Re: [Dnsmasq-discuss] Dnsmasq-discuss Digest, Vol 138, Issue 13

2016-11-22 Thread Albert ARIBAUD
Hello,

On Tue, 22 Nov 2016 17:47:09 +
Rahul Jain wrote:

> Hi Albert, thank you for replying. I have access to the source code
> of the router and all its internals.
> 
> I can download the source code of dnsmasq, compile and build it for
> the router(not on the router) but I need to run the dnsmasq as a
> service which I can't do on mipsel-linux because it doesn't contain
> anything equivalent to "service". So I'm generating the binary on a
> ubuntu(16.04 LTS) system and using that in the router running
> mipsel-linux.

Er... If your router does not contain anything equivalent to "service",
then there is no point in trying to run "service dnsmasq start" on this
router.

> On the ubuntu system, when I run dnsmasq with add-mac in the
> configuration, I'm able to see EDNS0 option in the dns query. This is
> happening only when I installed and run dnsmasq from apt-get. When I
> tried to compile it and run it from the same configurations, I'm not
> able to see the EDNS0 option.

I assume you are talking about some PC with Ubuntu running on it? This
is a different system than your router and there is no reason that this
PC should behave the same as the router, and you simply cannot infer
much from one system to the other.

> Now I'm left with two things, one is to
> install dnsmasq from the apt-get on mipsel-linux which is not
> possible because it does not have apt-get or any other package
> manager and the second option being to compile the source for the
> router.

I suspect this conclusion is premature.

For one thing, do you have the right tools to build a binary for your
router? Do you know which kernel it runs (not simply the version, but
the actual kernel headers)? Do you know which C library it uses? Do you
know which compiler toolchain was used to build this system? Do you have
all these things -- kernel, lib, toolchain -- in working order? Can
you rebuild the whole router system? If no, then compiling is IMO not
a valid option right now.

> So for now, I want to compile the dnsmasq source code on my ubuntu
> system or for the router, not from the apt-get, and want the EDNS0
> option in the dns query.

I believe this is not the right approach to solve your problem (which,
IIUC, is to be able to enable the "add-mac" option on the dnsmasq which 
runs on your router; if this is not what you are actually trying to
achieve, then do correct me).

First, to run your Ubuntu's own dnsmasq with the add-mac option enabled
does not require any compilation; adding a single one-line file at the
right place is all it takes -- I've just checked this on the very
Xubuntu machine I am writing this mail on.

Second, even once you've done it, it will be of no use for the dnsmasq
on your router, because your router is not a Ubuntu system, and nothing
will happen if you add the same file in the same location -- a location
which quite possibly does not even exist on your router.

But there are good chances that on that router, there is /another/
location, where adding (or modifying) /another/ file in /another/ way
will have the effect you are looking for.

My suggestion is that you forget the whole "building on Ubuntu" thing
for now, and even the "building" thing at all, and concentrate on your
router, to find that location and file which control the options of your
router's dnsmasq.

As /dev/rob0 and I told you, you are having a system question, not a
dnsmasq question. The right way to tackle it is not to look in dnsmasq,
but to look in the system (and in the /right/ system).

A good start would be to indicate which router it is that you are
working on, and which firmware it runs.

HTH

Best regards,
-- 
Albert.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Dnsmasq-discuss Digest, Vol 138, Issue 13

2016-11-22 Thread Rahul Jain
Hi Albert, thank you for replying. I have access to the source code of the 
router and all its internals.

I can download the source code of dnsmasq, compile and build it for the 
router(not on the router) but I need to run the dnsmasq as a service which I 
can't do on mipsel-linux because it doesn't contain anything equivalent to 
"service". So I'm generating the binary on a ubuntu(16.04 LTS) system and using 
that in the router running mipsel-linux.

On the ubuntu system, when I run dnsmasq with add-mac in the configuration, I'm 
able to see EDNS0 option in the dns query. This is happening only when I 
installed and run dnsmasq from apt-get. When I tried to compile it and run it 
from the same configurations, I'm not able to see the EDNS0 option. Now I'm 
left with two things, one is to install dnsmasq from the apt-get on 
mipsel-linux which is not possible because it does not have apt-get or any 
other package manager and the second option being to compile the source for the 
router.

So for now, I want to compile the dnsmasq source code on my ubuntu system or 
for the router, not from the apt-get, and want the EDNS0 option in the dns 
query.


From: Albert ARIBAUD 
Sent: Tuesday, November 22, 2016 7:14:08 PM
To: Rahul Jain
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Dnsmasq-discuss Digest, Vol 138, Issue 13

Hi Rahul,

On Tue, 22 Nov 2016 05:51:17 +
Rahul Jain wrote:

> Hi, thank you for the insight. Actually, I want this implementation
> on my router(which is running mipsel-linux), can't just simply
> install on it. Therefore, I have to run the binary there but I'm not
> getting the MAC address of the connected clients when I add the
> add-mac option in the conf file.

Ok, so IIUC, you do not have access to the source code of the system
installed on your router, and especially you do not have access to the
source code and build instructions to rebuild your router's dnsmasq.

But you do have access to the router's filesystem, right? So you can
inspect its services scripts and find out what it does and why the
add-mac option is not passed to dnsmasq.

Best regards,
--
Albert.


Re: [Dnsmasq-discuss] Bug forward upstream SERVFAIL

2016-11-22 Thread /dev/rob0
On Tue, Nov 22, 2016 at 04:18:55PM +, Chris Novakovic wrote:
> On 22/11/16 15:03, Martin Wetterwald wrote:
> > We found what we think is a bug (at least a not wanted 
> > behaviour), but it seems it's actually a feature, when looking at 
> > commits 4ace25c5 and 51967f980 (pasted at the end of this email).
> 
> 4ace25c5 is a red herring: that provides REFUSED responses with the 
> behaviour you're looking for. Whether the same behaviour ought to 
> be applied to SERVFAIL responses is for Simon to decide: the commit 
> message for 51967f980 isn't clear about why SERVFAIL should be 
> considered a "successful" upstream response, but I'm sure there was 
> a reason, and I'm sure he can fill us in.

SERVFAIL can sometimes be considered "successful" depending on 
circumstances.

If all the authoritative NS hosts for a zone are returning SERVFAIL 
for queries, then indeed, that's as best as can be done.

But the problem could be on the recursive resolver, such as [for one 
example] cache poisoning causing DNSSEC validation failure.

Unfortunately dnsmasq is not in a position to know which it is.

I think the most prudent thing for dnsmasq to do on SERVFAIL is to 
attempt the query with other upstream servers, if possible.  But an 
answer needs to be provided to the client before its own timeout 
value.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Bug forward upstream SERVFAIL

2016-11-22 Thread Chris Novakovic
On 22/11/16 15:03, Martin Wetterwald wrote:
> We found what we think is a bug (at least a not wanted behaviour), but
> it seems it's actually a feature, when looking at commits 4ace25c5 and
> 51967f980 (pasted at the end of this email).

4ace25c5 is a red herring: that provides REFUSED responses with the
behaviour you're looking for. Whether the same behaviour ought to be
applied to SERVFAIL responses is for Simon to decide: the commit message
for 51967f980 isn't clear about why SERVFAIL should be considered a
"successful" upstream response, but I'm sure there was a reason, and I'm
sure he can fill us in.



[Dnsmasq-discuss] Bug forward upstream SERVFAIL

2016-11-22 Thread Martin Wetterwald
Hello,

At OVH, we use dnsmasq in our product OverTheBox, an OpenWRT based
router.

We found what we think is a bug (at least a not wanted behaviour), but
it seems it's actually a feature, when looking at commits 4ace25c5 and
51967f980 (pasted at the end of this email).


If you have say 4 upstreams, and one of them has a problem: it will
always give SERVFAIL responses back to dnsmasq. The problem is that
dnsmasq will immediately forward the SERVFAIL response back to the
client, even if other upstreams are working (providing the SERVFAIL
answer is the first to arrive).

If dnsmasq has several upstreams, isn't it to make it more robust?
Shouldn't dnsmasq try as much as possible to be independent of upstream
errors?


You will find my Pull Request here:
https://github.com/MartinWetterwald/dnsmasq/pull/1/files

You could cherry-pick my commit if you agree with this behaviour.


Best Regards, Martin Wetterwald


commit 51967f9807665dae403f1497b827165c5fa1084b
Author: Simon Kelley 
Date:   Tue Mar 25 21:07:00 2014 +

SERVFAIL is an expected error return, don't try all servers.




commit 4ace25c5d6c30949be9171ff1c524b2139b989d3
Author: Chris Novakovic 
Date:   Mon Jan 25 21:54:35 2016 +

Treat REFUSED (not SERVFAIL) as an unsuccessful upstream response

Commit 51967f9807665dae403f1497b827165c5fa1084b began treating SERVFAIL
as a successful response from an upstream server (thus ignoring future
responses to the query from other upstream servers), but a typo in that
commit means that REFUSED responses are accidentally being treated as
successful instead of SERVFAIL responses.

This commit corrects this typo and provides the behaviour intended by
commit 51967f9: SERVFAIL responses are considered successful (and will
be sent back to the requester), while REFUSED responses are considered
unsuccessful (and dnsmasq will wait for responses from other upstream
servers that haven't responded yet).
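
The forwarding decision debated in this thread, modelled as an added example; it is not dnsmasq code and not the patch in the linked pull request. The names `pick_reply`, `struct policy`, the constructed sample replies and the rule for what is sent when the deadline expires are assumptions made for illustration.

```c
#include <stdio.h>

enum { NOERROR = 0, SERVFAIL = 2, REFUSED = 5 };   /* DNS RCODEs, RFC 1035 */
struct reply  { int server, arrival_ms, rcode; };
/* Which failure RCODEs make the forwarder wait for another upstream. */
struct policy { int retry_on_refused, retry_on_servfail; };

static int unsuccessful(const struct policy *p, int rcode)
{
    return (rcode == REFUSED  && p->retry_on_refused) ||
           (rcode == SERVFAIL && p->retry_on_servfail);
}

/* r[] is sorted by arrival time. Returns the index of the reply sent to the
 * client, or -1 if nothing arrived by deadline_ms. Model assumption: if only
 * unsuccessful replies arrived in time, the latest one is sent, so the
 * client is answered before its own timeout. */
int pick_reply(const struct policy *p, const struct reply *r, size_t n,
               int deadline_ms)
{
    int fallback = -1;
    for (size_t i = 0; i < n && r[i].arrival_ms <= deadline_ms; i++) {
        if (!unsuccessful(p, r[i].rcode))
            return (int)i;      /* first acceptable reply wins */
        fallback = (int)i;      /* failure noted, keep waiting */
    }
    return fallback;
}

/* Constructed sample: four upstreams, the faulty one (server 2) is fastest. */
static const struct reply SAMPLE[] = {
    { 2, 8, SERVFAIL }, { 0, 15, REFUSED }, { 1, 30, NOERROR }, { 3, 42, NOERROR },
};
static const struct policy AS_COMMITTED = { 1, 0 };  /* per 4ace25c5 message */
static const struct policy AS_REQUESTED = { 1, 1 };  /* SERVFAIL retried too */

int forwarded_rcode(const struct policy *p, int deadline_ms)
{
    int i = pick_reply(p, SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0], deadline_ms);
    return i < 0 ? -1 : SAMPLE[i].rcode;
}

int main(void)
{
    printf("committed: rcode %d\n", forwarded_rcode(&AS_COMMITTED, 1000));
    printf("requested: rcode %d\n", forwarded_rcode(&AS_REQUESTED, 1000));
    printf("requested, 20 ms budget: rcode %d\n", forwarded_rcode(&AS_REQUESTED, 20));
    return 0;
}
```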



Re: [Dnsmasq-discuss] Dnsmasq-discuss Digest, Vol 138, Issue 13

2016-11-22 Thread Albert ARIBAUD
Hi Rahul,

On Tue, 22 Nov 2016 05:51:17 +
Rahul Jain wrote:

> Hi, thank you for the insight. Actually, I want this implementation
> on my router(which is running mipsel-linux), can't just simply
> install on it. Therefore, I have to run the binary there but I'm not
> getting the MAC address of the connected clients when I add the
> add-mac option in the conf file.

Ok, so IIUC, you do not have access to the source code of the system
installed on your router, and especially you do not have access to the
source code and build instructions to rebuild your router's dnsmasq.

But you do have access to the router's filesystem, right? So you can
inspect its services scripts and find out what it does and why the
add-mac option is not passed to dnsmasq.

Best regards,
-- 
Albert.
