Re: [Dnsmasq-discuss] Is there some way I can tell dnsmasq to give a negative reply to any IPv6 query?

2021-09-23 Thread Rick Thomas
You are right.  It is a mis-config.  If you have the time and interest, I'd 
appreciate any help you (or the list) can give on correcting the mis-config...

Here's the story:

As noted, my ISP does not provide IPv6 and has no plans to provide it in the 
future.  I've emailed their technical help line and asked when they might 
provide IPv6, and got absolute total stony silence in reply.  But I wanted to 
try experimenting with making my home LAN dual-stack, and fortunately, 
Hurricane Electric (HE) provides a free (no cost) easy-to-set-up tunnel service 
for folks like me.  So I signed up with HE and got a /48 IPv6 subnet for my 
local home LAN.  I bought an inexpensive netgate box (nowadays, I'd use a 
Raspberry Pi4B) and set it up running Debian as a gateway to HE for my LAN.  It 
worked great!  I was able to access IPv6-only sites and able to login directly 
from outside the home LAN (without any firewall pinholes) to the 
auto-configured IPv6 address of the machines on my LAN.

And thereby lies the catch.  With this setup, any hacker with an IPv6 
connection can connect to and try to hack any of the machines on my LAN.  I'd 
like to prevent that with the equivalent of an IPv4 NAT whereby incoming IPv6 
packets are filtered so that anything that is not part of an established 
connection initiated from inside the LAN will be dropped.  I'm sure it's 
possible but I'm finding the "iptables" documentation pretty opaque.  Anybody 
who can point me to a worked example from someone who has done this 
successfully will be a friend for life.

So I disabled forwarding for IPv6 on the netgate machine -- or at least I 
thought I did.  It appears that somehow the IPv6 subnet address was still 
leaking out and all the machines on my LAN were convinced that the netgate 
machine was still acting as a gateway.  On that assumption, I unplugged the 
netgate, so that such leakage would be physically impossible, and -- lo and 
behold -- the problems went away!

Now, what I'd like to do -- but need help doing -- is to set up an iptables 
firewall to prevent outside access via IPv6, so I can continue experimenting 
and contributing to world-wide acceptance of IPv6.

Thanks!
Rick

PS:  My original question still stands, though as more of a request for a new 
feature:  It would be nice to have some way to tell dnsmasq to give a negative 
reply to any IPv6 query for IPv4-only nets.  And vice versa -- give a negative 
reply to any IPv4 query for IPv6-only nets.  Is such a thing possible?




On Thu, Sep 23, 2021, at 1:56 AM, Trey Sis wrote:
> There's something wrong with your setup. Did you manually configure an
> IPv6 address for your machine? wget shouldn't try the IPv6 address if
> there is no route to the destination.
>
> Cheers,
>
> Treysis
>
> On 9/23/2021 10:02, Rick Thomas wrote:
>> My ISP does not support IPv6 at all.  Recently I have been having trouble 
>> connecting (web and/or ssh) to hosts outside of my local home LAN that have 
>> both IPv4 and IPv6 addresses.
>>
>> For example:
>>
>>  rbthomas@monk:~$ host www.google.com
>>  www.google.com has address 142.251.33.68
>>  www.google.com has IPv6 address 2607:f8b0:400a:806::2004
>>  rbthomas@monk:~$ wget www.google.com
>>  --2021-09-22 18:23:06--  http://www.google.com/
>>  Resolving www.google.com (www.google.com)... 2607:f8b0:400a:806::2004, 
>> 142.251.33.68
>>  Connecting to www.google.com 
>> (www.google.com)|2607:f8b0:400a:806::2004|:80... ^C
>>
>>
>> Is there some way I can tell dnsmasq to give a negative reply to any IPv6 
>> query?
>>
>> I'm using the debian dnsmasq package version 2.85-1
>>
>> Thanks!
>> Rick
>>

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
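An added example, not from the thread, of the "IPv6 equivalent of NAT" Rick asks for: a stateful ip6tables ruleset for the tunnel gateway that lets the LAN open connections outward and drops anything arriving from the tunnel that is not a reply to one of them. The interface names eth1 and he-ipv6 and the 2001:db8:1234::/48 prefix are assumptions standing in for the real LAN interface, HE tunnel interface and HE-assigned /48.

```shell
#!/bin/sh
# Added example (not from the thread): generate a stateful IPv6 firewall in
# ip6tables-restore format for a Hurricane Electric tunnel gateway. Inbound
# traffic from the tunnel is only accepted when it belongs to a connection
# the LAN initiated, which is the "NAT-like" behaviour the poster wants.
LAN_IF="${LAN_IF:-eth1}"        # LAN-facing interface (assumed name)
TUN_IF="${TUN_IF:-he-ipv6}"     # HE 6in4 tunnel interface (assumed name)
LAN_PREFIX="${LAN_PREFIX:-2001:db8:1234::/48}"  # documentation prefix stands in for the real /48

# Print the ruleset; default policy is DROP for INPUT and FORWARD.
gen_ip6_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets conntrack cannot classify are never worth forwarding.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Loopback, plus replies to connections the gateway itself opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is not optional in IPv6: neighbour discovery and PMTU depend on it.
-A INPUT -p ipv6-icmp -j ACCEPT
# The gateway may be administered from the LAN side only.
-A INPUT -i $LAN_IF -s $LAN_PREFIX -j ACCEPT
# Forwarding: LAN -> tunnel freely; tunnel -> LAN only for established flows.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_PREFIX -j ACCEPT
# Tunnel MTU is smaller than Ethernet, so Packet Too Big must reach the LAN.
-A FORWARD -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
COMMIT
EOF
}

# Self-check: count rules that accept new traffic arriving on the tunnel.
# A ruleset with the intended "replies only" semantics returns 0.
count_new_inbound_accepts() {
  gen_ip6_rules | grep -c -- "-i $TUN_IF .* -j ACCEPT" || true
}

case "${1:-}" in
  --apply) gen_ip6_rules | ip6tables-restore ;;   # needs root; persist with your distro's mechanism
  *) gen_ip6_rules ;;
esac
```

Run it without arguments to review the rules, then with `--apply` on the gateway; the LAN hosts' global addresses stay reachable for connections they start, but unsolicited connections from the tunnel are dropped.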


[Dnsmasq-discuss] Is there some way I can tell dnsmasq to give a negative reply to any IPv6 query?

2021-09-23 Thread Rick Thomas
My ISP does not support IPv6 at all.  Recently I have been having trouble 
connecting (web and/or ssh) to hosts outside of my local home LAN that have 
both IPv4 and IPv6 addresses.

For example:

rbthomas@monk:~$ host www.google.com
www.google.com has address 142.251.33.68
www.google.com has IPv6 address 2607:f8b0:400a:806::2004
rbthomas@monk:~$ wget www.google.com
--2021-09-22 18:23:06--  http://www.google.com/
Resolving www.google.com (www.google.com)... 2607:f8b0:400a:806::2004, 
142.251.33.68
Connecting to www.google.com 
(www.google.com)|2607:f8b0:400a:806::2004|:80... ^C


Is there some way I can tell dnsmasq to give a negative reply to any IPv6 query?

I'm using the debian dnsmasq package version 2.85-1

Thanks!
Rick



Re: [Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11? [SOLVED]

2018-10-07 Thread Rick Thomas
H…

On further study, it seems that (in Debian Stretch, at least) the root KSK’s 
used by dnsmasq are taken from the file /usr/share/dns/root.ds, which is 
provided by the package dns-root-data; and that package seems to be part of the 
standard Stretch installation.  That file lists both keys (the new “20326” and 
the old “19036”).  So it’s all set to go.  No need to panic…  (-:

Enjoy!
Rick





[Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?

2018-10-07 Thread Rick Thomas
What do I need to do to be ready for the DNSSEC Root KSK (key signing key) 
rollover on October 11, 2018?

As mentioned in the CircleID article at

http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
and the ICANN page at
• https://www.icann.org/kskroll

I’m running a more or less stock-out-of-the-box Debian Stretch with the latest 
(for Stretch) dnsmasq version 2.76-5+deb9u1.

> cat /usr/share/dnsmasq-base/trust-anchors.conf
> # The root DNSSEC trust anchor, valid as at 30/01/2014
> 
> # Note that this is a DS record (ie a hash of the root Zone Signing Key) 
> # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
> 
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

Which, IIUC, says it’s using root trust anchor ID 19036 extracted on Jan 30, 
2014, not ID 20326 extracted any time in the last 12 months.

Is there an update I have missed applying?  I see that Debian Sid is on version 
2.79-1.  

Thanks!
Rick


[Dnsmasq-discuss] redundant/resilient dnsmasq servers?

2016-03-24 Thread Rick Thomas

My home network recently suffered 5 hours of downtime because the dnsmasq 
server crashed and took out my DNS and DHCP service.

Is it possible to run a backup instance of dnsmasq on a different server so 
this wouldn't happen again?

How would I configure this?

I can (and do) have two dnsmasq/DNS servers (with identical /etc/hosts files).  
That works fine.  But when I try to have two dnsmasq/DHCP servers (with 
identical /etc/ethers files) things get confused and some clients go for long 
periods without working network attachment.

Thanks!
Rick


Re: [Dnsmasq-discuss] Any way to set the lease-time for hosts derived from /etc/ethers?

2015-05-09 Thread Rick Thomas

On May 8, 2015, at 8:55 PM, richardvo...@gmail.com wrote:

> 
> 
> On Fri, May 8, 2015 at 2:35 PM, Simon Kelley  wrote:
> On 04/05/15 12:42, Rick Thomas wrote:
> >
> > Is there any way to set the lease time for a client derived from the
> > /etc/ethers file?
> >
> > I can set a lease time for a lease derived from a “dhcp-range” or
> > “dhcp-host” config statement, but I can’t find any way to set it for
> > the “implied” dhcp-host config when the host comes from /etc/ethers
> > via a “read-ethers” config.
> >
> 
> You can't put a lease time in /etc/ethers. The format of the ethers file
> is defined outside dnsmasq and doesn't have the syntax to represent it.
> 
> You can keep the /etc/ethers file and include lease times separately in
> dhcp-host configs with just a MAC address or hostname and lease time.
> 
> You presumably have a “dhcp-range static” option already configured, since it 
> is needed for read-ethers to work, and the lease time can be set there for 
> the entire group, but not individually.

I actually don’t have a “dhcp-range static” option configured, since I want to 
provide dhcp for “guest” systems as well as for those fixed systems on the LAN 
that should have static IP addresses.

And this (some dynamic, some static from /etc/ethers) works fine (except for 
the noted inability to specify a lease time for the fixed-address hosts).  So 
I’m not sure what you mean when you say that dhcp-range static “is needed for 
read-ethers to work.”

Can I, for example, have:

dhcp-range=192.168.1.200,192.168.1.220,120m
dhcp-range=192.168.1.1,192.168.1.199,static,infinite
dhcp-range=192.168.1.221,192.168.1.254,static,infinite
read-ethers

Presumably this would have /etc/ethers allocate permanent addresses outside of 
the 200-220 range, while dnsmasq would allocate addresses in the 200-220 range 
with lease time of 2 hours?

Would that work?

Thanks!
Rick


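An added example, not from the thread, of the workaround Simon describes: keep /etc/ethers for the address mapping and generate a matching dhcp-host= line per MAC that carries only the lease time. The sample ethers content is constructed; the ethers_to_dhcp_host helper is mine, not part of dnsmasq.

```shell
#!/bin/sh
# Added example (not from the thread): emit "dhcp-host=<mac>,<lease>" lines
# from /etc/ethers entries so fixed hosts get a lease time, which the ethers
# format itself cannot express. The address/hostname still come from ethers.

# Usage: ethers_to_dhcp_host LEASE_TIME < ethers-file
# Comments and blank lines are skipped; malformed MACs are reported on stderr
# and left out rather than producing a config line dnsmasq would reject.
ethers_to_dhcp_host() {
  lease="$1"
  sed 's/#.*//' | awk -v lease="$lease" '
    NF == 2 {
      mac = tolower($1)
      # a MAC is six colon-separated hex octets of one or two digits
      n = split(mac, oct, ":")
      ok = (n == 6)
      for (i = 1; i <= n && ok; i++)
        if (oct[i] !~ /^[0-9a-f][0-9a-f]?$/) ok = 0
      if (!ok) {
        print "skipping malformed entry: " $0 > "/dev/stderr"
        next
      }
      printf "dhcp-host=%s,%s\n", mac, lease
    }'
}

# Constructed sample standing in for /etc/ethers.
SAMPLE_ETHERS='# fixed hosts on the LAN (constructed sample)
00:11:22:33:44:55  monk
AA:BB:CC:DD:EE:FF  printer   # comment after the entry
not-a-mac          bogus
'

# Produce the dhcp-host lines for an "infinite" lease on the sample.
demo() {
  printf '%s' "$SAMPLE_ETHERS" | ethers_to_dhcp_host infinite
}

demo
```

Append the output to a file under /etc/dnsmasq.d/ alongside read-ethers; the same helper with a value such as 12h gives the fixed hosts a finite lease instead.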


[Dnsmasq-discuss] Any way to set the lease-time for hosts derived from /etc/ethers?

2015-05-04 Thread Rick Thomas

Is there any way to set the lease time for a client derived from the 
/etc/ethers file?

I can set a lease time for a lease derived from a “dhcp-range” or “dhcp-host” 
config statement, but I can’t find any way to set it for the “implied” 
dhcp-host config when the host comes from /etc/ethers via a “read-ethers” 
config.

Thanks!

Rick