Re: [Dnsmasq-discuss] Authoritative and recursive service from the same interface

2018-09-28 Thread Eric Luehrsen
On 09/28/2018 06:46 PM, Simon Kelley wrote: On 28/09/18 23:07, Marc Heckmann wrote: Very nice, I will test this. I am curious though: what will be used for the NS record if the auth-server configuration is omitted? It appears to return an NS record of "." ie the DNS root. Which is not

Re: [Dnsmasq-discuss] No DNS server assigned to dhcp clients if port != 53 in dnsmasq.conf

2018-06-30 Thread Eric Luehrsen
On 06/30/2018 01:26 PM, richardvo...@gmail.com wrote: On Sat, Jun 30, 2018 at 8:39 AM, Gordon Hsiao > wrote: If in my dnsmasq.conf I used a different port other than 53 for dns, dnsmasq never assigns DNS server to my dhcp clients, is this a feature or a

Re: [Dnsmasq-discuss] Feature enhancement to rebind protection

2018-01-28 Thread Eric Luehrsen
Hi Kurt, I think that my one example use case may have thrown off my intent. >> It would not be a Bug if it is an appropriately selectable option for local administration to configure for their own security requirements. > I hope it's not your intent to claim that all software should support

Re: [Dnsmasq-discuss] Feature enhancement to rebind protection

2018-01-28 Thread Eric Luehrsen
wrt misdirected thread: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011922.htm Some circumstances may be vulnerable to DNS rebinding attacks against global IPv6 address. Through DHCPv6-PD the local network is a uniquely identifying global subnet. This makes DNS rebinding to

[Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation

2018-01-27 Thread Eric Luehrsen
This is a request for feature feasibility or acceptability. Some circumstances may be vulnerable to DNS rebinding attacks against global IPv6 address. Through DHCPv6-PD the local network is a uniquely identifying global subnet. This makes DNS rebinding to a local machine on its global IPv6 as

[Dnsmasq-discuss] Update rebind attack protection to include IP6 delegation

2018-01-27 Thread Eric Luehrsen
This is a request for feature feasibility or acceptability. Some circumstances may be vulnerable to DNS rebinding attacks against global IPv6 address. Through DHCPv6-PD the local network is a uniquely identifying global subnet. This makes DNS rebinding to a local machine on its global IPv6 as

[Dnsmasq-discuss] Feature enhancement to rebind protection

2018-01-27 Thread Eric Luehrsen
Sorry, I must have been typing and dumb-thumbed the touch pad at the same time for odd results. Please see misplaced thread here: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011922.html ___ Dnsmasq-discuss mailing list

Re: [Dnsmasq-discuss] FW: Cachesize

2017-04-10 Thread Eric Luehrsen
Hi Nathan, Just thinking out loud: > There is only about 1000 endpoints of various types, from residential to business. Having worked with Unbound and dnsmasq, I would say the proverb "right tool for the right job" applies. I would guess not all 1000 endpoints are on one subnet, maybe

Re: [Dnsmasq-discuss] [PATCH] Delay DHCP replies for Raspberry Pi clients

2017-03-29 Thread Eric Luehrsen
On 03/29/2017 04:35 PM, Dan Sneddon wrote: > On 03/29/2017 10:43 AM, Chris Novakovic wrote: >> On 29/03/2017 18:13, Kurt H Maier wrote: >>> On Wed, Mar 29, 2017 at 02:48:48PM +0200, Floris Bos wrote: The PXE boot firmware implementation of the Raspberry Pi 3 has a bug causing it to fail

Re: [Dnsmasq-discuss] DNSSEC Trust Anchor Roll for 2017

2017-02-25 Thread Eric Luehrsen
Never mind the idiot (me). It is already implemented in V2.77TEST3. On 02/26/2017 12:46 AM, Eric Luehrsen wrote: > The next release trust-anchor.conf file should include DS record (20326) > as well as (19036). I am sure users would like a seamless transition > through new KSK int

