Re: [Dnsmasq-discuss] CERT Vulnerability VU#598349

2018-09-17 Thread Simon Kelley
On 10/09/18 00:19, klondike wrote:
> Hi Simon,
> 
> On 08/09/18 at 19:17, Simon Kelley wrote:
>> The question is, should the above configuration be "baked in" to the code?
> 
> Yes. In general it is considered against good practice to provide insane
> defaults and in this case this entails software and not configuration
> defaults.
> 
> Keep in mind that dnsmasq is used by a wide variety of users nowadays,
> not only home routers and embedded  but also as a simple DHCP/DNS server
> in NAT setups, for example by NetworkManager or libvirt. Getting all of
> these users to update the way in which they generate dnsmasq
> configurations may be impractical as opposed to the rare case of allowing
> the names in such a blacklist.
> 
> Because of this it would be best to let dnsmasq default to safe
> behaviour (filtering known bad names like wpad) and allowing users to
> disable this behaviour via a configuration/command line directive. That
> way the next update will fix the problem for the majority of users out
> of the box whilst still allowing the few with a legitimate interest in
> allowing overriding of entries like wpad to do so.
> 
> If you need help writing such a patch I can try to get some time to do so.
> 
> Sincerely,
> 
> Klondike

So, if I read the replies so far correctly, we have votes both for
"ignore wpad by default, and give an option to switch that off" and
"don't ignore wpad by default, but add the code to do so to the example
config file."

The first is a bit of a problem, if you have

dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore

either in a global config file, or baked into the code, there's no way to
unset the wpad-ignore tag, or override the dhcp-ignore-names directive.

The second is easier to achieve, but the example config file is a little
unloved these days. I kind of lost the habit of adding each new
configuration option in there.


Cheers,


Simon.
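
The thread turns on whether the two directives quoted above (dhcp-name-match tagging a client that asks for the name "wpad", and dhcp-ignore-names dropping the client-supplied name when that tag is set) are present in a given deployment. The following config audit is an added example, not dnsmasq code and not from anyone on the list; it parses only those two directives with the syntax from the dnsmasq manual (set:<tag>,<name>[*] and tag:<tag>), treats a trailing "*" as a prefix wildcard, compares hostnames case-insensitively as DNS names are, and reports whether a requested hostname would be ignored. The sample configurations are constructed for the example.

```python
"""Audit a dnsmasq configuration for the wpad-ignore pattern.

Added example (not dnsmasq's own code). Only two directives are modelled:
  dhcp-name-match=set:<tag>,<name>[*]          tag clients whose requested name matches
  dhcp-ignore-names[=tag:<tag>[,tag:<tag>...]] drop the client name when all tags are set
Everything else in the file is skipped.
"""


def parse_config(text):
    """Return (name_matches, ignore_rules) from 'key=value' lines.

    name_matches: list of (tag, pattern)
    ignore_rules: list of frozenset(required tags); an empty set means
                  'ignore every client-supplied name'.
    """
    name_matches = []
    ignore_rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "dhcp-name-match":
            tagpart, _, pattern = value.partition(",")
            if not tagpart.startswith("set:") or not pattern:
                raise ValueError(f"malformed dhcp-name-match: {raw!r}")
            name_matches.append((tagpart[len("set:"):], pattern))
        elif key == "dhcp-ignore-names":
            # bare 'dhcp-ignore-names' (no value) applies to all clients
            tags = frozenset(t[len("tag:"):] for t in value.split(",")
                             if t.startswith("tag:")) if value else frozenset()
            ignore_rules.append(tags)
    return name_matches, ignore_rules


def hostname_matches(pattern, hostname):
    """Case-insensitive match; a trailing '*' matches any name with that prefix."""
    p, h = pattern.lower(), hostname.lower()
    if p.endswith("*"):
        return h.startswith(p[:-1])
    return h == p


def name_ignored(hostname, config_text):
    """True if dnsmasq would discard the client-supplied hostname under this config."""
    name_matches, ignore_rules = parse_config(config_text)
    tags = {tag for tag, pattern in name_matches if hostname_matches(pattern, hostname)}
    return any(required <= tags for required in ignore_rules)


def audit(config_text, names=("wpad",)):
    """Return the names on the watchlist that this config would still accept."""
    return [n for n in names if not name_ignored(n, config_text)]


# Constructed sample configurations (not taken from any real deployment).
SAFE_CONFIG = """\
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-name-match=set:wpad-ignore,wpad   # the pattern discussed on the list
dhcp-ignore-names=tag:wpad-ignore
"""
WILDCARD_CONFIG = """\
dhcp-name-match=set:wpad-ignore,wpad*
dhcp-ignore-names=tag:wpad-ignore
"""
UNGUARDED_CONFIG = """\
dhcp-range=192.168.0.50,192.168.0.150,12h
"""

if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("unguarded", UNGUARDED_CONFIG)):
        print(f"{label}: names still accepted -> {audit(cfg)}")
```

Run against a real dnsmasq.conf the script answers the question Simon and Klondike are debating for that one installation: whether a client asking to be called "wpad" is silently dropped or ends up in the DNS.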




___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] clients of DHCPv6 with constructed IPv6 address range are not notified on address range change

2018-09-17 Thread Simon Kelley
On 10/09/18 19:51, Andrey Vakhitov wrote:
> Hello Simon & Uwe,
> 
>> unfortunately that problem is seen often with providers in Germany, although 
>> the large ones no longer
>> do it (or allow to disable the disconnect). The problem is that German 
>> providers automatically 
>> disconnect the PPPoE connection every 24 hrs. After reconnecting you get a 
>> new address (IPv4) and 
>> prefix (IPv6). Since the changes we did (deprecating prefixes) this works 
>> fine for standard router 
>> advertisements. But won't help for DHCPv6.
> 
> This is exactly my case, my ISP is o2.
> 
>>> Dnsmasq doesn't implement RECONFIGURE. It probably should. The main 
>>> problem, from a quick look at the RFC, is that RECONFIGURE mandates 
>>> use of security mechanism, and dnsmasq doesn't implement that either!
> 
> I know that it's against RFC but some routers (like the fritzbox I'm using, 
> very popular choice in Germany) actually send RECONFIGURE without 
> authentication. This is BTW the reason for introduction of "noauthrequired" 
> config option in dhcpcd ;-)


I wonder if a very simple RECONFIGURE implementation would work here:
Just send a non-specific RECONFIGURE message to all clients when a new
IPV6 network turns up? Without security. That would be fairly simple to
implement and to configure.



Cheers,

Simon.

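
The exchange above rests on the RFC 3315 rules for RECONFIGURE: the server must include Server Identifier, Client Identifier, a Reconfigure Message option naming RENEW or REBIND, and an Authentication option, and a client must discard a message that lacks any of them. The following encoder and client-side check is an added example, written here to make those rules concrete; it is not dnsmasq or dhcpcd code. The DUIDs and the authentication payload are constructed placeholders (a real Authentication option carries the reconfigure-key HMAC, which is not computed here), and the `require_auth` flag stands in for the kind of relaxation Andrey describes in dhcpcd's "noauthrequired".

```python
"""DHCPv6 RECONFIGURE: message layout and the client-side acceptance check.

Added example, not from dnsmasq or dhcpcd. Option codes and message type
are the RFC 3315 values.
"""
import struct

MSG_RECONFIGURE = 10
OPTION_CLIENTID = 1
OPTION_SERVERID = 2
OPTION_AUTH = 11
OPTION_RECONF_MSG = 19
RECONF_RENEW = 5
RECONF_REBIND = 6


def encode_option(code, data):
    """DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data


def build_reconfigure(server_duid, client_duid, reconf_type=RECONF_RENEW, auth=None):
    """Server side: msg-type RECONFIGURE, transaction-id 0, mandatory options.

    `auth` is the raw Authentication option payload; omitting it produces the
    unauthenticated variant discussed in the thread.
    """
    if reconf_type not in (RECONF_RENEW, RECONF_REBIND):
        raise ValueError("Reconfigure Message must name RENEW or REBIND")
    body = (encode_option(OPTION_SERVERID, server_duid)
            + encode_option(OPTION_CLIENTID, client_duid)
            + encode_option(OPTION_RECONF_MSG, bytes([reconf_type])))
    if auth is not None:
        body += encode_option(OPTION_AUTH, auth)
    return bytes([MSG_RECONFIGURE]) + b"\x00\x00\x00" + body


def parse_options(data):
    """Decode a DHCPv6 option list into {code: [payload, ...]}, rejecting truncation."""
    opts, pos = {}, 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        if pos + length > len(data):
            raise ValueError("truncated option")
        opts.setdefault(code, []).append(data[pos:pos + length])
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after options")
    return opts


def check_reconfigure(msg, my_duid, require_auth=True):
    """Client side: (accept, reason) per the RFC 3315 discard rules.

    The 'must be unicast to the client' rule depends on the socket, not the
    bytes, so it is not checked here.
    """
    if len(msg) < 4 or msg[0] != MSG_RECONFIGURE:
        return False, "not a RECONFIGURE message"
    opts = parse_options(msg[4:])
    if OPTION_SERVERID not in opts:
        return False, "missing Server Identifier"
    if opts.get(OPTION_CLIENTID, [None])[0] != my_duid:
        return False, "Client Identifier is missing or not ours"
    rm = opts.get(OPTION_RECONF_MSG)
    if rm is None or len(rm[0]) != 1 or rm[0][0] not in (RECONF_RENEW, RECONF_REBIND):
        return False, "missing or invalid Reconfigure Message option"
    if require_auth and OPTION_AUTH not in opts:
        return False, "no Authentication option (RFC 3315 requires one)"
    return True, "ok"


# Constructed placeholders: DUID-LLT-shaped server id, DUID-LL-shaped client id,
# and a dummy auth payload that only shows where the option sits.
SERVER_DUID = b"\x00\x01\x00\x01\x00\x00\x00\x00\xaa\xbb\xcc\xdd\xee\xff"
CLIENT_DUID = b"\x00\x03\x00\x01\x00\x11\x22\x33\x44\x55"
DUMMY_AUTH = b"\x03\x01\x00" + b"\x00" * 8 + b"\x00" * 16  # placeholder, no real HMAC

if __name__ == "__main__":
    plain = build_reconfigure(SERVER_DUID, CLIENT_DUID)
    print("strict client:", check_reconfigure(plain, CLIENT_DUID))
    print("relaxed client:", check_reconfigure(plain, CLIENT_DUID, require_auth=False))
```

The strict check is what a conforming client does with the "very simple" unauthenticated message Simon sketches: it is dropped, which is why such a feature only helps clients that have opted out of the authentication requirement.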



Re: [Dnsmasq-discuss] WG: clients of DHCPv6 with constructed IPv6 address range are not notified on address range change

2018-09-17 Thread Simon Kelley
On 15/09/18 10:05, Andrey Vakhitov wrote:
> Hello Uwe,
> 
>>> My recommendation to the reporter:
>>> - Don't use stateful DHCPv6 in Germany, that does not work well. Your
>>> clients should get the addresses using router advertisements. For static
>>> hosts assign static names in your own domain. The "ra-names"
>>> assigns both the IPv4 and IPv6 address to the SLAAC name, so lookup
>>> works fine. With router advertisements, DNSmasq will send "deprecated"
> 
>> As you correctly recognized, the reason for usage of stateful DHCPv6 was
>> to get correct dynamic name resolution for IPv6.
>> I also see the combination of DHCPv4 with SLAAC as possible workaround,
>> I've to try it
> 
> I've set it up as you suggested, initially name resolution seems to work
> fine. But after some days of operation (and some nightly reconnects) dnsmasq
> seems to lose associated IPv6 addresses: DNS request reports only IPv6
> address assigned via DHCP. The SLAAC-based IPv6 addresses on hosts are
> present and correct. How can I investigate and fix this issue?


Hmm, not easy.

Look in the log for lines that look like

DHCPv4-derived IPv6 names on 

which should occur after a reconnect with a different address which
causes new DHCP address ranges to be constructed.

After that happens, dnsmasq will take a guess at the IPv6 addresses that
hosts will assign themselves, based on the network address and the MAC
address of the host (transformed into EUI-64). It then starts to ping
those addresses, and when it gets a reply, it will log

SLAAC_CONFIRM(interface)  


and start using the address/name in the DNS.

Once confirmed, the addresses remain valid until the DHCPv4 lease it's
based on expires or goes through init-reboot state or the MAC address or
interface it's accessible by changes.

The only other thing that will delete these addresses is a new address
appearing and a new dhcp range being created, hence it's interesting to
look at what happens in the logs after each of those events.



Cheers,

Simon.

> 
> Best regards,
> --
> Andrey Vakhitov
> 
> E-Mail: and...@vakhitov.net    Stuttgart, Germany
> 
> 
> 
> 

