Re: [Dnsmasq-discuss] Format Errors using add-subnet
Albert,

First let me be clear - I don't believe this is a DNSMasq issue since I can reproduce it with dig. I was just hoping with all the DNS experts on this forum that someone would have seen this issue with the Windows Server and give me some pointers on possible solutions.

Second, here is an example trace of the error.

No.  Time      Source        Destination    Protocol  Length  Info
1    0.00      172.19.9.210  65.153.116.46  DNS       97      Standard query 0x7613 A www.google.com OPT

Frame 1: 97 bytes on wire (776 bits), 97 bytes captured (776 bits)
Ethernet II, Src: Shuttle_97:5f:7c (80:ee:73:97:5f:7c), Dst: JuniperN_b1:4a:e0 (0c:86:10:b1:4a:e0)
Internet Protocol Version 4, Src: 172.19.9.210, Dst: 65.153.116.46
User Datagram Protocol, Src Port: 54012, Dst Port: 53
Domain Name System (query)
    [Response In: 2]
    Transaction ID: 0x7613
    Flags: 0x0120 Standard query
        0... = Response: Message is a query
        .000 0... = Opcode: Standard query (0)
        ..0. = Truncated: Message is not truncated
        ...1 = Recursion desired: Do query recursively
        .0.. = Z: reserved (0)
        ..1. = AD bit: Set
        ...0 = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.google.com: type A, class IN
            Name: www.google.com
            [Name Length: 14]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x
                0... = DO bit: Cannot handle DNSSEC security RRs
                .000 = Reserved: 0x
            Data length: 12
            Option: CSUBNET - Client subnet
                Option Code: CSUBNET - Client subnet (8)
                Option Length: 8
                Option Data: 00012000ac1309d2
                Family: IPv4 (1)
                Source Netmask: 32
                Scope Netmask: 0
                Client Subnet: 172.19.9.210

No.  Time      Source         Destination   Protocol  Length  Info
2    0.025748  65.153.116.46  172.19.9.210  DNS       97      Standard query response 0x7613 Format error A www.google.com OPT

Frame 2: 97 bytes on wire (776 bits), 97 bytes captured (776 bits)
Ethernet II, Src: JuniperN_b1:4a:e0 (0c:86:10:b1:4a:e0), Dst: Shuttle_97:5f:7c (80:ee:73:97:5f:7c)
Internet Protocol Version 4, Src: 65.153.116.46, Dst: 172.19.9.210
User Datagram Protocol, Src Port: 53, Dst Port: 54012
Domain Name System (response)
    [Request In: 1]
    [Time: 0.025748000 seconds]
    Transaction ID: 0x7613
    Flags: 0x8101 Standard query response, Format error
        1... = Response: Message is a response
        .000 0... = Opcode: Standard query (0)
        .0.. = Authoritative: Server is not an authority for domain
        ..0. = Truncated: Message is not truncated
        ...1 = Recursion desired: Do query recursively
        0... = Recursion available: Server can't do recursive queries
        .0.. = Z: reserved (0)
        ..0. = Answer authenticated: Answer/authority portion was not authenticated by the server
        ...0 = Non-authenticated data: Unacceptable
        0001 = Reply code: Format error (1)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.google.com: type A, class IN
            Name: www.google.com
            [Name Length: 14]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x
                0... = DO bit: Cannot handle DNSSEC security RRs
                .000 = Reserved: 0x
            Data length: 12
            Option: CSUBNET - Client subnet
                Option Code: CSUBNET - Client subnet (8)
                Option Length: 8
                Option Data: 00012000ac1309d2
                Family: IPv4 (1)
                Source Netmask: 32
                Scope Netmask: 0
                Client Subnet: 172.19.9.210

From: Albert ARIBAUD
Sent: Wednesday, December 7, 2016 6:20:32 AM
To: Scott Bonar
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Format Errors using add-subnet
[Dnsmasq-discuss] Format Errors using add-subnet
When using this option (which I really need to do) for DNS queries, I get Format Errors from the upstream DNS servers if they are Windows Servers 2008 through at least 2012. Has anyone seen this and is there a workaround either in DNSMasq or Windows?

Your help is appreciated.

Scott Bonar

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Fail-over or high availability for dnsmaasq
On 10/25/16 11:45 PM, marcus coleman wrote:
> Hello All
>
> Is there a configuration for dnsmasq to have a primary and fail-over.
> Meaning if my dnsmasq server (dhcp and dns) go offline can another
> machine running dnsmasq be configured to ?
>
> "takeover" dhcp/dns roles of the primary ?
>

I've done this, although somewhat manually. Essentially, I use Ansible to ensure that my configs are all in sync. Then, I use pacemaker to detect a 'host down' situation. This moves an IP alias and then clients start hitting that host.

You may be able to stick nginx in front of dnsmasq and load-balance but, if you're using dynamic DNS updates and you rely on a leases file, you could get different answers based on which server you hit (that'd be bad). If all you are doing is DNS definitions and nothing dynamic, I don't see why it wouldn't work...

> thanks for any help in advance!

--
Scott Mead
Sr. Architect
OpenSCG
[Dnsmasq-discuss] Bug with EDNS packet size and DNS server files
All,

I believe I have stumbled on a bug in which the server->edns_pktsz field is not initialized to the daemon->edns_pktsz value if they are loaded from a server file. I believe this is because when read_opts() is called the servers_file option is parsed and loaded into daemon->servers_file, but not read. After all the options have been parsed in read_opts, it then loops through all the servers and initializes edns_pktsz to daemon->edns_pktsz, but because the server file has not been read yet they are not initialized. The server file is read later on in the async_event() function.

The one option that I have tested is in the function check_servers(), which is called after read_servers_file(): as it loops through the servers, check if edns_pktsz is 0 and if it is, initialize it to daemon->edns_pktsz.

The best way I have found to test this is a) use the servers file as defined, b) use the add-subnet option which adds an EDNS optional record to the DNS request, and c) disable the cache. Then wireshark the DNS traffic. You will see the first request has the EDNS packet length set to 0. Some servers do not like this and return a SERVFAIL, which triggers a resend, at which point the EDNS packet length is 1024 and the request is successful. As you can see this is not optimal.

Thoughts?

Scott Bonar | Cradlepoint
o: +1.208.489.0029 | sbo...@cradlepoint.com
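The CSUBNET option bytes in the add-subnet trace above (00012000ac1309d2) and the zero EDNS payload size in this bug report are two fields of the same OPT pseudo-RR. The Python below is an added example, not dnsmasq's or the posters' code: it encodes and decodes that record and flags both problems. The /24 and /56 exposure limits are RFC 7871's recommended maximums, assumed here as the operator's policy.

```python
"""EDNS0 OPT pseudo-RR (RFC 6891) and its Client Subnet option (RFC 7871,
code 8, 'CSUBNET' in the Wireshark trace). Added example; not dnsmasq code."""
import ipaddress
import struct

OPT_TYPE = 41
ECS_OPTION_CODE = 8
FAMILY_IPV4, FAMILY_IPV6 = 1, 2
# Assumed operator policy, taken from RFC 7871's recommended maximums.
MAX_SOURCE_PREFIX = {FAMILY_IPV4: 24, FAMILY_IPV6: 56}


def build_ecs_option(address, source_prefix, scope_prefix=0):
    """FAMILY | SOURCE PREFIX-LENGTH | SCOPE PREFIX-LENGTH | address octets
    covered by the source prefix (RFC 7871 section 6), trailing bits zeroed."""
    ip = ipaddress.ip_address(address)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("source prefix out of range for the address family")
    nbytes = (source_prefix + 7) // 8
    addr = ip.packed[:nbytes]
    if source_prefix % 8:
        mask = (0xFF << (8 - source_prefix % 8)) & 0xFF
        addr = addr[:-1] + bytes([addr[-1] & mask])
    return struct.pack("!HBB", family, source_prefix, scope_prefix) + addr


def parse_ecs_option(data):
    """Decode an ECS payload such as 00012000ac1309d2 from the trace."""
    if len(data) < 4:
        raise ValueError("ECS option shorter than its 4-byte header")
    family, source, scope = struct.unpack("!HBB", data[:4])
    width = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}.get(family)
    if width is None:
        raise ValueError("unknown ECS address family %d" % family)
    if len(data) - 4 != (source + 7) // 8:
        raise ValueError("address length does not match the source prefix")
    addr = ipaddress.ip_address(data[4:].ljust(width, b"\x00"))
    return {"family": family, "source_prefix": source,
            "scope_prefix": scope, "address": str(addr)}


def build_opt_rr(udp_payload_size, options=(), do_bit=False):
    """Wire form: root NAME (0x00), TYPE 41, CLASS = UDP payload size,
    TTL = ext-RCODE/version/flags, RDLENGTH, then (code, length, data)..."""
    rdata = b"".join(struct.pack("!HH", code, len(val)) + val
                     for code, val in options)
    flags = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size,
                                 flags, len(rdata)) + rdata


def parse_opt_rr(wire):
    if len(wire) < 11 or wire[0] != 0:
        raise ValueError("OPT RR must be owned by the root name")
    rrtype, payload, ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    if rrtype != OPT_TYPE:
        raise ValueError("not an OPT RR (type %d)" % rrtype)
    rdata = wire[11:11 + rdlen]
    if len(rdata) != rdlen:
        raise ValueError("RDATA truncated")
    options, pos = [], 0
    while pos < rdlen:
        if pos + 4 > rdlen:
            raise ValueError("option header runs past RDATA")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > rdlen:
            raise ValueError("option %d runs past RDATA" % code)
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return {"udp_payload_size": payload, "ext_rcode": ttl >> 24,
            "version": (ttl >> 16) & 0xFF, "do": bool(ttl & 0x8000),
            "data_length": rdlen, "options": options}


def check_opt_rr(wire):
    """Resolver-operator checks: the zero payload size from the bug report
    above, and how much of the client address an ECS option sends upstream."""
    info = parse_opt_rr(wire)
    findings = []
    if info["version"] != 0:
        findings.append("EDNS version %d will draw BADVERS" % info["version"])
    if info["udp_payload_size"] < 512:
        findings.append("UDP payload size %d is below the 512-byte minimum"
                        % info["udp_payload_size"])
    for code, val in info["options"]:
        if code != ECS_OPTION_CODE:
            continue
        ecs = parse_ecs_option(val)
        if ecs["scope_prefix"] != 0:
            findings.append("SCOPE PREFIX-LENGTH must be 0 in a query")
        if ecs["source_prefix"] > MAX_SOURCE_PREFIX[ecs["family"]]:
            findings.append("ECS /%d exposes the full client address %s"
                            % (ecs["source_prefix"], ecs["address"]))
    return findings
```

Parsing the trace's option with `parse_ecs_option(bytes.fromhex("00012000ac1309d2"))` gives family 1, source prefix 32 and 172.19.9.210, and `build_opt_rr(4096, [(8, ...)])` reproduces the 12-byte RDATA the trace reports.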
[Dnsmasq-discuss] Global CNAME discussion
I have an interesting setup. I have 2 DNS servers, A and B.

A hosts:
  .domain1
  .domain2

B hosts:
  .domain3
  .domain4

I would like to add a domain to 'A' called .global

.global would be what I set all the client's search paths to and could pick from any of the domains. I may have db.global -> db.domain1 (primary) or db.domain4 (slave)

I've seen the documentation and I understand that you cannot have a cname that points to a host that lives outside the scope of a dnsmasq instance. I'm okay with that part. The strange thing is that I tried to add this to my hosts file on the dnsmasq server A, and it still didn't seem to work, i.e.

/etc/dnsmasq.hosts
  192.168.1.1 db.domain4
  cname=db.global, db.domain4

This still did not work. I'm just wondering if I'm missing something.

On a second note, it would be cool if dnsmasq would let me assign cnames when I define a server for a specific domain i.e.

dnsmasq A:
  server=/domain4/ip.of.dnsmasq.b
  cname = db.global, db.domain4

I'm not sure if that's simple or complex, but figured I would ask if it made sense or not.

Thanks
[Dnsmasq-discuss] What is the required configuration for enabling periodic RA's
Hi there,

I'm trying to use dnsmasq to provide RA for stateless IPV6 configuration. Does anyone know the configuration required to get dnsmasq to send out RA's periodically? So far I seem to only see RA's be sent after a DHCP request occurs.

I'm trying to set this up on a router that has a dynamic backhaul where the assigned IPV6 prefix can change abruptly. I've seen problems in the past where clients such as Windows XP seem to ignore a single RA after an IP change. The only way I've found to get this bullet proof is to use RADVD to periodically broadcast RAs.
[Dnsmasq-discuss] Non-standard port and resolv.conf file
Is there anyway to have dnsmasq use the same server address parsing when using the resolv.conf file as it does when using the 'server' command line/config option?

My issue is that I want to use the resolv.conf file so I don't have to restart dnsmasq, but the nameserver I am using also uses a non-standard port, i.e. not 53. On the command line I can do something like '111.222.333.444#5353', but if I put this type of format in the resolv.conf file dnsmasq does not like it.

Thx

--
Scott Bonar | Lead Software Engineer | 208.870.7851
Re: [Dnsmasq-discuss] Can't set FQDN on dhcp clients
On Fri, Jun 8, 2012 at 3:25 PM, Snyder, Chris wrote:
>
> -Original Message-
> From: dnsmasq-discuss-boun...@lists.thekelleys.org.uk
> [mailto:dnsmasq-discuss-boun...@lists.thekelleys.org.uk] On Behalf Of
> Simon Kelley
> Sent: Friday, June 08, 2012 2:34 PM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] Can't set FQDN on dhcp clients
>
> That config should be enough. Are you sure that your DHCP is asking for
> the domain name or FQDN option and using the result?
>

Chris,

I have a similar setup, I just set the:

  domain='my.domain.name.com'

in /etc/dnsmasq.conf, then on the client:

  $ hostname
  scottsuse
  $ hostname -f
  scottsuse.my.domain.name.com

-- dnsmasq 2.55

--Scott

> Add
>
> log-dhcp
>
> to your dhcp configuration, cycle a client and take a look the logs to
> see what's going on.
>
> Simon.
>
>
> I added the 'log-dhcp' and reran my tests. 'hostname' on client still
> returns only 'test2'. (Client is RH5, btw.)
>
> What I'm confused about is that I have the mac correct for my client in
> /etc/ethers, 00:0c:29:72:50:92. But the only time it seems to match
> that mac is if I have the short name in both /etc/ethers and /etc/hosts.
> Seems anytime I put a full FQDN in /etc/hosts or /etc/ethers for a given
> client, it no longer matches the mac. For example, in cases where the
> mac matches, dnsmasq assigns 192.168.56.5, which is desired behavior.
>
> In the log output, it is returning the 'test2' for the dhcp-option
> 'hostname' and 'gopher.sra.com' for the dhcp-option 'domain-name'.
> Personally, I would have expected it to return the FQDN for hostname.
>
> Logs below:
>
> Jun 8 14:23:02 kei dnsmasq[7712]: DHCP packet: transaction-id is 1773225885
> Jun 8 14:23:02 kei dnsmasq[7712]: Available DHCP range: 192.168.56.128 -- 192.168.56.235
> Jun 8 14:23:02 kei dnsmasq[7712]: DHCPREQUEST(eth0) 192.168.56.173 00:0c:29:72:50:92
> Jun 8 14:23:02 kei dnsmasq[7712]: DHCPACK(eth0) 192.168.56.173 00:0c:29:72:50:92 test2
> Jun 8 14:23:02 kei dnsmasq[7712]: requested options: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
> Jun 8 14:23:02 kei dnsmasq[7712]: requested options: 15:domain-name, 6:dns-server, 12:hostname,
> Jun 8 14:23:02 kei dnsmasq[7712]: requested options: 40:nis-domain, 41:nis-server, 42:ntp-server,
> Jun 8 14:23:02 kei dnsmasq[7712]: requested options: 26:mtu
> Jun 8 14:23:02 kei dnsmasq[7712]: tags: known
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 1 option: 53:message-type 05
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 54:server-identifier c0:a8:38:02
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 51:lease-time 00:00:a8:c0
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 58:T1 00:00:54:60
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 59:T2 00:00:93:a8
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 1:netmask ff:ff:ff:00
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 28:broadcast c0:a8:38:ff
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 6:dns-server c0:a8:38:02
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 14 option: 15:domain-name 67:6f:70:68:65:72:2e:73:72:61:2e:63:6f...
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 5 option: 12:hostname 74:65:73:74:32
> Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 3:router c0:a8:38:01
> Jun 8 14:23:02 kei dnsmasq[7712]: not giving name test2.gopher.sra.com to the DHCP lease of 192.168.56.173 because the name exists in /etc/hosts with address 192.168.56.5
>
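The hex dumps in the quoted log-dhcp output only answer the FQDN question once each option is decoded by its type (option 12 is a bare host name, option 15 the domain the client is expected to append). This Python decoder is an added example, not dnsmasq code: it turns the "sent size" lines into typed values, pairs them with the DHCPACK lease, and marks values dnsmasq shortened with "...". The sample lines are copied from the log above.

```python
"""Decode dnsmasq log-dhcp 'sent size: N option: code:name hex' lines.
Added example; the regexes are written against the log format shown above."""
import re

SENT_RE = re.compile(
    r"dnsmasq\[(?P<pid>\d+)\]: sent size:\s*(?P<size>\d+) option:\s*"
    r"(?P<code>\d+):(?P<name>[\w-]+)\s+"
    r"(?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})*)(?P<dots>\.\.\.)?")
ACK_RE = re.compile(
    r"dnsmasq\[\d+\]: DHCPACK\((?P<iface>\w+)\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?")

IPV4_OPTIONS = {1, 3, 6, 28, 54}   # netmask, router, dns-server, broadcast, server-id
UINT32_OPTIONS = {51, 58, 59}      # lease-time, T1, T2 (seconds, big-endian)
TEXT_OPTIONS = {12, 15}            # hostname, domain-name (plain ASCII)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def decode_option(code, raw):
    """Turn an option's raw bytes into the value the client will see."""
    if code in IPV4_OPTIONS:
        addrs = [".".join(str(b) for b in raw[i:i + 4])
                 for i in range(0, len(raw), 4)]
        return addrs[0] if len(addrs) == 1 else addrs
    if code in UINT32_OPTIONS:
        return int.from_bytes(raw, "big")
    if code in TEXT_OPTIONS:
        return raw.decode("ascii", errors="replace")
    if code == 53:
        return MESSAGE_TYPES.get(raw[0], "type %d" % raw[0])
    return raw.hex()


def parse_sent_option(line):
    m = SENT_RE.search(line)
    if not m:
        return None
    raw = bytes.fromhex(m["hex"].replace(":", ""))
    size = int(m["size"])
    # dnsmasq shortens long values with '...', so the line may carry fewer
    # bytes than 'sent size' announces; report that rather than guess the rest.
    truncated = bool(m["dots"]) or len(raw) < size
    return {"code": int(m["code"]), "name": m["name"], "size": size,
            "truncated": truncated, "value": decode_option(int(m["code"]), raw)}


def summarize_ack(lines):
    """Collect the lease and every decoded option of one DHCPACK exchange."""
    summary = {"lease": None, "options": {}, "truncated": []}
    for line in lines:
        ack = ACK_RE.search(line)
        if ack:
            summary["lease"] = {"iface": ack["iface"], "ip": ack["ip"],
                                "mac": ack["mac"], "hostname": ack["host"]}
            continue
        opt = parse_sent_option(line)
        if opt:
            summary["options"][opt["name"]] = opt["value"]
            if opt["truncated"]:
                summary["truncated"].append(opt["name"])
    return summary


# Lines copied from the log in the thread above.
SAMPLE_LOG = [
    "Jun 8 14:23:02 kei dnsmasq[7712]: DHCPREQUEST(eth0) 192.168.56.173 00:0c:29:72:50:92",
    "Jun 8 14:23:02 kei dnsmasq[7712]: DHCPACK(eth0) 192.168.56.173 00:0c:29:72:50:92 test2",
    "Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 1 option: 53:message-type 05",
    "Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 54:server-identifier c0:a8:38:02",
    "Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 51:lease-time 00:00:a8:c0",
    "Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 4 option: 1:netmask ff:ff:ff:00",
    "Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 14 option: 15:domain-name "
    "67:6f:70:68:65:72:2e:73:72:61:2e:63:6f...",
    "Jun 8 14:23:02 kei dnsmasq[7712]: sent size: 5 option: 12:hostname 74:65:73:74:32",
]

if __name__ == "__main__":
    print(summarize_ack(SAMPLE_LOG))
```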
[Dnsmasq-discuss] Only serve IP's if reservation exists?
Hello,

Is there a way to have dnsmasq only serve IP's if a reservation exists for that IP? And if no IP reservation exists, for it to hold onto that IP (similar to Windows DHCP where you exclude the entire range, and then it will only serve IP's if a reservation exists)?

Warm regards,
Scott
Re: [Dnsmasq-discuss] DNS64 support.
Experimentation. I would like to try a machine or two with only ipv6, and since dnsmasq is already bound to 53, it'll have to do. :)

It is a simple function. If a single AAAA is requested and the reply has 0 answers, forward a modified query for an A. Then, convert the A to AAAA by adding prefix 64:FF9B::

This may not fit dnsmasq now, or need to officially be included, but if the IPv6 ever catches on, this method has my vote. I guess a more complete BIND server could run on my router, but I have not yet given up on repurposing the one I am using now. :)

--
Scott

On 2/11/11, Bill C Riemers wrote:
> Really, you only need DNS64/NAT64 if you want to completely eliminate IPv4
> in your network. With a dual stack, e.g. using both, it is completely
> unnecessary. I would say if you do need them, they are completely
> different functions than what DNSMASQ provide. As such, they should be
> just completely different code.
>
> Bill
>
>
> On 02/11/2011 11:20 AM, Simon Kelley wrote:
>> Scott Nicholas wrote:
>>> Experimenting at home with IPv6... Would like to try DNS64/NAT64 and
>>> dnsmasq is the logical choice to continue my DNS needs since it's
>>> already used on my OpenWRT home routers.
>>>
>>> I read over some code a bit before bed, and believe I should have a
>>> hack together in 2-3 days time that covers just the "Well Known
>>> Prefix" (currently 64:FF9B::/96) with constant RDATA for PTRs. I
>>> believe this to be the setup most likely for home routers. Then it's
>>> simply a single command-line switch to enable DNS64 behavior or not.
>>> No worries about other prefixes for me at this point.
>>>
>>> Tho before proceeding, was there any other work done with this by
>>> anyone? Shouldn't take much I think to implement _after_ I learn at
>>> least how a few things are working.. Looking to throw some ideas
>>> around. I'm more a hacker/tinkerer than a programmer but I've a draft
>>> to follow so it shouldn't be too whack ;)
>>>
>>>
>> There was a brief conversation about this subject here:
>>
>> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2010q4/004635.html
>>
>> The conclusion seems to be that it's a red-herring for dnsmasq, is that
>> right? (I don't know anything about DNS64 and have no opinion).
>>
>>
>> Simon.
>
[Dnsmasq-discuss] DNS64 support.
Experimenting at home with IPv6... Would like to try DNS64/NAT64 and dnsmasq is the logical choice to continue my DNS needs since it's already used on my OpenWRT home routers.

I read over some code a bit before bed, and believe I should have a hack together in 2-3 days time that covers just the "Well Known Prefix" (currently 64:FF9B::/96) with constant RDATA for PTRs. I believe this to be the setup most likely for home routers. Then it's simply a single command-line switch to enable DNS64 behavior or not. No worries about other prefixes for me at this point.

Tho before proceeding, was there any other work done with this by anyone? Shouldn't take much I think to implement _after_ I learn at least how a few things are working.. Looking to throw some ideas around. I'm more a hacker/tinkerer than a programmer but I've a draft to follow so it shouldn't be too whack ;)

Thanks,
Scott.
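The synthesis step described in this thread (an AAAA query that comes back with no answers is re-asked as A, and the IPv4 address is embedded under 64:FF9B::/96) in Python, as an added example that is neither the hack discussed here nor dnsmasq code. It goes a little beyond the post by also handling the other RFC 6052 prefix lengths, including the zero "u" octet at bits 64-71, and by mapping back from IPv6 to IPv4 for the PTR side; the lookup tables are constructed stand-ins for upstream answers.

```python
"""DNS64 AAAA synthesis (RFC 6147) with RFC 6052 address embedding.
Added example; the resolver tables are constructed, not real answers."""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.ip_network("64:ff9b::/96")
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in an IPv6 prefix (RFC 6052 section 2.2).
    Bits 64-71 (the 'u' octet) must stay zero, so the IPv4 octets skip it."""
    prefix = ipaddress.ip_network(prefix)
    if prefix.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError("Pref64 length must be one of %s" % (VALID_PREFIX_LENGTHS,))
    octets = bytearray(prefix.network_address.packed)
    pos = prefix.prefixlen // 8
    for b in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:
            pos += 1
        octets[pos] = b
        pos += 1
    return str(ipaddress.IPv6Address(bytes(octets)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Reverse mapping, e.g. when answering PTR queries under the prefix.
    Returns None when the address is not inside the Pref64 at all."""
    prefix = ipaddress.ip_network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    packed = addr.packed
    pos = prefix.prefixlen // 8
    out = bytearray()
    while len(out) < 4:
        if pos == 8:
            pos += 1
        out.append(packed[pos])
        pos += 1
    return str(ipaddress.IPv4Address(bytes(out)))


def dns64_resolve(name, lookup_aaaa, lookup_a, prefix=WELL_KNOWN_PREFIX):
    """The logic from the thread: native AAAA answers win; only when the
    AAAA reply is empty are A records looked up and synthesized."""
    native = lookup_aaaa(name)
    if native:
        return list(native)
    return [synthesize_aaaa(a, prefix) for a in lookup_a(name)]


# Constructed resolver tables standing in for upstream answers.
AAAA_TABLE = {"dual.example.": ["2001:db8::1"]}
A_TABLE = {"v4only.example.": ["192.0.2.33", "198.51.100.7"],
           "dual.example.": ["192.0.2.1"]}


def demo():
    """Resolve three names: dual-stack, IPv4-only, and nonexistent."""
    lookup_aaaa = lambda n: AAAA_TABLE.get(n, [])
    lookup_a = lambda n: A_TABLE.get(n, [])
    return {n: dns64_resolve(n, lookup_aaaa, lookup_a)
            for n in ("dual.example.", "v4only.example.", "missing.example.")}


if __name__ == "__main__":
    for name, answers in demo().items():
        print(name, answers)
```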
Re: [Dnsmasq-discuss] Single interface, multiple subnets...
Hmmm. Well turning off dnsmasq & throwing up a quick windows DHCP server seems to work for both subnets in terms of distributing the IP's. =\

I did just test again by removing the 2nd network segment. I've placed all three machines on the same physical network. I have the 2 DHCP ranges configured in dnsmasq, and I have 2 reservations made via MAC address. The reservation for the 192.168.1.128/25 range hands out, the reservation for the 192.168.1.0/25 gives the "no address range available for DHCP request via eth0" error.

So now I'm able to repro on the same physical segment, simply due to the fact that the IP reservation I've made is in a different subnet than the eth0 IP address. If I change eth0 on the DHCP server to an IP in the 192.168.1.0/25 range, then suddenly the 192.168.1.0/25 DHCP reservation works, and the 192.168.1.128/25 reservation that was working previously gives the "no address range available for DHCP request via eth0" error.

So to me, this definitely has something to do with the dnsmasq configuration as it pertains to serving reservations outside of its subnet.

Regards,
Scott Jarboe

-Original Message-
From: Simon Kelley [mailto:si...@thekelleys.org.uk]
Sent: Monday, September 27, 2010 12:34 PM
To: Scott
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Single interface, multiple subnets...

Scott wrote:
> The DHCP relay is the router itself, ip helper is configured which forwards
> the packets. Again, the dhcp requests are being received by the dhcp
> server, it simply won't serve out the address. One thing I did forget to
> mention is that I have mac reservations for each server.
>
> The issue however, is not in the routing. If I take server1 and modify the
> reservation to an IP in the dhcp server's subnet (192.168.1.128/25), the
> dhcp server gives it an address. It's only when I tell the dhcp server to
> give it an IP in the 192.168.1.0/25 subnet that it gives the error: "Sep 24
> 12:45:47 server1 dnsmasq[2640]: no address range available for DHCP request
> via eth0".
>

Something is wrong somewhere: if the ip helper was doing the correct thing and setting the giaddr field in DHCP packet then the message would say "DHCP request via w.x.y.z" and not "via eth0". Can you check that your DHCP relay is set up properly?

Simon.
Re: [Dnsmasq-discuss] Single interface, multiple subnets...
Sorry, typo on what I wrote here, the IP is 192.168.1.253.

This did remind me though to ask, how do I specify a different gateway for different dhcp ranges?

From: richardvo...@gmail.com [mailto:richardvo...@gmail.com]
Sent: Monday, September 27, 2010 10:35 AM
To: Scott
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Single interface, multiple subnets...

    The interface eth0 is configured as such:
    Ip: 192.168.0.253
    Mask: 255.255.255.128
    Gateway 192.168.1.129

This configuration is wrong, unless you have more routing rules you're not showing. The gateway needs to be local, which since eth0 is .0.253/25 means something .0.xxx, not .1.xxx.

    Any help would be...helpful. ;-)

    Warm regards,
    Scott
Re: [Dnsmasq-discuss] Single interface, multiple subnets...
The DHCP relay is the router itself, ip helper is configured which forwards the packets. Again, the dhcp requests are being received by the dhcp server, it simply won't serve out the address. One thing I did forget to mention is that I have mac reservations for each server.

The issue however, is not in the routing. If I take server1 and modify the reservation to an IP in the dhcp server's subnet (192.168.1.128/25), the dhcp server gives it an address. It's only when I tell the dhcp server to give it an IP in the 192.168.1.0/25 subnet that it gives the error: "Sep 24 12:45:47 server1 dnsmasq[2640]: no address range available for DHCP request via eth0".

-Original Message-
From: Simon Kelley [mailto:si...@thekelleys.org.uk]
Sent: Monday, September 27, 2010 3:40 AM
To: Scott
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Single interface, multiple subnets...

Scott wrote:
> Well, what I'm doing is simply trying to have DHCP IP's for 2
> different subnets (192.168.1.0/25 and 192.168.1.128/25) served out of
> a single interface. The machines are on 2 different physical network
> segments. The 192.168.1.0/25 has a default gateway of 192.168.1.1, the
> 192.168.1.128/25 subnet has a default gateway of 192.168.1.129.
> Routing is set so that the DHCP request will route to the DHCP server.
> I turn on server 1 & server 2, and though both DHCP ranges are set,
> and the DHCP Request packets from both servers are received by the
> DHCP server, it only serves out a DHCP address for server 2, and for
> server 1 (the server which is on a different subnet & network segment)
> gives the error I indicated below: "Sep 24 12:45:47 server1
> dnsmasq[2640]: no address range available for DHCP request via eth0".
>

How are packets routed from the network segment containing server1 to the DHCP server? If it's a different physical segment then it will be in a different broadcast domain and DHCP broadcasts from that segment won't ever make it to the server. Clearly they are, so there's something more complex happening, but you're not telling us what.

The solution to this problem is almost certainly to use a DHCP-relay, but exactly how that should be done depends on the details of your routing.

Cheers,

Simon.
Re: [Dnsmasq-discuss] Single interface, multiple subnets...
Well, what I'm doing is simply trying to have DHCP IP's for 2 different subnets (192.168.1.0/25 and 192.168.1.128/25) served out of a single interface. The machines are on 2 different physical network segments. The 192.168.1.0/25 has a default gateway of 192.168.1.1, the 192.168.1.128/25 subnet has a default gateway of 192.168.1.129. Routing is set so that the DHCP request will route to the DHCP server. I turn on server 1 & server 2, and though both DHCP ranges are set, and the DHCP Request packets from both servers are received by the DHCP server, it only serves out a DHCP address for server 2, and for server 1 (the server which is on a different subnet & network segment) gives the error I indicated below: "Sep 24 12:45:47 server1 dnsmasq[2640]: no address range available for DHCP request via eth0".

Regards,
Scott

-Original Message-
From: Simon Kelley [mailto:si...@thekelleys.org.uk]
Sent: Sunday, September 26, 2010 10:32 AM
To: Scott
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Single interface, multiple subnets...

Scott wrote:
> Hello,
>
> I'm completely new to dnsmasq (and the Unix world in general [this is
> running on a FreeBSD box I've built]), and I'm looking to use dnsmasq to
> serve dhcp from a single interface to multiple network segments. I have
> not, however, been successful so far.
>
> Now this is just a single block split into two 25 bit ranges, the DHCP
> server is in the .128/25, and while it see's requests for both the .0/25 and
> .128/25, it will only serve requests from the .128/25, and posts the
> following for requests from the .0/25
>
> "Sep 24 12:45:47 server1 dnsmasq[2640]: no address range available for DHCP
> request via eth0"
>
> I had initially tried one single large range spanning both subnets, which
> didn't work. I have now changed it to the below, which also hasn't worked.
>
> My dnsmasq.conf:
> dhcp-range=192.168.1.8,192.168.1.127,255.255.255.128
> dhcp-range=192.168.1.130,192.168.1.240,255.255.255.128
> dhcp-option=option:router,192.168.1.129
> interface=eth0
>
> The interface eth0 is configured as such:
> Ip: 192.168.0.253
> Mask: 255.255.255.128
> Gateway 192.168.1.129
>
> Any help would be...helpful. ;-)
>
> Warm regards,
> Scott
>

Could you give a bit more information about your configuration: at first glance, what you're doing doesn't make any sense. You have two subnets on one interface, which is fine, but the only thing that defines which subnet a machine is on is its IP address, and DHCP allocates that address. Before the address is allocated, all that's known about a machine is that it's on a particular physical network, there's no way to pin it down to a subnet.

Cheers,

Simon.
[Dnsmasq-discuss] Single interface, multiple subnets...
Hello,

I'm completely new to dnsmasq (and the Unix world in general [this is running on a FreeBSD box I've built]), and I'm looking to use dnsmasq to serve dhcp from a single interface to multiple network segments. I have not, however, been successful so far.

Now this is just a single block split into two 25 bit ranges, the DHCP server is in the .128/25, and while it sees requests for both the .0/25 and .128/25, it will only serve requests from the .128/25, and posts the following for requests from the .0/25

"Sep 24 12:45:47 server1 dnsmasq[2640]: no address range available for DHCP request via eth0"

I had initially tried one single large range spanning both subnets, which didn't work. I have now changed it to the below, which also hasn't worked.

My dnsmasq.conf:
dhcp-range=192.168.1.8,192.168.1.127,255.255.255.128
dhcp-range=192.168.1.130,192.168.1.240,255.255.255.128
dhcp-option=option:router,192.168.1.129
interface=eth0

The interface eth0 is configured as such:
Ip: 192.168.0.253
Mask: 255.255.255.128
Gateway 192.168.1.129

Any help would be...helpful. ;-)

Warm regards,
Scott
[Dnsmasq-discuss] two stupid questions
1. The '--test' option as described in the manpage doesn't appear to do anything (on my Mac OS X 10.5-based box); am I doing something wrong? Shouldn't the command be:

   /usr/local/sbin/dnsmasq --test

2. I'm unclear on how to review the logs - I see references in the documentation to sending SIGUSR1 and SIGUSR2 commands but don't understand HOW to do that.

I'd like to resolve these issues to help ensure that my machine is working properly before rolling it out to the office.

Thanks in advance for your help...

-Chris
Re: [Dnsmasq-discuss] Prevent forwarding of requests for hosts Dnsmasq already knows about
On Feb 24, 2009, at 1:31 AM, Simon Kelley wrote:

> The behaviour you are requesting is how it's supposed to work, so this is a bug rather than a misfeature. It's also a rather puzzling bug, since mixing data from an "upstream" nameserver and locally-known names is very difficult for dnsmasq to do.
>
> In your example above, I assume that 192.168.0.238 comes from DHCP. The only explanation I can come up with goes like this.
>
> 1) No DHCP lease exists for laptop.example.com and something does a DNS lookup. That puts the CNAME records for laptop.example.com into the cache.
>
> 2) laptop.example.com gets a DHCP lease, which puts the A record for laptop.example.com into the cache, but the CNAME is not deleted.
>
> 3) Subsequent DNS lookups get both bits of data from the cache.
>
> This is a great theory, except that there seems to exist code to delete any existing cache entries when a DHCP-derived name is pushed into the cache, which should handle this.
>
> Does my theory fit the facts? If you restart dnsmasq (and clear the cache) does the behaviour change?

You assume correctly, 192.168.0.238 comes from DHCP.

It looks like the "host" command sends several requests: it asks for an A, an AAAA, and MX record for the requested host. Here's the relevant log, right after restarting dnsmasq and renewing laptop.example.com's DHCP:

Feb 25 22:00:59 server dnsmasq[24614]: query[A] laptop.example.com from 192.168.0.10
Feb 25 22:00:59 server dnsmasq[24614]: DHCP laptop.example.com is 192.168.0.238
Feb 25 22:00:59 server dnsmasq[24614]: query[AAAA] laptop.example.com from 192.168.0.10
Feb 25 22:00:59 server dnsmasq[24614]: forwarded laptop.example.com to 68.94.156.1
Feb 25 22:01:00 server dnsmasq[24614]: reply laptop.example.com is <CNAME>
Feb 25 22:01:00 server dnsmasq[24614]: reply p4p.geo.vip.re4.yahoo.com is NODATA-IPv6
Feb 25 22:01:00 server dnsmasq[24614]: query[MX] laptop.example.com from 192.168.0.10
Feb 25 22:01:00 server dnsmasq[24614]: forwarded laptop.example.com to 68.94.156.1

The A query works great, but AAAA and MX records get forwarded. I think they shouldn't be. Is this expected behavior?

Ian
Re: [Dnsmasq-discuss] Prevent forwarding of requests for hosts Dnsmasq already knows about
On Feb 23, 2009, at 11:03 PM, Ian Scott wrote:

> I'd like Dnsmasq to not forward requests for any records to the upstream DNS servers for hosts it knows about via DHCP. It seems to be the case already for hosts in /etc/hosts:
>
> $ host server
> server.example.com has address 192.168.0.10

Oops; I take this part back. server.example.com had an A record and no CNAME from Yahoo. If it did actually have the CNAME, it would still show up "through" Dnsmasq.

Ian
[Dnsmasq-discuss] Prevent forwarding of requests for hosts Dnsmasq already knows about
DNS for my domain out on the Internet is served by Yahoo Small Business, and they serve a wildcard CNAME for that domain: *.example.com is a CNAME for the machine hosting the web site for example.com.

On my local network, I have Dnsmasq serving DNS and DHCP. For DHCP hosts, I get back both the A record from Dnsmasq and the wildcard CNAME from Yahoo. For example:

$ host laptop
laptop.example.com has address 192.168.0.238
laptop.example.com is an alias for p4p.geo.vip.re4.yahoo.com.
laptop.example.com is an alias for p4p.geo.vip.re4.yahoo.com.
p4p.geo.vip.re4.yahoo.com mail is handled by 0 .

I'd like Dnsmasq to not forward requests for any records to the upstream DNS servers for hosts it knows about via DHCP. It seems to be the case already for hosts in /etc/hosts:

$ host server
server.example.com has address 192.168.0.10

Ian
[Dnsmasq-discuss] Re: Is there a way to "block" IPv6 address queries?
I guess I should clarify; I'm not trying to "be kind to my DNS server" (although that's a nice side effect) so much as improve responsiveness for client machines. Assume my connectivity to the public DNS is slow, congested, lossy, etc. I want to reduce the several second delay on every address lookup due to misguided client software hoping for IPv6 reachability that isn't actually there.

>That's negative caching. The way it's done is specified in RFC 2308 and
>dnsmasq supports it. The crucial thing is that there needs to be an SOA
>record in the authority section of the reply in order for a negative
>cache entry to be generated. I've noticed that recently my ISP's
>nameservers have stopped including an NS section. They probably think
>doing that will reduce the load on their nameservers. Poor fools.

RFC 2308 says:

    A negative answer that resulted from a no data error (NODATA) should be
    cached such that it can be retrieved and returned in response to another
    query for the same <QNAME, QTYPE, QCLASS> that resulted in the cached
    negative response.

I don't think this is working for me in 2.22.

>I suspect that your ISP has done the same thing. Try running a query
>using "dig" for an unknown domain and see what you get: it should look
>like this:
>
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4694
>
>but if it looks like this instead, that's the source of the problem.
>
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25755

Does this help? [No, I don't see any NS records included.]

% dig www.nonxx.net in

; <<>> DiG 8.3 <<>> www.nonxx.net in
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31092
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.nonxx.net, type = AAAA, class = IN

;; AUTHORITY SECTION:
net.                    3H IN SOA       a.gtld-servers.net. nstld.verisign-grs.com. (
                                        1113256832      ; serial
                                        30M             ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        15M )           ; minimum

;; Total query time: 25 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:01:10 2005
;; MSG SIZE  sent: 31  rcvd: 104

% dig www.cnn.com in

; <<>> DiG 8.3 <<>> www.cnn.com in
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42213
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.cnn.com, type = AAAA, class = IN

;; ANSWER SECTION:
www.cnn.com.            2m14s IN CNAME  cnn.com.

;; AUTHORITY SECTION:
cnn.com.                8m50s IN SOA    bender.turner.com. hostmaster.tbsnames.turner.com. (
                                        2005040700      ; serial
                                        15M             ; refresh
                                        5M              ; retry
                                        1W              ; expiry
                                        15M )           ; minimum

;; Total query time: 16 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:01:53 2005
;; MSG SIZE  sent: 29  rcvd: 113

% dig cnn.com in

; <<>> DiG 8.3 <<>> cnn.com in
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;      cnn.com, type = AAAA, class = IN

;; AUTHORITY SECTION:
cnn.com.                3m56s IN SOA    bender.turner.com. hostmaster.tbsnames.turner.com. (
                                        2005040700      ; serial
                                        15M             ; refresh
                                        5M              ; retry
                                        1W              ; expiry
                                        15M )           ; minimum

;; Total query time: 16 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:02:09 2005
;; MSG SIZE  sent: 25  rcvd: 95

It shouldn't be hard to duplicate my tests.

To recap, there are now three open issues:

1) Is negative caching functioning as expected? [For AAAA queries when dnsmasq has been compiled with -DNO_IPV6]

2) Is cached NXDOMAIN information being used to its full extent?

3) Is it practical to--as an option--intercept IPv6 address lookups as previously described?

-=EPS=-
[Dnsmasq-discuss] Is there a way to "block" IPv6 address queries?
This example uses a FreeBSD 4.x installation, in which most user applications invoke the getaddrinfo(3)* API for name-to-address resolution. By default, this tries both IPv6 and IPv4, giving preference to the former.

*FreeBSD man pages: http://www.freebsd.org/cgi/man.cgi

My Internet Service Provider du jour only believes in IPv4, so even "successful" IPv6 resolution is nonproductive:

% ftp ftp.isc.org
ftp: connect to address 2001:4f8:0:2::18: No route to host
Trying 204.152.184.110...
Connected to ftp.isc.org.
220 Welcome to ftp.isc.org.

That's an unusual case, of course. Nearly all the sites I care about simply don't "do" IPv6, and have no plans to adopt it in the foreseeable future.

Now, I've compiled dnsmasq with -DNO_IPV6. This merely prevents dnsmasq itself from doing inappropriate things. But watch what happens when it's used:

# dnsmasq -h -u bind -g dialer -i lo0 -b -r /etc/resolv.conf,sbc-sf -n -D -d -q
dnsmasq: started, version 2.22 cachesize 150
dnsmasq: setting --bind-interfaces option because of OS limitations
dnsmasq: cleared cache
dnsmasq: reading /etc/resolv.conf,sbc-sf
dnsmasq: using nameserver 206.13.31.12#53
dnsmasq: using nameserver 206.13.28.12#53
dnsmasq: query[] www.sfgate.com from 127.0.0.1
dnsmasq: forwarded www.sfgate.com to 206.13.28.12
dnsmasq: forwarded www.sfgate.com to 206.13.31.12
dnsmasq: query[A] www.sfgate.com from 127.0.0.1
dnsmasq: forwarded www.sfgate.com to 206.13.28.12
dnsmasq: reply www.sfgate.com is
dnsmasq: reply sfgate.com is 66.35.240.8
dnsmasq: query[] www.sfgate.com from 127.0.0.1
dnsmasq: forwarded www.sfgate.com to 206.13.28.12
dnsmasq: query[A] www.sfgate.com from 127.0.0.1
dnsmasq: cached www.sfgate.com is
dnsmasq: cached sfgate.com is 66.35.240.8
dnsmasq: query[] sfgate.com from 127.0.0.1
dnsmasq: forwarded sfgate.com to 206.13.28.12
dnsmasq: query[A] sfgate.com from 127.0.0.1
dnsmasq: cached sfgate.com is 66.35.240.8

Notice how the public DNS keeps being hammered with identical queries, which, of course, have identical results [no error, no records returned]. The whole point of using a caching DNS server was to eliminate redundant network traffic. Dnsmasq has cut it in half, but it really should be doing much better.

It's true that on this machine, some applications (such as ftp and ssh) offer command-line options to restrict queries to IPv4-only. But many do not, and there's no other convenient means to make this the default. While I could conceivably use LD_PRELOAD to override getaddrinfo(3) [along with its "predecessors" getipnodebyname(3) and gethostbyname2(3)], this is awkward at best. Recompilation to remove the IPv6 bits entirely is even more distasteful. None of this helps in a production environment, where queries would originate on other LAN clients, with differing operating systems, configurations, etc.

So what am I looking for?

(1) a means to alleviate repeated forwarding when no records of a given type (, MX, TXT, etc.) have been determined to exist for a [NOERROR] domain.

(2) a "deep six" option that might work as follows: If an query comes in that can not be answered from the cache, forward an A instead. If that comes back with NXDOMAIN, pass it along. Otherwise, save the A record, and [non-authoritatively?] respond that no records exist. A subsequent A query would be satisfied from the cache.

Comments?

-=EPS=-
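As an added illustration (my own code, neither dnsmasq's nor the poster's), here is a toy model of the RFC 2308 rule that this post and the follow-up above both turn on: a NODATA or NXDOMAIN reply can only be negatively cached when the authority section carries an SOA, and then only for min(SOA TTL, SOA MINIMUM). The record names, the three-query replay and the `Reply`/`NegativeCache` types are constructed; the 3H/15M SOA values are taken from the dig output above, and `count_forwards` contrasts an upstream that includes the SOA with one that omits it, which is the cause the reply above suspects.

```python
"""Toy model of RFC 2308 negative caching (added illustration, not dnsmasq code).
A NODATA or NXDOMAIN reply is cacheable only if its authority section carries an
SOA; the entry lives for min(SOA TTL, SOA MINIMUM). Without it, repeats are forwarded."""
from collections import namedtuple

NOERROR, NXDOMAIN = 0, 3
# ttl: TTL the SOA RR carried in the authority section; minimum: SOA MINIMUM field
Soa = namedtuple("Soa", "ttl minimum")
# soa is None when the upstream server left the SOA out of the authority section
Reply = namedtuple("Reply", "qname qtype rcode answers soa")


def negative_ttl(soa):
    """RFC 2308 section 3: negative TTL is the lesser of SOA TTL and SOA MINIMUM."""
    return min(soa.ttl, soa.minimum)


class NegativeCache:
    def __init__(self):
        self.entries = {}  # (qname, qtype or None) -> absolute expiry time

    def store(self, reply, now):
        """Remember a negative reply; return False when it is not cacheable."""
        if reply.rcode == NXDOMAIN:
            key = (reply.qname.lower(), None)         # the whole name is absent
        elif reply.rcode == NOERROR and not reply.answers:
            key = (reply.qname.lower(), reply.qtype)  # NODATA: only this type
        else:
            return False                              # positive answer
        if reply.soa is None:
            return False                              # no TTL source, cannot cache
        self.entries[key] = now + negative_ttl(reply.soa)
        return True

    def lookup(self, qname, qtype, now):
        """Return "NXDOMAIN" or "NODATA" when a live entry answers the question."""
        for key, kind in (((qname.lower(), None), "NXDOMAIN"),
                          ((qname.lower(), qtype), "NODATA")):
            if self.entries.get(key, 0) > now:
                return kind


def count_forwards(upstream_sends_soa):
    """Replay three constructed AAAA lookups; count how many go upstream."""
    cache, now, forwards = NegativeCache(), 0, 0
    soa = Soa(ttl=10800, minimum=900) if upstream_sends_soa else None  # 3H, 15M
    for qname in ("www.sfgate.com", "www.sfgate.com", "sfgate.com"):
        if cache.lookup(qname, "AAAA", now) is None:
            forwards += 1  # nothing cached, so the query goes upstream
            cache.store(Reply(qname, "AAAA", NOERROR, [], soa), now)
        now += 1
    return forwards
```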
[Dnsmasq-discuss] dnsmasq 2.21 breaks file names containing commas
I'm using a command line like:

dnsmasq -h -u bind -g dialer -i lo0 -b -r /etc/resolv.conf,isp1 -n -D -d -q

to provide local DNS caching on a mobile FreeBSD 4.x system. This worked rather well up through 2.20, but now fails due to an ill-conceived addition to dnsmasq-2.21/src/option.c [lines 232-235]:

if (optarg)
  for (p = optarg; *p; p++)
    if (*p == ',')
      *p = '\001';

This causes dnsmasq to die when it fails to open /etc/resolv.conf^Aisp1.

1) Treat argv[] as read-only. The only legitimate reason to scribble over it is to subvert ps(1), and then only if something like setproctitle(3) isn't available on the target platform.

2) All characters (other than NUL, obviously) should be acceptable in file names. The only printable character traditionally eschewed is the colon (:).

I suggest reverting to the way things were in 2.20, and considering other approaches to achieve the desired results.

-=EPS=-
[Dnsmasq-discuss] 2 subnets, bridged
I'm a happy dnsmasq user now looking to step into more advanced configurations. Rather than buy a Linksys WRT54G and use custom firmware, I'd like to configure my (routing) multi-homed LEAF/Bering PC to instead bridge my wired and wireless segments. I'd like to assign each side of the bridge a separate portion of the total bridged address space. Can I do this with dnsmasq?

My (possibly naive) hope is that I can construct Shorewall zones for each side of the bridge to construct per-zone firewall rules while still allowing wired and wireless nodes to communicate without restriction (mostly to play games that rely on broadcast UDP for discovering partners =).

I _think_ I'll want to assign IP addresses to each interface on my router, and run two instances of dnsmasq to respond to incoming queries on each interface. Then configure dnsmasq to hand out DHCP addresses with the _bridge_ address as the default gateway.

Before I start down a possible dead-end, can anyone offer guidance / suggestions?

Cheers,
Scott
--
ski...@skippy.net | http://skippy.net/
[Dnsmasq-discuss] Different DNS lookup for different subnets?
I've got a linux box running DNSMasq serving as a router/firewall with several subnets underneath it (for lan, dmz, guests). I'd like to have a generic hostname for the box that I could use to access the router from any of the subnets. In other words router.domain.local would return 192.168.101.1 or 192.168.102.1 or 192.168.103.1 depending on which subnet the user is in. Is there any way to set this up with DNSMasq? Any suggestions for another way to handle this besides just making lots of alias names for the box for each IP address (e.g. router-lan, router-dmz, router-guest)? Thanks!
[Dnsmasq-discuss] DHCP service to multiple subnets?
I searched the net looking to see if this question had been answered somewhere, but didn't see anything. I'm putting together a Linux router box to serve as the main gateway/firewall for my office and would like to use DNSMasq on it for DNS and DHCP. This box has several ethernet ports on it and each will be statically assigned to a different subnet (one for the internet connection, one for local machines, one for DMZ machines, and one for guest machines with internet access but no local access). If possible I'd like to use DNSMasq to provide DHCP services to each of the subnets. Basically any machine attaching through eth3 would get one subnet, machines attaching through eth2 would get a different subnet, etc. Is this possible? It seems like there are sufficient capabilities to do this, but it's not obvious to me how it would be done. Thanks for your help!