[Dnsmasq-discuss] DNSSEC Trust Anchor Roll for 2017

2017-02-25 Thread Eric Luehrsen
The next release trust-anchor.conf file should include DS record (20326) as well as (19036). I am sure users would like a seamless transition through new KSK introduction and former KSK revocation in 2018. https://www.icann.org/resources/pages/ksk-rollover https://www.iana.org/domains/root Eric

Re: [Dnsmasq-discuss] Conditional DNS response by source

2017-02-07 Thread Eric Luehrsen
Correct is used for DHCP options and network or host binding. DNS is not linked as such. If you are using OpenWrt/LEDE as your gateway, then you have an easier to use option. LEDE 17.01(RC) supports building dnsmasq instances on designated networks. So instead of HOME and GUEST SSID on your

Re: [Dnsmasq-discuss] Bug forward upstream SERVFAIL

2017-01-24 Thread Eric Luehrsen
As dnsmasq is a stub resolver I believe it _IS_ important to consider what popular recursive resolvers do. Bind, Unbound, and NSD do need to be referenced because they do most of the heavy lifting. Bind was already discussed. Unbound not only checks for multiple response paths but caches all

Re: [Dnsmasq-discuss] IPv6 on OpenWRT

2017-01-22 Thread Eric Luehrsen
00::]' With my pull request on LEDE Original message From: Aaron Wood <wood...@gmail.com> Date: 1/23/17 00:46 (GMT-05:00) To: Eric Luehrsen <ericluehr...@hotmail.com> Cc: "BIZ: DNSMASQ List" <dnsmasq-discuss@lists.thekelleys.org.uk>

Re: [Dnsmasq-discuss] IPv6 on OpenWRT

2017-01-22 Thread Eric Luehrsen
https://github.com/lede-project/source/pull/674 - Eric Original message From: Aaron Wood <wood...@gmail.com> Date: 1/23/17 00:46 (GMT-05:00) To: Eric Luehrsen <ericluehr...@hotmail.com> Cc: "BIZ: DNSMASQ List" <dnsmasq-discuss@lists.thekelleys.org.

Re: [Dnsmasq-discuss] Bug forward upstream SERVFAIL

2017-01-22 Thread Eric Luehrsen
If you are a customer of some "we build or host your website" companies, then you may also suffer the other end of this. That is, your registrar does a horrible job of pushing your DNSKEY to the correct next-level server and getting a valid DSKEY ... and doing that for all redundant server chains.

Re: [Dnsmasq-discuss] IPv6 on OpenWRT

2017-01-22 Thread Eric Luehrsen
Syntax error also. option/option6 statements need a colon before the option-name --dhcp-option=option6:dns-server,[fd00::] For OpenWrt/LEDE you can use dnsmasq-dhcp6 or dnsmasq-full. If you migrate over to LEDE and do your own builds, I have a pull on github to incorporate dnsmasq-dhcp6 into

Re: [Dnsmasq-discuss] IPv6 on OpenWRT

2017-01-16 Thread Eric Luehrsen
Hi Alec, Have you tried setting `--dhcp-option=option6:dns-server,[fd00::]` for auto fill in of ULA or `--dhcp-option=option6:dns-server,[::]` auto ~ GA? By default dnsmasq will send [fe80::] LL in RA and DHCPv6, but some clients do not like DNS on LL. It also can break down in some

[Dnsmasq-discuss] How small is a 'small network'?

2015-11-25 Thread Eric Luehrsen
Any network could be grouped in small networks. Physically I would imagine your example as a five-floor building with an IoT load of 200 per floor. If each floor is its own subnet (192.168.x.x/20 gives wiggle room to address computation in dnsmasq), then roaming to meetings can be made seamless (some

[Dnsmasq-discuss] Interface-name not injecting name into cache

2015-10-27 Thread Eric Luehrsen
This is a configuration for a router where eth0.1 and wifi are bridged to br-lan. br-lan is a proper interface as far as dnsmasq is concerned. Also note, but not related, it is probably a good idea to use tags. Set a tag for each network range dhcp4 and dhcp6 with options.

