Re: [Dnsmasq-discuss] No more random source port
Hello,

On Tue, 21 Mar 2017 14:30:28 +0200, Risto Suominen wrote:

> Zyxel doesn't have a problem with same source port:
>
> https://www.dropbox.com/s/wxdl480hwr39j12/dns-03.pcap?dl=1
>
> Same commands as in pcap-01.
>
> Risto

I can't see why your dnsmasq would only use one port. This would be the behavior for -Q0 (or -Q45807), but your dnsmasq does not have this option in its command line. Did you check AppArmor or SELinux?

Kind regards,
-- 
Albert.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] Limiting the number of IP addressess in DNS reply
Hello everyone,

we are using dnsmasq with a local hosts file, which lists all servers providing a given service. So the hosts file looks something like this:

    172.26.1.245 service1
    172.26.1.246 service1
    172.26.1.247 service1
    172.26.1.248 service1
    172.26.1.249 service2
    ...

In this case, dnsmasq returns a list of IP addresses when you query for service1, and the list is randomized (or shifted by one apparently, which is OK), so it serves as a primitive load balancer too, because the apps will pick the first one. All is well.

But the problem arises when there are many servers that provide service1. Because dnsmasq returns all of the IPs, the response does not fit into a UDP packet (I assume) and some of the client apps have problems with that. For example, dig will work, but will print at the beginning:

    ;; Truncated, retrying in TCP mode.

As I wrote, some apps that we have little control over cannot cope with that.

Now the question: can dnsmasq be made to return only a limited number of addresses? Three would be enough, as long as they would be more or less randomly distributed in each request.

Thanks for any ideas on how to solve this.

Michal
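As an added illustration for the question above (this is not Michal's setup and not dnsmasq's code), the script below builds a minimal DNS reply for a name with many A records in wire format, so the arithmetic behind "does not fit into a UDP packet" can be checked directly: each compressed A record costs 16 bytes, and once the next record would push the message past the limit the reply is cut and the TC bit is set, which is exactly what makes dig print "Truncated, retrying in TCP mode". Assumed or constructed here: the name "service1", the 172.26.1.x backends, and the 512-byte limit (the RFC 1035 figure for a client that does not advertise an EDNS0 buffer; a client that does, like dig, raises that bound and dnsmasq caps what it advertises with --edns-packet-max).

```python
# Added worked example for the thread above; not Michal's configuration and
# not dnsmasq source. Builds a DNS reply with N A records and shows where the
# 512-byte UDP limit forces truncation (TC bit) for a client without EDNS0.
# Constructed/assumed: qname "service1", 172.26.1.x backends, UDP_LIMIT=512.
import struct

UDP_LIMIT = 512  # classic DNS/UDP payload limit without EDNS0 (RFC 1035)
A_RR_SIZE = 16   # name pointer (2) + type (2) + class (2) + TTL (4) + rdlength (2) + rdata (4)


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, addrs, txid=0x1234, max_size=UDP_LIMIT, ttl=0):
    """Return (wire, answers_included, truncated).

    Each answer points back at the question name with a compression pointer
    (0xC00C), so it costs A_RR_SIZE bytes. Once the next record would push
    the message past max_size, the remaining records are dropped and TC is set.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    included = 0
    for ip in addrs:
        rr = struct.pack("!HHHIH4B", 0xC00C, 1, 1, ttl, 4, *map(int, ip.split(".")))
        if 12 + len(question) + len(answers) + len(rr) > max_size:
            break
        answers += rr
        included += 1
    truncated = included < len(addrs)
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR|RD|RA, plus TC when cut
    header = struct.pack("!HHHHHH", txid, flags, 1, included, 0, 0)
    return header + question + answers, included, truncated


def is_truncated(wire):
    """Read the TC bit from a reply header; a client that ignores it sees a partial list."""
    return bool(struct.unpack("!H", wire[2:4])[0] & 0x0200)


def max_a_records(qname, max_size=UDP_LIMIT):
    """Largest number of A records that fits in max_size without truncation."""
    return (max_size - 12 - (len(encode_name(qname)) + 4)) // A_RR_SIZE


def first_n_rotated(addrs, n, offset):
    """Round-robin pick of n addresses starting at offset.

    Constructed helper: it mirrors the 'shifted by one' ordering Michal sees,
    applied to a capped list, which is what a reply limited to three would do.
    """
    k = offset % len(addrs)
    return (addrs + addrs)[k:k + n]


if __name__ == "__main__":
    backends = ["172.26.1.%d" % i for i in range(1, 41)]  # constructed: 40 servers
    wire, n, tc = build_response("service1", backends)
    print("%d bytes, %d of %d answers, TC=%s" % (len(wire), n, len(backends), is_truncated(wire)))
    print("max A records without TC:", max_a_records("service1"))
    print("first three, rotated by one:", first_n_rotated(backends, 3, 1))
```

For "service1" the question section is 14 bytes, so 30 A records (506 bytes) still fit and the 31st (522 bytes) does not; a client that cannot retry over TCP and also ignores TC simply acts on the first 30 it received.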
[Dnsmasq-discuss] Blacklist selection per dhcp-host?
I am currently using addn-hosts for DNS blacklisting. All of the DHCP client machines on my network use static assignment via dhcp-host entries in the config file. Running dnsmasq version 2.48 on CentOS 6 (yes, I'm aware it's old, but that seems to be the most recent version in the CentOS 6 repo).

On a few DHCP client machines, the blacklist causes problems because the user of those machines depends upon vendor websites that link to domains in the blacklist. Because I obtain the blacklists from third parties, editing them isn't a great option (assuming I could even figure out which entries to remove). So for those client machines, I am using the "net:" facility with dhcp-options to force them to use a different DNS server, that being my router, which in turn points to the ISP's DNS servers. This is not a very satisfactory work-around, as those clients aren't able to resolve addresses internal to my network.

Is there a way to disable/enable (or select) a blacklist on a per-DHCP-client basis? Can dnsmasq be configured to listen for DNS queries on two network interfaces and apply the blacklist to only one of them? Or run two instances of dnsmasq on two different network interfaces, and only one of them respond to DHCP requests? I can install a newer version of dnsmasq if needed.

Thanks.
-- 
Art Greenberg
a...@artg.tv
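Added example for the question above (not Art's configuration and not dnsmasq's code): the hard part he names is working out which blacklist entries a client's vendor sites actually hit. The script loads a hosts-format list (what addn-hosts reads) together with the address=/domain/ directives from a dnsmasq.conf, and for each name a client depends on reports the entry that would answer it instead of forwarding. It follows dnsmasq's matching rules for these two sources, hosts lines match a name exactly, while address=/example.com/ matches example.com and everything under it with the longest matching domain winning. The file contents are constructed for the demonstration, and the check order (hosts entries before address= directives) is the example's own simplification.

```python
# Added example for Art's question above; not his files and not dnsmasq code.
# Finds which blacklist entry (addn-hosts line or address=/domain/ directive)
# answers a given name, so per-client exceptions can be identified.
# Sample file contents below are constructed for the demonstration.

BLOCKLIST_HOSTS = """\
# constructed sample in hosts / addn-hosts format
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
127.0.0.1 cdn.vendor.example
"""

DNSMASQ_CONF = """\
# constructed sample dnsmasq.conf fragment
interface=eth0
addn-hosts=/etc/dnsmasq.blocklist
address=/doubleclick.example/0.0.0.0
address=/metrics.vendor.example/0.0.0.0
"""


def parse_hosts(text):
    """Return {name: address} for every hosts-format line (exact-name matches)."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            rules[n.lower()] = addr
    return rules


def parse_address_directives(text):
    """Return {domain: address} for every address=/domain/addr line (subtree matches)."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("address="):
            continue
        parts = line[len("address="):].split("/")  # "/dom/addr" -> ["", "dom", "addr"]
        if len(parts) >= 3 and parts[1]:
            rules[parts[1].lower()] = parts[2]
    return rules


def blocked_by(name, hosts_rules, address_rules):
    """Return (source, matching_entry, answer), or None if dnsmasq would forward.

    Hosts entries are checked first (this example's simplification); address=
    directives are checked from the most specific domain to the least specific,
    which is the longest-match behaviour dnsmasq applies to address=/server=.
    """
    name = name.lower().rstrip(".")
    if name in hosts_rules:
        return ("addn-hosts", name, hosts_rules[name])
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in address_rules:
            return ("address=", suffix, address_rules[suffix])
    return None


def entries_needed_by(names, hosts_rules, address_rules):
    """Map each name a client depends on to the blacklist entry that blocks it."""
    return {n: blocked_by(n, hosts_rules, address_rules) for n in names}


if __name__ == "__main__":
    hosts_rules = parse_hosts(BLOCKLIST_HOSTS)
    address_rules = parse_address_directives(DNSMASQ_CONF)
    vendor_names = ["cdn.vendor.example", "api.metrics.vendor.example", "www.vendor.example"]
    for n, hit in entries_needed_by(vendor_names, hosts_rules, address_rules).items():
        print(n, "->", hit if hit else "forwarded upstream")
```

For the two-interface variant in the question, dnsmasq's own interface=, bind-interfaces, no-dhcp-interface= and addn-hosts= options allow a second instance bound to the other interface to run without the blacklist file and without serving DHCP; that pair of configurations is not shown here.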
Re: [Dnsmasq-discuss] No more random source port
Hi,

2017-03-21 16:23 UTC+02.00, /dev/rob0 :
>
> Did you ever show us the contents of this --conf-dir? It could have
> a file with "query-port".
> --

Good point. I forgot. I did check it, though, and the directory was empty.

Risto
Re: [Dnsmasq-discuss] No more random source port
On Mon, Mar 20, 2017 at 09:22:55PM +0200, Risto Suominen wrote:
> 2017-03-20 21:05 UTC+02.00, Albert ARIBAUD :
> >
> > You said the command line did not change. Which is it exactly? I
> > usually do a "cat /proc//cmdline | tr '\0' '\n'"
> > to make sure I see the real command line of the running dnsmasq.
> >
> /usr/sbin/dnsmasq
> --no-resolv
> --keep-in-foreground
> --no-hosts
> --bind-interfaces
> --pid-file=/var/run/NetworkManager/dnsmasq.pid
> --listen-address=127.0.1.1
> --cache-size=0
> --conf-file=/dev/null
> --proxy-dnssec
> --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> --conf-dir=/etc/NetworkManager/dnsmasq.d

Did you ever show us the contents of this --conf-dir? It could have a file with "query-port".

-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: [Dnsmasq-discuss] No more random source port
Zyxel doesn't have a problem with same source port:

https://www.dropbox.com/s/wxdl480hwr39j12/dns-03.pcap?dl=1

Same commands as in pcap-01.

Risto
Re: [Dnsmasq-discuss] No more random source port
Hi Albert,

2017-03-21 0:03 UTC+02.00, Albert ARIBAUD :
>
> Source IP is not the same in both pcaps. 1st pcap queries 8.8.8.8 and
> 192.168.1.1 from 192.168.1.33, while 2nd pcap queries are from
> 192.168.1.100. Can you clarify your network setup?
>

IP is different, but MAC is the same. I'm currently using the Zyxel router (pcap 1), because it's working. With the TP-Link router (pcap 2) I don't reach the Internet, because of the DNS problem. So, I simply plugged my computer into different routers. In both cases the router's DHCP server gave me IP and DNS addresses. Zyxel: 192.168.1.33 and 8.8.8.8 (its own address is 192.168.1.1). TP-Link: 192.168.1.100 and 192.168.1.1 (its own address).

Possibly the problem with TP-Link depends on this behaviour (forwarding DNS requests). (NAT routers typically allocate random ports internally for forwarded requests.) I might change Zyxel's setup so that it gives me its own address as DNS, to see how it behaves in that situation. In TP-Link I have not found a way to do the opposite.

Risto
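The whole "No more random source port" thread turns on one check that was done by hand against the pcaps: do the queries leaving the resolver use a fresh UDP source port each time, or one fixed port, which is what dnsmasq's -Q/--query-port produces (Albert's -Q0 / -Q45807 point) and which matters because a fixed port leaves only the 16-bit transaction ID for an off-path attacker to guess when spoofing a reply. As an added example, not taken from the thread's captures and not dnsmasq code, the script below performs that check offline on a pcap: it walks Ethernet/IPv4/UDP frames, groups queries to port 53 by (client, resolver) pair and lists the source ports each pair used, flagging pairs that reused a single port. The capture it analyses is constructed in-code with the addresses from Risto's description (192.168.1.100 to 192.168.1.1 on one fixed port, 192.168.1.33 to 8.8.8.8 on varying ports) and the port 45807 from Albert's reply; nothing is read from the real dns-0x.pcap files.

```python
# Added example for the source-port thread; not the posted pcaps and not
# dnsmasq code. Reports which UDP source ports each client used towards each
# resolver, so a fixed-port (-Q style) sender stands out. The capture is
# constructed below: little-endian pcap, link type 1 (Ethernet), IPv4/UDP.
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1


def ipv4_header(src, dst, payload_len):
    """Minimal IPv4 header for the constructed capture (checksum left at 0)."""
    def ip(a):
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0, ip(src), ip(dst))


def make_pcap(queries):
    """queries: iterable of (src_ip, sport, dst_ip, dport, txid). Returns pcap bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, (src, sport, dst, dport, txid) in enumerate(queries):
        # constructed query: header with RD set, question example.com A/IN
        dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) \
            + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
        udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
        frame = b"\x00" * 12 + b"\x08\x00" + ipv4_header(src, dst, len(udp)) + udp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_udp(pcap):
    """Yield (src_ip, sport, dst_ip, dport, payload) for each IPv4/UDP frame."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:
            continue                                   # not UDP
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        u = 14 + ihl
        sport, dport, ulen, _ = struct.unpack("!HHHH", frame[u:u + 8])
        yield src, sport, dst, dport, frame[u + 8:u + ulen]


def source_ports(pcap, resolver_port=53):
    """Map (client_ip, resolver_ip) -> sorted list of UDP source ports used."""
    seen = defaultdict(set)
    for src, sport, dst, dport, _ in iter_udp(pcap):
        if dport == resolver_port:
            seen[(src, dst)].add(sport)
    return {k: sorted(v) for k, v in seen.items()}


def fixed_port_flows(pcap, min_queries=2):
    """(client, resolver) pairs whose queries all reused one source port."""
    counts = defaultdict(int)
    for src, sport, dst, dport, _ in iter_udp(pcap):
        if dport == 53:
            counts[(src, dst)] += 1
    return [k for k, ports in source_ports(pcap).items()
            if len(ports) == 1 and counts[k] >= min_queries]


if __name__ == "__main__":
    cap = make_pcap([  # constructed traffic, see the comment at the top
        ("192.168.1.100", 45807, "192.168.1.1", 53, 0x1111),
        ("192.168.1.100", 45807, "192.168.1.1", 53, 0x2222),
        ("192.168.1.33", 52110, "8.8.8.8", 53, 0x3333),
        ("192.168.1.33", 61004, "8.8.8.8", 53, 0x4444),
    ])
    for pair, ports in source_ports(cap).items():
        print("%s -> %s: ports %s" % (pair[0], pair[1], ports))
    print("fixed-port flows:", fixed_port_flows(cap))
```

Run against a real capture (read the file's bytes and pass them to source_ports), a single port in the list for the dnsmasq host's own address to the upstream is the condition Albert describes for -Q; seen only on the router's WAN side, it would instead point at the NAT behaviour Risto mentions, since the port chosen there is the router's, not dnsmasq's.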