Re: [Dnsmasq-discuss] dnsmasq and AD flag forwarding

2013-12-12 Thread Simon Kelley

On 11/12/13 13:52, Tomas Hozza wrote:

Hi.

I have been trying to understand what --proxy-dnssec option does.


From what I understand if NOT used, dnsmasq will NOT forward the

AD flag set by the upstream server to its clients.

If the --proxy-dnssec option is used, dnsmasq WILL forward the
AD flag in the DNS answer IF it was set by the upstream server.

If this is correct, then the dnsmasq behaviour differs.

I run:
[root@localhost ~]# dnsmasq -d --bind-interfaces --interface=lo 
--server=8.8.8.8 --no-resolv
dnsmasq: started, version 2.68 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 
no-Lua TFTP no-conntrack ipset auth
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 2 addresses


and then on the same machine I run DIG:
[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35121
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz. 865 IN  A   217.31.205.50

;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:47:11 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39434
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz. 863 IN  A   217.31.205.50

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:47:13 CET 2013
;; MSG SIZE  rcvd: 40


You can see that after dnsmasq caches the answer, it sets the AD flag for
every subsequent query received from a client.

If I set --cache-size=0, the AD flag is never set. Also subsequent
queries look fine.


However if I run dnsmasq as follows:
[root@localhost ~]# dnsmasq -d --bind-interfaces --interface=lo 
--server=8.8.8.8 --no-resolv --cache-size=0 --proxy-dnssec
dnsmasq: started, version 2.68 cache disabled
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 
no-Lua TFTP no-conntrack ipset auth
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: read /etc/hosts - 2 addresses

Then the AD flag is never forwarded to the client:
[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz. 670 IN  A   217.31.205.50

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:50:25 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @127.0.0.1 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @127.0.0.1 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44968
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz. 1034    IN      A       217.31.205.50

;; Query time: 25 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 11 14:50:30 CET 2013
;; MSG SIZE  rcvd: 51

[root@localhost ~]# dig @8.8.8.8 nic.cz

; <<>> DiG 9.9.4-RedHat-9.9.4-8.fc20 <<>> @8.8.8.8 nic.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17357
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;nic.cz.                        IN      A

;; ANSWER SECTION:
nic.cz. 993 IN  A   217.31.205.50

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 11 14:51:10 CET 2013
;; MSG SIZE  rcvd: 51


As you can see, the 8.8.8.8 server sets the AD flag in the response.

Is this a bug or am I doing something wrong?


I can see at least one bug in the code: in the code-path taken to answer 
a query from the cache, the value of the AD flag is never changed: it 
simply takes the value that it had in the query. I guess the 
authenticated status of the data should be cached, and used to provide 
this information.


I'm currently deep into work to provide DNSSEC validation in dnsmasq, 
and all of this code is therefore subject to massive revision in the 
near 
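The cache-hit bug Simon describes above, as an added illustration of the two shapes the reply-header code can take. This is not dnsmasq's source; it is a minimal sketch over the 12-byte DNS header (RFC 1035 section 4.1.1, AD/CD bits from RFC 4035), and `struct cache_entry` with its `authenticated` member is a hypothetical stand-in for whatever a cache actually stores. The point is the security one: if the reply flags are the query flags with QR and RA switched on, the client controls AD and is told its answer is authenticated whether or not it ever was.

```c
/* Added illustration, not dnsmasq source: why a cache hit must build the AD
 * bit from the cached record instead of echoing the client's query header. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12

/* Bits of the 16-bit flags word at header offset 2 */
#define F_QR     0x8000  /* message is a response */
#define F_OPCODE 0x7800  /* four-bit opcode, copied from the query */
#define F_RD     0x0100  /* recursion desired, copied from the query */
#define F_RA     0x0080  /* recursion available */
#define F_AD     0x0020  /* authenticated data: every RRset validated */
#define F_CD     0x0010  /* checking disabled, copied from the query */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Hypothetical cache record: the stored answer plus the validation status
 * learned when the answer came back from upstream. */
struct cache_entry {
    int authenticated;   /* 1 if the upstream answer arrived with AD set */
};

/* Shape of the bug: the reply header is the query header with QR and RA
 * switched on. AD is never touched, so it keeps whatever the client sent. */
void reply_header_buggy(const uint8_t *query, const struct cache_entry *e, uint8_t *reply)
{
    (void)e;  /* the cached validation status is never consulted */
    memcpy(reply, query, DNS_HDR_LEN);
    put16(reply + 2, get16(query + 2) | F_QR | F_RA);
}

/* Corrected shape: rebuild the flags word. Only opcode, RD and CD come from
 * the query; AD comes from the cache entry; RCODE stays NOERROR, which is
 * right for a positive hit. Section counts are left for the caller to fill.
 * (RFC 6840 also lets a server withhold AD unless the query set AD or DO;
 * that refinement is not modelled here.) */
void reply_header_fixed(const uint8_t *query, const struct cache_entry *e, uint8_t *reply)
{
    uint16_t qflags = get16(query + 2);
    uint16_t flags = F_QR | F_RA | (qflags & (F_OPCODE | F_RD | F_CD));
    memcpy(reply, query, DNS_HDR_LEN);
    if (e->authenticated)
        flags |= F_AD;
    put16(reply + 2, flags);
}

/* Inspection helpers for a built header */
uint16_t reply_flags(const uint8_t *reply) { return get16(reply + 2); }
uint16_t reply_id(const uint8_t *reply)    { return get16(reply); }
int reply_has_ad(const uint8_t *reply)     { return (reply_flags(reply) & F_AD) != 0; }

int main(void)
{
    /* Constructed query header: id 0x899a, flags RD|AD (0x0120), one question */
    const uint8_t query[DNS_HDR_LEN] = { 0x89, 0x9a, 0x01, 0x20, 0, 1, 0, 0, 0, 0, 0, 0 };
    const struct cache_entry unverified = { 0 };
    uint8_t reply[DNS_HDR_LEN];

    reply_header_buggy(query, &unverified, reply);
    printf("buggy: flags 0x%04x, AD=%d (data was never validated)\n",
           reply_flags(reply), reply_has_ad(reply));
    reply_header_fixed(query, &unverified, reply);
    printf("fixed: flags 0x%04x, AD=%d\n", reply_flags(reply), reply_has_ad(reply));
    return 0;
}
```

With the constructed query (client sets AD) and an unvalidated cache entry, the buggy routine yields flags 0x81a0 with AD on, the fixed one 0x8180 with AD off; the fixed routine sets AD only when the entry is marked authenticated.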

Re: [Dnsmasq-discuss] Load balancing between multiple forward servers

2013-12-12 Thread Simon Kelley

On 11/12/13 17:32, Dallas Engelken wrote:

Hi,

Running, dnsmasq version 2.48.

In my config, I have

server=/my.domain/1.2.3.4
server=/my.domain/2.3.4.5

But when I query www.my.domain, all queries go to 1.2.3.4, and never
2.3.4.5

I have also tried enabling *all-servers* as well in the config, but
according to the log, it never sends queries to both 1.2.3.4 and 2.3.4.5

Is this not possible? Or am I missing something here?



The second (2.3.4.5) will be used in some circumstances (if a query to 
the first times out, or the first returns an error), but servers for 
particular domains aren't load-balanced in the same way as general-query 
servers. This is arguably not optimal, but changing it is probably done 
by a major rewrite of some fairly gnarly code, and it's never got to the 
top of the TODO list.



Cheers,

Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] DHCPv6 problem

2013-12-12 Thread Mohammad Jamal Mohiuddin

Sir, I was trying to establish a DHCPv6 server with dnsmasq.

The conf file is


interface = wlan0
dhcp-range=fd00::2,fd00::500, 64, 12h
enable-ra



I am getting the error: dnsmasq: only one tag allowed at line 567 of
/etc/dnsmasq.conf



Please solve
---

This e-mail is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If you are not the
intended recipient, please contact the sender by reply e-mail and destroy
all copies and the original message. Any unauthorized review, use,
disclosure, dissemination, forwarding, printing or copying of this email
is strictly prohibited and appropriate legal action will be taken.
---



[Dnsmasq-discuss] DHCPv6 same host different subnets

2013-12-12 Thread Roy Marples

Hi

According to this:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q3/007464.html

This should work
dhcp-host=id:00:01:00:01:XXX,[2a01:348:31:2::2],fred
dhcp-host=id:00:01:00:01:XXX,[2a01:348:31:3::2],fred

But it fails. I get the last address assigned to the 2a01:348:31:2 
subnet request.
This is running 2.68 on NetBSD, not tested the above config with earlier 
versions.


Thanks

Roy



Re: [Dnsmasq-discuss] FreeBSD complement to Linux's netlink: route(4) socket

2013-12-12 Thread Matthias Andree
On 09.12.2013 17:58, Simon Kelley wrote:

 OK, using this, I've implemented dynamic interface-address discovery for
 *BSD. Available now in git and as 2.69test1. This is very useful as it
 stands, since it makes the dynamic DHCPv6 address-range facility using
 the constructor: keyword work on *BSD.
 
 Unfortunately, it doesn't make --bind-dynamic work, at least not in a
 useful way. The problem is that when new interface addresses come along,
 dnsmasq has to bind sockets to them at low ports. This is not allowed
 when running as non-root, and of course dnsmasq drops root once it's
 started.
 
 On Linux, this problem is solved by using process capabilities: the
 dnsmasq process retains the ability to bind low ports when it gives away
 the rest of the root privileges. I don't think there's a direct
 equivalent to capabilities in *BSD. Is there another way to allow a
 non-root process to bind low ports?

A. There is a system-wide feature that enables certain uid/gids to bind
particular tcp or udp ports.

http://www.freebsd.org/doc/handbook/mac-portacl.html - check the
Example.  Note that TrustedBSD/MAC is dubbed experimental.

Minimum survival on FreeBSD 9.2:

1. These are preparations the sysadmin would have to make:

# kldload mac_portacl
# sysctl security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

2. And that tells dnsmasq to drop privileges to user 53 (I hope it
understands UID, else try bind - it has uid 53 on my system):

dnsmasq -u 53  [options [...]]


B. If you find that too cumbersome due to its global nature, the
traditional way would be using a helper process that retains privileges,
opens the socket, binds it and passes the file descriptor to the
unprivileged process.
http://www.lst.de/~okir/blackhats/node121.html or
http://www.thomasstover.com/uds.html perhaps.


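The helper-process pattern from option B above, as an added example; this is not dnsmasq's code and not from the message. A privileged parent binds the low port, then hands the descriptor to an unprivileged child over a Unix-domain socket with SCM_RIGHTS, so the child never needs the right to bind port 53 itself. It assumes POSIX/BSD sockets, and reuses the port and uid/gid 53 from the mac_portacl example above; the address and port can be overridden on the command line.

```c
/* Added example, not dnsmasq code: pass a bound low-port socket from a
 * privileged parent to an unprivileged child over AF_UNIX + SCM_RIGHTS. */
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bind a UDP socket to addr:port. Call this while still root; -1 on error. */
int bind_udp_socket(const char *addr, unsigned short port)
{
    struct sockaddr_in sin;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Ancillary-data buffer sized for exactly one descriptor */
union fd_cmsg { struct cmsghdr hdr; unsigned char buf[CMSG_SPACE(sizeof(int))]; };

/* Send fd over the connected AF_UNIX socket chan. Returns 0 on success. */
int send_fd(int chan, int fd)
{
    char byte = 0;                      /* at least one data byte must travel */
    struct iovec iov = { &byte, 1 };
    union fd_cmsg u;
    struct msghdr msg;
    struct cmsghdr *c;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;  msg.msg_iovlen = 1;
    msg.msg_control = u.buf;  msg.msg_controllen = sizeof u.buf;
    c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from chan; -1 if none arrived or control data was truncated. */
int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union fd_cmsg u;
    struct msghdr msg;
    struct cmsghdr *c;
    int fd;
    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;  msg.msg_iovlen = 1;
    msg.msg_control = u.buf;  msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    c = CMSG_FIRSTHDR(&msg);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Port a socket is bound to, host byte order; -1 on error */
int local_port(int s)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(s, (struct sockaddr *)&sin, &len) < 0) return -1;
    return ntohs(sin.sin_port);
}

int main(int argc, char **argv)
{
    const char *addr = argc > 1 ? argv[1] : "127.0.0.1";
    int port = argc > 2 ? atoi(argv[2]) : 53, sp[2], s, status;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) { perror("socketpair"); return 1; }
    if ((pid = fork()) < 0) { perror("fork"); return 1; }
    if (pid == 0) {                     /* unprivileged side: drop root before receiving */
        close(sp[0]);
        if (setgid(53) < 0 || setuid(53) < 0) { perror("drop privileges"); _exit(1); }
        if ((s = recv_fd(sp[1])) < 0) { fprintf(stderr, "no socket received\n"); _exit(1); }
        printf("uid %d holds a socket bound to port %d\n", (int)getuid(), local_port(s));
        _exit(0);
    }
    close(sp[1]);                       /* privileged side: bind, hand over, keep nothing */
    if ((s = bind_udp_socket(addr, (unsigned short)port)) >= 0) {
        send_fd(sp[0], s);
        close(s);
    } else
        perror("bind");
    close(sp[0]);                       /* EOF lets the child notice if nothing came */
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root (`./a.out 127.0.0.1 53`) the child reports uid 53 holding a socket bound to port 53. The child drops privileges before it touches the channel, so a bug in the receive path runs unprivileged; the parent closes its copy of the socket and the channel as soon as the handover is done, and the descriptor the child gets is a fresh number in its own table that refers to the same open socket.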