Re: [Dnsmasq-discuss] Client does not receive BOOTPREPLY
On 20/01/14 07:29, Roeland Douma wrote:
> Hi,
>
> I am setting up dnsmasq over at my parents' but have an issue with one client (a Raspberry Pi) not getting a response to its BOOTPREQUEST. All the other hosts (my laptop, my phone etc.) do get a valid lease, so it seems something weird is happening.
>
> So a little more detail about the setup. There is the modem from the ISP (let's call it M) that just acts as a gateway. DHCP is turned off. Then there is the server (let's call it S) that runs a lot of stuff including dnsmasq. And then finally there is the client (let's call it C). Now they are all connected via wired ethernet via a big switch.
>
> When C does a BOOTPREQUEST it does not get a response. However I see the BOOTPREQUEST appear on S and S does send a response. I tried to debug using dhcpdump and something weird does show.
>
> The BOOTPREQUEST on C looks normal. And in the IP part it nicely shows:
>
>   IP: 0.0.0.0 (mac-of-C) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
>
> Also the correct MAC is displayed in the CHADDR field.
>
> When running dhcpdump on S it shows the BOOTPREQUEST coming in:
>
>   IP: 0.0.0.0 (mac-of-C) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
>
> which matches of course. But the BOOTPREPLY shows:
>
>   192.168.178.100 (mac-of-S) > 192.168.178.222 (mac-of-M)
>
> The CHADDR does match the mac-of-C.
>
> I do not get why S wants to send the reply to M? Any ideas or suggestions on what to do next?
>
> I am running dnsmasq-2.66.

Look at the ARP table on S. I wonder if M is doing gratuitous ARPs?

Cheers,

Simon.

> Thanks in advance for any help.
>
> Cheers,
> --Roeland

___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
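Simon's suggestion can be turned into a repeatable check. The reply frame in the dump is addressed to the offered address 192.168.178.222 but carries M's MAC, which is what you would see if S's neighbour table maps that address to M rather than to C. The script below cross-checks dnsmasq's lease file against the kernel neighbour table and also reports any MAC that answers for more than one address. It is an added example, not code from the thread or from dnsmasq; the lease line and the `ip -4 neigh show` output are constructed, and every MAC in them is a placeholder.

```python
"""Cross-check dnsmasq's lease file against the kernel neighbour table.

Added example; not code from dnsmasq or from the thread. The sample
lease line and `ip -4 neigh show` lines below are constructed, and the
MAC addresses are placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of /var/lib/misc/dnsmasq.leases:
#   <expiry epoch> <mac> <ip> <hostname> <client-id or *>
SAMPLE_LEASES = """\
1390300000 b8:27:eb:aa:bb:cc 192.168.178.222 raspberrypi 01:b8:27:eb:aa:bb:cc
1390300100 00:11:22:33:44:55 192.168.178.50 laptop *
"""

# Constructed sample of `ip -4 neigh show` on the server S. The entry for
# .222 points at a MAC that is not the leased client's, which is the
# symptom in the thread (reply frame addressed to the modem's MAC).
SAMPLE_NEIGH = """\
192.168.178.222 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE
192.168.178.50 dev eth0 lladdr 00:11:22:33:44:55 STALE
192.168.178.1 dev eth0 lladdr 00:de:ad:be:ef:01 REACHABLE
192.168.178.77 dev eth0 FAILED
"""

_NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))? (?P<state>\S+)$"
)


def parse_leases(text: str) -> Dict[str, str]:
    """Map leased IP -> client MAC from dnsmasq.leases content."""
    leases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            leases[fields[2]] = fields[1].lower()
    return leases


def parse_neigh(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (MAC or '', state) from `ip -4 neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = _NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = ((m["mac"] or "").lower(), m["state"])
    return table


def find_conflicts(leases: Dict[str, str], neigh: Dict[str, Tuple[str, str]]) -> List[str]:
    """Report leased addresses whose kernel ARP entry names a different MAC,
    plus MACs that answer for more than one address (a host answering for
    addresses it was not given, e.g. via gratuitous ARP)."""
    findings = []
    for ip, lease_mac in leases.items():
        if ip in neigh:
            arp_mac, state = neigh[ip]
            if arp_mac and arp_mac != lease_mac:
                findings.append(f"{ip}: leased to {lease_mac} but ARP says {arp_mac} ({state})")
    by_mac: Dict[str, List[str]] = {}
    for ip, (mac, _) in neigh.items():
        if mac:
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(parse_leases(SAMPLE_LEASES), parse_neigh(SAMPLE_NEIGH)):
        print(finding)
```

On a real host feed it the output of `ip -4 neigh show` and the lease file (commonly /var/lib/misc/dnsmasq.leases; the path is set by dhcp-leasefile). If the leased address shows up with another host's MAC, `tcpdump -ni eth0 arp` on S will show who is answering or announcing for it.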
Re: [Dnsmasq-discuss] How to reload changes to /etc/dnsmasq.d/mydomain without restarting DNSMASQ
On 21/01/14 10:37, Jerome Sheed wrote:
> Hi,
>
> Is it possible to reload changes (e.g. new IP / DNS for mydomain) without restarting dnsmasq? If possible I'd like it to re-read the /etc/dnsmasq.d/mydomain file for changes (new IPs / DNS entries) without restarting dnsmasq (and causing problems for my network users as DNS resolution will drop).
>
> I've read that this doesn't seem to be possible due to the way dnsmasq starts, but I can't confirm that.

That's correct. If the stuff in mydomain is just IP/names, you can put them in an /etc/hosts-format file instead, and read it using --addn-hosts. That would be re-read by sending SIGHUP.

Cheers,

Simon.

> Any help would be appreciated.
>
> Thanks and Regards,
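The following is an added example of the workflow Simon describes (it is not from the thread or from dnsmasq): render the records into /etc/hosts format, write the file atomically so a SIGHUP can never catch dnsmasq reading a half-written file, and signal the daemon from its pidfile. The hosts-file path and pidfile path are assumptions; they must match the `addn-hosts=` and `pid-file=` lines in your dnsmasq.conf.

```python
"""Publish name->address records for dnsmasq via an --addn-hosts file and
a SIGHUP, instead of editing a dnsmasq.d fragment and restarting.

Added example, not from the thread or the dnsmasq project. The file path,
pidfile path and record set are assumptions for illustration.
"""
import ipaddress
import os
import signal
import tempfile
from typing import Dict, Iterable

# Assumed paths: dnsmasq.conf carries `addn-hosts=/etc/dnsmasq.hosts.d/mydomain`
# and `pid-file=/run/dnsmasq.pid`.
HOSTS_FILE = "/etc/dnsmasq.hosts.d/mydomain"
PID_FILE = "/run/dnsmasq.pid"


def render_hosts(records: Dict[str, Iterable[str]]) -> str:
    """Render {address: [names...]} in /etc/hosts format.

    Addresses are parsed with ipaddress so a typo cannot reach the file,
    and names are restricted to hostname characters so a stray value
    cannot smuggle a second record (or a comment) into the line."""
    lines = []
    for addr, names in records.items():
        ip = ipaddress.ip_address(addr)          # raises ValueError on junk
        clean = []
        for name in names:
            if not name or not all(c.isalnum() or c in "-." for c in name):
                raise ValueError(f"bad hostname {name!r}")
            clean.append(name)
        lines.append(f"{ip}\t{' '.join(clean)}")
    return "\n".join(lines) + "\n"


def write_atomic(path: str, content: str) -> None:
    """Write via temp file + rename so dnsmasq never reads a half-written
    file when it re-reads on SIGHUP."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hosts-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)   # dnsmasq drops privileges, so the file must be world-readable
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def reload_dnsmasq(pid_file: str = PID_FILE) -> int:
    """Send SIGHUP to the pid in the pidfile; returns the pid signalled.
    SIGHUP makes dnsmasq re-read /etc/hosts and addn-hosts files and
    clear its cache; it does not re-read dnsmasq.conf."""
    with open(pid_file) as f:
        pid = int(f.read().strip())
    os.kill(pid, signal.SIGHUP)
    return pid


if __name__ == "__main__":
    content = render_hosts({"192.0.2.10": ["www.mydomain.example", "www"],
                            "2001:db8::10": ["www.mydomain.example"]})
    write_atomic(HOSTS_FILE, content)
    print("reloaded dnsmasq pid", reload_dnsmasq())
```

Run it as a user that can write the hosts file and signal the daemon. Because the rename is atomic, a reload that races with the write still sees either the old complete file or the new one.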
Re: [Dnsmasq-discuss] dnsmasq 2.62-3 as DHCPv6-Server and RA-Server: Bug sending router's link-local instead of global address as gateway and DNS-server?
On 21/01/14 13:02, Martin Babutzka wrote:
> Thanks for the replies!
>
> I hesitantly updated to dnsmasq-2.68 since I first wanted to stick to the version provided with Debian wheezy. The quiet options really reduce the amount of syslog messages except for:
>
>   "dnsmasq-dhcp[23663]: no address range available for DHCPv6 request via eth5"
>
> Concerning the link-local addresses it actually looks like this is the default when advertising gateways in local networks. Unfortunately other software to proxy/relay DHCPv6 and RA cannot handle it properly. It is basically possible to also advertise the router's global address (see here: http://www.macfreek.nl/memory/Non-Local_IPv6_Router_Advertisement and the RFC here: http://tools.ietf.org/html/rfc6275#section-7.2 ). Is this option also available in dnsmasq? In radvd it is called "AdvRouterAddr on;".

There are two different things here: the router address and the DNS server address.

I think that the router address is always taken as the source address of the RA packets, and therefore has to be link-local.

The DNS server address is advertised as the global address in DHCPv6 and the link-local address in RA, by default. You can force a particular address in RA and DHCPv6 by using dhcp-option; indeed you can specify the option as all zeros to specify the global address. This applies to both DHCPv6 and RA, so

  dhcp-option=option6:dns-server,[::]

will force the DHCPv6 DNS address to be the global address (no change) and the RA DNS address to be the same, which is what you want, I think.

The next release adds the ability to specify link-local, ULA or global addresses.

Cheers,

Simon.

> Many regards,
> Martin
>
>> Kevin Darbyshire-Bryant wrote on 21 January 2014 at 12:16:
>>
>> On 21/01/2014 10:40, Martin Babutzka wrote:
>>> Hello,
>>>
>>> We are using this great piece of software so far as DNS cacher but want to implement it also as IPv6 server by now. DHCPv4 is handled by another software at the moment (isc-dhcp-server) but we think the dnsmasq 2.62-3 is quite suitable for our need of a DHCPv6 and RA server.
>>>
>>> I activated the features in dnsmasq.conf which I think should set up a working DHCPv6/RA server (see compressed config file below). From then on the server distributed IPv6 addresses from the correct range. Unfortunately some error occurred: as wanted it also distributed gateway and DNS server, but it used the LINK-LOCAL v6 address of the corresponding interface instead of the global configured address (2010:7d0:904:1202::1). Is this a bug or misconfiguration?
>>>
>>> Another independent question: with this configuration dnsmasq starts to be pretty noisy in the syslog. Is there any option to reduce the verbosity once the system works?
>>
>> v2.68 includes 'quiet-dhcp, quiet-dhcp6 & quiet-ra' options which significantly help the syslog noise.
>>
>> I think it's correct behaviour to advertise the link-local address.
>>
>> Hope that helps.
>>
>> Kevin
Re: [Dnsmasq-discuss] Proposal and sample code: actions replacing ipsets??
Apologies for so-far ignoring this interesting discussion. My brain is currently full of DNSSEC with very little bandwidth for other things. I promise to try and fix that soon.

Cheers,

Simon.
Re: [Dnsmasq-discuss] dhcp-pd, and autoassigned internal interfaces issues
On 21/01/14 16:19, Dave Taht wrote:
> I have finally got my first-ever comcast ipv6 set of users up, and we have a problem with the interrelationship between addresses assigned dynamically by dhcpv6-pd and other means in dnsmasq 2.68.
>
> What happens now is that dhcpv6-pd works but dnsmasq 2.68 filters out the interface
>
>   13: sw00: mtu 1500 qlen 1000
>       inet6 2601:X:Y:9a1::1/64 scope global dynamic
>          valid_lft 182420sec preferred_lft 182420sec
>
> so sends no RAs. Adding a second "stable" interface dnsmasq picks up.
>
>       inet6 2601:3:8180:9a1::2/64 scope global
>          valid_lft forever preferred_lft forever
>
> This check was not in dnsmasq 2.66, and was put in later for fairly sound reasons (like you don't want to start serving RAs on a SLAAC-assigned address), but in the dhcp-pd case or otherwise assigned by the router (6in4) case, we do.
>
> Anyway the below patch "fixes it" but I'd like there to be some clear indicator of where things came from somehow.

Comparing the code in bpf.c (for *BSD) and netlink.c (for Linux) I think it's clear what's meant: exclusion of privacy addresses and addresses installed as a result of RAs received. The patch covers the first of those, but there doesn't seem to be a Linux equivalent of the BSD IN6_IFF_AUTOCONF flag to detect RA-originated addresses. I looked at the kernel source, and there's no candidate I can see. I suspect that this patch is the best that can be done.

Cheers,

Simon.

From 4f55df81d69d20230e18c90d772904372b2b90a4 Mon Sep 17 00:00:00 2001
From: Jonas Gorski
Date: Wed, 8 Jan 2014 11:55:08 +0100
Subject: [PATCH] allow dhcp range construction with non-permanent addresses

The linux kernel treats all addresses with a limited lifetime as being non permanent, but when taking over the prefix lifetimes from upstream assigned prefixes through DHCP, addresses will always have a limited lifetime.

Still reject temporary addresses, as they indicate autoconfigured interfaces.

Contributed by T-Labs, Deutsche Telekom Innovation Laboratories
Signed-off-by: Jonas Gorski --- src/netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/netlink.c b/src/netlink.c index 3be94ee..d5de4ab 100644 --- a/src/netlink.c +++ b/src/netlink.c @@ -265,7 +265,7 @@ int iface_enumerate(int family, void *parm, int (*callback)()) if (ifa->ifa_flags & IFA_F_DEPRECATED) flags |= IFACE_DEPRECATED; -if (ifa->ifa_flags & IFA_F_PERMANENT) +if (!(ifa->ifa_flags & IFA_F_TEMPORARY)) flags |= IFACE_PERMANENT; if (addrp && callback_ok) ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
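Review bot: the flag set at `+if (!(ifa->ifa_flags & IFA_F_TEMPORARY))` is still called IFACE_PERMANENT, but after this change it means "not a privacy address", which is wider than the name says and, as the commit message itself admits, re-admits SLAAC addresses learned from received RAs, the very case the 2.68 check was added to keep out of constructed ranges. Since Simon's reply finds no Linux flag that distinguishes a PD-derived address from an RA-derived one, the change is defensible, but it should say so where it matters: either rename the flag (IFACE_NOT_TEMPORARY, say) or put a comment on the `+` line recording that on Linux this deliberately accepts autoconfigured addresses, and add a sentence to the man page for constructor: ranges warning that an interface which also receives upstream RAs will now get ranges built from those prefixes. The BSD path in bpf.c, which Simon says uses IN6_IFF_AUTOCONF for this, now behaves differently from netlink.c, so that divergence deserves a note in the same place.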
[Dnsmasq-discuss] dhcp-pd, and autoassigned internal interfaces issues
I have finally got my first-ever comcast ipv6 set of users up, and we have a problem with the interrelationship between addresses assigned dynamically by dhcpv6-pd and other means in dnsmasq 2.68.

What happens now is that dhcpv6-pd works but dnsmasq 2.68 filters out the interface

  13: sw00: mtu 1500 qlen 1000
      inet6 2601:X:Y:9a1::1/64 scope global dynamic
         valid_lft 182420sec preferred_lft 182420sec

so sends no RAs. Adding a second "stable" interface dnsmasq picks up.

      inet6 2601:3:8180:9a1::2/64 scope global
         valid_lft forever preferred_lft forever

This check was not in dnsmasq 2.66, and was put in later for fairly sound reasons (like you don't want to start serving RAs on a SLAAC-assigned address), but in the dhcp-pd case or otherwise assigned by the router (6in4) case, we do.

Anyway the below patch "fixes it" but I'd like there to be some clear indicator of where things came from somehow.

From 4f55df81d69d20230e18c90d772904372b2b90a4 Mon Sep 17 00:00:00 2001
From: Jonas Gorski
Date: Wed, 8 Jan 2014 11:55:08 +0100
Subject: [PATCH] allow dhcp range construction with non-permanent addresses

The linux kernel treats all addresses with a limited lifetime as being non permanent, but when taking over the prefix lifetimes from upstream assigned prefixes through DHCP, addresses will always have a limited lifetime.

Still reject temporary addresses, as they indicate autoconfigured interfaces.

Contributed by T-Labs, Deutsche Telekom Innovation Laboratories

Signed-off-by: Jonas Gorski
---
 src/netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/netlink.c b/src/netlink.c index 3be94ee..d5de4ab 100644 --- a/src/netlink.c +++ b/src/netlink.c
@@ -265,7 +265,7 @@ int iface_enumerate(int family, void *parm, int (*callback)()) if (ifa->ifa_flags & IFA_F_DEPRECATED) flags |= IFACE_DEPRECATED; -if (ifa->ifa_flags & IFA_F_PERMANENT) +if (!(ifa->ifa_flags & IFA_F_TEMPORARY)) flags |= IFACE_PERMANENT; if (addrp && callback_ok) -- Dave Täht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
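To see what the two rules in this thread accept, the added example below (not dnsmasq code, not from the patch) classifies the addresses `ip -6 addr show` reports the way netlink.c would under dnsmasq 2.68 (IFA_F_PERMANENT required) and under the patch (merely not IFA_F_TEMPORARY). The interface listing is constructed with documentation prefixes; the flag words are the ones iproute2 prints, which correspond to the IFA_F_* bits in the hunk (`dynamic` is printed when IFA_F_PERMANENT is clear, `temporary` for IFA_F_TEMPORARY, `deprecated` for IFA_F_DEPRECATED). Restricting to `scope global` is an assumption of this example, since the thread only talks about global addresses.

```python
"""Classify IPv6 addresses from `ip -6 addr show` under the two netlink.c
rules discussed in the thread: dnsmasq 2.68 (address must be permanent,
i.e. not shown as `dynamic`) versus the patch (address must merely not be
`temporary`).

Added example, not dnsmasq code. The interface listing below is constructed
with documentation prefixes.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

SAMPLE_IP_ADDR = """\
13: sw00: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qlen 1000
    inet6 2001:db8:aaaa:9a1::1/64 scope global dynamic
       valid_lft 182420sec preferred_lft 182420sec
    inet6 2001:db8:bbbb:9a1::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:cccc:1:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86400sec preferred_lft 14400sec
    inet6 2001:db8:cccc:1:a1b2:c3d4:e5f6:7788/64 scope global temporary dynamic
       valid_lft 86400sec preferred_lft 14400sec
    inet6 2001:db8:dddd::1/64 scope global deprecated dynamic
       valid_lft 3600sec preferred_lft 0sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Flag words iproute2 prints after the scope; anything else on the line is ignored.
KNOWN_FLAGS = {"dynamic", "temporary", "deprecated", "tentative", "dadfailed",
               "mngtmpaddr", "noprefixroute", "home", "optimistic"}


@dataclass
class Inet6:
    iface: str
    address: str
    prefixlen: int
    scope: str
    flags: Set[str] = field(default_factory=set)


_IFACE_RE = re.compile(r"^\d+: (\S+?):")
_INET6_RE = re.compile(r"^\s+inet6 ([0-9a-f:]+)/(\d+) scope (\S+)(.*)$")


def parse_ip_addr(text: str) -> List[Inet6]:
    """Parse `ip -6 addr show` output; the valid_lft lines are skipped."""
    out, iface = [], "?"
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET6_RE.match(line)
        if m:
            flags = {t for t in m.group(4).split() if t in KNOWN_FLAGS}
            out.append(Inet6(iface, m.group(1), int(m.group(2)), m.group(3), flags))
    return out


def eligible_268(a: Inet6) -> bool:
    """dnsmasq 2.68 rule as visible in the hunk: IFA_F_PERMANENT required,
    so a `dynamic` address (PD-derived or SLAAC alike) is rejected."""
    return a.scope == "global" and "dynamic" not in a.flags


def eligible_patched(a: Inet6) -> bool:
    """Patched rule: anything that is not IFA_F_TEMPORARY counts. This admits
    the PD-derived address the thread wants, but also the SLAAC address."""
    return a.scope == "global" and "temporary" not in a.flags


def compare(text: str) -> List[Tuple[str, bool, bool]]:
    """Return (address, eligible under 2.68, eligible under patch) per address."""
    return [(a.address, eligible_268(a), eligible_patched(a)) for a in parse_ip_addr(text)]


if __name__ == "__main__":
    for addr, old, new in compare(SAMPLE_IP_ADDR):
        print(f"{addr:45} 2.68={old!s:5} patched={new!s:5}")
```

Feed it `ip -6 addr show dev sw00` on the router. The third sample address (an EUI-64 address marked `dynamic mngtmpaddr`, the shape of an address installed from a received RA) is rejected by 2.68 and accepted by the patch exactly like the PD-derived one, which is the distinction Simon says the Linux flags cannot express; so keep constructor: ranges on interfaces that face only the LAN and never receive upstream RAs.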
Re: [Dnsmasq-discuss] Proposal and sample code: actions replacing ipsets??
On 20 Jan 2014, at 16:41, Ed W wrote:
> On 18/01/2014 16:59, Lee Essen wrote:
>> Hi,
>>
>> I’ve been a long time user of the ipset functionality of dnsmasq which has been fantastic for selective domain-based routing using iptables. Recently I’ve been looking at using a different device to handle my routing, separate to the dnsmasq instance … obviously that makes it difficult to make use of the ipsets.
>>
>> Specifically I’m looking at a MikroTik device which can maintain its own lists (I’m sure it’s really ipsets under the covers.) In the same way as iptables, it can build “lists” based on src or dst address of incoming packets.
>>
>> I started to look at adjusting the ipset code so that rather than add to sets, it would send a UDP packet to a given address but with a src address matching the address that would have been added to the ipset … in that way you can match specific UDP packets on a different machine and use that to build the “list”. Thus allowing the dnsmasq instance to be separate from your firewall.
>>
>> In the process of trying to modify the code it was easier to add a more generic “action” concept than add individual support for UDP sending. Plus you might want to do other things as well … potentially run a script/lua etc? (obviously with performance considered.)
>>
>> So, I have put together a patch that changes the ipset functionality into “action”, where you can specify either ipset or udp as an action.
>>
>> For example:
>>
>>   action=/google.com/google.co.uk/ipset=fred,udp=1.2.3.4:7800,udp=2.3.4.5:345
>>   action=/sun.com/udp=10.0.0.1:4500
>>
>> It’s only an idea, but I thought rather than keeping it as a personal patch I’d share it and see if anyone thinks it has any merit.
>
> I have a slightly related requirement. I have a router with several internet routes, one might be a very slow (dialup) satellite based service (300 bytes/sec) and another a broadband wifi connection. I need to constrain DNS requests going to the satellite route quite significantly as it's easy to flood the interface (in fact this is happening now as the roundtrip times will often be 10-30 seconds for a response (queues on the remote side) and the request might be repeated multiple times during that period, leading to many duplicate answers and much wasted time).
>
> What I really need is to possibly serve stale data while the dialup connection is offline, and when online rate limit and possibly refuse to serve certain requests, eg virus updaters, push messaging, etc.
>
> Right now I have a situation where I can set up a firewall to allow only POP/SMTP and DNS, but as soon as an ipad/laptop hits the connection, it's getting initially close to saturated with DNS requests for push messages, update IPs, etc (connections to which will later get dropped by the firewall, but the DNS lookups are killing me. We recently saw a badly behaving AV scanner consuming several MB per hour in DNS traffic checking for updates...). Also packets are sent to every upstream DNS server, which is sensible for when on wifi, but is halving the limited bandwidth when on satellite.
>
> I am easing into considering whether to add a DNS proxy so that I can do all kinds of scriptable stuff here, but it seems valuable to try and figure out whether it could be more generally included into dnsmasq.
>
> I guess the generic solution here is something Simon has resisted in the past, but something like an embedded fast interpreter (say lua) which can be hooked into the request and reply chain to make decisions... I guess this is something like squid's ecap. Performance is obviously going to be affected, but I guess such a requirement wouldn't be deployed for high performance situations anyway...
>
> So the more generic solution might cover situations such as:
> - Modify TTL in response
> - Rate limit/deny/route upstream requests based on some aspect of the source request
> - Perform some action based on the response, eg update ipset, custom logging, inform centralised fail2ban instance, etc.
>
> I guess we should start with: has this got any wings at all?
>
> I might be interested in sponsoring Simon to make such an enhancement. (I think we have exchanged emails on a similar idea in the past?) Anyone else want to pitch in?
>
> Ed W

Hi Ed,

I really like Lua so I messed around with some code for this today, at least the reply bit … it’s pretty easy to get some really basic functionality, but there are a whole load of considerations. It would need to be outside of the existing ‘helper’ mechanism for scripts because it needs to wait for a result, plus there are issues with where you hook into, given caching etc.

Actually the more I played with it the more I convinced myself that it’s not such a good idea … at least for trying to implement as an afterthought. If dnsmasq had been bui
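Lee's `udp=` action puts the whole signal in the datagram's source address: the receiver is meant to add whatever address the packet claims to come from to its list. Anyone who can reach that port with a spoofed source can therefore add arbitrary addresses to the routing or allow list. The added example below (not Lee's patch, not dnsmasq code, not the MikroTik side) shows a receiver for that design with two additions that are this example's own assumptions: the payload carries a timestamp, the matched domain and an HMAC-SHA256 over (source address, timestamp, domain) under a key shared with the dnsmasq host, and listed addresses expire after a TTL. `build_datagram` stands in for what a patched dnsmasq would send.

```python
"""Receiver side for the proposed `udp=` action: each datagram's source
address is the address dnsmasq just resolved, and the receiver turns those
into an address list a firewall can match on.

Added example, not Lee's patch or dnsmasq code. Assumptions beyond the
proposal: the payload is  ts(4 bytes) || domain || HMAC-SHA256(32 bytes)
with the MAC computed over addr || ts || domain under a pre-shared key,
and entries expire after DEFAULT_TTL seconds.
"""
import hashlib
import hmac
import ipaddress
import socket
import struct
import time
from typing import Dict, List, Optional

SHARED_KEY = b"replace-me-with-a-random-32-byte-key"   # assumption: pre-shared with the dnsmasq host
MAX_SKEW = 30          # seconds of clock drift tolerated; bounds replay of a captured datagram
DEFAULT_TTL = 3600     # seconds an address stays listed after its last vouch


def build_datagram(src_ip: str, domain: str, ts: int, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: what a patched dnsmasq would put in the UDP payload."""
    addr = ipaddress.ip_address(src_ip).packed
    ts_bytes = struct.pack("!I", ts)
    mac = hmac.new(key, addr + ts_bytes + domain.encode(), hashlib.sha256).digest()
    return ts_bytes + domain.encode() + mac


class AddressList:
    def __init__(self, key: bytes = SHARED_KEY, ttl: int = DEFAULT_TTL):
        self.key, self.ttl = key, ttl
        self.entries: Dict[str, float] = {}   # address -> expiry time

    def handle(self, src_ip: str, payload: bytes, now: Optional[float] = None) -> Optional[str]:
        """Validate one datagram. Returns the domain it vouched for and lists
        src_ip, or returns None (spoofed source, stale timestamp, bad MAC)."""
        now = time.time() if now is None else now
        if len(payload) < 4 + 1 + 32:
            return None
        ts, = struct.unpack("!I", payload[:4])
        domain, mac = payload[4:-32], payload[-32:]
        if abs(now - ts) > MAX_SKEW:
            return None
        msg = ipaddress.ip_address(src_ip).packed + payload[:4] + domain
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):   # MAC binds the source address
            return None
        self.entries[src_ip] = now + self.ttl
        return domain.decode(errors="replace")

    def active(self, now: Optional[float] = None) -> List[str]:
        """Drop expired entries and return the live list, sorted."""
        now = time.time() if now is None else now
        self.entries = {a: e for a, e in self.entries.items() if e > now}
        return sorted(self.entries)


def serve(bind=("0.0.0.0", 7800)) -> None:
    """Blocking loop: feed each datagram's source address and payload to the list."""
    lst = AddressList()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            payload, (src, _) = s.recvfrom(512)
            dom = lst.handle(src, payload)
            print(f"{'ok' if dom else 'rejected'} {src} {dom or ''} list={lst.active()}")


if __name__ == "__main__":
    serve()
```

Because the MAC covers the source address, a forged datagram with a different source fails the check even if the payload is replayed verbatim, and a replay within the skew window can only re-vouch for the same address it already vouched for, so no nonce store is needed. Without something like this, the port must at least be reachable only from the dnsmasq host with source-address filtering in front of it.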
Re: [Dnsmasq-discuss] dnsmasq 2.62-3 as DHCPv6-Server and RA-Server: Bug sending router's link-local instead of global address as gateway and DNS-server?
Thanks for the replies!

I hesitantly updated to dnsmasq-2.68 since I first wanted to stick to the version provided with Debian wheezy. The quiet options really reduce the amount of syslog messages except for:

  "dnsmasq-dhcp[23663]: no address range available for DHCPv6 request via eth5"

Concerning the link-local addresses it actually looks like this is the default when advertising gateways in local networks. Unfortunately other software to proxy/relay DHCPv6 and RA cannot handle it properly. It is basically possible to also advertise the router's global address (see here: http://www.macfreek.nl/memory/Non-Local_IPv6_Router_Advertisement and the RFC here: http://tools.ietf.org/html/rfc6275#section-7.2 ). Is this option also available in dnsmasq? In radvd it is called "AdvRouterAddr on;".

Many regards,
Martin

> Kevin Darbyshire-Bryant wrote on 21 January 2014 at 12:16:
>
> On 21/01/2014 10:40, Martin Babutzka wrote:
>> Hello,
>>
>> We are using this great piece of software so far as DNS cacher but want to implement it also as IPv6 server by now. DHCPv4 is handled by another software at the moment (isc-dhcp-server) but we think the dnsmasq 2.62-3 is quite suitable for our need of a DHCPv6 and RA server.
>>
>> I activated the features in dnsmasq.conf which I think should set up a working DHCPv6/RA server (see compressed config file below). From then on the server distributed IPv6 addresses from the correct range. Unfortunately some error occurred: as wanted it also distributed gateway and DNS server, but it used the LINK-LOCAL v6 address of the corresponding interface instead of the global configured address (2010:7d0:904:1202::1). Is this a bug or misconfiguration?
>>
>> Another independent question: with this configuration dnsmasq starts to be pretty noisy in the syslog. Is there any option to reduce the verbosity once the system works?
>
> v2.68 includes 'quiet-dhcp, quiet-dhcp6 & quiet-ra' options which significantly help the syslog noise.
>
> I think it's correct behaviour to advertise the link-local address.
>
> Hope that helps.
>
> Kevin
Re: [Dnsmasq-discuss] dnsmasq 2.62-3 as DHCPv6-Server and RA-Server: Bug sending router's link-local instead of global address as gateway and DNS-server?
On 21/01/2014 10:40, Martin Babutzka wrote:
> Hello,
>
> We are using this great piece of software so far as DNS cacher but want to implement it also as IPv6 server by now. DHCPv4 is handled by another software at the moment (isc-dhcp-server) but we think the dnsmasq 2.62-3 is quite suitable for our need of a DHCPv6 and RA server.
>
> I activated the features in dnsmasq.conf which I think should set up a working DHCPv6/RA server (see compressed config file below). From then on the server distributed IPv6 addresses from the correct range. Unfortunately some error occurred: as wanted it also distributed gateway and DNS server, but it used the LINK-LOCAL v6 address of the corresponding interface instead of the global configured address (2010:7d0:904:1202::1). Is this a bug or misconfiguration?
>
> Another independent question: with this configuration dnsmasq starts to be pretty noisy in the syslog. Is there any option to reduce the verbosity once the system works?

v2.68 includes 'quiet-dhcp, quiet-dhcp6 & quiet-ra' options which significantly help the syslog noise.

I think it's correct behaviour to advertise the link-local address.

Hope that helps.

Kevin
[Dnsmasq-discuss] dnsmasq 2.62-3 as DHCPv6-Server and RA-Server: Bug sending router's link-local instead of global address as gateway and DNS-server?
Hello,

We are using this great piece of software so far as DNS cacher but want to implement it also as IPv6 server by now. DHCPv4 is handled by another software at the moment (isc-dhcp-server) but we think the dnsmasq 2.62-3 is quite suitable for our need of a DHCPv6 and RA server.

I activated the features in dnsmasq.conf which I think should set up a working DHCPv6/RA server (see compressed config file below). From then on the server distributed IPv6 addresses from the correct range. Unfortunately some error occurred: as wanted it also distributed gateway and DNS server, but it used the LINK-LOCAL v6 address of the corresponding interface instead of the global configured address (2010:7d0:904:1202::1). Is this a bug or misconfiguration?

Another independent question: with this configuration dnsmasq starts to be pretty noisy in the syslog. Is there any option to reduce the verbosity once the system works?

Many thanks,
Martin

Below you can find the compressed dnsmasq config file:

  domain-needed
  strict-order
  except-interface=eth1
  dhcp-range=2010:7d0:904:1202::2, 2010:7d0:904:1202::1000, 64, 12h
  enable-ra
  dhcp-option=option6:dns-server,[::],[1234::88]
  cache-size=4096
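To verify what a server with this configuration actually hands out, and to see the effect of the `dhcp-option=option6:dns-server,[::]` form Simon explains in his reply above, the added example below (not dnsmasq code, not from the thread) decodes the DNS-server addresses carried in a Router Advertisement (RDNSS option, RFC 6106, ND option type 25) and in a DHCPv6 reply (DNS_SERVERS option, RFC 3646, code 23) and reports the scope of each. The two option blobs are constructed: they are the parts of a packet after the fixed RA and DHCPv6 headers, using the addresses from Martin's configuration, with the RA carrying the router's link-local address, the default the thread describes. The second entry in `dhcp-option` is passed through as the DHCPv6 option's second address on the assumption that dnsmasq emits the configured list in order.

```python
"""Decode DNS-server addresses from RA (RDNSS, ND option 25) and DHCPv6
(DNS_SERVERS, option 23) option blocks and classify their scope.

Added example, not dnsmasq code. The option blocks below are constructed.
"""
import ipaddress
import struct
from typing import List, Tuple


def _scope(a: ipaddress.IPv6Address) -> str:
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.ip_network("fc00::/7"):
        return "ula"
    return "global"


def ra_rdnss(options: bytes) -> List[Tuple[str, str, int]]:
    """Walk ND options (type, length in 8-octet units) and return
    (address, scope, lifetime) for every address in RDNSS options."""
    out, i = [], 0
    while i + 2 <= len(options):
        otype, olen = options[i], options[i + 1]
        if olen == 0:                      # RFC 4861: zero length is invalid, stop parsing
            break
        body = options[i + 2 : i + olen * 8]
        if otype == 25 and len(body) >= 6:
            lifetime, = struct.unpack("!I", body[2:6])   # 2 reserved bytes, then lifetime
            addrs = body[6:]
            for k in range(0, len(addrs) - 15, 16):
                a = ipaddress.IPv6Address(addrs[k : k + 16])
                out.append((str(a), _scope(a), lifetime))
        i += olen * 8
    return out


def dhcp6_dns_servers(options: bytes) -> List[Tuple[str, str]]:
    """Walk DHCPv6 options (code16, len16, body) and return (address, scope)
    for every address in DNS_SERVERS options; a truncated option stops parsing."""
    out, i = [], 0
    while i + 4 <= len(options):
        code, olen = struct.unpack("!HH", options[i : i + 4])
        body = options[i + 4 : i + 4 + olen]
        if len(body) < olen:
            break
        if code == 23:
            for k in range(0, olen - 15, 16):
                a = ipaddress.IPv6Address(body[k : k + 16])
                out.append((str(a), _scope(a)))
        i += 4 + olen
    return out


def _nd_option(otype: int, body: bytes) -> bytes:
    """Build one ND option; header plus body must be a multiple of 8 octets."""
    return bytes([otype, (2 + len(body)) // 8]) + body


LINK_LOCAL = ipaddress.IPv6Address("fe80::1")               # router's link-local (constructed)
GLOBAL = ipaddress.IPv6Address("2010:7d0:904:1202::1")      # from Martin's configuration
SECOND = ipaddress.IPv6Address("1234::88")                  # second dns-server in his dhcp-option

# Constructed RA option block: a prefix-information option (type 3, skipped by
# the decoder) followed by RDNSS carrying the link-local address.
SAMPLE_RA_OPTIONS = (
    _nd_option(3, b"\x40\xc0" + struct.pack("!III", 86400, 14400, 0)
               + ipaddress.IPv6Address("2010:7d0:904:1202::").packed)
    + _nd_option(25, b"\x00\x00" + struct.pack("!I", 1800) + LINK_LOCAL.packed)
)
# Constructed DHCPv6 option block: a server-id option (code 2) stub, then
# DNS_SERVERS with the global address plus the second configured server.
SAMPLE_DHCP6_OPTIONS = (
    struct.pack("!HH", 2, 4) + b"\x00\x01\x00\x01"
    + struct.pack("!HH", 23, 32) + GLOBAL.packed + SECOND.packed
)

if __name__ == "__main__":
    print("RA RDNSS   :", ra_rdnss(SAMPLE_RA_OPTIONS))
    print("DHCPv6 DNS :", dhcp6_dns_servers(SAMPLE_DHCP6_OPTIONS))
```

On a live network, capture an RA and a DHCPv6 Reply with `tcpdump -ni eth5 -x 'icmp6 or udp port 547'`, strip the fixed headers and pass the remaining bytes to these two functions; with `dhcp-option=option6:dns-server,[::]` in place the RDNSS entry should come back as `global` rather than `link-local`.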
[Dnsmasq-discuss] How to reload changes to /etc/dnsmasq.d/mydomain without restarting DNSMASQ
Hi,

Is it possible to reload changes (e.g. new IP / DNS for mydomain) without restarting dnsmasq? If possible I'd like it to re-read the /etc/dnsmasq.d/mydomain file for changes (new IPs / DNS entries) without restarting dnsmasq (and causing problems for my network users as DNS resolution will drop).

I've read that this doesn't seem to be possible due to the way dnsmasq starts, but I can't confirm that.

Any help would be appreciated.

Thanks and Regards,