[Dnsmasq-discuss] ipv6 question
hey folks,

I have ipv6 running on my raspberry pi at home. It has 2 interfaces, one inside and one outside. The outside interface gets an ipv6 addr from my isp via dhcp. I have dnsmasq running on my pi giving out ipv4 addresses on the inside interface. I also now want to give out ipv6 addresses as well, but I want the ipv6 addresses given out on the "inside" to be accessible from outside on the internet, i.e. publicly routable addresses. I'm being told this can easily be done with ipv6, and I've done some research and configuration, but I can't seem to get it to work.

In my dnsmasq config, I have

bogus-priv
enable-ra
# Construct a valid IPv6 range from reading the address set on the interface.
# The ::1 part refers to the ifid in dhcp6c.conf. Make sure you get this right or dnsmasq will get confused.
dhcp-range=tag:eth0,::1d17,constructor:eth0, ra-names, 12h

eth0 is my "inside" interface. The :1d17/128 is the tail end of the address that I got from my isp.

Am I on the right track?

regards,
db

--
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] DNSMASQ Not Sending ACK?
Hello,

Does anyone have an issue if we make the change below? If we keep the code then at the very least the code should log why we are failing.

Take Care
Jason

> On Sep 28, 2017, at 4:44 PM, Jason Kary <jkary...@yahoo.com> wrote:
>
> Hi Folks,
>
> I was able to fix the problem by removing the following code:
>
> lines 1107-1108 in rfc2131.c:
>
> if (option_addr(opt).s_addr != override.s_addr)
>   return 0;
>
> Once I commented out this if statement the client was able to obtain the
> correct IP address via DHCP Relay. The return 0 was causing the dnsmasq
> process to just silently ignore the DHCP Request packet.
>
> I do not understand what the above code is checking for and why it is
> returning 0. Maybe someone can help me understand the context a bit better?
>
> Take Care
> Jason
>
>> On Sep 25, 2017, at 4:11 PM, Jason Kary <jkary...@yahoo.com> wrote:
>>
>> Hi Chris,
>>
>> I cloned the GIT repository and tested with version 2.78test2-gb697fbb
>>
>> I’m still seeing the server fail to respond to the request message:
>>
>> [...]
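The comparison quoted above is the RFC 2131 rule that a DHCPREQUEST carrying a Server Identifier (option 54) for a different server belongs to that server and must not be answered. The following is an added example, not dnsmasq code: it parses a constructed DHCPREQUEST with the option values from the capture (53=03, 54=0AA86514, 50=0AA86680), applies that rule against a server identifier passed in by the caller, and logs the reason when it drops the packet. How dnsmasq derives its `override` value for a relayed request is not modelled.

```python
import ipaddress
import logging

log = logging.getLogger("dhcp-serverid-demo")

# DHCP option codes used below (RFC 2132).
OPT_PAD = 0
OPT_REQUESTED_IP = 50
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_END = 255
DHCPREQUEST = 3

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236  # op .. file fields that precede the magic cookie


def parse_options(payload: bytes) -> dict:
    """Parse the option area of a BOOTP/DHCP packet into {code: raw bytes}.

    Stops at END, skips PAD and rejects truncated options instead of
    reading past the end of the datagram."""
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def request_addressed_to_us(opts: dict, our_server_id: str) -> bool:
    """The check the quoted rfc2131.c lines perform, with a log line added.

    A DHCPREQUEST in SELECTING state names the server it accepted in option 54
    (RFC 2131 section 4.3.2); every other server must stay silent, otherwise
    two servers would ACK the same client. Without option 54 (INIT-REBOOT or
    RENEWING) the comparison does not apply."""
    if opts.get(OPT_MESSAGE_TYPE) != bytes([DHCPREQUEST]):
        return False
    sid = opts.get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return True
    claimed = str(ipaddress.IPv4Address(sid))
    if claimed != our_server_id:
        log.info("ignoring DHCPREQUEST: server-id %s is not ours (%s)",
                 claimed, our_server_id)
        return False
    return True


def build_request(server_id: str, requested_ip: str) -> bytes:
    """Construct a minimal DHCPREQUEST (op=1, htype=1, hlen=6) for testing;
    the other fixed fields are left zero."""
    fixed = bytearray(BOOTP_FIXED_LEN)
    fixed[0], fixed[1], fixed[2] = 1, 1, 6
    opts = (bytes([OPT_MESSAGE_TYPE, 1, DHCPREQUEST])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_REQUESTED_IP, 4]) + ipaddress.IPv4Address(requested_ip).packed
            + bytes([OPT_END]))
    return bytes(fixed) + MAGIC_COOKIE + opts
```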
Re: [Dnsmasq-discuss] DNSMASQ Not Sending ACK?
Hi Folks,

I was able to fix the problem by removing the following code:

lines 1107-1108 in rfc2131.c:

if (option_addr(opt).s_addr != override.s_addr)
  return 0;

Once I commented out this if statement the client was able to obtain the correct IP address via DHCP Relay. The return 0 was causing the dnsmasq process to just silently ignore the DHCP Request packet.

I do not understand what the above code is checking for and why it is returning 0. Maybe someone can help me understand the context a bit better?

Take Care
Jason

> On Sep 25, 2017, at 4:11 PM, Jason Kary <jkary...@yahoo.com> wrote:
>
> Hi Chris,
>
> I cloned the GIT repository and tested with version 2.78test2-gb697fbb
>
> I’m still seeing the server fail to respond to the request message:
>
> [...]
Re: [Dnsmasq-discuss] DNSMASQ Not Sending ACK?
Hi Folks,

I wanted to follow up and see if anyone is available to help debug this issue? I won’t have the test bed available to me to help out for much longer. Is there some sort of debug that I could collect to help with the analysis?

Take Care
Jason

> On Sep 25, 2017, at 4:11 PM, Jason Kary <jkary...@yahoo.com> wrote:
>
> Hi Chris,
>
> I cloned the GIT repository and tested with version 2.78test2-gb697fbb
>
> I’m still seeing the server fail to respond to the request message:
>
> Frame 40189 (388 bytes on wire, 388 bytes captured)
>     Arrival Time: Sep 25, 2017 20:59:01.142813000
>     [Time delta from previous captured frame: 0.000646000 seconds]
>     [Time delta from previous displayed frame: 0.000646000 seconds]
>     [Time since reference or first frame: 149.170698000 seconds]
>     Frame Number: 40189
>     Frame Length: 388 bytes
>     Capture Length: 388 bytes
>     [Frame is marked: False]
>     [Protocols in frame: eth:ip:udp:bootp]
> Ethernet II, Src: 58:ac:78:b1:38:e1 (58:ac:78:b1:38:e1), Dst: 00:0c:29:cf:10:0b (00:0c:29:cf:10:0b)
>     Destination: 00:0c:29:cf:10:0b (00:0c:29:cf:10:0b)
>         Address: 00:0c:29:cf:10:0b (00:0c:29:cf:10:0b)
>         ...0 = IG bit: Individual address (unicast)
>         ..0. = LG bit: Globally unique address (factory default)
>     Source: 58:ac:78:b1:38:e1 (58:ac:78:b1:38:e1)
>         Address: 58:ac:78:b1:38:e1 (58:ac:78:b1:38:e1)
>         ...0 = IG bit: Individual address (unicast)
>         ..0. = LG bit: Globally unique address (factory default)
>     Type: IP (0x0800)
> Internet Protocol, Src: 33.33.33.33 (33.33.33.33), Dst: 10.168.101.20 (10.168.101.20)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x10 (DSCP 0x04: Unknown DSCP; ECN: 0x00)
>         0001 00.. = Differentiated Services Codepoint: Unknown (0x04)
>         ..0. = ECN-Capable Transport (ECT): 0
>         ...0 = ECN-CE: 0
>     Total Length: 374
>     Identification: 0xbd9b (48539)
>     Flags: 0x00
>         0.. = Reserved bit: Not Set
>         .0. = Don't fragment: Not Set
>         ..0 = More fragments: Not Set
>     Fragment offset: 0
>     Time to live: 255
>     Protocol: UDP (0x11)
>     Header checksum: 0x4acd [correct]
>         [Good: True]
>         [Bad : False]
>     Source: 33.33.33.33 (33.33.33.33)
>     Destination: 10.168.101.20 (10.168.101.20)
> User Datagram Protocol, Src Port: bootps (67), Dst Port: bootps (67)
>     Source port: bootps (67)
>     Destination port: bootps (67)
>     Length: 354
>     Checksum: 0x95d3 [validation disabled]
>         [Good Checksum: False]
>         [Bad Checksum: False]
> Bootstrap Protocol
>     Message type: Boot Request (1)
>     Hardware type: Ethernet
>     Hardware address length: 6
>     Hops: 1
>     Transaction ID: 0x21696b65
>     Seconds elapsed: 0
>     Bootp flags: 0x (Unicast)
>         0... = Broadcast flag: Unicast
>         .000 = Reserved flags: 0x
>     Client IP address: 0.0.0.0 (0.0.0.0)
>     Your (client) IP address: 0.0.0.0 (0.0.0.0)
>     Next server IP address: 0.0.0.0 (0.0.0.0)
>     Relay agent IP address: 33.33.33.33 (33.33.33.33)
>     Client MAC address: 00:0c:29:65:e0:ea (00:0c:29:65:e0:ea)
>     Client hardware address padding:
>     Server host name not given
>     Boot file name not given
>     Magic cookie: (OK)
>     Option: (t=53,l=1) DHCP Message Type = DHCP Request
>         Option: (53) DHCP Message Type
>         Length: 1
>         Value: 03
>     Option: (t=54,l=4) DHCP Server Identifier = 10.168.101.20
>         Option: (54) DHCP Server Identifier
>         Length: 4
>         Value: 0AA86514
>     Option: (t=50,l=4) Requested IP Address = 10.168.102.128
>         Option: (50) Requested IP Address
>         Length: 4
>         Value: 0AA86680
>     Option: (t=55,l=18) Parameter Request List
>         Option: (55) Parameter Request List
>         Length: 18
>         Value: 011C02790F060C28292A1A770379F921FC2A
>         1 = Subnet Mask
>         28 = Broadcast Address
>         2 = Time Offset
>         121 = Classless Static Route
>         15 = Domain Name
>         6 = Domain Name Server
>         12 = Host Name
>         40 = Network Information Service Domain
>         41 = Network Information Service Servers
>         42 = Network Time Protocol Servers
>         26 = Interface MTU
>         119 = Domain Search [TODO]
>         3 = Router
>         121 = Classless Static Route
>         249 = Private/Classless Static Route (Microsoft)
>         33 = Static Route
>         252 = Private/Proxy autodiscovery
Re: [Dnsmasq-discuss] DNSMASQ Not Sending ACK?
Hi Chris,

Thank you for the update. We are running version 2.66

Take Care
Jason

> On Sep 22, 2017, at 8:44 AM, Chris Novakovic <ch...@chrisn.me.uk> wrote:
>
> On 22/09/2017 13:42, Chris Novakovic wrote:
>> If you're using 2.76,
>
> It's implied by my later comment, but I should also clarify that this
> bug affects 2.77 as well as 2.76.
[Dnsmasq-discuss] localise-queries does not work with ipv6
Hello Simon,

In dnsmasq.conf:

interface-name=martino,lan     # 10.10.10.1, 2a07:f32:8fe8:8a61::1
interface-name=martino,guest   # 10.11.0.1, 2a07:f32:8fe8:8a63::1
interface-name=martino,remote  # 10.10.11.1, 2a07:f32:8fe8:8a62::1
localise-queries

zx2c4@thinkpad ~ $ host martino 10.10.10.1
Using domain server:
Name: 10.10.10.1
Address: 10.10.10.1#53
Aliases:

martino has address 10.10.10.1
martino has IPv6 address 2a07:f32:8fe8:8a61::1
martino has IPv6 address 2a07:f32:8fe8:8a63::1
martino has IPv6 address 2a07:f32:8fe8:8a62::1

You'll notice it correctly filters the v4, but totally fails to do any v6 filtering. Even worse:

zx2c4@thinkpad ~ $ host martino 2a07:f32:8fe8:8a61::1
Using domain server:
Name: 2a07:f32:8fe8:8a61::1
Address: 2a07:f32:8fe8:8a61::1#53
Aliases:

martino has address 10.10.10.1
martino has address 10.10.11.1
martino has address 10.11.0.1
martino has IPv6 address 2a07:f32:8fe8:8a61::1
martino has IPv6 address 2a07:f32:8fe8:8a63::1
martino has IPv6 address 2a07:f32:8fe8:8a62::1

Here it doesn't do any filtering at all. It seems like localise-queries is broken with v6?

Jason
Re: [Dnsmasq-discuss] interface-specific DNS entries
--localise-queries

Sorry for the noise.
[Dnsmasq-discuss] interface-specific DNS entries
Hey folks,

I use the interface-name directive like this:

interface-name=martino,lan
interface-name=martino,guest
interface-name=martino,remote

This has the consequence of seeing all the IPs at once for this domain:

zx2c4@thinkpad ~ $ host martino
martino has address 10.10.10.1
martino has address 10.11.0.1
martino has address 10.10.11.1

Instead of this, I'd like for dnsmasq to return lan's IP when the DNS request comes via lan, guest's IP when the DNS request comes via guest, and remote's IP when the DNS request comes via remote. Is it possible to bind certain DNS responses to a particular interface?

More generally, it'd be nice to be able to use the tag: directive with DNS entries, such as:

interface-name=tag:lan,martino,lan
interface-name=tag:guest,martino,guest
interface-name=tag:remote,martino,remote

Thanks,
Jason
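The per-interface answer asked for here is what dnsmasq's localise-queries option documents: when a name has several addresses and at least one lies in the subnet of the interface the query arrived on, only those are returned. The block below is an added example, not dnsmasq code, that models that rule over the three interfaces from this thread and applies it to AAAA records as well, which is the behaviour the localise-queries report above expects for v6; the /24 and /64 prefix lengths are assumed.

```python
import ipaddress
from typing import Dict, List

# Constructed from the two posts: one name, three interfaces, IPv4 and IPv6
# addresses from the config comments; the prefix lengths are assumed.
INTERFACES: Dict[str, List[str]] = {
    "lan":    ["10.10.10.1/24", "2a07:f32:8fe8:8a61::1/64"],
    "guest":  ["10.11.0.1/24",  "2a07:f32:8fe8:8a63::1/64"],
    "remote": ["10.10.11.1/24", "2a07:f32:8fe8:8a62::1/64"],
}


def interface_name_records(interfaces: Dict[str, List[str]]) -> List[str]:
    """Every address the three interface-name lines publish for the name.
    Without localisation this whole list is the answer (the first `host` run)."""
    return [str(ipaddress.ip_interface(a).ip)
            for addrs in interfaces.values() for a in addrs]


def localise(records: List[str], query_dst: str,
             interfaces: Dict[str, List[str]]) -> List[str]:
    """Documented localise-queries rule, applied per address family: keep only
    the records inside a subnet of the interface the query was sent to, and
    fall back to all records of that family when none match. Doing this for
    AAAA records too is what the bug report expects to see."""
    dst = ipaddress.ip_address(query_dst)
    local_nets = None
    for addrs in interfaces.values():
        ifaces = [ipaddress.ip_interface(a) for a in addrs]
        if any(i.ip == dst for i in ifaces):
            local_nets = [i.network for i in ifaces]  # all subnets of that interface
            break
    if local_nets is None:
        raise ValueError("%s is not an address of a local interface" % dst)
    answer = []
    for version in (4, 6):
        family = [ipaddress.ip_address(r) for r in records
                  if ipaddress.ip_address(r).version == version]
        on_link = [r for r in family if any(r in n for n in local_nets)]
        answer.extend(str(r) for r in (on_link or family))
    return answer
```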
Re: [Dnsmasq-discuss] Using nftables internal "ipset" rule
Hey Simon,

Fast forward 5 years from when I wrote the original ipset patch for dnsmasq, and I too have a need for nftables support with it. Did you ever figure out how to add nft sets to dnsmasq? If not, maybe I'll take a stab at it in the next few months.

Jason
[Dnsmasq-discuss] Leases file fields
Hello list,

I'm about to write a simple CGI script to parse my dnsmasq.leases file and present the information in a web page, with MAC address vendors looked up and included.

I'd just like to know the exact definition of the last field on each line. It is either a single asterisk for hosts whose MAC addresses are known (in /etc/ethers) or it's a repeat of the MAC address of the device with the ethertype included, for example:

1493791865 9c:5c:8e:xx:xx:xx 192.168.128.125 jm-desktop *
1493751088 48:5a:b6:xx:xx:xx 192.168.128.145 jm-chromebook 01:48:5a:b6:xx:xx:xx

Is there a more precise description? I couldn't find any details in the man page.

Thanks.
Jason
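As an added example (not from the post and not dnsmasq code), a parser for the IPv4 lines of that file. It takes the columns as expiry (Unix time, 0 for an infinite lease), MAC, IP, hostname ('*' when unknown) and, last, the DHCP client identifier (option 61) exactly as the client sent it, '*' when the client sent none; a leading 01 byte followed by the MAC is the hardware-type form of that identifier (RFC 2132 section 9.14). The OUI table is constructed for the vendor lookup, and DHCPv6 lines are skipped.

```python
import datetime
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two lines from the post (MACs masked as in the post).
SAMPLE_LEASES = """\
1493791865 9c:5c:8e:xx:xx:xx 192.168.128.125 jm-desktop *
1493751088 48:5a:b6:xx:xx:xx 192.168.128.145 jm-chromebook 01:48:5a:b6:xx:xx:xx
"""

# Constructed OUI table; a real script would load the IEEE registry instead.
OUI_TABLE = {"9c:5c:8e": "Vendor-A (constructed)", "48:5a:b6": "Vendor-B (constructed)"}

UTC = datetime.timezone.utc


@dataclass
class Lease:
    expiry: datetime.datetime        # UTC; epoch 0 means no expiry (assumed: not HAVE_BROKEN_RTC)
    mac: str
    ip: str
    hostname: Optional[str]          # None when dnsmasq wrote '*'
    client_id: Optional[str]         # option 61 as colon-separated hex, None when '*'

    @property
    def client_id_type(self) -> Optional[str]:
        """First byte of a client identifier: 1 = Ethernet hardware address
        follows (the post's second line), 0 = opaque identifier."""
        if self.client_id is None:
            return None
        kind = int(self.client_id.split(":")[0], 16)
        return {0: "opaque", 1: "ethernet"}.get(kind, "hwtype-%d" % kind)

    @property
    def vendor(self) -> str:
        return OUI_TABLE.get(self.mac[:8], "unknown")

    def is_active(self, now: datetime.datetime) -> bool:
        return self.expiry.timestamp() == 0 or self.expiry > now


def parse_leases(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "duid":
            continue  # blank line, or the DUID header dnsmasq writes when DHCPv6 is in use
        if len(fields) != 5 or ":" in fields[2]:
            continue  # DHCPv6 lease line; this example handles IPv4 only (assumption)
        expiry, mac, ip, host, cid = fields
        leases.append(Lease(
            expiry=datetime.datetime.fromtimestamp(int(expiry), UTC),
            mac=mac.lower(),
            ip=ip,
            hostname=None if host == "*" else host,
            client_id=None if cid == "*" else cid.lower(),
        ))
    return leases


def active_leases(text: str, now_ts: int) -> List[str]:
    """IPs whose lease is still valid at the given Unix time."""
    now = datetime.datetime.fromtimestamp(now_ts, UTC)
    return [lease.ip for lease in parse_leases(text) if lease.is_active(now)]
```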
Re: [Dnsmasq-discuss] bug:DHCP Relay not responding with DHCP OFFER.
Hi Dan,

Thank you for the update. This appears to have resolved my issue.

Take Care
Jason

> On May 1, 2017, at 2:35 PM, Dan Sneddon <dsned...@redhat.com> wrote:
>
> Your routing table is wrong. You have both 10.168.101.0/24 and
> 10.168.102.0/24 both set up as local subnets (see the 0.0.0.0 gateway).
> The remote subnet should be routed through the local router, so your
> route would appear something like this:
>
> 10.168.101.0    0.0.0.0         255.255.255.0   U     0      0        0 ens160
> 10.168.102.0    10.168.101.1    255.255.255.0   U     0      0        0 ens160
>
> --
> Dan Sneddon | Senior Principal Software Engineer
> dsned...@redhat.com | redhat.com/openstack
> dsneddon:irc | @dxs:twitter
>
> On 04/27/2017 02:02 PM, Jason Kary wrote:
>> Hi Folks,
>>
>> I have a basic setup for DHCP relay across VLANS in DNSMASQ.
>>
>> My configuration file looks like:
>>
>> bogus-priv
>> interface=ens160
>> log-dhcp
>> dhcp-range=10.168.102.100,10.168.102.150,255.255.255.0,12h
>>
>> The client and server are running on VMs in separate VLANS.
>>
>> [...]
Re: [Dnsmasq-discuss] bug:DHCP Relay not responding with DHCP OFFER.
Hello,

The VLAN setup is pretty basic:

interface Vlan1001
  no shutdown
  mtu 9216
  no ip redirects
  ip address 10.168.101.1/24

interface Vlan1002
  no shutdown
  mtu 9216
  no ip redirects
  ip address 10.168.102.1/24
  ip dhcp relay address 10.168.101.20
  ip dhcp relay source-interface Vlan1002

Single host running ESXi connected to single router.

Take Care
Jason

> On Apr 28, 2017, at 5:36 PM, Simon Kelley <si...@thekelleys.org.uk> wrote:
>
> On 27/04/17 22:02, Jason Kary wrote:
>> Hi Folks,
>>
>> I have a basic setup for DHCP relay across VLANS in DNSMASQ.
>>
>> My configuration file looks like:
>>
>> bogus-priv
>> interface=ens160
>> log-dhcp
>> dhcp-range=10.168.102.100,10.168.102.150,255.255.255.0,12h
>>
>> The client and server are running on VMs in separate VLANS.
>>
>> [...]
[Dnsmasq-discuss] bug:DHCP Relay not responding with DHCP OFFER.
Hi Folks,

I have a basic setup for DHCP relay across VLANS in DNSMASQ.

My configuration file looks like:

bogus-priv
interface=ens160
log-dhcp
dhcp-range=10.168.102.100,10.168.102.150,255.255.255.0,12h

The client and server are running on VMs in separate VLANS. DHCP requests appear to be coming across:

root@DHCP-UBUNTU-SERVER:~# tcpdump -i ens160 port 67 or port 68 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
03:58:40.966944 IP 10.168.102.1.67 > 10.168.101.20.67: BOOTP/DHCP, Request from 00:0c:29:65:e0:ea, length 322
03:58:46.487767 IP 10.168.102.1.67 > 10.168.101.20.67: BOOTP/DHCP, Request from 00:0c:29:65:e0:ea, length 322
03:58:54.424895 IP 10.168.102.1.67 > 10.168.101.20.67: BOOTP/DHCP, Request from 00:0c:29:65:e0:ea, length 322
03:59:07.795712 IP 10.168.102.1.67 > 10.168.101.20.67: BOOTP/DHCP, Request from 00:0c:29:65:e0:ea, length 322
03:59:19.196022 IP 10.168.102.1.67 > 10.168.101.20.67: BOOTP/DHCP, Request from 00:0c:29:65:e0:ea, length 322

root@DHCP-UBUNTU-SERVER:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@DHCP-UBUNTU-SERVER:~#

The syslog indicates the DHCP OFFERs are ‘supposed’ to be going out, however nothing is seen on the wire.

Apr 27 04:03:26 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 available DHCP range: 10.168.102.100 -- 10.168.102.150
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 DHCPDISCOVER(ens160) 00:0c:29:65:e0:ea
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 tags: ens160
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 DHCPOFFER(ens160) 10.168.102.128 00:0c:29:65:e0:ea
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 requested options: 1:netmask, 28:broadcast, 2:time-offset, 121:classless-static-route,
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 requested options: 15:domain-name, 6:dns-server, 12:hostname,
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 requested options: 40:nis-domain, 41:nis-server, 42:ntp-server,
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 requested options: 26:mtu, 119:domain-search, 3:router, 121:classless-static-route,
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 requested options: 249, 33:static-route, 252, 42:ntp-server
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 next server: 10.168.101.20
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 1 option: 53 message-type 2
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 54 server-identifier 10.168.101.20
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 51 lease-time 12h
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 58 T1 6h
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 59 T2 10h30m
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 1 netmask 255.255.255.0
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 28 broadcast 10.168.102.255
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 3 router 10.168.102.1
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 4 option: 6 dns-server 10.168.101.20
Apr 27 04:03:29 DHCP-UBUNTU-SERVER dnsmasq-dhcp[17767]: 1121794364 sent size: 20 option: 82 agent-id 01:0a:01:08:00:06:00:4c:4f:2a:00:2f:02:06…

I’ve been trying to trace this issue and it is like the sendmsg system call is not working properly. I believe routing is set up properly on the DHCP server.

root@DHCP-UBUNTU-SERVER:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.13.1     0.0.0.0         UG        0 0          0 ens192
10.168.101.0    0.0.0.0         255.255.255.0   U         0 0          0 ens160
10.168.102.0    0.0.0.0         255.255.255.0   U         0 0          0 ens160
172.31.13.0     0.0.0.0         255.255.255.0   U         0 0          0 ens192
root@DHCP-UBUNTU-SERVER:~#

Can anyone see something obvious that I am doing wrong?

Take Care
Jason
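The cause found later in this thread is the routing table: 10.168.102.0/24 is listed as directly connected on ens160, so the unicast DHCPOFFER to the relay agent (giaddr 10.168.102.1) is ARPed for on a segment where the relay is not present and never leaves the host. The block below is an added example, not dnsmasq code, that checks this from `netstat -nr` output: it parses the table from the post and a constructed copy with the fix from the reply, finds the longest-prefix route for giaddr, and flags a directly-connected route whose interface has no address in that subnet. The ens160 address is the server identifier from the logs; its /24 and the ens192 address are assumed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Routing table from the post (output of `netstat -nr` on the dnsmasq host).
ROUTES_FROM_POST = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.13.1     0.0.0.0         UG        0 0          0 ens192
10.168.101.0    0.0.0.0         255.255.255.0   U         0 0          0 ens160
10.168.102.0    0.0.0.0         255.255.255.0   U         0 0          0 ens160
172.31.13.0     0.0.0.0         255.255.255.0   U         0 0          0 ens192
"""

# Constructed: the same table with the remote subnet routed via the local router.
ROUTES_FIXED = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.13.1     0.0.0.0         UG        0 0          0 ens192
10.168.101.0    0.0.0.0         255.255.255.0   U         0 0          0 ens160
10.168.102.0    10.168.101.1    255.255.255.0   UG        0 0          0 ens160
172.31.13.0     0.0.0.0         255.255.255.0   U         0 0          0 ens192
"""

# Interface addresses: ens160 from the logs (server-identifier 10.168.101.20);
# the /24 and the ens192 address are assumed.
IFACE_ADDRS: Dict[str, List[str]] = {"ens160": ["10.168.101.20/24"],
                                     "ens192": ["172.31.13.20/24"]}

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


def parse_netstat(text: str) -> List[Route]:
    """Parse `netstat -nr` lines into (network, gateway or None, iface)."""
    routes: List[Route] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # title and column-header lines
        dest, gw, mask, iface = f[0], f[1], f[2], f[-1]
        net = ipaddress.IPv4Network("%s/%s" % (dest, mask))
        routes.append((net, None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw), iface))
    return routes


def reply_path(giaddr: str, routes: List[Route],
               iface_addrs: Dict[str, List[str]]) -> Tuple[bool, str]:
    """How a unicast DHCPOFFER to the relay agent would leave the host.

    Returns (ok, description). ok is False when the best route is a
    directly-connected one but the interface holds no address in that
    subnet: the kernel would then ARP for the relay on the wrong segment,
    which is why the offers in the post never appeared on the wire."""
    dst = ipaddress.IPv4Address(giaddr)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return False, "no route to %s" % dst
    net, gw, iface = max(candidates, key=lambda r: r[0].prefixlen)  # longest prefix wins
    if gw is not None:
        return True, "via %s on %s" % (gw, iface)
    on_link = any(ipaddress.ip_interface(a).ip in net for a in iface_addrs.get(iface, []))
    if not on_link:
        return False, ("%s treated as directly connected on %s, but %s has no address in %s"
                       % (dst, iface, iface, net))
    return True, "direct on %s" % iface
```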
[Dnsmasq-discuss] DLV and DnsMasq
Hello!

I have Ubuntu 15.04. How can I enable DLV (Domain Lookaside Validation) for DNSSEC for DNSMasq? I have already enabled DNSSEC with the appropriate trust anchor, but I cannot find any option for DLV. I was used to BIND, which has an option for lookaside validation, so how can I do this in dnsmasq?

Regards,
Jason
Re: [Dnsmasq-discuss] dhcp-host match based on set of tags
Hi Peter,

We discussed a solution and Simon said it was good but it has not yet been implemented.

https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg09297.html

Simon, with 2.75 out the door already, is this something we could revisit?

Thanks,

--
Jason Kincl
HPC Systems Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory

From: Dnsmasq-discuss on behalf of Peter Holmberg
Date: Friday, August 21, 2015 at 3:51 AM
To: "dnsmasq-discuss@lists.thekelleys.org.uk"
Subject: Re: [Dnsmasq-discuss] dhcp-host match based on set of tags

Hi!

I know this is an old post but I try to solve a similar problem as this. And wonder if you solved it? And in that case how?

/Peter
Re: [Dnsmasq-discuss] No new lease for Option 82 requests until old one times out
Hi,

Sorry for bringing up such an old thread but I was circling back onto this problem and I wonder if we could revisit it.

> On 17/09/14 09:49, Joachim Nilsson wrote:
>> Hi Simon,
>>
>> I've found a little problem with how Option 82 circuit-id/remote-id
>> works. Everything is fine in the below setup until I replace the client
>> with a replacement unit that has a different MAC.
>>
>> [client]---LAN1---[dhcrelay]---LAN2---[dnsmasq]
>>
>> dhcp-range=subnet0,tag:!static,192.168.2.100,192.168.2.199,255.255.255.0,864000
>> dhcp-circuitid=set:cid0,Eth6
>> tag-if=set:static,set:tag0,tag:cid0
>> dhcp-range=tag:tag0,192.168.2.99,192.168.2.99,255.255.255.0,864000
>>
>> When 'client' is replaced the request from the new client reaches
>> dnsmasq, which responds with no address available. I figured this is
>> because the pool for the static IP only has one entry, bound to the old
>> client's MAC. Indeed, it is not until the lease for the old client
>> times out that the new client receives an offer.
>>
>> I guess this behavior is by design ... I was thinking that adding
>> 'tag:tag0' to the --dhcp-host setting would have been perfect for
>> Option 82, since they're basically static leases anyway -- the same
>> port on a given switch should always receive the same IP ... so adding
>> tag support, in addition to the already existing mac and client-id,
>> seemed at least to me useful.
>>
>> What do you think?
>
> Allowing dhcp-host matching by tag is a good idea, but it's not the
> complete solution to this problem. You've spotted the catch, which is
> that the address you want is already bound to a different MAC/client-id.
> If you could select a dhcp-host line by tag, ie
>
> dhcp-circuitid=set:cid0,Eth6
> dhcp-host=tag:cid0,192.168.2.99
>
> then when the MAC address changed, you just get a different error:
>
> not using configured address 192.168.2.99 because it is leased to old MAC address
>
> To make this work, you'd need some extra semantics, either explicit or
> implicit, to enable the old binding to be abandoned. Abandoning a
> binding is dangerous, since when it granted the lease, the server was
> promising the client exclusive use of the IP address.
>
> There is precedent for this: the form of dhcp-host which has more than
> one MAC address allows exactly the abandonment of a lease to one MAC
> address in favour of the other one. It would be possible to define the
> dhcp-host=tag:cid0,192.168.2.99 form as having the same properties, or
> require some special keyword to enable this behaviour.

What about dhcp-host=*,tag:cid0,192.168.2.99? This syntax already exists for disregarding the client id and relying on the MAC address only, and it is similar to what we are saying: disregard the MAC and match on tag only. This should give us enough to be explicit about abandoning the old binding. What do you think?

> I think this covers Neil's points as well, apart from the PXE one. There
> is already some logic that tries to do the right thing when the same MAC
> address sometimes presents a client-id, and sometimes doesn't. It
> doesn't solve the case of two different client-ids at different points
> in the netboot, AFAIK.
>
> Cheers,
>
> Simon.
>
>> Regards
>> /Joachim

Thanks,
Jason Kincl
Re: [Dnsmasq-discuss] [PATCH v2] Optimize ipset/server/local/address/rebind-domain-ok performance
I wrote something similar here a while back: http://git.zx2c4.com/domain-lookup-tree/about/

Your algorithm looks potentially more efficient.
Re: [Dnsmasq-discuss] No new lease for Option 82 requests until old one times out
Hi,

I completely agree with Joachim and have also run into this issue while using Option-82.

Also, since each lease is tied to a client identifier, I have seen issues where the PXE client will give a different identifier from the OS and DNSMasq will refuse to hand out the IP thinking that the pool is exhausted. This specific problem has been discussed before[1] on the list.

But I think if we could get away from using dhcp-range with Option-82 and use dhcp-host with tag:tag syntax then we could solve these problems.

I also asked about dhcp-host with tags on this list[2] a few weeks ago but Joachim's post is significantly more elegant and descriptive.

Thanks!

[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q1/008067.html
[2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2014q3/008785.html

--
Jason Kincl

On 9/17/14, 7:00 AM, dnsmasq-discuss-requ...@lists.thekelleys.org.uk wrote:

> Date: Wed, 17 Sep 2014 10:49:16 +0200
> From: Joachim Nilsson troglo...@gmail.com
> To: dnsmasq discuss dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: [Dnsmasq-discuss] No new lease for Option 82 requests until old one times out
> Message-ID: 54194b0c.7010...@gmail.com
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi Simon,
>
> I've found a little problem with how Option 82 circuit-id/remote-id works. Everything is fine in the below setup until I replace the client with a replacement unit that has a different MAC.
>
>     [client]---LAN1---[dhcrelay]---LAN2---[dnsmasq]
>
>     dhcp-range=subnet0,tag:!static,192.168.2.100,192.168.2.199,255.255.255.0,864000
>     dhcp-circuitid=set:cid0,Eth6
>     tag-if=set:static,set:tag0,tag:cid0
>     dhcp-range=tag:tag0,192.168.2.99,192.168.2.99,255.255.255.0,864000
>
> When 'client' is replaced the request from the new client reaches dnsmasq, which responds with no address available. I figured this is because the pool for the static IP only has one entry, bound to the old client's MAC. Indeed, it is not until the lease for the old client times out that the new client receives an offer. I guess this behavior is by design ...
>
> I was thinking that adding 'tag:tag0' to the --dhcp-host setting would have been perfect for Option 82, since they're basically static leases anyway -- the same port on a given switch should always receive the same IP ... so adding tag support, in addition to the already existing mac and client-id, seemed at least to me useful.
>
> What do you think?
>
> Regards
> /Joachim
[Dnsmasq-discuss] dhcp-host match based on set of tags
Hi,

So I have a situation where I can guarantee that a given set of tags is unique by using DHCP Option 82 (dhcp-circuitid and dhcp-remoteid) and I want to give an IP address to that single host, but the only way to do that is to create a single IP pool and match on those tags. But then I get into lease management issues if the MAC changes on that port, so what I really want is to use dhcp-host but it cannot match on tags.

Is this something that could be adapted to work or does it break all things DHCP?

Thanks!

--
Jason Kincl
HPC Systems Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
e-mail kinc...@ornl.gov
Phone (865)-574-7704
[Dnsmasq-discuss] Dnsmasq cache does not fetch new value after cache expired for some record
Hi friends,

I am using dnsmasq as the local DNS cache. Everything is OK but we found a very strange problem for one DNS record: api.m.duoku.com

It is OK to resolve api.m.duoku.com as dnsmasq starts up. But after the cache expires (the TTL is 3600), dnsmasq does not fetch a new record from the upstream servers but returns an NXDOMAIN result. For now, I have only found the problem with this DNS record. It works fine for other DNS records!

--
    # dig api.m.duoku.com

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> api.m.duoku.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33100
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;api.m.duoku.com.               IN      A

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Feb 27 12:39:21 2014
    ;; MSG SIZE  rcvd: 33
--

After I restarted dnsmasq using /etc/init.d/dnsmasq, it returned to normal. But after the cache expires, I need to restart again!

The upstream servers are running Unbound, and they are OK to resolve api.m.duoku.com, and I never have to restart Unbound for the problem! So I highly suspect it is a problem of dnsmasq!

--
    $ cat /etc/resolv.dnsmasq.conf
    nameserver 120.132.147.28
    nameserver 58.83.143.47
    nameserver 216.12.201.200
    nameserver 159.253.130.212
    nameserver 208.43.166.72
    nameserver 103.6.152.201
--
    # cat /etc/dnsmasq.conf | grep -v '^#' | sed -e '/^$/d'
    resolv-file=/etc/resolv.dnsmasq.conf
    listen-address=127.0.0.1
    no-dhcp-interface=127.0.0.1
    bind-interfaces
    no-hosts
    cache-size=1000
    log-queries
    conf-dir=/etc/dnsmasq.d

    # uname -a
    Linux xxx.boyaa.com 2.6.18-348.1.1.el5 #1 SMP Tue Jan 22 16:19:19 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

    # cat /etc/redhat-release
    CentOS release 5.8 (Final) Tikanga

    # rpm -qa | grep dnsmasq
    dnsmasq-2.45-1.1.el5_3
--

So can anyone help with this problem? Thank you very much!
[Dnsmasq-discuss] Enable HAVE_IPSET by default
Hi Simon,

It's just occurred to me that no router developer is going to know to turn HAVE_IPSET on, and hence, it won't be available immediately on any devices, which is a bummer. Further, unless the --ipset= options are used, HAVE_IPSET doesn't contribute at _all_ to the runtime of the app. And even further, if HAVE_LINUX_NETWORK isn't enabled, HAVE_IPSET is automatically disabled.

Makes sense, then, I think, to uncomment HAVE_IPSET by default.

How about it?

Jason
Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup
On Wed, Feb 20, 2013 at 3:17 PM, Kaspar Schleiser kas...@schleiser.de wrote:
> Could you elaborate on how your tree works?

Went ahead and annotated the source: http://git.zx2c4.com/domain-lookup-tree/tree/domain-lookup.c

Should be way easier to understand what's up.
Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup
On Wed, Feb 20, 2013 at 9:53 PM, Jason A. Donenfeld ja...@zx2c4.com wrote:
> Okie dokie, benchmark time! 2012 Intel Core i7, gcc 4.7.2.

Looks like gcc was optimizing out the legacy test. Fixed that, and added some data verification.

    zx2c4@thinkpad ~/Projects/domain-lookup-tree $ make
    cc -march=native -pipe -fomit-frame-pointer -flto -O3 test.c domain-lookup.c domain-lookup.h -o test
    cc -march=native -pipe -fomit-frame-pointer -flto -O3 benchmark.c domain-lookup.c domain-lookup.h -o benchmark
    zx2c4@thinkpad ~/Projects/domain-lookup-tree $ ./benchmark
    [+] Populating in memory word list.
    [+] Creating random lists of domains to query.
    [+] Populating domain lookup tree.
    [+] Performing lookup benchmarks:
        [*] New method took 0.37 seconds.
        [*] Old method took 188.77 seconds.
    [+] Verifying that new and old methods produced identical results:
        [*] New and old methods produced the same results.
[Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup
Hi Simon & Folks,

Currently when dnsmasq processes server=/.../, address=/.../, local=/.../, ipset=/.../, and similar, it finds the nearest match for a domain name by iterating through all the keys, and keeping track of which one had the largest match length. This gets the job done and is fairly simple. But it also could be optimized quite a bit.

This might be a bit verbose for dnsmasq's tastes, and maybe the notion smells a bit too much of My First Computer Science Data Structure kind of thing, but perhaps this might be a welcome optimization.

I present you with domain-lookup-tree, a simple set of C functions that store domain names in a tree structure: http://git.zx2c4.com/domain-lookup-tree/about/

It should be relatively straightforward. I wrote it specifically with dnsmasq in mind, so if you're interested, I'd be thrilled to see it replace the current naive matching technique.

Thoughts? Comments? Ideas?

Jason
Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup
On Wed, Feb 20, 2013 at 3:17 PM, Kaspar Schleiser kas...@schleiser.de wrote:
> Could you elaborate on how your tree works? Did you do any benchmarks?

Each node represents a domain component.

    * -> [com -> [zx2c4 -> [data, blog], kexec], org -> [slashdot]]

It splits the domain string by the period, and then walks the components backward.
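The label tree sketched above, as an added example written for this page rather than code from the domain-lookup-tree repository: each node holds one label, insertion walks the labels from the right (TLD first), and lookup returns the longest configured domain that the queried name equals or sits under, honouring the label boundary so that notzx2c4.com does not match zx2c4.com. The dlt_ names and the sample domain set are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L      /* for strcasecmp/strncasecmp from <strings.h> */
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* One node per domain label; children are kept in a singly linked list. */
struct dlt_node {
    char *label;                     /* one component, e.g. "com" (NULL on the root) */
    int terminal;                    /* set when an inserted domain ends at this node */
    struct dlt_node *children;
    struct dlt_node *next;
};

/* Find the child of `parent` carrying `label` (DNS labels compare case-insensitively);
   when `create` is set, add it if missing. Returns NULL if absent and not created. */
static struct dlt_node *dlt_child(struct dlt_node *parent, const char *label, size_t len, int create)
{
    struct dlt_node *c;
    for (c = parent->children; c; c = c->next)
        if (strlen(c->label) == len && strncasecmp(c->label, label, len) == 0)
            return c;
    if (!create)
        return NULL;
    c = calloc(1, sizeof(*c));
    if (!c || !(c->label = malloc(len + 1)))
        abort();                     /* out of memory: nothing sensible to do in a demo */
    memcpy(c->label, label, len);
    c->label[len] = '\0';
    c->next = parent->children;
    parent->children = c;
    return c;
}

/* Start of the label that ends at `end`: scan left to the previous '.' or to `domain`. */
static const char *label_start(const char *domain, const char *end)
{
    const char *p = end;
    while (p > domain && p[-1] != '.')
        p--;
    return p;
}

/* Insert `domain` (e.g. "zx2c4.com"), walking its labels from the right, TLD first.
   Inserting the empty string marks the root itself, which then matches every name. */
void dlt_insert(struct dlt_node *root, const char *domain)
{
    struct dlt_node *node = root;
    const char *end = domain + strlen(domain);
    while (end > domain) {
        const char *start = label_start(domain, end);
        node = dlt_child(node, start, (size_t)(end - start), 1);
        end = (start > domain) ? start - 1 : domain;   /* step back over the '.' */
    }
    node->terminal = 1;
}

/* Nearest-domain lookup: returns a pointer into `name` at the start of the longest
   inserted domain that `name` equals or is a subdomain of, or NULL when none matches.
   Cost is one child-list scan per label of `name`, whatever the number of domains. */
const char *dlt_lookup(struct dlt_node *root, const char *name)
{
    struct dlt_node *node = root;
    const char *end = name + strlen(name);
    const char *best = root->terminal ? end : NULL;   /* root match = empty suffix */
    while (end > name) {
        const char *start = label_start(name, end);
        node = dlt_child(node, start, (size_t)(end - start), 0);
        if (!node)
            break;                   /* no configured domain goes any deeper */
        if (node->terminal)
            best = start;            /* a deeper match is a longer match, so it wins */
        end = (start > name) ? start - 1 : name;
    }
    return best;
}

/* Demo tree built once from constructed sample entries (the names in the diagram
   above); returns the matched suffix of `name`, or NULL. */
const char *dlt_demo_lookup(const char *name)
{
    static struct dlt_node root;
    static int built;
    if (!built) {
        static const char *domains[] = { "zx2c4.com", "data.zx2c4.com", "kexec.com", "slashdot.org" };
        size_t i;
        for (i = 0; i < sizeof(domains) / sizeof(domains[0]); i++)
            dlt_insert(&root, domains[i]);
        built = 1;
    }
    return dlt_lookup(&root, name);
}
```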
Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup
On Wed, Feb 20, 2013 at 3:17 PM, Kaspar Schleiser kas...@schleiser.de wrote:
> Did you do any benchmarks?

Okie dokie, benchmark time! 2012 Intel Core i7, gcc 4.7.2.

With gcc's -O3:

    zx2c4@thinkpad ~/Projects/domain-lookup-tree $ ./benchmark
    New method took 0.43 seconds.
    Old method took 2.75 seconds.

Without -O3:

    zx2c4@thinkpad ~/Projects/domain-lookup-tree $ ./benchmark
    New method took 0.41 seconds.
    Old method took 325.94 seconds.

Benchmarking code is in the previously linked git repository.
Re: [Dnsmasq-discuss] [Request for Comments] Optimized Nearest-Domain Lookup
On Wed, Feb 20, 2013 at 5:46 PM, Simon Kelley si...@thekelleys.org.uk wrote:
> I'm currently snowed under (at least partially with your earlier good work) so I may not get to this for a while.

No problem. Upstreaming the ipset code is a much bigger priority in my book. This optimization code is mainly just something to play around with.
Re: [Dnsmasq-discuss] [PATCH] Netfilter IPSet Support
On Sun, Feb 17, 2013 at 6:28 PM, Simon Kelley si...@thekelleys.org.uk wrote:
> Fantastic! I'm beating my way through my inbox and just caught up with you. I was intending to put this off to the first thing in 2.67, rather than the last thing in 2.66, but having got this far, I'm not so sure. Wonderful! You even wrote the man-page text!
>
> Queries which arise mainly from a fresh pair of eyes:
>
> 1) Do we need to support HAVE_OLD_IPSET? I can see more reason for 2.4 kernels than 2.6, but I think most routers are using modern kernels now?

We really do need to support old ipset. Lots of broadcom-based routers run 2.6.22, because that's the kernel version broadcom has released their drivers for. They're extremely widespread, so supporting it is really a must.

> If we do need to support both, I'd like to do both in one binary, just to reduce the potential build confusion.

This shouldn't be _too big_ of a problem. I'm rewriting things now to check utsname on the first invocation of the function, and then route accordingly. The only potential problem is that since we can't rely on the existence of the ipset-netlink headers on older systems, I'll have to import some of those constant values. Personally I think it's much much much cleaner to have them separate compile time options, but I understand the build confusion issue too.

> Am I right that the setsockopt method only supports IPv4? So we can't support just that.

Older ipsets only support IPv4. They're still extremely useful, but it's a limitation.

> 2) Can we get by without adding a dependency on libmnl? Do we want to?

The ipset userland tool uses libmnl, so it's already on the user's system if they're using ipset. However, this isn't the case if they're using old ipset, so it might be best to move away from libmnl. I'm investigating that right now.

> even if we don't, we can replace the code which starts
>
>     mnl = mnl_socket_open(NETLINK_NETFILTER);
>
> and ends
>
>     mnl_socket_close(mnl);
>
> with something which uses the already-existing netlink socket created in src/netlink.c, and avoid the overhead of making a new netlink socket on each iteration? Worry about process_reply() being called from the TCP-request code-path, from a forked process. I think the netlink socket inherited by the forked process will still be OK.

If we do stick with libmnl, implementing this will be no problem.

> 3) (af == AF_INET ? sizeof(ipaddr->addr.addr4) : sizeof(ipaddr->addr.addr4)), second addr4 should be addr6?

Good catch.

> 4) The code should compile if HAVE_IPV6 is not set even if the headers don't define AF_INET6

Roger that.

> 5) Compile-time options need to be added to the preprocessor stuff defining the compile_opts string in src/config.c

I actually added this after the initial email in the git repository -- http://git.zx2c4.com/dnsmasq-ipset/ .

> Cheers,
> Simon.
[Dnsmasq-discuss] [PATCH v2 3/3] ipset: Update man page and example config to reflect new option.
From: Jason A. Donenfeld ja...@zx2c4.com --- dnsmasq.conf.example | 4 man/dnsmasq.8| 6 ++ 2 files changed, 10 insertions(+) diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example index 5215c2a..9a0dbd7 100644 --- a/dnsmasq.conf.example +++ b/dnsmasq.conf.example @@ -69,6 +69,10 @@ # --address (and --server) work with IPv6 addresses too. #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + # You can control how dnsmasq talks to a server: this forces # queries to 10.1.2.3 to be routed via eth1 # server=10.1.2.3@eth1 diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index b8dcfc7..941e84d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -412,6 +412,12 @@ additional facility that /#/ matches any domain. Thus answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. .TP +.B --ipset=/domain/[domain/]ipset[,ipset] +Places the resolved IP addresses of queries for the specified domains +in the specified netfilter ip sets. Domains and subdomains are matched +in the same way as --address. These ip sets must already exist. See +ipset(8) for more details. +.TP .B \-m, --mx-host=mx name[[,hostname],preference] Return an MX record named mx name pointing to the given hostname (if given), or -- 1.8.1.2 ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
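Review bot: the new .B --ipset entry in the man/dnsmasq.8 hunk does not say whether an address ever leaves the set again (the add_to_ipset prototype introduced in 1/3 takes a remove flag, and --ipset= is documented only as placing addresses); a reader building firewall policy on the set needs to know whether entries persist after the DNS record's TTL expires, so a sentence stating the lifetime semantics ("addresses are added when a reply is seen and are not removed by dnsmasq", or whatever the code does) belongs next to "These ip sets must already exist."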
[Dnsmasq-discuss] [PATCH v2 2/3] ipset: Parse new --ipset option and match domains in forward.c
From: Jason A. Donenfeld ja...@zx2c4.com The matching logic is the same as for --address. extract_address is responsible for calling out to add_to_ipset. --- src/dnsmasq.h | 10 +- src/forward.c | 20 ++- src/option.c | 64 +++ src/rfc1035.c | 24 +- 4 files changed, 115 insertions(+), 3 deletions(-) diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 832e04a..9732487 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -430,6 +430,12 @@ struct server { struct server *next; }; +struct ipsets { + char **sets; + char *domain; + struct ipsets *next; +}; + struct irec { union mysockaddr addr; struct in_addr netmask; /* only valid for IPv4 */ @@ -779,6 +785,7 @@ extern struct daemon { struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers; struct bogus_addr *bogus_addr; struct server *servers; + struct ipsets *ipsets; int log_fac; /* log facility */ char *log_file; /* optional log file */ int max_logs; /* queue limit */ @@ -903,7 +910,8 @@ size_t setup_reply(struct dns_header *header, size_t qlen, struct all_addr *addrp, unsigned int flags, unsigned long local_ttl); int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff, - time_t now, int is_sign, int checkrebind, int checking_disabled); + time_t now, char **ipsets, int is_sign, int checkrebind, + int checking_disabled); size_t answer_request(struct dns_header *header, char *limit, size_t qlen, struct in_addr local_addr, struct in_addr local_netmask, time_t now); int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, diff --git a/src/forward.c b/src/forward.c index fb0b4c4..f5e95a1 100644 --- a/src/forward.c +++ b/src/forward.c 
@@ -439,9 +439,27 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, int checking_disabled) { unsigned char *pheader, *sizep; + char **sets = 0; int munged = 0, is_sign; size_t plen; +#ifdef HAVE_IPSET + /* Similar algorithm to search_servers. */ + struct ipsets *ipset_pos; + unsigned int namelen = strlen(daemon-namebuff); + unsigned int matchlen = 0; + for (ipset_pos = daemon-ipsets; ipset_pos; ipset_pos = ipset_pos-next) { + unsigned int domainlen = strlen(ipset_pos-domain); + char *matchstart = daemon-namebuff + namelen - domainlen; + if (namelen = domainlen hostname_isequal(matchstart, ipset_pos-domain) +(domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) +domainlen = matchlen) { + matchlen = domainlen; + sets = ipset_pos-sets; + } + } +#endif + /* If upstream is advertising a larger UDP packet size than we allow, trim it so that we don't get overlarge requests for the client. We can't do this for signed packets. */ @@ -494,7 +512,7 @@ static size_t process_reply(struct dns_header *header, time_t now, SET_RCODE(header, NOERROR); } - if (extract_addresses(header, n, daemon-namebuff, now, is_sign, check_rebind, checking_disabled)) + if (extract_addresses(header, n, daemon-namebuff, now, sets, is_sign, check_rebind, checking_disabled)) { my_syslog(LOG_WARNING, _(possible DNS-rebind attack detected: %s), daemon-namebuff); munged = 1; diff --git a/src/option.c b/src/option.c index 3fc3e03..899f4a1 100644 --- a/src/option.c +++ b/src/option.c @@ -127,6 +127,7 @@ struct myoption { #define LOPT_AUTHSOA 316 #define LOPT_AUTHSFS 317 #define LOPT_AUTHPEER 318 +#define LOPT_IPSET 319 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = @@ -259,6 +260,7 @@ static const struct myoption opts[] = { auth-soa, 1, 0, LOPT_AUTHSOA }, { auth-sec-servers, 1, 0, LOPT_AUTHSFS }, { auth-peer, 1, 0, LOPT_AUTHPEER }, +{ ipset, 1, 0, LOPT_IPSET }, { NULL, 0, 0, 0 } }; 
@@ -397,6 +399,7 @@ static struct { { LOPT_AUTHSOA, ARG_ONE, serial[,...], gettext_noop(Set authoritive zone information), NULL }, { LOPT_AUTHSFS, ARG_DUP, NS[,NS...], gettext_noop(Secondary authoritative nameservers for forward domains), NULL }, { LOPT_AUTHPEER, ARG_DUP, ipaddr[,ipaddr...], gettext_noop(Peers which are allowed to do zone transfer), NULL }, + { LOPT_IPSET, ARG_DUP, /domain/ipset[,ipset...], gettext_noop(Specify ipsets to which matching domains should be added), NULL }, { 0, 0, NULL, NULL, NULL } }; @@ -2021,6 +2024,67 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma daemon-servers = newlist; break; } +case LOPT_IPSET: +#ifndef HAVE_IPSET + ret_err(_(recompile with HAVE_IPSET defined to enable ipset directives
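Review bot: in the process_reply hunk in src/forward.c, `matchstart = daemon->namebuff + namelen - domainlen` is computed before the `namelen >= domainlen` test, so for any configured --ipset domain longer than the name in the reply a pointer before the start of namebuff is formed (undefined behaviour in C even though the short-circuit stops hostname_isequal from dereferencing it); test `namelen < domainlen` and `continue` first, then compute matchstart. The loop also recomputes strlen(ipset_pos->domain) for every entry on every reply, which is the same linear scan as search_servers; if the list can be long, caching the length in struct ipsets at option-parse time (the struct is defined in this series) would help.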
[Dnsmasq-discuss] [PATCH v2 0/3] ipset: Add Netfilter IPSet Support to DNSMasq
From: Jason A. Donenfeld ja...@zx2c4.com

This version 2 of the ipset patchset makes a few important changes:

- No HAVE_OLD_IPSET anymore. HAVE_IPSET will enable both, and the correct code will then be called depending on the running kernel.
- libmnl is no longer used. All this code was replaced with something even more lightweight that should build on old systems.
- The netfilter socket is reused between ipset insertions. Note that other netlink sockets used in dnsmasq cannot be reused because they're part of a different netlink class, but we're smart about reusing the one we do allocate.
- HAVE_IPV6 is now respected, so new code paths won't break on non-ipv6 systems.
- compile_opts and various other small fixes

Jason A. Donenfeld (3):
  ipset: Integrate ipset.c into build system.
  ipset: Parse new --ipset option and match domains in forward.c
  ipset: Update man page and example config to reflect new option.

 Makefile             |   2 +-
 dnsmasq.conf.example |   4 +
 man/dnsmasq.8        |   6 ++
 src/config.h         |  14 +++-
 src/dnsmasq.h        |  15 +++-
 src/forward.c        |  20 -
 src/ipset.c          | 220 +++
 src/option.c         |  64 +++
 src/rfc1035.c        |  24 +-
 9 files changed, 364 insertions(+), 5 deletions(-)
 create mode 100644 src/ipset.c

--
1.8.1.2
[Dnsmasq-discuss] [PATCH v2 1/3] ipset: Integrate ipset.c into build system.
From: Jason A. Donenfeld ja...@zx2c4.com --- Makefile | 2 +- src/config.h | 14 +++- src/dnsmasq.h | 5 ++ src/ipset.c | 220 ++ 4 files changed, 239 insertions(+), 2 deletions(-) create mode 100644 src/ipset.c diff --git a/Makefile b/Makefile index c9cdb90..7240fbf 100644 --- a/Makefile +++ b/Makefile @@ -65,7 +65,7 @@ version = -DVERSION='\`$(top)/bld/get-version $(top)`\' objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h diff --git a/src/config.h b/src/config.h index cff278d..9c8e785 100644 --- a/src/config.h +++ b/src/config.h @@ -97,6 +97,10 @@ HAVE_CONNTRACK a build-dependency on libnetfilter_conntrack, but the resulting binary will still run happily on a kernel without conntrack support. +HAVE_IPSET +define this to include the ability to selectively add resolved ip addresses +to given ipsets. + HAVE_AUTH define this to include the facility to act as an authoritative DNS server for one or more zones. @@ -136,7 +140,7 @@ RESOLVFILE /* #define HAVE_DBUS */ /* #define HAVE_IDN */ /* #define HAVE_CONNTRACK */ - +/* #define HAVE_IPSET */ /* Default locations for important system files. */ @@ -323,6 +327,10 @@ HAVE_SOCKADDR_SA_LEN #undef HAVE_AUTH #endif +#ifndef HAVE_LINUX_NETWORK +#undef HAVE_IPSET +#endif + /* Define a string indicating which options are in use. DNSMASQP_COMPILE_OPTS is only defined in dnsmasq.c */ @@ -381,6 +389,10 @@ static char *compile_opts = no- #endif conntrack +#ifndef HAVE_IPSET +no- +#endif +ipset #ifndef HAVE_AUTH no- #endif diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 21a309c..832e04a 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h 
@@ -1117,6 +1117,11 @@ void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname); # endif #endif +/* ipset.c */ +#ifdef HAVE_IPSET +int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove); +#endif + /* helper.c */ #if defined(HAVE_SCRIPT) int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd); diff --git a/src/ipset.c b/src/ipset.c new file mode 100644 index 000..fcf6e25 --- /dev/null +++ b/src/ipset.c 
@@ -0,0 +1,220 @@ +/* ipset.c is Copyright (c) 2013 Jason A. Donenfeld ja...@zx2c4.com. All Rights Reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991, or + (at your option) version 3 dated 29 June, 2007. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include dnsmasq.h +#include string.h +#include errno.h +#include sys/types.h +#include sys/socket.h +#include sys/utsname.h +#include arpa/inet.h +#include linux/version.h +#include linux/netlink.h +#include linux/netfilter/nfnetlink.h +#ifndef NFNL_SUBSYS_IPSET +#define NFNL_SUBSYS_IPSET 6 +#define IPSET_ATTR_DATA 7 +#define IPSET_ATTR_IP 1 +#define IPSET_ATTR_IPADDR_IPV4 1 +#define IPSET_ATTR_IPADDR_IPV6 2 +#define IPSET_ATTR_PROTOCOL 1 +#define IPSET_ATTR_SETNAME 2 +#define IPSET_CMD_ADD 9 +#define IPSET_CMD_DEL 10 +#define IPSET_MAXNAMELEN 32 +#define IPSET_PROTOCOL 6 +#else +#include linux/netfilter/ipset/ip_set.h +#endif +#ifdef HAVE_IPSET + +#define NL_ALIGN(len) (((len)+3) ~(3)) +static const struct sockaddr_nl snl = { .nl_family = AF_NETLINK }; + +static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data) +{ + struct nlattr *attr = (void *)nlh + NL_ALIGN(nlh-nlmsg_len); + uint16_t payload_len = NL_ALIGN(sizeof(struct nlattr)) + len; + attr-nla_type = type; + attr-nla_len = payload_len; + memcpy((void *)attr + NL_ALIGN(sizeof(struct nlattr)), data, len); + nlh-nlmsg_len += NL_ALIGN(payload_len); +} + +static int netlink_netfilter_sock() +{ + static int fd = -2; + if (fd == -2) { + 
fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER); + if (fd 0) + return -1; + if (bind(fd, (struct sockaddr *)snl, sizeof(snl)) 0) { + fd = -1; + return -1; + } + } + return fd; +} + +static int
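Review bot: the Makefile hunk adds ipset.o to objs unconditionally, but in the new src/ipset.c the includes of linux/version.h, linux/netlink.h and linux/netfilter/nfnetlink.h (and the fallback IPSET_* defines) sit before the `#ifdef HAVE_IPSET` guard, while the config.h hunk undefines HAVE_IPSET whenever HAVE_LINUX_NETWORK is not set; on a non-Linux build the object is still compiled and those headers do not exist, so the build breaks there. Move everything from the includes down under `#ifdef HAVE_IPSET` (dnsmasq.h, which pulls in config.h, has to stay above it) so the file compiles to an empty object when the option is off.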
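Review bot: netlink_netfilter_sock() caches the descriptor in a static and, when bind() fails, sets fd = -1 without close()ing the socket it has just opened, so the descriptor leaks and every later call returns -1 for the life of the process without a retry or any message; the socket() failure path likewise leaves fd negative permanently. Close the descriptor on the bind failure, log the errno once with my_syslog (as the rest of the series does for the rebind warning) so the operator can see why addresses never reach the set, and either reset fd to -2 to allow a retry or document that the failure is sticky.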
Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support
On Sat, Feb 16, 2013 at 5:28 PM, Mr Dash Four mr.dash.f...@googlemail.com wrote:
> If the set is of type hash:net, then you can use nomatch. In other words:

In an effort to prevent this thread from going off-topic, it's worth noting that the hash:net functionality of ipset has nothing to do with and does not replace the dnsmasq-ipset patches. It is very frequently the case that it is not possible to know a priori the IP ranges used by a particular service, and instead the best way is via DNS lookup; see prior emails for more detail.
Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support
Hi Simon,

On Fri, Feb 15, 2013 at 3:05 PM, Simon Kelley si...@thekelleys.org.uk wrote:
> It looks like the extra code is quite small, so I'd certainly consider it.

Wonderful! I've extracted the heavy lifting code into a separate file (attached as ipset.c), and licensed it under the same license as dnsmasq so that you can just copy and paste. Given that the server=/.../ matching already exists and that the difficult netlink part has already been written, adding this to dnsmasq should be very trivial.

> Do you take account of the time-to-live of DNS records, or are ipsets create-only?

IPs can be both added and removed to and from ipsets. Ipset itself doesn't have a built-in TTL mechanism, but it would be trivial to just remove IPs from the ipset at the same time dnsmasq purges its cache. This isn't always the desired behavior, however -- if I have connected to an IP address that was added to an ipset via its DNS lookup, I don't want it to be removed from the ipset while I'm still connected to it, even if the DNS TTL is up. In any case, I've added a remove argument to the ipset function so that you can easily add this functionality behind a switch.

Looking forward! Thanks Simon.

Jason

    /* ipset.c: add or remove an ip address to an ipset.
     *
     * Copyright (C) 2013 Jason A. Donenfeld ja...@zx2c4.com. All Rights Reserved.
     *
     * This program is free software; you can redistribute it and/or modify
     * it under the terms of the GNU General Public License as published by
     * the Free Software Foundation; version 2 dated June, 1991, or
     * (at your option) version 3 dated 29 June, 2007.
     *
     * This program is distributed in the hope that it will be useful,
     * but WITHOUT ANY WARRANTY; without even the implied warranty of
     * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
     * GNU General Public License for more details.
     *
     * You should have received a copy of the GNU General Public License
     * along with this program. If not, see http://www.gnu.org/licenses/.
     *
     * For Linux >= 2.6.32, compile with -lmnl. For older kernels (the 2.6.16
     * and 2.4.36 series), compile with -DOLD_IPSET.
     */

    #include <string.h>
    #include <errno.h>
    #include <stdint.h>         /* uint16_t, uint32_t */
    #include <unistd.h>         /* close() */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    #ifndef OLD_IPSET
    #include <libmnl/libmnl.h>
    #include <linux/netfilter/nfnetlink.h>
    #include <linux/netfilter/ipset/ip_set.h>
    #endif

    /* ipaddr should be either in_addr or in6_addr in network byte order.
     * In other words, verbatim of what is in the DNS record. If remove
     * is non-zero, the requested ipaddr is removed instead of added.
     * Returns 0 on success, -1 with errno set on failure. */
    int add_to_ipset(const char *setname, const void *ipaddr, int af, int remove)
    {
    #ifndef OLD_IPSET
    	/* ipset >= 6: one nfnetlink request, IPSET_CMD_ADD or IPSET_CMD_DEL,
    	 * carrying the set name and the address nested under DATA/IP. */
    	struct nlmsghdr *nlh;
    	struct nfgenmsg *nfg;
    	struct mnl_socket *mnl;
    	struct nlattr *nested[2];
    	char buffer[256];
    	int rc;

    	rc = 0;
    	if (strlen(setname) >= IPSET_MAXNAMELEN) {
    		errno = ENAMETOOLONG;
    		return -1;
    	}
    	if (af != AF_INET && af != AF_INET6) {
    		errno = EAFNOSUPPORT;
    		return -1;
    	}

    	nlh = mnl_nlmsg_put_header(buffer);
    	nlh->nlmsg_type = (remove ? IPSET_CMD_DEL : IPSET_CMD_ADD) | (NFNL_SUBSYS_IPSET << 8);
    	nlh->nlmsg_flags = NLM_F_REQUEST;

    	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(struct nfgenmsg));
    	nfg->nfgen_family = af;
    	nfg->version = NFNETLINK_V0;
    	nfg->res_id = htons(0);

    	mnl_attr_put_u8(nlh, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
    	mnl_attr_put(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname);
    	nested[0] = mnl_attr_nest_start(nlh, IPSET_ATTR_DATA);
    	nested[1] = mnl_attr_nest_start(nlh, IPSET_ATTR_IP);
    	mnl_attr_put(nlh, (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6) | NLA_F_NET_BYTEORDER,
    	             (af == AF_INET ? sizeof(struct in_addr) : sizeof(struct in6_addr)), ipaddr);
    	mnl_attr_nest_end(nlh, nested[1]);
    	mnl_attr_nest_end(nlh, nested[0]);

    	mnl = mnl_socket_open(NETLINK_NETFILTER);
    	if (mnl == NULL)
    		return -1;
    	if (mnl_socket_bind(mnl, 0, MNL_SOCKET_AUTOPID) < 0) {
    		rc = -1;
    		goto close;
    	}
    	if (mnl_socket_sendto(mnl, nlh, nlh->nlmsg_len) < 0) {
    		rc = -1;
    		goto close;
    	}
    close:
    	mnl_socket_close(mnl);
    	return rc;
    #else
    	/* ipset 4 (old kernels): look the set index up with getsockopt, then
    	 * add or delete through setsockopt on a raw socket. IPv4 only. */
    	int sock, rc;
    	socklen_t size;
    	struct ip_set_req_adt_get {
    		unsigned op;
    		unsigned version;
    		union {
    			char name[32];
    			uint16_t index;
    		} set;
    		char typename[32];
    	} req_adt_get;
    	struct ip_set_req_adt {
    		unsigned op;
    		uint16_t index;
    		uint32_t ip;
    	} req_adt;

    	rc = 0;
    	if (strlen(setname) >= sizeof(req_adt_get.set.name)) {
    		errno = ENAMETOOLONG;
    		return -1;
    	}
    	if (af != AF_INET) {
    		errno = EAFNOSUPPORT;
    		return -1;
    	}
    	sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    	if (sock < 0)
    		return -1;
    	req_adt_get.op = 0x10;
    	req_adt_get.version = 3;
    	strcpy(req_adt_get.set.name, setname);
    	size = sizeof(req_adt_get);
    	if (getsockopt(sock, SOL_IP, 83, &req_adt_get, &size) < 0) {
    		rc = -1;
    		goto close;
    	}
    	req_adt.op = remove ? 0x102 : 0x101;
    	req_adt.index = req_adt_get.set.index;
    	req_adt.ip = ntohl(*(uint32_t *)ipaddr);
    	if (setsockopt(sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0) {
    		rc = -1;
    		goto close;
    	}
    close:
    	close(sock);
    	return rc;
    #endif
    }
Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support
On Fri, Feb 15, 2013 at 10:42 PM, sven falempin <sven.falem...@gmail.com> wrote:
> Previously i propose a patch to filter out some domain, i understand
> filtering should be done by iptables, but only if you think linux.
> Is it possible to use a version of this code to filter some domain out
> and/or to allow just a subset of domains ?

I'm sure it's possible to warp ipset to do all sorts of things for you. It's pretty generic and flexible.
Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support
Simon,

The attached patch wires ipset into the dnsmasq build system. I'm assuming the integration and config syntax is something you want to do yourself rather than have me do it. After applying the patch, you will be able to call:

    int add_to_ipset(const char *setname, const void *ipaddr, int af, int remove);

Hope this helps!

Jason

0001-Wire-up-ipset-to-build-system.patch
Description: Binary data
Re: [Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support
On Fri, Feb 15, 2013 at 11:30 PM, John Brendler <brendle...@gmail.com> wrote:
> I use ipsets and have written scripts for handling them dynamically. I
> think this is a very interesting idea. I'd benefit from hearing some
> elaboration on the use cases you have in mind. I think this might also
> help Simon understand how best to integrate.

Sure. There are some decent examples on http://git.zx2c4.com/ipset-dns/about/. Check out the Why? section as well as the sample script.
[Dnsmasq-discuss] [PATCH] Netfilter IPSet Support
Hi Simon,

Another update to reduce the amount of work for you. This thread should supersede the other one.

I made ipset.c a bit nicer for dnsmasq by using struct all_addr. New patch to replace all old ones:

View: http://git.zx2c4.com/dnsmasq-ipset/commit/?id=b93018649a533a341b724e3323011714a84d5ef0
Patch: http://git.zx2c4.com/dnsmasq-ipset/patch/?id=b93018649a533a341b724e3323011714a84d5ef0

I added some sample code for where it could be successfully integrated with a simple /* TODO */ that should be filled out with the server lookup / matching logic, which I'll leave to you:

View: http://git.zx2c4.com/dnsmasq-ipset/commit/?id=954a63cda0fa08e5ed0f18a81a226669c3dc5039
Patch: http://git.zx2c4.com/dnsmasq-ipset/patch/?id=954a63cda0fa08e5ed0f18a81a226669c3dc5039

If I do further work on this, the code will be found at: http://git.zx2c4.com/dnsmasq-ipset/

Looking forward.

Jason
Re: [Dnsmasq-discuss] [PATCH] Netfilter IPSet Support
Hah, forget that. I just wrote the entire thing, including configuration, and it works great. I'll send full patches to the mailing list shortly.
[Dnsmasq-discuss] [PATCH 0/3] ipset: Add Netfilter IPSet Support do DNSMasq
Services like YouTube and Netflix use tons of ranges of IP addresses that fluctuate wildly and aren't predictable. However, they're always from a given subdomain using DNS, like *.c.youtube.com. I'd like to have firewall rules for these IP addresses -- route them over this interface, that interface, rate limit them like this, or that, etc. An efficient way to do this is by adding IP addresses to a netfilter ipset and using iptables' ipset match support. With services that use lots of IPs spread out over ranges but instead use DNS, the only way to do this is to have the DNS forwarder add the resolved IPs to an ipset before returning the IP to the client.

This series of patches adds an --ipset option to dnsmasq which adds resolved ips for specified domains to a given list of ipsets using the netlink on newer kernels and setsockopt on older kernels.

    --ipset=/google.com/yahoo.com/search,vpn

That option will add all resolved IPs for Google and Yahoo domains and subdomains to two ipsets -- search and vpn. (Sub)-domain matching is conducted in the same way as with --address.

    --ipset=resolved
    --ipset=/#/resolved

These two options are identical. They each add all resolved domains to the resolved ipset.

If this mailing list post becomes stale, the latest series of patches may be found at http://git.zx2c4.com/dnsmasq-ipset.

Jason A. Donenfeld (3):
  ipset: Integrate ipset.c into build system.
  ipset: Parse new --ipset option and match domains in forward.c
  ipset: Update man page and example config to reflect new option.

 Makefile             |   5 +-
 dnsmasq.conf.example |   4 ++
 man/dnsmasq.8        |   6 +++
 src/config.h         |   6 +++
 src/dnsmasq.h        |  17 +-
 src/forward.c        |  20 ++-
 src/ipset.c          | 143 +++
 src/option.c         |  64 +++
 src/rfc1035.c        |  14 -
 9 files changed, 274 insertions(+), 5 deletions(-)
 create mode 100644 src/ipset.c

-- 
1.8.1.2
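As an added illustration of the matching rule the cover letter describes (a domain matches itself and its subdomains, /#/ matches every name, and the most specific matching rule decides which sets receive the addresses), the following stand-alone C program applies a constructed rule table to sample query names. It is example code written for this archive, not part of the patch series or of dnsmasq; the rule table and the query names are constructed.

```c
/* Added example: longest-suffix matching of a query name against --ipset
 * rules, mirroring the semantics described in the cover letter. This is
 * illustration code, not dnsmasq's own; the rule table is constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SETS 4

struct ipset_rule {
    const char *domain;          /* "" is the /#/ rule that matches every name */
    const char *sets[MAX_SETS];  /* NULL-terminated list of ipset names */
};

/* Constructed table equivalent to these options:
 *   --ipset=/google.com/yahoo.com/search,vpn
 *   --ipset=/c.youtube.com/video
 *   --ipset=/#/resolved                                       */
static const struct ipset_rule rules[] = {
    { "google.com",    { "search", "vpn", NULL } },
    { "yahoo.com",     { "search", "vpn", NULL } },
    { "c.youtube.com", { "video", NULL } },
    { "",              { "resolved", NULL } },
};

/* Case-insensitive equality, because DNS names compare that way. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Return the set list of the most specific matching rule, or NULL.
 * A rule matches when the name equals its domain or ends in "." + domain;
 * the length test comes before the tail pointer is formed. */
const char *const *match_ipsets(const char *name)
{
    size_t namelen = strlen(name), best = 0, i;
    const char *const *sets = NULL;

    for (i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        size_t domainlen = strlen(rules[i].domain);
        const char *tail;

        if (domainlen > namelen)
            continue;                       /* rule longer than the name: cannot match */
        tail = name + namelen - domainlen;  /* candidate suffix of the query name */
        if (!name_equal(tail, rules[i].domain))
            continue;
        /* "notgoogle.com" ends in "google.com" but not at a label boundary */
        if (domainlen != 0 && namelen != domainlen && tail[-1] != '.')
            continue;
        if (sets == NULL || domainlen > best) {  /* longer domain = more specific */
            best = domainlen;
            sets = rules[i].sets;
        }
    }
    return sets;
}

/* Number of sets the name would be added to (0 when no rule matches). */
size_t count_ipsets(const char *name)
{
    const char *const *sets = match_ipsets(name);
    size_t n = 0;
    while (sets && sets[n])
        n++;
    return n;
}

int main(void)
{
    static const char *const names[] = {
        "www.google.com", "GOOGLE.COM", "notgoogle.com",
        "r1.c.youtube.com", "www.youtube.com", "example.org",
    };
    size_t i, j;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *const *sets = match_ipsets(names[i]);
        printf("%-18s ->", names[i]);
        for (j = 0; sets && sets[j]; j++)
            printf(" %s", sets[j]);
        printf("\n");
    }
    return 0;
}
```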
[Dnsmasq-discuss] [PATCH 2/3] ipset: Parse new --ipset option and match domains in forward.c
The matching logic is the same as for --address. extract_address is responsible for calling out to add_to_ipset. --- src/dnsmasq.h | 12 ++- src/forward.c | 20 ++- src/option.c | 64 +++ src/rfc1035.c | 14 - 4 files changed, 107 insertions(+), 3 deletions(-) diff --git a/src/dnsmasq.h b/src/dnsmasq.h index f1dffe8..95bd464 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -430,6 +430,14 @@ struct server { struct server *next; }; +#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET) +struct ipsets { + char **sets; + char *domain; + struct ipsets *next; +}; +#endif + struct irec { union mysockaddr addr; struct in_addr netmask; /* only valid for IPv4 */ @@ -779,6 +787,7 @@ extern struct daemon { struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers; struct bogus_addr *bogus_addr; struct server *servers; + struct ipsets *ipsets; int log_fac; /* log facility */ char *log_file; /* optional log file */ int max_logs; /* queue limit */ @@ -903,7 +912,8 @@ size_t setup_reply(struct dns_header *header, size_t qlen, struct all_addr *addrp, unsigned int flags, unsigned long local_ttl); int extract_addresses(struct dns_header *header, size_t qlen, char *namebuff, - time_t now, int is_sign, int checkrebind, int checking_disabled); + time_t now, char **ipsets, int is_sign, int checkrebind, + int checking_disabled); size_t answer_request(struct dns_header *header, char *limit, size_t qlen, struct in_addr local_addr, struct in_addr local_netmask, time_t now); int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name, diff --git a/src/forward.c b/src/forward.c index fb0b4c4..ea0bdf4 100644 --- a/src/forward.c +++ b/src/forward.c 
@@ -439,9 +439,27 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, int checking_disabled) { unsigned char *pheader, *sizep; + char **sets = 0; int munged = 0, is_sign; size_t plen; +#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET) + /* Similar algorithm to search_servers. */ + struct ipsets *ipset_pos; + unsigned int namelen = strlen(daemon-namebuff); + unsigned int matchlen = 0; + for (ipset_pos = daemon-ipsets; ipset_pos; ipset_pos = ipset_pos-next) { + unsigned int domainlen = strlen(ipset_pos-domain); + char *matchstart = daemon-namebuff + namelen - domainlen; + if (namelen = domainlen hostname_isequal(matchstart, ipset_pos-domain) +(domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) +domainlen = matchlen) { + matchlen = domainlen; + sets = ipset_pos-sets; + } + } +#endif + /* If upstream is advertising a larger UDP packet size than we allow, trim it so that we don't get overlarge requests for the client. We can't do this for signed packets. */ @@ -494,7 +512,7 @@ static size_t process_reply(struct dns_header *header, time_t now, SET_RCODE(header, NOERROR); } - if (extract_addresses(header, n, daemon-namebuff, now, is_sign, check_rebind, checking_disabled)) + if (extract_addresses(header, n, daemon-namebuff, now, sets, is_sign, check_rebind, checking_disabled)) { my_syslog(LOG_WARNING, _(possible DNS-rebind attack detected: %s), daemon-namebuff); munged = 1; diff --git a/src/option.c b/src/option.c index 3fc3e03..15fbd41 100644 --- a/src/option.c +++ b/src/option.c @@ -127,6 +127,7 @@ struct myoption { #define LOPT_AUTHSOA 316 #define LOPT_AUTHSFS 317 #define LOPT_AUTHPEER 318 +#define LOPT_IPSET 319 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = 
@@ -259,6 +260,7 @@ static const struct myoption opts[] = { auth-soa, 1, 0, LOPT_AUTHSOA }, { auth-sec-servers, 1, 0, LOPT_AUTHSFS }, { auth-peer, 1, 0, LOPT_AUTHPEER }, +{ ipset, 1, 0, LOPT_IPSET }, { NULL, 0, 0, 0 } }; @@ -397,6 +399,7 @@ static struct { { LOPT_AUTHSOA, ARG_ONE, serial[,...], gettext_noop(Set authoritive zone information), NULL }, { LOPT_AUTHSFS, ARG_DUP, NS[,NS...], gettext_noop(Secondary authoritative nameservers for forward domains), NULL }, { LOPT_AUTHPEER, ARG_DUP, ipaddr[,ipaddr...], gettext_noop(Peers which are allowed to do zone transfer), NULL }, + { LOPT_IPSET, ARG_DUP, /domain/ipset[,ipset...], gettext_noop(Specify ipsets to which matching domains should be added), NULL }, { 0, 0, NULL, NULL, NULL } }; @@ -2021,6 +2024,67 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma daemon-servers = newlist; break; } +case LOPT_IPSET: +#if !defined(HAVE_IPSET) !defined(HAVE_OLD_IPSET) +
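Review bot: in the forward.c hunk of process_reply, `char *matchstart = daemon->namebuff + namelen - domainlen;` is formed before the `namelen >= domainlen` test that is meant to guard it, so for any rule whose domain is longer than the query name a pointer outside namebuff is computed before the condition short-circuits; test the lengths first and only then compute the tail pointer. The same hunk passes `sets` into extract_addresses before the rebind verdict is known, and the commit message says extract_addresses is what now calls add_to_ipset: if answers are inserted into the set as they are parsed, an address that the `possible DNS-rebind attack detected` path then refuses to return to the client may already be in the ipset, so please confirm the order in rfc1035.c or gate the insertion on the rebind check.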
[Dnsmasq-discuss] [PATCH 1/3] ipset: Integrate ipset.c into build system.
Old kernels use HAVE_OLD_IPSET while newer kernels use HAVE_IPSET. --- Makefile | 5 +- src/config.h | 6 +++ src/dnsmasq.h | 5 ++ src/ipset.c | 143 ++ 4 files changed, 157 insertions(+), 2 deletions(-) create mode 100644 src/ipset.c diff --git a/Makefile b/Makefile index c9cdb90..e0f6b90 100644 --- a/Makefile +++ b/Makefile @@ -59,13 +59,14 @@ ct_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFI ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack` lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.1` lua_libs =`echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` +ipset_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IPSET $(PKG_CONFIG) --libs libmnl` sunos_libs = `if uname | grep SunOS /dev/null 21; then echo -lsocket -lnsl -lposix4; fi` version = -DVERSION='\`$(top)/bld/get-version $(top)`\' objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h @@ -74,7 +75,7 @@ all : $(BUILDDIR) @cd $(BUILDDIR) $(MAKE) \ top=$(top) \ build_cflags=$(version) $(dbus_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) \ - build_libs=$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) \ + build_libs=$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(ipset_libs) $(sunos_libs) \ -f $(top)/Makefile dnsmasq clean : diff --git a/src/config.h b/src/config.h index cff278d..3959b6c 100644 --- a/src/config.h +++ b/src/config.h 
@@ -97,6 +97,12 @@ HAVE_CONNTRACK a build-dependency on libnetfilter_conntrack, but the resulting binary will still run happily on a kernel without conntrack support. +HAVE_IPSET +HAVE_OLD_IPSET +define this to include the ability to selectively add resolved ip addresses +to given ipsets. HAVE_IPSET for Linux = 2.6.32, and HAVE_OLD_IPSET for +Linux = 2.6.16 or = 2.4.36. + HAVE_AUTH define this to include the facility to act as an authoritative DNS server for one or more zones. diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 21a309c..f1dffe8 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -1117,6 +1117,11 @@ void emit_dbus_signal(int action, struct dhcp_lease *lease, char *hostname); # endif #endif +/* ipset.c */ +#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET) +int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove); +#endif + /* helper.c */ #if defined(HAVE_SCRIPT) int create_helper(int event_fd, int err_fd, uid_t uid, gid_t gid, long max_fd); diff --git a/src/ipset.c b/src/ipset.c new file mode 100644 index 000..b241ed4 --- /dev/null +++ b/src/ipset.c 
@@ -0,0 +1,143 @@ +/* ipset.c is Copyright (c) 2013 Jason A. Donenfeld ja...@zx2c4.com. All Rights Reserved. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991, or + (at your option) version 3 dated 29 June, 2007. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. +*/ + +#include dnsmasq.h + +#if defined(HAVE_IPSET) || defined(HAVE_OLD_IPSET) +#include string.h +#include errno.h +#include sys/types.h +#include sys/socket.h +#include arpa/inet.h +#if defined(HAVE_IPSET) +#include libmnl/libmnl.h +#include linux/netfilter/nfnetlink.h +#include linux/netfilter/ipset/ip_set.h +#endif +#endif + +/* ipaddr should be either in_addr or in6_addr in network byte order. + * In other words, verbatium of what is in the DNS record. If remove + * is non-zero, the requested ipaddr is removed instead of added. */ +#if defined(HAVE_IPSET) +int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int af, int remove) +{ + struct nlmsghdr *nlh; + struct nfgenmsg *nfg; + struct mnl_socket *mnl; + struct nlattr *nested[2]; + char buffer[256]; + int rc; + + rc = 0; + + if (strlen(setname) = IPSET_MAXNAMELEN) { + errno = ENAMETOOLONG; + return -1; + } + if (af != AF_INET af != AF_INET6) { + errno = EAFNOSUPPORT
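Review bot: the config.h hunk should name the new build dependency, as the HAVE_CONNTRACK text just above it does for libnetfilter_conntrack: the Makefile hunk makes HAVE_IPSET pull in `--libs libmnl` via pkg-wrapper, so a HAVE_IPSET build needs libmnl and its headers, while HAVE_OLD_IPSET needs no library. Spelling out the two kernel thresholds as version comparisons rather than bare numbers would also avoid the ambiguity visible here.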
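Review bot: in the src/ipset.c hunk the comment above add_to_ipset still says `ipaddr should be either in_addr or in6_addr in network byte order`, but the prototype now takes `const struct all_addr *ipaddr`; update the comment to say which member of all_addr is read for each `af`, and fix `verbatium`. It would also help to state in the same comment that the HAVE_OLD_IPSET path returns -1 with EAFNOSUPPORT for anything other than AF_INET, since callers handing it AAAA results will otherwise see silent failures.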
[Dnsmasq-discuss] [PATCH 3/3] ipset: Update man page and example config to reflect new option.
--- dnsmasq.conf.example | 4 man/dnsmasq.8| 6 ++ 2 files changed, 10 insertions(+) diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example index 5215c2a..9a0dbd7 100644 --- a/dnsmasq.conf.example +++ b/dnsmasq.conf.example @@ -69,6 +69,10 @@ # --address (and --server) work with IPv6 addresses too. #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + # You can control how dnsmasq talks to a server: this forces # queries to 10.1.2.3 to be routed via eth1 # server=10.1.2.3@eth1 diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index b8dcfc7..941e84d 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -412,6 +412,12 @@ additional facility that /#/ matches any domain. Thus answered from /etc/hosts or DHCP and not sent to an upstream nameserver by a more specific --server directive. .TP +.B --ipset=/domain/[domain/]ipset[,ipset] +Places the resolved IP addresses of queries for the specified domains +in the specified netfilter ip sets. Domains and subdomains are matched +in the same way as --address. These ip sets must already exist. See +ipset(8) for more details. +.TP .B \-m, --mx-host=mx name[[,hostname],preference] Return an MX record named mx name pointing to the given hostname (if given), or -- 1.8.1.2 ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
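Review bot: the man page hunk says only that the sets `must already exist`; it should also say that the set's family has to match the record type, since add_to_ipset selects the IPv4 or IPv6 address attribute from `af` and the old-kernel path handles IPv4 only, and what dnsmasq does when a named set is missing or an add fails, so an operator who created a set of the wrong type can tell why it stays empty. The example config comment in dnsmasq.conf.example could carry the same one-line caveat.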
[Dnsmasq-discuss] ipset-dns: Integrate Netfilter IPSet Support
Hi Simon & Crew,

Services like YouTube and Netflix use tons of ranges of IP addresses that fluctuate wildly and aren't predictable. However, they're always from a given subdomain using DNS, like *.c.youtube.com. I'd like to have firewall rules for these IP addresses -- route them over this interface, that interface, rate limit them like this, or that, etc. An efficient way to do this is by adding IP addresses to a netfilter ipset and using iptables' ipset match support. With services that use lots of IPs spread out over ranges but instead use DNS, the only way to do this is to have the DNS forwarder add the resolved IPs to an ipset before returning the IP to the client.

I've written ipset-dns, a super trivial DNS forwarder that's meant to be plugged into dnsmasq's server=/.../ directive.

http://git.zx2c4.com/ipset-dns/about/

But forwarding one forwarder to another forwarder is ugly, and ideally this functionality would just be plugged directly into dnsmasq:

dnsmasq.conf:
    ipset=/c.youtube.com/netflix.com/vpnset

This would add all the IPs returned for those queries to the provided ipset (vpnset in this case).

Is there much interest in this feature? Is it something you'd consider adding?

Thanks,
Jason Donenfeld
[Dnsmasq-discuss] split networks with split DNS?
I've recently set up a guest network which uses the same physical gateway as my home network (both plug into same device). I have dnsmasq serving dhcp to each network (completely separate subnets). My only problem is a small cleanup item. Here's approximately what my network looks like:

[network diagram: home net 10.16.5.0/24 -> dnsmasq/GW at 10.16.5.1; guest net 192.168.5.0/24 -> dnsmasq/GW at 192.168.5.1; GW 192.168.1.1 -> .../Internet]

When I'm on the guest network confirming that my firewall rules keep them separate, I can't ping or connect to known hosts on the other network. However, I can learn their IP addresses. Because dnsmasq is managing both networks, it will happily tell members of the guest network the ip address of hosts on the home network. :(

I'm not too worried about it, since the firewall prevents any contact, but it just seems unclean. Is there a config option I've missed in my digging that will prevent this cross-talk? I'd like to avoid running two processes.

Also, the interface:eth0,... doesn't seem to work for the domain, is there a way to give each network their own domain?

thx,
Jason.
Re: [Dnsmasq-discuss] git/svn/cvs? dnscrypt support?
On Tue, Dec 13, 2011 at 09:53:09AM +, Simon Kelley wrote:
> On 08/12/11 15:48, Jason wrote:
>> I found this [1] comment from 2010 regarding source control. Have you
>> considered migrating to one? I only ask because I'm partial to git (I
>> use it all day, every day ;-) ), and I'd like to submit a patch.
>
> Please do.

Oops, it'll have to wait. My patch was going to be integrating dnscrypt into dnsmasq... I hope it, or something similar takes off.

> I'm in the process of updating the OS and hardware for thekelleys.org.uk
> and once I've moved nearly a decade of accumulated configuration and
> tweaking onto a current OS version and made it live, I'll be in a
> position to do stuff like making git access available. I'm planning on
> doing the cut-over during the Christmas holidays, so it's not far off.

Glad to hear it!

>> I saw this announcement [2] crop up, with code here [3] and I was
>> wondering about adding the feature directly into dnsmasq. Obviously,
>> opendns is the first to implement it, but hopefully others will roll
>> it out as well. The licensing seems very favorable (basically,
>> MIT/BSD). It would be nice if they made a library dnsmasq could link
>> against...
>
> My gut feeling is to wait and see if it rolls out more generally.

No problem, there. I'm waiting to see the server code. It is hopeful to see commits going in every day. That's a good sign.

thx,
Jason.
Re: [Dnsmasq-discuss] git/svn/cvs? dnscrypt support?
Ed,

On Sun, Dec 11, 2011 at 05:11:45PM +, Ed W wrote:
> On 08/12/2011 15:48, Jason wrote:
>> I saw this announcement [2] crop up, with code here [3] and I was
>> wondering about adding the feature directly into dnsmasq. Obviously,
>> opendns is the first to implement it, but hopefully others will roll
>> it out as well.
>> ...
>> [1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q2/003922.html
>> [2] http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool
>> [3] https://github.com/opendns/dnscrypt-proxy
>
> I'm a touch cynical about anything that says cryptography, but doesn't
> have a mathematician obviously behind it and endorsing it. It's just too
> easy to invent crypto that you can't break, but doesn't withstand proper
> prying eyes/minds.

Very true.

> The counter argument tends to be that something is better than nothing,
> but there is a hidden cost which is that of writing and maintaining code
> There be dragons...
>
> So with that in mind, are there any discussions for/against this move by
> opendns? I believe that the original idea comes via DJB?

Yes, based on the commit history (hint, hint) [1], they've incorporated suggestions from a recent review of his. Some of the code was originally his as well [2], NaCl.

> I read that opendns have picked an unusual curve to run with as the
> standard crypto choice? Are their any benchmarks on performance?

Not that I've seen.

> Cool idea - just curious to see how it's going to get set in stone for
> final implementation?

Server code needs to be released? Convert to library with a stable api so many other dns projects can integrate it without rolling their own code?

thx,
Jason.

[1] https://github.com/opendns/dnscrypt-proxy/commit/628eaa9dfc2fd1b5d55ead505efb1febf6227feb
[2] https://github.com/opendns/dnscrypt-proxy/blob/bc0125e24fde91d8a6c60d7976d5a6bd4b85d9ab/COPYING
[Dnsmasq-discuss] git/svn/cvs? dnscrypt support?
Simon,

I found this [1] comment from 2010 regarding source control. Have you considered migrating to one? I only ask because I'm partial to git (I use it all day, every day ;-) ), and I'd like to submit a patch.

I saw this announcement [2] crop up, with code here [3] and I was wondering about adding the feature directly into dnsmasq. Obviously, opendns is the first to implement it, but hopefully others will roll it out as well. The licensing seems very favorable (basically, MIT/BSD). It would be nice if they made a library dnsmasq could link against...

thx,
Jason.

[1] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q2/003922.html
[2] http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool
[3] https://github.com/opendns/dnscrypt-proxy
Re: [Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
Paul,

I don't think my upstream provider, ATT, has delegated the reverse lookup to me because, when I do a reverse lookup from outside my network, nothing shows up in the firewall log. Also, the reverse lookup says unable to resolve 4.5.6.7. So I think the request is just being dumped.

And yes, I have my SPF records in place with my domain registrar via their name servers.

Thanks,
Jason

Paul Chambers wrote:
> Hmm... that's not how I understood it to work (not that I'm a DNS expert...)
>
> I thought reverse lookups worked their way down through the IP netblock
> assignments, and it would be up to the entity that 'owns' your IP address
> (i.e. your ISP) to resolve reverse lookups, or have some mechanism to
> delegate to you (latter is rare, AFAIK). Usually an ISP resolves it to some
> generated name like 12-34-56-78.static.ispname.com.
>
> If your ISP isn't responding to reverse lookups for your IP address at all,
> I'm pretty sure their configuration is broken, and it's not something
> you'll be able to fix/work around. Are you sure it's not resolving at all?
> looking at the full mail headers of your post, the first IP address from
> the Received: lines does reverse-resolve (to 206-169-206-62.vtc.net.)
>
> Now if you want your domain name to be returned instead of the ISP's, that
> will require the co-operation of your ISP, either to change the name
> returned in their records, or to delegate the request to you. Only if it's
> delegated to you, do you need to worry about answering the query using
> dnsmasq. I doubt your ISP would even consider delegating for less than a
> small block of routeable IPs (and probably not even then).
>
> Again, take this with a pinch of salt, since I'm no DNS expert. I'm sure
> others will correct me if I'm off-base.
>
> On a completely different tangent, you don't happen to have SPF records
> defined for your domain, do you? that's a possible alternate cause of the
> behavior you described.
>
> Paul
>
> Jason Wallace wrote:
>> Friends,
>>
>> I am currently running dnsmasq for a small lan as a dhcp and dns server.
>> I recently switched upstream providers and my new provider seems unable
>> to do the reverse lookups for me. So, much of the email from my domain
>> is getting bounced because the reverse lookup doesn't succeed. I would
>> like to set up dnsmasq to answer reverse lookup requests, but I don't
>> quite know how to begin. Here's some info regarding my network:
>>
>> 1. The network is NATted, by the machine that runs dnsmasq.
>> 2. Inside my lan, my domain, .com, resolves to a local machine (email
>>    server), 10.1.1.2, for instance.
>> 3. Outside my lan, dnsmasq would have to answer that the global IP,
>>    5.6.7.8, resolves to my domain name, .com.
>> 4. Right now, my network does not answer DNS requests from outside.
>> 5. My domain registrar is also doing the forward DNS on their name servers.
>> 6. My upstream provider (ISP) is not the domain registrar.
>>
>> All the details above are fabricated, of course.
>>
>> Question 1: Will this even work? How can I tell if my NAT machine is
>> even receiving the reverse dns requests?
>>
>> Question 2: Assuming that my machine is interrogated for reverse DNS,
>> how do I implement it in dnsmasq in a live environment minimizing
>> downtime. Especially regarding that the domain name resolves one way to
>> my lan and another way (in reverse) to the internet?
>>
>> Jason Wallace
[Dnsmasq-discuss] Enabling Reverse Lookup In A Live Environment
Friends,

I am currently running dnsmasq for a small lan as a dhcp and dns server. I recently switched upstream providers and my new provider seems unable to do the reverse lookups for me. So, much of the email from my domain is getting bounced because the reverse lookup doesn't succeed. I would like to set up dnsmasq to answer reverse lookup requests, but I don't quite know how to begin. Here's some info regarding my network:

1. The network is NATted, by the machine that runs dnsmasq.
2. Inside my lan, my domain, .com, resolves to a local machine (email server), 10.1.1.2, for instance.
3. Outside my lan, dnsmasq would have to answer that the global IP, 5.6.7.8, resolves to my domain name, .com.
4. Right now, my network does not answer DNS requests from outside.
5. My domain registrar is also doing the forward DNS on their name servers.
6. My upstream provider (ISP) is not the domain registrar.

All the details above are fabricated, of course.

Question 1: Will this even work? How can I tell if my NAT machine is even receiving the reverse dns requests?

Question 2: Assuming that my machine is interrogated for reverse DNS, how do I implement it in dnsmasq in a live environment minimizing downtime. Especially regarding that the domain name resolves one way to my lan and another way (in reverse) to the internet?

Jason Wallace
Re: [Dnsmasq-discuss] illegal domain in dhcp-config directive
On Tue, Jul 29, 2008 at 07:40:52AM -0400, Jason Dixon wrote:
> On Tue, Jul 29, 2008 at 07:48:32AM +0100, Simon Kelley wrote:
>> Jason Dixon wrote:
>>> Thanks to the recent vulnerability, I'm upgrading an older dnsmasq
>>> system from version 2.34 to 2.45. I've installed it and attempted to
>>> run it, but I get the following error.
>>>
>>> dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive.
>>>
>>> The same configuration works fine with 2.34, so I presume something
>>> has changed in the configuration syntax or default settings. I
>>> haven't found anything on Google or in the FAQ about this error, nor
>>> do I see any dhcp-config directives in our config files or the sample
>>> config. Here is the relevant line from our config:
>>>
>>> dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.0.105
>>>
>>> It doesn't appear to be anything specifically with that line. We have
>>> a couple hundred of these loaded by dnsmasq. If I comment out that
>>> one, the next preceding one will error. I'm not experienced with
>>> dnsmasq, so I'm putting myself at the mercy of this list. Any help
>>> will be greatly appreciated. :)
>>
>> As far as I can see, this error can only be occurring because the
>> domain part of the name you're applying to that host doesn't match the
>> domain specified for dnsmasq to use by the domain=domain config option.
>> AFAIK dnsmasq has never allowed you to send a FQDN to a host unless it
>> matches the domain setting (this is to avoid hosts impersonating, eg
>> www.microsoft.com) but the check in this case has been moved from
>> run-time, where it will log an error, to a fatal error at start-up
>>
>> The fix may be as simple as adding domain=04-06.lab.foobar.com (and
>> you can remove the domain parts from all the dhcp-host lines as well,
>> if you wish. If they stay, they must match the domain given)
>
> We have mixed domains in our configuration. I see the following line in
> the main dnsmasq.conf, which would account for most of the dhcp-host
> entries:
>
> local=/lab.foobar.com/wifi.foobar.com/
>
> I see no domain directives anywhere. I suspect that adding
> 04-06.lab.foobar.com to the local directive might be sufficient, but
> I'm just guessing. And yes, this configuration works fine with
> dnsmasq-2.34.

I tried various changes to our configuration but couldn't find a working set. I'm including a subset of our configuration here so you can see what might be causing the issue. The only bits I've left out include redundant information (e.g. dhcp-host). Just to reiterate, this works under 2.34 but is broken under 2.45.

# cat /etc/dnsmasq.conf | grep -v '^$' | grep -v '^\#'
filterwin2k
local=/lab.foobar.com/wifi.foobar.com/
interface=eth0
expand-hosts
dhcp-option=3,172.16.0.1
dhcp-option=42,0.0.0.0
conf-file=/etc/dnsmasq.lab.conf
conf-file=/etc/dnsmasq.wifi.conf

# cat /etc/dnsmasq.lab.conf | grep -v '^$' | grep -v '^\#'
dhcp-range=lab,172.16.0.10,172.16.0.81,12h
dhcp-option=lab,15,lab.foobar.com
dhcp-host=00:0e:0c:bc:17:70,lab01.lab.foobar.com,172.16.0.10
dhcp-host=00:0c:29:ff:96:a7,solaris.lab.foobar.com,172.16.0.6
dhcp-host=00:0c:29:ff:96:xx,windows.lab.foobar.com,172.16.0.7
dhcp-host=00:0c:29:db:8a:b3,centos.lab.foobar.com,172.16.0.5
dhcp-host=00:0c:29:3c:58:01,centos-4.4-01.lab.foobar.com,172.16.0.82

# cat /etc/dnsmasq.wifi.conf | grep -v '^$' | grep -v '^\#'
dhcp-range=wifi,172.16.0.200,172.16.0.250,3d
dhcp-option=wifi,15,wifi.foobar.com

Thanks,

-- 
Jason Dixon
OmniTI Computer Consulting, Inc.
jdi...@omniti.com
443.325.1357 x.241
Re: [Dnsmasq-discuss] illegal domain in dhcp-config directive
On Mon, Aug 04, 2008 at 04:16:41PM +0100, Simon Kelley wrote:
> Jason Dixon wrote:
> > I tried various changes to our configuration but couldn't find a working
> > set. I'm including a subset of our configuration here so you can see
> > what might be causing the issue. The only bits I've left out include
> > redundant information (e.g. dhcp-host). Just to reiterate, this works
> > under 2.34 but is broken under 2.45.
> >
> > # cat /etc/dnsmasq.conf | grep -v '^$' | grep -v '^\#'
> > filterwin2k
> > local=/lab.foobar.com/wifi.foobar.com/
> > interface=eth0
> > expand-hosts
> > dhcp-option=3,172.16.0.1
> > dhcp-option=42,0.0.0.0
> > conf-file=/etc/dnsmasq.lab.conf
> > conf-file=/etc/dnsmasq.wifi.conf
> >
> > # cat /etc/dnsmasq.lab.conf | grep -v '^$' | grep -v '^\#'
> > dhcp-range=lab,172.16.0.10,172.16.0.81,12h
> > dhcp-option=lab,15,lab.foobar.com
> > dhcp-host=00:0e:0c:bc:17:70,lab01.lab.foobar.com,172.16.0.10
> > dhcp-host=00:0c:29:ff:96:a7,solaris.lab.foobar.com,172.16.0.6
> > dhcp-host=00:0c:29:ff:96:xx,windows.lab.foobar.com,172.16.0.7
> > dhcp-host=00:0c:29:db:8a:b3,centos.lab.foobar.com,172.16.0.5
> > dhcp-host=00:0c:29:3c:58:01,centos-4.4-01.lab.foobar.com,172.16.0.82
> >
> > # cat /etc/dnsmasq.wifi.conf | grep -v '^$' | grep -v '^\#'
> > dhcp-range=wifi,172.16.0.200,172.16.0.250,3d
> > dhcp-option=wifi,15,wifi.foobar.com
>
> Are the names in your dhcp-host entries _all_ name.lab.foobar.com? If so,
> then simply adding
>
> domain=lab.foobar.com
>
> will fix things. I imagine that under 2.34 you will have seen lots of
> complaints logged about this, 2.45 has turned soft errors into hard ones.
>
> If there are names in more than one domain, the problem is more
> complicated to fix: you may need to try the new multi-domain code.

Yes, adding the domain=lab.foobar.com and changing the last section of
dhcp-host's to remove the unwanted extra subdomain .4-0index. fixes the
error. Thanks for your help!

-- 
Jason Dixon
OmniTI Computer Consulting, Inc.
jdi...@omniti.com
443.325.1357 x.241
[Dnsmasq-discuss] illegal domain in dhcp-config directive
Thanks to the recent vulnerability, I'm upgrading an older dnsmasq system
from version 2.34 to 2.45. I've installed it and attempted to run it, but I
get the following error.

dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive.

The same configuration works fine with 2.34, so I presume something has
changed in the configuration syntax or default settings. I haven't found
anything on Google or in the FAQ about this error, nor do I see any
dhcp-config directives in our config files or the sample config.

Here is the relevant line from our config:

dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.117.105

It doesn't appear to be anything specifically with that line. We have a
couple hundred of these loaded by dnsmasq. If I comment out that one, the
next preceding one will error.

I'm not experienced with dnsmasq, so I'm putting myself at the mercy of
this list. Any help will be greatly appreciated. :)

Thanks,

-- 
Jason Dixon
OmniTI Computer Consulting, Inc.
jdi...@omniti.com
443.325.1357 x.241
Re: [Dnsmasq-discuss] illegal domain in dhcp-config directive
On Tue, Jul 29, 2008 at 07:48:32AM +0100, Simon Kelley wrote:
> Jason Dixon wrote:
> > Thanks to the recent vulnerability, I'm upgrading an older dnsmasq
> > system from version 2.34 to 2.45. I've installed it and attempted to run
> > it, but I get the following error.
> >
> > dnsmasq: illegal domain 04-06.lab.foobar.com in dhcp-config directive.
> >
> > The same configuration works fine with 2.34, so I presume something has
> > changed in the configuration syntax or default settings. I haven't found
> > anything on Google or in the FAQ about this error, nor do I see any
> > dhcp-config directives in our config files or the sample config.
> >
> > Here is the relevant line from our config:
> >
> > dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.117.105
> >
> > It doesn't appear to be anything specifically with that line. We have a
> > couple hundred of these loaded by dnsmasq. If I comment out that one,
> > the next preceding one will error.
> >
> > I'm not experienced with dnsmasq, so I'm putting myself at the mercy of
> > this list. Any help will be greatly appreciated. :)
> >
> > Thanks,
>
> As far as I can see, this error can only be occurring because the domain
> part of the name you're applying to that host doesn't match the domain
> specified for dnsmasq to use by the domain=domain config option.
>
> AFAIK dnsmasq has never allowed you to send a FQDN to a host unless it
> matches the domain setting (this is to avoid hosts impersonating, eg
> www.microsoft.com) but the check in this case has been moved from
> run-time, where it will log an error, to a fatal error at start-up.
>
> The fix may be as simple as adding
>
> domain=04-06.lab.foobar.com
>
> (and you can remove the domain parts from all the dhcp-host lines as
> well, if you wish. If they stay, they must match the domain given)

We have mixed domains in our configuration. I see the following line in the
main dnsmasq.conf, which would account for most of the dhcp-host entries:

local=/lab.foobar.com/wifi.foobar.com/

I see no domain directives anywhere.

I suspect that adding 04-06.lab.foobar.com to the local directive might be
sufficient, but I'm just guessing. And yes, this configuration works fine
with dnsmasq-2.34.

-- 
Jason Dixon
OmniTI Computer Consulting, Inc.
jdi...@omniti.com
443.325.1357 x.241
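The rule Simon describes in this thread (a dhcp-host name may only carry a domain part equal to the domain= setting, so dnsmasq never hands a client a name in a domain it is not authoritative for, and 2.45 makes a violation fatal at start-up) can be checked before an upgrade rather than discovered from the crash. The script below is an added example written for this page, not dnsmasq's own code; it mirrors the behaviour visible in the thread, where the domain part is everything after the first dot (so "ubuntu-8.04-06.lab.foobar.com" yields "04-06.lab.foobar.com"), and runs over a sample config assembled from the fragments Jason posted. The helper names and the assumption that the comparison is case-insensitive are mine.

```python
"""Pre-flight check for the dnsmasq dhcp-host domain rule (added example).

dnsmasq 2.45 refuses to start when a dhcp-host name carries a domain part
(everything after the first dot) that does not equal the domain= setting.
This is not dnsmasq code; it reproduces the check so a config can be vetted
before upgrading.
"""
import re
from typing import Iterator, List, Optional, Tuple

# Constructed from the config fragments in the thread.  No domain= line is
# present, which is the state that produced the start-up error.
SAMPLE_CONF = """\
filterwin2k
local=/lab.foobar.com/wifi.foobar.com/
interface=eth0
expand-hosts
dhcp-range=lab,172.16.0.10,172.16.0.81,12h
dhcp-option=lab,15,lab.foobar.com
dhcp-host=00:0e:0c:bc:17:70,lab01.lab.foobar.com,172.16.0.10
dhcp-host=00:0c:29:ff:96:a7,solaris.lab.foobar.com,172.16.0.6
dhcp-host=00:0c:29:db:8a:b3,centos.lab.foobar.com,172.16.0.5
dhcp-host=00:0c:29:3c:58:01,centos-4.4-01.lab.foobar.com,172.16.0.82
dhcp-host=00:0c:29:02:1f:06,ubuntu-8.04-06.lab.foobar.com,172.16.0.105
"""

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_LEASE_TIME = re.compile(r"^(?:\d+[smhd]?|infinite)$")


def config_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line number, stripped line), skipping blanks and # comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield no, line


def dhcp_host_name(value: str) -> Optional[str]:
    """Return the hostname field of a dhcp-host= value, if one is present.

    Fields containing ':' (MAC addresses, id:/set:/tag: selectors), IPv4
    addresses, lease times and the 'ignore' keyword are skipped; the first
    remaining field is taken as the name.
    """
    for field in value.split(","):
        field = field.strip()
        if not field or ":" in field or field == "ignore":
            continue
        if _IPV4.match(field) or _LEASE_TIME.match(field):
            continue
        return field
    return None


def lint_dhcp_host_domains(text: str, domain: Optional[str] = None) -> List[Tuple[int, str, str]]:
    """Return (line number, name, domain part) for each name dnsmasq would reject.

    The domain= setting is read from the text unless given explicitly.  The
    domain part is taken after the first dot, so a hostname containing a dot
    fails even when it ends in the right domain (assumed case-insensitive).
    conf-file= includes are not followed; concatenate the files first.
    """
    lines = list(config_lines(text))
    if domain is None:
        for _, line in lines:
            key, _, value = line.partition("=")
            if key == "domain":
                domain = value.split(",")[0].strip()  # domain=<name>[,<subnet>]
                break
    problems = []
    for no, line in lines:
        key, _, value = line.partition("=")
        if key != "dhcp-host":
            continue
        name = dhcp_host_name(value)
        if name is None or "." not in name:
            continue  # bare hostnames always pass
        domain_part = name.split(".", 1)[1]
        if domain is None or domain_part.lower() != domain.lower():
            problems.append((no, name, domain_part))
    return problems


def report(text: str, domain: Optional[str] = None) -> List[str]:
    """Render problems in the wording of the error seen in the thread."""
    return ["line %d: illegal domain %s in dhcp-config directive. (%s)" % (no, dom, name)
            for no, name, dom in lint_dhcp_host_domains(text, domain)]


if __name__ == "__main__":
    print("without domain=:")
    print("\n".join(report(SAMPLE_CONF)))
    print("with domain=lab.foobar.com:")
    print("\n".join(report(SAMPLE_CONF, "lab.foobar.com")))
```

Run against the sample, every dotted name is rejected until domain=lab.foobar.com is set; after that only the two entries whose hostname itself contains a dot remain, which is the same pair Jason ended up renaming.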
[Dnsmasq-discuss] Wildcard lookups question?
Gang,

Question: If I use the dnsmasq.conf file format to mis-address an ad
server, etc, does this entry get placed in the hash table along with the
entries from the hosts file and therefore remain fast and efficient?

I'd like to move the entries for sites I'm blocking from the hosts to
/etc/dnsmasq.conf.more in the

address=/baddomain.com/127.0.0.1

format to take advantage of the wildcard feature, but I have many many
domains (I'm the guy that has 700k domains to block, remember?).

Jason
[Dnsmasq-discuss] Dnsmasq with Gigantic hosts file
Hello all,

I'm considering replacing squidguard, a filtering redirector for the squid
cache proxy, with a BIG hosts file and dnsmasq (716,093 entries!).
Currently, my network serves less than 10 clients (dns only, no dhcp), but
may reach 200 in the next few years. Will this work? It'd be nice to
consolidate the functions and have the option to shutdown the squid cache.

Also, squidguard can block a specific url inside a domain, ie,
www.goodsite.com/badarea/badstuff.html. Can dnsmasq emulate this? I know
this is outside the design intent of dnsmasq, but it's not a bad
application.

Jason
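Both of Jason's posts (the wildcard question and the 716,093-entry hosts file) turn on the same property of address=/domain/ip: it matches the domain and every name beneath it, so a hosts-style blocklist converted to that form can drop every entry already covered by a listed parent. The converter below is an added example for this page, not dnsmasq code; the blocklist names are constructed placeholders and the helper names are mine. It also skips the machine's own localhost entries, which a hosts file carries but a blocklist must not.

```python
"""Convert a hosts-style blocklist into dnsmasq address=/domain/ lines.

Added example, not part of dnsmasq.  address=/example.com/127.0.0.1 matches
example.com and every name beneath it, so names that already have a listed
ancestor can be dropped before writing the dnsmasq config.
"""
from typing import Iterable, List, Set

# Constructed sample blocklist in hosts-file format; names are placeholders.
SAMPLE_HOSTS = """\
# constructed sample; the names are placeholders
127.0.0.1 localhost localhost.localdomain
127.0.0.1 ads.badsite.example
0.0.0.0   badsite.example
127.0.0.1 tracker.badsite.example   # trailing comment
127.0.0.1 cdn.other.example www.other.example
127.0.0.1 Other.Example.
"""

# Names every hosts file carries for the machine itself; never blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def hosts_domains(text: str, skip: Set[str] = LOCAL_NAMES) -> Set[str]:
    """Collect every name from a hosts file, normalised to lower case with
    any trailing dot removed, ignoring comments and the local names."""
    names: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no names
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name and name not in skip:
                names.add(name)
    return names


def collapse(domains: Iterable[str]) -> Set[str]:
    """Drop every domain that has an ancestor in the set: the ancestor's
    address= line already covers it.  Parents are processed first so a
    child is only tested against names that will actually be emitted."""
    kept: Set[str] = set()
    for d in sorted(domains, key=lambda s: s.count(".")):
        labels = d.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in kept for p in parents):
            kept.add(d)
    return kept


def address_lines(domains: Iterable[str], target: str = "127.0.0.1") -> List[str]:
    """Render the surviving domains as dnsmasq address= directives."""
    return ["address=/%s/%s" % (d, target) for d in sorted(domains)]


if __name__ == "__main__":
    print("\n".join(address_lines(collapse(hosts_domains(SAMPLE_HOSTS)))))
```

The output is meant to be written to a file pulled in with conf-file=. Note that this only ever blocks by name: a URL path such as the squidguard example in the post is not visible to a DNS server, so an address= entry blocks the whole host or nothing.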
[Dnsmasq-discuss] Hostnames not being added to dnsmasq.leases file
I have DNSMASQ configured to run on a CentOS 4 server. It is acting as both
the DNS and DHCP server. All is working fine, except that when I connect
another linux machine to the network, the host name on the client machine
doesn't show up in the dnsmasq.leases file. Instead I get:

1166770800 00:14:22:9b:10:47 172.16.41.40 * *

Because of the above, I cannot ping the linux machine by machine name.

When I plug a Windows XP machine into the network I get correct hostname
resolution:

1166770990 00:16:17:a8:c4:23 172.16.189.188 pommel 01:00:16:17:a8:c4:23

In this case, I can ping the machine named pommel.

The linux machine's hosts file is:

127.0.0.1 MYLINUXBOX localhost localhost.localdomain

Any advice would be greatly appreciated. Below are the settings in my
dnsmasq.conf file.

dnsmasq.conf
domain-needed
bogus-priv
interface=eth0
expand-hosts
domain=mydomain.com
dhcp-range=172.16.0.0,172.16.255.255,168h
dhcp-option=1,255.255.0.0
dhcp-option=3,172.16.0.1
dhcp-option=6,172.16.0.1
dhcp-option=28,172.16.255.255
dhcp-lease-max=500
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
dhcp-authoritative
log-queries

-- 
Jason Baker / IT Coordinator
Glastender Inc.
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com
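The two lease lines in this post show the dnsmasq.leases layout: expiry time, MAC, IPv4 address, hostname and client-id, with "*" standing in for a hostname or client-id the client never supplied. A lease with no hostname gets no DNS name from dnsmasq, which is why the first entry is unreachable by name. The reader below is an added example for this page, not dnsmasq code; it parses the two lines from the post plus one constructed expired lease, lists active leases that lack a name, and resolves a name the way dnsmasq does from its lease table. The function names and the treatment of an expiry of 0 as a lease that never expires are my assumptions.

```python
"""Read a dnsmasq.leases file and report leases that carry no hostname.

Added example, not dnsmasq code.  Each record holds: expiry (Unix time, 0
assumed to mean never expires), MAC, IPv4 address, hostname and client-id,
with '*' standing in for an absent hostname or client-id.
"""
from typing import List, NamedTuple, Optional


class Lease(NamedTuple):
    expires: int
    mac: str
    ip: str
    hostname: Optional[str]
    client_id: Optional[str]


# Constructed sample: the two lines from the post plus one expired lease.
SAMPLE_LEASES = """\
1166770800 00:14:22:9b:10:47 172.16.41.40 * *
1166770990 00:16:17:a8:c4:23 172.16.189.188 pommel 01:00:16:17:a8:c4:23
1166000000 00:16:17:a8:c4:99 172.16.189.189 oldbox *
"""


def parse_leases(text: str) -> List[Lease]:
    """Turn the five-field lease records into Lease tuples, mapping '*' to None."""
    leases = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) != 5:
            continue  # not an IPv4 lease record
        expires, mac, ip, host, cid = fields
        leases.append(Lease(int(expires), mac, ip,
                            None if host == "*" else host,
                            None if cid == "*" else cid))
    return leases


def is_active(lease: Lease, now: int) -> bool:
    """A lease is live until its expiry; 0 is treated as never expiring."""
    return lease.expires == 0 or lease.expires > now


def nameless(leases: List[Lease], now: int) -> List[Lease]:
    """Active leases whose client sent no hostname; these get no DNS name."""
    return [lease for lease in leases if is_active(lease, now) and lease.hostname is None]


def lookup(leases: List[Lease], name: str, now: int) -> Optional[str]:
    """Resolve a hostname from the lease table: case-insensitive match on an
    active lease, None when no live lease carries that name."""
    for lease in leases:
        if is_active(lease, now) and lease.hostname and lease.hostname.lower() == name.lower():
            return lease.ip
    return None


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    now = 1166770500
    for lease in nameless(leases, now):
        print("no hostname for %s (%s)" % (lease.mac, lease.ip))
    print("pommel ->", lookup(leases, "pommel", now))
```

Point it at /var/lib/misc/dnsmasq.leases (the dhcp-leasefile path in the config above) with the current time, and the nameless list is exactly the set of clients that will not resolve by name, independent of anything in their own hosts files.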