Re: [Dnsmasq-discuss] IPv6 RA issues when bound to IPv4

2015-07-16 Thread Simon Kelley

Dnsmasq needs to advertise the global address, I think. Receiving RAs
shouldn't be a problem, dnsmasq binds the correct multicast address.

Cheers,

Simon.


On 16/07/15 16:27, Michal Zatloukal wrote:
> Hi all,
>
> I'm using dnsmasq (2.68-1ubuntu0.1) on a machine where the need to
> run tftpd-hpa along with dnsmasq's own tftp server has arisen (both
> on just IPv4). I decided to use the secondary IP address feature
> in the Linux networking system to bind tftpd-hpa to the secondary IP
> address, and set up dnsmasq to bind the following:
> - primary IPv4 address
> - localhost IPv4
> - For IPv6, I put in localhost, global and link-local addresses.
> IIUC, RA can't work in this config, since the destination on RS is
> multicast ff02::2 and therefore aren't delivered to any of the
> sockets opened by dnsmasq.
>
> Now, which IPv6 address do I enter so that IPv6 router
> announcements work correctly? (Is it even possible?)
> - adding ff02::2 doesn't work, dnsmasq reports error in syslog -
>   cannot bind to this address.
> - replacing all IPv6 addresses with :: allows dnsmasq to start and
>   bind to wildcard IPv6, but it seems incoming RS packets are
>   ignored - nothing appears in syslog when clients send
>   solicitation. Is the filtering code in dnsmasq perhaps not
>   expecting a wildcard address in the listen-address parameter and
>   filters packets against it?
>
> Regards,
>
> MZ
 

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] Help in DNS amplification attack

2015-07-16 Thread @shuToSH Ch@tURveDI
Hi,

I'm using dnsmasq version 2.70; as mentioned in the CHANGELOG, the DNS amplification
attack has been fixed in this version.

But when I checked with this one

https://help.1and1.com/servers-c37684/parallels-plesk-c37703/troubleshooting-c85156/check-for-the-dns-amplification-attack-vulnerability-a791842.html

it's not fixed, so can anyone help me with how to fix this?

Thanks,
AS


Re: [Dnsmasq-discuss] Help in DNS amplification attack

2015-07-16 Thread Albert ARIBAUD
Hi AS,

On Thu, 16 Jul 2015 11:40:42 +0530, @shuToSH Ch@tURveDI
ashutosh.chaturvedi...@gmail.com wrote:

> Hi,
>
> I'm using dnsmasq version 2.70; as mentioned in the CHANGELOG, the DNS amplification
> attack has been fixed in this version.
>
> But when I checked with this one
>
> https://help.1and1.com/servers-c37684/parallels-plesk-c37703/troubleshooting-c85156/check-for-the-dns-amplification-attack-vulnerability-a791842.html
>
> it's not fixed, so can anyone help me with how to fix this?

Maybe I'm mistaken, but I think what this page actually tests for is
whether a given 1and1 hosted machine is an open DNS, not whether it has
a bug which allows DNS amplification.

Indeed being an open DNS makes the machine prone to being used for DNS
amplification attacks, but:

1) this test is specifically for 1and1 machines. Is your machine hosted
   by 1and1?

2) Whether a machine running dnsmasq is an open DNS or not depends on
*configuration*, not source code -- the fix is a correct configuration
(of dnsmasq and/or iptables/ip6tables).

> Thanks,
> AS

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Help in DNS amplification attack

2015-07-16 Thread Albert ARIBAUD
Hi again AS,

On Thu, 16 Jul 2015 15:39:56 +0530, @shuToSH Ch@tURveDI
ashutosh.chaturvedi...@gmail.com wrote:

> No,
>
> I am using router from LAN I am sending query like (nslookup 1and1.com IP
> of LAN),
> and dnsmasq listening on LAN, and WAN Internet reachable.
>
> I am also not sure this is issue or not.

Is your dnsmasq the authoritative name server for a domain that you
manage?

If not, then you don't need it to be reachable from outside the LAN,
and if you configure it to not be reachable from outside the LAN, then
it cannot be used for DNS amplification attacks.

> Thanks,
> AS

Kind regards,
-- 
Albert.
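
[Added example, not part of the thread and not dnsmasq project code.] The two replies above say that open-resolver exposure is a matter of configuration. The sketch below audits a dnsmasq.conf body for the listening options that decide this; the function names, the interface names (eth0, br-lan), the address 203.0.113.5 and the sample configs are assumptions made up for illustration, and the rules are a simplified reading of the dnsmasq man page.

```python
import ipaddress

def parse_conf(text):
    """Map each dnsmasq option to its list of values, skipping # comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def _items(opts, key):
    """Flatten the comma-separated values of a repeatable option."""
    return [p.strip() for v in opts.get(key, []) for p in v.split(",") if p.strip()]

def dns_exposure(text, wan_if, wan_addr):
    """Classify how far the config itself limits DNS service on the WAN side."""
    o = parse_conf(text)
    if o.get("port") == ["0"]:                   # port=0 turns the DNS function off
        return "dns-disabled"
    ifaces = _items(o, "interface")
    excluded = _items(o, "except-interface")
    addrs = [ipaddress.ip_address(a) for a in _items(o, "listen-address")]
    if wan_if in excluded:                       # except-interface overrides the rest
        return "restricted"
    if wan_if in ifaces or ipaddress.ip_address(wan_addr) in addrs:
        return "unrestricted"
    if any(a.is_unspecified for a in addrs):     # wildcard address such as ::
        return "unrestricted"
    if ifaces or addrs:                          # listening limited to non-WAN side
        return "restricted"
    # local-service is ignored once interface/address selection options are used
    if "local-service" in o and not excluded and "auth-server" not in o:
        return "local-subnets-only"
    return "unrestricted"

# Constructed sample configs; eth0 / 203.0.113.5 stand in for the WAN side.
SAMPLES = {
    "defaults": "",
    "lan-only": "interface=br-lan\nbind-interfaces\n",
    "local-service": "local-service\n",
    "dhcp-proxy-only": "port=0\nlog-dhcp\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name:16} {dns_exposure(conf, 'eth0', '203.0.113.5')}")
```

A result of "unrestricted" only means dnsmasq itself does not limit where it answers; in that case the iptables/ip6tables rules mentioned in the reply are the only thing keeping port 53 closed on the WAN side.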



[Dnsmasq-discuss] dhcp-range as a set doesn't seem to work for me.

2015-07-16 Thread David Cooper
Hi all,

So my question is why does the enclosed config not work? It never seems to
activate any of the sets unless I use pxe boot.

Here is some background:

I have a large network. I have 11 subnets that need a dhcp proxy. I have a
Network Access Control (NAC) application that has a very limited DHCP
implementation that must be used on the registration networks. When the
techs unbox a machine, and try to image, the machine isn't known by the NAC
so it stays in the registration network. I am trying to use dnsmasq to give
bootp options to a tftpboot solution on different servers (10.99.1.72,
10.99.2.61).

I use Ubuntu 14.04 LTS but removed the pre-installed dnsmasq. I compiled the
tarball currently on the site (2.73) using make and make install. Then
modified the /etc/init.d/dnsmasq file so it found the new location of the
file.

I am trying not to use PXE but left the information in there for reference.
If I use PXE, dnsmasq works but the filename gets the label put on and the
client tries to download SMSBoot\x64\wdsnbp.com.0 which doesn't exist.

I left the dhcp-boot in as I thought that should work and seems to be
formatted correctly if I didn't want to put the servername in my local
hosts file.

I have also included the syslog entries for my last test run to show no
sets are being done.

*** Config ***

port=0
log-dhcp
dhcp-no-override

dhcp-range=set:South, 10.201.0.0, proxy, 255.255.0.0
dhcp-range=set:South, 10.202.0.0, proxy, 255.255.0.0
dhcp-range=set:South, 10.204.0.0, proxy, 255.255.0.0
dhcp-range=set:South, 10.205.0.0, proxy, 255.255.0.0
dhcp-range=set:South, 10.207.0.0, proxy, 255.255.0.0
dhcp-range=set:South, 10.212.0.0, proxy, 255.255.0.0
dhcp-option=tag:South, 66, 10.99.1.72
dhcp-option=tag:South, 67, SMSBoot\x64\wdsnbp.com

#dhcp-boot=tag:South, SMSBoot\x64\wdsnbp.com,,10.99.1.72
#pxe-service=tag:South, X86PC, Boot from network,SMSBoot\x64\wdsnbp.com,10.99.1.72

dhcp-range=set:North, 10.206.0.0, proxy, 255.255.0.0
dhcp-range=set:North, 10.214.0.0, proxy, 255.255.0.0
dhcp-range=set:North, 10.216.0.0, proxy, 255.255.0.0
dhcp-range=set:North, 10.217.0.0, proxy, 255.255.0.0
dhcp-range=set:North, 10.219.0.0, proxy, 255.255.0.0
dhcp-boot=tag:North, SMSBoot\x64\wdsnbp.com, 10.99.2.61, 10.99.2.61


*** Syslog ***

Jul 16 15:02:39 fog-helper-s dnsmasq[25873]: started, version 2.73 DNS disabled
Jul 16 15:02:39 fog-helper-s dnsmasq[25873]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.219.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.217.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.216.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.214.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.206.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.212.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.207.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.205.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.204.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.202.0.0
Jul 16 15:02:39 fog-helper-s dnsmasq-dhcp[25873]: DHCP, proxy on subnet 10.201.0.0
Jul 16 15:03:06 fog-helper-s dnsmasq-dhcp[25873]: 3115234045 available DHCP subnet: 10.205.0.0/255.255.0.0
Jul 16 15:03:06 fog-helper-s dnsmasq-dhcp[25873]: 3115234045 vendor class: PXEClient:Arch:0:UNDI:002001
Jul 16 15:03:21 fog-helper-s dnsmasq-dhcp[25873]: 3081679613 available DHCP subnet: 10.205.0.0/255.255.0.0
Jul 16 15:03:21 fog-helper-s dnsmasq-dhcp[25873]: 3081679613 vendor class: PXEClient:Arch:0:UNDI:002001
Jul 16 15:03:23 fog-helper-s dnsmasq-dhcp[25873]: 3098456829 available DHCP subnet: 10.205.0.0/255.255.0.0
Jul 16 15:03:23 fog-helper-s dnsmasq-dhcp[25873]: 3098456829 vendor class: PXEClient:Arch:0:UNDI:002001
Jul 16 15:03:53 fog-helper-s dnsmasq-dhcp[25873]: 517559989 available DHCP subnet: 10.205.0.0/255.255.0.0
-- 
David R. Cooper
Network Analyst
East Stroudsburg Area School District
http://www.esasd.net
david-coo...@esasd.net
570-424-8500 x10613
