Re: [Dnsmasq-discuss] dnsmasq using 100% cpu on router

2014-04-23 Thread David Joslin
The router isn't being used for wi-fi. We have a Ubiquiti Unifi wi-fi
system throughout the building. The router is just routing (and providing
dns, dhcp etc).

David


On 23 April 2014 02:43, Weedy weedy2...@gmail.com wrote:


 On 22 Apr 2014 15:10, David Joslin dav...@nkcc.org.uk wrote:
 
  Hi
 
  I have an Asus rt-n16 router running the Shibby version of the Tomato
 firmware which includes dnsmasq version 2.69test3. It's in use in a
 building that frequently has 50+ users on a wireless network and dnsmasq
 has performed extremely well with very little load on the router.
 
  However, we've recently run a couple of conferences in the building and
 the number of people using the wireless network has been just over 100.

 Even if you fix this you should look into better hardware.

 480 MHz and Broadcom radios at your loads worries the hell out of me.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] IPv6 dhcp/ra-issue

2014-04-23 Thread Simon Kelley
On 21/04/14 14:28, Oliver Rath wrote:
 Hi list,
 
 I'm trying to give my network-computers IPv6-Addresses constructed from
 ppp0. In my config I get from my provider i.e. these (dynamic) IPv4 and
 IPv6-addresses:
 
 # ifconfig ppp0
 ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1492
         inet 80.137.126.83  netmask 255.255.255.255  destination 87.186.224.66
         inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid 0x20<link>
         inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64  scopeid 0x0<global>
         ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
         RX packets 2546359  bytes 3258224683 (3.0 GiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 1550070  bytes 133189854 (127.0 MiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
 One of my additional interfaces has this address:
 # ifconfig p3p1
 p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.168.2.254  netmask 255.255.255.0  broadcast 192.168.2.255
         inet6 fe80::210:f3ff:fe07:f7bf  prefixlen 64  scopeid 0x20<link>
         ether 00:10:f3:07:f7:bf  txqueuelen 1000  (Ethernet)
         RX packets 2806761  bytes 3337921408 (3.1 GiB)
         RX errors 0  dropped 0  overruns 0  frame 0
         TX packets 1832066  bytes 326375284 (311.2 MiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
 
 
 If I understand right, I've got an IPv6-subnet with the ability of ~250
 clients (Telekom Germany), directly addressable from internet. Now I
 want to configure dnsmasq in a way, that the clients get IPv4- (works,
 internal only) and IPv6-addresses in a from internet addressable way.
 
 IMHO the fe80.. number is the *router*-ipv6-address, the 2003:... the
 *host* ipv6-address. Now my clients should also get an ipv6-router *and*
 -host address. Is this right?
 
 My dnsmasq.conf (stripped):
 
 except-interface=ppp0
 dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
 dhcp-range=tag:gw2,::,constructor:ppp0
 ddhcp-option=tag:gw2,128,192.168.2.254
 enable-ra
 dhcp-option=mtu,1492
 dhcp-option=option6:dns-server,[::]
 dhcp-option=252,http://heimserver/wpad.dat;
 log-queries
 log-dhcp
 
 Now I would assume, that my clientpc (p3p1 is bridged with wlan-ap)
 would get an fe80:.. and another, from internet routable address. While
 my card has the mac-address 00:21:6a:37:3f:72, I would assume getting an
 IPv6 address like 2003:62:487f:b168:0021:6aFF:FE373f:72, but it doesn't:
 
 wlan0 on my client-pc:
 
 # ifconfig wlan0
 wlan0 Link encap:Ethernet  Hardware Adresse 00:21:6a:37:3f:72
       inet Adresse:192.168.2.100  Bcast:192.168.2.255  Maske:255.255.255.0
       inet6-Adresse: fe80::221:6aff:fe37:3f72/64 Gültigkeitsbereich:Verbindung
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
       RX-Pakete:2981577 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
       TX-Pakete:2979080 Fehler:0 Verloren:0 Überläufe:0 Träger:0
       Kollisionen:0 Sendewarteschlangenlänge:1000
       RX-Bytes:3059635559 (3.0 GB)  TX-Bytes:2883630423 (2.8 GB)
 
 
 Here /var/log/syslog on my client (sorry for the German parts):
 
 Apr 21 14:57:29 hp dhclient: DHCPREQUEST of 192.168.2.100 on wlan0 to 255.255.255.255 port 67 (xid=0x48327e63)
 Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
 Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016 seconds.
 Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
 Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016 seconds.
 Apr 21 14:57:29 hp NetworkManager[827]: <info> (wlan0): DHCPv4 state changed preinit -> reboot
 Apr 21 14:57:29 hp NetworkManager[827]: <info>   address 192.168.2.100
 Apr 21 14:57:29 hp NetworkManager[827]: <info>   prefix 24 (255.255.255.0)
 Apr 21 14:57:29 hp NetworkManager[827]: <info>   gateway 192.168.2.254
 Apr 21 14:57:29 hp NetworkManager[827]: <info>   hostname 'hp'
 Apr 21 14:57:29 hp NetworkManager[827]: <info>   nameserver '192.168.2.254'
 Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Configure Commit) scheduled...
 Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Commit) started...
 Apr 21 14:57:29 hp avahi-daemon[801]: Joining mDNS multicast group on interface wlan0.IPv4 with address 192.168.2.100.
 Apr 21 14:57:29 hp avahi-daemon[801]: New relevant interface wlan0.IPv4 for mDNS.
 Apr 21 14:57:29 hp avahi-daemon[801]: Registering new address record for 192.168.2.100 on wlan0.IPv4.
 Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state change: ip-config -> secondaries (reason 'none') [70 90 0]
 Apr 21 14:57:30 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Commit) complete.
 Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state change: secondaries -> activated (reason 'none') [90 100 0]
 Apr 21 14:57:30 hp NetworkManager[827]: <info> NetworkManager 

Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-23 Thread Dave Taht
I will argue that a better place to report dnssec validation
errors is the dnsmasq list.

On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wood...@gmail.com wrote:
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186

 This one validates via verisign, however.

 -Aaron

 ___
 Cerowrt-devel mailing list
 cerowrt-de...@lists.bufferbloat.net
 https://lists.bufferbloat.net/listinfo/cerowrt-devel




-- 
Dave Täht

NSFW: 
https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article



Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-23 Thread Simon Kelley
On 23/04/14 16:42, Dave Taht wrote:
 I will argue that a better place to report dnssec validation
 errors is the dnsmasq list.
 
 On Wed, Apr 23, 2014 at 8:31 AM, Aaron Wood wood...@gmail.com wrote:
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: query[A] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net from 172.30.42.99
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: dnssec-query[DS] e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.4.4
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: forwarded e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net to 8.8.8.8
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is BOGUS DS
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: validation result is BOGUS
 Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: reply e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net is 2.20.28.186

 This one validates via verisign, however.


Something strange in that domain. Turning off DNSSEC with the
checking-disabled bit, the original A-record query is OK.


; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45416
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN A

;; ANSWER SECTION:
e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. 19 IN A 23.195.61.15

;; Query time: 112 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 23 16:52:06 2014
;; MSG SIZE  rcvd: 81

But a query for DS on the same domain, which is what dnsmasq does next,
returns SERVFAIL, _even_with_ checking disabled.

; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44148
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net. IN DS

;; Query time: 149 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 23 16:52:30 2014
;; MSG SIZE  rcvd: 65

Dnsmasq does the DS query next because the answer to the A query comes
back unsigned, so dnsmasq is looking for a DS record that proves this is
OK. It's likely that Verisign does that top-down (starting from the
root) whilst dnsmasq does it bottom up. Hence Verisign never finds the
broken DS, whilst dnsmasq does.

That's as good an analysis as I can produce right now. Anyone who can
shed more light, please do.


(And yes, please report DNSSEC problems on the dnsmasq-discuss list for
preference.)



Cheers,

Simon.
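
The log pattern analysed in this message (a dnssec-query[DS], then "reply ... is BOGUS DS" and "validation result is BOGUS") can be pulled out of a dnsmasq log and tied to the upstream server that was asked. The following Python is an added example, not part of the original post or of dnsmasq; the name find_bogus and the example.org lines are assumptions made for illustration, and attributing the nameless result line to the preceding BOGUS reply is a heuristic.

```python
import re
from collections import defaultdict

NAME = "e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net"
PREFIX = "Wed Apr 23 15:13:05 2014 daemon.info dnsmasq[29719]: "
# Messages from the log quoted in this thread; the example.org ones are constructed.
SAMPLE_LOG = "\n".join(PREFIX + m for m in [
    f"query[A] {NAME} from 172.30.42.99",
    f"forwarded {NAME} to 8.8.8.8",
    f"dnssec-query[DS] {NAME} to 8.8.8.8",
    f"forwarded {NAME} to 8.8.4.4",
    f"forwarded {NAME} to 8.8.8.8",
    f"reply {NAME} is BOGUS DS",
    "validation result is BOGUS",
    f"reply {NAME} is 2.20.28.186",
    "query[A] example.org from 172.30.42.99",
    "forwarded example.org to 8.8.8.8",
    "validation result is SECURE",
])

MSG = re.compile(r"dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
DNSSEC_Q = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)$")
BOGUS_REPLY = re.compile(r"reply (\S+) is BOGUS (\w+)$")
RESULT = re.compile(r"validation result is (\w+)$")

def find_bogus(log_text):
    """One finding per BOGUS validation: name, failing record type, client, upstreams."""
    clients, asked = {}, defaultdict(set)
    pending, findings = None, []
    for line in log_text.splitlines():
        m = MSG.search(line)
        msg = m.group(1) if m else ""
        if q := QUERY.match(msg):
            clients[q.group(2)] = q.group(3)          # who asked for this name
        elif d := DNSSEC_Q.match(msg):
            asked[d.group(2)].add(d.group(3))         # upstream asked for DS/DNSKEY
        elif b := BOGUS_REPLY.match(msg):
            pending = (b.group(1), b.group(2))        # (name, record type)
        elif r := RESULT.match(msg):
            # Heuristic: the result line has no name, so use the last BOGUS reply.
            if r.group(1) == "BOGUS" and pending:
                name, rtype = pending
                findings.append({"name": name, "failed": rtype,
                                 "client": clients.get(name),
                                 "dnssec_upstreams": sorted(asked[name])})
            pending = None
    return findings

if __name__ == "__main__":
    print(find_bogus(SAMPLE_LOG))
```

When the findings from a real log all name the same upstream, repeating the DS query against a different resolver shows whether the fault is in that upstream or in the zone.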







Re: [Dnsmasq-discuss] [Cerowrt-devel] more dnssec failures

2014-04-23 Thread Simon Kelley
On 23/04/14 18:29, Dave Taht wrote:
 On Wed, Apr 23, 2014 at 10:18 AM, Aaron Wood wood...@gmail.com wrote:
 On Wed, Apr 23, 2014 at 6:44 PM, Robert Bradley robert.bradl...@gmail.com
 wrote:


 ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 a e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
 <snip rest of NOERROR response>

 But a query for DS on the same domain, which is what dnsmasq does next,
 returns SERVFAIL, _even_with_ checking disabled.

 ; <<>> DiG 9.8.1-P1 <<>> +cd @8.8.8.8 ds e3191.dscc.akamaiedge.net.0.1.cn.akamaiedge.net
 <snip SERVFAIL response>

 This looks identical to the *.cloudflare.com issue I had last week.  In
 both cases, using Level 3's 4.2.2.2 instead of Google DNS works fine,
 and 8.8.8.8 returns SERVFAIL for DS lookups.  This looks like a bug in
 Google's DNS servers as opposed to dnsmasq...


 A question about dnsmasq and multiple servers.  If I listed both 4.2.2.2 and
 8.8.8.8 in my dnsmasq configuration, how would dnsmasq behave in this case?
 would it query both for the DS?  or just stick with the first server to
 start responding with an A-record?
 
 By default dnsmasq probes for a best upstream dns server periodically
 and uses that.

Subsequent queries needed to do DNSSEC validation of an initial answer
are always sent to the same server which provided that answer.


Simon.

 

 (I confess that I don't know the details of DNS very well)

 -Aaron


 
 
 

