Re: [Dnsmasq-discuss] Single-port mode for TFTP
On 30/12/2019 11:51, kvaps wrote:
> Hi Simon,
>
> We're happy to use dnsmasq to organize network booting in Kubernetes;
> it has everything needed: DNS, DHCP and TFTP servers.
>
> The only problem is that the TFTP protocol in its reference implementation
> does not work behind NAT, because it always sends reply packets from a
> random port.
>
> Note that Kubernetes uses NAT for external services, so it's not
> possible to run a TFTP server for external clients there. There is one
> proposed solution for that: it suggests moving away from the RFC and
> implementing a --single-port option to always reply from the same port
> that was requested by the client.
>
> In this way, the TFTP packets can be simply NAT'ed back to the client side.
>
> Take a look at the unique features of the go-tftp implementation:
> https://github.com/vcabbage/go-tftp#unique-features
>
> And its command line client:
> https://github.com/kvaps/trivialt/
>
> Best regards
> - kvaps
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Patch done. --tftp-single-port is an option. I tested with all the tftp clients easily available and it worked fine.

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=66f62650c353e901264a4cf0729d35dbc0ae284d

Simon.
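To make the single-port behaviour concrete, here is an added example (not dnsmasq's code) of a minimal read-only TFTP server that answers from the socket the RRQ arrived on, plus a client that records which source port every DATA packet came from; a standard RFC 1350 server would show a second, random port in that set, which is exactly what a NAT cannot map back. Host, file name and payload are constructed for the demo.

```python
import socket
import struct
import threading

BLOCK = 512
OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4
HOST = "127.0.0.1"   # constructed loopback demo

def serve_single_port(sock, payload):
    """Answer one RRQ from the socket it arrived on, instead of opening a fresh
    socket (random TID port) per transfer as RFC 1350 servers do."""
    req, client = sock.recvfrom(1024)
    if struct.unpack("!H", req[:2])[0] != OP_RRQ:
        return
    blocks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)] or [b""]
    if len(blocks[-1]) == BLOCK:
        blocks.append(b"")                      # a short final block ends the transfer
    for n, chunk in enumerate(blocks, 1):
        sock.sendto(struct.pack("!HH", OP_DATA, n) + chunk, client)
        sock.recvfrom(4)                        # block until the client ACKs block n

def fetch(server_port, filename):
    """Client side: send RRQ, ACK each DATA block to the port it came from, and
    record every source port seen so the caller can tell which mode the server used."""
    c = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    c.settimeout(2)
    c.sendto(struct.pack("!H", OP_RRQ) + filename + b"\0octet\0", (HOST, server_port))
    data, ports = b"", set()
    while True:
        pkt, (_, port) = c.recvfrom(4 + BLOCK)
        ports.add(port)
        _op, n = struct.unpack("!HH", pkt[:4])
        data += pkt[4:]
        c.sendto(struct.pack("!HH", OP_ACK, n), (HOST, port))
        if len(pkt) - 4 < BLOCK:
            c.close()
            return data, ports

def demo(payload=b"x" * 1000):
    """Returns (payload intact?, every DATA packet came from the listening port?)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))
    s.settimeout(2)
    listen_port = s.getsockname()[1]
    t = threading.Thread(target=serve_single_port, args=(s, payload))
    t.start()
    data, ports = fetch(listen_port, b"boot.img")
    t.join()
    s.close()
    return data == payload, ports == {listen_port}
```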
Re: [Dnsmasq-discuss] [PATCH] Check for SERV_NO_REBIND on unqualified domains
On 30/12/2019 23:07, Sung Pae wrote:
> Hello,
>
> My home network has a DNS search domain of home.arpa and my machine's dnsmasq
> instance is configured with:
>
> server=/home.arpa/192.168.0.1
> server=//192.168.0.1
> stop-dns-rebind
> rebind-domain-ok=home.arpa
> rebind-domain-ok=// # Match unqualified domains
>
> Querying my router's FQDN works as expected:
>
> dnsmasq: query[A] gateway.home.arpa from 127.0.0.1
> dnsmasq: forwarded gateway.home.arpa to 192.168.0.1
> dnsmasq: reply gateway.home.arpa is 192.168.0.1
>
> But using an unqualified domain name does not:
>
> dnsmasq: query[A] gateway from 127.0.0.1
> dnsmasq: forwarded gateway to 192.168.0.1
> dnsmasq: possible DNS-rebind attack detected: gateway
>
> The attached patch addresses this issue by checking for SERV_NO_REBIND when
> handling dotless domains.

Patch applied, thanks.

Simon.
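The matching rule the patch fixes, as an added example (not dnsmasq's code): the empty suffix written as `rebind-domain-ok=//` must match only dotless names, and a private-range answer is flagged only when the name matches no allowed suffix. Python's `ipaddress.is_private` stands in for dnsmasq's own private-address test, and the log lines are constructed in the format seen above.

```python
import ipaddress

# Constructed to mirror the reported configuration: "" is what rebind-domain-ok=// denotes.
REBIND_OK = ["home.arpa", ""]

def domain_matches(name, suffix):
    """Suffix match for rebind-domain-ok entries. The empty suffix (the // form)
    matches only unqualified, dotless names, which is the case the patch adds."""
    if suffix == "":
        return "." not in name
    return name == suffix or name.endswith("." + suffix)

def rebind_suspect(name, answer, rebind_ok):
    """Approximate stop-dns-rebind: a private-range answer for a name outside every
    allowed suffix is a rebind suspect. Returns True when the reply would be dropped."""
    ip = ipaddress.ip_address(answer)
    if not ip.is_private:           # assumption: stands in for dnsmasq's private test
        return False
    return not any(domain_matches(name, s) for s in rebind_ok)

def check_log(lines, rebind_ok):
    """Run the check over 'dnsmasq: reply NAME is ADDR' lines; name -> suspect?"""
    verdicts = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "reply" and parts[3] == "is":
            try:
                verdicts[parts[2]] = rebind_suspect(parts[2], parts[4], rebind_ok)
            except ValueError:      # non-address replies (NXDOMAIN, CNAME) are skipped
                pass
    return verdicts

SAMPLE_LOG = [                      # constructed sample lines
    "dnsmasq: reply gateway.home.arpa is 192.168.0.1",
    "dnsmasq: reply gateway is 192.168.0.1",
    "dnsmasq: reply rebinder.example.net is 192.168.0.1",
    "dnsmasq: reply www.example.net is 93.184.216.34",
]
```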
Re: [Dnsmasq-discuss] dnsmasq can be tricked to send invalid RAs
On 05/01/2020 13:25, Michal Zatloukal wrote:
> Hello.
> I recently decided to move my dnsmasq+6in4 tunnel setup from Raspbian
> to the latest Ubuntu. To keep a long story short, after some
> (mis)configuration I ended up with an interface with an IPv6 GUA, but
> with no LLA [0] (a bug/oversight in netplan, I guess [1]). dnsmasq
> does not protest this and will send RAs sourced with the GUA, which will
> fail validation according to RFC 4861, section 6.1.2.
> Not really a problem for my case (AFAIK, an interface should never
> lose/stay without its LLA), just thought you should know.
>
> Cheers,
> MZ
>
> [0] Should be reproducible by:
> ip addr add dev 2001:db8::1/64
> ip -6 addr flush dev scope link
> Then for dnsmasq config, use
> dhcp-range=::,constructor:,ra-names
> [1] https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/1810971

I don't seem to be able to reproduce this easily; the ip -6 addr flush either doesn't delete the LL address, or it gets added back in very short order.

Nevertheless, http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=378fa56888767ff58762a338c3425647b98bf59e should fix the problem if and when it occurs.

Cheers,

Simon.
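Why a GUA-sourced RA is silently dropped, as an added example (not dnsmasq's code): a receiver-side check of the RFC 4861 section 6.1.2 rules over a constructed RA packet, plus the sender-side rule the fix above amounts to, namely refusing to send when the interface has no fe80::/10 address. Addresses and the packet builder are constructed for the demo; the ICMPv6 checksum is left zero because it is not among the rules checked here.

```python
import ipaddress
import struct

def build_ra(src, dst="ff02::1", hop_limit=255, code=0):
    """Construct a minimal IPv6 header + ICMPv6 Router Advertisement (type 134)."""
    icmp = struct.pack("!BBHBBHII", 134, code, 0, 64, 0, 1800, 0, 0)  # checksum 0
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)  # next hdr 58
    return ip6 + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + icmp

def validate_ra(pkt):
    """Receiver checks from RFC 4861 6.1.2; returns the first failing rule or None."""
    hop_limit = pkt[7]
    src = ipaddress.ip_address(pkt[8:24])
    icmp = pkt[40:]
    if not src.is_link_local:
        return "source is not link-local"
    if hop_limit != 255:
        return "hop limit is not 255"
    if icmp[1] != 0:
        return "ICMP code is not 0"
    if len(icmp) < 16:
        return "ICMP length < 16"
    return None

def pick_ra_source(addresses):
    """Sender side: only an fe80::/10 address may source an RA. None means the
    interface has no usable source and the RA must not be sent at all."""
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip.version == 6 and ip.is_link_local:
            return a
    return None
```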
[Dnsmasq-discuss] dnsmasq can be tricked to send invalid RAs
Hello.
I recently decided to move my dnsmasq+6in4 tunnel setup from Raspbian
to the latest Ubuntu. To keep a long story short, after some
(mis)configuration I ended up with an interface with an IPv6 GUA, but
with no LLA [0] (a bug/oversight in netplan, I guess [1]). dnsmasq
does not protest this and will send RAs sourced with the GUA, which will
fail validation according to RFC 4861, section 6.1.2.
Not really a problem for my case (AFAIK, an interface should never
lose/stay without its LLA), just thought you should know.

Cheers,
MZ

[0] Should be reproducible by:
ip addr add dev 2001:db8::1/64
ip -6 addr flush dev scope link
Then for dnsmasq config, use
dhcp-range=::,constructor:,ra-names
[1] https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/1810971