[Dnsmasq-discuss] Windows ipv6 hostname

Pali Rohár pali.rohar at gmail.com
Thu Dec 22 17:15:50 GMT 2016


Hi Uwe!

On Thu Dec 22 17:35:16 2016 Uwe Schindler <uwe at thetaphi.de> wrote:
> Hi,
> 
> Windows hosts generally have 2 problems, so assigning a DNS name with
> IPv6 address using "ra-names" only works under the following
> circumstances:
> 
> - The Windows firewall must allow ICMP Echo (PING) requests to go
> through (IPv6). And here comes the problem: By default the Windows
> firewall blocks pings on IPv4 and IPv6. Dnsmasq pings the possible SLAAC-
> defined IPv6 address to see if it is valid. And that does not work by
> default.

Ah, so firewall settings. Anyway, for a correct IPv6 setup you should not disable ICMPv6, as ICMPv6 messages are a critical part of the whole network. ECHO is probably not needed, but PACKET-TOO-BIG is *required*.

> - Windows has to assign the IPv6 address using the official
> SLAAC algorithm! Unfortunately with randomized-identifiers enabled (also
> the default), the auto-assigned IPv6 addresses are not created from the
> MAC address using the SLAAC algorithm. You have to disable
> randomized-identifiers to make this work.

SLAAC is not used when the A(utonomous) bit is not announced in the RA prefix, and when the M(anaged) bit is present, DHCPv6 should be used.

And I think this setup is used, so the SLAAC algorithm does not matter here.

> With above default, Windows hides its IPv6 address completely and you
> cannot guess it.
> 
> Important: Randomized-Identifiers has nothing to do with privacy
> extensions (with privacy extensions, the IPv6 address is still SLAAC
> conform, but IPv6 hosts use a second address for *outgoing* connections
> only. The SLAAC address is still there and can be pinged).
> 
> On my Windows machines I have disabled randomized-identifiers, but they
> still use privacy extensions. In addition, pinging is enabled in the
> firewall. Then everything works. This is not the fault of dnsmasq, there
> is nothing it can do better - maybe instead of pinging it can use some
> different approach to "verify" the IP address (something like an IPv6
> ARP-like request only).

Hm, I think this is not an optimal implementation in dnsmasq. ICMPv6 ND packets should be used instead of ICMPv6 ECHO.

As ECHO is (as you wrote) blocked by default on Windows and ND is the "equivalent" of ARP, I suggest changing the implementation to ND.

> Uwe
> 
> -----
> Uwe Schindler
> Achterdiek 19, D-28357 Bremen
> http://www.thetaphi.de
> eMail: uwe at thetaphi.de
> 
> > -----Original Message-----
> > From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> > bounces at lists.thekelleys.org.uk] On Behalf Of Pali Rohár
> > Sent: Thursday, December 22, 2016 1:49 PM
> > To: Markus Hartung <mail at hartmark.se>
> > Cc: dnsmasq-discuss at lists.thekelleys.org.uk
> > Subject: Re: [Dnsmasq-discuss] Windows ipv6 hostname
> > 
> > On Thursday 22 December 2016 11:24:53 Markus Hartung wrote:
> > > On 2016-12-21 14:08, Michael Stilkerich wrote:
> > > > Well, dnsmasq needs to get the hostname to assign to a machine from
> > > > someplace. I don't know all the possible places (search the manual
> > > > page for that), but I can think of:
> > > > 1) Dnsmasq configuration (dhcp-host options)
> > > > 2) /etc/ethers if enabled
> > > > 3) suggested with the DHCPv4 request by the client
> > > > 
> > > > I think Windows 10 should suggest a hostname (3), at least it seems
> > > > to do so for me. I have manually assigned a hostname on the Windows
> > > > computer, and dnsmasq knows and assigns it.
> > > 
> > > On 2016-12-20 12:53, Pali Rohár wrote:
> > > > Another option is to stop using SLAAC and start using DHCPv6, where
> > > > you have full control of the assigned IPv6 addresses.
> > > > 
> > > > A feature like a host "randomly" choosing its own address is unsuitable
> > > > for a setup where you need to control which address is
> > > > assigned to which device (e.g. in this setup, when you want to
> > > > assign an AAAA record).
> > > 
> > > I have managed to get DHCPv6 working now, I thought that Windows 10
> > > didn't have any support for it.
> > 
> > Windows Vista has (good quality) support for DHCPv6 and IIRC newer
> > versions of Windows use the same/similar implementation. So I think
> > Windows 10 should work (no idea if some advanced configuration is
> > needed)... Also, at that time Windows Vista had a correct implementation
> > of using the RA prefix together with the assigned DHCPv6 address. (In contrast,
> > the common Linux ISC DHCPv6 client is still broken and hardcodes a /64 prefix
> > even if the RA announces a different one.)
> > 
> > > It turned out that ufw on my
> > > Ubuntu server was blocking DHCPv6. In my simple mind I was just
> > > assuming that DHCP and DHCPv6 used the same ports.
> > 
> > It is common behaviour that all firewalls block everything except some
> > exceptions. It is also good for security reasons.
> > 
> > DHCP is using IPv4 and DHCPv6 is obviously using IPv6. And IPv6 network
> > stack is independent of IPv4, so you need to configure your firewall
> > differently for IPv4 and IPv6 (e.g. iptables vs. ip6tables).
> > 
> > And because DHCP and DHCPv6 are *different* protocols, they should not
> > be used on the same ports. If you look at DNS, there is no DNSv6 or so. DNS
> > is the same over IPv4 and IPv6.
> > 
> > You cannot ask for an IPv6 address via DHCP or an IPv4 address via DHCPv6. But you
> > can resolve an AAAA record (IPv6) via an IPv4 connection to DNS, hence
> > there is only one DNS.
> > 
> > If you cannot memorize the tcp or udp port numbers for some services,
> > just look into the /etc/services file.
> > 
> > $ grep -E -i 'dhcp|bootp' /etc/services
> > bootps                   67/tcp                                                   # BOOTP server
> > bootps                   67/udp
> > bootpc                   68/tcp                                                   # BOOTP client
> > bootpc                   68/udp
> > dhcpv6-client     546/tcp
> > dhcpv6-client     546/udp
> > dhcpv6-server     547/tcp
> > dhcpv6-server     547/udp
> > 
> > > Still no hostname in the lease-file. However, I tried creating a
> > > virtual win10 host and it seems to correctly set the hostname.
> > > 
> > > $ cat /var/lib/misc/dnsmasq.leases
> > > 1482450696 3e:fa:72:5b:c7:02 192.168.1.184 * 01:3e:fa:72:5b:c7:02
> > > 1482454218 08:00:27:60:fb:f2 192.168.1.108 budweiser 01:08:00:27:60:fb:f2
> > > 1482454219 34078759 2001:470:28:6ac::b8c2 budweiser 00:01:00:01:1f:6b:f9:80:08:00:27:60:fb:f2
> > > 1482454045 171899506 2001:470:28:6ac::e82c * 00:03:00:01:3e:fa:72:5b:c7:02
> > > 
> > > Note that the host budweiser correctly gets a host entry in the file.
> > > And pinging the hostname on IPv4 and IPv6 yields the correct
> > > IP address.
> > 
> > So if some Windows 10 host is working fine and another not, then some
> > configuration is really needed... You have one working configuration of
> > Windows 10 so you will need to (somehow) reuse it for non-working one.
> > 
> > > I have been doing some Wireshark-ing and found this request on the working
> > > host:
> > > 
> > > Frame 1998: 210 bytes on wire (1680 bits), 210 bytes captured (1680
> > > bits) on interface 0
> > > Ethernet II, Src: PcsSyste_60:fb:f2 (08:00:27:60:fb:f2), Dst:
> > > IPv6mcast_01:00:02 (33:33:00:01:00:02)
> > > Internet Protocol Version 6, Src: fe80::a00:27ff:fe60:fbf2, Dst: ff02::1:2
> > > User Datagram Protocol, Src Port: 546, Dst Port: 547
> > > DHCPv6
> > > Message type: Request (3)
> > > Transaction ID: 0xe6d3a2
> > > Elapsed time
> > > Client Identifier
> > > Server Identifier
> > > Identity Association for Non-temporary Address
> > > Fully Qualified Domain Name
> > > Option: Fully Qualified Domain Name (39)
> > > Length: 24
> > > Value: 000962756477656973657208686172746d61726b02736500
> > > 0000 0... = Reserved: 0x00
> > > .... .0.. = N bit: Server should perform DNS updates
> > > .... ..0. = O bit: Server has not overridden client's S bit preference
> > > .... ...0 = S bit: Server should not perform forward DNS updates
> > > Client FQDN: budweiser.hartmark.se
> > 
> > So the working host sends us an FQDN.
> > 
> > > Vendor Class
> > > Option: Vendor Class (16)
> > > Length: 14
> > > Value: 0000013700084d53465420352e30
> > > Enterprise ID: Microsoft (311)
> > > vendor-class-data: MSFT 5.0
> > 
> > And the working host tells us it is a Microsoft DHCP client.
> > 
> > > Option Request
> > > Option: Option Request (6)
> > > Length: 8
> > > Value: 0011001700180027
> > > Requested Option code: Vendor-specific Information (17)
> > > Requested Option code: DNS recursive name server (23)
> > > Requested Option code: Domain Search List (24)
> > > Requested Option code: Fully Qualified Domain Name (39)
> > > 
> > > And this is the request from the broken host:
> > > Frame 786: 160 bytes on wire (1280 bits), 160 bytes captured (1280
> > > bits) on interface 0
> > > Ethernet II, Src: 3e:fa:72:5b:c7:02 (3e:fa:72:5b:c7:02), Dst:
> > > IPv6mcast_01:00:02 (33:33:00:01:00:02)
> > > Internet Protocol Version 6, Src: fe80::3cfa:72ff:fe5b:c702, Dst: ff02::1:2
> > > User Datagram Protocol, Src Port: 546, Dst Port: 547
> > > DHCPv6
> > > Message type: Request (3)
> > > Transaction ID: 0x83e70d
> > > Elapsed time
> > > Client Identifier
> > > Server Identifier
> > > Identity Association for Non-temporary Address
> > > Option Request
> > > Option: Option Request (6)
> > > Length: 8
> > > Value: 0011001700180027
> > > Requested Option code: Vendor-specific Information (17)
> > > Requested Option code: DNS recursive name server (23)
> > > Requested Option code: Domain Search List (24)
> > > Requested Option code: Fully Qualified Domain Name (39)
> > 
> > So the non-working host did not send an FQDN.
> > 
> > > However, it seems it tries to update its DNS record like this:
> > > 973       84.385064       192.168.1.184       195.178.160.145       DNS 200 Dynamic update 0xf052 SOA hartmark.se CNAME AAAA A AAAA 2001:470:28:6ac::e834 AAAA 2001:470:28:6ac:3cfa:72ff:fe5b:c702 A 192.168.1.184
> > > 
> > > 974       84.389532       195.178.160.145       192.168.1.184       DNS 200 Dynamic update response 0xf052 Not implemented SOA hartmark.se CNAME AAAA A AAAA 2001:470:28:6ac::e834 AAAA 2001:470:28:6ac:3cfa:72ff:fe5b:c702 A 192.168.1.184
> > > 
> > > I need to do some more digging, but perhaps someone knows why the
> > > hosts behave differently. And is the dynamic DNS update some
> > > Microsoft DNS server thingy?
> > 
> > I remember that Windows acts differently if it is configured to be
> > part of a domain, or if it has some domain name set, or if it has
> > a workgroup configured, or if it has sharing for small
> > home networks enabled... This is just my observation; maybe one of those
> > settings is different on the working and non-working host?
> > 
> > I cannot help you with Windows 10, but try to look at the different
> > network settings in Windows. Maybe you will find something...
> > 
> > --
> > Pali Rohár
> > pali.rohar at gmail.com
> 

-- 
Pali Rohár
pali.rohar at gmail.com
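As an added illustration (not code from this thread or from dnsmasq), here is a small decoder for the two DHCPv6 options Wireshark showed in the working host's Request: Client FQDN (option 39, RFC 4704) and Vendor Class (option 16). The option payloads are the hex values copied from the capture above; the constant and function names are my own.

```python
import struct

# DHCPv6 option codes used in the captured Request (RFC 3315 / RFC 4704).
OPTION_VENDOR_CLASS = 16
OPTION_CLIENT_FQDN = 39

def decode_dns_name(data, offset=0):
    """Decode an uncompressed RFC 1035 wire-format name; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # RFC 4704 forbids compression pointers in this option
            raise ValueError("compression pointer in Client FQDN option")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset

def decode_client_fqdn(value):
    """Option 39: one flags byte (MBZ N O S, S is the low bit) then the client's name."""
    flags = value[0]
    name, _ = decode_dns_name(value, 1)
    return {"S": bool(flags & 0x01), "O": bool(flags & 0x02),
            "N": bool(flags & 0x04), "fqdn": name}

def decode_vendor_class(value):
    """Option 16: 32-bit enterprise number followed by (length, data) items."""
    (enterprise,) = struct.unpack("!I", value[:4])
    items, off = [], 4
    while off < len(value):
        (n,) = struct.unpack("!H", value[off:off + 2])
        items.append(value[off + 2:off + 2 + n].decode("ascii", "replace"))
        off += 2 + n
    return {"enterprise": enterprise, "data": items}

def client_hostname(options):
    """Given {option_code: payload}, return the first label of the client FQDN
    (the name that shows up in dnsmasq.leases), or None if the option is absent."""
    if OPTION_CLIENT_FQDN not in options:
        return None
    return decode_client_fqdn(options[OPTION_CLIENT_FQDN])["fqdn"].split(".")[0]

# Payload bytes copied from the Wireshark dump of the working host's Request.
WORKING = {
    OPTION_CLIENT_FQDN: bytes.fromhex("000962756477656973657208686172746d61726b02736500"),
    OPTION_VENDOR_CLASS: bytes.fromhex("0000013700084d53465420352e30"),
}
BROKEN = {}  # the second host's Request carried no Client FQDN option at all
```

Running `client_hostname` over both dicts reproduces the difference seen in the lease file: "budweiser" for the working host and nothing for the other.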
