[Dnsmasq-discuss] TTL override for clients?

Fredrik Ringertz Fredrik_Ringertz at livewire-connections.com
Thu Apr 22 12:52:18 BST 2010


Hi Simon,

Thank you very much! I think I got it working now. Both GETLONG and PUTLONG increment the pointer by 4 bytes, don't they? So after retrieving the ttl into attl I will need to get the pointer to point back to the previous address so that I can overwrite it?

This is what I basically ended up doing:

GETLONG(attl, p1);      /* read the TTL; GETLONG advances p1 by NS_INT32SZ (4 bytes) */
p1 -= NS_INT32SZ;       /* step back to the start of the TTL field */
PUTLONG(123456, p1);    /* overwrite it; PUTLONG advances p1 past the field again */

(I got the NS_INT32SZ from the /usr/include/nameser.h (rather than hard coding the value 4) which the GETLONG function uses. I thought this would be more universal across different platforms/systems?).


Now I think I just need to also add the following features:
* Add a command line/configuration option to specify the TTL
* Add a check for is_sign to make sure it only modifies packets which aren't signed
* Only use the modified TTL value if the original TTL is higher than our configured maximum ttl (123456 in the example above)
* Still need to solve CNAME lookups as well as they still return the original ttl


Best Regards

Fredrik
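The TTL rewrite sketched in this thread, carried through as an added example in C. This is not dnsmasq code and not Fredrik's patch: it walks the answer, authority and additional sections of a constructed response (so CNAME records are capped as well), uses the NS_GET32/NS_PUT32 macros from <arpa/nameser.h> (the macros that GETLONG/PUTLONG alias in nameser_compat.h) with the same step-back before overwriting, caps only TTLs above the configured maximum, and leaves a packet alone when a TSIG or SIG record is present. That last test is a simplified stand-in for dnsmasq's is_sign check, not its actual logic. The packet bytes, the 192.0.2.1 address and the empty TSIG-shaped record are constructed for the example, and the function names are mine.

```c
/* Added example, not dnsmasq code: cap every RR TTL in a DNS response. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/nameser.h>  /* NS_GET32/NS_PUT32 (aka GETLONG/PUTLONG), NS_INT32SZ, ns_t_* */

/* Skip an owner name, honouring RFC 1035 compression pointers; NULL if it runs off the end. */
static unsigned char *skip_name(unsigned char *p, const unsigned char *end)
{
    while (p < end) {
        unsigned len = *p;
        if (len == 0) return p + 1;
        if ((len & 0xC0) == 0xC0) return (end - p >= 2) ? p + 2 : NULL;  /* compression pointer */
        if (len > 63) return NULL;
        p += 1 + len;
    }
    return NULL;
}

/* Walk every RR after the question section.  Stores the TTLs in out[] (up to
 * nout) and, when cap != 0, rewrites any TTL above cap in place.  Returns the
 * number of TTLs rewritten, or -1 if the packet is malformed; *has_sig is set
 * when a TSIG or SIG record is present. */
static int walk_rrs(unsigned char *pkt, size_t len, uint32_t cap,
                    uint32_t *out, int nout, int *has_sig)
{
    const unsigned char *end = pkt + len;
    unsigned char *p = pkt + NS_HFIXEDSZ;
    unsigned qd, rrs;
    int n = 0, changed = 0;

    *has_sig = 0;
    if (len < NS_HFIXEDSZ) return -1;
    qd  = (pkt[4] << 8) | pkt[5];                                /* QDCOUNT */
    rrs = ((pkt[6] << 8) | pkt[7]) + ((pkt[8] << 8) | pkt[9])    /* ANCOUNT + NSCOUNT */
        + ((pkt[10] << 8) | pkt[11]);                            /* + ARCOUNT */
    while (qd--) {                              /* question: name, QTYPE, QCLASS */
        if (!(p = skip_name(p, end)) || end - p < NS_QFIXEDSZ) return -1;
        p += NS_QFIXEDSZ;
    }
    while (rrs--) {
        uint16_t type, rdlen;
        uint32_t ttl;
        if (!(p = skip_name(p, end)) || end - p < NS_RRFIXEDSZ) return -1;
        NS_GET16(type, p);
        p += NS_INT16SZ;                        /* CLASS */
        NS_GET32(ttl, p);                       /* like GETLONG: p now sits past the TTL */
        if (cap && ttl > cap) {
            p -= NS_INT32SZ;                    /* step back over the TTL just read ... */
            NS_PUT32(cap, p);                   /* ... overwrite it; PUTLONG advances p again */
            ttl = cap;
            changed++;
        }
        if (out && n < nout) out[n] = ttl;
        n++;
        NS_GET16(rdlen, p);
        if (end - p < rdlen) return -1;
        if (type == ns_t_tsig || type == ns_t_sig) *has_sig = 1;
        p += rdlen;
    }
    return changed;
}

/* Cap TTLs above max_ttl (0 = read only); out[] receives the TTLs as they stand
 * afterwards.  Returns the number rewritten, 0 when a TSIG/SIG record is
 * present and the packet is left alone (a simplified stand-in for dnsmasq's
 * is_sign check), or -1 if the packet is malformed. */
int cap_ttls(unsigned char *pkt, size_t len, uint32_t max_ttl, uint32_t *out, int nout)
{
    int has_sig;
    if (walk_rrs(pkt, len, 0, out, nout, &has_sig) < 0) return -1;  /* validate, find signature */
    if (has_sig || max_ttl == 0) return 0;
    return walk_rrs(pkt, len, max_ttl, out, nout, &has_sig);
}

/* Constructed sample (not captured traffic): reply to "www.example.com A" with
 * a CNAME (TTL 600000) and an A record (TTL 300).  with_tsig appends an empty
 * TSIG-shaped additional record so the signed-packet path can be exercised. */
size_t build_sample_response(unsigned char *buf, size_t buflen, int with_tsig)
{
    static const unsigned char base[] = {
        0x12, 0x34, 0x81, 0x80, 0, 1, 0, 2, 0, 0, 0, 0,       /* header: QD=1, AN=2 */
        3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
        0, 1, 0, 1,                                           /* QTYPE A, QCLASS IN */
        0xC0, 0x0C, 0, 5, 0, 1, 0x00, 0x09, 0x27, 0xC0, 0, 7, /* <ptr 12> CNAME IN TTL 600000 */
        4, 'h', 'o', 's', 't', 0xC0, 0x10,                    /* host<ptr 16> = host.example.com */
        0xC0, 0x2D, 0, 1, 0, 1, 0x00, 0x00, 0x01, 0x2C, 0, 4, /* <ptr 45> A IN TTL 300 */
        192, 0, 2, 1,                                         /* 192.0.2.1 */
    };
    static const unsigned char tsig[] = { 0, 0, 0xFA, 0, 0xFF, 0, 0, 0, 0, 0, 0 };
    size_t n = sizeof base + (with_tsig ? sizeof tsig : 0);
    if (buflen < n) return 0;
    memcpy(buf, base, sizeof base);
    if (with_tsig) {
        memcpy(buf + sizeof base, tsig, sizeof tsig);
        buf[11] = 1;                                          /* ARCOUNT = 1 */
    }
    return n;
}
```

With the sample above, cap_ttls(pkt, len, 123456, ttl, 4) rewrites only the CNAME's 600000 and leaves the A record's 300 alone; calling it again rewrites nothing, and the variant with the TSIG-shaped record is returned unmodified. The pre-pass with cap 0 matters because a TSIG record sits at the end of the additional section, so a single pass would have already rewritten the earlier TTLs before discovering the signature.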

-----Original Message-----
From: Simon Kelley [mailto:simon at thekelleys.org.uk] 
Sent: 21 April 2010 20:58
To: Fredrik Ringertz
Cc: dnsmasq-discuss at lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] TTL override for clients?

Fredrik Ringertz wrote:
> Hi Simon,
> 
> Thank you for clarifying that! If a packet is signed, is it ever
> cached by dnsmasq? I would assume not because it would contain a
> timestamp of some sort?

Data from the packet could be cached, but no reply from the dnsmasq
cache is ever signed; this is just about allowing signed packets from
upstream.

> 
> I have to admit that I haven't dealt a lot with signatures before in
> DNS, am I correct in thinking they are only used when a client wants
> to initiate a dynamic update? Or can it be used in standard lookups?
> I only have 10-15 or so clients behind my dnsmasq server and none of
> them are in need of anything more than normal record lookups.

It's highly unlikely that you'll see any signed packets, but to do this
right and allow dnsmasq to act as a transparent proxy for any query,
it's necessary to avoid touching signed packets.

Cheers,

Simon.
