[Dnsmasq-discuss] Windows ipv6 hostname

Uwe Schindler uwe at thetaphi.de
Thu Dec 22 16:35:16 GMT 2016


Hi,

Windows hosts generally have 2 problems, so assigning a DNS name with an IPv6 address using "ra-names" only works under the following circumstances:

- The Windows firewall must allow ICMP Echo (PING) requests to go through (IPv6). And here comes the problem: By default the Windows firewall blocks pings on IPv4 and IPv6. Dnsmasq pings the possible SLAAC-defined IPv6 address to see if it is valid. And that does not work by default.
- Windows has to assign the IPv6 address using the official SLAAC algorithm! Unfortunately with randomized-identifiers enabled (also the default), the auto-assigned IPv6 addresses are not created from the MAC address using the SLAAC algorithm. You have to disable randomized-identifiers to make this work.

With the above defaults, Windows hides its IPv6 address completely and you cannot guess it.

Important: Randomized-identifiers has nothing to do with privacy extensions (with privacy extensions, the IPv6 address is still SLAAC-conformant, but IPv6 hosts use a second address for *outgoing* connections only. The SLAAC address is still there and can be pinged).

On my Windows machines I have disabled randomized-identifiers, but they still use privacy extensions. In addition, pinging is enabled in the firewall. Then everything works. This is not the fault of dnsmasq, there is nothing it can do better - maybe instead of pinging it can use some different approach to "verify" the IP address (something like an IPv6-style ARP request only).

Uwe

-----
Uwe Schindler
Achterdiek 19, D-28357 Bremen
http://www.thetaphi.de
eMail: uwe at thetaphi.de
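The "ra-names" mechanism described above depends on the host forming its interface identifier from its MAC with the EUI-64 rule, so that the server can predict the SLAAC address before it verifies it. The following Python is an added example (not dnsmasq's code) of that derivation and of the check "is this observed address the one the MAC predicts?"; the MAC/link-local pairs it uses are taken from the Wireshark output quoted further down in this thread, and the /64 prefix is the one from the quoted lease file.

```python
# Added example; not dnsmasq's code. It shows the EUI-64 derivation that
# "ra-names" relies on: the interface identifier a host forms from its MAC
# when randomized identifiers are off, so the server can predict the SLAAC
# address and then verify it (dnsmasq verifies with a ping).
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Return the 8-byte Modified EUI-64 interface identifier for a 48-bit MAC
    (RFC 4291 Appendix A): insert ff:fe in the middle and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    first = octets[0] ^ 0x02  # universal/local bit inverted
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (link-local or one announced in an RA) with the
    EUI-64 interface identifier of mac."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def is_slaac_address(addr: str, mac: str) -> bool:
    """True when the low 64 bits of addr are the EUI-64 id of mac, i.e. the
    address is the one a server using ra-names would predict. An address with
    a randomized identifier, or one assigned by DHCPv6, gives False."""
    return ipaddress.IPv6Address(addr).packed[8:] == eui64_interface_id(mac)


# Constructed check: MAC / link-local source address pairs of the two Windows
# hosts as they appear in the capture quoted in this thread.
SAMPLES = [
    ("08:00:27:60:fb:f2", "fe80::a00:27ff:fe60:fbf2"),
    ("3e:fa:72:5b:c7:02", "fe80::3cfa:72ff:fe5b:c702"),
]

if __name__ == "__main__":
    for mac, seen in SAMPLES:
        predicted = slaac_address("2001:470:28:6ac::/64", mac)
        print(mac, "->", predicted, "link-local matches EUI-64:", is_slaac_address(seen, mac))
```

If a host's global address fails `is_slaac_address` for its MAC, ra-names has nothing it can predict for that host, which is exactly the randomized-identifier case; DHCPv6 assignment (as discussed further down) is the alternative that does not depend on the client's identifier choice.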

> -----Original Message-----
> From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
> bounces at lists.thekelleys.org.uk] On Behalf Of Pali Rohár
> Sent: Thursday, December 22, 2016 1:49 PM
> To: Markus Hartung <mail at hartmark.se>
> Cc: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Windows ipv6 hostname
> 
> On Thursday 22 December 2016 11:24:53 Markus Hartung wrote:
> > On 2016-12-21 14:08, Michael Stilkerich wrote:
> > > Well, dnsmasq needs to get the hostname to assign to a machine from
> > > someplace. I don't know all the possible places (search the manual
> > > page for that), but I can think of:
> > >   1) Dnsmasq configuration (dhcp-host options)
> > >   2) /etc/ethers if enabled
> > >   3) suggested with the DHCPv4 request by the client
> > >
> > > I think Windows 10 should suggest a hostname (3), at least it seems
> > > to do so for me. I have manually assigned a hostname on the Windows
> > > computer, and dnsmasq knows and assigns it.
> >
> > On 2016-12-20 12:53, Pali Rohár wrote:
> > > Another option is to stop using SLAAC and start using DHCPv6 where
> > > you have full control of assigned IPv6 addresses.
> > >
> > > Such feature like host will "randomly" chose address is unsuitable
> > > for setup when you need to have control of which address is
> > > assigned to which device (e.g in this setup when you want to
> > > assign AAAA record).
> >
> > I have managed to get DHCPv6 working now, I thought that windows 10
> > didn't have any support for it.
> 
> Windows Vista has (good quality) support for DHCPv6 and IIRC newer
> versions of Windows use the same/similar implementation. So I think
> Windows 10 should work (no idea if some advanced configuration is
> needed)... Also at that time Windows Vista had a correct implementation of
> using the RA prefix together with the assigned DHCPv6 address. (In contrast,
> the common Linux ISC DHCPv6 client is still broken and hardcodes a /64 prefix
> even if the RA announces a different one.)
> 
> > It turned out that my ufw on my
> > Ubuntu server was blocking the DHCPv6. I was in my simple mind just
> > assuming that DHCP and DHCPv6 used the same ports
> 
> It is common behaviour that all firewalls block everything except some
> exceptions. It is also good for security reasons.
> 
> DHCP is using IPv4 and DHCPv6 is obviously using IPv6. And IPv6 network
> stack is independent of IPv4, so you need to configure your firewall
> differently for IPv4 and IPv6 (e.g. iptables vs. ip6tables).
> 
> And because DHCP and DHCPv6 are *different* protocols, they should not
> be used on the same ports. If you look at DNS there is no DNSv6 or so. DNS
> is the same over IPv4 and IPv6.
> 
> You cannot ask for an IPv6 address via DHCP or IPv4 via DHCPv6. But you can
> resolve an AAAA record (IPv6) via an IPv4 connection to DNS, and hence there
> is only one DNS.
> 
> If you cannot memorize the TCP or UDP port numbers for some services,
> just look into the /etc/services file.
> 
> $ grep -E -i 'dhcp|bootp' /etc/services
> bootps          67/tcp                          # BOOTP server
> bootps          67/udp
> bootpc          68/tcp                          # BOOTP client
> bootpc          68/udp
> dhcpv6-client   546/tcp
> dhcpv6-client   546/udp
> dhcpv6-server   547/tcp
> dhcpv6-server   547/udp
> 
> > Still no hostname in the lease-file. However, I tried creating a
> > virtual win10 host and it seems to correctly set the hostname.
> >
> > $ cat /var/lib/misc/dnsmasq.leases
> > 1482450696 3e:fa:72:5b:c7:02 192.168.1.184 * 01:3e:fa:72:5b:c7:02
> > 1482454218 08:00:27:60:fb:f2 192.168.1.108 budweiser 01:08:00:27:60:fb:f2
> > 1482454219 34078759 2001:470:28:6ac::b8c2 budweiser 00:01:00:01:1f:6b:f9:80:08:00:27:60:fb:f2
> > 1482454045 171899506 2001:470:28:6ac::e82c * 00:03:00:01:3e:fa:72:5b:c7:02
> >
> > Note that the host budweiser correctly gets a host entry in the file.
> > And pinging the hostname on IPv4 and IPv6 yields the correct
> > IP address.
> 
> So if some Windows 10 host is working fine and another not, then some
> configuration is really needed... You have one working configuration of
> Windows 10 so you will need to (somehow) reuse it for non-working one.
> 
> > Been doing some wireshark-ing and found this request on the working
> > host:
> >
> > Frame 1998: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits) on interface 0
> > Ethernet II, Src: PcsSyste_60:fb:f2 (08:00:27:60:fb:f2), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
> > Internet Protocol Version 6, Src: fe80::a00:27ff:fe60:fbf2, Dst: ff02::1:2
> > User Datagram Protocol, Src Port: 546, Dst Port: 547
> > DHCPv6
> >      Message type: Request (3)
> >      Transaction ID: 0xe6d3a2
> >      Elapsed time
> >      Client Identifier
> >      Server Identifier
> >      Identity Association for Non-temporary Address
> >      Fully Qualified Domain Name
> >          Option: Fully Qualified Domain Name (39)
> >          Length: 24
> >          Value: 000962756477656973657208686172746d61726b02736500
> >          0000 0... = Reserved: 0x00
> >          .... .0.. = N bit: Server should perform DNS updates
> >          .... ..0. = O bit: Server has not overridden client's S bit preference
> >          .... ...0 = S bit: Server should not perform forward DNS updates
> >          Client FQDN: budweiser.hartmark.se
> 
> So the working host sends us an FQDN.
> 
> >      Vendor Class
> >          Option: Vendor Class (16)
> >          Length: 14
> >          Value: 0000013700084d53465420352e30
> >          Enterprise ID: Microsoft (311)
> >          vendor-class-data: MSFT 5.0
> 
> And the working host tells us it is a Microsoft DHCP client.
> 
> >      Option Request
> >          Option: Option Request (6)
> >          Length: 8
> >          Value: 0011001700180027
> >          Requested Option code: Vendor-specific Information (17)
> >          Requested Option code: DNS recursive name server (23)
> >          Requested Option code: Domain Search List (24)
> >          Requested Option code: Fully Qualified Domain Name (39)
> >
> > and this is the request for the broken host:
> > Frame 786: 160 bytes on wire (1280 bits), 160 bytes captured (1280 bits) on interface 0
> > Ethernet II, Src: 3e:fa:72:5b:c7:02 (3e:fa:72:5b:c7:02), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
> > Internet Protocol Version 6, Src: fe80::3cfa:72ff:fe5b:c702, Dst: ff02::1:2
> > User Datagram Protocol, Src Port: 546, Dst Port: 547
> > DHCPv6
> >      Message type: Request (3)
> >      Transaction ID: 0x83e70d
> >      Elapsed time
> >      Client Identifier
> >      Server Identifier
> >      Identity Association for Non-temporary Address
> >      Option Request
> >          Option: Option Request (6)
> >          Length: 8
> >          Value: 0011001700180027
> >          Requested Option code: Vendor-specific Information (17)
> >          Requested Option code: DNS recursive name server (23)
> >          Requested Option code: Domain Search List (24)
> >          Requested Option code: Fully Qualified Domain Name (39)
> 
> So the non-working host did not send an FQDN.
> 
> > However, it seems it tries to update its DNS record like this:
> > 973    84.385064    192.168.1.184    195.178.160.145    DNS 200 Dynamic update 0xf052 SOA hartmark.se CNAME AAAA A AAAA 2001:470:28:6ac::e834 AAAA 2001:470:28:6ac:3cfa:72ff:fe5b:c702 A 192.168.1.184
> >
> > 974    84.389532    195.178.160.145    192.168.1.184    DNS 200 Dynamic update response 0xf052 Not implemented SOA hartmark.se CNAME AAAA A AAAA 2001:470:28:6ac::e834 AAAA 2001:470:28:6ac:3cfa:72ff:fe5b:c702 A 192.168.1.184
> >
> > I need to do some more digging, but perhaps someone knows why the
> > hosts behave differently. And is the dynamic DNS update some
> > Microsoft DNS server thingy?
> 
> I remember that Windows acts differently if it is configured to be
> part of a domain, or if it has some domain name set, or if it has
> some workgroup configured, or if it has enabled sharing for small home
> networks... This is just my observation, and maybe one of those settings
> is different on the working and non-working hosts?
> 
> I could not help you with Windows 10, but try to look at different
> network settings in Windows. Maybe you find something...
> 
> --
> Pali Rohár
> pali.rohar at gmail.com
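To make the difference between the two quoted Requests concrete, here is an added Python decoder (not code from dnsmasq or from anyone in this thread) for the three DHCPv6 options that the capture above shows: Option Request (6), Vendor Class (16) and Client FQDN (39). The option payloads are the hex "Value" fields copied from the Wireshark output; option framing follows RFC 3315 and the FQDN flags (S, O, N) and wire-format name follow RFC 4704. The same parser applied to the broken host's Request, which carries only the Option Request option, shows the missing FQDN directly.

```python
# Added example; not from dnsmasq or the thread. Decodes a DHCPv6 options block
# (code, length, value triples per RFC 3315) far enough to answer "did this
# client send a Client FQDN option, and what name and flags did it carry?"
import struct

OPTION_ORO = 6            # Option Request
OPTION_VENDOR_CLASS = 16
OPTION_CLIENT_FQDN = 39   # RFC 4704


def decode_dns_name(data: bytes) -> str:
    """Decode an RFC 1035 wire-format name. RFC 4704 allows a partial name
    (no terminating zero-length label) and forbids compression pointers."""
    labels, pos = [], 0
    while pos < len(data):
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(data):
            raise ValueError("malformed label at offset %d" % (pos - 1))
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def decode_client_fqdn(value: bytes) -> dict:
    """Flags byte: bit 0 = S, bit 1 = O, bit 2 = N (RFC 4704 section 4.1)."""
    if not value:
        raise ValueError("empty Client FQDN option")
    flags = value[0]
    return {"S": bool(flags & 0x01), "O": bool(flags & 0x02),
            "N": bool(flags & 0x04), "name": decode_dns_name(value[1:])}


def decode_vendor_class(value: bytes) -> dict:
    """4-byte enterprise number followed by (length, data) items."""
    if len(value) < 4:
        raise ValueError("Vendor Class option too short")
    (enterprise,) = struct.unpack("!I", value[:4])
    items, pos = [], 4
    while pos + 2 <= len(value):
        (n,) = struct.unpack("!H", value[pos:pos + 2])
        pos += 2
        items.append(value[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return {"enterprise": enterprise, "data": items}


def decode_oro(value: bytes) -> list:
    if len(value) % 2:
        raise ValueError("Option Request payload must be a list of 16-bit codes")
    return list(struct.unpack("!%dH" % (len(value) // 2), value))


def parse_options(blob: bytes) -> dict:
    """Walk the option list; unknown codes are only recorded by number."""
    out, pos = {}, 0
    while pos + 4 <= len(blob):
        code, length = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        value = blob[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        pos += length
        if code == OPTION_ORO:
            out["oro"] = decode_oro(value)
        elif code == OPTION_VENDOR_CLASS:
            out["vendor_class"] = decode_vendor_class(value)
        elif code == OPTION_CLIENT_FQDN:
            out["client_fqdn"] = decode_client_fqdn(value)
        else:
            out.setdefault("other", []).append(code)
    if pos != len(blob):
        raise ValueError("%d trailing bytes after last option" % (len(blob) - pos))
    return out


def has_client_fqdn(blob: bytes) -> bool:
    return "client_fqdn" in parse_options(blob)


def option(code: int, value_hex: str) -> bytes:
    """Frame one option from a hex payload (the 'Value' field in Wireshark)."""
    value = bytes.fromhex(value_hex)
    return struct.pack("!HH", code, len(value)) + value


# Constructed from the capture in this thread: payloads of the working host's
# Request, and of the broken host's Request which carried only option 6.
WORKING_HOST_OPTIONS = (
    option(OPTION_CLIENT_FQDN, "000962756477656973657208686172746d61726b02736500")
    + option(OPTION_VENDOR_CLASS, "0000013700084d53465420352e30")
    + option(OPTION_ORO, "0011001700180027"))
BROKEN_HOST_OPTIONS = option(OPTION_ORO, "0011001700180027")

if __name__ == "__main__":
    for label, blob in (("working", WORKING_HOST_OPTIONS), ("broken", BROKEN_HOST_OPTIONS)):
        print(label, parse_options(blob))
```

The decoded flags match Wireshark's reading of the working host (S, O and N all clear, name budweiser.hartmark.se), and the vendor class decodes to enterprise 311 with "MSFT 5.0"; for the broken host `parse_options` returns only the requested-option list, which is the entire difference between the two packets as far as the server can see.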