Re: [Dnsmasq-discuss] Single-port mode for TFTP
No, there is a need to respond from exactly the same port which got the request. There is no way to configure a firewall and use a tftp-helper in Kubernetes; its environment is very dynamic and might use different backends, e.g. ipvs and iptables. Please read this issue for more information: https://github.com/kubernetes/kubernetes/issues/26718

On Tue, Dec 31, 2019, 07:20 john doe wrote:

> On 12/30/2019 6:34 PM, kvaps wrote:
> > On Mon, Dec 30, 2019 at 2:42 PM john doe wrote:
> >
> >> Isn't the below flag what you want from (1):
> >>
> >> "--tftp-port-range=,
> >> A TFTP server listens on a well-known port (69) for connection
> >> initiation, but it also uses a dynamically-allocated port for each
> >> connection. Normally these are allocated by the OS, but this option
> >> specifies a range of ports for use by TFTP transfers. This can be useful
> >> when TFTP has to traverse a firewall. The start of the range cannot be
> >> lower than 1025 unless dnsmasq is running as root. The number of
> >> concurrent TFTP connections is limited by the size of the port range."
> >>
> >> 1) http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
> >>
> >> --
> >> John Doe
> >
> > Hi John,
> >
> > Unfortunately it isn't working correctly:
> >
> > if I run dnsmasq with static port range:
> >
> > dnsmasq -d --enable-tftp --tftp-port-range=69,69
> >
> > It reports an error:
> >
> > dnsmasq-tftp: unable to get free port for TFTP
> >
> > when I try to download any file
>
> You can not specify 69 here, with the current implementation, you need
> to open another port for TFTP transfer.
>
> Can't you open two ports?
>
> Have you considered using a TFTP helper in your Firewall?
>
> --
> John Doe

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Single-port mode for TFTP
On 12/30/2019 6:34 PM, kvaps wrote:
> On Mon, Dec 30, 2019 at 2:42 PM john doe wrote:
>
>> Isn't the below flag what you want from (1):
>>
>> "--tftp-port-range=,
>> A TFTP server listens on a well-known port (69) for connection
>> initiation, but it also uses a dynamically-allocated port for each
>> connection. Normally these are allocated by the OS, but this option
>> specifies a range of ports for use by TFTP transfers. This can be useful
>> when TFTP has to traverse a firewall. The start of the range cannot be
>> lower than 1025 unless dnsmasq is running as root. The number of
>> concurrent TFTP connections is limited by the size of the port range."
>>
>> 1) http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
>>
>> --
>> John Doe
>
> Hi John,
>
> Unfortunately it isn't working correctly:
>
> if I run dnsmasq with static port range:
>
> dnsmasq -d --enable-tftp --tftp-port-range=69,69
>
> It reports an error:
>
> dnsmasq-tftp: unable to get free port for TFTP
>
> when I try to download any file

You can not specify 69 here, with the current implementation, you need
to open another port for TFTP transfer.

Can't you open two ports?

Have you considered using a TFTP helper in your Firewall?

--
John Doe
[Dnsmasq-discuss] [PATCH] Check for SERV_NO_REBIND on unqualified domains
Hello,

My home network has a DNS search domain of home.arpa and my machine's
dnsmasq instance is configured with:

server=/home.arpa/192.168.0.1
server=//192.168.0.1
stop-dns-rebind
rebind-domain-ok=home.arpa
rebind-domain-ok=// # Match unqualified domains

Querying my router's FQDN works as expected:

dnsmasq: query[A] gateway.home.arpa from 127.0.0.1
dnsmasq: forwarded gateway.home.arpa to 192.168.0.1
dnsmasq: reply gateway.home.arpa is 192.168.0.1

But using an unqualified domain name does not:

dnsmasq: query[A] gateway from 127.0.0.1
dnsmasq: forwarded gateway to 192.168.0.1
dnsmasq: possible DNS-rebind attack detected: gateway

The attached patch addresses this issue by checking for SERV_NO_REBIND
when handling dotless domains.

From 0460b07108b009cff06e29eac54910ec2e7fafce Mon Sep 17 00:00:00 2001
From: guns
Date: Mon, 30 Dec 2019 16:34:23 -0600
Subject: [PATCH] Check for SERV_NO_REBIND on unqualified domains

---
 src/forward.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/forward.c b/src/forward.c
index e4745a3..0919033 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -125,7 +125,9 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
   {
     unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
     *type = SERV_FOR_NODOTS;
-    if (serv->flags & SERV_NO_ADDR)
+    if ((serv->flags & SERV_NO_REBIND) && norebind)
+      *norebind = 1;
+    else if (serv->flags & SERV_NO_ADDR)
       flags = F_NXDOMAIN;
     else if (serv->flags & SERV_LITERAL_ADDRESS)
       {
-- 
2.24.1
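Review bot: the new `else if` chain means a SERV_FOR_NODOTS entry that carries SERV_NO_REBIND now skips the SERV_NO_ADDR and SERV_LITERAL_ADDRESS branches entirely; that is correct only because `rebind-domain-ok=//` creates its own entry with just SERV_NO_REBIND set, separate from the `server=//192.168.0.1` entry, so a one-line comment above `if ((serv->flags & SERV_NO_REBIND) && norebind)` stating that assumption would save the next reader from checking it. The commit message is also subject-only: carry the symptom from the mail (`possible DNS-rebind attack detected: gateway` for an unqualified name covered by `rebind-domain-ok=//`) into the body so the change is verifiable from the log alone.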
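To make the gap concrete, here is a small model of the rebind decision for qualified and unqualified names, run against the configuration quoted above. It is an added example, not dnsmasq's code: the server list is reduced to the domain, the SERV_NO_REBIND flag the patch tests, and the upstream address; the flag value, the function names and the `patched` switch are this example's own, and the "attack" outcome is simply "private answer with no whitelisting entry", which is what the log lines in the mail show.

```python
"""Model of dnsmasq's stop-dns-rebind decision for qualified vs unqualified
names, showing why rebind-domain-ok=// was ignored before the patch.

Added example, not dnsmasq code.  Only the option names and the SERV_NO_REBIND
flag name come from the mail; the flag value and the logic are constructed."""
import ipaddress

SERV_NO_REBIND = 0x1  # constructed value; only the name is from the patch


def parse_config(lines):
    """Read server=/dom/addr, server=//addr, rebind-domain-ok=dom and
    stop-dns-rebind lines.  A domain of '' stands for '//' (unqualified)."""
    servers, stop_rebind = [], False
    for line in lines:
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        key, _, value = line.partition("=")
        if key == "server":
            _, domain, upstream = value.split("/", 2)
            servers.append({"domain": domain, "flags": 0, "upstream": upstream})
        elif key == "rebind-domain-ok":
            servers.append({"domain": value.strip("/"), "flags": SERV_NO_REBIND,
                            "upstream": None})
        elif key == "stop-dns-rebind":
            stop_rebind = True
    return servers, stop_rebind


def matches(domain, qname):
    """'' matches only dotless names (the SERV_FOR_NODOTS case in the hunk);
    any other domain matches the name itself or anything under it."""
    if domain == "":
        return "." not in qname
    return qname == domain or qname.endswith("." + domain)


def rebind_whitelisted(servers, qname, patched):
    """Mirror of the search_servers() walk: does a matching entry carry
    SERV_NO_REBIND?  Unpatched, the dotless branch never looks at the flag."""
    for serv in servers:
        if not matches(serv["domain"], qname):
            continue
        if serv["domain"] == "" and not patched:
            continue                                   # flag not checked before the patch
        if serv["flags"] & SERV_NO_REBIND:
            return True
    return False


def rebind_attack_detected(config_lines, qname, answer, patched):
    """True when this model would log 'possible DNS-rebind attack detected'."""
    servers, stop_rebind = parse_config(config_lines)
    if not stop_rebind or not ipaddress.ip_address(answer).is_private:
        return False
    return not rebind_whitelisted(servers, qname, patched)


CONFIG = [  # the configuration from the mail above
    "server=/home.arpa/192.168.0.1",
    "server=//192.168.0.1",
    "stop-dns-rebind",
    "rebind-domain-ok=home.arpa",
    "rebind-domain-ok=// # Match unqualified domains",
]

if __name__ == "__main__":
    for name in ("gateway.home.arpa", "gateway"):
        for patched in (False, True):
            print(name, "patched" if patched else "unpatched",
                  rebind_attack_detected(CONFIG, name, "192.168.0.1", patched))
```

With `patched=False` the qualified name passes and the bare `gateway` is flagged, matching the two log excerpts; with `patched=True` both pass, while a private answer for a name outside both whitelists is still flagged, which is the property the patch must preserve.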
Re: [Dnsmasq-discuss] Single-port mode for TFTP
> dnsmasq -d --enable-tftp --tftp-port-range=1069,1069

No way, because in this case it should also listen on port 1069.

- kvaps

On Mon, Dec 30, 2019 at 9:11 PM Geert Stappers wrote:

> On Mon, Dec 30, 2019 at 06:36:49PM +0100, kvaps wrote:
> > On Mon, Dec 30, 2019 at 2:42 PM john doe wrote:
> > > Dec 30 2019, kvaps wrote:
> > > > ...
> > > Isn't the below flag what you want from (1):
> > >
> > > "--tftp-port-range=,
> > > A TFTP server listens on a well-known port (69) for connection
> > > initiation, but it also uses a dynamically-allocated port for each
> > > connection. Normally these are allocated by the OS, but this option
> > > specifies a range of ports for use by TFTP transfers. This can be useful
> > > when TFTP has to traverse a firewall. The start of the range cannot be
> > > lower than 1025 unless dnsmasq is running as root. The number of
> > > concurrent TFTP connections is limited by the size of the port range."
> > >
> > > 1) http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
> > >
> > Unfortunately it isn't working correctly, if I run dnsmasq with static port
> > range:
> >
> > dnsmasq -d --enable-tftp --tftp-port-range=69,69
> >
> > It reports an error:
> >
> > dnsmasq-tftp: unable to get free port for TFTP
> >
> > when I try to download any file from it
> > - kvaps
>
> dnsmasq -d --enable-tftp --tftp-port-range=1069,1069
Re: [Dnsmasq-discuss] Single-port mode for TFTP
On Mon, Dec 30, 2019 at 06:36:49PM +0100, kvaps wrote:
> On Mon, Dec 30, 2019 at 2:42 PM john doe wrote:
> > Dec 30 2019, kvaps wrote:
> > > ...
> > Isn't the below flag what you want from (1):
> >
> > "--tftp-port-range=,
> > A TFTP server listens on a well-known port (69) for connection
> > initiation, but it also uses a dynamically-allocated port for each
> > connection. Normally these are allocated by the OS, but this option
> > specifies a range of ports for use by TFTP transfers. This can be useful
> > when TFTP has to traverse a firewall. The start of the range cannot be
> > lower than 1025 unless dnsmasq is running as root. The number of
> > concurrent TFTP connections is limited by the size of the port range."
> >
> > 1) http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
> >
> Unfortunately it isn't working correctly, if I run dnsmasq with static port
> range:
>
> dnsmasq -d --enable-tftp --tftp-port-range=69,69
>
> It reports an error:
>
> dnsmasq-tftp: unable to get free port for TFTP
>
> when I try to download any file from it
> - kvaps

dnsmasq -d --enable-tftp --tftp-port-range=1069,1069
Re: [Dnsmasq-discuss] Single-port mode for TFTP
On Mon, Dec 30, 2019 at 2:42 PM john doe wrote:
> Isn't the below flag what you want from (1):
>
> "--tftp-port-range=,
> A TFTP server listens on a well-known port (69) for connection
> initiation, but it also uses a dynamically-allocated port for each
> connection. Normally these are allocated by the OS, but this option
> specifies a range of ports for use by TFTP transfers. This can be useful
> when TFTP has to traverse a firewall. The start of the range cannot be
> lower than 1025 unless dnsmasq is running as root. The number of
> concurrent TFTP connections is limited by the size of the port range."
>
> 1) http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
>
> --
> John Doe

Hi John,

Unfortunately it isn't working correctly, if I run dnsmasq with static port
range:

dnsmasq -d --enable-tftp --tftp-port-range=69,69

It reports an error:

dnsmasq-tftp: unable to get free port for TFTP

when I try to download any file from it

- kvaps
Re: [Dnsmasq-discuss] Single-port mode for TFTP
On 12/30/2019 12:51 PM, kvaps wrote:
> Hi Simon,
>
> We're happy to use dnsmasq to organize network booting in Kubernetes; it
> has everything needed: DNS, DHCP and TFTP servers.
>
> The only problem is that the TFTP protocol in its reference implementation
> is not working behind NAT, because it always sends reply packets from a
> random port.
>
> Note that Kubernetes uses NAT for external services, so it's not possible
> to run a TFTP server for external clients there. There is one proposed
> solution for that; it suggests moving away from the RFC and implementing a
> --single-port option to always reply from the same port which was
> requested by the client.
>
> In this way, the TFTP packets can simply be NAT'ed back to the client side.
>
> Take a look at the unique features of the go-tftp implementation:
> https://github.com/vcabbage/go-tftp#unique-features
>
> And its command line client:
> https://github.com/kvaps/trivialt/

Isn't the below flag what you want from (1):

"--tftp-port-range=,
A TFTP server listens on a well-known port (69) for connection
initiation, but it also uses a dynamically-allocated port for each
connection. Normally these are allocated by the OS, but this option
specifies a range of ports for use by TFTP transfers. This can be useful
when TFTP has to traverse a firewall. The start of the range cannot be
lower than 1025 unless dnsmasq is running as root. The number of
concurrent TFTP connections is limited by the size of the port range."

1) http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

--
John Doe
[Dnsmasq-discuss] Single-port mode for TFTP
Hi Simon,

We're happy to use dnsmasq to organize network booting in Kubernetes; it
has everything needed: DNS, DHCP and TFTP servers.

The only problem is that the TFTP protocol in its reference implementation
is not working behind NAT, because it always sends reply packets from a
random port.

Note that Kubernetes uses NAT for external services, so it's not possible
to run a TFTP server for external clients there. There is one proposed
solution for that; it suggests moving away from the RFC and implementing a
--single-port option to always reply from the same port which was
requested by the client.

In this way, the TFTP packets can simply be NAT'ed back to the client side.

Take a look at the unique features of the go-tftp implementation:
https://github.com/vcabbage/go-tftp#unique-features

And its command line client:
https://github.com/kvaps/trivialt/

Best regards
- kvaps
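The NAT failure described in the post above, as an added example that is not part of the thread and is not dnsmasq, go-tftp or Kubernetes code: a constructed service DNAT with a conntrack-style table keyed on the full UDP tuple, and a minimal TFTP server that answers an RRQ with block 1 either from a fresh transfer port (RFC 1350 behaviour) or from the port the request arrived on (the proposed --single-port mode). All addresses, the file contents and the class and function names are this example's own.

```python
"""Why a stock TFTP server fails behind a stateful NAT, and why replying from
the request's own port (the proposed --single-port mode) does not.

Added example; the NAT and server below are constructed, simplified stand-ins,
not dnsmasq, go-tftp or Kubernetes code."""
import struct

OP_RRQ, OP_DATA = 1, 3
TFTP_PORT = 69


def rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP Read Request (RFC 1350, opcode 1)."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def data_packet(block: int, payload: bytes) -> bytes:
    """Encode a TFTP DATA packet (opcode 3) for one block."""
    return struct.pack("!HH", OP_DATA, block) + payload


def parse_data(pkt: bytes):
    """Return (block, payload) for a DATA packet, None for anything else."""
    if len(pkt) < 4:
        return None
    opcode, block = struct.unpack("!HH", pkt[:4])
    return (block, pkt[4:]) if opcode == OP_DATA else None


class ServiceNat:
    """Service DNAT (constructed model): a request to service_ip:69 is rewritten
    to backend_ip:69 and a conntrack entry records the reply tuple that will be
    translated back.  The reply must come from backend_ip:69, the exact endpoint
    the request was delivered to; any other backend port matches no entry."""

    def __init__(self, service_ip: str, backend_ip: str):
        self.service_ip, self.backend_ip = service_ip, backend_ip
        self.conntrack = {}  # (expected reply source, client) -> original dst

    def forward_request(self, client, dst):
        if dst != (self.service_ip, TFTP_PORT):
            return None
        backend = (self.backend_ip, TFTP_PORT)
        self.conntrack[(backend, client)] = dst
        return backend

    def forward_reply(self, reply_src, client):
        """Translated source for the client, or None if no state matches."""
        return self.conntrack.get((reply_src, client))


class TftpServer:
    """Answers an RRQ with block 1 of a constructed file.
    single_port=False: RFC 1350, a fresh transfer port for every request.
    single_port=True:  reply from the port the request arrived on."""

    def __init__(self, ip: str, files: dict, single_port: bool):
        self.ip, self.files, self.single_port = ip, files, single_port
        self.next_transfer_port = 40000

    def handle(self, request_port: int, pkt: bytes):
        if struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
            return None
        filename = pkt[2:].split(b"\0")[0].decode()
        if self.single_port:
            port = request_port
        else:
            port = self.next_transfer_port
            self.next_transfer_port += 1
        return (self.ip, port), data_packet(1, self.files[filename][:512])


def simulate(single_port: bool):
    """Push one RRQ through the NAT.  Returns the (block, payload) the client
    receives from the service address, or None when the NAT has no state for
    the reply (it then leaves with the pod's own unroutable source address)."""
    client = ("203.0.113.10", 50000)                          # constructed
    nat = ServiceNat(service_ip="198.51.100.5", backend_ip="10.244.1.7")
    server = TftpServer("10.244.1.7", {"pxelinux.0": b"constructed boot image"},
                        single_port)
    backend = nat.forward_request(client, ("198.51.100.5", TFTP_PORT))
    reply_src, reply = server.handle(backend[1], rrq("pxelinux.0"))
    if nat.forward_reply(reply_src, client) is None:
        return None
    return parse_data(reply)


if __name__ == "__main__":
    print("RFC 1350 server behind service NAT:", simulate(single_port=False))
    print("single-port server behind service NAT:", simulate(single_port=True))
```

The model only looks at the first DATA block, because that is where the port change happens: once the client has accepted the server's new transfer port the rest of an RFC 1350 transfer stays on it. Both a --tftp-port-range and a firewall TFTP helper work by making that second port predictable or by tracking it; single-port mode removes it instead, which is why no per-backend conntrack state is needed.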