Re: [Dnsmasq-discuss] dns server

2015-04-14 Thread Linux Luser
I'm not sure if NetworkManager's version is better or worse for your case.
My understanding was that it is specifically configured to provide DNS
services to the localhost only. I think you should install the regular
dnsmasq for your distro if you are using it as a core service for your
whole network.

On Debian-based systems, for example:

$ sudo apt-get install dnsmasq


The /etc/dnsmasq.conf file for Debian contains lots of useful defaults as
well as verbose comments above almost every option.

On Tue, Apr 14, 2015 at 7:15 PM, Thiago Farina  wrote:

> On Tue, Apr 14, 2015 at 10:56 PM, Linux Luser 
> wrote:
> > Are you running dnsmasq through NetworkManager on the server or the
> > client?
> Yes, I'm running it through NetworkManager on the server. :/
>
> I have this in my NetworkManager.conf:
>
> $ cat /etc/NetworkManager/NetworkManager.conf
> [main]
> plugins=ifupdown,keyfile
> dns=dnsmasq
>
> no-auto-default=84:2B:2B:7C:96:69,
>
> [ifupdown]
> managed=false
>
> Is it better to run it standalone? How can I change this?
>
> > The version of dnsmasq for NetworkManager is compiled with different
> > options than standard dnsmasq installs (those that come as a package for a
> > distro).
> >
> > If the /etc/dnsmasq.conf file you showed is the one that's on your
> > server, then you need to supply at least one more 'server' option to
> > specify an upstream server for queries that dnsmasq doesn't know the
> > answers to.
> >
> > So, in addition to "server=/mydomain.org/192.168.0.101", you need to
> > add:
> >
> > server=8.8.8.8
> >
> > That will tell dnsmasq to forward queries it doesn't know about upstream.
> > You can have more than one 'server=' line.
> >
> >
> Right. I will add this line to dnsmasq.conf as well.
>
> --
> Thiago Farina
>
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dns server

2015-04-14 Thread Thiago Farina
On Tue, Apr 14, 2015 at 10:56 PM, Linux Luser  wrote:
> Are you running dnsmasq through NetworkManager on the server or the client?
Yes, I'm running it through NetworkManager on the server. :/

I have this in my NetworkManager.conf:

$ cat /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile
dns=dnsmasq

no-auto-default=84:2B:2B:7C:96:69,

[ifupdown]
managed=false

Is it better to run it standalone? How can I change this?

> The version of dnsmasq for NetworkManager is compiled with different options
> than standard dnsmasq installs (those that come as a package for a distro).
>
> If the /etc/dnsmasq.conf file you showed is the one that's on your server,
> then you need to supply at least one more 'server' option to specify an
> upstream server for queries that dnsmasq doesn't know the answers to.
>
> So, in addition to "server=/mydomain.org/192.168.0.101", you need to add:
>
> server=8.8.8.8
>
> That will tell dnsmasq to forward queries it doesn't know about upstream.
> You can have more than one 'server=' line.
>
>
Right. I will add this line to dnsmasq.conf as well.

-- 
Thiago Farina



Re: [Dnsmasq-discuss] dns server

2015-04-14 Thread Linux Luser
Are you running dnsmasq through NetworkManager on the server or the client?
The version of dnsmasq for NetworkManager is compiled with different
options than standard dnsmasq installs (those that come as a package for a
distro).

If the /etc/dnsmasq.conf file you showed is the one that's on your server,
then you need to supply at least one more 'server' option to specify an
upstream server for queries that dnsmasq doesn't know the answers to.

So, in addition to "server=/mydomain.org/192.168.0.101", you need to add:

server=8.8.8.8

That will tell dnsmasq to forward queries it doesn't know about upstream.
You can have more than one 'server=' line.


On Tue, Apr 14, 2015 at 6:25 PM, Thiago Farina  wrote:

> On Tue, Apr 14, 2015 at 9:51 PM, Linux Luser  wrote:
> > host-record will define a single A record for your local network. For all
> > others, you will need to specify an upstream DNS server. Example:
> >
> > server=8.8.8.8
> > server=8.8.4.4
> >
> > expand-host, domain and local should be optional (though, you probably
> > want to specify a domain name for your local network) if we're still just
> > talking about DNS.
> >
> I'm trying everything, but nothing is working from other machines. Sigh.
>
> $ cat /etc/dnsmasq.conf
> #listen-address=127.0.0.1
> domain-needed
> bogus-priv
> server=/mydomain.org/192.168.0.101
> local=/mydomain.org/
> domain=mydomain.org
>
> $ ps ax | grep dns
> 17432 ?S  0:00 /usr/sbin/dnsmasq --no-resolv
> --keep-in-foreground --no-hosts --bind-interfaces
> --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid
> --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf
> --cache-size=0 --proxy-dnssec --enable-dbus
> --conf-dir=/etc/NetworkManager/dnsmasq.d
>
> So I put mydomain.org.conf in dnsmasq.d
>
> $ cat /etc/NetworkManager/dnsmasq.d/mydomain.org.conf
> server=/mydomain.org/192.168.0.101
>
> Chrome's error code is: DNS_PROBE_FINISHED_BAD_CONFIG
>
> --
> Thiago Farina
>



-- 
daV.e

"The reasonable man adapts himself to the conditions that surround him...
The unreasonable man adapts surrounding conditions to himself... All
progress depends on the unreasonable man." Bernard Shaw


Re: [Dnsmasq-discuss] dns server

2015-04-14 Thread Thiago Farina
On Tue, Apr 14, 2015 at 9:51 PM, Linux Luser  wrote:
> host-record will define a single A record for your local network. For all
> others, you will need to specify an upstream DNS server. Example:
>
> server=8.8.8.8
> server=8.8.4.4
>
> expand-host, domain and local should be optional (though, you probably want
> to specify a domain name for your local network) if we're still just talking
> about DNS.
>
I'm trying everything, but nothing is working from other machines. Sigh.

$ cat /etc/dnsmasq.conf
#listen-address=127.0.0.1
domain-needed
bogus-priv
server=/mydomain.org/192.168.0.101
local=/mydomain.org/
domain=mydomain.org

$ ps ax | grep dns
17432 ?S  0:00 /usr/sbin/dnsmasq --no-resolv
--keep-in-foreground --no-hosts --bind-interfaces
--pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid
--listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf
--cache-size=0 --proxy-dnssec --enable-dbus
--conf-dir=/etc/NetworkManager/dnsmasq.d

So I put mydomain.org.conf in dnsmasq.d

$ cat /etc/NetworkManager/dnsmasq.d/mydomain.org.conf
server=/mydomain.org/192.168.0.101

Chrome's error code is: DNS_PROBE_FINISHED_BAD_CONFIG

-- 
Thiago Farina



Re: [Dnsmasq-discuss] dns server

2015-04-14 Thread Linux Luser
host-record will define a single A record for your local network. For all
others, you will need to specify an upstream DNS server. Example:

server=8.8.8.8
server=8.8.4.4

expand-host, domain and local should be optional (though, you probably want
to specify a domain name for your local network) if we're still just
talking about DNS.

On Tue, Apr 14, 2015 at 4:57 PM, Thiago Farina  wrote:

> On Tue, Apr 14, 2015 at 8:45 PM, Linux Luser  wrote:
> > Wouldn't host-record work?
> >
> > host-record=mydomain.org,192.168.0.101
> >
> Just that? No expand-host, domain=, local, address are necessary?
>
> > If the hosts on your network are configured to use your dnsmasq instance
> > for DNS, then they will get back 192.168.0.101 when doing a lookup for
> > mydomain.org.
> >
> Will they still be able to navigate to any other site (the ones
> outside my network, i.e., in the internet)?
>
> --
> Thiago Farina
>



-- 
daV.e

"The reasonable man adapts himself to the conditions that surround him...
The unreasonable man adapts surrounding conditions to himself... All
progress depends on the unreasonable man." Bernard Shaw


Re: [Dnsmasq-discuss] dns server

2015-04-14 Thread Linux Luser
Wouldn't host-record work?

host-record=mydomain.org,192.168.0.101

If the hosts on your network are configured to use your dnsmasq instance
for DNS, then they will get back 192.168.0.101 when doing a lookup for
mydomain.org.


On Tue, Apr 14, 2015 at 4:09 PM, Thiago Farina  wrote:

> Hi,
>
> First of all, sorry for asking here in this mailing list. I tried to
> find the answer googling for it, but failed.
>
> I didn't find a way to search the archives of this mailing list
> either, hence I'm posting here.
>
> I hope someone can help me.
>
> This was probably asked and answered many times before, so if you have
> points for it, please send it my way.
>
> I'm trying to configure dnsmasq as my dns server in my home network.
>
> I have a cisco dpc3825 router (ip 192.168.0.1) that connects to the
> internet, an Ubuntu server where I want to run dnsmasq on ip
> 192.168.0.101, and a bunch of other machines in the network.
>
> I know how to change the router to point to ubuntu server as a primary
> dns. That is not the problem. The problem is the configuration of
> dnsmasq.conf.
>
> I have nginx running and serving a static site on this Ubuntu
> server. What I want is for dnsmasq to translate mydomain.org, when the
> other machines in my network type it, to the IP address of my Ubuntu
> server which is running nginx, so they should be able to see my site
> in my local network.
>
> I believe the configuration on the router should be something like:
>
> Primary DNS: 192.168.0.101
> Secondary DNS: 8.8.8.8
> Ternary DNS: 8.8.4.4
>
>
> But what about dnsmasq.conf? How should I configure it?
>
> Currently it has the following content:
> $ cat /etc/dnsmasq.conf
> listen-address=127.0.0.1
>
> --
> Thiago Farina
>
>



-- 
daV.e

"The reasonable man adapts himself to the conditions that surround him...
The unreasonable man adapts surrounding conditions to himself... All
progress depends on the unreasonable man." Bernard Shaw
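
As an added example (not dnsmasq's own code, and not from anyone in the thread), here is a simplified C model of how dnsmasq chooses what to do with a query name under the options the replies above discuss: `host-record=` answers an exact name, `server=/domain/IP` forwards names under that domain, and a plain `server=IP` is the upstream for everything else. The names (`route`, `in_domain`, `struct conf_line`) are assumptions for the example; `local=`, `domain=` and `expand-hosts` are left out of the model, and it shows that the posted `server=/mydomain.org/192.168.0.101` line forwards the local name back to the dnsmasq host itself rather than answering it.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of dnsmasq's query routing; all names here are assumptions
 * for the example. Case folding of DNS names is left out. */
enum action { ANSWER_LOCAL, FORWARD_DOMAIN, FORWARD_DEFAULT, NO_UPSTREAM };

/* One config line: domain is NULL for a plain server=IP line. */
struct conf_line { const char *name; const char *domain; const char *value; };

/* True when qname is `domain` itself or a name below it. */
static int in_domain(const char *qname, const char *domain)
{
    size_t n = strlen(qname), d = strlen(domain);
    if (n < d || strcmp(qname + n - d, domain) != 0)
        return 0;
    return n == d || qname[n - d - 1] == '.';  /* label boundary: notmydomain.org fails */
}

/* Decide what happens to qname; *target receives the address answered with or
 * forwarded to, or NULL when there is nowhere to send the query. */
enum action route(const struct conf_line *opts, size_t n, const char *qname,
                  const char **target)
{
    const struct conf_line *best = NULL, *fallback = NULL;
    for (size_t i = 0; i < n; i++) {
        const struct conf_line *o = &opts[i];
        if (!strcmp(o->name, "host-record")) {      /* exact name -> local A record */
            if (!strcmp(o->domain, qname)) { *target = o->value; return ANSWER_LOCAL; }
        } else if (!strcmp(o->name, "server") && !o->domain) {
            fallback = o;                           /* upstream for everything else */
        } else if (!strcmp(o->name, "server") && in_domain(qname, o->domain)
                   && (!best || strlen(o->domain) > strlen(best->domain))) {
            best = o;                               /* most specific domain wins */
        }
    }
    if (best) { *target = best->value; return FORWARD_DOMAIN; }
    *target = fallback ? fallback->value : NULL;
    return fallback ? FORWARD_DEFAULT : NO_UPSTREAM;
}

/* dnsmasq.conf as posted in the thread: the only server= line is domain-scoped
 * and points at 192.168.0.101, the host dnsmasq itself runs on, so the local
 * name is forwarded back to that host instead of being answered. */
static const struct conf_line posted_conf[] = {
    { "server", "mydomain.org", "192.168.0.101" },
};

/* What the replies suggest: answer the local name directly and give every other query an upstream. */
static const struct conf_line fixed_conf[] = {
    { "host-record", "mydomain.org", "192.168.0.101" },
    { "server", NULL, "8.8.8.8" },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
```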


Re: [Dnsmasq-discuss] dns server

2015-04-14 Thread Thiago Farina
On Tue, Apr 14, 2015 at 8:45 PM, Linux Luser  wrote:
> Wouldn't host-record work?
>
> host-record=mydomain.org,192.168.0.101
>
Just that? No expand-host, domain=, local, address are necessary?

> If the hosts on your network are configured to use your dnsmasq instance for
> DNS, then they will get back 192.168.0.101 when doing a lookup for
> mydomain.org.
>
Will they still be able to navigate to any other site (the ones
outside my network, i.e., in the internet)?

-- 
Thiago Farina



[Dnsmasq-discuss] dns server

2015-04-14 Thread Thiago Farina
Hi,

First of all, sorry for asking here in this mailing list. I tried to
find the answer googling for it, but failed.

I didn't find a way to search the archives of this mailing list
either, hence I'm posting here.

I hope someone can help me.

This was probably asked and answered many times before, so if you have
points for it, please send it my way.

I'm trying to configure dnsmasq as my dns server in my home network.

I have a cisco dpc3825 router (ip 192.168.0.1) that connects to the
internet, an Ubuntu server where I want to run dnsmasq on ip
192.168.0.101, and a bunch of other machines in the network.

I know how to change the router to point to ubuntu server as a primary
dns. That is not the problem. The problem is the configuration of
dnsmasq.conf.

I have nginx running and serving a static site on this Ubuntu
server. What I want is for dnsmasq to translate mydomain.org, when the
other machines in my network type it, to the IP address of my Ubuntu
server which is running nginx, so they should be able to see my site
in my local network.

I believe the configuration on the router should be something like:

Primary DNS: 192.168.0.101
Secondary DNS: 8.8.8.8
Ternary DNS: 8.8.4.4


But what about dnsmasq.conf? How should I configure it?

Currently it has the following content:
$ cat /etc/dnsmasq.conf
listen-address=127.0.0.1

-- 
Thiago Farina



[Dnsmasq-discuss] [PATCH] fix segfault when using tftp_no_fail

2015-04-14 Thread Stefan Tomanek
This change prevents dnsmasq from calling closedir() on an invalid pointer
(which happens if the TFTP directory cannot be opened). The 'else' was probably
accidentally dropped while applying and refactoring patch
30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2.

Signed-off-by: Stefan Tomanek 
---
 src/dnsmasq.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index a7c5da8..20b15c0 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -655,7 +655,8 @@ int main (int argc, char **argv)
  _exit(0);
}
}
- closedir(dir);
+ else
+   closedir(dir);
}
 
   for (p = daemon->if_prefix; p; p = p->next)
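Review bot: with the indentation lost in this hunk it is not visible which `if` the new `else` attaches to; two closing braces precede it, so confirm that the `else` pairs with the opendir-failure test the commit message describes and not with the inner block that ends in `_exit(0)`, since `closedir(dir)` must run only when `dir` was actually opened. A one-line comment above `closedir(dir);`, such as `/* only reached when opendir() succeeded */`, would make that pairing explicit for the next refactor.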
@@ -670,7 +671,8 @@ int main (int argc, char **argv)
  _exit(0);
}
}
- closedir(dir);
+ else
+   closedir(dir);
}
 }
 #endif
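Review bot: this hunk repairs a second, line-for-line copy of the same opendir()/closedir() block fixed above, and the commit message says the bug arose because the `else` was dropped while that code was refactored; consider moving the directory check into a small static helper called from both places so a future change cannot fix one copy and miss the other.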
-- 
2.1.4



Re: [Dnsmasq-discuss] dnsmsaq potential vulnerability

2015-04-14 Thread Nick Sampanis
For the current vulnerability, CVE-2015-3294 will be used.

On 10 April 2015 at 22:41, Nick Sampanis  wrote:

> You are welcome. As I stated, the return value of setup_reply will be
> used as a size argument, which might be a positive 32-bit value. It seems
> that two things can occur from that point.
>
> In the case of a high integer, write might return -1 with errno equal to
> EFAULT; in that case nothing significant happens from the attacker's
> perspective. Otherwise m bytes will be sent to the attacker, which will
> reveal data allocated after the packet's allocation, or previously freed
> data which has not been initialized (zeroed out).
>
> On 9 April 2015 at 23:56, Simon Kelley  wrote:
>
>>
>> Thanks for this. The error is obvious, and I've just committed the
>> fix, to check the return value of skip_questions() in setup_reply().
>>
>> This is a potential DoS attack, but I'm not clear if it's worse than
>> that. The ability to read the dnsmasq heap seems to depend on details
>> of the address-space layout over which the attacker has no control.
>> (Plus, there's really not much in a dnsmasq process worth learning:
>> all the data in the cache is available with a DNS query anyway!) Or am
>> I being naive?
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>>
>> On 07/04/15 08:49, Nick Sampanis wrote:
>> > Dear sirs, I discovered one potential vulnerability in dnsmasq.
>> > More specifically, in tcp_request(), setup_reply() gets called and
>> > the returned value is used as a size argument in a write function.
>> >
>> > m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
>> > read_write(confd, packet, m + sizeof(u16), 0))
>> >
>> > Although setup_reply can't return a size variable greater than
>> > packet[65535 + MAXDNAME + RRFIXEDSZ + sizeof(u16)], an ignored
>> > error value (NULL) of skip_questions() might lead to a negative
>> > pointer value (-header).
>> >
>> > size_t setup_reply(struct dns_header *header, size_t qlen,
>> >                    struct all_addr *addrp, unsigned int flags, unsigned long ttl)
>> > {
>> >   unsigned char *p = skip_questions(header, qlen);
>> >   return p - (unsigned char *)header;
>> > }
>> >
>> > read_write checks if the size argument is positive. In case of a 32
>> > bit system size_t m would be 4 bytes and read_write will
>> > automatically exit. In case of 64 bit system size_t m is 8 bytes
>> > and may turn to positive if the sign bit of the 32 bit value is 0.
>> >
>> > If m is less than 0x8000, dnsmasq will be exploited by
>> > a potential attacker who will remotely read dnsmasq heap until it
>> > crashes. If the above condition is not met, dnsmasq exits
>> > properly.
>> >
>> >
>> >
>> >
>>
>>
>>
>
>
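
As an added example (not dnsmasq's code, and not the committed fix itself), here is the skip_questions()/setup_reply() pair from the report above in miniature: a bounds-checked question-section walker that returns NULL on a truncated packet, the unchecked return-value arithmetic the report describes, and a checked form that turns a failed skip into a zero length the caller can refuse to send. The function names follow the thread; the 0-on-failure convention and the sample query are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define DNS_HDR_LEN 12   /* id, flags, qdcount, ancount, nscount, arcount */

/* Walk past every question in a qlen-byte packet. Returns a pointer just past
 * the question section, or NULL when it is truncated or malformed. */
static const unsigned char *skip_questions(const unsigned char *header, size_t qlen)
{
    if (qlen < DNS_HDR_LEN) return NULL;
    unsigned qdcount = ((unsigned)header[4] << 8) | header[5];
    const unsigned char *p = header + DNS_HDR_LEN, *end = header + qlen;
    while (qdcount--) {
        for (;;) {                               /* QNAME: length-prefixed labels */
            if (p >= end) return NULL;
            unsigned len = *p++;
            if (len == 0) break;                 /* root label terminates the name */
            if (len >= 0xC0) {                   /* compression pointer: one more byte */
                if (p >= end) return NULL;
                p++;
                break;
            }
            if (len > 63 || (size_t)(end - p) < len) return NULL;
            p += len;
        }
        if ((size_t)(end - p) < 4) return NULL;  /* QTYPE + QCLASS */
        p += 4;
    }
    return p;
}

/* Shape of the reported bug: the NULL is never tested, so 0 - header wraps to a
 * huge size_t that the caller then uses as a write length. (uintptr_t arithmetic
 * keeps this demonstration defined; the real code subtracted pointers.) */
size_t setup_reply_unchecked(const unsigned char *header, size_t qlen)
{
    const unsigned char *p = skip_questions(header, qlen);
    return (size_t)((uintptr_t)p - (uintptr_t)header);
}

/* Hardened shape (assumed convention, modelled on the fix Simon describes): a
 * failed skip yields 0, so the length never exceeds the bytes actually parsed. */
size_t setup_reply_checked(const unsigned char *header, size_t qlen)
{
    const unsigned char *p = skip_questions(header, qlen);
    return p ? (size_t)(p - header) : 0;
}

/* Constructed sample: a query for mydomain.org, type A, class IN (30 bytes). */
static const unsigned char sample_query[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    8, 'm', 'y', 'd', 'o', 'm', 'a', 'i', 'n', 3, 'o', 'r', 'g', 0,
    0x00, 0x01, 0x00, 0x01,
};
```

Feeding the same query cut off after 20 bytes makes the unchecked form return a value far larger than the packet while the checked form returns 0.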