Re: [Dnsmasq-discuss] Dnsmasq responding with SOA instead of A

2016-07-11 Thread Aaron Germuth
Hello,

I've looked at the messages with Wireshark and found the DNS portions are
byte-identical (other than transaction id). Everything else looks similar
other than source IP. Not sure where to go from here.

Thanks,

Aaron

On Mon, Jul 11, 2016 at 3:43 PM Albert ARIBAUD wrote:

> Hi again Aaron,
>
> On Mon, 11 Jul 2016 21:53:21 +
> Aaron Germuth wrote:
>
> > Hey Albert,
> >
> > Thanks for the reply and sorry about that. The dig command used is
> >
> > dig @100.108.108.176 b.local.example.com A.
> >
> > 100.108.108.176 is the IP of my dns server. This dns server has an
> > entry in /etc/hosts mapping
> > b.local.example.com -> 1.2.3.50.
> >
> > My domain 'example.com' has a RR:
> > local.example.com  NS 3600   MY_DNS_SERVER.com
> >
> > I'm expecting the following dig response (which I get when running it
> > locally on my dns server):
> >
> > ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176
> > b.local.example.com ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
> > 0
> >
> > ;; QUESTION SECTION:
> > ;b.local.example.com. IN A
> >
> > ;; ANSWER SECTION:
> > b.local.example.com. 600 IN A 1.2.3.50
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 100.108.108.176#53(100.108.108.176)
> > ;; WHEN: Mon Jul 11 17:38:03 EDT 2016
> > ;; MSG SIZE  rcvd: 51
> >
> > The response if run from the other computer is:
> >
> > ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176
> > b.local.example.com ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25320
> > ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
> > 0 ;; WARNING: recursion requested but not available
> >
> > ;; QUESTION SECTION:
> > ;b.local.example.com. IN A
> >
> > ;; AUTHORITY SECTION:
> > local.example.com. 600 IN SOA   MY_DNS_SERVER.com.
> > hostmaster.MY_DNS_SERVER.com
> > . 1468262852
> > 1200 180 1209600 600
> >
> > ;; Query time: 60 msec
> > ;; SERVER: 100.108.108.176#53(100.108.108.176)
> > ;; WHEN: Mon Jul 11 14:32:23 PDT 2016
> > ;; MSG SIZE  rcvd: 1
> >
> > The only filtering I've done is changing the domain to example.com and
> > replacing the MY_DNS_SERVER URL. Otherwise it's copy-paste. I don't think
> > the exact URL should matter?
>
> I don't think it does, except of course that no one can reproduce your
> tests, but I can understand that you don't want to disclose your
> domain(s) or IP(s).
>
> > Let me know if you need anything else.
>
> I've already got way more info than I can handle -- I'm not a DNS guru. :)
> What I know is that auth-server should treat *all* requests on eth0 the
> same way, so any difference in response is due to queries not being the
> same.
>
> The only difference I see is that the second query seems to have
> requested recursion but not the first, so they are different somehow.
> Maybe some of these differences can explain the different answers?
>
> I suggest you capture DNS traffic on the dnsmasq host using tcpdump, run
> both queries, and compare the corresponding captures field by field and
> analyze each difference found. Of course, the captures will be full of
> sensitive data, so you'll have to do the comparison yourself, but then
> you could for instance report here which fields are different.
>
> > Thanks,
> >
> > Aaron
>
> Kind regards,
> --
> Albert.
>
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-11 Thread mmmfotografie

On 11-7-2016 23:08, Simon Kelley wrote:

I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but stalling
on some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. ftp.mozilla.org is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.


Thanks Simon for your reply and testing. I have now tried with 8.8.8.8 
and I have the same problem.


I see that DNSSEC on firefox.com and mozilla.com is now disabled
and I don't get an "ad" flag on them when I use dig, and the output of dnsmasq
states INSECURE. So maybe Mozilla is now working around that problem.


mozilla.org will not resolve on 8.8.8.8 or 194.109.9.9 and
ftp.mozilla indeed goes through Cloudfront but is not secure.

.
.
.
I have been testing a few settings... a lot of settings and combinations
in the past hours and have no way to get a good response from dnsmasq.


I first use "dig +dnssec +multi mozilla.org @127.0.0.1", which seems to
have more patience in waiting for a response. dnsmasq seems to do only
one try when using dig and not three as with nslookup. dnsmasq thinks
for about four seconds and then gives a valid response using dig.


dnsmasq: dnssec-query[DNSKEY] mozilla.org to 8.8.8.8
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

So on my standard upstream server:
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: reply mozilla.org is DNSKEY keytag 65337, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 22205, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 44421, algo 7
dnsmasq: reply mozilla.org is DNSKEY keytag 42422, algo 7
dnsmasq: validation result is SECURE
dnsmasq: reply mozilla.org is 63.245.215.20

Now the information is in the cache and a next request is instant.

Also ftp.mozilla.org is instant now but insecure:

dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is 
dnsmasq: reply d34chcsvb7ug62.cloudfront.net is 52.85.250.4
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: cached ftp.mozilla.org is 
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: validation result is INSECURE
dnsmasq: reply ftp.mozilla.org is 

And if I don't use dig mozilla.org or ftp.mozilla.org before the 
nslookup, it times out again:


dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99

Cheers, Marcel
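As an added example (not code from this thread or from dnsmasq), a small analyser for the "dnsmasq -d" log lines Marcel posted: it pairs each `dnssec-query[TYPE] name` line with the `reply name is TYPE keytag ...` lines, counts how often a query was re-sent, and walks the chain of trust from the root down to a name to report the first link that never received a reply. The sample log is the last excerpt above, embedded as constructed input. The parser only recognises the two reply formats visible in this thread; a DS lookup that proves a zone unsigned is logged in another form and is an assumed limitation of this script, not something it detects.

```python
"""Find the stalled link in a DNSSEC chain from dnsmasq -d log lines."""
import re

DNSSEC_QUERY = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)")
DNSSEC_REPLY = re.compile(r"reply (\S+) is (DNSKEY|DS) keytag (\d+), algo (\d+)")
FORWARDED = re.compile(r"forwarded (\S+) to (\S+)")
RESULT = re.compile(r"validation result is (\w+)")


def analyse(lines):
    """Pair dnssec-query lines with their replies.
    Returns sends/replies per (rtype, zone), client queries forwarded per
    name, validation results seen, and the queries that never got a reply."""
    sent, answered, forwarded, results = {}, {}, {}, []
    for line in lines:
        m = DNSSEC_QUERY.search(line)
        if m:
            key = (m.group(1), m.group(2))          # (rtype, zone)
            sent[key] = sent.get(key, 0) + 1
            continue
        m = DNSSEC_REPLY.search(line)
        if m:
            key = (m.group(2), m.group(1))          # reply lines put the name first
            answered.setdefault(key, []).append((int(m.group(3)), int(m.group(4))))
            continue
        m = FORWARDED.search(line)
        if m:
            forwarded[m.group(1)] = forwarded.get(m.group(1), 0) + 1
            continue
        m = RESULT.search(line)
        if m:
            results.append(m.group(1))
    stalled = {k: n for k, n in sent.items() if k not in answered}
    return {"sent": sent, "answered": answered, "forwarded": forwarded,
            "results": results, "stalled": stalled}


def first_missing_link(answered, name):
    """Walk the chain of trust root -> ... -> name: every zone needs a DNSKEY
    reply and every zone below the root needs a DS reply from its parent.
    Returns the first (rtype, zone) with no reply, or None if complete."""
    labels = [l for l in name.strip(".").split(".") if l]
    zones = ["."] + [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
    for zone in zones:
        if zone != "." and ("DS", zone) not in answered:
            return ("DS", zone)
        if ("DNSKEY", zone) not in answered:
            return ("DNSKEY", zone)
    return None


# Constructed sample: the last log excerpt from Marcel's message, as input.
SAMPLE_LOG = """\
dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 3177, algo 7
dnsmasq: reply org is DNSKEY keytag 2097, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[A] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
dnsmasq: query[] ftp.mozilla.org from 192.168.21.190
dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
""".splitlines()

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for (rtype, zone), n in report["stalled"].items():
        print(f"no reply to dnssec-query[{rtype}] {zone} after {n} attempt(s)")
    print("first missing link for mozilla.org:",
          first_missing_link(report["answered"], "mozilla.org"))
```

On the excerpt above the result is that the root and org keys, the org DS and the mozilla.org DS all arrived, and the only link with no reply is the mozilla.org DNSKEY, re-sent four times while the client query for ftp.mozilla.org was forwarded three times. Pipe the live "dnsmasq -d" output into `analyse()` to get the same summary for other names.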


Re: [Dnsmasq-discuss] Dnsmasq responding with SOA instead of A

2016-07-11 Thread Albert ARIBAUD
Hi again Aaron,

On Mon, 11 Jul 2016 21:53:21 +
Aaron Germuth wrote:

> Hey Albert,
> 
> Thanks for the reply and sorry about that. The dig command used is
> 
> dig @100.108.108.176 b.local.example.com A.
> 
> 100.108.108.176 is the IP of my dns server. This dns server has an
> entry in /etc/hosts mapping
> b.local.example.com -> 1.2.3.50.
> 
> My domain 'example.com' has a RR:
> local.example.com  NS 3600   MY_DNS_SERVER.com
> 
> I'm expecting the following dig response (which I get when running it
> locally on my dns server):
> 
> ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176
> b.local.example.com ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL:
> 0
> 
> ;; QUESTION SECTION:
> ;b.local.example.com. IN A
> 
> ;; ANSWER SECTION:
> b.local.example.com. 600 IN A 1.2.3.50
> 
> ;; Query time: 0 msec
> ;; SERVER: 100.108.108.176#53(100.108.108.176)
> ;; WHEN: Mon Jul 11 17:38:03 EDT 2016
> ;; MSG SIZE  rcvd: 51
> 
> The response if run from the other computer is:
> 
> ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176
> b.local.example.com ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25320
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
> 0 ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;b.local.example.com. IN A
> 
> ;; AUTHORITY SECTION:
> local.example.com. 600 IN SOA   MY_DNS_SERVER.com.
> hostmaster.MY_DNS_SERVER.com
> . 1468262852
> 1200 180 1209600 600
> 
> ;; Query time: 60 msec
> ;; SERVER: 100.108.108.176#53(100.108.108.176)
> ;; WHEN: Mon Jul 11 14:32:23 PDT 2016
> ;; MSG SIZE  rcvd: 1
> 
> The only filtering I've done is changing the domain to example.com and
> replacing the MY_DNS_SERVER URL. Otherwise it's copy-paste. I don't think
> the exact URL should matter?

I don't think it does, except of course that no one can reproduce your
tests, but I can understand that you don't want to disclose your
domain(s) or IP(s).

> Let me know if you need anything else.

I've already got way more info than I can handle -- I'm not a DNS guru. :)
What I know is that auth-server should treat *all* requests on eth0 the
same way, so any difference in response is due to queries not being the
same.

The only difference I see is that the second query seems to have
requested recursion but not the first, so they are different somehow.
Maybe some of these differences can explain the different answers?

I suggest you capture DNS traffic on the dnsmasq host using tcpdump, run
both queries, and compare the corresponding captures field by field and
analyze each difference found. Of course, the captures will be full of
sensitive data, so you'll have to do the comparison yourself, but then
you could for instance report here which fields are different.

> Thanks,
> 
> Aaron

Kind regards,
-- 
Albert.

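The field-by-field comparison Albert suggests, as an added example (not code from this thread or from dnsmasq): a minimal RFC 1035 wire-format parser plus a diff of two responses that ignores the transaction id. The two messages are constructed inline to mirror the two dig outputs Aaron posted; the ids, flags, TTL, SOA fields and the 1.2.3.50 address are taken from those outputs, while the byte layout (including the compression pointer used for the owner name) is an assumption about how such a reply looks on the wire, not a real capture.

```python
"""Compare two DNS responses field by field (RFC 1035 wire format)."""
import struct

FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}
TYPE_A, TYPE_SOA = 1, 6


def encode_name(name):
    """Dotted name -> label sequence terminated by the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))


def build_response(txid, flags, qname, qtype, answers=(), authority=()):
    """One-question response; records are (owner, type, ttl, rdata). An owner
    equal to the question name is written as a compression pointer to
    offset 12 (assumed layout, as resolvers commonly emit it)."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in list(answers) + list(authority):
        msg += b"\xc0\x0c" if owner == qname else encode_name(owner)
        msg += struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Header flags, question and the three record sections as plain dicts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    parsed = {"id": txid, "flags": {k: bool(flags >> b & 1) for k, b in FLAG_BITS.items()}}
    parsed["flags"]["rcode"] = flags & 0xF
    off, parsed["question"] = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        parsed["question"].append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                  # qtype + qclass
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if rtype == TYPE_A and rdlen == 4:
                summary = ".".join(str(b) for b in rdata)
            elif rtype == TYPE_SOA:               # MNAME is enough to identify it
                summary = decode_name(msg, off - rdlen)[0]
            else:
                summary = rdata.hex()
            records.append((owner, rtype, ttl, summary))
        parsed[section] = records
    return parsed


def diff_responses(a, b):
    """(field, value_in_a, value_in_b) for each field that differs;
    the transaction id is deliberately ignored."""
    pa, pb = parse_message(a), parse_message(b)
    diffs = [("flag " + k, pa["flags"][k], pb["flags"][k])
             for k in pa["flags"] if pa["flags"][k] != pb["flags"][k]]
    diffs += [(s, pa[s], pb[s]) for s in ("question", "answer", "authority", "additional")
              if pa[s] != pb[s]]
    return diffs


QNAME = "b.local.example.com"
# Constructed to mirror the two dig outputs quoted in this thread.
RESPONSE_LOCAL = build_response(                  # dig run on the dnsmasq host
    24172, 0x81A0, QNAME, TYPE_A,                 # flags: qr rd ra ad, NOERROR
    answers=[(QNAME, TYPE_A, 600, bytes([1, 2, 3, 50]))])
RESPONSE_REMOTE = build_response(                 # dig run from the other network
    25320, 0x8520, QNAME, TYPE_A,                 # flags: qr aa rd ad, no ra
    authority=[("local.example.com", TYPE_SOA, 600,
                soa_rdata("MY_DNS_SERVER.com", "hostmaster.MY_DNS_SERVER.com",
                          1468262852, 1200, 180, 1209600, 600))])

if __name__ == "__main__":
    for field, left, right in diff_responses(RESPONSE_LOCAL, RESPONSE_REMOTE):
        print(f"{field:10} local={left!r}  remote={right!r}")
```

To use it on real traffic, replace the two constructed messages with the UDP payloads extracted from the tcpdump captures. On the constructed data the only differences are the `aa` and `ra` flags and the answer versus authority sections, which matches the dig outputs: the second reply carries the authoritative-answer bit and no recursion-available bit, consistent with the `auth[A]` log line rather than the `query[A]` one.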


Re: [Dnsmasq-discuss] Dnsmasq responding with SOA instead of A

2016-07-11 Thread Aaron Germuth
Hey Albert,

Thanks for the reply and sorry about that. The dig command used is

dig @100.108.108.176 b.local.example.com A.

100.108.108.176 is the IP of my dns server. This dns server has an entry in
/etc/hosts mapping
b.local.example.com -> 1.2.3.50.

My domain 'example.com' has a RR:
local.example.com  NS 3600   MY_DNS_SERVER.com

I'm expecting the following dig response (which I get when running it
locally on my dns server):

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176 b.local.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;b.local.example.com. IN A

;; ANSWER SECTION:
b.local.example.com. 600 IN A 1.2.3.50

;; Query time: 0 msec
;; SERVER: 100.108.108.176#53(100.108.108.176)
;; WHEN: Mon Jul 11 17:38:03 EDT 2016
;; MSG SIZE  rcvd: 51

The response if run from the other computer is:

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176 b.local.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25320
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;b.local.example.com. IN A

;; AUTHORITY SECTION:
local.example.com. 600 IN SOA   MY_DNS_SERVER.com.
hostmaster.MY_DNS_SERVER.com
. 1468262852 1200
180 1209600 600

;; Query time: 60 msec
;; SERVER: 100.108.108.176#53(100.108.108.176)
;; WHEN: Mon Jul 11 14:32:23 PDT 2016
;; MSG SIZE  rcvd: 1

The only filtering I've done is changing the domain to example.com and
replacing the MY_DNS_SERVER URL. Otherwise it's copy-paste. I don't think the
exact URL should matter?

Let me know if you need anything else.

Thanks,

Aaron

On Mon, Jul 11, 2016 at 2:26 PM Albert ARIBAUD wrote:

> Hi Aaron,
>
> On Mon, 11 Jul 2016 20:20:56 +
> Aaron Germuth wrote:
>
> > Hey guys,
> >
> > I'm trying to run my own dnsmasq instance on a computer. I want it to
> > be authoritative for my domain (local.example.com). However I am
> > getting different results for the same query from different computers.
> >
> > dig @100.108.108.176 b.local.example.com. A
> >
> > When I run this from the dns server itself (100.108.108.176) I get an
> > ip as a response and the following in the logs:
> >
> > Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: query[A]
> > b.local.example.com from 100.108.108.176
> > Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: /etc/hosts 1.2.3.50
> > is b.local.example.com
> >
> > When I run this from a different computer on a different network I do
> > not get an IP. Instead dig returns an SOA pointing to itself
> > (MY_DNS_SERVER.com). Furthermore, the logs show the following:
> >
> > Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth[A]
> > b.local.example.com from 172.27.88.26
> > Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth
> > b.local.example.com is NODATA-IPv4
> >
> > I'm not sure what's happening. It seems it interprets one as a
> > query[A] and one auth[A]. It seems in the 2nd response it thinks it
> > doesn't know how to handle that domain so it returns who it thinks is
> > authoritative for that domain, which is itself. This is what my
> > dnsmasq.conf looks like:
> >
> > auth-server=MY_DNS_SERVER.com,eth0
> > auth-zone=local.example.com,eth0
> >
> > log-queries
> >
> > #do not read resolv.conf to find servers where to lookup dns
> > no-resolv
> > #do not poll resolve.conf for changes
> > no-poll
> >
> > #address to use when address not local
> > server=8.8.8.8
> > server=4.4.4.4
> >
> > local=/local.example.com/
> > domain=local.example.com
> >
> > If you need any more information, let me know.
>
> First thing you should do is not to filter out or explain the dig
> commands you use and their results, but instead to just copy-paste the
> command and its output. Here, for instance, none of what you provide
> allows checking how the request was sent exactly, and what principal
> and additional info was returned.
>
> > Thanks,
> >
> > Aaron
>
> Kind regards,
> --
> Albert.
>
>


Re: [Dnsmasq-discuss] Dnsmasq responding with SOA instead of A

2016-07-11 Thread Albert ARIBAUD
Hi Aaron,

On Mon, 11 Jul 2016 20:20:56 +
Aaron Germuth wrote:

> Hey guys,
> 
> I'm trying to run my own dnsmasq instance on a computer. I want it to
> be authoritative for my domain (local.example.com). However I am
> getting different results for the same query from different computers.
> 
> dig @100.108.108.176 b.local.example.com. A
> 
> When I run this from the dns server itself (100.108.108.176) I get an
> ip as a response and the following in the logs:
> 
> Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: query[A]
> b.local.example.com from 100.108.108.176
> Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: /etc/hosts 1.2.3.50
> is b.local.example.com
> 
> When I run this from a different computer on a different network I do
> not get an IP. Instead dig returns an SOA pointing to itself
> (MY_DNS_SERVER.com). Furthermore, the logs show the following:
> 
> Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth[A]
> b.local.example.com from 172.27.88.26
> Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth
> b.local.example.com is NODATA-IPv4
> 
> I'm not sure what's happening. It seems it interprets one as a
> query[A] and one auth[A]. It seems in the 2nd response it thinks it
> doesn't know how to handle that domain so it returns who it thinks is
> authoritative for that domain, which is itself. This is what my
> dnsmasq.conf looks like:
> 
> auth-server=MY_DNS_SERVER.com,eth0
> auth-zone=local.example.com,eth0
> 
> log-queries
> 
> #do not read resolv.conf to find servers where to lookup dns
> no-resolv
> #do not poll resolve.conf for changes
> no-poll
> 
> #address to use when address not local
> server=8.8.8.8
> server=4.4.4.4
> 
> local=/local.example.com/
> domain=local.example.com
> 
> If you need any more information, let me know.

First thing you should do is not to filter out or explain the dig
commands you use and their results, but instead to just copy-paste the
command and its output. Here, for instance, none of what you provide
allows checking how the request was sent exactly, and what principal
and additional info was returned.

> Thanks,
> 
> Aaron

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] DNSSEC and Mozilla domains not working

2016-07-11 Thread Simon Kelley
On 10/07/16 09:21, Marcel Mutter wrote:
> I enabled DNSSEC a few weeks ago and all seemed to be working.
> Yesterday I wanted to visit Mozilla.org and nothing happened. I see
> that the request is being sent to the upstream nameserver, however
> nothing is displayed by dnsmasq as a response. I am running "dnsmasq
> -d" with log enabled so I can see the output in real time.
> 
> dnsmasq: query[A] ftp.mozilla.org from 192.168.xxx.xxx
> dnsmasq: forwarded ftp.mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DS] org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
> dnsmasq: reply . is DNSKEY keytag 60615, algo 8
> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
> dnsmasq: dnssec-query[DS] mozilla.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq: reply org is DNSKEY keytag 2097, algo 7
> dnsmasq: reply org is DNSKEY keytag 3177, algo 7
> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
> dnsmasq: reply mozilla.org is DS keytag 44421, algo 7, digest 1
> dnsmasq: dnssec-query[DNSKEY] mozilla.org to 194.109.9.99
> 
> Also the same with mozilla.org and mozilla.com and firefox.com
> 
> The upstream server 194.109.9.99 is using Unbound.
> 
> When I go directly to the upstream nameserver I get a good response. I am
> running dnsmasq 2.76-1 for Debian at the moment and I updated it a
> few hours ago from 2.72-3.
> 

I just tried all those domains using 2.76 and 8.8.8.8 upstream and all
behaved correctly. 194.109.9.99 won't talk to me, so I can't try that.

The upstream is clearly answering the direct question OK, but stalling
on some of the DNSSEC queries needed to verify it. That could
be an upstream problem, or a problem with the authoritative servers for
the domain. ftp.mozilla.org is signed, but it's a CNAME to
cloudfront.org, so the DS from .org proving that cloudfront.org is not
signed is also required.

Are you still seeing the problem now, or has this resolved itself?

Cheers,

Simon.





[Dnsmasq-discuss] Dnsmasq responding with SOA instead of A

2016-07-11 Thread Aaron Germuth
Hey guys,

I'm trying to run my own dnsmasq instance on a computer. I want it to be
authoritative for my domain (local.example.com). However I am getting
different results for the same query from different computers.

dig @100.108.108.176 b.local.example.com. A

When I run this from the dns server itself (100.108.108.176) I get an ip as
a response and the following in the logs:

Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: query[A]
b.local.example.com from 100.108.108.176
Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: /etc/hosts 1.2.3.50 is
b.local.example.com

When I run this from a different computer on a different network I do not
get an IP. Instead dig returns an SOA pointing to itself
(MY_DNS_SERVER.com). Furthermore, the logs show the following:

Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth[A]
b.local.example.com from 172.27.88.26
Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth b.local.example.com is
NODATA-IPv4

I'm not sure what's happening. It seems it interprets one as a query[A] and
one auth[A]. It seems in the 2nd response it thinks it doesn't know how to
handle that domain so it returns who it thinks is authoritative for that
domain, which is itself. This is what my dnsmasq.conf looks like:

auth-server=MY_DNS_SERVER.com,eth0
auth-zone=local.example.com,eth0

log-queries

#do not read resolv.conf to find servers where to lookup dns
no-resolv
#do not poll resolve.conf for changes
no-poll

#address to use when address not local
server=8.8.8.8
server=4.4.4.4

local=/local.example.com/
domain=local.example.com

If you need any more information, let me know.

Thanks,

Aaron


Re: [Dnsmasq-discuss] Clarify/Improve DNSSEC related SIGHUP handling

2016-07-11 Thread Simon Kelley
Ah yes, I see the problem. Patch applied. Sorry it took so long :-(

Cheers,

Simon.


On 11/07/16 08:54, Kevin Darbyshire-Bryant wrote:
> 
> 
> Hi Simon,
> 
> Please could you consider the attached patch.  It solves a problem that
> using dnssec-timestamp also effectively enabled dnssec-no-timecheck.
> The result is that an unfortunately timed SIGHUP could
> accidentally enable dnssec timestamp checking.  In combination with
> dnssec-check-unsigned that could prove 'challenging' :-)
> 
> The patch matches the behaviour as is documented in the manpage.
> 
> kind regards,
> 
> Kevin
> 
> 
> 
> 
> 
> 




Re: [Dnsmasq-discuss] [PATCH] fix for netlink ENOBUF problem

2016-07-11 Thread Simon Kelley
Great stuff. Thanks for chasing this. Patch applied.



Cheers,

Simon.


On 11/07/16 13:17, Ivan Kokshaysky wrote:
> Hi Simon,
> 
> as expected, the second patch works well for us. Please apply.
> 
> Ivan.
> 
> diff --git a/src/netlink.c b/src/netlink.c
> index 049247b..8cd51af 100644
> --- a/src/netlink.c
> +++ b/src/netlink.c
> @@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int 
> (*callback)())
>   }
>  
>for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h 
> = NLMSG_NEXT(h, len))
> - if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type 
> == NLMSG_ERROR)
> + if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
> {
>   /* May be multicast arriving async */
>   nl_async(h);
> }
> + else if (h->nlmsg_seq != seq)
> +   {
> + /* May be part of incomplete response to previous request after
> +ENOBUFS. Drop it. */
> + continue;
> +   }
>   else if (h->nlmsg_type == NLMSG_DONE)
> return callback_ok;
>   else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family 
> != AF_LOCAL)
> 




Re: [Dnsmasq-discuss] [PATCH] fix for netlink ENOBUF problem

2016-07-11 Thread Ivan Kokshaysky
Hi Simon,

as expected, the second patch works well for us. Please apply.

Ivan.

diff --git a/src/netlink.c b/src/netlink.c
index 049247b..8cd51af 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int 
(*callback)())
}
 
   for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = 
NLMSG_NEXT(h, len))
-   if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type 
== NLMSG_ERROR)
+   if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
  {
/* May be multicast arriving async */
nl_async(h);
  }
+   else if (h->nlmsg_seq != seq)
+ {
+   /* May be part of incomplete response to previous request after
+  ENOBUFS. Drop it. */
+   continue;
+ }
else if (h->nlmsg_type == NLMSG_DONE)
  return callback_ok;
else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family 
!= AF_LOCAL)
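Review bot: the new `else if (h->nlmsg_seq != seq)` branch drops stale messages silently; since the whole point of this fix is coping with lost or out-of-order netlink replies after ENOBUFS, a debug-level log of the dropped sequence number (or a drop counter) would make the condition visible when an interface later turns out to be missing from the enumeration. Note also what the reordering changes: a stale non-error reply carrying our own `netlink_pid` used to be handed to `nl_async()` by the old combined condition and is now dropped, whereas a stale `NLMSG_ERROR` still matches the first branch and still reaches `nl_async()`; that asymmetry is fine if `nl_async()` tolerates an error message for an already-finished request, and a short comment saying so would save the next reader the same check.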



[Dnsmasq-discuss] Clarify/Improve DNSSEC related SIGHUP handling

2016-07-11 Thread Kevin Darbyshire-Bryant



Hi Simon,

Please could you consider the attached patch.  It solves a problem that
using dnssec-timestamp also effectively enabled dnssec-no-timecheck.
The result is that an unfortunately timed SIGHUP could
accidentally enable dnssec timestamp checking.  In combination with
dnssec-check-unsigned that could prove 'challenging' :-)

The patch matches the behaviour as is documented in the manpage.

kind regards,

Kevin



From f94c6d70aaaea0511ef3c7667093b4b54952804e Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant 
Date: Fri, 27 May 2016 10:23:47 +0100
Subject: [PATCH] Improve dnssec SIGHUP behaviour

Signed-off-by: Kevin Darbyshire-Bryant 
---
 src/dnsmasq.c | 7 ---
 src/dnsmasq.h | 1 +
 src/dnssec.c  | 5 +++--
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 045ec53..a47273f 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -750,7 +750,8 @@ int main (int argc, char **argv)
   
   my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
   
-  if (option_bool(OPT_DNSSEC_TIME))
+  daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+  if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until 
first cache reload"));
   
   if (rc == 1)
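Review bot: `daemon->dnssec_no_time_check` is assigned unconditionally from `option_bool(OPT_DNSSEC_TIME)` while the informational log line directly below it is now suppressed when `daemon->back_to_the_future` is already set; a one-line comment stating that the new field is the mutable runtime copy of the option (the option bit itself is no longer flipped at reload, which is the bug this patch fixes) would make the relationship between `OPT_DNSSEC_TIME`, `back_to_the_future` and the new flag clear without reading dnssec.c. It is also worth confirming that the timestamp setup which sets `back_to_the_future` has already run at this point in `main()`; the `if (rc == 1)` check just below suggests it has.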
@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now)
   {
   case EVENT_RELOAD:
 #ifdef HAVE_DNSSEC
-   if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+   if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && 
option_bool(OPT_DNSSEC_TIME))
  {
my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
-   reset_option_bool(OPT_DNSSEC_TIME);
+   daemon->dnssec_no_time_check = 0;
  } 
 #endif
/* fall through */
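Review bot: in the `EVENT_RELOAD` condition the `option_bool(OPT_DNSSEC_TIME)` term is redundant once `daemon->dnssec_no_time_check` is tested, because the flag is only ever initialised from that option in `main()` and later cleared, never set; dropping it would bring the line back under the wrap width. Note also that in the timestamp-file path `check_date_range()` now clears `dnssec_no_time_check` before it queues `EVENT_RELOAD`, so the "now checking DNSSEC signature timestamps" message here will no longer fire for that path; the dnssec.c hunk adds its own syslog to compensate, and a comment here pointing that out would stop someone re-adding the message later.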
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1896a64..be27ae0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -992,6 +992,7 @@ extern struct daemon {
 #endif
 #ifdef HAVE_DNSSEC
   struct ds_config *ds;
+  int dnssec_no_time_check;
   int back_to_the_future;
   char *timestamp_file;
 #endif
diff --git a/src/dnssec.c b/src/dnssec.c
index 3c77c7d..64358fa 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end)
  if (utime(daemon->timestamp_file, NULL) != 0)
my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), 
daemon->timestamp_file, strerror(errno));
  
+ my_syslog(LOG_INFO, _("system time considered valid, now checking 
DNSSEC signature timestamps."));
  daemon->back_to_the_future = 1;
- set_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_no_time_check = 0;
  queue_event(EVENT_RELOAD); /* purge cache */
} 
 
   if (daemon->back_to_the_future == 0)
return 1;
 }
-  else if (option_bool(OPT_DNSSEC_TIME))
+  else if (daemon->dnssec_no_time_check)
 return 1;
   
   /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
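Review bot: `daemon->dnssec_no_time_check = 0` in the timestamp-file branch has no effect on validation, since the `else if (daemon->dnssec_no_time_check)` test below is only reached when no `timestamp_file` is configured; it is harmless, but the surrounding comment should say that its purpose is to keep the async reload handler from logging "now checking DNSSEC signature timestamps" a second time, given that the message is now emitted directly here by the new `my_syslog` call. Removing the `set_option_bool(OPT_DNSSEC_TIME)` line is the actual fix for the reported behaviour (the option bit was being turned on as a side effect of a valid timestamp), so the commit message would benefit from saying so explicitly.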
-- 
1.9.1
