From v.tolstov at selfip.ru  Tue Apr  1 06:54:57 2014
From: v.tolstov at selfip.ru (Vasiliy Tolstov)
Date: Tue, 1 Apr 2014 10:54:57 +0400
Subject: [Dnsmasq-discuss] ipv6 slaac with global prefixes
Message-ID: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>

Hi all. I'm trying to use IPv6 SLAAC addresses and get global routing in
my simple network.
What do I need to specify in dnsmasq.conf to provide a global prefix to nodes?

Now I write:
dhcp-range=::1,slaac,5m
dhcp-option=option6:dns-server,[::]
enable-ra

But when I ping6 some IPv6 address I get the error: connect: Invalid argument

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru


From albert.aribaud at free.fr  Tue Apr  1 07:12:43 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Tue, 01 Apr 2014 09:12:43 +0200
Subject: [Dnsmasq-discuss] ipv6 slaac with global prefixes
In-Reply-To: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>
References: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>
Message-ID: <533A66EB.8080108@free.fr>

On 01/04/2014 08:54, Vasiliy Tolstov wrote:
> Hi all. I'm trying to use IPv6 SLAAC addresses and get global routing in
> my simple network.
> What do I need to specify in dnsmasq.conf to provide a global prefix to nodes?
>
> Now I write:
> dhcp-range=::1,slaac,5m
> dhcp-option=option6:dns-server,[::]
> enable-ra
>
> But when I ping6 some IPv6 address I get the error: connect: Invalid argument

Hi Vasiliy,

What is the *exact* command that you used to ping6? If you don't want to 
disclose the actual target, use e.g. albert.aribaud.net, which should 
resolve in IPv6 and answer (reasonable) IPv6 pings.

Also, did you have a look at your router's and client's DHCP, network 
and/or system logs?

Kind regards,
-- 
Albert.


From v.tolstov at selfip.ru  Tue Apr  1 07:20:08 2014
From: v.tolstov at selfip.ru (Vasiliy Tolstov)
Date: Tue, 1 Apr 2014 11:20:08 +0400
Subject: [Dnsmasq-discuss] ipv6 slaac with global prefixes
In-Reply-To: <533A66EB.8080108@free.fr>
References: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>
 <533A66EB.8080108@free.fr>
Message-ID: <CACaajQutqLDv1D63DE6omqdcgiauej=QniW9GCURmL-fHfJktg@mail.gmail.com>

2014-04-01 11:12 GMT+04:00 Albert ARIBAUD <albert.aribaud at free.fr>:
> Hi Vasiliy,
>
> What is the *exact* command that you used to ping6? If you don't want to
> disclose the actual target, use e.g. albert.aribaud.net, which should
> resolve in IPv6 and answer (reasonable) IPv6 pings.
>
> Also, did you have a look at your router's and client's DHCP, network and/or
> system logs?
>
> Kind regards,


I don't have external IPv6 and can't check ping for an external address.
As I see in ip -6 r s, I have only a link-local address with /64 and not a
global one. And I don't have DHCP and want to use it. I want to use only
SLAAC and radv to get everything connected.

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru


From albert.aribaud at free.fr  Tue Apr  1 07:26:19 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Tue, 01 Apr 2014 09:26:19 +0200
Subject: [Dnsmasq-discuss] ipv6 slaac with global prefixes
In-Reply-To: <CACaajQutqLDv1D63DE6omqdcgiauej=QniW9GCURmL-fHfJktg@mail.gmail.com>
References: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>
 <533A66EB.8080108@free.fr>
 <CACaajQutqLDv1D63DE6omqdcgiauej=QniW9GCURmL-fHfJktg@mail.gmail.com>
Message-ID: <533A6A1B.4030800@free.fr>

Hi again Vasiliy,

On 01/04/2014 09:20, Vasiliy Tolstov wrote:
> 2014-04-01 11:12 GMT+04:00 Albert ARIBAUD <albert.aribaud at free.fr>:
>> Hi Vasiliy,
>>
>> What is the *exact* command that you used to ping6? If you don't want to
>> disclose the actual target, use e.g. albert.aribaud.net, which should
>> resolve in IPv6 and answer (reasonable) IPv6 pings.
>>
>> Also, did you have a look at your router's and client's DHCP, network and/or
>> system logs?
>>
>> Kind regards,
>
>
> I don't have external IPv6 and can't check ping for an external address.
> As I see in ip -6 r s, I have only a link-local address with /64 and not a
> global one. And I don't have DHCP and want to use it. I want to use only
> SLAAC and radv to get everything connected.

Ok, then, did you have a look at your router's and client's DHCP, 
network and/or system logs?

Kind regards,
-- 
Albert.


From v.tolstov at selfip.ru  Tue Apr  1 07:38:04 2014
From: v.tolstov at selfip.ru (Vasiliy Tolstov)
Date: Tue, 1 Apr 2014 11:38:04 +0400
Subject: [Dnsmasq-discuss] ipv6 slaac with global prefixes
In-Reply-To: <533A6A1B.4030800@free.fr>
References: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>
 <533A66EB.8080108@free.fr>
 <CACaajQutqLDv1D63DE6omqdcgiauej=QniW9GCURmL-fHfJktg@mail.gmail.com>
 <533A6A1B.4030800@free.fr>
Message-ID: <CACaajQt43tRrjf-oKFck+S75JbBUsbV5d8h8z7m1h0CqGXRh3Q@mail.gmail.com>

2014-04-01 11:26 GMT+04:00 Albert ARIBAUD <albert.aribaud at free.fr>:
> Ok, then, did you have a look at your router's and client's DHCP, network
> and/or system logs?


Why do I need DHCP logs? I don't use it. All that I have is dnsmasq with
radv enabled and nodes with SLAAC-configured addresses.

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru


From albert.aribaud at free.fr  Tue Apr  1 08:14:41 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Tue, 01 Apr 2014 10:14:41 +0200
Subject: [Dnsmasq-discuss] ipv6 slaac with global prefixes
In-Reply-To: <CACaajQt43tRrjf-oKFck+S75JbBUsbV5d8h8z7m1h0CqGXRh3Q@mail.gmail.com>
References: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>
 <533A66EB.8080108@free.fr>
 <CACaajQutqLDv1D63DE6omqdcgiauej=QniW9GCURmL-fHfJktg@mail.gmail.com>
 <533A6A1B.4030800@free.fr>
 <CACaajQt43tRrjf-oKFck+S75JbBUsbV5d8h8z7m1h0CqGXRh3Q@mail.gmail.com>
Message-ID: <533A7571.7090502@free.fr>

On 01/04/2014 09:38, Vasiliy Tolstov wrote:
> 2014-04-01 11:26 GMT+04:00 Albert ARIBAUD <albert.aribaud at free.fr>:
>> Ok, then, did you have a look at your router's and client's DHCP, network
>> and/or system logs?
>
>
> Why do I need DHCP logs? I don't use it. All that I have is dnsmasq with
> radv enabled and nodes with SLAAC-configured addresses.

DHCP and/*OR* network and/*OR* system logs... :)

Kind regards,
-- 
Albert.


From v.tolstov at selfip.ru  Tue Apr  1 08:21:36 2014
From: v.tolstov at selfip.ru (Vasiliy Tolstov)
Date: Tue, 1 Apr 2014 12:21:36 +0400
Subject: [Dnsmasq-discuss] ipv6 slaac with global prefixes
In-Reply-To: <533A7571.7090502@free.fr>
References: <CACaajQux2QGG8M_pejf6OtMOoDR2dUwWnKRXR+B=a9uKmWXaKA@mail.gmail.com>
 <533A66EB.8080108@free.fr>
 <CACaajQutqLDv1D63DE6omqdcgiauej=QniW9GCURmL-fHfJktg@mail.gmail.com>
 <533A6A1B.4030800@free.fr>
 <CACaajQt43tRrjf-oKFck+S75JbBUsbV5d8h8z7m1h0CqGXRh3Q@mail.gmail.com>
 <533A7571.7090502@free.fr>
Message-ID: <CACaajQsSAWEw1JQ2=93tHW1k-eq5F5mqDOxEmEj98c9YvW+moQ@mail.gmail.com>

2014-04-01 12:14 GMT+04:00 Albert ARIBAUD <albert.aribaud at free.fr>:
> DHCP and/*OR* network and/*OR* system logs... :)


Nothing printed =). Sorry for the noise. I'm switching to radv via the bird
routing daemon =).

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru


From rob0 at gmx.co.uk  Tue Apr  1 16:54:28 2014
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Tue, 1 Apr 2014 11:54:28 -0500
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <53320C7C.6010809@yahoo.ca>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
Message-ID: <20140401165428.GZ13999@harrier.slackbuilds.org>

On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
> On 25/03/14 07:03 PM, sven falempin wrote:
> > my concern of nettle vs openssl is the amount of review and 
> > testing nettle did get compared to something more widely(!)
> > used
> 
> something being used a lot != something being good

Absolutely true, but in the context of open source software, 
especially cryptographic software, more use also tends to mean
more code review.

I'm not really qualified to judge here what is best; I can only
point out what I, as a user, think about it. I'll trust Simon's 
judgment, but I hope he has considered these concerns.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


From dave.taht at gmail.com  Tue Apr  1 17:45:44 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Tue, 1 Apr 2014 10:45:44 -0700
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <20140401165428.GZ13999@harrier.slackbuilds.org>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
Message-ID: <CAA93jw7WSQW3rH=JyKcM4+4QqKcJtOV9dRHxeAfEbkRHWUau-g@mail.gmail.com>

On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 <rob0 at gmx.co.uk> wrote:
> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>> On 25/03/14 07:03 PM, sven falempin wrote:
>> > my concern of nettle vs openssl is the amount of review and
>> > testing nettle did get compared to something more widely(!)
>> > used
>>
>> something being used a lot != something being good
>
> Absolutely true, but in the context of open source software,
> especially cryptographic software, more use also tends to mean
> more code review.
>
> I'm not really qualified to judge here what is best; I can only
> point out what I, as a user, think about it. I'll trust Simon's
> judgment, but I hope he has considered these concerns.

I have not been tracking this conversation closely, but my own
take on matters is that I'm opposed to a monoculture of anything...

http://www.abc.net.au/news/2013-08-29/feature-banana/4922208

And thus I enthusiastically support other OSes than linux, other
dns servers besides bind, and other crypto libraries besides openssl.




-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html


From brad at comstyle.com  Tue Apr  1 17:57:57 2014
From: brad at comstyle.com (Brad Smith)
Date: Tue, 01 Apr 2014 13:57:57 -0400
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <CAA93jw7WSQW3rH=JyKcM4+4QqKcJtOV9dRHxeAfEbkRHWUau-g@mail.gmail.com>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca> <20140401165428.GZ13999@harrier.slackbuilds.org>
 <CAA93jw7WSQW3rH=JyKcM4+4QqKcJtOV9dRHxeAfEbkRHWUau-g@mail.gmail.com>
Message-ID: <533AFE25.4000404@comstyle.com>

On 01/04/14 1:45 PM, Dave Taht wrote:
> On Tue, Apr 1, 2014 at 9:54 AM, /dev/rob0 <rob0 at gmx.co.uk> wrote:
>> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>>> On 25/03/14 07:03 PM, sven falempin wrote:
>>>> my concern of nettle vs openssl is the amount of review and
>>>> testing nettle did get compared to something more widely(!)
>>>> used
>>>
>>> something being used a lot != something being good
>>
>> Absolutely true, but in the context of open source software,
>> especially cryptographic software, more use also tends to mean
>> more code review.
>>
>> I'm not really qualified to judge here what is best; I can only
>> point out what I, as a user, think about it. I'll trust Simon's
>> judgment, but I hope he has considered these concerns.
>
> I have not been tracking this conversation closely, but my own
> take on matters is that I'm opposed to a monoculture of anything...
>
> http://www.abc.net.au/news/2013-08-29/feature-banana/4922208
>
> And thus I enthusiastically support other OSes than linux, other
> dns servers besides bind, and other crypto libraries besides openssl.

I have no problem with not having a monoculture. But provide an
option to support more than one crypto library. Don't assume what
is good for OpenWRT and other embedded OSes is good for everyone
else. That's making a really poor assumption.





From na at rtfm.net  Tue Apr  1 18:02:33 2014
From: na at rtfm.net (Nathan Dorfman)
Date: Tue, 1 Apr 2014 14:02:33 -0400
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <20140401165428.GZ13999@harrier.slackbuilds.org>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
Message-ID: <CADgEyUtB8w1DDtUF61d55LwBjuERzjDa_3aOSLhbB3dsqT3y-Q@mail.gmail.com>

On Tue, Apr 1, 2014 at 12:54 PM, /dev/rob0 <rob0 at gmx.co.uk> wrote:

> a



I can't speak to an actual code audit, but nettle isn't some third-rate
clone. It's a mature, actively developed and (importantly) thoroughly
documented project.

If I were to undertake such an audit however, I would surely prefer to have
to audit nettle rather than OpenSSL, as unlike the latter, nettle's code is
quite readable and even easy on the eyes.

Not to mention that there's much less code to begin with, as the library
simply doesn't try to do everything OpenSSL does. From their
introduction[1]:

"Nettle tries to avoid this problem by doing one thing, the low-level
crypto stuff, and providing a *simple* but general interface to it. In
particular, Nettle doesn't do algorithm selection. It doesn't do memory
allocation. It doesn't do any I/O."

Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
someone should speak up for nettle :)

-nd.

[1] - http://www.lysator.liu.se/~nisse/nettle/nettle.html#Introduction

From brad at comstyle.com  Tue Apr  1 18:07:52 2014
From: brad at comstyle.com (Brad Smith)
Date: Tue, 01 Apr 2014 14:07:52 -0400
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <CADgEyUtB8w1DDtUF61d55LwBjuERzjDa_3aOSLhbB3dsqT3y-Q@mail.gmail.com>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca> <20140401165428.GZ13999@harrier.slackbuilds.org>
 <CADgEyUtB8w1DDtUF61d55LwBjuERzjDa_3aOSLhbB3dsqT3y-Q@mail.gmail.com>
Message-ID: <533B0078.1090406@comstyle.com>

On 01/04/14 2:02 PM, Nathan Dorfman wrote:
> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
> someone should speak up for nettle :)

speaking up for nettle means nothing when you don't understand the
issue at hand.




From na at rtfm.net  Tue Apr  1 18:14:57 2014
From: na at rtfm.net (Nathan Dorfman)
Date: Tue, 1 Apr 2014 14:14:57 -0400
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <533B0078.1090406@comstyle.com>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
 <CADgEyUtB8w1DDtUF61d55LwBjuERzjDa_3aOSLhbB3dsqT3y-Q@mail.gmail.com>
 <533B0078.1090406@comstyle.com>
Message-ID: <CADgEyUu3ZL04YYw+ZWfW8rKkyGzj9hRYecu5ku3wZGsPQnDssw@mail.gmail.com>

With such superior understanding, shouldn't you be adding OpenSSL support
to dnsmasq yourself? That way you can deal with their byzantine API and the
resulting bugs, and Simon can instead do something actually worthwhile.



On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith <brad at comstyle.com> wrote:

> On 01/04/14 2:02 PM, Nathan Dorfman wrote:
>
>> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
>> someone should speak up for nettle :)
>>
>
> speaking up for nettle means nothing when you don't understand the
> issue at hand.
>
>

From rob0 at gmx.co.uk  Tue Apr  1 18:35:47 2014
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Tue, 1 Apr 2014 13:35:47 -0500
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <CAA93jw7WSQW3rH=JyKcM4+4QqKcJtOV9dRHxeAfEbkRHWUau-g@mail.gmail.com>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
 <CAA93jw7WSQW3rH=JyKcM4+4QqKcJtOV9dRHxeAfEbkRHWUau-g@mail.gmail.com>
Message-ID: <20140401183546.GA13999@harrier.slackbuilds.org>

On Tue, Apr 01, 2014 at 10:45:44AM -0700, Dave Taht wrote:
> And thus I enthusiastically support other OSes than linux,
> other dns servers besides bind, and other crypto libraries
> besides openssl.

One named to rule them all
One named to find them
One named to bring them all
And in the darkness BIND them.

:)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


From simon at thekelleys.org.uk  Tue Apr  1 18:39:16 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue, 01 Apr 2014 19:39:16 +0100
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <CADgEyUu3ZL04YYw+ZWfW8rKkyGzj9hRYecu5ku3wZGsPQnDssw@mail.gmail.com>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca> <20140401165428.GZ13999@harrier.slackbuilds.org>
 <CADgEyUtB8w1DDtUF61d55LwBjuERzjDa_3aOSLhbB3dsqT3y-Q@mail.gmail.com>
 <533B0078.1090406@comstyle.com>
 <CADgEyUu3ZL04YYw+ZWfW8rKkyGzj9hRYecu5ku3wZGsPQnDssw@mail.gmail.com>
Message-ID: <533B07D4.2050202@thekelleys.org.uk>

On 01/04/14 19:14, Nathan Dorfman wrote:
> With such superior understanding, shouldn't you be adding OpenSSL support
> to dnsmasq yourself? That way you can deal with their byzantine API and the
> resulting bugs, and Simon can instead do something actually worthwhile.
> 
> 
But don't do that before the licensing issue has been resolved. The
motive for moving from openSSL to (not openSSL) was largely about
incompatible licenses. Delving into the git repo and finding the openSSL
adapter code is the least of the problems.

... and if anyone is volunteering to do a code audit, can I ask they
consider auditing the dnsmasq DNSSEC code, which is orders of magnitude
less mature than either openSSL _or_ Nettle? Let's get our priorities
right here.


Simon.


> 
> On Tue, Apr 1, 2014 at 2:07 PM, Brad Smith <brad at comstyle.com> wrote:
> 
>> On 01/04/14 2:02 PM, Nathan Dorfman wrote:
>>
>>> Maybe OpenSSL is the right choice anyway, I don't know. But, I thought
>>> someone should speak up for nettle :)
>>>
>>
>> speaking up for nettle means nothing when you don't understand the
>> issue at hand.
>>
>>



From dave at bevhost.com  Wed Apr  2 10:46:55 2014
From: dave at bevhost.com (David Beveridge)
Date: Wed, 2 Apr 2014 20:46:55 +1000
Subject: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not
	appear to work for me.
Message-ID: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>

So I have a few static hosts defined in /etc/hosts and I want to
serve authoritative records for them.
I also have some machines which get addresses via DHCP and SLAAC which I want
to publish using synth-domain.

Each option works alone, but when I mix the options,
e.g.
auth-zone=thekelleys.org.uk,192.168.0.0/24
synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-

with synth-domain only
# dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
;; ANSWER SECTION:
internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56

with both defined, no answer is returned.
e.g.
root at ns1 /etc/dnsmasq.d # dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>>
internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 768
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;internal-192-168-0-56.thekelleys.org.uk. IN A

;; Query time: 0 msec
;; SERVER: 223.27.66.79#53(223.27.66.79)
;; WHEN: Wed Apr  2 21:30:13 2014
;; MSG SIZE  rcvd: 57


The behaviour is the same for IPv6.

regards,
dave.

PS: any reason why synth-domain is limited to /64 for IPv6?

From quintus at quintilianus.eu  Wed Apr  2 15:26:34 2014
From: quintus at quintilianus.eu (Quintus)
Date: Wed, 02 Apr 2014 17:26:34 +0200
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
Message-ID: <533C2C2A.9040605@quintilianus.eu>

Hi there,

with DHCPv4, dnsmasq properly converts the hostnames sent to it to A
records we can query for. It seems however that this is not the case
with DHCPv6 and AAAA records; while I can perfectly query for the A
record of "atlantis.cable.internal.xxx.eu" (and even the one of
"atlantis" without any further qualification is found), querying for its
AAAA record just returns NXDOMAIN, i.e. it's not found.

Is this a bug, or do I have to enable that feature somehow so it works
the same for DHCPv6 as it does for DHCPv4?

My Configuration:

--------------------------------------
########## General options ##########

domain-needed
bogus-priv
expand-hosts

########## DHCP DNS domains ##########

# Main
domain=internal.xxx.eu

# IPv4
domain=cable.internal.xxx.eu,10.37.59.0/26
domain=wifi.internal.xxx.eu,10.37.59.64/26

# IPv6
domain=cable.internal6.xxx.eu,2001:4dd0:ff00:8918:1::/80
domain=wifi.internal6.xxx.eu,2001:4dd0:ff00:8918:2::/80

########## DHCP ranges ##########

# Main DHCP ranges.
dhcp-range=set:wired,10.37.59.3,10.37.59.62,6h
dhcp-range=set:wifi,10.37.59.66,10.37.59.126,6h

# Main IPv6 address range
dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:ffff:ffff:fffe,80,6h
dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:ffff:ffff:fffe,80,6h

# Don't forget to advertise router information to
# IPv6-capable clients
enable-ra

# We are not the IPv4 router (but the IPv6 one).
dhcp-option=tag:wired,3,10.37.59.1
dhcp-option=tag:wifi,3,10.37.59.65

########## Misc ##########

log-dhcp
log-queries
--------------------------------------

Queries:

--------------------------------------
% dig atlantis.cable.internal.xxx.eu A

; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63422
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.	IN A

;; ANSWER SECTION:
atlantis.cable.internal.xxx.eu.	0 IN A 10.37.59.42

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Wed Apr  2 16:46:33 2014
;; MSG SIZE  rcvd: 80
--------------------------------------

and

--------------------------------------
% dig atlantis.cable.internal.xxx.eu AAAA

; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22012
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.	IN AAAA

;; Query time: 79 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Wed Apr  2 16:46:36 2014
;; MSG SIZE  rcvd: 64
--------------------------------------

Log shows this:

--------------------------------------
dnsmasq-dhcp[1513]: 2999666139 available DHCP range: 10.37.59.3 --
10.37.59.62
dnsmasq-dhcp[1513]: 2999666139 vendor class:
dhcpcd-6.3.2:Linux-3.13.7-1-ARCH:x86_64:GenuineIntel
dnsmasq-dhcp[1513]: 2999666139 client provides name: atlantis
dnsmasq-dhcp[1513]: 2999666139 DHCPREQUEST(eth0) 10.37.59.42
3c:97:0e:b6:c6:c3
dnsmasq-dhcp[1513]: 2999666139 tags: wired, eth0
dnsmasq-dhcp[1513]: 2999666139 DHCPACK(eth0) 10.37.59.42
3c:97:0e:b6:c6:c3 atlantis
dnsmasq-dhcp[1513]: 2999666139 requested options: 1:netmask,
121:classless-static-route, 33:static-route,
dnsmasq-dhcp[1513]: 2999666139 requested options: 3:router,
6:dns-server, 12:hostname, 15:domain-name,
dnsmasq-dhcp[1513]: 2999666139 requested options: 28:broadcast,
42:ntp-server, 51:lease-time,
dnsmasq-dhcp[1513]: 2999666139 requested options: 54:server-identifier,
58:T1, 59:T2, 119:domain-search
dnsmasq-dhcp[1513]: 2999666139 next server: 10.37.59.2
dnsmasq-dhcp[1513]: 2999666139 sent size:  1 option: 53 message-type  5
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option: 54
server-identifier  10.37.59.2
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option: 51 lease-time  6h
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option: 58 T1  3h
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option: 59 T2  5h15m
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option:  1 netmask
255.255.255.192
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option: 28 broadcast
10.37.59.63
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option:  6 dns-server
10.37.59.2
dnsmasq-dhcp[1513]: 2999666139 sent size: 37 option: 15 domain-name
cable.internal.xxx.eu
dnsmasq-dhcp[1513]: 2999666139 sent size:  8 option: 12 hostname  atlantis
dnsmasq-dhcp[1513]: 2999666139 sent size:  4 option:  3 router  10.37.59.1
dnsmasq-dhcp[1513]: 12187573 available DHCP range:
2001:4dd0:ff00:8918:1::2 -- 2001:4dd0:ff00:8918:1:ffff:ffff:fff
dnsmasq-dhcp[1513]: 12187573 vendor class: 40712
dnsmasq-dhcp[1513]: 12187573 client MAC address: 3c:97:0e:b6:c6:c3
dnsmasq-dhcp[1513]: 12187573 client provides name: atlantis
dnsmasq-dhcp[1513]: 12187573 DHCPSOLICIT(eth0)
00:01:00:01:1a:93:42:fa:3c:97:0e:b6:c6:c3
dnsmasq-dhcp[1513]: 12187573 DHCPREPLY(eth0)
2001:4dd0:ff00:8918:1:39f1:8a99:8e9c 00:01:00:01:1a:93:42:fa:3c:97:0e
dnsmasq-dhcp[1513]: 12187573 requested options: 23:dns-server,
24:domain-search, 31:sntp-server,
dnsmasq-dhcp[1513]: 12187573 requested options: 39:FQDN, 82, 83
dnsmasq-dhcp[1513]: 12187573 tags: wired6, dhcpv6, eth0
dnsmasq-dhcp[1513]: 12187573 sent size: 14 option:  1 client-id
00:01:00:01:1a:93:42:fa:3c:97:0e:b6:c6:c3
dnsmasq-dhcp[1513]: 12187573 sent size: 14 option:  2 server-id
00:01:00:01:c7:92:bc:90:12:57:de:ce:e2:65
dnsmasq-dhcp[1513]: 12187573 sent size:  0 option: 14 rapid-commit
dnsmasq-dhcp[1513]: 12187573 sent size: 32 option:  4 ia-ta  IAID=246859459
dnsmasq-dhcp[1513]: 12187573 nest size: 24 option:  5 iaaddr
2001:4dd0:ff00:8918:1:39f1:8a99:8e9c PL=21600 VL=216
dnsmasq-dhcp[1513]: 12187573 sent size:  9 option: 13 status  0 success
dnsmasq-dhcp[1513]: 12187573 sent size:  1 option:  7 preference  0
dnsmasq-dhcp[1513]: 12187573 sent size: 16 option: 23 dns-server
2001:4dd0:ff00:8918:1::1
dnsmasq-dhcp[1513]: 12187573 sent size: 10 option: 39 FQDN  atlantis

[...]

dnsmasq[1513]: query[A] atlantis.cable.internal.xxx.eu from 10.37.59.42
dnsmasq[1513]: DHCP atlantis.cable.internal.xxx.eu is 10.37.59.42
dnsmasq[1513]: query[AAAA] atlantis.cable.internal.xxx.eu from 10.37.59.42
dnsmasq[1513]: forwarded atlantis.cable.internal.xxx.eu to
2001:4ba0:cafe:383::1
dnsmasq[1513]: forwarded atlantis.cable.internal.xxx.eu to 62.141.38.230
dnsmasq[1513]: forwarded atlantis.cable.internal.xxx.eu to 10.37.59.1
dnsmasq[1513]: reply atlantis.cable.internal.xxx.eu is NODATA-IPv6
--------------------------------------

Valete,
Quintus


From albert.aribaud at free.fr  Wed Apr  2 15:59:45 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Wed, 02 Apr 2014 17:59:45 +0200
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533C2C2A.9040605@quintilianus.eu>
References: <533C2C2A.9040605@quintilianus.eu>
Message-ID: <533C33F1.6060102@free.fr>

On 02/04/2014 17:26, Quintus wrote:
> Hi there,

Hi Quintus,

> with DHCPv4, dnsmasq properly converts the hostnames sent to it to A
> records we can query for. It seems however that this is not the case
> with DHCPv6 and AAAA records; while I can perfectly query for the A
> record of "atlantis.cable.internal.xxx.eu" (and even the one of
> "atlantis" without any further qualification is found), querying for its
> AAAA record just returns NXDOMAIN, i.e. it's not found.
>
> Is this a bug, or do I have to enable that feature somehow so it works
> the same for DHCPv6 as it does for DHCPv4?

As per the manpage for dnsmasq, you should set 'ra-names' in the IPv6 
dhcp-range; e.g., instead of

> dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:ffff:ffff:fffe,80,6h
> dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:ffff:ffff:fffe,80,6h

Use

dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:ffff:ffff:fffe,80,6h,ra-names
dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:ffff:ffff:fffe,80,6h,ra-names

From the manpage:

"ra-names enables a mode which gives DNS names to dual-stack hosts which
do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name,
network segment and MAC address and assumes that the host will also have
an IPv6 address calculated using the SLAAC algorithm, on the same network
segment. The address is pinged, and if a reply is received, an AAAA record
is added to the DNS for this IPv6 address. Note that this only happens for
directly-connected networks (not one doing DHCP via a relay) and it will
not work if a host is using privacy extensions. ra-names can be combined
with ra-stateless and slaac."

Kind regards,
-- 
Albert.
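The address that ra-names guesses, as an added example (not dnsmasq's code): it derives the modified EUI-64 interface identifier from the MAC of the IPv4 lease, appends it to a /64 prefix, and refuses any other prefix length, which is why the mechanism has nothing to offer the /80 ranges above. The prefix, MACs and host names used are constructed.

```python
import ipaddress

# Added example, not dnsmasq code: rebuild the address that ra-names expects a
# dual-stack host to configure by SLAAC from the MAC address of its IPv4 lease.
# The interface identifier is the modified EUI-64 of RFC 4291, Appendix A.


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    # Split the OUI from the device part, insert ff:fe between them and
    # flip the universal/local bit (bit 1 of the first octet).
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        # SLAAC needs a 64-bit interface identifier, so there is no address
        # to guess inside an /80 range such as the ones in this thread.
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def ra_names_candidates(v4_leases, prefix):
    """Map each IPv4 lease's name to the IPv6 address ra-names would ping.

    `v4_leases` is an iterable of (hostname, mac) pairs taken from the DHCPv4
    leases. dnsmasq only adds the AAAA record if the ping is answered, which a
    host running privacy extensions (RFC 4941) will not do, because its real
    interface identifier is random rather than EUI-64.
    """
    return {name: slaac_address(prefix, mac) for name, mac in v4_leases}


if __name__ == "__main__":
    # Constructed lease data and prefix, not taken from the thread.
    leases = [("atlantis", "00:11:22:33:44:55"), ("poseidon", "00:11:22:33:44:66")]
    for name, addr in ra_names_candidates(leases, "2001:4dd0:ff00:8918::/64").items():
        print(f"{name} -> {addr}")
```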


From dave.taht at gmail.com  Wed Apr  2 16:05:02 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 2 Apr 2014 09:05:02 -0700
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533C33F1.6060102@free.fr>
References: <533C2C2A.9040605@quintilianus.eu>
	<533C33F1.6060102@free.fr>
Message-ID: <CAA93jw6Vj37izOC5O0Z-w7Y3xd0mcWDWJQ4JCSj2KxqRC8Hwtg@mail.gmail.com>

On Wed, Apr 2, 2014 at 8:59 AM, Albert ARIBAUD <albert.aribaud at free.fr> wrote:
> On 02/04/2014 17:26, Quintus wrote:
>>
>> Hi there,
>
>
> Hi Quintus,
>
>
>> with DHCPv4, dnsmasq properly converts the hostnames sent to it to A
>> records we can query for. It seems however that this is not the case
>> with DHCPv6 and AAAA records; while I can perfectly query for the A
>> record of "atlantis.cable.internal.xxx.eu" (and even the one of
>> "atlantis" without any further qualification is found), querying for its
>> AAAA record just returns NXDOMAIN, i.e. it's not found.
>>
>> Is this a bug, or do I have to enable that feature somehow so it works
>> the same for DHCPv6 as it does for DHCPv4?
>
>
> As per the manpage for dnsmasq, you should set 'ra-names' in the IPv6
> dhcp-range? e.g., instead of
>
>
>>
>> dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:ffff:ffff:fffe,80,6h
>>
>> dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:ffff:ffff:fffe,80,6h
>
>
> Use
>
> dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:ffff:ffff:fffe,80,6h,ra-names
> dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:ffff:ffff:fffe,80,6h,ra-names
>
> From the manpage:
>
> "ra-names  enables  a  mode  which  gives DNS names to dual-stack
> hosts which do SLAAC for IPv6.  Dnsmasq  uses  the  host's  IPv4
> lease  to  derive  the name, network segment and MAC address and
> assumes that the host will also have an IPv6 address  calculated
> using  the  SLAAC  algorithm,  on  the same network segment. The
> address is pinged, and if a reply is received, an AAAA record is
> added  to  the DNS for this IPv6 address. Note that this is only
> happens for directly-connected networks, (not one doing DHCP via
> a  relay) and it will not work if a host is using privacy exten-
> sions.  ra-names can be combined  with ra-stateless and slaac."

There is even an internet draft on this... not that it's found a home
within any working groups:

http://tools.ietf.org/html/draft-taht-kelley-hunt-dhcpv4-to-slaac-naming-00

> Kind regards,
> --
> Albert.
>



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html


From quintus at quintilianus.eu  Wed Apr  2 17:08:21 2014
From: quintus at quintilianus.eu (Quintus)
Date: Wed, 02 Apr 2014 19:08:21 +0200
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533C33F1.6060102@free.fr>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
Message-ID: <533C4405.2060603@quintilianus.eu>

Hi Albert,

On 02.04.2014 17:59, Albert ARIBAUD wrote:
> "ra-names  enables  a  mode  which  gives DNS names to dual-stack
> hosts which do SLAAC for IPv6.  

I am aware of the ra-names option, but as far as I understand the
manpage, it is specifically targeted at SLAAC network setups. In my
network I'm not doing SLAAC, but stateful DHCPv6, so that this option
won't work. SLAAC does not work at all with /80 subnets.

> Kind regards,

Vale,
Quintus



From simon at thekelleys.org.uk  Wed Apr  2 18:34:35 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 02 Apr 2014 19:34:35 +0100
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533C4405.2060603@quintilianus.eu>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu>
Message-ID: <533C583B.8050108@thekelleys.org.uk>


On 02/04/14 18:08, Quintus wrote:
> Hi Albert,
> 
> On 02.04.2014 17:59, Albert ARIBAUD wrote:
>> "ra-names  enables  a  mode  which  gives DNS names to
>> dual-stack hosts which do SLAAC for IPv6.
> 
> I am aware of the ra-names option, but as far as I understand the 
> manpage, it is specifically targeted at SLAAC network setups. In
> my network I'm not doing SLAAC, but stateful DHCPv6, so that this
> option won't work. SLAAC does not work at all with /80 subnets.
> 

Yes, slaac is not relevant here.

Please could you do the following?

1) Check the dnsmasq leases file (normally
/var/lib/misc/dnsmasq.leases) to see if the name "atlantis" appears in
the relevant DHCPv6 lease?

2) See if the plain name (not FQDN) resolves

 dig atlantis AAAA

3) See if atlantis.internal.xxx.eu resolves.

 dig atlantis.internal.xxx.eu AAAA


It looks like maybe the

domain=<IPv6 subnet>, <domain-name>

option is possibly broken.


Cheers,

Simon.



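Step 1 of the checklist above, done offline, as an added example that is not part of the thread or of dnsmasq: a reader for dnsmasq.leases that reports which DHCPv6 leases carry a hostname. The line layout is an assumption of this example (one "duid" line holding the server DUID; IPv4 lines as "expiry MAC address hostname client-id"; IPv6 lines as "expiry IAID address hostname DUID" with "*" for no hostname and a leading "T" on the IAID of a temporary-address lease), and the sample file is constructed.

```python
import ipaddress

# Added example, not dnsmasq code. Assumed dnsmasq.leases layout (see lead-in):
#   duid <server DUID>
#   <expiry> <MAC>  <IPv4 address> <hostname|*> <client-id>
#   <expiry> <IAID> <IPv6 address> <hostname|*> <DUID>     ("T" before IAID = IA_TA)

# Constructed sample; addresses, names and identifiers are not from the thread.
SAMPLE_LEASES = """\
duid 00:01:00:01:1a:2b:3c:4d:00:aa:bb:cc:dd:ee
1396543200 00:11:22:33:44:55 10.37.59.42 atlantis 01:00:11:22:33:44:55
1396543200 T123456 2001:4dd0:ff00:8918:1:0:0:1234 * 00:01:00:01:1a:2b:3c:4e:00:11:22:33:44:55
1396543300 00:11:22:33:44:66 10.37.59.43 poseidon 01:00:11:22:33:44:66
1396543300 654321 2001:4dd0:ff00:8918:1:0:0:abcd poseidon 00:01:00:01:1a:2b:3c:4f:00:11:22:33:44:66
"""


def parse_leases(text):
    """Return one dict per lease line; the server DUID line is skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "duid":
            continue
        if len(fields) < 4:
            raise ValueError(f"unexpected lease line: {line!r}")
        expiry, ident, addr, name = fields[:4]
        address = ipaddress.ip_address(addr)
        leases.append({
            "expiry": int(expiry),
            "id": ident,  # MAC for IPv4, IAID for IPv6
            "address": address,
            "name": None if name == "*" else name,
            "temporary": address.version == 6 and ident.startswith("T"),
        })
    return leases


def lease_names(leases):
    """{4: {name: [addr, ...]}, 6: {...}}: the names dnsmasq can answer A/AAAA for."""
    names = {4: {}, 6: {}}
    for lease in leases:
        if lease["name"]:
            family = names[lease["address"].version]
            family.setdefault(lease["name"], []).append(str(lease["address"]))
    return names


def unnamed_v6(leases):
    """IPv6 leases that will never yield an AAAA record, each with a reason."""
    return [
        (str(l["address"]), "temporary address" if l["temporary"] else "no hostname sent")
        for l in leases
        if l["address"].version == 6 and not l["name"]
    ]


if __name__ == "__main__":
    parsed = parse_leases(SAMPLE_LEASES)
    print(lease_names(parsed))
    for address, reason in unnamed_v6(parsed):
        print(f"no AAAA possible for {address}: {reason}")
```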

From simon at thekelleys.org.uk  Wed Apr  2 20:24:25 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 02 Apr 2014 21:24:25 +0100
Subject: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not
 appear to work for me.
In-Reply-To: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>
References: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>
Message-ID: <533C71F9.8030901@thekelleys.org.uk>

On 02/04/14 11:46, David Beveridge wrote:
> So I have a few static hosts defined in /etc/hosts and I want to
> serve authoritative records for them.
> I also have some machines which get address via dhcp and slaac which I want
> to publish using synth-domain.
> 
> Each option works alone, but when I mix the options
> eg
> auth-zone=thekelleys.org.uk,192.168.0.0/24
> synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-
> 
> with synth-domain only
> # dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
> ;; ANSWER SECTION:
> internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56
> 
> with both defined, no answer is returned.
> eg
> root at ns1 /etc/dnsmasq.d # dig internal-192-168-0-56.thekelleys.org.uk @
> 223.27.66.79
> 
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>>
> internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 768
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;internal-192-168-0-56.thekelleys.org.uk. IN A
> 
> ;; Query time: 0 msec
> ;; SERVER: 223.27.66.79#53(223.27.66.79)
> ;; WHEN: Wed Apr  2 21:30:13 2014
> ;; MSG SIZE  rcvd: 57
> 
> 
> The behaviour is the same for IPv6.

This is, I think, just an oversight. synth-domain certainly generates
"Locally defined DNS records" which is what the auth-zone is specified
to contain.

> 
> regards,
> dave.
> 
> PS: any reason why synth-domain is limited to /64 for IPv6?

Prefix length has to be greater than or equal to 64, is that what you
mean?  It's about implementation convenience. C doesn't provide an
integer data type larger than 64 bits for doing masking of the
address part.

Cheers,

Simon.









From simon at thekelleys.org.uk  Wed Apr  2 20:38:20 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 02 Apr 2014 21:38:20 +0100
Subject: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not
 appear to work for me.
In-Reply-To: <533C71F9.8030901@thekelleys.org.uk>
References: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>
 <533C71F9.8030901@thekelleys.org.uk>
Message-ID: <533C753C.10006@thekelleys.org.uk>

On 02/04/14 21:24, Simon Kelley wrote:

> 
> This is, I think, just an oversight. synth-domain certainly generates
> "Locally defined DNS records" which is what the auth-zone is specified
> to contain.
> 

Actually, there is a reason. It doesn't in general make sense to include
the records created by synth-domain in a zone transfer, since there are
likely to be a lot of them. They could be included in answers for the
auth-zone, at the expense of the additional complication that the zone
answered by dnsmasq becomes no longer exactly the zone that's transferred
to a secondary (since the synth-domain answers can't be included in the
transfer).


Simon.




From olivier at core-hosting.net  Wed Apr  2 21:32:17 2014
From: olivier at core-hosting.net (Olivier Mauras)
Date: Wed, 02 Apr 2014 23:32:17 +0200
Subject: [Dnsmasq-discuss] Per entry TTL override
In-Reply-To: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>
References: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>
Message-ID: <1396474337.14875.29.camel@tiptop.internal>



On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
> Hello,
> 
> Is it thinkable to allow a per entry TTL override system ?
> I have actually two different needs that i'd like to discuss.
> First NXDOMAINS. I'd like to cache NXDOMAIN from some forwarded
> domains to a specific value. Cache time based on default SOA TTL may
> be too long in some cases and requires a manual cache refresh :(
> Easy example: 
> Infra team provisions a new server and ping the hostname asked to see
> if it's not already taken - Yes they could act differently
> It's not, so result is cached and will stay for 1H - default SOA TTL.
> Server provisioning takes 10mn, and hostname is still cached as NX for
> 50mn :(
> 
> Second is entry override. Some specific DNS entries could have a
> different TTL than the default one - But not globally per entry gives
> much more flexibility :)
> 
> 
> Would that make sense to have a binding for request replies - like the
> dhcp lua script support - or would this make more sense as specific
> hardcoded options? If this makes any sense at all indeed :)
> 
> 
> Thanks,
> Olivier
> 

Seems like I had a double neg-ttl declared in my config and on my command
line at the same time, which made it not be handled correctly...
Also it seems that no matter what neg-ttl is set to, the first NXDOMAIN on
a cold cache always gets the SOA TTL; am I missing something?


Any feedback on per entry TTL override ?


Thanks,
Olivier

From dave.taht at gmail.com  Thu Apr  3 01:37:28 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 2 Apr 2014 18:37:28 -0700
Subject: [Dnsmasq-discuss] dnssec on android?
Message-ID: <CAA93jw4wng2NBbqiEXFRyoKMD6Qaqs_Qv73srPj0_vzzs8K4Eg@mail.gmail.com>

It looks like there will be some issues getting dnssec on
on android by switching to dnsmasq:

https://code.google.com/p/android/issues/detail?id=65510

What is dnsmasq's behavior on how/when to switch to tcp?

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html


From craig.mcqueen at beamcommunications.com  Thu Apr  3 06:22:19 2014
From: craig.mcqueen at beamcommunications.com (Craig McQueen)
Date: Thu, 3 Apr 2014 17:22:19 +1100
Subject: [Dnsmasq-discuss] DNS resolving local names with multiple DNS
	servers
Message-ID: <533CFE1B.3010800@beamcommunications.com>

I've got an Ubuntu 13.04 Linux PC connected to two networks:

* Internet connection
* Router providing a local network (Wi-Fi) with DNS serving local names 
(example.lan)

Via NetworkManager, dnsmasq is set up with the DNS server IP addresses 
for these two networks.

The PC is having trouble getting the local names in example.lan, because 
it seems dnsmasq is using the Internet connection DNS server for the 
example.lan query, and that is returning NXDOMAIN response. Rather than 
waiting for a better response from the local DNS server (which is local 
but responding more slowly due to being over Wi-Fi), it is just passing 
the NXDOMAIN response to the client. At least, I think that's what is 
happening; please tell me if I'm wrong.

What I'd hope for is for dnsmasq to not just use the first response it 
gets, but use the first response that's not NXDOMAIN. I think the Linux 
resolver (/etc/resolv.conf) does this, and it would be great if dnsmasq 
could use the same algorithm. Could dnsmasq support this algorithm?


Note--I suppose one response might be to specify the example.lan domain 
in one 'server' parameter of the dnsmasq config. Two problems:

1) dnsmasq is being used from NetworkManager, and it seems 
NetworkManager is only telling dnsmasq the DNS IP addresses (via D-Bus) 
to dnsmasq, and not telling it any domain names (even if I enter the 
example.lan in the NetworkManager "extra search domain" config).

2) The router providing the local network is a remote dial-up device 
which can optionally provide a (slow) dial-up connection to the 
Internet. In that case, it becomes a general Internet connection, so I 
don't want to restrict it to just "example.lan".

Regards,
Craig McQueen



From dave at bevhost.com  Thu Apr  3 07:14:28 2014
From: dave at bevhost.com (David Beveridge)
Date: Thu, 3 Apr 2014 17:14:28 +1000
Subject: [Dnsmasq-discuss] Fwd: mixing synth-domain and auth-domain does not
 appear to work for me.
In-Reply-To: <CAM9f+Zxnj2Bqa38Gb9FSW2jfR8mZvKUOz4BEhGTshpr0F55Zdw@mail.gmail.com>
References: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>
 <533C71F9.8030901@thekelleys.org.uk>
 <CAM9f+Zxnj2Bqa38Gb9FSW2jfR8mZvKUOz4BEhGTshpr0F55Zdw@mail.gmail.com>
Message-ID: <CAM9f+ZycxzFLjQAXONQCkhS2vnWeY0up=uJerMfc70r7yqUiCA@mail.gmail.com>

On Thu, Apr 3, 2014 at 6:24 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
> On 02/04/14 11:46, David Beveridge wrote:
> > So I have a few static hosts defined in /etc/hosts and I want to
> > serve authoritative records for them.
> > I also have some machines which get address via dhcp and slaac which I want
> > to publish using synth-domain.
> >
> > Each option works alone, but when I mix the options
> > eg
> > auth-zone=thekelleys.org.uk,192.168.0.0/24
> > synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-
> >
> > with synth-domain only
> > # dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
> > ;; ANSWER SECTION:
> > internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56
> >
> > with both defined, no answer is returned.
> >
> >
> > The behaviour is the same for IPv6.
>
> This is, I think, just an oversight. synth-domain certainly generates
> "Locally defined DNS records" which is what the auth-zone is specified
> to contain.
>

So if the auth-domain exists and the lookup fails there it does not try to
do a lookup in synth-domain.  I'm not sure how commonly people
might want to do that.

> >
> > regards,
> > dave.
> >
> > PS: any reason why synth-domain is limited to /64 for IPv6?
>
> Prefix length has to be greater than or equal to 64, is that what you
> mean?  It's about implementation convenience. C doesn't provide an
> integer data type larger than 64 bits for doing masking of the
> address part.
>

Fair enough.  So I have a copy of dnsmasq running on my bind dns server
just to handle the synthetic reverse (which bind can't do), so each /64
needs to be individually configured in dnsmasq.  It's good to know why.

I can't just get lazy and synth a whole /48 or /32.
Probably out of scope for what dnsmasq is designed for anyway.

dave

> Cheers,
>
> Simon.
>


From craig.mcqueen at beamcommunications.com  Thu Apr  3 07:22:53 2014
From: craig.mcqueen at beamcommunications.com (Craig McQueen)
Date: Thu, 3 Apr 2014 18:22:53 +1100
Subject: [Dnsmasq-discuss] PTR records with auth-zone and auth-server
Message-ID: <533D0C4D.5070603@beamcommunications.com>

I'm using dnsmasq 2.68. It's mostly working, however I'm having a few 
troubles with PTR records when using auth-zone and auth-server. If I use 
these options, then:

* PTR look-up of IP addresses defined by interface-name=example.lan,br0 
return an answer, but the returned status is NXDOMAIN rather than NOERROR.
* No custom PTR records can be defined with ptr-record.

If I remove the auth-zone and auth-server options, then PTR records work 
as expected.

Is there a good reason that this isn't working when using auth-zone and 
auth-server options?

Regards,
Craig McQueen



From dave at bevhost.com  Thu Apr  3 07:35:32 2014
From: dave at bevhost.com (David Beveridge)
Date: Thu, 3 Apr 2014 17:35:32 +1000
Subject: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not
 appear to work for me.
In-Reply-To: <533C753C.10006@thekelleys.org.uk>
References: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>
 <533C71F9.8030901@thekelleys.org.uk> <533C753C.10006@thekelleys.org.uk>
Message-ID: <CAM9f+Zxidt5u-DyiCOvva6znpNi4BBTLZ-1NuWPBwAYN4o1fbA@mail.gmail.com>

On Thu, Apr 3, 2014 at 6:38 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 02/04/14 21:24, Simon Kelley wrote:
>
>>
>> This is, I think, just an oversight. synth-domain certainly generates
>> "Locally defined DNS records" which is what the auth-zone is specified
>> to contain.
>>
>
> Actually, there is a reason. It doesn't in general make sense to include
> the records created by synth-domain in a zone transfer, since there are
> likely to be a lot of them. They could be included in answers for the
> auth-zone, at the expense of the additional complication that the zone
> answered by dnsmasq becomes no longer exactly the zone that's transferred
> to a secondary (since the synth-domain answers can't be included in the
> transfer).
>

I agree, you definitely would not want to zone transfer the entire synth zone
just the records from the auth zone.  Actually, once you introduce synth
records to a zone, transferring it is not practical at all.

I think I have misunderstood what auth-zone does.
It seems it is not required in this situation.

I just tested and discovered that:- If I remove the auth-zone statement from
the config file the synth-zone will still serve records it finds in /etc/hosts.
In this way I can still have a mixed zone with manually created records and
synthesized records in the same zone.

The synth-domain kind of implies that the zone is authoritative,
so no need for the auth-zone statement as well.

dave


From simon at thekelleys.org.uk  Thu Apr  3 08:50:51 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 03 Apr 2014 09:50:51 +0100
Subject: [Dnsmasq-discuss] dnssec on android?
In-Reply-To: <CAA93jw4wng2NBbqiEXFRyoKMD6Qaqs_Qv73srPj0_vzzs8K4Eg@mail.gmail.com>
References: <CAA93jw4wng2NBbqiEXFRyoKMD6Qaqs_Qv73srPj0_vzzs8K4Eg@mail.gmail.com>
Message-ID: <533D20EB.5010904@thekelleys.org.uk>

On 03/04/14 02:37, Dave Taht wrote:
> It looks like there will be some issues getting dnssec on
> on android by switching to dnsmasq:
> 
> https://code.google.com/p/android/issues/detail?id=65510
> 
> What is dnsmasq's behavior on how/when to switch to tcp?
> 

If the client uses UDP to query dnsmasq, then dnsmasq will use UDP to
query upstream. If the client uses TCP to query dnsmasq, then dnsmasq
uses TCP to query upstream. The same applies to DNSKEY and DS queries,
UDP if the original query came by UDP, TCP if TCP.

The normal situation is: client queries dnsmasq over UDP, dnsmasq
queries upstream over UDP, response is truncated, truncated response
returned to client. Client retries over TCP, dnsmasq queries upstream
over TCP, all is good.


The same situation applies with DNSSEC, with one additional wrinkle:
it's possible that the answer to the actual query comes back
untruncated over UDP, but a subsequent query needed to do validation (i.e.
getting DNSKEY or DS records) is truncated. In this case, dnsmasq marks
the original answer as truncated itself and returns it, so that the
client will retry using TCP.

Cheers,


Simon.
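The transport rules described above, as an added Python model that is not dnsmasq code: the upstream transport mirrors the client's, a truncated upstream reply is passed back as-is, and a validation sub-query that is truncated over UDP causes an otherwise complete answer to be returned with TC set so the client retries over TCP. The zone name, record sizes and 512-byte UDP limit are constructed.

```python
from dataclasses import dataclass

# Added example, not dnsmasq code: a toy model of the UDP/TCP and DNSSEC
# truncation behaviour described in the message above.

UDP_PAYLOAD_MAX = 512  # constructed: the upstream truncates anything larger over UDP

# Constructed upstream data: wire sizes chosen so the A answer fits in a UDP
# reply, the TXT answer does not, and the DNSKEY RRset (typical for DNSSEC)
# does not. DS is served here for simplicity; in reality it sits at the parent.
UPSTREAM_SIZES = {
    ("example.com", "A"): 120,
    ("example.com", "TXT"): 900,
    ("example.com", "DNSKEY"): 1400,
    ("example.com", "DS"): 200,
}


@dataclass
class Answer:
    name: str
    rtype: str
    size: int            # bytes that reached the requester
    truncated: bool = False  # the DNS header TC bit


def upstream_query(name: str, rtype: str, transport: str) -> Answer:
    """Constructed upstream server: sets TC when a UDP reply would not fit."""
    size = UPSTREAM_SIZES[(name, rtype)]
    if transport == "udp" and size > UDP_PAYLOAD_MAX:
        return Answer(name, rtype, UDP_PAYLOAD_MAX, truncated=True)
    return Answer(name, rtype, size)


def forward(name: str, rtype: str, client_transport: str, dnssec: bool = True) -> Answer:
    """Forwarder: upstream transport mirrors the client's transport."""
    answer = upstream_query(name, rtype, client_transport)
    if answer.truncated or not dnssec:
        # A truncated answer goes back unchanged; the client retries over TCP.
        return answer
    # Validation needs the zone's DNSKEY and DS, fetched over the same transport.
    for vtype in ("DNSKEY", "DS"):
        if upstream_query(name, vtype, client_transport).truncated:
            # The wrinkle: the real answer was complete, but it cannot be
            # validated over UDP, so hand it back marked truncated instead.
            return Answer(answer.name, answer.rtype, answer.size, truncated=True)
    return answer


def resolve_with_retry(name: str, rtype: str, dnssec: bool = True):
    """Client side: try UDP, then TCP if the reply carried TC."""
    tried = []
    for transport in ("udp", "tcp"):
        tried.append(transport)
        answer = forward(name, rtype, transport, dnssec)
        if not answer.truncated:
            return answer, tried
    raise RuntimeError("answer still truncated over TCP")


if __name__ == "__main__":
    answer, tried = resolve_with_retry("example.com", "A")
    print(f"{answer.rtype} answer of {answer.size} bytes after {tried}")
```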






From quintus at quintilianus.eu  Thu Apr  3 15:47:04 2014
From: quintus at quintilianus.eu (Quintus)
Date: Thu, 03 Apr 2014 17:47:04 +0200
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533C583B.8050108@thekelleys.org.uk>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu> <533C583B.8050108@thekelleys.org.uk>
Message-ID: <533D8278.2030904@quintilianus.eu>

Hi Simon,

Am 02.04.2014 20:34, schrieb Simon Kelley:
> Please could you do the following?
>
> 1) Check the dnsmasq leases file (normally
> /var/lib/misc/dnsmasq.leases) to see if the name "atlantis" appears in
> the relevant DHCPv6 lease?

It only appears for DHCPv4 leases, but not DHCPv6 ones. Here's the full
contents of the lease file: http://pastie.org/8991576

> 2) See if the plain name (not FQDN) resolves
>
>  dig atlantis AAAA

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13397
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.			IN	AAAA

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:31:02 2014
;; MSG SIZE  rcvd: 26
-----------------------------------------

> 3) See if atlantis.internal.xxx.eu resolves.
>
>  dig atlantis.internal.xxx.eu AAAA

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55319
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.internal.xxx.eu. IN AAAA

;; AUTHORITY SECTION:
xxx.eu.	2560	IN	SOA	ns.yyy.de. hostmaster.xxx.eu. 1391783412 16384 2048
1048576 2560

;; Query time: 56 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:35:04 2014
;; MSG SIZE  rcvd: 124
-----------------------------------------

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33135
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.	IN AAAA

;; Query time: 100 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:31:22 2014
;; MSG SIZE  rcvd: 75
-----------------------------------------

Normal A records resolve just fine.

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31147
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.			IN	A

;; ANSWER SECTION:
atlantis.		0	IN	A	10.37.59.42

;; Query time: 9 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:30:55 2014
;; MSG SIZE  rcvd: 42
-----------------------------------------

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10528
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.	IN A

;; ANSWER SECTION:
atlantis.cable.internal.xxx.eu.	0 IN A 10.37.59.42

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:31:15 2014
;; MSG SIZE  rcvd: 80
-----------------------------------------

This one (of course) does not:

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27999
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.internal.xxx.eu. IN A

;; AUTHORITY SECTION:
xxx.eu.	2389	IN	SOA	ns.yyy.de. hostmaster.xxx.eu. 1391783412 16384 2048
1048576 2560

;; Query time: 35 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:37:54 2014
;; MSG SIZE  rcvd: 124
-----------------------------------------

I have however discovered a strange thing. If I send the same queries
from another computer (which is in the same subnet and domain), dnsmasq
doesn't resolve the unqualified name:

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> altantis A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34618
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;altantis.			IN	A

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:39:40 2014
;; MSG SIZE  rcvd: 26
-----------------------------------------

The FQDN is OK:

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6200
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.	IN A

;; ANSWER SECTION:
atlantis.cable.internal.xxx.eu.	0 IN A 10.37.59.42

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:39:53 2014
;; MSG SIZE  rcvd: 80
-----------------------------------------

And this one errors as expected:

-----------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54270
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.internal.xxx.eu. IN A

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Thu Apr  3 17:40:06 2014
;; MSG SIZE  rcvd: 58
-----------------------------------------

AAAA records are never resolved.

> Cheers,
>
> Simon.

Vale,
Quintus

-- 
Blog: http://www.quintilianus.eu

I will reject HTML emails.     | Ich akzeptiere keine HTML-Nachrichten.
                               |
Use GnuPG for mail encryption: | GnuPG für Mail-Verschlüsselung:
http://www.gnupg.org           | http://gnupg.org/index.de.html


From simon at thekelleys.org.uk  Thu Apr  3 18:38:51 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 03 Apr 2014 19:38:51 +0100
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533D8278.2030904@quintilianus.eu>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu> <533C583B.8050108@thekelleys.org.uk>
 <533D8278.2030904@quintilianus.eu>
Message-ID: <533DAABB.6080300@thekelleys.org.uk>


On 03/04/14 16:47, Quintus wrote:
> Hi Simon,
> 
> Am 02.04.2014 20:34, schrieb Simon Kelley:
>> Please could you do the following?
>> 
>> 1) Check the dnsmasq leases file (normally 
>> /var/lib/misc/dnsmasq.leases) to see if the name "atlantis"
>> appears in the relevant DHCPv6 lease?
> 
> It only appears for DHCPv4 leases, but not DHCPv6 ones. Here's the
> full contents of the lease file: http://pastie.org/8991576


OK, that explains why there is no hostname resolution. I can also explain
why the name is not being associated with the lease: it's because you're
asking for a temporary address lease.

I'm not entirely sure why naming is disabled for temporary address
leases. I probably thought that it's inherently not sensible to give
ephemeral and ever-changing addresses entries in the DNS.

Certainly, if there's no other reason not to, you can solve this
problem by reconfiguring your client to ask for a non-temporary address.


Cheers,

Simon.


> 
>> 2) See if the plain name (not FQDN) resolves
>> 
>> dig atlantis AAAA
> 
> ----------------------------------------- ; <<>> DiG 9.9.2-P2 <<>>
> atlantis AAAA ;; global options: +cmd ;; Got answer: ;;
> ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13397 ;; flags: qr
> rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION: ;atlantis.			IN	AAAA
> 
> ;; Query time: 1 msec ;; SERVER: 10.37.59.2#53(10.37.59.2) ;; WHEN:
> Thu Apr  3 17:31:02 2014 ;; MSG SIZE  rcvd: 26 
> -----------------------------------------
> 
>> 3) See if atlantis.internal.xxx.eu resolves.
>> 
>> dig atlantis.internal.xxx.eu AAAA
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu AAAA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55319
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.internal.xxx.eu.	IN	AAAA
> 
> ;; AUTHORITY SECTION:
> xxx.eu.	2560	IN	SOA	ns.yyy.de. hostmaster.xxx.eu. 1391783412 16384 2048 1048576 2560
> 
> ;; Query time: 56 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:35:04 2014
> ;; MSG SIZE  rcvd: 124
> -----------------------------------------
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu AAAA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33135
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;atlantis.cable.internal.xxx.eu.	IN AAAA
> 
> ;; Query time: 100 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:31:22 2014
> ;; MSG SIZE  rcvd: 75
> -----------------------------------------
> 
> Normal A records resolve just fine.
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31147
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.			IN	A
> 
> ;; ANSWER SECTION:
> atlantis.		0	IN	A	10.37.59.42
> 
> ;; Query time: 9 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:30:55 2014
> ;; MSG SIZE  rcvd: 42
> -----------------------------------------
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10528
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.cable.internal.xxx.eu.	IN A
> 
> ;; ANSWER SECTION:
> atlantis.cable.internal.xxx.eu.	0 IN A 10.37.59.42
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:31:15 2014
> ;; MSG SIZE  rcvd: 80
> -----------------------------------------
> 
> This one (of course) does not:
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27999
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.internal.xxx.eu.	IN	A
> 
> ;; AUTHORITY SECTION:
> xxx.eu.	2389	IN	SOA	ns.yyy.de. hostmaster.xxx.eu. 1391783412 16384 2048 1048576 2560
> 
> ;; Query time: 35 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:37:54 2014
> ;; MSG SIZE  rcvd: 124
> -----------------------------------------
> 
> I have however discovered a strange thing. If I send the same
> queries from another computer (which is in the same subnet and
> domain), dnsmasq doesn't resolve the unqualified name:
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> altantis A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34618
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;altantis.			IN	A
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:39:40 2014
> ;; MSG SIZE  rcvd: 26
> -----------------------------------------
> 
> The FQDN is OK:
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6200
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.cable.internal.xxx.eu.	IN A
> 
> ;; ANSWER SECTION:
> atlantis.cable.internal.xxx.eu.	0 IN A 10.37.59.42
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:39:53 2014
> ;; MSG SIZE  rcvd: 80
> -----------------------------------------
> 
> And this one errors as expected:
> 
> -----------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54270
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.internal.xxx.eu.	IN	A
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Thu Apr  3 17:40:06 2014
> ;; MSG SIZE  rcvd: 58
> -----------------------------------------
> 
> AAAA records are never resolved.
> 
>> Cheers,
>> 
>> Simon.
> 
> Vale, Quintus
> 
> 
> 
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 


From egilam_ at hotmail.com  Thu Apr  3 19:27:40 2014
From: egilam_ at hotmail.com (Egil Aspevik Martinsen)
Date: Thu, 3 Apr 2014 21:27:40 +0200
Subject: [Dnsmasq-discuss] Using DNSMasq as a DNS sinkhole server
Message-ID: <DUB128-W4591D8E03E737AD0F9B2E79B6C0@phx.gbl>

Hi, I want to setup my Raspberry PI as a DNS sinkhole server using DNSMASQ. Does anyone have experience with using DNSMASQ for this purpose? The DNS sinkhole lists are relatively large (currently the list from www[DOT]malware-domains[DOT]com contains about 18000 domains), and my first suspicion was that this might be too big for DNSMASQ to tackle, at least on a raspberry pi.
Thanks!
BR, Egil Aspevik 		 	   		  
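As an added example (my own code, not Egil's setup and not part of dnsmasq), here is a small generator that turns a block list into the `address=/domain/0.0.0.0` lines dnsmasq reads. It drops entries whose parent domain is also listed, because one `address=` line already makes dnsmasq answer for every name under that domain, so the list dnsmasq has to load shrinks before it reaches the Pi. The sample list is constructed and is not the malware-domains list mentioned in the post.

```python
"""Generate a dnsmasq sinkhole configuration from a domain block list.

Added example, not Egil's setup and not dnsmasq code.  Each surviving domain
becomes an address=/domain/0.0.0.0 line, which makes dnsmasq answer that name
and every name below it with 0.0.0.0.  Because one line already covers the
whole subtree, entries whose parent domain is also listed are dropped, which
trims large lists before dnsmasq has to parse them.  The sample list is
constructed; it is not the malware-domains list mentioned in the post.
"""
import re

SINK_ADDR = "0.0.0.0"
# One DNS label: 1-63 chars of a-z, 0-9 or '-', not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

SAMPLE_LIST = """\
# constructed sample block list
bad.example
www.bad.example           # redundant: bad.example already covers it
tracker.example.net
0.0.0.0 ads.example.org   # hosts-file style line, domain is the last field
not a domain
localhost                 # single label: never sinkhole a bare name
"""


def normalize(line):
    """Return a lowercase domain from one list line, or None to skip it."""
    line = line.split("#", 1)[0].strip()           # drop comments
    if not line:
        return None
    domain = line.split()[-1].lower().rstrip(".")  # last field, no trailing dot
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        return None
    return domain


def collapse(domains):
    """Drop domains already covered by a listed parent; return a sorted list."""
    keep = set()
    # Parents have fewer labels, so process shorter names first.
    for d in sorted(set(domains), key=lambda s: s.count(".")):
        labels = d.split(".")
        if any(".".join(labels[i:]) in keep for i in range(1, len(labels))):
            continue
        keep.add(d)
    return sorted(keep)


def sinkhole_domains(text):
    """Parse a block list and return the collapsed domain list."""
    return collapse(d for d in map(normalize, text.splitlines()) if d)


def build_config(text, sink=SINK_ADDR):
    """Render the dnsmasq configuration text for a block list."""
    return "".join(f"address=/{d}/{sink}\n" for d in sinkhole_domains(text))


if __name__ == "__main__":
    print(build_config(SAMPLE_LIST), end="")
```

Write the output to its own file and load it with `conf-file=` (or drop it into the directory named by `conf-dir=`), then restart dnsmasq; the single-label and non-domain lines are rejected on purpose, since a bad entry in a list this size would otherwise blackhole far more than intended.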

From simon at thekelleys.org.uk  Thu Apr  3 20:28:17 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 03 Apr 2014 21:28:17 +0100
Subject: [Dnsmasq-discuss] PTR records with auth-zone and auth-server
In-Reply-To: <533D0C4D.5070603@beamcommunications.com>
References: <533D0C4D.5070603@beamcommunications.com>
Message-ID: <533DC461.7010609@thekelleys.org.uk>

On 03/04/14 08:22, Craig McQueen wrote:
> I'm using dnsmasq 2.68. It's mostly working, however I'm having a few
> troubles with PTR records when using auth-zone and auth-server. If I use
> these options, then:
> 
> * PTR look-up of IP addresses defined by interface-name=example.lan,br0
> return an answer, but the returned status is NXDOMAIN rather than NOERROR.

That's a bug, nasty one. Fix pushed to git,

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=10068600f889338d942c7206c98e889bb3a17d57

Thanks for the heads-up.

> * No custom PTR records can be defined with ptr-record.


That's behaving as documented, --ptr-record doesn't appear in the list
of data included in an authoritative zone given in the AUTHORITATIVE
CONFIGURATION section of the man page. The reason is, I think, that
PTR-records can have any name, not just w.x.y.x.in-addr.arpa. It's
therefore difficult to use the subnet(s) associated with an auth-zone to
filter them. It would be possible to filter on the name using the domain
associated with an auth zone, and filter w.x.y.x.in-addr.arpa on the
subnet. That's quite complex to understand/document/use.


> 
> If I remove the auth-zone and auth-server options, then PTR records work
> as expected.
> 
> Is there a good reason that this isn't working when using auth-zone and
> auth-server options?


See above: I'm interested in opinions on the PTR thing.


Cheers

Simon.

> 
> Regards,
> Craig McQueen
> 
> 
> 



From simon at thekelleys.org.uk  Thu Apr  3 20:37:59 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 03 Apr 2014 21:37:59 +0100
Subject: [Dnsmasq-discuss] Per entry TTL override
In-Reply-To: <1396474337.14875.29.camel@tiptop.internal>
References: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>
 <1396474337.14875.29.camel@tiptop.internal>
Message-ID: <533DC6A7.2040009@thekelleys.org.uk>

On 02/04/14 22:32, Olivier Mauras wrote:
> 
> 
> On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
>> Hello,
>> 
>> Is it thinkable to allow a per entry TTL override system ? I have
>> actually two different needs that i'd like to discuss. First
>> NXDOMAINS. I'd like to cache NXDOMAIN from some forwarded domains
>> to a specific value. Cache time based on default SOA TTL may be
>> too long in some cases and requires a manual cache refresh :( 
>> Easy example: Infra team provisions a new server and ping the
>> hostname asked to see if it's not already taken - Yes they could
>> act differently It's not, so result is cached and will stay for
>> 1H - default SOA TTL. Server provisioning takes 10mn, and
>> hostname is still cached as NX for 50mn :(
>> 
>> Second is entry override. Some specific DNS entries could have a 
>> different TTL than the default one - But not globally per entry
>> gives much more flexibility :)
>> 
>> 
>> Would that make sense to have a binding for request replies -
>> like the dhcp lua script support - or would this make more sense
>> as specific hardcoded options? If this makes any sense at all
>> indeed :)
>> 
>> 
>> Thanks, Olivier
>> 
>> 
> 
> Seemed like i had a double neg-ttl declared in my config and my
> command line at the same time which make it to not be correctly
> handled... Also seems that no matter what neg-ttl is set to, the
> first NXDOMAIN on a cold cache, always get the SOA TTL, am i
> missing something ?

neg-ttl does not override the SOA TTL, it provides a TTL for NXDOMAIN
if the upstream server doesn't include an SOA. (Lots of ISP
nameservers seem to strip that information for "bandwidth saving") If
your upstream servers include SOA, as they should, then neg-ttl will
have no effect.
> 
> 
> Any feedback on per entry TTL override

I'm not sure about that, it seems to me to be fiddly and prone to
errors. Your first example could be fixed by using --no-negcache. It
would be less efficient, but it would always work. If you're going to
set a TTL in that case, what's the correct value that will always
work? I don't think there is one.

I'm interested in other opinions.


Cheers,


Simon.

> 
> 
> Thanks, Olivier
> 
> 
> 
> 


From simon at thekelleys.org.uk  Thu Apr  3 20:40:54 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 03 Apr 2014 21:40:54 +0100
Subject: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not
 appear to work for me.
In-Reply-To: <CAM9f+Zxidt5u-DyiCOvva6znpNi4BBTLZ-1NuWPBwAYN4o1fbA@mail.gmail.com>
References: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>
 <533C71F9.8030901@thekelleys.org.uk> <533C753C.10006@thekelleys.org.uk>
 <CAM9f+Zxidt5u-DyiCOvva6znpNi4BBTLZ-1NuWPBwAYN4o1fbA@mail.gmail.com>
Message-ID: <533DC756.5060804@thekelleys.org.uk>

On 03/04/14 08:35, David Beveridge wrote:
> On Thu, Apr 3, 2014 at 6:38 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> On 02/04/14 21:24, Simon Kelley wrote:
>>
>>>
>>> This is, I think, just an oversight. synth-domain certainly generates
>>> "Locally defined DNS records" which is what the auth-zone is specified
>>> to contain.
>>>
>>
>> Actually, there is a reason. It doesn't in general make sense to include
>> the records created by synth-domain in a zone transfer, since there are
>> likely to be a lot of them. They could be included in answers for the
>> auth-zone, at the expense of the additional complication that the zone
>> answered by dnsmasq becomes no longer exactly the zone that's transfered
>> to a secondary (since the synth-domain answers can't be included in the
>> transfer).
>>
> 
> I agree, you definitely would not want to zone transfer the entire synth zone
> just the records from the auth zone.  Actually, once you introduce synth
> records to a zone, transferring it is not practical at all.
> 
> I think I have misunderstood what auth-zone does.
> It seems it is not required in this situation.
> 
> I just tested and discovered that:- If I remove the auth-zone statement from
> the config file the synth-zone will still serve records it finds in /etc/hosts.
> In this way I can still have a mixed zone with manually created records and
> synthesized records in the same zone.
> 
> The synth-domain kind of implies that the zone is authoritative,
> so no need for the auth-zone statement as well.

OK. Happy ending :)


Cheers,

Simon.

> 
> dave
> 



From simon at thekelleys.org.uk  Thu Apr  3 20:43:02 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 03 Apr 2014 21:43:02 +0100
Subject: [Dnsmasq-discuss] Fwd: mixing synth-domain and auth-domain does
 not appear to work for me.
In-Reply-To: <CAM9f+ZycxzFLjQAXONQCkhS2vnWeY0up=uJerMfc70r7yqUiCA@mail.gmail.com>
References: <CAM9f+ZykrG_XtmQOJHWLmYO-WsGV7dUESE76SX3GDM_hGCSQBQ@mail.gmail.com>
 <533C71F9.8030901@thekelleys.org.uk>
 <CAM9f+Zxnj2Bqa38Gb9FSW2jfR8mZvKUOz4BEhGTshpr0F55Zdw@mail.gmail.com>
 <CAM9f+ZycxzFLjQAXONQCkhS2vnWeY0up=uJerMfc70r7yqUiCA@mail.gmail.com>
Message-ID: <533DC7D6.3050702@thekelleys.org.uk>

On 03/04/14 08:14, David Beveridge wrote:

>> Prefix length has to be greater than or equal to 64, is that what you
>> mean?  It's about implementation convenience. C doesn't provide an
>> integer data type larger than 64 bits for doing masking of the
>> address-part.
>>
> 
> Fair enough.  So I have a copy of dnsmasq running on my bind dns server
> just to handle the synthetic reverse (which bind can't do), so each /64
> needs to be individually configured in dnsmasq.  It's good to know why.
> 
> I can't just get lazy and synth a whole /48 or /32.
> Probably out of scope for what dnsmasq is designed for anyway.

That's what I told myself when I wrote the code, it's crazy to use
arbitrary-precision maths in a DNS daemon. Then a year later I
implemented DNSSEC which uses public-key crypto, based on
arbitrary-precision maths :-)

Cheers,

Simon.

> 
> dave
> 
>> Cheers,
>>
>> Simon.
>>
> 
> 



From olivier at core-hosting.net  Thu Apr  3 22:10:09 2014
From: olivier at core-hosting.net (Olivier Mauras)
Date: Fri, 04 Apr 2014 00:10:09 +0200
Subject: [Dnsmasq-discuss] Per entry TTL override
In-Reply-To: <533DC6A7.2040009@thekelleys.org.uk>
References: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>
 <1396474337.14875.29.camel@tiptop.internal>
 <533DC6A7.2040009@thekelleys.org.uk>
Message-ID: <1396563009.14875.39.camel@tiptop.internal>



On Thu, 2014-04-03 at 21:37 +0100, Simon Kelley wrote:
> On 02/04/14 22:32, Olivier Mauras wrote:
> > 
> > 
> > On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
> >> Hello,
> >> 
> >> Is it thinkable to allow a per entry TTL override system ? I have
> >> actually two different needs that i'd like to discuss. First
> >> NXDOMAINS. I'd like to cache NXDOMAIN from some forwarded domains
> >> to a specific value. Cache time based on default SOA TTL may be
> >> too long in some cases and requires a manual cache refresh :( 
> >> Easy example: Infra team provisions a new server and ping the
> >> hostname asked to see if it's not already taken - Yes they could
> >> act differently It's not, so result is cached and will stay for
> >> 1H - default SOA TTL. Server provisioning takes 10mn, and
> >> hostname is still cached as NX for 50mn :(
> >> 
> >> Second is entry override. Some specific DNS entries could have a 
> >> different TTL than the default one - But not globally per entry
> >> gives much more flexibility :)
> >> 
> >> 
> >> Would that make sense to have a binding for request replies -
> >> like the dhcp lua script support - or would this make more sense
> >> as specific hardcoded options? If this makes any sense at all
> >> indeed :)
> >> 
> >> 
> >> Thanks, Olivier
> >> 
> >> 
> > 
> > Seemed like i had a double neg-ttl declared in my config and my
> > command line at the same time which make it to not be correctly
> > handled... Also seems that no matter what neg-ttl is set to, the
> > first NXDOMAIN on a cold cache, always get the SOA TTL, am i
> > missing something ?
> 
> neg-ttl does not override the SOA TTL, it provides a TTL for NXDOMAIN
> if the upstream server doesn't include an SOA. (Lots of ISP
> nameservers seem to strip that information for "bandwidth saving") If
> your upstream servers include SOA, as they should, then neg-ttl will
> have no effect.
> > 
> > 
> > Any feedback on per entry TTL override
> 
> I'm not sure about that, it seems to me to be fiddly and prone to
> errors. Your first example could be fixed by using --no-negcache. It
> would be less efficient, but it would always work. If you're going to
> set a TTL in that case, what's the correct value that will always
> work? I don't think there is one.
> 
> I'm interested in other opinions.
> 
> 
> Cheers,
> 
> 
> Simon.
> 
> > 
> > 
> > Thanks, Olivier
> > 
> > 
> > 
> > 
> 

True that no-negcache would fix my first example, but wouldn't caching
for a definite time be more efficient?

I actually have weird behavior when cascading dnsmasq instances.
127.0.0.1 forwarding to a dnsmasq instance, forwarding to an unbound
server...
127.0.0.1 on first query receives the SOA TTL, but as the forwarded
dnsmasq instance has cached, it returns 0 as TTL.
So clearing cache on 127.0.0.1 and asking again same query will return
with neg-ttl as the TTL.
I agree it's pretty particular but having a "neg-cache-ttl" would
prevent this _and_ be efficient enough :)

That was for NXDOMAINS, what about overriding TTL for standard entry?
opinions?


Thanks,
Olivier
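The behaviour Simon describes (SOA TTL when the upstream sends an SOA, neg-ttl only when it does not) and the two-hop effect Olivier reports can be put into a small model. This is an added example of my own, not dnsmasq code: the RFC 2308 rule of taking the smaller of the SOA record's TTL and its MINIMUM field is an assumption about how the SOA is turned into a negative TTL, and the "cached answer carries no SOA and TTL 0" behaviour of the middle forwarder is taken from what Olivier observed, not from the dnsmasq source. The upstream answers are constructed.

```python
"""Model of negative caching across a chain of forwarders.

Added example, not dnsmasq code.  Assumptions: a negative answer that carries
an SOA is cached for min(SOA TTL, SOA MINIMUM) (RFC 2308); one without an SOA
is cached for the configured neg-ttl; a forwarder answering an NXDOMAIN from
its own cache hands back TTL 0 and no SOA (the behaviour reported in the
thread).  The authoritative answers are constructed samples.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Soa:
    ttl: int        # TTL of the SOA record in the authority section
    minimum: int    # MINIMUM field of the SOA RDATA


@dataclass
class Response:
    rcode: str
    soa: Optional[Soa] = None   # None when the upstream stripped the SOA


def negative_ttl(resp: Response, neg_ttl: int) -> int:
    """How long an NXDOMAIN may be cached: SOA-derived if present, else neg-ttl."""
    if resp.rcode != "NXDOMAIN":
        raise ValueError("only NXDOMAIN answers are negatively cached here")
    if resp.soa is None:
        return neg_ttl                       # neg-ttl only applies here
    return min(resp.soa.ttl, resp.soa.minimum)


class Forwarder:
    """A caching forwarder with one upstream and its own neg-ttl setting."""

    def __init__(self, upstream, neg_ttl):
        self.upstream = upstream             # callable(name, now) -> Response
        self.neg_ttl = neg_ttl
        self.cache = {}                      # name -> expiry time (seconds)

    def clear(self):
        self.cache.clear()

    def query(self, name, now):
        """Return (response, ttl as seen by the client)."""
        expiry = self.cache.get(name)
        if expiry is not None and now < expiry:
            return Response("NXDOMAIN"), 0   # from cache: no SOA, TTL 0
        resp = self.upstream(name, now)
        ttl = negative_ttl(resp, self.neg_ttl)
        self.cache[name] = now + ttl
        return resp, ttl


def authoritative(name, now):
    """Constructed upstream: always NXDOMAIN with a one-hour SOA."""
    return Response("NXDOMAIN", Soa(ttl=3600, minimum=3600))


def simulate_cascade():
    """Front forwarder -> middle forwarder -> authoritative.  Returns the TTLs
    the front instance derives on a cold path and after the middle instance
    starts answering from its cache."""
    middle = Forwarder(authoritative, neg_ttl=60)
    front = Forwarder(lambda name, now: middle.query(name, now)[0], neg_ttl=60)
    seen = []
    _, ttl = front.query("new-host.example", now=0)     # both caches cold
    seen.append(ttl)
    front.clear()                                      # operator flushes front
    _, ttl = front.query("new-host.example", now=10)    # middle answers from cache
    seen.append(ttl)
    return seen


if __name__ == "__main__":
    print(simulate_cascade())
```

Running it shows the front instance first inheriting the 3600 second SOA value and then, once the middle instance answers from cache without an SOA, falling back to its own neg-ttl of 60: exactly the two different TTLs Olivier sees, without either setting being ignored.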

From craig.mcqueen at beamcommunications.com  Fri Apr  4 03:20:27 2014
From: craig.mcqueen at beamcommunications.com (Craig McQueen)
Date: Fri, 4 Apr 2014 14:20:27 +1100
Subject: [Dnsmasq-discuss] PTR records with auth-zone and auth-server
In-Reply-To: <533DC461.7010609@thekelleys.org.uk>
References: <533D0C4D.5070603@beamcommunications.com>
 <533DC461.7010609@thekelleys.org.uk>
Message-ID: <533E24FB.6080902@beamcommunications.com>

On 04/04/14 07:28, Simon Kelley wrote:
> On 03/04/14 08:22, Craig McQueen wrote:
>> * No custom PTR records can be defined with ptr-record.
>
> That's behaving as documented, --ptr-record doesn't appear in the list
> of data included in an authoritative zone given in the AUTHORITATIVE
> CONFIGURATION section of the man page. The reason is, I think, that
> PTR-records can have any name, not just w.x.y.x.in-addr.arpa. It's
> therefore difficult to use the subnet(s) associated with an auth-zone to
> filter them. It would be possible to filter on the name using the domain
> associated with an auth zone, and filter w.x.y.x.in-addr.arpa on the
> subnet. That's quite complex to understand/document/use.

DNS-SD (RFC 6763) makes use of PTR records that end in the domain name. 
E.g. ending in example.com.:

_http._tcp.example.com.
lb._dns-sd._udp.example.com.

DNS-SD also makes use of PTR records that end in the reverse mapping 
name of the network address of the subnet. E.g. for subnet 
192.168.5.0/24, some PTR records ending in 0.5.168.192.in-addr.arpa.:

b._dns-sd._udp.0.5.168.192.in-addr.arpa.
lb._dns-sd._udp.0.5.168.192.in-addr.arpa.

It would be good to allow ptr-record options that match either of these 
cases.

The first case (ending in example.com.) should be straight-forward. The 
reverse case should also be okay, unless I'm overlooking some 
complication. I haven't looked into the IPv6 case.

DNS-SD also uses SRV and TXT records, ending in .example.com.

Thanks,
Craig McQueen



From quintus at quintilianus.eu  Fri Apr  4 08:17:59 2014
From: quintus at quintilianus.eu (Quintus)
Date: Fri, 04 Apr 2014 10:17:59 +0200
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533DAABB.6080300@thekelleys.org.uk>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu> <533C583B.8050108@thekelleys.org.uk>
 <533D8278.2030904@quintilianus.eu> <533DAABB.6080300@thekelleys.org.uk>
Message-ID: <533E6AB7.1060001@quintilianus.eu>

Hi Simon,

Am 03.04.2014 20:38, schrieb Simon Kelley:
> Certainly, if there's no other reason not to, you can solve this
> problem by reconfiguring your client to ask for a non-temporary
> address.

You're partly right - if I configure dhcpcd to not request a temporary
address, the lease file contains this:

-------------------------------------------
1396620247 246859459 2001:4dd0:ff00:8918:1:f858:930c:267b atlantis
00:01:00:01:1a:93:42:fa:3c:97:0e:b6:c6:c3
-------------------------------------------

And resolving of plain names works just fine (BUT, see below):

% dig atlantis AAAA

-------------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2039
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.			IN	AAAA

;; ANSWER SECTION:
atlantis.		0	IN	AAAA	2001:4dd0:ff00:8918:1:f858:930c:267b

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Fri Apr  4 10:04:46 2014
;; MSG SIZE  rcvd: 54
-------------------------------------------

However, the fully qualified name still doesn't work:

-------------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53712
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.	IN AAAA

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Fri Apr  4 10:10:17 2014
;; MSG SIZE  rcvd: 64
-------------------------------------------

Resolving the fully qualified A record works:

-------------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17342
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.	IN A

;; ANSWER SECTION:
atlantis.cable.internal.xxx.eu.	0 IN A 10.37.59.42

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Fri Apr  4 10:10:11 2014
;; MSG SIZE  rcvd: 80
-------------------------------------------

Neither is the AAAA record created in the base domain:

-------------------------------------------
; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6544
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.internal.xxx.eu. IN AAAA

;; AUTHORITY SECTION:
xxx.eu.	2560	IN	SOA	ns.yyy.de. hostmaster.xxx.eu. 1391783412 16384 2048
1048576 2560

;; Query time: 50 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Fri Apr  4 10:14:35 2014
;; MSG SIZE  rcvd: 124
-------------------------------------------

So I conclude that the temporary address request is only part of the
problem. What do you think?

Vale,
Quintus

-- 
Blog: http://www.quintilianus.eu

I will reject HTML emails.     | Ich akzeptiere keine HTML-Nachrichten.
                               |
Use GnuPG for mail encryption: | GnuPG für Mail-Verschlüsselung:
http://www.gnupg.org           | http://gnupg.org/index.de.html


From Lutz.Pressler at SerNet.de  Fri Apr  4 09:47:48 2014
From: Lutz.Pressler at SerNet.de (Lutz Preßler)
Date: Fri, 4 Apr 2014 11:47:48 +0200
Subject: [Dnsmasq-discuss] auth-server reverse zones / Re: PTR records with
 auth-zone and auth-server
In-Reply-To: <533DC461.7010609@thekelleys.org.uk>
References: <533D0C4D.5070603@beamcommunications.com>
 <533DC461.7010609@thekelleys.org.uk>
Message-ID: <E1WW0iz-003js7-3e@intern.SerNet.DE>

Hello Simon,

On Do, 03 Apr 2014, Simon Kelley wrote:

> On 03/04/14 08:22, Craig McQueen wrote:
> > I'm using dnsmasq 2.68. It's mostly working, however I'm having a few
> > troubles with PTR records when using auth-zone and auth-server. If I use
> > these options, then:
> > 
> > * PTR look-up of IP addresses defined by interface-name=example.lan,br0
> > return an answer, but the returned status is NXDOMAIN rather than NOERROR.
(Coincidentally yesterday I found that problem, too)
> 
> That's a bug, nasty one. Fix pushed to git,
Thanks, works.
> 
> > * No custom PTR records can be defined with ptr-record.
> 
> That's behaving as documented, --ptr-record doesn't appear in the list
> of data included in an authoritative zone given in the AUTHORITATIVE
> CONFIGURATION section of the man page. The reason is, I think, that
> PTR-records can have any name, not just w.x.y.x.in-addr.arpa. It's
> therefore difficult to use the subnet(s) associated with an auth-zone to
> filter them. It would be possible to filter on the name using the domain
> associated with an auth zone, and filter w.x.y.x.in-addr.arpa on the
> subnet. That's quite complex to understand/document/use.
Obviously I'm missing something. Why cannot PTR replies be filtered on
either x.y.x.in-addr.arpa / ...d.c.b.a.ip6.arpa fitting associated
subnets (maybe complicated by the non-nibble IPv4 case) OR any PTR content
for defined auth-zone-s?
(Btw, in the documentation it sometimes reads "ipv6.arpa" instead of 
"ip6.arpa".)

To add to the wish list: I'd really like the ability to also do AXFRs
for reverse zones. Is the difficulty to enumerate the records?
Usage is a DNSSEC signing front-end server.

Another question: dnsmasq is not sending NOTIFYs, is it?

Regards,
  Lutz
-- 
Lutz Preßler, Göttingen, Germany
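The filter that Simon sketches, that Craig wants for the DNS-SD names and that Lutz asks about here can be written down in a few lines. This is an added example of my own, not dnsmasq code: a ptr-record owner name is taken to belong to an auth-zone if it ends in the zone's forward domain, or if it ends in the in-addr.arpa / ip6.arpa name of one of the zone's subnets. The "non-nibble" IPv4 case Lutz mentions (a /22, say, whose reverse name only pins down two octets) is handled by checking the next label numerically against the subnet; the same check covers IPv6 prefixes that are not a multiple of four bits. The zone domain, subnets and record names are constructed samples.

```python
"""Filter ptr-record entries into an auth-zone (added example, not dnsmasq code).

A PTR owner name belongs to the zone when either
  (a) it ends in the zone's forward domain (the DNS-SD case, e.g.
      _http._tcp.example.com), or
  (b) it ends in the in-addr.arpa / ip6.arpa name of one of the zone's subnets.
For prefixes that are not octet- (IPv4) or nibble- (IPv6) aligned the reverse
suffix only fixes part of the prefix, so the next label is checked numerically.
All zone names, subnets and record names used here are constructed samples.
"""
import ipaddress


def reverse_suffix(net):
    """Reverse-zone suffix covering `net`, and how many prefix bits it pins down."""
    if net.version == 4:
        width, labels = 8, [str(b) for b in net.network_address.packed]
        tail = ["in-addr", "arpa"]
    else:
        width, labels = 4, list(net.network_address.exploded.replace(":", ""))
        tail = ["ip6", "arpa"]
    n = net.prefixlen // width                 # whole labels covered by the prefix
    return ".".join(labels[:n][::-1] + tail), n * width


def _label_inside(net, label, covered):
    """True if `label` (the owner-name label just left of the reverse suffix)
    encodes address bits that fall inside `net`."""
    width = 8 if net.version == 4 else 4
    try:
        value = int(label, 10 if width == 8 else 16)
    except ValueError:
        return False                           # e.g. "_udp": not an address label
    if not 0 <= value < (1 << width) or (width == 4 and len(label) != 1):
        return False
    total = net.max_prefixlen
    high = int(net.network_address) >> (total - covered) << (total - covered)
    candidate = high | (value << (total - covered - width))
    addr = (ipaddress.IPv4Address(candidate) if net.version == 4
            else ipaddress.IPv6Address(candidate))
    return addr in net


def ptr_in_zone(name, zone_domain, subnets):
    """Should PTR owner `name` be served from the auth-zone for `zone_domain`
    with the given list of subnet strings?"""
    name = name.rstrip(".").lower()
    zone_domain = zone_domain.rstrip(".").lower()
    if name == zone_domain or name.endswith("." + zone_domain):
        return True                            # case (a): forward domain
    for net in subnets:
        net = ipaddress.ip_network(net, strict=False)
        suffix, covered = reverse_suffix(net)
        if name != suffix and not name.endswith("." + suffix):
            continue
        if covered >= net.prefixlen:
            return True                        # suffix alone pins down the prefix
        if name != suffix:                     # non-aligned: inspect next label
            remaining = name[: -(len(suffix) + 1)].split(".")
            if _label_inside(net, remaining[-1], covered):
                return True
    return False


def zone_ptr_records(zone_domain, subnets, ptr_records):
    """Keep only the (owner, target) ptr-record pairs that belong to the zone."""
    return [(owner, target) for owner, target in ptr_records
            if ptr_in_zone(owner, zone_domain, subnets)]
```

With a zone for `example.com` over `192.168.5.0/24`, a DNS-SD browse record such as `b._dns-sd._udp.0.5.168.192.in-addr.arpa` passes on the subnet test and `_http._tcp.example.com` on the domain test, while a PTR under `6.168.192.in-addr.arpa` is rejected; for `10.37.56.0/22` the names under `59.37.10.in-addr.arpa` are accepted and those under `60.37.10.in-addr.arpa` are not.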


From toke at toke.dk  Sat Apr  5 15:21:43 2014
From: toke at toke.dk (Toke Høiland-Jørgensen)
Date: Sat, 05 Apr 2014 17:21:43 +0200
Subject: [Dnsmasq-discuss] Authoritative PTR record resolution error messages
Message-ID: <87vbunkdiw.fsf@toke.dk>

After having upgraded dnsmasq (at git commit
b7639d58158c6e971535893b407560e136a27994) I'm getting the following
errors from named when it tries to resolve the reverse address for my laptop:

Apr 05 17:14:23 alrua-kau named[448]: DNS format error from 5.150.xxx.xx#53 resolving [redacted].4.0.1.0.0.2.ip6.arpa/PTR for client 127.0.0.1#26501: CNAME/DNAME chain complete, but RCODE indicates error

I do seem to be able to resolve the name, though.

-Toke

From simon at thekelleys.org.uk  Sat Apr  5 17:06:14 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 05 Apr 2014 18:06:14 +0100
Subject: [Dnsmasq-discuss] Authoritative PTR record resolution error
	messages
In-Reply-To: <87vbunkdiw.fsf@toke.dk>
References: <87vbunkdiw.fsf@toke.dk>
Message-ID: <53403806.50605@thekelleys.org.uk>

On 05/04/14 16:21, Toke Høiland-Jørgensen wrote:
> After having upgraded dnsmasq (at git commit 
> b7639d58158c6e971535893b407560e136a27994) I'm getting the
> following errors from named when it tries to resolve the reverse
> address for my laptop:
> 
> Apr 05 17:14:23 alrua-kau named[448]: DNS format error from
> 5.150.xxx.xx#53 resolving [redacted].4.0.1.0.0.2.ip6.arpa/PTR for
> client 127.0.0.1#26501: CNAME/DNAME chain complete, but RCODE
> indicates error
> 
> I do seem to be able to resolve the name, though.
> 

Sanity check: b7639d58158c6e971535893b407560e136a27994 and _not_
10068600f889338d942c7206c98e889bb3a17d57? I'd expect the latter to
cause this, if any.

Where is your laptop's record coming from? DHCP, /etc/hosts or other?
Can you do the query with dig directly to dnsmasq, and see what it's
actually replying to BIND?


Cheers,

Simon.


From simon at thekelleys.org.uk  Sat Apr  5 17:14:27 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 05 Apr 2014 18:14:27 +0100
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <533E6AB7.1060001@quintilianus.eu>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu> <533C583B.8050108@thekelleys.org.uk>
 <533D8278.2030904@quintilianus.eu> <533DAABB.6080300@thekelleys.org.uk>
 <533E6AB7.1060001@quintilianus.eu>
Message-ID: <534039F3.4080708@thekelleys.org.uk>

On 04/04/14 09:17, Quintus wrote:
> Hi Simon,
> 
> Am 03.04.2014 20:38, schrieb Simon Kelley:
>> Certainly, if there's no other reason not to, you can solve this 
>> problem by reconfiguring your client to ask for a non-temporary 
>> address.
> 
> You?re partly right ? if I configure dhcpcd to not request a
> temporary address, the lease file contains this:
> 
> ------------------------------------------- 1396620247 246859459
> 2001:4dd0:ff00:8918:1:f858:930c:267b atlantis 
> 00:01:00:01:1a:93:42:fa:3c:97:0e:b6:c6:c3 
> -------------------------------------------
> 
> And resolving of plain names works just fine (BUT, see below):
> 
> % dig atlantis AAAA
> 
> -------------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis AAAA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2039
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.			IN	AAAA
> 
> ;; ANSWER SECTION:
> atlantis.		0	IN	AAAA	2001:4dd0:ff00:8918:1:f858:930c:267b
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Fri Apr  4 10:04:46 2014
> ;; MSG SIZE  rcvd: 54
> -------------------------------------------
> 
> However, the fully qualified name still doesn't work:
> 
> -------------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu AAAA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53712
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.cable.internal.xxx.eu.	IN	AAAA
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Fri Apr  4 10:10:17 2014
> ;; MSG SIZE  rcvd: 64
> -------------------------------------------
> 
> Resolving the fully qualified A record works:
> 
> -------------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17342
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.cable.internal.xxx.eu.	IN	A
> 
> ;; ANSWER SECTION:
> atlantis.cable.internal.xxx.eu.	0	IN	A	10.37.59.42
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Fri Apr  4 10:10:11 2014
> ;; MSG SIZE  rcvd: 80
> -------------------------------------------
> 
> Neither is the AAAA record created in the base domain:
> 
> -------------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> atlantis.internal.xxx.eu AAAA
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6544
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;atlantis.internal.xxx.eu.	IN	AAAA
> 
> ;; AUTHORITY SECTION:
> xxx.eu.	2560	IN	SOA	ns.yyy.de. hostmaster.xxx.eu. 1391783412 16384 2048 1048576 2560
> 
> ;; Query time: 50 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Fri Apr  4 10:14:35 2014
> ;; MSG SIZE  rcvd: 124
> -------------------------------------------
> 
> So I conclude that the temporary address request is only part of
> the problem. What do you think?

I think you may well be right. What happens if you look up the
_address_, ie

dig -x 2001:4dd0:ff00:8918:1:f858:930c:267b


Cheers,


Simon.

> 
> Vale, Quintus
> 
> 
> 
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNAOfMACgkQKPyGmiibgrf8tQCghIa71fnaqioT9ROu/x+6h0Iz
DkYAnjVjoTh3AcGa4d9Kgu1k+0G9FJ38
=WLV/
-----END PGP SIGNATURE-----


From simon at thekelleys.org.uk  Sat Apr  5 17:42:50 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 05 Apr 2014 18:42:50 +0100
Subject: [Dnsmasq-discuss] Using DNSMasq as a DNS sinkhole server
In-Reply-To: <DUB128-W4591D8E03E737AD0F9B2E79B6C0@phx.gbl>
References: <DUB128-W4591D8E03E737AD0F9B2E79B6C0@phx.gbl>
Message-ID: <5340409A.60906@thekelleys.org.uk>

On 03/04/14 20:27, Egil Aspevik Martinsen wrote:
> Hi, I want to setup my Raspberry PI as a DNS sinkhole server using
> DNSMASQ. Does anyone have experience with using DNSMASQ for this
> purpose? The DNS sinkhole lists are relatively large (currently the
> list from www[DOT]malware-domains[DOT]com contains about 18000
> domains), and my first suspicion was that this might be too big for
> DNSMASQ to tackle, at least on a raspberry pi. Thanks! BR, Egil
> Aspevik

Assuming that you're putting the domains in /etc/hosts or equivalent,
then this application was tuned for long ago, and it should be fast. You
will need quite a lot of memory, but "quite a lot of memory" is
something that evolves over time. I think there may be an entry about
this in the FAQ.


Cheers,


Simon.

> 
> 
> 
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
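Simon's answer assumes the blocklist is loaded as hosts-file entries (/etc/hosts or an addn-hosts file). The script below is an added example, not code from this thread or from dnsmasq: it turns a domain-per-line feed into such a file while refusing anything that is not a syntactically valid hostname. A list downloaded from a third party is input you do not control, and a stray `localhost`, a malformed line or a duplicate should not be able to break the resolver or bloat its memory. The sample feed, the sink address 0.0.0.0 and the domain-per-line format are assumptions made for the example.

```python
import re
from typing import Iterable, List

# Constructed sample feed (not a real blocklist): comments, indentation,
# mixed case, a duplicate, a trailing dot, a malformed line and "localhost".
SAMPLE_FEED = """\
# constructed sample feed
evil.example
EVIL.example
  tracker.example.net
bad-host.example.org.
not a domain!
localhost
"""

# One RFC 1123 label: 1-63 letters, digits or hyphens, no leading or
# trailing hyphen.  A hostname here is two or more such labels.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")

# Names that must never be sinkholed, whatever the feed says.
_NEVER_BLOCK = {"localhost"}


def clean_domains(lines: Iterable[str]) -> List[str]:
    """Normalise a domain-per-line feed: drop comments, blanks, duplicates,
    protected names and anything that is not a valid hostname.  Order of
    first appearance is kept so successive outputs are diffable."""
    seen = set()
    result = []
    for raw in lines:
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not name or name in _NEVER_BLOCK or len(name) > 253:
            continue
        if not _HOSTNAME.fullmatch(name):
            continue   # spaces, slashes, underscores, stray punctuation
        if name not in seen:
            seen.add(name)
            result.append(name)
    return result


def hosts_file(domains: Iterable[str], sink: str = "0.0.0.0") -> str:
    """Render hosts-file lines for dnsmasq's addn-hosts.  0.0.0.0 rather than
    127.0.0.1, so sinkholed clients do not hit services on the resolver."""
    return "".join(f"{sink} {d}\n" for d in domains)


if __name__ == "__main__":
    import sys
    feed = sys.stdin if not sys.stdin.isatty() else SAMPLE_FEED.splitlines()
    sys.stdout.write(hosts_file(clean_domains(feed)))
```

Write the output to a file of your choosing and point dnsmasq at it with `addn-hosts=`. Hosts-file entries match the exact name only; if every subdomain of a listed name should be caught as well, emit `address=/evil.example/0.0.0.0` lines into a config file instead, since `address=` matches the whole subtree.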



From simon at thekelleys.org.uk  Sat Apr  5 19:20:55 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 05 Apr 2014 20:20:55 +0100
Subject: [Dnsmasq-discuss] Per entry TTL override
In-Reply-To: <1396563009.14875.39.camel@tiptop.internal>
References: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>	
 <1396474337.14875.29.camel@tiptop.internal>	
 <533DC6A7.2040009@thekelleys.org.uk>
 <1396563009.14875.39.camel@tiptop.internal>
Message-ID: <53405797.4020609@thekelleys.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/04/14 23:10, Olivier Mauras wrote:
> 
> 
> On Thu, 2014-04-03 at 21:37 +0100, Simon Kelley wrote:
>> On 02/04/14 22:32, Olivier Mauras wrote:
>>> 
>>> 
>>> On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
>>>> Hello,
>>>> 
>>>> Is it thinkable to allow a per entry TTL override system ? I
>>>> have actually two different needs that i'd like to discuss.
>>>> First NXDOMAINS. I'd like to cache NXDOMAIN from some
>>>> forwarded domains to a specific value. Cache time based on
>>>> default SOA TTL may be too long in some cases and requires a
>>>> manual cache refresh :( Easy example: Infra team provisions a
>>>> new server and ping the hostname asked to see if it's not
>>>> already taken - Yes they could act differently It's not, so
>>>> result is cached and will stay for 1H - default SOA TTL.
>>>> Server provisioning takes 10mn, and hostname is still cached
>>>> as NX for 50mn :(
>>>> 
>>>> Second is entry override. Some specific DNS entries could
>>>> have a different TTL than the default one - But not globally
>>>> per entry gives much more flexibility :)
>>>> 
>>>> 
>>>> Would that make sense to have a binding for request replies
>>>> - like the dhcp lua script support - or would this make more
>>>> sense as specific hardcoded options? If this makes any sense
>>>> at all indeed :)
>>>> 
>>>> 
>>>> Thanks, Olivier
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>> Seemed like I had a double neg-ttl declared in my config and my
>>> command line at the same time which made it not be
>>> correctly handled... Also seems that no matter what neg-ttl is
>>> set to, the first NXDOMAIN on a cold cache always gets the SOA
>>> TTL, am I missing something?
>> 
>> neg-ttl does not override the SOA TTL, it provides a TTL for
>> NXDOMAIN if the upstream server doesn't include an SOA. (Lots of
>> ISP nameservers seem to strip that information for "bandwidth
>> saving") If you upstream servers include SOA, as they should,
>> then neg-ttl will have no effect.
>>> 
>>> 
>>> Any feedback on per entry TTL override
>> 
>> I'm not sure about that, it seems to me to be fiddly and prone
>> to errors. Your first example could be fixed by using
>> --no-negcache. It would be less efficient, but it would always
>> work. If you're going to set a TTL in that case, what's the
>> correct value that will always work? I don't think there is one.
>> 
>> I'm interested in other opinions.
>> 
>> 
>> Cheers,
>> 
>> 
>> Simon.
>> 
>>> 
>>> 
>>> Thanks, Olivier
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>
>>
>>> 
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list 
>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> True that no-negcache would fix my first example, but wouldn't
> caching for a definite time be more efficient?

How much does a cache miss cost? Why bother tuning the TTLs and
_still_ risking that you've made them too long and something breaks.
Caching is an optimisation. If an optimisation can lead to different
results in the system, then it's broken and should be turned off,
not tweaked so it breaks less often.
> 
> I actually have weird behavior when cascading dnsmasq instances. 
> 127.0.0.1 forwarding to a dnsmasq instance, forwarding to an
> unbound server... 127.0.0.1 on first query receives the SOA TTL,
> but as the forwarded dnsmasq instance has cached, it returns 0 as
> TTL. So clearing cache on 127.0.0.1 and asking again same query
> will return with neg-ttl as the TTL.

That's because dnsmasq doesn't cache SOA's so cascaded dnsmasq
instances can lose the SOA TTL information.

> I agree it's pretty particular but having a "neg-cache-ttl" would 
> prevent this _and_ be efficient enough :)
> 
> That was for NXDOMAINS, what about overriding TTL for standard
> entry? opinions?

I'm not clear what you're suggesting. Override local names, from
/etc/hosts etc.? They get "0" TTLs now. Or names loaded from upstream
nameservers?


Cheers,

Simon

> 
> 
> Thanks, Olivier
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNAV5cACgkQKPyGmiibgrcA1gCdHsfqguiD0M+TG0aBEecYxp0T
4A4An2wIJMihLh35/NCAR1Z826nd5FFt
=hjfA
-----END PGP SIGNATURE-----
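Simon's explanation turns on one thing: whether the NXDOMAIN reply carries an SOA in its authority section. If it does, the SOA's TTL and MINIMUM fields govern negative caching (RFC 2308); --neg-ttl only fills in when an upstream has stripped the SOA, and a cascaded dnsmasq can be such an upstream because it does not cache SOAs. The code below is an added example, not dnsmasq's own logic: a minimal wire-format parser that extracts that TTL, plus a constructed NXDOMAIN reply modelled on the dig output quoted in the DHCPv6 thread above (its SOA values are the ones shown there, the message ID and layout are made up). The `effective_negative_ttl` fallback mirrors what Simon describes, not the exact arithmetic inside dnsmasq.

```python
import struct
from typing import Optional

SOA_TYPE = 6
RCODE_NXDOMAIN = 3


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def negative_ttl(msg: bytes) -> Optional[int]:
    """For an NXDOMAIN reply, the time a cache may keep the negative answer:
    min(SOA TTL, SOA MINIMUM) from the authority section (RFC 2308 section 5).
    None if the reply is not NXDOMAIN or carries no SOA, the case in which
    Simon says dnsmasq falls back to --neg-ttl."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if flags & 0x000F != RCODE_NXDOMAIN:
        return None
    off = 12
    for _ in range(qd):                              # skip question section
        _, off = _read_name(msg, off)
        off += 4                                     # QTYPE, QCLASS
    ttl_found = None
    for index in range(an + ns + ar):
        _, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = off
        off += rdlen
        if rtype == SOA_TYPE and an <= index < an + ns:   # authority section only
            _, p = _read_name(msg, rdata)                 # MNAME
            _, p = _read_name(msg, p)                     # RNAME
            minimum = struct.unpack("!I", msg[p + 16:p + 20])[0]  # 5th uint32
            ttl_found = min(ttl, minimum)
    return ttl_found


def effective_negative_ttl(msg: bytes, neg_ttl_option: Optional[int] = None) -> Optional[int]:
    """SOA information wins when present; --neg-ttl only applies when the
    upstream stripped it.  None means 'do not cache' (--no-negcache)."""
    soa_ttl = negative_ttl(msg)
    return soa_ttl if soa_ttl is not None else neg_ttl_option


# --- constructed sample replies (wire format) --------------------------------

def _name(text: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in text.split(".")) + b"\x00"


def build_nxdomain(with_soa: bool, ttl: int = 2560, minimum: int = 2560) -> bytes:
    """NXDOMAIN for atlantis.internal.xxx.eu AAAA; flags 0x8183 = qr rd ra,
    RCODE 3, as in the quoted dig output."""
    header = struct.pack("!6H", 0x1990, 0x8183, 1, 0, 1 if with_soa else 0, 0)
    msg = header + _name("atlantis.internal.xxx.eu") + struct.pack("!HH", 28, 1)
    if with_soa:
        rdata = (_name("ns.yyy.de") + _name("hostmaster.xxx.eu")
                 + struct.pack("!5I", 1391783412, 16384, 2048, 1048576, minimum))
        # Owner "xxx.eu." as a compression pointer to offset 30, where that
        # suffix already sits inside the question name.
        msg += b"\xc0\x1e" + struct.pack("!HHIH", SOA_TYPE, 1, ttl, len(rdata)) + rdata
    return msg


NXDOMAIN_WITH_SOA = build_nxdomain(True)
NXDOMAIN_NO_SOA = build_nxdomain(False)   # what an SOA-stripping upstream returns
```

To check a real upstream, capture one NXDOMAIN reply from it (dig +noedns prints the authority section; a packet capture gives the bytes) and feed it to `negative_ttl`: None means that server is one of the SOA-stripping kind and only --neg-ttl or --no-negcache will bound your negative caching.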


From simon at thekelleys.org.uk  Sat Apr  5 19:22:32 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 05 Apr 2014 20:22:32 +0100
Subject: [Dnsmasq-discuss] PTR records with auth-zone and auth-server
In-Reply-To: <533E24FB.6080902@beamcommunications.com>
References: <533D0C4D.5070603@beamcommunications.com>
 <533DC461.7010609@thekelleys.org.uk>
 <533E24FB.6080902@beamcommunications.com>
Message-ID: <534057F8.7080908@thekelleys.org.uk>

On 04/04/14 04:20, Craig McQueen wrote:
> On 04/04/14 07:28, Simon Kelley wrote:
>> On 03/04/14 08:22, Craig McQueen wrote:
>>> * No custom PTR records can be defined with ptr-record.
>>
>> That's behaving as documented, --ptr-record doesn't appear in the list
>> of data included in an authoritative zone given in the AUTHORITATIVE
>> CONFIGURATION section of the man page. The reason is, I think, that
>> PTR-records can have any name, not just w.x.y.x.in-addr.arpa. It's
>> therefore difficult to use the subnet(s) associated with an auth-zone to
>> filter them. It would be possible to filter on the name using the domain
>> associated with an auth zone, and filter w.x.y.x.in-addr.arpa on the
>> subnet. That's quite complex to understand/document/use.
> 
> DNS-SD (RFC 6763) makes use of PTR records that end in the domain name.
> E.g. ending in example.com.:
> 
> _http._tcp.example.com.
> lb._dns-sd._udp.example.com.
> 
> DNS-SD also makes use of PTR records that end in the reverse mapping
> name of the network address of the subnet. E.g. for subnet
> 192.168.5.0/24, some PTR records ending in 0.5.168.192.in-addr.arpa.:
> 
> b._dns-sd._udp.0.5.168.192.in-addr.arpa.
> lb._dns-sd._udp.0.5.168.192.in-addr.arpa.
> 
> It would be good to allow ptr-record options that match either of these
> cases.
> 
> The first case (ending in example.com.) should be straight-forward. The
> reverse case should also be okay, unless I'm overlooking some
> complication. I haven't looked into the IPv6 case.
> 
> DNS-SD also uses SRV and TXT records, ending in .example.com.
> 
>
Good points. This is something to return to after the imminent 2.69
release. Did you get a chance to see if the patch I made fixed your
NXDOMAIN problem?


Cheers,

Simon.




From simon at thekelleys.org.uk  Sat Apr  5 19:26:11 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 05 Apr 2014 20:26:11 +0100
Subject: [Dnsmasq-discuss] auth-server reverse zones / Re: PTR records
 with auth-zone and auth-server
In-Reply-To: <E1WW0iz-003js7-3e@intern.SerNet.DE>
References: <533D0C4D.5070603@beamcommunications.com>
 <533DC461.7010609@thekelleys.org.uk> <E1WW0iz-003js7-3e@intern.SerNet.DE>
Message-ID: <534058D3.8010808@thekelleys.org.uk>

On 04/04/14 10:47, Lutz Pre?ler wrote:
> Hello Simon,
> 
> On Do, 03 Apr 2014, Simon Kelley wrote:
> 
>> On 03/04/14 08:22, Craig McQueen wrote:
>>> I'm using dnsmasq 2.68. It's mostly working, however I'm having a few
>>> troubles with PTR records when using auth-zone and auth-server. If I use
>>> these options, then:
>>>
>>> * PTR look-up of IP addresses defined by interface-name=example.lan,br0
>>> return an answer, but the returned status is NXDOMAIN rather than NOERROR.
> (Coincidentally yesterday I found that problem, too)
>>
>> That's a bug, nasty one. Fix pushed to git,
> Thanks, works.
>>
>>> * No custom PTR records can be defined with ptr-record.
>>
>> That's behaving as documented, --ptr-record doesn't appear in the list
>> of data included in an authoritative zone given in the AUTHORITATIVE
>> CONFIGURATION section of the man page. The reason is, I think, that
>> PTR-records can have any name, not just w.x.y.x.in-addr.arpa. It's
>> therefore difficult to use the subnet(s) associated with an auth-zone to
>> filter them. It would be possible to filter on the name using the domain
>> associated with an auth zone, and filter w.x.y.x.in-addr.arpa on the
>> subnet. That's quite complex to understand/document/use.
> Obviously I'm missing something. Why cannot PTR replies be filtered on
> either x.y.x.in-addr.arpa / ...d.c.b.a.ip6.arpa fitting associated
> subnets (maybe complicated by the non-nibble IPv4 case) OR any PTR content
> for defined auth-zone-s?
> (Btw, in the documentation it sometimes reads "ipv6.arpa" instead of 
> "ip6.arpa".)
> 
> To add to the wish list: I'd really like the ability to also do AXFRs
> for reverse zones. Is the difficulty to enumerate the records?
> Usage is an DNSSEC signing front-end server.
> 
> Another question: dnsmasq is not sending NOTIFYs, is it?

Wishlist for version 2.70 opened.......


Cheers,


Simon.

> 
> Regards,
>   Lutz
> 
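Craig and Lutz both ask for ptr-record entries to be admitted into an auth-zone when either the name sits under the zone's domain or it is a reverse name whose address block falls inside one of the zone's subnets. The code below is an added example of that filter, my reading of the two proposals rather than anything dnsmasq implements: it handles DNS-SD's extra labels in front of the address part, ip6.arpa nibbles, and the non-octet-aligned IPv4 case Lutz mentions (a /24 reverse name inside a /22 zone subnet). The zone domain `example.com` and the two subnets are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _labels(name: str) -> List[str]:
    """Lower-cased labels of a name, trailing dot ignored."""
    return name.lower().rstrip(".").split(".")


def reverse_network(name: str) -> Optional[Network]:
    """Map a name under in-addr.arpa / ip6.arpa to the address block it
    denotes.  Labels left of the address part (DNS-SD's b._dns-sd._udp) are
    allowed; a name that is not a reverse name gives None."""
    labels = _labels(name)
    if labels[-2:] == ["in-addr", "arpa"]:
        octets: List[str] = []
        for lab in reversed(labels[:-2]):            # walk from the arpa end
            if len(octets) < 4 and lab.isascii() and lab.isdigit() and int(lab) <= 255:
                octets.append(lab)
            else:
                break
        if not octets:
            return None
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network((addr, 8 * len(octets)), strict=False)
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles: List[str] = []
        for lab in reversed(labels[:-2]):
            if len(nibbles) < 32 and len(lab) == 1 and lab in "0123456789abcdef":
                nibbles.append(lab)
            else:
                break
        if not nibbles:
            return None
        hexdigits = "".join(nibbles).ljust(32, "0")
        addr = ":".join(hexdigits[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.IPv6Network((addr, 4 * len(nibbles)), strict=False)
    return None


def ptr_in_auth_zone(name: str, domain: str, subnets: Iterable[Network]) -> bool:
    """Would a ptr-record named `name` belong in the authoritative zone made
    of `domain` plus `subnets`?  Either the name is at or below the domain,
    compared label by label so notexample.com does not pass as example.com,
    or it is a reverse name whose block lies inside one of the subnets."""
    labels, dom = _labels(name), _labels(domain)
    if labels[-len(dom):] == dom:
        return True
    block = reverse_network(name)
    if block is None:
        return False
    return any(s.version == block.version and block.subnet_of(s) for s in subnets)


# Constructed zone: a domain plus one IPv4 and one IPv6 subnet.
ZONE_DOMAIN = "example.com"
ZONE_SUBNETS = [ipaddress.ip_network("192.168.5.0/24"),
                ipaddress.ip_network("2001:4dd0:ff00:8918::/64")]
```

Anything that fails the check is exactly the data an authoritative server should refuse to serve: a ptr-record for an address outside the delegated subnets would be answered with the AA bit set, and a label-by-label suffix match is what keeps a lookalike domain from sneaking in.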



From olivier at core-hosting.net  Sun Apr  6 11:38:37 2014
From: olivier at core-hosting.net (Olivier Mauras)
Date: Sun, 06 Apr 2014 13:38:37 +0200
Subject: [Dnsmasq-discuss] Per entry TTL override
In-Reply-To: <53405797.4020609@thekelleys.org.uk>
References: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>
 <1396474337.14875.29.camel@tiptop.internal>
 <533DC6A7.2040009@thekelleys.org.uk>
 <1396563009.14875.39.camel@tiptop.internal>
 <53405797.4020609@thekelleys.org.uk>
Message-ID: <1396784317.14875.43.camel@tiptop.internal>



On Sat, 2014-04-05 at 20:20 +0100, Simon Kelley wrote:
> On 03/04/14 23:10, Olivier Mauras wrote:
> > 
> > 
> > On Thu, 2014-04-03 at 21:37 +0100, Simon Kelley wrote:
> >> On 02/04/14 22:32, Olivier Mauras wrote:
> >>> 
> >>> 
> >>> On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
> >>>> Hello,
> >>>> 
> >>>> Is it thinkable to allow a per entry TTL override system ? I
> >>>> have actually two different needs that i'd like to discuss.
> >>>> First NXDOMAINS. I'd like to cache NXDOMAIN from some
> >>>> forwarded domains to a specific value. Cache time based on
> >>>> default SOA TTL may be too long in some cases and requires a
> >>>> manual cache refresh :( Easy example: Infra team provisions a
> >>>> new server and ping the hostname asked to see if it's not
> >>>> already taken - Yes they could act differently It's not, so
> >>>> result is cached and will stay for 1H - default SOA TTL.
> >>>> Server provisioning takes 10mn, and hostname is still cached
> >>>> as NX for 50mn :(
> >>>> 
> >>>> Second is entry override. Some specific DNS entries could
> >>>> have a different TTL than the default one - But not globally
> >>>> per entry gives much more flexibility :)
> >>>> 
> >>>> 
> >>>> Would that make sense to have a binding for request replies
> >>>> - like the dhcp lua script support - or would this make more
> >>>> sense as specific hardcoded options? If this makes any sense
> >>>> at all indeed :)
> >>>> 
> >>>> 
> >>>> Thanks, Olivier
> >>>> 
> >>>> 
> >>>> _______________________________________________
> >>>> Dnsmasq-discuss mailing list
> >>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
> >>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>
> >>>
> >>> Seemed like I had a double neg-ttl declared in my config and my
> >>> command line at the same time which made it not be
> >>> correctly handled... Also seems that no matter what neg-ttl is
> >>> set to, the first NXDOMAIN on a cold cache always gets the SOA
> >>> TTL, am I missing something?
> >> 
> >> neg-ttl does not override the SOA TTL, it provides a TTL for
> >> NXDOMAIN if the upstream server doesn't include an SOA. (Lots of
> >> ISP nameservers seem to strip that information for "bandwidth
> >> saving") If you upstream servers include SOA, as they should,
> >> then neg-ttl will have no effect.
> >>> 
> >>> 
> >>> Any feedback on per entry TTL override
> >> 
> >> I'm not sure about that, it seems to me to be fiddly and prone
> >> to errors. Your first example could be fixed by using
> >> --no-negcache. It would be less efficient, but it would always
> >> work. If you're going to set a TTL in that case, what's the
> >> correct value that will always work? I don't think there is one.
> >> 
> >> I'm interested in other opinions.
> >> 
> >> 
> >> Cheers,
> >> 
> >> 
> >> Simon.
> >> 
> >>> 
> >>> 
> >>> Thanks, Olivier
> >>> 
> >>> 
> >>> 
> >>> _______________________________________________
> >>> Dnsmasq-discuss mailing list
> >>> Dnsmasq-discuss at lists.thekelleys.org.uk 
> >>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>
> >>
> >>
> >>> 
> >>> _______________________________________________
> >>> Dnsmasq-discuss mailing list 
> >>> Dnsmasq-discuss at lists.thekelleys.org.uk 
> >>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> > 
> > True that no-negcache would fix my first example, but wouldn't
> > caching for a definite time be more efficient?
> 
> How much does a cache miss cost? Why bother tuning the TTLs and
> _still_ risking that you've made them too long and something breaks.
> Caching is an optimisation. If an optimisation can lead to different
> results in the system, then it's broken and should be turned off,
> not tweaked so it breaks less often.
> > 
I agree, but in my case I would like to make them shorter than the
default TTL from upstream.
I guess the workaround would be to give a globally shorter TTL to
clients, just less efficient if I need to override like 10 entries...
> > I actually have weird behavior when cascading dnsmasq instances. 
> > 127.0.0.1 forwarding to a dnsmasq instance, forwarding to an
> > unbound server... 127.0.0.1 on first query receives the SOA TTL,
> > but as the forwarded dnsmasq instance has cached, it returns 0 as
> > TTL. So clearing cache on 127.0.0.1 and asking again same query
> > will return with neg-ttl as the TTL.
> 
> That's because dnsmasq doesn't cache SOA's so cascaded dnsmasq
> instances can lose the SOA TTL information.
> 
> > I agree it's pretty particular but having a "neg-cache-ttl" would 
> > prevent this _and_ be efficient enough :)
> > 
> > That was for NXDOMAINS, what about overriding TTL for standard
> > entry? opinions?
> 
> I'm not clear what you're suggesting. Override local names, from
> /etc/hosts etc.? They get "0" TTLs now. Or names loaded from upstream
> nameservers?
From upstream.
> 
> 
> Cheers,
> 
> Simon
> 
> > 
> > 
> > Thanks, Olivier
> > 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140406/808daaf6/attachment-0001.sig>

From toke at toke.dk  Sun Apr  6 12:51:26 2014
From: toke at toke.dk (=?utf-8?Q?Toke_H=C3=B8iland-J=C3=B8rgensen?=)
Date: Sun, 06 Apr 2014 14:51:26 +0200
Subject: [Dnsmasq-discuss] Authoritative PTR record resolution error
	messages
In-Reply-To: <53403806.50605@thekelleys.org.uk> (Simon Kelley's message of
 "Sat, 05 Apr 2014 18:06:14 +0100")
References: <87vbunkdiw.fsf@toke.dk> <53403806.50605@thekelleys.org.uk>
Message-ID: <87r45ak4dt.fsf@toke.dk>

Simon Kelley <simon at thekelleys.org.uk> writes:

> Sanity check: b7639d58158c6e971535893b407560e136a27994 and _not_
> 10068600f889338d942c7206c98e889bb3a17d57? I'd expect the latter to
> cause this, if any.

root at guardian:~# opkg list | grep dnsmasq
dnsmasq-dhcpv6 - 2014-03-30-b7639d58158c6e971535893b407560e136a27994

Upgrading to 10068600f889338d942c7206c98e889bb3a17d57 fixes the error;
but instead I get this in the logs:

Apr 06 14:46:31 alrua-kau named[448]: success resolving 'x.x.x.0.7.4.0.1.0.0.2.ip6.arpa/PTR' (in 'x.x.x.x.0.7.4.0.1.0.0.2.ip6.arpa'?) after reducing the advertised EDNS UDP packet size to 512 octets


> Where is your laptop's record coming from? DHCP, /etc/hosts or other?
> Can you do the query with dig directly to dnsmasq, and see what it's
> actually replying to BIND?

This is with b7639d58158c6e971535893b407560e136a27994. IPv6 is fine:

$ dig -x  2001:470:xxx @2001:470:xxx

; <<>> DiG 9.9.2-P2 <<>> -x 2001:470:xxx @2001:470:xxx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. 0 IN PTR alrua-x1.xxx.xxx.

;; Query time: 12 msec
;; SERVER: 2001:470:xxxx#53(2001:470:xxx)
;; WHEN: Sun Apr  6 14:36:35 2014
;; MSG SIZE  rcvd: 140


But not IPv4:

$ dig -x  2001:470:xxx @5.150.x.x

; <<>> DiG 9.9.2-P2 <<>> -x 2001:470:xxx @5.150.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45583
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. 600 IN PTR alrua-x1.xxx.xxx.

;; AUTHORITY SECTION:
x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. 600 IN NS xxx.xxx.

;; Query time: 11 msec
;; SERVER: 5.150.x.x#53(5.150.x.x)
;; WHEN: Sun Apr  6 14:36:41 2014
;; MSG SIZE  rcvd: 199


After upgrading to 10068600f889338d942c7206c98e889bb3a17d57, IPv4
appears to be fine as well:

$ dig -x  2001:470:xxx @5.150.221.33

; <<>> DiG 9.9.2-P2 <<>> -x 2001:470:xxx @5.150.x.x
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44380
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. 600 IN PTR alrua-x1.xxx.xxx.

;; AUTHORITY SECTION:
x.x.x.0.7.4.0.1.0.0.2.ip6.arpa. 600 IN NS xxx.xxx.

;; Query time: 11 msec
;; SERVER: 5.150.x.x#53(5.150.x.x)
;; WHEN: Sun Apr  6 14:48:37 2014
;; MSG SIZE  rcvd: 199



-Toke
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 489 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140406/ac4cea21/attachment.sig>

From quintus at quintilianus.eu  Mon Apr  7 20:28:54 2014
From: quintus at quintilianus.eu (Quintus)
Date: Mon, 07 Apr 2014 22:28:54 +0200
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <534039F3.4080708@thekelleys.org.uk>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu> <533C583B.8050108@thekelleys.org.uk>
 <533D8278.2030904@quintilianus.eu> <533DAABB.6080300@thekelleys.org.uk>
 <533E6AB7.1060001@quintilianus.eu> <534039F3.4080708@thekelleys.org.uk>
Message-ID: <53430A86.3040907@quintilianus.eu>

Hi Simon,

> I think you may well be right. What happens if you look up the
> _address_, ie
> 
> dig -x 2001:4dd0:ff00:8918:1:f858:930c:267b

------------------------------------
; <<>> DiG 9.9.2-P2 <<>> -x 2001:4dd0:ff00:8918:1:f858:930c:267b
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23637
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;b.7.6.2.c.0.3.9.8.5.8.f.1.0.0.0.8.1.9.8.0.0.f.f.0.d.d.4.1.0.0.2.ip6.arpa.
IN PTR

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Mon Apr  7 22:23:31 2014
;; MSG SIZE  rcvd: 90
------------------------------------

However, earlier today I suddenly got responses to both the AAAA (FQDN)
and PTR queries, but I cannot reproduce this right now. Really weird.

> Cheers,
> 
> Simon.

Vale,
Quintus

-- 
Blog: http://www.quintilianus.eu

I will reject HTML emails.     | Ich akzeptiere keine HTML-Nachrichten.
                               |
Use GnuPG for mail encryption: | GnuPG für Mail-Verschlüsselung:
http://www.gnupg.org           | http://gnupg.org/index.de.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140407/a95c2564/attachment.sig>

From simon at thekelleys.org.uk  Mon Apr  7 21:15:07 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 07 Apr 2014 22:15:07 +0100
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <53430A86.3040907@quintilianus.eu>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu> <533C583B.8050108@thekelleys.org.uk>
 <533D8278.2030904@quintilianus.eu> <533DAABB.6080300@thekelleys.org.uk>
 <533E6AB7.1060001@quintilianus.eu> <534039F3.4080708@thekelleys.org.uk>
 <53430A86.3040907@quintilianus.eu>
Message-ID: <5343155B.6040005@thekelleys.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/04/14 21:28, Quintus wrote:
> Hi Simon,
> 
>> I think you may well be right. What happens if you look up the 
>> _address_, ie
>> 
>> dig -x 2001:4dd0:ff00:8918:1:f858:930c:267b
> 
> ------------------------------------
> ; <<>> DiG 9.9.2-P2 <<>> -x 2001:4dd0:ff00:8918:1:f858:930c:267b
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23637
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;b.7.6.2.c.0.3.9.8.5.8.f.1.0.0.0.8.1.9.8.0.0.f.f.0.d.d.4.1.0.0.2.ip6.arpa. IN PTR
> 
> ;; Query time: 1 msec
> ;; SERVER: 10.37.59.2#53(10.37.59.2)
> ;; WHEN: Mon Apr  7 22:23:31 2014
> ;; MSG SIZE  rcvd: 90
> ------------------------------------
> 
> However, earlier today I suddenly got responses to both the AAAA
> (FQDN) and PTR queries, but I cannot reproduce this right now.
> Really weird.

Thanks for getting back. I can't reproduce this here, so I'm going to
shelve it for now.



Cheers,

Simon.

> 
>> Cheers,
>> 
>> Simon.
> 
> Vale, Quintus
> 
> 
> 
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNDFVsACgkQKPyGmiibgrd+PgCghRmF1E00VTe9OpZbaeTywZo6
HsoAn2qrmOzhQQIf3gj5eIkIlwmsc+Yf
=zaUy
-----END PGP SIGNATURE-----


From simon at thekelleys.org.uk  Mon Apr  7 21:18:07 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 07 Apr 2014 22:18:07 +0100
Subject: [Dnsmasq-discuss] Per entry TTL override
In-Reply-To: <1396784317.14875.43.camel@tiptop.internal>
References: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>		
 <1396474337.14875.29.camel@tiptop.internal>		
 <533DC6A7.2040009@thekelleys.org.uk>	
 <1396563009.14875.39.camel@tiptop.internal>	
 <53405797.4020609@thekelleys.org.uk>
 <1396784317.14875.43.camel@tiptop.internal>
Message-ID: <5343160F.2070503@thekelleys.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/04/14 12:38, Olivier Mauras wrote:
> 
> 

>> How much does a cache miss cost? Why bother tuning the TTLs and 
>> _still_ risking that you've made them too long and something
>> breaks. Caching is an optimisation. If an optimisation can lead
>> to different results in the system, then it's broken and
>> should be turned off, not tweaked so it breaks less often.
>>> 
> I agree, but in my case I would like to make them shorter than the 
> default TTL from upstream. I guess the workaround would be to give
> a globally shorter TTL to clients, just less efficient if I need to
> override like 10 entries...

That's available, see --max-ttl

Cheers,


Simon.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlNDFg4ACgkQKPyGmiibgre9JgCgnXmjgL4nmrd+WuEimjX1yejk
t4MAniLwyN8uAQ42lT5uMeC5/QIdrsh9
=jW+p
-----END PGP SIGNATURE-----


From olivier at core-hosting.net  Mon Apr  7 21:35:08 2014
From: olivier at core-hosting.net (Olivier Mauras)
Date: Mon, 07 Apr 2014 23:35:08 +0200
Subject: [Dnsmasq-discuss] Per entry TTL override
In-Reply-To: <5343160F.2070503@thekelleys.org.uk>
References: <27d0397677b1cd89e9ccaf2afeb6a000@core-hosting.net>
 <1396474337.14875.29.camel@tiptop.internal>
 <533DC6A7.2040009@thekelleys.org.uk>
 <1396563009.14875.39.camel@tiptop.internal>
 <53405797.4020609@thekelleys.org.uk>
 <1396784317.14875.43.camel@tiptop.internal>
 <5343160F.2070503@thekelleys.org.uk>
Message-ID: <1396906508.29537.2.camel@tiptop.internal>



On Mon, 2014-04-07 at 22:18 +0100, Simon Kelley wrote:
> On 06/04/14 12:38, Olivier Mauras wrote:
> > I agree, but in my case I would like to make them shorter than the 
> > default TTL from upstream. I guess the workaround would be to give
> > a globally shorter TTL to clients, just less efficient if I need to
> > override like 10 entries...
> 
> That's available, see --max-ttl
> 
> Cheers,
> 
> 
> Simon.
> 
Well, it's global and not just for a few entries... I guess I'd better
just override the whole entries in my hosts file instead of just trying
to override their TTL...

Again, thanks for this nice piece of software, and I'm definitely in
love with the new stats queries :)


Cheers,
Olivier
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140407/238695ba/attachment.sig>

From quintus at quintilianus.eu  Tue Apr  8 06:04:39 2014
From: quintus at quintilianus.eu (Quintus)
Date: Tue, 08 Apr 2014 08:04:39 +0200
Subject: [Dnsmasq-discuss] DHCPv6 hostname resolving
In-Reply-To: <5343155B.6040005@thekelleys.org.uk>
References: <533C2C2A.9040605@quintilianus.eu> <533C33F1.6060102@free.fr>
 <533C4405.2060603@quintilianus.eu> <533C583B.8050108@thekelleys.org.uk>
 <533D8278.2030904@quintilianus.eu> <533DAABB.6080300@thekelleys.org.uk>
 <533E6AB7.1060001@quintilianus.eu> <534039F3.4080708@thekelleys.org.uk>
 <53430A86.3040907@quintilianus.eu> <5343155B.6040005@thekelleys.org.uk>
Message-ID: <53439177.4010005@quintilianus.eu>

On 07.04.2014 23:15, Simon Kelley wrote:
> Thanks for getting back. I can't reproduce this here, so I'm going to
> shelve it for now.

OK. I'll try to get more reproducible results and will report back under
which conditions I can properly resolve and under which it isn't possible.

Thank you!
Marvin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140408/aac7c9f9/attachment.sig>

From michael at kmaclub.com  Tue Apr  8 16:24:44 2014
From: michael at kmaclub.com (Michael)
Date: Tue, 08 Apr 2014 09:24:44 -0700
Subject: [Dnsmasq-discuss] Newcomer to dnsmasq and having issues with DHCP
Message-ID: <534422CC.70400@kmaclub.com>


Hello,

I have been running ISC bind and dhcp on my network for many years and 
would like to get those services running on my Asus router running 
Merlin firmware using dnsmasq.

At the moment, I am trying to test the config file on a Linux host on 
the same subnet.  Once it is working, I will move it over to the router.

DNS seems to be working fine, but I am not getting any responses from 
DHCP at all, either for static or dynamic hosts.

Below is my config.  It is my attempt to convert my isc dhcpd.conf to 
dnsmasq.  Hopefully I have missed something simple.

Also, am I on the right track for netbooting? I want to hand out iPXE 
by default for a couple of hosts and then point them to a URL once 
they are running iPXE.


pid-file=/var/run/dnsmasq.pid
user=nobody
no-poll
min-port=4096
bind-dynamic
#interface=br0
#interface=ppp1*
interface=p2p1
no-negcache
cache-size=1500

domain-needed
bogus-priv

domain=mydomain.net
expand-hosts
local=/mydomain.net/

server=8.8.8.8
server=8.8.4.4

cname=mail.mydomain.net,ghs.google.com
cname=calendar.mydomain.net,ghs.google.com

dhcp-authoritative

dhcp-option=1,255.255.255.0
dhcp-option=3,192.168.101.1
dhcp-option=6,192.168.101.1
dhcp-option=7,192.168.101.2
dhcp-option=15,"mydomain.net"
dhcp-option=42,192.168.101.2
dhcp-option=66,192.168.101.2

# Range of addresses for DHCP
dhcp-range=dynamic,192.168.101.2,192.168.101.30,4h
dhcp-range=static,192.168.101.100,192.168.101.150,48h

# Define hosts
dhcp-host=48:02:2a:46:be:a4,babycam,static
dhcp-host=00:e0:91:94:d0:e7,directv-0,static
dhcp-host=00:e0:91:8b:3f:5d,directv-1,static
dhcp-host=08:00:27:31:db:f9,fedoratest,static
dhcp-host=00:21:b9:01:f3:6b,ha,static
dhcp-host=00:18:dd:03:ca:94,hdhr,static
dhcp-host=00:80:a3:8c:77:c6,kvm,static
dhcp-host=00:18:de:2c:77:36,laptop,static
dhcp-host=00:20:6b:72:8d:ee,minolta,static
dhcp-host=00:b5:6d:00:fd:f8,mobl1,static
dhcp-host=84:3a:4b:0a:d8:e4,mobl1-wireless,static
dhcp-host=18:b4:30:06:15:ab,nest-downstairs,static
dhcp-host=18:b4:30:0a:9c:84,nest-upstairs,static
dhcp-host=00:a0:de:a5:57:93,yamaha-liv,static

dhcp-match=set:ipxe,175 # iPXE sends a 175 option

# Special boot hosts: a plain PXE ROM (no ipxe tag yet) is handed ipxe.pxe,
# and the same host, once it is running iPXE, is handed its script URL.
# Conditions must be spelled tag:name; a field written tag=name is not a
# condition and is taken as the boot filename instead.
dhcp-host=bc:ee:7b:25:3b:15,mythbed,set:mythbed,static
dhcp-boot=tag:!ipxe,tag:mythliv,ipxe.pxe
dhcp-boot=tag:ipxe,tag:mythliv,http://minimyth2/conf/mythliv/mythliv.ipxe

dhcp-host=38:60:77:9c:6b:1d,mythliv,set:mythliv,static
dhcp-boot=tag:!ipxe,tag:mythbed,ipxe.pxe
dhcp-boot=tag:ipxe,tag:mythbed,http://minimyth2/conf/mythbed/mythbed.ipxe

dhcp-host=08:00:27:B0:D7:3D,fedoratest2,set:fedoratest2,static
dhcp-boot=tag:!ipxe,tag:fedoratest2,ipxe.pxe
dhcp-boot=tag:ipxe,tag:fedoratest2,""
dhcp-option=tag:ipxe,tag:fedoratest2,option:root-path,"iscsi:myhost:::1:iqn.2012-09.net.mydomain:fedoratest2"



From rob0 at gmx.co.uk  Wed Apr  9 13:24:48 2014
From: rob0 at gmx.co.uk (/dev/rob0)
Date: Wed, 9 Apr 2014 08:24:48 -0500
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <20140401165428.GZ13999@harrier.slackbuilds.org>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
Message-ID: <20140409132448.GK32069@harrier.slackbuilds.org>

On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
        ^^^^^^
> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
> > On 25/03/14 07:03 PM, sven falempin wrote:
> > > my concern of nettle vs openssl is the amount of review and 
> > > testing nettle did get compared to something more widely(!)
> > > used openssl
> > 
> > something being used a lot != something being good
> 
> Absolutely true, but in the context of open source software, 
> especially cryptographic software, more use also tends to mean
> more code review.

April Fools!

;)

> I'm not really qualified to judge here what is best; I can only
> point out what I, as a user, think about it. I'll trust Simon's 
> judgment, but I hope he has considered these concerns.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


From dave.taht at gmail.com  Wed Apr  9 14:51:26 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 9 Apr 2014 07:51:26 -0700
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <20140409132448.GK32069@harrier.slackbuilds.org>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
 <20140409132448.GK32069@harrier.slackbuilds.org>
Message-ID: <CAA93jw54wzyocz2sgAaccuhpa9tZZX10nvU45+1TUEi8dntvFg@mail.gmail.com>

On Wed, Apr 9, 2014 at 6:24 AM, /dev/rob0 <rob0 at gmx.co.uk> wrote:
> On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
>         ^^^^^^
>> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
>> > On 25/03/14 07:03 PM, sven falempin wrote:
>> > > my concern of nettle vs openssl is the amount of review and
>> > > testing nettle did get compared to something more widely(!)
>> > > used openssl
>> >
>> > something being used a lot != something being good
>>
>> Absolutely true, but in the context of open source software,
>> especially cryptographic software, more use also tends to mean
>> more code review.
>
> April Fools!
>
> ;)

My heart bleeds for the openssl folk and openssl derived application users
right now. More investment into creating, maintaining and improving
core crypto libraries is desperately needed to hold our civilization together.

>> I'm not really qualified to judge here what is best; I can only
>> point out what I, as a user, think about it. I'll trust Simon's
>> judgment, but I hope he has considered these concerns.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From simon at thekelleys.org.uk  Wed Apr  9 17:29:34 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 09 Apr 2014 18:29:34 +0100
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <CAA93jw54wzyocz2sgAaccuhpa9tZZX10nvU45+1TUEi8dntvFg@mail.gmail.com>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca> <20140401165428.GZ13999@harrier.slackbuilds.org>
 <20140409132448.GK32069@harrier.slackbuilds.org>
 <CAA93jw54wzyocz2sgAaccuhpa9tZZX10nvU45+1TUEi8dntvFg@mail.gmail.com>
Message-ID: <5345837E.9060409@thekelleys.org.uk>

On 09/04/14 15:51, Dave Taht wrote:

> 
> My heart bleeds for the openssl folk and openssl derived application users
> right now. More investment into creating, maintaining and improving
> core crypto libraries is desperately needed to hold our civilization together.
> 

+1

Don't underestimate the contribution of all the people who take
responsibility for the software that runs as root, or exposed to the
net, on your machines. It's something I have nightmares about.


Simon.



From dave.taht at gmail.com  Wed Apr  9 18:03:57 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 9 Apr 2014 11:03:57 -0700
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <5345837E.9060409@thekelleys.org.uk>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
 <20140409132448.GK32069@harrier.slackbuilds.org>
 <CAA93jw54wzyocz2sgAaccuhpa9tZZX10nvU45+1TUEi8dntvFg@mail.gmail.com>
 <5345837E.9060409@thekelleys.org.uk>
Message-ID: <CAA93jw5eKmYJxG2KT604YgjgLHL_xCzq-+c5u9PHb-p7hp-n6w@mail.gmail.com>

On Wed, Apr 9, 2014 at 10:29 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 09/04/14 15:51, Dave Taht wrote:
>
>>
>> My heart bleeds for the openssl folk and openssl derived application users
>> right now. More investment into creating, maintaining and improving
>> core crypto libraries is desperately needed to hold our civilization together.
>>
>
> +1
>
> Don't underestimate the contribution of all the people who take
> responsibility for the software that runs as root, or exposed to the
> net, on your machines. It's something I have nightmares about.

+10.

:empathy waves:

In my case I merely have thousands of users dependent on the OS I create.
I can't push an update to them, and can only update the most current
version of the code to include support (which I did about 2 hours after
the disclosure), and hope people on my mailing list are paying
attention.

millions or billions of users would suck harder.

and I still have several internet facing machines left to fix,
and certs to recreate and redistribute.

I would have preferred to have spent my week doing something else.

The financial cost of patching this hole is nearly incalculable,
and the cost of having had it, or leaving it unpatched, is nearly infinite.

https://www.youtube.com/watch?v=_y36fG2Oba0

The cost of prevention is slight, in comparison.

>
> Simon.
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From weizen_42 at ipcop-forum.de  Wed Apr  9 18:11:49 2014
From: weizen_42 at ipcop-forum.de (Olaf Westrik)
Date: Wed, 09 Apr 2014 20:11:49 +0200
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <5345837E.9060409@thekelleys.org.uk>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca> <20140401165428.GZ13999@harrier.slackbuilds.org>
 <20140409132448.GK32069@harrier.slackbuilds.org>
 <CAA93jw54wzyocz2sgAaccuhpa9tZZX10nvU45+1TUEi8dntvFg@mail.gmail.com>
 <5345837E.9060409@thekelleys.org.uk>
Message-ID: <53458D65.8060104@ipcop-forum.de>

Simon,

> Don't underestimate the contribution of all the people who take
> responsibility for the software that runs as root, or exposed to the
> net, on your machines. It's something I have nightmares about.

I do hope that is not true and that you sleep well.
So much better to be rested and clear headed when coding :-)


Olaf


From M.Funke at olpe.de  Wed Apr  9 18:31:06 2014
From: M.Funke at olpe.de (Funke, Martin)
Date: Wed, 9 Apr 2014 18:31:06 +0000
Subject: [Dnsmasq-discuss] Ignore proxydhcp
Message-ID: <AFD3E786D12B844AA3E2D7A073B258881F64CE17@WMS000M04.intra.lan>

Hi everyone,

I'm using dnsmasq as a proxy DHCP for my Ubuntu LTSP.

My config so far:

# Configures dnsmasq for PXE client booting.
# All the files in /etc/dnsmasq.d/ override the main dnsmasq configuration in
# /etc/dnsmasq.conf.
# You may modify this file to suit your needs, or create new ones in dnsmasq.d/.

# Log lots of extra information about DHCP transactions.
#log-dhcp
# IP ranges to hand out.
#dhcp-range=192.168.67.20,192.168.67.250,8h

# If another DHCP server is present on the network, you may use a proxy range
# instead. This makes dnsmasq provide boot information but not IP leases.
# (needs dnsmasq 2.48+)
dhcp-range=10.0.0.0,proxy

dhcp-ignore=extern

# The rootpath option is used by both NFS and NBD.
dhcp-option=17,/opt/ltsp/i386

# Define common netboot types.
dhcp-vendorclass=etherboot,Etherboot
dhcp-vendorclass=pxe,PXEClient
dhcp-vendorclass=ltsp,"Linux ipconfig"

# Set the boot filename depending on the client vendor identifier.
# The boot filename is relative to tftp-root.
dhcp-boot=net:pxe,/ltsp/i386/pxelinux.0
dhcp-boot=net:etherboot,/ltsp/i386/nbi.img
dhcp-boot=net:ltsp,/ltsp/i386/lts.conf

# Kill multicast.
dhcp-option=vendor:pxe,6,2b

# Disable re-use of the DHCP servername and filename fields as extra
# option space. That's to avoid confusing some old or broken DHCP clients.
dhcp-no-override

# We don't want a PXE menu since we're using a graphical PXELinux menu.
#pxe-prompt="Press F8 for boot menu", 3

# The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
# Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
pxe-service=X86PC, "Boot from network", /ltsp/i386/pxelinux

# A boot service type of 0 is special, and will abort the
# net boot procedure and continue booting from local media.
#pxe-service=X86PC, "Boot from local hard disk", 0

# Comment the following to disable the TFTP server functionality of dnsmasq.
enable-tftp

# The TFTP directory. Sometimes /srv/tftp is used instead.
tftp-root=/var/lib/tftpboot/

# Disable the DNS server functionality of dnsmasq by setting port=0
port=0

# Don't listen on lo, to prevent conflicts with Ubuntu's local resolver hack (LP: #959037).
#except-interface=lo
#bind-interfaces

I tried dhcp-ignore=extern, and on my other DHCP server (ISC DHCP) I gave a group of MACs a DHCP vendor class identifier of "extern".

But my request is not honoured: the "extern" client also boots from the Ubuntu LTSP, even though it shouldn't.

Is there another way to do it?

What i need in the end is a solution to tell the clients X to boot from Ubuntu LTSP1 and clients Y boot from LTSP2.

Hope you can help :)

Best regards
Martin







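Both configs posted in this thread (Michael's iPXE chainload with dhcp-match/dhcp-boot, and the proxy-DHCP config above with dhcp-ignore=extern) turn on how dnsmasq derives a request's tag set and then tests tags against it. The following is an added example, not code from dnsmasq or from either poster: a small Python model of that evaluation, run over constructed config fragments and constructed requests. It assumes only the directives used in those two configs, takes the first matching dhcp-boot line (dnsmasq's own precedence between several matching lines is not modelled), and represents the request's DHCP options as a dict from option number to raw bytes.

```python
import re

# Added example: a constructed, deliberately small model of how dnsmasq derives the
# tag set for one DHCPv4 request and then applies dhcp-ignore / dhcp-boot to it.
# Assumptions: only dhcp-host, dhcp-match, dhcp-vendorclass, dhcp-ignore and dhcp-boot
# are modelled; the first matching dhcp-boot wins; "options" is {option-number: bytes}.


def parse_config(text):
    """dnsmasq-style lines -> [(directive, [fields])]. A '#' at line start or after
    whitespace begins a comment; surrounding double quotes on fields are dropped."""
    rules = []
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        rules.append((key.strip(), [f.strip().strip('"') for f in val.split(",")]))
    return rules


def _tag(field, prefixes):
    """Return the tag name if field carries one of the given prefixes, else None."""
    for p in prefixes:
        if field.startswith(p):
            return field[len(p):]
    return None


def derive_tags(rules, mac, options):
    """Tag set for one request: dhcp-host by MAC, dhcp-match by option presence,
    dhcp-vendorclass by substring match on option 60 (old bare-tag syntax allowed)."""
    tags = set()
    for key, fields in rules:
        if key == "dhcp-host" and fields[0].lower() == mac.lower():
            tags.update(t for t in (_tag(f, ("set:", "net:")) for f in fields[1:]) if t)
        elif key == "dhcp-match" and len(fields) == 2:
            opt = fields[1][7:] if fields[1].startswith("option:") else fields[1]
            if opt.isdigit() and int(opt) in options:
                tags.add(_tag(fields[0], ("set:",)) or fields[0])
        elif key == "dhcp-vendorclass" and len(fields) == 2:
            if fields[1].encode() in options.get(60, b""):
                tags.add(_tag(fields[0], ("set:",)) or fields[0])
    return tags


def conditions_hold(fields, tags):
    """tag:x requires x present, tag:!x requires x absent; all conditions are ANDed.
    Returns (holds, non-condition fields)."""
    rest, ok = [], True
    for f in fields:
        t = _tag(f, ("tag:", "net:"))
        if t is None:
            rest.append(f)
        elif t.startswith("!"):
            ok = ok and t[1:] not in tags
        else:
            ok = ok and t in tags
    return ok, rest


def is_ignored(rules, tags):
    """dhcp-ignore fires only when every tag it lists is in the request's tag set."""
    for key, fields in rules:
        if key == "dhcp-ignore":
            needed = {_tag(f, ("tag:", "net:")) or f for f in fields}
            if needed <= tags:
                return True
    return False


def boot_file(rules, tags):
    """First dhcp-boot whose conditions hold; its first non-tag field is the filename."""
    for key, fields in rules:
        if key == "dhcp-boot":
            ok, rest = conditions_hold(fields, tags)
            if ok and rest:
                return rest[0]
    return None


# Constructed fragment in the shape of the iPXE chainload config (tag: spelled correctly).
IPXE_CONF = """
dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-host=bc:ee:7b:25:3b:15,mythbed,set:mythbed,static
dhcp-boot=tag:!ipxe,tag:mythbed,ipxe.pxe
dhcp-boot=tag:ipxe,tag:mythbed,http://minimyth2/conf/mythbed/mythbed.ipxe
"""

# Constructed proxy-DHCP fragment: dhcp-ignore on a tag nothing sets, and the same
# fragment with a dhcp-vendorclass line mapping the client's option 60 to that tag.
IGNORE_CONF = "dhcp-range=10.0.0.0,proxy\ndhcp-ignore=extern\n"
IGNORE_CONF_MAPPED = IGNORE_CONF + "dhcp-vendorclass=set:extern,extern\n"


def decide(conf, mac, options):
    rules = parse_config(conf)
    tags = derive_tags(rules, mac, options)
    return {"tags": sorted(tags), "ignored": is_ignored(rules, tags), "boot": boot_file(rules, tags)}


if __name__ == "__main__":
    pxe_rom = {60: b"PXEClient:Arch:00000"}             # first stage: plain PXE ROM
    ipxe = {60: b"PXEClient:Arch:00000", 175: b"\x00"}  # second stage: iPXE adds option 175
    print(decide(IPXE_CONF, "bc:ee:7b:25:3b:15", pxe_rom))
    print(decide(IPXE_CONF, "bc:ee:7b:25:3b:15", ipxe))
    print(decide(IGNORE_CONF, "00:11:22:33:44:55", {60: b"extern"}))
    print(decide(IGNORE_CONF_MAPPED, "00:11:22:33:44:55", {60: b"extern"}))
```

Two things the model makes visible: a dhcp-boot condition has to be written tag:name (a field without that prefix is taken as the boot filename), and dhcp-ignore only ever compares tags, so a vendor class string sent by a client does nothing until a dhcp-vendorclass line maps it to a tag.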

From dave.taht at gmail.com  Wed Apr  9 18:45:50 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 9 Apr 2014 11:45:50 -0700
Subject: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp,
 or nettle with gmp?
In-Reply-To: <53458D65.8060104@ipcop-forum.de>
References: <5331962D.50000@yahoo.ca> <5331F174.8010709@thekelleys.org.uk>
 <8E937FAF-7E60-4F63-8E05-25906CDAE148@lonnie.abelbeck.com>
 <5331FA82.5080305@thekelleys.org.uk>
 <E3FD9CB6-624A-4615-B05B-9F4322AC91CD@lonnie.abelbeck.com>
 <53320592.4020609@thekelleys.org.uk>
 <CA++fYEhBF8q-Jt7LkBSfPrk2Lj13XKO6BOkAoRDY0edcO7dpfw@mail.gmail.com>
 <53320C7C.6010809@yahoo.ca>
 <20140401165428.GZ13999@harrier.slackbuilds.org>
 <20140409132448.GK32069@harrier.slackbuilds.org>
 <CAA93jw54wzyocz2sgAaccuhpa9tZZX10nvU45+1TUEi8dntvFg@mail.gmail.com>
 <5345837E.9060409@thekelleys.org.uk>
 <53458D65.8060104@ipcop-forum.de>
Message-ID: <CAA93jw57O8B3wtXKf4C7VfbkUpUysZcxWNPbxvKbRmY3GWH6VQ@mail.gmail.com>

On Wed, Apr 9, 2014 at 11:11 AM, Olaf Westrik <weizen_42 at ipcop-forum.de> wrote:
> Simon,
>
>
>> Don't underestimate the contribution of all the people who take
>> responsibility for the software that runs as root, or exposed to the
>> net, on your machines. It's something I have nightmares about.
>
>
> I do hope that is not true and that you sleep well.
> So much better to be rested and clear headed when coding :-)

I sleep more soundly knowing simon works on dnsmasq full time these days.

>
> Olaf
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From simon at thekelleys.org.uk  Wed Apr  9 20:13:33 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 09 Apr 2014 21:13:33 +0100
Subject: [Dnsmasq-discuss] Announce: dnsmasq-2.69
Message-ID: <5345A9ED.5000809@thekelleys.org.uk>

Dnsmasq-2.69 is here.

http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz

and (new) a signature

http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz.sign


Many thanks to all who've contributed this major milestone. Most are
mentioned in the CHANGELOG, but it's also necessary to thank Evan Hunt,
Dave Taht, Giovanni Bajo and Comcast.

Release notes below.

Cheers,

Simon.

----------------------------------------------------------------------

version 2.69
            Implement dynamic interface discovery on *BSD. This allows
            the constructor: syntax to be used in dhcp-range for DHCPv6
            on the BSD platform. Thanks to Matthias Andree for
            valuable research on how to implement this.

            Fix infinite loop associated with some --bogus-nxdomain
            configs. Thanks fogobogo for the bug report.

            Fix missing RA RDNS option with configuration like
            --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
            for spotting the problem.

            Add [fd00::] and [fe80::] as special addresses in DHCPv6
            options, analogous to [::]. [fd00::] is replaced with the
            actual ULA of the interface on the machine running
            dnsmasq, [fe80::] with the link-local address.
            Thanks to Tsachi Kimeldorfer for championing this.

            DNSSEC validation and caching. Dnsmasq needs to be
            compiled with this enabled, with

            make dnsmasq COPTS=-DHAVE_DNSSEC

            this adds dependencies on the nettle crypto library and the
            gmp maths library. It's possible to have these linked
            statically with

            make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'

            which bloats the dnsmasq binary, but saves the size of
            the shared libraries which are much bigger.

            To enable DNSSEC, you will need a set of
            trust-anchors. Now that the TLDs are signed, this can be
            the keys for the root zone, and for convenience they are
            included in trust-anchors.conf in the dnsmasq
            distribution. You should of course check that these are
            legitimate and up-to-date. So, adding

            conf-file=/path/to/trust-anchors.conf
            dnssec

            to your config is all that's needed to get things
            working. The upstream nameservers have to be DNSSEC-capable
            too, of course. Many ISP nameservers aren't, but the
            Google public nameservers (8.8.8.8 and 8.8.4.4) are.
            When DNSSEC is configured, dnsmasq validates any queries
            for domains which are signed. Query results which are
            bogus are replaced with SERVFAIL replies, and results
            which are correctly signed have the AD bit set. In
            addition, and just as importantly, dnsmasq supplies
            correct DNSSEC information to clients which are doing
            their own validation, and caches DNSKEY, DS and RRSIG
            records, which significantly improves the performance of
            downstream validators. Setting --log-queries will show
            DNSSEC in action.

            If a domain is returned from an upstream nameserver without
            DNSSEC signature, dnsmasq by default trusts this. This
            means that for unsigned zones (still the majority) there
            is effectively no cost for having DNSSEC enabled. Of course
            this allows an attacker to replace a signed record with a
            false unsigned record. This is addressed by the
            --dnssec-check-unsigned flag, which instructs dnsmasq
            to prove that an unsigned record is legitimate, by finding
            a secure proof that the zone containing the record is not
            signed. Doing this has costs (typically one or two extra
            upstream queries). It also has a nasty failure mode if
            dnsmasq's upstream nameservers are not DNSSEC capable.
            Without --dnssec-check-unsigned using such an upstream
            server will simply result in no queries being validated;
            with --dnssec-check-unsigned enabled and a
            DNSSEC-ignorant upstream server, _all_ queries will fail.

            Note that DNSSEC requires that the local time is valid and
            accurate, if not then DNSSEC validation will fail. NTP
            should be running. This presents a problem for routers
            without a battery-backed clock. To set the time needs NTP
            to do DNS lookups, but lookups will fail until NTP has run.
            To address this, there's a flag, --dnssec-no-timecheck
            which disables the time checks (only) in DNSSEC. When
            dnsmasq is started and the clock is not synced, this flag
            should be used. As soon as the clock is synced, SIGHUP
            dnsmasq.  The SIGHUP clears the cache of partially-
            validated data and resets the no-timecheck flag, so that
            all DNSSEC checks henceforward will be complete.

            The development of DNSSEC in dnsmasq was started by
            Giovanni Bajo, to whom huge thanks are owed. It has been
            supported by Comcast, whose techfund grant has allowed for
            an invaluable period of full-time work to get it to
            a workable state.

            Add --rev-server. Thanks to Dave Taht for suggesting this.

            Add --servers-file. Allows dynamic update of upstream
            servers full access to configuration.

            Add --local-service. Accept DNS queries only from hosts
            whose address is on a local subnet, ie a subnet for which
            an interface exists on the server. This option
            only has effect if there are no --interface --except-
            interface, --listen-address or --auth-server options. It is
            intended to be set as a default on installation, to allow
            unconfigured installations to be useful but also safe from
            being used for DNS amplification attacks.

            Fix crashes in cache_get_cname_target() when dangling CNAMEs
            encountered. Thanks to Andy and the rt-n56u project for
            finding this and helping to chase it down.

            Fix wrong RCODE in authoritative DNS replies to PTR
            queries. The correct answer was included, but the RCODE was
            set to NXDOMAIN. Thanks to Craig McQueen for spotting this.

            Make statistics available as DNS queries in the .bind TLD
            as well as logging them.
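
The release notes above describe how a validating dnsmasq answers: bogus data becomes SERVFAIL, validated data carries the AD bit, and unsigned data is passed through unchanged. As an added example, not part of the announcement or of dnsmasq, here is a Python sketch that builds the kind of query a downstream validator sends (an EDNS0 OPT record with the DO bit) and classifies a reply by those rules. The replies are constructed inside the block so it runs offline; the query ID, UDP buffer size and names are arbitrary choices.

```python
import struct

# Added example (not dnsmasq code): DO-bit query construction and reply classification
# following the notes' rules: SERVFAIL -> bogus, AD set -> secure, otherwise insecure.

FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
EDNS_DO = 0x8000  # the DO bit sits in the high half of the OPT pseudo-RR's TTL field


def encode_name(name):
    """Wire-format owner name: length-prefixed labels terminated by a zero byte."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return labels + b"\x00"


def build_do_query(name, qid=0x2A2A, qtype=1, udp_size=4096):
    """Header with RD, one question, and an OPT RR (root name, type 41,
    class = advertised UDP payload size, TTL = DO flag, empty RDATA)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)  # ARCOUNT=1 for the OPT RR
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, EDNS_DO, 0)
    return header + question + opt


def _question_end(msg, off=12):
    """Offset just past the first question (QNAME + QTYPE + QCLASS); no compression."""
    while msg[off] != 0:
        off += msg[off] + 1
    return off + 1 + 4


def make_reply(query, rcode, ad=False):
    """Constructed reply: same ID, echoes the question, sets QR/RA plus RCODE and AD."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AD if ad else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:_question_end(query)]


def classify_reply(query, reply):
    """('secure'|'bogus'|'insecure'|..., rcode) for a reply to the given query."""
    if len(reply) < 12 or reply[:2] != query[:2]:
        return ("id-mismatch", None)          # never accept an answer for a query you did not send
    flags = struct.unpack("!H", reply[2:4])[0]
    if not flags & FLAG_QR:
        return ("not-a-reply", None)
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return ("bogus", rcode)               # a validator replaces failed validation with SERVFAIL
    if flags & FLAG_AD:
        return ("secure", rcode)              # validated data (also a validated NXDOMAIN)
    return ("insecure", rcode)                # unsigned zone, or nobody validated


if __name__ == "__main__":
    q = build_do_query("example.com")
    for label, r in [("signed", make_reply(q, RCODE_NOERROR, ad=True)),
                     ("forged", make_reply(q, RCODE_SERVFAIL)),
                     ("unsigned", make_reply(q, RCODE_NOERROR))]:
        print(label, classify_reply(q, r))
```

The "insecure" outcome is the ambiguity the notes warn about: to a client it looks the same whether the zone really is unsigned or an unsigned forgery was accepted by a resolver running without --dnssec-check-unsigned, and the AD bit is only worth trusting when the path to the validating resolver (dnsmasq on localhost, say) cannot be tampered with.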



From simon at thekelleys.org.uk  Wed Apr  9 20:36:08 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 09 Apr 2014 21:36:08 +0100
Subject: [Dnsmasq-discuss] Announce: dnsmasq-2.69
In-Reply-To: <20140409203221.GH585@rampage>
References: <5345A9ED.5000809@thekelleys.org.uk> <20140409203221.GH585@rampage>
Message-ID: <5345AF38.10802@thekelleys.org.uk>

On 09/04/14 21:32, Dave Reisner wrote:
> On Wed, Apr 09, 2014 at 09:13:33PM +0100, Simon Kelley wrote:
>> Dnsmasq-2.69 is here.
>>
>> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz
>>
>> and (new) a signature
>>
>> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz.sign
>>
> 
> Hi Simon,
> 
> Thanks for providing GPG signatures for the source tarballs. Could I ask
> why you've chosen this particular extension? 

Ignorance, plain and simple. I'm new to this stuff, and not familiar
with the conventions.

> GPG normally expects .asc
> (ascii armored) or .sig (raw binary) extensions so this is somewhat
> unexpected. Verification still works, but it's not documented anywhere
> in gpg's manpage as an expected extension. To complicate matters
> somewhat more, kernel.org uses .sign as an extension but treats the
> situation differently -- they provide a single .sign file but multiple
> compression formats for the source tarballs. The signature validates
> against the decompressed tarball. This doesn't seem to be the case here,
> as the .sign validates against the gzip tarball.
> 
> I humbly ask that you use .asc for the signature.
> 
Sounds sensible, I'll change it now, before any dependencies form on my
initial setup.


Cheers,


Simon.





From dreisner at archlinux.org  Wed Apr  9 20:47:49 2014
From: dreisner at archlinux.org (Dave Reisner)
Date: Wed, 9 Apr 2014 16:47:49 -0400
Subject: [Dnsmasq-discuss] Announce: dnsmasq-2.69
In-Reply-To: <5345AF38.10802@thekelleys.org.uk>
References: <5345A9ED.5000809@thekelleys.org.uk> <20140409203221.GH585@rampage>
 <5345AF38.10802@thekelleys.org.uk>
Message-ID: <20140409204749.GI585@rampage>

On Wed, Apr 09, 2014 at 09:36:08PM +0100, Simon Kelley wrote:
> On 09/04/14 21:32, Dave Reisner wrote:
> > On Wed, Apr 09, 2014 at 09:13:33PM +0100, Simon Kelley wrote:
> >> Dnsmasq-2.69 is here.
> >>
> >> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz
> >>
> >> and (new) a signature
> >>
> >> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz.sign
> >>
> > 
> > Hi Simon,
> > 
> > Thanks for providing GPG signatures for the source tarballs. Could I ask
> > why you've chosen this particular extension? 
> 
> Ignorance, plain and simple. I'm new to this stuff, and not familiar
> with the conventions.
> 
> > GPG normally expects .asc
> > (ascii armored) or .sig (raw binary) extensions so this is somewhat
> > unexpected. Verification still works, but it's not documented anywhere
> > in gpg's manpage as an expected extension. To complicate matters
> > somewhat more, kernel.org uses .sign as an extension but treats the
> > situation differently -- they provide a single .sign file but multiple
> > compression formats for the source tarballs. The signature validates
> > against the decompressed tarball. This doesn't seem to be the case here,
> > as the .sign validates against the gzip tarball.
> > 
> > I humbly ask that you use .asc for the signature.
> > 
> Sounds sensible, I'll change it now, before any dependencies form on my
> initial setup.

Great! Thanks for the quick turnaround!

> 
> 
> Cheers,
> 
> 
> Simon.
> 
> 
> 


From mail at milen.pankov.eu  Wed Apr  9 21:24:11 2014
From: mail at milen.pankov.eu (Milen Pankov)
Date: Thu, 10 Apr 2014 00:24:11 +0300
Subject: [Dnsmasq-discuss] Upstream servers timeout
Message-ID: <5345BA7B.6070405@milen.pankov.eu>

Hi,

I am trying to use dnsmasq to send requests to upstream servers for
specific queries. My config file contains:

server=//192.168.0.4
server=//10.0.0.16
server=/de.example.com/192.168.0.4
server=/en.example.com/10.0.0.16

The upstream servers are reachable via a VPN connection and thus are
sometimes slow. Dnsmasq seems to return NXDOMAIN most of the time when
connecting to the one server and less often when connecting to the other
(maybe one is slower). The upstream servers are running dnsmasq too and I
have admin access to them. I can confirm by debugging that the requests are
sent to the right server and that this server is returning the correct
response while dnsmasq is returning NXDOMAIN. I think dnsmasq times out
waiting for an answer from the upstream servers after a specific period of
time. However, I cannot find such an option or variable. Is there a way to
completely disable this timeout, if any, or change it somehow? Any other
solution?

Thanks,
Milen


From simon at thekelleys.org.uk  Thu Apr 10 21:10:31 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 10 Apr 2014 22:10:31 +0100
Subject: [Dnsmasq-discuss] Upstream servers timeout
In-Reply-To: <5345BA7B.6070405@milen.pankov.eu>
References: <5345BA7B.6070405@milen.pankov.eu>
Message-ID: <534708C7.905@thekelleys.org.uk>

On 09/04/14 22:24, Milen Pankov wrote:
> Hi,
> 
> I am trying to use dnsmasq to send requests to upstream servers for
> specific queries. My config file contains:
> 
> server=//192.168.0.4
> server=//10.0.0.16
> server=/de.example.com/192.168.0.4
> server=/en.example.com/10.0.0.16
> 
> The upstream servers are reachable via a VPN connection and thus are
> sometimes slow. Dnsmasq seems to return NXDOMAIN most of the time when
> connecting to the one server and less often when connecting to the other
> (maybe one is slower). The upstream servers are running dnsmasq too and I
> have admin access to them. I can confirm by debugging that the requests are
> sent to the right server and that this server is returning the correct
> response while dnsmasq is returning NXDOMAIN. I think dnsmasq times out
> waiting for an answer from the upstream servers after a specific period of
> time. However, I cannot find such an option or variable. Is there a way to
> completely disable this timeout, if any, or change it somehow? Any other
> solution?
> 

There is _no_ timeout function in dnsmasq, (at least not for UDP
queries). If the upstream server never replies, then dnsmasq will never
reply either. Eventually, dnsmasq will recover the resources used to
handle the request, but it doesn't send an NXDOMAIN reply as part of
that. The timeout happens in the resolver library in the original requestor.

Cheers,


Simon.
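
Simon's point is easy to confirm on a workstation. The following is an added example, not dnsmasq code: two constructed stub "upstreams" on 127.0.0.1, one that silently drops every query (a dead or very slow VPN peer) and one that answers NXDOMAIN, plus a client that sends a single UDP query with a resolver-style timeout. The dropped query surfaces as a timeout at the requestor, never as RCODE 3. Ports are chosen by the kernel and the query ID is arbitrary.

```python
import socket
import struct
import threading

# Added example (not dnsmasq code): a forwarder that never answers produces a
# client-side timeout, not an NXDOMAIN. Both "upstreams" below are constructed stubs.


def build_query(name, qid=0x0DEA):
    """Minimal A query with RD set; no EDNS."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def start_stub_upstream(mode):
    """mode='drop': read and discard every query; mode='nxdomain': echo the question
    back with QR|RD|RA set and RCODE 3. Returns the bound UDP port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                data, peer = sock.recvfrom(512)
            except OSError:
                return
            if mode == "nxdomain" and len(data) >= 12:
                sock.sendto(data[:2] + struct.pack("!H", 0x8183) + data[4:], peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]


def resolve_once(port, name, timeout):
    """One UDP query against 127.0.0.1:port with a resolver-style timeout.
    Returns ('timeout', None), ('mismatch', None) or ('rcode', n)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, ("127.0.0.1", port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return ("timeout", None)          # nothing came back: the requestor gave up
    if len(data) < 12 or data[:2] != query[:2]:
        return ("mismatch", None)             # answer to some other query; discard it
    return ("rcode", struct.unpack("!H", data[2:4])[0] & 0x000F)


if __name__ == "__main__":
    dead = start_stub_upstream("drop")
    nx = start_stub_upstream("nxdomain")
    print("dead upstream:", resolve_once(dead, "de.example.com", timeout=1.0))
    print("nxdomain upstream:", resolve_once(nx, "de.example.com", timeout=1.0))
```

If a client library reports that timeout as a name-not-found error, that is the library's reporting, not an NXDOMAIN from dnsmasq; with --log-queries the difference is visible on the forwarder, since a dropped query leaves a "forwarded" line with no matching "reply" line.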




From pashajurev at mail.ru  Fri Apr 11 04:11:24 2014
From: pashajurev at mail.ru (Павел Юрьев)
Date: Fri, 11 Apr 2014 08:11:24 +0400
Subject: [Dnsmasq-discuss] DHCPNAK
Message-ID: <1397189484.120599420@f426.i.mail.ru>

Hello! Sorry for my incorrect English. I have a question for you about DHCPNAK. I need to send it immediately after starting the server. To do this, I made it a separate function and call it directly from dhcp.c. But I am faced with a problem: according to the information printed, the packet is formed with the necessary parameters, but it does not reach the addressee. Can you tell me what the reason could be? Thank you.

From stephane at 22decembre.eu  Fri Apr 11 09:42:17 2014
From: stephane at 22decembre.eu (Stéphane Guedon)
Date: Fri, 11 Apr 2014 11:42:17 +0200
Subject: [Dnsmasq-discuss] Announce: dnsmasq-2.69
In-Reply-To: <5345A9ED.5000809@thekelleys.org.uk>
References: <5345A9ED.5000809@thekelleys.org.uk>
Message-ID: <2301963.hokz25g2Xh@luciole>

Le mercredi 9 avril 2014, 21:13:33 Simon Kelley a écrit :
> Dnsmasq-2.69 is here.
> 
> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz
> 
> and (new) a signature
> 
> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz.sign
> 
> 
> Many thanks to all who've contributed this major milestone. Most are
> mentioned in the CHANGELOG, but it's also necessary to thank Evan
> Hunt, Dave Taht, Giovanni Bajo and Comcast.
> 
> Release notes below.
> 
> Cheers,
> 
> Simon.
> 
> --------------------------------------------------------------------
> --
> 
> version 2.69
>             Implement dynamic interface discovery on *BSD. This
> allows the constructor: syntax to be used in dhcp-range for DHCPv6
> on the BSD platform. Thanks to Matthias Andree for valuable
> research on how to implement this.
> 
>             Fix infinite loop associated with some --bogus-nxdomain
>             configs. Thanks fogobogo for the bug report.
> 
>             Fix missing RA RDNS option with configuration like
>             --dhcp-option=option6:23,[::] Thanks to Tsachi
> Kimeldorfer for spotting the problem.
> 
>             Add [fd00::] and [fe80::] as special addresses in DHCPv6
> options, analogous to [::]. [fd00::] is replaced with the actual
> ULA of the interface on the machine running dnsmasq, [fe80::] with
> the link-local address. Thanks to Tsachi Kimeldorfer for
> championing this.
> 
>             DNSSEC validation and caching. Dnsmasq needs to be
>             compiled with this enabled, with
> 
>             make dnsmasq COPTS=-DHAVE_DNSSEC
> 
>             this adds dependencies on the nettle crypto library and
> the gmp maths library. It's possible to have these linked
> statically with
> 
>             make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
> 
>             which bloats the dnsmasq binary, but saves the size of
>             the shared libraries which are much bigger.
> 
>             To enable, DNSSEC, you will need a set of
>             trust-anchors. Now that the TLDs are signed, this can be
> the keys for the root zone, and for convenience they are included
> in trust-anchors.conf in the dnsmasq
>             distribution. You should of course check that these are
>             legitimate and up-to-date. So, adding
> 
>             conf-file=/path/to/trust-anchors.conf
>             dnssec
> 
>             to your config is all thats needed to get things
>             working. The upstream nameservers have to be
> DNSSEC-capable too, of course. Many ISP nameservers aren't, but the
> Google public nameservers (8.8.8.8 and 8.8.4.4) are. When DNSSEC is
> configured, dnsmasq validates any queries for domains which are
> signed. Query results which are bogus are replaced with SERVFAIL
> replies, and results which are correctly signed have the AD bit
> set. In addition, and just as importantly, dnsmasq supplies correct
> DNSSEC information to clients which are doing their own validation,
> and caches DNSKEY, DS and RRSIG records, which significantly
> improve the performance of downstream validators. Setting
> --log-queries will show DNSSEC in action.
> 
>             If a domain is returned from an upstream nameserver
> without DNSSEC signature, dnsmasq by default trusts this. This
> means that for unsigned zone (still the majority) there is
> effectively no cost for having DNSSEC enabled. Of course this
> allows an attacker to replace a signed record with a false unsigned
> record. This is addressed by the --dnssec-check-unsigned flag,
> which instructs dnsmasq to prove that an unsigned record is
> legitimate, by finding a secure proof that the zone containing the
> record is not signed. Doing this has costs (typically one or two
> extra upstream queries). It also has a nasty failure mode if
> dnsmasq's upstream nameservers are not DNSSEC capable. Without
> --dnssec-check-unsigned using such an upstream server will simply
> result in not queries being validated; with --dnssec-check-unsigned
> enabled and a
>             DNSSEC-ignorant upstream server, _all_ queries will
> fail.
> 
>             Note that DNSSEC requires that the local time is valid
> and accurate, if not then DNSSEC validation will fail. NTP should
> be running. This presents a problem for routers without a
> battery-backed clock. To set the time needs NTP to do DNS lookups,
> but lookups will fail until NTP has run. To address this, there's a
> flag, --dnssec-no-timecheck which disables the time checks (only)
> in DNSSEC. When dnsmasq is started and the clock is not synced,
> this flag should be used. As soon as the clock is synced, SIGHUP
> dnsmasq.  The SIGHUP clears the cache of partially- validated data
> and resets the no-timecheck flag, so that all DNSSEC checks
> henceforward will be complete.
> 
>             The development of DNSSEC in dnsmasq was started by
>             Giovanni Bajo, to whom huge thanks are owed. It has been
> supported by Comcast, whose techfund grant has allowed for an
> invaluable period of full-time work to get it to a workable state.
> 
>             Add --rev-server. Thanks to Dave Taht for suggesting
> this.
> 
>             Add --servers-file. Allows dynamic update of upstream
>             servers full access to configuration.
> 
>             Add --local-service. Accept DNS queries only from hosts
>             whose address is on a local subnet, ie a subnet for
> which an interface exists on the server. This option only has
> effect if there are no --interface --except- interface,
> --listen-address or --auth-server options. It is intended to be set
> as a default on installation, to allow unconfigured installations
> to be useful but also safe from being used for DNS amplification
> attacks.
> 
>             Fix crashes in cache_get_cname_target() when dangling
> CNAMEs encountered. Thanks to Andy and the rt-n56u project for find
> this and helping to chase it down.
> 
>             Fix wrong RCODE in authoritative DNS replies to PTR
>             queries. The correct answer was included, but the RCODE
> was set to NXDOMAIN. Thanks to Craig McQueen for spotting this.
> 
>             Make statistics available as DNS queries in the .bind
> TLD as well as logging them.
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Good! But anyway, we still need a resolver.
Why not consider making dnsmasq act as a resolver itself too?

Thanks for your work (I didn't try the release, but you deserve some 
congrats...)!
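
The release notes above describe what a client of a validating dnsmasq sees on the wire: a correctly signed answer carries the AD bit, a bogus answer comes back as SERVFAIL, and an unsigned zone is passed through untouched unless --dnssec-check-unsigned is set. As an added illustration (not dnsmasq's code and not posted by anyone in this thread), the following C program classifies a raw DNS reply from those header bits alone. The sample packets are constructed inline, and the enum and function names (classify_reply, dnssec_status_name) are mine, not dnsmasq's.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Bits of the 16-bit flags word at header bytes 2-3 (RFC 1035 s4.1.1;
 * AD and CD from RFC 4035 s3.2). */
#define FLAG_QR    0x8000   /* 1 = this is a reply */
#define FLAG_RA    0x0080   /* recursion available */
#define FLAG_AD    0x0020   /* authentic data: the resolver validated the answer */
#define FLAG_CD    0x0010   /* checking disabled: the client asked for no validation */
#define RCODE_MASK 0x000F

#define RCODE_NOERROR  0
#define RCODE_SERVFAIL 2
#define RCODE_NXDOMAIN 3

enum dnssec_status {
    DNSSEC_MALFORMED = -1,  /* shorter than a DNS header */
    DNSSEC_SECURE,          /* NOERROR/NXDOMAIN with AD set: validated chain of trust */
    DNSSEC_INSECURE,        /* NOERROR/NXDOMAIN, AD clear: unsigned zone, or no validation */
    DNSSEC_BOGUS,           /* SERVFAIL: the validator could not validate the answer */
    DNSSEC_OTHER_ERROR,     /* REFUSED, FORMERR, ...: not a DNSSEC verdict */
    DNSSEC_NOT_A_REPLY,     /* QR clear: this is a query, not a reply */
    DNSSEC_UNVALIDATED      /* CD set: the client opted out of validation */
};

/* Classify a raw reply as seen by a client of a validating resolver.
 * Only the 12-byte header is inspected, so the buffer can be passed
 * straight from recvfrom(). Note that SERVFAIL is not only "bogus data":
 * the same code comes back when validation cannot complete at all, for
 * example with a DNSSEC-ignorant upstream and --dnssec-check-unsigned,
 * or an unsynced clock without --dnssec-no-timecheck. */
int classify_reply(const unsigned char *pkt, size_t len)
{
    if (len < 12)
        return DNSSEC_MALFORMED;
    uint16_t flags = (uint16_t)(((uint16_t)pkt[2] << 8) | pkt[3]);
    if (!(flags & FLAG_QR))
        return DNSSEC_NOT_A_REPLY;
    int rcode = flags & RCODE_MASK;
    if (rcode == RCODE_SERVFAIL)
        return DNSSEC_BOGUS;
    if (rcode != RCODE_NOERROR && rcode != RCODE_NXDOMAIN)
        return DNSSEC_OTHER_ERROR;
    if (flags & FLAG_CD)
        return DNSSEC_UNVALIDATED;
    return (flags & FLAG_AD) ? DNSSEC_SECURE : DNSSEC_INSECURE;
}

const char *dnssec_status_name(int s)
{
    switch (s) {
    case DNSSEC_SECURE:      return "secure";
    case DNSSEC_INSECURE:    return "insecure";
    case DNSSEC_BOGUS:       return "bogus/servfail";
    case DNSSEC_OTHER_ERROR: return "other-error";
    case DNSSEC_NOT_A_REPLY: return "not-a-reply";
    case DNSSEC_UNVALIDATED: return "unvalidated (CD)";
    default:                 return "malformed";
    }
}

/* Constructed sample headers (ID 0x1234, QDCOUNT 1, ANCOUNT 1 or 0).
 * Flags word: QR|RD|RA = 0x8180, plus AD = 0x81a0, or RCODE 2 = 0x8182. */
const unsigned char reply_secure[12]   = { 0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,0 };
const unsigned char reply_insecure[12] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0 };
const unsigned char reply_bogus[12]    = { 0x12,0x34, 0x81,0x82, 0,1, 0,0, 0,0, 0,0 };
const unsigned char query_only[12]     = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0 };

int main(void)
{
    printf("secure   -> %s\n", dnssec_status_name(classify_reply(reply_secure, 12)));
    printf("insecure -> %s\n", dnssec_status_name(classify_reply(reply_insecure, 12)));
    printf("bogus    -> %s\n", dnssec_status_name(classify_reply(reply_bogus, 12)));
    printf("query    -> %s\n", dnssec_status_name(classify_reply(query_only, 12)));
    return 0;
}
```

A monitoring probe can send a query for a name known to be signed through the dnsmasq instance and alert when the verdict changes: secure dropping to insecure means validation has stopped happening (unsigned answers are trusted by default, as the notes say), while everything turning bogus/servfail points at the failure modes described above, a DNSSEC-ignorant upstream with --dnssec-check-unsigned or an unsynced clock without --dnssec-no-timecheck. The AD bit is only worth acting on when the path between resolver and client is trusted; a client on an untrusted network should validate itself from the RRSIG and DNSKEY records dnsmasq passes through.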



From stephane at 22decembre.eu  Fri Apr 11 09:56:50 2014
From: stephane at 22decembre.eu (Stéphane Guedon)
Date: Fri, 11 Apr 2014 11:56:50 +0200
Subject: [Dnsmasq-discuss] dhcpv6 and RA
Message-ID: <2404626.JC2q4nnrhh@luciole>

Hello

I want to make IPv6 work on DHCP in the network, to make addressing 
with hostnames possible. I have seen it works well with some of the 
LAN hosts (these hosts get IPv6 and are registered in the local 
domain).

But one of my clients doesn't behave correctly:

no hostname is registered
after some time, the default IPv6 route disappears (the networking 
process disables accept_ra in the kernel, which erases the route).

This host is a Debian jessie/testing. When I ask it to make its 
address with "auto", the default route stays:

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

When I ask for dhcp, the default route is erased 15 minutes after boot, 
as said above.

My question is: is it related to dnsmasq? Maybe I placed a wrong 
option which tells DHCPv6 clients to disable router advertisement accepting?

Here is my config related to the topic:

interface=re0
dhcp-range=192.168.87.50,192.168.87.200,255.255.255.0,12h
dhcp-range=2001:16d8:dd00:8207::100, 2001:16d8:dd00:8207::8000,ra-names
enable-ra
dhcp-option=option:router,192.168.87.1
dhcp-option=option:ntp-server,0.0.0.0
dhcp-option=option:dns-server,192.168.87.3,192.168.87.5,208.67.222.222
dhcp-option=option:domain-search,22decembre.eu

dhcp-option=option6:dns-server,[::],[2620:0:ccd::2]
dhcp-option=option6:ntp-server,[::]
dhcp-option=option6:domain-search,22decembre.eu
dhcp-authoritative

Thanks for any help on the topic.


From darren.j.breeze.ml at gmail.com  Fri Apr 11 23:07:52 2014
From: darren.j.breeze.ml at gmail.com (Darren Breeze ML)
Date: Sat, 12 Apr 2014 07:07:52 +0800
Subject: [Dnsmasq-discuss] dns regex
Message-ID: <534875C8.2070909@gmail.com>

Hi

I am trying to map the various Google sites around the world back to a 
single Google site (nosslsearch.google.com).

Is there a way currently with dnsmasq to map the various regional Google 
sites (www.google.com.ca, www.google.com.hk, google.com.sg etc.) back to 
the nossl IP address without adding a record in dnsmasq for each one?

I have seen that there is a regex patch floating around, but is there 
another way before I build a patched version?

thanks

Darren Breeze

From larkwang at gmail.com  Sat Apr 12 13:06:11 2014
From: larkwang at gmail.com (Wang Jian)
Date: Sat, 12 Apr 2014 21:06:11 +0800
Subject: [Dnsmasq-discuss] ipset action doesn't work in 2.69
Message-ID: <CAF75rJArVQMzEwHWjFRynv86K=ezyB2sUaZ74MvXO+qCSz1a+w@mail.gmail.com>

Hi,

I built a 2.69 deb package from the git tree to use the new ipset action
log. To my surprise, the ipset action stops working.

I traced process_reply() and found some strange behavior, but I am
not familiar with util.c, so I can only provide what I found. (Break
at process_reply(), then break at hostname_isequal().)

I use 'host 6pm.com' to trigger the breakpoint. In the output, you
can see 6pm.com should be matched but actually is not.

---- snip ----

Breakpoint 1, process_reply (header=header at entry=0x85cb278,
now=now at entry=1397305916, server=server at entry=0x85d70a8,
    n=n at entry=267, check_rebind=check_rebind at entry=0,
no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
    added_pheader=0, check_subnet=0,
query_source=query_source at entry=0x85d2e68) at forward.c:545
545     forward.c: No such file or directory.
(gdb) display ipset_pos->domain
1: ipset_pos->domain = 0x85d5040 "6pm.com"
(gdb) break hostname_isequal
Breakpoint 2 at 0x8059410: file util.c, line 288.
(gdb) c
Continuing.

Breakpoint 2, hostname_isequal (a=a at entry=0x85c9859 "6pm\003com",
b=b at entry=0x85d5040 "6pm.com") at util.c:288
288     util.c: No such file or directory.
(gdb) display a
2: a = 0x85c9859 "6pm\003com"
(gdb) display b
3: b = 0x85d5040 "6pm.com"
(gdb) c
Continuing.

Breakpoint 1, process_reply (header=header at entry=0x85cb278,
now=now at entry=1397305916, server=server at entry=0x85d70a8,
    n=n at entry=267, check_rebind=check_rebind at entry=0,
no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
    added_pheader=0, check_subnet=0,
query_source=query_source at entry=0x85d2e68) at forward.c:545
545     forward.c: No such file or directory.
1: ipset_pos->domain = 0x85d4e68 "zlib.net"
(gdb)
Continuing.

Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
"\003\066pm\003com", b=b at entry=0x85d4e68 "zlib.net") at util.c:288
288     util.c: No such file or directory.
3: b = 0x85d4e68 "zlib.net"
2: a = 0x85c9858 "\003\066pm\003com"
(gdb)
Continuing.

Breakpoint 1, process_reply (header=header at entry=0x85cb278,
now=now at entry=1397305916, server=server at entry=0x85d70a8,
    n=n at entry=267, check_rebind=check_rebind at entry=0,
no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
    added_pheader=0, check_subnet=0,
query_source=query_source at entry=0x85d2e68) at forward.c:545
545     forward.c: No such file or directory.
1: ipset_pos->domain = 0x85d47c8 "hulu.com"
(gdb)
Continuing.

Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
"\003\066pm\003com", b=b at entry=0x85d47c8 "hulu.com") at util.c:288
288     util.c: No such file or directory.
3: b = 0x85d47c8 "hulu.com"
2: a = 0x85c9858 "\003\066pm\003com"
(gdb)
Continuing.

Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858 "6pm.com",
b=b at entry=0x85d69b0 "6pm.com") at util.c:288
288     in util.c
3: b = 0x85d69b0 "6pm.com"
2: a = 0x85c9858 "6pm.com"
(gdb)
Continuing.

Breakpoint 2, hostname_isequal (a=0x85d69b0 "6pm.com", b=0x85d7240
"wiki.nginx.org") at util.c:288
288     in util.c
3: b = 0x85d7240 "wiki.nginx.org"
2: a = 0x85d69b0 "6pm.com"
(gdb)


From larkwang at gmail.com  Sat Apr 12 16:39:38 2014
From: larkwang at gmail.com (Wang Jian)
Date: Sun, 13 Apr 2014 00:39:38 +0800
Subject: [Dnsmasq-discuss] ipset action doesn't work in 2.69
In-Reply-To: <CAF75rJArVQMzEwHWjFRynv86K=ezyB2sUaZ74MvXO+qCSz1a+w@mail.gmail.com>
References: <CAF75rJArVQMzEwHWjFRynv86K=ezyB2sUaZ74MvXO+qCSz1a+w@mail.gmail.com>
Message-ID: <CAF75rJC-P3h96hgvNu2SxkQTjXW01we3yDWPtgpjVdALTSF8yQ@mail.gmail.com>

Simply running 'make' within the git tree (checkout v2.69), I get a binary which works.

# ./dnsmasq -v
Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC


Running 'git-buildpackage --git-debian-tag=v2.69
--git-upstream-tag=v2.69' in the git tree, I get a binary which doesn't
work.

# /usr/sbin/dnsmasq -v
Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
TFTP conntrack ipset auth DNSSEC


The 2.69 binary from sid repository doesn't work, either.


2014-04-12 21:06 GMT+08:00 Wang Jian <larkwang at gmail.com>:
> Hi,
>
> I build 2.69 deb package from git tree to use the new ipset action
> log. To my surprise, ipset action stops working.
>
> I traced the process_reply() and found some strange behavior, but I am
> not familiar with util.c, so I can only provide what I found. (break
> at process_reply() then break at hostname_isequal(). )
>
> I use 'host 6pm.com' to trigger the break point.  In the output, you
> can see 6pm.com should be matched but actually not.
>
> ---- snip ----
>
> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>     n=n at entry=267, check_rebind=check_rebind at entry=0,
> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>     added_pheader=0, check_subnet=0,
> query_source=query_source at entry=0x85d2e68) at forward.c:545
> 545     forward.c: No such file or directory.
> (gdb) display ipset_pos->domain
> 1: ipset_pos->domain = 0x85d5040 "6pm.com"
> (gdb) break hostname_isequal
> Breakpoint 2 at 0x8059410: file util.c, line 288.
> (gdb) c
> Continuing.
>
> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9859 "6pm\003com",
> b=b at entry=0x85d5040 "6pm.com") at util.c:288
> 288     util.c: No such file or directory.
> (gdb) display a
> 2: a = 0x85c9859 "6pm\003com"
> (gdb) display b
> 3: b = 0x85d5040 "6pm.com"
> (gdb) c
> Continuing.
>
> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>     n=n at entry=267, check_rebind=check_rebind at entry=0,
> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>     added_pheader=0, check_subnet=0,
> query_source=query_source at entry=0x85d2e68) at forward.c:545
> 545     forward.c: No such file or directory.
> 1: ipset_pos->domain = 0x85d4e68 "zlib.net"
> (gdb)
> Continuing.
>
> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
> "\003\066pm\003com", b=b at entry=0x85d4e68 "zlib.net") at util.c:288
> 288     util.c: No such file or directory.
> 3: b = 0x85d4e68 "zlib.net"
> 2: a = 0x85c9858 "\003\066pm\003com"
> (gdb)
> Continuing.
>
> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>     n=n at entry=267, check_rebind=check_rebind at entry=0,
> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>     added_pheader=0, check_subnet=0,
> query_source=query_source at entry=0x85d2e68) at forward.c:545
> 545     forward.c: No such file or directory.
> 1: ipset_pos->domain = 0x85d47c8 "hulu.com"
> (gdb)
> Continuing.
>
> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
> "\003\066pm\003com", b=b at entry=0x85d47c8 "hulu.com") at util.c:288
> 288     util.c: No such file or directory.
> 3: b = 0x85d47c8 "hulu.com"
> 2: a = 0x85c9858 "\003\066pm\003com"
> (gdb)
> Continuing.
>
> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858 "6pm.com",
> b=b at entry=0x85d69b0 "6pm.com") at util.c:288
> 288     in util.c
> 3: b = 0x85d69b0 "6pm.com"
> 2: a = 0x85c9858 "6pm.com"
> (gdb)
> Continuing.
>
> Breakpoint 2, hostname_isequal (a=0x85d69b0 "6pm.com", b=0x85d7240
> "wiki.nginx.org") at util.c:288
> 288     in util.c
> 3: b = 0x85d7240 "wiki.nginx.org"
> 2: a = 0x85d69b0 "6pm.com"
> (gdb)


From brad at comstyle.com  Sun Apr 13 01:59:27 2014
From: brad at comstyle.com (Brad Smith)
Date: Sat, 12 Apr 2014 21:59:27 -0400
Subject: [Dnsmasq-discuss] Announce: dnsmasq-2.69
In-Reply-To: <2301963.hokz25g2Xh@luciole>
References: <5345A9ED.5000809@thekelleys.org.uk> <2301963.hokz25g2Xh@luciole>
Message-ID: <5349EF7F.8060104@comstyle.com>

On 11/04/14 5:42 AM, Stéphane Guedon wrote:
> Good! But anyway, we still need a resolver.
> Why not consider making dnsmasq act as a resolver itself too?

It is outside of the scope of what dnsmasq is for.

> Thanks for your work (I didn't try the release, but you deserve some
> congrats...)!


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



From dave.taht at gmail.com  Sun Apr 13 05:31:30 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Sat, 12 Apr 2014 22:31:30 -0700
Subject: [Dnsmasq-discuss] byte swapping test in coverity
Message-ID: <CAA93jw4V3sVzV5E5ayXwBc4h84frbPUX0=ETVETf0TSLccGkSg@mail.gmail.com>

wonder if this would have picked up one of the earlier dnssec bugs...

http://blog.regehr.org/archives/1128

-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From simon at thekelleys.org.uk  Sun Apr 13 19:01:50 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 13 Apr 2014 20:01:50 +0100
Subject: [Dnsmasq-discuss] DHCPNAK
In-Reply-To: <1397189484.120599420@f426.i.mail.ru>
References: <1397189484.120599420@f426.i.mail.ru>
Message-ID: <534ADF1E.4010607@thekelleys.org.uk>

On 11/04/14 05:11, ????? ????? wrote:
> Hello! Sorry for my incorrect English. I have a question for you on
> the DHCPNAK. I need to send it immediately after starting the server.
> In turn, I made it a separate function and call it directly from dhcp.c.
> But I faced a problem: according to the information, the message packet
> is formed with the necessary parameters, but it does not reach the
> addressee. Tell me what could be the reason? Thanks.


It's difficult to say; you don't give much information. Are you sending
the DHCPNAK in response to a request from the client? Maybe look at the
code in rfc2131.c that sends DHCPNAK?


Cheers,


Simon.



From simon at thekelleys.org.uk  Sun Apr 13 19:14:48 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 13 Apr 2014 20:14:48 +0100
Subject: [Dnsmasq-discuss] dns regex
In-Reply-To: <534875C8.2070909@gmail.com>
References: <534875C8.2070909@gmail.com>
Message-ID: <534AE228.8020804@thekelleys.org.uk>

On 12/04/14 00:07, Darren Breeze ML wrote:
> Hi
> 
> I am trying to map the various google sites around the world back to a
> single google site (nosslsearch.google.com
> <http://nosslsearch.google.com/> )
> 
> is there a way currently with dnsmasq to map the various regional google
> sites (www.google.com.ca, www.google.com.hk, google.com.sg etc.) back to
> the nossl ip address without adding a record in dnsmasq for each one?
> 
> I have seen that there is a regex patch floating around but is there
> another way before I build a patched version?

I can't think of one. Patching is probably the way to go.


Cheers,


Simon.

> 
> thanks
> 
> Darren Breeze
> 
> 
> 
> 



From simon at thekelleys.org.uk  Sun Apr 13 19:53:16 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 13 Apr 2014 20:53:16 +0100
Subject: [Dnsmasq-discuss] ipset action doesn't work in 2.69
In-Reply-To: <CAF75rJC-P3h96hgvNu2SxkQTjXW01we3yDWPtgpjVdALTSF8yQ@mail.gmail.com>
References: <CAF75rJArVQMzEwHWjFRynv86K=ezyB2sUaZ74MvXO+qCSz1a+w@mail.gmail.com>
 <CAF75rJC-P3h96hgvNu2SxkQTjXW01we3yDWPtgpjVdALTSF8yQ@mail.gmail.com>
Message-ID: <534AEB2C.7070507@thekelleys.org.uk>

I think the problem is that the ipset code simply assumes that the query
domain will be in daemon->namebuff, which isn't in general true, but
happened to be by chance before. When DNSSEC is compiled in,
daemon->namebuff gets used as workspace for DNSSEC and the invalid
assumption of the ipset code is no longer true.

I've pushed a possible (but untested) fix to the git repo. Does that
help for you?




Cheers,

Simon.



On 12/04/14 17:39, Wang Jian wrote:
> Simply 'make' within git tree (checkout v2.69), I get a binary which works.
> 
> # ./dnsmasq -v
> Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
> DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC
> 
> 
> Running 'git-buildpackage --git-debian-tag=v2.69
> --git-upstream-tag=v2.69' in git tree, I get a binary which doesn't
> work
> 
> # /usr/sbin/dnsmasq -v
> Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
> TFTP conntrack ipset auth DNSSEC
> 
> 
> The 2.69 binary from sid repository doesn't work, either.
> 
> 
> 2014-04-12 21:06 GMT+08:00 Wang Jian <larkwang at gmail.com>:
>> Hi,
>>
>> I build 2.69 deb package from git tree to use the new ipset action
>> log. To my surprise, ipset action stops working.
>>
>> I traced the process_reply() and found some strange behavior, but I am
>> not familiar with util.c, so I can only provide what I found. (break
>> at process_reply() then break at hostname_isequal(). )
>>
>> I use 'host 6pm.com' to trigger the break point.  In the output, you
>> can see 6pm.com should be matched but actually not.
>>
>> ---- snip ----
>>
>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>     added_pheader=0, check_subnet=0,
>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>> 545     forward.c: No such file or directory.
>> (gdb) display ipset_pos->domain
>> 1: ipset_pos->domain = 0x85d5040 "6pm.com"
>> (gdb) break hostname_isequal
>> Breakpoint 2 at 0x8059410: file util.c, line 288.
>> (gdb) c
>> Continuing.
>>
>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9859 "6pm\003com",
>> b=b at entry=0x85d5040 "6pm.com") at util.c:288
>> 288     util.c: No such file or directory.
>> (gdb) display a
>> 2: a = 0x85c9859 "6pm\003com"
>> (gdb) display b
>> 3: b = 0x85d5040 "6pm.com"
>> (gdb) c
>> Continuing.
>>
>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>     added_pheader=0, check_subnet=0,
>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>> 545     forward.c: No such file or directory.
>> 1: ipset_pos->domain = 0x85d4e68 "zlib.net"
>> (gdb)
>> Continuing.
>>
>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
>> "\003\066pm\003com", b=b at entry=0x85d4e68 "zlib.net") at util.c:288
>> 288     util.c: No such file or directory.
>> 3: b = 0x85d4e68 "zlib.net"
>> 2: a = 0x85c9858 "\003\066pm\003com"
>> (gdb)
>> Continuing.
>>
>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>     added_pheader=0, check_subnet=0,
>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>> 545     forward.c: No such file or directory.
>> 1: ipset_pos->domain = 0x85d47c8 "hulu.com"
>> (gdb)
>> Continuing.
>>
>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
>> "\003\066pm\003com", b=b at entry=0x85d47c8 "hulu.com") at util.c:288
>> 288     util.c: No such file or directory.
>> 3: b = 0x85d47c8 "hulu.com"
>> 2: a = 0x85c9858 "\003\066pm\003com"
>> (gdb)
>> Continuing.
>>
>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858 "6pm.com",
>> b=b at entry=0x85d69b0 "6pm.com") at util.c:288
>> 288     in util.c
>> 3: b = 0x85d69b0 "6pm.com"
>> 2: a = 0x85c9858 "6pm.com"
>> (gdb)
>> Continuing.
>>
>> Breakpoint 2, hostname_isequal (a=0x85d69b0 "6pm.com", b=0x85d7240
>> "wiki.nginx.org") at util.c:288
>> 288     in util.c
>> 3: b = 0x85d7240 "wiki.nginx.org"
>> 2: a = 0x85d69b0 "6pm.com"
>> (gdb)
> 
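
Wang Jian's trace shows hostname_isequal() being called with a="6pm\003com" or "\003\066pm\003com" against b="6pm.com": the first argument is a pointer into the raw reply packet, where a name is stored as length-prefixed labels (0x03 '6' 'p' 'm' 0x03 'c' 'o' 'm' 0x00), not as dotted text, so the byte-for-byte comparison can never succeed. That matches Simon's diagnosis that the ipset matcher relied on the decoded name being in daemon->namebuff, which the DNSSEC build reuses as workspace. The C program below is an added illustration, not dnsmasq's code: it decodes a wire-format name (including compression pointers, with bounds and hop checks) and shows the raw comparison failing while the decoded one matches. The sample packet bytes are constructed, and the function names (wire_name_to_text, name_isequal, raw_wire_matches, decoded_matches) are mine, not dnsmasq's.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Decode the DNS wire-format name (length-prefixed labels, RFC 1035 s3.1)
 * at packet[off] into dotted text in out[outlen]. Compression pointers are
 * followed with a hop limit; the root name decodes to ".". Returns the bytes
 * the name occupies at off, or -1 if it is malformed, overruns plen, or
 * does not fit in out. */
int wire_name_to_text(const unsigned char *packet, size_t plen, size_t off,
                      char *out, size_t outlen)
{
    size_t pos = off, used = 0, consumed = 0;
    int jumped = 0, hops = 0;

    if (outlen < 2)
        return -1;
    for (;;) {
        if (pos >= plen)
            return -1;
        unsigned len = packet[pos];
        if ((len & 0xC0) == 0xC0) {             /* compression pointer */
            if (pos + 1 >= plen || ++hops > 16) /* hop limit stops pointer loops */
                return -1;
            if (!jumped)
                consumed = pos + 2 - off;       /* a pointer ends the name here */
            jumped = 1;
            pos = ((len & 0x3F) << 8) | packet[pos + 1];
            continue;
        }
        if (len & 0xC0)                         /* 01/10 prefixes are reserved */
            return -1;
        pos++;
        if (len == 0) {                         /* root label ends the name */
            if (!jumped)
                consumed = pos - off;
            break;
        }
        if (pos + len > plen || used + (used ? 1 : 0) + len + 1 > outlen)
            return -1;
        if (used)
            out[used++] = '.';
        memcpy(out + used, packet + pos, len);
        used += len;
        pos += len;
    }
    if (used == 0)
        out[used++] = '.';
    out[used] = '\0';
    return (int)consumed;
}

/* Case-insensitive comparison of two dotted text names, the job of
 * dnsmasq's hostname_isequal(). Returns 1 when they are equal. */
int name_isequal(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb)
            return 0;
        if (ca == '\0')
            return 1;
    }
}

/* Constructed sample: "6pm.com" in wire form at offset 0 (the bytes gdb
 * printed as "\003\066pm\003com"), then at offset 9 a compression pointer
 * back to offset 0, as a second occurrence of the name would be encoded. */
const unsigned char sample_pkt[] = {
    3, '6', 'p', 'm', 3, 'c', 'o', 'm', 0,      /* offsets 0..8 */
    0xC0, 0x00                                  /* offsets 9..10 */
};

/* The comparison the trace shows: raw packet bytes handed to the text
 * comparison. Returns 1 only if the undecoded bytes happen to match. */
int raw_wire_matches(const char *domain)
{
    return name_isequal((const char *)sample_pkt, domain);
}

/* The comparison done properly: decode the name at off first, trusting only
 * plen bytes of the packet (what was actually received). Returns 1 on match,
 * 0 on mismatch, -1 if the name cannot be decoded. */
int decoded_matches(size_t off, size_t plen, const char *domain)
{
    char text[256];
    if (wire_name_to_text(sample_pkt, plen, off, text, sizeof text) < 0)
        return -1;
    return name_isequal(text, domain);
}

int main(void)
{
    char text[256];
    int n = wire_name_to_text(sample_pkt, sizeof sample_pkt, 9, text, sizeof text);
    printf("offset 9: %d bytes on the wire, name %s\n", n, text);
    printf("raw bytes vs \"6pm.com\": %d\n", raw_wire_matches("6pm.com"));
    printf("decoded   vs \"6pm.com\": %d\n", decoded_matches(0, sizeof sample_pkt, "6pm.com"));
    return 0;
}
```

The defensive point is the one the bug makes: a matcher that decides firewall-set membership from a name must compare a properly decoded name, not whatever happens to sit in a shared buffer, and the decoder must bound every label, pointer and output write against the packet length so a malformed reply from upstream cannot walk it off the buffer.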



From dave.taht at gmail.com  Sun Apr 13 20:24:22 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Sun, 13 Apr 2014 13:24:22 -0700
Subject: [Dnsmasq-discuss] dnssec and local caching dns in fedora and
	network manager
Message-ID: <CAA93jw7T80v_6dS0YOknMrsa33_A=U3tTTN5BGciFHqVjXiJ3A@mail.gmail.com>

interesting long thread over at the fedora project this weekend:

https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html



---------- Forwarded message ----------
From: Chuck Anderson <cra at wpi.edu>
Date: Sun, Apr 13, 2014 at 10:59 AM
Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
To: cerowrt-devel at lists.bufferbloat.net


On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
>
> > Is there a "D"?
>
> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).

How do these proposals compare with unbound+dnssec-trigger in the
Fedora world?  I stirred up a rats nest:

https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html

I realize these are slightly different use cases, but it may be
helpful to learn from the different implementations, if for no other
reason than to be sure they interoperate.  I'm going to turn on
unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
turned on to see what happens...
_______________________________________________
Cerowrt-devel mailing list
Cerowrt-devel at lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cerowrt-devel


-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From darren.j.breeze.ml at gmail.com  Sun Apr 13 20:49:33 2014
From: darren.j.breeze.ml at gmail.com (Darren Breeze ML)
Date: Mon, 14 Apr 2014 04:49:33 +0800
Subject: [Dnsmasq-discuss] dns regex
In-Reply-To: <534AE228.8020804@thekelleys.org.uk>
References: <534875C8.2070909@gmail.com> <534AE228.8020804@thekelleys.org.uk>
Message-ID: <534AF85D.1020603@gmail.com>

Hi Simon

Can you point me in the direction of a patch please? Whilst I have seen 
one for a very old version, its appearance in the lists and on 
Google is patchy.

thanks

Darren B.




On 14/04/2014 3:14 AM, Simon Kelley wrote:
> On 12/04/14 00:07, Darren Breeze ML wrote:
>> Hi
>>
>> I am trying to map the various google sites around the world back to a
>> single google site (nosslsearch.google.com
>> <http://nosslsearch.google.com/> )
>>
>> is there a way currently with dnsmasq to map the various regional google
>> sites (www.google.com.ca, www.google.com.hk, google.com.sg etc.) back to
>> the nossl ip address without adding a record in dnsmasq for each one?
>>
>> I have seen that there is a regex patch floating around but is there
>> another way before I build a patched version?
> I can't think of one. Patching is probably the way to go.
>
>
> Cheers,
>
>
> Simon.
>
>> thanks
>>
>> Darren Breeze
>>
>>
>>



From simon at thekelleys.org.uk  Mon Apr 14 08:29:30 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 14 Apr 2014 09:29:30 +0100
Subject: [Dnsmasq-discuss] dns regex
In-Reply-To: <534AF85D.1020603@gmail.com>
References: <534875C8.2070909@gmail.com> <534AE228.8020804@thekelleys.org.uk>
 <534AF85D.1020603@gmail.com>
Message-ID: <534B9C6A.10702@thekelleys.org.uk>

On 13/04/14 21:49, Darren Breeze ML wrote:
> Hi Simon
> 
> Can you point me in the direction of a patch please? Whilst I have seen
> one for a very old version, its appearance in the lists and on
> Google is patchy.

The patch isn't maintained by me. Probably best to contact Jan directly.

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q3/005206.html


Cheers,


Simon.

> thanks
> 
> Darren B.
> 
> 
> 
> 
> On 14/04/2014 3:14 AM, Simon Kelley wrote:
>> On 12/04/14 00:07, Darren Breeze ML wrote:
>>> Hi
>>>
>>> I am trying to map the various google sites around the world back to a
>>> single google site (nosslsearch.google.com
>>> <http://nosslsearch.google.com/> )
>>>
>>> is there a way currently with dnsmasq to map the various regional google
>>> sites (www.google.com.ca, www.google.com.hk, google.com.sg etc.) back to
>>> the nossl ip address without adding a record in dnsmasq for each one?
>>>
>>> I have seen that there is a regex patch floating around but is there
>>> another way before I build a patched version?
>> I can't think of one. Patching is probably the way to go.
>>
>>
>> Cheers,
>>
>>
>> Simon.
>>
>>> thanks
>>>
>>> Darren Breeze
>>>
>>>
>>>



From simon at thekelleys.org.uk  Mon Apr 14 08:31:29 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 14 Apr 2014 09:31:29 +0100
Subject: [Dnsmasq-discuss] dnssec and local caching dns in fedora and
 network manager
In-Reply-To: <CAA93jw7T80v_6dS0YOknMrsa33_A=U3tTTN5BGciFHqVjXiJ3A@mail.gmail.com>
References: <CAA93jw7T80v_6dS0YOknMrsa33_A=U3tTTN5BGciFHqVjXiJ3A@mail.gmail.com>
Message-ID: <534B9CE1.1080802@thekelleys.org.uk>

On 13/04/14 21:24, Dave Taht wrote:
> interesting long thread over at the fedora project this weekend:
> 
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
> 

I'm quite a long way through it already. The main take-home seems to be
that captive portals are even more broken in the era of DNSSEC than
before. It's amazing that's even possible......


Maybe the IETF should create a sane spec for such things....



Simon.

> 
> 
> ---------- Forwarded message ----------
> From: Chuck Anderson <cra at wpi.edu>
> Date: Sun, Apr 13, 2014 at 10:59 AM
> Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
> To: cerowrt-devel at lists.bufferbloat.net
> 
> 
> On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
>>
>>> Is there a "D"?
>>
>> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
> 
> How do these proposals compare with unbound+dnssec-trigger in the
> Fedora world?  I stirred up a rats nest:
> 
> https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
> 
> I realize these are slightly different use cases, but it may be
> helpful to learn from the different implementations, if for no other
> reason than to be sure they interoperate.  I'm going to turn on
> unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> turned on to see what happens...
> 
> 



From larkwang at gmail.com  Mon Apr 14 09:31:58 2014
From: larkwang at gmail.com (Wang Jian)
Date: Mon, 14 Apr 2014 17:31:58 +0800
Subject: [Dnsmasq-discuss] ipset action doesn't work in 2.69
In-Reply-To: <534AEB2C.7070507@thekelleys.org.uk>
References: <CAF75rJArVQMzEwHWjFRynv86K=ezyB2sUaZ74MvXO+qCSz1a+w@mail.gmail.com>
 <CAF75rJC-P3h96hgvNu2SxkQTjXW01we3yDWPtgpjVdALTSF8yQ@mail.gmail.com>
 <534AEB2C.7070507@thekelleys.org.uk>
Message-ID: <CAF75rJDN+9MTSoyEjC1D0iE9i7vLdxdHA9hTFk2ND5uj-oNxwA@mail.gmail.com>

Seems good now. I will keep it running for a while and report back.

Regards

2014-04-14 3:53 GMT+08:00 Simon Kelley <simon at thekelleys.org.uk>:
> I think the problem is that the ipset code simply assumes that the query
> domain will be in daemon->namebuff, which isn't in general true, but
> happened to be by chance before. When DNSSEC is compiled in,
> daemon->namebuff gets used as workspace for DNSSEC and the invalid
> assumption of the ipset code is no longer true.
>
> I've pushed a possible (but untested) fix to the git repo. Does that
> help for you?
>
>
>
>
> Cheers,
>
> Simon.
>
>
>
> On 12/04/14 17:39, Wang Jian wrote:
>> Simply 'make' within git tree (checkout v2.69), I get a binary which works.
>>
>> # ./dnsmasq -v
>> Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
>> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
>> DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC
>>
>>
>> Running 'git-buildpackage --git-debian-tag=v2.69
>> --git-upstream-tag=v2.69' in git tree, I get a binary which doesn't
>> work
>>
>> # /usr/sbin/dnsmasq -v
>> Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
>> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
>> TFTP conntrack ipset auth DNSSEC
>>
>>
>> The 2.69 binary from sid repository doesn't work, either.
>>
>>
>> 2014-04-12 21:06 GMT+08:00 Wang Jian <larkwang at gmail.com>:
>>> Hi,
>>>
>>> I build 2.69 deb package from git tree to use the new ipset action
>>> log. To my surprise, ipset action stops working.
>>>
>>> I traced the process_reply() and found some strange behavior, but I am
>>> not familiar with util.c, so I can only provide what I found. (break
>>> at process_reply() then break at hostname_isequal(). )
>>>
>>> I use 'host 6pm.com' to trigger the break point.  In the output, you
>>> can see 6pm.com should be matched but actually not.
>>>
>>> ---- snip ----
>>>
>>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>>     added_pheader=0, check_subnet=0,
>>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>>> 545     forward.c: No such file or directory.
>>> (gdb) display ipset_pos->domain
>>> 1: ipset_pos->domain = 0x85d5040 "6pm.com"
>>> (gdb) break hostname_isequal
>>> Breakpoint 2 at 0x8059410: file util.c, line 288.
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9859 "6pm\003com",
>>> b=b at entry=0x85d5040 "6pm.com") at util.c:288
>>> 288     util.c: No such file or directory.
>>> (gdb) display a
>>> 2: a = 0x85c9859 "6pm\003com"
>>> (gdb) display b
>>> 3: b = 0x85d5040 "6pm.com"
>>> (gdb) c
>>> Continuing.
>>>
>>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>>     added_pheader=0, check_subnet=0,
>>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>>> 545     forward.c: No such file or directory.
>>> 1: ipset_pos->domain = 0x85d4e68 "zlib.net"
>>> (gdb)
>>> Continuing.
>>>
>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
>>> "\003\066pm\003com", b=b at entry=0x85d4e68 "zlib.net") at util.c:288
>>> 288     util.c: No such file or directory.
>>> 3: b = 0x85d4e68 "zlib.net"
>>> 2: a = 0x85c9858 "\003\066pm\003com"
>>> (gdb)
>>> Continuing.
>>>
>>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>>     added_pheader=0, check_subnet=0,
>>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>>> 545     forward.c: No such file or directory.
>>> 1: ipset_pos->domain = 0x85d47c8 "hulu.com"
>>> (gdb)
>>> Continuing.
>>>
>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
>>> "\003\066pm\003com", b=b at entry=0x85d47c8 "hulu.com") at util.c:288
>>> 288     util.c: No such file or directory.
>>> 3: b = 0x85d47c8 "hulu.com"
>>> 2: a = 0x85c9858 "\003\066pm\003com"
>>> (gdb)
>>> Continuing.
>>>
>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858 "6pm.com",
>>> b=b at entry=0x85d69b0 "6pm.com") at util.c:288
>>> 288     in util.c
>>> 3: b = 0x85d69b0 "6pm.com"
>>> 2: a = 0x85c9858 "6pm.com"
>>> (gdb)
>>> Continuing.
>>>
>>> Breakpoint 2, hostname_isequal (a=0x85d69b0 "6pm.com", b=0x85d7240
>>> "wiki.nginx.org") at util.c:288
>>> 288     in util.c
>>> 3: b = 0x85d7240 "wiki.nginx.org"
>>> 2: a = 0x85d69b0 "6pm.com"
>>> (gdb)
>>
>


From dcbw at redhat.com  Mon Apr 14 15:38:08 2014
From: dcbw at redhat.com (Dan Williams)
Date: Mon, 14 Apr 2014 10:38:08 -0500
Subject: [Dnsmasq-discuss] dnssec and local caching dns in fedora and
 network manager
In-Reply-To: <534B9CE1.1080802@thekelleys.org.uk>
References: <CAA93jw7T80v_6dS0YOknMrsa33_A=U3tTTN5BGciFHqVjXiJ3A@mail.gmail.com>
 <534B9CE1.1080802@thekelleys.org.uk>
Message-ID: <1397489888.1575.25.camel@dcbw.local>

On Mon, 2014-04-14 at 09:31 +0100, Simon Kelley wrote:
> On 13/04/14 21:24, Dave Taht wrote:
> > interesting long thread over at the fedora project this weekend:
> > 
> > https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
> > 
> 
> I'm quite a long way through it already. The main takehome seems to be
> that captive portals are even more broken in the era of DNSSEC than
> before. It's amazing that's even possible......

They are quite awful.  They were always awful.  But with 10+ years of
captive portal hackage, it's pretty much on the DNSSEC implementors to
either (a) change every captive portal to work, or (b) figure out how to
work around the problem.  A combination of the two is the right path,
but nobody is going to get all captive portals to follow a spec.

There is Hotspot 2.0 (and the older WISPR) that at least automates the
process so that you *know* you're connected to a captive portal and
sometimes you can automatically log in using the SIM card in your device
or other cached credentials.  Usually used by phones and providers to
automatically roam to WiFi networks your provider has affiliations with.

This is where the standardization work is going on for hotspot stuff.

Dan

> Maybe the IETF should create a sane spec for such things....
> 
> 
> 
> Simon.
> 
> > 
> > 
> > ---------- Forwarded message ----------
> > From: Chuck Anderson <cra at wpi.edu>
> > Date: Sun, Apr 13, 2014 at 10:59 AM
> > Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
> > To: cerowrt-devel at lists.bufferbloat.net
> > 
> > 
> > On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
> >>
> >>> Is there a "D"?
> >>
> >> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
> > 
> > How do these proposals compare with unbound+dnssec-trigger in the
> > Fedora world?  I stirred up a rat's nest:
> > 
> > https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
> > 
> > I realize these are slightly different use cases, but it may be
> > helpful to learn from the different implementations, if for no other
> > reason than to be sure they interoperate.  I'm going to turn on
> > unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
> > turned on to see what happens...
> > 
> > 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




From dave.taht at gmail.com  Mon Apr 14 15:47:33 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Mon, 14 Apr 2014 08:47:33 -0700
Subject: [Dnsmasq-discuss] dnssec and local caching dns in fedora and
 network manager
In-Reply-To: <1397489888.1575.25.camel@dcbw.local>
References: <CAA93jw7T80v_6dS0YOknMrsa33_A=U3tTTN5BGciFHqVjXiJ3A@mail.gmail.com>
 <534B9CE1.1080802@thekelleys.org.uk>
 <1397489888.1575.25.camel@dcbw.local>
Message-ID: <CAA93jw5sFuWzSLZd8dNnRoH8KEiyW5-jZNPvzq_CvgT1CxF6fQ@mail.gmail.com>

On Mon, Apr 14, 2014 at 8:38 AM, Dan Williams <dcbw at redhat.com> wrote:
> On Mon, 2014-04-14 at 09:31 +0100, Simon Kelley wrote:
>> On 13/04/14 21:24, Dave Taht wrote:
>> > interesting long thread over at the fedora project this weekend:
>> >
>> > https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
>> >
>>
>> I'm quite a long way through it already. The main takehome seems to be
>> that captive portals are even more broken in the era of DNSSEC than
>> before. It's amazing that's even possible......
>
> They are quite awful.  They were always awful.  But with 10+ years of
> captive portal hackage, it's pretty much on the DNSSEC implementors to
> either (a) change every captive portal to work, or (b) figure out how to
> work around the problem.  A combination of the two is the right path,
> but nobody is going to get all captive portals to follow a spec.

Or c) make the legal and social environment such that the perceived need
for captive portals goes away entirely.

https://www.openwireless.org/

> There is Hotspot 2.0 (and the older WISPR) that at least automates the
> process so that you *know* you're connected to a captive portal and
> sometimes you can automatically log in using the SIM card in your device
> or other cached credentials.  Usually used by phones and providers to
> automatically roam to WiFi networks your provider has affiliations with.
>
> This is where the standardization work is going on for hotspot stuff.
>
> Dan
>
>> Maybe the IETF should create a sane spec for such things....
>>
>>
>>
>> Simon.
>>
>> >
>> >
>> > ---------- Forwarded message ----------
>> > From: Chuck Anderson <cra at wpi.edu>
>> > Date: Sun, Apr 13, 2014 at 10:59 AM
>> > Subject: Re: [Cerowrt-devel] Full blown DNSSEC by default?
>> > To: cerowrt-devel at lists.bufferbloat.net
>> >
>> >
>> > On Sun, Apr 13, 2014 at 12:05:19PM +0200, Toke Høiland-Jørgensen wrote:
>> >>
>> >>> Is there a "D"?
>> >>
>> >> Running a full resolver in cerowrt? I've been running a dnssec-enabled bind for some time on my boxes (prior to dnssec support in dnsmasq).
>> >
>> > How do these proposals compare with unbound+dnssec-trigger in the
>> > Fedora world?  I stirred up a rat's nest:
>> >
>> > https://lists.fedoraproject.org/pipermail/devel/2014-April/197755.html
>> >
>> > I realize these are slightly different use cases, but it may be
>> > helpful to learn from the different implementations, if for no other
>> > reason than to be sure they interoperate.  I'm going to turn on
>> > unbound+dnssec-trigger on my laptop and try it behind Cerowrt w/DNSSEC
>> > turned on to see what happens...
>> >
>> >
>>
>>
>
>
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From stephane at 22decembre.eu  Mon Apr 14 16:17:30 2014
From: stephane at 22decembre.eu (Stéphane Guedon)
Date: Mon, 14 Apr 2014 18:17:30 +0200
Subject: [Dnsmasq-discuss] local dns setup
Message-ID: <2367231.H1tpaSJUx9@luciole>

Hello

I have written a huge tutorial/article on my blog, and dnsmasq is one 
of the main topics.

You may find it here :

http://www.22decembre.eu/2014/04/14/local-dns-setup-with-dnsmasq-nsd-and-unbound/

Feel free to use it, be inspired by it, or criticize it.

From lists at lonnie.abelbeck.com  Mon Apr 14 17:17:02 2014
From: lists at lonnie.abelbeck.com (Lonnie Abelbeck)
Date: Mon, 14 Apr 2014 12:17:02 -0500
Subject: [Dnsmasq-discuss] local dns setup
In-Reply-To: <2367231.H1tpaSJUx9@luciole>
References: <2367231.H1tpaSJUx9@luciole>
Message-ID: <DA464BA6-5CF2-4653-971D-C93381CF75CC@lonnie.abelbeck.com>


On Apr 14, 2014, at 11:17 AM, Stéphane Guedon wrote:

> Hello
> 
> I have written a huge tutorial/article on my blog, and dnsmasq is one 
> of the main topics.
> 
> You may find it here :
> 
> http://www.22decembre.eu/2014/04/14/local-dns-setup-with-dnsmasq-nsd-and-unbound/

While sharing "forest from the trees" DNS strategies, my current approach...


[ Untrusted ] --------------- [ Router/Firewall ] --------------- [ Trusted ]

(Validated DNS Cache[1]) -- (DNSCrypt[2] + dnsmasq) -- (DNS:53 clients)

[1] Resolver + dnscrypt-wrapper[3], OpenDNS, etc.

[2] http://dnscrypt.org/

[3] https://github.com/Cofyc/dnscrypt-wrapper

Thereby DNSSEC is only used (needed) in the cloud validation.

Lonnie

From sven.falempin at gmail.com  Tue Apr 15 20:45:42 2014
From: sven.falempin at gmail.com (sven falempin)
Date: Tue, 15 Apr 2014 16:45:42 -0400
Subject: [Dnsmasq-discuss] static classless routes
Message-ID: <CA++fYEjQS+E-e5tMdOHSBBmZW3n24rx_UiB7r9QB8a6PRnTEEQ@mail.gmail.com>

dhcp-option-force=121,192.169.1.0/24,192.169.1.254,192.169.20.0/24,192.169.1.254,192.169.1.254,10.0.0.254

this is not sending the three routes when I test (I look inside the
tcpdump packet after 00 00fe);
always one.

Is someone using this?
Is /32 mandatory?

-- 
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\
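RFC 3442, which defines option 121, encodes each route as one prefix-length byte, then only the significant octets of the destination (ceil(plen/8) of them, so a /24 carries three octets and a /32 all four), then the four-octet router. On the wire there is no "address without a prefix": a host route has to be a /32, and the decoder can only count routes by walking those variable-length entries. The encoder and decoder below are an added example written for this post, not dnsmasq's own option-building code; the route list is the three routes from the message above, the expected bytes are worked out from the RFC by hand, and the names encode_routes, decode_routes, static_route and the sample arrays are assumptions. Point the decoder at the option bytes from a tcpdump capture to see how many routes the server actually put in the option and whether any entry is truncated.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One classless static route as carried in DHCP option 121 (RFC 3442).
 * Hypothetical type written for this example. */
typedef struct {
    uint8_t plen;       /* prefix length, 0..32 */
    uint8_t dst[4];     /* destination network; host bits are cleared on encode */
    uint8_t router[4];  /* next-hop router */
} static_route;

/* RFC 3442 section 2: only ceil(plen / 8) destination octets are sent. */
static size_t sig_octets(unsigned plen) { return (plen + 7) / 8; }

/* Encode n routes into an option 121 payload.
 * Returns the payload length, or 0 if a prefix is invalid or out is too small. */
size_t encode_routes(const static_route *r, size_t n, uint8_t *out, size_t outlen)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t so = sig_octets(r[i].plen);
        if (r[i].plen > 32 || pos + 1 + so + 4 > outlen)
            return 0;
        out[pos++] = r[i].plen;
        for (size_t k = 0; k < so; k++) {
            /* clear host bits in the last significant octet so the
               encoding is canonical (a /20 keeps only the top nibble) */
            unsigned bits = r[i].plen - 8 * k;
            uint8_t mask = bits >= 8 ? 0xFF : (uint8_t)(0xFF << (8 - bits));
            out[pos++] = r[i].dst[k] & mask;
        }
        memcpy(out + pos, r[i].router, 4);
        pos += 4;
    }
    return pos;
}

/* Decode an option 121 payload into r (at most max entries).
 * Returns the number of routes, or -1 if an entry is truncated,
 * a prefix length exceeds 32, or more than max routes are present. */
int decode_routes(const uint8_t *in, size_t inlen, static_route *r, size_t max)
{
    size_t pos = 0;
    int n = 0;
    while (pos < inlen) {
        uint8_t plen = in[pos++];
        size_t so = sig_octets(plen);
        if (plen > 32 || (size_t)n >= max || pos + so + 4 > inlen)
            return -1;
        memset(r[n].dst, 0, sizeof r[n].dst);
        memcpy(r[n].dst, in + pos, so);
        pos += so;
        memcpy(r[n].router, in + pos, 4);
        pos += 4;
        r[n].plen = plen;
        n++;
    }
    return n;
}

/* Constructed sample: the three routes from the post above, with the
   bare 192.169.1.254 entry taken as the host route /32. */
static const static_route sample_routes[3] = {
    {24, {192, 169, 1, 0},    {192, 169, 1, 254}},
    {24, {192, 169, 20, 0},   {192, 169, 1, 254}},
    {32, {192, 169, 1, 254},  {10, 0, 0, 254}},
};

/* Expected wire bytes for sample_routes, derived by hand from RFC 3442:
   8 + 8 + 9 = 25 bytes. */
static const uint8_t sample_wire[25] = {
    24, 192, 169, 1,       192, 169, 1, 254,
    24, 192, 169, 20,      192, 169, 1, 254,
    32, 192, 169, 1, 254,  10, 0, 0, 254,
};

/* Encode sample_routes and compare with sample_wire; returns 1 on match. */
int sample_encodes_correctly(void)
{
    uint8_t buf[64];
    size_t n = encode_routes(sample_routes, 3, buf, sizeof buf);
    return n == sizeof sample_wire && memcmp(buf, sample_wire, n) == 0;
}

/* Decode a payload and return just the route count (or -1 if malformed). */
int count_routes(const uint8_t *in, size_t inlen)
{
    static_route tmp[16];
    return decode_routes(in, inlen, tmp, 16);
}

int main(void)
{
    static_route out[16];
    int n = decode_routes(sample_wire, sizeof sample_wire, out, 16);
    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u/%u via %u.%u.%u.%u\n",
               out[i].dst[0], out[i].dst[1], out[i].dst[2], out[i].dst[3],
               out[i].plen, out[i].router[0], out[i].router[1],
               out[i].router[2], out[i].router[3]);
    return n == 3 ? 0 : 1;
}
```

The decoder is the defensive half: a DHCP client that trusts option 121 accepts whatever routes the server pushes, so anyone auditing a capture wants the exact entry boundaries, and a payload whose last entry is cut short is reported as malformed rather than silently producing two routes out of three.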


From yosh at yosh.org  Tue Apr 15 21:39:27 2014
From: yosh at yosh.org (Manish Singh)
Date: Tue, 15 Apr 2014 14:39:27 -0700
Subject: [Dnsmasq-discuss] Segfault in DNSSEC code
Message-ID: <CAHoRzZ+L0sX_xyiajaXbKNGM8G05HA6Uf8y33KQ6=gVEx+ra6Q@mail.gmail.com>

I've run across a segfault in the DNSSEC code when resolving a domain, when
DNSSEC is built in but turned off:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f3d178fe700 (LWP 10762)]
0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
    pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
27        *cp = 0;
(gdb) bt
#0  0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
    pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
#1  0x0000000000455419 in hash_questions (header=0x1001272, plen=46,
name=0x0)
    at dnssec.c:2284
#2  0x0000000000421160 in tcp_request (confd=11, now=1397591659,
    local_addr=0x7fffdc9487b0, netmask=..., auth_dns=0) at forward.c:1745
#3  0x00000000004295e7 in check_dns_listeners (set=0x7fffdc948920,
    now=1397591659) at dnsmasq.c:1591
#4  0x0000000000427c88 in main (argc=10, argv=0x7fffdc948c38) at
dnsmasq.c:955

daemon->keyname is eventually passed into extract_name, but it is NULL
since the code that initializes it is guarded by an
option_bool(OPT_DNSSEC_VALID) check.

I don't really know enough about DNSSEC to ascertain why this code path got
triggered when it shouldn't be.

-Manish

From jorge at blackdot.be  Tue Apr 15 22:31:14 2014
From: jorge at blackdot.be (Jorge Schrauwen)
Date: Wed, 16 Apr 2014 00:31:14 +0200 (CEST)
Subject: [Dnsmasq-discuss] dnsmasq's AdvRouterAddr On equivalent
In-Reply-To: <1380852405.2561.1397601042615.JavaMail.zimbra@blackdot.be>
Message-ID: <308240854.2562.1397601074610.JavaMail.zimbra@blackdot.be>

Hey All, 

I had a bit of trouble getting ra to work on OpenBSD but manually compiling 2.69 seems to have done the trick. (Yay!) 
I was porting over my old radvd.conf from linux and I have this option set "AdvRouterAddr On". I cannot seem to find the equivalent in dnsmasq. 

I want my router's global address 2001:DEAD:BEEF:DDDD::1 to be advertised as the default route and not the link-local. 
This breaks some firewall bits that I sadly don't have control over. I could always go back to a dnsmasq+radvd setup but I want to retire the linux server that currently runs radvd. 

Some pointers appreciated! 

Regards 


Jorge 


Below is my current configuration (anonymized): 
##### dnsmasq configuration 
### listen on interface 
interface=vlan150 
interface=vlan200 
interface=vlan300 

### dns 
## hosts (import /etc/hosts) 
#no-hosts 
#addn-hosts=/etc/dnsmasq.d/hosts 
## custom resolvers 
resolv-file=/etc/dnsmasq.d/resolvers 
## domain configuration 
domain=example.org 
domain-needed 
expand-hosts 
bogus-priv 

### dhcp 
## options 
dhcp-authoritative 
dhcp-option=option:netbios-nodetype,8 
dhcp-option=option6:dns-server,[::] 
dhcp-option-force=option:ntp-server,172.16.db.1 
dhcp-option-force=option6:ntp-server,[2001:DEAD:BEEF:AAAA::1] 

## static leases 
dhcp-hostsfile=/etc/dnsmasq.d/reservations 

## ipv4 
dhcp-range=vlan150,172.16.db.100,172.16.db.225,24h 
dhcp-range=vlan200,172.16.db.220,172.16.db.225,48h 
dhcp-range=vlan300,172.16.db.200,172.16.db.225,48h 

## ipv6 
enable-ra 
dhcp-range=vlan150,2001:DEAD:BEEF:DDDD::,ra-stateless,ra-names,64,24h 
dhcp-range=vlan200,2001:DEAD:BEEF:EEEE::,ra-stateless,ra-names,64,48h 
dhcp-range=vlan300,2001:DEAD:BEEF:AAAA::,ra-stateless,ra-names,64,48h 

### logging 
## specify syslog facility (- to disable) 
log-facility=- 
## verbose logging 
#log-dhcp 
#log-queries 


From codronm+circlecode at gmail.com  Wed Apr 16 18:35:17 2014
From: codronm+circlecode at gmail.com (CircleCode)
Date: Wed, 16 Apr 2014 20:35:17 +0200
Subject: [Dnsmasq-discuss] search domains list
Message-ID: <CAPQ+Y2DBNDxAWCcLs9XKrNYp2Tc33vx=uMOfnZf70zw08hcBeg@mail.gmail.com>

Hi,

I'm using dnsmasq only for DNS (no DHCP), and I'd like to emulate
resolv.conf's search parameter, but right in dnsmasq.

For example, when I do `nslookup foo`, I'd like dnsmasq to try `foo`, then
`foo.bar`, and then `foo.baz`, but without needing to write `search bar
baz` in the resolv.conf file. Is it possible, and how?

Thanks.

From simon at thekelleys.org.uk  Wed Apr 16 21:24:06 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 16 Apr 2014 22:24:06 +0100
Subject: [Dnsmasq-discuss] Segfault in DNSSEC code
In-Reply-To: <CAHoRzZ+L0sX_xyiajaXbKNGM8G05HA6Uf8y33KQ6=gVEx+ra6Q@mail.gmail.com>
References: <CAHoRzZ+L0sX_xyiajaXbKNGM8G05HA6Uf8y33KQ6=gVEx+ra6Q@mail.gmail.com>
Message-ID: <534EF4F6.2020501@thekelleys.org.uk>

On 15/04/14 22:39, Manish Singh wrote:
> I've run across a segfault in the DNSSEC code when resolving a domain, when
> DNSSEC is built in but turned off:
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7f3d178fe700 (LWP 10762)]
> 0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
>     pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
> 27        *cp = 0;
> (gdb) bt
> #0  0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
>     pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
> #1  0x0000000000455419 in hash_questions (header=0x1001272, plen=46,
> name=0x0)
>     at dnssec.c:2284
> #2  0x0000000000421160 in tcp_request (confd=11, now=1397591659,
>     local_addr=0x7fffdc9487b0, netmask=..., auth_dns=0) at forward.c:1745
> #3  0x00000000004295e7 in check_dns_listeners (set=0x7fffdc948920,
>     now=1397591659) at dnsmasq.c:1591
> #4  0x0000000000427c88 in main (argc=10, argv=0x7fffdc948c38) at
> dnsmasq.c:955
> 
> daemon->keyname is eventually passed into extract_name, but it is NULL
> since the code that initializes it is guarded by an
> option_bool(OPT_DNSSEC_VALID) check.
> 
> I don't really know enough about DNSSEC to ascertain why this code path got
> triggered when it shouldn't be.

It's a copy-n-paste error, I think. In any case
s/daemon->keyname/daemon->namebuff/
fixes it. I've just committed the fix to git.

Thanks for that, it's a nasty bug, probably worthy of an early release to
fix it.


Cheers,


Simon.


> 
> -Manish
> 
> 
> 
> 
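The two bugs in these threads share a root: the ipset match handed hostname_isequal() a raw wire-format name ("6pm\003com") instead of the dotted query name, and hash_questions() handed extract_name() a NULL name buffer because daemon->keyname is only allocated when OPT_DNSSEC_VALID is set. Both come down to which buffer holds the decoded question name and whether the callee checks what it was given. The decoder and comparator below are an added example written for this note, not dnsmasq's extract_name() or hostname_isequal(); decode_name, names_equal, match_domain and the packet bytes are constructed for illustration. The decoder refuses a NULL destination instead of writing through it, checks every read against the packet length, requires compression pointers to point backwards and caps how many it will follow, and the comparison shows why the wire form can never match the dotted form until it has been decoded.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXDNAME 255   /* RFC 1035 limit on a presentation-form name */

/* Hypothetical stand-in for an extract_name()-style routine: decode the
 * wire-format name at pkt[off] into dotted form in name[]. Returns the
 * offset just past the name (past the first pointer if one was followed),
 * or -1 on malformed input or a NULL destination. */
int decode_name(const uint8_t *pkt, size_t plen, size_t off,
                char *name, size_t namelen)
{
    size_t out = 0, ret = 0;
    int jumped = 0, hops = 0;

    if (name == NULL || namelen == 0)
        return -1;                  /* the NULL-keyname case: refuse, don't crash */
    name[0] = '\0';

    for (;;) {
        if (off >= plen)
            return -1;              /* name runs off the end of the packet */
        uint8_t len = pkt[off];
        if ((len & 0xC0) == 0xC0) {                   /* compression pointer */
            if (off + 1 >= plen || ++hops > 16)
                return -1;
            size_t ptr = ((size_t)(len & 0x3F) << 8) | pkt[off + 1];
            if (!jumped) {
                ret = off + 2;      /* caller resumes after the pointer */
                jumped = 1;
            }
            if (ptr >= off)
                return -1;          /* forward or self pointer: loop risk */
            off = ptr;
            continue;
        }
        if (len & 0xC0)
            return -1;              /* 0x40/0x80 label types: unsupported */
        off++;
        if (len == 0)
            break;                  /* root label terminates the name */
        if (off + len > plen || out + len + 2 > namelen)
            return -1;
        if (out > 0)
            name[out++] = '.';
        memcpy(name + out, pkt + off, len);
        out += len;
        off += len;
    }
    name[out] = '\0';
    return (int)(jumped ? ret : off);
}

/* Case-insensitive equality of two presentation-format names. Both must
 * already be dotted: a raw wire buffer like "6pm\003com" never matches
 * "6pm.com", which is exactly what the hostname_isequal() trace showed. */
int names_equal(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb)
            return 0;
        if (ca == '\0')
            return 1;
    }
}

/* Constructed reply for "6pm.com A": 12-byte header, the question, then
 * the answer's owner name as a pointer back to offset 12 (rest omitted). */
static const uint8_t sample_pkt[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,        /* header */
    3, '6', 'p', 'm', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1,     /* question */
    0xC0, 0x0C,                                             /* answer name */
};

/* Constructed pointer that points at itself: must be rejected. */
static const uint8_t loop_pkt[] = { 0xC0, 0x00 };

/* Decode the name at off and match it against an ipset-style domain.
 * Returns 1 on match, 0 on mismatch, -1 if the name cannot be decoded. */
int match_domain(const uint8_t *pkt, size_t plen, size_t off, const char *domain)
{
    char name[MAXDNAME + 1];
    if (decode_name(pkt, plen, off, name, sizeof name) < 0)
        return -1;
    return names_equal(name, domain);
}

int main(void)
{
    char name[MAXDNAME + 1];
    int next = decode_name(sample_pkt, sizeof sample_pkt, 25, name, sizeof name);
    printf("decoded \"%s\", next offset %d, matches 6pm.com: %d\n", name, next,
           match_domain(sample_pkt, sizeof sample_pkt, 12, "6PM.com"));
    return 0;
}
```

The pointer rule (a pointer may only go backwards, and at most 16 are followed) is what stops a crafted packet from spinning the decoder, and the length check before every memcpy is what keeps a short or truncated reply from reading past plen; neither costs anything on well-formed traffic.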



From bcook at poughkeepsieschools.org  Wed Apr 16 21:36:14 2014
From: bcook at poughkeepsieschools.org (B. Cook)
Date: Wed, 16 Apr 2014 17:36:14 -0400
Subject: [Dnsmasq-discuss] #known, set:, tag:, and dhcp-helper..
Message-ID: <CAOyb_Ew5JjLyHmnJdLwG+uNWyaMhuWsdW0iGoPxpHXJxpD1twg@mail.gmail.com>

Trying to do this in dnsmasq without having to build scripts to sed/awk..

I have a default global.conf which looks like this:

conf-file=/etc/dnsmasq.d/allow.dhcp
dhcp-ignore=#known

conf-file=/etc/dnsmasq.d/dnsmasq.bldg1.dhcp  # 10.20.0/20
conf-file=/etc/dnsmasq.d/dnsmasq.bldg2.dhcp  # 10.20.16/20
conf-file=/etc/dnsmasq.d/dnsmasq.bldg3.dhcp  # 10.20.32/20

at the top of each bldg[1,2,3].dhcp I have this:

domain=bldg1.lan,10.20.0.0/20
dhcp-range=bldg1,10.20.12.1,10.20.14.254,255.255.240.0,4h
dhcp-option=bldg1,option:router,10.20.0.1
dhcp-option=bldg1,option:domain-name,bldg1.lan
..
dhcp-host=00:11:22:33:44:55:66,10.20.11.295,name-ipad
..
conf-file=/etc/dnsmasq.d/allow.dhcp

..

So what I have is a setup that for each building there are ranges of
allowed (10.20.12-10.20.14 in this case) for the allow.dhcp hosts to
end up in.

Question 1) if I do not have the allow.dhcp as the first line of the
global.conf AND the last line of the bldg.dhcp this does not work..

I am looking to have a set of devices (with known MAC addresses) be
in a group (administration).. but I want this group to be a part of
each building.  I want these devices to pull from a different
pool/range of addresses.

so in building1 the ip range I would like them to use is
10.20.11.1-11.254. (I think this is tag or set; either of which I can
not get to work correctly)

so in building2 this same set of MAC addresses would be
10.20.27.1-27.254. Same tag/set (administration).

Currently I have 50 or so of these devices in each building config,
when someone gets one or two more devices.. I'm editing twelve config
files :P - oops made a typo.. go fix it.

I'm looking for something like another include file:

administration.dhcp
dhcp-host=set:administration,11:22:33:44:55:66,username-device

then in each building config
dhcp-range=tag:administration,10.20.11.1,10.20.11.254,2h

Which would assign a user an IP from the tagged administration range
(when they are in that building) and a different range when they are
in another building.

I am not able to figure out where the problem lies (in my syntax or
logic) but the end result is that this pseudo-code when made into
actual configs does not work as intended.

Currently running this on a CentOS 6.5 machine, dnsmasq 2.68 self
built/compiled rpm.

Thank you for taking the time to read and possibly respond to this request.


From larkwang at gmail.com  Thu Apr 17 04:11:33 2014
From: larkwang at gmail.com (Wang Jian)
Date: Thu, 17 Apr 2014 12:11:33 +0800
Subject: [Dnsmasq-discuss] ipset action doesn't work in 2.69
In-Reply-To: <CAF75rJDN+9MTSoyEjC1D0iE9i7vLdxdHA9hTFk2ND5uj-oNxwA@mail.gmail.com>
References: <CAF75rJArVQMzEwHWjFRynv86K=ezyB2sUaZ74MvXO+qCSz1a+w@mail.gmail.com>
 <CAF75rJC-P3h96hgvNu2SxkQTjXW01we3yDWPtgpjVdALTSF8yQ@mail.gmail.com>
 <534AEB2C.7070507@thekelleys.org.uk>
 <CAF75rJDN+9MTSoyEjC1D0iE9i7vLdxdHA9hTFk2ND5uj-oNxwA@mail.gmail.com>
Message-ID: <CAF75rJBJCviGWXFYFE_P8V5n310GmG-6wC31cxTyQPpzsXQrag@mail.gmail.com>

In my home network and company network (150 people), it works fine.

2014-04-14 17:31 GMT+08:00 Wang Jian <larkwang at gmail.com>:
> Seems good now. I will keep it running for a while and report back.
>
> Regards
>
> 2014-04-14 3:53 GMT+08:00 Simon Kelley <simon at thekelleys.org.uk>:
>> I think the problem is that the ipset code simply assumes that the query
>> domain will be in daemon->namebuff, which isn't in general true, but
>> happened to be by chance before. When DNSSEC is compiled in,
>> daemon->namebuf gets used as workspace for DNSSEC and the invalid
>> assumption of the ipset code is no longer true.
>>
>> I've pushed a possible (but untested) fix to the git repo. Does that
>> help for you?
>>
>>
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>>
>> On 12/04/14 17:39, Wang Jian wrote:
>>> Simply 'make' within git tree (checkout v2.69), I get a binary which works.
>>>
>>> # ./dnsmasq -v
>>> Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
>>> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
>>> DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC
>>>
>>>
>>> Running 'git-buildpackage --git-debian-tag=v2.69
>>> --git-upstream-tag=v2.69' in git tree, I get a binary which doesn't
>>> work
>>>
>>> # /usr/sbin/dnsmasq -v
>>> Dnsmasq version 2.69-1-g97dce08  Copyright (c) 2000-2014 Simon Kelley
>>> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
>>> TFTP conntrack ipset auth DNSSEC
>>>
>>>
>>> The 2.69 binary from sid repository doesn't work, either.
>>>
>>>
>>> 2014-04-12 21:06 GMT+08:00 Wang Jian <larkwang at gmail.com>:
>>>> Hi,
>>>>
>>>> I build 2.69 deb package from git tree to use the new ipset action
>>>> log. To my surprise, ipset action stops working.
>>>>
>>>> I traced the process_reply() and found some strange behavior, but I am
>>>> not familiar with util.c, so I can only provide what I found. (break
>>>> at process_reply() then break at hostname_isequal(). )
>>>>
>>>> I use 'host 6pm.com' to trigger the break point.  In the output, you
>>>> can see 6pm.com should be matched but actually not.
>>>>
>>>> ---- snip ----
>>>>
>>>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>>>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>>>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>>>     added_pheader=0, check_subnet=0,
>>>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>>>> 545     forward.c: No such file or directory.
>>>> (gdb) display ipset_pos->domain
>>>> 1: ipset_pos->domain = 0x85d5040 "6pm.com"
>>>> (gdb) break hostname_isequal
>>>> Breakpoint 2 at 0x8059410: file util.c, line 288.
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9859 "6pm\003com",
>>>> b=b at entry=0x85d5040 "6pm.com") at util.c:288
>>>> 288     util.c: No such file or directory.
>>>> (gdb) display a
>>>> 2: a = 0x85c9859 "6pm\003com"
>>>> (gdb) display b
>>>> 3: b = 0x85d5040 "6pm.com"
>>>> (gdb) c
>>>> Continuing.
>>>>
>>>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>>>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>>>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>>>     added_pheader=0, check_subnet=0,
>>>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>>>> 545     forward.c: No such file or directory.
>>>> 1: ipset_pos->domain = 0x85d4e68 "zlib.net"
>>>> (gdb)
>>>> Continuing.
>>>>
>>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
>>>> "\003\066pm\003com", b=b at entry=0x85d4e68 "zlib.net") at util.c:288
>>>> 288     util.c: No such file or directory.
>>>> 3: b = 0x85d4e68 "zlib.net"
>>>> 2: a = 0x85c9858 "\003\066pm\003com"
>>>> (gdb)
>>>> Continuing.
>>>>
>>>> Breakpoint 1, process_reply (header=header at entry=0x85cb278,
>>>> now=now at entry=1397305916, server=server at entry=0x85d70a8,
>>>>     n=n at entry=267, check_rebind=check_rebind at entry=0,
>>>> no_cache=no_cache at entry=0, cache_secure=0, ad_reqd=0, do_bit=0,
>>>>     added_pheader=0, check_subnet=0,
>>>> query_source=query_source at entry=0x85d2e68) at forward.c:545
>>>> 545     forward.c: No such file or directory.
>>>> 1: ipset_pos->domain = 0x85d47c8 "hulu.com"
>>>> (gdb)
>>>> Continuing.
>>>>
>>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858
>>>> "\003\066pm\003com", b=b at entry=0x85d47c8 "hulu.com") at util.c:288
>>>> 288     util.c: No such file or directory.
>>>> 3: b = 0x85d47c8 "hulu.com"
>>>> 2: a = 0x85c9858 "\003\066pm\003com"
>>>> (gdb)
>>>> Continuing.
>>>>
>>>> Breakpoint 2, hostname_isequal (a=a at entry=0x85c9858 "6pm.com",
>>>> b=b at entry=0x85d69b0 "6pm.com") at util.c:288
>>>> 288     in util.c
>>>> 3: b = 0x85d69b0 "6pm.com"
>>>> 2: a = 0x85c9858 "6pm.com"
>>>> (gdb)
>>>> Continuing.
>>>>
>>>> Breakpoint 2, hostname_isequal (a=0x85d69b0 "6pm.com", b=0x85d7240
>>>> "wiki.nginx.org") at util.c:288
>>>> 288     in util.c
>>>> 3: b = 0x85d7240 "wiki.nginx.org"
>>>> 2: a = 0x85d69b0 "6pm.com"
>>>> (gdb)
>>>
>>


From larkwang at gmail.com  Thu Apr 17 04:13:43 2014
From: larkwang at gmail.com (Wang Jian)
Date: Thu, 17 Apr 2014 12:13:43 +0800
Subject: [Dnsmasq-discuss] Segfault in DNSSEC code
In-Reply-To: <534EF4F6.2020501@thekelleys.org.uk>
References: <CAHoRzZ+L0sX_xyiajaXbKNGM8G05HA6Uf8y33KQ6=gVEx+ra6Q@mail.gmail.com>
 <534EF4F6.2020501@thekelleys.org.uk>
Message-ID: <CAF75rJB1BEYSTwYJrDQrGRk=5YMbHUa089kYBeebHqBGkzW-4w@mail.gmail.com>

Will this conflict with the ipset fix (which is related to DNSSEC) from a few days ago?

2014-04-17 5:24 GMT+08:00 Simon Kelley <simon at thekelleys.org.uk>:
> On 15/04/14 22:39, Manish Singh wrote:
>> I've run across a segfault in the DNSSEC code when resolving a domain, when
>> DNSSEC is built in but turned off:
>>
>> Program received signal SIGSEGV, Segmentation fault.
>> [Switching to Thread 0x7f3d178fe700 (LWP 10762)]
>> 0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
>>     pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
>> 27        *cp = 0;
>> (gdb) bt
>> #0  0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
>>     pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
>> #1  0x0000000000455419 in hash_questions (header=0x1001272, plen=46,
>> name=0x0)
>>     at dnssec.c:2284
>> #2  0x0000000000421160 in tcp_request (confd=11, now=1397591659,
>>     local_addr=0x7fffdc9487b0, netmask=..., auth_dns=0) at forward.c:1745
>> #3  0x00000000004295e7 in check_dns_listeners (set=0x7fffdc948920,
>>     now=1397591659) at dnsmasq.c:1591
>> #4  0x0000000000427c88 in main (argc=10, argv=0x7fffdc948c38) at
>> dnsmasq.c:955
>>
>> daemon->keyname is eventually passed into extract_name, but it is NULL
>> since the code that initializes it is guarded by an
>> option_bool(OPT_DNSSEC_VALID) check.
>>
>> I don't really know enough about DNSSEC to ascertain why this code path got
>> triggered when it shouldn't be.
>
> It's a copy-n-paste error, I think. In any case
> s/daemon->keyname/daemon->namebuff/
> fixes it. I've just committed the fix to git.
>
> Thanks for that, it's a nasty bug, probably worthy of an early release to
> fix it.
>
>
> Cheers,
>
>
> Simon.
>
>
>>
>> -Manish
>>
>>
>>
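The bug Manish describes above, a buffer that is only allocated behind option_bool(OPT_DNSSEC_VALID) yet used on a code path that is reached when DNSSEC is compiled in but switched off, modelled in C as an added example (not dnsmasq's code). The `before`/`after` call sites show the one-word fix Simon committed, and the stand-in extract_name refuses a NULL buffer instead of writing through it; the identifiers follow the backtrace, while the bodies, the packet and the hash are constructed for this example.

```c
/* Added example, not dnsmasq source: a minimal model of the crash in the
 * backtrace above. keyname is allocated only when DNSSEC validation is on,
 * namebuff always is, so a routine reached with DNSSEC compiled in but
 * switched off must use namebuff. Identifiers follow the trace; the bodies
 * and the sample query are constructed for this example. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAXDNAME 1025

struct daemon {
    int dnssec_valid;   /* stands in for option_bool(OPT_DNSSEC_VALID) */
    char *namebuff;     /* always allocated at startup */
    char *keyname;      /* allocated only when dnssec_valid is set */
};

static struct daemon *daemon_init(int dnssec_valid)
{
    struct daemon *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->dnssec_valid = dnssec_valid;
    d->namebuff = calloc(MAXDNAME, 1);
    if (dnssec_valid)                    /* the guard the report describes */
        d->keyname = calloc(MAXDNAME, 1);
    return d;
}

/* Stand-in for extract_name(): copy the wire-format name at *pp into `name`
 * as dotted text and advance *pp. Returns 1 on success, 0 on a malformed
 * name or a NULL buffer; the original did "*cp = 0" through NULL here, the
 * check turns that SIGSEGV into a refused packet. No compression pointers. */
static int extract_name(const unsigned char *pkt, size_t plen, size_t *pp, char *name)
{
    if (!name) return 0;
    size_t p = *pp;
    char *cp = name;
    while (p < plen) {
        size_t len = pkt[p++];
        if (len == 0) { *cp = '\0'; *pp = p; return 1; }
        if (len > 63 || p + len > plen || (size_t)(cp - name) + len + 2 > MAXDNAME)
            return 0;
        if (cp != name) *cp++ = '.';
        memcpy(cp, pkt + p, len);
        cp += len;
        p += len;
    }
    return 0;   /* ran off the packet before the root label */
}

/* Stand-in for hash_questions(): FNV-1a over each question's name, type and
 * class, using `name` as scratch. Returns 0 on malformed input or no buffer. */
static uint32_t hash_questions(const unsigned char *pkt, size_t plen, char *name)
{
    if (plen < 12) return 0;
    unsigned qdcount = ((unsigned)pkt[4] << 8) | pkt[5];
    size_t p = 12;
    uint32_t h = 2166136261u;
    while (qdcount--) {
        if (!extract_name(pkt, plen, &p, name) || p + 4 > plen) return 0;
        for (const char *c = name; *c; c++) { h ^= (unsigned char)*c; h *= 16777619u; }
        for (int i = 0; i < 4; i++) { h ^= pkt[p + i]; h *= 16777619u; }
        p += 4;
    }
    return h;
}

/* The call site from the trace before and after s/daemon->keyname/daemon->namebuff/. */
static uint32_t tcp_request_before(struct daemon *d, const unsigned char *pkt, size_t plen)
{ return hash_questions(pkt, plen, d->keyname); }    /* NULL when DNSSEC is off */

static uint32_t tcp_request_after(struct daemon *d, const unsigned char *pkt, size_t plen)
{ return hash_questions(pkt, plen, d->namebuff); }   /* always a valid buffer */

/* Constructed query: 12-byte header with QDCOUNT=1, then "example.com" A IN. */
static const unsigned char SAMPLE_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* One scenario: DNSSEC validation on/off, call site before/after the fix. */
static uint32_t run_scenario(int dnssec_valid, int fixed)
{
    struct daemon *d = daemon_init(dnssec_valid);
    if (!d) return 0;
    uint32_t h = fixed ? tcp_request_after(d, SAMPLE_QUERY, sizeof SAMPLE_QUERY)
                       : tcp_request_before(d, SAMPLE_QUERY, sizeof SAMPLE_QUERY);
    free(d->namebuff); free(d->keyname); free(d);
    return h;
}

/* Reference hash from a stack buffer; 0 if the name did not decode as encoded. */
static uint32_t reference_hash(void)
{
    char scratch[MAXDNAME];
    uint32_t h = hash_questions(SAMPLE_QUERY, sizeof SAMPLE_QUERY, scratch);
    return strcmp(scratch, "example.com") == 0 ? h : 0;
}
```

With DNSSEC off, the pre-fix call site now returns 0 (packet refused) where the real daemon dereferenced NULL; the fixed call site and both DNSSEC-on variants agree with the reference hash.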


From simon at thekelleys.org.uk  Thu Apr 17 13:20:20 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 17 Apr 2014 14:20:20 +0100
Subject: [Dnsmasq-discuss] dnsmasq's AdvRouterAddr On equivalent
In-Reply-To: <308240854.2562.1397601074610.JavaMail.zimbra@blackdot.be>
References: <308240854.2562.1397601074610.JavaMail.zimbra@blackdot.be>
Message-ID: <534FD514.8050003@thekelleys.org.uk>

On 15/04/14 23:31, Jorge Schrauwen wrote:
> Hey All, 
> 
> I had a bit of trouble getting ra to work on OpenBSD but manually compiling 2.69 seems to have done the trick. (Yay!) 
> I was porting over my old radvd.conf from linux and I have this option set "AdvRouterAddr On". I cannot seem to find the equivalent in dnsmasq.
> 
> I want my router's global address 2001:DEAD:BEEF:DDDD::1 to be advertised as the default route and not the link-local.
> This breaks some firewall bits that I sadly don't have control over. I could always go back to a dnsmasq+radvd setup but I want to retire the linux server that currently runs radvd. 
> 
> Some pointers appreciated! 

This isn't currently supported by dnsmasq, sorry.

It would be worth considering supporting rfc3775 sections 7.2 and 7.3.
Would that be sensible stand-alone, or is other stuff needed too?


Cheers,

Simon.


> 
> Regards 
> 
> 
> Jorge 
> 
> 
> Below is my current configuration (anonymized):
> ##### dnsmasq configuration 
> ### listen on interface 
> interface=vlan150 
> interface=vlan200 
> interface=vlan300 
> 
> ### dns 
> ## hosts (import /etc/hosts) 
> #no-hosts 
> #addn-hosts=/etc/dnsmasq.d/hosts 
> ## custom resolvers 
> resolv-file=/etc/dnsmasq.d/resolvers 
> ## domain configuration 
> domain=example.org 
> domain-needed 
> expand-hosts 
> bogus-priv 
> 
> ### dhcp 
> ## options 
> dhcp-authoritative 
> dhcp-option=option:netbios-nodetype,8 
> dhcp-option=option6:dns-server,[::] 
> dhcp-option-force=option:ntp-server,172.16.db.1 
> dhcp-option-force=option6:ntp-server,[2001:DEAD:BEEF:AAAA::1] 
> 
> ## static leases 
> dhcp-hostsfile=/etc/dnsmasq.d/reservations 
> 
> ## ipv4 
> dhcp-range=vlan150,172.16.db.100,172.16.db.225,24h 
> dhcp-range=vlan200,172.16.db.220,172.16.db.225,48h 
> dhcp-range=vlan300,172.16.db.200,172.16.db.225,48h 
> 
> ## ipv6 
> enable-ra 
> dhcp-range=vlan150,2001:DEAD:BEEF:DDDD::,ra-stateless,ra-names,64,24h 
> dhcp-range=vlan200,2001:DEAD:BEEF:EEEE::,ra-stateless,ra-names,64,48h 
> dhcp-range=vlan300,2001:DEAD:BEEF:AAAA::,ra-stateless,ra-names,64,48h 
> 
> ### logging 
> ## specify syslog facility (- to disable) 
> log-facility=- 
> ## verbose logging 
> #log-dhcp 
> #log-queries 
> 



From simon at thekelleys.org.uk  Thu Apr 17 20:10:21 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 17 Apr 2014 21:10:21 +0100
Subject: [Dnsmasq-discuss] Segfault in DNSSEC code
In-Reply-To: <CAF75rJB1BEYSTwYJrDQrGRk=5YMbHUa089kYBeebHqBGkzW-4w@mail.gmail.com>
References: <CAHoRzZ+L0sX_xyiajaXbKNGM8G05HA6Uf8y33KQ6=gVEx+ra6Q@mail.gmail.com>	<534EF4F6.2020501@thekelleys.org.uk>
 <CAF75rJB1BEYSTwYJrDQrGRk=5YMbHUa089kYBeebHqBGkzW-4w@mail.gmail.com>
Message-ID: <5350352D.6010208@thekelleys.org.uk>

On 17/04/14 05:13, Wang Jian wrote:
> Will this conflict with ipset fix (which related to DNSSEC) days ago?

No, both should be applied.

Cheers,


Simon.

> 
> 2014-04-17 5:24 GMT+08:00 Simon Kelley <simon at thekelleys.org.uk>:
>> On 15/04/14 22:39, Manish Singh wrote:
>>> I've run across a segfault in the DNSSEC code when resolving a domain, when
>>> DNSSEC builtin but turned off:
>>>
>>> Program received signal SIGSEGV, Segmentation fault.
>>> [Switching to Thread 0x7f3d178fe700 (LWP 10762)]
>>> 0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
>>>     pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
>>> 27        *cp = 0;
>>> (gdb) bt
>>> #0  0x0000000000407e26 in extract_name (header=0x1001272, plen=46,
>>>     pp=0x7fffdc948590, name=0x0, isExtract=1, extrabytes=4) at rfc1035.c:27
>>> #1  0x0000000000455419 in hash_questions (header=0x1001272, plen=46,
>>> name=0x0)
>>>     at dnssec.c:2284
>>> #2  0x0000000000421160 in tcp_request (confd=11, now=1397591659,
>>>     local_addr=0x7fffdc9487b0, netmask=..., auth_dns=0) at forward.c:1745
>>> #3  0x00000000004295e7 in check_dns_listeners (set=0x7fffdc948920,
>>>     now=1397591659) at dnsmasq.c:1591
>>> #4  0x0000000000427c88 in main (argc=10, argv=0x7fffdc948c38) at
>>> dnsmasq.c:955
>>>
>>> daemon->keyname is eventually passed into extract_name, but it is NULL
>>> since the code that initializes is guarded by an
>>> option_bool(OPT_DNSSEC_VALID) check.
>>>
>>> I don't really know enough about DNSSEC to ascertain why this code path got
>>> triggered when it shouldn't be.
>>
>> It's a copy-n-paste error, I think. In any case
>> s/daemon->keyname/daemon->namebuff/
>> fixes it. I've just committed the fix to git.
>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=63758384456baa698385888fe2d04cb899787259
>>
>> Thanks for that, it's a nasty bug, probably worthy of an early release to
>> fix it.
>>
>>
>> Cheers,
>>
>>
>> Simon.
>>
>>
>>>
>>> -Manish



From brian.haley at hp.com  Thu Apr 17 20:12:27 2014
From: brian.haley at hp.com (Brian Haley)
Date: Thu, 17 Apr 2014 16:12:27 -0400
Subject: [Dnsmasq-discuss] dnsmasq's AdvRouterAddr On equivalent
In-Reply-To: <534FD514.8050003@thekelleys.org.uk>
References: <308240854.2562.1397601074610.JavaMail.zimbra@blackdot.be>
 <534FD514.8050003@thekelleys.org.uk>
Message-ID: <535035AB.4060106@hp.com>

On 04/17/2014 09:20 AM, Simon Kelley wrote:
> On 15/04/14 23:31, Jorge Schrauwen wrote:
>> Hey All, 
>>
>> I had a bit of trouble getting ra to work on OpenBSD but manually compiling 2.69 seems to have done the trick. (Yay!) 
>> I was porting over my old radvd.conf from linux and I have this option set "AdvRouterAddr On". I cannot seem to find the equivalent in dnsmasq.
>>
>> I want my router's global address 2001:DEAD:BEEF:DDDD::1 to be advertised as the default route and not the link-local.
>> This breaks some firewall bits that I sadly don't have control over. I could always go back to a dnsmasq+radvd setup but I want to retire the linux server that currently runs radvd. 
>>
>> Some pointers appreciated! 
> 
> This isn't currently supported by dnsmasq, sorry.
> 
> It would be worth considering supporting rfc3775 sections 7.2 and 7.3.
> Would that be sensible stand-alone, or is other stuff needed too?

I'd think that's pretty good, since you don't need sections 7.1 and 7.4 unless
you're going to be a home agent.  It looks like you already support sending a
Source Link-Layer Address option in the RA (section 7.5), and the shorter
intervals might already be there too?

-Brian





From simon at thekelleys.org.uk  Thu Apr 17 21:14:50 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 17 Apr 2014 22:14:50 +0100
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
Message-ID: <5350444A.9080106@thekelleys.org.uk>

Thus far, dnsmasq has not maintained separate stable and development
branches. One reason for this is that there's been a pretty strong
policy of backwards-compatibility, so the penalty for upgrading to the
latest release is low: we've almost certainly not broken your config, or
changed behaviour. On the other hand, sometimes fixes for bugs have been
delayed by work on features.

It looks like there are a couple of regressions in 2.69 which need early
correction. The dnsmasq way of this would be to release 2.70 rapidly
with fixes, but once serious development starts on the next set of
features, the ability to do that is lost. The alternative would be to
open stable and development branches, and make a 2.69.1 bugfix release.
There's some cost in doing that, of course. More repo complexity and
work in moving fixes into the development as well as stable releases.
Git makes that much easier than before, of course.

I'm interested in opinions for and against the status-quo or a new
stable/devel split.

Cheers,


Simon.



From jorge at blackdot.be  Thu Apr 17 21:22:18 2014
From: jorge at blackdot.be (Jorge Schrauwen)
Date: Thu, 17 Apr 2014 23:22:18 +0200 (CEST)
Subject: [Dnsmasq-discuss] dnsmasq's AdvRouterAddr On equivalent
In-Reply-To: <534FD514.8050003@thekelleys.org.uk>
References: <308240854.2562.1397601074610.JavaMail.zimbra@blackdot.be>
 <534FD514.8050003@thekelleys.org.uk>
Message-ID: <2013336719.3232.1397769738674.JavaMail.zimbra@blackdot.be>


----- Original Message -----
> From: "Simon Kelley" <simon at thekelleys.org.uk>
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> Sent: Thursday, April 17, 2014 3:20:20 PM
> Subject: Re: [Dnsmasq-discuss] dnsmasq's AdvRouterAddr On equivalent
> 
> On 15/04/14 23:31, Jorge Schrauwen wrote:
> > Hey All,
> > 
> > I had a bit of trouble getting ra to work on OpenBSD but manually compiling
> > 2.69 seems to have done the trick. (Yay!)
> > I was porting over my old radvd.conf from linux and I have this option set
> > "AdvRouterAddr On". I cannot seem to find the equivalent in dnsmasq.
> > 
> > I want my router's global address 2001:DEAD:BEEF:DDDD::1 to be advertised
> > as the default route and not the link-local.
> > This breaks some firewall bits that I sadly don't have control over. I
> > could always go back to a dnsmasq+radvd setup but I want to retire the
> > linux server that currently runs radvd.
> > 
> > Some pointers appreciated!
> 
> This isn't currently supported by dnsmasq, sorry.
> 
> It would be worth considering supporting rfc3775 sections 7.2 and 7.3.
> Would that be sensible stand-alone, or is other stuff needed too?
> 
> 
> Cheers,
> 
> Simon.

(Because I was dumb and sleepy, I hit reply instead of reply all the first time.)

Sections 7.2 and 7.3 of rfc3775 are all that is needed. From what I can tell, "AdvRouterAddr On" does nothing more than advertise the router with its global address instead of the local one.

Regards

Jorge


From dave.taht at gmail.com  Thu Apr 17 21:22:41 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Thu, 17 Apr 2014 14:22:41 -0700
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <5350444A.9080106@thekelleys.org.uk>
References: <5350444A.9080106@thekelleys.org.uk>
Message-ID: <CAA93jw7Ghf-h2X6XANQ+B+gLtqY02M0uR+18EdZPPNa5hMwBig@mail.gmail.com>

I think a lot of distro makers would be comforted by the idea of a
stable branch and feel more comfortable in upgrading to the latest
"stable" for distribution into their embedded products...

... regardless of your success in dealing with the backward compatibility
issues. You could periodically obsolete a given stable branch, much
like other systems, such as Linux, do every year or two.

It's also an opportunity to charge for support, if you like.





-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From b-morgan at concentric.net  Thu Apr 17 21:49:40 2014
From: b-morgan at concentric.net (Brad Morgan)
Date: Thu, 17 Apr 2014 15:49:40 -0600
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <5350444A.9080106@thekelleys.org.uk>
References: <5350444A.9080106@thekelleys.org.uk>
Message-ID: <00be01cf5a86$f0cc44b0$d264ce10$@concentric.net>

> I'm interested in opinions for and against the status-quo or a new
> stable/devel split.

I'm not sure our opinion matters as much as what is easy for you, Simon. I
also think that a split doesn't have to be permanent going forward. If it makes
sense for 2.69 bug fixes then make the split and as soon as it isn't needed,
merge it back into a single stream.

Brad




From thozza at redhat.com  Fri Apr 18 06:44:13 2014
From: thozza at redhat.com (Tomas Hozza)
Date: Fri, 18 Apr 2014 02:44:13 -0400 (EDT)
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <5350444A.9080106@thekelleys.org.uk>
References: <5350444A.9080106@thekelleys.org.uk>
Message-ID: <1997557770.3351568.1397803453080.JavaMail.zimbra@redhat.com>

----- Original Message -----
> Thus far, dnsmasq has not maintained separate stable and development
> branches. One reason for this is that there's been a pretty strong
> policy of backwards-compatibility, so the penalty for upgrading to the
> latest release is low: we've almost certainly not broken your config, or
> changed behaviour. On the other hand, sometimes fixes for bugs have been
> delayed by work on features.
> 
> It looks like there are a couple of regressions in 2.69 which need early
> correction. The dnsmasq way of this would be to release 2.70 rapidly
> with fixes, but once serious development starts on the next set of
> features, the ability to do that is lost. The alternative would be to
> open stable and development branches, and make a 2.69.1 bugfix release.
> There's some cost in doing that, of course. More repo complexity and
> work in moving fixes into the development as well as stable releases.
> Git makes that much easier than before, of course.
> 
> I'm interested in opinions for and against the status-quo or a new
> stable/devel split.

From Fedora's point of view I would welcome a stable branch (version)
that will be maintained for some time, with the development branch
kept separate.

It is already against Fedora's updates policy to bring new functionality
into an already released version if it could change the behaviour. Therefore
dnsmasq 2.69 with DNSSEC is still in Fedora rawhide and will be included
in the next Fedora version (21).

If you decide to keep the current style of development, we can live with
that, too. However, the current state makes it harder if one wants to maintain
some released version of dnsmasq and from time to time just fix a bug.
Although you are sticking to backward compatibility, sometimes one (especially
a distro) doesn't want to rebase to the latest version as it includes
new features that are not necessarily needed.


Regards,
-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com


From weizen_42 at ipcop-forum.de  Fri Apr 18 09:23:58 2014
From: weizen_42 at ipcop-forum.de (Olaf Westrik)
Date: Fri, 18 Apr 2014 11:23:58 +0200
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <5350444A.9080106@thekelleys.org.uk>
References: <5350444A.9080106@thekelleys.org.uk>
Message-ID: <5350EF2E.8070905@ipcop-forum.de>

On 2014-04-17 23:14, Simon Kelley wrote:
> Thus far, dnsmasq has not maintained separate stable and development
> branches. One reason for this is that there's been a pretty strong
> policy of backwards-compatibility, so the penalty for upgrading to the
> latest release is low: we've almost certainly not broken your config, or
> changed behaviour.

May I add: you have done that exceptionally well.


> I'm interested in opinions for and against the status-quo or a new
> stable/devel split.

A full split would mean extra work for you and probably more users 
sticking to some stable branch for a long time. For dnsmasq I do not 
think it is worth the effort.

If at some point during development, important fixes are necessary, it 
is probably more convenient to open something like a temporary stable 
branch with the sole purpose of applying fixes on top of the latest 
released version.

OTOH if you were to give out a notice saying: here is something 
critically important, please apply GIT commit xyz to fix it, that would 
work just as well for our use case.


Olaf


From alex_y_xu at yahoo.ca  Fri Apr 18 11:38:51 2014
From: alex_y_xu at yahoo.ca (Alex Xu)
Date: Fri, 18 Apr 2014 07:38:51 -0400
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <5350444A.9080106@thekelleys.org.uk>
References: <5350444A.9080106@thekelleys.org.uk>
Message-ID: <53510ECB.4080803@yahoo.ca>

On 17/04/14 05:14 PM, Simon Kelley wrote:
> I'm interested in opinions for and against the status-quo or a new
> stable/devel split.

Over at Gentoo (and probably most derivatives), we don't really care too
much about this kind of stuff; users are free to mix and match whatever
versions of software they want, and the build system takes care of the rest.


From weedy2887 at gmail.com  Sun Apr 20 15:52:19 2014
From: weedy2887 at gmail.com (Weedy)
Date: Sun, 20 Apr 2014 11:52:19 -0400
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <5350EF2E.8070905@ipcop-forum.de>
References: <5350444A.9080106@thekelleys.org.uk>
 <5350EF2E.8070905@ipcop-forum.de>
Message-ID: <CAFE24U2xN3uFiZCuzjm2QsEPF42hHxwtEtCcLFuPaNeNmkpqkw@mail.gmail.com>

On 18 Apr 2014 05:27, "Olaf Westrik" <weizen_42 at ipcop-forum.de> wrote:
>
> On 2014-04-17 23:14, Simon Kelley wrote:
>>
>> Thus far, dnsmasq has not maintained separate stable and development
>> branches. One reason for this is that there's been a pretty strong
>> policy of backwards-compatibility, so the penalty for upgrading to the
>> latest release is low: we've almost certainly not broken your config, or
>> changed behaviour.
>
>
> May I add: you have done that exceptionally well.
>
>
>
>> I'm interested in opinions for and against the status-quo or a new
>> stable/devel split.
>
>
> A full split would mean extra work for you and probably more users
> sticking to some stable branch for a long time. For dnsmasq I do not think
> it is worth the effort.
>
> If at some point during development, important fixes are necessary, it is
> probably more convenient to open something like a temporary stable branch
> with the sole purpose of applying fixes on top of the latest released
> version.
>
> OTOH if you were to give out a notice saying: here is something
> critically important, please apply GIT commit xyz to fix it, that would
> work just as well for our use case.

I was about to post a similar comment.
I don't see a point in splitting off stable branches constantly. But point
releases as needed if regressions are found sound about right.

From brad at comstyle.com  Sun Apr 20 15:57:48 2014
From: brad at comstyle.com (Brad Smith)
Date: Sun, 20 Apr 2014 11:57:48 -0400
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <CAFE24U2xN3uFiZCuzjm2QsEPF42hHxwtEtCcLFuPaNeNmkpqkw@mail.gmail.com>
References: <5350444A.9080106@thekelleys.org.uk>
 <5350EF2E.8070905@ipcop-forum.de>
 <CAFE24U2xN3uFiZCuzjm2QsEPF42hHxwtEtCcLFuPaNeNmkpqkw@mail.gmail.com>
Message-ID: <20140420155748.GG15907@humpty.home.comstyle.com>

On Sun, Apr 20, 2014 at 11:52:19AM -0400, Weedy wrote:
> On 18 Apr 2014 05:27, "Olaf Westrik" <weizen_42 at ipcop-forum.de> wrote:
> >
> > On 2014-04-17 23:14, Simon Kelley wrote:
> >>
> >> Thus far, dnsmasq has not maintained separate stable and development
> >> branches. One reason for this is that there's been a pretty strong
> >> policy of backwards-compatibility, so the penalty for upgrading to the
> >> latest release is low: we've almost certainly not broken your config, or
> >> changed behaviour.
> >
> >
> > May I add: you have done that exceptionally well.
> >
> >
> >
> >> I'm interested in opinions for and against the status-quo or a new
> >> stable/devel split.
> >
> >
> > A full split would mean extra work for you and probably more users
> > sticking to some stable branch for a long time. For dnsmasq I do not think
> > it is worth the effort.
> >
> > If at some point during development, important fixes are necessary, it is
> > probably more convenient to open something like a temporary stable branch
> > with the sole purpose of applying fixes on top of the latest released
> > version.
> >
> > OTOH if you were to give out a notice saying: here is something
> > critically important, please apply GIT commit xyz to fix it, that would
> > work just as well for our use case.
> 
> I was about to post a similar comment.
> I don't see a point in splitting off stable branches constantly. But point
> releases as needed if regressions are found sound about right.

IMO that sounds good. A point release for regressions and
other bug fixes would be a good way of doing things, instead
of another full-on release, which usually tries to mix in
feature changes as well when pushing out a release.




From fa500452 at skynet.be  Sun Apr 20 12:31:58 2014
From: fa500452 at skynet.be (fa500452 at skynet.be)
Date: Sun, 20 Apr 2014 14:31:58 +0200 (CEST)
Subject: [Dnsmasq-discuss] Dnsmasq and bond0
Message-ID: <43120621.149239.1397997118110.open-xchange@webmail.nmp.skynet.be>

Hello everyone,

I've got a problem with dnsmasq and, it seems, bond0. I'm not sure, which is why
I'm asking for some help.

I'm under gentoo using
net-dns/dnsmasq-2.66  USE="dbus dhcp idn ipv6 nls tftp -auth-dns -conntrack
-dhcp-tools -lua -script (-selinux)" LINGUAS="-de -es -fi -fr -id -it -no -pl
-pt_BR -ro" 0 kB

3 interfaces: enp1s0, enp7s0 and enp8s0. enp7s0 and enp8s0 are bonded. I used
the kernel method, since according to the kernel documentation ifenslave is a "has been".

The interfaces seem to work:

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
    link/ether d0:50:99:0a:63:05 brd ff:ff:ff:ff:ff:ff
3: enp8s0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
    link/ether d0:50:99:0a:63:05 brd ff:ff:ff:ff:ff:ff
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN
    link/sit 0.0.0.0 brd 0.0.0.0
5: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN
    link/tunnel6 :: brd ::
6: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 64:66:b3:02:3c:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.2/24 brd 192.168.2.255 scope global enp1s0
       valid_lft forever preferred_lft forever
    inet6 fe80::6666:b3ff:fe02:3c91/64 scope link
       valid_lft forever preferred_lft forever
9: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether d0:50:99:0a:63:05 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/8 brd 10.0.0.255 scope global bond0
       valid_lft forever preferred_lft forever
    inet6 fe80::d250:99ff:fe0a:6305/64 scope link
       valid_lft forever preferred_lft forever

dnsmasq.conf
domain-needed
bogus-priv
filterwin2k
bridge-interface=bond0,enp7s0,enp8s0
interface=bond0
expand-hosts
domain=arcade.lan
resolv-file=/etc/resolv.dnsmasq.conf
listen-address=127.0.0.1
listen-address=10.0.0.1
dhcp-range=10.0.0.1,10.0.0.50,72h
dhcp-host=bc:5f:f4:fe:10:26,infinite
dhcp-host=outrun,10.0.0.10
dhcp-host=00:26:b0:e6:31:30,10.0.0.12
dhcp-host=WDTVLive,10.0.0.40
dhcp-host=00:14:38:d4:c4:21,printer,10.0.0.45
dhcp-host=00:22:6b:f7:1c:eb,camera,10.0.0.46
dhcp-host=90:f6:52:75:d8:70,10.0.0.49,infinite
dhcp-host=10:fe:ed:ff:f9:4e,10.0.0.50,infinite
dhcp-option=3,10.0.0.1
dhcp-option=6,208.67.222.222,8.8.8.8
dhcp-option=66,"10.0.0.1"
dhcp-option=67,syslinux.efi
dhcp-option=128,10.0.0.1
#dhcp-option-force=211,30i
pxe-service=x86PC, "Launch PXE_BIOS", pxelinux, 10.0.0.1
pxe-service=X86-64_EFI, "Launch PXE-UEFI", syslinux, 10.0.0.1
dhcp-option=42,0.0.0.0
dhcp-option=19,0           # option ip-forwarding off
dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0. 0    # netbios datagram distribution server
dhcp-option=46,8           # netbios node type
dhcp-option=47
dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
tftp-root=/tftproot/
tftp-lowercase
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
server=/www.google.com/8.8.8.8
bogus-nxdomain=64.94.110.11

As you can see, I've already tried the solution
bridge-interface=bond0,enp7s0,enp8s0.

I've got no dhcp response for my client.

Thanks. Best regards.

Happy easter.

From rath at mglug.de  Mon Apr 21 13:28:30 2014
From: rath at mglug.de (Oliver Rath)
Date: Mon, 21 Apr 2014 15:28:30 +0200
Subject: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
Message-ID: <53551CFE.8060401@mglug.de>

Hi list,

I'm trying to give my network computers IPv6 addresses constructed from
ppp0. In my setup I get from my provider, for instance, these (dynamic) IPv4 and
IPv6 addresses:

# ifconfig ppp0
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
        inet 80.137.126.83  netmask 255.255.255.255  destination 87.186.224.66
        inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid 0x20<link>
        inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64  scopeid 0x0<global>
        ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
        RX packets 2546359  bytes 3258224683 (3.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1550070  bytes 133189854 (127.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

One of my additional interfaces has this address:
# ifconfig p3p1
p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.254  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::210:f3ff:fe07:f7bf  prefixlen 64  scopeid 0x20<link>
        ether 00:10:f3:07:f7:bf  txqueuelen 1000  (Ethernet)
        RX packets 2806761  bytes 3337921408 (3.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1832066  bytes 326375284 (311.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



If I understand right, I've got an IPv6 subnet with room for ~250
clients (Telekom Germany), directly addressable from the internet. Now I
want to configure dnsmasq so that the clients get IPv4 addresses (works,
internal only) and IPv6 addresses that are addressable from the internet.

IMHO the fe80:: number is the *router* IPv6 address and the 2003:... one the
*host* IPv6 address. Now my clients should also get an IPv6 router *and*
host address. Is this right?

My dnsmasq.conf (stripped):

except-interface=ppp0
dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
dhcp-range=tag:gw2,::,constructor:ppp0
ddhcp-option=tag:gw2,128,192.168.2.254
enable-ra
dhcp-option=mtu,1492
dhcp-option=option6:dns-server,[::]
dhcp-option=252,"http://heimserver/wpad.dat"
log-queries
log-dhcp

Now I would assume that my client PC (p3p1 is bridged with the WLAN AP)
would get an fe80:.. address and another, internet-routable one. Since
my card has the MAC address 00:21:6a:37:3f:72, I would assume getting an
IPv6 address like 2003:62:487f:b168:0021:6aFF:FE373f:72, but it doesn't:

wlan0 on my client PC:

# ifconfig wlan0
wlan0     Link encap:Ethernet  Hardware Adresse 00:21:6a:37:3f:72 
          inet Adresse:192.168.2.100  Bcast:192.168.2.255 
Maske:255.255.255.0
          inet6-Adresse: fe80::221:6aff:fe37:3f72/64
Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:2981577 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:2979080 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:3059635559 (3.0 GB)  TX-Bytes:2883630423 (2.8 GB)


Here is /var/log/syslog on my client (sorry for the German parts):

Apr 21 14:57:29 hp dhclient: DHCPREQUEST of 192.168.2.100 on wlan0 to
255.255.255.255 port 67 (xid=0x48327e63)
Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016
seconds.
Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016
seconds.
Apr 21 14:57:29 hp NetworkManager[827]: <info> (wlan0): DHCPv4 state
changed preinit -> reboot
Apr 21 14:57:29 hp NetworkManager[827]: <info>   address 192.168.2.100
Apr 21 14:57:29 hp NetworkManager[827]: <info>   prefix 24 (255.255.255.0)
Apr 21 14:57:29 hp NetworkManager[827]: <info>   gateway 192.168.2.254
Apr 21 14:57:29 hp NetworkManager[827]: <info>   hostname 'hp'
Apr 21 14:57:29 hp NetworkManager[827]: <info>   nameserver '192.168.2.254'
Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage
5 of 5 (IPv4 Configure Commit) scheduled...
Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage
5 of 5 (IPv4 Commit) started...
Apr 21 14:57:29 hp avahi-daemon[801]: Joining mDNS multicast group on
interface wlan0.IPv4 with address 192.168.2.100.
Apr 21 14:57:29 hp avahi-daemon[801]: New relevant interface wlan0.IPv4
for mDNS.
Apr 21 14:57:29 hp avahi-daemon[801]: Registering new address record for
192.168.2.100 on wlan0.IPv4.
Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state
change: ip-config -> secondaries (reason 'none') [70 90 0]
Apr 21 14:57:30 hp NetworkManager[827]: <info> Activation (wlan0) Stage
5 of 5 (IPv4 Commit) complete.
Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state
change: secondaries -> activated (reason 'none') [90 100 0]
Apr 21 14:57:30 hp NetworkManager[827]: <info> NetworkManager state is
now CONNECTED_GLOBAL
Apr 21 14:57:30 hp NetworkManager[827]: <info> Policy set
'WLAN-001F3FD648F9' (wlan0) as default for IPv4 routing and DNS.
Apr 21 14:57:30 hp NetworkManager[827]: <info> Writing DNS information
to /sbin/resolvconf
Apr 21 14:57:30 hp dnsmasq[1563]: vorgelagerte Server von DBus gesetzt
Apr 21 14:57:30 hp dnsmasq[1563]: Benutze Namensserver 192.168.2.254#53
Apr 21 14:57:31 hp avahi-daemon[801]: Joining mDNS multicast group on
interface wlan0.IPv6 with address fe80::221:6aff:fe37:3f72.
Apr 21 14:57:31 hp avahi-daemon[801]: New relevant interface wlan0.IPv6
for mDNS.
Apr 21 14:57:31 hp avahi-daemon[801]: Registering new address record for
fe80::221:6aff:fe37:3f72 on wlan0.*.
Apr 21 14:57:41 hp NetworkManager[827]: <info> Activation (wlan0)
successful, device activated.
Apr 21 14:57:41 hp dbus[684]: [system] Activating service
name='org.freedesktop.nm_dispatcher' (using servicehelper)
Apr 21 14:57:41 hp wpa_supplicant[1062]: wlan0: CTRL-EVENT-SCAN-STARTED
Apr 21 14:57:41 hp dbus[684]: [system] Successfully activated service
'org.freedesktop.nm_dispatcher'
Apr 21 14:57:48 hp ntpdate[8010]: adjust time server 91.189.94.4 offset
0.007383 sec
Apr 21 14:57:50 hp NetworkManager[827]: <info> (wlan0): IP6 addrconf
timed out or failed.
Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0) Stage
4 of 5 (IPv6 Configure Timeout) scheduled...
Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0) Stage
4 of 5 (IPv6 Configure Timeout) started...
Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0) Stage
4 of 5 (IPv6 Configure Timeout) complete.
Apr 21 14:59:27 hp wpa_supplicant[1062]: message repeated 2 times: [
wlan0: CTRL-EVENT-SCAN-STARTED ]
Apr 21 14:59:31 hp wpa_supplicant[1062]: nl80211:
send_and_recv->nl_recvmsgs failed: -33
Apr 21 15:00:50 hp wpa_supplicant[1062]: wlan0: CTRL-EVENT-SCAN-STARTED


What am I doing wrong?

Tfh!
Oliver
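
As an added example (not code from the thread or from dnsmasq) of the address a SLAAC client actually forms: the interface identifier is the modified EUI-64 of the MAC (RFC 4291), which inverts the universal/local bit, so 00:21:6a:37:3f:72 yields ...0221:6aff:fe37:3f72, exactly the suffix seen in the client's fe80:: address above, and the same suffix would be appended to the advertised 2003:62:487f:b168::/64 prefix. The prefix and MAC are the values quoted in the thread; the helper names (`modified_eui64`, `slaac_address`, `scope`, `address_count`) are our own. Python's standard `ipaddress` module does the address arithmetic.

```python
"""
Added example, not code from the thread or from dnsmasq: how a SLAAC client
derives its address from an advertised /64 prefix and its MAC address
(modified EUI-64, RFC 4291), and how to tell address scopes apart.
The prefix and MAC values are the ones quoted in the thread; the helper
names are our own.
"""
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a MAC.

    The 48-bit MAC is split in the middle, 0xFFFE is inserted, and the
    universal/local bit (bit 1 of the first octet) is inverted, so
    00:21:6a:37:3f:72 becomes 02:21:6a:ff:fe:37:3f:72.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the U/L bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the /64 prefix from a router advertisement with the EUI-64 IID.

    Any address within the /64 may be passed (e.g. the router's own global
    address with "/64" appended); only the first 64 bits are used.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC requires exactly a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def scope(addr: str) -> str:
    """Classify an IPv6 address: link-local (fe80::/10) addresses are never
    routed beyond the link, unique-local (fc00::/7) ones are site-internal,
    and global ones are reachable from the internet."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a.is_global:
        return "global"
    return "other"


def address_count(prefix: str) -> int:
    """Number of addresses in a prefix: a /64 holds 2**64, not ~250."""
    return ipaddress.IPv6Network(prefix, strict=False).num_addresses


if __name__ == "__main__":
    mac = "00:21:6a:37:3f:72"                               # client NIC from the thread
    router_global = "2003:62:487f:b168:43c:5b54:cea:b7ea"  # ppp0 address from the thread
    print("link-local :", slaac_address("fe80::/64", mac))
    print("global     :", slaac_address(router_global + "/64", mac))
    for a in ("fe80::221:6aff:fe37:3f72", router_global):
        print(f"{a:40} {scope(a)}")
    print("addresses in /64:", address_count(router_global + "/64"))
```

Run stand-alone it prints the link-local and global SLAAC addresses for the client NIC, the scope of each address from the thread, and the size of the /64. Note that the router's own ppp0 global address carries no ff:fe in its identifier, so it was not formed by EUI-64; that does not affect what clients derive from the advertised prefix.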



From stephane at 22decembre.eu  Mon Apr 21 13:35:57 2014
From: stephane at 22decembre.eu (Stéphane Guedon)
Date: Mon, 21 Apr 2014 15:35:57 +0200
Subject: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
In-Reply-To: <53551CFE.8060401@mglug.de>
References: <53551CFE.8060401@mglug.de>
Message-ID: <1404899.LMq7gNx5fc@luciole>

On Monday 21 April 2014, 15:28:30, Oliver Rath wrote:
> Hi list,
> 
> I'm trying to give my network computers IPv6 addresses constructed
> from ppp0. In my config I get from my provider, for example, these (dynamic)
> IPv4 and IPv6 addresses:
> 
> # ifconfig ppp0
> ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
>         inet 80.137.126.83  netmask 255.255.255.255  destination
> 87.186.224.66
>         inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid
> 0x20<link> inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64 
> scopeid 0x0<global>
>         ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
>         RX packets 2546359  bytes 3258224683 (3.0 GiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1550070  bytes 133189854 (127.0 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> One of my additional interfaces has this address:
> # ifconfig p3p1
> p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.2.254  netmask 255.255.255.0  broadcast
> 192.168.2.255 inet6 fe80::210:f3ff:fe07:f7bf  prefixlen 64  scopeid
> 0x20<link> ether 00:10:f3:07:f7:bf  txqueuelen 1000  (Ethernet) RX
> packets 2806761  bytes 3337921408 (3.1 GiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1832066  bytes 326375284 (311.2 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> 
> 
> If I understand right, I've got an IPv6 subnet with room for
> ~250 clients (Telekom Germany), directly addressable from the internet.
> Now I want to configure dnsmasq so that the clients get
> IPv4 addresses (works, internal only) and IPv6 addresses that are
> addressable from the internet.
> 
> IMHO the fe80.. number is the *router* IPv6 address and the 2003:...
> one the *host* IPv6 address. Now my clients should also get an
> IPv6 router *and* host address. Is this right?
> 
> My dnsmasq.conf (stripped):
> 
> except-interface=ppp0
> dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
> dhcp-range=tag:gw2,::,constructor:ppp0
> ddhcp-option=tag:gw2,128,192.168.2.254
> enable-ra
> dhcp-option=mtu,1492
> dhcp-option=option6:dns-server,[::]
> dhcp-option=252,"http://heimserver/wpad.dat"
> log-queries
> log-dhcp
> 
> Now I would assume that my client PC (p3p1 is bridged with the WLAN AP)
> would get an fe80:.. address and another, internet-routable one.
> Since my card has the MAC address 00:21:6a:37:3f:72, I would assume
> getting an IPv6 address like 2003:62:487f:b168:0021:6aFF:FE373f:72,
> but it doesn't:
> 
> wlan0 on my client PC:
> 
> # ifconfig wlan0
> wlan0     Link encap:Ethernet  Hardware Adresse 00:21:6a:37:3f:72
>           inet Adresse:192.168.2.100  Bcast:192.168.2.255
> Maske:255.255.255.0
>           inet6-Adresse: fe80::221:6aff:fe37:3f72/64
> Gültigkeitsbereich:Verbindung
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>           RX-Pakete:2981577 Fehler:0 Verloren:0 Überläufe:0
> Fenster:0 TX-Pakete:2979080 Fehler:0 Verloren:0 Überläufe:0
> Träger:0 Kollisionen:0 Sendewarteschlangenlänge:1000
>           RX-Bytes:3059635559 (3.0 GB)  TX-Bytes:2883630423 (2.8 GB)
> 
> 
> Here is /var/log/syslog on my client (sorry for the German parts):
> 
> Apr 21 14:57:29 hp dhclient: DHCPREQUEST of 192.168.2.100 on wlan0
> to 255.255.255.255 port 67 (xid=0x48327e63)
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from
> 192.168.2.254 Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100
> -- renewal in 21016 seconds.
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from
> 192.168.2.254 Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100
> -- renewal in 21016 seconds.
> Apr 21 14:57:29 hp NetworkManager[827]: <info> (wlan0): DHCPv4 state
> changed preinit -> reboot
> Apr 21 14:57:29 hp NetworkManager[827]: <info>   address
> 192.168.2.100 Apr 21 14:57:29 hp NetworkManager[827]: <info>  
> prefix 24 (255.255.255.0) Apr 21 14:57:29 hp NetworkManager[827]:
> <info>   gateway 192.168.2.254 Apr 21 14:57:29 hp
> NetworkManager[827]: <info>   hostname 'hp' Apr 21 14:57:29 hp
> NetworkManager[827]: <info>   nameserver '192.168.2.254' Apr 21
> 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5
> of 5 (IPv4 Configure Commit) scheduled...
> Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0)
> Stage 5 of 5 (IPv4 Commit) started...
> Apr 21 14:57:29 hp avahi-daemon[801]: Joining mDNS multicast group
> on interface wlan0.IPv4 with address 192.168.2.100.
> Apr 21 14:57:29 hp avahi-daemon[801]: New relevant interface
> wlan0.IPv4 for mDNS.
> Apr 21 14:57:29 hp avahi-daemon[801]: Registering new address record
> for 192.168.2.100 on wlan0.IPv4.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state
> change: ip-config -> secondaries (reason 'none') [70 90 0] Apr 21
> 14:57:30 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5
> of 5 (IPv4 Commit) complete.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state
> change: secondaries -> activated (reason 'none') [90 100 0] Apr 21
> 14:57:30 hp NetworkManager[827]: <info> NetworkManager state is now
> CONNECTED_GLOBAL
> Apr 21 14:57:30 hp NetworkManager[827]: <info> Policy set
> 'WLAN-001F3FD648F9' (wlan0) as default for IPv4 routing and DNS.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> Writing DNS
> information to /sbin/resolvconf
> Apr 21 14:57:30 hp dnsmasq[1563]: vorgelagerte Server von DBus
> gesetzt Apr 21 14:57:30 hp dnsmasq[1563]: Benutze Namensserver
> 192.168.2.254#53 Apr 21 14:57:31 hp avahi-daemon[801]: Joining mDNS
> multicast group on interface wlan0.IPv6 with address
> fe80::221:6aff:fe37:3f72. Apr 21 14:57:31 hp avahi-daemon[801]: New
> relevant interface wlan0.IPv6 for mDNS.
> Apr 21 14:57:31 hp avahi-daemon[801]: Registering new address record
> for fe80::221:6aff:fe37:3f72 on wlan0.*.
> Apr 21 14:57:41 hp NetworkManager[827]: <info> Activation (wlan0)
> successful, device activated.
> Apr 21 14:57:41 hp dbus[684]: [system] Activating service
> name='org.freedesktop.nm_dispatcher' (using servicehelper)
> Apr 21 14:57:41 hp wpa_supplicant[1062]: wlan0:
> CTRL-EVENT-SCAN-STARTED Apr 21 14:57:41 hp dbus[684]: [system]
> Successfully activated service 'org.freedesktop.nm_dispatcher'
> Apr 21 14:57:48 hp ntpdate[8010]: adjust time server 91.189.94.4
> offset 0.007383 sec
> Apr 21 14:57:50 hp NetworkManager[827]: <info> (wlan0): IP6 addrconf
> timed out or failed.
> Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0)
> Stage 4 of 5 (IPv6 Configure Timeout) scheduled...
> Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0)
> Stage 4 of 5 (IPv6 Configure Timeout) started...
> Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0)
> Stage 4 of 5 (IPv6 Configure Timeout) complete.
> Apr 21 14:59:27 hp wpa_supplicant[1062]: message repeated 2 times: [
> wlan0: CTRL-EVENT-SCAN-STARTED ]
> Apr 21 14:59:31 hp wpa_supplicant[1062]: nl80211:
> send_and_recv->nl_recvmsgs failed: -33
> Apr 21 15:00:50 hp wpa_supplicant[1062]: wlan0:
> CTRL-EVENT-SCAN-STARTED
> 
> 
> What am I doing wrong?
> 
> Tfh!
> Oliver
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

I don't understand much of what you say. But your setup looks like 
mine, and I wrote an article about that:

http://www.22decembre.eu/2014/04/14/local-dns-setup-with-dnsmasq-nsd-and-unbound/

You may just have a quick look at it; maybe it will help you a bit?

From fstd.lkml at gmail.com  Mon Apr 21 13:50:04 2014
From: fstd.lkml at gmail.com (Timo Buhrmester)
Date: Mon, 21 Apr 2014 15:50:04 +0200
Subject: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
In-Reply-To: <53551CFE.8060401@mglug.de>
References: <53551CFE.8060401@mglug.de>
Message-ID: <20140421135004.GA7558@frozen.localdomain>

>         inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid 0x20<link>
This is the link-local address, established by stateless autoconfiguration.

>         inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64  scopeid
This is the /64 your ISP assigned you.

> If I understand right, ive got an IPv6-subnet with the ability of ~250
> clients (Telekom Germany), directly addressable from internet.
Looks like you got a /64, therefore there's slightly more than 250 addresses ;).

> Imho the fe80.. number is the *router*-ipv6-address, the 2003:... the
> *host* ipv6-address. Now my clients should also get an ipv6-router *and*
> -host address. Is this right?
As per the above (though I'm not quite sure what you mean by router/host addresses), this doesn't sound right.

> My dnsmasq.conf (stripped):
Unfortunately I can't help you on the dnsmasq specifics for I'm rather new to it, however I just felt like clarifying these IPv6 specifics.


Best Regards,

    Timo


From stephane at 22decembre.eu  Mon Apr 21 13:55:47 2014
From: stephane at 22decembre.eu (Stéphane Guedon)
Date: Mon, 21 Apr 2014 15:55:47 +0200
Subject: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
In-Reply-To: <20140421135004.GA7558@frozen.localdomain>
References: <53551CFE.8060401@mglug.de>
 <20140421135004.GA7558@frozen.localdomain>
Message-ID: <1794136.Je7ydj25Ho@luciole>

On Monday 21 April 2014, 15:50:04, Timo Buhrmester wrote:
> >         inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid
> >         0x20<link>
> 
> This is the link-local address, established by stateless
> autoconfiguration.
> >         inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64 
> >         scopeid
> 
> This is the /64 your ISP assigned you.
> 
> > If I understand right, ive got an IPv6-subnet with the ability of
> > ~250 clients (Telekom Germany), directly addressable from
> > internet.
> Looks like you got a /64, therefore there's slightly more than 250
> addresses ;).

A /64 network is the minimum, so yes, millions of addresses available!

> > Imho the fe80.. number is the *router*-ipv6-address, the 2003:...
> > the *host* ipv6-address. Now my clients should also get an
> > ipv6-router *and* -host address. Is this right?

fe80:: addresses are local addresses, non-routable.

> 
> As per the above (though i'm not quite sure what you mean by
> router/host addresses, this doesn't sound right.
> > My dnsmasq.conf (stripped):
> Unfortunately I can't help you on the dnsmasq specifics for I'm
> rather new to it, however I just felt like clarifying these IPv6
> specifics.

I just wanted to improve on Timo's answer myself.

> 
> 
> Best Regards,
> 
>     Timo
> 

From rath at mglug.de  Mon Apr 21 14:43:36 2014
From: rath at mglug.de (Oliver Rath)
Date: Mon, 21 Apr 2014 16:43:36 +0200
Subject: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
In-Reply-To: <1404899.LMq7gNx5fc@luciole>
References: <53551CFE.8060401@mglug.de> <1404899.LMq7gNx5fc@luciole>
Message-ID: <53552E98.9030009@mglug.de>

Hi Stéphane!

On 21.04.2014 15:35, Stéphane Guedon wrote:
> On Monday 21 April 2014, 15:28:30, Oliver Rath wrote:
> [..]I don't understand many of what you say. But your setup looks like
> mine, and I wrote an article about that :
> http://www.22decembre.eu/2014/04/14/local-dns-setup-with-dnsmasq-nsd-and-unbound/
> You may just have a quick look at it, maybe it will help you a bit ?

Thanks for the link! At the moment I can't see the big difference between
our configs. But maybe it is something more basic? My ppp0 interface has
the only routable IPv6 address; the p3p1 interface doesn't. Does it need
a routable address? If yes, which one should it be (according to ppp0)?

Oliver



From ryan at rchapman.org  Mon Apr 21 15:08:42 2014
From: ryan at rchapman.org (Ryan A. Chapman)
Date: Mon, 21 Apr 2014 09:08:42 -0600
Subject: [Dnsmasq-discuss] Dnsmasq and bond0
In-Reply-To: <43120621.149239.1397997118110.open-xchange@webmail.nmp.skynet.be>
References: <43120621.149239.1397997118110.open-xchange@webmail.nmp.skynet.be>
Message-ID: <214BD7B6-78C6-4E70-9035-59016BA39D34@rchapman.org>

Hi,

This looks like a bonding issue rather than a dnsmasq issue.  What happens when you remove the bonding config on the host, down all interfaces but one, and unplug all interfaces but one on to the switch?
If that fixes it, then you have a bonding config issue on either the host or switch side.  In order to troubleshoot that, you need "cat /proc/net/bonding/bond0" as well as the port channel and interface configs off the switch.  If it's a Cisco, then it's something like "sh run int port-channelN" as well as each interface in the port-channel "sh run int GigabitEthernetX/Y/Z".

Not sure that everyone on this list is interested in a bonding issue, so I'm happy to help troubleshoot it off list.

Ryan


On Apr 20, 2014, at 6:31 AM, "fa500452 at skynet.be" <fa500452 at skynet.be> wrote:

> Hello everyone,
>  
> I've got some problem with dnsmasq and, it seems, bond0. I'm not sure, which is why I'm asking for some help. 
>  
> I'm under gentoo using
> net-dns/dnsmasq-2.66  USE="dbus dhcp idn ipv6 nls tftp -auth-dns -conntrack -dhcp-tools -lua -script (-selinux)" LINGUAS="-de -es -fi -fr -id -it -no -pl -pt_BR -ro" 0 kB
>  
> 3 interfaces: enp1s0, enp7s0 and enp8s0. enp7s0 and enp8s0 are bonded. I used the kernel method. From the kernel documentation ifenslave is "has been".
>  
> Interfaces seem to work:
>  
> ip a
>  
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo 
>        valid_lft forever preferred_lft forever 
>     inet6 ::1/128 scope host 
>        valid_lft forever preferred_lft forever 
> 2: enp7s0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000 
>     link/ether d0:50:99:0a:63:05 brd ff:ff:ff:ff:ff:ff 
> 3: enp8s0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000 
>     link/ether d0:50:99:0a:63:05 brd ff:ff:ff:ff:ff:ff 
> 4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN 
>     link/sit 0.0.0.0 brd 0.0.0.0 
> 5: ip6tnl0: <NOARP> mtu 1452 qdisc noop state DOWN 
>     link/tunnel6 :: brd :: 
> 6: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 
>     link/ether 64:66:b3:02:3c:91 brd ff:ff:ff:ff:ff:ff 
>     inet 192.168.2.2/24 brd 192.168.2.255 scope global enp1s0 
>        valid_lft forever preferred_lft forever 
>     inet6 fe80::6666:b3ff:fe02:3c91/64 scope link 
>        valid_lft forever preferred_lft forever 
> 9: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
>     link/ether d0:50:99:0a:63:05 brd ff:ff:ff:ff:ff:ff 
>     inet 10.0.0.1/8 brd 10.0.0.255 scope global bond0 
>        valid_lft forever preferred_lft forever 
>     inet6 fe80::d250:99ff:fe0a:6305/64 scope link 
>        valid_lft forever preferred_lft forever
>  
> dnsmasq.conf
> domain-needed 
> bogus-priv 
> filterwin2k 
> bridge-interface=bond0,enp7s0,enp8s0 
> interface=bond0 
> expand-hosts 
> domain=arcade.lan 
> resolv-file=/etc/resolv.dnsmasq.conf 
> listen-address=127.0.0.1 
> listen-address=10.0.0.1 
> dhcp-range=10.0.0.1,10.0.0.50,72h 
> dhcp-host=bc:5f:f4:fe:10:26,infinite 
> dhcp-host=outrun,10.0.0.10 
> dhcp-host=00:26:b0:e6:31:30,10.0.0.12 
> dhcp-host=WDTVLive,10.0.0.40 
> dhcp-host=00:14:38:d4:c4:21,printer,10.0.0.45 
> dhcp-host=00:22:6b:f7:1c:eb,camera,10.0.0.46 
> dhcp-host=90:f6:52:75:d8:70,10.0.0.49,infinite 
> dhcp-host=10:fe:ed:ff:f9:4e,10.0.0.50,infinite 
> dhcp-option=3,10.0.0.1 
> dhcp-option=6,208.67.222.222,8.8.8.8 
> dhcp-option=66,"10.0.0.1" 
> dhcp-option=67,syslinux.efi 
> dhcp-option=128,10.0.0.1 
> #dhcp-option-force=211,30i 
> pxe-service=x86PC, "Launch PXE_BIOS", pxelinux, 10.0.0.1 
> pxe-service=X86-64_EFI, "Launch PXE-UEFI", syslinux, 10.0.0.1 
> dhcp-option=42,0.0.0.0 
> dhcp-option=19,0           # option ip-forwarding off 
> dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) 
> dhcp-option=45,0.0.0. 0    # netbios datagram distribution server 
> dhcp-option=46,8           # netbios node type 
> dhcp-option=47 
> dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 
> tftp-root=/tftproot/ 
> tftp-lowercase 
> dhcp-leasefile=/var/lib/misc/dnsmasq.leases 
> server=/www.google.com/8.8.8.8 
> bogus-nxdomain=64.94.110.11
>  
> As you can see, I've already tried the solution bridge-interface=bond0,enp7s0,enp8s0.
>  
> I've got no dhcp response for my client.
>  
> Thanks. Best regards.
>  
> Happy easter.
>  



From davidj at nkcc.org.uk  Tue Apr 22 19:04:30 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Tue, 22 Apr 2014 20:04:30 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
Message-ID: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>

Hi

I have an Asus rt-n16 router running the Shibby version of the Tomato
firmware which includes dnsmasq version 2.69test3. It's in use in a
building that frequently has 50+ users on a wireless network and dnsmasq
has performed extremely well with very little load on the router.

However, we've recently run a couple of conferences in the building and the
number of people using the wireless network has been just over 100. Several
times there have been problems resolving addresses and when I've looked at
the router dnsmasq has been using 100% cpu. Restarting dnsmasq temporarily
fixes the problem but it occurs again maybe 20 minutes later.

I've turned off logging, increased the cache-size and the maximum number of
dhcp leases (anything I could see that might be a problem with more users)
but this hasn't fixed the problem.

I wondered if anyone has come across anything similar or has any
suggestions?

Thanks

David

From alex_y_xu at yahoo.ca  Tue Apr 22 21:50:58 2014
From: alex_y_xu at yahoo.ca (Alex Xu)
Date: Tue, 22 Apr 2014 17:50:58 -0400
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
Message-ID: <5356E442.5090503@yahoo.ca>

On 22/04/14 03:04 PM, David Joslin wrote:
> Hi
> 
> I have an Asus rt-n16 router running the Shibby version of the Tomato
> firmware which includes dnsmasq version 2.69test3. It's in use in a
> building that frequently has 50+ users on a wireless network and dnsmasq
> has performed extremely well with very little load on the router.
> 
> However, we've recently run a couple of conferences in the building and the
> number of people using the wireless network has been just over 100. Several
> times there have been problems resolving addresses and when I've looked at
> the router dnsmasq has been using 100% cpu. Restarting dnsmasq temporarily
> fixes the problem but it occurs again maybe 20 minutes later.
> 
> I've turned off logging, increased the cache-size and the maximum number of
> dhcp leases (anything I could see that might be a problem with more users)
> but this hasn't fixed the problem.
> 
> I wondered if anyone has come across anything similar or has any
> suggestions?
> 
> Thanks
> 
> David
> 
> 
> 

dnssec


From weedy2887 at gmail.com  Wed Apr 23 01:43:26 2014
From: weedy2887 at gmail.com (Weedy)
Date: Tue, 22 Apr 2014 21:43:26 -0400
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
Message-ID: <CAFE24U3TkCyymM7+E5J5c3Qz8irsz7jJneGuyf7EyWhWm9vWbg@mail.gmail.com>

On 22 Apr 2014 15:10, "David Joslin" <davidj at nkcc.org.uk> wrote:
>
> Hi
>
> I have an Asus rt-n16 router running the Shibby version of the Tomato
firmware which includes dnsmasq version 2.69test3. It's in use in a
building that frequently has 50+ users on a wireless network and dnsmasq
has performed extremely well with very little load on the router.
>
> However, we've recently run a couple of conferences in the building and
the number of people using the wireless network has been just over 100.

Even if you fix this you should look into better hardware.

480 MHz and Broadcom radios at your loads worry the hell out of me.

From davidj at nkcc.org.uk  Wed Apr 23 07:28:21 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Wed, 23 Apr 2014 08:28:21 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <CAFE24U3TkCyymM7+E5J5c3Qz8irsz7jJneGuyf7EyWhWm9vWbg@mail.gmail.com>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <CAFE24U3TkCyymM7+E5J5c3Qz8irsz7jJneGuyf7EyWhWm9vWbg@mail.gmail.com>
Message-ID: <CAJ-gf5A_YofB4NjJcur6=Nw2Gh0QsNJ+xJk5fWVRg02+7LCBYA@mail.gmail.com>

The router isn't being used for wi-fi. We have a Ubiquiti Unifi wi-fi
system throughout the building. The router is just routing (and providing
dns, dhcp etc).

David


On 23 April 2014 02:43, Weedy <weedy2887 at gmail.com> wrote:

>
> On 22 Apr 2014 15:10, "David Joslin" <davidj at nkcc.org.uk> wrote:
> >
> > Hi
> >
> > I have an Asus rt-n16 router running the Shibby version of the Tomato
> firmware which includes dnsmasq version 2.69test3. It's in use in a
> building that frequently has 50+ users on a wireless network and dnsmasq
> has performed extremely well with very little load on the router.
> >
> > However, we've recently run a couple of conferences in the building and
> the number of people using the wireless network has been just over 100.
>
> Even if you fix this you should look into better hardware.
>
> 480mhz and broadcom radios at your loads worries the hell out of me.
>

From simon at thekelleys.org.uk  Wed Apr 23 11:12:27 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 23 Apr 2014 12:12:27 +0100
Subject: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
In-Reply-To: <53551CFE.8060401@mglug.de>
References: <53551CFE.8060401@mglug.de>
Message-ID: <5357A01B.8010907@thekelleys.org.uk>

On 21/04/14 14:28, Oliver Rath wrote:
> Hi list,
> 
> I'm trying to give my network computers IPv6 addresses constructed from
> ppp0. In my config I get from my provider, for example, these (dynamic) IPv4 and
> IPv6 addresses:
> 
> # ifconfig ppp0
> ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
>         inet 80.137.126.83  netmask 255.255.255.255  destination
> 87.186.224.66
>         inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid 0x20<link>
>         inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64  scopeid
> 0x0<global>
>         ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
>         RX packets 2546359  bytes 3258224683 (3.0 GiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1550070  bytes 133189854 (127.0 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> One of my additional interfaces has this address:
> # ifconfig p3p1
> p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.2.254  netmask 255.255.255.0  broadcast 192.168.2.255
>         inet6 fe80::210:f3ff:fe07:f7bf  prefixlen 64  scopeid 0x20<link>
>         ether 00:10:f3:07:f7:bf  txqueuelen 1000  (Ethernet)
>         RX packets 2806761  bytes 3337921408 (3.1 GiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 1832066  bytes 326375284 (311.2 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> 
> 
> If I understand right, I've got an IPv6 subnet with room for ~250
> clients (Telekom Germany), directly addressable from the internet. Now I
> want to configure dnsmasq so that the clients get IPv4 addresses (works,
> internal only) and IPv6 addresses that are addressable from the internet.
> 
> IMHO the fe80.. number is the *router* IPv6 address and the 2003:... one the
> *host* IPv6 address. Now my clients should also get an IPv6 router *and*
> host address. Is this right?
> 
> My dnsmasq.conf (stripped):
> 
> except-interface=ppp0
> dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
> dhcp-range=tag:gw2,::,constructor:ppp0
> ddhcp-option=tag:gw2,128,192.168.2.254
> enable-ra
> dhcp-option=mtu,1492
> dhcp-option=option6:dns-server,[::]
> dhcp-option=252,"http://heimserver/wpad.dat"
> log-queries
> log-dhcp
> 
> Now I would assume that my client PC (p3p1 is bridged with the WLAN AP)
> would get an fe80:.. address and another, internet-routable one. Since
> my card has the MAC address 00:21:6a:37:3f:72, I would assume getting an
> IPv6 address like 2003:62:487f:b168:0021:6aFF:FE373f:72, but it doesn't:
> 
> wlan0 on my client PC:
> 
> # ifconfig wlan0
> wlan0     Link encap:Ethernet  HWaddr 00:21:6a:37:3f:72
>           inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0
>           inet6 addr: fe80::221:6aff:fe37:3f72/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:2981577 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2979080 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:3059635559 (3.0 GB)  TX bytes:2883630423 (2.8 GB)
> 
> 
> Here is /var/log/syslog on my client (sorry for the German parts):
> 
> Apr 21 14:57:29 hp dhclient: DHCPREQUEST of 192.168.2.100 on wlan0 to
> 255.255.255.255 port 67 (xid=0x48327e63)
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
> Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016
> seconds.
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
> Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016
> seconds.
> Apr 21 14:57:29 hp NetworkManager[827]: <info> (wlan0): DHCPv4 state
> changed preinit -> reboot
> Apr 21 14:57:29 hp NetworkManager[827]: <info>   address 192.168.2.100
> Apr 21 14:57:29 hp NetworkManager[827]: <info>   prefix 24 (255.255.255.0)
> Apr 21 14:57:29 hp NetworkManager[827]: <info>   gateway 192.168.2.254
> Apr 21 14:57:29 hp NetworkManager[827]: <info>   hostname 'hp'
> Apr 21 14:57:29 hp NetworkManager[827]: <info>   nameserver '192.168.2.254'
> Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage
> 5 of 5 (IPv4 Configure Commit) scheduled...
> Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage
> 5 of 5 (IPv4 Commit) started...
> Apr 21 14:57:29 hp avahi-daemon[801]: Joining mDNS multicast group on
> interface wlan0.IPv4 with address 192.168.2.100.
> Apr 21 14:57:29 hp avahi-daemon[801]: New relevant interface wlan0.IPv4
> for mDNS.
> Apr 21 14:57:29 hp avahi-daemon[801]: Registering new address record for
> 192.168.2.100 on wlan0.IPv4.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state
> change: ip-config -> secondaries (reason 'none') [70 90 0]
> Apr 21 14:57:30 hp NetworkManager[827]: <info> Activation (wlan0) Stage
> 5 of 5 (IPv4 Commit) complete.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state
> change: secondaries -> activated (reason 'none') [90 100 0]
> Apr 21 14:57:30 hp NetworkManager[827]: <info> NetworkManager state is
> now CONNECTED_GLOBAL
> Apr 21 14:57:30 hp NetworkManager[827]: <info> Policy set
> 'WLAN-001F3FD648F9' (wlan0) as default for IPv4 routing and DNS.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> Writing DNS information
> to /sbin/resolvconf
> Apr 21 14:57:30 hp dnsmasq[1563]: setting upstream servers from DBus
> Apr 21 14:57:30 hp dnsmasq[1563]: using nameserver 192.168.2.254#53
> Apr 21 14:57:31 hp avahi-daemon[801]: Joining mDNS multicast group on
> interface wlan0.IPv6 with address fe80::221:6aff:fe37:3f72.
> Apr 21 14:57:31 hp avahi-daemon[801]: New relevant interface wlan0.IPv6
> for mDNS.
> Apr 21 14:57:31 hp avahi-daemon[801]: Registering new address record for
> fe80::221:6aff:fe37:3f72 on wlan0.*.
> Apr 21 14:57:41 hp NetworkManager[827]: <info> Activation (wlan0)
> successful, device activated.
> Apr 21 14:57:41 hp dbus[684]: [system] Activating service
> name='org.freedesktop.nm_dispatcher' (using servicehelper)
> Apr 21 14:57:41 hp wpa_supplicant[1062]: wlan0: CTRL-EVENT-SCAN-STARTED
> Apr 21 14:57:41 hp dbus[684]: [system] Successfully activated service
> 'org.freedesktop.nm_dispatcher'
> Apr 21 14:57:48 hp ntpdate[8010]: adjust time server 91.189.94.4 offset
> 0.007383 sec
> Apr 21 14:57:50 hp NetworkManager[827]: <info> (wlan0): IP6 addrconf
> timed out or failed.
> Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0) Stage
> 4 of 5 (IPv6 Configure Timeout) scheduled...
> Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0) Stage
> 4 of 5 (IPv6 Configure Timeout) started...
> Apr 21 14:57:50 hp NetworkManager[827]: <info> Activation (wlan0) Stage
> 4 of 5 (IPv6 Configure Timeout) complete.
> Apr 21 14:59:27 hp wpa_supplicant[1062]: message repeated 2 times: [
> wlan0: CTRL-EVENT-SCAN-STARTED ]
> Apr 21 14:59:31 hp wpa_supplicant[1062]: nl80211:
> send_and_recv->nl_recvmsgs failed: -33
> Apr 21 15:00:50 hp wpa_supplicant[1062]: wlan0: CTRL-EVENT-SCAN-STARTED
> 
> 
> What am I doing wrong?
> 
As an experiment, rather than a long-term solution, try assigning p3p1
an address on the 2003:62:487f:b168:: subnet with prefix length 64, and
see if that improves things.


Cheers,


Simon.

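Added example (not part of the thread, not dnsmasq code): the address a SLAAC client will form from a /64 prefix and its MAC address, using the modified EUI-64 interface identifier of RFC 4291 Appendix A. The MAC and prefix used in the demonstration are the ones quoted above; everything else is assumption.

```python
"""Added example (not from the thread): the SLAAC address a host forms from a
/64 prefix and its MAC address using a modified EUI-64 interface identifier
(RFC 4291, Appendix A)."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC in half, insert ff:fe between the
    halves, and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an advertised /64 prefix with the EUI-64 interface identifier.
    The prefix may be written as any address inside the /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


if __name__ == "__main__":
    mac = "00:21:6a:37:3f:72"  # the client MAC quoted in the thread
    print("link-local:", slaac_address("fe80::/64", mac))
    print("global:    ", slaac_address("2003:62:487f:b168::/64", mac))
```

The flipped universal/local bit is why the client's own link-local address reads fe80::221:6aff:fe37:3f72 rather than ::21:6aff:...; a global address built from the same MAC would start 2003:62:487f:b168:221:6aff. If that address never appears on the client, no Router Advertisement carrying the prefix reached it. Note that many clients also add RFC 4941 privacy addresses, so the EUI-64 form is the one to look for, not the only one to expect.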



From dave.taht at gmail.com  Wed Apr 23 15:42:08 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 23 Apr 2014 08:42:08 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures
In-Reply-To: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
Message-ID: <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>

I will argue that a better place to report dnssec validation
errors is the dnsmasq list.

On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood <woody77 at gmail.com> wrote:
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is
> BOGUS
> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
>
> This one validates via verisign, however.
>
> -Aaron
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From simon at thekelleys.org.uk  Wed Apr 23 15:58:46 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 23 Apr 2014 16:58:46 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures
In-Reply-To: <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
 <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
Message-ID: <5357E336.6070406@thekelleys.org.uk>

On 23/04/14 16:42, Dave Taht wrote:
> I will argue that a better place to report dnssec validation
> errors is the dnsmasq list.
> 
> On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood <woody77 at gmail.com> wrote:
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is
>> BOGUS
>> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
>>
>> This one validates via verisign, however.
>>

Something strange in that domain. Turning off DNSSEC with the
checking-disabled bit, the original A-record query is OK:


; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45416
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN A

;; ANSWER SECTION:
e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. 19 IN A 23.195.61.15

;; Query time: 112 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 23 16:52:06 2014
;; MSG SIZE  rcvd: 81

But a query for DS on the same domain, which is what dnsmasq does next,
returns SERVFAIL, _even_with_ checking disabled.

; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44148
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN DS

;; Query time: 149 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 23 16:52:30 2014
;; MSG SIZE  rcvd: 65

Dnsmasq does the DS query next because the answer to the A query comes
back unsigned, so dnsmasq is looking for a DS record that proves this is
OK. It's likely that Verisign does that top-down (starting from the
root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
broken DS, whilst dnsmasq does.

That's as good an analysis as I can produce right now. Anyone who can
shed more light, please do.


(And yes, please report DNSSEC problems on the dnsmasq-discuss list for
preference.)



Cheers,

Simon.






From dave.taht at gmail.com  Wed Apr 23 17:29:10 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 23 Apr 2014 10:29:10 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel]  more dnssec failures
In-Reply-To: <CALQXh-NJ7WDZjB-DqwHASU6zB4CMeRW7=tTW2MvmrsDPsVwXQA@mail.gmail.com>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
 <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
 <5357E336.6070406@thekelleys.org.uk> <5357EDE7.2000409@gmail.com>
 <CALQXh-NJ7WDZjB-DqwHASU6zB4CMeRW7=tTW2MvmrsDPsVwXQA@mail.gmail.com>
Message-ID: <CAA93jw6sop29-n6Cc+6uSNRKdcXzXfUOQQTCOwAFGoypbJrM_g@mail.gmail.com>

On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <woody77 at gmail.com> wrote:
> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1 at gmail.com>
> wrote:
>>
>>
>> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>> <snip rest of NOERROR response>
>> >
>> > But a query for DS on the same domain, which is what dnsmasq does next,
>> > returns SERVFAIL, _even_with_ checking disabled.
>> >
>> > ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>> > e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>> <snip SERVFAIL response>
>>
>> This looks identical to the *.cloudflare.com issue I had last week.  In
>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>> and 8.8.8.8 returns SERVFAIL for DS lookups.  This looks like a bug in
>> Google's DNS servers as opposed to dnsmasq...
>
>
> A question about dnsmasq and multiple servers.  If I listed both 4.2.2.2 and
> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
> would it query both for the DS?  or just "stick" with the first server to
> start responding with an A-record?

By default dnsmasq probes for a "best" upstream dns server periodically
and uses that.

>
> (I confess that I don't know the details of DNS very well)
>
> -Aaron
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From simon at thekelleys.org.uk  Wed Apr 23 19:04:35 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 23 Apr 2014 20:04:35 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel]  more dnssec failures
In-Reply-To: <CAA93jw6sop29-n6Cc+6uSNRKdcXzXfUOQQTCOwAFGoypbJrM_g@mail.gmail.com>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
 <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
 <5357E336.6070406@thekelleys.org.uk> <5357EDE7.2000409@gmail.com>
 <CALQXh-NJ7WDZjB-DqwHASU6zB4CMeRW7=tTW2MvmrsDPsVwXQA@mail.gmail.com>
 <CAA93jw6sop29-n6Cc+6uSNRKdcXzXfUOQQTCOwAFGoypbJrM_g@mail.gmail.com>
Message-ID: <53580EC3.3080807@thekelleys.org.uk>

On 23/04/14 18:29, Dave Taht wrote:
> On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood <woody77 at gmail.com> wrote:
>> On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley <robert.bradley1 at gmail.com>
>> wrote:
>>>
>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip rest of NOERROR response>
>>>>
>>>> But a query for DS on the same domain, which is what dnsmasq does next,
>>>> returns SERVFAIL, _even_with_ checking disabled.
>>>>
>>>> ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds
>>>> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>> <snip SERVFAIL response>
>>>
>>> This looks identical to the *.cloudflare.com issue I had last week.  In
>>> both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
>>> and 8.8.8.8 returns SERVFAIL for DS lookups.  This looks like a bug in
>>> Google's DNS servers as opposed to dnsmasq...
>>
>>
>> A question about dnsmasq and multiple servers.  If I listed both 4.2.2.2 and
>> 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
>> would it query both for the DS?  or just "stick" with the first server to
>> start responding with an A-record?
> 
> By default dnsmasq probes for a "best" upstream dns server periodically
> and uses that.

Subsequent queries needed to do DNSSEC validation of an initial answer
are always sent to the same server which provided that answer.


Simon.

> 
>>
>> (I confess that I don't know the details of DNS very well)
>>
>> -Aaron
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
> 
> 
> 

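Added example (not dnsmasq's code, not part of the thread) illustrating two points made above: Simon's explanation that dnsmasq walks the DS chain bottom-up from the queried name while a top-down validator stops at the first provably insecure delegation, and his note that all follow-up validation queries go to the upstream that produced the original answer. The DS reply table is constructed to mirror what the thread observed (8.8.8.8 returns SERVFAIL for the DS query, 4.2.2.2 does not); it is an assumption, not real DNS data, and the domain name is the one from the logs above.

```python
"""Added example (not dnsmasq's code): why a bottom-up DS walk runs into a
broken delegation that a top-down walk never asks about, and why the result
depends on which upstream answered the original query."""
from enum import Enum


class DSReply(Enum):
    SIGNED = "DS present and signed by the parent: the child zone is signed"
    NO_DS = "signed NSEC/NSEC3 proof that no DS exists: the child is insecure"
    UNSIGNED = "plain unsigned NODATA: no signed zone cut here, keep walking"
    SERVFAIL = "the resolver failed the DS query"


NAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net."

# Constructed DS replies per upstream resolver. These are assumptions that
# mirror what the thread observed (8.8.8.8 SERVFAILs the DS query for NAME,
# 4.2.2.2 does not); they are not real DNS data.
_COMMON = {"net.": DSReply.SIGNED, "akamaiedge.net.": DSReply.NO_DS}
DS_REPLIES = {
    "8.8.8.8": {**_COMMON, NAME: DSReply.SERVFAIL},
    "4.2.2.2": dict(_COMMON),
}


def ancestors(name):
    """Yield the name itself, each parent in turn, and finally the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def ds_lookup(server):
    """Return a DS-query function pinned to one upstream. dnsmasq sends the
    follow-up queries for an answer to the server that produced that answer,
    so the whole walk sees a single resolver's view."""
    table = DS_REPLIES[server]
    return lambda name: table.get(name, DSReply.UNSIGNED)


def validate_top_down(name, ds):
    """Walk from the root down. The first signed proof of 'no DS' makes every
    name below it insecure, so the walk stops there and never queries deeper."""
    for cut in reversed(list(ancestors(name))[:-1]):  # drop '.', the trust anchor
        reply = ds(cut)
        if reply is DSReply.NO_DS:
            return "INSECURE", cut
        if reply is DSReply.SERVFAIL:
            return "BOGUS", cut
    return "SECURE", name


def validate_bottom_up(name, ds):
    """Walk from the queried name upwards, as dnsmasq does for an unsigned
    answer: the very first DS query is for the full name."""
    for cut in ancestors(name):
        if cut == ".":
            return "SECURE", cut
        reply = ds(cut)
        if reply is DSReply.SERVFAIL:
            return "BOGUS", cut
        if reply is DSReply.NO_DS:
            return "INSECURE", cut
        if reply is DSReply.SIGNED:
            # A signed zone above an unsigned answer, with no denial in between.
            return "BOGUS", cut
    return "BOGUS", name


if __name__ == "__main__":
    for server in DS_REPLIES:
        ds = ds_lookup(server)
        print(server, "top-down:", validate_top_down(NAME, ds),
              "bottom-up:", validate_bottom_up(NAME, ds))
```

With the 8.8.8.8 table the top-down walk reports the name insecure at akamaiedge.net and never asks about the deep name, while the bottom-up walk asks for the deep DS first, gets SERVFAIL and returns BOGUS. With the 4.2.2.2 table both walks agree, which is the behaviour reported in the thread when switching upstream. Because the follow-up queries are pinned to the server that gave the A answer, listing both upstreams does not by itself avoid the failure.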


From woody77 at gmail.com  Thu Apr 24 10:49:58 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Thu, 24 Apr 2014 12:49:58 +0200
Subject: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures
In-Reply-To: <5357E336.6070406@thekelleys.org.uk>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
 <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
 <5357E336.6070406@thekelleys.org.uk>
Message-ID: <CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>

On Wed, Apr 23, 2014 at 5:58 PM, Simon Kelley <simon at thekelleys.org.uk>wrote:

> On 23/04/14 16:42, Dave Taht wrote:
> > I will argue that a better place to report dnssec validation
> > errors is the dnsmasq list.
> >
> > On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood <woody77 at gmail.com> wrote:
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A]
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS]
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result
> is
> >> BOGUS
> >> Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply
> >> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186
> >>
> >> This one validates via verisign, however.
> >>
>
> Something strange in that domain. Turning off DNSSEC with the
> checking-disabled bit, the original A-record query is OK


....


> Dnsmasq does the DS query next because the answer to the A query comes
> back unsigned, so dnsmasq is looking for a DS record that proves this is
> OK. It's likely that Verisign does that top-down (starting from the
> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
> broken DS, whilst dnsmasq does.
>
> That's as good an analysis as I can produce right now. Anyone who can
> shed more light, please do.
>
> (And yes, please report DNSSEC problems  on the dnsmasq-discuss list for
> preference.)
>

This is still persisting (and it appears to be blocking a bunch of Apple
software update functions).  From your comments, Simon, it sounds like you
think this is an Akamai issue, and should be reported to them?

Thanks,
Aaron

From simon at thekelleys.org.uk  Thu Apr 24 11:27:54 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 24 Apr 2014 12:27:54 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures
In-Reply-To: <CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>	<CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>	<5357E336.6070406@thekelleys.org.uk>
 <CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>
Message-ID: <5358F53A.3050501@thekelleys.org.uk>

On 24/04/14 11:49, Aaron Wood wrote:

> 
>> Dnsmasq does the DS query next because the answer to the A query comes
>> back unsigned, so dnsmasq is looking for a DS record that proves this is
>> OK. It's likely that Verisign does that top-down (starting from the
>> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
>> broken DS, whilst dnsmasq does.
>>
>> That's as good an analysis as I can produce right now. Anyone who can
>> shed more light, please do.
>>
>> (And yes, please report DNSSEC problems  on the dnsmasq-discuss list for
>> preference.)
>>
> 
> This is still persisting (and it appears to be blocking a bunch of Apple
> software update functions).  From your comments, Simon, it sounds like you
> think this is an Akamai issue, and should be reported to them?
> 

I'm not absolutely sure that this isn't also a dnsmasq problem, and
DNSSEC is still capable of surprising me, but I can't see how a SERVFAIL
answer to

dig @8.8.8.8 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

cannot be either a Google ('cause it's their recursive server) or
Akamai problem.

Poking further, it looks like the authoritative name servers for that
zone are

; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 NS cn.akamaiedge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43031
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cn.akamaiedge.net.		IN	NS

;; ANSWER SECTION:
cn.akamaiedge.net.	299	IN	NS	n7cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n6cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n0cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n2cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n5cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n4cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n3cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n1cn.akamaiedge.net.
cn.akamaiedge.net.	299	IN	NS	n8cn.akamaiedge.net.

and all of those give sensible answers for

DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

except n8cn.akamaiedge.net, which isn't responding, so I rather think
this may be a Google mess.

Or maybe it's Great Firewall induced breakage?

Cheers,


Simon.





From simon at thekelleys.org.uk  Thu Apr 24 11:41:36 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 24 Apr 2014 12:41:36 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
Message-ID: <5358F870.4050006@thekelleys.org.uk>

On 22/04/14 20:04, David Joslin wrote:
> Hi
> 
> I have an Asus rt-n16 router running the Shibby version of the Tomato
> firmware which includes dnsmasq version 2.69test3. It's in use in a
> building that frequently has 50+ users on a wireless network and dnsmasq
> has performed extremely well with very little load on the router.
> 
> However, we've recently run a couple of conferences in the building and the
> number of people using the wireless network has been just over 100. Several
> times there have been problems resolving addresses and when I've looked at
> the router dnsmasq has been using 100% cpu. Restarting dnsmasq temporarily
> fixes the problem but it occurs again maybe 20 minutes later.
> 
> I've turned off logging, increased the cache-size and the maximum number of
> dhcp leases (anything I could see that might be a problem with more users)
> but this hasn't fixed the problem.
> 
> I wondered if anyone has come across anything similar or has any
> suggestions?
> 

The first thing is to try and decide which of two possible scenarios are
happening. The first is that you've triggered a bug in the code and
dnsmasq is looping somewhere without ever getting back to the select()
loop and doing actual work. The second is that it's getting so much work
that it's running out of CPU to do it.

In the first case, dnsmasq will stop working entirely. Is that
consistent with  "problems resolving addresses" or does it still
partially work? Turning off logging is probably counter-productive here,
the logs may have valuable clues.


In the second case, DNSSEC is something to worry about. Do you have that
turned on?

Also, it's possible to arrive at configurations with DNS forwarding
loops where one DNS query gets sent upstream, but somehow ends up back
at the dnsmasq instance that originally forwarded it and then goes round
in circles. It's quite difficult to do this without at least two dnsmasq
instances, but it is possible.

Finally, logging to a syslog daemon which does its own DNS lookups (to
label logs from remote hosts) can create a collapse: dnsmasq will log
several lines for each DNS query, and if each of those lines generates a new
DNS query which has to be handled by dnsmasq, it all goes wrong very quickly.


Cheers,


Simon.




From simon at thekelleys.org.uk  Thu Apr 24 12:03:15 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 24 Apr 2014 13:03:15 +0100
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <20140420155748.GG15907@humpty.home.comstyle.com>
References: <5350444A.9080106@thekelleys.org.uk>
 <5350EF2E.8070905@ipcop-forum.de>
 <CAFE24U2xN3uFiZCuzjm2QsEPF42hHxwtEtCcLFuPaNeNmkpqkw@mail.gmail.com>
 <20140420155748.GG15907@humpty.home.comstyle.com>
Message-ID: <5358FD83.3050602@thekelleys.org.uk>

On 20/04/14 16:57, Brad Smith wrote:
> On Sun, Apr 20, 2014 at 11:52:19AM -0400, Weedy wrote:
>> On 18 Apr 2014 05:27, "Olaf Westrik" <weizen_42 at ipcop-forum.de> wrote:
>>>
>>> On 2014-04-17 23:14, Simon Kelley wrote:
>>>>
>>>> Thus far, dnsmasq has not maintained separate stable and development
>>>> branches. One reason for this is that there's been a pretty strong
>>>> policy of backwards-compatibility, so the penalty for upgrading to the
>>>> latest release is low: we've almost certainly not broken your config, or
>>>> changed behaviour.
>>>
>>>
>>> May I add: you have done that exceptionally well.
>>>
>>>
>>>
>>>> I'm interested in opinions for and against the status-quo or a new
>>>> stable/devel split.
>>>
>>>
>>> A full split would mean extra work for you and probably more users
>> sticking to some stable branch for a long time. For dnsmasq I do not think
>> it is worth the effort.
>>>
>>> If at some point during development, important fixes are necessary, it is
>> probably more convenient to open something like a temporary stable branch
>> with the sole purpose of applying fixes on top of the latest released
>> version.
>>>
>>> OTOH if you were to give out a notice saying: here is something
>> critically important, please apply GIT commit xyz to fix it, that would
>> work just as well for our use case.
>>
>> I was about to post a similar comment.
>> I don't see a point in splitting off stable branches constantly. But point
>> releases as needed if regressions are found sound about right.
> 
> IMO sounds good to me. A point release for regressions and
> other bug fixes would be a good way of doing things instead
> of another full on release which usually tries to mix in
> feature changes as well pushing out a release.
> 


That seems to be the consensus.

In the current state, I can simply do a 2.70 release to fix the nasty
bugs in 2.69, since there's been no feature work done since. In future,
if bugs come up later in the development cycle, I'll do point releases
to fix them.



Cheers,


Simon.



From woody77 at gmail.com  Thu Apr 24 12:33:05 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Thu, 24 Apr 2014 14:33:05 +0200
Subject: [Dnsmasq-discuss] local dns-sd requests being forwarded to upstream
	servers on CeroWRT?
Message-ID: <CALQXh-PjwizvKEHdXUXQF8ha3LFe6y-ohQ-K6gFiX26E75dKKg@mail.gmail.com>

Using CeroWRT 3.10.36-4, I'm seeing the following in the logs:

Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
b._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
b._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
db._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
db._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
r._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
r._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
dr._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
dr._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
lb._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
lb._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
b._dns-sd._udp.home.lan from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
b._dns-sd._udp.home.lan is NXDOMAIN
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
db._dns-sd._udp.home.lan from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
db._dns-sd._udp.home.lan is NXDOMAIN
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
r._dns-sd._udp.home.lan from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
r._dns-sd._udp.home.lan is NXDOMAIN
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
dr._dns-sd._udp.home.lan from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
dr._dns-sd._udp.home.lan is NXDOMAIN
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
lb._dns-sd._udp.home.lan from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
lb._dns-sd._udp.home.lan is NXDOMAIN
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
b._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
db._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
r._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
dr._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
lb._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
_udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
30.172.in-addr.arpa to 8.8.8.8

172.39.42.99 is my OSX laptop, and 172.39.42.96 is ip 0 in the sw10 subnet?
 The router has no leases active for that particular ip, and it doesn't
have an arp entry on my laptop...

-Aaron
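Added example (not dnsmasq's code, not part of any message in the thread): a small triage of dnsmasq log-queries output for patterns from two messages above, the forwarding loops and syslog feedback Simon describes in the 100% CPU reply, and the private-range reverse lookups Aaron sees being forwarded to 8.8.8.8 in the post just above. The sample log lines are constructed in the same format as the ones quoted in this thread, and the upstream and syslog addresses are assumptions to replace with your own.

```python
"""Added example (not dnsmasq's code): triage dnsmasq 'log-queries' output for
three patterns discussed in this thread: queries arriving from an upstream
server (a forwarding loop), PTR queries from the syslog host (log lines feeding
back as DNS traffic), and private-range reverse lookups being forwarded to a
public resolver."""
import ipaddress
import re

# Assumed addresses for the demonstration; substitute your own.
UPSTREAMS = {"8.8.8.8", "192.0.2.53"}
SYSLOG_HOSTS = {"172.30.42.10"}

# Matches 'query[TYPE] name from client' and 'forwarded name to server' lines.
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query|forwarded)(?:\[(?P<qtype>[\w-]+)\])? "
    r"(?P<name>\S+) (?:from|to) (?P<peer>\S+)"
)

# Constructed sample, modelled on the log format quoted in this thread.
SAMPLE_LOG = """\
Apr 24 14:15:14 gw dnsmasq[13365]: query[PTR] b._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
Apr 24 14:15:14 gw dnsmasq[13365]: forwarded b._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Apr 24 14:15:15 gw dnsmasq[13365]: query[A] www.example.com from 172.30.42.99
Apr 24 14:15:15 gw dnsmasq[13365]: forwarded www.example.com to 192.0.2.53
Apr 24 14:15:15 gw dnsmasq[13365]: query[A] www.example.com from 192.0.2.53
Apr 24 14:15:15 gw dnsmasq[13365]: forwarded www.example.com to 192.0.2.53
Apr 24 14:15:16 gw dnsmasq[13365]: query[PTR] 99.42.30.172.in-addr.arpa from 172.30.42.10
Apr 24 14:15:16 gw dnsmasq[13365]: query[PTR] 99.42.30.172.in-addr.arpa from 172.30.42.10
""".splitlines()


def parse(line):
    """Return (kind, qtype, name, peer) for a query/forwarded line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    peer = m.group("peer").split("#")[0]  # drop a '#port' suffix if present
    return m.group("kind"), m.group("qtype"), m.group("name"), peer


def reverse_zone_address(name):
    """IPv4 address encoded by the four octets in front of in-addr.arpa, e.g.
    'b._dns-sd._udp.96.42.30.172.in-addr.arpa' -> 172.30.42.96; None otherwise."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[-6:-2]
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def triage(lines, upstreams=UPSTREAMS, syslog_hosts=SYSLOG_HOSTS):
    """Collect (name, peer) pairs for each suspicious pattern."""
    findings = {"loop": [], "syslog_feedback": [], "private_reverse_leak": []}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        kind, qtype, name, peer = rec
        if kind == "query":
            if peer in upstreams:  # our own upstream is asking us: a loop
                findings["loop"].append((name, peer))
            if qtype == "PTR" and peer in syslog_hosts:
                findings["syslog_feedback"].append((name, peer))
        else:  # forwarded: private reverse zone leaving for a public resolver?
            addr = reverse_zone_address(name)
            if addr is not None and addr.is_private and not ipaddress.ip_address(peer).is_private:
                findings["private_reverse_leak"].append((name, peer))
    return findings


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(hits)}")
        for name, peer in hits:
            print("   ", name, peer)
```

A loop hit means an upstream you forward to is sending the same question back, which is the circular case Simon describes; a run of PTR queries from the syslog host for the addresses in your own log lines is the feedback case, fixed by turning off name resolution in the syslog daemon rather than in dnsmasq. For the leak case, dnsmasq's bogus-priv option answers reverse lookups for private ranges that are not in /etc/hosts or the lease file with NXDOMAIN instead of forwarding them, and local=/42.30.172.in-addr.arpa/ does the same for one specific zone; either keeps wide-area Bonjour browsing queries like the b._dns-sd._udp ones above from reaching a public resolver.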

From woody77 at gmail.com  Thu Apr 24 12:33:20 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Thu, 24 Apr 2014 14:33:20 +0200
Subject: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures
In-Reply-To: <5358F53A.3050501@thekelleys.org.uk>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
 <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
 <5357E336.6070406@thekelleys.org.uk>
 <CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>
 <5358F53A.3050501@thekelleys.org.uk>
Message-ID: <CALQXh-N6fA-oGg6BmyZwYCAmtCLLMD0_R7QTA+9n8A8KqPZu1g@mail.gmail.com>

Well, I'm seeing the same results as you are from here in Paris (using
Free.fr).

-Aaron


On Thu, Apr 24, 2014 at 1:27 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:

> On 24/04/14 11:49, Aaron Wood wrote:
>
> >
> >> Dnsmasq does the DS query next because the answer to the A query comes
> >> back unsigned, so dnsmasq is looking for a DS record that proves this is
> >> OK. It's likely that Verisign does that top-down (starting from the
> >> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
> >> broken DS, whilst dnsmasq does.
> >>
> >> That's as good an analysis as I can produce right now. Anyone who can
> >> shed more light, please do.
> >>
> >> (And yes, please report DNSSEC problems  on the dnsmasq-discuss list for
> >> preference.)
> >>
> >
> > This is still persisting (and it appears to be blocking a bunch of Apple
> > software update functions).  From your comments, Simon, it sounds like
> you
> > think this is an Akamai issue, and should be reported to them?
> >
>
> I'm not absolutely sure that this isn't also a dnsmasq problem, and
> DNSSEC is still capable of surprising me, but I can't see how a SERVFAIL
> answer to
>
> dig @8.8.8.8 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> can not be either a Google ('cause it's their recursive server) or
> Akamai problem.
>
> Poking further, it looks like the authoritative name servers for that
> zone are
>
> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 NS cn.akamaiedge.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43031
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;cn.akamaiedge.net.             IN      NS
>
> ;; ANSWER SECTION:
> cn.akamaiedge.net.      299     IN      NS      n7cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n6cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n0cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n2cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n5cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n4cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n3cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n1cn.akamaiedge.net.
> cn.akamaiedge.net.      299     IN      NS      n8cn.akamaiedge.net.
>
> and all of those give sensible answers for
>
> DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> except n8cn.akamaiedge.net, which isn't responding, so I rather think
> this may be a Google mess.
>
> Or maybe it's Great Firewall induced breakage?
>
> Cheers,
>
>
> Simon.
>
>
>
>

From woody77 at gmail.com  Thu Apr 24 12:35:27 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Thu, 24 Apr 2014 14:35:27 +0200
Subject: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures
In-Reply-To: <CALQXh-N6fA-oGg6BmyZwYCAmtCLLMD0_R7QTA+9n8A8KqPZu1g@mail.gmail.com>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
 <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
 <5357E336.6070406@thekelleys.org.uk>
 <CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>
 <5358F53A.3050501@thekelleys.org.uk>
 <CALQXh-N6fA-oGg6BmyZwYCAmtCLLMD0_R7QTA+9n8A8KqPZu1g@mail.gmail.com>
Message-ID: <CALQXh-O4puZOB710+R2CcY3AEqTZhAJvU8YFsjjH3_xK1CdXvA@mail.gmail.com>

And if I use Free.fr's servers, the DS resolves (I'm running CeroWRT
double-NAT behind a Freebox v6):

dig @192.168.1.254 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net

; <<>> DiG 9.8.5-P1 <<>> @192.168.1.254 DS
e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11369
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN DS

;; AUTHORITY SECTION:
cn.akamaiedge.net. 1800 IN SOA n0cn.akamaiedge.net. hostmaster.akamai.com.
1398342840 1000 1000 1000 1800

;; Query time: 39 msec
;; SERVER: 192.168.1.254#53(192.168.1.254)
;; WHEN: Thu Apr 24 14:34:00 CEST 2014
;; MSG SIZE  rcvd: 127

-Aaron


On Thu, Apr 24, 2014 at 2:33 PM, Aaron Wood <woody77 at gmail.com> wrote:

> Well, I'm seeing the same results as you are from here in Paris (using
> Free.fr).
>
> -Aaron
>
>
> On Thu, Apr 24, 2014 at 1:27 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
>> On 24/04/14 11:49, Aaron Wood wrote:
>>
>> >
>> >> Dnsmasq does the DS query next because the answer to the A query comes
>> >> back unsigned, so dnsmasq is looking for a DS record that proves this
>> is
>> >> OK. It's likely that Verisign does that top-down (starting from the
>> >> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
>> >> broken DS, whilst dnsmasq does.
>> >>
>> >> That's as good an analysis as I can produce right now. Anyone who can
>> >> shed more light, please do.
>> >>
>> >> (And yes, please report DNSSEC problems  on the dnsmasq-discuss list
>> for
>> >> preference.)
>> >>
>> >
>> > This is still persisting (and it appears to be blocking a bunch of Apple
>> > software update functions).  From your comments, Simon, it sounds like
>> you
>> > think this is an Akamai issue, and should be reported to them?
>> >
>>
>> I'm not absolutely sure that this isn't also a dnsmasq problem, and
>> DNSSEC is still capable of surprising me, but I can't see how a SERVFAIL
>> answer to
>>
>> dig @8.8.8.8 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>
>> can not be either a Google ('cause it's their recursive server) or
>> Akamai problem.
>>
>> Poking further, it looks like the authoritative name servers for that
>> zone are
>>
>> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 NS cn.akamaiedge.net
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43031
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;cn.akamaiedge.net.             IN      NS
>>
>> ;; ANSWER SECTION:
>> cn.akamaiedge.net.      299     IN      NS      n7cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n6cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n0cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n2cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n5cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n4cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n3cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n1cn.akamaiedge.net.
>> cn.akamaiedge.net.      299     IN      NS      n8cn.akamaiedge.net.
>>
>> and all of those give sensible answers for
>>
>> DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>
>> except n8cn.akamaiedge.net, which isn't responding, so I rather think
>> this may be a Google mess.
>>
>> Or maybe it's Great Firewall induced breakage?
>>
>> Cheers,
>>
>>
>> Simon.
>>
>>
>>
>>
>

From simon at thekelleys.org.uk  Thu Apr 24 13:17:45 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 24 Apr 2014 14:17:45 +0100
Subject: [Dnsmasq-discuss] Announce: dnsmasq-2.70
Message-ID: <53590EF9.7070200@thekelleys.org.uk>

I've just released dnsmasq-2.70. This is a small bug-fix release that
addresses a couple of problems which have emerged with the 2.69 release.
There is no new functionality and anyone running 2.69 should upgrade to
2.70.

Release notes below.

http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.70.tar.gz

Cheers,


Simon.


-----------------------------------------------------------------------------
version 2.70
            Fix crash, introduced in 2.69, on TCP request when dnsmasq
            compiled with DNSSEC support, but running without DNSSEC
            enabled. Thanks to Manish Sing for spotting that one.

            Fix regression which broke ipset functionality. Thanks to
            Wang Jian for the bug report.



From dave.taht at gmail.com  Thu Apr 24 16:03:49 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Thu, 24 Apr 2014 09:03:49 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures
In-Reply-To: <CALQXh-O4puZOB710+R2CcY3AEqTZhAJvU8YFsjjH3_xK1CdXvA@mail.gmail.com>
References: <CALQXh-NJOnjhmV9gU_C7VRMDrTDoNK=BP2PtSpnwT8erocRZwQ@mail.gmail.com>
 <CAA93jw68NwFnVaRxYS6odJ7fCtQbQSOLiYMpjWJPRwDhqB9t1w@mail.gmail.com>
 <5357E336.6070406@thekelleys.org.uk>
 <CALQXh-M5PuaPVOC-oSX4SUpYs78+VuYtPtOASV3EFAF1MDFSsA@mail.gmail.com>
 <5358F53A.3050501@thekelleys.org.uk>
 <CALQXh-N6fA-oGg6BmyZwYCAmtCLLMD0_R7QTA+9n8A8KqPZu1g@mail.gmail.com>
 <CALQXh-O4puZOB710+R2CcY3AEqTZhAJvU8YFsjjH3_xK1CdXvA@mail.gmail.com>
Message-ID: <CAA93jw70=XwH+Q8_6cPJN_S=joayOvZ2fmMZHgoXTN0r+EWyMQ@mail.gmail.com>

What does unbound or bind do?

On Thu, Apr 24, 2014 at 5:35 AM, Aaron Wood <woody77 at gmail.com> wrote:
> And if I use Free.fr's servers, the DS resolves (I'm running CeroWRT
> double-NAT behind a Freebox v6):
>
> dig @192.168.1.254 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>
> ; <<>> DiG 9.8.5-P1 <<>> @192.168.1.254 DS
> e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11369
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN DS
>
> ;; AUTHORITY SECTION:
> cn.akamaiedge.net. 1800 IN SOA n0cn.akamaiedge.net. hostmaster.akamai.com.
> 1398342840 1000 1000 1000 1800
>
> ;; Query time: 39 msec
> ;; SERVER: 192.168.1.254#53(192.168.1.254)
> ;; WHEN: Thu Apr 24 14:34:00 CEST 2014
> ;; MSG SIZE  rcvd: 127
>
> -Aaron
>
>
> On Thu, Apr 24, 2014 at 2:33 PM, Aaron Wood <woody77 at gmail.com> wrote:
>>
>> Well, I'm seeing the same results as you are from here in Paris (using
>> Free.fr).
>>
>> -Aaron
>>
>>
>> On Thu, Apr 24, 2014 at 1:27 PM, Simon Kelley <simon at thekelleys.org.uk>
>> wrote:
>>>
>>> On 24/04/14 11:49, Aaron Wood wrote:
>>>
>>> >
>>> >> Dnsmasq does the DS query next because the answer to the A query comes
>>> >> back unsigned, so dnsmasq is looking for a DS record that proves this
>>> >> is
>>> >> OK. It's likely that Verisign does that top-down (starting from the
>>> >> root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
>>> >> broken DS, whilst dnsmasq does.
>>> >>
>>> >> That's as good an analysis as I can produce right now. Anyone who can
>>> >> shed more light, please do.
>>> >>
>>> >> (And yes, please report DNSSEC problems  on the dnsmasq-discuss list
>>> >> for
>>> >> preference.)
>>> >>
>>> >
>>> > This is still persisting (and it appears to be blocking a bunch of
>>> > Apple
>>> > software update functions).  From your comments, Simon, it sounds like
>>> > you
>>> > think this is an Akamai issue, and should be reported to them?
>>> >
>>>
>>> I'm not absolutely sure that this isn't also a dnsmasq problem, and
>>> DNSSEC is still capable of surprising me, but I can't see how a SERVFAIL
>>> answer to
>>>
>>> dig @8.8.8.8 DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>>
>>> can not be either a Google ('cause it's their recursive server) or
>>> Akamai problem.
>>>
>>> Poking further, it looks like the authoritative name servers for that
>>> zone are
>>>
>>> ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 NS cn.akamaiedge.net
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43031
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;cn.akamaiedge.net.             IN      NS
>>>
>>> ;; ANSWER SECTION:
>>> cn.akamaiedge.net.      299     IN      NS      n7cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n6cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n0cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n2cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n5cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n4cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n3cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n1cn.akamaiedge.net.
>>> cn.akamaiedge.net.      299     IN      NS      n8cn.akamaiedge.net.
>>>
>>> and all of those give sensible answers for
>>>
>>> DS e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
>>>
>>> except n8cn.akamaiedge.net, which isn't responding, so I rather think
>>> this may be a Google mess.
>>>
>>> Or maybe it's Great Firewall induced breakage?
>>>
>>> Cheers,
>>>
>>>
>>> Simon.
>>>
>>>
>>>
>>
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
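Simon's hypothesis in the quoted message is that the two resolvers reach different verdicts because they search for the insecure delegation in opposite directions: dnsmasq asks for a DS at the name and works upwards, so one SERVFAIL on the leaf DS query stops it, while a validator that starts at the root and works down stops at net's authenticated "no DS for akamaiedge.net" and never asks about the deeper names. The model below is an added example, not dnsmasq's or any other validator's code, and it simplifies in two ways that are labelled in the source: the zone layout (root and net signed, akamaiedge.net and cn.akamaiedge.net unsigned) is assumed, and the top-down walk asks for a DS at every label rather than only at zone cuts learned from referrals.

```python
"""Why a bottom-up DNSSEC chain-of-trust search breaks on one bad DS answer.

Added example with a constructed model, not dnsmasq's or any other
validator's code.  The A answer for QNAME is unsigned, so a validator must
prove the name sits below an insecure delegation.  Two strategies are run
against the same upstream: DS queries from the name upwards (as Simon
describes dnsmasq doing) and DS queries from the root downwards.
"""

QNAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"

# Assumed zone layout for the model: apex -> signed?  The root and net are
# signed; akamaiedge.net and cn.akamaiedge.net are unsigned, so net holds
# no DS for akamaiedge.net (the insecure delegation).
ZONES = {"": True, "net": True, "akamaiedge.net": False, "cn.akamaiedge.net": False}

SERVFAIL, NODATA, HAS_DS = "SERVFAIL", "NODATA", "DS"


class Upstream:
    """Recursive resolver as seen by the validator; answers DS queries only.
    ds_present: names that have a DS in their parent zone.
    broken: names for which this upstream returns SERVFAIL."""

    def __init__(self, ds_present, broken=()):
        self.ds_present, self.broken, self.queries = set(ds_present), set(broken), []

    def query_ds(self, name):
        self.queries.append(name)
        if name in self.broken:
            return SERVFAIL
        return HAS_DS if name in self.ds_present else NODATA


def ancestors(name):
    """name, its parent, ... up to the TLD (the root is the trust anchor)."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def parent_zone(name):
    """Apex of the zone that would hold name's DS (longest proper ancestor in ZONES)."""
    best = ""
    for apex in ZONES:
        if apex and name != apex and name.endswith("." + apex) and len(apex) > len(best):
            best = apex
    return best


def validate_bottom_up(qname, upstream):
    """Ask for DS at qname, then at each parent, until something proves the status."""
    for name in ancestors(qname):
        rc = upstream.query_ds(name)
        if rc == SERVFAIL:
            return "SERVFAIL"      # no proof either way; the client gets SERVFAIL
        if rc == HAS_DS:
            return "BOGUS"         # a signed zone sits above an unsigned answer
        if ZONES[parent_zone(name)]:
            return "INSECURE"      # NODATA from a signed parent is an authenticated denial
        # NODATA from an unsigned zone proves nothing: keep climbing


def validate_top_down(qname, upstream):
    """Start below the root and descend; stop at the first delegation without a DS.
    Simplification: a DS is requested at every label, not only at zone cuts."""
    for name in reversed(ancestors(qname)):
        rc = upstream.query_ds(name)
        if rc == SERVFAIL:
            return "SERVFAIL"
        if rc == NODATA:
            return "INSECURE"      # we only descend through signed zones, so this denial is authenticated
    return "BOGUS"                 # DS at every level, yet the answer was unsigned


def compare(broken=()):
    """Run both strategies against fresh upstreams: {strategy: (result, DS queries made)}."""
    out = {}
    for label, fn in (("bottom-up", validate_bottom_up), ("top-down", validate_top_down)):
        up = Upstream(ds_present={"net"}, broken=broken)
        out[label] = (fn(QNAME, up), up.queries)
    return out


if __name__ == "__main__":
    for title, broken in (("upstream healthy", ()), ("upstream SERVFAILs on the leaf DS", (QNAME,))):
        print(title)
        for strategy, (result, queries) in compare(broken).items():
            print(f"  {strategy:10} {result:9} after {len(queries)} DS queries, last: {queries[-1]}")
```

With a healthy upstream the bottom-up walk reaches the same INSECURE verdict, but only after eight DS queries, which is the pattern of successive dnssec-query[DS] lines for ever shorter names visible in the logs earlier in this thread; with the leaf DS returning SERVFAIL it gives up on the first query. Whichever resolver is at fault for the SERVFAIL, the design consequence is that a bottom-up validator's availability depends on every DS query below the insecure cut being answered correctly.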


From rick.jones2 at hp.com  Thu Apr 24 16:31:17 2014
From: rick.jones2 at hp.com (Rick Jones)
Date: Thu, 24 Apr 2014 09:31:17 -0700
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <5358F870.4050006@thekelleys.org.uk>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
Message-ID: <53593C55.4030605@hp.com>

>
> The first thing is to try and decide which of two possible scenarios are
> happening. The first is that you've triggered a bug in the code and
> dnsmasq is looping somewhere without ever getting back to the select()
> loop and doing actual work. The second is that it's getting so much work
> that it's running out of CPU to do it.
>
> In the first case, dnsmasq will stop working entirely. Is that
> consistent with  "problems resolving addresses" or does it still
> partially work? Turning off logging is probably counter-productive here,
> the logs may have valuable clues.

And if indeed the dnsmasq process is simply being inundated then 
presumably its socket(s) will start overflowing which should trigger a 
netstat somewhere.  For the DNS portion that would be something in 
netstat -s I would think, the UDP section.

Knowing how much of this 100% CPU time is user space versus 
system/kernel would be goodness, as might a system call trace (eg strace)

happy benchmarking,

rick jones


From davidj at nkcc.org.uk  Thu Apr 24 19:41:13 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Thu, 24 Apr 2014 20:41:13 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <5358F870.4050006@thekelleys.org.uk>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
Message-ID: <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>

Thanks for the reply, Simon.

DNSSEC isn't enabled.

I wonder if the pattern of the problem gives any clues...

As I said, on a normal day with around 40-50 clients on the network there
is no problem at all with dnsmasq managing to use barely 0 - 2% of the CPU.
When the problem occurred there were a little over 100 clients. Running top
showed dnsmasq using 100% cpu so I restarted dnsmasq and kept an eye on
top. For maybe 5 or 10 minutes there was no problem, with dnsmasq using
very little cpu. Then dnsmasq would start to peak at maybe 20-30% for a
couple of seconds before dropping back. Then it would start peaking at
higher and higher levels before dropping back. Eventually, after running
for maybe half an hour it would start peaking at over 90% and staying there
for longer before dropping back. At this point dns requests would become
very slow (and maybe time out). And then dnsmasq would hit 100% cpu and
would stay there. Dns requests would time out and only restarting dnsmasq
would fix the problem. The pattern would then start over again.

I may be wrong but it doesn't seem that dnsmasq is hitting a bug that
suddenly causes it to loop and hog the cpu until it's killed. It seems to
gradually show more and more of the problem before it eventually hogs 100%
cpu and has to be killed.

If the problem was caused by dnsmasq being overloaded with requests, is it
likely or possible that 50 clients could put very little load on it but 100
clients could swamp it? Also, would the problem not show itself as soon as
dnsmasq was restarted rather than showing the gradual increase in peak
usage until it hits 100%?

I hope this helps. Any thoughts on this pattern?

Cheers

David


On 24 April 2014 12:41, Simon Kelley <simon at thekelleys.org.uk> wrote:

> On 22/04/14 20:04, David Joslin wrote:
> > Hi
> >
> > I have an Asus rt-n16 router running the Shibby version of the Tomato
> > firmware which includes dnsmasq version 2.69test3. It's in use in a
> > building that frequently has 50+ users on a wireless network and dnsmasq
> > has performed extremely well with very little load on the router.
> >
> > However, we've recently run a couple of conferences in the building and
> the
> > number of people using the wireless network has been just over 100.
> Several
> > times there have been problems resolving addresses and when I've looked
> at
> > the router dnsmasq has been using 100% cpu. Restarting dnsmasq
> temporarily
> > fixes the problem but it occurs again maybe 20 minutes later.
> >
> > I've turned off logging, increased the cache-size and the maximum number
> of
> > dhcp leases (anything I could see that might be a problem with more
> users)
> > but this hasn't fixed the problem.
> >
> > I wondered if anyone has come across anything similar or has any
> > suggestions?
> >
>
> The first thing is to try and decide which of two possible scenarios are
> happening. The first is that you've triggered a bug in the code and
> dnsmasq is looping somewhere without ever getting back to the select()
> loop and doing actual work. The second is that it's getting so much work
> that it's running out of CPU to do it.
>
> In the first case, dnsmasq will stop working entirely. Is that
> consistent with  "problems resolving addresses" or does it still
> partially work? Turning off logging is probably counter-productive here,
> the logs may have valuable clues.
>
>
> In the second case, DNSSEC is something to worry about. Do you have that
> turned on?
>
> Also, it's possible to arrive at configurations with DNS forwarding
> loops where one DNS query gets sent upstream, but somehow ends up back
> at the dnsmasq instance that originally forwarded it and then goes round
> in circles. It's quite difficult to do this without at least two dnsmasq
> instances, but it is possible.
>
> Finally, logging to a syslog daemon which does its own DNS lookups (to
> label logs from remote hosts) can create a collapse: dnsmasq will log
> several lines for each DNS query, if each of those lines generates a new
> DNS query which has to be handled by dnsmasq, it all goes wrong very quickly.
>
>
> Cheers,
>
>
> Simon.
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

From simon at thekelleys.org.uk  Thu Apr 24 19:49:52 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 24 Apr 2014 20:49:52 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
 <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>
Message-ID: <53596AE0.3070906@thekelleys.org.uk>

On 24/04/14 20:41, David Joslin wrote:
> Thanks for the reply, Simon.
> 
> DNSSEC isn't enabled.
> 
> I wonder if the pattern of the problem gives any clues...
> 
> As I said, on a normal day with around 40-50 clients on the network there
> is no problem at all with dnsmasq managing to use barely 0 - 2% of the CPU.
> When the problem occurred there were a little over 100 clients. Running top
> showed dnsmasq using 100% cpu so I restarted dnsmasq and kept an eye on
> top. For maybe 5 or 10 minutes there was no problem, with dnsmasq using
> very little cpu. Then dnsmasq would start to peak at maybe 20-30% for a
> couple of seconds before dropping back. Then it would start peaking at
> higher and higher levels before dropping back. Eventually, after running
> for maybe half an hour it would start peaking at over 90% and staying there
> for longer before dropping back. At this point dns requests would become
> very slow (and maybe time out). And then dnsmasq would hit 100% cpu and
> would stay there. Dns requests would time out and only restarting dnsmasq
> would fix the problem. The pattern would then start over again.
> 
> I may be wrong but it doesn't seem that dnsmasq is hitting a bug that
> suddenly causes it to loop and hog the cpu until it's killed. It seems to
> gradually show more and more of the problem before it eventually hogs 100%
> cpu and has to be killed.
> 
> If the problem was caused by dnsmasq being overloaded with requests, is it
> likely or possible that 50 clients could put very little load on it but 100
> clients could swamp it? Also, would the problem not show itself as soon as
> dnsmasq was restarted rather than showing the gradual increase in peak
> usage until it hits 100%?


Logs would help. The pattern doesn't look familiar, but if I had to
guess, I'd say that the problem is DHCP, not DNS. Every change to the
DHCP lease database causes the file storing it to be re-written, and I
suspect that's what's eating CPU, in disk wait.

Version of dnsmasq in use would be useful, and a copy of your config (to
me privately, if you prefer.)

When dnsmasq is running at 100%, try running

strace -p <pid of dnsmasq process>

that will run forever, printing what syscalls are being made, you can
ctrl-c it after a short while, which will stop strace, but not dnsmasq.


Cheers,


Simon

> 
> I hope this helps. Any thoughts on this pattern?
> 
> Cheers
> 
> David
> 
> 
> On 24 April 2014 12:41, Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
>> On 22/04/14 20:04, David Joslin wrote:
>>> Hi
>>>
>>> I have an Asus rt-n16 router running the Shibby version of the Tomato
>>> firmware which includes dnsmasq version 2.69test3. It's in use in a
>>> building that frequently has 50+ users on a wireless network and dnsmasq
>>> has performed extremely well with very little load on the router.
>>>
>>> However, we've recently run a couple of conferences in the building and
>> the
>>> number of people using the wireless network has been just over 100.
>> Several
>>> times there have been problems resolving addresses and when I've looked
>> at
>>> the router dnsmasq has been using 100% cpu. Restarting dnsmasq
>> temporarily
>>> fixes the problem but it occurs again maybe 20 minutes later.
>>>
>>> I've turned off logging, increased the cache-size and the maximum number
>> of
>>> dhcp leases (anything I could see that might be a problem with more
>> users)
>>> but this hasn't fixed the problem.
>>>
>>> I wondered if anyone has come across anything similar or has any
>>> suggestions?
>>>
>>
>> The first thing is to try and decide which of two possible scenarios are
>> happening. The first is that you've triggered a bug in the code and
>> dnsmasq is looping somewhere without ever getting back to the select()
>> loop and doing actual work. The second is that it's getting so much work
>> that it's running out of CPU to do it.
>>
>> In the first case, dnsmasq will stop working entirely. Is that
>> consistent with  "problems resolving addresses" or does it still
>> partially work? Turning off logging is probably counter-productive here,
>> the logs may have valuable clues.
>>
>>
>> In the second case, DNSSEC is something to worry about. Do you have that
>> turned on?
>>
>> Also, it's possible to arrive at configurations with DNS forwarding
>> loops where one DNS query gets sent upstream, but somehow ends up back
>> at the dnsmasq instance that originally forwarded it and then goes round
>> in circles. It's quite difficult to do this without at least two dnsmasq
>> instances, but it is possible.
>>
>> Finally, logging to a syslog daemon which does its own DNS lookups (to
>> label logs from remote hosts) can create a collapse: dnsmasq will log
>> several lines for each DNS query, if each of those lines generates a new
>> DNS query which has to be handled by dnsmasq, it all goes wrong very quickly.
>>
>>
>> Cheers,
>>
>>
>> Simon.
>>
>>
>>
>>
> 
> 
> 
> 
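Simon's message above separates a dnsmasq that loops without returning to select() from one that is simply swamped, and suggests strace; Rick's earlier reply adds two more observables, the user versus system split of the CPU time and the UDP receive errors that netstat -s reports when the socket overflows. The script below is an added example, not part of dnsmasq, that collects exactly those numbers from /proc on Linux: utime/stime from /proc/<pid>/stat, the Udp: counters from /proc/net/snmp (the source of netstat -s), and the unread bytes on the port-53 sockets from /proc/net/udp. The /proc texts embedded in it are constructed so that it runs offline; the verdict thresholds (80% user time for "spinning", under 50% for "kernel-bound") are a heuristic of this example, not a dnsmasq rule.

```python
"""Is dnsmasq spinning or swamped?  Sample /proc and classify.

Added example, not part of dnsmasq.  Implements the checks suggested in the
thread: user vs. system CPU time (utime/stime in /proc/<pid>/stat), UDP
receive errors (Udp: counters in /proc/net/snmp, what netstat -s prints) and
the receive backlog of the port-53 sockets (/proc/net/udp).  Sample texts
are constructed.
"""
import time

# Constructed /proc/13365/stat 10 s apart: utime 120 -> 920, stime 30 -> 40 ticks.
STAT_BEFORE = "13365 (dnsmasq) S 1 13365 13365 0 -1 4194624 500 0 0 0 120 30 0 0 20 0 1 0 1000 2000000 300 18446744073709551615"
STAT_AFTER = "13365 (dnsmasq) R 1 13365 13365 0 -1 4194624 500 0 0 0 920 40 0 0 20 0 1 0 1000 2000000 300 18446744073709551615"

# Constructed /proc/net/snmp excerpts: 37 receive errors appeared between the samples.
SNMP_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 500000
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 123456 12 0 123000 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
UdpLite: 0 0 0 0 0 0 0
"""
SNMP_AFTER = SNMP_BEFORE.replace("Udp: 123456 12 0 123000 0 0 0", "Udp: 125000 12 37 123900 37 0 0")

# Constructed /proc/net/udp: 112000 bytes unread on the 127.0.0.1:53 socket.
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  67: 0100007F:0035 00000000:0000 07 00000000:0001B580 00:00000000 00000000     0        0 10210 2 0000000000000000 0
  68: 0101A8C0:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10211 2 0000000000000000 0
  70: 00000000:0043 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10300 2 0000000000000000 0
"""


def parse_proc_stat(text):
    """(utime, stime) in clock ticks from /proc/<pid>/stat.  Split after the
    closing ')' so a comm containing spaces cannot shift the fields."""
    rest = text[text.rindex(")") + 2:].split()   # rest[0] is field 3 (state)
    return int(rest[11]), int(rest[12])           # fields 14 and 15


def parse_udp_counters(snmp_text):
    """The Udp: counters of /proc/net/snmp as a dict.  netstat -s shows InErrors
    as 'packet receive errors' and RcvbufErrors as 'receive buffer errors'."""
    header, values = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Udp:")]
    return dict(zip(header, map(int, values)))


def parse_udp_rx_queue(udp_text, port=53):
    """[(rx_queue bytes, drops)] for each UDP socket bound to port (hex columns)."""
    out = []
    for line in udp_text.splitlines()[1:]:
        f = line.split()
        if int(f[1].split(":")[1], 16) == port:
            out.append((int(f[4].split(":")[1], 16), int(f[12]) if len(f) > 12 else 0))
    return out


def diagnose(stat_a, stat_b, snmp_a, snmp_b, udp_text, port=53):
    """Combine the two samples.  A loop that never returns to select() burns
    user CPU with few syscalls; a swamped or I/O-bound process shows kernel
    time, receive errors and a growing socket backlog.  Thresholds are a
    heuristic of this example."""
    (ua, sa), (ub, sb) = parse_proc_stat(stat_a), parse_proc_stat(stat_b)
    du, ds = ub - ua, sb - sa
    ca, cb = parse_udp_counters(snmp_a), parse_udp_counters(snmp_b)
    new_errors = sum(cb.get(k, 0) - ca.get(k, 0) for k in ("InErrors", "RcvbufErrors"))
    backlog = max((rx for rx, _ in parse_udp_rx_queue(udp_text, port)), default=0)
    total = du + ds
    if total == 0:
        verdict = "idle"
    elif du / total >= 0.8:
        verdict = "spinning in user space"   # strace -p should then show few or no syscalls
    elif du / total < 0.5:
        verdict = "busy in the kernel"        # lease-file rewrites or socket I/O; strace -c shows which
    else:
        verdict = "mixed"
    return {"user_ticks": du, "sys_ticks": ds, "new_udp_errors": new_errors,
            "udp_rx_backlog_bytes": backlog, "verdict": verdict}


def sample_live(pid, interval=10.0):
    """Take the two samples from the running kernel (Linux only)."""
    def read(path):
        with open(path) as fh:
            return fh.read()
    stat_a, snmp_a = read(f"/proc/{pid}/stat"), read("/proc/net/snmp")
    time.sleep(interval)
    return diagnose(stat_a, read(f"/proc/{pid}/stat"), snmp_a, read("/proc/net/snmp"), read("/proc/net/udp"))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sample_live(int(sys.argv[1])))
    else:
        print(diagnose(STAT_BEFORE, STAT_AFTER, SNMP_BEFORE, SNMP_AFTER, PROC_NET_UDP))
```

Run as `python3 diag.py $(pidof dnsmasq)` while the process is at 100%; with no argument it classifies the constructed samples, which come out as user-space spinning with a 112000-byte unread backlog on port 53 and 74 new receive errors. Follow up with `strace -c -p <pid>` for a per-syscall count, which distinguishes a lease-file rewrite storm (open/write/rename) from socket work (recvfrom/sendto). A router running busybox may lack python; the same fields can be read with cat and awk from the paths named in the comments.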



From kevin at darbyshire-bryant.me.uk  Thu Apr 24 20:13:23 2014
From: kevin at darbyshire-bryant.me.uk (Kevin Darbyshire-Bryant)
Date: Thu, 24 Apr 2014 21:13:23 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <53596AE0.3070906@thekelleys.org.uk>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
 <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>
 <53596AE0.3070906@thekelleys.org.uk>
Message-ID: <53597063.4020608@darbyshire-bryant.me.uk>

On 24/04/2014 20:49, Simon Kelley wrote:
> On 24/04/14 20:41, David Joslin wrote:
>> Thanks for the reply, Simon.
>>
>> DNSSEC isn't enabled.
>>
>> I wonder if the pattern of the problem gives any clues...
>>
>> As I said, on a normal day with around 40-50 clients on the network there
>> is no problem at all with dnsmasq managing to use barely 0 - 2% of the CPU.
>> When the problem occurred there were a little over 100 clients. Running top
>> showed dnsmasq using 100% cpu so I restarted dnsmasq and kept an eye on
>> top. For maybe 5 or 10 minutes there was no problem, with dnsmasq using
>> very little cpu. Then dnsmasq would start to peak at maybe 20-30% for a
>> couple of seconds before dropping back. Then it would start peaking at
>> higher and higher levels before dropping back. Eventually, after running
>> for maybe half an hour it would start peaking at over 90% and staying there
>> for longer before dropping back. At this point dns requests would become
>> very slow (and maybe time out). And then dnsmasq would hit 100% cpu and
>> would stay there. Dns requests would time out and only restarting dnsmasq
>> would fix the problem. The pattern would then start over again.
>>
>> I may be wrong but it doesn't seem that dnsmasq is hitting a bug that
>> suddenly causes it to loop and hog the cpu until it's killed. It seems to
>> gradually show more and more of the problem before it eventually hogs 100%
>> cpu and has to be killed.
>>
>> If the problem was caused by dnsmasq being overloaded with requests, is it
>> likely or possible that 50 clients could put very little load on it but 100
>> clients could swamp it? Also, would the problem not show itself as soon as
>> dnsmasq was restarted rather than showing the gradual increase in peak
>> usage until it hits 100%?
>
> Logs would help. The pattern doesn't look familiar, but if I had to
> guess, I'd say that the problem is DHCP, not DNS. Every change to the
> DHCP lease database causes the file storing it to be re-written, and I
> suspect that's what's eating CPU, in disk wait.
>
> Version of dnsmasq in use would be useful, and a copy of your config (to
> me privately, if you prefer.)
>
> When dnsmasq is running at 100%, try running
>
> strace -p <pid of dnsmasq process>
>
> that will run forever, printing what syscalls are being made, you can
> ctrl-c it after a short while, which will stop strace, but not dnsmasq.
>
>
> Cheers,
>
>
> Simon
>
>

Chaps,

Please be aware that the dnsmasq included in tomato is not a clean
'pull' out of Simon's release but includes some tweaks, mainly to the
lease writing code (where it outputs 'remaining leasetime' rather than
expiry time). There's also a 'helper' function that upon receipt of
SIGUSR1 (or it may be 2 I can't remember) dumps the leasefile in a
tomato specific format so that it may be read & parsed into the 'dhcp
status' page.

Those changes were 'formalised' by me into IFDEF conditional compilation
flags when I first investigated updating dnsmasq from v2.61 to something
slightly newer which fixed the IPv6 RA flags.  The original changes by
Jon Zarate were identified and re-inserted after a few false starts.  I
am no 'C' coder!

My suggestions for a start are to upgrade to dnsmasq 2.70 rather than a
test release of 2.69.  Also try changing the location of the leasefile
to somewhere else e.g. a USB stick if your router supports it.

I've not encountered anything like this but then I don't have 100 clients.

Kevin



From dave.taht at gmail.com  Thu Apr 24 21:24:48 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Thu, 24 Apr 2014 14:24:48 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] local dns-sd requests being
 forwarded to upstream servers on CeroWRT?
In-Reply-To: <CALQXh-PjwizvKEHdXUXQF8ha3LFe6y-ohQ-K6gFiX26E75dKKg@mail.gmail.com>
References: <CALQXh-PjwizvKEHdXUXQF8ha3LFe6y-ohQ-K6gFiX26E75dKKg@mail.gmail.com>
Message-ID: <CAA93jw7X2=R7auJ6iSkMjnHo8CuNK+KKSeGHPTY3=jXCm5rYUw@mail.gmail.com>

On Thu, Apr 24, 2014 at 5:33 AM, Aaron Wood <woody77 at gmail.com> wrote:
> Using CeroWRT 3.10.36-4, I'm seeing the following in the logs:
>
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> b._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
> b._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8

I don't think it should do that.

Am curious if it happens from the ethernet interface.



> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> db._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
> db._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> r._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
> r._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> dr._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
> dr._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> lb._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded
> lb._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> b._dns-sd._udp.home.lan from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
> b._dns-sd._udp.home.lan is NXDOMAIN
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> db._dns-sd._udp.home.lan from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
> db._dns-sd._udp.home.lan is NXDOMAIN

The NXDOMAINS seem sane.

> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> r._dns-sd._udp.home.lan from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
> r._dns-sd._udp.home.lan is NXDOMAIN
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> dr._dns-sd._udp.home.lan from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
> dr._dns-sd._udp.home.lan is NXDOMAIN
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR]
> lb._dns-sd._udp.home.lan from 172.30.42.99
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config
> lb._dns-sd._udp.home.lan is NXDOMAIN
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> b._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8

Shouldn't do that either.

> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> db._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> r._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> dr._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> lb._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> _udp.96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 96.42.30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 30.172.in-addr.arpa to 8.8.8.8
> Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS]
> 30.172.in-addr.arpa to 8.8.8.8
>
> 172.39.42.99 is my OSX laptop, and 172.39.42.96 is ip 0 in the sw10 subnet?
> The router has no leases active for that particular ip, and it doesn't have
> an arp entry on my laptop...
>
> -Aaron
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
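The log Aaron posted shows queries for private-range reverse zones being handed to 8.8.8.8 while the home.lan ones are answered locally. As an added example (not from the thread), here is a small Python check over dnsmasq log lines in that format that flags local-scope names (RFC 1918 reverse zones, or names under a local suffix) which dnsmasq reported as forwarded or DS-queried upstream; the sample lines and the suffix list are constructed to mirror the post.

```python
import ipaddress
import re
from dataclasses import dataclass

# Shape of the lines in the post: syslog prefix, "dnsmasq[pid]:", an action,
# the name, then "from <client>", "to <upstream>" or "is <result>".
LOG_RE = re.compile(
    r"dnsmasq\[\d+\]: (?P<action>query\[\w+\]|dnssec-query\[\w+\]|forwarded|config|cached|reply)"
    r"\s+(?P<name>\S+)\s+(?:to|from|is)\s+(?P<peer>\S+)"
)

# Reverse zones for these ranges, and names under these suffixes, never need an
# upstream resolver.  The suffix list is constructed from the post's home.lan.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_SUFFIXES = (".lan", ".local")


def reverse_zone_network(name):
    """Map a name under in-addr.arpa to the IPv4 network its trailing numeric
    labels describe: '30.172.in-addr.arpa' -> 172.30.0.0/16,
    'b._dns-sd._udp.96.42.30.172.in-addr.arpa' -> 172.30.42.96/32.
    Returns None for anything that is not under in-addr.arpa."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = []
    for label in reversed(labels[:-2]):          # walk from the /8 end inward
        if len(octets) == 4 or not label.isdigit() or int(label) > 255:
            break
        octets.append(label)
    if not octets:
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + "/" + str(8 * len(octets)))


def is_local_scope(name):
    """True if the name can only be answered from local knowledge."""
    net = reverse_zone_network(name)
    if net is not None:
        return any(net.subnet_of(private) for private in PRIVATE_V4)
    return name.rstrip(".").lower().endswith(LOCAL_SUFFIXES)


@dataclass
class Leak:
    name: str
    action: str     # "forwarded", "dnssec-query[DS]", ...
    upstream: str   # the server the query went to


def find_leaks(lines):
    """One Leak per log line in which dnsmasq sent a local-scope name upstream."""
    leaks = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        sent_upstream = m["action"] == "forwarded" or m["action"].startswith("dnssec-query")
        if sent_upstream and is_local_scope(m["name"]):
            leaks.append(Leak(m["name"], m["action"], m["peer"]))
    return leaks


# Constructed sample, mirroring the format of the lines Aaron posted.
SAMPLE_LOG = """\
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR] b._dns-sd._udp.96.42.30.172.in-addr.arpa from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded b._dns-sd._udp.96.42.30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[PTR] b._dns-sd._udp.home.lan from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: config b._dns-sd._udp.home.lan is NXDOMAIN
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: dnssec-query[DS] 30.172.in-addr.arpa to 8.8.8.8
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: query[A] www.example.com from 172.30.42.99
Thu Apr 24 14:15:14 2014 daemon.info dnsmasq[13365]: forwarded www.example.com to 8.8.8.8
""".splitlines()

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"{leak.action:18} {leak.name} -> {leak.upstream}")
```

On the dnsmasq side, the `bogus-priv` option answers reverse lookups for the private ranges locally instead of forwarding them, and `local=/lan/` keeps a local domain from ever going upstream.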


From davidj at nkcc.org.uk  Fri Apr 25 08:37:16 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Fri, 25 Apr 2014 09:37:16 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <53597063.4020608@darbyshire-bryant.me.uk>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
 <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>
 <53596AE0.3070906@thekelleys.org.uk>
 <53597063.4020608@darbyshire-bryant.me.uk>
Message-ID: <CAJ-gf5CTZOSsBuv+sSq+sD_Y7VJ=LV1efnV_WvndEzH33FzmEQ@mail.gmail.com>

Hi Kevin and thanks for the help.

Is it possible to upgrade the dnsmasq version on the router without waiting
for the author of the tomato firmware to include a later version in a
release of his firmware (and you mentioned that dnsmasq in tomato isn't a
clean pull of Simon's release)?

Why would changing the location of the leasefile to a usb stick make a
difference? If the issue, as Simon suggests, is caused by the constant
rewriting of the lease database, then wouldn't its current location (which
on a router would be RAM) be a faster/better option than a usb stick? Or is
there another possible issue here that I've missed?

The only recent change I've made to the router was the addition of a usb
stick as the location for the writing of system logs and bandwidth and IP
traffic usage logs (so that they weren't lost on a reboot). I had wondered
if the cause of the problem was related to the speed of writing this stuff
(which obviously includes dnsmasq logging) to the usb stick rather than
RAM. That's why I turned off dnsmasq logging at one point but it didn't
seem to make any difference.

Thanks again for your help and I'll wait for your comments on the above.

Cheers

David




On 24 April 2014 21:13, Kevin Darbyshire-Bryant <
kevin at darbyshire-bryant.me.uk> wrote:

> On 24/04/2014 20:49, Simon Kelley wrote:
> > On 24/04/14 20:41, David Joslin wrote:
> >> Thanks for the reply, Simon.
> >>
> >> DNSSEC isn't enabled.
> >>
> >> I wonder if the pattern of the problem gives any clues...
> >>
> >> As I said, on a normal day with around 40-50 clients on the network there
> >> is no problem at all with dnsmasq managing to use barely 0 - 2% of the CPU.
> >> When the problem occurred there were a little over 100 clients. Running top
> >> showed dnsmasq using 100% cpu so I restarted dnsmasq and kept an eye on
> >> top. For maybe 5 or 10 minutes there was no problem, with dnsmasq using
> >> very little cpu. Then dnsmasq would start to peak at maybe 20-30% for a
> >> couple of seconds before dropping back. Then it would start peaking at
> >> higher and higher levels before dropping back. Eventually, after running
> >> for maybe half an hour it would start peaking at over 90% and staying there
> >> for longer before dropping back. At this point dns requests would become
> >> very slow (and maybe time out). And then dnsmasq would hit 100% cpu and
> >> would stay there. Dns requests would time out and only restarting dnsmasq
> >> would fix the problem. The pattern would then start over again.
> >>
> >> I may be wrong but it doesn't seem that dnsmasq is hitting a bug that
> >> suddenly causes it to loop and hog the cpu until it's killed. It seems to
> >> gradually show more and more of the problem before it eventually hogs 100%
> >> cpu and has to be killed.
> >>
> >> If the problem was caused by dnsmasq being overloaded with requests, is it
> >> likely or possible that 50 clients could put very little load on it but 100
> >> clients could swamp it? Also, would the problem not show itself as soon as
> >> dnsmasq was restarted rather than showing the gradual increase in peak
> >> usage until it hits 100%?
> >
> > Logs would help. The pattern doesn't look familiar, but if I had to
> > guess, I'd say that the problem is DHCP, not DNS. Every change to the
> > DHCP lease database causes the file storing it to be re-written, and I
> > suspect that's what's eating CPU, in disk wait.
> >
> > Version of dnsmasq in use would be useful, and a copy of your config (to
> > me privately, if you prefer.)
> >
> > When dnsmasq is running at 100%, try running
> >
> > strace -p <pid of dnsmasq process>
> >
> > that will run forever, printing what syscalls are being made; you can
> > ctrl-c it after a short while, which will stop strace, but not dnsmasq.
> >
> >
> > Cheers,
> >
> >
> > Simon
> >
> >
>
> Chaps,
>
> Please be aware that the dnsmasq included in tomato is not a clean
> 'pull' out of Simon's release but includes some tweaks, mainly to the
> lease writing code (where it outputs 'remaining leasetime' rather than
> expiry time)  There's also a 'helper' function that upon receipt of
> SIGUSR1 (or it may be 2 I can't remember) dumps the leasefile in a
> tomato specific format so that it may be read & parsed into the 'dhcp
> status' page.
>
> Those changes were 'formalised' by me into IFDEF conditional compilation
> flags when I first investigated updating dnsmasq from v2.61 to something
> slightly newer which fixed the IPv6 RA flags.  The original changes by
> Jon Zarate were identified and re-inserted after a few false starts.  I
> am no 'C' coder!
>
> My suggestions for a start are to upgrade to dnsmasq 2.70 rather than a
> test release of 2.69.  Also try changing the location of the leasefile
> to somewhere else, e.g. a USB stick if your router supports it.
>
> I've not encountered anything like this but then I don't have 100 clients.
>
> Kevin
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>

From dave.taht at gmail.com  Fri Apr 25 17:39:57 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Fri, 25 Apr 2014 10:39:57 -0700
Subject: [Dnsmasq-discuss] test-ipv6.com vs dnssec
Message-ID: <CAA93jw6zwHw67oBBYx2EwYrK+z=PdxTt=FVtGidnz=AYuVzx1w@mail.gmail.com>

jg tells me the test-ipv6.com site fails with dnssec and enabled on native ipv6.

disabling dnssec works.

anyone can confirm? get a log/packet capture?


-- 
Dave Täht


From jg at freedesktop.org  Fri Apr 25 18:01:37 2014
From: jg at freedesktop.org (Jim Gettys)
Date: Fri, 25 Apr 2014 14:01:37 -0400
Subject: [Dnsmasq-discuss] [Cerowrt-devel] test-ipv6.com vs dnssec
In-Reply-To: <CAA93jw6zwHw67oBBYx2EwYrK+z=PdxTt=FVtGidnz=AYuVzx1w@mail.gmail.com>
References: <CAA93jw6zwHw67oBBYx2EwYrK+z=PdxTt=FVtGidnz=AYuVzx1w@mail.gmail.com>
Message-ID: <CAGhGL2CGVDoMoQxyRKoPV2zM42wYA3XT22w5DDrLVppjEg23bg@mail.gmail.com>

More specifically, after boot, most of the time test-ipv6.com reports lots
of problems.

Then I turned off both dnssec and dnssec-check-unsigned, and restarted
dnsmasq; clean bill of health from test-ipv6.com.

Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
clean bill of health.

Then I turned on both at the same time, and things are working.

So we seem to have a boot time race of some sort.
                              - Jim



On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht <dave.taht at gmail.com> wrote:

> jg tells me the test-ipv6.com site fails with dnssec and enabled on
> native ipv6.
>
> disabling dnssec works.
>
> anyone can confirm? get a log/packet capture?
>
>
> --
> Dave Täht
>

From simon at thekelleys.org.uk  Fri Apr 25 18:49:27 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 25 Apr 2014 19:49:27 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] test-ipv6.com vs dnssec
In-Reply-To: <CAGhGL2CGVDoMoQxyRKoPV2zM42wYA3XT22w5DDrLVppjEg23bg@mail.gmail.com>
References: <CAA93jw6zwHw67oBBYx2EwYrK+z=PdxTt=FVtGidnz=AYuVzx1w@mail.gmail.com>
 <CAGhGL2CGVDoMoQxyRKoPV2zM42wYA3XT22w5DDrLVppjEg23bg@mail.gmail.com>
Message-ID: <535AAE37.103@thekelleys.org.uk>

On 25/04/14 19:01, Jim Gettys wrote:
> More specifically, after boot, most of the time test-ipv6.com reports lots
> of problems.
> 
> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
> dnsmasq; clean bill of health from test-ipv6.com.
> 
> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
> clean bill of health.
> 
> Then I turned on both at the same time, and things are working.
> 
> So we seem to have a boot time race of some sort.
>                               - Jim
> 
> 


test-ipv6.com is unsigned, so the important thing which is likely
failing is the query for the DS record of test-ipv6.com, which should
return NSEC records proving it doesn't exist, signed by .com.


Simon.



> 
> On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht <dave.taht at gmail.com> wrote:
> 
>> jg tells me the test-ipv6.com site fails with dnssec and enabled on
>> native ipv6.
>>
>> disabling dnssec works.
>>
>> anyone can confirm? get a log/packet capture?
>>
>>
>> --
>> Dave Täht
>>
> 
> 
> 
> 



From woody77 at gmail.com  Sat Apr 26 11:38:08 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Sat, 26 Apr 2014 13:38:08 +0200
Subject: [Dnsmasq-discuss] Had to disable dnssec today
Message-ID: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>

Just too many sites aren't working correctly with dnsmasq and using
Google's DNS servers.

- Bank of America (sso-fi.bankofamerica.com)
- Weather Underground (cdnjs.cloudflare.com)
- Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)

And I'm not getting any traction with reporting the errors to those sites,
so it's frustrating in getting it properly fixed.

While Akamai and cloudflare appear to be issues with their entries in
google dns, or with dnsmasq's validation of them being insecure domains,
the BofA issue appears to be an outright bad key.  And BofA isn't being
helpful (just a continual "we use ssl" sort of quasi-automated response).

So I'm disabling it for now, or rather, falling back to using my ISP's dns
servers, which don't support DNSSEC at this time.  I'll be periodically
turning it back on, but too much is broken (mainly due to the cdns) to be
able to rely on it at this time.

-Aaron

From woody77 at gmail.com  Sat Apr 26 16:20:05 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Sat, 26 Apr 2014 18:20:05 +0200
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Had to disable dnssec today
In-Reply-To: <1398528012.36628423@apps.rackspace.com>
References: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
 <1398528012.36628423@apps.rackspace.com>
Message-ID: <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>

David,

With two of them (akamai and cloudflare), I _think_ it's a dnsmasq issue
with the DS records for proving insecure domains are insecure.  But Simon
Kelley would know that better than I.

With BofA, I'm nearly certain it's them, or an issue with one of their
partners (since the domain that fails isn't BofA, but something else):

(with dnssec turned off):

;; QUESTION SECTION:
;sso-fi.bankofamerica.com. IN A

;; ANSWER SECTION:
sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157

And it's the saml-bac.gslb.onefiserv.com host that's failing (see here for
debug info):

http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com

-Aaron


On Sat, Apr 26, 2014 at 6:00 PM, <dpreed at reed.com> wrote:

> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at these
> sites?   If it is the latter, I can get attention from executives at some
> of these companies (Heartbleed has sensitized all kinds of companies to the
> need to strengthen security infrastructure).
>
>
>
> If the former, the change process is going to be more tricky, because
> dnsmasq is easily dismissed as too small a proportion of the market to
> care.  (wish it were not so).
>
>
>
> On Saturday, April 26, 2014 7:38am, "Aaron Wood" <woody77 at gmail.com> said:
>
>  Just too many sites aren't working correctly with dnsmasq and using
> Google's DNS servers.
> - Bank of America (sso-fi.bankofamerica.com)
> - Weather Underground (cdnjs.cloudflare.com)
> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.
> While Akamai and cloudflare appear to be issues with their entries in
> google dns, or with dnsmasq's validation of them being insecure domains,
> the BofA issue appears to be an outright bad key.  And BofA isn't being
> helpful (just a continual "we use ssl" sort of quasi-automated response).
> So I'm disabling it for now, or rather, falling back to using my ISP's dns
> servers, which don't support DNSSEC at this time.  I'll be periodically
> turning it back on, but too much is broken (mainly due to the cdns) to be
> able to rely on it at this time.
> -Aaron
>

From simon at thekelleys.org.uk  Sat Apr 26 19:44:53 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 26 Apr 2014 20:44:53 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Had to disable dnssec today
In-Reply-To: <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>
References: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
 <1398528012.36628423@apps.rackspace.com>
 <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>
Message-ID: <535C0CB5.7070506@thekelleys.org.uk>

On 26/04/14 17:20, Aaron Wood wrote:
> David,
> 
> With two of them (akamai and cloudflare), I _think_ it's a dnsmasq 
> issue with the DS records for proving insecure domains are insecure. 
> But Simon Kelley would know that better than I.
> 


The result of the analysis of the akamai domain was that there's a
problem with the domain (ie it's an akamai problem). See the post in the
Cerowrt list by Evan Hunt for the origin of this conclusion.

There's a dnsmasq issue to the extent that dnsmasq uses a different
strategy for proving that a name should not be signed than other
nameservers (dnsmasq works bottom-up, the others can work top-down,
since they are recursive servers, not forwarders.) This means that
dnsmasq sees the akamai problem, whilst eg unbound happens not to. I
plan to see if dnsmasq can be modified to improve this.

I'm not sure if cloudflare has been looked at in detail, but my
impression was that it's the same as akamai.

> With BofA, I'm nearly certain it's them, or an issue with one of 
> their partners (since the domain that fails isn't BofA, but
> something else):
> 
> (with dnssec turned off):
> 
> ;; QUESTION SECTION:
> ;sso-fi.bankofamerica.com. IN A
> 
> ;; ANSWER SECTION:
> sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
> saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
> saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157
> 
> And it's the saml-bac.gslb.onefiserv.com host that's failing (see 
> here for debug info):
> 
> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com
> 
> -Aaron
> 
> 
> On Sat, Apr 26, 2014 at 6:00 PM, <dpreed at reed.com> wrote:
> 
>> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at 
>> these sites?   If it is the latter, I can get attention from 
>> executives at some of these companies (Heartbleed has sensitized 
>> all kinds of companies to the need to strengthen security 
>> infrastructure).
>> 
>> 
>> 
>> If the former, the change process is going to be more tricky, 
>> because dnsmasq is easily dismissed as too small a proportion of 
>> the market to care.  (wish it were not so).
>> 


Given it's less than a month since the first DNSSEC-capable dnsmasq
release, anything other than small market share would be fairly miraculous!

Cheers,

Simon.
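Simon's two points, that a DS query for an unsigned name like test-ipv6.com should come back as a signed NSEC denial from .com, and that a forwarder proving insecurity bottom-up has to ask more servers than a recursive resolver working top-down, as an added toy model in Python. This is not dnsmasq's or unbound's code; the zone table, the names and the broken DS answers of the made-up example-cdn.net. zone are constructed, and the thread does not say what Akamai's actual problem was.

```python
# Constructed zone tree.  signed: the zone publishes RRSIGs.  ds: its parent
# publishes a DS for it.  sane_ds_answers: its servers answer DS queries for
# non-cut names inside the zone sensibly.  example-cdn.net. is a constructed
# misbehaviour, not Akamai's actual issue (the thread does not say what it was).
ZONES = {
    ".":                {"signed": True,  "ds": True,  "sane_ds_answers": True},
    "com.":             {"signed": True,  "ds": True,  "sane_ds_answers": True},
    "net.":             {"signed": True,  "ds": True,  "sane_ds_answers": True},
    "test-ipv6.com.":   {"signed": False, "ds": False, "sane_ds_answers": True},
    "example-cdn.net.": {"signed": False, "ds": False, "sane_ds_answers": False},
}


def labels(name):
    return [] if name == "." else name.rstrip(".").split(".")


def strip_label(name):
    rest = labels(name)[1:]
    return ".".join(rest) + "." if rest else "."


def enclosing_zone(name):
    """Closest zone cut at or above name."""
    while name not in ZONES:
        name = strip_label(name)
    return name


def parent_zone(name):
    """Zone that holds (or would hold) the DS record for name; None for the root."""
    return None if name == "." else enclosing_zone(strip_label(name))


def query_ds(name, asked):
    """Model one DS query, answered by the parent zone.  Appends name to `asked`
    and returns: secure_ds (signed DS RRset), secure_insecure_cut (signed NSEC:
    delegation without DS), secure_not_a_cut (signed NSEC: no delegation here),
    insecure (unsigned answer) or bogus (garbage from a misbehaving server)."""
    asked.append(name)
    parent = parent_zone(name)
    if parent is None:
        return "secure_ds"                      # root: trust anchor
    if name not in ZONES and not ZONES[parent]["sane_ds_answers"]:
        return "bogus"
    if not ZONES[parent]["signed"]:
        return "insecure"
    if name in ZONES:
        return "secure_ds" if ZONES[name]["ds"] else "secure_insecure_cut"
    return "secure_not_a_cut"


def zone_cuts_on_path(name):
    cuts = [z for z in ZONES if z == "." or name == z or name.endswith("." + z)]
    return sorted(cuts, key=lambda z: len(labels(z)))


def validate_top_down(name, asked):
    """Recursive-resolver style: walk the cuts from the root down and ask for a
    DS only at each delegation.  Stops at the first insecure cut, so the servers
    of the unsigned zone are never asked a DS question."""
    for cut in zone_cuts_on_path(name)[1:]:     # [0] is the root trust anchor
        answer = query_ds(cut, asked)
        if answer == "secure_insecure_cut":
            return "insecure"
        if answer != "secure_ds":
            return "bogus"
    return "secure"


def validate_bottom_up(name, asked):
    """Forwarder style, as the thread describes dnsmasq: ask for a DS at the
    queried name and climb one label at a time until a signed zone either
    supplies a DS or signs the denial.  Every intermediate server gets asked."""
    climbed_through_unsigned = False
    cur = name
    while cur != ".":
        answer = query_ds(cur, asked)
        if answer == "bogus":
            return "bogus"
        if answer == "secure_insecure_cut":
            return "insecure"
        if answer == "secure_ds":
            # a signed parent vouches for cur: only consistent if nothing
            # below us answered unsigned
            return "bogus" if climbed_through_unsigned else "secure"
        if answer == "insecure":
            climbed_through_unsigned = True
        cur = strip_label(cur)
    return "secure"


def compare(name):
    """Verdict and the list of names DS was asked for, per strategy."""
    td, bu = [], []
    return {"top_down": (validate_top_down(name, td), td),
            "bottom_up": (validate_bottom_up(name, bu), bu)}


if __name__ == "__main__":
    for n in ("www.test-ipv6.com.", "a.b.c.test-ipv6.com.", "www.example-cdn.net."):
        for strategy, (verdict, asked) in compare(n).items():
            print(f"{n:22} {strategy:9} -> {verdict:8} DS asked for {asked}")
```

The deeper test-ipv6.com name shows the cost difference: bottom-up issues a DS query at every label, which is the shape of the dnssec-query[DS] lines in Aaron's log earlier in this archive, while top-down stops after two.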



From simon at thekelleys.org.uk  Sat Apr 26 21:17:40 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 26 Apr 2014 22:17:40 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Had to disable dnssec today
In-Reply-To: <535C0CB5.7070506@thekelleys.org.uk>
References: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
 <1398528012.36628423@apps.rackspace.com>
 <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>
 <535C0CB5.7070506@thekelleys.org.uk>
Message-ID: <535C2274.6010106@thekelleys.org.uk>

On 26/04/14 20:44, Simon Kelley wrote:
> I plan to see if dnsmasq can be modified to improve this.

In the git repo now, the change allows the akamai domain to resolve
successfully.


Simon.




From dave.taht at gmail.com  Sat Apr 26 23:28:42 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Sat, 26 Apr 2014 16:28:42 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel]  Had to disable dnssec today
In-Reply-To: <535C0CB5.7070506@thekelleys.org.uk>
References: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
 <1398528012.36628423@apps.rackspace.com>
 <CALQXh-Mv_WD+ya3-2awmN6bQ_wV0KeuEe0AsXKXar5KJYaGyMQ@mail.gmail.com>
 <535C0CB5.7070506@thekelleys.org.uk>
Message-ID: <CAA93jw66UGCcrNtP8i3PovSQhQWR3XSaPZXKQMD=ePL6s7pZjw@mail.gmail.com>

On Sat, Apr 26, 2014 at 12:44 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 26/04/14 17:20, Aaron Wood wrote:
>> David,
>>
>> With two of them (akamai and cloudflare), I _think_ it's a dnsmasq
>> issue with the DS records for proving insecure domains are insecure.
>> But Simon Kelley would know that better than I.
>>
>
>
> The result of the analysis of the akamai domain was that there's a
> problem with the domain (ie it's an akamai problem) See the post in the
> Cerowrt list by Evan Hunt for the origin of this conclusion.
>
> There's a dnsmasq issue to the extent that dnsmasq uses a different
> strategy for proving that a name should not be signed than other
> nameservers (dnsmasq works bottom-up, the others can work top-down,
> since they are recursive servers, not forwarders.) This means that
> dnsmasq sees the akamai problem, whilst eg unbound happens not to. I
> plan to see if dnsmasq can be modified to improve this.

If it's not a violation of the specification, the bottom-up method might
be good to add to a dnssec validation tool.

>
> I'm not sure of cloudflare has been looked at in detail, but my
> impression was that it's the same as akamai.
>
>> With BofA, I'm nearly certain it's them, or an issue with one of
>> their partners (since the domain that fails isn't BofA, but
>> something else):
>>
>> (with dnssec turned off):
>>
>> ;; QUESTION SECTION:
>> ;sso-fi.bankofamerica.com. IN A
>>
>> ;; ANSWER SECTION:
>> sso-fi.bankofamerica.com. 3599 IN CNAME saml-bac.onefiserv.com.
>> saml-bac.onefiserv.com. 299 IN CNAME saml-bac.gslb.onefiserv.com.
>> saml-bac.gslb.onefiserv.com. 119 IN A 208.235.248.157
>>
>> And it's the saml-bac.gslb.onefiserv.com host that's failing (see
>> here for debug info):
>>
>> http://dnssec-debugger.verisignlabs.com/sso-fi.bankofamerica.com
>>
>> -Aaron
>>
>>
>> On Sat, Apr 26, 2014 at 6:00 PM, <dpreed at reed.com> wrote:
>>
>>> Is this just a dnsmasq issue or is the DNSSEC mechanism broken at
>>> these sites?   If it is the latter, I can get attention from
>>> executives at some of these companies (Heartbleed has sensitized
>>> all kinds of companies to the need to strengthen security
>>> infrastructure).
>>>
>>>
>>>
>>> If the former, the change process is going to be more tricky,
>>> because dnsmasq is easily dismissed as too small a proportion of
>>> the market to care.  (wish it were not so).
>>>
>
>
> Given it's less than a month since the first DNSSEC-capable dnsmasq
> release, anything other than small market share would be fairly miraculous!
>
> Cheers,
>
> Simon.
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From dave.taht at gmail.com  Sun Apr 27 02:46:06 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Sat, 26 Apr 2014 19:46:06 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Had to disable dnssec today
In-Reply-To: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
References: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
Message-ID: <CAA93jw7eJ+=rfZDGCzHpv1qqjBtAoW4mWPCBMhusctfNaVz-bw@mail.gmail.com>

On Sat, Apr 26, 2014 at 4:38 AM, Aaron Wood <woody77 at gmail.com> wrote:
> Just too many sites aren't working correctly with dnsmasq and using Google's
> DNS servers.

After 4 days of uptime, I too ended up with a wedged cerowrt 3.10.36-6 on wifi.

The symptoms were dissimilar from what has been described here - I was seeing
odhcpd trying to and failing to answer requests on the wifi interfaces, which
I'd never seen in operation before (and could have been a self-induced failure
by fiddling with hnetd).

I have merged with openwrt head, which has some hostapd and routing fixes,
as well as dnsmasq head which has some dnssec lookup fixes...
and put out cerowrt-3.10.36-7. On first boot, it had problems getting anything
on wifi to do dhcp. A reboot later (with multicast 9000 also disabled),
a kindle that was failing to get online did. This box has also never got
upstream dns servers right from the isp. I'll fiddle with the multicast thing
later, to see if that or the reboot fixed it.

With this dnssec with dnssec-check-unsigned, once time is correct:

> - Bank of America (sso-fi.bankofamerica.com)

still fails. It ain't our fault it's broke.

> - Weather Underground (cdnjs.cloudflare.com)

succeeds.

> - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)

succeeds.

> http://test-ipv6.com/

don't have ipv6 capability at this location, so this succeeds. I did see
it fail once on the first boot but haven't repeated it.

>
> And I'm not getting any traction with reporting the errors to those sites,
> so it's frustrating in getting it properly fixed.

There needs to be a constant network-wide scanning service of some kind
to detect dnssec configuration errors.

>
> While Akamai and cloudflare appear to be issues with their entries in google
> dns, or with dnsmasq's validation of them being insecure domains, the BofA
> issue appears to be an outright bad key.  And BofA isn't being helpful (just
> a continual "we use ssl" sort of quasi-automated response).

Cluebats are needed.

> So I'm disabling it for now, or rather, falling back to using my ISP's dns
> servers, which don't support DNSSEC at this time.  I'll be periodically
> turning it back on, but too much is broken (mainly due to the cdns) to be
> able to rely on it at this time.

don't blame you, but if we weren't beating it up, nobody would be.

>
> -Aaron
>
>
>
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From kevin at darbyshire-bryant.me.uk  Mon Apr 28 11:18:17 2014
From: kevin at darbyshire-bryant.me.uk (Kevin Darbyshire-Bryant)
Date: Mon, 28 Apr 2014 12:18:17 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <CAJ-gf5CTZOSsBuv+sSq+sD_Y7VJ=LV1efnV_WvndEzH33FzmEQ@mail.gmail.com>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
 <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>
 <53596AE0.3070906@thekelleys.org.uk>
 <53597063.4020608@darbyshire-bryant.me.uk>
 <CAJ-gf5CTZOSsBuv+sSq+sD_Y7VJ=LV1efnV_WvndEzH33FzmEQ@mail.gmail.com>
Message-ID: <535E38F9.5000709@darbyshire-bryant.me.uk>

On 25/04/2014 09:37, David Joslin wrote:
> Hi Kevin and thanks for the help.
>
Apologies for the delay in replying.
> Is it possible to upgrade the dnsmasq version on the router without
> waiting for the author of the tomato firmware to include a later
> version in a release of his firmware (and you mentioned that dnsmasq
> in tomato isn't a clean pull of Simon's release)?
Probably, but as you'd have to cross compile it to MIPS and 'Tomato'
environment you might as well try to rebuild the entire firmware.  I
loosely 'maintain' a shadow of Simon's git repo of dnsmasq with the
Tomato/Asuswrt tweaks here
https://github.com/kdarbyshirebryant/dnsmasq   - No guarantees etc etc,
but I personally try to keep up to date with both 'Merlin's
Asuswrt/rmerlin and put current dnsmasq in there too.
>
> Why would changing the location of the leasefile to a usb stick make a
> difference? If the issue, as Simon suggests, is caused by the constant
> rewriting of the lease database, then wouldn't its current location
> (which on a router would be RAM) be a faster/better option than a usb
> stick? Or is there another possible issue here that I've missed?
Agree, RAM should be faster but there is a finite amount of it and it's
volatile...I quite like to store the database on something that survives
reboots.  Also, as tomato is compiled with 'no rtc', the code tries to
minimise the number of writes to the leasefile on the basis it thinks it
likely that flash memory is involved, so better to reduce the wear.
>
> The only recent change I've made to the router was the addition of a
> usb stick as the location for the writing of system logs and bandwidth
> and IP traffic usage logs (so that they weren't lost on a reboot). I
> had wondered if the cause of the problem was related to the speed of
> writing this stuff (which obviously includes dnsmasq logging) to the
> usb stick rather than RAM. That's why I turned off dnsmasq logging at
> one point but it didn't seem to make any difference.
>
> Thanks again for your help and I'll wait for your comments on the above.
I'm not sure I've helped really.

Kevin

From jg at freedesktop.org  Mon Apr 28 16:55:11 2014
From: jg at freedesktop.org (Jim Gettys)
Date: Mon, 28 Apr 2014 12:55:11 -0400
Subject: [Dnsmasq-discuss] Problems with DNSsec on Comcast,
	with Cero 3.10.38-1/DNSmasq 4-26-2014
Message-ID: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>

Comcast recently lit up IPv6 native dual stack in the Boston area.

The http://test-ipv6.com/ web site complains about DNS problems unless
dnssec is disabled; if it is, I get various timeouts.

Test with IPv4 DNS record
ok (4.196s)
Test with IPv6 DNS record
ok (0.115s) using ipv6
Test with Dual Stack DNS record
timeout (11.882s)
Test for Dual Stack DNS and large packet
timeout (11.817s)
Test IPv4 without DNS
ok (0.214s) using ipv4
Test IPv6 without DNS
ok (0.204s) using ipv6
Test IPv6 large packet
ok (0.120s) using ipv6
Test if your ISP's DNS server uses IPv6
slow (8.752s)
Find IPv4 Service Provider
timeout (11.968s)
Find IPv6 Service Provider
ok (0.126s) using ipv6 ASN 7922
Test for buggy DNS
undefined (5.003s)

DNS server addresses look reasonable for Comcast.
DNS 1: 75.75.75.75
DNS 2: 75.75.76.76
DNS 1: 2001:558:feed::1
DNS 2: 2001:558:feed::2

Today, the problem seems consistent with turning dnssec on and off on the
router.  If enabled, I have problems; if disabled, I get a clean bill of
health out of test-ipv6.com.
                                             - Jim

From dave.taht at gmail.com  Mon Apr 28 17:03:35 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Mon, 28 Apr 2014 10:03:35 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
Message-ID: <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>

On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg at freedesktop.org> wrote:

> Comcast recently lit up IPv6 native dual stack in the Boston area.
>
> The http://test-ipv6.com/ web site complains about DNS problems unless
> dnssec is disabled; if it is, I get various timeouts.
>
>
>
 Test with IPv4 DNS record
> ok (4.196s)
> Test with IPv6 DNS record
> ok (0.115s) using ipv6
> Test with Dual Stack DNS record
> timeout (11.882s)
>

I don't know what this test does. Try a local query over ipv6?

Test for Dual Stack DNS and large packet
> timeout (11.817s)
> Test IPv4 without DNS
> ok (0.214s) using ipv4
> Test IPv6 without DNS
> ok (0.204s) using ipv6
> Test IPv6 large packet
> ok (0.120s) using ipv6
> Test if your ISP's DNS server uses IPv6
> slow (8.752s)
> Find IPv4 Service Provider
> timeout (11.968s)
> Find IPv6 Service Provider
> ok (0.126s) using ipv6 ASN 7922
> Test for buggy DNS
> undefined (5.003s)
>
> DNS server addresses look reasonable for Comcast.
> DNS 1: 75.75.75.75
> DNS 2: 75.75.76.76
>

To try to isolate things a little bit, you can turn off fetching ipv4 dns
servers with

option peerdns '0'

in the wan (ge00) stanza of /etc/config/network

and let the wan6 stanza fetch them.

A packet capture of it working vs not working would be good.

tcpdump -i ge00 -w cap1.cap port 53

Also capture on the local interface.

DNS 1: 2001:558:feed::1
> DNS 2: 2001:558:feed::2
>
> Today, the problem seems consistent with turning dnssec on and off on the
> router.  If enabled, I have problems; if disabled, I get a clean bill of
> health out of test-ipv6.com.
>                                              - Jim
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel at lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>
>


-- 
Dave Täht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

From simon at thekelleys.org.uk  Mon Apr 28 17:36:24 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 28 Apr 2014 18:36:24 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <535E38F9.5000709@darbyshire-bryant.me.uk>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
 <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>
 <53596AE0.3070906@thekelleys.org.uk>
 <53597063.4020608@darbyshire-bryant.me.uk>
 <CAJ-gf5CTZOSsBuv+sSq+sD_Y7VJ=LV1efnV_WvndEzH33FzmEQ@mail.gmail.com>
 <535E38F9.5000709@darbyshire-bryant.me.uk>
Message-ID: <535E9198.3080201@thekelleys.org.uk>

Note that this bug appears to be a hard lockup.

https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1313393

investigations are continuing.....


Simon.




On 28/04/14 12:18, Kevin Darbyshire-Bryant wrote:
> On 25/04/2014 09:37, David Joslin wrote:
>> Hi Kevin and thanks for the help.
>>
> Apologies for delay in reply.
>> Is it possible to upgrade the dnsmasq version on the router without
>> waiting for the author of the tomato firmware to include a later
>> version in a release of his firmware (and you mentioned that dnsmasq
>> in tomato isn't a clean pull of Simon's release)?
> Probably, but as you'd have to cross compile it to MIPS and 'Tomato'
> environment you might as well try to rebuild the entire firmware.  I
> loosely 'maintain' a shadow of Simon's git repo of dnsmasq with the
> Tomato/Asuswrt tweaks here
> https://github.com/kdarbyshirebryant/dnsmasq   - No guarantees etc etc,
> but I personally try to keep up to date with both 'Merlin's
> Asuswrt/rmerlin and put current dnsmasq in there too.
>>
>> Why would changing the location of the leasefile to a usb stick make a
>> difference? If the issue, as Simon suggests, is caused by the constant
>> rewriting of the lease database, then wouldn't its current location
>> (which on a router would be RAM) be a faster/better option than a usb
>> stick? Or is there another possible issue here that I've missed?
> Agree, RAM should be faster but there is a finite amount of it and it's
> volatile...I quite like to store the database on something that survives
> reboots.  Also, as tomato is compiled with 'no rtc', the code tries to
> minimise the number of writes to the leasefile on the basis it thinks it
> likely that flash memory is involved, so better to reduce the wear.
>>
>> The only recent change I've made to the router was the addition of a
>> usb stick as the location for the writing of system logs and bandwidth
>> and IP traffic usage logs (so that they weren't lost on a reboot). I
>> had wondered if the cause of the problem was related to the speed of
>> writing this stuff (which obviously includes dnsmasq logging) to the
>> usb stick rather than RAM. That's why I turned off dnsmasq logging at
>> one point but it didn't seem to make any difference.
>>
>> Thanks again for your help and I'll wait for your comments on the above.
> I'm not sure I've helped really.
> 
> Kevin
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 



From dave.taht at gmail.com  Mon Apr 28 18:37:42 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Mon, 28 Apr 2014 11:37:42 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
Message-ID: <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>

I have put a link up to two of jim's captures going to test-ipv6 via cero,
one with dnssec enabled, captured at the local laptop

http://snapon.lab.bufferbloat.net/~cero2/baddns/

definitely a lot of missing responses when captured at this end. The local
laptop is using a local dnsmasq forwarder.

It is falling back to trying a recursive lookup on the default domain (
ipv6.test-ipv6.com.home.lan ) - which it does do a nxdomain for
immediately...



On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht <dave.taht at gmail.com> wrote:

>
>
>
> On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg at freedesktop.org> wrote:
>
>> Comcast recently lit up IPv6 native dual stack in the Boston area.
>>
>> The http://test-ipv6.com/ web site complains about DNS problems unless
>> dnssec is disabled; if it is, I get various timeouts.
>>
>>
>>
>  Test with IPv4 DNS record
>> ok (4.196s)
>> Test with IPv6 DNS record
>> ok (0.115s) using ipv6
>> Test with Dual Stack DNS record
>> timeout (11.882s)
>>
>
> I don't know what this test does. Try a local query over ipv6?
>
>  Test for Dual Stack DNS and large packet
>> timeout (11.817s)
>> Test IPv4 without DNS
>> ok (0.214s) using ipv4
>> Test IPv6 without DNS
>> ok (0.204s) using ipv6
>> Test IPv6 large packet
>> ok (0.120s) using ipv6
>> Test if your ISP's DNS server uses IPv6
>> slow (8.752s)
>> Find IPv4 Service Provider
>> timeout (11.968s)
>> Find IPv6 Service Provider
>> ok (0.126s) using ipv6 ASN 7922
>> Test for buggy DNS
>> undefined (5.003s)
>>
>> DNS server addresses look reasonable for Comcast.
>> DNS 1: 75.75.75.75
>> DNS 2: 75.75.76.76
>>
>
> To try to isolate things a little bit, you can turn off fetching ipv4
> dns servers
> with
>
> option peerdns '0'
>
> in the wan (ge00) stanza of /etc/config/network
>
> and let the wan6 stanza fetch them.
>
> A packet capture of it working vs not working would be good.
>
> tcpdump -i ge00 -w cap1.cap port 53
>
> Also capture on the local interface.
>
> DNS 1: 2001:558:feed::1
>> DNS 2: 2001:558:feed::2
>>
>> Today, the problem seems consistent with turning dnssec on and off on the
>> router.  If enabled, I have problems; if disabled, I get a clean bill of
>> health out of test-ipv6.com.
>>                                               - Jim
>>
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-devel at lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>
>>
>
>
> --
> Dave Täht
>
> NSFW:
> https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>



-- 
Dave Täht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

From dave.taht at gmail.com  Mon Apr 28 18:56:32 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Mon, 28 Apr 2014 11:56:32 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
Message-ID: <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>

I see A and AAAA requests for "ds.test-ipv6.com" that fail.


On Mon, Apr 28, 2014 at 11:37 AM, Dave Taht <dave.taht at gmail.com> wrote:

> I have put a link up to two of jim's captures going to test-ipv6 via cero,
> one with dnssec enabled, captured at the local laptop
>
> http://snapon.lab.bufferbloat.net/~cero2/baddns/
>
> definitely a lot of missing responses when captured at this end. The local
> laptop is using a local dnsmasq forwarder.
>
> It is falling back to trying a recursive lookup on the default domain (
> ipv6.test-ipv6.com.home.lan ) - which it does do a nxdomain for
> immediately...
>
>
>
> On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht <dave.taht at gmail.com> wrote:
>
>>
>>
>>
>> On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg at freedesktop.org> wrote:
>>
>>> Comcast recently lit up IPv6 native dual stack in the Boston area.
>>>
>>> The http://test-ipv6.com/ web site complains about DNS problems unless
>>> dnssec is disabled; if it is, I get various timeouts.
>>>
>>>
>>>
>>  Test with IPv4 DNS record
>>> ok (4.196s)
>>> Test with IPv6 DNS record
>>> ok (0.115s) using ipv6
>>> Test with Dual Stack DNS record
>>> timeout (11.882s)
>>>
>>
>> I don't know what this test does. Try a local query over ipv6?
>>
>>  Test for Dual Stack DNS and large packet
>>> timeout (11.817s)
>>> Test IPv4 without DNS
>>> ok (0.214s) using ipv4
>>> Test IPv6 without DNS
>>> ok (0.204s) using ipv6
>>> Test IPv6 large packet
>>> ok (0.120s) using ipv6
>>> Test if your ISP's DNS server uses IPv6
>>> slow (8.752s)
>>> Find IPv4 Service Provider
>>> timeout (11.968s)
>>> Find IPv6 Service Provider
>>> ok (0.126s) using ipv6 ASN 7922
>>> Test for buggy DNS
>>> undefined (5.003s)
>>>
>>> DNS server addresses look reasonable for Comcast.
>>> DNS 1: 75.75.75.75
>>> DNS 2: 75.75.76.76
>>>
>>
>> To try to isolate things a little bit, you can turn off fetching ipv4
>> dns servers
>> with
>>
>> option peerdns '0'
>>
>> in the wan (ge00) stanza of /etc/config/network
>>
>> and let the wan6 stanza fetch them.
>>
>> A packet capture of it working vs not working would be good.
>>
>> tcpdump -i ge00 -w cap1.cap port 53
>>
>> Also capture on the local interface.
>>
>>  DNS 1: 2001:558:feed::1
>>> DNS 2: 2001:558:feed::2
>>>
>>> Today, the problem seems consistent with turning dnssec on and off on
>>> the router.  If enabled, I have problems; if disabled, I get a clean bill
>>> of health out of test-ipv6.com.
>>>                                               - Jim
>>>
>>>
>>> _______________________________________________
>>> Cerowrt-devel mailing list
>>> Cerowrt-devel at lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>>
>>>
>>
>>
>> --
>> Dave Täht
>>
>> NSFW:
>> https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>>
>
>
>
> --
> Dave Täht
>
> NSFW:
> https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>



-- 
Dave Täht

NSFW:
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article

From dave.taht at gmail.com  Mon Apr 28 19:07:06 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Mon, 28 Apr 2014 12:07:06 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] test-ipv6.com vs dnssec
In-Reply-To: <535AAE37.103@thekelleys.org.uk>
References: <CAA93jw6zwHw67oBBYx2EwYrK+z=PdxTt=FVtGidnz=AYuVzx1w@mail.gmail.com>
 <CAGhGL2CGVDoMoQxyRKoPV2zM42wYA3XT22w5DDrLVppjEg23bg@mail.gmail.com>
 <535AAE37.103@thekelleys.org.uk>
Message-ID: <CAA93jw66ZC14u88jOgFOhbj-QQgNVfZSZnxWTTRBVLNSEx8ZAQ@mail.gmail.com>

On Fri, Apr 25, 2014 at 11:49 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 25/04/14 19:01, Jim Gettys wrote:
>> More specifically, after boot, most of the time test-ipv6.com reports lots
>> of problems.
>>
>> Then I turned off both dnssec and dnssec-check-unsigned, and restarted
>> dnsmasq; clean bill of health from test-ipv6.com.
>>
>> Then I turned on dnssec only, leaving dnssec-check-unsigned, and got a
>> clean bill of health.
>>
>> Then I turned on both at the same time, and things are working.
>>
>> So we seem to have a boot time race of some sort.
>>                               - Jim
>>
>>
>
>
> test-ipv6.com is unsigned, so the important thing which is likely
> failing is the query for the DS record of test-ipv6.com, which should
> return NSEC records providing it doesn't exist, signed by .com

As one example of a registrar not with the program, name.com
(registrar for bufferbloat.net) does not allow for ds records to
come from it, so that domain can't be fully signed.

So it sounds to me as if negative proofs are not possible with
registrars that lack this support?

>
> Simon.
>
>
>
>>
>> On Fri, Apr 25, 2014 at 1:39 PM, Dave Taht <dave.taht at gmail.com> wrote:
>>
>>> jg tells me the test-ipv6.com site fails with dnssec and enabled on
>>> native ipv6.
>>>
>>> disabling dnssec works.
>>>
>>> anyone can confirm? get a log/packet capture?
>>>
>>>
>>> --
>>> Dave Täht
>>> _______________________________________________
>>> Cerowrt-devel mailing list
>>> Cerowrt-devel at lists.bufferbloat.net
>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>>
>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From simon at thekelleys.org.uk  Mon Apr 28 19:32:27 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 28 Apr 2014 20:32:27 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
Message-ID: <535EACCB.7090104@thekelleys.org.uk>

On 28/04/14 19:56, Dave Taht wrote:
> I see A and AAAA requests for "ds.test-ipv6.com" that fail.
> 

The root of this failure is that DS ds.test-ipv6.com is broken.

 <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 ds ds.test-ipv6.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63751
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ds.test-ipv6.com.		IN	DS

;; Query time: 1186 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Apr 28 20:19:34 2014
;; MSG SIZE  rcvd: 34

The latest fix I made (when the SERVFAIL reply comes, try the next
possible secure-nonexistent DS record at test-ipv6.com) works sometimes,
but the query above is taking long enough to fail that sometimes the
original requestor has timed out before it gets the answer and tries again.

Neither of the authoritative nameservers for test-ipv6.com returns answers to
the DS query, they just time out. They do return answers for A and AAAA
queries. That looks broken to me.

Problems like this have been at the root of most (but not all) of the
DNSSEC failures that have been reported.

Cheers,

Simon.

> 
> On Mon, Apr 28, 2014 at 11:37 AM, Dave Taht <dave.taht at gmail.com>
> wrote:
> 
>> I have put a link up to two of jim's captures going to test-ipv6
>> via cero, one with dnssec enabled, captured at the local laptop
>> 
>> http://snapon.lab.bufferbloat.net/~cero2/baddns/
>> 
>> definitely a lot of missing responses when captured at this end.
>> the local laptop is using a local dnsmasq forwarder.
>> 
>> It is falling back to trying a recursive lookup on the default
>> domain ( ipv6.test-ipv6.com.home.lan ) - which it does do a
>> nxdomain for immediately...
>> 
>> 
>> 
>> On Mon, Apr 28, 2014 at 10:03 AM, Dave Taht <dave.taht at gmail.com>
>> wrote:
>> 
>>> 
>>> 
>>> 
>>> On Mon, Apr 28, 2014 at 9:55 AM, Jim Gettys <jg at freedesktop.org>
>>> wrote:
>>> 
>>>> Comcast recently lit up IPv6 native dual stack in the Boston
>>>> area.
>>>> 
>>>> The http://test-ipv6.com/ web site complains about DNS problems
>>>> unless dnssec is disabled; if it is, I get various timeouts.
>>>> 
>>>> 
>>>> 
>>> Test with IPv4 DNS record
>>>> ok (4.196s)
>>>> Test with IPv6 DNS record
>>>> ok (0.115s) using ipv6
>>>> Test with Dual Stack DNS record
>>>> timeout (11.882s)
>>>> 
>>> 
>>> I don't know what this test does. Try a local query over ipv6?
>>> 
>>> Test for Dual Stack DNS and large packet
>>>> timeout (11.817s)
>>>> Test IPv4 without DNS
>>>> ok (0.214s) using ipv4
>>>> Test IPv6 without DNS
>>>> ok (0.204s) using ipv6
>>>> Test IPv6 large packet
>>>> ok (0.120s) using ipv6
>>>> Test if your ISP's DNS server uses IPv6
>>>> slow (8.752s)
>>>> Find IPv4 Service Provider
>>>> timeout (11.968s)
>>>> Find IPv6 Service Provider
>>>> ok (0.126s) using ipv6 ASN 7922
>>>> Test for buggy DNS
>>>> undefined (5.003s)
>>>> 
>>>> DNS server addresses look reasonable for Comcast.
>>>> DNS 1: 75.75.75.75
>>>> DNS 2: 75.75.76.76
>>>> 
>>> 
>>> To try to isolate things a little bit, you can turn off
>>> fetching ipv4 dns servers with
>>> 
>>> option peerdns '0'
>>> 
>>> in the wan (ge00) stanza of /etc/config/network
>>> 
>>> and let the wan6 stanza fetch them.
>>> 
>>> A packet capture of it working vs not working would be good.
>>> 
>>> tcpdump -i ge00 -w cap1.cap port 53
>>> 
>>> Also capture on the local interface.
>>> 
>>> DNS 1: 2001:558:feed::1
>>>> DNS 2: 2001:558:feed::2
>>>> 
>>>> Today, the problem seems consistent with turning dnssec on and
>>>> off on the router.  If enabled, I have problems; if disabled, I
>>>> get a clean bill of health out of test-ipv6.com.
>>>>                                               - Jim
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Cerowrt-devel mailing list
>>>> Cerowrt-devel at lists.bufferbloat.net
>>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>>>> 
>>>> 
>>> 
>>> 
>>> -- 
>>> Dave Täht
>>> 
>>> NSFW: 
>>> https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>>>
>> 
>> 
>> -- 
>> Dave Täht
>> 
>> NSFW: 
>> https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>>
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 



From woody77 at gmail.com  Mon Apr 28 19:45:28 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Mon, 28 Apr 2014 21:45:28 +0200
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <535EACCB.7090104@thekelleys.org.uk>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
 <535EACCB.7090104@thekelleys.org.uk>
Message-ID: <CALQXh-PSJfPLqrL3Ad=s3Rs33is_L3baK45YOUfkgteu58ZgYQ@mail.gmail.com>

This timeout, I'm guessing this is older/naive setups that aren't expecting
to support DNSSEC, and through "over-securing" their setup, have managed to
break the non-existence-proof process?

-Aaron

On Mon, Apr 28, 2014 at 9:32 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:

...

> Neither of the authoritative nameservers for test-ipv6.com returns answers to
> the DS query, they just time out. They do return answers for A and AAAA
> queries. That looks broken to me.
>
> Problems like this have been at the root of most (but not all) of the
> DNSSEC failures that have been reported.
>

From cloos at jhcloos.com  Mon Apr 28 19:57:43 2014
From: cloos at jhcloos.com (James Cloos)
Date: Mon, 28 Apr 2014 15:57:43 -0400
Subject: [Dnsmasq-discuss] [Cerowrt-devel] test-ipv6.com vs dnssec
In-Reply-To: <CAA93jw66ZC14u88jOgFOhbj-QQgNVfZSZnxWTTRBVLNSEx8ZAQ@mail.gmail.com>
 (Dave Taht's message of "Mon, 28 Apr 2014 12:07:06 -0700")
References: <CAA93jw6zwHw67oBBYx2EwYrK+z=PdxTt=FVtGidnz=AYuVzx1w@mail.gmail.com>
 <CAGhGL2CGVDoMoQxyRKoPV2zM42wYA3XT22w5DDrLVppjEg23bg@mail.gmail.com>
 <535AAE37.103@thekelleys.org.uk>
 <CAA93jw66ZC14u88jOgFOhbj-QQgNVfZSZnxWTTRBVLNSEx8ZAQ@mail.gmail.com>
Message-ID: <m3lhupdy5r.fsf@carbon.jhcloos.org>

>>>>> "DT" == Dave Taht <dave.taht at gmail.com> writes:

DT> As one example of a registrar not with the program, name.com
DT> (registrar for bufferbloat.net) does not allow for ds records to
DT> come from it, so that domain can't be fully signed.

DT> So it sounds to me as if negative proofs are not possible with
DT> registrars that lack this support?

No.  Signed parent zones (like com, net, org) always provide either a
signed DS record if it exists or proof of non-existence.

Try doing:

dig @i.gtld-servers.net. bufferbloat.net ds +dnssec

The two nsec3 records (each signed by an rrsig record) prove that there
is no DS record in net. with the name bufferbloat.net.

Compare that with what you get asking for ns records:

That replies with the two ns records, as well as the proof that the DS
records do not exist.

Now, try with a zone which is signed:

dig @i.gtld-servers.net. jhcloos.net ns +dnssec
dig @i.gtld-servers.net. jhcloos.net ds +dnssec

The first returns both the ns and ds records, with an rrsig over the ds
records (returned in the authority section); the latter returns the
signed ds records in the answer section and net's own signed ns set in
the authority section.

Given that some zones have nameservers which fail to respond if they do
not like or understand the query, it seems that only root-down verification
can work.  Unless I'm missing something....

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
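The DS lookup that Simon's SERVFAIL trace and James's dig examples above both turn on, as an added example that is not part of this thread or of dnsmasq: a stdlib-only Python checker that sends the same DS query `dig ... ds +dnssec` sends (EDNS with the DO bit) and classifies the parent's reply the way a validator must, as a signed DS set, a signed NSEC/NSEC3 denial, SERVFAIL, a timeout, or nothing provable. The sample replies at the bottom are constructed (placeholder rdata, made-up owner names such as `x.net.` and `example.net.`), not captures; only `check_ds` against a live server touches the network.

```python
import socket
import struct

# RR type codes (IANA) and rcodes used below
TYPE_NS, TYPE_OPT, TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 2, 41, 43, 46, 47, 50
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def _wire_name(name):
    """Dotted name -> DNS wire format (uncompressed)."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ds_query(name, txid=0x1234):
    """DS query with RD set plus an EDNS OPT record carrying the DO bit (what dig +dnssec sends)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _wire_name(name) + struct.pack("!HH", TYPE_DS, 1)
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Return (rcode, {section: [(owner, rtype), ...]}); rdata itself is skipped."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = _read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[sec].append((owner, rtype))
    return flags & 0x000F, sections

def classify_ds_response(msg):
    """What a validator can conclude from the parent's reply to a DS query."""
    rcode, secs = parse_response(msg)
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode != RCODE_NOERROR:
        return "rcode-%d" % rcode
    answer = {t for _, t in secs["answer"]}
    authority = {t for _, t in secs["authority"]}
    if TYPE_DS in answer and TYPE_RRSIG in answer:
        return "secure-delegation"  # child is signed: validate via the DS
    if authority & {TYPE_NSEC, TYPE_NSEC3} and TYPE_RRSIG in authority:
        return "proven-insecure"  # signed denial of DS: child is unsigned, which is fine
    return "bogus"  # neither a DS nor a signed denial: nothing can be proven

def check_ds(name, server, port=53, timeout=2.0):
    """Send the DS query over UDP and classify the reply, or its absence."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_ds_query(name), (server, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"  # the behaviour Simon reports from the test-ipv6.com authoritatives
    finally:
        sock.close()
    return classify_ds_response(data)

# Constructed sample replies: placeholder rdata, only sections and types matter here.
def _rr(owner, rtype, rdata=b"\x00" * 8):
    return _wire_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def _reply(txid, rcode, qname, answer=(), authority=()):
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    return hdr + _wire_name(qname) + struct.pack("!HH", TYPE_DS, 1) + b"".join(answer) + b"".join(authority)

# Like the dig output quoted above: SERVFAIL, id 63751, no records in any section.
SAMPLE_SERVFAIL = _reply(63751, RCODE_SERVFAIL, "ds.test-ipv6.com.")
# What a signed parent returns for an unsigned child: NSEC3 records and their RRSIGs.
SAMPLE_INSECURE = _reply(1, RCODE_NOERROR, "bufferbloat.net.", authority=[
    _rr("x.net.", TYPE_NSEC3), _rr("x.net.", TYPE_RRSIG),
    _rr("y.net.", TYPE_NSEC3), _rr("y.net.", TYPE_RRSIG)])
# A signed child: the DS set and its RRSIG in the answer section.
SAMPLE_SECURE = _reply(2, RCODE_NOERROR, "jhcloos.net.", answer=[_rr("jhcloos.net.", TYPE_DS), _rr("jhcloos.net.", TYPE_RRSIG)])
# A bare NS referral with neither DS nor signed denial: a validator cannot proceed.
SAMPLE_BOGUS = _reply(3, RCODE_NOERROR, "example.net.", authority=[_rr("example.net.", TYPE_NS)])
```

The classifier checks only record types and sections; it does not verify signatures, so "secure-delegation" and "proven-insecure" mean the parent answered in a form a validator can work with, not that the chain validated.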




From ck at conrad-kostecki.de  Mon Apr 28 21:17:49 2014
From: ck at conrad-kostecki.de (Conrad Kostecki)
Date: Mon, 28 Apr 2014 21:17:49 +0000
Subject: [Dnsmasq-discuss] IPv6-constructor for dhcp-host?
Message-ID: <e0335aac910342fb96c8b970a827a41e@DB4PR04MB265.eurprd04.prod.outlook.com>

Hi!
Recently, I was using an IPv6 tunnel from Hurricane Electric with a static /48 IPv6-subnet, which was working fine.
My ISP (Telekom Deutschland) now offers native IPv6, but it's only giving me a dynamic /56 IPv6-subnet. I have to use the IPv6-constructors with DNSMasq. That is working fine for me with router advertisements. I am also using parallel DHCPv6. That is also working.

But there is one problem for me. I am setting for some clients via dhcp-host and the duid a static ipv6-address. As the IPv6-prefix is now dynamic, I can't set them. Would it be possible to set some sort of an ipv6-constructor there for the prefix?

Thanks!
Conrad


From simon at thekelleys.org.uk  Mon Apr 28 21:22:33 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 28 Apr 2014 22:22:33 +0100
Subject: [Dnsmasq-discuss] IPv6-constructor for dhcp-host?
In-Reply-To: <e0335aac910342fb96c8b970a827a41e@DB4PR04MB265.eurprd04.prod.outlook.com>
References: <e0335aac910342fb96c8b970a827a41e@DB4PR04MB265.eurprd04.prod.outlook.com>
Message-ID: <535EC699.9000908@thekelleys.org.uk>

On 28/04/14 22:17, Conrad Kostecki wrote:
> Hi! Recently, I was using an IPv6 tunnel from Hurricane Electric with
> a static /48 IPv6-subnet, which was working fine. My ISP (Telekom
> Deutschland) now offers native IPv6, but it's only giving me a dynamic
> /56 IPv6-subnet. I have to use the IPv6-constructors with DNSMasq.
> That is working fine for me with router advertisements. I am also
> using parallel DHCPv6. That is also working.
> 
> But there is one problem for me. I am setting for some clients via
> dhcp-host and the duid a static ipv6-address. As the IPv6-prefix is
> now dynamic, I can't set them. Would it be possible to set some sort
> of an ipv6-constructor there for the prefix?
> 
> Thanks! Conrad
> 
The facility is there already:

"IPv6  addresses  may  contain only the host-identifier part:
--dhcp-host=laptop,[::56] in which case they act as wildcards
constructed dhcp ranges, with the appropriate network part inserted."


Cheers,


Simon.


> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 



From ck at conrad-kostecki.de  Mon Apr 28 21:34:10 2014
From: ck at conrad-kostecki.de (Conrad Kostecki)
Date: Mon, 28 Apr 2014 21:34:10 +0000
Subject: [Dnsmasq-discuss] IPv6-constructor for dhcp-host?
In-Reply-To: <535EC699.9000908@thekelleys.org.uk>
References: <e0335aac910342fb96c8b970a827a41e@DB4PR04MB265.eurprd04.prod.outlook.com>
 <535EC699.9000908@thekelleys.org.uk>
Message-ID: <e3cf871214384c7b8aab7cc38ca1bba1@DB4PR04MB265.eurprd04.prod.outlook.com>

> The facility is there already:
> 
> "IPv6  addresses  may  contain only the host-identifier part:
> --dhcp-host=laptop,[::56] in which case they act as wildcards constructed
> dhcp ranges, with the appropriate network part inserted."

Hi Simon!
It seems, I've overlooked that ;)
That's what I needed.

Thanks!
Conrad


From sgpinkus at gmail.com  Tue Apr 29 11:25:59 2014
From: sgpinkus at gmail.com (Sam Pinkus)
Date: Tue, 29 Apr 2014 21:25:59 +1000
Subject: [Dnsmasq-discuss] Why doesn't dnsmasq poll or inotify on hosts and
	resolve.conf?
Message-ID: <535F8C47.6030000@gmail.com>

Hello everyone,

I was wondering why dnsmasq doesn't poll or inotify on hosts and
resolv.conf. I think this would be a useful feature, but I can't imagine
it has not been considered before so maybe there is a good reason. Or
maybe it does but just with a long period, or there is an option I
missed? I do realize I could restart dnsmasq but I still think it would
be handy if hosts at least were polled.

Thanks for any help,

-Sam.


From fstd.lkml at gmail.com  Tue Apr 29 12:16:24 2014
From: fstd.lkml at gmail.com (Timo Buhrmester)
Date: Tue, 29 Apr 2014 14:16:24 +0200
Subject: [Dnsmasq-discuss] Why doesn't dnsmasq poll or inotify on hosts
 and resolve.conf?
In-Reply-To: <535F8C47.6030000@gmail.com>
References: <535F8C47.6030000@gmail.com>
Message-ID: <20140429121624.GA6720@frozen.localdomain>

> poll
Solves a different problem

> inotify
Linux specific

(is my guess for why this isn't done)

   Timo


From Franco.Broi at iongeo.com  Tue Apr 29 12:22:52 2014
From: Franco.Broi at iongeo.com (Franco Broi)
Date: Tue, 29 Apr 2014 12:22:52 +0000
Subject: [Dnsmasq-discuss] Why doesn't dnsmasq poll or inotify on hosts
 and resolve.conf?
In-Reply-To: <20140429121624.GA6720@frozen.localdomain>
References: <535F8C47.6030000@gmail.com>,
 <20140429121624.GA6720@frozen.localdomain>
Message-ID: <12CA6E0F1387FA4BA882F4D32604D944146E692D@AUS1EXMBX03.ioinc.ioroot.tld>

resolv.conf is polled, hosts isn't because it's dangerous, i.e. the hosts file could be incomplete when read. There have been a few posts about this quite recently.

On 29 Apr 2014 20:17, Timo Buhrmester <fstd.lkml at gmail.com> wrote:
> poll
Solves a different problem

> inotify
Linux specific

(is my guess for why this isn't done)

   Timo


From davidj at nkcc.org.uk  Tue Apr 29 12:50:24 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Tue, 29 Apr 2014 13:50:24 +0100
Subject: [Dnsmasq-discuss] dnsmasq using 100% cpu on router
In-Reply-To: <535E9198.3080201@thekelleys.org.uk>
References: <CAJ-gf5DEsMq5QR_r-mC1aHFUysNH53SB_z7wizoUwrLPWWbuvg@mail.gmail.com>
 <5358F870.4050006@thekelleys.org.uk>
 <CAJ-gf5AP+jFS7Vky1Aj7bd=hzO9wfhGyGq4GzzyB=qCxaZRPmg@mail.gmail.com>
 <53596AE0.3070906@thekelleys.org.uk>
 <53597063.4020608@darbyshire-bryant.me.uk>
 <CAJ-gf5CTZOSsBuv+sSq+sD_Y7VJ=LV1efnV_WvndEzH33FzmEQ@mail.gmail.com>
 <535E38F9.5000709@darbyshire-bryant.me.uk>
 <535E9198.3080201@thekelleys.org.uk>
Message-ID: <CAJ-gf5DVGJnxxroTXPRpzdKwNdThOjfe=T-YBAKmi=ak0OHfXQ@mail.gmail.com>

Thanks Simon.

In your earlier message you said you thought this is probably dhcp related.
I did manage to retrieve some logs from the time of the problem and there
was a great deal of dhcp happening on the network at the time. I haven't
had time to go over them yet but I can see repeated dhcp requests from the
same clients over and over again and often only a few minutes (or less)
apart. Our network is only lightly loaded at the moment and I can't
reproduce the problem on any client. Does this sound like the same bug?
Would the logs be useful to you?

Cheers

David


On 28 April 2014 18:36, Simon Kelley <simon at thekelleys.org.uk> wrote:

> Note that this bug appears to be a hard lockup.
>
> https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1313393
>
> investigations are continuing.....
>
>
> Simon.
>
>
>
>
> On 28/04/14 12:18, Kevin Darbyshire-Bryant wrote:
> > On 25/04/2014 09:37, David Joslin wrote:
> >> Hi Kevin and thanks for the help.
> >>
> > Apologies for delay in reply.
> >> Is it possible to upgrade the dnsmasq version on the router without
> >> waiting for the author of the tomato firmware to include a later
> >> version in a release of his firmware (and you mentioned that dnsmasq
> >> in tomato isn't a clean pull of Simon's release)?
> > Probably, but as you'd have to cross compile it to MIPS and 'Tomato'
> > environment you might as well try to rebuild the entire firmware.  I
> > loosely 'maintain' a shadow of Simon's git repo of dnsmasq with the
> > Tomato/Asuswrt tweaks here
> > https://github.com/kdarbyshirebryant/dnsmasq   - No guarantees etc etc,
> > but I personally try to keep up to date with both 'Merlin's
> > Asuswrt/rmerlin and put current dnsmasq in there too.
> >>
> >> Why would changing the location of the leasefile to a usb stick make a
> >> difference? If the issue, as Simon suggests, is caused by the constant
> >> rewriting of the lease database, then wouldn't its current location
> >> (which on a router would be RAM) be a faster/better option than a usb
> >> stick? Or is there another possible issue here that I've missed?
> > Agree, RAM should be faster but there is a finite amount of it and it's
> > volatile...I quite like to store the database on something that survives
> > reboots.  Also, as tomato is compiled with 'no rtc', the code tries to
> > minimise the number of writes to the leasefile on the basis it thinks it
> > likely that flash memory is involved, so better to reduce the wear.
> >>
> >> The only recent change I've made to the router was the addition of a
> >> usb stick as the location for the writing of system logs and bandwidth
> >> and IP traffic usage logs (so that they weren't lost on a reboot). I
> >> had wondered if the cause of the problem was related to the speed of
> >> writing this stuff (which obviously includes dnsmasq logging) to the
> >> usb stick rather than RAM. That's why I turned off dnsmasq logging at
> >> one point but it didn't seem to make any difference.
> >>
> >> Thanks again for your help and I'll wait for your comments on the above.
> > I'm not sure I've helped really.
> >
> > Kevin
> >
> >
> >
>

From simon at thekelleys.org.uk  Tue Apr 29 13:22:27 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue, 29 Apr 2014 14:22:27 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <20140428232459.GA55372@redoubt.spodhuis.org>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
 <535EACCB.7090104@thekelleys.org.uk>
 <20140428232459.GA55372@redoubt.spodhuis.org>
Message-ID: <535FA793.8020502@thekelleys.org.uk>

On 29/04/14 00:24, Phil Pennock wrote:
> On 2014-04-28 at 20:32 +0100, Simon Kelley wrote:
>> On 28/04/14 19:56, Dave Taht wrote:
>>> I see A and AAAA requests for "ds.test-ipv6.com" that fail.
>>
>> The root of this failure is that DS ds.test-ipv6.com is broken.
>>
>>  <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 ds ds.test-ipv6.com
> 
>> The latest fix I made (when the SERVFAIL reply comes, try the next
>> possible secure-nonexistent DS record at test-ipv6.com) works sometimes,
>> but the query above is taking long enough to fail that sometimes the
>> original requestor has timed out before it gets the answer and tries again.
> 
> Er, DS records are authoritative in the parent domain and are equivalent
> to glue; they are not expected to exist below the zone cut.
> 
> This is why you'll get results from:
> 
>     $ dig -t ds spodhuis.org @a2.org.afilias-nst.info
> 
> but a NOERROR from:
> 
>     $ dig -t ds spodhuis.org @nsauth.spodhuis.org

A NOERROR answer from the authoritative server for test-ipv6.com would
be fine. What actually happens is no answer at all and a timeout (or a
closed TCP connection if TCP is used.)


It's maybe worth expanding on what we're trying to do here. The original
query is "A ds.test-ipv6.com". The answer to that comes back fine, but
there are no RRSIGs proving that that answer is good. Now we have to
distinguish between no signatures because the domain isn't signed, and
no signatures because the answer has come from the Bad Guys.

To do that, we need to find proof (NSEC or NSEC3 records) that a DS
doesn't exist somewhere between ds.test-ipv6.com and the root. Bear in
mind that dnsmasq is a DNS forwarder, not a recursive DNS server, so it
doesn't know where the zone cuts are.

The current strategy is to start at ds.test-ipv6.com and do DS queries.
There are three possible results.

unsigned NOERROR -> chop one label off the RHS and repeat
DS record        -> definite Bad Guy activity, return BOGUS
signed no DS record -> we expect unsigned original answer, return
INSECURE result.


The other alternative approach is to start from the root and add labels,
but that has a problem.

Consider

department.campus.university.edu

where there are zone cuts between university and edu and between
department and campus.

All the zones are signed, so if we look up something under .department,
we expect a signature, if we don't get it, we check

DS .edu gives an answer
DS university.edu gives secure NODATA

secure no DS means that the original unsigned answer should be accepted,
except that it shouldn't. There's no way to distinguish between secure
lack of DS because we've reached an unsigned branch of the tree, and
secure lack of DS because we're not at a zone cut, except if we know
where the zone cuts are, and we don't.


That's why dnsmasq works up from the bottom. The first secure no-DS
answer we find marks the boundary between signed and unsigned tree.

Dnsmasq is acting as a validating stub resolver here. That's a supported
role for DNSSEC, so this must be possible. If it's not then we have a
standards problem.


> 
> An NS query for "ds.test-ipv6.com" gives "test-ipv6.com", so that is the
> zone cut, so it's in the COM. zone that you should expect to find any DS
> records for "test-ipv6.com" and there's no need for a DS for anything
> below that unless there's also a zone cut, in which case there's a DS at
> the delegation point.
Doing NS queries to find zone cuts is a possible solution, but I know of
ISP nameservers that elide the Authority section for "performance".


Simon.

> 
> RFC 4033:
> ----------------------------8< cut here >8------------------------------
> 3.1.  Data Origin Authentication and Data Integrity
> [...]
>    The Delegation Signer (DS) RR type simplifies some of the
>    administrative tasks involved in signing delegations across
>    organizational boundaries.  The DS RRset resides at a delegation
>    point in a parent zone and indicates the public key(s) corresponding
>    to the private key(s) used to self-sign the DNSKEY RRset at the
>    delegated child zone's apex.  The administrator of the child zone, in
>    turn, uses the private key(s) corresponding to one or more of the
>    public keys in this DNSKEY RRset to sign the child zone's data.  The
>    typical authentication chain is therefore
>    DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
>    DS->DNSKEY subchains.  DNSSEC permits more complex authentication
>    chains, such as additional layers of DNSKEY RRs signing other DNSKEY
>    RRs within a zone.
> ----------------------------8< cut here >8------------------------------
> 
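The DS walk described in the message above, as an added example that is not dnsmasq's own code: a mock authoritative side that knows the zone cuts answers each DS query with only the three outcomes the message lists, and the bottom-up and top-down walks are run against constructed layouts for test-ipv6.com and department.campus.university.edu. The zone layouts, the host name under the department zone, and the function names are assumptions made for the example.

```python
"""Simulation of a validating stub classifying an unsigned answer by DS
queries.  Not dnsmasq's code: the zone layouts and the mock responses are
constructed for this example and use only the three outcomes the message
lists (unsigned NOERROR, DS record, signed no DS)."""
from enum import Enum


class DS(Enum):
    UNSIGNED = "unsigned NOERROR"    # no RRSIG, no NSEC: the answering zone is unsigned
    PRESENT = "DS record"            # a signed parent delegates to a signed child
    SECURE_NODATA = "signed no DS"   # NSEC/NSEC3 proves the signed parent holds no DS here


class Verdict(Enum):
    INSECURE = "INSECURE"  # answer lies in an unsigned part of the tree
    BOGUS = "BOGUS"        # a signature was required and is missing


# Constructed zone layouts: zone apex -> is the zone signed?  ("" is the
# root, which the resolver trusts through its trust anchor.)
ZONES_TEST_IPV6 = {"": True, "com": True, "test-ipv6.com": False}
ZONES_EDU = {"": True, "edu": True, "university.edu": True,
             "department.campus.university.edu": True}


def parent(name):
    return name.split(".", 1)[1] if "." in name else ""


def enclosing_zone(name, zones):
    """Apex of the zone containing name (the server side knows the cuts)."""
    while name not in zones:
        name = parent(name)
    return name


def ds_query(name, zones):
    """Mock authoritative answer to 'DS <name>'.  A DS RRset lives in the
    parent zone, so the holder is the zone enclosing the parent name."""
    holder = enclosing_zone(parent(name), zones)
    if not zones[holder]:
        return DS.UNSIGNED
    if name in zones and zones[name]:
        return DS.PRESENT
    # Signed holder but no DS: either name is a cut to an unsigned child or
    # name is not a cut at all.  The resolver gets the same answer either way.
    return DS.SECURE_NODATA


def walk_bottom_up(qname, zones, trace):
    """Strategy from the message: start at the query name, move toward root."""
    name = qname
    while name:
        result = ds_query(name, zones)
        trace.append((name, result))
        if result is DS.PRESENT:
            return Verdict.BOGUS      # signed zone below here: an RRSIG was required
        if result is DS.SECURE_NODATA:
            return Verdict.INSECURE   # first secure no-DS marks the signed/unsigned boundary
        name = parent(name)           # unsigned NOERROR: drop one label and repeat
    return Verdict.BOGUS              # reached the root without any secure answer


def walk_top_down(qname, zones, trace):
    """The rejected alternative: start at the TLD and add labels."""
    labels = qname.split(".")
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:])
        result = ds_query(name, zones)
        trace.append((name, result))
        if result is not DS.PRESENT:
            # A secure no-DS looks like the end of the signed tree, so the
            # walk stops here even when a signed zone exists further down.
            return Verdict.INSECURE if result is DS.SECURE_NODATA else Verdict.BOGUS
    return Verdict.BOGUS              # qname itself is a signed cut: an RRSIG was required


if __name__ == "__main__":
    cases = [(ZONES_TEST_IPV6, "ds.test-ipv6.com", walk_bottom_up),
             (ZONES_EDU, "host.department.campus.university.edu", walk_top_down)]
    for zones, qname, walk in cases:
        trace = []
        verdict = walk(qname, zones, trace)
        print(qname, walk.__name__, verdict.value)
        for name, result in trace:
            print("   DS", name, "->", result.value)
```

For the constructed .edu layout the top-down walk stops at campus.university.edu with a secure no-DS and returns INSECURE, although the queried name sits inside the signed department.campus.university.edu zone; that is the ambiguity the message describes.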



From dave.taht at gmail.com  Wed Apr 30 17:26:21 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Wed, 30 Apr 2014 10:26:21 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <20140429205757.GA70801@redoubt.spodhuis.org>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
 <535EACCB.7090104@thekelleys.org.uk>
 <20140428232459.GA55372@redoubt.spodhuis.org>
 <535FA793.8020502@thekelleys.org.uk>
 <20140429205757.GA70801@redoubt.spodhuis.org>
Message-ID: <CAA93jw7O8btE9nUuRVJpcU+QVyENRv5mAFax5BCwdk3pR0QvRw@mail.gmail.com>

On Tue, Apr 29, 2014 at 1:57 PM, Phil Pennock
<cerowrt-devel+phil at spodhuis.org> wrote:
> On 2014-04-29 at 14:22 +0100, Simon Kelley wrote:
>> secure no DS means that the original unsigned answer should be accepted,
>> except that it shouldn't. There's no way to distinguish between secure
>> lack of DS because we've reached an unsigned branch of the tree, and
>> secure lack of DS because we're not at a zone cut, except if we know
>> where the zone cuts are, and we don't.
>
> Fair point.
>
>> That's why dnsmasq works up from the bottom. The first secure no-DS
>> answer we find marks the boundary between signed and unsigned tree.
>>
>> Dnsmasq is acting as a validating stub resolver here. That's a supported
>> role for DNSSEC, so this must be possible. If it's not then we have a
>> standards problem.
>
> You have a standards vs reality problem: lots of loadbalancer appliances
> suck at DNS and are only just now managing to return errors, instead of
> dropping the query (hanging), when queried for AAAA records instead of A
> records.
>
> ( This has led to no end of pain in the IPv6 world; Happy Eyeballs,
>   expectations around improved _client_ behaviour, handle other parts of
>   the puzzle and tends to require the concurrency that a client also
>   needs to handle DNS problems, but it's still distinct. )
>
> You're not going to get such loadbalancers responding sanely to a DS
> query any time soon, and with the other DNS client software all being
> recursors which work fine because they know where zone cuts are, you're
> going to be fighting a long hard battle with vendors and sites to get
> them to fix their brokenness when "it works for everyone else".
>
> So the standards 100% support what you're doing, but they don't match
> common stupidity in deployed (high end, expensive) equipment.

The only idea I have is to adopt some sort of whitelisting technology,
and simultaneously nag the folk with busted implementations.

>
> To support DNSSEC in the real world without changing from being a
> forwarder, you're going to need new insight.  My only thoughts are
> around whether or not this might provide impetus for TKEY-based TSIG for
> forwarders to establish trust links to recursors elsewhere, in which
> case once you have a TSIG key (whether TKEY-derived or OOB manual) then
> you might delegate trust to the remote recursor.

I see there have been a few commits to dnsmasq that address some stuff.

>
> Sorry to be the bearer of bad news,

I'm delighted to have got this far.

Is the consensus to not run with negative proofs on at this juncture?

> -Phil



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From simon at thekelleys.org.uk  Thu May  1 18:35:12 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 01 May 2014 19:35:12 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <20140429205757.GA70801@redoubt.spodhuis.org>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
 <535EACCB.7090104@thekelleys.org.uk>
 <20140428232459.GA55372@redoubt.spodhuis.org>
 <535FA793.8020502@thekelleys.org.uk>
 <20140429205757.GA70801@redoubt.spodhuis.org>
Message-ID: <536293E0.6070508@thekelleys.org.uk>

On 29/04/14 21:57, Phil Pennock wrote:
> On 2014-04-29 at 14:22 +0100, Simon Kelley wrote:
>> secure no DS means that the original unsigned answer should be accepted,
>> except that it shouldn't. There's no way to distinguish between secure
>> lack of DS because we've reached an unsigned branch of the tree, and
>> secure lack of DS because we're not at a zone cut, except if we know
>> where the zone cuts are, and we don't.
> 
> Fair point.
> 
>> That's why dnsmasq works up from the bottom. The first secure no-DS
>> answer we find marks the boundary between signed and unsigned tree.
>>
>> Dnsmasq is acting as a validating stub resolver here. That's a supported
>> role for DNSSEC, so this must be possible. If it's not then we have a
>> standards problem.
> 
> You have a standards vs reality problem: lots of loadbalancer appliances
> suck at DNS and are only just now managing to return errors, instead of
> dropping the query (hanging), when queried for AAAA records instead of A
> records.
> 
> ( This has led to no end of pain in the IPv6 world; Happy Eyeballs,
>   expectations around improved _client_ behaviour, handle other parts of
>   the puzzle and tends to require the concurrency that a client also
>   needs to handle DNS problems, but it's still distinct. )
> 
> You're not going to get such loadbalancers responding sanely to a DS
> query any time soon, and with the other DNS client software all being
> recursors which work fine because they know where zone cuts are, you're
> going to be fighting a long hard battle with vendors and sites to get
> them to fix their brokenness when "it works for everyone else".

A valid point, but "every leaf system has to be a recursor" is not a
pleasant outcome of widely implementing DNSSEC. I wonder, do the
browser-based validators suffer from this, or are they recursors under
the hood? This is a judgement for integrators, not for me, but if
there's anything widely deployed enough to act as a lever to get this
fixed, it's dnsmasq.

> 
> So the standards 100% support what you're doing, but they don't match
> common stupidity in deployed (high end, expensive) equipment.
> 
> To support DNSSEC in the real world without changing from being a
> forwarder, you're going to need new insight.  My only thoughts are
> around whether or not this might provide impetus for TKEY-based TSIG for
> forwarders to establish trust links to recursors elsewhere, in which
> case once you have a TSIG key (whether TKEY-derived or OOB manual) then
> you might delegate trust to the remote recursor.

That's nice, but it needs recursors to play ball too, so it's even
further into the indefinite future than what we have now.
> 
> Sorry to be the bearer of bad news,

Better to know.


Cheers,

Simon.

> -Phil
> 



From simon at thekelleys.org.uk  Thu May  1 18:37:21 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 01 May 2014 19:37:21 +0100
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <CAA93jw7O8btE9nUuRVJpcU+QVyENRv5mAFax5BCwdk3pR0QvRw@mail.gmail.com>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
 <535EACCB.7090104@thekelleys.org.uk>
 <20140428232459.GA55372@redoubt.spodhuis.org>
 <535FA793.8020502@thekelleys.org.uk>
 <20140429205757.GA70801@redoubt.spodhuis.org>
 <CAA93jw7O8btE9nUuRVJpcU+QVyENRv5mAFax5BCwdk3pR0QvRw@mail.gmail.com>
Message-ID: <53629461.6020500@thekelleys.org.uk>

On 30/04/14 18:26, Dave Taht wrote:
> On Tue, Apr 29, 2014 at 1:57 PM, Phil Pennock
> <cerowrt-devel+phil at spodhuis.org> wrote:
>> On 2014-04-29 at 14:22 +0100, Simon Kelley wrote:
>>> secure no DS means that the original unsigned answer should be accepted,
>>> except that it shouldn't. There's no way to distinguish between secure
>>> lack of DS because we've reached an unsigned branch of the tree, and
>>> secure lack of DS because we're not at a zone cut, except if we know
>>> where the zone cuts are, and we don't.
>>
>> Fair point.
>>
>>> That's why dnsmasq works up from the bottom. The first secure no-DS
>>> answer we find marks the boundary between signed and unsigned tree.
>>>
>>> Dnsmasq is acting as a validating stub resolver here. That's a supported
>>> role for DNSSEC, so this must be possible. If it's not then we have a
>>> standards problem.
>>
>> You have a standards vs reality problem: lots of loadbalancer appliances
>> suck at DNS and are only just now managing to return errors, instead of
>> dropping the query (hanging), when queried for AAAA records instead of A
>> records.
>>
>> ( This has led to no end of pain in the IPv6 world; Happy Eyeballs,
>>   expectations around improved _client_ behaviour, handle other parts of
>>   the puzzle and tends to require the concurrency that a client also
>>   needs to handle DNS problems, but it's still distinct. )
>>
>> You're not going to get such loadbalancers responding sanely to a DS
>> query any time soon, and with the other DNS client software all being
>> recursors which work fine because they know where zone cuts are, you're
>> going to be fighting a long hard battle with vendors and sites to get
>> them to fix their brokenness when "it works for everyone else".
>>
>> So the standards 100% support what you're doing, but they don't match
>> common stupidity in deployed (high end, expensive) equipment.
> 
> The only idea I have is to adopt some sort of whitelisting technology,
> and simultaneously nag the folk with busted implementations.
> 
>>
>> To support DNSSEC in the real world without changing from being a
>> forwarder, you're going to need new insight.  My only thoughts are
>> around whether or not this might provide impetus for TKEY-based TSIG for
>> forwarders to establish trust links to recursors elsewhere, in which
>> case once you have a TSIG key (whether TKEY-derived or OOB manual) then
>> you might delegate trust to the remote recursor.
> 
> I see there have been a few commits to dnsmasq that address some stuff.
> 
>>
>> Sorry to be the bearer of bad news,
> 
> I'm delighted to have got this far.
> 
> Is the consensus to not run with negative proofs on at this juncture?

If you want stuff to just work, turn off negative proofs, if you want to
push the envelope, leave them on and complain to domain-admins.

I had some feeling that something like this might be a problem, hence
the discrete controls.


Cheers,

Simon

> 
>> -Phil
> 
> 
> 



From dave.taht at gmail.com  Thu May  1 22:27:20 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Thu, 1 May 2014 15:27:20 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
 Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <B4ED81EB-88F3-4A89-85BA-5DD89969879D@gmail.com>
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
 <535EACCB.7090104@thekelleys.org.uk>
 <20140428232459.GA55372@redoubt.spodhuis.org>
 <535FA793.8020502@thekelleys.org.uk>
 <20140429205757.GA70801@redoubt.spodhuis.org>
 <CAA93jw7O8btE9nUuRVJpcU+QVyENRv5mAFax5BCwdk3pR0QvRw@mail.gmail.com>
 <53629461.6020500@thekelleys.org.uk>
 <B4ED81EB-88F3-4A89-85BA-5DD89969879D@gmail.com>
Message-ID: <CAA93jw4cHeMKN_N8H8E53a+KOhMGi_5sTd58u8O0q6p66XqjsA@mail.gmail.com>

On Thu, May 1, 2014 at 1:26 PM, Rich Brown <richb.hanover at gmail.com> wrote:
>
> On May 1, 2014, at 2:37 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
>> On 30/04/14 18:26, Dave Taht wrote:
>>> On Tue, Apr 29, 2014 at 1:57 PM, Phil Pennock
>>> <cerowrt-devel+phil at spodhuis.org> wrote:
>
> snip, snip snip...
>
>>> Is the consensus to not run with negative proofs on at this juncture?
>>
>> If you want stuff to just work, turn off negative proofs, if you want to
>> push the envelope, leave them on and complain to domain-admins.
>>
>> I had some feeling that something like this might be a problem, hence
>> the discrete controls.
>
> I apologize that I haven't been following this closely, but so I'm going to ask a TL;DR question.
>
> Which places in the OpenWrt/CeroWrt GUI (or the config files) do I use to wiggle these levers?

There is no gui support as yet. Enablement is via /etc/dnsmasq.conf

I disabled (commented out) the negative proof checks in the 3.10.38-2 release.

> Thanks!
>
> Rich



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From cloos at jhcloos.com  Fri May  2 16:40:16 2014
From: cloos at jhcloos.com (James Cloos)
Date: Fri, 02 May 2014 12:40:16 -0400
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Problems with DNSsec on
	Comcast, with Cero 3.10.38-1/DNSmasq 4-26-2014
In-Reply-To: <536293E0.6070508@thekelleys.org.uk> (Simon Kelley's message of
 "Thu, 01 May 2014 19:35:12 +0100")
References: <CAGhGL2BeuvR4bNqWbTF5FfNnwW0LC28-z_MJsCQLpb8izHK2oA@mail.gmail.com>
 <CAA93jw6ukYcBSEdubFbqoT20MdLLdXHZUbU6Hq+gLWNCaCTY6Q@mail.gmail.com>
 <CAA93jw4D790r=UD0uKjfWZ2vDGO6u+dQG0GdYXbPXrTeiZWxYw@mail.gmail.com>
 <CAA93jw6+sfWqiLc3LgyNufRixUz_f9TCSpxf+aGoLo0cq-PZWw@mail.gmail.com>
 <535EACCB.7090104@thekelleys.org.uk>
 <20140428232459.GA55372@redoubt.spodhuis.org>
 <535FA793.8020502@thekelleys.org.uk>
 <20140429205757.GA70801@redoubt.spodhuis.org>
 <536293E0.6070508@thekelleys.org.uk>
Message-ID: <m37g643zhy.fsf@carbon.jhcloos.org>

>>>>> "SK" == Simon Kelley <simon at thekelleys.org.uk> writes:

SK> A valid point, but "every leaf system has to be a recursor" is not a
SK> pleasant outcome of widely implementing DNSSEC.

From a security POV, every system needs its own local verifier, and every
administrative domain needs its own recursor.  Optimally every system will
have its own validating recursor.

SK> I wonder, do the browser-based validators suffer from this, or are
SK> they recursors under the hood?

They are full validating recursors.  Often using libunbound to do the
heavy lifting.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6


From ms at mike2k.de  Sat May  3 18:44:30 2014
From: ms at mike2k.de (Michael Stilkerich)
Date: Sat, 03 May 2014 20:44:30 +0200
Subject: [Dnsmasq-discuss] ra-names without router advertisements
Message-ID: <2815f2d1bdb6d798eb54680f45a6b06e@www.mike2k.de>

Hi,

   I'd like to use dnsmasq as DNS and DHCP(v6) server on my home network. 
The box running dnsmasq is not the router; the router is a box provided 
by my internet provider that does router advertisements with the A flag 
set. The dnsmasq box gets the IPv6 prefix from the router advertisements 
of the router.

I'd also like dnsmasq to answer AAAA-DNS requests for my local hosts. 
For this, the ra-names seemed useful, since I'd be fine with all my 
hosts using SLAAC only. However, setting the ra-names options also 
causes dnsmasq to advertise the box it's running on as the router, which 
it isn't.

Is there a technical reason/requirement that ra-names turns on the 
router advertisements?

Thanks,
   -Mike

Here's my config:

domain-needed
bogus-priv
no-resolv
server=192.168.0.4
interface=eth0
domain=mylocaldomain.de

# DHCPv4, static and dynamic range
dhcp-range=192.168.0.50,192.168.0.250,255.255.255.0,12h
dhcp-range=192.168.0.1,192.168.0.49,static,255.255.255.0,12h
read-ethers
dhcp-option=option:router,192.168.0.4

# DHCPv6
dhcp-range=::1,::ffff:ffff:ffff:ffff,constructor:eth0,ra-names
dhcp-option=option6:dns-server,[::]

dhcp-authoritative



From simon at thekelleys.org.uk  Sun May  4 20:53:00 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 04 May 2014 21:53:00 +0100
Subject: [Dnsmasq-discuss] ra-names without router advertisements
In-Reply-To: <2815f2d1bdb6d798eb54680f45a6b06e@www.mike2k.de>
References: <2815f2d1bdb6d798eb54680f45a6b06e@www.mike2k.de>
Message-ID: <5366A8AC.1060401@thekelleys.org.uk>

On 03/05/14 19:44, Michael Stilkerich wrote:
> Hi,
> 
>   I'd like to use dnsmasq as DNS and DHCP(v6) server on my home network.
> The box running dnsmasq is not the router; the router is a box provided
> by my internet provider that does router advertisements with the A flag
> set. The dnsmasq box gets the IPv6 prefix from the router advertisements
> of the router.
> 
> I'd also like dnsmasq to answer AAAA-DNS requests for my local hosts.
> For this, the ra-names seemed useful, since I'd be fine with all my
> hosts using SLAAC only. However, setting the ra-names options also
> causes dnsmasq to advertise the box it's running on as the router, which
> it isn't.
> 
> Is there a technical reason/requirement that ra-names turns on the
> router advertisements?


There _may_ be. When a host gets a DHCPv4 lease, dnsmasq sends ICMPv6
pings and gratuitous RAs whilst it's verifying that the host is using
the expected IPv6 address. Since the host is likely to send its own
requests to RAs when it arrives on a network, this process will probably
work without being able to trigger gratuitous RAs, but that's never been
tested.

Cheers,

Simon.

> 
> Thanks,
>   -Mike
> 
> Here's my config:
> 
> domain-needed
> bogus-priv
> no-resolv
> server=192.168.0.4
> interface=eth0
> domain=mylocaldomain.de
> 
> # DHCPv4, static and dynamic range
> dhcp-range=192.168.0.50,192.168.0.250,255.255.255.0,12h
> dhcp-range=192.168.0.1,192.168.0.49,static,255.255.255.0,12h
> read-ethers
> dhcp-option=option:router,192.168.0.4
> 
> # DHCPv6
> dhcp-range=::1,::ffff:ffff:ffff:ffff,constructor:eth0,ra-names
> dhcp-option=option6:dns-server,[::]
> 
> dhcp-authoritative
> 
> 
> 



From larkwang at gmail.com  Thu May  8 12:47:21 2014
From: larkwang at gmail.com (Wang Jian)
Date: Thu, 8 May 2014 20:47:21 +0800
Subject: [Dnsmasq-discuss] Failed to lookup names randomly
Message-ID: <CAF75rJCCpq5UraqGHupF1Q=45dH5EaNPF+WeXZ5Tcss1GJRKxQ@mail.gmail.com>

As I said earlier, I have a dnsmasq setup in a 150 clients environment.  We
are running debian package 2.70-1 built from git.

These few days, we frequently have name lookup failure. I have no
conclusion by now, but I suspect cache code is involved.

A log segment

<colleague A in my team visit this site in browser>
May  8 18:51:30 dnsmasq[22631]: query[A] www.iciba.com from 10.2.3.102
May  8 18:51:30 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
May  8 18:51:30 dnsmasq[22631]: query[A] goto.www.iciba.com from 10.2.3.102
May  8 18:51:30 dnsmasq[22631]: forwarded goto.www.iciba.com to
114.114.114.114
May  8 18:51:30 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
May  8 18:51:30 dnsmasq[22631]: reply goto.www.iciba.com is <CNAME>
< browser failed to load the page, dns query failed >

<colleague B in my team visit this site by click url provided by A>
May  8 18:52:23 dnsmasq[22631]: query[A] www.iciba.com from 10.2.1.194
May  8 18:52:23 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
May  8 18:52:23 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32

<colleague A tried again>
May  8 18:52:39 dnsmasq[22631]: query[A] www.iciba.com from 10.2.3.102
May  8 18:52:39 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
May  8 18:52:39 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
<this time page load successfully>

May  8 18:53:03 dnsmasq[22631]: query[A] goto.www.iciba.com from 10.2.3.102
May  8 18:53:03 dnsmasq[22631]: forwarded goto.www.iciba.com to
114.114.114.114
May  8 18:53:03 dnsmasq[22631]: reply goto.www.iciba.com is <CNAME>

<the following is I test from the router itself, by running 'host' and
'dig'>

May  8 19:59:00 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 19:59:00 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
May  8 19:59:00 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
May  8 19:59:04 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 19:59:04 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
May  8 19:59:04 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
May  8 19:59:06 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 19:59:06 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
May  8 19:59:08 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 19:59:08 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
May  8 19:59:12 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 19:59:12 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
May  8 19:59:13 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 19:59:13 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
May  8 19:59:15 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 19:59:15 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
May  8 20:00:22 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
May  8 20:00:22 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
May  8 20:00:22 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32


The last 8  'dig' return (look at the TTL)

www.iciba.com.          557     IN      A       58.68.226.32
www.iciba.com.          552     IN      A       58.68.226.32
www.iciba.com.          550     IN      A       58.68.226.32
www.iciba.com.          548     IN      A       58.68.226.32
www.iciba.com.          544     IN      A       58.68.226.32
www.iciba.com.          543     IN      A       58.68.226.32
www.iciba.com.          541     IN      A       58.68.226.32
www.iciba.com.          475     IN      A       58.68.226.32



The following is an earlier log, from when I looked up a name from the router and
was given an unresolvable name.


root at b10gw:~# host en.cppreference.com
Host en.cppreference.com not found: 2(SERVFAIL)
root at b10gw:~# host en.cppreference.com
Host en.cppreference.com not found: 2(SERVFAIL)
root at b10gw:~# host en.cppreference.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

en.cppreference.com has address 74.114.88.128
root at b10gw:~# host en.cppreference.com
Host en.cppreference.com not found: 2(SERVFAIL)
root at b10gw:~# host en.cppreference.com
en.cppreference.com has address 74.114.88.128
root at b10gw:~# host en.cppreference.com
en.cppreference.com has address 74.114.88.128
root at b10gw:~# host en.cppreference.com
en.cppreference.com has address 74.114.88.128
root at b10gw:~# host en.cppreference.com
en.cppreference.com has address 74.114.88.128
root at b10gw:~# host en.cppreference.com
en.cppreference.com has address 74.114.88.128
root at b10gw:~# host en.cppreference.com
en.cppreference.com has address 74.114.88.128



May  8 17:49:15 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:15 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:15 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:15 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:15 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:15 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:17 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:17 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:17 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:17 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:17 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:17 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:24 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:24 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:24 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:24 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:24 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:24 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:26 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:26 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:26 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:26 dnsmasq[17390]: reply en.cppreference.com is NODATA-IPv6
May  8 17:49:26 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:27 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:27 dnsmasq[17390]: cached en.cppreference.com is 74.114.88.128
May  8 17:49:27 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
May  8 17:49:27 dnsmasq[17390]: cached en.cppreference.com is NODATA-IPv6
May  8 17:49:27 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
May  8 17:49:27 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:32 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:32 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:32 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:32 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
May  8 17:49:32 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:32 dnsmasq[17390]: reply en.cppreference.com is NODATA-IPv6
May  8 17:49:32 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
May  8 17:49:32 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:33 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:33 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:33 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:33 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
May  8 17:49:33 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:33 dnsmasq[17390]: reply en.cppreference.com is NODATA-IPv6
May  8 17:49:33 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
May  8 17:49:33 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:33 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.1.194
May  8 17:49:33 dnsmasq[17390]: cached en.cppreference.com is 74.114.88.128

From larkwang at gmail.com  Fri May  9 06:31:48 2014
From: larkwang at gmail.com (Wang Jian)
Date: Fri, 9 May 2014 14:31:48 +0800
Subject: [Dnsmasq-discuss] Failed to lookup names randomly
In-Reply-To: <CAF75rJCCpq5UraqGHupF1Q=45dH5EaNPF+WeXZ5Tcss1GJRKxQ@mail.gmail.com>
References: <CAF75rJCCpq5UraqGHupF1Q=45dH5EaNPF+WeXZ5Tcss1GJRKxQ@mail.gmail.com>
Message-ID: <CAF75rJDuVUL8Hj9ktJYxS5ufWfUMGA+kSWbD+yMRAL-X6+a5Wg@mail.gmail.com>

Just now, I refreshed the store.apple.com page but it failed; I retried several
times and it loaded. The following is the relevant log.

May  9 14:09:36 dnsmasq[22631]: query[A] store.apple.com from 10.2.3.178
May  9 14:09:36 dnsmasq[22631]: forwarded store.apple.com to 114.114.114.114
May  9 14:09:36 dnsmasq[22631]: reply store.apple.com is <CNAME>
May  9 14:09:36 dnsmasq[22631]: reply store.apple.com.edgekey.net is <CNAME>
May  9 14:09:36 dnsmasq[22631]: reply store.apple.com.edgekey.net.globalredir.akadns.net is <CNAME>
May  9 14:09:36 dnsmasq[22631]: reply e2850.ca2.s.tl88.net is 183.61.92.118
May  9 14:09:37 dnsmasq[22631]: query[A] store.apple.com from 10.2.3.178
May  9 14:09:37 dnsmasq[22631]: forwarded store.apple.com to 114.114.114.114
May  9 14:09:37 dnsmasq[22631]: reply store.apple.com is <CNAME>
May  9 14:09:37 dnsmasq[22631]: reply store.apple.com.edgekey.net is <CNAME>
May  9 14:09:37 dnsmasq[22631]: reply store.apple.com.edgekey.net.globalredir.akadns.net is <CNAME>
May  9 14:09:37 dnsmasq[22631]: reply e2850.ca2.s.tl88.net is 183.61.92.118
May  9 14:09:38 dnsmasq[22631]: query[A] store.apple.com from 10.2.3.178
May  9 14:09:38 dnsmasq[22631]: forwarded store.apple.com to 114.114.114.114
May  9 14:09:38 dnsmasq[22631]: reply store.apple.com is <CNAME>
May  9 14:09:38 dnsmasq[22631]: reply store.apple.com.edgekey.net is <CNAME>
May  9 14:09:38 dnsmasq[22631]: reply store.apple.com.edgekey.net.globalredir.akadns.net is <CNAME>
May  9 14:09:38 dnsmasq[22631]: reply e2850.ca2.s.tl88.net is 183.61.92.118
May  9 14:09:39 dnsmasq[22631]: reply e7766.ca.s.tl88.net is 122.228.220.28
May  9 14:09:39 dnsmasq[22631]: query[A] store.apple.com from 10.2.3.178
May  9 14:09:39 dnsmasq[22631]: forwarded store.apple.com to 114.114.114.114
May  9 14:09:40 dnsmasq[22631]: reply store.apple.com is <CNAME>
May  9 14:09:40 dnsmasq[22631]: reply store.apple.com.edgekey.net is <CNAME>
May  9 14:09:40 dnsmasq[22631]: reply store.apple.com.edgekey.net.globalredir.akadns.net is <CNAME>
May  9 14:09:40 dnsmasq[22631]: reply e2850.ca2.s.tl88.net is 183.61.92.118


2014-05-08 20:47 GMT+08:00 Wang Jian <larkwang at gmail.com>:

> As I said earlier, I have a dnsmasq setup in a 150-client environment.
> We are running the Debian package 2.70-1 built from git.
>
> These past few days, we have frequently had name lookup failures. I have no
> conclusion yet, but I suspect the cache code is involved.
>
> A log segment
>
> <colleague A in my team visited this site in a browser>
> May  8 18:51:30 dnsmasq[22631]: query[A] www.iciba.com from 10.2.3.102
> May  8 18:51:30 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
> May  8 18:51:30 dnsmasq[22631]: query[A] goto.www.iciba.com from 10.2.3.102
> May  8 18:51:30 dnsmasq[22631]: forwarded goto.www.iciba.com to 114.114.114.114
> May  8 18:51:30 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
> May  8 18:51:30 dnsmasq[22631]: reply goto.www.iciba.com is <CNAME>
> <browser failed to load the page, DNS query failed>
>
> <colleague B in my team visited this site by clicking the URL provided by A>
> May  8 18:52:23 dnsmasq[22631]: query[A] www.iciba.com from 10.2.1.194
> May  8 18:52:23 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
> May  8 18:52:23 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
>
> <colleague A tried again>
> May  8 18:52:39 dnsmasq[22631]: query[A] www.iciba.com from 10.2.3.102
> May  8 18:52:39 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
> May  8 18:52:39 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
> <this time the page loaded successfully>
>
> May  8 18:53:03 dnsmasq[22631]: query[A] goto.www.iciba.com from 10.2.3.102
> May  8 18:53:03 dnsmasq[22631]: forwarded goto.www.iciba.com to 114.114.114.114
> May  8 18:53:03 dnsmasq[22631]: reply goto.www.iciba.com is <CNAME>
>
> <the following is my test from the router itself, running 'host' and
> 'dig'>
>
> May  8 19:59:00 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 19:59:00 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
> May  8 19:59:00 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
> May  8 19:59:04 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 19:59:04 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
> May  8 19:59:04 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
> May  8 19:59:06 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 19:59:06 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
> May  8 19:59:08 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 19:59:08 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
> May  8 19:59:12 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 19:59:12 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
> May  8 19:59:13 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 19:59:13 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
> May  8 19:59:15 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 19:59:15 dnsmasq[22631]: cached www.iciba.com is 58.68.226.32
> May  8 20:00:22 dnsmasq[22631]: query[A] www.iciba.com from 10.2.0.1
> May  8 20:00:22 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
> May  8 20:00:22 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
>
>
> The last 8 'dig' results (look at the TTL):
>
> www.iciba.com.          557     IN      A       58.68.226.32
> www.iciba.com.          552     IN      A       58.68.226.32
> www.iciba.com.          550     IN      A       58.68.226.32
> www.iciba.com.          548     IN      A       58.68.226.32
> www.iciba.com.          544     IN      A       58.68.226.32
> www.iciba.com.          543     IN      A       58.68.226.32
> www.iciba.com.          541     IN      A       58.68.226.32
> www.iciba.com.          475     IN      A       58.68.226.32
>
>
>
> The following is an earlier log, from when I looked up a name from the router and
> was given an unresolvable name.
>
>
> root at b10gw:~# host en.cppreference.com
> Host en.cppreference.com not found: 2(SERVFAIL)
> root at b10gw:~# host en.cppreference.com
> Host en.cppreference.com not found: 2(SERVFAIL)
> root at b10gw:~# host en.cppreference.com 8.8.8.8
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> en.cppreference.com has address 74.114.88.128
> root at b10gw:~# host en.cppreference.com
> Host en.cppreference.com not found: 2(SERVFAIL)
> root at b10gw:~# host en.cppreference.com
> en.cppreference.com has address 74.114.88.128
> root at b10gw:~# host en.cppreference.com
> en.cppreference.com has address 74.114.88.128
> root at b10gw:~# host en.cppreference.com
> en.cppreference.com has address 74.114.88.128
> root at b10gw:~# host en.cppreference.com
> en.cppreference.com has address 74.114.88.128
> root at b10gw:~# host en.cppreference.com
> en.cppreference.com has address 74.114.88.128
> root at b10gw:~# host en.cppreference.com
> en.cppreference.com has address 74.114.88.128
>
>
>
> May  8 17:49:15 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:15 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:15 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:15 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:15 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:15 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:17 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:17 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:17 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:17 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:17 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:17 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:24 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:24 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:24 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:24 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:24 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:24 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:26 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:26 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:26 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
> May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:26 dnsmasq[17390]: reply en.cppreference.com is NODATA-IPv6
> May  8 17:49:26 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
> May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:27 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:27 dnsmasq[17390]: cached en.cppreference.com is 74.114.88.128
> May  8 17:49:27 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
> May  8 17:49:27 dnsmasq[17390]: cached en.cppreference.com is NODATA-IPv6
> May  8 17:49:27 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
> May  8 17:49:27 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:32 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:32 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:32 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:32 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
> May  8 17:49:32 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:32 dnsmasq[17390]: reply en.cppreference.com is NODATA-IPv6
> May  8 17:49:32 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
> May  8 17:49:32 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:33 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
> May  8 17:49:33 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:33 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
> May  8 17:49:33 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
> May  8 17:49:33 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:33 dnsmasq[17390]: reply en.cppreference.com is NODATA-IPv6
> May  8 17:49:33 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
> May  8 17:49:33 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
> May  8 17:49:33 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.1.194
> May  8 17:49:33 dnsmasq[17390]: cached en.cppreference.com is 74.114.88.128
>
>
>
>
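Added example, not code from the thread or from dnsmasq: a small Python script that reads log-queries output like the segments in the two messages above, re-joins lines the mail archive wrapped, and reports the two things those logs show. First, queries that were forwarded but never got a reply or cached line (the MX lookups for en.cppreference.com); second, answers that stop at a bare <CNAME> with no address behind it (goto.www.iciba.com). The sample log is constructed from lines quoted in this thread. Matching by name and record type is a heuristic, because dnsmasq does not log a transaction id; the query types inferred from reply values (IPv4 address, NODATA-IPv6, <CNAME>) are the ones the logs above show.

```python
"""Correlate dnsmasq --log-queries output: find lookups that never got an
answer and CNAME chains that end without an address.

Added example for this thread; not part of dnsmasq. The log format is the
one dnsmasq writes (query[T]/forwarded/reply/cached lines). Correlation by
name and answer type is a heuristic: dnsmasq does not log a transaction id.
"""
import re
from collections import defaultdict, namedtuple

Query = namedtuple("Query", "ts qtype name client")

TS_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"(?P<verb>query\[(?P<qtype>[A-Z0-9]+)\]|forwarded|reply|cached) "
    r"(?P<name>\S+) (?:from|to|is) (?P<rest>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample modelled on the lines quoted in the thread, including
# three lines wrapped the way the mail archive wraps them.
SAMPLE_LOG = """\
May  8 18:51:30 dnsmasq[22631]: query[A] www.iciba.com from 10.2.3.102
May  8 18:51:30 dnsmasq[22631]: forwarded www.iciba.com to 114.114.114.114
May  8 18:51:30 dnsmasq[22631]: query[A] goto.www.iciba.com from
10.2.3.102
May  8 18:51:30 dnsmasq[22631]: forwarded goto.www.iciba.com to 114.114.114.114
May  8 18:51:30 dnsmasq[22631]: reply www.iciba.com is 58.68.226.32
May  8 18:51:30 dnsmasq[22631]: reply goto.www.iciba.com is <CNAME>
May  8 17:49:26 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:26 dnsmasq[17390]: reply en.cppreference.com is 74.114.88.128
May  8 17:49:26 dnsmasq[17390]: query[AAAA] en.cppreference.com from 10.2.0.1
May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to 114.114.114.114
May  8 17:49:26 dnsmasq[17390]: reply en.cppreference.com is NODATA-IPv6
May  8 17:49:26 dnsmasq[17390]: query[MX] en.cppreference.com from 10.2.0.1
May  8 17:49:26 dnsmasq[17390]: forwarded en.cppreference.com to
114.114.114.114
May  8 17:49:27 dnsmasq[17390]: query[A] en.cppreference.com from 10.2.0.1
May  8 17:49:27 dnsmasq[17390]: cached en.cppreference.com is 74.114.88.128
May  9 14:09:36 dnsmasq[22631]: query[A] store.apple.com from 10.2.3.178
May  9 14:09:36 dnsmasq[22631]: forwarded store.apple.com to 114.114.114.114
May  9 14:09:36 dnsmasq[22631]: reply store.apple.com is <CNAME>
May  9 14:09:36 dnsmasq[22631]: reply store.apple.com.edgekey.net is <CNAME>
May  9 14:09:36 dnsmasq[22631]: reply
store.apple.com.edgekey.net.globalredir.akadns.net is <CNAME>
May  9 14:09:36 dnsmasq[22631]: reply e2850.ca2.s.tl88.net is 183.61.92.118
"""


def unwrap(text):
    """Re-join lines a mail client wrapped: a line that does not start with a
    syslog timestamp is the continuation of the previous line."""
    out = []
    for line in text.splitlines():
        if TS_PREFIX.match(line) or not out:
            out.append(line.rstrip())
        else:
            out[-1] = out[-1] + " " + line.strip()
    return "\n".join(out)


def answer_type(value):
    """Map the value of a 'reply/cached <name> is <value>' line to the query
    type it satisfies; None means it could satisfy any type (NXDOMAIN etc.)."""
    if value == "NODATA-IPv4" or IPV4_RE.match(value):
        return "A"
    if value == "NODATA-IPv6" or ":" in value:
        return "AAAA"
    if value.startswith("<") and value.endswith(">"):
        return value[1:-1]          # <CNAME>, <MX>, <SRV>, ...
    return None


def settle(pending, name, atype):
    """Mark the oldest outstanding query for `name` that `atype` can satisfy
    as answered. None or CNAME satisfies a query of any type."""
    queue = pending.get(name)
    if not queue:
        return
    for i, q in enumerate(queue):
        if atype in (None, "CNAME") or q.qtype == atype:
            del queue[i]
            break
    if not queue:
        del pending[name]


def analyze(log_text):
    """Return (unanswered, truncated): queries with no reply/cached line after
    them, and names whose reply chain stopped at a bare <CNAME>."""
    pending = defaultdict(list)      # name -> outstanding Query objects
    truncated = []
    chain_head = None                # name that opened the current reply chain
    open_cname = False               # last reply line in the chain was <CNAME>

    for line in unwrap(log_text).splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # config, /etc/hosts, DHCP lines, ...
        verb, name, rest = m["verb"], m["name"], m["rest"]
        if verb != "reply":
            # Any non-reply line ends a reply chain; if the chain was still
            # on a CNAME, the client never got an address for the name.
            if chain_head is not None and open_cname:
                truncated.append(chain_head)
            chain_head, open_cname = None, False
        if verb.startswith("query"):
            pending[name].append(Query(m["ts"], m["qtype"], name, rest))
        elif verb == "cached":
            settle(pending, name, answer_type(rest))
        elif verb == "reply":
            if chain_head is None:   # first line of a new reply chain
                chain_head = name
                settle(pending, name, answer_type(rest))
            open_cname = rest == "<CNAME>"
            if not open_cname:       # address/NODATA/NXDOMAIN closes the chain
                chain_head = None
        # 'forwarded' carries no answer; nothing to update

    if chain_head is not None and open_cname:
        truncated.append(chain_head)
    unanswered = [q for queue in pending.values() for q in queue]
    return unanswered, truncated


if __name__ == "__main__":
    unanswered, truncated = analyze(SAMPLE_LOG)
    for q in unanswered:
        print(f"no answer: {q.ts} {q.qtype} {q.name} from {q.client}")
    for name in truncated:
        print(f"CNAME chain with no final address: {name}")
```

Run it against a real syslog extract with `analyze(open(path).read())`; the "no answer" list is what to compare against the SERVFAILs the clients saw, and a repeated name in the truncated list points at the upstream returning a CNAME without the target's address rather than at the cache.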

From cl at isbd.net  Sat May 10 11:07:59 2014
From: cl at isbd.net (Chris Green)
Date: Sat, 10 May 2014 12:07:59 +0100
Subject: [Dnsmasq-discuss] Setting up dnsmasq on an [x]ubuntu machine -
 what's the 'right' way to do it?
Message-ID: <20140510110759.GA15847@chris>

I've been using dnsmasq for quite a while on a small server machine on
my home network but that machine is now redundant really and I'd like
to save the electricity it's using.

So I'm going to move dnsmasq to my desktop machine (which is also a
server and is powered up all the time).  My desktop machine runs
xubuntu 14.04 so has the default resolvconf setup where the resolver
runs a cut-down dnsmasq and /etc/resolv.conf just points to 127.0.0.1.

What's the 'right' way to install a full dnsmasq onto my system and
make it use /etc/dnsmasq.conf for configuration etc.?  I know I had a
fairly hard time sorting it out on the system where it is now and I
want to make the process as painless as possible! :-)

Obviously I need to give my machine a static IP on my Lan, that's easy
enough.

At present there is dnsmasq-base installed (used by resolvconf), if I
just install the dnsmasq package will it do the necessary so that 
it uses /etc/dnsmasq.conf etc.?

Where do I specify the upstream DNS servers that dnsmasq should use?

Can I get dnsmasq to hand out a secondary/backup DNS server to DHCP
clients so that if/when my desktop machine is turned off for upgrades
or reboots it doesn't totally disable the other machines on the LAN?

-- 
Chris Green


From cl at isbd.net  Sat May 10 16:07:19 2014
From: cl at isbd.net (Chris Green)
Date: Sat, 10 May 2014 17:07:19 +0100
Subject: [Dnsmasq-discuss] Setting up dnsmasq on an [x]ubuntu machine -
 what's the 'right' way to do it?
In-Reply-To: <20140510110759.GA15847@chris>
References: <20140510110759.GA15847@chris>
Message-ID: <20140510160719.GA7109@chris>

On Sat, May 10, 2014 at 12:07:59PM +0100, Chris Green wrote:
> I've been using dnsmasq for quite a while on a small server machine on
> my home network but that machine is now redundant really and I'd like
> to save the electricity it's using.
> 
> So I'm going to move dnsmasq to my desktop machine (which is also a
> server and is powered up all the time).  My desktop machine runs
> xubuntu 14.04 so has the default resolvconf setup where the resolver
> runs a cut-down dnsmasq and /etc/resolv.conf just points to 127.0.0.1.
> 
> What's the 'right' way to install a full dnsmasq onto my system and
> make it use /etc/dnsmasq.conf for configuration etc.?  I know I had a
> fairly hard time sorting it out on the system where it is now and I
> want to make the process as painless as possible! :-)
> 
Well, I decided I could probably muddle through and I seem to have
managed it fairly OK. I have attached my summary of how to do it (as a
Dokuwiki text file, easy enough to read).  Would it be useful to add
this to the FAQ? It's an issue that comes up quite a lot in various
forums.

It's not for the faint-hearted though, I'll make some comments here.


> Obviously I need to give my machine a static IP on my Lan, that's easy
> enough.
> 
Yes, no need to set the DNS server(s) here, I don't think.


> At present there is dnsmasq-base installed (used by resolvconf), if I
> just install the dnsmasq package will it do the necessary so that 
> it uses /etc/dnsmasq.conf etc.?
> 
Yes, but you need to disable the NetworkManager dnsmasq by editing
/etc/NetworkManager/NetworkManager.conf to remove the dns=dnsmasq.


> Where do I specify the upstream DNS servers that dnsmasq should use?
> 
In one or more files in /etc/NetworkManager/system-connections.


> Can I get dnsmasq to hand out a secondary/backup DNS server to DHCP
> clients so that if/when my desktop machine is turned off for upgrades
> or reboots it doesn't totally disable the other machines on the LAN?
> 
I still want an answer to this one please.

-- 
Chris Green
-------------- next part --------------
======dnsmasq======

To use a 'proper' dnsmasq instead of the dnsmasq-base package that provides local DNS
and is run by NetworkManager, the following steps are needed:-

==1 - Install the dnsmasq package==
The dnsmasq-base package will already be installed but you can't remove it because
it's a dependency of NetworkManager, just leave it.

==2 - Change to a static IP==
The simplest way to do this is to click on the NetworkManager applet and set
the IPv4 addressing to 'manual'.  I don't think there's any need to set the
DNS server IP here.

==3 - Edit the Network Manager configuration==

In directory /etc/NetworkManager/system-connections there will be a file 'Wired connection 1',
edit the dns line in this file to point to localhost plus real DNS servers:-

    dns=127.0.0.1;212.159.6.9;212.159.13.49;

There may be more files in the same directory for WiFi connections, edit them in
the same way (though I'm not sure that a DNS server connected by WiFi is a good
idea).


Edit the file /etc/NetworkManager/NetworkManager.conf, comment out the line dns=dnsmasq
(or if you're feeling daring, delete it).

==4 - Set options as required in /etc/dnsmasq.conf==

In particular DHCP isn't enabled in the supplied default configuration so at
the very least you need to un-comment the dhcp-range line and check that it
is correct for the LAN.

From simon at thekelleys.org.uk  Sat May 10 20:56:20 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 10 May 2014 21:56:20 +0100
Subject: [Dnsmasq-discuss] Setting up dnsmasq on an [x]ubuntu machine -
 what's the 'right' way to do it?
In-Reply-To: <20140510160719.GA7109@chris>
References: <20140510110759.GA15847@chris> <20140510160719.GA7109@chris>
Message-ID: <536E9274.8000304@thekelleys.org.uk>

On 10/05/14 17:07, Chris Green wrote:
> On Sat, May 10, 2014 at 12:07:59PM +0100, Chris Green wrote:
>> I've been using dnsmasq for quite a while on a small server machine on
>> my home network but that machine is now redundant really and I'd like
>> to save the electricity it's using.
>>
>> So I'm going to move dnsmasq to my desktop machine (which is also a
>> server and is powered up all the time).  My desktop machine runs
>> xubuntu 14.04 so has the default resolvconf setup where the resolver
>> runs a cut-down dnsmasq and /etc/resolv.conf just points to 127.0.0.1.
>>
>> What's the 'right' way to install a full dnsmasq onto my system and
>> make it use /etc/dnsmasq.conf for configuration etc.?  I know I had a
>> fairly hard time sorting it out on the system where it is now and I
>> want to make the process as painless as possible! :-)
>>
> Well, I decided I could probably muddle through and I seem to have
> managed it fairly OK. I have attached my summary of how to do it (as a
> Dokuwiki text file, easy enough to read).  Would it be useful to add
> this to the FAQ? It's an issue that comes up quite a lot in various
> forums.

It would be good to put it somewhere. I'm not sure about the FAQ, which
is fairly distribution-agnostic. Let me think about that.
> 
> It's not for the faint-hearted though, I'll make some comments here.
> 
> 
>> Obviously I need to give my machine a static IP on my Lan, that's easy
>> enough.
>>
> Yes, no need to set the DNS server(s) here, I don't think.
> 
> 
>> At present there is dnsmasq-base installed (used by resolvconf), if I
>> just install the dnsmasq package will it do the necessary so that 
>> it uses /etc/dnsmasq.conf etc.?
>>
> Yes, but you need to disable the NetworkManager dnsmasq by editing
> /etc/NetworkManager/NetworkManager.conf to remove the dns=dnsmasq.
> 
> 
>> Where do I specify the upstream DNS servers that dnsmasq should use?
>>
> In one or more files in /etc/NetworkManager/system-connections.
> 
> 
>> Can I get dnsmasq to hand out a secondary/backup DNS server to DHCP
>> clients so that if/when my desktop machine is turned off for upgrades
>> or reboots it doesn't totally disable the other machines on the LAN?
>>
> I still want an answer to this one please.

dhcp-option=option:dns-server,0.0.0.0,<ip of secondary DNS server>

That sends two addresses as DNS servers in DHCP replies: 0.0.0.0 is
replaced with the address of the machine running dnsmasq, and the second
is the secondary.


Cheers,


Simon.



From cl at isbd.net  Sun May 11 11:55:59 2014
From: cl at isbd.net (Chris Green)
Date: Sun, 11 May 2014 12:55:59 +0100
Subject: [Dnsmasq-discuss] Setting up dnsmasq on an [x]ubuntu machine -
 what's the 'right' way to do it?
In-Reply-To: <536E9274.8000304@thekelleys.org.uk>
References: <20140510110759.GA15847@chris> <20140510160719.GA7109@chris>
 <536E9274.8000304@thekelleys.org.uk>
Message-ID: <20140511115559.GA26344@chris>

On Sat, May 10, 2014 at 09:56:20PM +0100, Simon Kelley wrote:
[snip]
> > Well, I decided I could probably muddle through and I seem to have
> > managed it fairly OK. I have attached my summary of how to do it (as a
> > Dokuwiki text file, easy enough to read).  Would it be useful to add
> > this to the FAQ? It's an issue that comes up quite a lot in various
> > forums.
> 
> It would be good to put it somewhere. I'm not sure about the FAQ, which
> is fairly distribution-agnostic. Let me think about that.

Yes, true, it's pretty Linux (or even Ubuntu-family) specific.  It's
dealing with the default 'dnsmasq run by Network Manager' that makes
it a bit tricky.

[snip]
> >> Can I get dnsmasq to hand out a secondary/backup DNS server to DHCP
> >> clients so that if/when my desktop machine is turned off for upgrades
> >> or reboots it doesn't totally disable the other machines on the LAN?
> >>
> > I still want an answer to this one please.
> 
> dhcp-option=option:dns-server,0.0.0.0,<ip of secondary DNS server>
> 
> That sends two addresses as DNS servers in DHCP replies: 0.0.0.0 is
> replaced with the address of the machine running dnsmasq, and the second
> is the secondary.
> 
Thank you, exactly what I need, I can run dnsmasq somewhere else on
the LAN or simply put my ISP's DNS in there.

-- 
Chris Green


From simon at thekelleys.org.uk  Sun May 11 20:09:14 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 11 May 2014 21:09:14 +0100
Subject: [Dnsmasq-discuss] Setting up dnsmasq on an [x]ubuntu machine -
 what's the 'right' way to do it?
In-Reply-To: <20140511115559.GA26344@chris>
References: <20140510110759.GA15847@chris> <20140510160719.GA7109@chris>
 <536E9274.8000304@thekelleys.org.uk> <20140511115559.GA26344@chris>
Message-ID: <536FD8EA.6080602@thekelleys.org.uk>


>> It would be good to put it somewhere. I'm not sure about the FAQ, which
>> is fairly distribution-agnostic. Let me think about that.
> 
> Yes, true, it's pretty Linux (or even Ubuntu-family) specific.  It's
> dealing with the default 'dnsmasq run by Network Manager' that makes
> it a bit tricky.
> 

Where it needs to go is the "setup.html" file in the distro. That's so
ancient as to be useless (Redhat 7.x anyone?). I'll try and get around to
doing a revamp soon.


Cheers,


Simon.




From michael at kmaclub.com  Mon May 12 16:45:13 2014
From: michael at kmaclub.com (Michael)
Date: Mon, 12 May 2014 09:45:13 -0700
Subject: [Dnsmasq-discuss] converting ISC dhcpd.conf to dnsmasq
Message-ID: <5370FA99.4070202@kmaclub.com>

Hello,

I am trying to convert my existing ISC DHCP service to dnsmasq.

The only issue I am having is with netbooting.

For isc dhcp, I have a few entries like:
host mythbed {
         hardware ethernet bc:ee:7b:25:3b:15;
         fixed-address mythbed;
         if exists user-class and option user-class = "iPXE" {
                 #filename "http://minimyth/ipxe/mythbed";
                 filename "http://minimyth2/conf/mythbed/mythbed.ipxe";
         } else{
                 filename "ipxe.pxe";
         }
         default-lease-time 604800;
         max-lease-time 1209600;
}
host mythliv {
         hardware ethernet 38:60:77:9c:6b:1d;
         fixed-address mythliv;
         if exists user-class and option user-class = "iPXE" {
                 filename "http://minimyth2/conf/mythliv/mythliv.ipxe";
         } else {
                 filename "ipxe.pxe";
         }
}

I have been trying to translate this into dnsmasq, but not having much luck.

Something like this will let one host boot:

dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-host=bc:ee:7b:25:3b:15,mythbed
dhcp-boot=tag:!ipxe,ipxe.pxe
dhcp-boot=tag:ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe

But adding:
dhcp-host=bc:ee:7b:25:3b:15,mythbed
dhcp-boot=tag:!ipxe,ipxe.pxe
dhcp-boot=tag:ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe


causes the options for the first to get overwritten.

Could someone give me an example of how to only supply the requested PXE
options if it is a certain host/MAC: boot iPXE the first time, and
then pass a URL to iPXE on the next request?

I tried using multiple tags but either that isn't allowed or I didn't 
use them correctly.

Any help would be much appreciated.

Michael
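One way to express the per-host, two-stage iPXE boot in dnsmasq, added here as an example and not taken from the thread: give each dhcp-host its own tag with set:, use tag-if to combine that tag with the ipxe tag (and with its negation, tag:!ipxe), and attach a dhcp-boot line to each combined tag. The MAC addresses, hostnames, filename and URLs are the ones from the ISC config quoted above; the tag names are my own. A client that is in neither dhcp-host line matches none of the dhcp-boot lines and is given no boot filename at all.

```conf
# iPXE sets DHCP option 175 in its requests; tag those requests "ipxe".
dhcp-match=set:ipxe,175

# One tag per netboot host. The trailing 7d mirrors ISC's
# default-lease-time 604800; put an IP address before the hostname
# to pin it, as fixed-address does in ISC.
dhcp-host=bc:ee:7b:25:3b:15,set:mythbed,mythbed,7d
dhcp-host=38:60:77:9c:6b:1d,set:mythliv,mythliv

# Combine "which host" with "which boot stage" into one tag each.
# tag-if sets its set: tag only when every tag: condition holds.
tag-if=set:mythbed-pxe,tag:mythbed,tag:!ipxe
tag-if=set:mythbed-ipxe,tag:mythbed,tag:ipxe
tag-if=set:mythliv-pxe,tag:mythliv,tag:!ipxe
tag-if=set:mythliv-ipxe,tag:mythliv,tag:ipxe

# Stage 1: the PXE ROM (no option 175) is handed the iPXE binary.
dhcp-boot=tag:mythbed-pxe,ipxe.pxe
dhcp-boot=tag:mythliv-pxe,ipxe.pxe

# Stage 2: iPXE itself (option 175 present) gets its per-host script.
dhcp-boot=tag:mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe
dhcp-boot=tag:mythliv-ipxe,http://minimyth2/conf/mythliv/mythliv.ipxe
```

Check the file with `dnsmasq --test --conf-file=<file>` before restarting, and with log-dhcp enabled watch the "tags:" list dnsmasq logs for each request: a stage-2 request from mythbed should show ipxe, mythbed and mythbed-ipxe, and nothing else should carry a boot filename.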



From lists at wildgooses.com  Tue May 13 14:02:50 2014
From: lists at wildgooses.com (Ed W)
Date: Tue, 13 May 2014 15:02:50 +0100
Subject: [Dnsmasq-discuss] Stable releases v. development releases.
In-Reply-To: <5358FD83.3050602@thekelleys.org.uk>
References: <5350444A.9080106@thekelleys.org.uk>
 <5350EF2E.8070905@ipcop-forum.de>
 <CAFE24U2xN3uFiZCuzjm2QsEPF42hHxwtEtCcLFuPaNeNmkpqkw@mail.gmail.com>
 <20140420155748.GG15907@humpty.home.comstyle.com>
 <5358FD83.3050602@thekelleys.org.uk>
Message-ID: <5372260A.8030801@wildgooses.com>

Hi

>>>> A full split would mean extra work for you and probably more users
>>> sticking to some stable branch for a long time. For dnsmasq I do not think
>>> it is worth the effort.
>>>> If at some point during development, important fixes are necessary, it is
>>> probably more convenient to open something like a temporary stable branch
>>> with the sole purpose of applying fixes on top of the latest released
>>> version.
>>>> OTOH if you were to give out a notice saying: here is something
>>> critically important, please apply GIT commit xyz to fix it, that would
>>> work just as well for our use case.
>>>
>>> I was about to post a similar comment.
>>> I don't see a point in splitting off stable branches constantly. But point
>>> releases as needed if regressions are found sound about right.
>> IMO sounds good to me. A point release for regressions and
>> other bug fixes would be a good way of doing things instead
>> of another full on release which usually tries to mix in
>> feature changes as well pushing out a release.
>>
>
> That seems to be the concensus.
>
> In the current state, I can simply do a 2.70 release to fix the nasty
> bugs in 2.69, since there's been no feature work done since. In future,
> if bugs come up later in the development cycle, I'll do point releases
> to fix them.

With git there is no difference between tags and branches or whatever?  
So what most people seem to do is roughly what you described above, but 
in the interests of clarity:

- git checkout master
- fix bug/regression (assuming it exists in master)
- git checkout <your tagged/branched release>
- git cherry-pick <relevant commits from master>
- merge, test, etc
- git tag new point release

The only subtlety above over common sense is that some hold the opinion 
that all fixes should be in master first and then pulled into various 
release branches.

Also I presume it's obvious but you can always hop around and check out 
any commit/tag/branch you like, mess around with it committing some 
changes and then declare it a branch... As far as I understand a branch 
is just a pointer to the tip of some set of commits, you don't need to 
branch first and then start committing?

Obviously consistency of naming branches/tags helps with automated 
stuff, but the rest is just a case of checking out the last release and 
committing changes, you are simply putting a name on the tip of those 
changes (and ideally the changes exist in master to prevent them getting 
lost) but nothing else is special

These distributed VCS systems are very cool!

Ed W



From Vuthanhtung.Nguyen at sonymobile.com  Wed May 14 08:27:58 2014
From: Vuthanhtung.Nguyen at sonymobile.com (Nguyen, Vuthanhtung (Sony Mobile))
Date: Wed, 14 May 2014 17:27:58 +0900
Subject: [Dnsmasq-discuss] Offer different subnet on DHCPDECLINE
Message-ID: <1A83C4F2F1059B46BC380B221C4410B1C8781BE21B@jptombx01.corpusers.net>

Hi,

I get a requirement like following.

Dhcp range is defined as 192.168.x.y with x in the range of 2 to 127 and y in the range of 0 to 254. When client sends DHCPDECLINE, server must offer a new IP address, 192.168.x_new.y_new, where at least x_new is different from the previous offered address.

Is there any way to do it with only dnsmasq configuration?

Regards,
-Tung


From madhan.mepco at gmail.com  Fri May 16 17:56:26 2014
From: madhan.mepco at gmail.com (Madhan)
Date: Fri, 16 May 2014 23:26:26 +0530
Subject: [Dnsmasq-discuss] mtu size to client
Message-ID: <CA+BD1JH25GXU16y9Hv57U0v1meYFW==7+dHPE1+vk7vmB7=X2w@mail.gmail.com>

Hi,
How do I set the MTU size for clients from a tethering server?
Does dhcp-option=26,1500 set it for both IPv4 and IPv6?
If not, how do I set the IPv6 MTU size?


regards,
Madhan

From woody77 at gmail.com  Sat May 17 03:58:19 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Fri, 16 May 2014 20:58:19 -0700
Subject: [Dnsmasq-discuss] [Cerowrt-devel] Had to disable dnssec today
In-Reply-To: <20140516202500.364d7912@nehalam.linuxnetplumber.net>
References: <CALQXh-PJ+iP0r15Jewyx1wt3KWSmXNwbUME-41WM3BfXVja81g@mail.gmail.com>
 <20140516202500.364d7912@nehalam.linuxnetplumber.net>
Message-ID: <CALQXh-Phv21BJYmCr=SKwsynw3bH6dvvrwAiJe83-mzpdQtRkA@mail.gmail.com>

Now that I'm on Comcast, I'm going to try it again.

-Aaron


On Fri, May 16, 2014 at 8:25 PM, Stephen Hemminger <
stephen at networkplumber.org> wrote:

> On Sat, 26 Apr 2014 13:38:08 +0200
> Aaron Wood <woody77 at gmail.com> wrote:
>
> > Just too many sites aren't working correctly with dnsmasq and using
> > Google's DNS servers.
> >
> > - Bank of America (sso-fi.bankofamerica.com)
> > - Weather Underground (cdnjs.cloudflare.com)
> > - Akamai (e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net)
> >
> > And I'm not getting any traction with reporting the errors to those
> sites,
> > so it's frustrating in getting it properly fixed.
> >
> > While Akamai and cloudflare appear to be issues with their entries in
> > google dns, or with dnsmasq's validation of them being insecure domains,
> > the BofA issue appears to be an outright bad key.  And BofA isn't being
> > helpful (just a continual "we use ssl" sort of quasi-automated response).
> >
> > So I'm disabling it for now, or rather, falling back to using my ISP's
> dns
> > servers, which don't support DNSSEC at this time.  I'll be periodically
> > turning it back on, but too much is broken (mainly due to the cdns) to be
> > able to rely on it at this time.
> >
> > -Aaron
>
> Ditto. I was holding out, but performance was much worse, many websites
> would load poorly and got complaints from many errors from my customers
> (family).
>

From simon at thekelleys.org.uk  Sat May 17 18:55:20 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 17 May 2014 19:55:20 +0100
Subject: [Dnsmasq-discuss] Announce dnsmasq-2.71
Message-ID: <5377B098.5050807@thekelleys.org.uk>

I've just released dnsmasq-2.71. This is a pure bugfix release which
addresses some DNSSEC problems, and a nasty failure which occurs when
dnsmasq is started with the DNS cache size set to zero.


If you're running 2.69 or 2.70, you should upgrade.

CHANGELOG below.


Cheers,

Simon

----------------------------------------------------------------------------
version 2.71
            Subtle change to error handling to help DNSSEC validation
            when servers fail to provide NODATA answers for
            non-existent DS records.

            Tweak code which removes DNSSEC records from answers when
            not required. Fixes broken answers when additional section
            has real records in it. Thanks to Marco Davids for the bug
            report.

            Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
            for spotting that too.

            Fix total DNS failure and 100% CPU use if cachesize set
            to zero, regression introduced in 2.69. Thanks to James
            Hunt and the Ubuntu crowd for assistance in fixing this.




From 2bluesc+dnsmasq-disquss at gmail.com  Thu May 22 03:46:15 2014
From: 2bluesc+dnsmasq-disquss at gmail.com (Kyle Manna)
Date: Wed, 21 May 2014 20:46:15 -0700
Subject: [Dnsmasq-discuss] Patch for ioctl(SIOCSARP) issue with Docker +
	Dnsmasq
Message-ID: <CAM9fjH77gG1L7M2aahKW5ZTWgfn_vGw39Cw9bVNZCePWqSLmGQ@mail.gmail.com>

Hey all,

I ran into an issue using dnsmasq within a docker/lxc container.
Newer versions of docker drop the NET_ADMIN capability[1] which
prevents ioctl(SIOCSARP) call from succeeding for unicast DHCPOFFERs.

I've thrown together a quick patch (hack? due to lack of familiarity
perhaps) and it's available on Github[2] as well as attached for
completeness.

I'm not sure if this is the best way to fix this or not.  I'm not that
familiar with DHCP + dnsmasq to know any better.  I've also tried a
docker container with ISC dhcpd and it worked without any
modifications. I didn't look any closer to see how isc dhcpd operated.

[1] https://github.com/dotcloud/docker/pull/4059
[2] https://github.com/kmanna/dnsmasq/compare/master...docker_arp_fail
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dhcp-Broadcast-if-ARP-ioctl-fails-during-DHCPOFFER.patch
Type: application/octet-stream
Size: 2128 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140521/949cb7c4/attachment.obj>

From simon at thekelleys.org.uk  Thu May 22 10:17:33 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 22 May 2014 11:17:33 +0100
Subject: [Dnsmasq-discuss] Patch for ioctl(SIOCSARP) issue with Docker +
 Dnsmasq
In-Reply-To: <CAM9fjH77gG1L7M2aahKW5ZTWgfn_vGw39Cw9bVNZCePWqSLmGQ@mail.gmail.com>
References: <CAM9fjH77gG1L7M2aahKW5ZTWgfn_vGw39Cw9bVNZCePWqSLmGQ@mail.gmail.com>
Message-ID: <537DCEBD.8070709@thekelleys.org.uk>

On 22/05/14 04:46, Kyle Manna wrote:
> Hey all,
> 
> I ran into an issue using dnsmasq within a docker/lxc container.
> Newer versions of docker drop the NET_ADMIN capability[1] which
> prevents ioctl(SIOCSARP) call from succeeding for unicast DHCPOFFERs.
> 
> I've thrown together a quick patch (hack? due to lack of familiarity
> perhaps) and it's available on Github[2] as well as attached for
> completeness.
> 
> I'm not sure if this is the best way to fix this or not.  I'm not that
> familiar with DHCP + dnsmasq to know any better.  I've also tried a
> docker container with ISC dhcpd and it worked without any
> modifications. I didn't look any closer to see how isc dhcpd operated.
> 
> [1] https://github.com/dotcloud/docker/pull/4059
> [2] https://github.com/kmanna/dnsmasq/compare/master...docker_arp_fail
> 
> 

It's possible to get the same effect by configuration. Adding

dhcp-broadcast

to the dnsmasq config which will cause it to always use broadcast.

If a dnsmasq configuration is supplied for use with docker then adding
to that might be a better solution. If not then this patch has merit,
but some downsides too: it's a classic "do something surprising to mask
an unexpected error".

Note that there are other bits of code in dnsmasq that rely on having
NET_ADMIN, most obviously, the ability to bind ports < 1024 if
--bind-dynamic is in use.

Cheers,


Simon.
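A check for the situation Kyle and Simon describe, added here as an example (not code from the thread or from dnsmasq): it reads the CapEff mask from a /proc/<pid>/status text and reports whether NET_ADMIN is absent, in which case dhcp-broadcast is the configuration answer rather than patching around the failed ioctl. The status text is a constructed sample; effective_caps, missing_caps and needs_dhcp_broadcast are my own names.

```python
import re

# Capability bit numbers from linux/capability.h.
CAP_NET_BIND_SERVICE = 10   # bind ports below 1024
CAP_NET_ADMIN = 12          # ioctl(SIOCSARP) and other interface configuration
CAP_NET_RAW = 13            # raw/packet sockets

CAP_NAMES = {
    CAP_NET_BIND_SERVICE: "cap_net_bind_service",
    CAP_NET_ADMIN: "cap_net_admin",
    CAP_NET_RAW: "cap_net_raw",
}

# Constructed sample of /proc/<pid>/status for dnsmasq inside a container whose
# runtime dropped NET_ADMIN: the CapEff mask has bits 10 (NET_BIND_SERVICE) and
# 13 (NET_RAW) set but not bit 12 (NET_ADMIN).
SAMPLE_STATUS = (
    "Name:\tdnsmasq\n"
    "Pid:\t42\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)


def effective_caps(status_text):
    """Return the CapEff bitmask from /proc/<pid>/status text as an int."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def missing_caps(status_text, required):
    """Names of the required capability bits absent from the effective set."""
    mask = effective_caps(status_text)
    return [CAP_NAMES.get(bit, "cap_%d" % bit) for bit in required
            if not (mask >> bit) & 1]


def needs_dhcp_broadcast(status_text):
    """True when a unicast DHCPOFFER would fail because SIOCSARP needs
    NET_ADMIN, i.e. when dhcp-broadcast should be set in dnsmasq.conf."""
    return "cap_net_admin" in missing_caps(status_text, [CAP_NET_ADMIN])


def status_of_pid(pid):
    """Read the live status of a running process (e.g. the dnsmasq pid)."""
    with open("/proc/%d/status" % pid) as fh:
        return fh.read()


if __name__ == "__main__":
    print("missing:", missing_caps(SAMPLE_STATUS,
                                   [CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW]))
    print("set dhcp-broadcast:", needs_dhcp_broadcast(SAMPLE_STATUS))
```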





From nic at ferrier.me.uk  Thu May 22 20:53:53 2014
From: nic at ferrier.me.uk (Nic Ferrier)
Date: Thu, 22 May 2014 21:53:53 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
Message-ID: <8761kxpmam.fsf@ferrier.me.uk>

I've got ubuntu 14 and I was having a few issues with the OpenVPN
support not setting DNS properly.

So I thought I'd just use openvpn from the command line. But making it
work with ubuntu's package dnsmasq is a bit tricky.

They run dnsmasq like this!

  dnsmasq --no-resolv --keep-in-foreground --no-hosts \
     --bind-interfaces
  --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid \
  --listen-address=127.0.1.1
  --conf-file=/var/run/NetworkManager/dnsmasq.conf \
  --cache-size=0 --proxy-dnssec
  --enable-dbus=org.freedesktop.NetworkManager.dnsmasq \
  --conf-dir=/etc/NetworkManager/dnsmasq.d

it's not possible (apparently) to do this with a config file so I've
been using the dbus.

I've got something like this:

  sudo dbus-send --system --print-reply \
        --dest=org.freedesktop.NetworkManager.dnsmasq \
        /uk/org/thekelleys/dnsmasq \
        uk.org.thekelleys.SetDomainServers "array:string:${CURRENT_DNS}/vpndomain.name/10.5.1.20@tun0"

and it works, I get this:

  method return sender=:1.79468 -> dest=:1.79479 reply_serial=2

but only after a clean reboot, and I get:

  May 22 21:26:49 mymachine3 dnsmasq[14146]: using nameserver 10.5.1.20#53 for domain vpndomain.com

When I try and dig the name from the local dns it just times out.

I can dig from the upstream vpn side server.

So it seems like dnsmasq isn't actually obeying the server set when it's
done more than once or something?

Can anyone suggest some debugging I could do or what the problem
actually is?


Nic Ferrier


From simon at thekelleys.org.uk  Thu May 22 21:42:42 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 22 May 2014 22:42:42 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
In-Reply-To: <8761kxpmam.fsf@ferrier.me.uk>
References: <8761kxpmam.fsf@ferrier.me.uk>
Message-ID: <537E6F52.2090706@thekelleys.org.uk>

On 22/05/14 21:53, Nic Ferrier wrote:
> I've got ubuntu 14 and I was having a few issues with the OpenVPN
> support not setting DNS properly.
> 
> So I thought I'd just use openvpn from the command line. But making it
> work with ubuntu's package dnsmasq is a bit tricky.
> 
> They run dnsmasq like this!
> 
>   dnsmasq --no-resolv --keep-in-foreground --no-hosts \
>      --bind-interfaces
>   --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid \
>   --listen-address=127.0.1.1
>   --conf-file=/var/run/NetworkManager/dnsmasq.conf \
>   --cache-size=0 --proxy-dnssec
>   --enable-dbus=org.freedesktop.NetworkManager.dnsmasq \
>   --conf-dir=/etc/NetworkManager/dnsmasq.d
> 
> it's not possible (apparently) to do this with a config file so I've
> been using the dbus.
> 
> I've got something like this:
> 
>   sudo dbus-send --system --print-reply \
>         --dest=org.freedesktop.NetworkManager.dnsmasq \
>         /uk/org/thekelleys/dnsmasq \
>         uk.org.thekelleys.SetDomainServers "array:string:${CURRENT_DNS}/vpndomain.name/10.5.1.20@tun0"
> 
> and it works, I get this:
> 
>   method return sender=:1.79468 -> dest=:1.79479 reply_serial=2
> 
> but only after a clean reboot, and I get:
> 
>   May 22 21:26:49 mymachine3 dnsmasq[14146]: using nameserver 10.5.1.20#53 for domain vpndomain.com
> 
> When I try and dig the name from the local dns it just times out.
> 
> I can dig from the upstream vpn side server.
> 
> So it seems like dnsmasq isn't actually obeying the server set when it's
> done more than once or something?
> 
> Can anyone suggest some debugging I could do or what the problem
> actually is?
> 

First thing is to set --log-queries, to get an idea what's actually
happening to your test query. I'd also simplify things and remove the
"@tun0" for a start.

"but only after a clean reboot" I'm not sure I understand this: what
happens when you run the command for the second time?


Cheers,


Simon.

> 
> Nic Ferrier
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 



From cl at isbd.net  Thu May 22 21:46:46 2014
From: cl at isbd.net (Chris Green)
Date: Thu, 22 May 2014 22:46:46 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
Message-ID: <20140522214646.GA1402@chris>

I seem to have spoken too soon with my transfer of dnsmasq to a
different machine.

It's running on my desktop machine which is also an always on server.
DNS is working fine for the desktop machine itself but it's not
working for client machines.

DHCP is working though, so clients get an IP address OK and can talk
to other machines on the LAN if I specify IP addresses rather than
names.  

So how do I diagnose this?  It's on xubuntu 14.04 so it's made a
little opaque by not being able view 'real' DNS servers anywhere 


-- 
Chris Green


From nic at ferrier.me.uk  Thu May 22 21:53:18 2014
From: nic at ferrier.me.uk (Nic Ferrier)
Date: Thu, 22 May 2014 22:53:18 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
In-Reply-To: <537E6F52.2090706@thekelleys.org.uk> (Simon Kelley's message of
 "Thu, 22 May 2014 22:42:42 +0100")
References: <8761kxpmam.fsf@ferrier.me.uk> <537E6F52.2090706@thekelleys.org.uk>
Message-ID: <8738g1pjjl.fsf@ferrier.me.uk>

Simon Kelley <simon at thekelleys.org.uk> writes:

> On 22/05/14 21:53, Nic Ferrier wrote:
>> So it seems like dnsmasq isn't actually obeying the server set when it's
>> done more than once or something?
>> 
>> Can anyone suggest some debugging I could do or what the problem
>> actually is?
>> 
>
> First thing is to set --log-queries, to get an idea what's actually
> happening to your test query. I'd also simplify things and remove the
> "@tun0" for a start.

But if I don't set the tun0 it won't go over the vpn?

I don't think I can change the log-queries, I can't alter the config at
all, except through dbus, because dnsmasq is controlled by ubuntu's
network-manager

> "but only after a clean reboot" I'm not sure I understand this: what
> happens when you run the command for the second time?

When I start the system afresh it works, I can query the vpn side DNS
via the rules I've added via DBUS.

If I then drop the VPN, re-establish it and redo the dbus set nothing
works.

The dbus call still comes back correctly with something that looks like
dnsmasq understood it and dnsmasq logs to syslog that it has started
using the new domains and DNS server... but nothing works, dig to
dnsmasq for the new names just hangs for timeout.

That's what is so weird.


Nic


From cl at isbd.net  Thu May 22 22:08:22 2014
From: cl at isbd.net (Chris Green)
Date: Thu, 22 May 2014 23:08:22 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
In-Reply-To: <20140522214646.GA1402@chris>
References: <20140522214646.GA1402@chris>
Message-ID: <20140522220822.GA2276@chris>

On Thu, May 22, 2014 at 10:46:46PM +0100, Chris Green wrote:
> I seem to have spoken too soon with my transfer of dnsmasq to a
> different machine.
> 
> It's running on my desktop machine which is also an always on server.
> DNS is working fine for the desktop machine itself but it's not
> working for client machines.
> 
> DHCP is working though, so clients get an IP address OK and can talk
> to other machines on the LAN if I specify IP addresses rather than
> names.  
> 
> So how do I diagnose this?  It's on xubuntu 14.04 so it's made a
> little opaque by not being able view 'real' DNS servers anywhere 
> 
Sorry about that abrupt end.  Not much to add though.

As a general comment it would be very useful to be able easily to see
what DNS servers are being used.

-- 
Chris Green


From cl at isbd.net  Thu May 22 22:33:50 2014
From: cl at isbd.net (Chris Green)
Date: Thu, 22 May 2014 23:33:50 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
In-Reply-To: <20140522220822.GA2276@chris>
References: <20140522214646.GA1402@chris>
 <20140522220822.GA2276@chris>
Message-ID: <20140522223349.GA3680@chris>

On Thu, May 22, 2014 at 11:08:22PM +0100, Chris Green wrote:
> On Thu, May 22, 2014 at 10:46:46PM +0100, Chris Green wrote:
> > I seem to have spoken too soon with my transfer of dnsmasq to a
> > different machine.
> > 
> > It's running on my desktop machine which is also an always on server.
> > DNS is working fine for the desktop machine itself but it's not
> > working for client machines.
> > 
> > DHCP is working though, so clients get an IP address OK and can talk
> > to other machines on the LAN if I specify IP addresses rather than
> > names.  
> > 
> > So how do I diagnose this?  It's on xubuntu 14.04 so it's made a
> > little opaque by not being able view 'real' DNS servers anywhere 
> > 
> Sorry about that abrupt end.  Not much to add though.
> 
> As a general comment it would be very useful to be able easily to see
> what DNS servers are being used.
> 
... a little more information.  DHCP clients are getting all the right
information, e.g. the laptop I'm using at the moment has:-

    IP Address:         192.168.1.125
    Broadcast Address:  192.168.1.255
    Subnet Mask:        255.255.255.0
    Default Route:      192.168.1.1
    Primary DNS:        192.168.1.4

The default route is an ADSL router and the primary DNS is my desktop
server machine running dnsmasq.  So it would appear that dnsmasq isn't
answering DNS queries rather than it's not doing DHCP correctly.

It's almost certainly a trivial configuration problem but I can't see
it at the moment.

-- 
Chris Green


From dave.taht at gmail.com  Fri May 23 03:11:24 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Thu, 22 May 2014 20:11:24 -0700
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
In-Reply-To: <20140522223349.GA3680@chris>
References: <20140522214646.GA1402@chris> <20140522220822.GA2276@chris>
 <20140522223349.GA3680@chris>
Message-ID: <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>

On May 22, 2014 3:37 PM, "Chris Green" <cl at isbd.net> wrote:
>
> On Thu, May 22, 2014 at 11:08:22PM +0100, Chris Green wrote:
> > On Thu, May 22, 2014 at 10:46:46PM +0100, Chris Green wrote:
> > > I seem to have spoken too soon with my transfer of dnsmasq to a
> > > different machine.
> > >
> > > It's running on my desktop machine which is also an always on server.
> > > DNS is working fine for the desktop machine itself but it's not
> > > working for client machines.
> > >
> > > DHCP is working though, so clients get an IP address OK and can talk
> > > to other machines on the LAN if I specify IP addresses rather than
> > > names.
> > >
> > > So how do I diagnose this?  It's on xubuntu 14.04 so it's made a
> > > little opaque by not being able view 'real' DNS servers anywhere
> > >
> > Sorry about that abrupt end.  Not much to add though.
> >
> > As a general comment it would be very useful to be able easily to see
> > what DNS servers are being used.
> >
> ... a little more information.  DHCP clients are getting all the right
> information, e.g. the laptop I'm using at the moment has:-
>
>     IP Address:         192.168.1.125
>     Broadcast Address:  192.168.1.255
>     Subnet Mask:        255.255.255.0
>     Default Route:      192.168.1.1
>     Primary DNS:        192.168.1.4
>
> The default route is an ADSL router and the primary DNS is my desktop
> server machine running dnsmasq.  So it would appear that dnsmasq isn't
> answering DNS queries rather than it's not doing DHCP correctly.
>
> It's almost certainly a trivial configuration problem but I can't see
> it at the moment.

Tcpdump is your friend.

>
> --
> Chris Green
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From simon at thekelleys.org.uk  Fri May 23 08:30:39 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 23 May 2014 09:30:39 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
In-Reply-To: <8738g1pjjl.fsf@ferrier.me.uk>
References: <8761kxpmam.fsf@ferrier.me.uk>	<537E6F52.2090706@thekelleys.org.uk>
 <8738g1pjjl.fsf@ferrier.me.uk>
Message-ID: <537F072F.4020903@thekelleys.org.uk>

On 22/05/14 22:53, Nic Ferrier wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
> 
>> On 22/05/14 21:53, Nic Ferrier wrote:
>>> So it seems like dnsmasq isn't actually obeying the server set when it's
>>> done more than once or something?
>>>
>>> Can anyone suggest some debugging I could do or what the problem
>>> actually is?
>>>
>>
>> First thing is to set --log-queries, to get an idea what's actually
>> happening to your test query. I'd also simplify things and remove the
>> "@tun0" for a start.
> 
> But if I don't set the tun0 it won't go over the vpn?
> 
> I don't think I can change the log-queries, I can't alter the config at
> all, except through dbus, because dnsmasq is controlled by ubuntu's
> network-manager

... which is probably fighting you by making DBus calls which overwrite
yours. My understanding is that network-manager supports the sort of
split-DNS you want direct from the GUI these days.

If not see here, for how to wrest control of dnsmasq from network-manager:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q2/008528.html


Cheers,

Simon.

> 
>> "but only after a clean reboot" I'm not sure I understand this: what
>> happens when you run the command for the second time?
> 
> When I start the system afresh it works, I can query the vpn side DNS
> via the rules I've added via DBUS.
> 
> If I then drop the VPN, re-establish it and redo the dbus set nothing
> works.
> 
> The dbus call still comes back correctly with something that looks like
> dnsmasq understood it and dnsmasq logs to syslog that it has started
> using the new domains and DNS server... but nothing works, dig to
> dnsmasq for the new names just hangs for timeout.
> 
> That's what is so weird.
> 
> 
> Nic
> 



From cl at isbd.net  Fri May 23 09:10:36 2014
From: cl at isbd.net (Chris Green)
Date: Fri, 23 May 2014 10:10:36 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
In-Reply-To: <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>
References: <20140522214646.GA1402@chris> <20140522220822.GA2276@chris>
 <20140522223349.GA3680@chris>
 <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>
Message-ID: <20140523091035.GA26074@chris>

On Thu, May 22, 2014 at 08:11:24PM -0700, Dave Taht wrote:
>    On May 22, 2014 3:37 PM, "Chris Green" <[1]cl at isbd.net> wrote:
>    >
>    >
>    >     IP Address:         192.168.1.125
>    >     Broadcast Address:  192.168.1.255
>    >     Subnet Mask:        255.255.255.0
>    >     Default Route:      192.168.1.1
>    >     Primary DNS:        192.168.1.4
>    >
>    > The default route is an ADSL router and the primary DNS is my desktop
>    > server machine running dnsmasq.  So it would appear that dnsmasq isn't
>    > answering DNS queries rather than it's not doing DHCP correctly.
>    >
>    > It's almost certainly a trivial configuration problem but I can't see
>    > it at the moment.
> 
>    Tcpdump is your friend.
> 
Maybe it is but what do I do with it?  :-)

If I run tcpdump on the (supposed to be) dnsmasq server machine
listening for packets on port 53, e.g. I do:-

    tcpdump host 192.168.1.4 and port 53

Then I see incoming packets when systems make DNS requests, e.g.:-

    10:01:26.252358 IP acer-aspire.zbmc.eu.60680 > chris.zbmc.eu.domain:
    59352+ A? chris.zbmc.eu. (31)
    10:01:26.252533 IP acer-aspire.zbmc.eu.30826 > chris.zbmc.eu.domain:
    24757+ AAAA? chris.zbmc.eu. (31)
    10:01:31.257784 IP acer-aspire.zbmc.eu.60680 > chris.zbmc.eu.domain:
    59352+ A? chris.zbmc.eu. (31)
    10:01:31.258104 IP acer-aspire.zbmc.eu.30826 > chris.zbmc.eu.domain:
    24757+ AAAA? chris.zbmc.eu. (31)

So the requests are coming in, it's just that dnsmasq isn't answering.
It sounds as if something, somewhere is preventing responses to
external DNS requests, in other words I still have the 'dnsmasq run by
network manager' mode of operation.  However I can't see where this is
done nowadays, there's no portmapper or similar thing any more.  So
what configures dnsmasq (or anything) to get and act upon packets from
the outside?



-- 
Chris Green
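The pattern in that capture (queries arriving, retransmitted five seconds later with the same id, and no reply ever leaving) can be detected mechanically. Added example, not code from the thread: it pairs tcpdump DNS lines by (client, client port, id) and lists queries that never got a response; the four query lines are the ones above re-joined onto single lines, the final query/response pair is constructed, and CAPTURE, QUERY_RE, RESPONSE_RE and find_unanswered are my own names.

```python
import re
from collections import OrderedDict

# One tcpdump line per DNS packet. The first four are the queries from the
# capture above; the last two are a constructed query/response pair so the
# pairing logic has a successful exchange to match against.
CAPTURE = [
    "10:01:26.252358 IP acer-aspire.zbmc.eu.60680 > chris.zbmc.eu.domain: 59352+ A? chris.zbmc.eu. (31)",
    "10:01:26.252533 IP acer-aspire.zbmc.eu.30826 > chris.zbmc.eu.domain: 24757+ AAAA? chris.zbmc.eu. (31)",
    "10:01:31.257784 IP acer-aspire.zbmc.eu.60680 > chris.zbmc.eu.domain: 59352+ A? chris.zbmc.eu. (31)",
    "10:01:31.258104 IP acer-aspire.zbmc.eu.30826 > chris.zbmc.eu.domain: 24757+ AAAA? chris.zbmc.eu. (31)",
    "10:01:40.100000 IP acer-aspire.zbmc.eu.41022 > chris.zbmc.eu.domain: 11111+ A? www.example.com. (33)",
    "10:01:40.120000 IP chris.zbmc.eu.domain > acer-aspire.zbmc.eu.41022: 11111 1/0/0 A 192.0.2.1 (49)",
]

# Query: "<ts> IP <client>.<port> > <server>.domain: <id>[flags] <TYPE>? <name> (<len>)"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<client>\S+)\.(?P<cport>\d+) > (?P<server>\S+)\.(?:domain|53): "
    r"(?P<id>\d+)[+%$]* (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$")
# Response: "<ts> IP <server>.domain > <client>.<port>: <id>[flags] ..."
RESPONSE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<server>\S+)\.(?:domain|53) > (?P<client>\S+)\.(?P<cport>\d+): "
    r"(?P<id>\d+)[*$|-]* ")


def find_unanswered(lines):
    """Pair queries with responses by (client, client port, DNS id).

    Returns, in first-seen order, one tuple per query that never received a
    response: (client, port, id, qtype, qname, attempts). A resolver's
    retransmissions (same id from the same port) are counted as attempts."""
    pending = OrderedDict()
    for line in lines:
        line = line.strip()
        q = QUERY_RE.match(line)
        if q:
            key = (q["client"], q["cport"], q["id"])
            if key in pending:
                pending[key]["attempts"] += 1
            else:
                pending[key] = {"qtype": q["qtype"], "qname": q["qname"], "attempts": 1}
            continue
        r = RESPONSE_RE.match(line)
        if r:
            # A response closes the matching query, whatever its rcode.
            pending.pop((r["client"], r["cport"], r["id"]), None)
    return [(c, p, i, v["qtype"], v["qname"], v["attempts"])
            for (c, p, i), v in pending.items()]


if __name__ == "__main__":
    for client, port, qid, qtype, qname, attempts in find_unanswered(CAPTURE):
        print("no answer: %s:%s id %s %s? %s (%d attempts)"
              % (client, port, qid, qtype, qname, attempts))
```

Feed it `tcpdump -l -n -i eth0 port 53` output, line by line, to see which clients are being ignored rather than just that packets arrive.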


From nic at ferrier.me.uk  Fri May 23 10:31:59 2014
From: nic at ferrier.me.uk (Nic Ferrier)
Date: Fri, 23 May 2014 11:31:59 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
In-Reply-To: <537F072F.4020903@thekelleys.org.uk> (Simon Kelley's message of
 "Fri, 23 May 2014 09:30:39 +0100")
References: <8761kxpmam.fsf@ferrier.me.uk>
 <537E6F52.2090706@thekelleys.org.uk> <8738g1pjjl.fsf@ferrier.me.uk>
 <537F072F.4020903@thekelleys.org.uk>
Message-ID: <87zji8okf4.fsf@ferrier.me.uk>

Simon Kelley <simon at thekelleys.org.uk> writes:

> ... which is probably fighting you by making DBus calls which overwrite
> yours. My understanding is that network-manager supports the sort of
> split-DNS you want direct from the GUI these days.

Well, there are problems with it right now, it's stealing my
gateway. Which is why I wanted to be tactical.

Also it's harder to work with than just scripts.

I don't believe network-manager is doing what you think it's doing, if
it was surely dnsmasq would report the change of servers.

I wish I could use dbus to get dnsmasq to tell me what it's doing.


> If not see here, for how to wrest control of dnsmasq from network-manager:
>
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q2/008528.html

I don't want to do that either. I am fine with the dbus that's running
if it would do what I want it to do.

I don't want to wholesale change ubuntu.


That feels like a bit of a final comment though.

I guess I could try and alter dnsmasq's dbus handling myself to get it
to report the servers it's using... but it'll be tricky to get ubuntu to
use the new version I guess.


Thanks anyway.


Nic


From cl at isbd.net  Fri May 23 11:08:19 2014
From: cl at isbd.net (Chris Green)
Date: Fri, 23 May 2014 12:08:19 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
In-Reply-To: <20140523091035.GA26074@chris>
References: <20140522214646.GA1402@chris> <20140522220822.GA2276@chris>
 <20140522223349.GA3680@chris>
 <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>
 <20140523091035.GA26074@chris>
Message-ID: <20140523110819.GA28217@chris>

Here's my problem, I think:-

    root at chris:/etc# netstat -nlptu|grep 53
    tcp        0      0 127.0.0.1:53            0.0.0.0:*   LISTEN      1374/dnsmasq    
    tcp6       0      0 ::1:53                  :::*        LISTEN      1374/dnsmasq    
    udp        0      0 0.0.0.0:35316           0.0.0.0:*               712/rpc.statd   
    udp        0      0 127.0.0.1:53            0.0.0.0:*               1374/dnsmasq    
    udp        0      0 0.0.0.0:5353            0.0.0.0:*               1102/avahi-daemon: 
    udp6       0      0 ::1:53                  :::*                    1374/dnsmasq    
    udp6       0      0 :::53679                :::*                    1594/rpc.mountd 
    udp6       0      0 :::5353                 :::*                    1102/avahi-daemon: 
    udp6       0      0 :::55397                :::*                    1102/avahi-daemon:


So dnsmasq is only listening on localhost port 53, how do I tell it to
listen on 192.168.1.4 as well?


I've fixed it by adding an explicit 'interface=eth0' line to my
dnsmasq.conf file, but I don't really understand why it's necessary, I
didn't have to do this on the previous dnsmasq installation and it was
running the same version of dnsmasq (2.68).

What would make dnsmasq listen only on the loopback interface when
there are no explicit interface or listen-address options set in
dnsmasq.conf?


Finally I'd prefer to make dnsmasq listen on just the loopback
interface and 192.168.1.4 by setting the listen address rather than
using 'interface='.  How do I specify two addresses, do they both go
on on listen-address= (comma spearated, space separated?) or do I put
two listen-address= lines?

-- 
Chris Green


From cl at isbd.net  Fri May 23 11:13:51 2014
From: cl at isbd.net (Chris Green)
Date: Fri, 23 May 2014 12:13:51 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
In-Reply-To: <20140523110819.GA28217@chris>
References: <20140522214646.GA1402@chris> <20140522220822.GA2276@chris>
 <20140522223349.GA3680@chris>
 <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>
 <20140523091035.GA26074@chris> <20140523110819.GA28217@chris>
Message-ID: <20140523111351.GA30039@chris>

> interface and 192.168.1.4 by setting the listen address rather than
> using 'interface='.  How do I specify two addresses, do they both go
> on on listen-address= (comma spearated, space separated?) or do I put

on one listen-address= (comma separated, space separated?) or do I put

> two listen-address= lines?
> 

-- 
Chris Green


From simon at thekelleys.org.uk  Fri May 23 20:02:38 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 23 May 2014 21:02:38 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
In-Reply-To: <87zji8okf4.fsf@ferrier.me.uk>
References: <8761kxpmam.fsf@ferrier.me.uk>	<537E6F52.2090706@thekelleys.org.uk>
 <8738g1pjjl.fsf@ferrier.me.uk>	<537F072F.4020903@thekelleys.org.uk>
 <87zji8okf4.fsf@ferrier.me.uk>
Message-ID: <537FA95E.4080002@thekelleys.org.uk>

On 23/05/14 11:31, Nic Ferrier wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
> 
>> ... which is probably fighting you by making DBus calls which overwrite
>> yours. My understanding is that network-manager supports the sort of
>> split-DNS you want direct from the GUI these days.
> 
> Well, there are problems with it right now, it's stealing my
> gateway. Which is why I wanted to be tactical.
> 
> Also it's harder to work with than just scripts.
> 
> I don't believe network-manager is doing what you think it's doing, if
> it was surely dnsmasq would report the change of servers.
> 
> I wish I could use dbus to get dnsmasq to tell me what it's doing.

It does. Every time the  dbus method is invoked, it logs

"setting upstream servers from DBus"

and every time the set of upstream servers is changed, either through
DBus or otherwise, the whole set of upstream servers is logged.


> 
> 
>> If not see here, for how to wrest control of dnsmasq from network-manager:
>>
>> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q2/008528.html
> 
> I don't want to do that either. I am fine with the dbus that's running
> if it would do what I want it to do.
> 
> I don't want to wholesale change ubuntu.
> 
> 
> That feels like a bit of a final comment though.

Not at all, it seemed like the easiest option, at the time.
> 
> I guess I could try and alter dnsmasq's dbus handling myself to get it
> to report the servers it's using... but it'll be tricky to get ubuntu to
> use the new version I guess.

See above, it should be doing that. What version of dnsmasq are you using?


Cheers,

Simon.
> 
> 
> Thanks anyway.
> 
> 
> Nic
> 



From simon at thekelleys.org.uk  Fri May 23 20:08:15 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 23 May 2014 21:08:15 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
 machines
In-Reply-To: <20140523111351.GA30039@chris>
References: <20140522214646.GA1402@chris> <20140522220822.GA2276@chris>
 <20140522223349.GA3680@chris>
 <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>
 <20140523091035.GA26074@chris> <20140523110819.GA28217@chris>
 <20140523111351.GA30039@chris>
Message-ID: <537FAAAF.5060202@thekelleys.org.uk>

On 23/05/14 12:13, Chris Green wrote:
>> interface and 192.168.1.4 by setting the listen address rather than
>> using 'interface='.  How do I specify two addresses, do they both go
>> on on listen-address= (comma spearated, space separated?) or do I put
> 
> on one listen-address= (comma separated, space separated?) or do I put
> 
>> two listen-address= lines?
>>
> 

Two listen-address lines is fine.


Cheers,


Simon.



From linuxluser at gmail.com  Sat May 24 01:42:52 2014
From: linuxluser at gmail.com (Linux Luser)
Date: Fri, 23 May 2014 18:42:52 -0700
Subject: [Dnsmasq-discuss] converting ISC dhcpd.conf to dnsmasq
In-Reply-To: <5370FA99.4070202@kmaclub.com>
References: <5370FA99.4070202@kmaclub.com>
Message-ID: <CAPoZCFBm7L08eBbXW6te+6zp9t+nYzNbB13Bk8BVqbmPPn3joQ@mail.gmail.com>

Use the "set:tagname" option in your dhcp-host command. Then use that tag
in its own dhcp-boot command to send a specific boot file to a specific
host.


# PXE response for non-iPXE clients
dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-boot=tag:!ipxe,ipxe.pxe

# PXE response for host 'mythbed'
dhcp-host=bc:ee:7b:25:3b:15,set:mythbed,mythbed
tag-if=set:mythbed-ipxe,tag:ipxe,tag:mythbed
dhcp-boot=mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe

# PXE response for host 'mythliv'
dhcp-host=38:60:77:9c:6b:1d,set:mythliv,mythliv
tag-if=set:mythliv-ipxe,tag:ipxe,tag:mythliv
dhcp-boot=mythliv-ipxe,http://minimyth2/conf/mythbed/mythliv.ipxe


Using the 'tag-if' command, you can effectively combine two tags into one.
But depending on your case, you might be able to omit this line and
simply send the 'filename' DHCP field (which is what dhcp-boot does) for
every DHCP request, regardless of whether it is during an iPXE boot or not.


On Mon, May 12, 2014 at 9:45 AM, Michael <michael at kmaclub.com> wrote:

> Hello,
>
> i am trying to convert my existing isc dhcp service to dnsmasq.
>
> The only issue I am having is with netbooting.
>
> For isc dhcp, I have a few entries like:
> host mythbed {
>         hardware ethernet bc:ee:7b:25:3b:15;
>         fixed-address mythbed;
>         if exists user-class and option user-class = "iPXE" {
>                 #filename "http://minimyth/ipxe/mythbed";
>                 filename "http://minimyth2/conf/mythbed/mythbed.ipxe";
>         } else{
>                 filename "ipxe.pxe";
>         }
>         default-lease-time 604800;
>         max-lease-time 1209600;
> }
> host mythliv {
>         hardware ethernet 38:60:77:9c:6b:1d;
>         fixed-address mythliv;
>         if exists user-class and option user-class = "iPXE" {
>                 filename "http://minimyth2/conf/mythliv/mythliv.ipxe";
>         } else {
>                 filename "ipxe.pxe";
>         }
> }
>
> I have been trying to translate this into dnsmasq, but not having much
> luck.
>
> Something like this will let one host boot:
>
> dhcp-match=set:ipxe,175 # iPXE sends a 175 option
> dhcp-host=bc:ee:7b:25:3b:15,mythbed
> dhcp-boot=tag:!ipxe,ipxe.pxe
> dhcp-boot=tag:ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe
>
> But adding:
> dhcp-host=bc:ee:7b:25:3b:15,mythbed
> dhcp-boot=tag:!ipxe,ipxe.pxe
> dhcp-boot=tag:ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe
>
>
> causes the options for the first to get overwritten.
>
> Could someone give me an example of how to only supply  pxe options
> requested, if it is a certain host/mac, boot ipxe the first time, and then
> pass a URL to ipxe on the next request?
>
> I tried using multiple tags but either that isn't allowed or I didn't use
> them correctly.
>
> Any help would be much appreciated.
>
> Michael
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

From nic at ferrier.me.uk  Sat May 24 08:43:32 2014
From: nic at ferrier.me.uk (Nic Ferrier)
Date: Sat, 24 May 2014 09:43:32 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
In-Reply-To: <537FA95E.4080002@thekelleys.org.uk> (Simon Kelley's message of
 "Fri, 23 May 2014 21:02:38 +0100")
References: <8761kxpmam.fsf@ferrier.me.uk>
 <537E6F52.2090706@thekelleys.org.uk> <8738g1pjjl.fsf@ferrier.me.uk>
 <537F072F.4020903@thekelleys.org.uk> <87zji8okf4.fsf@ferrier.me.uk>
 <537FA95E.4080002@thekelleys.org.uk>
Message-ID: <87ppj37eiz.fsf@ferrier.me.uk>

Simon Kelley <simon at thekelleys.org.uk> writes:

>> I guess I could try and alter dnsmasq's dbus handling myself to get it
>> to report the servers it's using... but it'll be tricky to get ubuntu to
>> use the new version I guess.
>
> Se above, it should be doing that. What version of dnsmasq are you
> using?

I am using 2.68, which is Ubuntu's.

I discovered that I can kill and start dnsmasq and then I can get it all
to work.

But if I just stop and restart the vpn, calling the dbus-send every
time, it does not work. Although dnsmasq syslogs that it's using the
right servers, it doesn't seem to be.

Even if I send it SIGHUP before I send the dbus-send, dnsmasq syslogs
the new servers but does not seem to use them.


Interestingly, when you look at the way Ubuntu's Network Manager behaves
it seems to do the same thing (restart dnsmasq) when you drop one of
its native VPNs.


I've no idea how you'd test this.


Nic


From cl at isbd.net  Sat May 24 10:58:13 2014
From: cl at isbd.net (Chris Green)
Date: Sat, 24 May 2014 11:58:13 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
	machines
In-Reply-To: <537FAAAF.5060202@thekelleys.org.uk>
References: <20140522214646.GA1402@chris> <20140522220822.GA2276@chris>
 <20140522223349.GA3680@chris>
 <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>
 <20140523091035.GA26074@chris> <20140523110819.GA28217@chris>
 <20140523111351.GA30039@chris> <537FAAAF.5060202@thekelleys.org.uk>
Message-ID: <20140524105813.GA3778@chris>

On Fri, May 23, 2014 at 09:08:15PM +0100, Simon Kelley wrote:
> On 23/05/14 12:13, Chris Green wrote:
> >> interface and 192.168.1.4 by setting the listen address rather than
> >> using 'interface='.  How do I specify two addresses, do they both go
> >> on on listen-address= (comma spearated, space separated?) or do I put
> > 
> > on one listen-address= (comma separated, space separated?) or do I put
> > 
> >> two listen-address= lines?
> >>
> > 
> 
> Two listen-address lines is fine.
> 
OK, thanks.

Any idea why I have to specifically put the listen-address now?  I
never used to have to do it before on the other server which was
running the same version of dnsmasq and the same xubuntu distribution?


-- 
Chris Green


From michael at kmaclub.com  Sat May 24 14:30:30 2014
From: michael at kmaclub.com (Michael)
Date: Sat, 24 May 2014 07:30:30 -0700
Subject: [Dnsmasq-discuss] converting ISC dhcpd.conf to dnsmasq
In-Reply-To: <CAPoZCFBm7L08eBbXW6te+6zp9t+nYzNbB13Bk8BVqbmPPn3joQ@mail.gmail.com>
References: <5370FA99.4070202@kmaclub.com>
 <CAPoZCFBm7L08eBbXW6te+6zp9t+nYzNbB13Bk8BVqbmPPn3joQ@mail.gmail.com>
Message-ID: <5380AD06.9080004@kmaclub.com>

On 05/23/2014 06:42 PM, Linux Luser wrote:
> Use the "set:tagname" option in your dhcp-host command. Then use that 
> tag in its own dhcp-boot command to send a specific boot file to 
> a specific host.
>
>
> # PXE response for non-iPXE clients
> dhcp-match=set:ipxe,175 # iPXE sends a 175 option
> dhcp-boot=tag:!ipxe,ipxe.pxe
>
> # PXE response for host 'mythbed'
> dhcp-host=bc:ee:7b:25:3b:15,set:mythbed,mythbed
> tag-if=set:mythbed-ipxe,tag:ipxe,tag:mythbed
> dhcp-boot=mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe
>
> # PXE response for host 'mythliv'
> dhcp-host=38:60:77:9c:6b:1d,set:mythliv,mythliv
> tag-if=set:mythliv-ipxe,tag:ipxe,tag:mythliv
> dhcp-boot=mythliv-ipxe,http://minimyth2/conf/mythbed/mythliv.ipxe
>
>
> Using the 'tag-if' command, you can effectively combine two tags into 
> one. But depending on your case, you might be able to omit this line 
> and simply send the 'filename' DHCP field (which is what dhcp-boot 
> does) for every DHCP request, regardless of whether it is during an iPXE boot 
> or not.
>

Thanks, your example really helped me get it working.  Your example was 
only missing the tag on the dhcp-boot line.

# Special boot hosts
# PXE response for non-iPXE clients
dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-boot=tag:!ipxe,ipxe.pxe

# PXE response for host 'mythbed'
dhcp-host=bc:ee:7b:25:3b:15,set:mythbed,mythbed
tag-if=set:mythbed-ipxe,tag:ipxe,tag:mythbed
dhcp-boot=tag:mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe

# PXE response for host 'mythliv'
dhcp-host=38:60:77:9c:6b:1d,set:mythliv,mythliv
tag-if=set:mythliv-ipxe,tag:ipxe,tag:mythliv
dhcp-boot=tag:mythliv-ipxe,http://minimyth2/conf/mythliv/mythliv.ipxe

I really appreciate the help.  I can now EOL my local copy of tftp, 
bind, and dhcpd in favor of dnsmasq!

Michael
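As an added illustration of the tag mechanics discussed in Linux Luser's reply and in the corrected config above (this is not code from the thread or from dnsmasq itself), the following Python model parses both configs and shows which boot file each kind of client would receive. It models only the directives used here (dhcp-match and dhcp-host with set:, tag-if, and dhcp-boot with tag:/tag:! conditions) and assumes that the first dhcp-boot line whose conditions all hold wins. The two host MACs are the ones from the thread; the third MAC is a constructed unknown host.

```python
"""Model of how dnsmasq's tag system selects a dhcp-boot line.

Added illustration for the thread above; not dnsmasq's own code. Only the
directives used in the posted configs are modelled, and the first dhcp-boot
line whose conditions all hold is assumed to win. Both configs are
constructed from the thread.
"""
from dataclasses import dataclass, field

# Michael's working config: every per-host dhcp-boot line carries a tag: prefix.
CORRECTED_CONFIG = """
dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-boot=tag:!ipxe,ipxe.pxe

dhcp-host=bc:ee:7b:25:3b:15,set:mythbed,mythbed
tag-if=set:mythbed-ipxe,tag:ipxe,tag:mythbed
dhcp-boot=tag:mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe

dhcp-host=38:60:77:9c:6b:1d,set:mythliv,mythliv
tag-if=set:mythliv-ipxe,tag:ipxe,tag:mythliv
dhcp-boot=tag:mythliv-ipxe,http://minimyth2/conf/mythliv/mythliv.ipxe
"""

# The earlier suggestion: without the tag: prefix, "mythbed-ipxe" is read as
# an unconditional filename rather than as a condition.
BROKEN_CONFIG = CORRECTED_CONFIG.replace("dhcp-boot=tag:mythbed-ipxe,",
                                         "dhcp-boot=mythbed-ipxe,")


@dataclass
class Client:
    mac: str
    options: set = field(default_factory=set)   # DHCP option numbers the client sent


def parse_config(text):
    """Return (directive, [args]) pairs; '#' starts a comment, blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, val = line.partition("=")
        rules.append((key.strip(), [p.strip() for p in val.split(",")]))
    return rules


def _holds(cond, tags):
    """tag:name holds when the tag is set; tag:!name holds when it is not."""
    name = cond[len("tag:"):]
    return name[1:] not in tags if name.startswith("!") else name in tags


def client_tags(rules, client):
    """Tags set for this client: first from dhcp-match/dhcp-host, then tag-if."""
    tags = set()
    for key, args in rules:
        if key == "dhcp-match" and int(args[1]) in client.options:
            tags.add(args[0][len("set:"):])
        elif key == "dhcp-host" and args[0].lower() == client.mac.lower():
            tags.update(a[len("set:"):] for a in args[1:] if a.startswith("set:"))
    # tag-if lines are evaluated after the direct tags; loop so a tag-if may
    # depend on a tag that another tag-if produced.
    changed = True
    while changed:
        changed = False
        for key, args in rules:
            if key != "tag-if":
                continue
            conds = [a for a in args if a.startswith("tag:")]
            new = {a[len("set:"):] for a in args if a.startswith("set:")}
            if all(_holds(c, tags) for c in conds) and not new <= tags:
                tags |= new
                changed = True
    return tags


def boot_file(rules, client):
    """Filename (or URL) the first matching dhcp-boot line would send, else None."""
    tags = client_tags(rules, client)
    for key, args in rules:
        if key != "dhcp-boot":
            continue
        conds = [a for a in args if a.startswith("tag:")]
        rest = [a for a in args if not a.startswith("tag:")]
        if rest and all(_holds(c, tags) for c in conds):
            return rest[0]
    return None


if __name__ == "__main__":
    good, bad = parse_config(CORRECTED_CONFIG), parse_config(BROKEN_CONFIG)
    clients = [("mythbed PXE", Client("bc:ee:7b:25:3b:15")),          # plain PXE ROM
               ("mythbed iPXE", Client("bc:ee:7b:25:3b:15", {175})),  # same host under iPXE
               ("unknown iPXE", Client("00:11:22:33:44:55", {175}))]  # constructed MAC
    for name, c in clients:
        print(f"{name:13} corrected -> {boot_file(good, c)}  broken -> {boot_file(bad, c)}")
```

Run with the broken config, the iPXE request from mythbed is answered with the literal filename "mythbed-ipxe", which is the symptom Michael saw; with the tag: prefix restored it receives the URL, and an iPXE client whose MAC is not listed gets nothing at all.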



From simon at thekelleys.org.uk  Sat May 24 18:41:01 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 24 May 2014 19:41:01 +0100
Subject: [Dnsmasq-discuss] dnsmasq not working as DNS server for client
 machines
In-Reply-To: <20140524105813.GA3778@chris>
References: <20140522214646.GA1402@chris> <20140522220822.GA2276@chris>
 <20140522223349.GA3680@chris>
 <CAA93jw7-kXyU29E0VD-Mx3XmTOipD=wQnPsOjuqLFcF+yQQZTA@mail.gmail.com>
 <20140523091035.GA26074@chris> <20140523110819.GA28217@chris>
 <20140523111351.GA30039@chris> <537FAAAF.5060202@thekelleys.org.uk>
 <20140524105813.GA3778@chris>
Message-ID: <5380E7BD.6080501@thekelleys.org.uk>

On 24/05/14 11:58, Chris Green wrote:
> On Fri, May 23, 2014 at 09:08:15PM +0100, Simon Kelley wrote:
>> On 23/05/14 12:13, Chris Green wrote:
>>>> interface and 192.168.1.4 by setting the listen address rather than
>>>> using 'interface='.  How do I specify two addresses, do they both go
>>>> on on listen-address= (comma spearated, space separated?) or do I put
>>>
>>> on one listen-address= (comma separated, space separated?) or do I put
>>>
>>>> two listen-address= lines?
>>>>
>>>
>>
>> Two listen-address lines is fine.
>>
> OK, thanks.
> 
> Any idea why I have to specifically put the listen-address now?  I
> never used to have to do it before on the other server which was
> running the same version of dnsmasq and the same xubuntu distribution?
> 
> 

If there are _no_ listen-address or interface stanzas, then dnsmasq will
listen on every address; once you supply either, that limits where
dnsmasq listens and you have to specify all the addresses or interfaces.
I guess you've just got different configuration.


Cheers,

Simon.



From simon at thekelleys.org.uk  Sun May 25 08:18:13 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 25 May 2014 09:18:13 +0100
Subject: [Dnsmasq-discuss] dnsmasq and dbus - strange reset behaviour
In-Reply-To: <87ppj37eiz.fsf@ferrier.me.uk>
References: <8761kxpmam.fsf@ferrier.me.uk>	<537E6F52.2090706@thekelleys.org.uk>
 <8738g1pjjl.fsf@ferrier.me.uk>	<537F072F.4020903@thekelleys.org.uk>
 <87zji8okf4.fsf@ferrier.me.uk>	<537FA95E.4080002@thekelleys.org.uk>
 <87ppj37eiz.fsf@ferrier.me.uk>
Message-ID: <5381A745.50602@thekelleys.org.uk>

On 24/05/14 09:43, Nic Ferrier wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
> 
>>> I guess I could try and alter dnsmasq's dbus handling myself to get it
>>> to report the servers it's using... but it'll be tricky to get ubuntu to
>>> use the new version I guess.
>>
>> See above, it should be doing that. What version of dnsmasq are you
>> using?
> 
> I am using 2.68, which is Ubuntu's.
> 
> I discovered that I can kill and start dnsmasq and then I can get it all
> to work.
> 
> But if I just stop and restart the vpn, calling the dbus-send every
> time, it does not work. Although dnsmasq syslogs that it's using the
> right servers, it doesn't seem to be.
> 
> Even if I send it SIGHUP before I send the dbus-send, dnsmasq syslogs
> the new servers but does not seem to use them.
> 
> 
> Interestingly, when you look at the way Ubuntu's Network Manager behaves
> it seems to do the same thing (restart dnsmasq) when you drop one of
> its native VPNs.
> 
> 
> I've no idea how you'd test this.

A suggestion: attach to the process using strace. That should give you
information about where dnsmasq is getting queries from and sending them
to, with a bit of interpretation. Post strace output here if you need
help with interpretation.

Cheers,

Simon.

> 
> 
> Nic
> 



From nathandownes at hotmail.com  Sun May 25 11:50:08 2014
From: nathandownes at hotmail.com (Mr Nathan Downes)
Date: Sun, 25 May 2014 21:50:08 +1000
Subject: [Dnsmasq-discuss] Is this possible? different response for a
	certain IP range
Message-ID: <BLU170-DS25C61EF48C542CFDD6E5E8D7380@phx.gbl>

Hi,

I want to use dnsmasq for general caching of DNS, listening on a public IP
and an internal IP used for NAT PPPOE clients (172.16.x.x).  I want one
address, when the internet NAT clients request it, to return an internal IP,
but not for anyone else.

i.e.

any other IP requests whats.the.ip.com: it would get 130.130.44.44

172.16.x.x client requests whats.the.ip.com: it would get 172.16.0.10

I am going to use this to bypass the NAT for PPPOE clients for a SIP server,
so they can route direct to it.  But I don't want this for the PPPOE clients
that get a public IP, because they have no way to route to the internal IP.

Thanks,

Nathan


From cl at isbd.net  Sun May 25 18:02:18 2014
From: cl at isbd.net (Chris Green)
Date: Sun, 25 May 2014 19:02:18 +0100
Subject: [Dnsmasq-discuss] dnsmasq tries to start up before eth0 is ready,
	how to fix?
Message-ID: <20140525180218.GA4754@chris>

I have the following in my dnsmasq.conf file:-

    listen-address=192.168.1.4
    listen-address=127.0.0.1

In syslog when I reboot I'm seeing:-

    May 25 18:45:07 chris dnsmasq[1300]: failed to create listening socket for 192.168.1.4: Cannot assign requested address
    May 25 18:45:07 chris dnsmasq[1300]: FAILED to start up

The reason is simple to see, eth0 (which is 192.168.1.4) only comes up
three seconds later:-

    May 25 18:45:10 chris NetworkManager[1305]: <info> (eth0): carrier now ON (device state 20)
    May 25 18:45:10 chris NetworkManager[1305]: <info> (eth0): device state change: unavailable -> disconnected (reason 'carrier-changed') [20 30 40]
    May 25 18:45:10 chris kernel: [   40.576716] r8169 0000:03:00.0 eth0: link up
    May 25 18:45:10 chris kernel: [   40.576730] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready


Is there any way to make dnsmasq wait for eth0 to be ready?  Or,
alternatively, as I originally had (but don't seem to get by default
on this system) how do I get dnsmasq to accept input from anywhere?

-- 
Chris Green


From albert.aribaud at free.fr  Sun May 25 18:09:09 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Sun, 25 May 2014 20:09:09 +0200
Subject: [Dnsmasq-discuss] dnsmasq tries to start up before eth0 is
 ready, how to fix?
In-Reply-To: <20140525180218.GA4754@chris>
References: <20140525180218.GA4754@chris>
Message-ID: <20140525200909.7b8d9c0e@lilith>

Hello Chris,

On Sun, 25 May 2014 19:02:18 +0100, Chris Green <cl at isbd.net> wrote:

> I have the following in my dnsmasq.conf file:-
> 
>     listen-address=192.168.1.4
>     listen-address=127.0.0.1
> 
> In syslog when I reboot I'm seeing:-
> 
>     May 25 18:45:07 chris dnsmasq[1300]: failed to create listening socket for 192.168.1.4: Cannot assign requested address
>     May 25 18:45:07 chris dnsmasq[1300]: FAILED to start up
> 
> The reason is simple to see, eth0 (which is 192.168.1.4) only comes up
> three seconds later:-
> 
>     May 25 18:45:10 chris NetworkManager[1305]: <info> (eth0): carrier now ON (device state 20)
>     May 25 18:45:10 chris NetworkManager[1305]: <info> (eth0): device state change: unavailable -> disconnected (reason 'carrier-changed') [20 30 40]
>     May 25 18:45:10 chris kernel: [   40.576716] r8169 0000:03:00.0 eth0: link up
>     May 25 18:45:10 chris kernel: [   40.576730] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
> 
> 
> Is there any way to make dnsmasq wait for eth0 to be ready?  Or,
> alternatively, as I originally had (but don't seem to get by default
> on this system) how do I get dnsmasq to accept input from anywhere?

I believe the option --bind-dynamic can help, if it is available to
you.

Kind regards,
-- 
Albert.


From donald.chisholm at gmail.com  Tue May 27 00:23:27 2014
From: donald.chisholm at gmail.com (Donald Chisholm)
Date: Mon, 26 May 2014 21:23:27 -0300
Subject: [Dnsmasq-discuss] DHCP option for Captive Portals
Message-ID: <CACHmctDnoBFQ9+n+y2Xomke391ca=v-N=yv-xJtNijkE5ivzrg@mail.gmail.com>

Hi all,

Recently I have noticed that on connect some wifi hotspots provide a popup
message indicating that the user must login to obtain Internet access.
Since the user has not yet opened a browser I figure this feature is
implemented via a DHCP option.  I found references to the
proposed Captive-Portal identification in DHCP draft-wkumari-dhc-capport-00
(http://tools.ietf.org/html/draft-wkumari-dhc-capport-00) which seems to be
what I am looking for but it does not mention a proposed option number.

Anyone here know what the option is called or can point me in the direction
of how this may be implemented?

Thank you for reading,

Donald

From albert.aribaud at free.fr  Tue May 27 05:54:02 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Tue, 27 May 2014 07:54:02 +0200
Subject: [Dnsmasq-discuss] DHCP option for Captive Portals
In-Reply-To: <CACHmctDnoBFQ9+n+y2Xomke391ca=v-N=yv-xJtNijkE5ivzrg@mail.gmail.com>
References: <CACHmctDnoBFQ9+n+y2Xomke391ca=v-N=yv-xJtNijkE5ivzrg@mail.gmail.com>
Message-ID: <20140527075402.59c35090@lilith>

Hi Donald,

On Mon, 26 May 2014 21:23:27 -0300, Donald Chisholm
<donald.chisholm at gmail.com> wrote:

> Hi all,
> 
> Recently I have noticed that on connect some wifi hotspots provide a popup
> message indicating that the user must login to obtain Internet access.
>  Since the user has not yet opened a browser I figure this feature is
> implemented via a DHCP option.  I found references to the
> proposed Captive-Portal identification in DHCP draft-wkumari-dhc-capport-00
> (http://tools.ietf.org/html/draft-wkumari-dhc-capport-00) which seems to be
> what I am looking for but it does not mention a proposed option number.
> 
> Anyone here know what the option is called or can point me in the direction
> of how this may be implemented.

No idea about the option number (rather than 'name') since it still is
TBA in the RFC, but if you know of a hotspot which does this, you can
set up a machine with tcpdump or wireshark running, connect to the
hotspot, and see for yourself.

Implementing the option in dnsmasq should not prove difficult, as I
guess it is just a matter of adding the right dhcp-option line in your
dnsmasq configuration.

> Thank you for reading,
> 
> Donald

Kind regards,
-- 
Albert.


From cl at isbd.net  Tue May 27 10:14:26 2014
From: cl at isbd.net (Chris Green)
Date: Tue, 27 May 2014 11:14:26 +0100
Subject: [Dnsmasq-discuss] Why dnsmasq got external DNS requests on one
	system and not another
Message-ID: <20140527101426.GB11389@chris>

I think I have finally fathomed out why my new dnsmasq installation on
my desktop machine didn't work whereas an apparently identical setup on
a small server did work.

I *think* it's because Network Manager puts a file in /etc/dnsmasq.d
that just has one directive in it:-
    bind-interfaces
I believe this is left there from the 'dnsmasq run by Network Manager'
mode which is the default on [x]ubuntu systems.

On the small server (where everything did work OK) the bind-interfaces
directive didn't really do much as eth0 was already up and running
when dnsmasq started so dnsmasq would listen on eth0.  However on my
desktop machine, for whatever reason, eth0 takes a long time to start
working (there are loads of messages about it in syslog at start-up
time) and thus bind-interfaces stops dnsmasq from listening on eth0
because it's not there when dnsmasq starts.

I've fixed it on my desktop machine simply by removing the
bind-interfaces directive.  Now there are no 'listen-address' or
'interface' directives (as per the original setup) and without the
bind-interfaces directive dnsmasq listens on everything, which is
OK on my small home LAN.

Does this make sense?  I.e.  is my understanding correct?  ...  and
again is it worth adding to the FAQ if my diagnosis is correct, I
guess an interface being late to start up isn't *that* rare an
occurrence.  Maybe just a note to say that one should remove the
'bind-interfaces' directive left there by Network Manager if installing
a 'proper' dnsmasq.

-- 
Chris Green


From alex_y_xu at yahoo.ca  Tue May 27 11:03:17 2014
From: alex_y_xu at yahoo.ca (Alex Xu)
Date: Tue, 27 May 2014 07:03:17 -0400
Subject: [Dnsmasq-discuss] DHCP option for Captive Portals
In-Reply-To: <CACHmctDnoBFQ9+n+y2Xomke391ca=v-N=yv-xJtNijkE5ivzrg@mail.gmail.com>
References: <CACHmctDnoBFQ9+n+y2Xomke391ca=v-N=yv-xJtNijkE5ivzrg@mail.gmail.com>
Message-ID: <538470F5.3000502@yahoo.ca>

On 26/05/14 08:23 PM, Donald Chisholm wrote:
> Recently I have noticed that on connect some wifi hotspots provide a popup
> message indicating that the user must login to obtain Internet access.
>  Since the user has not yet opened a browser I figure this feature is
> implemented via a DHCP option.  I found references to the
> proposed Captive-Portal identification in DHCP draft-wkumari-dhc-capport-00
> (http://tools.ietf.org/html/draft-wkumari-dhc-capport-00) which seems to be
> what I am looking for but it does not mention a proposed option number.
> 
> Anyone here know what the option is called or can point me in the direction
> of how this may be implemented.

This has nothing to do with DHCP. Basically what Windows does is it
tries to GET a file on msft servers, and if it gets redirected or
otherwise receives the wrong page, it assumes there is a portal.
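To make the check Alex describes concrete, here is an added example (not code from the thread, from dnsmasq, or from any OS vendor) that classifies the reply to a fixed probe URL whose correct answer is known in advance. PROBE_URL and EXPECTED_BODY are placeholders, not the real values Windows or Android use, and the four responses are constructed to cover the situations discussed: an open network, a portal that redirects, a portal that serves its own page with a 200, and no connectivity at all.

```python
"""Classify a connectivity-probe reply as open, captive portal, or down.

Added illustration of the check described in the thread; not vendor code.
The probe URL and expected body are placeholders, and every Response below
is constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

PROBE_URL = "http://probe.example.invalid/connectivity.txt"  # placeholder, not a real vendor URL
EXPECTED_STATUS = 200
EXPECTED_BODY = "OK"                                          # placeholder expected body


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        """Case-insensitive header lookup; '' when absent."""
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def classify(resp):
    """Return (verdict, detail); resp is None when the probe got no answer at all."""
    if resp is None:
        return "no-connectivity", "probe request failed"
    if 300 <= resp.status < 400:
        # A hotspot that wants a login bounces the probe to its own login page.
        host = urlsplit(resp.header("Location")).hostname or "unknown host"
        return "captive-portal", f"redirected to {host}"
    if resp.status == EXPECTED_STATUS and resp.body.strip() == EXPECTED_BODY:
        return "internet", "probe answered as expected"
    if resp.status == EXPECTED_STATUS:
        # Some portals answer 200 with their own page instead of redirecting.
        return "captive-portal", "probe answered but the body was substituted"
    return "unexpected", f"HTTP {resp.status}"


# Constructed responses, one per situation the thread discusses.
SAMPLES = {
    "open": Response(200, {"Content-Type": "text/plain"}, "OK\n"),
    "redirecting-hotspot": Response(302, {"location": "https://login.hotspot.example/?r=1"}),
    "intercepting-hotspot": Response(200, {"Content-Type": "text/html"},
                                     "<html>Please log in</html>"),
    "link-down": None,
}


def run_all():
    """Verdict for every sample, keyed by sample name."""
    return {name: classify(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in run_all().items():
        print(f"{name:22} {verdict:16} {detail}")
```

The body comparison matters as much as the status code: a portal that transparently intercepts HTTP and answers 200 with its own page would pass a status-only check, which is why the probe's expected content is fixed in advance.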


From donald.chisholm at gmail.com  Tue May 27 21:41:50 2014
From: donald.chisholm at gmail.com (Donald Chisholm)
Date: Tue, 27 May 2014 18:41:50 -0300
Subject: [Dnsmasq-discuss] DHCP option for Captive Portals
In-Reply-To: <538470F5.3000502@yahoo.ca>
References: <CACHmctDnoBFQ9+n+y2Xomke391ca=v-N=yv-xJtNijkE5ivzrg@mail.gmail.com>
 <538470F5.3000502@yahoo.ca>
Message-ID: <CACHmctBzMJY+qH6Xrp02cozB5iiAcy6gmsTu1s4cbFMjAA-b6w@mail.gmail.com>

Thanks Alex.  I was able to confirm that on a new DHCP lease both my Android
and Windows machines make a request for a particular URL and, if that is
redirected, present the captive portal message.

I'm going to take a closer look at the dhcp messages to confirm when this
is happening.

Thanks again

On May 27, 2014 8:06 AM, "Alex Xu" <alex_y_xu at yahoo.ca> wrote:

> On 26/05/14 08:23 PM, Donald Chisholm wrote:
> > Recently I have noticed that on connect some wifi hotspots provide a
> popup
> > message indicating that the user must login to obtain Internet access.
> >  Since the user has not yet opened a browser I figure this feature is
> > implemented via a DHCP option.  I found references to the
> > proposed Captive-Portal identification in DHCP
> draft-wkumari-dhc-capport-00
> > (http://tools.ietf.org/html/draft-wkumari-dhc-capport-00) which seems
> to be
> > what I am looking for but it does not mention a proposed option number.
> >
> > Anyone here know what the option is called or can point me in the
> direction
> > of how this may be implemented.
>
> This has nothing to do with DHCP. Basically what Windows does is it
> tries to GET a file on msft servers, and if it gets redirected or
> otherwise receives the wrong page, it assumes there is a portal.
>
>

From donald.chisholm at gmail.com  Tue May 27 21:43:23 2014
From: donald.chisholm at gmail.com (Donald Chisholm)
Date: Tue, 27 May 2014 18:43:23 -0300
Subject: [Dnsmasq-discuss] DHCP option for Captive Portals
In-Reply-To: <20140527075402.59c35090@lilith>
References: <CACHmctDnoBFQ9+n+y2Xomke391ca=v-N=yv-xJtNijkE5ivzrg@mail.gmail.com>
 <20140527075402.59c35090@lilith>
Message-ID: <CACHmctCqLnqxHm-nXY-WK90FwkRUBPOR4Vs-8_PduO37xDCXhQ@mail.gmail.com>

Good idea.  If I think about it I'll trace this next time I'm in a
hotspot.

On May 27, 2014 2:54 AM, "Albert ARIBAUD" <albert.aribaud at free.fr> wrote:

> Hi Donald,
>
> On Mon, 26 May 2014 21:23:27 -0300, Donald Chisholm
> <donald.chisholm at gmail.com> wrote:
>
> > Hi all,
> >
> > Recently I have noticed that on connect some wifi hotspots provide a
> popup
> > message indicating that the user must login to obtain Internet access.
> >  Since the user has not yet opened a browser I figure this feature is
> > implemented via a DHCP option.  I found references to the
> > proposed Captive-Portal identification in DHCP
> draft-wkumari-dhc-capport-00
> > (http://tools.ietf.org/html/draft-wkumari-dhc-capport-00) which seems
> to be
> > what I am looking for but it does not mention a proposed option number.
> >
> > Anyone here know what the option is called or can point me in the
> direction
> > of how this may be implemented.
>
> No idea about the option number (rather than 'name') since it still is
> TBA in the RFC, but if you know of a hotspot which does this, you can
> set up a machine with tcpdump or wireshark running, connect to the
> hotspot, and see for yourself.
>
> Implementing the option in dnsmasq should not prove difficult, as I
> guess it is just a matter of adding the right dhcp-option line in your
> dnsmasq configuration.
>
> > Thank you for reading,
> >
> > Donald
>
> Kind regards,
> --
> Albert.
>

From woody77 at gmail.com  Tue May 27 23:24:08 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Tue, 27 May 2014 16:24:08 -0700
Subject: [Dnsmasq-discuss] not getting address specified in dhcp_hosts
Message-ID: <CALQXh-PjxdpPKVt+rxUYBY9FSmZgH7MRXc=YAD3-sb3dM5CFSA@mail.gmail.com>

This is a _very_ old platform, running 2.47.

What happens is that a client requests its previous address in the DHCP
DISCOVER packet, and that's ack'd as ok by dnsmasq, even though it differs
from the address as specified in the dhcp-hosts file that's in use.

On a much newer build of dnsmasq, I see the expected (by me) behavior of
the requested address being denied, and the configured address returned.

Further, my lease change notification script is getting an "old"
notification for the requested address, but never getting a notification
that a valid lease was handed out.  As such the application listening to
the lease notification events is losing track of the devices in question.

I've gone through the release notes, and I'm not seeing when this would
have changed.  I can attempt to port a newer version of dnsmasq to the
system, but it's a very old version of OpenWRT (8.x), on linux 2.4...

Is this something that I can configure around?

Thanks,
Aaron

From simon at thekelleys.org.uk  Wed May 28 16:19:20 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 28 May 2014 17:19:20 +0100
Subject: [Dnsmasq-discuss] Why dnsmasq got external DNS requests on one
 system and not another
In-Reply-To: <20140527101426.GB11389@chris>
References: <20140527101426.GB11389@chris>
Message-ID: <53860C88.9060607@thekelleys.org.uk>

On 27/05/14 11:14, Chris Green wrote:
> I think I have finally fathomed out why my new dnsmasq installation on
> my desktop machine didn't work whereas an apparently identical setup on
> a small server did work.
>
> I *think* it's because Network Manager puts a file in /etc/dnsmasq.d
> that just has one directive in it:-
>      bind-interfaces
> I believe this is left there from the 'dnsmasq run by Network Manager'
> mode which is the default on [x]ubuntu systems.
>
> On the small server (where everything did work OK) the bind-interfaces
> directive didn't really do much as eth0 was already up and running
> when dnsmasq started so dnsmasq would listen on eth0.  However on my
> desktop machine, for whatever reason, eth0 takes a long time to start
> working (there are loads of messages about it in syslog at start-up
> time) and thus bind-interfaces stops dnsmasq from listening on eth0
> because it's not there when dnsmasq starts.
>
> I've fixed it on my desktop machine simply by removing the
> bind-interfaces directive.  Now there are no 'listen-address' or
> 'interface' directives (as per the original setup) and without the
> bind-interfaces directive dnsmasq listens on everything, which is
> OK on my small home LAN.
>
> Does this make sense?  I.e.  is my understanding correct?  ...  and
> again is it worth adding to the FAQ if my diagnosis is correct, I
> guess an interface being late to start up isn't *that* rare an
> occurrence.  Maybe just a note to say that one should remove the
> 'bind-interfaces' directive left there by Network Manager if installing
> a 'proper' dnsmasq.
>


One effect of "bind-interfaces" is exactly that dnsmasq only listens on 
interfaces that exist when it starts up, so that's enough to explain what 
you saw. Well done for finding the problem.
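An added example (not code from the thread or from dnsmasq) that applies the rule Simon gave in the listen-address thread (no interface= or listen-address= means every address; either one restricts dnsmasq to what is listed) together with the bind-interfaces behaviour confirmed here and Albert's --bind-dynamic suggestion, to a set of config fragments. It assumes one interface= or listen-address= value per line, the form confirmed in the thread, and that dnsmasq.conf and the /etc/dnsmasq.d fragments are read in the order given. The sample configs are constructed from the posts: the desktop with Network Manager's leftover bind-interfaces fragment, and the explicit two-line listen-address config.

```python
"""Report where a dnsmasq instance will listen, from its config fragments.

Added illustration for the two threads above; not dnsmasq's own code. One
interface= or listen-address= value per line is assumed, and files are
read in the order supplied. Sample configs are constructed from the posts.
"""
from dataclasses import dataclass, field


@dataclass
class ListenReport:
    interfaces: list = field(default_factory=list)
    listen_addresses: list = field(default_factory=list)
    except_interfaces: list = field(default_factory=list)
    bind_interfaces: bool = False
    bind_dynamic: bool = False
    warnings: list = field(default_factory=list)

    @property
    def mode(self):
        # No interface/listen-address at all means every address; supplying
        # either restricts dnsmasq to exactly what is listed.
        return "restricted" if (self.interfaces or self.listen_addresses) else "all-addresses"


def directives(text):
    """Yield (key, value) pairs; '#' starts a comment, flag options have value ''."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition("=")
            yield key.strip(), val.strip()


def analyse(files):
    """files maps a path (used only in messages) to its text, in read order."""
    r = ListenReport()
    origin = {}  # which file set bind-interfaces / bind-dynamic
    for path, text in files.items():
        for key, val in directives(text):
            if key == "interface":
                r.interfaces.append(val)
            elif key == "listen-address":
                r.listen_addresses.append(val)
            elif key == "except-interface":
                r.except_interfaces.append(val)
            elif key in ("bind-interfaces", "bind-dynamic"):
                setattr(r, key.replace("-", "_"), True)
                origin[key] = path
    if r.bind_interfaces and r.bind_dynamic:
        r.warnings.append("bind-interfaces and bind-dynamic are mutually exclusive")
    if r.bind_interfaces:
        r.warnings.append(
            f"bind-interfaces (from {origin['bind-interfaces']}): only interfaces and "
            "addresses present at startup get a listener; one that comes up later is "
            "never picked up, and a listed address that is not yet assigned fails "
            "startup. bind-dynamic avoids this where the platform supports it.")
    if r.mode == "all-addresses" and not (r.bind_interfaces or r.bind_dynamic):
        r.warnings.append(
            "no interface= or listen-address=: dnsmasq answers on every address, "
            "public ones included; restrict it or firewall it on multi-homed hosts.")
    return r


# Constructed from the threads: the desktop with Network Manager's leftover
# fragment, and the explicit two-line listen-address configuration.
NM_LEFTOVER = {
    "/etc/dnsmasq.conf": "# no interface/listen-address here\ndomain-needed\nbogus-priv\n",
    "/etc/dnsmasq.d/network-manager": "bind-interfaces\n",
}
EXPLICIT = {
    "/etc/dnsmasq.conf": "listen-address=192.168.1.4\nlisten-address=127.0.0.1\n",
}

if __name__ == "__main__":
    for name, files in (("NM leftover", NM_LEFTOVER), ("explicit", EXPLICIT)):
        rep = analyse(files)
        print(f"{name}: mode={rep.mode} addresses={rep.listen_addresses} "
              f"bind-interfaces={rep.bind_interfaces}")
        for w in rep.warnings:
            print("  warning:", w)
```

The desktop case comes out as "all-addresses" with a bind-interfaces warning naming the dnsmasq.d fragment, which is the combination Chris diagnosed: nothing restricts the address list, yet eth0 is missed because it did not exist when dnsmasq bound its sockets.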


Cheers,

Simon.



From olaf at aepfle.de  Fri May 30 10:05:17 2014
From: olaf at aepfle.de (Olaf Hering)
Date: Fri, 30 May 2014 12:05:17 +0200
Subject: [Dnsmasq-discuss] how to track changes for a given hostname
Message-ID: <20140530100517.GA32235@aepfle.de>


My dnsmasq sometimes forgets the hostname of one of my boxes. I wonder
how to track that without tweaking the source?

My reconnect script reports:
...
ssh: connect to host optiplex port 22: Connection refused
rc '255'. root at optiplex @ Fr 30. Mai 11:27:43 CEST 2014
ssh: connect to host optiplex port 22: Connection refused
rc '255'. root at optiplex @ Fr 30. Mai 11:29:01 CEST 2014
ssh: Could not resolve hostname optiplex: Name or service not known
rc '255'. root at optiplex @ Fr 30. Mai 11:30:20 CEST 2014
ssh: Could not resolve hostname optiplex: Name or service not known
rc '255'. root at optiplex @ Fr 30. Mai 11:31:40 CEST 2014
...


My setup is like this:

 * A FritzBox 7360, which acts as DHCP and DNS server.
 * My Workstation running openSUSE 11.4, with dnsmasq-2.70, it acts as DNS
   for localhost and as DHCP proxy to provide TFTP to other hosts.
   Compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6
   no-Lua TFTP no-conntrack ipset auth no-DNSSEC

 * A Testhost named optiplex. It is reachable with IPv4 and IPv6.

When the failure above happens, my workstation fails to resolve
optiplex. Restarting dnsmasq helps.

olaf at probook:~ $ host optiplex
olaf at probook:~ $ host optiplex fritz.box
Using domain server:
Name: fritz.box
Address: fd00::a96:d7ff:feb1:1e3d#53
Aliases: 

optiplex.fritz.box has address 192.168.2.102
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
olaf at probook:~ $ host optiplex 192.168.2.1
Using domain server:
Name: 192.168.2.1
Address: 192.168.2.1#53
Aliases: 

optiplex.fritz.box has address 192.168.2.102
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
olaf at probook:~ $ 

olaf at probook:~ $ sudo su -
root's password:
root at probook:~ # rcdnsmasq restart
Shutting name service masq caching server done
Starting name service masq caching server done
root at probook:~ # logout
olaf at probook:~ $ host optiplex
optiplex.fritz.box has address 192.168.2.102
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
olaf at probook:~ $ host optiplex fritz.box
Using domain server:
Name: fritz.box
Address: fd00::a96:d7ff:feb1:1e3d#53
Aliases: 

optiplex.fritz.box has address 192.168.2.102
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
olaf at probook:~ $ 


How can I find out why optiplex fails to resolve?


Olaf


From augustus_meyer at yahoo.de  Sat May 31 13:17:04 2014
From: augustus_meyer at yahoo.de (reiner otto)
Date: Sat, 31 May 2014 14:17:04 +0100 (BST)
Subject: [Dnsmasq-discuss] How to get rid of AAAA forwards ?
Message-ID: <1401542224.24617.YahooMailNeo@web172704.mail.ir2.yahoo.com>

I have dnsmasq installed on an embedded system, with a mobile internet connection. IPV6 is completely disabled in the kernel, for all interfaces.
In the logs I still see a lot of messages like these ones:
May 29 07:41:32 localhost dnsmasq[3604]: query[AAAA] edpn.ebay.com from 192.168.60.1
May 29 07:41:32 localhost dnsmasq[3604]: cached edpn.ebay.com is <CNAME>
May 29 07:41:32 localhost dnsmasq[3604]: forwarded edpn.ebay.com to 8.8.8.8
May 29 07:41:32 localhost dnsmasq[3604]: reply edpn.g.ebay.com is NODATA-IPv6

So the request is forwarded, although the result is very predictable, generating unnecessary traffic.

How to avoid these unnecessary forwards ?

(I would even apply a "dirty hack" to some src of dnsmasq, in case you can give me an initial hint.)

From zac at thetolleys.com  Sun Jun  1 11:20:30 2014
From: zac at thetolleys.com (Zac Tolley)
Date: Sun, 1 Jun 2014 12:20:30 +0100
Subject: [Dnsmasq-discuss] How can I use dnsmasq to replace radvd
Message-ID: <29506959-DE83-4181-8692-7190D6F1AD7C@thetolleys.com>

I have a small network which currently uses dnsmasq for IPv4 address allocation, DNS resolution and setting things like the IPv4 router address.  It's a real simple setup, I just wanted to override the fact that my network hosts used my ISP's DNS and let me resolve the names of the servers on my network.

I've also setup IPv6 and run radvd but I think dnsmasq can do that too, I just don't know how.

Any pointers?

my radvd config is 

interface eth0 {
      AdvSendAdvert on;
      AdvManagedFlag on;
      AdvOtherConfigFlag on;
      AdvLinkMTU 1280;
      MinRtrAdvInterval 3;
      MaxRtrAdvInterval 4;
      prefix 2a01:348:6:876d::1/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
      };
};



From albert.aribaud at free.fr  Sun Jun  1 11:42:52 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Sun, 1 Jun 2014 13:42:52 +0200
Subject: [Dnsmasq-discuss] How can I use dnsmasq to replace radvd
In-Reply-To: <29506959-DE83-4181-8692-7190D6F1AD7C@thetolleys.com>
References: <29506959-DE83-4181-8692-7190D6F1AD7C@thetolleys.com>
Message-ID: <20140601134252.2710c382@lilith>

Hi Zac,

On Sun, 1 Jun 2014 12:20:30 +0100, Zac Tolley <zac at thetolleys.com>
wrote:

> I have a small network which currently uses dnsmasq for IPv4 address allocation, DNS resolution and setting things like the IPv4 router address.  It's a real simple setup, I just wanted to override the fact that my network hosts used my ISP's DNS and let me resolve the names of the servers on my network.
> 
> I've also setup IPv6 and run radvd but I think dnsmasq can do that too, I just don't know how.
> 
> Any pointers?
> 
> my radvd config is 
> 
> interface eth0 {
>       AdvSendAdvert on;
>       AdvManagedFlag on;
>       AdvOtherConfigFlag on;
>       AdvLinkMTU 1280;
>       MinRtrAdvInterval 3;
>       MaxRtrAdvInterval 4;
>       prefix 2a01:348:6:876d::1/64 {
>             AdvOnLink on;
>             AdvAutonomous on;
>             AdvRouterAddr on;
>       };
> };

I would say something along the lines of adding this to your dnsmasq
config:

enable-ra
dhcp-range=2a01:348:6:876d::,slaac

(then fine-tune the RA parameters, also add an ra-param line, see the
man page)

If you also give (and resolve) names for your local machines, then you
might want to put "ra-names" instead of "slaac".

Best regards,
-- 
Albert.


From simon at thekelleys.org.uk  Sun Jun  1 20:12:33 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 01 Jun 2014 21:12:33 +0100
Subject: [Dnsmasq-discuss] How to get rid of AAAA forwards ?
In-Reply-To: <1401542224.24617.YahooMailNeo@web172704.mail.ir2.yahoo.com>
References: <1401542224.24617.YahooMailNeo@web172704.mail.ir2.yahoo.com>
Message-ID: <538B8931.8090808@thekelleys.org.uk>

On 31/05/14 14:17, reiner otto wrote:
> I have dnsmasq installed on an embedded system, with a mobile internet connection. IPV6 is completely disabled in the kernel, for all interfaces.
> In the logs I still see a lot of messages like these ones:
> May 29 07:41:32 localhost dnsmasq[3604]: query[AAAA] edpn.ebay.com from 192.168.60.1
> May 29 07:41:32 localhost dnsmasq[3604]: cached edpn.ebay.com is <CNAME>
> May 29 07:41:32 localhost dnsmasq[3604]: forwarded edpn.ebay.com to 8.8.8.8
> May 29 07:41:32 localhost dnsmasq[3604]: reply edpn.g.ebay.com is NODATA-IPv6
> 
> So the request is forwarded, although the result is very predictable, generating unnecessary traffic.
> 
> How to avoid these unnecessary forwards ?
> 
> (I would even apply a "dirty hack" to some src of dnsmasq, in case you can give me an initial hint.)
> 

There's no way to do that with the stock code. It comes under the
heading of "messing with the DNS" which tends not to work well. In this
case, consider what answer you should supply.

You could provide a NODATA response to each AAAA query, but that is
telling the resolver that there _is_ data at a domain name of some type.
If the domain doesn't exist, that may come back and bite you.

On the other hand, you could provide a NXDOMAIN reply, but then the
resolver will not bother to do the A query, since you told it that the
domain doesn't exist.


There's a whole load of IETF work, under the title of "happy eyeballs", on
how to get systems to work well when IPv4 and IPv6 may or may not both
exist. That's a good place to start researching this.



Cheers,


Simon.
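
To make the two choices Simon weighs concrete, here is an added example (not part of the thread and not dnsmasq code): it builds the AAAA query from the log in DNS wire format, forges a NODATA and an NXDOMAIN reply for it, and models how a dual-stack stub resolver reacts to each. The name edpn.ebay.com comes from the log; the query id, the flag handling and the client model are constructed.

```python
"""Model of the two 'answer AAAA locally' options discussed in the thread.

Constructed example: it builds DNS wire-format messages (RFC 1035 header and
question section), forges the two possible local replies to an AAAA query and
shows what a dual-stack client does with each one.
"""
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid: int, name: str, qtype: int) -> bytes:
    """A recursion-desired query with a single question (class IN)."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def forge_reply(query: bytes, rcode: int) -> bytes:
    """Answer the query locally with no records at all.

    RCODE 0 with ANCOUNT 0 is a NODATA reply ("the name exists, but has no
    record of this type"); RCODE 3 is NXDOMAIN ("the name does not exist").
    The question section is echoed back unchanged.
    """
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | (flags & FLAG_RD) | FLAG_RA | rcode
    return struct.pack("!HHHHHH", qid, flags, qdcount, 0, 0, 0) + query[12:]


def parse_header(msg: bytes) -> dict:
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def stub_next_step(aaaa_reply: bytes) -> str:
    """Model of a getaddrinfo()-style client after its AAAA lookup returns.

    NXDOMAIN says the name has no records of any type, so the client stops.
    NODATA says the name exists but has no AAAA, so the client asks for A.
    """
    h = parse_header(aaaa_reply)
    if h["rcode"] == RCODE_NXDOMAIN:
        return "stop"
    if h["rcode"] == RCODE_NOERROR and h["ancount"] == 0:
        return "query A"
    return "use AAAA"


def forged_aaaa_outcome(name_exists_upstream: bool, policy: str) -> str:
    """Consequence of always forging AAAA replies with 'nodata' or 'nxdomain'
    for a name that does ('ok'/'broken') or does not exist upstream."""
    q = build_query(0x1234, "edpn.ebay.com", QTYPE_AAAA)
    rcode = RCODE_NXDOMAIN if policy == "nxdomain" else RCODE_NOERROR
    step = stub_next_step(forge_reply(q, rcode))
    if step == "stop":
        # The client never asks for A: an IPv4-only host is unreachable.
        return "broken" if name_exists_upstream else "ok (happens to agree)"
    # step == "query A": the client now asks upstream for the A record.
    if name_exists_upstream:
        return "ok"
    # Upstream says NXDOMAIN for A, but we just claimed the name exists.
    return "inconsistent"


if __name__ == "__main__":
    for policy in ("nodata", "nxdomain"):
        for exists in (True, False):
            print(f"{policy:8} name_exists={exists!s:5} ->",
                  forged_aaaa_outcome(exists, policy))
```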




From simon at thekelleys.org.uk  Sun Jun  1 20:14:23 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sun, 01 Jun 2014 21:14:23 +0100
Subject: [Dnsmasq-discuss] how to track changes for a given hostname
In-Reply-To: <20140530100517.GA32235@aepfle.de>
References: <20140530100517.GA32235@aepfle.de>
Message-ID: <538B899F.8080408@thekelleys.org.uk>

On 30/05/14 11:05, Olaf Hering wrote:
> 
> My dnsmasq sometimes forgets the hostname of one of my boxes. I wonder
> how to track that without tweaking the source?
> 
> My reconnect script reports:
> ...
> ssh: connect to host optiplex port 22: Connection refused
> rc '255'. root at optiplex @ Fr 30. Mai 11:27:43 CEST 2014
> ssh: connect to host optiplex port 22: Connection refused
> rc '255'. root at optiplex @ Fr 30. Mai 11:29:01 CEST 2014
> ssh: Could not resolve hostname optiplex: Name or service not known
> rc '255'. root at optiplex @ Fr 30. Mai 11:30:20 CEST 2014
> ssh: Could not resolve hostname optiplex: Name or service not known
> rc '255'. root at optiplex @ Fr 30. Mai 11:31:40 CEST 2014
> ...
> 
> 
> My setup is like this:
> 
>  * A FritzBox 7360, which acts as DHCP and DNS server.
>  * My Workstation running openSUSE 11.4, with dnsmasq-2.70, it acts as DNS
>    for localhost and as DHCP proxy to provide TFTP to other hosts.
>    Compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6
>    no-Lua TFTP no-conntrack ipset auth no-DNSSEC
> 
>  * A Testhost named optiplex. It is reachable with IPv4 and IPv6.
> 
> When the failure above happens, my workstation fails to resolve
> optiplex. Restarting dnsmasq helps.
> 
> olaf at probook:~ $ host optiplex
> olaf at probook:~ $ host optiplex fritz.box
> Using domain server:
> Name: fritz.box
> Address: fd00::a96:d7ff:feb1:1e3d#53
> Aliases: 
> 
> optiplex.fritz.box has address 192.168.2.102
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
> olaf at probook:~ $ host optiplex 192.168.2.1
> Using domain server:
> Name: 192.168.2.1
> Address: 192.168.2.1#53
> Aliases: 
> 
> optiplex.fritz.box has address 192.168.2.102
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
> olaf at probook:~ $ 
> 
> olaf at probook:~ $ sudo su -
> root's password:
> root at probook:~ # rcdnsmasq restart
> Shutting name service masq caching server done
> Starting name service masq caching server done
> root at probook:~ # logout
> olaf at probook:~ $ host optiplex
> optiplex.fritz.box has address 192.168.2.102
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
> olaf at probook:~ $ host optiplex fritz.box
> Using domain server:
> Name: fritz.box
> Address: fd00::a96:d7ff:feb1:1e3d#53
> Aliases: 
> 
> optiplex.fritz.box has address 192.168.2.102
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:baac:6fff:fea3:7d0a
> optiplex.fritz.box has IPv6 address 2001:a60:1011:601:30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::30e6:8090:5088:397
> optiplex.fritz.box has IPv6 address fd00::baac:6fff:fea3:7d0a
> olaf at probook:~ $ 
> 
> 
> How can I find out why optiplex fails to resolve?
> 
> 
> Olaf
> 

Look at --dhcp-script in the man page. A very simple script which logs
argv and the environment to a file should provide you with information
about the comings and goings of DHCP leases.



Cheers,

Simon.
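
A logger of the kind Simon suggests, added here as an example rather than taken from the thread or from dnsmasq: each call appends argv and the DNSMASQ_* environment as one JSON line, and history_for() replays the lease events of a single hostname. The argument order (add/old/del, MAC or DUID, IP, hostname) and the variable names DNSMASQ_LEASE_EXPIRES and DNSMASQ_INTERFACE come from the dnsmasq man page; the log path and all sample values are assumptions. As Olaf notes further down, a box that only proxies DHCP runs the script only for TFTP, so the lease events have to be collected on the host that actually hands out the leases.

```python
#!/usr/bin/env python3
"""Append-only lease-event logger for dnsmasq --dhcp-script.

Constructed example, not dnsmasq's own code. dnsmasq runs the script as
    <script> add|old|del <MAC or DUID> <IP> [hostname]
with lease details in DNSMASQ_* environment variables; with --tftp it is also
run as  <script> tftp <size> <IP> <filename>.
"""
import json
import os
import sys
import time

LOG_PATH = "/var/log/dnsmasq-leases.jsonl"   # assumed location
LEASE_ACTIONS = ("add", "old", "del")


def lease_record(argv, environ, now=None):
    """Turn one script invocation into a flat, loggable dict."""
    action = argv[1] if len(argv) > 1 else "?"
    rec = {
        "time": int(time.time() if now is None else now),
        "action": action,
        "args": list(argv[2:]),
        # Keep only dnsmasq's own variables; the rest of the environment is noise.
        "env": {k: v for k, v in sorted(environ.items()) if k.startswith("DNSMASQ_")},
    }
    if action in LEASE_ACTIONS:
        rec["mac_or_duid"] = argv[2] if len(argv) > 2 else None
        rec["ip"] = argv[3] if len(argv) > 3 else None
        # The hostname argument is absent when the client did not send one.
        rec["hostname"] = argv[4] if len(argv) > 4 else None
    return rec


def format_record(rec):
    return json.dumps(rec, sort_keys=True)


def append_record(path, rec):
    """Append one line; the log file is the only state the script keeps."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(format_record(rec) + "\n")


def history_for(lines, hostname):
    """(time, action, ip) for every lease event of one hostname, oldest first.

    A 'del' that is not followed by a new 'add' marks the moment from which the
    name stops resolving via the DHCP-derived records.
    """
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("action") in LEASE_ACTIONS and rec.get("hostname") == hostname:
            events.append((rec["time"], rec["action"], rec["ip"]))
    return sorted(events)


if __name__ == "__main__":
    append_record(LOG_PATH, lease_record(sys.argv, os.environ))
```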




From simon at thekelleys.org.uk  Mon Jun  2 20:11:01 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 02 Jun 2014 21:11:01 +0100
Subject: [Dnsmasq-discuss] not getting address specified in dhcp_hosts
In-Reply-To: <CALQXh-PjxdpPKVt+rxUYBY9FSmZgH7MRXc=YAD3-sb3dM5CFSA@mail.gmail.com>
References: <CALQXh-PjxdpPKVt+rxUYBY9FSmZgH7MRXc=YAD3-sb3dM5CFSA@mail.gmail.com>
Message-ID: <538CDA55.6080802@thekelleys.org.uk>

On 28/05/14 00:24, Aaron Wood wrote:
> This is a _very_ old platform, running 2.47.
> 
> What happens is that a client requests its previous address in the DHCP
> DISCOVER packet, and that's ack'd as ok by dnsmasq, even though it differs
> from the address as specified in the dhcp-hosts file that's in use.
> 
> On a much newer build of dnsmasq, I see the expected (by me) behavior of
> the requested address being denied, and the configured address returned.
> 
> Further, my lease change notification script is getting an "old"
> notification for the requested address, but never getting a notification
> that a valid lease was handed out.  As such the application listening to
> the lease notification events is losing track of the devices in question.
> 
> I've gone through the release notes, and I'm not seeing when this would
> have changed.  I can attempt to port a newer version of dnsmasq to the
> system, but it's a very old version of OpenWRT (8.x), on linux 2.4...
> 
> Is this something that I can configure around?
> 
>
I'm not aware that behaviour around that has changed for a very long time.

Did you try simply stopping dnsmasq, deleting the DHCP lease database,
and then starting dnsmasq?


Cheers,


Simon.




From woody77 at gmail.com  Mon Jun  2 20:28:00 2014
From: woody77 at gmail.com (Aaron Wood)
Date: Mon, 2 Jun 2014 13:28:00 -0700
Subject: [Dnsmasq-discuss] not getting address specified in dhcp_hosts
In-Reply-To: <538CDA55.6080802@thekelleys.org.uk>
References: <CALQXh-PjxdpPKVt+rxUYBY9FSmZgH7MRXc=YAD3-sb3dM5CFSA@mail.gmail.com>
 <538CDA55.6080802@thekelleys.org.uk>
Message-ID: <CALQXh-Nyd07ue=XvAc4OhXVLZd=G8FbqbgrNrqgCkGoyYR4cgA@mail.gmail.com>

On Mon, Jun 2, 2014 at 1:11 PM, Simon Kelley <simon at thekelleys.org.uk>
wrote:

> On 28/05/14 00:24, Aaron Wood wrote:
> > This is a _very_ old platform, running 2.47.
> >
> > What happens is that a client requests its previous address in the DHCP
> > DISCOVER packet, and that's ack'd as ok by dnsmasq, even though it
> differs
> > from the address as specified in the dhcp-hosts file that's in use.
> >
> > On a much newer build of dnsmasq, I see the expected (by me) behavior of
> > the requested address being denied, and the configured address returned.
> >
> > Further, my lease change notification script is getting an "old"
> > notification for the requested address, but never getting a notification
> > that a valid lease was handed out.  As such the application listening to
> > the lease notification events is losing track of the devices in question.
> >
> > I've gone through the release notes, and I'm not seeing when this would
> > have changed.  I can attempt to port a newer version of dnsmasq to the
> > system, but it's a very old version of OpenWRT (8.x), on linux 2.4...
> >
> > Is this something that I can configure around?
> >
> >
> I'm not aware that behaviour around that has changed for a very long time.
>
> Did you try simply stopping dnsmasq, deleting the DHCP lease database,
> and then starting dnsmasq?


Well, I tried a reboot (which effectively does that as the leases file is
in /tmp), and it didn't change the behavior.  I think I'm going to try
updating it to 2.55 (same as on another platform I have which is acting
as-expected), and see if that corrects it.

-Aaron

From brak at gameservers.com  Mon Jun  2 21:31:58 2014
From: brak at gameservers.com (Brian Rak)
Date: Mon, 02 Jun 2014 17:31:58 -0400
Subject: [Dnsmasq-discuss] Assigning leases based on relay agent IP address?
Message-ID: <538CED4E.60808@gameservers.com>

How can I use dhcp-match with the 'Relay agent IP address' part of the 
packet?


I'm trying to manage DHCP for a bunch of different networks with one 
DHCP server.  I'd like to determine which network to use based on which 
subnet the relay server's IP address is in.

I've got a bunch of lines like this:

dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,auto,255.255.255.192,2h
dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,auto,255.255.255.192,2h

However, when a DHCPDISCOVER comes in, dnsmasq just picks a random 
network to use.   As an example:

dnsmasq-dhcp[31908]: 2740340080 vendor class: udhcp 1.12.0
dnsmasq-dhcp[31908]: 2740340080 DHCPDISCOVER(eth1) 00:25:90:d7:c6:7c
dnsmasq-dhcp[31908]: 2740340080 tags: SUBNETID124844, eth1
dnsmasq-dhcp[31908]: 2740340080 DHCPOFFER(eth1) 10.237.4.39 00:25:90:d7:c6:7c

The initial DHCPDISCOVER came in via 10.237.2.65, but a completely 
different subnet was used instead. (Also, is it possible to log the 
relay IP address?)

tshark shows this:

Bootstrap Protocol
     Message type: Boot Request (1)
...
     Bootp flags: 0x0000 (Unicast)
         0... .... .... .... = Broadcast flag: Unicast
         .000 0000 0000 0000 = Reserved flags: 0x0000
     Client IP address: 0.0.0.0 (0.0.0.0)
     Your (client) IP address: 0.0.0.0 (0.0.0.0)
     Next server IP address: 0.0.0.0 (0.0.0.0)
     Relay agent IP address: 10.237.2.65 (10.237.2.65)
     Client MAC address: 00:25:90:d7:c6:7c (00:25:90:d7:c6:7c)


This is with dnsmasq 2.71


From ck at conrad-kostecki.de  Tue Jun  3 17:20:41 2014
From: ck at conrad-kostecki.de (Conrad Kostecki)
Date: Tue, 3 Jun 2014 17:20:41 +0000
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
Message-ID: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>

Hi!
I am running DNSMasq 2.71, compiled on Gentoo:
net-dns/dnsmasq-2.71  USE="auth-dns conntrack dhcp dhcp-tools dnssec idn ipv6 nls tftp -dbus -lua -script (-selinux) -static"

My issue is, when my ppp-link goes down and re-establishes a new connection after a few seconds due to the 24h disconnect, DNSMasq seems to stop working. I can see that the process begins to run at 100% CPU usage and does not respond any more. No DNS/DHCP/TFTP packets are answered. The logging to /var/log also stops at that minute. The only solution is to killall -9 DNSMasq and restart the service again.

Is this maybe related to this? The changelog says it should be fixed in 2.71:
  - Fix total DNS failure and 100% CPU use if cachesize set to zero,
    regression introduced in 2.69. Thanks to James Hunt and
    the Ubuntu crowd for assistance in fixing this.

For example, this happened tonight:
Jun 03 01:23:18 [pppd] No response to 3 echo-requests
Jun 03 01:23:18 [pppd] Serial link appears to be disconnected.
Jun 03 01:23:18 [pppd] Connect time 4413.9 minutes.
[...]
Jun 03 01:26:11 [pppd] Connect: ppp0 <--> enp11s0.7
[...]
Jun 03 01:26:11 [pppd] PAP authentication succeeded
[...]

My pppd-link goes down and re-establishes. At the same time DNSMasq stops working and logging, but runs at 100% CPU usage:
[...]
Jun 03 01:11:39 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
Jun 03 01:12:00 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a::
Jun 03 01:14:40 [dnsmasq-dhcp] RTR-ADVERT(enp6s0) XXXX:XX:XXXX:XX40::
Jun 03 01:17:24 [dnsmasq-dhcp] RTR-ADVERT(enp5s0) XXXX:XX:XXXX:XX17::
Jun 03 01:18:03 [dnsmasq-dhcp] RTR-ADVERT(enp10s0) XXXX:XX:XXXX:XX80::
Jun 03 01:20:10 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a::
Jun 03 01:20:48 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX80::, old prefix for enp10s0
Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX40::, old prefix for enp6s0
Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX17::, old prefix for enp5s0
Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp10s0) XXXX:XX:XXXX:XX80:: old prefix
Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, old prefix for tap0
Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX2a::, old prefix for wlp7s0
Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a:: old prefix
Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp6s0) XXXX:XX:XXXX:XX40:: old prefix
Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp5s0) XXXX:XX:XXXX:XX17:: old prefix
Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
Jun 03 01:23:29 [dnsmasq-dhcp] DHCPv6, IP-Bereich XXXX:XX:XXXX:XX7b::10 -- XXXX:XX:XXXX:XX7b::49, Lease Time 1d, constructed for tap0
Jun 03 01:23:29 [dnsmasq-dhcp] DHCPv4-abgeleitete IPv6 Namen on XXXX:XX:XXXX:XX7b::, constructed for tap0
Jun 03 01:23:29 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, constructed for tap0
Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
Jun 03 01:23:29 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, old prefix for tap0
Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
<-- At this point nothing is being logged any more.

I don't know how to debug this problem. Does somebody have an idea?
My config: http://pastebin.com/5vW5xCeB

Conrad


From matthias.andree at gmx.de  Tue Jun  3 20:04:12 2014
From: matthias.andree at gmx.de (Matthias Andree)
Date: Tue, 03 Jun 2014 22:04:12 +0200
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
Message-ID: <538E2A3C.9040105@gmx.de>

On 03.06.2014 19:20, Conrad Kostecki wrote:
> Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
> <-- At this point nothing is being logged any more.
> 
> I don't know how to debug this problem. Does somebody have an idea?

Can you recompile with debug info, provoke the bug, then attach a
debugger (GDB) and obtain a stack backtrace?

To obtain the trace, run (replace /path/to by /usr/local/sbin or
wherever it ends up in Gentoo):

	gdb /path/to/dnsmasq $(pidof dnsmasq)

Wait until GDB has started

then type:

	backtrace full





From brak at gameservers.com  Tue Jun  3 19:30:55 2014
From: brak at gameservers.com (Brian Rak)
Date: Tue, 03 Jun 2014 15:30:55 -0400
Subject: [Dnsmasq-discuss] Assigning leases based on relay agent IP
	address?
In-Reply-To: <538CED4E.60808@gameservers.com>
References: <538CED4E.60808@gameservers.com>
Message-ID: <538E226F.20007@gameservers.com>

This seems like a bug.

I modified my config to be this instead:

dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,255.255.255.192,2h
dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,255.255.255.192,2h

Looking at the code, I see this in the option parser:

             if (k >= 3 && strchr(a[2], '.') &&
                 ((new->netmask.s_addr = inet_addr(a[2])) != (in_addr_t)-1))
               {
                 new->flags |= CONTEXT_NETMASK;
                 leasepos = 3;
                 if (!is_same_net(new->start, new->end, new->netmask))
                   ret_err(_("inconsistent DHCP range"));
               }

Perhaps I'm not understanding this, but does this mean that the netmask 
value is only used if mode is not specified?  That's what seems to be 
happening to me.

I added a call to rfc2131.c in the 'guess the netmask for relayed 
networks' section, and sure enough dnsmasq was guessing netmasks for all 
my defined networks.  This would explain why this was happening, since 
it was guessing a class A network here.


On 6/2/2014 5:31 PM, Brian Rak wrote:
> How can I use dhcp-match with the 'Relay agent IP address' part of the 
> packet?
>
>
> I'm trying to manage DHCP for a bunch of different networks with one 
> DHCP server.  I'd like to determine which network to use based on 
> which subnet the relay server's IP address is in.
>
> I've got a bunch of lines like this:
>
> dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,auto,255.255.255.192,2h 
>
> dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,auto,255.255.255.192,2h 
>
>
> However, when a DHCPDISCOVER comes in, dnsmasq just picks a random 
> network to use.   As an example:
>
> dnsmasq-dhcp[31908]: 2740340080 vendor class: udhcp 1.12.0
> dnsmasq-dhcp[31908]: 2740340080 DHCPDISCOVER(eth1) 00:25:90:d7:c6:7c
> dnsmasq-dhcp[31908]: 2740340080 tags: SUBNETID124844, eth1
> dnsmasq-dhcp[31908]: 2740340080 DHCPOFFER(eth1) 10.237.4.39 00:25:90:d7:c6:7c
>
> The initial DHCPDISCOVER came in via 10.237.2.65, but a completely 
> different subnet was used instead. (Also, is it possible to log the 
> relay IP address?)
>
> tshark shows this:
>
> Bootstrap Protocol
>     Message type: Boot Request (1)
> ...
>     Bootp flags: 0x0000 (Unicast)
>         0... .... .... .... = Broadcast flag: Unicast
>         .000 0000 0000 0000 = Reserved flags: 0x0000
>     Client IP address: 0.0.0.0 (0.0.0.0)
>     Your (client) IP address: 0.0.0.0 (0.0.0.0)
>     Next server IP address: 0.0.0.0 (0.0.0.0)
>     Relay agent IP address: 10.237.2.65 (10.237.2.65)
>     Client MAC address: 00:25:90:d7:c6:7c (00:25:90:d7:c6:7c)
>
>
> This is with dnsmasq 2.71
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
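
An added model of what Brian describes in both messages, not dnsmasq code and not part of the thread: parse_dhcp_range() applies the rule from the quoted option-parser snippet (the field after <end> counts as a netmask only if it contains a '.' and parses as a dotted quad), classful_guess() is the class A/B/C fallback he saw being applied to relayed requests, and contexts_for_relay() shows which of his two dhcp-range lines match a DHCPDISCOVER whose relay agent address is 10.237.2.65. The dhcp-range lines and addresses are the ones he posted; the matching logic is a simplification of dnsmasq's behaviour as he reports it.

```python
"""Model of dhcp-range netmask parsing and of the classful fallback for
relayed requests, built from the behaviour described in the thread.

Constructed example, not dnsmasq code.
"""
from ipaddress import IPv4Address


def same_net(a, b, mask):
    return (int(a) & int(mask)) == (int(b) & int(mask))


def parse_dhcp_range(line):
    """Return (tag, start, end, netmask or None) for one dhcp-range line."""
    fields = line.split("=", 1)[1].split(",")
    tag = None
    if fields[0].startswith("set:"):
        tag, fields = fields[0][4:], fields[1:]
    start, end = IPv4Address(fields[0]), IPv4Address(fields[1])
    netmask = None
    # Same test as the quoted C: k >= 3 && strchr(a[2], '.') && inet_addr() ok.
    # A mode word such as 'auto' has no '.', so the netmask after it is never
    # looked at and the context is left without CONTEXT_NETMASK.
    if len(fields) >= 3 and "." in fields[2]:
        try:
            netmask = IPv4Address(fields[2])
        except ValueError:
            netmask = None
    if netmask is not None and not same_net(start, end, netmask):
        raise ValueError("inconsistent DHCP range")
    return tag, start, end, netmask


def classful_guess(addr):
    """Netmask implied by the address class: the fallback when a relayed
    request hits a range that has no configured netmask."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return IPv4Address("255.0.0.0")      # class A, e.g. 10.0.0.0/8
    if first_octet < 192:
        return IPv4Address("255.255.0.0")    # class B
    return IPv4Address("255.255.255.0")      # class C


def contexts_for_relay(giaddr, ranges):
    """Tags of all ranges whose subnet contains the relay agent address.
    More than one hit means the server cannot tell the networks apart."""
    relay = IPv4Address(giaddr)
    hits = []
    for tag, start, _end, mask in ranges:
        mask = mask if mask is not None else classful_guess(start)
        if same_net(relay, start, mask):
            hits.append(tag)
    return hits


# The two configurations from the thread, as posted.
WITH_AUTO = [
    "dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,auto,255.255.255.192,2h",
    "dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,auto,255.255.255.192,2h",
]
EXPLICIT_MASK = [
    "dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,255.255.255.192,2h",
    "dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,255.255.255.192,2h",
]


def matching_tags(config_lines, giaddr="10.237.2.65"):
    return contexts_for_relay(giaddr, [parse_dhcp_range(l) for l in config_lines])


if __name__ == "__main__":
    # With 'auto' both ranges fall back to the /8 guess and both match.
    print("with 'auto':  ", matching_tags(WITH_AUTO))
    # With an explicit /26 only the range containing the relay address matches.
    print("explicit mask:", matching_tags(EXPLICIT_MASK))
```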



From simon at thekelleys.org.uk  Tue Jun  3 21:25:24 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue, 03 Jun 2014 22:25:24 +0100
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <538E2A3C.9040105@gmx.de>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538E2A3C.9040105@gmx.de>
Message-ID: <538E3D44.1070101@thekelleys.org.uk>

On 03/06/14 21:04, Matthias Andree wrote:
> On 03.06.2014 19:20, Conrad Kostecki wrote:
>> Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
>> <-- At this point nothing is being logged any more.
>>
>> I don't know how to debug this problem. Does somebody have an idea?
> 
> Can you recompile with debug info, provoke the bug, then attach a
> debugger (GDB) and obtain a stack backtrace?
> 
> To obtain the trace, run (replace /path/to by /usr/local/sbin or
> wherever it ends up in Gentoo):
> 
> 	gdb /path/to/dnsmasq $(pidof dnsmasq)
> 
> Wait until GDB has started
> 
> then type:
> 
> 	backtrace full
> 
> 

Doing this would be very useful.


It's worth saying that the 100% CPU bug fixed in 2.71 really does
require the cachesize to be zero for it to occur, so you seem to have
discovered a new, different bug, since you're not setting cachesize to
zero.


Cheers,

Simon.





From ck at conrad-kostecki.de  Tue Jun  3 22:11:19 2014
From: ck at conrad-kostecki.de (Conrad Kostecki)
Date: Tue, 3 Jun 2014 22:11:19 +0000
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <538E2A3C.9040105@gmx.de>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538E2A3C.9040105@gmx.de>
Message-ID: <cb40acd57cf64d809e986bb46403ba67@DB4PR04MB265.eurprd04.prod.outlook.com>

> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> bounces at lists.thekelleys.org.uk] On behalf of Matthias Andree
> Sent: Tuesday, 3 June 2014 22:04
> To: DNSMasq mailing list
> Subject: Re: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
> 
> On 03.06.2014 19:20, Conrad Kostecki wrote:
> > Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
> > old prefix
> > <-- At this point nothing is being logged any more.
> >
> > I don't know how to debug this problem. Does somebody have an idea?
> 
> Can you recompile with debug info, provoke the bug, then attach a debugger
> (GDB) and obtain a stack backtrace?
> 
> To obtain the trace, run (replace /path/to by /usr/local/sbin or wherever it
> ends up in Gentoo):
> 
> 	gdb /path/to/dnsmasq $(pidof dnsmasq)
> 
> Wait until GDB has started
> 
> then type:
> 
> 	backtrace full

Here we go. I've recompiled DNSMasq with "make CFLAGS=-g". I hope this is correct? At least gdb finds some debug symbols.
There is an upload of the "backtrace full" output: http://pastebin.com/4gnJx3Lp

I've now managed to reproduce this situation whenever I want.
I just have to simulate pppd losing the connection (e.g. disconnect the modem for a few seconds).

Conrad


From olaf at aepfle.de  Wed Jun  4 09:48:32 2014
From: olaf at aepfle.de (Olaf Hering)
Date: Wed, 4 Jun 2014 11:48:32 +0200
Subject: [Dnsmasq-discuss] how to track changes for a given hostname
In-Reply-To: <538B899F.8080408@thekelleys.org.uk>
References: <20140530100517.GA32235@aepfle.de>
 <538B899F.8080408@thekelleys.org.uk>
Message-ID: <20140604094832.GA807@aepfle.de>

On Sun, Jun 01, Simon Kelley wrote:

> > How can I find out why optiplex fails to resolve?
> Look at --dhcp-script in the man page. A very simple script which logs
> argv and the environment to a file should provide you with information
> about the comings and going of DHCP leases.

localhost does not serve DHCP, it just acts as proxy. In my testing the
script does not seem to provide a hint why optiplex fails to resolve.
The script is only called for tftp.

I can poke at this some more end of next week.

Olaf


From simon at thekelleys.org.uk  Wed Jun  4 11:59:01 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 04 Jun 2014 12:59:01 +0100
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
Message-ID: <538F0A05.4060902@thekelleys.org.uk>

On 03/06/14 18:20, Conrad Kostecki wrote:

> Jun 03 01:11:39 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
> Jun 03 01:12:00 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a::
> Jun 03 01:14:40 [dnsmasq-dhcp] RTR-ADVERT(enp6s0) XXXX:XX:XXXX:XX40::
> Jun 03 01:17:24 [dnsmasq-dhcp] RTR-ADVERT(enp5s0) XXXX:XX:XXXX:XX17::
> Jun 03 01:18:03 [dnsmasq-dhcp] RTR-ADVERT(enp10s0) XXXX:XX:XXXX:XX80::
> Jun 03 01:20:10 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a::
> Jun 03 01:20:48 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
> Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX80::, old prefix for enp10s0
> Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX40::, old prefix for enp6s0
> Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX17::, old prefix for enp5s0
> Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp10s0) XXXX:XX:XXXX:XX80:: old prefix
> Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, old prefix for tap0
> Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX2a::, old prefix for wlp7s0
> Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
> Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a:: old prefix
> Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp6s0) XXXX:XX:XXXX:XX40:: old prefix
> Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp5s0) XXXX:XX:XXXX:XX17:: old prefix
> Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
> Jun 03 01:23:29 [dnsmasq-dhcp] DHCPv6, IP-Bereich XXXX:XX:XXXX:XX7b::10 -- XXXX:XX:XXXX:XX7b::49, Lease Time 1d, constructed for tap0
> Jun 03 01:23:29 [dnsmasq-dhcp] DHCPv4-abgeleitete IPv6 Namen on XXXX:XX:XXXX:XX7b::, constructed for tap0
> Jun 03 01:23:29 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, constructed for tap0
                                                        ^^^^^^^^^^^^^^^^
> Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
> Jun 03 01:23:29 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, old prefix for tap0
                                                        ^^^^^^^^^^^^^^^^
> Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
> <-- At this point nothing is being logged any more.
> 

Thanks for the backtrace, I'm working on it. One question, are the two
addresses marked above the same, or different, in the un-redacted logs?

Cheers,


Simon.






From ck at conrad-kostecki.de  Wed Jun  4 15:57:05 2014
From: ck at conrad-kostecki.de (Conrad Kostecki)
Date: Wed, 4 Jun 2014 15:57:05 +0000
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <538F0A05.4060902@thekelleys.org.uk>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F0A05.4060902@thekelleys.org.uk>
Message-ID: <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>

> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Wednesday, 4 June 2014 13:59
> To: DNSMasq mailing list
> Subject: Re: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
> 
> On 03/06/14 18:20, Conrad Kostecki wrote:
> 
> > Jun 03 01:11:39 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
> > Jun 03 01:12:00 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a::
> > Jun 03 01:14:40 [dnsmasq-dhcp] RTR-ADVERT(enp6s0) XXXX:XX:XXXX:XX40::
> > Jun 03 01:17:24 [dnsmasq-dhcp] RTR-ADVERT(enp5s0) XXXX:XX:XXXX:XX17::
> > Jun 03 01:18:03 [dnsmasq-dhcp] RTR-ADVERT(enp10s0) XXXX:XX:XXXX:XX80::
> > Jun 03 01:20:10 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a::
> > Jun 03 01:20:48 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
> > Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX80::, old prefix for enp10s0
> > Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX40::, old prefix for enp6s0
> > Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX17::, old prefix for enp5s0
> > Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp10s0) XXXX:XX:XXXX:XX80:: old prefix
> > Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, old prefix for tap0
> > Jun 03 01:23:24 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX2a::, old prefix for wlp7s0
> > Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
> > Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(wlp7s0) XXXX:XX:XXXX:XX2a:: old prefix
> > Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp6s0) XXXX:XX:XXXX:XX40:: old prefix
> > Jun 03 01:23:24 [dnsmasq-dhcp] RTR-ADVERT(enp5s0) XXXX:XX:XXXX:XX17:: old prefix
> > Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
> > Jun 03 01:23:29 [dnsmasq-dhcp] DHCPv6, IP-Bereich XXXX:XX:XXXX:XX7b::10 -- XXXX:XX:XXXX:XX7b::49, Lease Time 1d, constructed for tap0
> > Jun 03 01:23:29 [dnsmasq-dhcp] DHCPv4-abgeleitete IPv6 Namen on XXXX:XX:XXXX:XX7b::, constructed for tap0
> > Jun 03 01:23:29 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, constructed for tap0
>                                                         ^^^^^^^^^^^^^^^^
> > Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b::
> > Jun 03 01:23:29 [dnsmasq-dhcp] Router-Advertisment on XXXX:XX:XXXX:XX7b::, old prefix for tap0
>                                                         ^^^^^^^^^^^^^^^^
> > Jun 03 01:23:29 [dnsmasq-dhcp] RTR-ADVERT(tap0) XXXX:XX:XXXX:XX7b:: old prefix
> > <-- At this point nothing is being logged any more.
> >
> 
> Thanks for the backtrace, I'm working on it. One question, are the two
> addresses marked above the same, or different, in the un-redacted logs?

Hi Simon,
They are the same, not different. My ISP is the German Telekom. They are announcing a dynamic /56 subnet, and via PD a /64 is requested with dhcpcd on my side for all interfaces.
If I reconnect fast, it can happen that I get the same subnet again.

Conrad 



From c.ruppert at babiel.com  Wed Jun  4 18:46:27 2014
From: c.ruppert at babiel.com (Christian Ruppert)
Date: Wed, 4 Jun 2014 18:46:27 +0000
Subject: [Dnsmasq-discuss] DNS Notify
Message-ID: <86CC5DB1B953BB478FE070C8CDD48FC00E46AB05@s015010.office.babiel.com>

Hey Guys,

I just setup a dnsmasq to serve DHCP for our IPMI and I also wanted it to
transfer the zone to our DNS.
So I prepared a local test setup and verified whether it works or not. The
client gets the address and the A record will be added and resolved/answered by
dnsmasq but it will not notify our DNS. I started a tcpdump to capture any DNS
traffic to our DNS IP but there was nothing.

Is there really no notify or did I just forget something important? I also
looked into the sources but I couldn't find anything related to notify either.

My test config:
auth-sec-servers=10.2.2.15
auth-zone=ipmi.example.com,10.2.50.0/24
bind-interfaces
dhcp-authoritative
dhcp-host=set:ipmi,52:54:00:a2:fe:6a,foobar
dhcp-ignore=tag:!known
dhcp-option=option:dns-server,10.2.2.16,10.2.2.17
dhcp-option=option:ntp-server,10.2.2.18
dhcp-option=tag:ipmi, option:router,10.2.50.1
dhcp-range=tag:ipmi,10.2.50.20,10.2.50.76,12h
dhcp-range=tag:ipmi,10.2.50.78,10.2.50.104,12h
domain=ipmi.example.com,10.2.50.0/24
interface=br1337
log-dhcp
log-queries
port=5353
strict-order


-- 
Kind regards,
Christian Ruppert

--------------------------------------------

Christian Ruppert
System Administrator

Babiel GmbH
Erkrather Str. 224 a
D-40233 D?sseldorf

Tel: 0211-179349 0
Fax: 0211-179349 29
E-Mail: c.ruppert at babiel.com
Internet: http://www.babiel.com

Managing Directors: Georg Babiel, Dr. Rainer Babiel, Harald Babiel. Amtsgericht
Düsseldorf HRB 38633

~~~~~~~~~~~~~~ DISCLAIMER ~~~~~~~~~~~~~~~

The information transmitted in this electronic mail message may contain
confidential and or privileged materials. Any review, retransmission,
dissemination or other use of or taking of any action in reliance upon, this
information by persons or entities other than the intended recipient is
prohibited. If you receive such e-mails in error, please contact the sender and
delete the material from any computer.



From simon at thekelleys.org.uk  Wed Jun  4 19:31:51 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 04 Jun 2014 20:31:51 +0100
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F0A05.4060902@thekelleys.org.uk>
 <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>
Message-ID: <538F7427.3090607@thekelleys.org.uk>

On 04/06/14 16:57, Conrad Kostecki wrote:

>>
>> Thanks for the backtrace, I'm working on it. One question, are the two
>> addresses marked above the same, or different, in the un-redacted logs?
> 
> Hi Simon,
> They are the same, not different. My ISP is the German Telekom. They are announcing a dynamic /56 subnet, and via PD a /64 is requested with dhcpcd on my side for all interfaces.
> If I reconnect fast, it can happen that I get the same subnet again.
> 

OK, it's good that you can reproduce this, and bad that I can't :(


Please could you reproduce the problem again, attach gdb as before.

Run the backtrace and check that the code is in match_netid, as before.
If it is, try the command

fin

to see if that function returns.

If it does, try

fin

again, to see if the next function (option_filter) returns too.

If it does, try a final

fin

to see if send_ra returns.

I'm interested to know if the code is looping in match_netid or
option_filter, or if it's looping in send_ra or periodic_ra.

Cheers,

Simon.





From ck at conrad-kostecki.de  Thu Jun  5 05:28:53 2014
From: ck at conrad-kostecki.de (Conrad Kostecki)
Date: Thu, 5 Jun 2014 05:28:53 +0000
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <538F7427.3090607@thekelleys.org.uk>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F0A05.4060902@thekelleys.org.uk>
 <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F7427.3090607@thekelleys.org.uk>
Message-ID: <2c4f7c81f2ff47f2b5c1631b7002efe8@DB4PR04MB265.eurprd04.prod.outlook.com>

> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Wednesday, 4 June 2014 21:32
> To: DNSMasq mailing list
> Subject: Re: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
> 
> On 04/06/14 16:57, Conrad Kostecki wrote:
> 
> >>
> >> Thanks for the backtrace, I'm working on it. One question, are the
> >> two addresses marked above the same, or different, in the un-redacted
> logs?
> >
> > Hi Simon,
> > They are the same, not different. My ISP is the German Telekom. They are announcing a dynamic /56 subnet, and via PD a /64 is requested with dhcpcd on my side for all interfaces.
> > If I reconnect fast, it can happen that I get the same subnet again.
> >
> 
> OK, it's good that you can reproduce this, and bad that I can't :(
> 
> 
> Please could you reproduce the problem again, attach gdb as before.
> 
> Run the backtrace and check that the code is in match_netid, as before.
> If it is, try the command
> 
> fin
> 
> to see if that function returns.
> 
> If it does, try
> 
> fin
> 
> again, to see if the next function (option_filter) returns too.
> 
> If it does, try a final
> 
> fin
> 
> to see if send_ra returns.
> 
> I'm interested to know if the code is looping in match_netid or option_filter,
> or if it's looping in send_ra or periodic_ra.

Hi Simon,
It happened in the night today. But it's interesting that pppd was NOT disconnected this night.
Here's my backtrace and the executed fins. Only the first fin returned something; the second and third fin did not return anything.
-> http://pastebin.com/FDf9g3Zk

Conrad


From simon at thekelleys.org.uk  Thu Jun  5 19:51:14 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 05 Jun 2014 20:51:14 +0100
Subject: [Dnsmasq-discuss] DNS Notify
In-Reply-To: <86CC5DB1B953BB478FE070C8CDD48FC00E46AB05@s015010.office.babiel.com>
References: <86CC5DB1B953BB478FE070C8CDD48FC00E46AB05@s015010.office.babiel.com>
Message-ID: <5390CA32.1010104@thekelleys.org.uk>

On 04/06/14 19:46, Christian Ruppert wrote:
> Hey Guys,
> 
> I just setup a dnsmasq to serve DHCP for our IPMI and I also wanted it to
> transfer the zone to our DNS.
> So I prepared a local test setup and verified whether it works or not. The
> client gets the address and the A record will be added and resolved/answered by
> dnsmasq but it will not notify our DNS. I started a tcpdump to capture any DNS
> traffic to our DNS IP but there was nothing.
> 
> Is there really no notify or did I just forget something important? I also
> looked into the sources but I couldn't find anything related to notify either.
> 
> My test config:
> auth-sec-servers=10.2.2.15
> auth-zone=ipmi.example.com,10.2.50.0/24
> bind-interfaces
> dhcp-authoritative
> dhcp-host=set:ipmi,52:54:00:a2:fe:6a,foobar
> dhcp-ignore=tag:!known
> dhcp-option=option:dns-server,10.2.2.16,10.2.2.17
> dhcp-option=option:ntp-server,10.2.2.18
> dhcp-option=tag:ipmi, option:router,10.2.50.1
> dhcp-range=tag:ipmi,10.2.50.20,10.2.50.76,12h
> dhcp-range=tag:ipmi,10.2.50.78,10.2.50.104,12h
> domain=ipmi.example.com,10.2.50.0/24
> interface=br1337
> log-dhcp
> log-queries
> port=5353
> strict-order
> 
> 

There's no notify. The use-case so far has been zone transfers initiated
by the secondary, the way (e.g.) DynDNS does it. Doing notify is on the
"nice to have" list.


Cheers,

Simon.



From simon at thekelleys.org.uk  Thu Jun  5 21:42:05 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Thu, 05 Jun 2014 22:42:05 +0100
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <2c4f7c81f2ff47f2b5c1631b7002efe8@DB4PR04MB265.eurprd04.prod.outlook.com>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F0A05.4060902@thekelleys.org.uk>
 <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F7427.3090607@thekelleys.org.uk>
 <2c4f7c81f2ff47f2b5c1631b7002efe8@DB4PR04MB265.eurprd04.prod.outlook.com>
Message-ID: <5390E42D.3080505@thekelleys.org.uk>

On 05/06/14 06:28, Conrad Kostecki wrote:

> It happened in the night today. But it's interesting that pppd was NOT disconnected this night.
> Here's my backtrace and the executed fins. Only the first fin returned something; the second and third fin did not return anything.
> -> http://pastebin.com/FDf9g3Zk
> 


Thanks for that. I think this is a race condition, and I can't get the
timing right to reproduce it. If I'm correct, 2.72test2 should fix the
problem. Please could you test that?


Cheers,

Simon.



From simon at thekelleys.org.uk  Sat Jun  7 21:15:53 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Sat, 07 Jun 2014 22:15:53 +0100
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <5390E42D.3080505@thekelleys.org.uk>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F0A05.4060902@thekelleys.org.uk>
 <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F7427.3090607@thekelleys.org.uk>
 <2c4f7c81f2ff47f2b5c1631b7002efe8@DB4PR04MB265.eurprd04.prod.outlook.com>
 <5390E42D.3080505@thekelleys.org.uk>
Message-ID: <53938109.2060102@thekelleys.org.uk>

On 05/06/14 22:42, Simon Kelley wrote:

> Thanks for that. I think this is a race condition, and I can't get the
> timing right to reproduce it. If I'm correct, 2.72test2 should fix the
> problem. Please could you test that?
> 

Update - please test 2.72test3. That has a fundamental fix, not a band-aid.


Cheers,

Simon.




From knoeferl at gmx.de  Sun Jun  8 21:24:57 2014
From: knoeferl at gmx.de (Johann Knoeferl)
Date: Sun, 8 Jun 2014 23:24:57 +0200
Subject: [Dnsmasq-discuss] How to "connect" to subnets with same domain?
Message-ID: <trinity-399a8213-4f8c-4d1c-a40e-4fb5cf73c951-1402262697096@3capp-gmx-bs38>

An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140608/e3516263/attachment.html>

From knoeferl at gmx.de  Sun Jun  8 21:09:45 2014
From: knoeferl at gmx.de (Johann Knoeferl)
Date: Sun, 8 Jun 2014 23:09:45 +0200
Subject: [Dnsmasq-discuss] How to "connect" to subnets with same domain?
Message-ID: <trinity-707d321c-5cc4-4c2f-9e08-8eb0dd3604e9-1402261785596@3capp-gmx-bs25>

An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140608/48896f42/attachment.html>

From knoeferl at gmx.de  Sun Jun  8 21:01:21 2014
From: knoeferl at gmx.de (Johann Knoeferl)
Date: Sun, 8 Jun 2014 23:01:21 +0200
Subject: [Dnsmasq-discuss] upstream server for "local domain" adresses
Message-ID: <trinity-ea25bbaf-9b12-4915-a123-72fefb816cb8-1402261281198@3capp-gmx-bs60>

An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140608/ea9ef414/attachment.html>

From mykola at kyrylenko.com  Mon Jun  9 08:38:02 2014
From: mykola at kyrylenko.com (Mykola Kyrylenko)
Date: Mon, 9 Jun 2014 18:08:02 +0930
Subject: [Dnsmasq-discuss] DNS based on MAC address
Message-ID: <CAONE+0UmOdkrM5sw2DjSO3Bo_AzuNmLM4LoAnGzDn6m6TX3kog@mail.gmail.com>

Hi,

I am not sure if this has been discussed before.
I have a Roku outside of USA.  For me to operate it, I need to use a Smart
DNS service (Overplay).
Unfortunately, the Roku does not allow setting the DNS manually, which
means I need to do it in the router.
I tried this, but the performance of my other devices, particularly the
Panasonic TV, suffered.  The TV cannot set DNS manually either.

My router is an Asus RT-N56U.  I managed to Telnet in, and there is a
'/etc/dnsmasq.conf' file.

Would it be possible to set the DNS for the Roku to the Overplay one, based
on the Roku's MAC address?
All the other devices will get the default DNS from my ISP.

Looking at the configuration file, 'dhcp-host' can set the IP address based
on MAC address, and 'server' specifies the DNS based on domain.  This is not
quite what I want.

regards,
Mykola
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140609/b1791c17/attachment.html>

From albert.aribaud at free.fr  Mon Jun  9 13:38:29 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Mon, 9 Jun 2014 15:38:29 +0200
Subject: [Dnsmasq-discuss] DNS based on MAC address
In-Reply-To: <CAONE+0UmOdkrM5sw2DjSO3Bo_AzuNmLM4LoAnGzDn6m6TX3kog@mail.gmail.com>
References: <CAONE+0UmOdkrM5sw2DjSO3Bo_AzuNmLM4LoAnGzDn6m6TX3kog@mail.gmail.com>
Message-ID: <20140609153829.1b8b88bc@lilith>

Hello Mykola,

On Mon, 9 Jun 2014 18:08:02 +0930, Mykola Kyrylenko
<mykola at kyrylenko.com> wrote:

> Hi,
> 
> I am not sure if this has been discussed before.
> I have a Roku outside of USA.  For me to operate it, I need to use a Smart
> DNS service (Overplay).
> Unfortunately, the Roku does not allow setting the DNS manually, which
> means I need to do it in the router.
> I tried this, but the performance of my other devices, particularly the
> Panasonic TV, suffered.  The TV cannot set DNS manually either.
> 
> My router is an Asus RT-N56U.  I managed to Telnet in, and there is a
> '/etc/dnsmasq.conf' file.
> 
> Would it be possible to set the DNS for the Roku to the Overplay one, based
> on the Roku's MAC address?
> All the other devices will get the default DNS from my ISP.
> 
> Looking at the configuration file, 'dhcp-host' can set the IP address based
> on MAC address, and 'server' specifies the DNS based on domain.  This is not
> quite what I want.

You can use the set: specifier in the dhcp-host clause of the Roku, then
use the tag: specifier in a dhcp-option to send the DNS. See the manpage of
dnsmasq, in the description of '--dhcp-host'.

> regards,
> Mykola

Kind regards,
-- 
Albert.


From Neil.Jerram at metaswitch.com  Wed Jun 11 14:49:48 2014
From: Neil.Jerram at metaswitch.com (Neil Jerram)
Date: Wed, 11 Jun 2014 14:49:48 +0000
Subject: [Dnsmasq-discuss] Patch: Allow wildcard aliases in
	--bridge-interface option
Message-ID: <F6885DC5CBE92C4BB4D654841E63A30FD7E2C74E@ENFIRHMBX1.datcon.co.uk>

Hi Simon,

Please would you consider the attached patch, which allows a trailing '*' wildcard
in each <alias> that is specified in the --bridge-interface option.  My team is
working on a new form of host/VM networking where VM data is routed instead of
bridged, and this patch allows us to use dnsmasq as the DHCP server in that scenario.

You'll see that the patch updates the English and French man pages accordingly.  It
doesn't update the Spanish one because - assuming I've understood it correctly - that
version doesn't yet mention the existing wildcarding possibility for the --interface
option; hence there wasn't some nice idiomatic text that I could reuse for
--bridge-interface.

Many thanks,
	Neil

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-wildcard-aliases-in-bridge-interface-option.patch
Type: application/octet-stream
Size: 3853 bytes
Desc: 0001-Allow-wildcard-aliases-in-bridge-interface-option.patch
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140611/03e1ccc4/attachment.obj>

From simon at thekelleys.org.uk  Wed Jun 11 20:05:42 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 11 Jun 2014 21:05:42 +0100
Subject: [Dnsmasq-discuss] upstream server for "local domain" adresses
In-Reply-To: <trinity-ea25bbaf-9b12-4915-a123-72fefb816cb8-1402261281198@3capp-gmx-bs60>
References: <trinity-ea25bbaf-9b12-4915-a123-72fefb816cb8-1402261281198@3capp-gmx-bs60>
Message-ID: <5398B696.3060508@thekelleys.org.uk>

On 08/06/14 22:01, Johann Knoeferl wrote:
> Hello,
> I am trying to use dnsmasq in an "exotic" way:
> I have two different subnets (two locations connected by OpenVPN): 192.168.6.0 
> and 192.168.10.0
> Both nets use the same domain.
> Both sides use dnsmasq as DNS and DHCP server.
> On each side, local addresses are kept in the hosts file.
> Now I tried to avoid redundant information in the hosts file and only wanted to 
> store the "real" local machines.
> E.g.:
> 192.168.6.1 (router1) hosts file:
> ---------------------------------------
> 192.168.6.11   00:0C:76:B0:BB:B6 * pc01                  # machine 1
> 192.168.6.12   00:0C:76:B0:BB:B6 * pc01                  # machine 2
> ...
> 192.168.10.1 (router2) hosts file:
> ---------------------------------------
> 192.168.10.17   00:0C:76:B0:BB:B6 * pc07                  # machine 7
> 192.168.10.18   00:0C:76:B0:BB:B6 * pc08                  # machine 8
> ...
> To reach all machines from net 1 (192.168.6.x) I tried the following config:
> domain-needed
> log-async=10
> no-resolv
> server=8.8.8.8
> server=192.168.180.2
> dhcp-range=192.168.6.20,192.168.6.200,168h
> domain=mydomain.lan
> expand-hosts
> read-ethers
> server=/mydomain.lan/192.168.10.1
> server=/10.168.192.in-addr.arpa/192.168.10.1
> It works almost as expected, but as soon as I do an nslookup for a machine in 
> the second net (192.168.10.x) it takes quite a long time for the answer.
> Afterwards all answers take quite long (about 5 sec). The only solution is to restart 
> dnsmasq. But as soon as I ask for a machine in the second net, the problem 
> occurs again.
> When I put all machines in both hosts files and remove the server=/... config, I 
> don't have any delays.
> What is happening here? Am I abusing dnsmasq here? Is there another solution, to 
> keep only the real local machines in the hosts file and to access them from both 
> sides?
> Or do I have to keep all machines in both hosts files?
> Thanks for any hints
> Robert
> 

Are you using the same configuration on both sides? I suspect that
you're somehow creating a loop where one server sends the query to the
other, which sends it back to the first, which sends it again to the
second, and so on.

The first thing to do is to set

log-queries

and look at the log files to see what's happening.


Cheers,

Simon.
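The forwarding loop Simon suspects leaves a fingerprint in log-queries output: a query for a server=/domain/ zone arriving from the very upstream that zone is forwarded to. The check below is an added example, not dnsmasq's or the poster's code; it assumes router1 is 192.168.6.1 and uses constructed log lines in dnsmasq's `query[TYPE] name from ip` / `forwarded name to ip` format.

```python
"""Spot a dnsmasq forwarding loop between two peers from log-queries output.
Added example; it assumes the config and log format of the thread above and
is not dnsmasq's own code."""
import re

# log-queries lines as router1 (192.168.6.1) would write them; constructed for
# this example. pc07 is in router2's hosts file, pc99 is in neither, so the
# query for pc99 bounces back from router2 (192.168.10.1) to router1.
SAMPLE_LOG = """\
Jun 11 21:00:01 router1 dnsmasq[1234]: query[A] pc07.mydomain.lan from 192.168.6.11
Jun 11 21:00:01 router1 dnsmasq[1234]: forwarded pc07.mydomain.lan to 192.168.10.1
Jun 11 21:00:01 router1 dnsmasq[1234]: reply pc07.mydomain.lan is 192.168.10.17
Jun 11 21:00:05 router1 dnsmasq[1234]: query[A] pc99.mydomain.lan from 192.168.6.11
Jun 11 21:00:05 router1 dnsmasq[1234]: forwarded pc99.mydomain.lan to 192.168.10.1
Jun 11 21:00:05 router1 dnsmasq[1234]: query[A] pc99.mydomain.lan from 192.168.10.1
Jun 11 21:00:05 router1 dnsmasq[1234]: forwarded pc99.mydomain.lan to 192.168.10.1
Jun 11 21:00:05 router1 dnsmasq[1234]: query[A] pc99.mydomain.lan from 192.168.10.1
Jun 11 21:00:05 router1 dnsmasq[1234]: forwarded pc99.mydomain.lan to 192.168.10.1
"""

# the server= lines from router1's config in the thread
CONF = [
    "server=8.8.8.8",
    "server=192.168.180.2",
    "server=/mydomain.lan/192.168.10.1",
    "server=/10.168.192.in-addr.arpa/192.168.10.1",
]

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")


def delegations(conf_lines):
    """Return {domain: upstream} from server=/domain/ip lines; plain server=ip
    lines (default upstreams) are not domain-specific and are skipped."""
    out = {}
    for line in conf_lines:
        m = re.match(r"server=/([^/]+)/(\S+)$", line.strip())
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out


def upstream_for(name, deleg):
    """Longest-suffix match: the most specific server=/domain/ entry wins,
    which is how dnsmasq chooses among overlapping domain entries."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        dom = ".".join(labels[i:])
        if dom in deleg:
            return deleg[dom]
    return None


def find_loops(log_text, deleg):
    """Return [(name, peer, count)] for queries that arrived from the same
    server they would be forwarded to: that is the loop Simon describes."""
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        _qtype, name, src = m.groups()
        if upstream_for(name, deleg) == src:
            hits[name] = hits.get(name, 0) + 1
    return [(n, upstream_for(n, deleg), c) for n, c in hits.items()]


if __name__ == "__main__":
    for name, peer, count in find_loops(SAMPLE_LOG, delegations(CONF)):
        print(f"loop: {name} asked {count}x by {peer}, which we forward it to")
```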




From simon at thekelleys.org.uk  Wed Jun 11 20:11:06 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 11 Jun 2014 21:11:06 +0100
Subject: [Dnsmasq-discuss] DNS based on MAC address
In-Reply-To: <CAONE+0UmOdkrM5sw2DjSO3Bo_AzuNmLM4LoAnGzDn6m6TX3kog@mail.gmail.com>
References: <CAONE+0UmOdkrM5sw2DjSO3Bo_AzuNmLM4LoAnGzDn6m6TX3kog@mail.gmail.com>
Message-ID: <5398B7DA.6090508@thekelleys.org.uk>

On 09/06/14 09:38, Mykola Kyrylenko wrote:
> Hi,
> 
> I am not sure if this has been discussed before.
> I have a Roku outside of USA.  For me to operate it, I need to use a Smart
> DNS service (Overplay).
> Unfortunately, the Roku does not allow setting the DNS manually, which
> means I need to do it in the router.
> I tried this, but the performance of my other devices, particularly the
> Panasonic TV, suffered.  The TV cannot set DNS manually either.
> 
> My router is an Asus RT-N56U.  I managed to Telnet in, and there is a
> '/etc/dnsmasq.conf' file.
> 
> Would it be possible to set the DNS for the Roku to the Overplay one, based
> on the Roku's MAC address?
> All the other devices will get the default DNS from my ISP.
> 
> Looking at the configuration file, 'dhcp-host' can set the IP address based
> on MAC address, and 'server' specifies the DNS based on domain.  This is not
> quite what I want.
> 
> regards,
> Mykola
> 
> 

You mean, send a different DNS server in the DHCP reply to the Roku?
Yes, that's possible. Something like

dhcp-mac=set:roku,<MAC address of Roku>
dhcp-option=tag:roku,option:dns-server,<IP of overplay DNS server>

should do the trick.


Cheers,

Simon.
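The set:/tag: mechanism Albert and Simon describe here, and the dhcp-ignore=tag:!known rule in Christian Ruppert's IPMI config earlier in the thread, as an added example: a small Python model of how dnsmasq selects per-client DHCP options. It is not dnsmasq's own code (tag-if, vendor-class options and dhcp-range selection are left out); the Roku MAC, the Overplay DNS address 192.0.2.53 and the interface names are constructed.

```python
"""Model of dnsmasq's tag-based DHCP option selection (set:/tag:), added as an
illustration of the thread above; a simplified re-implementation, not dnsmasq's
own code."""

# Simon's suggestion for the Roku; MAC and Overplay DNS address are constructed
ROKU_CONF = """\
dhcp-mac=set:roku,02:00:00:aa:bb:cc
dhcp-option=tag:roku,option:dns-server,192.0.2.53
dhcp-option=option:dns-server,192.168.1.1
dhcp-option=option:router,192.168.1.1
"""

# subset of Christian Ruppert's IPMI config from earlier in the thread
IPMI_CONF = """\
dhcp-host=set:ipmi,52:54:00:a2:fe:6a,foobar
dhcp-ignore=tag:!known
dhcp-option=option:dns-server,10.2.2.16,10.2.2.17
dhcp-option=tag:ipmi, option:router,10.2.50.1
"""


def parse(conf_text):
    """Collect the tag-relevant lines: {mac: tags}, known MACs, options, ignore rules."""
    cfg = {"mac_tags": {}, "known": set(), "options": [], "ignore": []}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, rest = line.partition("=")
        fields = [f.strip() for f in rest.split(",")]  # spaces after commas are tolerated
        tags = [f[4:] for f in fields if f.startswith(("set:", "tag:"))]
        rest_fields = [f for f in fields if not f.startswith(("set:", "tag:"))]
        if key in ("dhcp-host", "dhcp-mac"):
            mac = next(f for f in rest_fields if f.count(":") == 5).lower()
            cfg["mac_tags"].setdefault(mac, set()).update(tags)
            if key == "dhcp-host":
                cfg["known"].add(mac)  # a dhcp-host match also sets the built-in "known" tag
        elif key == "dhcp-option":
            cfg["options"].append((tags, rest_fields[0], rest_fields[1:]))
        elif key == "dhcp-ignore":
            cfg["ignore"].append(tags)
    return cfg


def match_tags(required, present, tag_not_needed=False):
    """Tag test in the style of dnsmasq's match_netid: every required tag must be
    set and every '!tag' must be unset; unless tag_not_needed is true, a rule
    with no tags at all does not match."""
    if not required and not tag_not_needed:
        return False
    for tag in required:
        if tag.startswith("!"):
            if tag[1:] in present:
                return False
        elif tag not in present:
            return False
    return True


def client_tags(cfg, mac, interface):
    """Tags in effect for one client: the receiving interface name (dnsmasq sets
    it automatically, cf. 'tags: SUBNETID124844, eth1' in the thread), the set:
    tags for its MAC, and "known" if a dhcp-host entry matched."""
    mac = mac.lower()
    present = {interface} | cfg["mac_tags"].get(mac, set())
    if mac in cfg["known"]:
        present.add("known")
    return present


def options_for(cfg, mac, interface):
    """Return {option: values} the client would be sent, or None if a dhcp-ignore
    rule matches (no DHCPOFFER at all). Tagged options win over untagged ones for
    the same option, so a per-client dns-server overrides the network default."""
    present = client_tags(cfg, mac, interface)
    if any(match_tags(rule, present) for rule in cfg["ignore"]):
        return None
    chosen = {}
    for tags, name, values in cfg["options"]:
        if tags and match_tags(tags, present):
            chosen[name] = values
    for tags, name, values in cfg["options"]:
        if not tags and name not in chosen:
            chosen[name] = values
    return chosen


if __name__ == "__main__":
    roku = parse(ROKU_CONF)
    print("roku    ->", options_for(roku, "02:00:00:AA:BB:CC", "br0"))
    print("other   ->", options_for(roku, "02:00:00:00:00:99", "br0"))
    ipmi = parse(IPMI_CONF)
    print("foobar  ->", options_for(ipmi, "52:54:00:a2:fe:6a", "br1337"))
    print("unknown ->", options_for(ipmi, "52:54:00:00:00:01", "br1337"))
```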





From simon at thekelleys.org.uk  Wed Jun 11 20:25:29 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 11 Jun 2014 21:25:29 +0100
Subject: [Dnsmasq-discuss] Patch: Allow wildcard aliases in
 --bridge-interface option
In-Reply-To: <F6885DC5CBE92C4BB4D654841E63A30FD7E2C74E@ENFIRHMBX1.datcon.co.uk>
References: <F6885DC5CBE92C4BB4D654841E63A30FD7E2C74E@ENFIRHMBX1.datcon.co.uk>
Message-ID: <5398BB39.7030501@thekelleys.org.uk>

On 11/06/14 15:49, Neil Jerram wrote:
> Hi Simon,
> 
> Please would you consider the attached patch, which allows a trailing '*' wildcard
> in each <alias> that is specified in the --bridge-interface option.  My team is
> working on a new form of host/VM networking where VM data is routed instead of
> bridged, and this patch allows us to use dnsmasq as the DHCP server in that scenario.
> 
> You'll see that the patch updates the English and French man pages accordingly.  It
> doesn't update the Spanish one because - assuming I've understood it correctly - that
> version doesn't yet mention the existing wildcarding possibility for the --interface
> option; hence there wasn't some nice idiomatic text that I could reuse for
> --bridge-interface.
> 


That's very clever. Patch accepted and applied in git.


Cheers,

Simon.




From simon at thekelleys.org.uk  Wed Jun 11 20:43:03 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 11 Jun 2014 21:43:03 +0100
Subject: [Dnsmasq-discuss] Assigning leases based on relay agent IP
	address?
In-Reply-To: <538CED4E.60808@gameservers.com>
References: <538CED4E.60808@gameservers.com>
Message-ID: <5398BF57.2040705@thekelleys.org.uk>

On 02/06/14 22:31, Brian Rak wrote:
> How can I use dhcp-match with the 'Relay agent IP address' part of the
> packet?
> 
> 
> I'm trying to manage DHCP for a bunch of different networks with one
> DHCP server.  I'd like to determine which network to use based on which
> subnet the relay server's IP address is in.
> 
> I've got a bunch of lines like this:
> 
> dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,auto,255.255.255.192,2h
                                                         ^^^^^

This may be confusing the parser and leading to problems.

> 
> dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,auto,255.255.255.192,2h
> 
> 
> However, when a DHCPDISCOVER comes in, dnsmasq just picks a random
> network to use.   As an example:
> 
> dnsmasq-dhcp[31908]: 2740340080 vendor class: udhcp 1.12.0
> dnsmasq-dhcp[31908]: 2740340080 DHCPDISCOVER(eth1) 00:25:90:d7:c6:7c
> dnsmasq-dhcp[31908]: 2740340080 tags: SUBNETID124844, eth1
> dnsmasq-dhcp[31908]: 2740340080 DHCPOFFER(eth1) 10.237.4.39
> 00:25:90:d7:c6:7c
> 
> The initial DHCPDISCOVER came in via 10.237.2.65, but a completely
> different subnet was used instead. (Also, is it possible to log the
> relay IP address?)
> 
> tshark shows this:
> 
> Bootstrap Protocol
>     Message type: Boot Request (1)
> ...
>     Bootp flags: 0x0000 (Unicast)
>         0... .... .... .... = Broadcast flag: Unicast
>         .000 0000 0000 0000 = Reserved flags: 0x0000
>     Client IP address: 0.0.0.0 (0.0.0.0)
>     Your (client) IP address: 0.0.0.0 (0.0.0.0)
>     Next server IP address: 0.0.0.0 (0.0.0.0)
>     Relay agent IP address: 10.237.2.65 (10.237.2.65)
>     Client MAC address: 00:25:90:d7:c6:7c (00:25:90:d7:c6:7c)
> 
> 
> This is with dnsmasq 2.71

What you're asking for should be standard mode of operation. Check the
dhcp-range lines, as shown above. I assume you have log-dhcp in your
config? If so it should log the available subnets for each DHCP transaction.

Cheers,

Simon.



From mykola at kyrylenko.com  Wed Jun 11 23:49:31 2014
From: mykola at kyrylenko.com (Mykola Kyrylenko)
Date: Thu, 12 Jun 2014 09:19:31 +0930
Subject: [Dnsmasq-discuss] DNS based on MAC address
In-Reply-To: <5398B7DA.6090508@thekelleys.org.uk>
References: <CAONE+0UmOdkrM5sw2DjSO3Bo_AzuNmLM4LoAnGzDn6m6TX3kog@mail.gmail.com>
 <5398B7DA.6090508@thekelleys.org.uk>
Message-ID: <CAONE+0Wengan5SCerA1Z5jP-P=RAWk6=Z=-k=QFrBXdZsqGmEA@mail.gmail.com>

Thanks for the help.  Works perfectly.
I had to install a custom firmware first, before the 'dnsmasq.conf' would
stick.

regards,
Mykola




On 12 June 2014 05:41, Simon Kelley <simon at thekelleys.org.uk> wrote:

> On 09/06/14 09:38, Mykola Kyrylenko wrote:
> > Hi,
> >
> > I am not sure if this has been discussed before.
> > I have a Roku outside of USA.  For me to operate it, I need to use a Smart
> > DNS service (Overplay).
> > Unfortunately, the Roku does not allow setting the DNS manually, which
> > means I need to do it in the router.
> > I tried this, but the performance of my other devices, particularly the
> > Panasonic TV, suffered.  The TV cannot set DNS manually either.
> >
> > My router is an Asus RT-N56U.  I managed to Telnet in, and there is a
> > '/etc/dnsmasq.conf' file.
> >
> > Would it be possible to set the DNS for the Roku to the Overplay one, based
> > on the Roku's MAC address?
> > All the other devices will get the default DNS from my ISP.
> >
> > Looking at the configuration file, 'dhcp-host' can set the IP address based
> > on MAC address, and 'server' specifies the DNS based on domain.  This is not
> > quite what I want.
> >
> > regards,
> > Mykola
> >
> >
>
> You mean, send a different DNS server in the DHCP reply to the Roku?
> Yes, that's possible. Something like
>
> dhcp-mac=set:roku,<MAC address of Roku>
> dhcp-option=tag:roku,option:dns-server,<IP of overplay DNS server>
>
> should do the trick.
>
>
> Cheers,
>
> Simon.
>
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140612/2e6aba46/attachment.html>

From wjohnson55 at comcast.net  Thu Jun 12 03:01:14 2014
From: wjohnson55 at comcast.net (Bill Johnson)
Date: Wed, 11 Jun 2014 23:01:14 -0400
Subject: [Dnsmasq-discuss] DHCPOFFER rejected?
Message-ID: <539917FA.9090909@comcast.net>

A new wifi enabled thermostat has me baffled.

dnsmasq provides dhcp and dns services to my home network, on a machine 
named "wardrobe" at 192.168.1.1.  Wardrobe also does routing for the 
network.  Wardrobe runs Ubuntu 12.04 and dnsmasq 2.59.  Wifi "routers" 
do no routing. They are access points only.

I recently acquired a wifi enabled thermostat.  Out of the box, this 
thing starts up its own wifi net with a unique SSID, and advertises a 
web server at 192.168.1.1.  The server allows the user to tell the 
device which SSID to connect to, and to provide a password for that 
network.  So, this thing broadcasts DHCPDISCOVER, wardrobe responds with 
DHCPOFFER, and the dance breaks off, then repeats for a while, then the 
thermostat reports "No IP Address", then starts trying again.
Here's what dnsmasq logs, over and over again:

Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 available DHCP range: 192.168.1.100 -- 192.168.1.199
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 client provides name: Gateway3CDA93
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 DHCPDISCOVER(eth1) 00:d0:2d:3c:da:93
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 tags: eth1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 DHCPOFFER(eth1) 192.168.1.191 00:d0:2d:3c:da:93
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 requested options: 1:netmask, 3:router, 6:dns-server
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 next server: 192.168.1.1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 broadcast response
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  1 option: 53:message-type  02
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 54:server-identifier  192.168.1.1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 51:lease-time  00:00:a8:c0
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 58:T1  00:00:54:60
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 59:T2  00:00:93:a8
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option:  1:netmask  255.255.0.0
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 28:broadcast  192.168.255.255
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option:  3:router  192.168.1.1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option:  6:dns-server  192.168.1.1

I'm mystified.  dnsmasq seems to be sending everything the thermostat 
has requested, but the thermostat never sends DHCPREQUEST.  The 
thermostat is something of a black box, and "technical support" is 
useless.  Any ideas would be very welcome.

-- Bill Johnson
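
Bill's observation (everything the client asked for is sent, yet no DHCPREQUEST follows) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example written for this thread, not code from the thread or from dnsmasq: it groups log-dhcp lines by transaction id, records which option codes the client requested and which dnsmasq actually sent, notes whether the reply went out as a broadcast, and then lists transactions that reached DHCPOFFER without ever seeing a DHCPREQUEST. The sample log is constructed from the lines quoted above plus a made-up completed exchange (xid 998877) for contrast; the line format assumed is the one shown in the message.

```python
import re
from collections import defaultdict

# Constructed sample: the 162797508 lines are the thermostat exchange quoted in
# the message above; transaction 998877 is made up here to show a completed
# DISCOVER/OFFER/REQUEST/ACK for contrast.
SAMPLE_LOG = """\
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 available DHCP range: 192.168.1.100 -- 192.168.1.199
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 client provides name: Gateway3CDA93
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 DHCPDISCOVER(eth1) 00:d0:2d:3c:da:93
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 tags: eth1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 DHCPOFFER(eth1) 192.168.1.191 00:d0:2d:3c:da:93
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 requested options: 1:netmask, 3:router, 6:dns-server
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 next server: 192.168.1.1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 broadcast response
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  1 option: 53:message-type  02
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 54:server-identifier  192.168.1.1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 51:lease-time  00:00:a8:c0
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option:  1:netmask  255.255.0.0
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option: 28:broadcast  192.168.255.255
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option:  3:router  192.168.1.1
Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4 option:  6:dns-server  192.168.1.1
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 DHCPDISCOVER(eth1) 00:11:22:33:44:55
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 DHCPOFFER(eth1) 192.168.1.120 00:11:22:33:44:55
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 requested options: 1:netmask, 3:router, 6:dns-server, 42:ntp-server
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 DHCPREQUEST(eth1) 192.168.1.120 00:11:22:33:44:55
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 DHCPACK(eth1) 192.168.1.120 00:11:22:33:44:55 laptop
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 sent size:  4 option:  1:netmask  255.255.0.0
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 sent size:  4 option:  3:router  192.168.1.1
Jun 11 22:23:10 wardrobe dnsmasq-dhcp[17562]: 998877 sent size:  4 option:  6:dns-server  192.168.1.1
""".splitlines()

# Pieces of the log-dhcp line format: "<prefix> dnsmasq-dhcp[<pid>]: <xid> <message>"
LINE_RE = re.compile(r"dnsmasq-dhcp\[\d+\]: (?P<xid>\d+) (?P<msg>.*)$")
MSG_RE = re.compile(r"^(?P<type>DHCP[A-Z]+)\((?P<iface>[^)]+)\)(?P<rest>.*)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
REQ_RE = re.compile(r"^requested options: (?P<codes>.*)$")
OPT_RE = re.compile(r"^sent size:\s*\d+ option:\s*(?P<code>\d+):(?P<name>[\w-]+)\s+(?P<value>.*)$")


def parse_transactions(lines):
    """Group log-dhcp lines by transaction id and extract what each side did."""
    tx = defaultdict(lambda: {"messages": [], "iface": None, "mac": None,
                              "broadcast": False, "requested": set(), "sent": {}})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        t, msg = tx[m.group("xid")], m.group("msg")
        mm, rm, om = MSG_RE.match(msg), REQ_RE.match(msg), OPT_RE.match(msg)
        if mm:                                   # DHCPDISCOVER(eth1) <mac> and friends
            t["messages"].append(mm.group("type"))
            t["iface"] = mm.group("iface")
            mac = MAC_RE.search(mm.group("rest"))
            if mac:
                t["mac"] = mac.group(0)
        elif rm:                                 # codes from the client's parameter request list
            t["requested"] |= {int(item.split(":")[0]) for item in rm.group("codes").split(",")}
        elif om:                                 # options dnsmasq actually put in its reply
            t["sent"][int(om.group("code"))] = (om.group("name"), om.group("value").strip())
        elif msg == "broadcast response":        # reply went to 255.255.255.255, not unicast
            t["broadcast"] = True
    return dict(tx)


def stalled_offers(tx):
    """Transaction ids where dnsmasq sent DHCPOFFER but no DHCPREQUEST ever arrived."""
    return sorted(xid for xid, t in tx.items()
                  if "DHCPOFFER" in t["messages"] and "DHCPREQUEST" not in t["messages"])


def unanswered_requests(t):
    """Option codes the client asked for that are missing from dnsmasq's reply."""
    return t["requested"] - set(t["sent"])


def report(tx):
    """One human-readable line per stalled transaction."""
    out = []
    for xid in stalled_offers(tx):
        t = tx[xid]
        missing = sorted(unanswered_requests(t)) or "none"
        out.append(f"xid {xid}: OFFER to {t['mac']} on {t['iface']} sent as "
                   f"{'broadcast' if t['broadcast'] else 'unicast'}, no REQUEST seen; "
                   f"requested-but-unsent options: {missing}")
    return out


if __name__ == "__main__":
    for line in report(parse_transactions(SAMPLE_LOG)):
        print(line)
```

The "broadcast response" flag is worth surfacing: an OFFER addressed to 255.255.255.255 is exactly what any host firewall sitting between dnsmasq and the client has to let through, so a stalled transaction whose requested options were all answered points at delivery of the reply rather than at its contents.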


From discord at uw.edu  Thu Jun 12 03:34:16 2014
From: discord at uw.edu (Colin Kincaid Williams)
Date: Wed, 11 Jun 2014 20:34:16 -0700
Subject: [Dnsmasq-discuss] dynamic dns server ?
Message-ID: <CAB-gU_sgEbia45mEGmSGrBWPdd1aNwdC4j+UOLZ8CpcU2twspQ@mail.gmail.com>

I've been asked to provide a DNS solution for a lab environment.  In
the lab they are spinning up VMs with virtual network interfaces; the
problem is the machines need to be able to communicate with each
other. The lab has a certain network infrastructure that I cannot
change, e.g. the DHCP server.

So for the VM host foo1.local, I would like it to resolve foo2.local,
foo3.local. More VMs can be spun up all the time, and I cannot assume
I know their hostnames.

These hosts all receive their IPs from another DHCP server, let's call
it dhcp.local. It might be nice if I could use dnsmasq to provide them
with an IP address, because I believe that it can also add that IP
dynamically to its hostname / DNS table. However, I have to use
dhcp.local, which is not using DHCP. I saw an option to use dnsmasq as a
DHCP relay. If I chose this option, with --dhcp-relay=<local
address>,<server address>[,<interface>], will I be able to get an
address from dhcp.local, and still have the FQDN and IP added to the
DNS table on the dnsmasq server, call it dnsmasq.local?


If this won't work another thing I was thinking I could do is use the
dynamic-dnsmasq.pl script to add the host to dnsmasq.local, on the
creation of the vm.

I think I prefer using the DHCP relay, if that would work. I'm just
looking for some advice. Some other possibilities include the use of
mDNS or zeroconf...


From discord at uw.edu  Thu Jun 12 04:06:41 2014
From: discord at uw.edu (Colin Kincaid Williams)
Date: Wed, 11 Jun 2014 21:06:41 -0700
Subject: [Dnsmasq-discuss] dynamic dns server ?
In-Reply-To: <CAB-gU_sgEbia45mEGmSGrBWPdd1aNwdC4j+UOLZ8CpcU2twspQ@mail.gmail.com>
References: <CAB-gU_sgEbia45mEGmSGrBWPdd1aNwdC4j+UOLZ8CpcU2twspQ@mail.gmail.com>
Message-ID: <CAB-gU_t4cYqiOuAs8=uP3=Vk5dvDanBDM_7P3TccNnRh6wMo8g@mail.gmail.com>

On second thought a dhcp forwarder probably won't work, because I
don't think I can set a dhcp server address in dhclient.conf. That
leaves using dynamic-dnsmasq.pl as my only option, unless I'm
overlooking something.

On Wed, Jun 11, 2014 at 8:34 PM, Colin Kincaid Williams <discord at uw.edu> wrote:
> I've been asked to provide a DNS solution for a lab environment.  In
> the lab they are spinning up VMs with virtual network interfaces; the
> problem is the machines need to be able to communicate with each
> other. The lab has a certain network infrastructure that I cannot
> change, e.g. the DHCP server.
>
> So for the VM host foo1.local, I would like it to resolve foo2.local,
> foo3.local. More VMs can be spun up all the time, and I cannot assume
> I know their hostnames.
>
> These hosts all receive their IPs from another DHCP server, let's call
> it dhcp.local. It might be nice if I could use dnsmasq to provide them
> with an IP address, because I believe that it can also add that IP
> dynamically to its hostname / DNS table. However, I have to use
> dhcp.local, which is not using DHCP. I saw an option to use dnsmasq as a
> DHCP relay. If I chose this option, with --dhcp-relay=<local
> address>,<server address>[,<interface>], will I be able to get an
> address from dhcp.local, and still have the FQDN and IP added to the
> DNS table on the dnsmasq server, call it dnsmasq.local?
>
>
> If this won't work another thing I was thinking I could do is use the
> dynamic-dnsmasq.pl script to add the host to dnsmasq.local, on the
> creation of the vm.
>
> I think I prefer using the DHCP relay, if that would work. I'm just
> looking for some advice. Some other possibilities include the use of
> mDNS or zeroconf...


From Neil.Jerram at metaswitch.com  Thu Jun 12 12:10:24 2014
From: Neil.Jerram at metaswitch.com (Neil Jerram)
Date: Thu, 12 Jun 2014 12:10:24 +0000
Subject: [Dnsmasq-discuss] Patch: Allow wildcard aliases in
 --bridge-interface option
In-Reply-To: <5398BB39.7030501@thekelleys.org.uk>
References: <F6885DC5CBE92C4BB4D654841E63A30FD7E2C74E@ENFIRHMBX1.datcon.co.uk>
 <5398BB39.7030501@thekelleys.org.uk>
Message-ID: <F6885DC5CBE92C4BB4D654841E63A30FD7E2CC4E@ENFIRHMBX1.datcon.co.uk>

Simon Kelley wrote:
> On 11/06/14 15:49, Neil Jerram wrote:
> > Hi Simon,
> >
> > Please would you consider the attached patch, which allows a trailing '*'
> > wildcard in each <alias> that is specified in the --bridge-interface option.
> > My team is working on a new form of host/VM networking where VM data is
> > routed instead of bridged, and this patch allows us to use dnsmasq as the
> > DHCP server in that scenario.
> >
> > [...] 
> 
> That's very clever. Patch accepted and applied in git.

Many thanks!

As a followup, may I ask broadly when you might do a next dnsmasq feature
release (assuming that that would include this change)?  I don't mean to
suggest any pressure one way or the other, but just to get some feeling for
your schedule or release algorithm.

Regards,
	Neil



From brak at gameservers.com  Thu Jun 12 14:44:09 2014
From: brak at gameservers.com (Brian Rak)
Date: Thu, 12 Jun 2014 10:44:09 -0400
Subject: [Dnsmasq-discuss] Assigning leases based on relay agent IP
	address?
In-Reply-To: <5398BF57.2040705@thekelleys.org.uk>
References: <538CED4E.60808@gameservers.com>
 <5398BF57.2040705@thekelleys.org.uk>
Message-ID: <5399BCB9.3000601@gameservers.com>


On 6/11/2014 4:43 PM, Simon Kelley wrote:
> On 02/06/14 22:31, Brian Rak wrote:
>> How can I use dhcp-match with the 'Relay agent IP address' part of the
>> packet?
>>
>>
>> I'm trying to manage DHCP for a bunch of different networks with one
>> DHCP server.  I'd like to determine which network to use based on which
>> subnet the relay server's IP address is in.
>>
>> I've got a bunch of lines like this:
>>
>> dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,auto,255.255.255.192,2h
>                                                           ^^^^^
>
> This may be confusing the parser and leading to problems.
Yep, that was exactly the cause of the issues.  The 'auto' was confusing 
it, so it was guessing a netmask for the subnets.  It was guessing 
255.0.0.0, so all the networks seemed to be available.

Once I removed 'auto', everything is working correctly.  I'm not even 
sure where I got that, I don't see it in the documentation.

>
>> dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,auto,255.255.255.192,2h
>>
>>
>> However, when a DHCPDISCOVER comes in, dnsmasq just picks a random
>> network to use.   As an example:
>>
>> dnsmasq-dhcp[31908]: 2740340080 vendor class: udhcp 1.12.0
>> dnsmasq-dhcp[31908]: 2740340080 DHCPDISCOVER(eth1) 00:25:90:d7:c6:7c
>> dnsmasq-dhcp[31908]: 2740340080 tags: SUBNETID124844, eth1
>> dnsmasq-dhcp[31908]: 2740340080 DHCPOFFER(eth1) 10.237.4.39
>> 00:25:90:d7:c6:7c
>>
>> The initial DHCPDISCOVER came in via 10.237.2.65, but a completely
>> different subnet was used instead. (Also, is it possible to log the
>> relay IP address?)
>>
>> tshark shows this:
>>
>> Bootstrap Protocol
>>      Message type: Boot Request (1)
>> ...
>>      Bootp flags: 0x0000 (Unicast)
>>          0... .... .... .... = Broadcast flag: Unicast
>>          .000 0000 0000 0000 = Reserved flags: 0x0000
>>      Client IP address: 0.0.0.0 (0.0.0.0)
>>      Your (client) IP address: 0.0.0.0 (0.0.0.0)
>>      Next server IP address: 0.0.0.0 (0.0.0.0)
>>      Relay agent IP address: 10.237.2.65 (10.237.2.65)
>>      Client MAC address: 00:25:90:d7:c6:7c (00:25:90:d7:c6:7c)
>>
>>
>> This is with dnsmasq 2.71
> What you're asking for should be standard mode of operation. Check the
> dhcp-range lines, as shown above. I assume you have log-dhcp in your
> config? If so it should log the available subnets for each DHCP transaction.
>
> Cheers,
>
> Simon.

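A quick way to catch the kind of stray token Simon spotted is to lint the dhcp-range lines and simulate which range a relayed DHCPDISCOVER would land in. The following is an added example written for this thread, not code from dnsmasq: its parser assumes the common IPv4 layout `dhcp-range=[set:<tag>,]<start>,<end>[,<netmask>[,<broadcast>]][,<lease>]` and simply reports any token it does not recognise, and the 255.0.0.0 fallback mirrors the guessed netmask Brian reported rather than documented dnsmasq behaviour. The first two config lines are the ones from the thread; NO_MASK_CONFIG is constructed.

```python
import ipaddress
import re

# Constructed samples: the first two lines are the dhcp-range lines quoted in
# the thread (one still carrying the stray 'auto' token); NO_MASK_CONFIG is
# made up here to show what happens when no netmask is given at all.
SAMPLE_CONFIG = [
    "dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,auto,255.255.255.192,2h",
    "dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,255.255.255.192,2h",
]
NO_MASK_CONFIG = [
    "dhcp-range=set:SUBNETID124862,10.237.2.65,10.237.2.126,2h",
    "dhcp-range=set:SUBNETID124844,10.237.4.1,10.237.4.62,2h",
]

LEASE_RE = re.compile(r"^(\d+[smhdw]?|infinite|deprecated)$")


def parse_dhcp_range(line):
    """Split one IPv4 dhcp-range line into its fields.

    Assumed layout (the common IPv4 form; an illustration, not a
    re-implementation of dnsmasq's option parser):
        dhcp-range=[set:<tag>,]<start>,<end>[,<netmask>[,<broadcast>]][,<lease>]
    Anything that is neither an address nor a lease time is recorded as a warning.
    """
    body = line.split("=", 1)[1].strip()
    fields = body.split(",")
    rng = {"tag": None, "netmask": None, "broadcast": None, "lease": None, "warnings": []}
    if fields[0].startswith("set:"):
        rng["tag"] = fields.pop(0)[len("set:"):]
    rng["start"] = ipaddress.IPv4Address(fields.pop(0))
    rng["end"] = ipaddress.IPv4Address(fields.pop(0))
    address_slots = ["netmask", "broadcast"]
    for field in fields:
        try:
            addr = ipaddress.IPv4Address(field)
        except ValueError:
            addr = None
        if addr is not None and address_slots:
            rng[address_slots.pop(0)] = addr
        elif addr is None and LEASE_RE.match(field):
            rng["lease"] = field
        else:
            rng["warnings"].append(f"{rng['tag'] or body}: unrecognised field {field!r}")
    return rng


def range_network(rng, default_netmask="255.0.0.0"):
    """Subnet the range lives in. Without an explicit netmask we fall back to
    default_netmask; 255.0.0.0 mirrors the guess reported in the thread and is
    an assumption, not dnsmasq's documented behaviour."""
    mask = str(rng["netmask"] or default_netmask)
    return ipaddress.IPv4Network((str(rng["start"]), mask), strict=False)


def matching_ranges(ranges, giaddr, default_netmask="255.0.0.0"):
    """Tags of every range whose subnet contains the relay agent address."""
    relay = ipaddress.IPv4Address(giaddr)
    return [r["tag"] for r in ranges if relay in range_network(r, default_netmask)]


def audit(config_lines, giaddr):
    """Parse the dhcp-range lines, collect warnings and pick the range(s) for giaddr.
    More than one match means the server cannot tell the relayed subnets apart."""
    ranges = [parse_dhcp_range(l) for l in config_lines if l.startswith("dhcp-range=")]
    return {"matches": matching_ranges(ranges, giaddr),
            "warnings": [w for r in ranges for w in r["warnings"]]}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, "10.237.2.65"))
    print(audit(NO_MASK_CONFIG, "10.237.2.65"))
```

With explicit /26 masks the relay address 10.237.2.65 selects exactly one tag; drop the masks and fall back to /8 and both ranges contain it, which is the situation in which the server appears to pick a subnet at random.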


From knoeferl at gmx.de  Fri Jun 13 17:34:53 2014
From: knoeferl at gmx.de (Johann Knoeferl)
Date: Fri, 13 Jun 2014 19:34:53 +0200
Subject: [Dnsmasq-discuss] upstream server for "local domain" adresses
Message-ID: <trinity-39b82444-6c8d-4d53-a121-2e2d0ea537fe-1402680892968@3capp-gmx-bs16>


From ck at conrad-kostecki.de  Sat Jun 14 12:08:09 2014
From: ck at conrad-kostecki.de (Conrad Kostecki)
Date: Sat, 14 Jun 2014 12:08:09 +0000
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <53938109.2060102@thekelleys.org.uk>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F0A05.4060902@thekelleys.org.uk>
 <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F7427.3090607@thekelleys.org.uk>
 <2c4f7c81f2ff47f2b5c1631b7002efe8@DB4PR04MB265.eurprd04.prod.outlook.com>
 <5390E42D.3080505@thekelleys.org.uk> <53938109.2060102@thekelleys.org.uk>
Message-ID: <e4aae4286a06448daed273c8c341d9e9@DB4PR04MB265.eurprd04.prod.outlook.com>

> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
> Sent: Saturday, 7 June 2014 23:16
> To: DNSMasq mailing list
> Subject: Re: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
> 
> On 05/06/14 22:42, Simon Kelley wrote:
> 
> > Thanks for that. I think this is a race condition, and I can't get the
> > timing right to reproduce it. If I'm correct. 2.72test2 should fix the
> > problem. Please could you test that?
> >
> 
> Update - please test 2.72test3. That has a fundamental fix, not a band-aid.

Hi Simon,
It seems fixed. At least it didn't happen anymore :)

Thanks!
Conrad


From a.heider at gmail.com  Sat Jun 14 20:53:25 2014
From: a.heider at gmail.com (Andre Heider)
Date: Sat, 14 Jun 2014 22:53:25 +0200
Subject: [Dnsmasq-discuss] [PATCH] Add support for libnettle with mini-gmp
Message-ID: <1402779205-9257-1-git-send-email-a.heider@gmail.com>

libnettle can be compiled with --enable-mini-gmp which does not require
an external libgmp.

To support both variants, fix one header which works everywhere and stop
linking against libgmp if HAVE_NETTLE_MINI is in COPTS.
---

Hi,

OpenWRT supports mini-gmp via CONFIG_LIBNETTLE_MINI, and I ran into a compile
error on this setup.

This patch fixes the issue, please consider applying.

Thanks,
Andre


 Makefile     | 2 +-
 src/dnssec.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index c58b50b..b1ab7e7 100644
--- a/Makefile
+++ b/Makefile
@@ -61,7 +61,7 @@ lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CON
 lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` 
 nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
 nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
-gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --copy -lgmp`
+gmp_libs =      `echo $(COPTS) | grep HAVE_NETTLE_MINI >/dev/null 2>&1 || echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --copy -lgmp`
 sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
 version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
 
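Review bot: the `grep HAVE_NETTLE_MINI` on the new `gmp_libs` line only sees the symbol when it is passed in COPTS on the make command line, whereas the HAVE_DNSSEC test on the same line goes through `$(top)/bld/pkg-wrapper` like the other build controls, so a `#define` in src/config.h would switch one and not the other; suggest routing the new symbol through pkg-wrapper as well and, since it removes a dependency rather than adding one, naming it in the NO_* style for consistency. The bare grep is also an unanchored substring match, so any COPTS token that happens to contain that text would silently drop -lgmp.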
diff --git a/src/dnssec.c b/src/dnssec.c
index 44d626b..446a99d 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -26,7 +26,7 @@
 #  include <nettle/ecc-curve.h>
 #endif
 #include <nettle/nettle-meta.h>
-#include <gmp.h>
+#include <nettle/bignum.h>
 
 #define SERIAL_UNDEF  -100
 #define SERIAL_EQ        0
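Review bot: `+#include <nettle/bignum.h>` replaces `<gmp.h>` unconditionally, while the Makefile half of the change is conditional on HAVE_NETTLE_MINI, so correctness now rests on nettle/bignum.h pulling in the right bignum header (gmp.h or mini-gmp) for whichever way libnettle was built; the commit message should state the minimum nettle version that guarantees this, and a one-line comment above the include saying why the nettle wrapper header is used instead of gmp.h directly would stop the next reader from reverting it.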
-- 
2.0.0



From simon at thekelleys.org.uk  Mon Jun 16 20:41:58 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 16 Jun 2014 21:41:58 +0100
Subject: [Dnsmasq-discuss] dynamic dns server ?
In-Reply-To: <CAB-gU_t4cYqiOuAs8=uP3=Vk5dvDanBDM_7P3TccNnRh6wMo8g@mail.gmail.com>
References: <CAB-gU_sgEbia45mEGmSGrBWPdd1aNwdC4j+UOLZ8CpcU2twspQ@mail.gmail.com>
 <CAB-gU_t4cYqiOuAs8=uP3=Vk5dvDanBDM_7P3TccNnRh6wMo8g@mail.gmail.com>
Message-ID: <539F5696.4000502@thekelleys.org.uk>

On 12/06/14 05:06, Colin Kincaid Williams wrote:
> On second thought a dhcp forwarder probably won't work, because I
> don't think I can set a dhcp server address in dhclient.conf. That
> leaves using dynamic-dnsmasq.pl as my only option, unless I'm
> overlooking something.
> 
> On Wed, Jun 11, 2014 at 8:34 PM, Colin Kincaid Williams <discord at uw.edu> wrote:
>> I've been asked to provide a DNS solution for a lab environment.  In
>> the lab they are spinning up VMs with virtual network interfaces; the
>> problem is the machines need to be able to communicate with each
>> other. The lab has a certain network infrastructure that I cannot
>> change, e.g. the DHCP server.
>>
>> So for the VM host foo1.local, I would like it to resolve foo2.local,
>> foo3.local. More VMs can be spun up all the time, and I cannot assume
>> I know their hostnames.
>>
>> These hosts all receive their IPs from another DHCP server, let's call
>> it dhcp.local. It might be nice if I could use dnsmasq to provide them
>> with an IP address, because I believe that it can also add that IP
>> dynamically to its hostname / DNS table. However, I have to use
>> dhcp.local, which is not using DHCP. I saw an option to use dnsmasq as a
>> DHCP relay. If I chose this option, with --dhcp-relay=<local
>> address>,<server address>[,<interface>], will I be able to get an
>> address from dhcp.local, and still have the FQDN and IP added to the
>> DNS table on the dnsmasq server, call it dnsmasq.local?
>>
>>
>> If this won't work another thing I was thinking I could do is use the
>> dynamic-dnsmasq.pl script to add the host to dnsmasq.local, on the
>> creation of the vm.
>>
>> I think I prefer using the DHCP relay, if that would work. I'm just
>> looking for some advice. Some other possibilities include the use of
>> mDNS or zeroconf...
> 


I think you really need to get some control of the lab DHCP server. If
nothing else needs to talk to the VMs, and they only need to talk to
each other and the rest of the world, you could, I suppose, put them on a
private RFC1918 net with a dnsmasq instance as DHCP server and NAT them
to the lab network. Nasty, but it might work.


Simon.




From simon at thekelleys.org.uk  Mon Jun 16 20:44:31 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 16 Jun 2014 21:44:31 +0100
Subject: [Dnsmasq-discuss] DHCPOFFER rejected?
In-Reply-To: <539917FA.9090909@comcast.net>
References: <539917FA.9090909@comcast.net>
Message-ID: <539F572F.9030505@thekelleys.org.uk>

On 12/06/14 04:01, Bill Johnson wrote:
> A new wifi enabled thermostat has me baffled.
> 
> dnsmasq provides dhcp and dns services to my home network, on a machine
> named "wardrobe" at 192.168.1.1.  Wardrobe also does routing for the
> network.  Wardrobe runs Ubuntu 12.04 and dnsmasq 2.59.  Wifi "routers"
> do no routing. They are access points only.
> 
> I recently acquired a wifi enabled thermostat.  Out of the box, this
> thing starts up its own wifi net with a unique SSID, and advertises a
> web server at 192.168.1.1.  The server allows the user to tell the
> device which SSID to connect to, and to provide a password for that
> network.  So, this thing broadcasts DHCPDISCOVER, wardrobe responds with
> DHCPOFFER, and the dance breaks off, then repeats for a while, then the
> thermostat reports "No IP Address", then starts trying again.
> Here's what dnsmasq logs, over and over again:
> 
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 available DHCP
> range: 192.168.1.100 -- 192.168.1.199
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 client provides
> name: Gateway3CDA93
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508
> DHCPDISCOVER(eth1) 00:d0:2d:3c:da:93
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 tags: eth1
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 DHCPOFFER(eth1)
> 192.168.1.191 00:d0:2d:3c:da:93
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 requested
> options: 1:netmask, 3:router, 6:dns-server
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 next server:
> 192.168.1.1
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 broadcast response
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  1
> option: 53:message-type  02
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option: 54:server-identifier  192.168.1.1
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option: 51:lease-time  00:00:a8:c0
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option: 58:T1  00:00:54:60
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option: 59:T2  00:00:93:a8
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option:  1:netmask  255.255.0.0
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option: 28:broadcast  192.168.255.255
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option:  3:router  192.168.1.1
> Jun 11 22:22:32 wardrobe dnsmasq-dhcp[17562]: 162797508 sent size:  4
> option:  6:dns-server  192.168.1.1
> 
> I'm mystified.  dnsmasq seems to be sending everything the thermostat
> has requested, but the thermostat never sends DHCPREQUEST.  The
> thermostat is something of a black box, and "technical support" is
> useless.  Any ideas would be very welcome.
> 

Can you make it work with another DHCP server (ie, does the useless
technical support specify a server to use)? If you can get it to work
with that server and grab the packets, we could see what's missing from
dnsmasq's answer and work out how to configure it to please the thermostat.


Simon.




From simon at thekelleys.org.uk  Mon Jun 16 21:07:40 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 16 Jun 2014 22:07:40 +0100
Subject: [Dnsmasq-discuss] upstream server for "local domain" adresses
In-Reply-To: <trinity-39b82444-6c8d-4d53-a121-2e2d0ea537fe-1402680892968@3capp-gmx-bs16>
References: <trinity-39b82444-6c8d-4d53-a121-2e2d0ea537fe-1402680892968@3capp-gmx-bs16>
Message-ID: <539F5C9C.3090503@thekelleys.org.uk>

On 13/06/14 18:34, Johann Knoeferl wrote:
> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-bounces at lists.thekelleys.org.uk] On
> Behalf Of Simon Kelley
> Sent: Wednesday, 11 June 2014 22:06
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] upstream server for "local domain" adresses
>> Are you using the same configuration on both sides? I suspect that you're
>> somehow creating a loop where one server sends the query to the other, which sends
>> it back to the first, which sends it again to the second, and so on.
>>
>> The first thing to do is to set
>>
>> log-queries
>>
>> and look at the log files to see what's happening.
>>
>> Cheers,
>>
>> Simon.
> Hello Simon,
> You are right. Somehow I created a loop with my configuration:
> Router 1:
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: forwarded 
> machine02.mydomain.lan to 192.168.10.1
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: query[AAAA] 
> machine02.mydomain.lan from 192.168.7.13
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: forwarded 
> machine02.mydomain.lan to 192.168.10.1
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: query[AAAA] 
> machine02.mydomain.lan from 192.168.7.13
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: forwarded 
> machine02.mydomain.lan to 192.168.10.1
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: query[AAAA] 
> machine02.mydomain.lan from 192.168.7.13
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: forwarded 
> machine02.mydomain.lan to 192.168.10.1
> Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: query[AAAA] 
> machine02.mydomain.lan from 192.168.7.13
> ...
> Router 2:
> Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: query[A] 
> router02.mydomain.lan from 192.168.10.11
> Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: /etc/hosts 
> router02.mydomain.lan is 192.168.10.1
> Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: query[AAAA] 
> machine02.mydomain.lan from 192.168.6.1
> Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: forwarded 
> machine02.mydomain.lan to 192.168.6.1
> Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: query[AAAA] 
> machine02.mydomain.lan from 192.168.6.1
> Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: forwarded 
> machine02.mydomain.lan to 192.168.6.1
> Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: query[AAAA] 
> machine02.mydomain.lan from 192.168.6.1
> ...
> In this example I asked for a DNS entry which can be found in router01's hosts file.
> Nevertheless the query goes back to router02, which can't handle it, and so
> router01 is asked again.
> Both routers are configured equally - except for the IP of each other.
> My thought was that the priority is the hosts file, and only if an entry cannot be
> found is a server entry used.
> But it seems that the server has higher priority. Is there a way to change this?
> But the more I think about it, it seems not to be clever at all, what I have done.
> If someone asks for a DNS entry which isn't listed in the hosts file, I will run
> into the same problem even when I can achieve changing the priority.
> What would be the best way for serving two subnets with the same local DNS
> entries?
> Using a complete hosts file on both sides?
> Using only one hosts file as master and querying it from both sides?
> Thanks for any suggestions!
> 
> 

The query which is looping is for the IPv6 address. I guess you don't
have IPv6 addresses in the hosts file.

Adding something like

address=/mydomain.lan/::1

will stop the looping, but might mess things up because all IPv6 queries
will get a ::1 answer (== 127.0.0.1 in IPv4-land).


Cheers,

Simon.


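The loop Simon diagnoses is visible in the log-queries output itself: router02 receives the AAAA query for machine02.mydomain.lan from 192.168.6.1 and forwards the very same name straight back to 192.168.6.1. The script below is an added example for this thread, not code from the thread or from dnsmasq; it reads dnsmasq `query[...]` and `forwarded` lines, flags every forward that bounces a query back to the address it arrived from, and counts forwards per (name, upstream) to surface the tight retry burst. The log lines are constructed from the ones posted above (trimmed to a few representative pairs), and the `peers` filter is an assumed knob for sites that know their upstream addresses.

```python
import re
from collections import Counter

# Constructed sample, taken from the router logs quoted above (trimmed to a
# few representative lines; the repetition is what the loop looks like).
ROUTER01_LOG = """\
Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: query[AAAA] machine02.mydomain.lan from 192.168.7.13
Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: forwarded machine02.mydomain.lan to 192.168.10.1
Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: query[AAAA] machine02.mydomain.lan from 192.168.7.13
Jun 13 18:01:16 router01 daemon.info dnsmasq[4184]: forwarded machine02.mydomain.lan to 192.168.10.1
""".splitlines()

ROUTER02_LOG = """\
Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: query[A] router02.mydomain.lan from 192.168.10.11
Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: /etc/hosts router02.mydomain.lan is 192.168.10.1
Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: query[AAAA] machine02.mydomain.lan from 192.168.6.1
Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: forwarded machine02.mydomain.lan to 192.168.6.1
Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: query[AAAA] machine02.mydomain.lan from 192.168.6.1
Jun 13 18:02:06 router02 daemon.info dnsmasq[12730]: forwarded machine02.mydomain.lan to 192.168.6.1
""".splitlines()

# The two log-queries line shapes we care about; everything else is skipped.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)$")
FWD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<dst>\S+)$")


def find_reflections(lines, peers=()):
    """(name, address) pairs where a query that arrived from `address` was
    forwarded straight back to it. With `peers` given, only those upstream
    addresses are considered (an assumed knob, useful when ordinary clients
    happen to share an address with a forwarder)."""
    last_source = {}          # name -> source address of the latest query for it
    hits = []
    for line in lines:
        q = QUERY_RE.search(line)
        if q:
            last_source[q.group("name")] = q.group("src")
            continue
        f = FWD_RE.search(line)
        if f:
            src = last_source.get(f.group("name"))
            if src is not None and src == f.group("dst") and (not peers or src in peers):
                hits.append((f.group("name"), src))
    return hits


def forward_counts(lines):
    """How many times each name was forwarded to each upstream; a burst of
    identical forwards within the same second is the other loop symptom."""
    counts = Counter()
    for line in lines:
        f = FWD_RE.search(line)
        if f:
            counts[(f.group("name"), f.group("dst"))] += 1
    return counts


def loop_report(router_name, lines):
    """Short verdict for one router's log, one line per reflected name/peer."""
    reflections = Counter(find_reflections(lines))
    return [f"{router_name}: {name} forwarded back to {peer} {n} time(s)"
            for (name, peer), n in reflections.items()]


if __name__ == "__main__":
    for name, log in (("router01", ROUTER01_LOG), ("router02", ROUTER02_LOG)):
        print(loop_report(name, log) or f"{name}: no reflected forwards")
```

Once the reflection is confirmed, the fix is to make sure the domain never leaves the router that is authoritative for it: Simon's `address=/mydomain.lan/::1` line stops the AAAA forwarding at the cost of a synthetic answer, and a complete hosts file on each side removes the need to forward the domain at all.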


From simon at thekelleys.org.uk  Mon Jun 16 21:12:27 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 16 Jun 2014 22:12:27 +0100
Subject: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
In-Reply-To: <e4aae4286a06448daed273c8c341d9e9@DB4PR04MB265.eurprd04.prod.outlook.com>
References: <2bfba9448c1f4afdad7c7ea8918d4d11@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F0A05.4060902@thekelleys.org.uk>
 <c94f4852b0604b94a45554de59be9c8f@DB4PR04MB265.eurprd04.prod.outlook.com>
 <538F7427.3090607@thekelleys.org.uk>
 <2c4f7c81f2ff47f2b5c1631b7002efe8@DB4PR04MB265.eurprd04.prod.outlook.com>
 <5390E42D.3080505@thekelleys.org.uk> <53938109.2060102@thekelleys.org.uk>
 <e4aae4286a06448daed273c8c341d9e9@DB4PR04MB265.eurprd04.prod.outlook.com>
Message-ID: <539F5DBB.508@thekelleys.org.uk>

On 14/06/14 13:08, Conrad Kostecki wrote:
>> -----Original Message-----
>> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
>> bounces at lists.thekelleys.org.uk] On Behalf Of Simon Kelley
>> Sent: Saturday, 7 June 2014 23:16
>> To: DNSMasq mailing list
>> Subject: Re: [Dnsmasq-discuss] DNSMasq stops working and runs at 100%
>>
>> On 05/06/14 22:42, Simon Kelley wrote:
>>
>>> Thanks for that. I think this is a race condition, and I can't get the
>>> timing right to reproduce it. If I'm correct. 2.72test2 should fix the
>>> problem. Please could you test that?
>>>
>>
>> Update - please test 2.72test3. That has a fundamental fix, not a band-aid.
> 
> Hi Simon,
> It seems fixed. At least it didn't happen anymore :)


Great stuff. Thanks for reporting that.


Cheers,

Simon.

> 
> Thanks!
> Conrad



From wjohnson55 at comcast.net  Tue Jun 17 13:43:29 2014
From: wjohnson55 at comcast.net (Bill Johnson)
Date: Tue, 17 Jun 2014 09:43:29 -0400
Subject: [Dnsmasq-discuss] DHCPOFFER rejected?
Message-ID: <53A04601.2020101@comcast.net>

After some experimenting with dnsmasq.conf and some help from Alex S., I 
discovered that the problem was actually a nine-year-old iptables rule, 
that was apparently preventing the dhcpoffer reaching the thermostat in 
good shape.  Odd, because this old rule has caused no problems for a 
multitude of other wireless devices in the house.  In any case, I got 
the newest version of fwbuilder and used it to generate a new set of 
iptables rules, and all is well.  I guess there have been some changes 
to iptables since 2005!

Thanks to Alex and Simon.

-- 
Bill Johnson


From simon at thekelleys.org.uk  Tue Jun 17 18:56:25 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue, 17 Jun 2014 19:56:25 +0100
Subject: [Dnsmasq-discuss] [PATCH] Add support for libnettle with
	mini-gmp
In-Reply-To: <1402779205-9257-1-git-send-email-a.heider@gmail.com>
References: <1402779205-9257-1-git-send-email-a.heider@gmail.com>
Message-ID: <53A08F59.6000001@thekelleys.org.uk>

On 14/06/14 21:53, Andre Heider wrote:
> libnettle can be compiled with --enable-mini-gmp which does not
> require an external libgmp.
> 
> To support both variants, fix one header which works everywhere and
> stop linking against libgmp if HAVE_NETTLE_MINI is in COPTS. ---
> 
> Hi,
> 
> OpenWRT supports mini-gmp via CONFIG_LIBNETTLE_MINI, and I ran into a
> compile error on this setup.
> 
> This patch fixes the issue, please consider applying.
> 
> Thanks, Andre
> 
That's great. I've applied it, but with significant changes.

1) I changed the preprocessor symbol to NO_GMP. That fits with others
that _remove_ dependencies.

2) I changed the mechanism so that you can get the correct effect by adding

#define NO_GMP

to src/config.h, as well as using the make command line, in the same way
as the other controls. It's not likely to be used, but if it behaves
differently, it will catch someone out, someday.


I wonder if there's something in the nettle headers that can be used to
control this automatically. I.e. if linking against libnettle compiled
with --enable-mini-gmp, then do the right thing without needing
-DNO_GMP. I couldn't see anything obvious.


Cheers,


Simon.



From a.heider at gmail.com  Tue Jun 17 20:19:08 2014
From: a.heider at gmail.com (Andre Heider)
Date: Tue, 17 Jun 2014 22:19:08 +0200
Subject: [Dnsmasq-discuss] [PATCH] Add support for libnettle with
	mini-gmp
In-Reply-To: <53A08F59.6000001@thekelleys.org.uk>
References: <1402779205-9257-1-git-send-email-a.heider@gmail.com>
 <53A08F59.6000001@thekelleys.org.uk>
Message-ID: <CAHsu+b_=xLCEWF5uH5e0gRqg0E3V3f+EL_X_BxsoSVRoXeXhhQ@mail.gmail.com>

Hi,

On Tue, Jun 17, 2014 at 8:56 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> 1) I changed the preprocessor symbol to NO_GMP. That fits with others
> that _remove_ dependencies.
>
> 2) I changed the mechanism so that you can get the correct effect by adding
>
> #define NO_GMP
>
> to src/config.h, as well as using the make command line, in the same way
> as the other controls. It's not likely to be used, but if it behaves
> differently, it will catch someone out, someday.

Alright, thanks, I'll adapt my OpenWRT patches to that.

> I wonder if there's something in the nettle headers that can be used to
> control this automatically. I.e. if linking against libnettle compiled
> with --enable-mini-gmp, then do the right thing without needing
> -DNO_GMP. I couldn't see anything obvious.

In theory pkg-config should handle all that. I didn't want to break
anything for dnsmasq, hence didn't touch the gmp linkage, but if
libnettle.so properly links against a required libgmp.so you shouldn't
need to add it explicitly.
But I've seen too many cases where that doesn't work out in reality :\

Regards,
Andre


From simon at thekelleys.org.uk  Wed Jun 18 20:36:24 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 18 Jun 2014 21:36:24 +0100
Subject: [Dnsmasq-discuss] DHCPOFFER rejected?
In-Reply-To: <53A04601.2020101@comcast.net>
References: <53A04601.2020101@comcast.net>
Message-ID: <53A1F848.2070505@thekelleys.org.uk>

On 17/06/14 14:43, Bill Johnson wrote:
> After some experimenting with dnsmasq.conf and some help from Alex S., I
> discovered that the problem was actually a nine-year-old iptables rule,
> that was apparently preventing the dhcpoffer reaching the thermostat in
> good shape.  Odd, because this old rule has caused no problems for a
> multitude of other wireless devices in the house.  In any case, I got
> the newest version of fwbuilder and used it to generate a new set of
> iptables rules, and all is well.  I guess there have been some changes
> to iptables since 2005!

My guess is that it was blocking broadcasts to 255.255.255.255.


Cheers,

Simon.

> 
> Thanks to Alex and Simon.
> 



From simon at thekelleys.org.uk  Wed Jun 18 20:46:37 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Wed, 18 Jun 2014 21:46:37 +0100
Subject: [Dnsmasq-discuss] [PATCH] Add support for libnettle with
	mini-gmp
In-Reply-To: <CAHsu+b_=xLCEWF5uH5e0gRqg0E3V3f+EL_X_BxsoSVRoXeXhhQ@mail.gmail.com>
References: <1402779205-9257-1-git-send-email-a.heider@gmail.com>	<53A08F59.6000001@thekelleys.org.uk>
 <CAHsu+b_=xLCEWF5uH5e0gRqg0E3V3f+EL_X_BxsoSVRoXeXhhQ@mail.gmail.com>
Message-ID: <53A1FAAD.6020703@thekelleys.org.uk>

On 17/06/14 21:19, Andre Heider wrote:
> Hi,
> 
> On Tue, Jun 17, 2014 at 8:56 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> 1) I changed the preprocessor symbol to NO_GMP. That fits with others
>> that _remove_ dependencies.
>>
>> 2) I changed  the mechanism so that you can get the correct effect by adding
>>
>> #define NO_GMP
>>
>> to src/config.h, as well as using the make command line, in the same way
>> as the other controls. It's not likely  to be used, but if it behaves
>> differently, it will catch someone out, someday.
> 
> Alright, thanks, I'll adapt my OpenWRT patches to that.
> 
>> I wonder if there's something in the nettle headers that can be used to
>> control this automatically. I.e. if linking against libnettle compiled
>> with --enable-mini-gmp, then do the right thing without needing
>> -DNO_GMP. I couldn't see anything obvious.
> 
> In theory pkg-config should handle all that. I didn't want to break
> anything for dnsmasq, hence didn't touch the gmp linkage, but if
> libnettle.so properly links against a required libgmp.so you shouldn't
> need to add it explicitly.
> But I've seen too many cases where that doesn't work out in reality :\
> 

Me too, which is why the explicit -lgmp is added. I think the problem
that prompted that was with the option to build with those libraries
statically linked.


Cheers,

Simon.




From v.tolstov at selfip.ru  Thu Jun 19 07:13:20 2014
From: v.tolstov at selfip.ru (Vasiliy Tolstov)
Date: Thu, 19 Jun 2014 11:13:20 +0400
Subject: [Dnsmasq-discuss] mdns support
Message-ID: <CACaajQtu7xZZCqDYTpjxxaT8_abwSf+qn0uAKfpjtc0VS_UxsA@mail.gmail.com>

Has anybody tried to implement mDNS support in dnsmasq?

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru


From thozza at redhat.com  Thu Jun 19 10:25:05 2014
From: thozza at redhat.com (Tomas Hozza)
Date: Thu, 19 Jun 2014 06:25:05 -0400 (EDT)
Subject: [Dnsmasq-discuss] mdns support
In-Reply-To: <CACaajQtu7xZZCqDYTpjxxaT8_abwSf+qn0uAKfpjtc0VS_UxsA@mail.gmail.com>
References: <CACaajQtu7xZZCqDYTpjxxaT8_abwSf+qn0uAKfpjtc0VS_UxsA@mail.gmail.com>
Message-ID: <1347894348.12802599.1403173505765.JavaMail.zimbra@redhat.com>

----- Original Message -----
> Has anybody tried to implement mDNS support in dnsmasq?
> 
> --
> Vasiliy Tolstov,
> e-mail: v.tolstov at selfip.ru
> jabber: vase at selfip.ru

From what I remember there was some discussion [1] in the past,
but not really any final decision...

[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007753.html

-- 
Tomas Hozza
Software Engineer - EMEA ENG Developer Experience

PGP: 1D9F3C2D
Red Hat Inc.                               http://cz.redhat.com


From v.tolstov at selfip.ru  Thu Jun 19 19:35:42 2014
From: v.tolstov at selfip.ru (Vasiliy Tolstov)
Date: Thu, 19 Jun 2014 23:35:42 +0400
Subject: [Dnsmasq-discuss] mdns support
In-Reply-To: <1347894348.12802599.1403173505765.JavaMail.zimbra@redhat.com>
References: <CACaajQtu7xZZCqDYTpjxxaT8_abwSf+qn0uAKfpjtc0VS_UxsA@mail.gmail.com>
 <1347894348.12802599.1403173505765.JavaMail.zimbra@redhat.com>
Message-ID: <CACaajQuHOknpsR6C0SfDo1KckSRxzZPTWaVM+2+12Wo9DLYDTg@mail.gmail.com>

2014-06-19 14:25 GMT+04:00 Tomas Hozza <thozza at redhat.com>:
> From what I remember there was some discussion [1] in the past,
> but not really any final decision...
>
> [1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007753.html


=(. I'm trying to use avahi, but it sometimes doesn't work; also I can't
publish some addresses (the process hangs). And I think that the nss module
is not needed if a normal DNS server is able to do mDNS requests.
Also avahi hardcodes the request timeout to 5000 msec, and pinging an
xxx.local address that does not have a PTR record hits the 5-second
timeout every time. As I see it, avahi is not maintained (last release
more than a year ago).

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru


From mabra at manfbraun.de  Thu Jun 19 22:32:09 2014
From: mabra at manfbraun.de (mabra at manfbraun.de)
Date: Fri, 20 Jun 2014 00:32:09 +0200
Subject: [Dnsmasq-discuss] Understanding the (g)PXE options
Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAOosgHnoPqdNlUO2DUrQ/DfCgAAAEAAAAGF4TvnlHLBGjoMrJNR0SMIBAAAAAA==@manfbraun.de>

Hello !
 
I am seeing configuration entries like this:
 
dhcp-boot=net:#gpxe,gpxe.pxe
 
and I am asking what the mysterious "net" is in this line.
I have been working for days to get some form of network
boot going, without success ...
 
I am on the way to finding out what all the - more or
less - messy instructions on this earth are trying to tell
me .... bootps, etherboot, PXE, gPXE, iPXE,
Syslinux, PxeLinux ....
 
[ok, frust; the latter was not the question ... ;-) ].
 
Thanks anyway,
 
++mabra
 

From dave.taht at gmail.com  Thu Jun 19 23:12:42 2014
From: dave.taht at gmail.com (Dave Taht)
Date: Thu, 19 Jun 2014 16:12:42 -0700
Subject: [Dnsmasq-discuss] mdns support
In-Reply-To: <CACaajQuHOknpsR6C0SfDo1KckSRxzZPTWaVM+2+12Wo9DLYDTg@mail.gmail.com>
References: <CACaajQtu7xZZCqDYTpjxxaT8_abwSf+qn0uAKfpjtc0VS_UxsA@mail.gmail.com>
 <1347894348.12802599.1403173505765.JavaMail.zimbra@redhat.com>
 <CACaajQuHOknpsR6C0SfDo1KckSRxzZPTWaVM+2+12Wo9DLYDTg@mail.gmail.com>
Message-ID: <CAA93jw50iqo-LzaKYZQ3+rv0mT6Hf=t_xZzA1RyRJVF=Gan12g@mail.gmail.com>

As an outgrowth of the ietf homenet working group, the homewrt folk
are attempting to blend together mdns, an mdns proxy, and improved
address allocation schemes with dnsmasq in openwrt. They could use
some more testers, coders, and help in general. I have long planned to
integrate their work in cerowrt, and ultimately, I hope their work
lands in openwrt and other operating systems.

I would certainly like it if everything hung together tighter than it
does at the moment.

Homewrt folk can be found on #hnet-hackers on irc.

The website is:

http://www.homewrt.org/

and the relevant drafts are on the dnssd and homenet wg pages.

http://tools.ietf.org/wg/homenet/

http://datatracker.ietf.org/wg/dnssd/

I view (in the coming ipv6 era) getting addressing, naming, and
resource discovery right as pretty darn important, and the present
state of things is abominable... this appears to be a start towards
re-integrating mdns with regular dns:

http://tools.ietf.org/html/draft-cheshire-mdnsext-hybrid-02


On Thu, Jun 19, 2014 at 12:35 PM, Vasiliy Tolstov <v.tolstov at selfip.ru> wrote:
> 2014-06-19 14:25 GMT+04:00 Tomas Hozza <thozza at redhat.com>:
>> From what I remember there was some discussion [1] in the past,
>> but not really any final decision...
>>
>> [1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007753.html
>
>
> =(. I'm trying to use avahi, but it sometimes doesn't work; also I can't
> publish some addresses (the process hangs). And I think that the nss module
> is not needed if a normal DNS server is able to do mDNS requests.
> Also avahi hardcodes the request timeout to 5000 msec, and pinging an
> xxx.local address that does not have a PTR record hits the 5-second
> timeout every time. As I see it, avahi is not maintained (last release
> more than a year ago).
>
> --
> Vasiliy Tolstov,
> e-mail: v.tolstov at selfip.ru
> jabber: vase at selfip.ru
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss



-- 
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article


From v.tolstov at selfip.ru  Fri Jun 20 05:31:21 2014
From: v.tolstov at selfip.ru (Vasiliy Tolstov)
Date: Fri, 20 Jun 2014 09:31:21 +0400
Subject: [Dnsmasq-discuss] mdns support
In-Reply-To: <CAA93jw50iqo-LzaKYZQ3+rv0mT6Hf=t_xZzA1RyRJVF=Gan12g@mail.gmail.com>
References: <CACaajQtu7xZZCqDYTpjxxaT8_abwSf+qn0uAKfpjtc0VS_UxsA@mail.gmail.com>
 <1347894348.12802599.1403173505765.JavaMail.zimbra@redhat.com>
 <CACaajQuHOknpsR6C0SfDo1KckSRxzZPTWaVM+2+12Wo9DLYDTg@mail.gmail.com>
 <CAA93jw50iqo-LzaKYZQ3+rv0mT6Hf=t_xZzA1RyRJVF=Gan12g@mail.gmail.com>
Message-ID: <CACaajQu7O0r5M7WekR6do3RpkeqBLMr00LUSjE-keR1wLYGQ-w@mail.gmail.com>

2014-06-20 3:12 GMT+04:00 Dave Taht <dave.taht at gmail.com>:
> As an outgrowth of the ietf homenet working group, the homewrt folk
> are attempting to blend together mdns, an mdns proxy, and improved
> address allocation schemes with dnsmasq in openwrt. They could use
> some more testers, coders, and help in general. I have long planned to
> integrate their work in cerowrt, and ultimately, I hope their work
> lands in openwrt and other operating systems.
>
> I would certainly like it if everything hung together tighter than it
> does at the moment.
>
> Homewrt folk can be found on #hnet-hackers on irc.
>
> The website is:
>
> http://www.homewrt.org/


As I understand it, https://github.com/sbyx/ohybridproxy is a DNS/mDNS
server that acts as DNS and translates all queries via mDNS?

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru


From simon at thekelleys.org.uk  Fri Jun 20 10:13:46 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 20 Jun 2014 11:13:46 +0100
Subject: [Dnsmasq-discuss] Understanding the (g)PXE options
In-Reply-To: <!&!AAAAAAAAAAAYAAAAAAAAAOosgHnoPqdNlUO2DUrQ/DfCgAAAEAAAAGF4TvnlHLBGjoMrJNR0SMIBAAAAAA==@manfbraun.de>
References: <!&!AAAAAAAAAAAYAAAAAAAAAOosgHnoPqdNlUO2DUrQ/DfCgAAAEAAAAGF4TvnlHLBGjoMrJNR0SMIBAAAAAA==@manfbraun.de>
Message-ID: <53A4095A.6030803@thekelleys.org.uk>

On 19/06/14 23:32, mabra at manfbraun.de wrote:
> Hello !
>  
> I am seeing configuration entries like this:
>  
> dhcp-boot=net:#gpxe,gpxe.pxe
>  
> and I am asking what the mysterious "net" is in this line.
> I have been working for days to get some form of network
> boot going, without success ...

This is confusing, because the syntax changed in later releases, so if
you read up-to-date documentation, it's not well covered.

First, we translate to the later syntax, where your example becomes

dhcp-boot=tag:!gpxe,gpxe.pxe

This means: use gpxe.pxe as the boot file only if the tag "gpxe" is NOT
set.

Somewhere else in your configuration, you should have something that sets
tag "gpxe" under certain conditions.

In the later syntax, this will be done by "set:gpxe"; it might be
different in old config files.

Cheers

Simon.

>  
> I am on the way to finding out what all the - more or
> less - messy instructions on this earth are trying to tell
> me .... bootps, etherboot, PXE, gPXE, iPXE,
> Syslinux, PxeLinux ....
>  
> [ok, frust; the latter was not the question ... ;-) ].
>  
> Thanks anyway,
>  
> ++mabra
>  
> 
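
Simon's translation above, worked through as an added example that is not part of the thread or of dnsmasq's own code: a small Python evaluator that rewrites the old "net:#gpxe" condition into the later "tag:!gpxe" form, parses the tag conditions on dhcp-boot lines, and picks the boot file for a client from the set of tags that "set:" directives have already put on it. The sample config lines, the "boot.gpxe" file name and the first-match precedence are assumptions of the example, not behaviour the thread confirms.

```python
"""Evaluate dnsmasq-style tag conditions on dhcp-boot lines.

Added example, not dnsmasq code. It models the tag:/tag:!/set: semantics
from the thread: a dhcp-boot line applies only when every tag condition
holds, and tag:!name means the tag must NOT be set on the client.
"""
from typing import List, Optional, Set, Tuple

PREFIX = "dhcp-boot="

# Constructed sample config: the first line is the old "net:#" syntax from
# the question, the second is an assumed line for clients already running gPXE.
SAMPLE_CONFIG = [
    "dhcp-boot=net:#gpxe,gpxe.pxe",   # clients WITHOUT the gpxe tag get gpxe.pxe
    "dhcp-boot=tag:gpxe,boot.gpxe",   # clients WITH the gpxe tag get boot.gpxe (assumed)
]


def modernize_boot_line(line: str) -> str:
    """Rewrite old 'net:#name' / 'net:name' conditions to 'tag:!name' / 'tag:name'."""
    if not line.startswith(PREFIX):
        return line
    fields = []
    for field in line[len(PREFIX):].split(","):
        if field.startswith("net:"):
            name = field[len("net:"):]
            field = "tag:!" + name[1:] if name.startswith("#") else "tag:" + name
        fields.append(field)
    return PREFIX + ",".join(fields)


def parse_boot_line(line: str) -> Tuple[List[Tuple[str, bool]], str]:
    """Split a (later-syntax) dhcp-boot line into its tag conditions and boot file.

    Each condition is (tag_name, must_be_set). Tag conditions precede the file name;
    anything after the file name (server name, address) is left alone.
    """
    if not line.startswith(PREFIX):
        raise ValueError("not a dhcp-boot line: %r" % line)
    conditions: List[Tuple[str, bool]] = []
    rest: List[str] = []
    for field in line[len(PREFIX):].split(","):
        if field.startswith("tag:") and not rest:
            name = field[len("tag:"):]
            if name.startswith("!"):
                conditions.append((name[1:], False))   # tag must NOT be set
            else:
                conditions.append((name, True))        # tag must be set
        else:
            rest.append(field)
    if not rest or not rest[0]:
        raise ValueError("dhcp-boot line has no boot file: %r" % line)
    return conditions, rest[0]


def select_boot_file(client_tags: Set[str], config_lines: List[str]) -> Optional[str]:
    """Return the boot file of the first dhcp-boot line whose conditions all hold.

    client_tags is the set of tags already applied to the client by set:
    directives elsewhere in the config. First-match precedence is an
    assumption of this example. A line without conditions matches everyone.
    """
    for line in config_lines:
        if not line.startswith(PREFIX):
            continue
        conditions, boot_file = parse_boot_line(modernize_boot_line(line))
        if all((tag in client_tags) == must_be_set for tag, must_be_set in conditions):
            return boot_file
    return None


if __name__ == "__main__":
    for tags in (set(), {"gpxe"}):
        print(sorted(tags) or "(no tags)", "->", select_boot_file(tags, SAMPLE_CONFIG))
```

The second sample line stands in for the piece mabra's snippet leaves out: something carrying "set:gpxe" that tags clients which are already running gPXE, so that the negated line hands the gpxe.pxe loader only to plain PXE ROMs and the tagged line takes over once gPXE itself asks again.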



From jkrauska at gmail.com  Mon Jun 23 17:50:23 2014
From: jkrauska at gmail.com (Joel Krauska)
Date: Mon, 23 Jun 2014 10:50:23 -0700
Subject: [Dnsmasq-discuss] Recursive Internal - NonRecursive External
Message-ID: <CAG0G1B+7mOibwOsL6Dj0_tF_o4JqjYsPVSqpnXvjnE4ySmt7Sw@mail.gmail.com>

I have a DNS server that I would like to configure as recursive for internal
hosts and only respond to queries for locally authoritative zones
externally.

Any hints as to how I might accomplish this?

The DHCP section has the concept of <tag>s to apply different rules to
different blocks, etc.


I feel the simplest technique might be just to run two concurrent dnsmasq
processes bound to different interfaces, but maybe I'm missing something.

Any guidance would be appreciated.

Cheers,

Joel

From davidj at nkcc.org.uk  Tue Jun 24 09:08:42 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Tue, 24 Jun 2014 10:08:42 +0100
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
	address
Message-ID: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>

I have a wireless network split into several vlans, each with its own
subnet, with dnsmasq serving all vlans. The wireless network is a Ubiquiti
Unifi system and the access points all have static IP addresses on the
management vlan. Additionally, the access points each request IP addresses
via DHCP for the other vlans and dnsmasq correctly allocates the IP
addresses for the relevant vlans.

I noticed in dnsmasq's logs recently a bunch of 'lease not found' messages
whenever the access points attempted to renew the leases for these
addresses. The cause seems to be this: an access point's IP addresses are
all used on the same interface on the access point so when it renews these
addresses, the requests all come from the same mac address. Dnsmasq
services these requests but only the last address allocated is stored in
the lease file (I'm assuming the other addresses allocated are briefly
stored but then overwritten by subsequent allocations). So the access
points are happy enough - they have the addresses they need correctly
allocated by dnsmasq - but dnsmasq's lease file only records the last
address allocated. When the access points renew the leases, dnsmasq
generates the 'lease not found' error because there's no record of the
allocation in the lease file.

The error messages themselves are no big deal and the access points do get
the correct addresses. The problem I can foresee is that dnsmasq might
allocate addresses to other clients that it has already allocated to the
access points because it has no record of those allocations in its lease
file.

Is there any way dnsmasq can record more than 1 IP address against a mac
address? Or is there any other way round this problem? The access points
don't give any options for IP configuration apart from the address on the
management vlan; there aren't any configuration options for these DHCP
requested addresses.

Any help would be greatly appreciated.

David

From rath at mglug.de  Tue Jun 24 21:28:15 2014
From: rath at mglug.de (Oliver Rath)
Date: Tue, 24 Jun 2014 23:28:15 +0200
Subject: [Dnsmasq-discuss] restricting to one interface doesnt work
Message-ID: <53A9ED6F.4090904@mglug.de>

Hi list,

I try to restrict the DNS of dnsmasq to one interface (3 existing
interfaces, I hid ppp0), but it seems that it doesn't work.

My config:

server=//141.1.1.1
local=/heimserver/
address=/owncloud/192.168.0.254
dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
dhcp-range=::,constructor:sixxs,ra-names
dhcp-range=::,constructor:p3p1,ra-names
dhcp-option=tag:gw2,128,192.168.2.254
dhcp-option=252,"http://heimserver/wpad.dat"
dhcp-option-force=208,f1:00:74:7e
dhcp-option-force=210,/opt/dmi/tftproot/
dhcp-boot=undionly.kkpxe
enable-tftp
tftp-root=/opt/dmi/tftproot
log-queries
log-dhcp

My ifconfig:

# ifconfig | grep mtu -A1
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
--
p1p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.254  netmask 255.255.255.0  broadcast 192.168.0.255
--
p2p1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.11.254  netmask 255.255.255.0  broadcast 192.168.11.255
--
p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.254  netmask 255.255.255.0  broadcast 192.168.2.255



So only p3p1 is addressed here. But if I look for open ports, port 53
is open on all interfaces:

# nmap 192.168.11.254

Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
Nmap scan report for 192.168.11.254
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
749/tcp  open  kerberos-adm
2000/tcp open  cisco-sccp

Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
heimserver dnsmasq.d # nmap 192.168.2.254

Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
Nmap scan report for 192.168.2.254
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
749/tcp  open  kerberos-adm
2000/tcp open  cisco-sccp

Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds
heimserver dnsmasq.d # nmap 192.168.0.254
 
Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
Nmap scan report for heimserver.koenigsteinstr.muc (192.168.0.254)
Host is up (0.00011s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
749/tcp  open  kerberos-adm
2000/tcp open  cisco-sccp

To be sure that dnsmasq is the only DNS server here, I did this:

# netstat -vanpe | grep :53
netstat: no support for `AF INET (sctp)' on this system.
netstat: no support for `AF INET (sctp)' on this system.
tcp        0      0 0.0.0.0:53              0.0.0.0:*              
LISTEN      0          1701253    12137/dnsmasq      
tcp        0      0 192.168.0.254:5038      192.168.0.1:53788      
VERBUNDEN   101        1666180    27070/asterisk     
tcp6       0      0 :::53                   :::*                   
LISTEN      0          1701256    12137/dnsmasq      
udp        0      0 0.0.0.0:53             
0.0.0.0:*                           0          1701252   
12137/dnsmasq      
udp6       0      0 :::53                  
:::*                                0          1701255   
12137/dnsmasq      
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

So what's wrong here? Does dnsmasq have problems with interfaces named p1p1,
p2p1 etc.?

Tfh!
Oliver




From simon at thekelleys.org.uk  Tue Jun 24 21:30:54 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue, 24 Jun 2014 22:30:54 +0100
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
 address
In-Reply-To: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
Message-ID: <53A9EE0E.3020503@thekelleys.org.uk>

On 24/06/14 10:08, David Joslin wrote:
> I have a wireless network split into several vlans, each with its own
> subnet, with dnsmasq serving all vlans. The wireless network is a Ubiquiti
> Unifi system and the access points all have static IP addresses on the
> management vlan. Additionally, the access points each request IP addresses
> via DHCP for the other vlans and dnsmasq correctly allocates the IP
> addresses for the relevant vlans.
> 
> I noticed in dnsmasq's logs recently a bunch of 'lease not found' messages
> whenever the access points attempted to renew the leases for these
> addresses. The cause seems to be this: an access point's IP addresses are
> all used on the same interface on the access point so when it renews these
> addresses, the requests all come from the same mac address. Dnsmasq
> services these requests but only the last address allocated is stored in
> the lease file (I'm assuming the other addresses allocated are briefly
> stored but then overwritten by subsequent allocations). So the access
> points are happy enough - they have the addresses they need correctly
> allocated by dnsmasq - but dnsmasq's lease file only records the last
> address allocated. When the access points renew the leases, dnsmasq
> generates the 'lease not found' error because there's no record of the
> allocation in the lease file.
> 
> The error messages themselves are no big deal and the access points do get
> the correct addresses. The problem I can foresee is that dnsmasq might
> allocate addresses to other clients that it has already allocated to the
> access points because it has no record of those allocations in its lease
> file.
> 
> Is there any way dnsmasq can record more than 1 IP address against a mac
> address? Or is there any other way round this problem? The access points
> don't give any options for IP configuration apart from the address on the
> management vlan; there aren't any configuration options for these DHCP
> requested addresses.

The obvious way to fix this would be to have the access points supply a
different client-id for each VLAN. Client-ids trump MAC addresses as
unique identifiers for leases. The lack of configuration options would
seem to preclude that, however.

You could at least solve the worry about having access point addresses
re-allocated by giving them static addresses on each VLAN, associated
with the MAC address.

Cheers,


Simon.




> 
> Any help would be greatly appreciated.
> 
> David



From simon at thekelleys.org.uk  Tue Jun 24 21:32:46 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Tue, 24 Jun 2014 22:32:46 +0100
Subject: [Dnsmasq-discuss] Recursive Internal - NonRecursive External
In-Reply-To: <CAG0G1B+7mOibwOsL6Dj0_tF_o4JqjYsPVSqpnXvjnE4ySmt7Sw@mail.gmail.com>
References: <CAG0G1B+7mOibwOsL6Dj0_tF_o4JqjYsPVSqpnXvjnE4ySmt7Sw@mail.gmail.com>
Message-ID: <53A9EE7E.4050109@thekelleys.org.uk>

On 23/06/14 18:50, Joel Krauska wrote:
> I have a DNS server that I would like to configure as recursive for internal
> hosts and only respond to queries for locally authoritative zones
> externally.
> 
> Any hints as to how I might accomplish this?
> 
> The DHCP section has the concept of <tag>s to apply different rules to
> different blocks, etc.
> 
> 
> I feel the simplest technique might be just to run two concurrent dnsmasq
> processes bound to different interfaces, but maybe I'm missing something.
> 
> Any guidance would be appreciated.
> 

Have you looked at the

auth-zone

configuration option and its friends, in recent dnsmasq releases? That
would appear to do exactly what you want.


Cheers,


Simon.




From rath at mglug.de  Tue Jun 24 21:33:01 2014
From: rath at mglug.de (Oliver Rath)
Date: Tue, 24 Jun 2014 23:33:01 +0200
Subject: [Dnsmasq-discuss] addendum
Message-ID: <53A9EE8D.4000207@mglug.de>

I forgot to add:

listen-address=192.168.2.254

But it doesn't work either.

O.



From rath at mglug.de  Tue Jun 24 21:38:02 2014
From: rath at mglug.de (Oliver Rath)
Date: Tue, 24 Jun 2014 23:38:02 +0200
Subject: [Dnsmasq-discuss] addendum 2
Message-ID: <53A9EFBA.3030408@mglug.de>

This is with dnsmasq-2.71, built on a Gentoo system with a VIA C3-2 processor.

Hth,
Oliver



From augustus_meyer at yahoo.de  Tue Jun 24 21:42:40 2014
From: augustus_meyer at yahoo.de (reiner otto)
Date: Tue, 24 Jun 2014 22:42:40 +0100
Subject: [Dnsmasq-discuss] restricting to one interface doesnt work
In-Reply-To: <53A9ED6F.4090904@mglug.de>
References: <53A9ED6F.4090904@mglug.de>
Message-ID: <1403646160.46278.YahooMailNeo@web172704.mail.ir2.yahoo.com>

Had the same problem: dnsmasq also listened on the WAN interface, which I did not want.

So:

# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
listen-address=127.0.0.1
listen-address=192.168.182.1 #eth0
listen-address=192.168.20.1 #eth1
listen-address=192.168.60.1 #eth2
listen-address=192.168.70.1 #tun0


# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
bind-interfaces #<------------------------------------------------------------------------------------------------


Regards :-)



Oliver Rath <rath at mglug.de> wrote at 23:30 on Tuesday, 24 June 2014:
 


Hi list,

I try to restrict the DNS of dnsmasq to one interface (3 existing
interfaces, I hid ppp0), but it seems that it doesn't work.

My config:

server=//141.1.1.1
local=/heimserver/
address=/owncloud/192.168.0.254
dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
dhcp-range=::,constructor:sixxs,ra-names
dhcp-range=::,constructor:p3p1,ra-names
dhcp-option=tag:gw2,128,192.168.2.254
dhcp-option=252,"http://heimserver/wpad.dat"
dhcp-option-force=208,f1:00:74:7e
dhcp-option-force=210,/opt/dmi/tftproot/
dhcp-boot=undionly.kkpxe
enable-tftp
tftp-root=/opt/dmi/tftproot
log-queries
log-dhcp

My ifconfig:

# ifconfig | grep mtu -A1
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
--
p1p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.254  netmask 255.255.255.0  broadcast 192.168.0.255
--
p2p1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.11.254  netmask 255.255.255.0  broadcast 192.168.11.255
--
p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.254  netmask 255.255.255.0  broadcast 192.168.2.255



So only p3p1 is addressed here. But if I look for open ports, port 53
is open on all interfaces:

# nmap 192.168.11.254

Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
Nmap scan report for 192.168.11.254
Host is up (0.00014s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
749/tcp  open  kerberos-adm
2000/tcp open  cisco-sccp

Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
heimserver dnsmasq.d # nmap 192.168.2.254

Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
Nmap scan report for 192.168.2.254
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
749/tcp  open  kerberos-adm
2000/tcp open  cisco-sccp

Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds
heimserver dnsmasq.d # nmap 192.168.0.254

Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
Nmap scan report for heimserver.koenigsteinstr.muc (192.168.0.254)
Host is up (0.00011s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
749/tcp  open  kerberos-adm
2000/tcp open  cisco-sccp

To be sure that dnsmasq is the only DNS server here, I did this:

# netstat -vanpe | grep :53
netstat: no support for `AF INET (sctp)' on this system.
netstat: no support for `AF INET (sctp)' on this system.
tcp        0      0 0.0.0.0:53              0.0.0.0:*              
LISTEN      0          1701253    12137/dnsmasq      
tcp        0      0 192.168.0.254:5038      192.168.0.1:53788      
VERBUNDEN   101        1666180    27070/asterisk     
tcp6       0      0 :::53                   :::*                   
LISTEN      0          1701256    12137/dnsmasq      
udp        0      0 0.0.0.0:53             
0.0.0.0:*                           0          1701252   
12137/dnsmasq      
udp6       0      0 :::53                  
:::*                                0          1701255   
12137/dnsmasq      
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

So what's wrong here? Does dnsmasq have problems with interfaces named p1p1,
p2p1 etc.?

Tfh!
Oliver




From rath at mglug.de  Tue Jun 24 21:47:22 2014
From: rath at mglug.de (Oliver Rath)
Date: Tue, 24 Jun 2014 23:47:22 +0200
Subject: [Dnsmasq-discuss] [solved] Re: restricting to one interface doesnt
	work
In-Reply-To: <53A9ED6F.4090904@mglug.de>
References: <53A9ED6F.4090904@mglug.de>
Message-ID: <53A9F1EA.10305@mglug.de>

Hi list,

writing together the problem sometimes brings enlightenment:

"bind-interfaces" option does the wanted thing.

Thanks for reading!

Oliver


Am 24.06.2014 23:28, schrieb Oliver Rath:
> Hi list,
>
> I try to restrict the DNS of dnsmasq to one interface (3 existing
> interfaces, I hid ppp0), but it seems that it doesn't work.
>
> My config:
>
> server=//141.1.1.1
> local=/heimserver/
> address=/owncloud/192.168.0.254
> dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
> dhcp-range=::,constructor:sixxs,ra-names
> dhcp-range=::,constructor:p3p1,ra-names
> dhcp-option=tag:gw2,128,192.168.2.254
> dhcp-option=252,"http://heimserver/wpad.dat"
> dhcp-option-force=208,f1:00:74:7e
> dhcp-option-force=210,/opt/dmi/tftproot/
> dhcp-boot=undionly.kkpxe
> enable-tftp
> tftp-root=/opt/dmi/tftproot
> log-queries
> log-dhcp
>
> My ifconfig:
>
> # ifconfig | grep mtu -A1
> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>         inet 127.0.0.1  netmask 255.0.0.0
> --
> p1p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.0.254  netmask 255.255.255.0  broadcast 192.168.0.255
> --
> p2p1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         inet 192.168.11.254  netmask 255.255.255.0  broadcast 192.168.11.255
> --
> p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.2.254  netmask 255.255.255.0  broadcast 192.168.2.255
>
>
>
> So only p3p1 is addressed here. But if I look for open ports, port 53
> is open on all interfaces:
>
> # nmap 192.168.11.254
>
> Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
> Nmap scan report for 192.168.11.254
> Host is up (0.00014s latency).
> Not shown: 997 closed ports
> PORT     STATE SERVICE
> 53/tcp   open  domain
> 749/tcp  open  kerberos-adm
> 2000/tcp open  cisco-sccp
>
> Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
> heimserver dnsmasq.d # nmap 192.168.2.254
>
> Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
> Nmap scan report for 192.168.2.254
> Host is up (0.00040s latency).
> Not shown: 997 closed ports
> PORT     STATE SERVICE
> 53/tcp   open  domain
> 749/tcp  open  kerberos-adm
> 2000/tcp open  cisco-sccp
>
> Nmap done: 1 IP address (1 host up) scanned in 1.72 seconds
> heimserver dnsmasq.d # nmap 192.168.0.254
>  
> Starting Nmap 6.25 ( http://nmap.org ) at 2014-06-24 23:16 CEST
> Nmap scan report for heimserver.koenigsteinstr.muc (192.168.0.254)
> Host is up (0.00011s latency).
> Not shown: 997 closed ports
> PORT     STATE SERVICE
> 53/tcp   open  domain
> 749/tcp  open  kerberos-adm
> 2000/tcp open  cisco-sccp
>
> To be sure that dnsmasq is the only DNS server here, I did this:
>
> # netstat -vanpe | grep :53
> netstat: no support for `AF INET (sctp)' on this system.
> netstat: no support for `AF INET (sctp)' on this system.
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          1701253    12137/dnsmasq
> tcp        0      0 192.168.0.254:5038      192.168.0.1:53788       ESTABLISHED 101        1666180    27070/asterisk
> tcp6       0      0 :::53                   :::*                    LISTEN      0          1701256    12137/dnsmasq
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          1701252    12137/dnsmasq
> udp6       0      0 :::53                   :::*                                0          1701255    12137/dnsmasq
> netstat: no support for `AF IPX' on this system.
> netstat: no support for `AF AX25' on this system.
> netstat: no support for `AF X25' on this system.
> netstat: no support for `AF NETROM' on this system.
>
> So whats wrong here? Has dnsmasq problems with interfaces named p1p1,
> p2p1 etc. ?
>
> Tfh!
> Oliver
>
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
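
The nmap and netstat results above are consistent with how dnsmasq binds its sockets: unless bind-interfaces (or bind-dynamic) is set, interface=p3p1 does not change the bind at all. dnsmasq binds the wildcard address on port 53 and discards requests that arrive on interfaces it is not configured to serve. That is why TCP 53 shows as open on every address (the kernel completes the handshake before dnsmasq drops the connection), and why a second instance cannot take port 53 on another address without bind-interfaces. The audit script below is an added example, not code from this thread or from dnsmasq; it reads netstat -anp style output and a dnsmasq.conf fragment (both samples in it are constructed, with the layout of the output posted above) and reports wildcard binds that contradict the interface restriction.

```python
"""Audit dnsmasq listening sockets against its configuration.

Added example (not from the mailing list or the dnsmasq project).  It assumes
`netstat -anp`-style output and a dnsmasq.conf-style text; both samples below
are constructed for the demonstration.
"""

WILDCARD = {"0.0.0.0", "::"}

# Constructed netstat -anp sample (same layout as the post, made-up lines).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      0          1701253    12137/dnsmasq
tcp        0      0 192.168.0.254:5038      192.168.0.1:53788       ESTABLISHED 101        1666180    27070/asterisk
tcp6       0      0 :::53                   :::*                    LISTEN      0          1701256    12137/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           0          1701252    12137/dnsmasq
udp6       0      0 :::53                   :::*                                0          1701255    12137/dnsmasq
"""

# Constructed dnsmasq.conf fragment: interface= set, but no bind-interfaces.
SAMPLE_CONF = """\
interface=p3p1
dhcp-range=192.168.0.100,192.168.0.200,12h
"""


def parse_netstat(text):
    """Return (proto, local_ip, local_port, program) for every socket line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(("tcp", "udp")):
            continue                      # headers, 'no support for AF' noise
        ip, _, port = parts[3].rpartition(":")
        prog = parts[-1].split("/", 1)[-1] if "/" in parts[-1] else ""
        sockets.append((parts[0], ip, int(port), prog))
    return sockets


def parse_conf(text):
    """Return {option: [values]} for a dnsmasq config (comments ignored)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def audit_dnsmasq(netstat_text, conf_text, port=53):
    """Return findings about where dnsmasq really listens on `port`."""
    opts = parse_conf(conf_text)
    wants_restriction = "interface" in opts or "listen-address" in opts
    binds_per_address = "bind-interfaces" in opts or "bind-dynamic" in opts
    findings = []
    for proto, ip, lport, prog in parse_netstat(netstat_text):
        if prog != "dnsmasq" or lport != port or ip not in WILDCARD:
            continue
        if wants_restriction and not binds_per_address:
            findings.append(
                f"{proto} {ip}:{lport}: wildcard bind although interface=/"
                f"listen-address is set; dnsmasq only filters by receiving "
                f"interface. Add bind-interfaces (or bind-dynamic) to bind "
                f"per address.")
        elif not wants_restriction:
            findings.append(
                f"{proto} {ip}:{lport}: dnsmasq serves every interface; "
                f"restrict it with interface= or listen-address=.")
    return findings
```

With the wildcard bind the daemon-level filter still applies to DNS queries, but a port scan cannot tell the difference, and a packet filter on the unwanted interfaces is the only way to make the port actually closed there.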



From jkrauska at gmail.com  Tue Jun 24 22:34:11 2014
From: jkrauska at gmail.com (Joel Krauska)
Date: Tue, 24 Jun 2014 15:34:11 -0700
Subject: [Dnsmasq-discuss] Recursive Internal - NonRecursive External
In-Reply-To: <53A9EE7E.4050109@thekelleys.org.uk>
References: <CAG0G1B+7mOibwOsL6Dj0_tF_o4JqjYsPVSqpnXvjnE4ySmt7Sw@mail.gmail.com>
 <53A9EE7E.4050109@thekelleys.org.uk>
Message-ID: <CAG0G1BJO5uYMhk+zu=nks2C3jXdjdq3rcHtOEjn+STupK32omg@mail.gmail.com>

auth-zone doesn't seem to have a relationship to recursive lookups.

I want to Allow recursive lookups to queries from some source IPs and Deny
recursive lookups to queries from outside.

I'm not quite sure I follow how authority can influence this.
(I don't actually need authoritative responses as-far-as-I-can-tell..)


Cheers,

Joel



On Tue, Jun 24, 2014 at 2:32 PM, Simon Kelley <simon at thekelleys.org.uk>
wrote:

> On 23/06/14 18:50, Joel Krauska wrote:
> > I have a DNSserver that I would like to configure as recursive for
> internal
> > hosts and only respond to queries for locally authoritative zones
> >  externally.
> >
> > Any hints as to how I might accomplish this?
> >
> > The DHCP section has the concept of <tag>s to apply different rules to
> > different blocks, etc.
> >
> >
> > I feel the simplest technique might be just to run two concurrent dnsmasq
> > processes bound to different interfaces, but maybe I'm missing something.
> >
> > Any guidance would be appreciated.
> >
>
> Have you looked at the
>
> auth-zone
>
> configuration option and its friends, in recent dnsmasq releases? That
> would appear to do exactly what you want.
>
>
> Cheers,
>
>
> Simon.
>
>
>

From davidj at nkcc.org.uk  Tue Jun 24 22:50:54 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Tue, 24 Jun 2014 23:50:54 +0100
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
	address
In-Reply-To: <53A9EE0E.3020503@thekelleys.org.uk>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
Message-ID: <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>

Thanks for the reply, Simon.

How would I do that?

I already use the --dhcp-host option to allocate IP addresses by MAC
address for certain clients but these are all machines with just one IP
address on one VLAN. How would I allocate static IP addresses to these
access points when they require a different IP address per VLAN but all
with the same MAC address? Each VLAN is associated with a LAN bridge on the
machine running dnsmasq and I allocate DHCP addresses to the different
VLANs using the tag option in the --dhcp-range statements - for
example: dhcp-range=tag:br3,10.10.70.101,10.10.70.200,255.255.255.0,1440m.
This works fine. But I can't see how to allocate static IP addresses based
on VLAN membership.

Am I missing something obvious?

Cheers

David



On 24 June 2014 22:30, Simon Kelley <simon at thekelleys.org.uk> wrote:

> On 24/06/14 10:08, David Joslin wrote:
> > I have a wireless network split into several vlans, each with its own
> > subnet, with dnsmasq serving all vlans. The wireless network is a Ubiquiti
> > Unifi system and the access points all have static IP addresses on the
> > management vlan. Additionally, the access points each request IP
> addresses
> > via DHCP for the other vlans and dnsmasq correctly allocates the IP
> > addresses for the relevant vlans.
> >
> > I noticed in dnsmasq's logs recently a bunch of 'lease not found'
> messages
> > whenever the access points attempted to renew the leases for these
> > addresses. The cause seems to be this: an access point's IP addresses are
> > all used on the same interface on the access point so when it renews
> these
> > addresses, the requests all come from the same mac address. Dnsmasq
> > services these requests but only the last address allocated is stored in
> > the lease file (I'm assuming the other addresses allocated are briefly
> > stored but then overwritten by subsequent allocations). So the access
> > points are happy enough - they have the addresses they need correctly
> > allocated by dnsmasq - but dnsmasq's lease file only records the last
> > address allocated. When the access points renew the leases, dnsmasq
> > generates the 'lease not found' error because there's no record of the
> > allocation in the lease file.
> >
> > The error messages themselves are no big deal and the access points do
> get
> > the correct addresses. The problem I can foresee is that dnsmasq might
> > allocate addresses to other clients that it has already allocated to the
> > access points because it has no record of those allocations in its lease
> > file.
> >
> > Is there any way dnsmasq can record more than 1 IP address against a mac
> > address? Or is there any other way round this problem? The access points
> > don't give any options for IP configuration apart from the address on the
> > management vlan; there aren't any configuration options for these DHCP
> > requested addresses.
>
> The obvious way to fix this would be to have the access points supply a
> different client-id for each VLAN. Client-ids trump MAC addresses as
> unique identifiers for leases. The lack of configuration options would
> seem to preclude that, however.
>
> You could at least solve the worry about having access point addresses
> re-allocated by giving them static addresses on each VLAN, associated
> with the MAC address.
>
> Cheers,
>
>
> Simon.
>
>
>
>
> >
> > Any help would be greatly appreciated.
> >
> > David
> >
> >
> >

From albert.aribaud at free.fr  Wed Jun 25 05:24:20 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Wed, 25 Jun 2014 07:24:20 +0200
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
 address
In-Reply-To: <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
Message-ID: <20140625072420.7abf7fdf@lilith>

Hi David,

On Tue, 24 Jun 2014 23:50:54 +0100, David Joslin <davidj at nkcc.org.uk>
wrote:

> Thanks for the reply, Simon.
> 
> How would I do that?
> 
> I already use the --dhcp-host option to allocate IP addresses by MAC
> address for certain clients but these are all machines with just one IP
> address on one VLAN. How would I allocate static IP addresses to these
> access points when they require a different IP address per VLAN but all
> with the same MAC address? Each VLAN is associated with a LAN bridge on the
> machine running dnsmasq and I allocate DHCP addresses to the different
> VLANs using the tag option in the --dhcp-range statements - for
> example: dhcp-range=tag:br3,10.10.70.101,10.10.70.200,255.255.255.0,1440m.
> This works fine. But I can't see how to allocate static IP addresses based
> on VLAN membership.
> 
> Am I missing something obvious?

I don't know about missing anything obvious, but can you also show
the dhcp-host options you use for one host? Also, just in case, try
with a tag that does not match the name of an interface (and make sure
that you change it in the VLANs' dhcp-range options as well as in the
hosts' dhcp-host options).

> Cheers
> 
> David

Kind regards,
-- 
Albert.


From davidj at nkcc.org.uk  Thu Jun 26 10:57:25 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Thu, 26 Jun 2014 11:57:25 +0100
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
	address
In-Reply-To: <20140625072420.7abf7fdf@lilith>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
 <20140625072420.7abf7fdf@lilith>
Message-ID: <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>

On 25 June 2014 06:24, Albert ARIBAUD <albert.aribaud at free.fr> wrote:

> Hi David,
>
> On Tue, 24 Jun 2014 23:50:54 +0100, David Joslin <davidj at nkcc.org.uk>
> wrote:
>
> > Thanks for the reply, Simon.
> >
> > How would I do that?
> >
> > I already use the --dhcp-host option to allocate IP addresses by MAC
> > address for certain clients but these are all machines with just one IP
> > address on one VLAN. How would I allocate static IP addresses to these
> > access points when they require a different IP address per VLAN but all
> > with the same MAC address? Each VLAN is associated with a LAN bridge on
> the
> > machine running dnsmasq and I allocate DHCP addresses to the different
> > VLANs using the tag option in the --dhcp-range statements - for
> > example:
> dhcp-range=tag:br3,10.10.70.101,10.10.70.200,255.255.255.0,1440m.
> > This works fine. But I can't see how to allocate static IP addresses
> based
> > on VLAN membership.
> >
> > Am I missing something obvious?
>
> I don't know about missing anything obvious, but i) can you also show
> the dhcp-host options you use for one host? Also, just in case, try
> with a tag that does not match the name of an interface (and make sure
> that you change it in the VLANs' dhcp-range options as well as in the
> hosts' dhcp-host options).
>

Here's the configuration for the DHCP range used on one VLAN (on interface
br1).
  interface=br1
  dhcp-range=tag:br1,10.10.20.101,10.10.20.200,255.255.255.0,1440m
  dhcp-option=tag:br1,3,10.10.20.1

Here's the configuration for a couple of hosts on that VLAN.
  dhcp-host=60:03:08:9D:3D:08,10.10.20.99
  dhcp-host=F0:CB:A1:86:D1:6E,10.10.20.100

What I thought Simon was suggesting was to allocate specific static
addresses to the access points that are outside the ranges that are
allocated to other clients. This would avoid the problem of dnsmasq
allocating addresses to other clients that had already been allocated to
the access points. What I'm missing here is how to reserve several
addresses for a particular access point when all the requests use the same
mac address. The requests will arrive on different interfaces (br0, br1,
br2 etc) but I can't see how to use that in the dhcp-host configuration.
That's why I think I'm missing something!

Thanks for your help.

David

--
> Albert.
>

From albert.aribaud at free.fr  Thu Jun 26 11:45:46 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Thu, 26 Jun 2014 13:45:46 +0200
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
 address
In-Reply-To: <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
 <20140625072420.7abf7fdf@lilith>
 <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
Message-ID: <20140626134546.4efdf570@lilith>

Hello David,

On Thu, 26 Jun 2014 11:57:25 +0100, David Joslin <davidj at nkcc.org.uk>
wrote:

> On 25 June 2014 06:24, Albert ARIBAUD <albert.aribaud at free.fr> wrote:
> 
> > Hi David,
> >
> > On Tue, 24 Jun 2014 23:50:54 +0100, David Joslin <davidj at nkcc.org.uk>
> > wrote:
> >
> > > Thanks for the reply, Simon.
> > >
> > > How would I do that?
> > >
> > > I already use the --dhcp-host option to allocate IP addresses by MAC
> > > address for certain clients but these are all machines with just one IP
> > > address on one VLAN. How would I allocate static IP addresses to these
> > > access points when they require a different IP address per VLAN but all
> > > with the same MAC address? Each VLAN is associated with a LAN bridge on
> > the
> > > machine running dnsmasq and I allocate DHCP addresses to the different
> > > VLANs using the tag option in the --dhcp-range statements - for
> > > example:
> > dhcp-range=tag:br3,10.10.70.101,10.10.70.200,255.255.255.0,1440m.
> > > This works fine. But I can't see how to allocate static IP addresses
> > based
> > > on VLAN membership.
> > >
> > > Am I missing something obvious?
> >
> > I don't know about missing anything obvious, but i) can you also show
> > the dhcp-host options you use for one host? Also, just in case, try
> > with a tag that does not match the name of an interface (and make sure
> > that you change it in the VLANs' dhcp-range options as well as in the
> > hosts' dhcp-host options).
> >
> 
> Here's the configuration for the DHCP range used on one VLAN (on interface
> br1).
>   interface=br1
>   dhcp-range=tag:br1,10.10.20.101,10.10.20.200,255.255.255.0,1440m
>   dhcp-option=tag:br1,3,10.10.20.1
> 
> Here's the configuration for a couple of hosts on that VLAN.
>   dhcp-host=60:03:08:9D:3D:08,10.10.20.99
>   dhcp-host=F0:CB:A1:86:D1:6E,10.10.20.100

You're using 'tag:' in both dhcp-range and dhcp-host; I believe you
should use 'set:' in dhcp-range with a different tag for each vlan, and
'tag:' in dhcp-host.

> What I thought Simon was suggesting was to allocate specific static
> addresses to the access points that are outside the ranges that are
> allocated to other clients. This would avoid the problem of dnsmasq
> allocating addresses to other clients that had already been allocated to
> the access points. What I'm missing here is how to reserve several
> addresses for a particular access point when all the requests use the same
> mac address. The requests will arrive on different interfaces (br0, br1,
> br2 etc) but I can't see how to use that in the dhcp-host configuration.
> That's why I think I'm missing something!
> 
> Thanks for your help.
> 
> David

Kind regards,
-- 
Albert.


From davidj at nkcc.org.uk  Thu Jun 26 13:19:14 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Thu, 26 Jun 2014 14:19:14 +0100
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
	address
In-Reply-To: <20140626134546.4efdf570@lilith>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
 <20140625072420.7abf7fdf@lilith>
 <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
 <20140626134546.4efdf570@lilith>
Message-ID: <CAJ-gf5A3EgxRMCTHK2L=0P3V6veDVub_mp2SQS2xjUZkfLXpEg@mail.gmail.com>

On 26 June 2014 12:45, Albert ARIBAUD <albert.aribaud at free.fr> wrote:

> Hello David,
>
> >
> > Here's the configuration for the DHCP range used on one VLAN (on
> interface
> > br1).
> >   interface=br1
> >   dhcp-range=tag:br1,10.10.20.101,10.10.20.200,255.255.255.0,1440m
> >   dhcp-option=tag:br1,3,10.10.20.1
> >
> > Here's the configuration for a couple of hosts on that VLAN.
> >   dhcp-host=60:03:08:9D:3D:08,10.10.20.99
> >   dhcp-host=F0:CB:A1:86:D1:6E,10.10.20.100
>
> You're using 'tag:' in both dhcp-range and dhcp-host; I believe you
> should use 'set:' in dhcp-range with a different tag for each vlan, and
> 'tag:' in dhcp-host.
>

Thanks Albert.

According to the man page, dnsmasq only allows you to 'set' tags on
dhcp-host lines. It doesn't allow you to match tags like you can on
dhcp-range lines. This is what's confusing me. I know the tag matching
option works when I use it with 'dhcp-range' but it doesn't appear it can
be used with 'dhcp-host'. If it could I think my problem would be solved.

Maybe I'm still missing something!

David


>
> > What I thought Simon was suggesting was to allocate specific static
> > addresses to the access points that are outside the ranges that are
> > allocated to other clients. This would avoid the problem of dnsmasq
> > allocating addresses to other clients that had already been allocated to
> > the access points. What I'm missing here is how to reserve several
> > addresses for a particular access point when all the requests use the
> same
> > mac address. The requests will arrive on different interfaces (br0, br1,
> > br2 etc) but I can't see how to use that in the dhcp-host configuration.
> > That's why I think I'm missing something!
> >
> > Thanks for your help.
> >
> > David
>
> Kind regards,
> --
> Albert.
>

From albert.aribaud at free.fr  Thu Jun 26 16:30:19 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Thu, 26 Jun 2014 18:30:19 +0200
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
 address
In-Reply-To: <CAJ-gf5A3EgxRMCTHK2L=0P3V6veDVub_mp2SQS2xjUZkfLXpEg@mail.gmail.com>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
 <20140625072420.7abf7fdf@lilith>
 <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
 <20140626134546.4efdf570@lilith>
 <CAJ-gf5A3EgxRMCTHK2L=0P3V6veDVub_mp2SQS2xjUZkfLXpEg@mail.gmail.com>
Message-ID: <20140626183019.1800d5a6@lilith>

Hello David,

On Thu, 26 Jun 2014 14:19:14 +0100, David Joslin <davidj at nkcc.org.uk>
wrote:

> On 26 June 2014 12:45, Albert ARIBAUD <albert.aribaud at free.fr> wrote:
> 
> > Hello David,
> >
> > >
> > > Here's the configuration for the DHCP range used on one VLAN (on
> > interface
> > > br1).
> > >   interface=br1
> > >   dhcp-range=tag:br1,10.10.20.101,10.10.20.200,255.255.255.0,1440m
> > >   dhcp-option=tag:br1,3,10.10.20.1
> > >
> > > Here's the configuration for a couple of hosts on that VLAN.
> > >   dhcp-host=60:03:08:9D:3D:08,10.10.20.99
> > >   dhcp-host=F0:CB:A1:86:D1:6E,10.10.20.100
> >
> > You're using 'tag:' in both dhcp-range and dhcp-host; I believe you
> > should use 'set:' in dhcp-range with a different tag for each vlan, and
> > 'tag:' in dhcp-host.
> >
> 
> Thanks Albert.
> 
> According to the man page, dnsmasq only allows you to 'set' tags on
> dhcp-host lines. It doesn't allow you to match tags like you can on
> dhcp-range lines. This is what's confusing me. I know the tag matching
> option works when I use it with 'dhcp-range' but it doesn't appear it can
> be used with 'dhcp-host'. If it could I think my problem would be solved.

Correct, not with 'set', but:

> Maybe I'm still missing something!

Looking at the code, it seems like the interface on which a DHCP request
has arrived is automatically tagged. So I tried this:

dhcp-range=tag:eth0.42,192.168.42.1,192.168.42.10,infinite

(where eth0.42 is VLAN 42 on interface eth0, created with 'vconfig eth0
42', and assigned with address 192.168.42.42)

On a client machine, I created a VLAN42 interface too, then ran
dhclient on it, and it got a lease with address 192.168.42.1.

Is this what you wanted?

> David

Kind regards,
-- 
Albert.


From albert.aribaud at free.fr  Thu Jun 26 16:57:45 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Thu, 26 Jun 2014 18:57:45 +0200
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
 address
In-Reply-To: <20140626183019.1800d5a6@lilith>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
 <20140625072420.7abf7fdf@lilith>
 <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
 <20140626134546.4efdf570@lilith>
 <CAJ-gf5A3EgxRMCTHK2L=0P3V6veDVub_mp2SQS2xjUZkfLXpEg@mail.gmail.com>
 <20140626183019.1800d5a6@lilith>
Message-ID: <20140626185745.65bd9fa8@lilith>

Hello Albert,

On Thu, 26 Jun 2014 18:30:19 +0200, Albert ARIBAUD
<albert.aribaud at free.fr> wrote:

> Hello David,
> 
> On Thu, 26 Jun 2014 14:19:14 +0100, David Joslin <davidj at nkcc.org.uk>
> wrote:
> 
> > On 26 June 2014 12:45, Albert ARIBAUD <albert.aribaud at free.fr> wrote:
> > 
> > > Hello David,
> > >
> > > >
> > > > Here's the configuration for the DHCP range used on one VLAN (on
> > > interface
> > > > br1).
> > > >   interface=br1
> > > >   dhcp-range=tag:br1,10.10.20.101,10.10.20.200,255.255.255.0,1440m
> > > >   dhcp-option=tag:br1,3,10.10.20.1
> > > >
> > > > Here's the configuration for a couple of hosts on that VLAN.
> > > >   dhcp-host=60:03:08:9D:3D:08,10.10.20.99
> > > >   dhcp-host=F0:CB:A1:86:D1:6E,10.10.20.100
> > >
> > > You're using 'tag:' in both dhcp-range and dhcp-host; I believe you
> > > should use 'set:' in dhcp-range with a different tag for each vlan, and
> > > 'tag:' in dhcp-host.
> > >
> > 
> > Thanks Albert.
> > 
> > According to the man page, dnsmasq only allows you to 'set' tags on
> > dhcp-host lines. It doesn't allow you to match tags like you can on
> > dhcp-range lines. This is what's confusing me. I know the tag matching
> > option works when I use it with 'dhcp-range' but it doesn't appear it can
> > be used with 'dhcp-host'. If it could I think my problem would be solved.
> 
> Correct, not with 'set', but:
> 
> > Maybe I'm still missing something!
> 
> Looking at the code, it seems like the interface on which a DHCP request
> has arrived is automatically tagged. So I tried this:
> 
> dhcp-range=tag:eth0.42,192.168.42.1,192.168.42.10,infinite
> 
> (where eth0.42 is VLAN 42 on interface eth0, created with 'vconfig eth0
> 42', and assigned with address 192.168.42.42)
> 
> On a client machine, I created a VLAN42 interface too, then ran
> dhclient on it, and it got a lease with address 192.168.42.1.
>
> Is this what you wanted?

Sorry, I see you're doing this already, and your issue is with
giving the right dhcp-host. My bad.

Kind regards,
-- 
Albert.


From albert.aribaud at free.fr  Thu Jun 26 17:18:26 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Thu, 26 Jun 2014 19:18:26 +0200
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
 address
In-Reply-To: <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
 <20140625072420.7abf7fdf@lilith>
 <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
Message-ID: <20140626191826.294de94e@lilith>

Hello David,

On Thu, 26 Jun 2014 11:57:25 +0100, David Joslin <davidj at nkcc.org.uk>
wrote:

> On 25 June 2014 06:24, Albert ARIBAUD <albert.aribaud at free.fr> wrote:
> 
> > Hi David,
> >
> > On Tue, 24 Jun 2014 23:50:54 +0100, David Joslin <davidj at nkcc.org.uk>
> > wrote:
> >
> > > Thanks for the reply, Simon.
> > >
> > > How would I do that?
> > >
> > > I already use the --dhcp-host option to allocate IP addresses by MAC
> > > address for certain clients but these are all machines with just one IP
> > > address on one VLAN. How would I allocate static IP addresses to these
> > > access points when they require a different IP address per VLAN but all
> > > with the same MAC address? Each VLAN is associated with a LAN bridge on
> > the
> > > machine running dnsmasq and I allocate DHCP addresses to the different
> > > VLANs using the tag option in the --dhcp-range statements - for
> > > example:
> > dhcp-range=tag:br3,10.10.70.101,10.10.70.200,255.255.255.0,1440m.
> > > This works fine. But I can't see how to allocate static IP addresses
> > based
> > > on VLAN membership.
> > >
> > > Am I missing something obvious?
> >
> > I don't know about missing anything obvious, but i) can you also show
> > the dhcp-host options you use for one host? Also, just in case, try
> > with a tag that does not match the name of an interface (and make sure
> > that you change it in the VLANs' dhcp-range options as well as in the
> > hosts' dhcp-host options).
> >
> 
> Here's the configuration for the DHCP range used on one VLAN (on interface
> br1).
>   interface=br1
>   dhcp-range=tag:br1,10.10.20.101,10.10.20.200,255.255.255.0,1440m
>   dhcp-option=tag:br1,3,10.10.20.1
> 
> Here's the configuration for a couple of hosts on that VLAN.
>   dhcp-host=60:03:08:9D:3D:08,10.10.20.99
>   dhcp-host=F0:CB:A1:86:D1:6E,10.10.20.100
> 
> What I thought Simon was suggesting was to allocate specific static
> addresses to the access points that are outside the ranges that are
> allocated to other clients. This would avoid the problem of dnsmasq
> allocating addresses to other clients that had already been allocated to
> the access points. What I'm missing here is how to reserve several
> addresses for a particular access point when all the requests use the same
> mac address. The requests will arrive on different interfaces (br0, br1,
> br2 etc) but I can't see how to use that in the dhcp-host configuration.
> That's why I think I'm missing something!

Ok, pulling back a level or two in the discussion tree since I'd
gone the wrong path, I have now tried the following:

dhcp-range=<start1>,<stop1>...
dhcp-range=tag:<vlan-if>,<start2>,<stop2>...
dhcp-host=<eth-addr>,<ethwlan-addr>,<name1>,<ip-in-range1>
dhcp-host=<eth-addr>,<ethwlan-addr>,<name2>,<ip-in-range2>

I deleted the dnsmasq lease file in /var, ran dnsmasq -d, and from the
host with given eth (or wlan) addr, did a dhclient on the main interface
and on the VLAN-ed one. Each interface got its own IP as specified in
the dhcp-host for the IP range corresponding to the interface, and both
names got registered in DNS with the right IP address.

It appears no tag is needed, and the right dhcp-option is found based
on the subnet where the static IP belongs.

Does this fulfill your requirements?

I did not try with IPv6 and especially with auto-addition of SLAAC
IPv6 addresses to the DNS zone, though.

> Thanks for your help.
> 
> David

Kind regards,
-- 
Albert.
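
Albert's test suggests one dhcp-host line per address works, but the concern David raised earlier (a reserved address handed out dynamically to some other client because the lease file has no record of it) can be checked directly against dnsmasq.leases. The script below is an added example, not from this thread or from dnsmasq; it assumes IPv4 lease lines in dnsmasq's "<expiry> <MAC> <IP> <hostname> <client-id>" layout and dhcp-host= lines whose fields dnsmasq identifies by their format (as in Albert's name-before-address example). The reservations, MACs and lease lines in it are constructed.

```python
"""Check a dnsmasq lease file against dhcp-host reservations.

Added example, not taken from the thread or from dnsmasq itself.  It assumes
IPv4 lease lines in dnsmasq's documented format
  <expiry-epoch> <MAC> <IP> <hostname|*> <client-id|*>
and dhcp-host= lines containing a MAC and an IPv4 address (other fields, such
as a name, may appear in any position).  All sample data is constructed.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed reservations: one access point (one MAC) reserved on two VLAN
# subnets, plus two ordinary hosts.
SAMPLE_CONF = """\
dhcp-host=60:03:08:9D:3D:08,10.10.20.99
dhcp-host=F0:CB:A1:86:D1:6E,10.10.20.100
dhcp-host=00:11:22:aa:bb:01,ap-01-vlan20,10.10.20.105
dhcp-host=00:11:22:aa:bb:01,ap-01-vlan70,10.10.70.105
"""

# Constructed lease file: the AP holds its VLAN 70 address, but its reserved
# VLAN 20 address has been leased to a different MAC.
SAMPLE_LEASES = """\
1403890000 60:03:08:9d:3d:08 10.10.20.99 printer 01:60:03:08:9d:3d:08
1403890100 f0:cb:a1:86:d1:6e 10.10.20.100 laptop *
1403890200 00:11:22:aa:bb:01 10.10.70.105 ap-01-vlan70 *
1403890300 de:ad:be:ef:00:01 10.10.20.105 visitor *
"""


def parse_dhcp_hosts(conf_text):
    """Return {mac: set(ip)} from every dhcp-host= line."""
    reservations = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("dhcp-host="):
            continue
        fields = [f.strip() for f in line[len("dhcp-host="):].split(",")]
        macs = [f.lower() for f in fields if MAC_RE.match(f)]
        ips = [f for f in fields if IPV4_RE.match(f)]
        for mac in macs:
            reservations.setdefault(mac, set()).update(ips)
    return reservations


def parse_leases(text):
    """Return [(expiry, mac, ip, hostname)] for IPv4 lease lines only."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not MAC_RE.match(fields[1]):
            continue   # the 'duid' header and IPv6 lines have other layouts
        leases.append((int(fields[0]), fields[1].lower(), fields[2], fields[3]))
    return leases


def reserved_address_conflicts(leases, reservations):
    """(ip, reserved_for_mac, leased_to_mac) for reservations held by others."""
    owner = {ip: mac for mac, ips in reservations.items() for ip in ips}
    return [(ip, owner[ip], mac)
            for _, mac, ip, _ in leases
            if ip in owner and owner[ip] != mac]


def reservation_status(leases, reservations):
    """{mac: {ip: bool}}: whether the lease file records each reservation."""
    held = {(mac, ip) for _, mac, ip, _ in leases}
    return {mac: {ip: (mac, ip) in held for ip in ips}
            for mac, ips in reservations.items()}
```

Running reserved_address_conflicts() on the real lease file after the access points have renewed is a direct test of the failure David was worried about; an empty result means no reserved address is currently held by a different client.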


From nehaljw.kkd1 at gmail.com  Fri Jun 27 07:27:49 2014
From: nehaljw.kkd1 at gmail.com (Nehal J Wani)
Date: Fri, 27 Jun 2014 12:57:49 +0530
Subject: [Dnsmasq-discuss] old event to dhcp-script on lease expiry
Message-ID: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>

Hi!

I am trying to understand whether an 'old' event is generated or not
when a lease expires. To experiment this, I used
Dnsmasq version 2.72test3-5-gcdb755c
I launch dnsmasq like this:
sudo /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default6.conf
--dhcp-script=/tmp/script.sh

Contents of script:
#!/bin/bash
echo "$@" >> /tmp/out
env >> /tmp/out
echo "--------------------------------------------" >> /tmp/out

Contents of default6.conf:
strict-order
pid-file=/var/run/libvirt/network/default6.pid
except-interface=lo
bind-dynamic
interface=virbr3
dhcp-range=192.168.150.128,192.168.150.254,2m
dhcp-no-override
dhcp-range=2001:db8:ca2:2:1::10,2001:db8:ca2:2:1::ff,2m
dhcp-leasefile=/var/lib/libvirt/dnsmasq/default6.leases
dhcp-lease-max=367
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default6.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default6.addnhosts
enable-ra

When I run 'service network restart' inside my guest machine, I see
that the script is exec'ed with 'old' event. Now, I see that the lease
file /var/lib/libvirt/dnsmasq/default6.leases keeps getting updated
after every 2 minutes, since the lease expires, but the script
/tmp/script.sh doesn't get invoked when the lease gets renewed. Is
this expected? I don't see any 'old' event for the renewed lease.

Regards,
Nehal J Wani


From simon at thekelleys.org.uk  Fri Jun 27 18:02:55 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 27 Jun 2014 19:02:55 +0100
Subject: [Dnsmasq-discuss] old event to dhcp-script on lease expiry
In-Reply-To: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>
References: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>
Message-ID: <53ADB1CF.2060702@thekelleys.org.uk>

On 27/06/14 08:27, Nehal J Wani wrote:
> Hi!
> 
> I am trying to understand whether an 'old' event is generated or not
> when a lease expires. To experiment this, I used
> Dnsmasq version 2.72test3-5-gcdb755c
> I launch dnsmasq like this:
> sudo /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default6.conf
> --dhcp-script=/tmp/script.sh
> 
> Contents of script:
> #!/bin/bash
> echo "$@" >> /tmp/out
> env >> /tmp/out
> echo "--------------------------------------------" >> /tmp/out
> 
> Contents of default6.conf:
> strict-order
> pid-file=/var/run/libvirt/network/default6.pid
> except-interface=lo
> bind-dynamic
> interface=virbr3
> dhcp-range=192.168.150.128,192.168.150.254,2m
> dhcp-no-override
> dhcp-range=2001:db8:ca2:2:1::10,2001:db8:ca2:2:1::ff,2m
> dhcp-leasefile=/var/lib/libvirt/dnsmasq/default6.leases
> dhcp-lease-max=367
> dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default6.hostsfile
> addn-hosts=/var/lib/libvirt/dnsmasq/default6.addnhosts
> enable-ra
> 
> When I run 'service network restart' inside my guest machine, I see
> that the script is exec'ed with 'old' event. Now, I see that the lease
> file /var/lib/libvirt/dnsmasq/default6.leases keeps getting updated
> after every 2 minutes, since the lease expires, but the script
> /tmp/script.sh doesn't get invoked when the lease gets renewed. Is
> this expected? I don't see any 'old' event for the renewed lease.
> 
> Regards,
> Nehal J Wani
> 


An "old" event is not generated when a lease is _renewed_ (ie when the
only thing that changes is the expiration time) unless the option
leasefile-ro is set. Note that setting leasefile-ro has a bunch of other
effects too.

When a lease _expires_ (ie the end time of the lease is reached without
it being renewed) then a a "del" event is generated.

Cheers,

Simon.
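
Simon's distinction between a renewal (no event unless leasefile-ro is set) and an expiry ("del") matters for any script that keeps its own copy of lease state: it has to treat "old" as an upsert (dnsmasq also uses "old" for every live lease re-read at startup), accept a "del" for a lease it has never seen, and not expect the expiry it stored to be refreshed by renewals. The handler below is an added example, not from this thread or from dnsmasq; it uses the argument order and the DNSMASQ_* environment variables described in the dnsmasq man page for IPv4 leases, and the database path, MACs, addresses and the event sequence in it are assumptions for the demonstration.

```python
"""A dnsmasq --dhcp-script handler that keeps its own lease database.

Added example (not from the thread or from dnsmasq).  For IPv4 leases dnsmasq
runs   <script> add|old|del <MAC> <IP> [<hostname>]   and exports lease details
in DNSMASQ_* variables; the ones used here (DNSMASQ_LEASE_EXPIRES, or
DNSMASQ_LEASE_LENGTH on builds without a reliable clock, DNSMASQ_CLIENT_ID,
DNSMASQ_INTERFACE, DNSMASQ_TAGS) are documented in the man page.  DB_PATH is
an assumed location.
"""
import json
import os
import sys
import time
from dataclasses import dataclass, asdict, field

DB_PATH = "/var/lib/misc/dnsmasq-script-db.json"   # assumed location


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str
    expires: int            # epoch seconds; 0 when dnsmasq gave no expiry
    client_id: str = ""
    interface: str = ""
    tags: str = ""


@dataclass
class LeaseStore:
    leases: dict = field(default_factory=dict)   # keyed by IP address
    history: list = field(default_factory=list)  # (action, ip), arrival order

    @classmethod
    def load(cls, path):
        try:
            with open(path) as fh:
                raw = json.load(fh)
        except (OSError, ValueError):
            return cls()                           # first run or unreadable db
        return cls(leases={ip: Lease(**rec) for ip, rec in raw["leases"].items()},
                   history=[tuple(h) for h in raw["history"]])

    def save(self, path):
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump({"leases": {ip: asdict(l) for ip, l in self.leases.items()},
                       "history": self.history}, fh)
        os.replace(tmp, path)   # atomic: a crash never leaves a half-written db


def expiry_from_env(env, now=None):
    """Absolute expiry from the environment, or 0 if dnsmasq exported none."""
    if "DNSMASQ_LEASE_EXPIRES" in env:
        return int(env["DNSMASQ_LEASE_EXPIRES"])
    if "DNSMASQ_LEASE_LENGTH" in env:
        base = int(now if now is not None else time.time())
        return base + int(env["DNSMASQ_LEASE_LENGTH"])
    return 0


def handle_event(argv, env, store, now=None):
    """Apply one invocation (argv without the program name) to the store.

    Returns the affected Lease, or None for actions this handler ignores and
    for a 'del' of a lease it never recorded.  'old' is an upsert: it is what
    dnsmasq sends for leases re-read at startup and, with leasefile-ro, for
    renewals; without leasefile-ro a plain renewal produces no event at all.
    """
    if len(argv) < 3 or argv[0] not in ("add", "old", "del"):
        return None            # tftp/arp actions etc. are not lease changes
    action, mac, ip = argv[0], argv[1].lower(), argv[2]
    hostname = argv[3] if len(argv) > 3 else ""
    store.history.append((action, ip))
    if action == "del":
        return store.leases.pop(ip, None)
    lease = Lease(mac=mac, ip=ip, hostname=hostname,
                  expires=expiry_from_env(env, now),
                  client_id=env.get("DNSMASQ_CLIENT_ID", ""),
                  interface=env.get("DNSMASQ_INTERFACE", ""),
                  tags=env.get("DNSMASQ_TAGS", ""))
    store.leases[ip] = lease
    return lease


def seconds_left(store, ip, now):
    """Seconds remaining on the lease for ip, or None if unknown to the store."""
    lease = store.leases.get(ip)
    return None if lease is None else max(0, lease.expires - int(now))


if __name__ == "__main__" and len(sys.argv) > 1:
    # Under dnsmasq: read, apply, write back.  The hostname is client-supplied
    # and is kept as data only; it is never interpolated into a shell command.
    db = LeaseStore.load(DB_PATH)
    handle_event(sys.argv[1:], os.environ, db)
    db.save(DB_PATH)
```

Two practical notes: the lease script runs as root unless --scriptuser is set, so treat the hostname argument as untrusted input and write state to a directory only root can write (not a fixed name under /tmp); and because a renewal without leasefile-ro produces no event, any "seconds left" the store reports is a lower bound on the real lease, not the value dnsmasq holds.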



From nehaljw.kkd1 at gmail.com  Fri Jun 27 18:40:32 2014
From: nehaljw.kkd1 at gmail.com (Nehal J Wani)
Date: Sat, 28 Jun 2014 00:10:32 +0530
Subject: [Dnsmasq-discuss] old event to dhcp-script on lease expiry
In-Reply-To: <53ADB1CF.2060702@thekelleys.org.uk>
References: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>
 <53ADB1CF.2060702@thekelleys.org.uk>
Message-ID: <CAG6NSr=Kqk-vgG75AjKZ3rn_s6YdxNK3rCmOLtq5foh=6QpVXg@mail.gmail.com>

> An "old" event is not generated when a lease is _renewed_ (ie when the
> only thing that changes is the expiration time) unless the option
> leasefile-ro is set. Note that setting leasefile-ro has a bunch of other
> effects too.
>
> When a lease _expires_ (ie the end time of the lease is reached without
> it being renewed) then a "del" event is generated.

So, if I understand correctly, there is no way to maintain the leases
file database *and* have my own script catch all events? Why does
dnsmasq put such restrictions? It would be cool to have both
concurrently.

Another question, not very much related to dnsmasq, is that when a
machine receives a lease for a particular period, when should it query
the DHCP again for a new lease? Is it bound to do so, by some RFC? Or
is a matter of choice by the developer?

-- 
Nehal J Wani


From albert.aribaud at free.fr  Fri Jun 27 19:23:47 2014
From: albert.aribaud at free.fr (Albert ARIBAUD)
Date: Fri, 27 Jun 2014 21:23:47 +0200
Subject: [Dnsmasq-discuss] old event to dhcp-script on lease expiry
In-Reply-To: <CAG6NSr=Kqk-vgG75AjKZ3rn_s6YdxNK3rCmOLtq5foh=6QpVXg@mail.gmail.com>
References: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>
 <53ADB1CF.2060702@thekelleys.org.uk>
 <CAG6NSr=Kqk-vgG75AjKZ3rn_s6YdxNK3rCmOLtq5foh=6QpVXg@mail.gmail.com>
Message-ID: <20140627212347.5002db35@lilith>

Hi Nehal,

Le Sat, 28 Jun 2014 00:10:32 +0530, Nehal J Wani
<nehaljw.kkd1 at gmail.com> a écrit :

> Another question, not very much related to dnsmasq, is that when a
> machine receives a lease for a particular period, when should it query
> the DHCP again for a new lease? Is it bound to do so, by some RFC? Or
> is a matter of choice by the developer?

As you suspect, this matter (along with many others related to DHCP)
is dealt with by an RFC, namely RFC 2131. See in particular section
4.4.5, "Reacquisition and expiration".

<http://www.ietf.org/rfc/rfc2131.txt>

Amicalement,
-- 
Albert.


From simon at thekelleys.org.uk  Fri Jun 27 19:28:00 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 27 Jun 2014 20:28:00 +0100
Subject: [Dnsmasq-discuss] old event to dhcp-script on lease expiry
In-Reply-To: <CAG6NSr=Kqk-vgG75AjKZ3rn_s6YdxNK3rCmOLtq5foh=6QpVXg@mail.gmail.com>
References: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>	<53ADB1CF.2060702@thekelleys.org.uk>
 <CAG6NSr=Kqk-vgG75AjKZ3rn_s6YdxNK3rCmOLtq5foh=6QpVXg@mail.gmail.com>
Message-ID: <53ADC5C0.4020000@thekelleys.org.uk>

On 27/06/14 19:40, Nehal J Wani wrote:
>> An "old" event is not generated when a lease is _renewed_ (ie when the
>> only thing that changes is the expiration time) unless the option
>> leasefile-ro is set. Note that setting leasefile-ro has a bunch of other
>> effects too.
>>
>> When a lease _expires_ (ie the end time of the lease is reached without
>> it being renewed) then a "del" event is generated.
> 
> So, if I understand correctly, there is no way to maintain the leases
> file database *and* have my own script catch all events? Why does
> dnsmasq put such restrictions? 

That's correct. The reason for the behaviour is mainly historical. At
first, the script received just the events needed to log the existence
of leases. Later, the ability to use the script to maintain the lease
database was added, and for that, changes to the expiration time had to
be noted. The old behaviour (when leasefile-ro is not set) stayed for
backwards compatibility.

> It would be cool to have both
> concurrently.

As a pragmatic approach, the patch to get the behaviour you want is very
small.


> 
> Another question, not very much related to dnsmasq, is that when a
> machine receives a lease for a particular period, when should it query
> the DHCP again for a new lease? Is it bound to do so, by some RFC? Or
> is a matter of choice by the developer?

The server can include the information in the lease. There are three
options which it can include. The length of the lease is mandatory, and
there are two options called T1 and T2. T1 is the time after which the
client should renew the lease by doing unicast to the server which gave
it the lease. T2 is the time after which the client should try
broadcasting if it fails to renew the lease, to give the other half of a
failover pair a chance to reply. T1 defaults to half of the lease time,
and T2 to 7/8ths of the leasetime. In practice it's very rare to use
other values for these. Dnsmasq always sends T1 as half lease time and T2
as 7/8th the lease time. It doesn't allow them to be configured
differently. The RFC that details this is RFC 2131.


Cheers,

Simon.


> 



From davidj at nkcc.org.uk  Fri Jun 27 19:35:09 2014
From: davidj at nkcc.org.uk (David Joslin)
Date: Fri, 27 Jun 2014 20:35:09 +0100
Subject: [Dnsmasq-discuss] VLANs and multiple IP addresses for one mac
	address
In-Reply-To: <20140626191826.294de94e@lilith>
References: <CAJ-gf5A=oth611HuTKq4nq9XTCvtxi_Xb+LX1ffLpoetO1oq8Q@mail.gmail.com>
 <53A9EE0E.3020503@thekelleys.org.uk>
 <CAJ-gf5Dcrgs5ivUMws86SmEBXuOH8KOB6PKnqRSm-Dn-mWv0Tg@mail.gmail.com>
 <20140625072420.7abf7fdf@lilith>
 <CAJ-gf5CSGgdkZP9Fu45t5BbMD+ePX1ChcuqXeQU=cohFvGN8Qg@mail.gmail.com>
 <20140626191826.294de94e@lilith>
Message-ID: <CAJ-gf5CND4qTr-LGk_=x+rV7bZAqg2CO2zOrQBJN+NeAdxONUQ@mail.gmail.com>

>
> Ok, pulling back a level or two in the discussion tree since I'd
> gone the wrong path, I have now tried the following:
>
> dhcp-range=<start1>,<stop1>...
> dhcp-range=tag:<vlan-if>,<start2>,<stop2>...
> dhcp-host=<eth-addr>,<ethwlan-addr>,<name1>,<ip-in-range1>
> dhcp-host=<eth-addr>,<ethwlan-addr>,<name2>,<ip-in-range2>
>
> I deleted the dnsmasq lease file in /var, ran dnsmasq -d, and from the
> host with given eth (or wlan) addr, did a dhclient on the main interface
> and on the VLAN-ed one. Each interface got its own IP as specified in
> the dhcp-host for the IP range corresponding to the interface, and both
> names got registered in DNS with the right IP address.
>
> It appears no tag is needed, and the right dhcp-option is found based
> on the subnet where the static IP belongs.
>
> Does this fulfill your requirements?
>
> I did not try with IPv6 and especially with auto-addition of SLAAC
> IPv6 addresses to the DNS zone, though.
>

Bonjour Albert.

Well what do you know! It works! I had assumed that some sort of tag
matching was needed to get the right address for the right VLAN/interface.
But I followed what you suggested and included multiple dhcp-host lines,
all with the same mac address, but with different IPs from the different
subnets and the right addresses got allocated. It must be a bit of dhcp
magic in Simon's code!

Thanks for all your help.

David


>
> > Thanks for your help.
> >
> > David
>
> Amicalement,
> --
> Albert.
>

From nehaljw.kkd1 at gmail.com  Fri Jun 27 20:43:52 2014
From: nehaljw.kkd1 at gmail.com (Nehal J Wani)
Date: Sat, 28 Jun 2014 02:13:52 +0530
Subject: [Dnsmasq-discuss] old event to dhcp-script on lease expiry
In-Reply-To: <53ADC5C0.4020000@thekelleys.org.uk>
References: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>
 <53ADB1CF.2060702@thekelleys.org.uk>
 <CAG6NSr=Kqk-vgG75AjKZ3rn_s6YdxNK3rCmOLtq5foh=6QpVXg@mail.gmail.com>
 <53ADC5C0.4020000@thekelleys.org.uk>
Message-ID: <CAG6NSr=qfyE5A8n29bZ6xwhFT-yZwAQWHQzJa6Mnmxcabf+7Pw@mail.gmail.com>

On Sat, Jun 28, 2014 at 12:58 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 27/06/14 19:40, Nehal J Wani wrote:
>>> An "old" event is not generated when a lease is _renewed_ (ie when the
>>> only thing that changes is the expiration time) unless the option
>>> leasefile-ro is set. Note that setting leasefile-ro has a bunch of other
>>> effects too.
>>>
>>> When a lease _expires_ (ie the end time of the lease is reached without
>>> it being renewed) then a "del" event is generated.
>>
>> So, if I understand correctly, there is no way to maintain the leases
>> file database *and* have my own script catch all events? Why does
>> dnsmasq put such restrictions?
>
> That's correct. The reason for the behaviour is mainly historical. At
> first, the script received just the events needed to log the existence
> of leases. Later, the ability to use the script to maintain the lease
> database was added, and for that, changes to the expiration time had to
> be noted. The old behaviour (when leasefile-ro is not set) stayed for
> backwards compatibility.
>
>> It would be cool to have both
>> concurrently.
>
> As a pragmatic approach, the patch to get the behaviour you want is very
> small.
>

Recently, an API for querying leases info guest machines was pushed in
libvirt and will most likely be available in 1.2.6. Since this library
is used by many people around the world, and we have our custom lease
file helper, which maintains a separate database for leases in JSON
format, if we just enable leasefile-ro, then we will lose the lease
file generated by dnsmasq, and we don't want that. Hence, sending a
patch is fine by me, but will you be willing to have this option
available in dnsmasq?

>>
>> Another question, not very much related to dnsmasq, is that when a
>> machine receives a lease for a particular period, when should it query
>> the DHCP again for a new lease? Is it bound to do so, by some RFC? Or
>> is a matter of choice by the developer?
>
> The server can include the information in the lease. There are three
> options which it can include. The length of the lease is mandatory, and
> there are two options called T1 and T2. T1 is the time after which the
> client should renew the lease by doing unicast to the server which gave
> it the lease. T2 is the time after which the client should try
> broadcasting if it fails to renew the lease, to give the other half of a
> failover pair a chance to reply. T1 defaults to half of the lease time,
> and T2 to 7/8ths of the leasetime. In practice it's very rare to use
> other values for these. Dnsmasq always sends T1 as half lease time and T2
> as 7/8th the lease time. It doesn't allow them to be configured
> differently. The RFC that details this is RFC 2131.
>

Thanks for all this info.
Query1: If the lease time is, say, 10 minutes, then T1 will be 5
minutes. Then according to the RFC, the machine should ask for a
renewal of the lease from the DHCP server using the unicast method? In
this case, no event will be generated? But you said that, "The old
behaviour (when leasefile-ro is not set) stayed for backwards
compatibility."
Query2: What does dnsmasq do if the machine sends no request for
renewal at all? Will it just delete the lease?


From simon at thekelleys.org.uk  Fri Jun 27 21:23:52 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Fri, 27 Jun 2014 22:23:52 +0100
Subject: [Dnsmasq-discuss] old event to dhcp-script on lease expiry
In-Reply-To: <CAG6NSr=qfyE5A8n29bZ6xwhFT-yZwAQWHQzJa6Mnmxcabf+7Pw@mail.gmail.com>
References: <CAG6NSrnp1MeSBz6_DqWxKn_BRxHzu2TYTM+EHc4CwongYtuJTw@mail.gmail.com>	<53ADB1CF.2060702@thekelleys.org.uk>	<CAG6NSr=Kqk-vgG75AjKZ3rn_s6YdxNK3rCmOLtq5foh=6QpVXg@mail.gmail.com>	<53ADC5C0.4020000@thekelleys.org.uk>
 <CAG6NSr=qfyE5A8n29bZ6xwhFT-yZwAQWHQzJa6Mnmxcabf+7Pw@mail.gmail.com>
Message-ID: <53ADE0E8.4010008@thekelleys.org.uk>

On 27/06/14 21:43, Nehal J Wani wrote:
> On Sat, Jun 28, 2014 at 12:58 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> On 27/06/14 19:40, Nehal J Wani wrote:
>>>> An "old" event is not generated when a lease is _renewed_ (ie when the
>>>> only thing that changes is the expiration time) unless the option
>>>> leasefile-ro is set. Note that setting leasefile-ro has a bunch of other
>>>> effects too.
>>>>
>>>> When a lease _expires_ (ie the end time of the lease is reached without
>>>> it being renewed) then a "del" event is generated.
>>>
>>> So, if I understand correctly, there is no way to maintain the leases
>>> file database *and* have my own script catch all events? Why does
>>> dnsmasq put such restrictions?
>>
>> That's correct. The reason for the behaviour is mainly historical. At
>> first, the script received just the events needed to log the existence
>> of leases. Later, the ability to use the script to maintain the lease
>> database was added, and for that, changes to the expiration time had to
>> be noted. The old behaviour (when leasefile-ro is not set) stayed for
>> backwards compatibility.
>>
>>> It would be cool to have both
>>> concurrently.
>>
>> As a pragmatic approach, the patch to get the behaviour you want is very
>> small.
>>
> 
> Recently, an API for querying leases info guest machines was pushed in
> libvirt and will most likely be available in 1.2.6. Since this library
> is used by many people around the world, and we have our custom lease
> file helper, which maintains a separate database for leases in JSON
> format, if we just enable leasefile-ro, then we will lose the lease
> file generated by dnsmasq, and we don't want that. Hence, sending a
> patch is fine by me, but will you be willing to have this option
> available in dnsmasq?

Yes. For that application, you clearly don't want a third-party patch.
At very least I'd be willing to add a boolean option to dnsmasq which
enables "old" events when the lease expiry time changes, independent of
leasefile-ro.

> 
>>>
>>> Another question, not very much related to dnsmasq, is that when a
>>> machine receives a lease for a particular period, when should it query
>>> the DHCP again for a new lease? Is it bound to do so, by some RFC? Or
>>> is a matter of choice by the developer?
>>
>> The server can include the information in the lease. There are three
>> options which it can include. The length of the lease is mandatory, and
>> there are two options called T1 and T2. T1 is the time after which the
>> client should renew the lease by doing unicast to the server which gave
>> it the lease. T2 is the time after which the client should try
>> broadcasting if it fails to renew the lease, to give the other half of a
>> failover pair a chance to reply. T1 defaults to half of the lease time,
>> and T2 to 7/8ths of the leasetime. In practice it's very rare to use
>> other values for these. Dnsmasq always sends T1 as half lease time and T2
>> as 7/8th the lease time. It doesn't allow them to be configured
>> differently. The RFC that details this is RFC 2131.
>>
> 
> Thanks for all this info.
> Query1: If the lease time is, say, 10 minutes, then T1 will be 5
> minutes. Then according to the RFC, the machine should ask for a
> renewal of the lease from the DHCP server using the unicast method? In
> this case, no event will be generated?

The primary key of the lease database is the IP address. Everything else
about a lease can change as long as the IP address remains. Think of an
"old" event as saying "The lease for this IP address has changed in some
way". The change could be to the associated hostname, or client-ID or
MAC address. "old" events are generated for all existing leases when
dnsmasq starts, just to synchronise things. Or it could be that new
information about the lease has become available.* When leasefile-ro is
set then the expiry time of the lease is included in this. When the
expiry time changes because the client renewed the lease, then the "old"
method gets called. Without leasefile-ro, changes _just_ to the
expiry time don't count as changes to the lease.

* There are lots of things supplied to the script that aren't stored in
the lease database, for instance vendor-class and user-class, and relay
options such as circuit-id. When dnsmasq starts, these aren't known, so
the "old" method is invoked without them. Once the client makes a DHCP
transaction, they become known and the "old" method could be invoked
again with the extra information.

>  But you said that, "The old
> behaviour (when leasefile-ro is not set) stayed for backwards
> compatibility."

> Query2: What does dnsmasq do if the machine sends no request for
> renewal at all? Will it just delete the lease?

Once the lease reaches its expiry time, it will be deleted, and a "del"
event sent to the script.

Cheers,

Simon.

> 



From nehaljw.kkd1 at gmail.com  Mon Jun 30 09:39:03 2014
From: nehaljw.kkd1 at gmail.com (Nehal J Wani)
Date: Mon, 30 Jun 2014 15:09:03 +0530
Subject: [Dnsmasq-discuss] Query regarding --leasefile-ro
Message-ID: <CAG6NSrms3cELonkF7kkzJk=uG1DW7mXAojmZ=1vCViYBWiiMAA@mail.gmail.com>

Hi!

The man page of dnsmasq (under the section "-9, --leasefile-ro"), states:
When called like this the script should write the saved state of the
lease database, in dnsmasq leasefile format, to stdout and exit with
zero exit code.

Q1. What is the purpose of printing to stdout? I guess it is for
dnsmasq to know the information of previous leases, but I am not sure.
Q2. What all information do I need to print in 'dnsmasq leasefile
format' ? What is the exact format? Is there an example for this (like
the example file macscript)?
Q3. Apart from the leases, dnsmasq also prints some extra information
like "duid 00:01:00:01:1b:40:8d:94:00:25:64:8b:e4:2c" in the lease
file. Is this also mandatory to print to stdout in case I use
leasefile-ro ?

Thanking You,
Nehal J Wani


From simon at thekelleys.org.uk  Mon Jun 30 18:57:52 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 30 Jun 2014 19:57:52 +0100
Subject: [Dnsmasq-discuss] Query regarding --leasefile-ro
In-Reply-To: <CAG6NSrms3cELonkF7kkzJk=uG1DW7mXAojmZ=1vCViYBWiiMAA@mail.gmail.com>
References: <CAG6NSrms3cELonkF7kkzJk=uG1DW7mXAojmZ=1vCViYBWiiMAA@mail.gmail.com>
Message-ID: <53B1B330.2000201@thekelleys.org.uk>

On 30/06/14 10:39, Nehal J Wani wrote:
> Hi!
> 
> The man page of dnsmasq (under the section "-9, --leasefile-ro"), states:
> When called like this the script should write the saved state of the
> lease database, in dnsmasq leasefile format, to stdout and exit with
> zero exit code.
> 
> Q1. What is the purpose of printing to stdout? I guess it is for
> dnsmasq to know the information of previous leases, but I am not sure.


Exactly that. Dnsmasq keeps a working copy of the lease database in
memory, and it calls the lease script whenever this changes so that the
lease-script can maintain the external copy in whatever non-volatile
storage it wants (a database, disk file, NVRAM, etc). When dnsmasq first
starts it has to copy the state of the lease database from the
non-volatile storage to the in-memory copy. It does this by running the
lease-script with the "init" method and the lease-script should dump the
contents of the database. The reason the format is exactly the same as
the lease-file and to stdout is that the whole thing can be done simply
by replacing 'fopen(leasefile)' with 'popen(lease-script, "init")', the
rest of the code is unchanged.

> Q2. What all information do I need to print in 'dnsmasq leasefile
> format' ? What is the exact format? Is there an example for this (like
> the example file macscript)?

The file starts with IPv4 leases, one per line. There are five fields on
each line, separated by spaces.

Expiry time - decimal number, seconds since start of epoch

MAC address - a hex "ARP type", followed by '-' followed by zero to 16
hex bytes, separated by ':'. If the ARP type is 1, for ethernet (this is
most common) then the ARP type is skipped, UNLESS the MAC address is
zero length. So

99-00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
01-
00:11:22:33:44:55

are valid strings.

IP address in dotted-quad format.

Hostname, as specified in RFC 1123, para 2.1, or '*' if no hostname known.

Client-id, up to 255 hex bytes separated by ':', or * if no client-id
known.


Next, if DHCPv6 is in use there may be a single line

duid 00:11:22:33

which records the DUID used by the server. Max length of a duid is not
specified in the standards, I think. dnsmasq limits it to 85 bytes. The
longest defined DUID format is currently about 28 bytes, I think.

If the duid line exists, then it will be followed by the DHCPv6 leases,
one per line, five fields as for IPv4. The fields are different.

Expiry time - same definition as for IPv4.

IP address - in standard hex-and-colons format

IAID - unsigned 32-bit decimal number, possibly preceded by "T" for a
temporary lease.

Hostname - same as IPv4

Client DUID - same representation as IPv4 client-ID.


> Q3. Apart from the leases, dnsmasq also prints some extra information
> like "duid 00:01:00:01:1b:40:8d:94:00:25:64:8b:e4:2c" in the lease
> file. Is this also mandatory to print to stdout in case I use
> leasefile-ro ?

If you don't want to support DHCPv6, then you don't need the duid and
the DHCPv6 lease format. It would be a pity not to support DHCPv6 though.



Cheers,

Simon.

> 
> Thanking You,

Happy to help with any of this.


> Nehal J Wani
> 
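The lease-file format Simon lays out above, as a parser. This is an added example written for this page, not dnsmasq's own code. The sample file it parses is constructed; the limits it enforces (RFC 1123 labels for hostnames, at most 16 MAC bytes, 255 client-id or DUID bytes, 85 server-DUID bytes) are the ones given in the message, and the duplicate-IP check follows the point made earlier in the thread that the IP address is the lease's primary key.

```python
"""Parser for the dnsmasq lease-file format described above.

Added example, not dnsmasq's own code. It applies the rules from the message:
IPv4 leases first (five fields), an optional "duid" line, then DHCPv6 leases
(five fields), with the MAC, hostname, client-id and DUID encodings as stated.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input; not a real lease file.
SAMPLE_LEASEFILE = """\
1404160000 52:54:00:11:56:b3 192.168.150.208 Wani-PC 01:52:54:00:11:56:b3
1404160060 01- 192.168.150.209 * *
1404160120 06-00:11:22:33:44:55:66:77 192.168.150.210 ppp-host *
duid 00:01:00:01:1b:40:8d:94:00:25:64:8b:e4:2c
1404160180 2001:db8:ca2:2:1::95 1221229 Fedora20 00:04:1a:c1:d9:6b:5a:0a:e2:bc:f8:4b:1e:37:2e:38:22:55
1404160240 2001:db8:ca2:2:1::96 T7 * 00:03:00:01:52:54:00:12:a2:6d
"""

_HEX_BYTES = r"(?:[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)?"       # "", "aa", "aa:bb", ...
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"      # RFC 1123 section 2.1
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


@dataclass
class Lease:
    family: int                  # 4 or 6
    expires: int                 # seconds since the epoch
    ip: str
    hostname: Optional[str]      # None when recorded as "*"
    client_id: Optional[bytes]   # IPv4 client-id or IPv6 client DUID
    arp_type: int = 1            # IPv4 only; 1 = Ethernet
    mac: bytes = b""             # IPv4 only; may be empty
    iaid: int = 0                # IPv6 only
    temporary: bool = False      # IPv6 only: "T" prefix on the IAID


@dataclass
class LeaseDB:
    v4: List[Lease]
    server_duid: Optional[bytes]
    v6: List[Lease]


def _hexbytes(field: str, limit: int) -> bytes:
    """Colon-separated hex bytes, bounded by the limits given in the message."""
    if not re.fullmatch(_HEX_BYTES, field):
        raise ValueError(f"bad hex string {field!r}")
    data = bytes.fromhex(field.replace(":", ""))
    if len(data) > limit:
        raise ValueError(f"{len(data)} bytes exceeds the limit of {limit}")
    return data


def parse_mac(field: str) -> Tuple[int, bytes]:
    """'99-aa:bb..' -> (0x99, bytes); '01-' -> (1, b''); 'aa:bb:..' -> (1, bytes)."""
    if "-" in field:
        arp, _, hexpart = field.partition("-")
        if not re.fullmatch(r"[0-9a-fA-F]{1,2}", arp):
            raise ValueError(f"bad ARP type in {field!r}")
        return int(arp, 16), _hexbytes(hexpart, 16)
    mac = _hexbytes(field, 16)
    if not mac:
        raise ValueError("an empty Ethernet MAC must be written as '01-'")
    return 1, mac


def _parse_line(f: List[str], v6: bool) -> Lease:
    if len(f) != 5:
        raise ValueError(f"expected 5 fields, got {len(f)}")
    if not f[0].isdigit():
        raise ValueError(f"bad expiry time {f[0]!r}")
    host = None if f[3] == "*" else f[3]
    if host is not None and not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"hostname {host!r} is not RFC 1123 clean")
    cid = None if f[4] == "*" else _hexbytes(f[4], 255)
    if v6:
        temporary = f[2].startswith("T")
        digits = f[2][1:] if temporary else f[2]
        if not digits.isdigit() or int(digits) > 0xFFFFFFFF:
            raise ValueError(f"bad IAID {f[2]!r}")
        return Lease(6, int(f[0]), str(ipaddress.IPv6Address(f[1])), host, cid,
                     iaid=int(digits), temporary=temporary)
    arp_type, mac = parse_mac(f[1])
    return Lease(4, int(f[0]), str(ipaddress.IPv4Address(f[2])), host, cid,
                 arp_type=arp_type, mac=mac)


def parse_leasefile(text: str) -> LeaseDB:
    """Parse a whole file. The IP address is the primary key, so duplicates are rejected."""
    db = LeaseDB(v4=[], server_duid=None, v6=[])
    seen_ips = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue
        try:
            if fields[0] == "duid":
                if db.server_duid is not None or len(fields) != 2:
                    raise ValueError("unexpected duid line")
                db.server_duid = _hexbytes(fields[1], 85)
                continue
            lease = _parse_line(fields, v6=db.server_duid is not None)
            if lease.ip in seen_ips:
                raise ValueError(f"duplicate lease for {lease.ip}")
            seen_ips.add(lease.ip)
            (db.v6 if lease.family == 6 else db.v4).append(lease)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return db
```

A lease-script that answers "init" has to emit exactly this shape on stdout, and dnsmasq reads it with the same code path as the lease file; running a script's "init" output through a parser like this before pointing dnsmasq at it is a cheap way to catch a malformed line (a bad hostname, a DHCPv6 line before the duid line, a duplicated IP) ahead of a restart.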



From nehaljw.kkd1 at gmail.com  Mon Jun 30 19:46:14 2014
From: nehaljw.kkd1 at gmail.com (Nehal J Wani)
Date: Tue, 1 Jul 2014 01:16:14 +0530
Subject: [Dnsmasq-discuss] Query regarding --leasefile-ro
In-Reply-To: <53B1B330.2000201@thekelleys.org.uk>
References: <CAG6NSrms3cELonkF7kkzJk=uG1DW7mXAojmZ=1vCViYBWiiMAA@mail.gmail.com>
 <53B1B330.2000201@thekelleys.org.uk>
Message-ID: <CAG6NSr=LyUBSKDNxTBLUfjMB=7MdKofw4Gk6J5RRQHshcgUupg@mail.gmail.com>

On Tue, Jul 1, 2014 at 12:27 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 30/06/14 10:39, Nehal J Wani wrote:
>> Hi!
>>
>> The man page of dnsmasq (under the section "-9, --leasefile-ro"), states:
>> When called like this the script should write the saved state of the
>> lease database, in dnsmasq leasefile format, to stdout and exit with
>> zero exit code.
>>
>> Q1. What is the purpose of printing to stdout? I guess it is for
>> dnsmasq to know the information of previous leases, but I am not sure.
>
>
> Exactly that. Dnsmasq keeps a working copy of the lease database in
> memory, and it calls the lease script whenever this changes so that the
> lease-script can maintain the external copy in whatever non-volatile
> storage it wants (a database, disk file, NVRAM, etc). When dnsmasq first
> starts it has to copy the state of the lease database from the
> non-volatile storage to the in-memory copy. It does this by running the
> lease-script with the "init" method and the lease-script should dump the
> contents of the database. The reason the format is exactly the same as
> the lease-file and to stdout is that the whole thing can be done simply
> by replacing 'fopen(leasefile)' with 'popen(lease-script, "init")', the
> rest of the code is unchanged.
>
>> Q2. What all information do I need to print in 'dnsmasq leasefile
>> format' ? What is the exact format? Is there an example for this (like
>> the example file macscript)?
>
> The file starts with IPv4 leases, one per line. There are five fields on
> each line, separated by spaces.
>
> Expiry time - decimal number, seconds since start of epoch
>
> MAC address - a hex "ARP type", followed by '-' followed by zero to 16
> hex bytes, separated by ':'. If the ARP type is 1, for ethernet (this is
> most common) then the ARP type is skipped, UNLESS the MAC address is
> zero length. So
>
> 99-00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
> 01-
> 00:11:22:33:44:55
>
> are valid strings.
>
> IP address in dotted-quad format.
>
> Hostname, as specified in RFC 1123, para 2.1, or '*' if no hostname known.
>
> Client-id, up to 255 hex bytes separated by ':', or * if no client-id
> known.
>
>
> Next, if DHCPv6 is in use there may be a single line
>
> duid 00:11:22:33
>
> which records the DUID used by the server. Max length of a duid is not
> specified in the standards, I think. dnsmasq limits it to 85 bytes. The
> longest defined DUID format is currently about 28 bytes, I think.
>
> If the duid line exists, then it will be followed by the DHCPv6 leases,
> one per line, five fields as for IPv4. The fields are different.
>
> Expiry time - same definition as for IPv4.
>
> IP address - in standard hex-and-colons format
>
> IAID - unsigned 32-bit decimal number, possibly preceded by "T" for a
> temporary lease.
>
> Hostname - same as IPv4
>
> Client DUID - same representation as IPv4 client-ID.
>
>
>> Q3. Apart from the leases, dnsmasq also prints some extra information
>> like "duid 00:01:00:01:1b:40:8d:94:00:25:64:8b:e4:2c" in the lease
>> file. Is this also mandatory to print to stdout in case I use
>> leasefile-ro ?
>
> If you don't want to support DHCPv6, then you don't need the duid and
> the DHCPv6 lease format. It would be a pity not to support DHCPv6 though.
>

That explains almost everything.
Yes, libvirt wants to support DHCPv6. Right now, the leases helper
program of ours takes in whatever useful information is available and
dumps it to a JSON formatted database.

Example of our custom leases file content:
    [
        {
            "iaid": "1221229",
            "ip-address": "2001:db8:ca2:2:1::95",
            "mac-address": "52:54:00:12:a2:6d",
            "hostname": "Fedora20",
            "client-id": "00:04:1a:c1:d9:6b:5a:0a:e2:bc:f8:4b:1e:37:2e:38:22:55",
            "expiry-time": 1393244216
        },
        {
            "ip-address": "192.168.150.208",
            "mac-address": "52:54:00:11:56:b3",
            "hostname": "Wani-PC",
            "client-id": "01:52:54:00:11:56:b3",
            "expiry-time": 1393244248
        }
    ]

Q1. The libvirt leases helper script/program takes in whatever
variable value it receives and stores it unmodified. So, my question
is, is it safe to just print the content of each lease in the
field-format that you specified just by copying these values which I
received earlier as either argument or environment variable (so that
my code doesn't have to worry about the details about ARP type, etc)?

Q2. What harm will we encounter in case we don't store the server DUID
and not print out when the 'init' argument is received?

Take a sneak peek at our leasehelper program:
http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/network/leaseshelper.c

Thanking You,
Nehal J Wani


From simon at thekelleys.org.uk  Mon Jun 30 20:31:02 2014
From: simon at thekelleys.org.uk (Simon Kelley)
Date: Mon, 30 Jun 2014 21:31:02 +0100
Subject: [Dnsmasq-discuss] Query regarding --leasefile-ro
In-Reply-To: <CAG6NSr=LyUBSKDNxTBLUfjMB=7MdKofw4Gk6J5RRQHshcgUupg@mail.gmail.com>
References: <CAG6NSrms3cELonkF7kkzJk=uG1DW7mXAojmZ=1vCViYBWiiMAA@mail.gmail.com>	<53B1B330.2000201@thekelleys.org.uk>
 <CAG6NSr=LyUBSKDNxTBLUfjMB=7MdKofw4Gk6J5RRQHshcgUupg@mail.gmail.com>
Message-ID: <53B1C906.5090200@thekelleys.org.uk>

On 30/06/14 20:46, Nehal J Wani wrote:
> On Tue, Jul 1, 2014 at 12:27 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>> On 30/06/14 10:39, Nehal J Wani wrote:
>>> Hi!
>>>
>>> The man page of dnsmasq (under the section "-9, --leasefile-ro"), states:
>>> When called like this the script should write the saved state of the
>>> lease database, in dnsmasq leasefile format, to stdout and exit with
>>> zero exit code.
>>>
>>> Q1. What is the purpose of printing to stdout? I guess it is for
>>> dnsmasq to know the information of previous leases, but I am not sure.
>>
>>
>> Exactly that. Dnsmasq keeps a working copy of the lease database in
>> memory, and it calls the lease script whenever this changes so that the
>> lease-script can maintain the external copy in whatever non-volatile
>> storage it wants (a database, disk file, NVRAM, etc). When dnsmasq first
>> starts it has to copy the state of the lease database from the
>> non-volatile storage to the in-memory copy. It does this by running the
>> lease-script with the "init" method and the lease-script should dump the
>> contents of the database. The reason the format is exactly the same as
>> the lease-file and to stdout is that the whole thing can be done simply
>> by replacing 'fopen(leasefile)' with 'popen(lease-script, "init")', the
>> rest of the code is unchanged.
>>
>>> Q2. What all information do I need to print in 'dnsmasq leasefile
>>> format' ? What is the exact format? Is there an example for this (like
>>> the example file macscript)?
>>
>> The file starts with IPv4 leases, one per line. There are five fields on
>> each line, separated by spaces.
>>
>> Expiry time - decimal number, seconds since start of epoch
>>
>> MAC address - a hex "ARP type", followed by '-' followed by zero to 16
>> hex bytes, separated by ':'. If the ARP type is 1, for ethernet (this is
>> most common) then the ARP type is skipped, UNLESS the MAC address is
>> zero length. So
>>
>> 99-00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
>> 01-
>> 00:11:22:33:44:55
>>
>> are valid strings.
>>
>> IP address in dotted-quad format.
>>
>> Hostname, as specified in RFC 1123, para 2.1, or '*' if no hostname known.
>>
>> Client-id, up to 255 hex bytes separated by ':', or * if no client-id
>> known.
>>
>>
>> Next, if DHCPv6 is in use there may be a single line
>>
>> duid 00:11:22:33
>>
>> which records the DUID used by the server. Max length of a duid is not
>> specified in the standards, I think. dnsmasq limits it to 85 bytes. The
>> longest defined DUID format is currently about 28 bytes, I think.
>>
>> If the duid line exists, then it will be followed by the DHCPv6 leases,
>> one per line, five fields as for IPv4. The fields are different.
>>
>> Expiry time - same definition as for IPv4.
>>
>> IP address - in standard hex-and-colons format
>>
>> IAID - unsigned 32-bit decimal number, possibly preceded by "T" for a
>> temporary lease.
>>
>> Hostname - same as IPv4
>>
>> Client DUID - same representation as IPv4 client-ID.
>>
>>
>>> Q3. Apart from the leases, dnsmasq also prints some extra information
>>> like "duid 00:01:00:01:1b:40:8d:94:00:25:64:8b:e4:2c" in the lease
>>> file. Is this also mandatory to print to stdout in case I use
>>> leasefile-ro ?
>>
>> If you don't want to support DHCPv6, then you don't need the duid and
>> the DHCPv6 lease format. It would be a pity not to support DHCPv6 though.
>>
> 
> That explains almost everything.
> Yes, libvirt wants to support DHCPv6. Right now, the leases helper
> program of ours takes in whatever useful information is available and
> dumps it to a JSON formatted database.
> 
> Example of our custom leases file content:
>     [
>         {
>             "iaid": "1221229",
>             "ip-address": "2001:db8:ca2:2:1::95",
>             "mac-address": "52:54:00:12:a2:6d",
>             "hostname": "Fedora20",
>             "client-id": "00:04:1a:c1:d9:6b:5a:0a:e2:bc:f8:4b:1e:37:2e:38:22:55",
>             "expiry-time": 1393244216
>         },
>         {
>             "ip-address": "192.168.150.208",
>             "mac-address": "52:54:00:11:56:b3",
>             "hostname": "Wani-PC",
>             "client-id": "01:52:54:00:11:56:b3",
>             "expiry-time": 1393244248
>         }
>     ]
> 
> Q1. The libvirt leases helper script/program takes in whatever
> variable value it receives and stores it unmodified. So, my question
> is, is it safe to just print the content of each lease in the
> field-format that you specified just by copying these values which I
> received earlier as either argument or environment variable (so that
> my code doesn't have to worry about the details about ARP type, etc)?

Yes, completely. The only thing you have to worry about is the distinction
between IPv4 and IPv6 leases. The second field of a lease line is
either the MAC address (IPv4) or the IAID, so you need to copy either
argv[2] or the contents of $DNSMASQ_IAID there, depending on the flavour
of the lease. Similarly, the fifth field is either the client-id for IPv4
(from $DNSMASQ_CLIENT_ID) or the DUID (from argv[2]). You can reliably
distinguish between IPv4 and IPv6 leases by looking for the presence of
$DNSMASQ_IAID, the way the mactable script does.

> 
> Q2. What harm will we encounter in case we don't store the server DUID
> and not print out when the 'init' argument is received?

You'll break DHCPv6. If the DUID is recreated it will have a different
value (it includes the time of creation), and the clients won't accept
answers from the server, as they will have the old DUID stored as part
of the lease. The value to provide is always in $DNSMASQ_SERVER_DUID for
any call with a DHCPv6 lease, so the simplest thing might be to store
that with _each_ lease. When responding to an "init" call, just look to
see if there are any IPv6 leases. If there are, provide the DUID from any
one (they'll all be the same) before dumping them all.


> 
> Take a sneak peek at our leasehelper program:
> http://libvirt.org/git/?p=libvirt.git;a=blob;f=src/network/leaseshelper.c

That looks sensible. I guess from these questions that you're thinking
about storing the lease database just in the custom format, and using
--leasefile-ro.


Cheers,

Simon.
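The script-side logic Simon describes above (IPv4 versus IPv6 decided by the presence of DNSMASQ_IAID, argv[2] copied straight into the second or fifth field, the server DUID stored with every IPv6 lease and emitted once before the IPv6 leases on "init"), together with the earlier point that the IP address is the lease's primary key and an "old" event means "something about this lease changed", as a runnable dhcp-script. This is an added example, not libvirt's leaseshelper and not dnsmasq code: the JSON field names and the LEASE_STORE path are this example's own, and the DNSMASQ_* variable names are the ones the dnsmasq man page documents; which of them dnsmasq sets on a given call depends on the lease type and the dnsmasq version.

```python
"""dhcp-script logic for --leasefile-ro, covering the points made above.

Added example, not dnsmasq's or libvirt's code. It keeps its own JSON store keyed
by IP address (the lease's primary key), tells IPv4 from IPv6 leases by the
presence of DNSMASQ_IAID, stores the server DUID with every IPv6 lease, and
answers "init" by dumping the store in lease-file format. Variable names follow
the dnsmasq man page (DNSMASQ_IAID, DNSMASQ_CLIENT_ID, DNSMASQ_SERVER_DUID,
DNSMASQ_MAC, DNSMASQ_LEASE_EXPIRES); the JSON field names and the LEASE_STORE
path are this example's own assumptions.
"""
import json
import os
import sys
from typing import Dict, List

Store = Dict[str, dict]


def handle_event(store: Store, argv: List[str], env: Dict[str, str]) -> Store:
    """Apply one invocation: argv = [script, action, MAC-or-DUID, IP, hostname?]."""
    action = argv[1]
    if action == "init":
        return store                      # nothing to record; the caller dumps the store
    ip = argv[3]
    if action == "del":
        store.pop(ip, None)               # lease expired or was released
        return store
    if action not in ("add", "old"):
        raise ValueError(f"unknown action {action!r}")
    rec = {
        "expiry-time": int(env.get("DNSMASQ_LEASE_EXPIRES", "0")),
        "ip-address": ip,
        "hostname": argv[4] if len(argv) > 4 else "*",
    }
    if "DNSMASQ_IAID" in env:             # DHCPv6: argv[2] is the client DUID
        rec["iaid"] = env["DNSMASQ_IAID"]  # keeps a leading "T" for temporary leases
        rec["client-id"] = argv[2]
        rec["server-duid"] = env["DNSMASQ_SERVER_DUID"]
        if "DNSMASQ_MAC" in env:
            rec["mac-address"] = env["DNSMASQ_MAC"]
    else:                                 # IPv4: argv[2] is already in lease-file form
        rec["mac-address"] = argv[2]
        rec["client-id"] = env.get("DNSMASQ_CLIENT_ID", "*")
    store[ip] = rec                       # "old" with a new expiry simply overwrites
    return store


def _token(value: str) -> str:
    """dnsmasq splits the dump on whitespace, so a field must never contain any."""
    if not value or any(c.isspace() for c in value):
        raise ValueError(f"cannot write {value!r} as a lease-file field")
    return value


def dump_init(store: Store) -> str:
    """Render the store in lease-file format: IPv4 lines, then duid, then DHCPv6 lines."""
    v4 = sorted((r for r in store.values() if "iaid" not in r), key=lambda r: r["ip-address"])
    v6 = sorted((r for r in store.values() if "iaid" in r), key=lambda r: r["ip-address"])
    lines = [" ".join(_token(str(r[k])) for k in
                      ("expiry-time", "mac-address", "ip-address", "hostname", "client-id"))
             for r in v4]
    if v6:
        duids = {r["server-duid"] for r in v6}
        if len(duids) != 1:               # they should all match; a mismatch means a corrupt store
            raise ValueError(f"inconsistent server DUIDs in store: {sorted(duids)}")
        lines.append(f"duid {_token(duids.pop())}")
        lines.extend(" ".join(_token(str(r[k])) for k in
                              ("expiry-time", "ip-address", "iaid", "hostname", "client-id"))
                     for r in v6)
    return "".join(line + "\n" for line in lines)


def main() -> int:
    if len(sys.argv) < 2:
        sys.stderr.write("usage: invoked by dnsmasq as a --dhcp-script\n")
        return 2
    path = os.environ.get("LEASE_STORE", "/var/lib/misc/leases.json")  # assumed location
    try:
        with open(path) as fh:
            store = json.load(fh)
    except FileNotFoundError:
        store = {}
    store = handle_event(store, sys.argv, dict(os.environ))
    if sys.argv[1] == "init":
        sys.stdout.write(dump_init(store))
        return 0
    tmp = path + ".tmp"                   # write-then-rename so a crash cannot truncate the store
    with open(tmp, "w") as fh:
        json.dump(store, fh, indent=1)
    os.replace(tmp, path)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

`handle_event` and `dump_init` are pure functions over the store, so the event sequence (add, renewal as "old" with a later expiry, del) can be exercised without dnsmasq; `main` is what dnsmasq would run via --dhcp-script with --leasefile-ro set. The server-DUID consistency check exists because, as the reply says, a dnsmasq that gets no DUID back on "init" generates a fresh one and clients holding the old DUID then ignore its answers; emitting a wrong one would be no better.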