Re: [Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation
> Some circumstances may be vulnerable to DNS rebinding attacks
> against global IPv6 address. Through DHCPv6-PD the local network is
> a uniquely identifying global subnet. This makes DNS rebinding to a
> local machine on its global IPv6 as easy as traditional RFC1918. It
> would be a good idea to eliminate any local network IP (RFC1918 or
> otherwise) from global DNS responses.

I would consider that a BUG (actually it does exist as a bug ... in AVM Fritz!Boxes).

Public IPs are public IPs are public IPs. One of the benefits of IPv6 is that everybody, incl. normal private users, can finally get *public* IPs for all devices. This effectively removes the need to use different IPs (and sometimes even ports) for access to the very same resources, depending on whether you are at home/at your office or outside.

That means I can put up a web server on 2001:db8:dead::beef, create a record for it and use that new host name from inside as well as from the outside of my LAN. No need to use 192.168.blah.blubb:80 from inside and bla.dyn.com:88 from the outside.

So actually I want my hostnames to resolve anywhere, also at home.

-- 
Kind regards
Ziggy SpaceRat

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
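The disagreement above is about which address ranges a rebind filter should reject. The following is an added example, not dnsmasq's own code: a small filter in the style of dnsmasq's --stop-dns-rebind that drops upstream answers pointing into "local" ranges, with the delegated global prefix optionally added to that set as the quoted proposal suggests. The list of ranges in DEFAULT_LOCAL_NETS is an assumption (the thread does not enumerate dnsmasq's own list); the sample answers are constructed, reusing the 2001:db8:dead::beef host from the message.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Ranges a traditional rebind filter treats as local. Assumed set for this
# example; RFC1918, loopback, link-local, and IPv6 ULA/link-local/loopback.
DEFAULT_LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
    ipaddress.ip_network("fc00::/7"),
]

# A resource record as (owner name, type, rdata); only A/AAAA rdata is inspected.
RR = Tuple[str, str, str]


def is_local(addr: str, local_nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if addr falls into one of the configured local ranges."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 answer (::ffff:a.b.c.d) smuggles an IPv4 address;
    # classify the embedded IPv4 address, not the IPv6 wrapper.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # ip_network.__contains__ returns False across address families, so
    # mixing v4 and v6 entries in local_nets is safe.
    return any(ip in net for net in local_nets)


def rebind_offenders(
    answers: Iterable[RR],
    local_nets: Optional[Iterable[ipaddress._BaseNetwork]] = None,
    delegated_prefix: Optional[str] = None,
) -> List[str]:
    """Return the rdata of every A/AAAA answer that points into a local range.

    An empty list means the reply passes the filter. A non-empty list is the
    signal on which a rebind filter would refuse the whole reply and log it.
    delegated_prefix (e.g. the DHCPv6-PD prefix) is added to the local set
    when given; that is the proposal the message argues against, because it
    makes the LAN's own public IPv6 hosts unresolvable from inside.
    """
    nets = list(DEFAULT_LOCAL_NETS if local_nets is None else local_nets)
    if delegated_prefix is not None:
        nets.append(ipaddress.ip_network(delegated_prefix, strict=False))
    return [
        rdata
        for _name, rtype, rdata in answers
        if rtype in ("A", "AAAA") and is_local(rdata, nets)
    ]


if __name__ == "__main__":
    # Constructed sample replies.
    own_server = [("www.example.com", "AAAA", "2001:db8:dead::beef")]
    rebind_reply = [("x.example", "A", "203.0.113.5"),
                    ("x.example", "A", "192.168.1.10")]
    print("own server, default ranges :", rebind_offenders(own_server))
    print("own server, PD prefix added:",
          rebind_offenders(own_server, delegated_prefix="2001:db8:dead::/48"))
    print("classic rebind reply       :", rebind_offenders(rebind_reply))
```

With the default ranges the public IPv6 server resolves from inside the LAN; once the delegated /48 is added to the local set, the same answer is flagged, which is the trade-off the thread is about.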
Re: [Dnsmasq-discuss] Windows ipv6 hostname
Toke Høiland-Jørgensen wrote:
> will use the same address on every network). So I would expect more and
> more clients to adopt the privacy-preserving approach. I believe
> NetworkManager has support for it on Linux, but am not sure if it's
> enabled by default.

New installations of Debian and Ubuntu enable it by default.

>>> A way to get naming is to use ohybridproxy:
>> Thanks for the information, but I have managed to compile ohybridproxy
> Haven't had time to play with it myself yet, so can't be of much help

ohybridproxy won't help: It is limited to mDNS/avahi. Windows does not support mDNS/avahi.

It would help though if DNSMasq contained a combined mDNS/LLMNR resolver. If one compiles avahi with an LLMNR patch, it can resolve hosts that do mDNS and hosts that do LLMNR:

root@linux ~ # avahi-resolve -6n windows.local
windows.local fe80::96de:80ff:fe12:3456

It should be possible to add the LLMNR-patched resolver part of avahi to DNSMasq.

-- 
Kind regards
Ziggy SpaceRat
[Dnsmasq-discuss] Ignore single hosts for DHCPv4 but not for DHCPv6/SLAAC, SLAAC name resolution
Greetings,

I would like to know if there is any way to achieve this:

While I generally assign IPv4 addresses to all hosts in my network, I do not want to do this for a few ones (those that I've already switched to IP(v6)-only operation).

I know that I can disable DHCP entirely for a specific host using

dhcp-host=00:1d:ec:12:34:56,ignore

but what I want is more like

dhcp-host=00:1d:ec:12:34:56,hostname

-» Gets no IPv4 address and no IPv6 address (as none entered), but the entry is still used for host name probing in conjunction with SLAAC.

However what this really does is: Gets a random IPv4 (and/or IPv6) address from the pool(s).

Is there any way I can configure this for *single* hosts?
- DHCPv4 completely disabled
- DHCPv6 announcing DNS server only (just O flag)
- Still able to resolve name based on SLAAC

For the SLAAC resolution, I know that DNSMasq tries this: When a DHCP host entry exists, DNSMasq builds the stateless address this MAC would result in without the bullshit extensions and then pings that host.

I also see why *this* method cannot work for hosts without DHCP address assigning: DNSMasq doesn't notice *when* they configure their addresses, as the triggering event (DHCP) is missing.

But I have two different approaches which might work even better:
1. Periodically check the NDP neighbourhood for hosts and/or
2. Build the stateless address when the host's name gets queried and ping it (same method as now, just a different/additional trigger). Would of course delay the response but it's better than no resolution at all ...

BTW: Hosts that are configured for DHCPv4 on the host side but are ignored by DNSMasq are causing terribly high CPU load while they hammer DNSMasq for a DHCP lease ...

-- 
Kind regards
Ziggy SpaceRat
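The message describes dnsmasq building "the stateless address this MAC would result in" for a dhcp-host entry. The following is an added example, not dnsmasq's code: it derives the modified-EUI-64 SLAAC address from a MAC and a /64 prefix, and does the reverse lookup (address back to MAC), which returns nothing for a privacy-extension address, the case the message says defeats this kind of probing. The MAC 00:1d:ec:12:34:56 and the 2001:db8 prefix are taken from the message; the fe80 address matches the avahi output quoted earlier on this page; the privacy-style address in the usage block is constructed.

```python
import ipaddress
from typing import Optional


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) for a 48-bit MAC.

    The MAC is split in two, 0xfffe is inserted in the middle, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes(int(p, 16) for p in parts)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02  # flip the U/L bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """IPv6 address a host with this MAC autoconfigures in the given /64 prefix
    when it uses EUI-64 identifiers (i.e. privacy extensions disabled)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address autoconfiguration needs a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_from_mac(mac)
    return str(ipaddress.IPv6Address(packed))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None when the
    interface identifier is not EUI-64 shaped (e.g. an RFC 4941 privacy
    address), in which case the MAC-based probe cannot predict the address."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00:1d:ec:12:34:56"  # MAC from the dhcp-host line in the message
    print("global SLAAC address :", slaac_address("2001:db8::/64", mac))
    print("link-local address   :", slaac_address("fe80::/64", mac))
    print("MAC behind fe80::96de:80ff:fe12:3456 :",
          mac_from_slaac("fe80::96de:80ff:fe12:3456"))
    # Constructed privacy-style address: no ff:fe marker, so no MAC is recoverable.
    print("MAC behind 2001:db8::1c3a:9b7e:4d2f:8a61 :",
          mac_from_slaac("2001:db8::1c3a:9b7e:4d2f:8a61"))
```

The None result for the privacy-style address is the point of the message's remark about the "extensions": if a client randomises its interface identifier, the address cannot be predicted from the dhcp-host MAC, so a resolver that wants to name such hosts has to learn addresses from the neighbour table instead.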