[Dnsmasq-discuss] [PATCH] auth-zone to ignore more non-global addresses

Simon Kelley simon at thekelleys.org.uk
Wed Jan 21 20:05:45 GMT 2015


On 20/01/15 20:33, Alexander Clouter wrote:
>> Two observations:
>> 
>> 1) The patch as it stands doesn't just affect authoritative DNS 
>> answers - it filters those addresses from "ordinary" internal
>> DNS requests too.
> 
> Boo!
> 
>> 2) Following from that, there's a good chance that there are
>> dnsmasq installations that rely on these addresses (RFC1918 and
>> ULA especially)
>> 
>> So at least, there needs to be a distinction between internal and
>> auth requests, and/or some ability to configure this.
> 
> I'll try to figure out a fix for that if you think this patch has
> legs.
> 
>> I'm intrigued, why are you assigning "real" addresses to the
>> loopback interface.
> 
> Most of it comes from whether you think of IP assignments as a per 
> interface, or per host, I tend to roll using the latter.
> 
> When trying to make a decision where to assign a host IP (what then
> ends up in DNS, inc your PTR records) it becomes awkward when
> interfaces come and go.  So where do you put it?
> 
> I tend to deal with this problem by treating IP assignments as
> something a host has, rather than something you assign to a
> particular interface. This is something that network operators tend
> to do, mainly as often you need IP addresses that are always
> present regardless of the state of the interfaces (for example
> management IPs).
> 
> In my particular situation I have a /56 (or /48) prefix IPv6 that
> might be dynamic given to me via DHCPv6-PD.  I want to slice up the
> allocation across the possibly multiple LAN interfaces, but I also
> want an IP assigned to the router itself to then appear in DNS. I
> could mark an interface as the 'primary'/'master' interface, but
> with interfaces coming and going, I may make the wrong
> choice...plus my scripts get complicated.  So I prefer the simpler
> path of just dumping the IP on the loopback interface and moving onto
> some other more interesting problem :)
> 
> Make sense, vaguely?

Makes perfect sense.

Here's my take on the problem. There are actually two things to think
about.

First --interface-name, this generates A and AAAA records based on the
addresses associated with an interface. These records are available in
the internal DNS view provided by dnsmasq, and (possibly) the external
(auth-zone) view as well (but with caveats, see below). The current
code filters link-local addresses, since they're unlikely to be useful
in a DNS context. If you're going to be using this with lo, then
filtering 127.0.0.0/8 and ::1 is useful too. That's not in there just
because I never imagined anyone _would_ do this with lo :)

Second, --auth-zone.

This really describes a filter which determines which of the DNS
records dnsmasq knows about (from /etc/hosts, DHCP leases, other
config files) get to appear in the exported DNS zone. There are two
filters: the domain (so only DNS records in the domain appear) and the
subnet(s), so for A and AAAA queries, records only appear if the
address is in one of the subnets. One way to specify the allowed
subnets says "use all the subnets (or all the IPv4 subnets, or all the
IPv6 subnets) associated with interface x.

In your original example, you could have got the same effect as you
did by listing the allowed subnets explicitly

--interface-name=digriz.wormnet.eu,2002:4d4b:6a22:8::/64,2a01:348:45:8::/64,fd2a:7fba:ff04:8::/64

But I guess those prefixes are dynamic, so this is a bit of a pain,
and incidentally why it's possible to specify the subnets indirectly
using interfaces.

One possible solution to this might be to make the filter language in
--auth-zone allow _exclusion_ of subnets as well as inclusion, say
something like

exclude:fd00::/8

for ULA addresses.

So now you could do

--auth-zone=digriz.wormnet.eu,lo,ppp0,br0/6,exclude:fd00::/8

Which will give you all the A and AAAA addresses in the
subnets/prefixes associated with those interfaces, except the ULA
addresses. Extending that to exclude RFC1918 is trivial.

Comments?

Cheers,

Simon.



> 
> Cheers
> 
>> On 18/01/15 17:17, Alexander Clouter wrote:
>>> This patch makes sure dnsmasq does not put any non-global
>>> addresses (loopback, rfc1918, and ULA addresses) into the
>>> authoritative zone file, in particular when global addresses are
>>> added to the loopback interface.
>>> 
>>> The following configuration shows this behaviour:
>>> ----
>>> # ip addr show dev lo
>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue
>>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>     inet 127.0.0.1/8 scope host lo
>>>        valid_lft forever preferred_lft forever
>>>     inet6 2002:4d4b:6a22:8::/64 scope global
>>>        valid_lft forever preferred_lft forever
>>>     inet6 2a01:348:45:8::/64 scope global
>>>        valid_lft forever preferred_lft forever
>>>     inet6 fd2a:7fba:ff04:8::/64 scope global
>>>        valid_lft forever preferred_lft forever
>>>     inet6 ::1/128 scope host
>>>        valid_lft forever preferred_lft forever
>>>
>>> # dnsmasq .... \
>>>     --auth-server=digriz.wormnet.eu,ppp0 \
>>>     --server=/digriz.wormnet.eu/ \
>>>     --interface-name=digriz.wormnet.eu,lo \
>>>     --interface-name=digriz.wormnet.eu,ppp0 \
>>>     --auth-zone=digriz.wormnet.eu,lo,ppp0,br0/6 \
>>>     --domain=digriz.wormnet.eu,192.168.1.0/24,local
>>> ----
>>> 
>>> Without this patch, you see externally:
>>> ----
>>> alex at marmot:~$ host digriz.wormnet.eu 77.75.106.34
>>> Using domain server:
>>> Name: 77.75.106.34
>>> Address: 77.75.106.34#53
>>> Aliases:
>>>
>>> digriz.wormnet.eu has address 127.0.0.1
>>> digriz.wormnet.eu has address 77.75.106.34
>>> digriz.wormnet.eu has IPv6 address ::1
>>> digriz.wormnet.eu has IPv6 address fd2a:7fba:ff04:8::
>>> digriz.wormnet.eu has IPv6 address 2a01:348:45:8::
>>> digriz.wormnet.eu has IPv6 address 2002:4d4b:6a22:8::
>>> digriz.wormnet.eu has IPv6 address 2a01:348:ad51:1539:6524:39bd:2da6:e349
>>> ----
>>> 
>>> With the patch, you see:
>>> ----
>>> alex at marmot:~$ host digriz.wormnet.eu 77.75.106.34
>>> Using domain server:
>>> Name: 77.75.106.34
>>> Address: 77.75.106.34#53
>>> Aliases:
>>>
>>> digriz.wormnet.eu has address 77.75.106.34
>>> digriz.wormnet.eu has IPv6 address 2a01:348:45:8::
>>> digriz.wormnet.eu has IPv6 address 2002:4d4b:6a22:8::
>>> digriz.wormnet.eu has IPv6 address 2a01:348:ad51:1539:6524:39bd:2da6:e349
>>> ----
>>> 
>>> Signed-off-by: Alexander Clouter <alex+dnsmasq at digriz.org.uk>
>>> -- src/network.c |    6 ++++-- 1 files changed, 4
>>> insertions(+), 2 deletions(-)
>>> 
>>> --- a/src/network.c    2015-01-04 19:09:25.086396076 +0000 +++ 
>>> b/src/network.c    2015-01-04 19:29:04.402377390 +0000 @@
>>> -302,10 +302,12 @@ #endif } } -  + +  if ((addr->sa.sa_family
>>> == AF_INET && !private_net(addr->in.sin_addr, 1)) #ifdef
>>> HAVE_IPV6 -  if (addr->sa.sa_family != AF_INET6 || 
>>> !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr)) +    || 
>>> (addr->sa.sa_family == AF_INET6 && 
>>> !IN6_IS_ADDR_LOOPBACK(&addr->in6.sin6_addr) && 
>>> !IN6_IS_ADDR_LINKLOCAL(&addr->in6.sin6_addr) && 
>>> !IN6_IS_ADDR_ULA(&addr->in6.sin6_addr)) #endif +    ) { struct 
>>> interface_name *int_name; struct addrlist *al;
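Review bot: the new condition sits in the src/network.c block that builds the interface_name address list, so the private_net() check and the loopback/ULA tests drop RFC1918, ULA and loopback addresses from every --interface-name answer, including the internal view, not only from the exported auth zone; either apply this filter only on the auth-zone export path or make it configurable so existing installations that resolve these addresses internally keep working. Two smaller points: the leading "-  " / "+" pair only strips trailing whitespace from a blank line and adds noise to the diff, and IN6_IS_ADDR_ULA is not provided by the standard netinet/in.h, so confirm that dnsmasq's own definition is in scope for every HAVE_IPV6 build.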
> 
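To make the filter semantics discussed above concrete, here is an added Python model of the --auth-zone subnet filter with the proposed exclude: items; it is not dnsmasq code. The lo prefixes are taken from the quoted `ip addr` output, while the ppp0 and br0 prefixes, the two extra records and the exact parsing of exclude: are assumptions.

```python
import ipaddress

# Constructed interface table: lo prefixes from the quoted `ip addr show dev lo`
# output; ppp0 and br0 prefixes are assumed (the thread does not list them).
IFACE_SUBNETS = {
    "lo": ["127.0.0.0/8", "::1/128", "2002:4d4b:6a22:8::/64",
           "2a01:348:45:8::/64", "fd2a:7fba:ff04:8::/64"],
    "ppp0": ["77.75.106.34/32", "2a01:348:ad51:1539::/64"],
    "br0": ["192.168.1.0/24", "fd2a:7fba:ff04:1::/64"],
}
# Constructed records: the seven answers quoted in the thread, plus a ULA host
# on br0 and a name outside the zone.
RECORDS = [("digriz.wormnet.eu", a) for a in (
    "127.0.0.1", "77.75.106.34", "::1", "fd2a:7fba:ff04:8::", "2a01:348:45:8::",
    "2002:4d4b:6a22:8::", "2a01:348:ad51:1539:6524:39bd:2da6:e349")] + [
    ("pc.digriz.wormnet.eu", "fd2a:7fba:ff04:1::10"), ("other.example", "77.75.106.34")]

def parse_auth_zone(spec):
    """Parse '<domain>,<item>,...'; items are a literal subnet, an interface
    name, 'iface/4' or 'iface/6' (one family), or the proposed 'exclude:<net>'."""
    domain, *items = spec.split(",")
    includes, excludes = [], []
    for item in items:
        if item.startswith("exclude:"):
            excludes.append(ipaddress.ip_network(item[len("exclude:"):], strict=False))
            continue
        try:
            includes.append(ipaddress.ip_network(item, strict=False))
            continue
        except ValueError:  # not a literal subnet, so treat it as an interface
            pass
        name, _, family = item.partition("/")
        for cidr in IFACE_SUBNETS.get(name, []):
            net = ipaddress.ip_network(cidr, strict=False)
            if not family or str(net.version) == family:
                includes.append(net)
    return domain, includes, excludes

def exported_addresses(spec, records=RECORDS):
    """Addresses the auth zone would publish under this --auth-zone spec:
    name inside the zone, address in some included and in no excluded subnet."""
    domain, includes, excludes = parse_auth_zone(spec)
    out = []
    for name, addr in records:
        ip = ipaddress.ip_address(addr)
        in_zone = name == domain or name.endswith("." + domain)
        if (in_zone and any(ip in n for n in includes)
                and not any(ip in n for n in excludes)):
            out.append(addr)
    return out
```

With the thread's original spec every loopback and ULA address leaks, and adding exclude: items for fd00::/8, 127.0.0.0/8 and ::1/128 reproduces the "with the patch" answer set without touching the internal view.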