Re: [Dnsmasq-discuss] Interface-name not injecting name into cache

2015-10-27 Thread Eric Luehrsen
-NAMES). domain=lanserver=/lan/ ____ From: Eric Luehrsen <ericluehr...@hotmail.com> Sent: Tuesday, October 27, 2015 8:58 PM To: BIZ: DNSMASQ List Subject: [Dnsmasq-discuss] Interface-name not injecting name into cache This is a configuration for a router where eth0.1 and

[Dnsmasq-discuss] Possible Bug: DHCPV6 Does Not Make Lease Entry for DHCP CONFIRM

2015-10-21 Thread Eric Luehrsen
attached with the status in the Reply message it returns to the > client. > >My reading is that this is NOT a check that lease(s) exist, only that >the addresses are in the appropriate subnet, which they are in this >case. It's possible that I've mis-interpreted the intention of the

[Dnsmasq-discuss] Enable bogus-priv by default

2015-10-19 Thread Eric Luehrsen
Kevin, I don't think there is a flaw in your logic. You are probably 50% right. DNSMASQ is so flexible and useful it has found two significant homes and a bunch of other neat uses. Top however, (1) as a single point entry router caching DNS (ex 192.168.1.1 / X.X.X.X -> 8.8.4.4), and (2) as a

[Dnsmasq-discuss] about ipv6 prefix delegation

2015-10-18 Thread Eric Luehrsen
dhcp-option=option6:dns-server,[::] >>> This is correct but not necessary, dnsmasq does it by default. This CAN BE necessary, depending. This option has a valid use case with SLAAC+DHCPV6 (stateful or stateless) for DNSMASQ router advertisements. The default RA DNS FIELD uses the

[Dnsmasq-discuss] Possible Bug: DHCPV6 Does Not Make Lease Entry for DHCP CONFIRM

2015-10-17 Thread Eric Luehrsen
Using the latest OpenWRT 15.05 (C.C.), DNSMASQ 2.73 is logging DHCP (v6) CONFIRM events with host names but not re-entering them into the lease file. (Note, I also saw this late in 14.07 (B.B.) with DNSMASQ for that release, so it's not new.) A way to catch this behavior is use (client) a

[Dnsmasq-discuss] NAT Congestion Enhancement for DNS Client Port Selection

2015-07-12 Thread Eric Luehrsen
It's been a while since I could try to simulate a good use case. In short it's peeling an onion and just exposed a whole bunch of bad factors. There are other issues in these gateways. They do a lot of stuff that has no customer tuning or even visibility. This confounds any honest testing. If

[Dnsmasq-discuss] NAT Congestion Enhancement for DNS Client Port Selection

2015-04-22 Thread Eric Luehrsen
On 22/04/15 03:49, Eric Luehrsen wrote: I would like to propose that DNSMASQ move the port every 6-60 seconds random per port# and also DNSMASQ move client ports when so many requests have processed (max-concurrent reused or %10 of cache or random again?).  This will keep its profile

[Dnsmasq-discuss] NAT Congestion Enhancement for DNS Client Port Selection

2015-04-21 Thread Eric Luehrsen
A while ago, DNSMASQ changed to roaming client ports to prevent being a sitting duck for [various response] attacks. Each new request forward is assigned a new client return port. This is good. Further, the minimum port in the selection of ports can be pushed away from extended low-range

[Dnsmasq-discuss] High Availability: Part Deux

2015-04-21 Thread Eric Luehrsen
Jonathan, If you have a second daemon running next to each DNSMASQ that just scans the shared lease file, it could issue a restart to DNSMASQ which would read the lease file (SIGUSR1). This blows out the resolving cache, but we have all seen other sledgehammer approaches that amazingly work.