Re: [Dnsmasq-discuss] dns server
I'm not sure if NetworkManager's version is better or worse for your case. My understanding was that it is specifically configured to provide DNS services to the localhost only. I think you should install the regular dnsmasq for your distro if you are using it as a core service for your whole network. On Debian-based systems, for example:

$ sudo apt-get install dnsmasq

The /etc/dnsmasq.conf file for Debian contains lots of useful defaults as well as verbose comments above almost every option.

On Tue, Apr 14, 2015 at 7:15 PM, Thiago Farina wrote:
> On Tue, Apr 14, 2015 at 10:56 PM, Linux Luser wrote:
> > Are you running dnsmasq through NetworkManager on the server or the client?
>
> Yes, I'm running it through NetworkManager on the server. :/
>
> I have this in my NetworkManager.conf:
>
> $ cat /etc/NetworkManager/NetworkManager.conf
> [main]
> plugins=ifupdown,keyfile
> dns=dnsmasq
>
> no-auto-default=84:2B:2B:7C:96:69,
>
> [ifupdown]
> managed=false
>
> Is it better to run it standalone? How can I change this?
>
> > The version of dnsmasq for NetworkManager is compiled with different options
> > than standard dnsmasq installs (those that come as a package for a distro).
> >
> > If the /etc/dnsmasq.conf file you showed is the one that's on your server,
> > then you need to supply at least one more 'server' option to specify an
> > upstream server for queries that dnsmasq doesn't know the answers to.
> >
> > So, in addition to "server=/mydomain.org/192.168.0.101", you need to add:
> >
> > server=8.8.8.8
> >
> > That will tell dnsmasq to forward queries it doesn't know about upstream.
> > You can have more than one 'server=' line.
>
> Right. I will add this line to dnsmasq.conf as well.
>
> --
> Thiago Farina

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] dns server
On Tue, Apr 14, 2015 at 10:56 PM, Linux Luser wrote:
> Are you running dnsmasq through NetworkManager on the server or the client?

Yes, I'm running it through NetworkManager on the server. :/

I have this in my NetworkManager.conf:

$ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile
dns=dnsmasq

no-auto-default=84:2B:2B:7C:96:69,

[ifupdown]
managed=false

Is it better to run it standalone? How can I change this?

> The version of dnsmasq for NetworkManager is compiled with different options
> than standard dnsmasq installs (those that come as a package for a distro).
>
> If the /etc/dnsmasq.conf file you showed is the one that's on your server,
> then you need to supply at least one more 'server' option to specify an
> upstream server for queries that dnsmasq doesn't know the answers to.
>
> So, in addition to "server=/mydomain.org/192.168.0.101", you need to add:
>
> server=8.8.8.8
>
> That will tell dnsmasq to forward queries it doesn't know about upstream.
> You can have more than one 'server=' line.

Right. I will add this line to dnsmasq.conf as well.

--
Thiago Farina
Re: [Dnsmasq-discuss] dns server
Are you running dnsmasq through NetworkManager on the server or the client?

The version of dnsmasq for NetworkManager is compiled with different options than standard dnsmasq installs (those that come as a package for a distro).

If the /etc/dnsmasq.conf file you showed is the one that's on your server, then you need to supply at least one more 'server' option to specify an upstream server for queries that dnsmasq doesn't know the answers to.

So, in addition to "server=/mydomain.org/192.168.0.101", you need to add:

server=8.8.8.8

That will tell dnsmasq to forward queries it doesn't know about upstream. You can have more than one 'server=' line.

On Tue, Apr 14, 2015 at 6:25 PM, Thiago Farina wrote:
> On Tue, Apr 14, 2015 at 9:51 PM, Linux Luser wrote:
> > host-record will define a single A record for your local network. For all
> > others, you will need to specify an upstream DNS server. Example:
> >
> > server=8.8.8.8
> > server=8.8.4.4
> >
> > expand-host, domain and local should be optional (though, you probably want
> > to specify a domain name for your local network) if we're still just talking
> > about DNS.
>
> I'm trying everything, but nothing is working from other machines. Sigh.
>
> $ cat /etc/dnsmasq.conf
> #listen-address=127.0.0.1
> domain-needed
> bogus-priv
> server=/mydomain.org/192.168.0.101
> local=/mydomain.org/
> domain=mydomain.org
>
> $ ps ax | grep dns
> 17432 ?        S      0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus --conf-dir=/etc/NetworkManager/dnsmasq.d
>
> So I put mydomain.org.conf in dnsmasq.d
>
> $ cat /etc/NetworkManager/dnsmasq.d/mydomain.org.conf
> server=/mydomain.org/192.168.0.101
>
> Chrome error's code is: DNS_PROBE_FINISHED_BAD_CONFIG
>
> --
> Thiago Farina

--
daV.e

"The reasonable man adapts himself to the conditions that surround him... The unreasonable man adapts surrounding conditions to himself... All progress depends on the unreasonable man." Bernard Shaw
Re: [Dnsmasq-discuss] dns server
On Tue, Apr 14, 2015 at 9:51 PM, Linux Luser wrote:
> host-record will define a single A record for your local network. For all
> others, you will need to specify an upstream DNS server. Example:
>
> server=8.8.8.8
> server=8.8.4.4
>
> expand-host, domain and local should be optional (though, you probably want
> to specify a domain name for your local network) if we're still just talking
> about DNS.

I'm trying everything, but nothing is working from other machines. Sigh.

$ cat /etc/dnsmasq.conf
#listen-address=127.0.0.1
domain-needed
bogus-priv
server=/mydomain.org/192.168.0.101
local=/mydomain.org/
domain=mydomain.org

$ ps ax | grep dns
17432 ?        S      0:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus --conf-dir=/etc/NetworkManager/dnsmasq.d

So I put mydomain.org.conf in dnsmasq.d

$ cat /etc/NetworkManager/dnsmasq.d/mydomain.org.conf
server=/mydomain.org/192.168.0.101

Chrome error's code is: DNS_PROBE_FINISHED_BAD_CONFIG

--
Thiago Farina
Re: [Dnsmasq-discuss] dns server
host-record will define a single A record for your local network. For all others, you will need to specify an upstream DNS server. Example:

server=8.8.8.8
server=8.8.4.4

expand-host, domain and local should be optional (though, you probably want to specify a domain name for your local network) if we're still just talking about DNS.

On Tue, Apr 14, 2015 at 4:57 PM, Thiago Farina wrote:
> On Tue, Apr 14, 2015 at 8:45 PM, Linux Luser wrote:
> > Wouldn't host-record work?
> >
> > host-record=mydomain.org,192.168.0.101
>
> Just that? No expand-host, domain=, local, address are necessary?
>
> > If the hosts on your network are configured to use your dnsmasq instance for
> > DNS, then they will get back 192.168.0.101 when doing a lookup for
> > mydomain.org.
>
> Will they still be able to navigate to any other site (the ones
> outside my network, i.e., in the internet)?
>
> --
> Thiago Farina

--
daV.e

"The reasonable man adapts himself to the conditions that surround him... The unreasonable man adapts surrounding conditions to himself... All progress depends on the unreasonable man." Bernard Shaw
Re: [Dnsmasq-discuss] dns server
Wouldn't host-record work?

host-record=mydomain.org,192.168.0.101

If the hosts on your network are configured to use your dnsmasq instance for DNS, then they will get back 192.168.0.101 when doing a lookup for mydomain.org.

On Tue, Apr 14, 2015 at 4:09 PM, Thiago Farina wrote:
> Hi,
>
> First of all, sorry for asking here in this mailing list. I tried to
> find the answer googling for it, but failed.
>
> I didn't find a way to search the archives of this mailing list
> either, so hence I'm posting here.
>
> I hope someone can help me.
>
> This was probably asked and answered many times before, so if you have
> points for it, please send it my way.
>
> I'm trying to configure dnsmasq as my dns server in my home network.
>
> I have a cisco dpc3825 router (ip 192.168.0.1) that connects to the
> internet, an Ubuntu server where I want to run dnsmasq on ip
> 192.168.0.101, and a bunch of other machines in the network.
>
> I know how to change the router to point to ubuntu server as a primary
> dns. That is not the problem. The problem is the configuration of
> dnsmasq.conf.
>
> I have a nginx running and serving a static site on this ubuntu
> server. What I want is that dnsmasq translate to the other machines in
> my network when they type mydomain.org to the ip address of my ubuntu
> server which is running nginx, so they should be able to see my site
> in my local network.
>
> I believe the configuration on the router should be something like:
>
> Primary DNS: 192.168.0.101
> Secondary DNS: 8.8.8.8
> Ternary DNS: 8.8.4.4
>
> But what about dnsmasq.conf? How should I configure it?
>
> Currently it has the following content:
> $ cat /etc/dnsmasq.conf
> listen-address=127.0.0.1
>
> --
> Thiago Farina

--
daV.e

"The reasonable man adapts himself to the conditions that surround him... The unreasonable man adapts surrounding conditions to himself... All progress depends on the unreasonable man." Bernard Shaw
Re: [Dnsmasq-discuss] dns server
On Tue, Apr 14, 2015 at 8:45 PM, Linux Luser wrote:
> Wouldn't host-record work?
>
> host-record=mydomain.org,192.168.0.101

Just that? No expand-host, domain=, local, address are necessary?

> If the hosts on your network are configured to use your dnsmasq instance for
> DNS, then they will get back 192.168.0.101 when doing a lookup for
> mydomain.org.

Will they still be able to navigate to any other site (the ones outside my network, i.e., in the internet)?

--
Thiago Farina
[Dnsmasq-discuss] dns server
Hi,

First of all, sorry for asking here in this mailing list. I tried to find the answer googling for it, but failed.

I didn't find a way to search the archives of this mailing list either, so hence I'm posting here.

I hope someone can help me.

This was probably asked and answered many times before, so if you have points for it, please send it my way.

I'm trying to configure dnsmasq as my dns server in my home network.

I have a cisco dpc3825 router (ip 192.168.0.1) that connects to the internet, an Ubuntu server where I want to run dnsmasq on ip 192.168.0.101, and a bunch of other machines in the network.

I know how to change the router to point to ubuntu server as a primary dns. That is not the problem. The problem is the configuration of dnsmasq.conf.

I have a nginx running and serving a static site on this ubuntu server. What I want is that dnsmasq translate to the other machines in my network when they type mydomain.org to the ip address of my ubuntu server which is running nginx, so they should be able to see my site in my local network.

I believe the configuration on the router should be something like:

Primary DNS: 192.168.0.101
Secondary DNS: 8.8.8.8
Ternary DNS: 8.8.4.4

But what about dnsmasq.conf? How should I configure it?

Currently it has the following content:
$ cat /etc/dnsmasq.conf
listen-address=127.0.0.1

--
Thiago Farina
[Dnsmasq-discuss] [PATCH] fix segfault when using tftp_no_fail
This change prevents dnsmasq from calling closedir() on an invalid pointer (which happens if the TFTP directory cannot be opened). The 'else' was probably accidentally dropped while applying and refactoring patch 30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2.

Signed-off-by: Stefan Tomanek
---
src/dnsmasq.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c index a7c5da8..20b15c0 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -655,7 +655,8 @@ int main (int argc, char **argv) _exit(0); } } - closedir(dir); + else + closedir(dir); } for (p = daemon->if_prefix; p; p = p->next) @@ -670,7 +671,8 @@ int main (int argc, char **argv) _exit(0); } } - closedir(dir); + else + closedir(dir); } } #endif -- 2.1.4
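Review bot: in both hunks the correctness of the fix rests on the new `else` binding to the right `if`. The visible context is `_exit(0); } }` followed by `else closedir(dir);`, so the `else` attaches to the outer block, which has to be the branch taken when the directory could not be opened; the inner block (the non-tftp_no_fail path ending in `_exit(0)`) also closes with a brace immediately before it, so the pairing is easy to misread, and the commit message says it was already lost once during a refactor. Writing the cleanup as `if (dir) closedir(dir);` does not depend on the brace structure and survives the next refactor. Since the second hunk (the `daemon->if_prefix` loop at line 670) is identical to the first, the open/check/close sequence could also be pulled into one helper rather than patched in two places.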
Re: [Dnsmasq-discuss] dnsmsaq potential vulnerability
For the current vulnerability CVE-2015-3294 will be used.

On 10 April 2015 at 22:41, Nick Sampanis wrote:
> You are welcome. As I stated, the return value of setup_reply will be
> used as a size argument which might be a positive 32 bit value. It seems
> that two things can occur from that point.
>
> In case of a high integer write might return -1 with errno equal to
> EFAULT, in that case nothing significant happens from attacker's
> perspective. Otherwise m size bytes will be send to the attacker, which
> will reveal data, allocated after packet's allocation or previously
> freed data, which has not been initialized (zeroed out)
>
> On 9 April 2015 at 23:56, Simon Kelley wrote:
>
>> Thanks for this. The error is obvious, and I've just committed the
>> fix, to check the return value of skip_questions() in setup_reply().
>>
>> This is a potential DoS attack, but I'm not clear if it's worse than
>> that. The ability to read the dnsmasq heap seems to depend on details
>> on the address-space layout over which the attacker has no control.
>> (Plus, there's really not much in a dnsmasq process worth learning:
>> all the data in the cache is available with a DNS query anyway!) Or am
>> I being naive?
>>
>> Cheers,
>>
>> Simon.
>>
>> On 07/04/15 08:49, Nick Sampanis wrote:
>> > Dear sirs, I discovered one potential vulnerability in dnsmasq.
>> > More specifically, in tcp_request(), setup_reply() gets called and
>> > the returned value is used as a size argument in a write function.
>> >
>> > m = setup_reply(header, (unsigned int)size, addrp, flags,
>> >                 daemon->local_ttl);
>> > read_write(confd, packet, m + sizeof(u16), 0))
>> >
>> > Although, setup_reply can't return a size variable greater than
>> > packet[65535+ MAXDNAME + RRFIXEDSZ + sizeof(u16))], an ignored
>> > error value(NULL) of skip_questions() might lead to a negative
>> > pointer value(-header)
>> >
>> > size_t setup_reply(struct dns_header *header, size_t qlen,
>> >                    struct all_addr *addrp, unsigned int flags,
>> >                    unsigned long ttl)
>> > {
>> >   unsigned char *p = skip_questions(header, qlen);
>> >   return p - (unsigned char *)header;
>> > }
>> >
>> > read_write checks if the size argument is positive. In case of a 32
>> > bit system size_t m would be 4 bytes and read_write will
>> > automatically exit. In case of 64 bit system size_t m is 8 bytes
>> > and may turn to positive if the sign bit of the 32 bit value is 0.
>> >
>> > If m is less than 0x8000, dnsmasq will be exploited by
>> > a potential attacker who will remotely read dnsmasq heap until it
>> > crashes. If the above condition is not met, dnsmasq exits
>> > properly.