[Dnsmasq-discuss] Do we have good way to register SLAAC clients?
Simon Kelley
simon at thekelleys.org.uk
Mon Jun 12 17:53:06 UTC 2023
Dnsmasq has a feature, enabled by "ra-names", which attempts to solve
this problem for dual-stack hosts.

It works like this.

When a host gets a DHCPv4 address, dnsmasq calculates the address that
the client would assign itself using SLAAC, and pings that address. If
it gets a reply it adds the address and the name derived from the DHCPv4
transaction to the DNS.

This used to work for Android, but modern Android seems to have
implemented SLAAC privacy extensions, which makes it impossible for
dnsmasq to predict which SLAAC address the host will choose (by design)
and therefore breaks the hack.

Looking at the logs on my network, it's still working for a Chromecast
and Nest Audio, but not the Android phones.

This isn't a good solution, but it's the best I've come up with.

Simon.

On 07/06/2023 15:46, Petr Menšík wrote:
> Hello everyone.
>
> I attended an IPv6 seminar yesterday (it was IPv6 day, they said),
> where I asked how to make a similar registration of an IPv6 address
> obtained by SLAAC with the hostname of a client. They said there that
> Android is serious about not supporting DHCPv6 and that is not going to
> change except for Prefix Delegation.
>
> Anyway, I have claimed on the Fedora list [1] that the user-friendly way
> to type an IPv6 address is to type a name instead. Which is the best
> feature of dnsmasq, I think: it provides DHCP client registration in the
> DNS out-of-the-box. The problem is that SLAAC clients do not have any DHCP
> transaction where they would tell us their name. So what works nicely on
> IPv4 networks does not work on an IPv6-only network. Or at least usually.
>
> I wondered whether a client on a trusted network should try to use a DNS
> UPDATE message [2] on the servers configured. Especially if the DNS server
> is on the same network as the client, that might allow it to "register" its
> name temporarily. If the client used the domain sent in the router
> advertisement message, would it be a good idea to insert a limited-time
> record just like for DHCP? Since there is no strong authentication in
> DHCP either, maybe we could accept an update coming from the IP used in the
> record. And also create a PTR record for it.
>
> Is there any better way to provide more friendly names for IPv6
> devices? Sometimes we want privacy instead, but that is not needed in
> a trusted network like our own network. Apple devices use Multicast DNS to
> announce themselves anyway. Since IPv6 addresses are longer, they should
> have name resolution working by default. But they don't.
>
> Do you know any best practice for how something similar is solved by other
> vendors? How should that be improved?
>
> Cheers,
> Petr
>
> 1. https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/Y4FBSNAO2NRWB3YAY6YWE5767ORZRSOY/
> 2. https://www.rfc-editor.org/rfc/rfc2136
>
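
Added example, not dnsmasq's code and not part of the original messages: a sketch of the prediction step described for "ra-names", assuming the host forms its address with the modified EUI-64 identifier from RFC 4291 Appendix A. The prefix, MACs, names and the `reachable` set (standing in for the ping replies) are constructed; the second host uses a randomized identifier, so its predicted address never answers and no name is registered.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 App. A) for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC, got {mac!r}")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def predicted_slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would self-assign if it used EUI-64 SLAAC on this prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return net[eui64_interface_id(mac)]

def names_to_register(prefix, leases, reachable):
    """Map DHCPv4 lease names to predicted SLAAC addresses that answered.

    `leases` is {name: mac} from DHCPv4; `reachable` is the set of addresses
    that replied (a stand-in for the ping, so the example runs offline).
    """
    live = {ipaddress.IPv6Address(a) for a in reachable}
    found = {}
    for name, mac in leases.items():
        addr = predicted_slaac_address(prefix, mac)
        if addr in live:  # a prediction that gets no reply is never registered
            found[name] = str(addr)
    return found

# Constructed sample data (documentation prefix, made-up MACs and names).
PREFIX = "2001:db8:1:2::/64"
LEASES = {"chromecast": "00:11:22:33:44:55", "phone": "02:aa:bb:cc:dd:ee"}
REACHABLE = [
    "2001:db8:1:2:211:22ff:fe33:4455",   # EUI-64 address of "chromecast"
    "2001:db8:1:2:5c1e:9a7b:33d0:4f21",  # randomized identifier used by "phone"
]

if __name__ == "__main__":
    print(names_to_register(PREFIX, LEASES, REACHABLE))
```
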