Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-25 Thread clemens fischer
/dev/rob0 wrote:

> FWIW, Alberto, Windows clients do speak 2136. I think they do it by 
> default, regardless of the type of nameserver they're contacting.
> 
> A confusing thing about Alberto's description is the apparent idea 
> that dnsmasq does not support dynamic DNS. On the contrary, that's 
> what it does, exceptionally well, by combining the DHCPd with the 
> nameserver. Dynamic DNS for DHCP clients is a strong point for 
> dnsmasq.

This might be a good idea!  Dnsmasq allows including files and rereads
them when they are modified.

Option "addn-hosts" comes to mind: an update script might append/replace
records like " " in a file.

>> What good is such a drastic DNS operation when no authentication is
>> defined?  Other than that the RFC reads like a stripped down version
>> of
> 
> Hmm? You can use dnssec-keygen(8) keys for authentication. I admit,
> I don't know as practical a way to do it in the real world; DynDNS's
> protocol and my HTTP+nsupdate hack are handy for associating one
> user's records with one authentication credential.

DNSSEC is an entirely different beast.  It is for generating key-signing
and zone-signing keys for verifying DNS responses.

You probably meant ddns-confgen(8), which is used for TSIG authentication
within a DNS operation.  But the problem is not how to make a secure
key, /dev/random would be enough for that, but how to send it to some
agent.

> That's why I think my HTTP+nsupdate hack was better than DynDNS's 
> protocol. No special client needed, just a web browser (or a 
> scriptable HTTP client like wget(1).)

Right.

I'm using a script whenever I get a new IP (${newip} in the script) from
the provider by DHCP:

  #!/bin/sh
  # bin/dyndns-update.sh
  # _date: 20100222-1628_
  #
  # Pushes a new address into the zone with an RFC 2136 update (nsupdate),
  # signed with the TSIG key referenced below.  Called from the DHCP client
  # exit hook once a new lease arrives; see:
  # /l/etc/named.conf
  # /etc/dhcpcd.exit-hook
  #

  iam="${0##*/}"
  ex=0
  usage="${iam}: use ${iam}  "
  nsupdate="/usr/local/bin/nsupdate"
  nsupdate_opts=""
  # -l: local-host only mode, talk to the nameserver on localhost
  nsupdate_opts="${nsupdate_opts} -l"
  # -k: TSIG key file that signs the update request (made with ddns-confgen)
  nsupdate_opts="${nsupdate_opts} -k /usr/local/etc/bind9/tsig-update.key"
  zone="${1:?${usage}}"      # name to update (first argument)
  newip="${2:?${usage}}"     # new address from the provider (second argument)
  spf1="v=spf1 ip4:${newip} a XXX XXX ~all"

  # nsupdate script: only proceed if the name exists (prereq yxdomain), then
  # replace the A record and the SPF TXT record in one signed transaction.
  update_rr="
  zone ${zone}
  prereq yxdomain ${zone}
  update delete ${zone} 300 IN A
  update add ${zone} 300 IN A ${newip}
  update delete ${zone} 3600 IN TXT
  update add ${zone} 3600 IN TXT \"${spf1}\"
  send
  answer
  "

  echo "${update_rr}" | ${nsupdate} ${nsupdate_opts}
  ex=$?      # exit status of nsupdate, the last command in the pipeline
  exit ${ex}

and the key is made like this:

  # ddns-confgen -k /l/etc/bind9/tsig-update.key -s XXX.eu.org


clemens
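The "addn-hosts" update script sketched above, written out as an added example (not code from the thread): it validates the caller-supplied name and address before writing anything, keeps exactly one "IP hostname" record per name, replaces the file atomically, and signals dnsmasq to re-read it. The file path, the names and addresses, and the DNSMASQ_PID variable are assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: an update script for the
# "addn-hosts" idea.  It keeps exactly one "IP hostname" record per name in
# a hosts-format file that dnsmasq loads via addn-hosts=/path/to/file and
# re-reads on SIGHUP.  Paths, names and addresses below are placeholders.

# valid_hostname NAME: plain labels only (letters, digits, hyphen, dots), so a
# caller-supplied name cannot smuggle a second record or alias onto the line.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# valid_ipv4 ADDR: exactly four dotted decimal octets, each 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do [ "$o" -le 255 ] || exit 1; done
    )
}

# update_record HOSTSFILE NAME IP: drop any existing record for NAME, append
# the new one, and swap the file in atomically so dnsmasq never reads a
# half-written file.  If DNSMASQ_PID is set, tell dnsmasq to re-read it.
update_record() {
    file="$1" name="$2" ip="$3"
    valid_hostname "$name" || { echo "rejected hostname: $name" >&2; return 1; }
    valid_ipv4 "$ip"       || { echo "rejected address: $ip" >&2; return 1; }
    tmp="${file}.tmp.$$"
    {
        [ -f "$file" ] && awk -v n="$name" '$2 != n' "$file"
        printf '%s %s\n' "$ip" "$name"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" && mv -f "$tmp" "$file" || return 1
    if [ -n "${DNSMASQ_PID:-}" ]; then kill -HUP "$DNSMASQ_PID"; fi
}

# lookup_record HOSTSFILE NAME: print the address currently recorded for NAME.
lookup_record() {
    awk -v n="$2" '$2 == n { print $1; exit }' "$1"
}

# Usage: dnsmasq-addn-update.sh HOSTSFILE NAME IP
if [ $# -eq 3 ]; then
    update_record "$1" "$2" "$3"
fi
```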




Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-25 Thread /dev/rob0
On Thu, Jun 24, 2010 at 09:32:01PM +0200, clemens fischer wrote:
> /dev/rob0 wrote:
> 
> > On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:
> >
> >> are there any plans of implementing Dynamic DNS for dnsmasq? 
> >>  
> >> There is a perl script that adds that functionality here:
> >> http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl
> > 
> > I don't understand all the desire to invent new protocols for dynamic 
> > DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
> > protocol, it should be RFC 2136. Dyndns.org's protocol is not a 
> > standard.
> > 
> > Some years back, before I really understood 2136, I wrote a perl/CGI 
> > frontend for nsupdate(8) which does something similar without 

Clarification: if I had known then what I know now, I would have 
solved my issue by generating a key and using nsupdate(8) over the 
Internet, rather than HTTP. As per below, I do NOT know enough about 
2136 to figure a way for it to scale.

I'm not sure I understand enough about Alberto's issue to offer any 
suggestions, but perhaps the 2136/nsupdate idea would help. He 
mentioned in followup that a Kerberos-based authentication server 
might be under consideration, and that sounds promising.

FWIW, Alberto, Windows clients do speak 2136. I think they do it by 
default, regardless of the type of nameserver they're contacting.

A confusing thing about Alberto's description is the apparent idea 
that dnsmasq does not support dynamic DNS. On the contrary, that's 
what it does, exceptionally well, by combining the DHCPd with the 
nameserver. Dynamic DNS for DHCP clients is a strong point for 
dnsmasq.

> > exposing another root-owned TCP socket to the world. By means of 
> > permissions on a copy of the key, I was able to allow the httpd(8) 
> > user to run nsupdate after authenticating the user.
> 
> I just skimmed through RFC 2136.  From a practical standpoint, it has
> a serious flaw in sections 3.3.1 and 3.3.2:
> 
>   3.3.1. Next, the requestor's permission to update the RRs named in
>   the Update Section may be tested in an implementation dependent
>   fashion or using mechanisms specified in a subsequent Secure DNS
>   Update protocol.
> 
> What good is such a drastic DNS operation when no authentication is
> defined?  Other than that the RFC reads like a stripped down version of

Hmm? You can use dnssec-keygen(8) keys for authentication. I admit, I 
don't know as practical a way to do it in the real world; DynDNS's 
protocol and my HTTP+nsupdate hack are handy for associating one 
user's records with one authentication credential.

I guess a secure way to do it is to give each user his/her own key 
and a separate zone. But that would not scale. I don't know how to 
link a key with only one RR name. I could ask the BIND folks.

> nsupdate's technical manual (if such a thing exists).  The benefit to
> not defining it there is that any mechanisms can be used.  Arriving at
> this conclusion leaves us looking at e.g. dyndns's protocol.  I think
> it's one of the worst alternatives in this context:  dnsmasq often runs
> in local link areas, where people can easily snoop the credentials, and
> it mocks up an HTTP server, which is quite complicated for this task.

That's why I think my HTTP+nsupdate hack was better than DynDNS's 
protocol. No special client needed, just a web browser (or a 
scriptable HTTP client like wget(1).)

> A much simpler approach would be for the client to send the
> base64(sha1("user:password:hostname")) (a hash of user, password and
> desired, preregistered hostname) to some special host and maybe wait for
> the ACK.  That could be decoupled from dnsmasq, which is probably not
> the right place to implement it.

Agreed. I can think of many hacks, any of which would be preferable 
to adding a non-standard protocol to dnsmasq.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header



Re: [Dnsmasq-discuss] Problems with dnsmasq configuration

2010-06-25 Thread richardvo...@gmail.com
On Fri, Jun 25, 2010 at 8:22 AM, Danijel Šili  wrote:
> Ok, I found out named is part of bind9 so I uninstalled that and now dnsmasq
> starts up normally. I also gave static IP to all 3 interfaces and now I have
> internet connection on my linux box and my other computers see each other
> and linux box normally, but no internet connection there. Probably problem
> with iptables so I'll take this now to ubuntuforums
> (http://ubuntuforums.org/showthread.php?p=9509066).
>
> Thanks for the help

Glad things are working.

Sounds like there is a small bug in dnsmasq if the error was that the
DNS port was in use but the message mentioned the DHCP port.  Whenever
Simon sees this thread I'm sure he'll make any necessary fixes.


>
> P.S.
> sorry for replying, haven't used mailing lists on gmail yet.
>
>>Taking this back to the list.
>>
>>http://linux.die.net/man/8/named
>>
>>Also, running netstat *should* have showed you not only what network
>>programs were running, but what port numbers they were using.
>>Depending on what parameters you used, you might get well-known ports
>>as names or numbers -- dns is 53 and dhcp uses the bootp ports, 67 and
>>68.
>>
>>If you want to use dnsmasq in the dns caching role, then yes you'll
>>want to disable or uninstall named.
>>
>>
>>On Fri, Jun 25, 2010 at 12:01 AM, Danijel Šili  wrote:
>>>
>>>> named looks like a conflict for the DNS port, don't see any DHCP
>>>> conflicts
>>>>
>>>> If you wanted to use DHCP only, no DNS, try using the "port=0" option.
>>>
>>> If I wanted DHCP only I would've used dhcp3-server
>>> I don't even know what named is, and I don't think I installed it myself,
>>> should I just remove it?
>>>
>>>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
>



Re: [Dnsmasq-discuss] Problems with dnsmasq configuration

2010-06-25 Thread Danijel Šili
Ok, I found out named is part of bind9 so I uninstalled that and now dnsmasq
starts up normally. I also gave static IP to all 3 interfaces and now I have
internet connection on my linux box and my other computers see each other
and linux box normally, but no internet connection there. Probably problem
with iptables so I'll take this now to ubuntuforums
(http://ubuntuforums.org/showthread.php?p=9509066).

Thanks for the help

P.S.
sorry for replying, haven't used mailing lists on gmail yet.

>Taking this back to the list.
>
>http://linux.die.net/man/8/named
>
>Also, running netstat *should* have showed you not only what network
>programs were running, but what port numbers they were using.
>Depending on what parameters you used, you might get well-known ports
>as names or numbers -- dns is 53 and dhcp uses the bootp ports, 67 and
>68.
>
>If you want to use dnsmasq in the dns caching role, then yes you'll
>want to disable or uninstall named.
>
>
>On Fri, Jun 25, 2010 at 12:01 AM, Danijel Šili  wrote:
>>
>>> named looks like a conflict for the DNS port, don't see any DHCP
>>> conflicts
>>>
>>> If you wanted to use DHCP only, no DNS, try using the "port=0" option.
>>
>> If I wanted DHCP only I would've used dhcp3-server
>> I don't even know what named is, and I don't think I installed it myself,
>> should I just remove it?
>>
>>


Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-25 Thread Alberto Cuesta-Canada
Hi /dev/rob0,
 
I'm no expert in network protocols, and DNS is just one of the many things I 
need to manage. I run dnsmasq precisely for its simplicity and ease of use, and 
most of the research below was made by a workmate (cc'ed), so I could be asking 
stupid questions; apologies in advance :)
 
I blame Microsoft for me wanting a Dynamic DNS protocol. I need single sign-on 
security for a datacenter that involves Windows 2008, XenServer and Ubuntu 
machines; Active Directory can be used for all of them, so I decided to give it 
a try. The problem is that Active Directory is designed to run with the Windows 
DNS Server service, which uses dynamic DNS to manage a number of records.
 
I definitely don't want to use the Windows DNS server, so I wondered if I could 
trick Active Directory into using dnsmasq as its DNS server. I think dynamic DNS is 
not implemented, and I'd say it will never be, but it still looks like a worthy 
discussion item.
 
Probably I'll need to research a kerberos-based single sign-on system instead 
and run authentication from a linux server, anyway.
 
Cheers,
 
/dev/rob0 wrote:

> On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:
>
>> are there any plans of implementing Dynamic DNS for dnsmasq?
>> 
>> There is a perl script that adds that functionality here:
>> http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl 
>> 
>>  
>
> I don't understand all the desire to invent new protocols for dynamic
> DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
> protocol, it should be RFC 2136. Dyndns.org's protocol is not a
> standard.
>
> Some years back, before I really understood 2136, I wrote a perl/CGI
> frontend for nsupdate(8) which does something similar without
> exposing another root-owned TCP socket to the world. By means of
> permissions on a copy of the key, I was able to allow the httpd(8)
> user to run nsupdate after authenticating the user.
>
> Another thing I'm not understanding is why is this needed? Are you
> running dnsmasq as authoritative nameserver for the world? I hope
> Simon will correct me if I'm wrong, but I don't see that as a
> typical role for dnsmasq.
 
Alberto Cuesta-Canada
GaaS Team Lead
Excelian Ltd.
+44 (0) 7942633361


Re: [Dnsmasq-discuss] Having problems using cmd line --not getting static-route option

2010-06-25 Thread richardvo...@gmail.com
On Thu, Jun 24, 2010 at 11:07 PM,   wrote:
> Hello,
>
> Hopefully someone can help me out.  I'm running dnsmasq version 2.55 on
> Linux 2.6.28.
> Starting it with a command line argument in the following fashion (I split
> up the line for easier reading):
>
> /usr/local/sbin/dnsmasq -o -f -b -D --clear-on-reload -Q 2007 -i eth0
> -F interface:eth0,set:eth_intf,192.168.13.100,192.168.13.150,60
> --dhcp-option=tag:eth_intf,option:static-route,192.168.13.31,192.168.13.31
>
> The DHCP gets served up fine but wireshark does not show the static-route
> option getting served up.  If I understand correctly, any
>
> Any ideas?

From the man page:

--dhcp-option-force=[tag:,[tag:,]][encap:,][vi-encap:,][vendor:[],],[[,]]
This works in exactly the same way as --dhcp-option except that the
option will always be sent, even if the client does not ask for it in
the parameter request list. This is sometimes needed, for example when
sending options to PXELinux.


>
> Thanks,
>
> KF
>
>
>



Re: [Dnsmasq-discuss] Problems with dnsmasq configuration

2010-06-25 Thread richardvo...@gmail.com
Taking this back to the list.

http://linux.die.net/man/8/named

Also, running netstat *should* have showed you not only what network
programs were running, but what port numbers they were using.
Depending on what parameters you used, you might get well-known ports
as names or numbers -- dns is 53 and dhcp uses the bootp ports, 67 and
68.

If you want to use dnsmasq in the dns caching role, then yes you'll
want to disable or uninstall named.


On Fri, Jun 25, 2010 at 12:01 AM, Danijel Šili  wrote:
>
>> named looks like a conflict for the DNS port, don't see any DHCP conflicts
>>
>> If you wanted to use DHCP only, no DNS, try using the "port=0" option.
>
> If I wanted DHCP only I would've used dhcp3-server
> I don't even know what named is, and I don't think I installed it myself,
> should I just remove it?
>
>



Re: [Dnsmasq-discuss] Having problems using cmd line --not getting static-route option

2010-06-25 Thread kfriedman


Hello,
 
Hopefully someone can help me out.  I'm running dnsmasq version 2.55 on Linux 
2.6.28.
Starting it with a command line argument in the following fashion (I split up 
the line for easier reading):
 
/usr/local/sbin/dnsmasq -o -f -b -D --clear-on-reload -Q 2007 -i eth0 
-F interface:eth0,set:eth_intf,192.168.13.100,192.168.13.150,60 
--dhcp-option=tag:eth_intf,option:static-route,192.168.13.31,192.168.13.31
 
The DHCP gets served up fine but wireshark does not show the static-route 
option getting served up.  If I understand correctly, any 
 
Any ideas?
 
Thanks,
 
KF
  
 
 

Re: [Dnsmasq-discuss] Problems with dnsmasq configuration

2010-06-25 Thread richardvo...@gmail.com
On Thu, Jun 24, 2010 at 5:05 PM, Danijel Šili  wrote:
> I'm 99% sure this is due to me not doing something right, but seeing as
> nobody on ubuntuforums ( http://ubuntuforums.org/showthread.php?p=9504944 )
> was able to help me, I wanted to ask here for help.
>
> My config is:
> # /etc/dnsmasq.conf
>
> domain-needed
> bogus-priv
> address=/doubleclick.net/127.0.0.1
> except-interface=eth0
> dhcp-range=interface:eth1,192.168.1.10,192.168.1.127,12h
> dhcp-range=interface:eth2,192.168.2.10,192.168.2.127,12h
> log-queries
>
> (eth0 is lan card toward ADSL router, eth1 is lan card toward wireless AP,
> and eth2 is lan card toward wired switch)
>
> Every time I start dnsmasq I get "failed to bind DHCP server socket: Address
> already in use". Googling this error for dnsmasq prompted me to run "netstat
> -antuevp" (and netstat with various other parameters) as well as "lsof -i"
> and I always got only portmap, rpc.statd, smbd, sshd, mysqld, named, samba
> and apache2 in the list of programs. I used to have dhcpd but I did remove
> it.

named looks like a conflict for the DNS port, don't see any DHCP conflicts

If you wanted to use DHCP only, no DNS, try using the "port=0" option.

>
> Thanks for any help you might be able to give.
>