[Dnsmasq-discuss] Windows ipv6 hostname
Markus Hartung
mail at hartmark.se
Wed Dec 21 00:26:15 GMT 2016
On 2016-12-20 12:14, Toke Høiland-Jørgensen wrote:
> Well, arguably the Windows 10 behaviour is a feature - RFC7217 was
> written because the EUI-64 based approach has privacy issues (the client
> will use the same address on every network). So I would expect more and
> more clients to adopt the privacy-preserving approach. I believe
> NetworkManager has support for it on Linux, but am not sure if it's
> enabled by default.
Alright, after some researching I understand how the EUI-64 approach is
working and how it might be a bad idea.
I don't have so many machines and the added security implications are
worth the benefit.
And after re-reading the manpage of dnsmasq I found this:
*ra-names* enables a mode which gives DNS names to dual-stack hosts which
do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the
name, network segment and MAC address and assumes that the host will
also have an IPv6 address calculated using the SLAAC algorithm, on the
same network segment. The address is pinged, and if a reply is received,
an AAAA record is added to the DNS for this IPv6 address. Note that this
is only happens for directly-connected networks, (not one doing DHCP via
a relay) and it will not work if a host is using privacy extensions.
*ra-names* can be combined with *ra-stateless* and *slaac.*
So I guess the automatic creation of AAAA-records doesn't work any more
if I enable privacy extensions.
> Haven't had time to play with it myself yet, so can't be of much help
> there; but as I understand it, the idea is that you configure the proxy
> to use a particular domain, and then point dnsmasq at it with --server.
> Don't think this will integrate with the auth server mechanism in
> dnsmasq, though; not sure if there's a way to achieve that.
I haven't been able to get any responses from ohybridproxy using dig, so
I guess there's something missing:
$ ./ohybridproxy -p 1053 eno1=mydomain.se
$ dig host.mydomain.se aaaa @:: -p 1053
<no answer section>
> Windows 10 by default uses randomized identifiers instead of the MAC
> address. You can turn this off using the following command in an admin
> shell:
>
> netsh interface ipv6 set global randomizeidentifiers=disabled
>
> In addition to that, make sure that the Windows computer replies to the
> ICMP echo requests that dnsmasq uses to check if the address is in use.
>
> With this setting the Windows computer should still use temporary
> addresses to initiate outgoing connections, but be reachable on EUI-64
> based address.
Thanks for the pointers, now I'm able to correctly get an IPv6-address
that should work with ra-names. However it seems that dnsmasq doesn't
have any hostname in the DHCPv4 lease file.
$ cat /var/lib/misc/dnsmasq.leases
1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *
I have masked the MAC addresses. As you can see, the host at 192.168.1.184
doesn't have any hostname. Is it that Windows 10 does something wrong, or
is there anything else I can look at?
On 2016-12-20 12:53, Pali Rohár wrote:
> Another option is to stop using SLAAC and start using DHCPv6 where you
> have full control of assigned IPv6 addresses.
>
> Such feature like host will "randomly" chose address is unsuitable for
> setup when you need to have control of which address is assigned to
> which device (e.g in this setup when you want to assign AAAA record).
That would of course be the optimal solution. Is there a way to get
dnsmasq to do DHCPv6 and also add AAAA-records, or any third-party
programs/tools to achieve that?
---
Thanks for all your help so far guys!
Best regards,
Markus
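
The address derivation that the quoted ra-names manpage text relies on, as an added example that is not part of the original message and is not dnsmasq's own code. The prefix 2001:db8:1:2::/64 and the MAC addresses are constructed sample values; the ping check dnsmasq performs before adding the record is left out.

```python
import ipaddress

# Constructed sample in the dnsmasq.leases layout shown in the message:
# expiry, MAC, IPv4 address, hostname ("*" if none), client-id.
SAMPLE_LEASES = """\
1482365715 02:00:5e:10:20:30 192.168.1.184 * 01:02:00:5e:10:20:30
1482334524 00:00:5e:00:53:67 192.168.1.133 hostname *
"""


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC address."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms with EUI-64 based SLAAC on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return net[int.from_bytes(eui64_interface_id(mac), "big")]


def candidate_aaaa(leases_text: str, prefix: str) -> dict:
    """Map hostname -> predicted IPv6 address for leases that carry a name.

    A lease whose hostname field is "*" yields nothing, because there is
    no name to attach an AAAA record to.
    """
    records = {}
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _expiry, mac, _ipv4, name, _client_id = fields[:5]
        if name != "*":
            records[name] = slaac_address(prefix, mac)
    return records


if __name__ == "__main__":
    for name, addr in candidate_aaaa(SAMPLE_LEASES, "2001:db8:1:2::/64").items():
        print(name, "AAAA", addr)
```

A host using randomized or temporary interface identifiers never owns the predicted address, so a probe of it gets no reply and no record is created.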