[Dnsmasq-discuss] Windows ipv6 hostname

Markus Hartung mail at hartmark.se
Wed Dec 21 00:26:15 GMT 2016


On 2016-12-20 12:14, Toke Høiland-Jørgensen wrote:

> Well, arguably the Windows 10 behaviour is a feature - RFC7217 was
> written because the EUI-64 based approach has privacy issues (the client
> will use the same address on every network). So I would expect more and
> more clients to adopt the privacy-preserving approach. I believe
> NetworkManager has support for it on Linux, but am not sure if it's
> enabled by default.

Alright, after some research I understand how the EUI-64 approach 
works and how it might be a bad idea.

I don't have so many machines and the added security implications are 
worth the benefit.

And after re-reading the manpage of dnsmasq I found this:
*ra-names* enables a mode which gives DNS names to dual-stack hosts which 
do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the 
name, network segment and MAC address and assumes that the host will 
also have an IPv6 address calculated using the SLAAC algorithm, on the 
same network segment. The address is pinged, and if a reply is received, 
an AAAA record is added to the DNS for this IPv6 address. Note that this 
is only happens for directly-connected networks, (not one doing DHCP via 
a relay) and it will not work if a host is using privacy extensions. 
*ra-names* can be combined with *ra-stateless* and *slaac*.

So I guess the automatic creation of AAAA-records doesn't work any more 
if I enable privacy extensions.

> Haven't had time to play with it myself yet, so can't be of much help
> there; but as I understand it, the idea is that you configure the proxy
> to use a particular domain, and then point dnsmasq at it with --server.
> Don't think this will integrate with the auth server mechanism in
> dnsmasq, though; not sure if there's a way to achieve that.
I haven't been able to get any responses from ohybridproxy using dig, so 
I guess there's something missing:

$ ./ohybridproxy -p 1053 eno1=mydomain.se

$ dig host.mydomain.se aaaa @:: -p 1053
<no answer section>

>    Windows 10 by default uses randomized identifiers instead of the MAC
> address. You can turn this off using the following command in an admin
> shell:
>
> netsh interface ipv6 set global randomizeidentifiers=disabled
>
> In addition to that, make sure that the Windows computer replies to the
> ICMP echo requests that dnsmasq uses to check if the address is in use.
>
> With this setting the Windows computer should still use temporary
> addresses to initiate outgoing connections, but be reachable on EUI-64
> based address.
Thanks for the pointers, now I'm able to correctly get an IPv6 address 
that should work with ra-names. However, it seems that dnsmasq doesn't 
have any hostname in the DHCPv4 lease file.

$ cat /var/lib/misc/dnsmasq.leases
1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *

I have masked the MAC address. As you can see, the host at 192.168.1.184 
doesn't have any hostname. Is it that Windows 10 does something wrong, or 
is there anything else I can look at?

On 2016-12-20 12:53, Pali Rohár wrote:
> Another option is to stop using SLAAC and start using DHCPv6 where you
> have full control of assigned IPv6 addresses.
>
> A feature where the host "randomly" chooses its address is unsuitable for
> setups where you need to have control of which address is assigned to
> which device (e.g. in this setup, where you want to assign an AAAA record).
That would of course be the optimal solution. Is there a way to get 
dnsmasq to do DHCPv6 and also add AAAA records, or any third-party 
programs/tools to achieve that?

---
Thanks for all your help so far guys!

Best regards,
Markus
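
The address derivation that the ra-names description quoted above depends on, as an added example that is not part of the original post and is not dnsmasq's own code: it parses lease lines in the layout shown in the message, computes the modified EUI-64 SLAAC address each MAC would produce, and shows why a lease with `*` as hostname or a host using a randomized identifier yields no usable AAAA record. The prefix 2001:db8:1:1::/64, the MAC addresses and the observed address are constructed sample values.

```python
import ipaddress

# Constructed sample in the dnsmasq.leases layout shown in the message:
# expiry, MAC, IPv4 address, hostname ("*" = none recorded), client-id.
SAMPLE_LEASES = """\
1482365715 3e:00:5e:00:53:02 192.168.1.184 * 01:3e:00:5e:00:53:02
1482334524 00:00:5e:00:53:67 192.168.1.133 hostname *
"""

def eui64_address(prefix, mac):
    """Return the SLAAC address built from a /64 prefix and a 48-bit MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Modified EUI-64: flip the universal/local bit, insert ff:fe mid-MAC.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return net[int.from_bytes(iid, "big")]

def predict_aaaa(leases_text, prefix):
    """Return (hostname or None, predicted address) for each lease line."""
    results = []
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or non-lease lines
        mac, name = fields[1], fields[3]
        # Without a hostname in the IPv4 lease there is no name to publish.
        results.append((None if name == "*" else name,
                        eui64_address(prefix, mac)))
    return results

def is_eui64_of(observed, prefix, mac):
    """True if the address a host actually uses is the one derived from its MAC."""
    return ipaddress.IPv6Address(observed) == eui64_address(prefix, mac)

if __name__ == "__main__":
    for name, addr in predict_aaaa(SAMPLE_LEASES, "2001:db8:1:1::/64"):
        print(name or "(no hostname in lease)", addr)
    # Constructed randomized-identifier address: it does not match the MAC,
    # so pinging the predicted address would find nothing.
    print(is_eui64_of("2001:db8:1:1:8d4c:1f0a:77b2:9c31",
                      "2001:db8:1:1::/64", "00:00:5e:00:53:67"))
```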


