Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs

2020-07-21 Thread László Károlyi
dnsmasq needs to listen on all IPs on the lo0 interface _except_ for the
one unbound also listens on (in this case, 127.0.0.20), so that the
jailed processes have dnsmasq to communicate with, and then dnsmasq can
query unbound for 'outside' DNS resolution on its own jail IP. The
latter happens via IPv6 only now, as dnsmasq refuses to use 127.0.0.20
with its current config; however, according to sockstat, it listens on
the wildcard interface despite its log message:

USER COMMAND    PID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
nobody   dnsmasq    99396 4  udp4   *:53  *:*
nobody   dnsmasq    99396 5  tcp4   *:53  *:*
nobody   dnsmasq    99396 6  udp6   *:53  *:*
nobody   dnsmasq    99396 7  tcp6   *:53  *:*
nobody   dnsmasq    99396 10 dgram  (not connected)

Unbound listens on 127.0.0.20:

USER COMMAND    PID   FD PROTO  LOCAL ADDRESS FOREIGN ADDRESS
unbound  unbound    29892 3  udp6   2a01:4f8:241:15df::32:53 *:*
unbound  unbound    29892 4  tcp6   2a01:4f8:241:15df::32:53 *:*
unbound  unbound    29892 5  udp4   127.0.0.20:53 *:*
unbound  unbound    29892 6  tcp4   127.0.0.20:53 *:*

When testing, dnsmasq responds to all internal hostname queries on
127.0.0.x except for 127.0.0.20, so it seems to listen on all
interfaces. The FreeBSD kernel gives preference to the IP-bound
(non-wildcard) socket when connecting to that socket for querying; see
querying an inner jail name, jail-mariadb:

# host jail-mariadb 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

jail-mariadb has address 127.0.0.24
jail-mariadb has IPv6 address 2a01:4f8:241:15df::21

# host jail-mariadb 127.0.0.5
Using domain server:
Name: 127.0.0.5
Address: 127.0.0.5#53
Aliases:

jail-mariadb has address 127.0.0.24
jail-mariadb has IPv6 address 2a01:4f8:241:15df::21

# host jail-mariadb 127.0.0.20
Using domain server:
Name: 127.0.0.20
Address: 127.0.0.20#53
Aliases:

Host jail-mariadb not found: 3(NXDOMAIN)

Both 127.0.0.1 and 127.0.0.5 are responses from dnsmasq, but 127.0.0.20
is a response from unbound. This is desired, in order for the jailed
processes to be able to use DNS resolution from within.

What I'm trying to achieve is to make dnsmasq query 127.0.0.20 knowing
the facts above, as specified in the /usr/local/etc/dnsmasq-resolv.conf:

nameserver 127.0.0.20
nameserver 2a01:4f8:241:15df::32

Basically, the jails talk to their own assigned internal IPs when
querying (not 127.0.0.1; that won't work because the DNS response gets
dropped, as the response comes from the jail's internal IP and not
127.0.0.1), which is why dnsmasq has to listen on them. Then dnsmasq will
talk to the unbound jail's IP address (127.0.0.20) when querying for
outside DNS.

Sounds complicated, but this is what I'd like to get done, so it would
work with both IPv6 AND IPv4.

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-21 17:00, Petr Menšík wrote:
> How should unbound listen on lo0 if dnsmasq is already listening there?
> I do not know BSD. Linux would not permit dnsmasq listening on wildcard
> socket and unbound listening on the same port.
>
> I think listen-address would listen just on 127.0.0.1. interface=lo0
> should not be necessary. At least on the Linux kernel, it means listening on
> ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs a
> different port to listen on or a different interface. I think that is not
> what you want.
>
> What are the contents of /usr/local/etc/dnsmasq-resolv.conf?
> I think no-resolv should be used as well to prevent reading
> /etc/resolv.conf.


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
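A small model of the socket-selection rule the post above relies on (an exact-address bind beats a wildcard bind on the same port) and of which resolv-file upstreams would loop back to the forwarder itself. This is an added example, not code from dnsmasq, unbound or the thread; the listener table is constructed from the sockstat output quoted in the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    process: str
    proto: str     # "udp4" or "udp6"
    address: str   # "*" is a wildcard bind


# Constructed from the two sockstat listings in the post (port 53, UDP only).
LISTENERS = [
    Listener("dnsmasq", "udp4", "*"),
    Listener("dnsmasq", "udp6", "*"),
    Listener("unbound", "udp4", "127.0.0.20"),
    Listener("unbound", "udp6", "2a01:4f8:241:15df::32"),
]


def proto_for(address: str) -> str:
    return "udp6" if ":" in address else "udp4"


def who_answers(dest: str, listeners=LISTENERS):
    """Process that receives a query sent to `dest`, or None if nothing
    listens there. A socket bound to the exact address wins over a
    wildcard bind on the same protocol, which is the kernel rule the
    `host jail-mariadb 127.0.0.x` tests in the post demonstrate."""
    proto = proto_for(dest)
    exact = [s for s in listeners if s.proto == proto and s.address == dest]
    if exact:
        return exact[0].process
    wild = [s for s in listeners if s.proto == proto and s.address == "*"]
    return wild[0].process if wild else None


def classify_upstreams(forwarder: str, nameservers, listeners=LISTENERS):
    """Map each upstream from a resolv file to who would answer it.
    "loop" marks an upstream that lands back on the forwarder's own
    socket, the condition a local-address check exists to prevent;
    on this host 127.0.0.20 is served by unbound, so forwarding there
    is not a loop even though the address sits on lo0."""
    verdict = {}
    for ns in nameservers:
        owner = who_answers(ns, listeners)
        if owner is None:
            verdict[ns] = "unreachable"
        elif owner == forwarder:
            verdict[ns] = "loop"
        else:
            verdict[ns] = owner
    return verdict


if __name__ == "__main__":
    for dest in ("127.0.0.1", "127.0.0.5", "127.0.0.20"):
        print(dest, "->", who_answers(dest))
    # Upstreams from dnsmasq-resolv.conf, plus 127.0.0.1 to show a loop.
    print(classify_upstreams("dnsmasq",
                             ["127.0.0.20", "2a01:4f8:241:15df::32", "127.0.0.1"]))
```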


Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs

2020-07-21 Thread Petr Menšík
How should unbound listen on lo0 if dnsmasq is already listening there?
I do not know BSD. Linux would not permit dnsmasq listening on wildcard
socket and unbound listening on the same port.

I think listen-address would listen just on 127.0.0.1. interface=lo0
should not be necessary. At least on the Linux kernel, it means listening on
ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs a
different port to listen on or a different interface. I think that is not
what you want.

What are the contents of /usr/local/etc/dnsmasq-resolv.conf?
I think no-resolv should be used as well to prevent reading
/etc/resolv.conf.

On 7/21/20 3:18 PM, László Károlyi wrote:
> I've already added listen-address=127.0.0.1 to it, as it's the host
> env's IP address.
> 
> bind-interfaces has to be commented out, otherwise the jails will have
> problems resolving (it's a FreeBSD host-jail resolution specific thing)
Is there a good explanation of how this should work? How exactly are the
addresses on the loopback device configured? Is unbound listening on lo1?
> 
> Why would you want me to use except-interface=lo0? I _want_ it to listen
> on lo0.
What does ifconfig lo0 look like? Do you want to listen on all its addresses?

> 
> For the sake of clarity, here's my cleaned dnsmasq.conf:
> 
> domain-needed
> conf-file=/usr/local/share/dnsmasq/trust-anchors.conf
> dnssec
> dnssec-check-unsigned
> resolv-file=/usr/local/etc/dnsmasq-resolv.conf
> interface=lo0
> listen-address=127.0.0.1
> no-dhcp-interface=lo0
> local-ttl=5
> dhcp-name-match=set:wpad-ignore,wpad
> dhcp-ignore-names=tag:wpad-ignore
> rebind-domain-ok=/rfc-ignorant.org/sorbs.net/uribl.com/surbl.org/dnswl.org/njabl.org/spamhaus.org/spamcop.net/barracudacentral.org/
> 
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
> 
> On 2020-07-21 14:42, Petr Menšík wrote:
>> I would check what addresses it is listening on. I think it considers
>> all loopback addresses its own. Probably because it would accept queries
>> to that address if you stop unbound.
>>
>> It might help, if you configured it with this:
>> bind-interfaces
>> except-interface=lo0
>> listen-address=127.0.0.21
>>
>> It would listen only on 127.0.0.21 and consider all other addresses not
>> its own. I think it should send queries there. It should then accept:
>> server=127.0.0.20
>> without ignoring it this way.
>>
>> On 7/20/20 4:35 PM, László Károlyi wrote:
>>> Hi Petr,
>>>
>>> as you have seen in the original email, it is dnsmasq that refuses to
>>> use the lo0 interface to communicate with the IP 127.0.0.20:
>>>
>>> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
>>> local interface
>>>
>>> When querying manually from the host env to the jailed unbound, I get
>>> proper DNS responses. This was something I did pay extra attention to
>>> get it working from the get-go. See:
>>>
>>> Citing my configs here makes no sense as you can see it's working already.
>>>
>>> Cheers,
>>> --
>>> László Károlyi
>>> http://linkedin.com/in/karolyi
>>>
>>> On 2020-07-20 16:12, Petr Menšík wrote:
>>>> Hi László,
>>>>
>>>> are you sure it is dnsmasq that is rejecting the communication?
>>>> Unbound has by default disabled communication on localhost. If you have
>>>> any other servers running along it, you have to use:
>>>>
>>>> do-not-query-localhost: no
>>>>
>>>> to override defaults. But that has to be done on unbound side. AFAIK
>>>> dnsmasq does not have any such limitation. It does limit only
>>>> per-interface; all that is required is to configure interface=lo, which is
>>>> enabled by default.
>>>>
>>>> How many interface= statements do you have in configuration? Is
>>>> localhost included?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB





Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs

2020-07-21 Thread László Károlyi
I've already added listen-address=127.0.0.1 to it, as it's the host
env's IP address.

bind-interfaces has to be commented out, otherwise the jails will have
problems resolving (it's a FreeBSD host-jail resolution specific thing)

Why would you want me to use except-interface=lo0? I _want_ it to listen
on lo0.

For the sake of clarity, here's my cleaned dnsmasq.conf:

domain-needed
conf-file=/usr/local/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
resolv-file=/usr/local/etc/dnsmasq-resolv.conf
interface=lo0
listen-address=127.0.0.1
no-dhcp-interface=lo0
local-ttl=5
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
rebind-domain-ok=/rfc-ignorant.org/sorbs.net/uribl.com/surbl.org/dnswl.org/njabl.org/spamhaus.org/spamcop.net/barracudacentral.org/

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-21 14:42, Petr Menšík wrote:
> I would check what addresses it is listening on. I think it considers
> all loopback addresses its own. Probably because it would accept queries
> to that address if you stop unbound.
>
> It might help, if you configured it with this:
> bind-interfaces
> except-interface=lo0
> listen-address=127.0.0.21
>
> It would listen only on 127.0.0.21 and consider all other addresses not
> its own. I think it should send queries there. It should then accept:
> server=127.0.0.20
> without ignoring it this way.
>
> On 7/20/20 4:35 PM, László Károlyi wrote:
>> Hi Petr,
>>
>> as you have seen in the original email, it is dnsmasq that refuses to
>> use the lo0 interface to communicate with the IP 127.0.0.20:
>>
>> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
>> local interface
>>
>> When querying manually from the host env to the jailed unbound, I get
>> proper DNS responses. This was something I did pay extra attention to
>> get it working from the get-go. See:
>>
>> Citing my configs here makes no sense as you can see it's working already.
>>
>> Cheers,
>> --
>> László Károlyi
>> http://linkedin.com/in/karolyi
>>
>> On 2020-07-20 16:12, Petr Menšík wrote:
>>> Hi László,
>>>
>>> are you sure it is dnsmasq that is rejecting the communication?
>>> Unbound has by default disabled communication on localhost. If you have
>>> any other servers running along it, you have to use:
>>>
>>> do-not-query-localhost: no
>>>
>>> to override defaults. But that has to be done on unbound side. AFAIK
>>> dnsmasq does not have any such limitation. It does limit only
>>> per-interface; all that is required is to configure interface=lo, which is
>>> enabled by default.
>>>
>>> How many interface= statements do you have in configuration? Is
>>> localhost included?




Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs

2020-07-21 Thread Petr Menšík
I would check what addresses it is listening on. I think it considers
all loopback addresses its own. Probably because it would accept queries
to that address if you stop unbound.

It might help, if you configured it with this:
bind-interfaces
except-interface=lo0
listen-address=127.0.0.21

It would listen only on 127.0.0.21 and consider all other addresses not
its own. I think it should send queries there. It should then accept:
server=127.0.0.20
without ignoring it this way.

On 7/20/20 4:35 PM, László Károlyi wrote:
> Hi Petr,
> 
> as you have seen in the original email, it is dnsmasq that refuses to
> use the lo0 interface to communicate with the IP 127.0.0.20:
> 
> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
> local interface
> 
> When querying manually from the host env to the jailed unbound, I get
> proper DNS responses. This was something I did pay extra attention to
> get it working from the get-go. See:
> 
> Citing my configs here makes no sense as you can see it's working already.
> 
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
> 
> On 2020-07-20 16:12, Petr Menšík wrote:
>> Hi László,
>>
>> are you sure it is dnsmasq that is rejecting the communication?
>> Unbound has by default disabled communication on localhost. If you have
>> any other servers running along it, you have to use:
>>
>> do-not-query-localhost: no
>>
>> to override defaults. But that has to be done on unbound side. AFAIK
>> dnsmasq does not have any such limitation. It does limit only
>> per-interface; all that is required is to configure interface=lo, which is
>> enabled by default.
>>
>> How many interface= statements do you have in configuration? Is
>> localhost included?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB





Re: [Dnsmasq-discuss] [PATCH v2] DHCPv6: Honor assigning IPv6 address based on MAC address

2020-07-21 Thread Petr Menšík
I think it would be more correct to use the same DUID on both systems.

There is already another option to make this work. It is possible to
assign an IPv6 prefix or multiple addresses. dhcp-host can provide
multiple addresses to a single MAC, which works with different DUIDs quite
well. It still has different addresses, but with the same base.

Taken from the manual page:
--dhcp-host=laptop,[1234:50/126]

Why isn't this sufficient?

On 5/26/20 10:52 AM, Pali Rohár wrote:
> On Thursday 21 May 2020 16:22:03 Geert Stappers wrote:
>> On Sun, May 03, 2020 at 01:23:15PM +0200, Pali Rohár wrote:
>>> Currently IPv6 addresses are assigned to the tuple (IAID, DUID). When a system
>>> changes its IAID/DUID then the old assigned IPv6 address cannot be reused, even
>>> when the config file specified DHCPv6 assignment based on MAC address (and not on
>>> DUID).
>>>
>>> IAID/DUID is changed when rebooting from one operating system to another,
>>> or after reinstalling the system. In reality it is normal that the DUID of some
>>> machine changes, so people rather assign IPv6 addresses based on
>>> MAC address as well.
>>>
>>> So assigning IPv6 based on MAC address in dnsmasq is currently semi-broken.
>>
>> How to reproduce that semi-brokenness?
> 
> Take a computer with Windows/Linux dual-boot systems.
> 
> Configure a MAC-based static IPv6 entry for that computer in dnsmasq and
> set a big enough lease time (e.g. a day or more).
> 
> Boot the computer into Windows and wait until dnsmasq assigns it an IPv6
> address. It should match the MAC-based entry in dnsmasq. Then reboot the
> computer into the Linux system and again wait until it gets assigned an IPv6
> address.
> 
> Normally it should get the same IPv6 address again as was assigned on
> Windows, due to the MAC-based static IPv6 entry in dnsmasq.
> 
> But in reality that static entry is ignored by dnsmasq and rather some
> "random" address is assigned.
> 
> So assigning IPv6 addresses based on static MAC address in dnsmasq is
> broken.
> 
> You can reproduce it not only with Windows/Linux, but with any two
> DHCPv6 clients which use different IAID/DUID. E.g. a PXE DHCPv6 client
> (for network booting) and a Linux DHCPv6 client.
> 
> dnsmasq without this patch refuses to assign the MAC-based IPv6 static
> address to the computer with that MAC address, if that IPv6 address is still
> leased to a DHCPv6 client with a different IAID.
> 
> In my above example/reproducer, the IPv6 address was leased to the Windows
> DHCPv6 client and therefore dnsmasq refused to assign it to the Linux DHCPv6
> client, which in most cases has a different IAID. Even though both clients
> (Windows and Linux) are on the same computer with the same MAC address,
> which matches the MAC address in the dnsmasq configuration file.
> 
> That is why I called IPv6 address assignment according to MAC address
> "semi-brokenness".
> 
>>  
>>> This patch tries to fix it and honors IPv6 config rules with MAC address,
>>> to always assign a particular IPv6 address to a specific MAC address (when
>>> configured), ignoring whether IAID/DUID was changed.
>>>
>>> Normally an IPv6 address should be assigned by IAID/DUID (as the DHCPv6 RFCs
>>> also state), but dnsmasq already has some support for assigning an IPv6
>>> address based on MAC address, when users configure it in the config file.
>>>
>>> So this patch just tries to fix the above problem for user configurations with
>>> MAC addresses. It does not change assignment based on DUID.
>>> ---
>>>
>>> This is my original patch rebased on top of current git master branch.
>>
>> Acknowledge
>>
>>
>>> Previous email with this patch probably dropped into spambox
>>> and was not processed.
>>
>>  (unspoken words +
>>   
>> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2020q2/014018.html )
>>
>>
>>> So please let me know if now this email was correctly received.
>>  
>> Received the patch and was able to `git am` it.
>> It did compile and passed the unittests.
>>
>> No further check was done, mostly because I am not facing the problem that the
>> patch submitter has. Probably some day I will, hence the above 'How to
>> reproduce that semi-brokenness?'
>>
>>
>>>  src/rfc3315.c | 55 +++
>>>  1 file changed, 47 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/src/rfc3315.c b/src/rfc3315.c
>>> index b3f0a0a..e588b13 100644
>>> --- a/src/rfc3315.c
>>> +++ b/src/rfc3315.c
>>  ... 142 lines of actual patch ...
>>
>>
>> Groeten
>> Geert Stappers
>> -- 
>> Silence is hard to parse
>>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
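A model of the lease conflict described in this thread: DHCPv6 leases are keyed by (IAID, DUID), so a dhcp-host entry keyed by MAC address cannot be honoured while the address is still leased to the previous identity of the same machine. This is an added example, not the patch or dnsmasq's lease code; the `honor_mac` switch stands in for the behaviour the patch proposes, and all MAC addresses, DUIDs and addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Lease:
    addr: str
    iaid: int
    duid: bytes
    mac: str


@dataclass
class Pool:
    static_by_mac: dict          # MAC -> fixed address from a dhcp-host entry
    leases: list = field(default_factory=list)
    honor_mac: bool = False      # False: leases keyed by (IAID, DUID) only

    def find_lease(self, addr):
        return next((l for l in self.leases if l.addr == addr), None)

    def request(self, iaid, duid, mac, dynamic_addr):
        """Address offered to a client identified by (IAID, DUID) with
        link-layer address `mac`. `dynamic_addr` stands in for whatever
        the pool would otherwise pick from its dynamic range."""
        wanted = self.static_by_mac.get(mac)
        if wanted is not None:
            holder = self.find_lease(wanted)
            if holder is not None and (holder.iaid, holder.duid) == (iaid, duid):
                return wanted                      # renewing our own lease
            if holder is not None and self.honor_mac and holder.mac == mac:
                self.leases.remove(holder)         # same hardware, new identity
                holder = None
            if holder is None:
                self.leases.append(Lease(wanted, iaid, duid, mac))
                return wanted
        # No static entry, or it is held by another (IAID, DUID): dynamic range.
        self.leases.append(Lease(dynamic_addr, iaid, duid, mac))
        return dynamic_addr


def dual_boot_scenario(honor_mac):
    """Windows then Linux on one machine (same MAC, different IAID/DUID),
    rebooting before the Windows lease expires. Returns both offers."""
    pool = Pool({"00:11:22:33:44:55": "2001:db8::10"}, honor_mac=honor_mac)
    first = pool.request(1, b"duid-windows", "00:11:22:33:44:55", "2001:db8::100")
    second = pool.request(2, b"duid-linux", "00:11:22:33:44:55", "2001:db8::101")
    return first, second


if __name__ == "__main__":
    print("keyed by (IAID, DUID):", dual_boot_scenario(False))
    print("MAC entry honoured:   ", dual_boot_scenario(True))
```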




[Dnsmasq-discuss] [PATCH] Support nftables set

2020-07-21 Thread Qi-An Fu
Hi,

I wrote a patch to add nftables set support to dnsmasq. The patch is
available at https://github.com/Fugoes/dnsmasq. It is in an early stage,
though I have tested it with a configuration file with ~7 nftables
set rules and it works just fine.

I think this feature is quite useful, e.g. Debian 10 has switched to
nftables backend by default, and ipset is not available.

Here are some notes on this patch:
- It uses libnftables to execute nftables operations. This library is
  kind of a high level library. libnftables provides an interface with
  nft's cli interface:
  > int nft_run_cmd_from_buffer(struct nft_ctx *nft, const char *buf);
  The library does not invoke fork(). The only overhead is parsing the
  command. libnftables is based on libnftnl, and libnftnl is based on
  libnl. The overhead of parsing could be avoided by using libnftnl or
  even libnl. However, I could not find useful documentation of
  libnftnl, so I went with libnftables.
- It uses a radix-tree-like data structure (as well as a hash table) to
  search for a domain name's nftables set name. Check the src/dntree.*
  files for more information.

nftables set's "add" command does NOT reset the target entry's timeout
value, while ipset's "add" command would reset it. AFAIK, there is no
direct way to implement ipset's "add" command's behavior in nftables.
Any suggestions?

-- 
Qi-An Fu
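The lookup the patch describes, a domain name matched against configured suffixes to find its nftables set, as an added example that is not the patch's src/dntree.* code: a reverse-label trie where the deepest matching suffix wins, plus the `add element` command text a libnftables caller would pass to nft_run_cmd_from_buffer. The suffix-to-set mapping and addresses are constructed.

```python
class DomainTree:
    """Reverse-label trie: 'www.example.org' is walked as org -> example -> www.
    Sets attached at a node apply to that name and everything under it; the
    deepest node with sets wins, so a more specific suffix overrides."""

    def __init__(self):
        self.children = {}
        self.sets = None   # list of (family, table, set) attached here

    def add(self, suffix, family, table, setname):
        node = self
        for label in reversed(suffix.strip(".").lower().split(".")):
            node = node.children.setdefault(label, DomainTree())
        node.sets = (node.sets or []) + [(family, table, setname)]

    def lookup(self, name):
        node, best = self, None
        for label in reversed(name.strip(".").lower().split(".")):
            node = node.children.get(label)
            if node is None:
                break
            if node.sets:
                best = node.sets
        return best or []


def nft_add_commands(tree, name, addresses):
    """`add element` commands that would populate the sets for one query's
    answers. Each set only receives addresses of its own family."""
    cmds = []
    for family, table, setname in tree.lookup(name):
        wanted = [a for a in addresses if (":" in a) == (family == "ip6")]
        if wanted:
            cmds.append(f"add element {family} {table} {setname} "
                        f"{{ {', '.join(wanted)} }}")
    return cmds


if __name__ == "__main__":
    tree = DomainTree()
    tree.add("example.org", "ip", "filter", "blocked4")
    tree.add("example.org", "ip6", "filter", "blocked6")
    tree.add("cdn.example.org", "ip", "filter", "cdn4")
    for cmd in nft_add_commands(tree, "www.example.org", ["192.0.2.1", "2001:db8::1"]):
        print(cmd)
```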