[Dnsmasq-discuss] [PATCH] auth-zone to ignore more non-global addresses

Alexander Clouter alex+dnsmasq at digriz.org.uk
Tue Jan 20 20:33:37 GMT 2015


>Two observations:
>
>1) The patch as it stands doesn't just affect authoritative DNS
>answers - it filters those addresses from "ordinary" internal DNS
>requests too.

Boo!

>2) Following from that, there's a good chance that there are dnsmasq
>installations that rely on these addresses (RFC1918 and ULA especially)
>
>So at least, there needs to be a distinction between internal and auth
>requests, and/or some ability to configure this.

I'll try to figure out a fix for that if you think this patch has legs.

>I'm intrigued, why are you assigning "real" addresses to the loopback
>interface.

Most of it comes from whether you think of IP assignments as per-interface or per-host; I tend to roll
with the latter.

When trying to make a decision about where to assign a host IP (which then ends up in DNS, including your PTR
records) it becomes awkward when interfaces come and go.  So where do you put it?

I tend to deal with this problem by treating IP assignments as something a host has, rather than something you assign
to a particular interface.  This is something that network operators tend to do, mainly because you often need IP
addresses that are always present regardless of the state of the interfaces (for example management IPs).

In my particular situation I have an IPv6 /56 (or /48) prefix, which might be dynamic, given to me via DHCPv6-PD.  I
want to slice up the allocation across the possibly multiple LAN interfaces, but I also want an IP assigned to the
router itself to then appear in DNS.  I could mark an interface as the 'primary'/'master' interface, but with
interfaces coming and going I may make the wrong choice...plus my scripts get complicated.  So I prefer the simpler
path of just dumping the IP on the loopback interface and moving on to some other more interesting problem :)

Make sense, vaguely?

Cheers

>On 18/01/15 17:17, Alexander Clouter wrote:
>> This patch makes sure dnsmasq does not put any non-global
>> addresses (loopback, rfc1918, and ULA addresses) into the
>> authoritative zone file, in particular when global addresses are
>> added to the loopback interface.
>>
>> The following configuration shows this behaviour:
>> ----
>> # ip addr show dev lo
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet6 2002:4d4b:6a22:8::/64 scope global
>>        valid_lft forever preferred_lft forever
>>     inet6 2a01:348:45:8::/64 scope global
>>        valid_lft forever preferred_lft forever
>>     inet6 fd2a:7fba:ff04:8::/64 scope global
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>>
>> # dnsmasq .... \
>>     --auth-server=digriz.wormnet.eu,ppp0 \
>>     --server=/digriz.wormnet.eu/ \
>>     --interface-name=digriz.wormnet.eu,lo \
>>     --interface-name=digriz.wormnet.eu,ppp0 \
>>     --auth-zone=digriz.wormnet.eu,lo,ppp0,br0/6 \
>>     --domain=digriz.wormnet.eu,192.168.1.0/24,local
>> ----
>>
>> Without this patch, you see externally:
>> ----
>> alex at marmot:~$ host digriz.wormnet.eu 77.75.106.34
>> Using domain server:
>> Name: 77.75.106.34
>> Address: 77.75.106.34#53
>> Aliases:
>>
>> digriz.wormnet.eu has address 127.0.0.1
>> digriz.wormnet.eu has address 77.75.106.34
>> digriz.wormnet.eu has IPv6 address ::1
>> digriz.wormnet.eu has IPv6 address fd2a:7fba:ff04:8::
>> digriz.wormnet.eu has IPv6 address 2a01:348:45:8::
>> digriz.wormnet.eu has IPv6 address 2002:4d4b:6a22:8::
>> digriz.wormnet.eu has IPv6 address 2a01:348:ad51:1539:6524:39bd:2da6:e349
>> ----
>>
>> With the patch, you see:
>> ----
>> alex at marmot:~$ host digriz.wormnet.eu 77.75.106.34
>> Using domain server:
>> Name: 77.75.106.34
>> Address: 77.75.106.34#53
>> Aliases:
>>
>> digriz.wormnet.eu has address 77.75.106.34
>> digriz.wormnet.eu has IPv6 address 2a01:348:45:8::
>> digriz.wormnet.eu has IPv6 address 2002:4d4b:6a22:8::
>> digriz.wormnet.eu has IPv6 address 2a01:348:ad51:1539:6524:39bd:2da6:e349
>> ----
>>
>> Signed-off-by: Alexander Clouter <alex+dnsmasq at digriz.org.uk>
>> --
>>  src/network.c |    6 ++++--
>>  1 files changed, 4 insertions(+), 2 deletions(-)
>>
>> --- a/src/network.c    2015-01-04 19:09:25.086396076 +0000 +++
>> b/src/network.c    2015-01-04 19:29:04.402377390 +0000 @@ -302,10
>> +302,12 @@ #endif } } -  + +  if ((addr->sa.sa_family == AF_INET &&
>> !private_net(addr->in.sin_addr, 1)) #ifdef HAVE_IPV6 -  if
>> (addr->sa.sa_family != AF_INET6 ||
>> !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr)) +    ||
>> (addr->sa.sa_family == AF_INET6 &&
>> !IN6_IS_ADDR_LOOPBACK(&addr->in6.sin6_addr) &&
>> !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr) &&
>> !IN6_IS_ADDR_ULA(&addr->in6.sin6_addr)) #endif +    ) { struct
>> interface_name *int_name; struct addrlist *al;
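Review bot: the new predicate sits in the code path that fills the `--interface-name` address list (the `struct interface_name *int_name` right below it), which answers ordinary internal queries as well as the auth zone, so once this lands a host whose only addresses are RFC1918 or ULA stops resolving for internal clients too; collect every address here unchanged and apply the non-global test only where authoritative answers are assembled, or put it behind a config switch, so `--interface-name=digriz.wormnet.eu,lo` keeps returning 127.0.0.1 and fd2a:7fba:ff04:8:: internally. Two smaller points in the same hunk: the removed line accepted every AF_INET address, and `private_net(addr->in.sin_addr, 1)` with the second argument set now drops 127.0.0.0/8 and RFC1918 for IPv4 unconditionally, which is wider than the commit message's "when global addresses are added to the loopback interface" suggests and should be spelled out there; and the condition still closes correctly with HAVE_IPV6 undefined, but the lone `)` on its own line after the `#endif` is easy to misread, so a one-line comment above the `if` stating the intent (skip non-global addresses) would help the next reader.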

-- 
Alexander Clouter
.sigmonster says: What this country needs is a good five dollar plasma weapon.
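To make the filtering rule and Simon's scoping objection concrete, here is an added example (my own code, not dnsmasq's and not the patch) that classifies an address as global or not and applies the filter only when building an authoritative answer, leaving internal answers untouched. The IPv6 tests are exactly the three the patch uses (loopback, link-local, ULA); the IPv4 list is my approximation of what dnsmasq's `private_net(addr, 1)` rejects, and the 169.254.0.0/16 entry is an assumption of what "non-global" should mean rather than something the patch states. The input list is constructed from the "without this patch" output above.

```c
/* Added example (not dnsmasq code): classify IPv4/IPv6 addresses as
 * "global" and filter an answer list only for authoritative responses. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed approximation of dnsmasq's private_net(addr, 1): loopback and
 * RFC1918; 169.254.0.0/16 is my own addition, not from the patch. */
static bool ipv4_is_global(struct in_addr a)
{
    uint32_t h = ntohl(a.s_addr);
    if ((h & 0xff000000u) == 0x7f000000u) return false; /* 127.0.0.0/8    */
    if ((h & 0xff000000u) == 0x0a000000u) return false; /* 10.0.0.0/8     */
    if ((h & 0xfff00000u) == 0xac100000u) return false; /* 172.16.0.0/12  */
    if ((h & 0xffff0000u) == 0xc0a80000u) return false; /* 192.168.0.0/16 */
    if ((h & 0xffff0000u) == 0xa9fe0000u) return false; /* 169.254.0.0/16 */
    return true;
}

/* The three IPv6 classes the patch rejects: loopback, link-local, ULA. */
static bool ipv6_is_global(const struct in6_addr *a)
{
    if (IN6_IS_ADDR_LOOPBACK(a)) return false;        /* ::1       */
    if (IN6_IS_ADDR_LINKLOCAL(a)) return false;       /* fe80::/10 */
    if ((a->s6_addr[0] & 0xfe) == 0xfc) return false; /* fc00::/7  */
    return true;
}

/* Parse a textual address of either family; unparsable input is treated
 * as non-global so it can never leak into an authoritative answer. */
bool addr_is_global(const char *text)
{
    struct in_addr v4;
    struct in6_addr v6;
    if (inet_pton(AF_INET, text, &v4) == 1) return ipv4_is_global(v4);
    if (inet_pton(AF_INET6, text, &v6) == 1) return ipv6_is_global(&v6);
    return false;
}

/* Keep every address for internal queries; drop non-global ones only when
 * the answer is authoritative. Returns how many were kept. */
size_t filter_answers(const char *const *in, size_t n, bool for_auth_zone,
                      const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (!for_auth_zone || addr_is_global(in[i]))
            out[kept++] = in[i];
    return kept;
}

/* Runs the filter over the address set from the thread's "without this
 * patch" output (constructed here); out must hold at least 7 entries. */
size_t example_answers(bool for_auth_zone, const char **out)
{
    static const char *const addrs[] = {
        "127.0.0.1", "77.75.106.34", "::1", "fd2a:7fba:ff04:8::",
        "2a01:348:45:8::", "2002:4d4b:6a22:8::",
        "2a01:348:ad51:1539:6524:39bd:2da6:e349"
    };
    return filter_answers(addrs, sizeof addrs / sizeof addrs[0],
                          for_auth_zone, out);
}

int main(void)
{
    const char *out[8];
    size_t kept = example_answers(true, out);
    for (size_t i = 0; i < kept; i++)
        printf("auth answer: %s\n", out[i]);   /* the four global ones */
    kept = example_answers(false, out);
    printf("internal answers kept: %zu\n", kept); /* all seven */
    return 0;
}
```

Run with `for_auth_zone` true the output matches the "With the patch" listing (77.75.106.34 and the three 2a01:/2002: addresses); with it false nothing is dropped, which is the split between authoritative and internal answers the review asks for.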


