might identify
> several MAC addresses that belong to a single host. I don't think it
> forbids disallowing multiple client identifiers per MAC address (what my
> patch does). Their goal was to allow a single entity (pc) to be able to
> identify itself by using a unique identifier over several different
> interfaces (with different mac addresses). What the current
> implementation allows is to have a single entity (pc) identify itself
> several times using different names (identifiers) over a single MAC
> address. That case is not in scope of RFC4361, thus my patch might not
> be that bad.
>
> regards,
> Nikos
>

One thing that might save the situation here is that dnsmasq can be configured to just ignore all client-ids from a MAC address.

--dhcp-host=00:11:22:33:44:55,id:*

If you know which clients have this problem, that might fix it.

Cheers,

Simon.

From simon at thekelleys.org.uk Sun Aug 31 22:38:31 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun Aug 31 22:39:22 2008
Subject: [Dnsmasq-discuss] How to setup static IP address in dnsmasq.con from external file ?
In-Reply-To:
References:
Message-ID: <48BB0F57.10701@thekelleys.org.uk>

Tushar Mehta wrote:
> Hello Guys,
>
> Is anybody having any idea how to setup external file assigning static
> ip address in dnsmasq.conf file ? Purpose of doing is very simple to not
> allow non-administrator to not do any wrong changes in configuration file.
>
> Help will be highly appreciated.
>
> Tushar Mehta
>

Check out the dhcp-hostsfile config option, that should be what you want.

Cheers,

Simon.

>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From agcme at hotmail.com Mon Sep 1 02:04:17 2008
From: agcme at hotmail.com (A C)
Date: Mon Sep 1 02:05:07 2008
Subject: [Dnsmasq-discuss] one laptop, one IP, two NICs?
Message-ID:

I've got a laptop that uses a wireless or wired connection (never both simultaneously). Is there a way to configure dnsmasq to serve the same IP and hostname to the laptop regardless of which interface is used? Currently other DHCP devices on my network use /etc/ethers to govern which IP they get to ensure a static IP assignment (for things like cameras and printers).

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20080831/4c21ac12/attachment.htm

From nmav at gennetsa.com Mon Sep 1 07:04:35 2008
From: nmav at gennetsa.com (Nikos Mavrogiannopoulos)
Date: Mon Sep 1 07:04:46 2008
Subject: [Dnsmasq-discuss] double DHCP leases
In-Reply-To: <48BB0BA7.3050507@thekelleys.org.uk>
References: <48B698BD.9010703@gennetsa.com> <48B7974D.7030708@thekelleys.org.uk> <48B859B5.10700@gennetsa.com> <48BB0BA7.3050507@thekelleys.org.uk>
Message-ID: <48BB85F3.6020707@gennetsa.com>

Simon Kelley wrote:
> Nikos Mavrogiannopoulos wrote:
>> Simon Kelley wrote:
>>> Nikos Mavrogiannopoulos wrote:
>>>> I've come across a situation where dnsmasq was giving two IP
>>>> addresses to certain (windows) hosts. The problem was that the windows
>>>> host was requesting two times for an IP but having a different client
>>>> identifier (check the wireshark output).
>>> Looks like windows is using RFC2132-like behaviour (client-id derived
>>> from MAC address) then moving to RFC4361-like behaviour (DUID
>>> client-id). Is this a big problem? the first lease will expire and
>>> release the IP address in time.
>> Unfortunately in my case it was annoying because the user had to select
>> his host from a menu. His host was displayed using DHCP data, which were
>> duplicated in this case.
>>
>>>> I've fixed this using the
>>>> attached patch. In that patch I make lease_find_by_client() return
>>>> the lease if any of the MAC and the ClientID match. The previous
>>>> behaviour was that if client IDs are there, it didn't check the MAC
>>>> address. What was the reason for that?
>>>>
>>> Yes, it's what the RFCs mandate. If a client-id is provided, it shall
>>> be used as the host unique-identifier, and the MAC address ignored.
>>> See RFC4361 section 6.3 for the definitive statement on this.
>> Actually my understanding of this RFC is that client identifiers must be
>> used as identifiers for a host. I.e. one client identifier might identify
>> several MAC addresses that belong to a single host. I don't think it
>> forbids disallowing multiple client identifiers per MAC address (what my
>> patch does). Their goal was to allow a single entity (pc) to be able to
>> identify itself by using a unique identifier over several different
>> interfaces (with different mac addresses). What the current
>> implementation allows is to have a single entity (pc) identify itself
>> several times using different names (identifiers) over a single MAC
>> address. That case is not in scope of RFC4361, thus my patch might not
>> be that bad.
>>
>> regards,
>> Nikos
>>
> This comes from RFC2131 and I think makes it fairly clear that the
> behaviour of windows is broken in this case. It also gives the desired
> server behavior:
>
>    A DHCP server needs to use some unique identifier to associate a
>    client with its lease. The client MAY choose to explicitly provide
>    the identifier through the 'client identifier' option. If the client
>    supplies a 'client identifier', the client MUST use the same 'client
>    identifier' in all subsequent messages, and the server MUST use that
>    identifier to identify the client. If the client does not provide a
>    'client identifier' option, the server MUST use the contents of the
>    'chaddr' field to identify the client.

Indeed windows is broken here. My patch was there to allow dnsmasq to detect those hosts and forbid them from obtaining multiple ip addresses (consider the case where a host is sending multiple random identifiers: it is going to flood the server, which would result in a DoS).

> One reason that I'm reluctant to change the current behaviour is that
> a lot of fiddling occurred early on in the development of dnsmasq to
> make sure that things work in a related but more common situation,
> when a client sends a client-identifier sometimes but no
> client-identifier at other times. Related to this, one needs to think
> about what happens to the lease database when more than one client-id
> is accepted for a lease.

I am not an expert in the DHCP protocol, I just sent the patch for consideration, because it improved the behavior (in my setup). However I don't believe the behavior is changed much. In the case you're describing the host that uses more than one client-id will be identified using the first client id that he offered (because the mac address would be the same). The second client id is effectively ignored (thus enforcing rfc2131). I haven't gone through every scenario that might occur though.

regards,
Nikos

From xerces8 at butn.net Mon Sep 1 09:29:55 2008
From: xerces8 at butn.net (xerces8)
Date: Mon Sep 1 09:30:54 2008
Subject: [Dnsmasq-discuss] one laptop, one IP, two NICs?
In-Reply-To:
References:
Message-ID:

A C wrote:
> I've got a laptop that uses a wireless or wired connection (never both simultaneously). Is there
> a way to configure dnsmasq to serve the same IP and hostname to the laptop regardless of which
> interface is used? Currently other DHCP devices on my network use /etc/ethers to govern which IP
> they get to ensure a static IP assignment (for things like cameras and printers).

Try assigning the IP address to the hostname, instead of to the MAC:

dhcp-host=hostname,192.168.x.y

Regards,
David

From matthias.andree at gmx.de Thu Sep 4 12:30:26 2008
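To make the difference between the lookup rules argued over in the double DHCP leases thread above concrete, here is an added Python model (not dnsmasq's lease code) of three policies: the RFC 2131 rule Simon quotes (client-id wins when present, chaddr otherwise), the patch's match-on-either rule, and a per-MAC ignore-client-id override in the spirit of dnsmasq's dhcp-host=<mac>,id:*. The address pool, the MAC 00:11:22:33:44:55 and both client identifiers are constructed for the example.

```python
"""Lease lookup by client identifier vs. MAC under three policies.

Added example for the double DHCP leases thread; not dnsmasq code.  The
pool, MAC and client identifiers are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Lease:
    ip: str
    mac: str
    clid: Optional[bytes]        # None when the client sent no option 61


@dataclass
class LeaseTable:
    pool: List[str]                                   # free addresses, hand-out order
    leases: List[Lease] = field(default_factory=list)
    ignore_clid_for: Set[str] = field(default_factory=set)   # MACs with an id:* style override

    def _find_rfc2131(self, mac, clid):
        # RFC 2131 4.2: identify by client-id when one is supplied; fall back to
        # chaddr only for clients that supplied none (so a lease that carries a
        # client-id is never matched by MAC).
        if clid is not None:
            return next((l for l in self.leases if l.clid == clid), None)
        return next((l for l in self.leases if l.clid is None and l.mac == mac), None)

    def _find_either(self, mac, clid):
        # The proposed patch: first lease in list order whose clid OR mac matches.
        for l in self.leases:
            if clid is not None and l.clid == clid:
                return l
            if l.mac == mac:
                return l
        return None

    def request(self, mac, clid, match_either=False):
        """Return the address handed to a client presenting (mac, clid)."""
        if mac in self.ignore_clid_for:
            clid = None                      # behave as if no client-id were sent
        find = self._find_either if match_either else self._find_rfc2131
        lease = find(mac, clid)
        if lease is None:
            if not self.pool:
                raise RuntimeError("pool exhausted")
            lease = Lease(self.pool.pop(0), mac, clid)
            self.leases.append(lease)
        return lease.ip


MAC = "00:11:22:33:44:55"
# RFC 2132 style: type byte 1 followed by the MAC.
CLID_MAC_STYLE = b"\x01" + bytes.fromhex(MAC.replace(":", ""))
# RFC 4361 style: type byte 255, IAID, DUID (values constructed for the example).
CLID_DUID_STYLE = b"\xff" + bytes.fromhex("0011223300010001deadbeef")


def demo(match_either=False, override=False):
    """A Windows-style client: MAC-derived client-id at boot, DUID later.
    Returns the addresses it was given, in order."""
    t = LeaseTable(pool=["192.168.1.50", "192.168.1.51", "192.168.1.52"])
    if override:
        t.ignore_clid_for.add(MAC)
    first = t.request(MAC, CLID_MAC_STYLE, match_either)
    second = t.request(MAC, CLID_DUID_STYLE, match_either)
    return [first, second]


def addresses_burned_by_random_ids(n, match_either=False):
    """How many leases one MAC ends up holding after cycling through n
    distinct client identifiers (pool of n + 1 so it never runs dry)."""
    t = LeaseTable(pool=["10.0.0.%d" % i for i in range(1, n + 2)])
    for i in range(n):
        t.request(MAC, i.to_bytes(4, "big"), match_either)
    return len(t.leases)


def sometimes_clid_sometimes_not():
    """Simon's related case: client-id on one request, none on the next."""
    t = LeaseTable(pool=["192.168.1.60", "192.168.1.61"])
    return [t.request(MAC, CLID_MAC_STYLE), t.request(MAC, None)]


if __name__ == "__main__":
    print("RFC 2131 rule:   ", demo())
    print("match either:    ", demo(match_either=True))
    print("id:* override:   ", demo(override=True))
    print("random ids, RFC: ", addresses_burned_by_random_ids(5))
    print("random ids, patch", addresses_burned_by_random_ids(5, match_either=True))
```

demo() hands the Windows-style client two addresses under the RFC rule and one under either of the other two policies, and addresses_burned_by_random_ids() is Nikos's pool-exhaustion point. sometimes_clid_sometimes_not() shows why Simon is wary: under the strict rule modelled here a client that sends a client-id once and none afterwards is two clients and gets two addresses, which is precisely the situation dnsmasq already special-cases, and which the id:* override also settles for a known MAC.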
From: matthias.andree at gmx.de (Matthias Andree)
Date: Thu Sep 4 12:31:23 2008
Subject: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 on dhcp-option=47
Message-ID: <48BFC6D2.9090604@gmx.de>

Greetings,

dnsmasq 2.41's .conf (I'm looking at Ubuntu 8.04 LTS installed from server CD, in case that matters) suggests to uncomment a line

"#dhcp-option=47"

in order to send an empty NetBIOS scope.

However, if I do that, dnsmasq sends option 47 with zero length, which violates RFC-2132 section 8.8, which states this option has a minimum length of 1.

Practical consequence: dhcpcd 3.2.3 on Linux (tried openSUSE 11) sees a packet with a malformed option (zero-length), discards the packet and is unable to obtain an IP address. Leaving this option commented out, dhcpcd gets the IP address as desired.

For reference, ISC dhcpd doesn't send option 47 in response if it is either not configured at all, or if configured to be the empty string (with: option netbios-scope="";)

I'd suggest to either adjust the configuration suggestion to be in compliance with RFC-2132, or, a bit stricter, make sure that this option isn't sent with zero length.

Reference:
bug report against dhcpcd

Thanks in advance & best regards

--
Matthias Andree

From simon at thekelleys.org.uk Thu Sep 4 13:50:45 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Sep 4 13:51:20 2008
Subject: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 on dhcp-option=47
In-Reply-To: <48BFC6D2.9090604@gmx.de>
References: <48BFC6D2.9090604@gmx.de>
Message-ID: <48BFD9A5.9070708@thekelleys.org.uk>

Matthias Andree wrote:
> Greetings,
>
> dnsmasq 2.41's .conf (I'm looking at Ubuntu 8.04 LTS installed from server
> CD, in case that matters) suggests to uncomment a line
>
> "#dhcp-option=47"
>
> in order to send an empty NetBIOS scope.
>
> However, if I do that, dnsmasq sends option 47 with zero length, which
> violates RFC-2132 section 8.8, which states this option has a minimum length
> of 1.
>
> Practical consequence: dhcpcd 3.2.3 on Linux (tried openSUSE 11) sees a
> packet with a malformed option (zero-length), discards the packet and is
> unable to obtain an IP address. Leaving this option commented out, dhcpcd
> gets the IP address as desired.
>
> For reference, ISC dhcpd doesn't send option 47 in response if it is either
> not configured at all, or if configured to be the empty string
> (with: option netbios-scope="";)
>
> I'd suggest to either adjust the configuration suggestion to be in
> compliance with RFC-2132, or, a bit stricter, make sure that this option
> isn't sent with zero length.
>
> Reference:
> bug report against dhcpcd
>
> Thanks in advance & best regards
>

Thanks for the report.

I'm no expert on NetBios configuration (in fact I know almost nothing about it....) Those suggested options came from a third party, long ago.

Is there an "empty netbios scope" which is one character long? If not, I'm inclined simply to delete that line from the example file, or maybe change it to show how to set the scope to "example.com" or similar.

Cheers,

Simon.

From matthias.andree at gmx.de Thu Sep 4 15:14:23 2008
From: matthias.andree at gmx.de (Matthias Andree)
Date: Thu Sep 4 15:15:14 2008
Subject: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 on dhcp-option=47
In-Reply-To: <48BFD9A5.9070708@thekelleys.org.uk>
References: <48BFC6D2.9090604@gmx.de> <48BFD9A5.9070708@thekelleys.org.uk>
Message-ID: <48BFED3F.9070408@gmx.de>

Simon Kelley wrote:
> I'm no expert on NetBios configuration (in fact I know almost nothing
> about it....) Those suggested options came from a third party, long ago.

I don't know NetBIOS either.

Some more detail though: the upstream dhcpcd 3.2.3 version is fine, it's a Novell/openSUSE patch that breaks the dhcpcd client on openSUSE 11.0, in that it requests option 47. Plain dhcpcd doesn't do that (dhclient neither) and hence doesn't get this malformed response. Novell patched dhcpcd apparently (and incorrectly) in order to support Samba client reconfiguration, introducing nice inconsistencies with dhclient along the way... Why do vendors always resort to such undocumented, half-baked, package-breaking... undocumented, bogus patches... I wish Roy Marples had left it at the GPL, so that Novell would have been required to state they broke the package.

https://bugzilla.novell.com/show_bug.cgi?id=423145

> Is there an "empty netbios scope" which is one character long?

I don't know. Apparently the empty value was meant to override possible Windows Registry configuration on clients, but a snippet I've found in older Samba instructions on the web, namely "options netbios-scope="";", is ignored by ISC dhcpd v3.0.6 (I checked openSUSE 11.0, whatever contorted patches THAT package might have applied).

OTOH, I wouldn't be too surprised if some Microsoftish DHCP server were to return bogus zero-length option 47 records in violation of RFC-2132...

> If not,
> I'm inclined simply to delete that line from the example file, or maybe
> change it to show how to set the scope to "example.com" or similar.

Your suggestion seems sensible to me.

Workaround: leave dhcp-option=47 commented out...

--
Matthias Andree

From matthias.andree at gmx.de Thu Sep 4 15:16:51 2008
From: matthias.andree at gmx.de (Matthias Andree)
Date: Thu Sep 4 15:17:40 2008
Subject: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 ondhcp-option=47
In-Reply-To:
References:
Message-ID: <48BFEDD3.5040001@gmx.de>

Michael Elkevizth wrote:
> Just to comment on this, which may or may not be relevant, I have assigned a
> static IP to my one OpenSUSE 11 box. It seemed to intermittently refuse to
> accept a dhcp assigned address. I would attribute this to a dhcpclient
> problem with OpenSUSE rather than dnsmasq only because I have no trouble
> with any other client. This could be because the newer versions of
> dhcpclient do things "the correct way", but the correct way in my opinion is
> to work, which it most certainly does not. And my dnsmasq config doesn't
> have option 47 in it at all so that isn't causing the problem for me.

Check /var/log/messages and see why it refuses the address, or check with tshark/tcpdump what happens on the wire.

--
Matthias Andree

From mike at dcsamerica.com Thu Sep 4 15:17:58 2008
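As an added example for the dhcp-option=47 thread (not dnsmasq's option code): a Python option encoder that applies the RFC 2132 length rules before anything goes on the wire, so a NetBIOS scope configured as empty is either dropped, the behaviour reported above for ISC dhcpd, or rejected, but never emitted as a zero-length option 47. The length table lists only a handful of options and is this example's own abbreviation of RFC 2132; extend it for the options you actually serve.

```python
"""Encode DHCP options with RFC 2132 length rules enforced at the sender.

Added example for the dhcp-option=47 thread; not dnsmasq code.  LENGTH_RULES
is an abbreviation of RFC 2132 covering a few common options only.
"""

OPT_END = 255

# code -> (minimum length, required multiple), per RFC 2132.  Option 47
# (NetBIOS over TCP/IP scope, section 8.8) has minimum length 1, so a
# zero-length option 47 is a malformed packet.
LENGTH_RULES = {
    1:  (4, 4),    # subnet mask
    3:  (4, 4),    # router list
    6:  (4, 4),    # DNS server list
    12: (1, 1),    # host name
    15: (1, 1),    # domain name
    44: (4, 4),    # NetBIOS name servers
    47: (1, 1),    # NetBIOS scope
    51: (4, 4),    # lease time
    53: (1, 1),    # DHCP message type
    54: (4, 4),    # server identifier
}


class OptionLengthError(ValueError):
    """Raised when an option would violate RFC 2132 length rules."""


def check_option(code, data):
    """Raise OptionLengthError if (code, data) cannot legally be sent."""
    if not 1 <= code <= 254:
        raise OptionLengthError("option code %d out of range" % code)
    if len(data) > 255:
        raise OptionLengthError("option %d: %d bytes do not fit a one-byte length"
                                % (code, len(data)))
    rule = LENGTH_RULES.get(code)
    if rule is None:
        return                        # no rule known here; send as given
    min_len, multiple = rule
    if len(data) < min_len:
        raise OptionLengthError("option %d: length %d below minimum %d"
                                % (code, len(data), min_len))
    if len(data) % multiple:
        raise OptionLengthError("option %d: length %d not a multiple of %d"
                                % (code, len(data), multiple))


def encode_options(options, drop_empty=True):
    """Serialise {code: bytes} into an option area terminated by 255.

    With drop_empty=True an empty value for an option whose minimum length
    is 1 or more is simply not sent (what the thread reports ISC dhcpd doing
    for netbios-scope ""); with drop_empty=False it is an error instead.
    Either way no zero-length option reaches the wire.
    """
    out = bytearray()
    for code in sorted(options):
        data = options[code]
        if not data and drop_empty and LENGTH_RULES.get(code, (0, 1))[0] > 0:
            continue
        check_option(code, data)
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


if __name__ == "__main__":
    # An empty scope is dropped; a real scope is encoded as 47, len, text.
    print(encode_options({47: b""}).hex())
    print(encode_options({47: b"example.com"}).hex())
```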
From: mike at dcsamerica.com (Data Control Systems - Mike Elkevizth)
Date: Thu Sep 4 15:18:56 2008
Subject: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 on dhcp-option=47
In-Reply-To: <48BFD9A5.9070708@thekelleys.org.uk>
Message-ID:

Just to comment on this, which may or may not be relevant, I have assigned a static IP to my one OpenSUSE 11 box. It seemed to intermittently refuse to accept a dhcp assigned address. I would attribute this to a dhcpclient problem with OpenSUSE rather than dnsmasq only because I have no trouble with any other client. This could be because the newer versions of dhcpclient do things "the correct way", but the correct way in my opinion is to work, which it most certainly does not. And my dnsmasq config doesn't have option 47 in it at all so that isn't causing the problem for me.

Mike E.

-----Original Message-----
From: dnsmasq-discuss-bounces@lists.thekelleys.org.uk
[mailto:dnsmasq-discuss-bounces@lists.thekelleys.org.uk] On Behalf Of Simon Kelley
Sent: Thursday, September 04, 2008 8:51 AM
To: Matthias Andree; dnsmasq discussion list
Subject: Re: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 on dhcp-option=47

Matthias Andree wrote:
> Greetings,
>
> dnsmasq 2.41's .conf (I'm looking at Ubuntu 8.04 LTS installed from server
> CD, in case that matters) suggests to uncomment a line
>
> "#dhcp-option=47"
>
> in order to send an empty NetBIOS scope.
>
> However, if I do that, dnsmasq sends option 47 with zero-length, which
> violates RFC-2132 section 8.8 that states this option has a minimal length
> of 1.
>
> Practical consequence: dhcpcd 3.2.3 on Linux (tried openSUSE 11) sees a
> packet with malformed option (zero-length) and discards the packet and is
> unable to obtain an IP address. Leaving this option commented out, dhcpcd
> gets the IP address as desired.
>
> For reference, ISC dhcpd doesn't send option 47 in response if it is either
> not configured at all, or if configured to be the empty string
> (with: option netbios-scope="";)
>
> I'd suggest to either adjust the configuration suggestion to be in
> compliance with RFC-2132, or, a bit stricter, make sure that this option
> isn't sent with zero length.
>
> Reference:
> bug report against dhcpcd
>
>
> Thanks in advance & best regards
>

Thanks for the report. I'm no expert on NetBios configuration (in fact I know almost nothing about it....) Those suggested options came from a third party, long ago.

Is there an "empty netbios scope" which is one character long? If not, I'm inclined simply to delete that line from the example file, or maybe change it to show how to set the scope to "example.com" or similar.

Cheers,

Simon.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From bcook at poughkeepsieschools.org Thu Sep 4 15:35:21 2008
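A worked check of the RFC 2132 length rule at issue in this thread, as an added example (not dnsmasq or dhcpcd code): a small option encoder that omits empty values instead of emitting a zero-length option 47, and a parser that, like the strict client described above, discards a block containing one. The sample option blocks are constructed; the minimum lengths are from RFC 2132, and option 26 (interface MTU) is included as a fixed-length option for contrast.

```python
"""RFC 2132 option-length checks for DHCP option TLVs (added example)."""
import struct

# Minimum lengths from RFC 2132 for the options that matter here; options
# with a fixed size are also listed in FIXED_LEN. Section 8.8 gives
# option 47 (NetBIOS scope) a minimum length of 1.
MIN_LEN = {1: 4, 3: 4, 15: 1, 26: 2, 44: 4, 47: 1, 51: 4, 53: 1, 54: 4}
FIXED_LEN = {1: 4, 26: 2, 51: 4, 53: 1, 54: 4}
PAD, END = 0, 255


class MalformedOption(ValueError):
    """An option violates the RFC 2132 length rules or the block is truncated."""


def encode_options(options):
    """Build a wire-format option block from (code, value_bytes) pairs.

    An empty value is omitted rather than sent with length 0 (the thread
    notes ISC dhcpd does this for netbios-scope=""), and a fixed-length
    option with the wrong size is refused instead of being sent.
    """
    out = bytearray()
    for code, value in options:
        if not value:
            continue
        if code in FIXED_LEN and len(value) != FIXED_LEN[code]:
            raise MalformedOption(f"option {code}: length {len(value)}, expected {FIXED_LEN[code]}")
        if len(value) > 255:
            raise MalformedOption(f"option {code}: value exceeds 255 bytes")
        out += bytes((code, len(value))) + bytes(value)
    out.append(END)
    return bytes(out)


def parse_options(blob, strict=True):
    """Parse an option block into {code: value}.

    strict=True drops the whole block on any under-length option, as the
    patched dhcpcd did on a zero-length option 47; strict=False skips just
    the offending option so the rest of the reply stays usable.
    """
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            return opts
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise MalformedOption("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise MalformedOption(f"option {code}: truncated value")
        too_short = length < MIN_LEN.get(code, 0)
        wrong_size = code in FIXED_LEN and length != FIXED_LEN[code]
        if too_short or wrong_size:
            if strict:
                raise MalformedOption(f"option {code}: length {length} violates RFC 2132")
        else:
            opts[code] = value
        i += 2 + length
    raise MalformedOption("missing END option")


def client_accepts(blob):
    """Would a strict client keep this reply? False means it is discarded."""
    try:
        parse_options(blob, strict=True)
    except MalformedOption:
        return False
    return True


def netbios_scope(opts):
    """Option 47 as text, or None when absent."""
    return opts[47].decode("ascii") if 47 in opts else None


def interface_mtu(opts):
    """Option 26 (interface MTU, fixed 2-byte unsigned) as an int, or None."""
    return struct.unpack("!H", opts[26])[0] if 26 in opts else None


# Constructed sample: what "dhcp-option=47" with no value puts on the wire
# after the message-type option: a DHCPOFFER (53 = 2) then 47 with length 0.
ZERO_LENGTH_SCOPE_OFFER = bytes((53, 1, 2, 47, 0, END))

# The same offer built through encode_options(): the empty scope is dropped
# and a 1492-byte MTU (0x05D4) is carried in option 26.
WELL_FORMED_OFFER = encode_options([(53, b"\x02"), (47, b""), (26, struct.pack("!H", 1492))])
```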
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Thu Sep 4 15:36:17 2008
Subject: [Dnsmasq-discuss] dhcp-ignore=bootp still missing something..
Message-ID:

Hello,

Not sure what is going on still, but it seems these JetDirect 170x's are turning into non dhcp'able devices..

Sep 4 10:09:23 core dnsmasq[43184]: DHCP packet: transaction-id is 620822528
Sep 4 10:09:23 core dnsmasq[43184]: Available DHCP range: 10.20.6.2 -- 10.20.7.254
Sep 4 10:09:23 core dnsmasq[43184]: Vendor class: Hewlett-Packard JetDirect
Sep 4 10:09:23 core dnsmasq[43184]: DHCPDISCOVER(em0) 10.20.6.45 00:0e:7f:37:22:e5
Sep 4 10:09:23 core dnsmasq[43184]: DHCPOFFER(em0) 10.20.6.45 00:0e:7f:37:22:e5
Sep 4 10:09:23 core dnsmasq[43184]: requested options: 1:netmask, 3:router, 7:log-server, 44:netbios-ns,
Sep 4 10:09:23 core dnsmasq[43184]: requested options: 51:lease-time, 54:server-identifier, 58:T1,
Sep 4 10:09:23 core dnsmasq[43184]: requested options: 59:T2, 12:hostname, 15:domain-name, 144,
Sep 4 10:09:23 core dnsmasq[43184]: requested options: 18:extension-path
Sep 4 10:09:23 core dnsmasq[43184]: tags: smi, smi, known
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 1 option: 53:message-type 02
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 54:server-identifier 0a:14:00:10
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 51:lease-time 00:00:38:40
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 58:T1 00:00:1c:20
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 59:T2 00:00:31:38
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 1:netmask ff:ff:fe:00
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 28:broadcast 0a:14:07:ff
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 8 option: 15:domain-name 73:6d:69:2e:70:63:73:64
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 0 option: 44:netbios-ns
Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 3:router 0a:14:06:01

( looks like it all worked )

> ping 10.20.6.45
PING 10.20.6.45 (10.20.6.45): 56 data bytes
^C
--- 10.20.6.45 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

From mike at dcsamerica.com Thu Sep 4 16:36:12 2008
From: mike at dcsamerica.com (Data Control Systems - Mike Elkevizth)
Date: Thu Sep 4 16:37:11 2008
Subject: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 on dhcp-option=47
In-Reply-To: <48BFEDD3.5040001@gmx.de>
Message-ID:

I have checked /var/log/messages on both the dnsmasq server (which is CentOS 4.7) and the client (OpenSUSE 11.0). The server shows that it is sending a DHCPOFFER and DHCPACK after a DHCPREQUEST from the client. The client rarely (like I said it is intermittent) shows a DHCPINFORM. I might check the wire with Wireshark, but since it is only one client that has the problem, it was much easier to just assign a static IP and hope that the problem gets fixed sometime in the future.

Thanks for the advice,

Mike

-----Original Message-----
From: dnsmasq-discuss-bounces@lists.thekelleys.org.uk [mailto:dnsmasq-discuss-bounces@lists.thekelleys.org.uk]On Behalf Of Matthias Andree Sent: Thursday, September 04, 2008 10:17 AM To: dnsmasq discussion list Subject: Re: [Dnsmasq-discuss] dnsmasq.conf 2.41 violates RFC-2132 ondhcp-option=47 Michael Elkevizth schrieb: > Just to comment on this, which may or may not be relevant, I have assigned a > static IP to my one OpenSUSE 11 box. It seemed to intermittently refuse to > accept a dhcp assigned address. I would attribute this to a dhcpclient > problem with OpenSUSE rather than dnsmasq only because I have not trouble > with any other client. This could be because the newer versions of > dhcpclient do things "the correct way", but the correct way in my opinion is > to work, which it most certainly does not. And my dnsmasq config doesn't > have option 47 in it at all so that isn't causing the problem for me. Check /var/log/messages and see why it refuses the address, or check with tshark/tcpdump what happens on the wire. -- Matthias Andree _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss From kyron at neuralbs.com Thu Sep 4 17:05:51 2008 
From: kyron at neuralbs.com (Eric Thibodeau) Date: Thu Sep 4 17:06:40 2008 Subject: [Dnsmasq-discuss] dhcp-ignore=bootp still missing something.. In-Reply-To: References: Message-ID: <48C0075F.3080007@neuralbs.com> Nope, you're missing 2 elements in the sequence after the offer, your HP doesn't confirm with a DHCPREQUEST. Here is one of my sequences: dnsmasq: DHCPDISCOVER(eth1) 00:0c:29:8e:50:fa dnsmasq: DHCPOFFER(eth1) 10.0.0.249 00:0c:29:8e:50:fa dnsmasq: DHCPREQUEST(eth1) 10.0.0.249 00:0c:29:8e:50:fa dnsmasq: DHCPACK(eth1) 10.0.0.249 00:0c:29:8e:50:fa B. Cook wrote: > Hello, > > Not sure what is going on still, but it seems these JetDirect 170x's > are turning into non dhcp'able devices.. > > Sep 4 10:09:23 core dnsmasq[43184]: DHCP packet: transaction-id is > 620822528 > Sep 4 10:09:23 core dnsmasq[43184]: Available DHCP range: 10.20.6.2 > -- 10.20.7.254 > Sep 4 10:09:23 core dnsmasq[43184]: Vendor class: Hewlett-Packard > JetDirect > Sep 4 10:09:23 core dnsmasq[43184]: DHCPDISCOVER(em0) 10.20.6.45 > 00:0e:7f:37:22:e5 > Sep 4 10:09:23 core dnsmasq[43184]: DHCPOFFER(em0) 10.20.6.45 > 00:0e:7f:37:22:e5 > Sep 4 10:09:23 core dnsmasq[43184]: requested options: 1:netmask, > 3:router, 7:log-server, 44:netbios-ns, > Sep 4 10:09:23 core dnsmasq[43184]: requested options: 51:lease-time, > 54:server-identifier, 58:T1, > Sep 4 10:09:23 core dnsmasq[43184]: requested options: 59:T2, > 12:hostname, 15:domain-name, 144, > Sep 4 10:09:23 core dnsmasq[43184]: requested options: 18:extension-path > Sep 4 10:09:23 core dnsmasq[43184]: tags: smi, smi, known > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 1 option: > 53:message-type 02 > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: > 54:server-identifier 0a:14:00:10 > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: > 51:lease-time 00:00:38:40 > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 58:T1 > 00:00:1c:20 > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 59:T2 > 00:00:31:38 > Sep 4 
10:09:23 core dnsmasq[43184]: sent size: 4 option: 1:netmask > ff:ff:fe:00 > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: > 28:broadcast 0a:14:07:ff > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 8 option: > 15:domain-name 73:6d:69:2e:70:63:73:64 > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 0 option: 44:netbios-ns > Sep 4 10:09:23 core dnsmasq[43184]: sent size: 4 option: 3:router > 0a:14:06:01 > > ( looks like it all worked ) > > > ping 10.20.6.45 > PING 10.20.6.45 (10.20.6.45): 56 data bytes > ^C > --- 10.20.6.45 ping statistics --- > 5 packets transmitted, 0 packets received, 100% packet loss > > > > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss From cm-dnsmasq at matter.net Thu Sep 4 20:24:22 2008 
From: cm-dnsmasq at matter.net (Larry Matter)
Date: Thu Sep 4 20:25:22 2008
Subject: [Dnsmasq-discuss] dnsmasq and freenum.org issue
Message-ID: <42113.192.168.1.97.1220556262.squirrel@matter.net>

Hi,

I've been using dnsmasq for a while now and love it. It's perfect for my home LAN setup. I have one issue, however, trying to use the services of freenum.org. Forgive me, but I'm not well versed in DNS so I may not explain the problem that well.

As I understand it, freenum essentially uses DNS to turn a "phone number" into an SIP url (or a SIP url regular expression). It uses NAPTR records, for which I understand support was added in 2.43. I'm running 2.45.

Dialing a "freenum" number works from my freeswitch installation when using an outside DNS server, but when I point it to my local dnsmasq, it does not. Doing a "dig xxx.freenum.org NAPTR" command against dnsmasq and the outside server shows the same thing, except that dnsmasq sets the aa flag.

Here is the output from dnsmasq -d:

dnsmasq: query[A] 4.3.2.1.256.freenum.org from 192.168.1.xxx
dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179
dnsmasq: query[A] 4.3.2.1.256.freenum.org from 192.168.1.xxx
dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179

Which doesn't mean much to me. I'm not sure how best to debug this, and would appreciate any suggestions.

Thanks!
Larry Matter

Using a public dns server

From simon at thekelleys.org.uk Thu Sep 4 21:42:04 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Sep 4 21:42:54 2008
Subject: [Dnsmasq-discuss] dnsmasq and freenum.org issue
In-Reply-To: <42113.192.168.1.97.1220556262.squirrel@matter.net>
References: <42113.192.168.1.97.1220556262.squirrel@matter.net>
Message-ID: <48C0481C.4060005@thekelleys.org.uk>

Larry Matter wrote:
> Hi,
>
> I've been using dnsmasq for a while now and love it. It's perfect for my
> home LAN setup. I have one issue, however, trying to use the services of
> freenum.org. Forgive me, but I'm not well versed in DNS so I may not
> explain the problem that well.
>
> As I understand it, freenum essentially uses DNS to turn a "phone number"
> into an SIP url (or a SIP url regular expression). It uses NAPTR
> records, for which I understand support was added in 2.43. I'm running
> 2.45.

The addition in 2.43 was to support local NAPTR records, dnsmasq has always been capable of forwarding NAPTR queries and returning the results. (This is true of all DNS record types.)

> Dialing a "freenum" number works from my freeswitch installation when
> using an outside DNS server, but when I point it to my local dnsmasq, it
> does not. Doing a "dig xxx.freenum.org NAPTR" command against dnsmasq
> and the outside server shows the same thing, except that dnsmasq sets the
> aa flag.
>

Indeed, that seems to work fine here.

> Here is the output from dnsmasq -d:
>
> dnsmasq: query[A] 4.3.2.1.256.freenum.org from 192.168.1.xxx
> dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179
> dnsmasq: query[A] 4.3.2.1.256.freenum.org from 192.168.1.xxx
> dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179

Something is making queries for A records (IP addresses) there. Do you see something like

dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1.xxx

too?

One possibility, do you have the filterwin2k flag set in the dnsmasq config? It's possible that PTR lookups are involved somewhere in this process, and filterwin2k can interfere with that.
Cheers,

Simon.

From cm-dnsmasq at matter.net Thu Sep 4 22:56:28 2008
From: cm-dnsmasq at matter.net (Larry Matter)
Date: Thu Sep 4 22:57:29 2008
Subject: [Dnsmasq-discuss] dnsmasq and freenum.org issue
In-Reply-To: <48C0481C.4060005@thekelleys.org.uk>
References: <42113.192.168.1.97.1220556262.squirrel@matter.net> <48C0481C.4060005@thekelleys.org.uk>
Message-ID: <3273.192.168.1.83.1220565388.squirrel@matter.net>

> Something is making queries for A records (IP addresses) there. Do you
> see something like
>
> dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1.xxx
> too?

Here is a better trace:

dnsmasq: query[SRV] _sip._udp.sip.matter.net from 192.168.1.
dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN
dnsmasq: query[A] sip.matter.net from 192.168.1.
dnsmasq: /etc/hosts sip.matter.net is 192.168.1.
dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1.
dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179
dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1.
dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179
dnsmasq: query[SRV] _sip._udp.sip.matter.net from 192.168.1.
dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN
dnsmasq: query[A] sip.matter.net from 192.168.1.
dnsmasq: /etc/hosts sip.matter.net is 192.168.1.

> One possibility, do you have the filterwin2k flag set in the dnsmasq
> config? It's possible that PTR lookups are involved somewhere in this
> process, and filterwin2k can interfere with that.

No, I commented that out a while ago as my sip trunk (voicepulse) uses PTR records and as you said that was interfering.

Any other ways I can dig deeper?

Thanks!
Larry Matter

From cm-dnsmasq at matter.net Fri Sep 5 00:41:42 2008
From: cm-dnsmasq at matter.net (Larry Matter) Date: Fri Sep 5 00:42:37 2008 Subject: [Dnsmasq-discuss] dnsmasq and freenum.org issue In-Reply-To: <3273.192.168.1.83.1220565388.squirrel@matter.net> References: <42113.192.168.1.97.1220556262.squirrel@matter.net> <48C0481C.4060005@thekelleys.org.uk> <3273.192.168.1.83.1220565388.squirrel@matter.net> Message-ID: <3524.192.168.1.83.1220571702.squirrel@matter.net> More information. I ran wireshark on both the freeswitch and dnsmasq machines. When going through dnsmasq, dnsmasq makes the NAPTR query directly to freenum.org - 216.218.159.17, not to the upstream dns server. It appears never to get a response. However, "dig 4.3.2.1.256.freenum.org naptr @216.218.159.179" does give me the correct response. So I'm at a loss. One other peculiarity; I use dnsmasq to give internal LAN IP's to my machines (e.g., sip.matter.net). These hostnames also resolve on the internet to my current dyndns IP via zoneedit. So having my freeswitch machine bypass dnsmasq might confuse things when it queries for its own IP from an outside dns server. Any advice for next steps? Thanks! Larry Matter >> Something is making queries for A records (IP addresses) there. Do you >> see something like >> >> dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1.xxx >> too? > > Here is a better trace: > > dnsmasq: query[SRV] _sip._udp.sip.matter.net from 192.168.1. > dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN > dnsmasq: query[A] sip.matter.net from 192.168.1. > dnsmasq: /etc/hosts sip.matter.net is 192.168.1. > dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1. > dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179 > dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1. > dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179 > dnsmasq: query[SRV] _sip._udp.sip.matter.net from 192.168.1. > dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN > dnsmasq: query[A] sip.matter.net from 192.168.1. 
> dnsmasq: /etc/hosts sip.matter.net is 192.168.1. > >> >> One posibility, do you have the filterwin2k flag set in the dnsmasq >> config? It's possible that PTR lookups are involved somewhere in this >> process, and filterwin2k can interfere with that. > > No, I commented that out a while ago as my sip trunk (voicepulse) uses PTR > records and as you said that was interfering. > > Any other ways I can dig deeper? > > Thanks! > Larry Matter > > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > From richardvoigt at gmail.com Fri Sep 5 01:12:26 2008 From: richardvoigt at gmail.com (richardvoigt@gmail.com) Date: Fri Sep 5 01:13:18 2008 Subject: [Dnsmasq-discuss] double DHCP leases In-Reply-To: <48BB85F3.6020707@gennetsa.com> References: <48B698BD.9010703@gennetsa.com> <48B7974D.7030708@thekelleys.org.uk> <48B859B5.10700@gennetsa.com> <48BB0BA7.3050507@thekelleys.org.uk> <48BB85F3.6020707@gennetsa.com> Message-ID: <2e59e6970809041712p1fef260eh51efbf80c43fd90c@mail.gmail.com> > Indeed windows is broken here. My patch was there to allow dnsmasq to > detect those hosts and forbid them from obtaining multiple ip addresses > (consider the case where a host is sending multiple random identifiers- > it is going to flood the server which would result on a DoS). Using the MAC address does nothing to prevent DoS attacks. From simon at thekelleys.org.uk Fri Sep 5 16:47:02 2008 
From: simon at thekelleys.org.uk (Simon Kelley) Date: Fri Sep 5 16:47:59 2008 Subject: [Dnsmasq-discuss] dnsmasq and freenum.org issue In-Reply-To: <3273.192.168.1.83.1220565388.squirrel@matter.net> References: <42113.192.168.1.97.1220556262.squirrel@matter.net> <48C0481C.4060005@thekelleys.org.uk> <3273.192.168.1.83.1220565388.squirrel@matter.net> Message-ID: <48C15476.4080305@thekelleys.org.uk> Larry Matter wrote: >> Something is making queries for A records (IP addresses) there. Do you >> see something like >> >> dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1.xxx >> too? > > Here is a better trace: > > dnsmasq: query[SRV] _sip._udp.sip.matter.net from 192.168.1. > dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN > dnsmasq: query[A] sip.matter.net from 192.168.1. > dnsmasq: /etc/hosts sip.matter.net is 192.168.1. > dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1. > dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179 > dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1. > dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179 > dnsmasq: query[SRV] _sip._udp.sip.matter.net from 192.168.1. > dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN > dnsmasq: query[A] sip.matter.net from 192.168.1. > dnsmasq: /etc/hosts sip.matter.net is 192.168.1. > >> One posibility, do you have the filterwin2k flag set in the dnsmasq >> config? It's possible that PTR lookups are involved somewhere in this >> process, and filterwin2k can interfere with that. > > No, I commented that out a while ago as my sip trunk (voicepulse) uses PTR > records and as you said that was interfering. Are you sure, dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN Looks very like the work of --filterwin2k. Simon. > > Any other ways I can dig deeper? > > Thanks! 
> Larry Matter
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From cm-dnsmasq at matter.net Fri Sep 5 17:44:57 2008
From: cm-dnsmasq at matter.net (Larry Matter)
Date: Fri Sep 5 17:45:55 2008
Subject: [Dnsmasq-discuss] dnsmasq and freenum.org issue
In-Reply-To: <48C15476.4080305@thekelleys.org.uk>
References: <42113.192.168.1.97.1220556262.squirrel@matter.net> <48C0481C.4060005@thekelleys.org.uk> <3273.192.168.1.83.1220565388.squirrel@matter.net> <48C15476.4080305@thekelleys.org.uk>
Message-ID: <51633.148.87.1.167.1220633097.squirrel@matter.net>

I found the problem. For some reason I had a "server=/freenum.org/216.218.159.179" line in dnsmasq.conf. Not sure why I put it there, and it is the correct IP. Anyway, removing it solved my problem.

Thanks for the help and sorry for the trouble.

Larry

From simon at thekelleys.org.uk Sat Sep 6 17:50:19 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat Sep 6 17:53:11 2008
Subject: [Dnsmasq-discuss] one laptop, one IP, two NICs?
In-Reply-To:
References:
Message-ID: <48C2B4CB.1090208@thekelleys.org.uk>

A C wrote:
> I've got a laptop that uses a wireless or wired connection (never both
> simultaneously). Is there a way to configure dnsmasq to serve the same
> IP and hostname to the laptop regardless of which interface is used?
> Currently other DHCP devices on my network use /etc/ethers to govern
> which IP they get to ensure a static IP assignment (for things like
> cameras and printers).
>

This is a FAQ: the solution is to configure the DHCP client to send the same client-id on both networks. That will override the MAC address.

Simon.

From zhangweiwu at realss.com Sat Sep 6 18:19:27 2008
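Added example, not from the freenum thread above or from dnsmasq: a cross-check of dnsmasq's query log against dnsmasq.conf that reports which server=/domain/ override steered a forwarded query (the root cause Larry found) and marks "config ... is NXDOMAIN" answers for underscore-prefixed names that, as Simon notes, look like the work of filterwin2k. The log lines and config are constructed in the shape of the thread's traces; 192.0.2.53 and the client address 192.168.1.83 are placeholders.

```python
"""Explain where dnsmasq sent each logged query, using dnsmasq.conf (added example)."""
import re

QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S*)")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<server>[\d.]+)")
LOCAL_RE = re.compile(r"(?P<source>config|/etc/hosts) (?P<name>\S+) is (?P<answer>\S+)")


def parse_config(text):
    """Extract server= lines and bare flags from dnsmasq.conf text.

    Returns (default_servers, domain_servers, flags); domain_servers maps a
    domain suffix to the upstream chosen for it by a server=/domain/ip line.
    """
    default_servers, domain_servers, flags = [], {}, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("server="):
            value = line[len("server="):]
            if value.startswith("/"):
                _, domain, server = value.split("/", 2)
                domain_servers[domain.lower()] = server
            else:
                default_servers.append(value)
        elif "=" not in line:
            flags.add(line)                    # e.g. filterwin2k, domain-needed
    return default_servers, domain_servers, flags


def override_for(name, domain_servers):
    """The server=/domain/ entry that applies to name, if any (longest suffix wins)."""
    name = name.lower().rstrip(".")
    best = None
    for domain in domain_servers:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def explain(log_lines, config_text):
    """One annotated dict per forwarded or locally answered query, in log order."""
    default_servers, domain_servers, flags = parse_config(config_text)
    pending = {}        # name -> type of the most recent query for that name
    out = []
    for line in log_lines:
        q = QUERY_RE.search(line)
        if q:
            pending[q.group("name")] = q.group("type")
            continue
        f = FORWARD_RE.search(line)
        if f:
            name, server = f.group("name"), f.group("server")
            dom = override_for(name, domain_servers)
            out.append({
                "name": name, "type": pending.get(name), "answered_by": server,
                "via_override": dom,
                "configured_upstream": server in default_servers
                    or (dom is not None and domain_servers[dom] == server),
            })
            continue
        l = LOCAL_RE.search(line)
        if l:
            name, source, answer = l.group("name"), l.group("source"), l.group("answer")
            out.append({
                "name": name, "type": pending.get(name), "answered_by": source, "answer": answer,
                # Simon's observation: a config-generated NXDOMAIN for an
                # underscore name is what --filterwin2k produces.
                "looks_like_filterwin2k": source == "config" and answer == "NXDOMAIN"
                    and name.startswith("_"),
                "filterwin2k_in_config": "filterwin2k" in flags,
            })
    return out


def overrides_in_use(results):
    """Domains whose server=/domain/ line actually steered a logged query."""
    return sorted({r["via_override"] for r in results if r.get("via_override")})


# Constructed config in the shape of the thread's: a default upstream
# (placeholder address), the per-domain override Larry found, and filterwin2k.
SAMPLE_CONF = """\
server=192.0.2.53                      # placeholder default upstream
server=/freenum.org/216.218.159.179    # the override that caused the problem
filterwin2k
"""

# Constructed log lines modelled on the trace in the thread.
SAMPLE_LOG = """\
dnsmasq: query[SRV] _sip._udp.sip.matter.net from 192.168.1.83
dnsmasq: config _sip._udp.sip.matter.net is NXDOMAIN
dnsmasq: query[A] sip.matter.net from 192.168.1.83
dnsmasq: /etc/hosts sip.matter.net is 192.168.1.10
dnsmasq: query[NAPTR] 4.3.2.1.256.freenum.org from 192.168.1.83
dnsmasq: forwarded 4.3.2.1.256.freenum.org to 216.218.159.179
dnsmasq: query[A] www.example.com from 192.168.1.83
dnsmasq: forwarded www.example.com to 192.0.2.53
""".splitlines()
```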
From: zhangweiwu at realss.com (zhangweiwu@realss.com)
Date: Sat Sep 6 18:20:19 2008
Subject: [Dnsmasq-discuss] both dns & dhcp timeout
Message-ID: <48C2BB9F.8050208@realss.com>

The daemon on a Lemote MIPS server, version 2.26, can start but all connections to its dns service time out, and dhcp clients also time out trying to get an IP address.

RAYS:~# ifconfig | head -n2
eth0      Link encap:Ethernet  HWaddr 00:11:11:11:18:B1
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
RAYS:~# cat /etc/dnsmasq.conf
dhcp-range=192.168.1.100,192.168.1.150,12h
RAYS:~# grep nameserver /etc/resolv.conf
nameserver 202.106.46.151
nameserver 202.106.195.68
RAYS:~# /usr/sbin/dnsmasq -u dnsmasq -d
dnsmasq: started, version 2.26 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt RTNetlink ISC-leasefile no-DBus I18N
dnsmasq: DHCP, IP range 192.168.1.100 -- 192.168.1.150, lease time 12h
dnsmasq: read /etc/hosts - 2 addresses
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 202.106.195.68#53
dnsmasq: using nameserver 202.106.46.151#53

On the client side:

DNS doesn't work:

zhangweiwu@esmeralda:~$ host realss.com 192.168.1.100
Nameserver 192.168.1.100 not responding
realss.com A record not found at 192.168.1.100, try again
zhangweiwu@esmeralda:~$ host realss.com 202.106.46.151
realss.com A 211.157.114.130

DHCP doesn't work:

zhangweiwu@esmeralda:~$ sudo /etc/init.d/net.eth2 restart
 * Stopping eth2
 *   Bringing down eth2
 *     Stopping dhcpcd on eth2 ...                                  [ ok ]
 *     Shutting down eth2 ...                                       [ ok ]
 * Starting eth2
 *   Configuring wireless network for eth2
 *   eth2 connected to ESSID "ZWW_SOHO" at 00:18:3F:AA:C0:09
 *   in managed mode on channel 6 (WEP enabled - open)
 *   Bringing up eth2
 *     dhcp
 *       Running dhcpcd ...
err, eth2: timed out
warn, eth2: using IPV4LL address 169.254.166.12                     [ ok ]
 *       eth2 received address 169.254.166.12/16

A modem with DNS+DHCP feature sits on the port next to the one that connects to the server running dnsmasq, and it works fine, showing the network itself should be OK.
Interestingly, sending USR1 to it doesn't cause it coredump (basically nothing happens after killing it with -USR1) Operating System is "rays", a "slightly" modified Debian distribution. -- Real Softservice Huateng Tower, Unit 1788 Jia 302 3rd area of Jinsong, Chao Yang Tel: +86 (10) 8773 0650 ext 603 Mobile: 159 1111 7382 http://www.realss.com From hyc at symas.com Sat Sep 6 21:30:39 2008 From: hyc at symas.com (Howard Chu) Date: Sat Sep 6 21:31:37 2008 Subject: [Dnsmasq-discuss] DBus support Message-ID: <48C2E86F.8030805@symas.com> I've just written a patch for NetworkManager to update dnsmasq's server list using DBus. You can find it here http://mail.gnome.org/archives/networkmanager-list/2008-September/msg00042.html However, it seems there's a missing detail here - it's possible to run multiple instances of dnsmasq on the same machine (using separate listen-addresses, etc.) but apparently only one of them can register as a DBus listener. Is that correct? I guess it's not likely that multiple instances would be running on a machine with NetworkManager, so perhaps this is all irrelevant. Just wanted to make sure I wasn't missing something obvious. E.g., if in fact you can have multiple dnsmasq instances listening on DBus, how should NetworkManager decide which one to send nameserver updates to? -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From simon at thekelleys.org.uk Sat Sep 6 21:41:59 2008 
From: simon at thekelleys.org.uk (Simon Kelley) Date: Sat Sep 6 21:44:46 2008 Subject: [Dnsmasq-discuss] DBus support In-Reply-To: <48C2E86F.8030805@symas.com> References: <48C2E86F.8030805@symas.com> Message-ID: <48C2EB17.9090405@thekelleys.org.uk> Howard Chu wrote: > I've just written a patch for NetworkManager to update dnsmasq's server list > using DBus. You can find it here > http://mail.gnome.org/archives/networkmanager-list/2008-September/msg00042.html > Cool! > However, it seems there's a missing detail here - it's possible to run > multiple instances of dnsmasq on the same machine (using separate > listen-addresses, etc.) but apparently only one of them can register as a DBus > listener. Is that correct? I guess it's not likely that multiple instances > would be running on a machine with NetworkManager, so perhaps this is all > irrelevant. Just wanted to make sure I wasn't missing something obvious. > > E.g., if in fact you can have multiple dnsmasq instances listening on DBus, > how should NetworkManager decide which one to send nameserver updates to? The DBus service and path are hard-coded (they're specified in src/config.c) I guess that means that only one instance can be running, with dbus enabled and the "which one gets updated" question is moot. The usual reason to run multiple instances of dnsmasq is to provide services to virtual machines, libvirt does this. These instances will probably not have --enable-dbus set in their configuration, so no problem. That's my hazy understanding. If it's wrong and you need more run-time configurability of the DBus code in dnsmasq, just shout (or submit a patch). Cheers, Simon. From hyc at symas.com Sat Sep 6 21:48:57 2008 
From: hyc at symas.com (Howard Chu) Date: Sat Sep 6 21:50:46 2008 Subject: [Dnsmasq-discuss] DBus support In-Reply-To: <48C2EB17.9090405@thekelleys.org.uk> References: <48C2E86F.8030805@symas.com> <48C2EB17.9090405@thekelleys.org.uk> Message-ID: <48C2ECB9.9070409@symas.com> Simon Kelley wrote: > Howard Chu wrote: >> I've just written a patch for NetworkManager to update dnsmasq's server list >> using DBus. You can find it here >> http://mail.gnome.org/archives/networkmanager-list/2008-September/msg00042.html >> > Cool! > >> However, it seems there's a missing detail here - it's possible to run >> multiple instances of dnsmasq on the same machine (using separate >> listen-addresses, etc.) but apparently only one of them can register as a DBus >> listener. Is that correct? I guess it's not likely that multiple instances >> would be running on a machine with NetworkManager, so perhaps this is all >> irrelevant. Just wanted to make sure I wasn't missing something obvious. >> >> E.g., if in fact you can have multiple dnsmasq instances listening on DBus, >> how should NetworkManager decide which one to send nameserver updates to? > > The DBus service and path are hard-coded (they're specified in > src/config.c) I guess that means that only one instance can be running, > with dbus enabled and the "which one gets updated" question is moot. > > The usual reason to run multiple instances of dnsmasq is to provide > services to virtual machines, libvirt does this. These instances will > probably not have --enable-dbus set in their configuration, so no problem. > > That's my hazy understanding. If it's wrong and you need more run-time > configurability of the DBus code in dnsmasq, just shout (or submit a patch). Thanks. Given the explanation re: virtual machines, this all seems fine to me as-is. -- -- Howard Chu CTO, Symas Corp. 
http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ From landman at scalableinformatics.com Wed Sep 10 13:58:26 2008 From: landman at scalableinformatics.com (Joe Landman) Date: Wed Sep 10 13:58:59 2008 Subject: [Dnsmasq-discuss] gPXE booting issue Message-ID: <48C7C472.1020308@scalableinformatics.com> Hi folks Has anyone implemented gPXE served by dnsmasq booting in such a way that the iSCSI portion of gPXE can function? Basically I want to set up iSCSI disks, as basic block devices, and just have dnsmasq serve the gPXE bits. I have PXE booting working with gPXE, but it looks like some arguments are not being passed back to the gPXE boot environment (even when I force them by hand), and thus it is never getting the root-path option among others. Any thoughts? Has anyone made this work with dnsmasq? Joe -- Joseph Landman, Ph.D Founder and CEO Scalable Informatics LLC, email: landman@scalableinformatics.com web : http://www.scalableinformatics.com http://jackrabbit.scalableinformatics.com phone: +1 734 786 8423 x121 fax : +1 866 888 3112 cell : +1 734 612 4615 From carlos at fisica.ufpr.br Wed Sep 10 16:08:46 2008 
From: carlos at fisica.ufpr.br (Carlos Carvalho)
Date: Wed Sep 10 16:09:39 2008
Subject: [Dnsmasq-discuss] gPXE booting issue
In-Reply-To: <48C7C472.1020308@scalableinformatics.com>
References: <48C7C472.1020308@scalableinformatics.com>
Message-ID: <18631.58110.920593.601835@fisica.ufpr.br>

Joe Landman (landman@scalableinformatics.com) wrote on 10 September 2008 08:58:
> Has anyone implemented gPXE served by dnsmasq booting in such a way
>that the iSCSI portion of gPXE can function? Basically I want to set up
>iSCSI disks, as basic block devices, and just have dnsmasq serve the
>gPXE bits.
>
> I have PXE booting working with gPXE, but it looks like some
>arguments are not being passed back to the gPXE boot environment (even
>when I force them by hand), and thus it is never getting the root-path
>option among others.

Did you try --dhcp-option-force? From the manual:

This works in exactly the same way as --dhcp-option except that the option will always be sent, even if the client does not ask for it in the parameter request list. This is sometimes needed, for example when sending options to PXELinux.

From adam.ant at cyberspaceroad.com Thu Sep 11 14:08:31 2008
From: adam.ant at cyberspaceroad.com (Adam Hardy)
Date: Thu Sep 11 14:09:30 2008
Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU
Message-ID: <48C9184F.2030209@cyberspaceroad.com>

Hi,

searched the archives and the net and was surprised not to see any hits for MTU except its generic appearance in log statements.

I had to change my MTU on my workstations to 1430 to get SMTP and some websites to work (e.g. paypal).

Can I tell dnsmasq to send the MTU setting with the DHCP information?

My attempts to hack it into the config haven't worked.

Thanks
Adam

From steven at springl.ukfsn.org Thu Sep 11 15:20:34 2008
From: steven at springl.ukfsn.org (Steven Jan Springl) Date: Thu Sep 11 15:21:26 2008 Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU In-Reply-To: <48C9184F.2030209@cyberspaceroad.com> References: <48C9184F.2030209@cyberspaceroad.com> Message-ID: <200809111520.35011.steven@springl.ukfsn.org> On Thursday 11 September 2008 14:08, Adam Hardy wrote: > Hi, > > searched the archives and the net and was surprised not to see any hits > for MTU except its generic appearance in log statements. > > I had to change my MTU on my workstations to 1430 to get SMTP and some > websites to work (e.g. paypal). > > Can I tell dnsmasq to send the MTU setting with the DHCP information? > > My attempts to hack it into the config haven't worked. > > > Thanks > Adam Adam I use the following statement to set the mtu size to 1492 for clients connected to eth0: dhcp-option=eth0,26,1492 Steven. From adam.ant at cyberspaceroad.com Thu Sep 11 16:54:48 2008 
From: adam.ant at cyberspaceroad.com (Adam Hardy) Date: Thu Sep 11 16:55:43 2008 Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU In-Reply-To: <200809111520.35011.steven@springl.ukfsn.org> References: <48C9184F.2030209@cyberspaceroad.com> <200809111520.35011.steven@springl.ukfsn.org> Message-ID: <48C93F48.5090206@cyberspaceroad.com> Steven Jan Springl on 11/09/08 15:20, wrote: > On Thursday 11 September 2008 14:08, Adam Hardy wrote: >> Hi, >> >> searched the archives and the net and was surprised not to see any hits >> for MTU except its generic appearance in log statements. >> >> I had to change my MTU on my workstations to 1430 to get SMTP and some >> websites to work (e.g. paypal). >> >> Can I tell dnsmasq to send the MTU setting with the DHCP information? >> >> My attempts to hack it into the config haven't worked. >> >> >> Thanks >> Adam > > Adam > > I use the following statement to set the mtu size to 1492 for clients > connected to eth0: > > dhcp-option=eth0,26,1492 Steve, thanks for the info! For anyone else looking at this in future, there's a good doc here: http://www.faqs.org/rfcs/rfc2132.html All the best Adam From redbully at cc.hs-owl.de Thu Sep 11 21:17:31 2008 
From: redbully at cc.hs-owl.de (Jan 'RedBully' Seiffert) Date: Thu Sep 11 21:18:41 2008 Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU In-Reply-To: <48C93F48.5090206@cyberspaceroad.com> References: <48C9184F.2030209@cyberspaceroad.com> <200809111520.35011.steven@springl.ukfsn.org> <48C93F48.5090206@cyberspaceroad.com> Message-ID: <48C97CDB.3010801@cc.hs-owl.de> Adam Hardy wrote: > Steven Jan Springl on 11/09/08 15:20, wrote: >> On Thursday 11 September 2008 14:08, Adam Hardy wrote: >>> Hi, >>> >>> searched the archives and the net and was surprised not to see any hits >>> for MTU except its generic appearance in log statements. >>> >>> I had to change my MTU on my workstations to 1430 to get SMTP and some >>> websites to work (e.g. paypal). >>> >>> Can I tell dnsmasq to send the MTU setting with the DHCP information? >>> >>> My attempts to hack it into the config haven't worked. >>> >>> >>> Thanks >>> Adam >> >> Adam >> >> I use the following statement to set the mtu size to 1492 for clients >> connected to eth0: >> >> dhcp-option=eth0,26,1492 > > Steve, thanks for the info! > > For anyone else looking at this in future, there's a good doc here: > > http://www.faqs.org/rfcs/rfc2132.html > Hmmm, a mtu of 1430 looks a bit strange, but probably depends on your link. Some kind of VPN or PPPoA on your side? Or are you saying paypal has some kind of Tunnel/Route/Whatever which limits THEIR mtu? In an ideal World you would not need to fiddle with your mtu, because a thing called "path mtu discovery" should catch this. Your kernel sends packets with the "Don't Fragment"-Bit (DF) set, and every router on the way to the target should send you a packet back when your packet is too big, so your kernel can lower the pmtu, till it fits. Unfortunately, this does not always work, either because the setup is so complex (vpn over a tunnel over dialup...) 
that errors are not properly propagated, or, and this is more annoying, because some Admins block ICMP, which is needed for this to work. In their view ICMP is "evil" and a 1337 H4x0r protocol, neglecting that it is a needed part for {TCP|UDP}/IP to work. A big german freemail provider was notoriously known for this braindamage for years. But before you lower your clients mtu, do you know where the mtu bottleneck is and/or is your router by chance a Linux box? (such things can surely also be done with other gear, but i don't know how) Because there are two other and maybe more interesting solutions: 1) Linux knows an iptables target named TCPMSS. It adjusts the tcp mss, so it won't help you on UDP, but "fixes" the most common case, that tcp connections hang. But only if your router sees the mtu bottleneck (PPPoE or something similar). Look at your iptables man-page, it comes with an example command. Most SOHO-router-in-a-box implement this, maybe it is switched off? This also fixes problems with other sites, until their pmtu is lower than yours and they do the braindamaged stuff... 2) You can try setting the pmtu early (so icmp messages reach the client) by setting up a route with the right mtu on your router. Hmmm, you can even set it on the clients. Example:

$ dig paypal.com MX
[snip]
;; QUESTION SECTION:
;paypal.com. IN MX
;; ANSWER SECTION:
paypal.com. 461 IN MX 10 data.ebay.com.
[snip]
;; ADDITIONAL SECTION:
lore.ebay.com. 3462 IN A 66.135.195.181

$ whois 66.135.195.181
OrgName: eBay, Inc
[snip]
NetRange: 66.135.192.0 - 66.135.223.255
CIDR: 66.135.192.0/19
NetName: EBAY-1

# ip route add to 66.135.192.0/19 via mtu 1430

$ tracepath 66.135.195.181
1: my_box.lan (192.168.0.2) 0.224ms pmtu 1430
1: my_gateway.lan (192.168.0.254) 0.286ms
[snip]

Problem is, you would have to set this up for every pmtu blackhole... 
HTH > All the best > Adam > Greetings Jan -- Murphy's Law of Combat Rule #3: "Never forget that your weapon was manufactured by the lowest bidder" From adam.ant at cyberspaceroad.com Thu Sep 11 23:58:22 2008 
From: adam.ant at cyberspaceroad.com (Adam Hardy) Date: Thu Sep 11 23:59:22 2008 Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU In-Reply-To: <48C97CDB.3010801@cc.hs-owl.de> References: <48C9184F.2030209@cyberspaceroad.com> <200809111520.35011.steven@springl.ukfsn.org> <48C93F48.5090206@cyberspaceroad.com> <48C97CDB.3010801@cc.hs-owl.de> Message-ID: <48C9A28E.9050407@cyberspaceroad.com> Jan 'RedBully' Seiffert on 11/09/08 21:17, wrote: > Adam Hardy wrote: >> Steven Jan Springl on 11/09/08 15:20, wrote: >>> On Thursday 11 September 2008 14:08, Adam Hardy wrote: >>>> searched the archives and the net and was surprised not to see any hits >>>> for MTU except its generic appearance in log statements. >>>> >>>> I had to change my MTU on my workstations to 1430 to get SMTP and some >>>> websites to work (e.g. paypal). >>>> >>>> Can I tell dnsmasq to send the MTU setting with the DHCP information? >>>> >>>> My attempts to hack it into the config haven't worked. >>> >>> I use the following statement to set the mtu size to 1492 for clients >>> connected to eth0: >>> >>> dhcp-option=eth0,26,1492 >> >> Steve, thanks for the info! >> >> For anyone else looking at this in future, there's a good doc here: >> >> http://www.faqs.org/rfcs/rfc2132.html > > Hmmm, a mtu of 1430 looks a bit strange, but probably depends on your link. > Some kind of VPN or PPPoA on your side? Or are you saying paypal has some > kind of Tunnel/Route/Whatever which limits THEIR mtu? > > In an ideal World you would not need to fiddle with your mtu, because a thing > called "path mtu discovery" should catch this. Your kernel sends packets > with the "Don't Fragment"-Bit (DF) set, and every router on the way to the > target should send you a packet back when your packet is too big, so your > kernel can lower the pmtu, till it fits. Unfortunately, this does not always > work, either because the setup is so complex (vpn over a tunnel over > dialup...) 
that errors are not properly propagated, or, and this is more > annoying, because some Admins block ICMP, which is needed for this to work. In > their view ICMP is "evil" and a 1337 H4x0r protocol, neglecting that it is a > needed part for {TCP|UDP}/IP to work. A big german freemail provider was > notoriously known for this braindamage for years. > > But before you lower your clients mtu, do you know where the mtu bottleneck > is and/or is your router by chance a Linux box? (such things can surely also > be done with other gear, but i don't know how) > > Because there are two other and maybe more interesting solutions: > > 1) Linux knows an iptables target named TCPMSS. It adjusts the tcp mss, so it > won't help you on UDP, but "fixes" the most common case, that tcp connections > hang. But only if your router sees the mtu bottleneck (PPPoE or something > similar). Look at your iptables man-page, it comes with an example command. > Most SOHO-router-in-a-box implement this, maybe it is switched off? This also > fixes problems with other sites, until their pmtu is lower than yours and > they do the braindamaged stuff... > > 2) You can try setting the pmtu early (so icmp messages reach the client) by > setting up a route with the right mtu on your router. Hmmm, you can even set > it on the clients. Example: Hi Jan, I really appreciate the feedback - although I think your option (2) is slightly beyond what I want to get into for the sake of network admin here! I must admit that I set up the iptables firewall on my gateway machine, and I need to look at it to check whether I inadvertently blocked this ICMP business. The gateway has a NIC connected to a DSL modem and that has no firewall, it's just my machine and BT on the other side. I had problems with SMTP and a new hosting service - a solar powered hosting service provider actually :) - and the man said I should try lowering my MTU. 
I looked into the situation a little and set my workstation MTU to 1458, an apparently well-used value for it. I had no joy with the SMTP still, so I lowered my gateway's MTU to 1458 and my workstation to 1430, which was a value I chose. Hence the 'oddness' of it. Regards Adam From redbully at cc.hs-owl.de Fri Sep 12 12:53:28 2008 
From: redbully at cc.hs-owl.de (Jan 'RedBully' Seiffert) Date: Fri Sep 12 12:54:39 2008 Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU In-Reply-To: <48C9A28E.9050407@cyberspaceroad.com> References: <48C9184F.2030209@cyberspaceroad.com> <200809111520.35011.steven@springl.ukfsn.org> <48C93F48.5090206@cyberspaceroad.com> <48C97CDB.3010801@cc.hs-owl.de> <48C9A28E.9050407@cyberspaceroad.com> Message-ID: <48CA5838.2080007@cc.hs-owl.de> Adam Hardy wrote: > Jan 'RedBully' Seiffert on 11/09/08 21:17, wrote: [snip] >> >> Hmmm, a mtu of 1430 looks a bit strange, but probably depends on your >> link. >> Some kind of VPN or PPPoA on your side? Or are you saying paypal has >> some kind of Tunnel/Route/Whatever which limits THEIR mtu? >> >> In an ideal World you would not need to fiddle with your mtu, because >> a thing >> called "path mtu discovery" should catch this. Your kernel sends packets >> with the "Don't Fragment"-Bit (DF) set, and every router on the way to >> the >> target should send you a packet back when your packet is too big, so your >> kernel can lower the pmtu, till it fits. Unfortunately, this does not >> always >> work, either because the setup is so complex (vpn over a tunnel over >> dialup...) that errors are not properly propagated, or, and this is more >> annoying, because some Admins block ICMP, which is needed for this to >> work. In >> their view ICMP is "evil" and a 1337 H4x0r protocol, neglecting that >> it is a >> needed part for {TCP|UDP}/IP to work. A big german freemail provider was >> notoriously known for this braindamage for years. >> >> But before you lower your clients mtu, do you know where the mtu >> bottleneck >> is and/or is your router by chance a Linux box? (such things can >> surely also >> be done with other gear, but i don't know how) >> >> Because there are two other and maybe more interesting solutions: >> >> 1) Linux knows an iptables target named TCPMSS. 
It adjusts the tcp >> mss, so it >> won't help you on UDP, but "fixes" the most common case, that tcp >> connections >> hang. But only if your router sees the mtu bottleneck (PPPoE or >> something >> similar). Look at your iptables man-page, it comes with an example >> command. Most SOHO-router-in-a-box implement this, maybe it is >> switched off? This also >> fixes problems with other sites, until their pmtu is lower than yours and >> they do the braindamaged stuff... >> >> 2) You can try setting the pmtu early (so icmp messages reach the >> client) by setting up a route with the right mtu on your router. Hmmm, >> you can even set >> it on the clients. Example: > > Hi Jan, > > I really appreciate the feedback - although I think your option (2) is > slightly beyond what I want to get into for the sake of network admin > here! Yeah, it is a possible workaround for a "one oddball" situation, but if your link is the permanent bottleneck, you will hit this problem again and again... > I must admit that I set up the iptables firewall on my gateway > machine, and I need to look at it to check whether I inadvertently > blocked this ICMP business. > Oh, initially i wasn't even talking about you, but problems on the remote end where you have no control how they configure their stuff. Then you are forced to employ ugly workarounds on your side. If you check your firewall rules, make sure there is a path for icmp-fragmentation-needed packets. (iptables -p icmp --icmp-type fragmentation-needed -j ACCEPT) > The gateway has a NIC connected to a DSL modem and that has no firewall, > it's just my machine and BT on the other side. > I read a little on BT, seems they use PPPoA, and this is terminated on the modem... Hmmm, ATM equipment for PCs is rare, so your router has normal ethernet to the modem and "sees" an mtu of 1500, while the true mtu is hidden in the modem. And i thought one of the benefits of pppoa was, that the mtu is kept at 1500. 
Any chance your new hosting service has a funny uplink? (should not, a big site should have a "real" connection and not a dsl line...) /me is totally confused Gnarf, seems this is even a bigger PITA than PPPoE ... Searching for the right mtu turned up a lot of values, does someone know the true mtu of a BT PPPoA link? (note: first and foremost you better find the real mtu of the link, to get a grip on the problem, then one can think about adjusting/tuning it to better match the ATM-part of the connection) The modem faced interface of your router needs the MTU set to the true value. This way your router should not send packets too big (or fragment them), your clients should get a fragmentation-needed when they try to. But this still leaves problems with the path back to you when the remote side is blocking icmp (a bottleneck has two sides ;). Lowering the mtu of your clients is a cheap trick to repair this: the clients set "the right" tcpmss when they start a connection (you can only set it at the start, but the first packet (the SYN, approx. 60 bytes) doesn't trigger the pmtu...), so the remote end will not run into trouble on the path back. In effect you are doing their work (But this will not help for UDP) This is where the:

iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu

comes into play. Your router now hopefully knows the pmtu, and will lower the tcpmss set by the clients as a band aid, the connection will be (hopefully) the right size from the beginning. > I had problems with SMTP and a new hosting service - a solar powered > hosting service provider actually :) Since you are talking about SMTP, so you had problems sending large packets? Then the problem can be on your side, according to my crystal ball ^^. But can be also on the remote side... It's important which packet choked, your outgoing packet or the incoming packet not coming through to you. 
Are you sure this is a "true" modem and not also a little router, do you have a non-private ip-address on your router? Maybe it's also twiddling some values... Maybe you should go back to square one, set everything back to 1500 and then use tcpdump to see where your packets vanish, or how big they are with other known to work sites. > - and the man said I should try lowering my MTU. Yeah... "...by all means, do not use a hammer." (IBM documentation ca. 1920) > I looked into the situation a little and set my > workstation MTU to 1458, an apparently well-used value for it. I had no > joy with the SMTP still, so I lowered my gateway's MTU to 1458 and my > workstation to 1430, which was a value I chose. Hence the 'oddness' of it. > I think 1430 is one of those "optimised values", and 1458 maybe still too big for pppoa, but i'm not sure. Did you try 1454 & 1452? I think it's something with 145[0-9] from what i read. Or is BT adding another encapsulation like L2TP? > Regards > Adam > Greetings Jan -- The Theorem Theorem: If If, Then Then. From grant_lkml at dodo.com.au Fri Sep 12 15:29:58 2008 
From: grant_lkml at dodo.com.au (Grant Coady) Date: Fri Sep 12 15:30:57 2008 Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU In-Reply-To: <48CA5838.2080007@cc.hs-owl.de> References: <48C9184F.2030209@cyberspaceroad.com> <200809111520.35011.steven@springl.ukfsn.org> <48C93F48.5090206@cyberspaceroad.com> <48C97CDB.3010801@cc.hs-owl.de> <48C9A28E.9050407@cyberspaceroad.com> <48CA5838.2080007@cc.hs-owl.de> Message-ID: <8uukc4l98io8fqvm45ufn9v15u6jbdhh2k@4ax.com> On Fri, 12 Sep 2008 13:53:28 +0200, Jan 'RedBully' Seiffert wrote: ... >I think 1430 is one of those "optimised values", and 1458 maybe still too big for >pppoa, but i'm not sure. Did you try 1454 & 1452? I think it's something with >145[0-9] from what i read. Or is BT adding another encapsulation like L2TP? From my firewall script:

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# maximum mss or mtu
# ```````````````````
# Policy: the firewall controls this value as it is required when ethernet
# access to ADSL modem is used, clamping MSS here removes the need to
# modify any localnet machines' MTU setting.
#
# Information: http://www.cisco.com/warp/public/794/router_mtu.html states
# baseline (lowest) MSS value is = 1360, highest is 1452 for PPPoE, add
# 40 for matching MTU values.
#
# Check you have rp-pppoe.conf 'CLAMPMSS=no'
#
# Leave MAX_MSS empty to perform path mtu discovery, this doesn't work with
# ISPs that drop ICMP traffic -- refer `man iptables`.
#
# MAX_MSS="1452"        # maximum MSS (ref: cisco)
# MAX_MSS="1360"        # minimum MSS (ref: cisco)
MAX_MSS="1412"          # default MSS (ref: rp-pppoe default)
# MAX_MSS=""            # use PMTU discovery
# ...
# clamp MTU for new TCP connections to world
if [ -n "$MAX_MSS" ]
then    # use preset
    iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
        -o $X_WORLD -j TCPMSS --set-mss $MAX_MSS
else    # use path discovery
    iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN \
        -o $X_WORLD -j TCPMSS --clamp-mss-to-pmtu
fi
...

Grant. 
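The thread's advice comes in three parts: measure the real path MTU first (Jan), then push the result to clients with DHCP option 26 (Steven's dhcp-option=eth0,26,1492) or clamp the MSS on the router instead (Grant's script). The script below is an added example, not code from the thread or from dnsmasq, that ties those together: a binary search over DF-set pings to find the largest packet that passes unfragmented, and the dnsmasq line, option 26 wire encoding and TCPMSS clamp rule derived from the measured value. It assumes Linux iputils ping (the -M do flag sets DF); the host address and interface names are placeholders, and the probe is injectable so the search can be checked offline.

```python
"""Path-MTU probing and the dnsmasq / iptables settings derived from it.

Added example, not from the dnsmasq-discuss thread or from dnsmasq.
Assumes Linux iputils `ping -M do` (DF set, never fragment), which fails
when the packet is too large for the path.  Addresses and interface
names in __main__ are placeholders.
"""
import struct
import subprocess
from typing import Callable, Optional

IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20


def ping_probe(host: str, timeout_s: int = 1) -> Callable[[int], bool]:
    """Return probe(payload_bytes) -> bool sending one DF-set echo request.

    Sizes are ICMP payload sizes, what `ping -s` takes.  A non-zero exit
    means the packet was too big for the path or got no reply at all.
    """
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
             "-s", str(payload), host],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
        return result.returncode == 0
    return probe


def find_pmtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP packet size in [lo, hi] the probe passes.

    `probe` takes ICMP payload sizes, so the IP and ICMP headers are
    subtracted from each candidate packet size.  If even `lo` fails, ICMP
    is probably filtered somewhere and nothing measured here can be trusted.
    """
    def passes(packet_size: int) -> bool:
        return probe(packet_size - IPV4_HEADER - ICMP_HEADER)

    if not passes(lo):
        raise RuntimeError("no reply even at %d bytes; ICMP filtered?" % lo)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_for_mtu(mtu: int) -> int:
    """TCP MSS that fits an IPv4 MTU without IP/TCP options: MTU minus 40."""
    return mtu - IPV4_HEADER - TCP_HEADER


def dnsmasq_mtu_option(mtu: int, interface: Optional[str] = None) -> str:
    """dnsmasq.conf line for RFC 2132 option 26 (Interface MTU), optionally
    scoped to clients on one interface as in Steven's dhcp-option=eth0,26,1492."""
    if not 68 <= mtu <= 65535:          # RFC 2132: the minimum legal value is 68
        raise ValueError("MTU %d outside 68..65535" % mtu)
    scope = interface + "," if interface else ""
    return "dhcp-option=%s26,%d" % (scope, mtu)


def encode_option26(mtu: int) -> bytes:
    """Wire form of option 26 in a DHCP reply: code 26, length 2, 16-bit MTU."""
    return struct.pack("!BBH", 26, 2, mtu)


def tcpmss_clamp_rule(mtu: int, wan_if: str) -> str:
    """Router-side alternative to touching every client: clamp the MSS of
    forwarded SYNs to what the measured MTU allows (iptables TCPMSS target)."""
    return ("iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN "
            "-j TCPMSS --set-mss %d" % (wan_if, mss_for_mtu(mtu)))


if __name__ == "__main__":
    # Live run: needs network access and permission to ping; placeholder host.
    mtu = find_pmtu(ping_probe("192.0.2.1"))
    print(dnsmasq_mtu_option(mtu, "eth0"))
    print(tcpmss_clamp_rule(mtu, "ppp0"))
```

Run it from the LAN side of the router against a host beyond the suspected bottleneck; if the search raises at the minimum size, fix the ICMP path (Jan's fragmentation-needed rule) before trusting any number, because a filtered probe looks exactly like a too-large one.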
From philip.leriche at virgin.net Sun Sep 14 20:56:00 2008 
From: philip.leriche at virgin.net (Philip Le Riche) Date: Sun Sep 14 20:57:05 2008 Subject: [Dnsmasq-discuss] CNAME buffer overflow? Message-ID: <48CD6C50.1050808@virgin.net> Recently, Steve Gibson of grc.com has been developing a DNS test page similar to Doxpara but intended to test in much greater detail for the Dan Kaminsky DNS vulnerability. Currently, Steve's DNS test page crashes certain routers, in particular some by Belkin, and mine by Ozenda. It has been suggested (no more than a suggestion: nntp://news.grc.com/grc.news.feedback) that these routers may incorporate dnsmasq in their firmware, which, if true, would indicate a possible buffer overrun, albeit one that may have been fixed some time ago. Whilst the source of dnsmasq is accessible and very modest in size, it would take me a lot longer than someone familiar with it to check for such a bug, hence my posting. And setting up a rig to test it out would also take some while. Essentially what Steve's page does (www.grc.com/dns) is to provoke a DNS query from the user's browser for .dns.grc.com. When this hits Steve's DNS server, it returns 2 resource records: - First a CNAME record giving the primary name of the queried FQDN as a.{repeated 95 times}..dns.grc.com - Then an A record giving an IP address for the primary name. At this point, my router crashes, and reboots some 60 secs later, presumably forced by a heartbeat failure. I've uploaded a Wireshark capture of this (using a non-vulnerable router) to www.blueskylark.org/pcap.zip If I provoke my router simply to do a DNS query for the horribly long primary name, I get the result I expect, namely an A record just like the one Steve returns but giving the IP address of the OpenDNS default page (since I'm using OpenDNS), and my router survives. I conclude therefore that it's being killed by the CNAME record, possibly because the primary name is being stored in a fixed length buffer. 
Looking through the change log, this could be an issue fixed in 2.17 (Nov '04), and it's not implausible that my router has firmware containing a version of dnsmasq that old. If anyone could throw any light on this I'd be most interested. Regards - Philip From simon at thekelleys.org.uk Sun Sep 14 21:28:34 2008 
From: simon at thekelleys.org.uk (Simon Kelley) Date: Sun Sep 14 21:29:24 2008 Subject: [Dnsmasq-discuss] CNAME buffer overflow? In-Reply-To: <48CD6C50.1050808@virgin.net> References: <48CD6C50.1050808@virgin.net> Message-ID: <48CD73F2.2020406@thekelleys.org.uk> Philip Le Riche wrote: > Recently, Steve Gibson of grc.com has been developing a DNS test page > similar to Doxpara but intended to test in much greater detail for the > Dan Kaminsky DNS vulnerability. Currently, Steve's DNS test page crashes > certain routers, in particular some by Belkin, and mine by Ozenda. It > has been suggested (no more than a suggestion: > nntp://news.grc.com/grc.news.feedback) that these routers may > incorporate dnsmasq in their firmware, which, if true, would indicate a > possible buffer overrun, albeit one that may have been fixed some time ago. > > Whilst the source of dnsmasq is accessible and very modest in size, it > would take me a lot longer than someone familiar with it to check for > such a bug, hence my posting. And setting up a rig to test it out would > also take some while. > > Essentially what Steve's page does (www.grc.com/dns) is to provoke a DNS > query from the user's browser for .dns.grc.com. When > this hits Steve's DNS server, it returns 2 resource records: > > - First a CNAME record giving the primary name of the queried FQDN as > a.{repeated 95 times}..dns.grc.com > > - Then an A record giving an IP address for the primary name. > > At this point, my router crashes, and reboots some 60 secs later, > presumably forced by a heartbeat failure. I've uploaded a Wireshark > capture of this (using a non-vulnerable router) to > www.blueskylark.org/pcap.zip > > If I provoke my router simply to do a DNS query for the horribly long > primary name, I get the result I expect, namely an A record just like > the one Steve returns but giving the IP address of the OpenDNS default > page (since I'm using OpenDNS), and my router survives. 
I conclude > therefore that it's being killed by the CNAME record, possibly because > the primary name is being stored in a fixed length buffer. > > Looking through the change log, this could be an issue fixed in 2.17 > (Nov '04), and it's not implausible that my router has firmware > containing a version of dnsmasq that old. > > If anyone could throw any light on this I'd be most interested. > > Regards - Philip > I'll try and chase this a bit more tomorrow if I get time. In the meantime, two observations. 1) Opening here in a browser which is doing DNS lookup via dnsmasq-2.46test7 doesn't cause any problems. 2) You can find out what version of dnsmasq (and if the forwarder is dnsmasq) that your router is running with the following query dig chaos txt version.bind Cheers, Simon. From simon at thekelleys.org.uk Sun Sep 14 22:28:12 2008 
From: simon at thekelleys.org.uk (Simon Kelley) Date: Sun Sep 14 22:30:50 2008 Subject: [Dnsmasq-discuss] CNAME buffer overflow? In-Reply-To: <48CD6C50.1050808@virgin.net> References: <48CD6C50.1050808@virgin.net> Message-ID: <48CD81EC.4090606@thekelleys.org.uk> A couple more data points: dig abcdefghijklm.dns.grc.com (query taken from Philip's packet capture) works fine with the latest dnsmasq code, and with 2.16, the release before the putative fix.

srk@spike:~$ dig abcdefghijklm.dns.grc.com
; <<>> DiG 9.3.2-P1 <<>> abcdefghijklm.dns.grc.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45378
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;abcdefghijklm.dns.grc.com. IN A
;; ANSWER SECTION:
abcdefghijklm.dns.grc.com. 60 IN CNAME a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
a.m0zhev0yf1pjl.dns.grc.com.
a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.m0zhev0yf1pjl.dns.grc.com. 60 IN A 4.79.142.193
;; Query time: 301 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep 14 22:26:22 2008
;; MSG SIZE rcvd: 281

srk@spike:~$ dig chaos txt version.bind
; <<>> DiG 9.3.2-P1 <<>> @central chaos txt version.bind
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47301
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "dnsmasq-2.46test9"
;; Query time: 0 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Sun Sep 14 22:27:29 2008
;; MSG SIZE rcvd: 60

Cheers, Simon. 
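Philip's hypothesis is that the router's forwarder copies the CNAME target into a fixed-length buffer; the name in Simon's capture is legal DNS (97 one-character labels plus a 13-character one come to 221 octets on the wire, under the 255-octet limit of RFC 1035), so any buffer shorter than that overflows on a perfectly valid answer. The code below is an added example, not code from the thread, from dnsmasq or from grc.com: a name decoder that enforces the 63-octet label and 255-octet name limits and bounds compression-pointer chasing, run over a reply constructed locally to the same shape as Simon's dig output (CNAME, then an A record whose owner name is a compression pointer into the CNAME rdata). The query ID, TTL, address and the GRC_STYLE_TARGET name are made up for the example.

```python
"""DNS wire-format name parsing with the RFC 1035 limits enforced.

Added example; not code from the thread, from dnsmasq or from grc.com.
The reply built here only mirrors the shape of Simon's dig output (97 "a"
labels, one 13-character label, a CNAME, then an A record with a
compressed owner); the ID, TTL and address are made up for the example.
"""
import struct

MAX_LABEL = 63    # octets per label
MAX_NAME = 255    # wire octets per name, root label included
MAX_HOPS = 16     # compression pointers followed per name
GRC_STYLE_TARGET = ".".join(["a"] * 97) + ".m0zhev0yf1pjl.dns.grc.com."


def encode_name(name):
    """Presentation form -> wire form, refusing what the protocol forbids."""
    out = bytearray()
    for label in name.rstrip(".").split(".") if name.rstrip(".") else []:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label of %d octets, limit %d" % (len(raw), MAX_LABEL))
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > MAX_NAME:
        raise ValueError("name of %d wire octets, limit %d" % (len(out), MAX_NAME))
    return bytes(out)


def parse_name(msg, off):
    """Decode the name at msg[off]; return (name with trailing dot, offset after it).
    Rejects over-long labels/names, truncation, pointers that do not point backwards
    and more than MAX_HOPS hops, so a crafted loop cannot spin and an over-long
    target is refused before anything could copy it into a fixed-size buffer."""
    labels, total, hops, end = [], 0, 0, -1
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("pointer does not point backwards")
            hops += 1
            if hops > MAX_HOPS:
                raise ValueError("too many pointer hops")
            if end < 0:
                end = off + 2                       # name ends after the first pointer
            off = ptr
            continue
        if ln > MAX_LABEL:                          # also rejects reserved 01/10 types
            raise ValueError("label length %d over %d or reserved type" % (ln, MAX_LABEL))
        total += ln + 1
        if total > MAX_NAME:
            raise ValueError("name exceeds %d wire octets" % MAX_NAME)
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (end if end >= 0 else off)
        if off + ln > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_response(qname, target, addr, ttl=60):
    """Constructed reply: question; CNAME whose owner points at the question
    name; A record whose owner points into the CNAME rdata (the long name)."""
    header = struct.pack("!HHHHHH", 0xB142, 0x8180, 1, 2, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)           # A, IN
    rdata = encode_name(target)
    cname_rr = struct.pack("!HHHIH", 0xC000 | 12, 5, 1, ttl, len(rdata)) + rdata
    rdata_off = len(header) + len(question) + 12
    a_rr = struct.pack("!HHHIH", 0xC000 | rdata_off, 1, 1, ttl, 4) \
        + bytes(int(o) for o in addr.split("."))
    return header + question + cname_rr + a_rr


def parse_response(msg):
    """(owner, type, value) for every answer record; CNAME and A are decoded."""
    if len(msg) < 12:
        raise ValueError("short header")
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = parse_name(msg, off)[1] + 4                   # skip qtype, qclass
    answers = []
    for _ in range(ancount):
        owner, off = parse_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated rdata")
        if rtype == 5:
            value, end = parse_name(msg, off)
            if end != off + rdlen:
                raise ValueError("CNAME rdata length does not match its name")
        elif rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((owner, {1: "A", 5: "CNAME"}.get(rtype, str(rtype)), value))
        off += rdlen
    return answers
```

The design point is that every size decision is made from the protocol's own limits before any copying happens: a forwarder written this way can hold any legal name in a 256-byte buffer, and anything larger is a malformed packet to drop, not data to store. Pointer hops are capped and required to point backwards, and the running name length is checked per label, so a reply crafted with a pointer cycle or a 300-octet target is rejected instead of looping or overrunning.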
From adam.ant at cyberspaceroad.com Mon Sep 15 11:28:42 2008 
From: adam.ant at cyberspaceroad.com (Adam Hardy) Date: Mon Sep 15 11:29:42 2008 Subject: [Dnsmasq-discuss] using DHCP to set clients' MTU In-Reply-To: <48CA5838.2080007@cc.hs-owl.de> References: <48C9184F.2030209@cyberspaceroad.com> <200809111520.35011.steven@springl.ukfsn.org> <48C93F48.5090206@cyberspaceroad.com> <48C97CDB.3010801@cc.hs-owl.de> <48C9A28E.9050407@cyberspaceroad.com> <48CA5838.2080007@cc.hs-owl.de> Message-ID: <48CE38DA.2020309@cyberspaceroad.com> Jan 'RedBully' Seiffert on 12/09/08 12:53, wrote: > Adam Hardy wrote: >> Jan 'RedBully' Seiffert on 11/09/08 21:17, wrote: > [snip] >>> >>> Hmmm, a mtu of 1430 looks a bit strange, but probably depends on your >>> link. Some kind of VPN or PPPoA on your side? Or are you saying paypal >>> has some kind of Tunnel/Route/Whatever which limits THEIR mtu? >>> [SNIP] > > Oh, initially i wasn't even talking about you, but problems on the remote end > where you have no control how they configure their stuff. Then you are forced > to employ ugly workarounds on your side. If you check your firewall rules, > make sure there is a path for icmp-fragmentation-needed packets. (iptables > -p icmp --icmp-type fragmentation-needed -j ACCEPT) OK, I'll go with that, but I'm trying to work out logically if I have blocked it. What state are the ICMP fragmentation-needed packets returned? Surely they are RELATED or ESTABLISHED? In that case, I am not blocking them. I only block INVALID and NEW for most ports. > [SNIP] > I read a little on BT, seems they use PPPoA, and this is terminated on the > modem... Hmmm, ATM equipment for PCs is rare, so your router has normal > ethernet to the modem and "sees" an mtu of 1500, while the true mtu is hidden > in the modem. And i thought one of the benefits of pppoa was, that the mtu is > kept at 1500. Any chance your new hosting service has a funny uplink? (should > not, a big site should have a "real" connection and not a dsl line...) 
/me is > totally confused Gnarf, seems this is even a bigger PITA than PPPoE ... > > Searching for the right mtu turned up a lot of values, does someone know the > true mtu of a BT PPPoA link? (note: first and foremost you better find the > real mtu of the link, to get a grip on the problem, then one can think about > adjusting/tuning it to better match the ATM-part of the connection) > > The modem faced interface of your router needs the MTU set to the true value. > This way your router should not send packets too big (or fragment them), your > clients should get a fragmentation-needed when they try to. > Using http://www.dslreports.com/tweaks I see that my network is unpingable under the 'ICMP (ping) check' result. That looks bad in view of the above. But it also tells me:

Max packet sent (MTU): 1488
Max packet recd (MTU): 1418
Retransmitted packets: 4
sacks you sent: 2

so I guess that 1488 is what I should set my ADSL modem to? [SNIP] > Since you are talking about SMTP, so you had problems sending large packets? > Then the problem can be on your side, according to my crystal ball ^^. But > can be also on the remote side... It's important which packet choked, your > outgoing packet or the incoming packet not coming through to you. Are you > sure this is a "true" modem and not also a little router, do you have a > non-private ip-address on your router? Maybe it's also twiddling some > values... Maybe you should go back to square one, set everything back to 1500 > and then use tcpdump to see where your packets vanish, or how big they are > with other known to work sites. Maybe later if there's no joy with the latest stuff I've learnt about.... > something with 145[0-9] from what i read. Or is BT adding another > encapsulation like L2TP? I searched the most useful UK broadband users forum for L2TP and only saw references to it in connection with resellers or wholesale. It doesn't look like something that BT are using on my (& other retail customers') connection. 
Regards Adam From mysql.jorge at decimal.pt Mon Sep 15 13:43:11 2008 From: mysql.jorge at decimal.pt (Jorge Bastos) Date: Mon Sep 15 13:47:00 2008 Subject: [Dnsmasq-discuss] Feature Request? Message-ID: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> Hi, Simon, i'd like to ask for a feature if not implemented yet. I've seen in other dns/dns proxy servers, the ability to serve an IP when a certain DNS host is down/doesn't respond. Is it possible for dnsmasq, to do this, with two parameters, one for on/off the feature, and the 2nd to specify the host/IP for the response. With this I could for example, inside my network, redirect all broken DNS's to my webserver specifying a host and do a webpage explaining what happened. Is this possible? Thanks in advance, Jorge PS: I saw it here, and it's something that will be very handy for me, and I'm sure for others because of dns problems. --- About: pdnsd is a Proxy DNS server for Linux and FreeBSD that is designed to cope with unreachable nameservers (e.g. because the dial-in link is not up) in a graceful manner to prevent DNS-dependent applications like Netscape from hanging. It has a permanent disk cache and supports parallel query and a wide variety of link uptests. It also has the ability to serve some local records. From bod at bod.org Mon Sep 15 16:52:14 2008 
From: bod at bod.org (Paul Chambers) Date: Mon Sep 15 16:53:12 2008 Subject: [Dnsmasq-discuss] Feature Request? In-Reply-To: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> References: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> Message-ID: <48CE84AE.5040703@bod.org> I'd like to do something vaguely similar, though in my case it's sending requests in a particular domain to a given pair of servers, only when a vpn is up (e.g. tun0). If the VPN isn't up, those servers are not reachable anyhow. I noticed the 'server=//@' variant in the docs, but haven't had the time to investigate how it behaves if the interface in question is down. This is also something pdnsd can do, but dnsmasq is a much better tool for my needs in just about every respect, and I'd really prefer not to have to run both. Paul Jorge Bastos wrote: > > Hi, > > Simon, i'd like to ask for a feature if not implemented yet. > > I've seen in other dns/dns proxy servers, the ability to serve an IP > when a certain DNS host is down/doesn't respond. > > Is it possible for dnsmasq, to do this, with two parameters, one for > on/off the feature, and the 2nd to specify the host/IP for the response. > > With this I could for example, inside my network, redirect all broken > DNS's to my webserver specifying a host and do a webpage explaining > what happened. > > > > Is this possible? > > > > Thanks in advance, > > Jorge > > > > PS: I saw it here, and it's something that will be very handy for me, > and I'm sure for others because of dns problems. > > --- > > *About:* pdnsd is a Proxy DNS server for Linux and FreeBSD that is > designed to cope with unreachable nameservers (e.g. because the > dial-in link is not up) in a graceful manner to prevent DNS-dependent > applications like Netscape from hanging. It has a permanent disk cache > and supports parallel query and a wide variety of link uptests. It > also has the ability to serve some local records. 
From: mysql.jorge at decimal.pt (Jorge Bastos)
Date: Mon Sep 15 17:47:56 2008
Subject: [Dnsmasq-discuss] Feature Request?
In-Reply-To: <48CE84AE.5040703@bod.org>
References: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> <48CE84AE.5040703@bod.org>
Message-ID: <00cc01c91752$ad5bc700$08135500$@jorge@decimal.pt>

Yap, DNSMasq is much better, that's why I'd like to have this feature on it.

From: byogi at yahoo.com (yogi)
Date: Mon Sep 15 21:42:00 2008
Subject: [Dnsmasq-discuss] dhcpd.conf
Message-ID: <367694.95292.qm@web43136.mail.sp1.yahoo.com>

Hi,

I'm trying to implement a Solaris 10 netboot and install environment. Can anybody help me converting this section?

----
use-host-decl-names on;
vendor-option-space SUNW;
option SUNW.JumpStart-server "jumper:/export/JS/sol10/configs";
option SUNW.install-server-hostname "jumper";
option SUNW.install-server-ip-address 10.31.0.1;
option SUNW.install-path "/export/JS/sol10/01_06";
option SUNW.root-server-hostname "jumper";
option SUNW.root-server-ip-address 10.31.0.1;
option SUNW.root-path-name "/export/JS/sol10/01_06/Solaris_10/Tools/Boot";
option SUNW.sysid-config-file-server = "jumper:/export/JS/sol10/configs/workstation";
----

thanks
yogi

From: philip.leriche at virgin.net (Philip Le Riche)
Date: Tue Sep 16 12:33:25 2008
Subject: [Dnsmasq-discuss] CNAME buffer overflow?
In-Reply-To: <48CD81EC.4090606@thekelleys.org.uk>
References: <48CD6C50.1050808@virgin.net> <48CD81EC.4090606@thekelleys.org.uk>
Message-ID: <48CF994C.2030604@virgin.net>

Thanks for your help Simon. For the record (for other readers of the forum), my router gives a reply status of REFUSED to the dig chaos txt version.bind, strongly indicating that it isn't dnsmasq in there. I'll go and search elsewhere.

Regards - Philip

Simon Kelley wrote:
> A couple more data points:
>
> dig abcdefghijklm.dns.grc.com
>
> (query taken from Philip's packet capture) works fine with the latest
> dnsmasq code, and with 2.16, the release before the putative fix.
>
> srk@spike:~$ dig abcdefghijklm.dns.grc.com
>
> ; <<>> DiG 9.3.2-P1 <<>> abcdefghijklm.dns.grc.com
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45378
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;abcdefghijklm.dns.grc.com.    IN A
>
> ;; ANSWER SECTION:
> abcdefghijklm.dns.grc.com. 60 IN CNAME a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
> a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
> a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
> a.m0zhev0yf1pjl.dns.grc.com.
> a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
> a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.
> a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.m0zhev0yf1pjl.dns.grc.com. 60 IN A 4.79.142.193
>
> ;; Query time: 301 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Sep 14 22:26:22 2008
> ;; MSG SIZE  rcvd: 281
>
> srk@spike:~$ dig chaos txt version.bind
>
> ; <<>> DiG 9.3.2-P1 <<>> @central chaos txt version.bind
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47301
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;version.bind.    CH TXT
>
> ;; ANSWER SECTION:
> version.bind. 0 CH TXT "dnsmasq-2.46test9"
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.0.4#53(192.168.0.4)
> ;; WHEN: Sun Sep 14 22:27:29 2008
> ;; MSG SIZE  rcvd: 60
>
> Cheers,
>
> Simon.

From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Sep 16 13:29:57 2008
Subject: [Dnsmasq-discuss] dhcpd.conf
In-Reply-To: <367694.95292.qm@web43136.mail.sp1.yahoo.com>
References: <367694.95292.qm@web43136.mail.sp1.yahoo.com>
Message-ID: <48CFA68F.1070404@thekelleys.org.uk>

yogi wrote:
> Hi,
> I'm trying to implement a Solaris 10 netboot and install
> environment. Can anybody help me converting this section?
> ----
> use-host-decl-names on;
> vendor-option-space SUNW;
> option SUNW.JumpStart-server "jumper:/export/JS/sol10/configs";
> option SUNW.install-server-hostname "jumper";
> option SUNW.install-server-ip-address 10.31.0.1;
> option SUNW.install-path "/export/JS/sol10/01_06";
> option SUNW.root-server-hostname "jumper";
> option SUNW.root-server-ip-address 10.31.0.1;
> option SUNW.root-path-name "/export/JS/sol10/01_06/Solaris_10/Tools/Boot";
> option SUNW.sysid-config-file-server = "jumper:/export/JS/sol10/configs/workstation";
> ----

As I understand things, we'll need the part of the config file where these options are declared in order to do a conversion.

Cheers,

Simon.

From: mysql.jorge at decimal.pt (Jorge Bastos)
Date: Tue Sep 16 14:05:20 2008
Subject: [Dnsmasq-discuss] Feature Request?
In-Reply-To: <00cc01c91752$ad5bc700$08135500$@jorge@decimal.pt>
References: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> <48CE84AE.5040703@bod.org> <00cc01c91752$ad5bc700$08135500$@jorge@decimal.pt>
Message-ID: <016201c917fc$bbf6a230$33e3e690$@jorge@decimal.pt>

Hi Simon,

What can you say about this?

Jorge,

From: byogi at yahoo.com (yogi)
Date: Tue Sep 16 15:26:36 2008
Subject: [Dnsmasq-discuss] dhcpd.conf
In-Reply-To: <48CFA68F.1070404@thekelleys.org.uk>
Message-ID: <124357.15391.qm@web43138.mail.sp1.yahoo.com>

Hi Simon,

I'm sorry about the goof up. Here it is.

-----
# Jumpstart Support
option space SUNW;
option SUNW.root-mount-options code 1 = text;
option SUNW.root-server-ip-address code 2 = ip-address;
option SUNW.root-server-hostname code 3 = text;
option SUNW.root-path-name code 4 = text;
option SUNW.swap-server-ip-address code 5 = ip-address;
option SUNW.swap-file-path code 6 = text;
option SUNW.boot-file-path code 7 = text;
option SUNW.posix-timezone-string code 8 = text;
option SUNW.boot-read-size code 9 = unsigned integer 16;
option SUNW.install-server-ip-address code 10 = ip-address;
option SUNW.install-server-hostname code 11 = text;
option SUNW.install-path code 12 = text;
option SUNW.sysid-config-file-server code 13 = text;
option SUNW.JumpStart-server code 14 = text;
option SUNW.terminal-name code 15 = text;
-----

----
> > use-host-decl-names on;
> > vendor-option-space SUNW;
> > option SUNW.JumpStart-server "jumper:/export/JS/sol10/configs";
> > option SUNW.install-server-hostname "jumper";
> > option SUNW.install-server-ip-address 10.31.0.1;
> > option SUNW.install-path "/export/JS/sol10/01_06";
> > option SUNW.root-server-hostname "jumper";
> > option SUNW.root-server-ip-address 10.31.0.1;
> > option SUNW.root-path-name "/export/JS/sol10/01_06/Solaris_10/Tools/Boot";
> > option SUNW.sysid-config-file-server = "jumper:/export/JS/sol10/configs/workstation";
> > ----

Cheers
yogesh

From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Sep 16 16:22:53 2008
Subject: [Dnsmasq-discuss] dhcpd.conf
In-Reply-To: <124357.15391.qm@web43138.mail.sp1.yahoo.com>
References: <124357.15391.qm@web43138.mail.sp1.yahoo.com>
Message-ID: <48CFCF1B.4070603@thekelleys.org.uk>

yogi wrote:
> Hi Simon,
> I'm sorry about the goof up. Here it is.
>
> -----
> # Jumpstart Support
> option space SUNW;
> option SUNW.root-mount-options code 1 = text;
> option SUNW.root-server-ip-address code 2 = ip-address;
> option SUNW.root-server-hostname code 3 = text;
> option SUNW.root-path-name code 4 = text;
> option SUNW.swap-server-ip-address code 5 = ip-address;
> option SUNW.swap-file-path code 6 = text;
> option SUNW.boot-file-path code 7 = text;
> option SUNW.posix-timezone-string code 8 = text;
> option SUNW.boot-read-size code 9 = unsigned integer 16;
> option SUNW.install-server-ip-address code 10 = ip-address;
> option SUNW.install-server-hostname code 11 = text;
> option SUNW.install-path code 12 = text;
> option SUNW.sysid-config-file-server code 13 = text;
> option SUNW.JumpStart-server code 14 = text;
> option SUNW.terminal-name code 15 = text;
> -----
>
> ----
>>> use-host-decl-names on;
>>> vendor-option-space SUNW;
>>> option SUNW.JumpStart-server "jumper:/export/JS/sol10/configs";
>>> option SUNW.install-server-hostname "jumper";
>>> option SUNW.install-server-ip-address 10.31.0.1;
>>> option SUNW.install-path "/export/JS/sol10/01_06";
>>> option SUNW.root-server-hostname "jumper";
>>> option SUNW.root-server-ip-address 10.31.0.1;
>>> option SUNW.root-path-name "/export/JS/sol10/01_06/Solaris_10/Tools/Boot";
>>> option SUNW.sysid-config-file-server = "jumper:/export/JS/sol10/configs/workstation";
>>> ----
>
> Cheers
> yogesh

OK, it's just dhcp-option, and the vendor: construction and integer option numbers, so

dhcp-option=vendor:SUNW,14,"jumper:/export/JS/sol10/configs"
dhcp-option=vendor:SUNW,11,jumper
dhcp-option=vendor:SUNW,10,10.31.0.1
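The mapping Simon gives above is mechanical: an ISC "option SPACE.name code N = type;" declaration supplies the option number, and each "option SPACE.name value;" assignment becomes "dhcp-option=vendor:SPACE,N,value". The script below performs the whole conversion for yogi's fragment. It is an added example, not dnsmasq code or a tool from the thread: the sample config is yogi's two fragments joined by hand, the quoting rule (double-quote values that contain ':' or ',') follows Simon's first output line, and the note it emits for text-typed values that look like addresses or integers is there because dnsmasq picks the wire encoding from the shape of the value. dnsmasq sends vendor: options, encapsulated in option 43, only to clients whose vendor-class identifier matches the named class, so nothing else on the network sees them.

```python
"""
Convert ISC dhcpd vendor-option declarations and assignments into
dnsmasq dhcp-option=vendor:SPACE,CODE,VALUE lines (added example).
"""
import re

# Constructed sample: yogi's option-space declarations followed by the
# assignments from his first message, joined into one file.
ISC_DHCPD_CONF = """
# Jumpstart Support
option space SUNW;
option SUNW.root-mount-options code 1 = text;
option SUNW.root-server-ip-address code 2 = ip-address;
option SUNW.root-server-hostname code 3 = text;
option SUNW.root-path-name code 4 = text;
option SUNW.swap-server-ip-address code 5 = ip-address;
option SUNW.swap-file-path code 6 = text;
option SUNW.boot-file-path code 7 = text;
option SUNW.posix-timezone-string code 8 = text;
option SUNW.boot-read-size code 9 = unsigned integer 16;
option SUNW.install-server-ip-address code 10 = ip-address;
option SUNW.install-server-hostname code 11 = text;
option SUNW.install-path code 12 = text;
option SUNW.sysid-config-file-server code 13 = text;
option SUNW.JumpStart-server code 14 = text;
option SUNW.terminal-name code 15 = text;

use-host-decl-names on;
vendor-option-space SUNW;
option SUNW.JumpStart-server "jumper:/export/JS/sol10/configs";
option SUNW.install-server-hostname "jumper";
option SUNW.install-server-ip-address 10.31.0.1;
option SUNW.install-path "/export/JS/sol10/01_06";
option SUNW.root-server-hostname "jumper";
option SUNW.root-server-ip-address 10.31.0.1;
option SUNW.root-path-name "/export/JS/sol10/01_06/Solaris_10/Tools/Boot";
option SUNW.sysid-config-file-server = "jumper:/export/JS/sol10/configs/workstation";
"""

# Statements reach these with whitespace collapsed to single spaces.
DECL_RE = re.compile(r"^option (\w+)\.([\w-]+) code (\d+) = (.+)$")
ASSIGN_RE = re.compile(r"^option (\w+)\.([\w-]+) ?=? ?(.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def statements(text):
    """Yield ';'-terminated statements, comments stripped, whitespace collapsed.
    Good enough for this fragment; it does not handle ';' inside strings."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    for stmt in no_comments.split(";"):
        stmt = " ".join(stmt.split())
        if stmt:
            yield stmt


def dnsmasq_value(raw, declared_type):
    """Render one ISC option value in the form dhcp-option accepts."""
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    if declared_type == "ip-address" and not IPV4_RE.match(value):
        raise ValueError(f"{raw!r} is declared ip-address but is not a dotted quad")
    # dhcp-option arguments are comma-separated, and Simon double-quoted the
    # value containing ':', so quote anything holding either character.
    if "," in value or ":" in value:
        value = f'"{value}"'
    return value


def convert(text):
    """Return (dnsmasq_lines, notes) for an ISC dhcpd vendor-option fragment."""
    codes, types = {}, {}          # (space, name) -> option code / declared type
    lines, notes = [], []
    for stmt in statements(text):
        if stmt.startswith("option space ") or stmt.startswith("vendor-option-space "):
            continue               # implied by vendor:SPACE on each dnsmasq line
        if stmt == "use-host-decl-names on":
            notes.append("use-host-decl-names on: dnsmasq's default, nothing to emit")
            continue
        m = DECL_RE.match(stmt)
        if m:
            space, name, code, typ = m.groups()
            codes[(space, name)] = int(code)
            types[(space, name)] = typ
            continue
        m = ASSIGN_RE.match(stmt)
        if m:
            space, name, raw = m.groups()
            key = (space, name)
            if key not in codes:
                raise KeyError(f"{space}.{name} is assigned but never declared with 'code N = type'")
            value = dnsmasq_value(raw, types[key])
            if types[key] == "text" and (IPV4_RE.match(value) or value.isdigit()):
                notes.append(f"{space}.{name}: text option whose value {value} would be "
                             "encoded by dnsmasq as an address/integer; check it on the wire")
            lines.append(f"dhcp-option=vendor:{space},{codes[key]},{value}")
            continue
        notes.append(f"unhandled statement: {stmt}")
    return lines, notes


if __name__ == "__main__":
    out, remarks = convert(ISC_DHCPD_CONF)
    print("\n".join(out))
    for remark in remarks:
        print("#", remark)
```

The first three lines it prints are exactly the three Simon posted; the remaining five follow the same rule for the options he had not yet typed out. Anything the parser does not recognise lands in the notes rather than being silently dropped, which is the behaviour you want from a config translator.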
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue Sep 16 16:27:29 2008
Subject: [Dnsmasq-discuss] dhcpd.conf
In-Reply-To: <124357.15391.qm@web43138.mail.sp1.yahoo.com>
References: <124357.15391.qm@web43138.mail.sp1.yahoo.com>
Message-ID: <48CFD02E.50408@thekelleys.org.uk>

Sorry, posted too soon, I meant to add that

use-host-decl-names on;

is, I think, default behaviour in dnsmasq.

Cheers,

Simon.

From: aweber at comcast.net (AJ Weber)
Date: Wed Sep 17 13:41:50 2008
Subject: [Dnsmasq-discuss] multiple host names?
Message-ID: <006a01c918c2$601af030$d101a8c0@webtekllc.com>

Is there a way to resolve more than one hostname to a single host? Like an alias-feature? Analogous to putting a line in /etc/hosts with multiple names after the IP address? Then have dnsmasq resolve any of the names to the correct address?

Thanks,
AJ

From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed Sep 17 14:37:40 2008
Subject: [Dnsmasq-discuss] Feature Request?
In-Reply-To: <016201c917fc$bbf6a230$33e3e690$@jorge@decimal.pt>
References: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> <48CE84AE.5040703@bod.org> <00cc01c91752$ad5bc700$08135500$@jorge@decimal.pt> <016201c917fc$bbf6a230$33e3e690$@jorge@decimal.pt>
Message-ID: <48D107EE.5020900@thekelleys.org.uk>

Jorge Bastos wrote:
> Hi Simon,
>
> What can you say about this?

It rather depends on what you mean by "doesn't respond". The possibilities I can think of are

1) network error "No route to host" talking to upstream server.
2) Upstream server returns NXDOMAIN or NODATA reply.
3) Upstream server returns SERVFAIL or REFUSED return codes.
4) Upstream server doesn't reply at all.

1) is already detected, and results in a REFUSED reply to the original requestor; that could be customised fairly easily.

2) are legitimate replies and shouldn't be interfered with; 3) are arguably also legit replies, but could be substituted.

4) is difficult to even reliably detect. DNS usually uses UDP as a transport; the only way to substitute a different reply for no-reply from the upstream server is to use a shorter time-out than the original requestor. Since the length of that time-out is not known, that's difficult to do reliably.

On top of this, messing with the DNS in this way can have unexpected results: it sounds like you're trying to control the web-surfing experience, but DNS is not just the web. If having the DNS go down results in substituted results rather than errors, you could easily find the contents of your mail spool delivered to your local webserver or, more likely, bounced by it. There's also the problem that the results of DNS lookups can get cached in surprising places, leading to problems after connectivity is restored.

Cheers,

Simon.

From: kyron at neuralbs.com (Eric Thibodeau)
Date: Wed Sep 17 14:39:38 2008
Subject: [Dnsmasq-discuss] multiple host names?
In-Reply-To: <006a01c918c2$601af030$d101a8c0@webtekllc.com>
References: <006a01c918c2$601af030$d101a8c0@webtekllc.com>
Message-ID: <48D10868.40908@neuralbs.com>

From the dnsmasq manpage:

    -H, --addn-hosts=
        Additional hosts file. Read the specified file as well as /etc/hosts.
        If -h is given, read only the specified file. This option may be
        repeated for more than one additional hosts file.

So, simply define an addn-hosts= to add a hosts-styled config file and define the host in there. This is assuming you didn't want to put that host definition in /etc/hosts.

Eric

AJ Weber wrote:
> Is there a way to resolve more than one hostname to a single host?
> Like an alias-feature? Analogous to putting a line in /etc/hosts with
> multiple names after the IP address? Then have dnsmasq resolve any of
> the names to the correct address?
>
> Thanks,
> AJ

From: briemers at redhat.com (Bill C. Riemers)
Date: Wed Sep 17 14:48:05 2008
Subject: [Dnsmasq-discuss] multiple host names?
In-Reply-To: <006a01c918c2$601af030$d101a8c0@webtekllc.com>
References: <006a01c918c2$601af030$d101a8c0@webtekllc.com>
Message-ID: <48D10A18.40200@redhat.com>

The easiest way is to use the address directive in the dnsmasq.conf file, e.g.

address=/dd-wrt.local/dd-wrt/gateway.local/gateway/192.168.1.1

The disadvantage of address directives is that the dnsmasq.conf file is not automatically re-read when you update it. But the address feature is particularly useful on DD-WRT devices, because the hosts file will be overwritten each reboot.

Note: a reverse DNS lookup will not return multiple entries, e.g.

[docbill@hartnell ~]$ nslookup 192.168.1.1
Server:         192.168.1.1
Address:        192.168.1.1#53

1.1.168.192.in-addr.arpa        name = dd-wrt.local.
[docbill@hartnell ~]$

Bill

AJ Weber wrote:
> Is there a way to resolve more than one hostname to a single host?
> Like an alias-feature? Analogous to putting a line in /etc/hosts with
> multiple names after the IP address? Then have dnsmasq resolve any of
> the names to the correct address?
>
> Thanks,
> AJ

From: aweber at comcast.net (AJ Weber)
Date: Wed Sep 17 15:20:04 2008
Subject: [Dnsmasq-discuss] multiple host names?
References: <006a01c918c2$601af030$d101a8c0@webtekllc.com> <48D10A18.40200@redhat.com>
Message-ID: <000e01c918d0$1b0757a0$d101a8c0@webtekllc.com>

I should have been more specific. Is there a way to do it in conjunction with a dhcp-host line? I do NOT, in fact, give the host I'm referring to a consistent address. I was just wondering if there was some option elsewhere or using that address directive (but without specifying a specific IP).

Thanks for the feedback,
-AJ

From: mysql.jorge at decimal.pt (Jorge Bastos)
Date: Wed Sep 17 20:04:07 2008
Subject: [Dnsmasq-discuss] Feature Request?
In-Reply-To: <48D107EE.5020900@thekelleys.org.uk>
References: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> <48CE84AE.5040703@bod.org> <00cc01c91752$ad5bc700$08135500$@jorge@decimal.pt> <016201c917fc$bbf6a230$33e3e690$@jorge@decimal.pt> <48D107EE.5020900@thekelleys.org.uk>
Message-ID: <000601c918f7$e6600150$b32003f0$@jorge@decimal.pt>

Well, what I had in mind is when a non-existent DNS name is requested.

From what you said, forgive me if I interpreted it wrong, dnsmasq is already able to detect that and reply with a customized value? Am I correct? If so, can you post an example for the config?

From: jon.bogan at gmail.com (Jon Bogan)
Date: Thu Sep 18 01:50:05 2008
Subject: [Dnsmasq-discuss] dnsmasq Problems on Windows Network
Message-ID: <7eaca4730809171749v64ff9474r86952ea9fd886d4@mail.gmail.com>

Everything with dnsmasq running on Fedora seems to be fine as long as I'm actually on the Linux box. When I set my Windoze clients to use the Linux box, they seem to get no response from dnsmasq and all requests time out. I've run Wireshark on both systems to ensure the request goes out from the laptop and that the request is received by the Linux box. No firewall on either system. Pings, etc., work just fine. Samba shares fully accessible. Webmin from Windoze OK. Requests to Apache on the Linux box work as well. VNC sessions and telnet just fine. Basically, all communications between the systems work as expected. It seems to me that either dnsmasq can't hear the request or that it chooses to not respond.

I'm more than happy to provide logs, config files, etc. Just need to know what would help.

Thanks in advance.

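Back to Simon's reply in the Feature Request thread: three of his four cases can be told apart from the DNS reply header alone, and the fourth cannot be told apart from anything. The following added example (not dnsmasq code) makes that concrete. It reads the 12-byte header, treats NXDOMAIN and a NOERROR reply with an empty answer section (NODATA) as legitimate negative answers (case 2, which is also the "non-existent name" case Jorge asks about), SERVFAIL and REFUSED as substitutable server failures (case 3), a socket error such as "No route to host" as case 1, and a timeout as case 4. The replies it checks are constructed by hand; the forward() helper exists to show that the timeout it has to choose is exactly the guess Simon describes. It also refuses a reply whose ID does not match the query, which any forwarder that substitutes answers should check before trusting what it received.

```python
"""
Sort an upstream DNS server's behaviour into the four cases from the
thread (transport error, NXDOMAIN/NODATA, SERVFAIL/REFUSED, no reply),
working from the wire header.  Added example, not dnsmasq code.
"""
import socket
import struct

NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5


def parse_header(reply):
    """Return (id, qr, rcode, ancount) from a DNS message header (RFC 1035 4.1.1)."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    return ident, bool(flags & 0x8000), flags & 0x000F, ancount


def classify(reply, expected_id, transport_error=None):
    """
    reply            raw bytes from upstream, or None if nothing arrived in time
    expected_id      the ID we sent; a reply carrying another ID is not ours
    transport_error  OSError from the socket (e.g. "No route to host"), or None

    Returns "unreachable" (case 1), "negative" or "answered" (case 2),
    "server_failure" (case 3) or "silent" (case 4).
    """
    if transport_error is not None:
        return "unreachable"      # case 1: dnsmasq already maps this to REFUSED
    if reply is None:
        return "silent"           # case 4: only "detected" by picking a timeout
    ident, qr, rcode, ancount = parse_header(reply)
    if not qr or ident != expected_id:
        raise ValueError("not a response to our query")
    if rcode == NXDOMAIN or (rcode == NOERROR and ancount == 0):
        return "negative"         # case 2: NXDOMAIN or NODATA is a real answer
    if rcode == NOERROR:
        return "answered"
    return "server_failure"       # case 3: SERVFAIL, REFUSED, other error codes


def forward(query, upstream, timeout):
    """Send one UDP query; return (reply_or_None, OSError_or_None) for classify()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # this guess is the whole problem with case 4
        try:
            sock.sendto(query, upstream)
            data, _ = sock.recvfrom(4096)
            return data, None
        except socket.timeout:
            return None, None
        except OSError as err:
            return None, err


def build_reply(ident, rcode, answers, qname=b"example.invalid"):
    """Constructed minimal reply: header, one question, `answers` A records."""
    flags = 0x8180 | rcode        # QR=1, RD=1, RA=1
    header = struct.pack("!6H", ident, flags, 1, answers, 0, 0)
    question = b"".join(bytes([len(label)]) + label for label in qname.split(b".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)                       # type A, class IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + rr * answers


if __name__ == "__main__":
    for label, rcode, count in (("A record", NOERROR, 1), ("NODATA", NOERROR, 0),
                                ("NXDOMAIN", NXDOMAIN, 0), ("SERVFAIL", SERVFAIL, 0),
                                ("REFUSED", REFUSED, 0)):
        print(f"{label:9} -> {classify(build_reply(7, rcode, count), 7)}")
    print(f"{'timeout':9} -> {classify(None, 7)}")
    print(f"{'no route':9} -> {classify(None, 7, OSError(113, 'No route to host'))}")
```

Note that "negative" covers both NXDOMAIN and NODATA, and that a proxy which substituted an address for those would be lying about names that upstream has definitively said do not exist; that is the mail-bounce scenario Simon warns about.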
From: p.katzmann at thiesen.com (Peter Katzmann)
Date: Thu Sep 18 12:45:55 2008
Subject: [Dnsmasq-discuss] Small Bug with MAC Wildcards ?
Message-ID: <48D23F24.6020305@thiesen.com>

Hello,

I currently made a mistake in my dnsmasq conf file.

Setting

dhcp-host=00:12:20:21:bd:*:*:ip,net:xxx

was accepted without complaints about the malformed mac address. I had 7 parameters instead of the 6.

peter

From simon at thekelleys.org.uk Thu Sep 18 14:01:11 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Sep 18 14:02:03 2008
Subject: [Dnsmasq-discuss] Small Bug with MAC Wildcards ?
In-Reply-To: <48D23F24.6020305@thiesen.com>
References: <48D23F24.6020305@thiesen.com>
Message-ID: <48D25117.3010008@thekelleys.org.uk>

Peter Katzmann wrote:
> Hello,
> I currently made a mistake in my dnsmasq conf file.
> Setting
> dhcp-host=00:12:20:21:bd:*:*:ip,net:xxx
> was accepted without complaints about the malformed mac address
> I had 7 parameters instead of the 6
>

There's nothing that says a MAC address has to be 6 bytes. Firewire MAC addresses are 8 bytes, and the DHCP packet format has space for up to 16 bytes.

Cheers,

Simon.

From simon at thekelleys.org.uk Thu Sep 18 14:17:10 2008
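An added example for the MAC-wildcard exchange above, written for this page and not taken from dnsmasq's own config parser: a small POSIX-sh checker for dhcp-host hardware-address patterns. It assumes that a pattern of N octets only ever matches a hardware address of exactly N octets (so a 7-octet pattern is legal, as Simon says, but can never match an Ethernet client) and that the first comma-separated field of a dhcp-host line is the address pattern; the sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example for this page; not dnsmasq's own configuration parser.
# Checks dhcp-host hardware-address patterns: octets separated by ':',
# '*' as a wildcard octet, 1..16 octets (the DHCP chaddr field is 16 bytes).
# Assumption: a pattern matches only an address with the same octet count.

# octet_count STRING -> number of ':'-separated fields
octet_count() {
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# hwaddr_pattern_ok PATTERN -> 0 if 1..16 octets, each '*' or two hex digits
hwaddr_pattern_ok() {
    n=$(octet_count "$1")
    [ "$n" -ge 1 ] && [ "$n" -le 16 ] || return 1
    printf '%s\n' "$1" | awk -F: '
        { for (i = 1; i <= NF; i++)
              if ($i != "*" && $i !~ /^[0-9a-fA-F][0-9a-fA-F]$/) exit 1 }'
}

# hwaddr_matches PATTERN ADDRESS -> 0 if PATTERN matches ADDRESS
# (octet counts must agree; '*' matches any octet; hex compare is case-insensitive)
hwaddr_matches() {
    [ "$(octet_count "$1")" = "$(octet_count "$2")" ] || return 1
    printf '%s %s\n' "$1" "$2" | awk '
        { np = split($1, p, ":"); split($2, a, ":")
          for (i = 1; i <= np; i++)
              if (p[i] != "*" && tolower(p[i]) != tolower(a[i])) exit 1 }'
}

# lint_dhcp_host_patterns FILE: report dhcp-host lines whose leading field is
# not a well-formed pattern, or whose octet count is not 6 and so can never
# match an Ethernet client (accepted by dnsmasq, but almost certainly a typo)
lint_dhcp_host_patterns() {
    grep '^dhcp-host=' "$1" | while IFS= read -r line; do
        pat=${line#dhcp-host=}
        pat=${pat%%,*}
        if ! hwaddr_pattern_ok "$pat"; then
            printf 'malformed: %s\n' "$line"
        elif [ "$(octet_count "$pat")" != 6 ]; then
            printf 'non-ethernet length (%s octets): %s\n' \
                   "$(octet_count "$pat")" "$line"
        fi
    done
}
```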
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Sep 18 14:18:01 2008
Subject: [Dnsmasq-discuss] multiple host names?
In-Reply-To: <000e01c918d0$1b0757a0$d101a8c0@webtekllc.com>
References: <006a01c918c2$601af030$d101a8c0@webtekllc.com> <48D10A18.40200@redhat.com> <000e01c918d0$1b0757a0$d101a8c0@webtekllc.com>
Message-ID: <48D254D6.2000605@thekelleys.org.uk>

AJ Weber wrote:
> I should have been more specific. Is there a way to do it in
> conjunction with a dhcp-host line? I do NOT, in fact, give the host
> I'm referring to a consistent address.
>

No, there isn't. The closest you can get is to give the host a fixed IP address, associate the fixed address with the MAC using a dhcp-host line and then associate many names with the IP address in /etc/hosts.

Cheers,

Simon.

From aweber at comcast.net Thu Sep 18 14:31:57 2008
From: aweber at comcast.net (AJ Weber)
Date: Thu Sep 18 14:34:52 2008
Subject: [Dnsmasq-discuss] multiple host names?
References: <006a01c918c2$601af030$d101a8c0@webtekllc.com> <48D10A18.40200@redhat.com> <000e01c918d0$1b0757a0$d101a8c0@webtekllc.com> <48D254D6.2000605@thekelleys.org.uk>
Message-ID: <001d01c91992$f3721770$d101a8c0@webtekllc.com>

Can we make it a low-priority FR? Would seem straight DNS can effectively do it, as can an /etc/hosts file. Some kind of "alias" feature for hosts?

-AJ

----- Original Message -----
From: Simon Kelley
To: AJ Weber
Cc: dnsmasq-discuss@thekelleys.org.uk
Sent: Thursday, September 18, 2008 9:17 AM
Subject: Re: [Dnsmasq-discuss] multiple host names?

AJ Weber wrote:
> I should have been more specific. Is there a way to do it in
> conjunction with a dhcp-host line? I do NOT, in fact, give the host
> I'm referring to a consistent address.
>

No, there isn't. The closest you can get is to give the host a fixed IP address, associate the fixed address with the MAC using a dhcp-host line and then associate many names with the IP address in /etc/hosts.

Cheers,

Simon.

From dnsmasq.list at michaelrack.de Thu Sep 18 17:06:55 2008
From: dnsmasq.list at michaelrack.de (Michael Rack)
Date: Thu Sep 18 17:07:44 2008
Subject: [Dnsmasq-discuss] Question to dhcp-lease-format in conjunction with dhcp-script
Message-ID: <48D27C9F.90409@michaelrack.de>

Hi,

I have a question about the dnsmasq dhcp-lease-format in conjunction with dhcp-script. I have some devices with no hostname. When dnsmasq is calling my dhcp-script with the init parameter, in what format do these hosts have to be exported? Currently I create output on stdout that looks as follows:

> 1221753155 00:1f:3f:53:a2:38 81.95.xxx.117 01:00:1f:3f:53:a2:38
> 1221753001 00:17:31:83:0a:a2 81.95.xxx.119 01:00:17:31:83:0a:a2
> 1221753063 00:1d:73:18:18:ca 81.95.xxx.124 01:00:1d:73:18:18:ca
> 1221753205 00:04:0e:df:0f:dd 81.95.xxx.125 datapipe 01:00:04:0e:df:0f:dd
> 1221753257 00:1d:73:05:81:7c 81.95.xxx.22 AP001D7305817C 01:00:1d:73:05:81:7c
> 1221753006 00:13:49:63:55:fd 81.95.xxx.25 01:00:13:49:63:55:fd
> 1221753059 00:16:01:f4:e8:59 81.95.xxx.41 buffalo-router 01:00:16:01:f4:e8:59
> 1221753166 00:1f:3a:b5:bf:c3 81.95.xxx.87 01:00:1f:3a:b5:bf:c3

Is this correct, or how should these rows be exported?

And another question:
* What is the fifth part of the dhcp-lease-format?
* Why is the MAC-Address prefixed with 01: ?

Thanks,
Michael.

From dnsmasq.list at michaelrack.de Thu Sep 18 17:50:51 2008
From: dnsmasq.list at michaelrack.de (Michael Rack)
Date: Thu Sep 18 17:51:39 2008
Subject: [Dnsmasq-discuss] missing 00: on the leading of the mac-address in dhcp-script program
Message-ID: <48D286EB.5060908@michaelrack.de>

Hi List,

it's me again. I have a very confusing issue. I use dhcp-script with leasefile-ro to manage all leases with my own script. After dnsmasq invokes my dhcp-script with init, it invokes my script to commit some changes with an "old" message. The very bad issue is the missing 00: at the start of the mac-address!

My ARGV tracking of the invocations of my dhcp-script:

> /usr/sbin/store-dhcp-lease init
> /usr/sbin/store-dhcp-lease old 16:01:f4:e8:59 81.95.xxx.41 buffalo-router
> /usr/sbin/store-dhcp-lease old 16:01:f4:e8:59 81.95.xxx.41 buffalo-router
> /usr/sbin/store-dhcp-lease old 04:0e:df:0f:dd 81.95.xxx.125 datapipe
> /usr/sbin/store-dhcp-lease old 1d:73:18:18:ca 81.95.xxx.124
> /usr/sbin/store-dhcp-lease old 17:31:83:0a:a2 81.95.xxx.119

Why does dnsmasq forget to send the leading 00: ?

My configuration looks as follows:

> dhcp-authoritative
> dhcp-leasefile=/var/state/dnsmasq/dhcp.lease
> dhcp-script=/usr/sbin/store-dhcp-lease
> dhcp-hostsfile=/etc/dnsmasq.dhcp-hosts
> leasefile-ro
> log-dhcp
>
> dhcp-ignore-names
>
> # Time-Server
> dhcp-option=option:ntp-server,141.40.103.103,81.169.141.30
>
> # DNS Server
> dhcp-option=option:dns-server,81.95.xxx.1
>
> # Maximal Leases
> dhcp-lease-max=255

Thanks in advance,
Michael Rack.

From mysql.jorge at decimal.pt Thu Sep 18 20:34:09 2008
From: mysql.jorge at decimal.pt (Jorge Bastos)
Date: Thu Sep 18 20:34:58 2008
Subject: [Dnsmasq-discuss] Feature Request?
In-Reply-To: <48D24C5B.10307@thekelleys.org.uk>
References: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> <48CE84AE.5040703@bod.org> <00cc01c91752$ad5bc700$08135500$@jorge@decimal.pt> <016201c917fc$bbf6a230$33e3e690$@jorge@decimal.pt> <48D107EE.5020900@thekelleys.org.uk> <000601c918f7$e6600150$b32003f0$@jorge@decimal.pt> <48D24C5B.10307@thekelleys.org.uk>
Message-ID: <005001c919c5$85b20d20$91162760$@jorge@decimal.pt>

I see. I'm going to forget this :P

Thanks Simon

> -----Original Message-----
> From: Simon Kelley [mailto:simon@thekelleys.org.uk]
> Sent: Thursday, 18 September 2008 13:41
> To: Jorge Bastos
> Subject: Re: [Dnsmasq-discuss] Feature Request?
>
> Jorge Bastos wrote:
> > Well what I had in mind is when a non-existent dns name is requested.
> >
> > From what you said, forgive me if I interpreted it wrong, dnsmasq is
> > already able to detect that and reply with a customized value?
> > Am I correct? If so can you post an example for the config?
>
> No, that's not correct. My posting wasn't clear. You can't configure an
> address to be returned when an upstream server returns NXDOMAIN. I've
> resisted attempts to do this before, as there are downsides to doing it.
> It's exactly what Verisign did a few years back, and caused a storm. See
> http://www.imperialviolet.org/dnsfix.html for a discussion.
>
> Indeed, dnsmasq has an option (bogus-nxdomain) to reverse the effect.
>
> Simon.
>

From bcook at poughkeepsieschools.org Fri Sep 19 15:41:15 2008
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Fri Sep 19 15:42:09 2008
Subject: [Dnsmasq-discuss] Vendor class not appearing..
Message-ID:

Hello all,

Other than log-dhcp what makes the entry 'Vendor class: ' appear in the logs?

I am on test4 and I even tried test7.. I don't think that is it.

I have one machine (core) that Vendor class shows up in the logs and another machine (ismiasm) that it does not..

Not sure what I am missing..

From bod at bod.org Fri Sep 19 16:57:14 2008
From: bod at bod.org (Paul Chambers)
Date: Fri Sep 19 16:58:04 2008
Subject: [Dnsmasq-discuss] Feature Request?
In-Reply-To: <005001c919c5$85b20d20$91162760$@jorge@decimal.pt>
References: <000901c91730$9d3c65e0$d7b531a0$@jorge@decimal.pt> <48CE84AE.5040703@bod.org> <00cc01c91752$ad5bc700$08135500$@jorge@decimal.pt> <016201c917fc$bbf6a230$33e3e690$@jorge@decimal.pt> <48D107EE.5020900@thekelleys.org.uk> <000601c918f7$e6600150$b32003f0$@jorge@decimal.pt> <48D24C5B.10307@thekelleys.org.uk> <005001c919c5$85b20d20$91162760$@jorge@decimal.pt>
Message-ID: <48D3CBDA.90301@bod.org>

From simon at thekelleys.org.uk Fri Sep 19 17:45:29 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Sep 19 17:48:02 2008
Subject: [Dnsmasq-discuss] Question to dhcp-lease-format in conjunction with dhcp-script
In-Reply-To: <48D27C9F.90409@michaelrack.de>
References: <48D27C9F.90409@michaelrack.de>
Message-ID: <48D3D729.2030501@thekelleys.org.uk>

Michael Rack wrote:
> Hi,
>
> I have a question about the dnsmasq dhcp-lease-format in conjunction with
> dhcp-script. I have some devices with no hostname. When dnsmasq is
> calling my dhcp-script with the init parameter, in what format do these
> hosts have to be exported?

Exactly the same format as the hosts file |* |*

> Currently I create output on stdout that looks as follows:
> > 1221753155 00:1f:3f:53:a2:38 81.95.xxx.117 01:00:1f:3f:53:a2:38
> > 1221753001 00:17:31:83:0a:a2 81.95.xxx.119 01:00:17:31:83:0a:a2
> > 1221753063 00:1d:73:18:18:ca 81.95.xxx.124 01:00:1d:73:18:18:ca
> > 1221753205 00:04:0e:df:0f:dd 81.95.xxx.125 datapipe 01:00:04:0e:df:0f:dd
> > 1221753257 00:1d:73:05:81:7c 81.95.xxx.22 AP001D7305817C 01:00:1d:73:05:81:7c
> > 1221753006 00:13:49:63:55:fd 81.95.xxx.25 01:00:13:49:63:55:fd
> > 1221753059 00:16:01:f4:e8:59 81.95.xxx.41 buffalo-router 01:00:16:01:f4:e8:59
> > 1221753166 00:1f:3a:b5:bf:c3 81.95.xxx.87 01:00:1f:3a:b5:bf:c3
> Is this correct, or how should these rows be exported?

No, you need to have a * instead of the hostname when it's not present.

> And another question:
> * What is the fifth part of the dhcp-lease-format?

Client-identifier.

> * Why is the MAC-Address prefixed with 01: ?

Because that's what many DHCP clients use as the client identifier (the 01 means "ethernet"). Not all do that though, so don't rely on it.

If you look in contrib/wrt/lease_update.sh in the dnsmasq tarball, it has exactly the right shell code to turn the arguments to the lease-change script into the correct format.

> Why does dnsmasq forget to send the leading 00: ?
I've not seen that before, are you sure it's not a problem with your script, maybe you are mangling the lease database somehow: "old" events are generated for existing leases that will have been through your code and fed back to dnsmasq with an "init" call.

Cheers,

Simon.

> Thanks,
> Michael.
>

From simon at thekelleys.org.uk Fri Sep 19 17:50:55 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Sep 19 17:53:26 2008
Subject: [Dnsmasq-discuss] Vendor class not appearing..
In-Reply-To:
References:
Message-ID: <48D3D86F.1050209@thekelleys.org.uk>

B. Cook wrote:
> Hello all,
>
> Other than log-dhcp what makes the entry 'Vendor class: ' appear in
> the logs?
>
> I am on test4 and I even tried test7.. I don't think that is it.
>
> I have one machine (core) that Vendor class shows up in the logs and
> another machine (ismiasm) that it does not..
>
> Not sure what I am missing..
>

Neither am I, as far as I can see, the message only ever gets logged when --log-dhcp is set:

  if (daemon->options & OPT_LOG_OPTS)
    {
      if (sanitise(option_find(mess, sz, OPTION_VENDOR_ID, 1), daemon->namebuff))
        my_syslog(LOG_INFO, _("Vendor class: %s"), daemon->namebuff);
      if (sanitise(option_find(mess, sz, OPTION_USER_CLASS, 1), daemon->namebuff))
        my_syslog(LOG_INFO, _("User class: %s"), daemon->namebuff);
    }

Cheers,

Simon.

From simon at thekelleys.org.uk Fri Sep 19 18:14:45 2008
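An added example for the two dhcp-script threads above (the lease format expected on "init", and the "missing 00:" report): a minimal lease-change script written for this page, not dnsmasq's own contrib/wrt/lease_update.sh. It keeps a private lease store, always writes five fields with "*" for a missing hostname or client-id as Simon's reply requires, replaces leases by MAC so an "old" event round-trips unchanged, and warns when a "01:"-style client-id does not agree with the MAC argument, which is exactly the symptom in Michael's ARGV trace. It assumes dnsmasq exports DNSMASQ_LEASE_EXPIRES and DNSMASQ_CLIENT_ID in the script's environment and that /var/state/dnsmasq/script-leases is writable; the addresses in the test are constructed.

```shell
#!/bin/sh
# Added example for this page, not dnsmasq's contrib/wrt/lease_update.sh.
# A minimal dhcp-script for use with leasefile-ro. dnsmasq runs it as
#   script init                        -> print the whole lease database
#   script add|old|del MAC IP [HOST]   -> record or drop one lease
# Assumptions: dnsmasq sets DNSMASQ_LEASE_EXPIRES and DNSMASQ_CLIENT_ID in
# the environment of add/old/del calls; LEASE_STORE is a private file path.

LEASE_STORE="${LEASE_STORE:-/var/state/dnsmasq/script-leases}"

# lease_line EXPIRY MAC IP HOSTNAME CLIENTID
# One line in the dnsmasq lease-file format: five fields, always present.
# A missing hostname or client-id is written as "*"; emitting only four
# fields would shift the client-id into the hostname column when dnsmasq
# reads the database back on "init".
lease_line() {
    expiry=${1:-0}; mac=$2; ip=$3; host=$4; cid=$5
    [ -n "$host" ] || host='*'
    [ -n "$cid" ] || cid='*'
    printf '%s %s %s %s %s\n' "$expiry" "$mac" "$ip" "$host" "$cid"
}

# valid_hwaddr MAC: 0 if MAC is non-empty and made only of hex octets and ':'
# (the octet count is not checked: Simon notes 8-byte Firewire addresses
# are legal and chaddr holds up to 16 bytes)
valid_hwaddr() {
    case $1 in
        '' | *[!0-9a-fA-F:]* | :* | *: | *::*) return 1 ;;
    esac
    return 0
}

# client_id_mismatch MAC CLIENTID: 0 when CLIENTID has the common "01:<mac>"
# form but <mac> differs from MAC. Only worth a warning: not every client
# uses that convention, so it cannot be treated as an error.
client_id_mismatch() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $2 in
        01:*) [ "$(printf '%s' "${2#01:}" | tr 'A-F' 'a-f')" != "$mac" ] ;;
        *) return 1 ;;
    esac
}

# upsert_lease FILE MAC LINE: drop any existing lease for MAC, append LINE.
upsert_lease() {
    file=$1; mac=$2; line=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v m="$mac" '$2 != m' "$file" > "$tmp"   # field 2 is the MAC
    printf '%s\n' "$line" >> "$tmp"
    mv "$tmp" "$file"
}

# remove_lease FILE MAC
remove_lease() {
    file=$1; mac=$2
    [ -f "$file" ] || return 0
    tmp="$file.tmp.$$"
    awk -v m="$mac" '$2 != m' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# dump_leases FILE: exactly what "init" must write to stdout
dump_leases() {
    [ -f "$1" ] && cat "$1"
    return 0
}

main() {
    action=$1; shift
    case $action in
        init)
            dump_leases "$LEASE_STORE" ;;
        add|old)
            if ! valid_hwaddr "$1"; then
                echo "store-dhcp-lease: refusing malformed MAC '$1'" >&2
                return 1
            fi
            cid=${DNSMASQ_CLIENT_ID:-}
            if client_id_mismatch "$1" "$cid"; then
                echo "store-dhcp-lease: MAC $1 disagrees with client-id $cid" >&2
            fi
            line=$(lease_line "${DNSMASQ_LEASE_EXPIRES:-0}" "$1" "$2" \
                              "${3:-}" "$cid")
            upsert_lease "$LEASE_STORE" "$1" "$line" ;;
        del)
            remove_lease "$LEASE_STORE" "$1" ;;
        *)
            echo "store-dhcp-lease: unknown action '$action'" >&2
            return 1 ;;
    esac
}

# Dispatch only when invoked by dnsmasq with an action argument.
if [ $# -gt 0 ]; then
    main "$@"
fi
```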
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Sep 19 18:17:20 2008
Subject: [Dnsmasq-discuss] multiple host names?
In-Reply-To: <001d01c91992$f3721770$d101a8c0@webtekllc.com>
References: <006a01c918c2$601af030$d101a8c0@webtekllc.com> <48D10A18.40200@redhat.com> <000e01c918d0$1b0757a0$d101a8c0@webtekllc.com> <48D254D6.2000605@thekelleys.org.uk> <001d01c91992$f3721770$d101a8c0@webtekllc.com>
Message-ID: <48D3DE05.4020302@thekelleys.org.uk>

AJ Weber wrote:
> Can we make it a low-priority FR? Would seem straight DNS can
> effectively do it, as can an /etc/hosts file. Some kind of "alias"
> feature for hosts?

Sure can; it's not as straightforward as you might think to define the semantics: what happens if one host is abe, bert and carl, then another host comes along and claims to be abe? Does the first one get to keep bert and carl? Which name is used for reverse lookups?

Making a second class "alias" name might be the simplest.

Cheers,

Simon.

> -AJ
>
> ----- Original Message -----
> From: Simon Kelley
> To: AJ Weber
> Cc: dnsmasq-discuss@thekelleys.org.uk
> Sent: Thursday, September 18, 2008 9:17 AM
> Subject: Re: [Dnsmasq-discuss] multiple host names?
>
> AJ Weber wrote:
> > I should have been more specific. Is there a way to do it in
> > conjunction with a dhcp-host line? I do NOT, in fact, give the host
> > I'm referring to a consistent address.
> >
> No, there isn't. The closest you can get is to give the host a fixed IP
> address, associate the fixed address with the MAC using a dhcp-host line
> and then associate many names with the IP address in /etc/hosts.
>
> Cheers,
>
> Simon.

From agcme at hotmail.com Tue Sep 23 20:45:24 2008
From: agcme at hotmail.com (A C)
Date: Tue Sep 23 20:46:19 2008
Subject: [Dnsmasq-discuss] Override DNS servers in DHCP packet
In-Reply-To:
References:
Message-ID:

Does dnsmasq use the DNS servers listed in /etc/resolv.conf over those listed in a DHCP packet? I was forced to use DHCP for my public connection but I don't want to use the provided DNS servers as they are slower than the ones I had manually configured.

From chekh at pcbi.upenn.edu Tue Sep 23 23:02:13 2008
From: chekh at pcbi.upenn.edu (Alex Chekholko)
Date: Tue Sep 23 23:03:20 2008
Subject: [Dnsmasq-discuss] Override DNS servers in DHCP packet
In-Reply-To:
References:
Message-ID: <20080923180213.6ff00b0c.chekh@pcbi.upenn.edu>

On Tue, 23 Sep 2008 15:45:24 -0400
A C wrote:

> Does dnsmasq use the DNS servers listed in /etc/resolv.conf over those listed in a DHCP packet? I was forced to use DHCP for my public connection but I don't want to use the provided DNS servers as they are slower than the ones I had manually configured.

I think typically the DHCP client would write /etc/resolv.conf with the information it is provided by the DHCP server. Then dnsmasq looks there, unless you configure it otherwise.

If you're talking about serving up different DNS servers via dnsmasq's built-in DHCP server, then take a look at: dnsmasq --help dhcp

I have a line like this in my dnsmasq.conf:

dhcp-option=6,10.10.70.5,10.10.70.7

Regards,
Alex

From agcme at hotmail.com Wed Sep 24 01:51:39 2008
From: agcme at hotmail.com (A C)
Date: Wed Sep 24 02:04:47 2008
Subject: [Dnsmasq-discuss] Override DNS servers in DHCP packet
In-Reply-To: <20080923180213.6ff00b0c.chekh@pcbi.upenn.edu>
References: <20080923180213.6ff00b0c.chekh@pcbi.upenn.edu>
Message-ID:

> Date: Tue, 23 Sep 2008 18:02:13 -0400
> From: chekh@pcbi.upenn.edu
> To: agcme@hotmail.com
> CC: dnsmasq-discuss@thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Override DNS servers in DHCP packet
>
> On Tue, 23 Sep 2008 15:45:24 -0400
> A C wrote:
>
> > Does dnsmasq use the DNS servers listed in /etc/resolv.conf over those listed in a DHCP packet? I was forced to use DHCP for my public connection but I don't want to use the provided DNS servers as they are slower than the ones I had manually configured.
>
> I think typically the DHCP client would write /etc/resolv.conf with the
> information it is provided by the DHCP server. Then dnsmasq looks
> there, unless you configure it otherwise.
>
> If you're talking about serving up different DNS servers via dnsmasq's
> built-in DHCP server, then take a look at: dnsmasq --help dhcp
>

I was indeed talking about the first situation and not serving up alternate DNS servers. As it turns out, my installation is using udhcpd and writing the data to /tmp/resolv.conf while dnsmasq is still looking at /etc/resolv.conf. Since I don't have any directives to look at any other resolv.conf that I can see, I think it's safe to assume that dnsmasq is honoring my own /etc/resolv.conf and ignoring the DHCP packet.

From gray at agora-net.com Wed Sep 24 14:31:20 2008
From: gray at agora-net.com (John Gray)
Date: Wed Sep 24 14:32:39 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
Message-ID: <48DA4128.2070106@agora-net.com>

I'd really like to see an option that'll allow static addresses to work on multiple interfaces without mucking with the machine to fiddle with their client id.

On a large network, fiddling with machines instead of tweaking the dhcp server doesn't seem like the way to do it.

I realize this sort of violates the protocol. I was thinking just an option, that's off by default, that allows multiple definitions for the same IP. If a request comes in for a static, we honor the request, and probably remove the old leases (I realize the old client won't necessarily know this). The option should probably have a big warning on it.

ISC allows this. I can't tell you exactly how they implement it (I suspect they simply give out two leases).

I work on one network where this behavior is a requirement.

Thanks,
John

From simon at thekelleys.org.uk Thu Sep 25 12:02:30 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Sep 25 12:03:21 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DA4128.2070106@agora-net.com>
References: <48DA4128.2070106@agora-net.com>
Message-ID: <48DB6FC6.5090405@thekelleys.org.uk>

John Gray wrote:
> I'd really like to see an option that'll allow static addresses to work
> on multiple interfaces without mucking with the machine to fiddle with
> their client id.
>
> On a large network, fiddling with machines instead of tweaking the dhcp
> server doesn't seem like the way to do it.
>
> I realize this sort of violates the protocol. I was thinking just an
> option, that's off by default, that allows multiple definitions for
> the same IP. If a request comes in for a static, we honor the request,
> and probably remove the old leases (I realize the old client won't
> necessarily know this). The option should probably have a big warning on it.
>
> ISC allows this. I can't tell you exactly how they implement it (I
> suspect they simply give out two leases).
>
> I work on one network where this behavior is a requirement.
>
> Thanks,
> John
>

How about this as a solution?

Allow more than one MAC address in a dhcp-host statement, so that it's possible to specify all the possible MAC addresses that an IP can be assigned to.

If a MAC address asks for an IP address which is already in use, and the IP address is leased to one of the other MAC addresses specified, allow take-over.

This has the advantage that it doesn't change the behaviour of any currently-legal configuration, and it makes the intention of newly-possible configurations explicit.

dhcp-host=1.2.3.4,,

Implementing this should be fairly straightforward.

Cheers,

Simon.

From gray at agora-net.com Thu Sep 25 13:23:58 2008
From: gray at agora-net.com (John Gray)
Date: Thu Sep 25 13:27:17 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DB6FC6.5090405@thekelleys.org.uk>
References: <48DA4128.2070106@agora-net.com> <48DB6FC6.5090405@thekelleys.org.uk>
Message-ID: <48DB82DE.3000303@agora-net.com>

Simon Kelley wrote:
>
> How about this as a solution?
>
> Allow more than one MAC address in a dhcp-host statement, so that it's
> possible to specify all the possible MAC addresses that an IP can be
> assigned to.
>
> If a MAC address asks for an IP address which is already in use, and the
> IP address is leased to one of the other MAC addresses specified, allow
> take-over.
>
> This has the advantage that it doesn't change the behaviour of any
> currently-legal configuration, and it makes the intention of
> newly-possible configurations explicit.
>
> dhcp-host=1.2.3.4,,
>
> Implementing this should be fairly straightforward.
>
> Cheers,
>
> Simon.
>

Hi Simon,

That sounds like a good plan, but I've been using the /etc/ethers file to define my static addresses. I'd really like to have support to be able to specify multiples in there.

I looked around the code a bit. And it didn't look like it would be too hard to swing that either.

John

--
John Gray                        gray@agora-net.com
AgoraNet, Inc.                   (302) 224-2475
314 E. Main Street, Suite 1      (302) 224-2552 (fax)
Newark, De 19711                 http://www.agora-net.com

From simon at thekelleys.org.uk Thu Sep 25 16:58:45 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Sep 25 16:59:29 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DB82DE.3000303@agora-net.com>
References: <48DA4128.2070106@agora-net.com> <48DB6FC6.5090405@thekelleys.org.uk> <48DB82DE.3000303@agora-net.com>
Message-ID: <48DBB535.8070902@thekelleys.org.uk>

John Gray wrote:
>
> Hi Simon,
>
> That sounds like a good plan, but I've been using the /etc/ethers file
> to define my static addresses. I'd really like to have support to be
> able to specify multiples in there.
>
> I looked around the code a bit. And it didn't look like it would be too
> hard to swing that either.
>

Code-wise, it wouldn't, but the syntax and semantics of /etc/ethers are not defined by dnsmasq; it's a system file that's potentially used by other tools and I'm not at liberty to extend the format.

It's very easy to move your host declarations into a dnsmasq-only configuration file, see dhcp-hostsfile in the dnsmasq man page.

Cheers,

Simon.

> John
>

From gray at agora-net.com Thu Sep 25 17:40:24 2008
From: gray at agora-net.com (John Gray)
Date: Thu Sep 25 17:42:21 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DBB535.8070902@thekelleys.org.uk>
References: <48DA4128.2070106@agora-net.com> <48DB6FC6.5090405@thekelleys.org.uk> <48DB82DE.3000303@agora-net.com> <48DBB535.8070902@thekelleys.org.uk>
Message-ID: <48DBBEF8.4080409@agora-net.com>

Simon Kelley wrote:
> Code-wise, it wouldn't, but the syntax and semantics of /etc/ethers are
> not defined by dnsmasq; it's a system file that's potentially used by
> other tools and I'm not at liberty to extend the format.
>
> It's very easy to move your host declarations into a dnsmasq-only
> configuration file, see dhcp-hostsfile in the dnsmasq man page.
>

Yes, I understand we can't change the format of /etc/ethers, but we could superimpose rules on the existing format. Namely that you must define multiple interfaces on adjacent lines if you want them to share the IP.

John

From simon at thekelleys.org.uk Thu Sep 25 18:26:37 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu Sep 25 18:29:04 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DBBEF8.4080409@agora-net.com>
References: <48DA4128.2070106@agora-net.com> <48DB6FC6.5090405@thekelleys.org.uk> <48DB82DE.3000303@agora-net.com> <48DBB535.8070902@thekelleys.org.uk> <48DBBEF8.4080409@agora-net.com>
Message-ID: <48DBC9CD.5090800@thekelleys.org.uk>

John Gray wrote:
> Simon Kelley wrote:
>
> > Code-wise, it wouldn't, but the syntax and semantics of /etc/ethers are
> > not defined by dnsmasq; it's a system file that's potentially used by
> > other tools and I'm not at liberty to extend the format.
> >
> > It's very easy to move your host declarations into a dnsmasq-only
> > configuration file, see dhcp-hostsfile in the dnsmasq man page.
> >
>
> Yes, I understand we can't change the format of /etc/ethers, but we could
> superimpose rules on the existing format. Namely that you must define
> multiple interfaces on adjacent lines if you want them to share the IP.

Since this is invoking somewhat dangerous behaviour, I want to make it explicit, and only have one configuration statement, rather than automagically combining two and then doing dangerous things. Hence

dhcp-host=1.2.3.4,,

To keep the host definitions in their own file, add

dhcp-hostsfile=

to /etc/dnsmasq.conf and put

1.2.3.4,,
2.3.4.5,,

in . Different syntax, same data. It gets reloaded on SIGHUP, just like /etc/ethers.

A first stab at this is in

http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.46test12.tar.gz

if you'd like to try it out. I've not updated the man page yet.

Cheers,

Simon.

> John
>

From gray at agora-net.com Thu Sep 25 18:37:01 2008
From: gray at agora-net.com (John Gray)
Date: Thu Sep 25 18:38:49 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DBC9CD.5090800@thekelleys.org.uk>
References: <48DA4128.2070106@agora-net.com> <48DB6FC6.5090405@thekelleys.org.uk> <48DB82DE.3000303@agora-net.com> <48DBB535.8070902@thekelleys.org.uk> <48DBBEF8.4080409@agora-net.com> <48DBC9CD.5090800@thekelleys.org.uk>
Message-ID: <48DBCC3D.8040601@agora-net.com>

Simon Kelley wrote:
>
> Since this is invoking somewhat dangerous behaviour, I want to make it
> explicit, and only have one configuration statement, rather than
> automagically combining two and then doing dangerous things. Hence
>
> dhcp-host=1.2.3.4,,
>
> To keep the host definitions in their own file, add
>
> dhcp-hostsfile=
>
> to /etc/dnsmasq.conf and put
>
> 1.2.3.4,,
> 2.3.4.5,,
>
> in . Different syntax, same data. It gets reloaded on SIGHUP,
> just like /etc/ethers.
>
> A first stab at this is in
>
> http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.46test12.tar.gz
>
> if you'd like to try it out. I've not updated the man page yet.
>
> Cheers,
>
> Simon.
>

Hi Simon,

That's excellent. The only reason I want to use /etc/ethers was so it would be easy to parse for some 3rd party tools for adding/removing hosts. And with separating dhcp-host definitions into a separate file, that'll work just as well.

I really appreciate your willingness to work with this.

I will try your attached version when I get a little free time.

John

From brett.warden at gmail.com Fri Sep 26 00:27:20 2008
From: brett.warden at gmail.com (Brett Warden)
Date: Fri Sep 26 00:28:14 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DBC9CD.5090800@thekelleys.org.uk>
References: <48DA4128.2070106@agora-net.com> <48DB6FC6.5090405@thekelleys.org.uk> <48DB82DE.3000303@agora-net.com> <48DBB535.8070902@thekelleys.org.uk> <48DBBEF8.4080409@agora-net.com> <48DBC9CD.5090800@thekelleys.org.uk>
Message-ID:

On Thu, Sep 25, 2008 at 10:26 AM, Simon Kelley wrote:
>
> dhcp-host=1.2.3.4,,
>
> To keep the host definitions in their own file, add
>
> dhcp-hostsfile=
>
> to /etc/dnsmasq.conf and put
>
> 1.2.3.4,,
> 2.3.4.5,,
>
> in . Different syntax, same data. It gets reloaded on SIGHUP, just
> like /etc/ethers.
>

I just wanted to add that I think this is an excellent approach, and I'm looking forward to trying it out myself when I get the chance.

--
Brett Warden

From jackie.networking at gmail.com Fri Sep 26 04:03:35 2008
From: jackie.networking at gmail.com (Jackie Xie)
Date: Fri Sep 26 04:04:26 2008
Subject: [Dnsmasq-discuss] about avoid circular CNAME references.
Message-ID:

Hi,

How do I know whether dnsmasq-1.18 supports "avoid circular CNAME references" or not?

Thanks a lot.

BR,
Jackie

From simon at thekelleys.org.uk Fri Sep 26 19:58:41 2008
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri Sep 26 20:01:10 2008
Subject: [Dnsmasq-discuss] The same address on multiple interface issue (yet again)...
In-Reply-To: <48DBCC3D.8040601@agora-net.com>
References: <48DA4128.2070106@agora-net.com> <48DB6FC6.5090405@thekelleys.org.uk> <48DB82DE.3000303@agora-net.com> <48DBB535.8070902@thekelleys.org.uk> <48DBBEF8.4080409@agora-net.com> <48DBC9CD.5090800@thekelleys.org.uk> <48DBCC3D.8040601@agora-net.com>
Message-ID: <48DD30E1.3020308@thekelleys.org.uk>

John Gray wrote:
> Simon Kelley wrote:
>
> > Since this is invoking somewhat dangerous behaviour, I want to make it
> > explicit, and only have one configuration statement, rather than
> > automagically combining two and then doing dangerous things. Hence
> >
> > dhcp-host=1.2.3.4,,
> >
> > To keep the host definitions in their own file, add
> >
> > dhcp-hostsfile=
> >
> > to /etc/dnsmasq.conf and put
> >
> > 1.2.3.4,,
> > 2.3.4.5,,
> >
> > in . Different syntax, same data. It gets reloaded on SIGHUP,
> > just like /etc/ethers.
> >
> > A first stab at this is in
> >
> > http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.46test12.tar.gz
> >
> > if you'd like to try it out. I've not updated the man page yet.
> >
> > Cheers,
> >
> > Simon.
> >
>
> Hi Simon,
>
> That's excellent. The only reason I want to use /etc/ethers was so it
> would be easy to parse for some 3rd party tools for adding/removing
> hosts. And with separating dhcp-host definitions into a separate file,
> that'll work just as well.
>
> I really appreciate your willingness to work with this.
>
> I will try your attached version when I get a little free time.
>
> John
>

Cool, I've released 2.46test13, in the same place, which updates the man page and subtly alters the way the lease database changes when a lease is abandoned. Please try that in preference to test12.

Cheers,

Simon.