[Dnsmasq-discuss] Windows ipv6 hostname

Uwe Schindler uwe at thetaphi.de
Thu Dec 22 18:14:57 GMT 2016


Hi,

> > Windows hosts generally have 2 problems, so assigning a DNS name with
> > IPv6 address using "ra-names" only works under the following
> > circumstances:
> >
> > - The Windows firewall must allow ICMP Echo (PING) requests to go
> > through (IPv6). And here comes the problem: By default the Windows
> > firewall blocks pings on IPv4 and IPv6. Dnsmasq pings the possible SLAAC
> > defined IPv6 address to see if it is valid. And that does not work by
> > default.
> 
> Ah, so firewall settings. Anyway, for a correct IPv6 setup you should not disable
> ICMPv6, as ICMPv6 messages are a critical part of the whole network. ECHO is
> probably not needed, but PACKET-TOO-BIG is *required*.

By default the Windows firewall blocks ICMPv4 and ICMPv6 ECHO requests, not ICMP in general. This causes several issues, so whenever I set up a Windows machine this is one of the first things to disable.

> > - Windows has to assign the IPv6 address using the official
> > SLAAC algorithm! Unfortunately with randomized-identifiers enabled (also
> > the default), the auto-assigned IPv6 addresses are not created from the
> > MAC address using the SLAAC algorithm. You have to disable
> > randomized-identifiers to make this work.
> 
> SLAAC is not used when A(utonomous) bit is not announced in RA prefix and
> in case M(anaged) bit is present DHCPv6 should be used.
> 
> And I think this setup is used, so SLAAC algorithm does not matter here.

Markus' mails were initially saying that he uses "ra-names", so it's definitely not stateful DHCPv6. Maybe he changed in between, but I wanted to post here what one must do for "ra-names" to work correctly:

- Disable firewall rule to block ICMP v4 and also ICMP v6 ECHO
- Disable randomized-identifiers and reboot:

netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Uwe

> > With above default, Windows hides its IPv6 address completely and you
> > cannot guess it.
> >
> > Important: Randomized-Identifiers has nothing to do with privacy
> > extensions (with privacy extensions, the IPv6 address is still SLAAC
> > conform, but IPv6 hosts use a second address for *outgoing* connections
> > only. The SLAAC address is still there and can be pinged).
> >
> > On my windows machines I have disabled randomized-identifiers, but they
> > still use privacy extensions. In addition, pinging is enabled in the
> > firewall. Then everything works. This is not the fault of dnsmasq, there
> > is nothing it can do better - maybe instead of pinging it can use some
> > different approach to "verify" the IP address (something like a IPv6
> > like ARP request only).
> 
> Hm, I think this is not an optimal implementation in dnsmasq. ICMPv6 ND
> packet should be used instead of ICMPv6 ECHO.
> 
> As ECHO is (as you wrote) by default blocked on Windowses and ND is
> "equivalent" for ARP I suggest to change implementation to ND.

This is why I asked here. Ra-names never works on Windows with default firewall rules. So something like an ICMP ND would be better to check for existence of IPs. Maybe dnsmasq has an option to do this, but the last time I tried, the only way to get ra-names to work with Windows was to disable this stupid Windows-Firewall rule. The problem is more the people visiting me who have those misconfigured Windowses :-(

> > > > > think of:
> > > > > 1) Dnsmasq configuration (dhcp-host options)
> > > > > 2) /etc/ethers if enabled
> > > > > 3) suggested with the DHCPv4 request by the client

With "ra-names" it does the latter. It uses the hostname from the original DHCPv4 request of the client and registers it in its own DNS. But it has no IPv6 address for it, as this is unknown for stateless RA (as you have enabled with "enable-ra" and "ra-names"). It can only guess and verify the hostname. It does this with the above checks, which fail if you use "randomized-identifiers" on Windows (default) and the Windows Firewall blocks PING requests. Because of this it's impossible to guess the right IPv6 address and not even verify it to be correct!

> > > > > I think Windows 10 should suggest a hostname (3), at least it seems
> > > > > to do for me. I have manually assigned
> > > > > a hostname on the Windows computer, and dnsmasq knows and assigns
> > > > > it.

Yes, for IPv4 this works. For IPv6 with "ra-names" it needs more.

In addition: Since Windows 10 Anniversary update, the DHCPv6 Client of Windows is completely broken. It does not send DHCP6-INFORMATION requests anymore to discover the DNS server. This is known to Microsoft and they work on a solution to make stateless DHCPv6 work again.

Uwe
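
Added example (not part of the message above and not dnsmasq's own code): the modified EUI-64 derivation that the "ra-names" guess described in this thread depends on, plus a check of whether a host's configured addresses contain that guess. The prefix, MAC and host addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    # Accept both aa:bb:.. and the aa-bb-.. form that Windows tools print.
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from an advertised /64 prefix when it uses EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 based SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def uses_eui64(prefix: str, mac: str, host_addresses) -> bool:
    """True if one of the host's addresses is the one guessable from its MAC."""
    expected = slaac_address(prefix, mac)
    return any(ipaddress.IPv6Address(a) == expected for a in host_addresses)


# Constructed sample data: documentation prefix and a made-up MAC.
PREFIX = "2001:db8:1:2::/64"
MAC = "00-11-22-33-44-55"

# Host with randomized identifiers: no address matches the MAC-derived guess.
RANDOMIZED_HOST = ["2001:db8:1:2:5c8e:91a3:77d0:2b14", "fe80::5c8e:91a3:77d0:2b14"]
# Host with randomizeidentifiers=disabled: the EUI-64 address is present.
EUI64_HOST = ["2001:db8:1:2:211:22ff:fe33:4455", "fe80::211:22ff:fe33:4455"]

if __name__ == "__main__":
    print("guessed address:", slaac_address(PREFIX, MAC))
    print("randomized host matches:", uses_eui64(PREFIX, MAC, RANDOMIZED_HOST))
    print("EUI-64 host matches:", uses_eui64(PREFIX, MAC, EUI64_HOST))
```

Comparing the guessed address with the addresses the Windows host actually has configured shows whether the randomized-identifiers setting is what keeps the name from being registered, separately from the firewall's ECHO rule.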



