[Dnsmasq-discuss] host in subnet LAN cannot resolve name in outer LAN
Hello,

I am trying to build a subnet where dnsmasq is the DHCP/DNS server. This seems like a very common case but I cannot find any information on solving the problem.

TL;DR the hosts in the subnet LAN cannot resolve hosts in the outer LAN, although they can ping them by ip and of course also resolve names in the internet at large.

The top level network is 192.168.46.0/24, consisting of a black box router connected to the internet at large and connected to local hosts via WIFI. Under this are three hosts (more, but these are the relevant ones). Newton is a laptop running Linux Mint, home46 is a Raspberry Pi running Raspbian, and home52 is another Rpi which is the head node for the subnet, which is 192.168.52.0/24. This subnet is implemented with ethernet.

Newton, home46, home52 all connect to the router via wifi. So far this is a very standard home network and these hosts can ping each other using names such as newton.local, home46.local, and home52.local. I know very well that .local is a terrible choice for a TLD, but the router is in charge of this. Changing out the router is a different topic for a different time. I believe that this subnet uses mDNS to map between names and ip addresses on the subnet.

                router
                  |    (192.168.46.0/24, this is .local)
     ------------------------
     |            |         |
   newton      home46       | (wlan0)
                          home52
                            | (eth0)
                            |
     ------------------------ (192.168.46.0/24, this is .52.lan)
     |            |         |
    rpi0         rpi1      rpi2

home52 is the interesting host. It runs dnsmasq to provide DHCP and DNS services to rpi0, rpi1, and rpi2 on the interface eth0. There are iptables rules which route traffic between wlan0 and eth0 on home52.

Everything works and rpi0, rpi1, rpi2 can all ping each other by name as well as hosts in the internet at large, e.g. www.google.com. rpi0,rpi1,rpi2 can also ping hosts newton and home46, but ONLY by ip address, not by name.

If I "ping newton.local" from rpi2 I get the following in the dnsmasq log on home52, from systemctl status dnsmasq:

home52 dnsmasq[851]: query[SOA] local from 192.168.52.100
home52 dnsmasq[851]: forwarded local to 8.8.4.4
home52 dnsmasq[851]: forwarded local to 8.8.8.8
home52 dnsmasq[851]: forwarded local to 192.168.46.1

and of course all of this is wrong. So how can I get dnsmasq to serve hosts in the subnet with names from the outer net?

Note: I want the hosts in the subnet to be zeroconf -- they must not know anything about the outer net. Suggestions about modifying their /etc/hosts file are not useful and in any case the ip addresses in the outer subnet are subject to change after rebooting, since they are all provided by DHCP from the router.

dnsmasq.conf:

# Use interface eth0
interface=eth0
# Explicitly specify the address to listen on
listen-address=192.168.52.1
# Bind to the interface to make sure we aren't sending things elsewhere
bind-interfaces
# don't forward unqualified names (e.g. myserver)
domain-needed
# won't forward some non-routed addresses
bogus-priv
# won't forward requests for the intranet subdomain
local=/52.lan/
# append the domain (below) to all hosts
domain=52.lan
# Assign IP addresses between 192.168.52.50 and 192.168.52.150
# with a 12 hour lease time
dhcp-range=192.168.52.50,192.168.52.150,12h
# Forward DNS requests to the local DNS and then Google DNS
server=192.168.52.1
server=8.8.8.8
server=8.8.4.4
# Use the /etc/ethers file to specify static mappings
# read-ethers
# log DNS queries, for debugging
log-queries

--- /etc/hosts file

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 home52
192.168.52.1 home52.52.lan

- commands to set up iptables

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT \
    -m state --state ESTABLISHED,RELATED

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq
On Wed, Jun 09, 2021 at 12:53:40PM +, Brown, Aaron M. wrote:
> From: Geert Stappers ; Sent: Wednesday, June 9, 2021 03:58
>
> > And which permissions has file 'test.txt'?
>
> The file test.txt is 755 as well.

Acknowledge

> > Please explicite that the filename is 'test.txt' for the tftp GET.
> > ( not '/tftp/test.txt' )
>
> I just verified to be sure. Yes, I'm using the command tftp> GET test.txt
> I've also tried variations like tftp> GET "test.txt" just to be sure
> (even knowing they'd probably throw invalid command errors).

Ack

> >> Anyone have any ideas?
>
> >Only a wild guess:
> >Dnsmasq process has NOT the privilege to send.
>
> >I don't know if such thing exists, but I'm thinking "capabilities".
> >Capabilities as in
> >https://manpages.debian.org/buster/manpages/capabilities.7.en.html
>
> Wild guess or not, I'll dig into this today, thank you for a possible lead!

Further option: Tell how and where dnsmasq is started.

Groeten
Geert Stappers
-- 
Silence is hard to parse

Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq
On Wed, Jun 09, 2021 at 06:02:55PM +0200, john doe wrote:
> On 6/9/2021 2:31 PM, Brown, Aaron M. wrote:
> > > I'll assume that you have an other DHCP server dishing out IP addresses.
> >
> > I do and proxyDHCP is going to be my only option.
> >
> > > If you want Dnsmasq to provide dhcp and PXE booting, you might
> > > want to remove 'proxy' from the above range.
> >
> > I mean, sure, but I'm not even to the point of worrying about PXE
> > booting. I can't get a basic GET from the TFTP server which is the
> > issue. If the TFTP server isn't working, then nothing else down the
> > chain of PXE is going to work. I guess what I'm saying is, I'm not
> > worried about configuring up dhcpProxy and PXE yet since TFTP isn't
> > even operating correctly (and I don't know why).
> >
>
> My understanding is that, in 'proxy' mode, dnsmasq will only provide PXE
> related stuff so tftp as such will never work.
>
> Can't you manage to find a way to test without 'proxy' to see how it goes?

It is something worth to explore ...

Groeten
Geert Stappers
-- 
Silence is hard to parse

Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq
On 6/9/2021 2:31 PM, Brown, Aaron M. wrote:
> > I'll assume that you have an other DHCP server dishing out IP addresses.
>
> I do and proxyDHCP is going to be my only option.
>
> > If you want Dnsmasq to provide dhcp and PXE booting, you might want to remove 'proxy' from the above range.
>
> I mean, sure, but I'm not even to the point of worrying about PXE booting. I can't get a basic GET from the TFTP server which is the issue. If the TFTP server isn't working, then nothing else down the chain of PXE is going to work. I guess what I'm saying is, I'm not worried about configuring up dhcpProxy and PXE yet since TFTP isn't even operating correctly (and I don't know why).

My understanding is that, in 'proxy' mode, dnsmasq will only provide PXE related stuff so tftp as such will never work.

Can't you manage to find a way to test without 'proxy' to see how it goes?

--
John Doe

Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq
> Please, more respect for yourself.
> You are doing great. Do know that you detected that you are stuck.
> It was you who made the step to ask mankind for help.

I was being silly, but thank you for the kind words.

> And which permissions has file 'test.txt'?

The file test.txt is 755 as well.

> Please explicite that the filename is 'test.txt' for the tftp GET.
> ( not '/tftp/test.txt' )

I just verified to be sure. Yes, I'm using the command

tftp> GET test.txt

I've also tried variations like

tftp> GET "test.txt"

just to be sure (even knowing they'd probably throw invalid command errors).

>> Anyone have any ideas?

>Only a wild guess:
>Dnsmasq process has NOT the privilege to send.

>I don't know if such thing exists, but I'm thinking "capabilities".
>Capabilities as in
>https://manpages.debian.org/buster/manpages/capabilities.7.en.html

Wild guess or not, I'll dig into this today, thank you for a possible lead!

amb

-Original Message-
From: Geert Stappers
Sent: Wednesday, June 9, 2021 03:58
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq

On Tue, Jun 08, 2021 at 08:54:45PM +, Brown, Aaron M. wrote:
> Hello all,
>
> I'm having trouble getting dnsmasq and tftp to work and I'm tearing my
> hair out. I'm hoping someone can potentially hit me with the clue by
> four and point out what dumb thing I'm missing.

Please, more respect for yourself.
You are doing great. Do know that you detected that you are stuck.
It was you who made the step to ask mankind for help.

Short: Be kind enough to respond to this posting.

> In the bigger scope, I'm trying to get PXE booting setup on a server,
> but at the moment before I even get to anything more complicated, I'm
> struggling just to get TFTP to work. I have set up my
> /etc/dnsmasq.conf file as the following:
>
> interface=bond0
> port=0
> enable-tftp
> tftp-root=/tftp
> log-dhcp
> dhcp-range=,proxy
> dhcp-no-override
>
> dnsmasq is up and running without errors. I put a simple file in /tftp
> called "test.txt". The /tftp directory has been set to 755 permissions.

And which permissions has file 'test.txt'?

> I then go to client computer and using a tftp client attempt to GET
> the test.txt file but it times out without retrieving the file.

Please explicite that the filename is 'test.txt' for the tftp GET.
( not '/tftp/test.txt' )

> There is no firewall running when I do this on either server or client
> and I can ping from both client and server to each other.

Acknowledge.

> On the server, I see in a tcpdump of port 69 that the client is making
> RRQ requests. When I look at the status of the dnsmasq service I see:
>
> Jun 08 16:13:46 dnsmasq-tftp[258381]: failed sending
> /tftp/test.txt to
>
> There's a similar message in /var/log/syslog as well for dnsmasq-tftp
> failing to send the file.
> I've been poring over the docs/man pages and the sample .conf file,
> but I'm clearly not understanding what I'm missing.

It is surely an interesting problem.

> Anyone have any ideas?

Only a wild guess:
Dnsmasq process has NOT the privilege to send.

I don't know if such thing exists, but I'm thinking "capabilities".
Capabilities as in
https://manpages.debian.org/buster/manpages/capabilities.7.en.html

> I've searched the web for similar problems, but I haven't been able to
> find anything that resembles my situation. Usually people seem to have
> issues after this point with what TFTP is passing out, not just
> getting TFTP up and running.

:-)

Acknowledge on "your question is very valid". Otherwise I would have ignored it.
Background information at http://www.catb.org/~esr/faqs/smart-questions.html

> Server OS: Ubuntu 20.04 Server
> Client OS: Ubuntu 20.04 Desktop
>
> Aaron M Brown
> Engineering College Computing
> Desktop Administrator
> NI1013A - 419.530.8022

Groeten
Geert Stappers

P.S. Dnsmasq tftp works for me ...
-- 
Silence is hard to parse

Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq
> I'll assume that you have an other DHCP server dishing out IP addresses.

I do and proxyDHCP is going to be my only option.

>If you want Dnsmasq to provide dhcp and PXE booting, you might want to remove
>'proxy' from the above range.

I mean, sure, but I'm not even to the point of worrying about PXE booting. I can't get a basic GET from the TFTP server which is the issue. If the TFTP server isn't working, then nothing else down the chain of PXE is going to work. I guess what I'm saying is, I'm not worried about configuring up dhcpProxy and PXE yet since TFTP isn't even operating correctly (and I don't know why).

amb

-Original Message-
From: john doe
Sent: Wednesday, June 9, 2021 03:25
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq

On 6/8/2021 10:54 PM, Brown, Aaron M. wrote:
> Hello all,
>
> I'm having trouble getting dnsmasq and tftp to work and I'm tearing my hair
> out. I'm hoping someone can potentially hit me with the clue by four and
> point out what dumb thing I'm missing.
>
> In the bigger scope, I'm trying to get PXE booting setup on a server, but at
> the moment before I even get to anything more complicated, I'm struggling
> just to get TFTP to work. I have set up my /etc/dnsmasq.conf file as the
> following:
>
> interface=bond0
> port=0
> enable-tftp
> tftp-root=/tftp
> log-dhcp
> dhcp-range=,proxy
>

From (1):
"Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on the network is responsible for allocating IP addresses, and dnsmasq simply provides the information given in --pxe-prompt and --pxe-service to allow netbooting. This mode is enabled using the proxy keyword in --dhcp-range."

I'll assume that you have an other DHCP server dishing out IP addresses.

> dhcp-no-override
>
> dnsmasq is up and running without errors. I put a simple file in /tftp called
> "test.txt". The /tftp directory has been set to 755 permissions.
>

If you want Dnsmasq to provide dhcp and PXE booting, you might want to remove 'proxy' from the above range.

HTH.

1) https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

--
John Doe

Re: [Dnsmasq-discuss] Patch with option to filter A records
Dropping the patch file as attachment.

On 6/5/2021 18:20, Trey Sis wrote:

For some reason I didn't receive all mails from the list in my inbox, so I'll reply to this mail. Also sorry if I mess something up. I haven't used a mailing list in over two decades.

On 6/5/2021 17:37, Geert Stappers via Dnsmasq-discuss wrote:

On Sat, Jun 05, 2021 at 03:34:59PM +0200, Trey Sis wrote:

Is there any chance for such a patch to make it into official dnsmasq? Are pull-requests on github acted on? That would be my preferred method, otherwise I will post the patch here.

Cheers,
Treysis

Patch:

>From bd22a36f76e35a0dc6c8be8996056318fec96e5e Mon Sep 17 00:00:00 2001
From: treysis
Date: Sat, 5 Jun 2021 15:27:26 +0200
Subject: [PATCH] Add option to filter A record requests
---
src/dnsmasq.h | 3 ++-
src/option.c | 3 +++
src/rfc1035.c | 11 +++
3 files changed, 16 insertions(+), 1 deletion(-)

That patch did not apply cleanly. With some manual work it did apply. Expect to see the reworked version here soon. Hopefully is Author left intact. (I'm about to `git send-email` a patch that is not mine ). And the original patch lacks update of the manual page, it is where I chip in.

Cheers
Geert Stappers

P.S. https://git-send-email.io/ for instructions on email patches. See "Linux kernel development all over the place" in it.

Thanks for the tip. I'll have a look at that for future use. The patch probably didn't apply because I just copy it here. The source code is a bit inconsistent in using a mix of spaces and tabs for indentation. Tabs probably got lost when copying. Thanks also for taking care of the manpage! Happy to see this hopefully land in upstream :)

Cheers,
Treysis

From 57c7fcb0b3caccae7376f71ab1a9ae74f0e7f6d9 Mon Sep 17 00:00:00 2001
From: treysis Date: Sat, 5 Jun 2021 15:27:26 +0200 Subject: [PATCH] Add option to filter A record requests --- src/dnsmasq.h | 3 ++- src/option.c | 3 +++ src/rfc1035.c | 11 +++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/dnsmasq.h b/src/dnsmasq.h index b27737b..2fec7d1 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -272,7 +272,8 @@ struct event_desc { #define OPT_LOG_DEBUG 62 #define OPT_UMBRELLA 63 #define OPT_UMBRELLA_DEVID 64 -#define OPT_LAST 65 +#define OPT_FILTER_A 65 +#define OPT_LAST 66 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) diff --git a/src/option.c b/src/option.c index cacfaa6..43dc3cb 100644 --- a/src/option.c +++ b/src/option.c @@ -171,6 +171,7 @@ struct myoption { #define LOPT_DYNHOST 362 #define LOPT_LOG_DEBUG 363 #define LOPT_UMBRELLA 364 +#define LOPT_FILTER_A 365 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = @@ -347,6 +348,7 @@ static const struct myoption opts[] = { "dynamic-host", 1, 0, LOPT_DYNHOST }, { "log-debug", 0, 0, LOPT_LOG_DEBUG }, { "umbrella", 2, 0, LOPT_UMBRELLA }, +{ "filter-a", 0, 0, LOPT_FILTER_A }, { NULL, 0, 0, 0 } }; @@ -530,6 +532,7 @@ static struct { { LOPT_DUMPMASK, ARG_ONE, "", gettext_noop("Mask which packets to dump"), NULL }, { LOPT_SCRIPT_TIME, OPT_LEASE_RENEW, NULL, gettext_noop("Call dhcp-script when lease expiry changes."), NULL }, { LOPT_UMBRELLA, ARG_ONE, "[=]", gettext_noop("Send Cisco Umbrella identifiers including remote IP."), NULL }, + { LOPT_FILTER_A, OPT_FILTER_A, NULL, gettext_noop("Filter all A requests."), NULL }, { 0, 0, NULL, NULL, NULL } }; diff --git a/src/rfc1035.c b/src/rfc1035.c index 9bc5ef2..1043773 100644 --- a/src/rfc1035.c +++ b/src/rfc1035.c 
@@ -1843,6 +1843,17 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, } } + /* filter A forwards */ + if (qtype == T_A && option_bool(OPT_FILTER_A)) + { + /* return a null reply */ + ans = 1; + if (!dryrun) + log_query(F_CONFIG | F_IPV6 | F_NEG, name, , NULL); + break; + } + /* end of filtering A */ + if (!ans) return 0; /* failed to answer a question */ } ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
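Review bot: in the usage-table entry added by the last src/option.c hunk, the help string "Filter all A requests." does not tell an administrator what clients receive once the option is set. The src/rfc1035.c comment says a null reply is returned, so the string should say that A queries get an empty answer rather than being dropped or refused. The diffstat lists only src/dnsmasq.h, src/option.c and src/rfc1035.c, so the new filter-a option also needs a manual page entry before merge.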
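Review bot: in the src/rfc1035.c hunk, the log_query() call tags a filtered A question with F_IPV6, so a query with qtype == T_A is logged as an IPv6 negative answer; use F_IPV4 there so the query log matches what was filtered. The third argument is also empty as posted (`name, , NULL`), which does not compile and has to be restored before the patch can be applied. The comment reads "filter A forwards" while the check sits in answer_request() and is conditioned only on qtype and the option, so the comment should describe what is actually filtered.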
Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq
On Tue, Jun 08, 2021 at 08:54:45PM +, Brown, Aaron M. wrote:
> Hello all,
>
> I'm having trouble getting dnsmasq and tftp to work and I'm tearing
> my hair out. I'm hoping someone can potentially hit me with the clue
> by four and point out what dumb thing I'm missing.

Please, more respect for yourself.
You are doing great. Do know that you detected that you are stuck.
It was you who made the step to ask mankind for help.

Short: Be kind enough to respond to this posting.

> In the bigger scope, I'm trying to get PXE booting setup on a server,
> but at the moment before I even get to anything more complicated, I'm
> struggling just to get TFTP to work. I have set up my /etc/dnsmasq.conf
> file as the following:
>
> interface=bond0
> port=0
> enable-tftp
> tftp-root=/tftp
> log-dhcp
> dhcp-range=,proxy
> dhcp-no-override
>
> dnsmasq is up and running without errors. I put a simple file in /tftp
> called "test.txt". The /tftp directory has been set to 755 permissions.

And which permissions has file 'test.txt'?

> I then go to client computer and using a tftp client attempt to GET
> the test.txt file but it times out without retrieving the file.

Please explicite that the filename is 'test.txt' for the tftp GET.
( not '/tftp/test.txt' )

> There is no firewall running when I do this on either server or client
> and I can ping from both client and server to each other.

Acknowledge.

> On the server, I see in a tcpdump of port 69 that the client is making
> RRQ requests. When I look at the status of the dnsmasq service I see:
>
> Jun 08 16:13:46 dnsmasq-tftp[258381]: failed sending
> /tftp/test.txt to
>
> There's a similar message in /var/log/syslog as well for dnsmasq-tftp
> failing to send the file.
> I've been poring over the docs/man pages and the sample .conf file,
> but I'm clearly not understanding what I'm missing.

It is surely an interesting problem.

> Anyone have any ideas?

Only a wild guess:
Dnsmasq process has NOT the privilege to send.

I don't know if such thing exists, but I'm thinking "capabilities".
Capabilities as in
https://manpages.debian.org/buster/manpages/capabilities.7.en.html

> I've searched the web for similar problems, but I haven't been able
> to find anything that resembles my situation. Usually people seem to
> have issues after this point with what TFTP is passing out, not just
> getting TFTP up and running.

:-)

Acknowledge on "your question is very valid". Otherwise I would have ignored it.
Background information at http://www.catb.org/~esr/faqs/smart-questions.html

> Server OS: Ubuntu 20.04 Server
> Client OS: Ubuntu 20.04 Desktop
>
> Aaron M Brown
> Engineering College Computing
> Desktop Administrator
> NI1013A - 419.530.8022

Groeten
Geert Stappers

P.S. Dnsmasq tftp works for me ...
-- 
Silence is hard to parse

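Added example, not part of any message in this thread: a minimal RFC 1350 read client for reproducing the "GET test.txt" step with full visibility. Under RFC 1350 a server normally answers each RRQ from a fresh UDP port (its transfer ID), so a capture filtered on port 69 shows only the requests; this client reports the port the reply came from and decodes ERROR packets. The names build_rrq, parse_reply, Transfer and tftp_get are this example's own.

```python
import socket
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # RFC 1350 block size; a shorter DATA payload ends the transfer


def build_rrq(filename, mode="octet"):
    """RRQ layout: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def parse_reply(pkt):
    """Return ("DATA", block, payload) or ("ERROR", code, message)."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    opcode, num = struct.unpack("!HH", pkt[:4])
    if opcode == OP_DATA:
        return "DATA", num, pkt[4:]
    if opcode == OP_ERROR:
        return "ERROR", num, pkt[4:].split(b"\0", 1)[0].decode("ascii", "replace")
    raise ValueError("unexpected opcode %d" % opcode)


class Transfer:
    """Client-side read state: feed server packets, get back the ACK to send."""

    def __init__(self):
        self.data = bytearray()
        self.expected = 1
        self.done = False

    def feed(self, pkt):
        kind, num, body = parse_reply(pkt)
        if kind == "ERROR":
            raise RuntimeError("TFTP error %d: %s" % (num, body))
        if num == self.expected:               # new block: store it
            self.data += body
            self.done = len(body) < BLOCK
            self.expected = (self.expected + 1) & 0xFFFF
        # duplicates and strays are not stored; re-ACK the last good block
        return build_ack((self.expected - 1) & 0xFFFF)


def tftp_get(host, filename, port=69, timeout=3.0):
    """Fetch filename; returns (file bytes, UDP port the server replied from)."""
    xfer = Transfer()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)                  # a timeout here means no reply at all
        s.sendto(build_rrq(filename), (host, port))
        peer = None
        while not xfer.done:
            pkt, addr = s.recvfrom(4 + BLOCK)
            if peer is None:
                peer = addr                    # server's transfer ID (address, port)
            elif addr != peer:
                continue                       # ignore packets from other sources
            s.sendto(xfer.feed(pkt), peer)
    return bytes(xfer.data), peer[1]


if __name__ == "__main__":
    import sys
    data, reply_port = tftp_get(sys.argv[1], sys.argv[2])
    print("got %d bytes; server replied from UDP port %d" % (len(data), reply_port))
```

Run it as `python3 tftp_get.py <server> test.txt` (the script name is arbitrary) while capturing with a filter on the server's address rather than on port 69, so the DATA or ERROR packets are visible too.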
Re: [Dnsmasq-discuss] Problem with TFTP in dnsmasq
On 6/8/2021 10:54 PM, Brown, Aaron M. wrote:
> Hello all,
>
> I'm having trouble getting dnsmasq and tftp to work and I'm tearing my hair out. I'm hoping someone can potentially hit me with the clue by four and point out what dumb thing I'm missing.
>
> In the bigger scope, I'm trying to get PXE booting setup on a server, but at the moment before I even get to anything more complicated, I'm struggling just to get TFTP to work. I have set up my /etc/dnsmasq.conf file as the following:
>
> interface=bond0
> port=0
> enable-tftp
> tftp-root=/tftp
> log-dhcp
> dhcp-range=,proxy
>

From (1):
"Dnsmasq supports PXE "proxy-DHCP", in this case another DHCP server on the network is responsible for allocating IP addresses, and dnsmasq simply provides the information given in --pxe-prompt and --pxe-service to allow netbooting. This mode is enabled using the proxy keyword in --dhcp-range."

I'll assume that you have an other DHCP server dishing out IP addresses.

> dhcp-no-override
>
> dnsmasq is up and running without errors. I put a simple file in /tftp called "test.txt". The /tftp directory has been set to 755 permissions.

If you want Dnsmasq to provide dhcp and PXE booting, you might want to remove 'proxy' from the above range.

HTH.

1) https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

--
John Doe