[Dnsmasq-discuss] Bug: getting upstream ipv6 responses when only have local ipv6
Hi,

I've been using dnsmasq on openwrt/lede and run into an issue. openwrt/lede has dual stack enabled by default, which means that the local network has both ipv4 and ipv6. However I do not have an ipv6 tunnel or an ISP with ipv6 upstream, so I end up with a situation where I get replies to DNS queries, but end up with connection errors due to lack of external ipv6. This occurs at least with Ubuntu (Windows doesn't have the same issue because of its DNS check to verify internet access with ipv6).

It'd be good to be able to configure dnsmasq to serve only local ipv6 addresses (e.g. from hosts) but not use upstream records.

Regards,
Daniel
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] dnscrypt -dnssec problems
On May 25, 2016, at 4:08 PM, wkitt...@gmail.com wrote:

> On 05/25/2016 03:24 PM, Johnny Appleseed wrote:
>> dig +dnssec wikipedia.org
>> ;; Truncated, retrying in TCP mode.
>>
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>
> why is this EDNS udp 4096 but
>
> [...]
>> dig +dnssec wikipedia.org
>>
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1280
>
> this one is only 1280??

It would seem the "EDNS ... udp: 4096" query is using dnscrypt-proxy but the "EDNS ... udp: 1280" query is not.

Johnny, possibly you need "no-resolv" in your dnsmasq.conf?

I assume you have something like:
--
server=127.0.0.1#2053
--
pointing to your dnscrypt-proxy instance.

You may also look into using "proxy-dnssec" if you trust your upstream server's DNSSEC since it is traveling over a secure dnscrypt-proxy connection.

Lonnie
Re: [Dnsmasq-discuss] dnscrypt -dnssec problems
On 05/25/2016 03:24 PM, Johnny Appleseed wrote:
> dig +dnssec wikipedia.org
> ;; Truncated, retrying in TCP mode.
>
> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096

why is this EDNS udp 4096 but

[...]
> dig +dnssec wikipedia.org
>
> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1280

this one is only 1280??

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
Re: [Dnsmasq-discuss] HELP: gives BOGUS for valid RR with no DNSSEC
On 25/05/16 19:07, Johnny Appleseed wrote:
> I'm using the -DNSSEC option and it keeps giving me BOGUS for sites like wikipedia.org or others. If I stop/restart sometimes it clears up, or I remove the check no-sign flag, but then I'm not checking unsigned websites for RR.

Is the system clock set correctly?

What other dnssec related options are you using?
[Dnsmasq-discuss] dnscrypt -dnssec problems
dig +dnssec wikipedia.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;wikipedia.org.                 IN      A

;; Query time: 391 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 25 13:17:10 2016
;; MSG SIZE rcvd: 42

dig +dnssec wikipedia.org

; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
;; QUESTION SECTION:
;wikipedia.org.                 IN      A

;; ANSWER SECTION:
wikipedia.org.          3       IN      A       91.198.174.192

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed May 25 13:23:38 2016
;; MSG SIZE rcvd: 58

WHY??? WTF
[Dnsmasq-discuss] HELP: BOGUS for valid RR and NO DS with no DNSSEC
7 dnsmasq[6693]: cached nk11-p00-imap.mail.me.com.akadns.net is NODATA-IPv6
May 25 13:06:20 dnsmasq[6693]: query[A] wikipedia.org from 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: forwarded wikipedia.org to 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: query[A] www.wikipedia.org from 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: forwarded www.wikipedia.org to 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: dnssec-query[DNSKEY] org to 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: dnssec-query[DNSKEY] org to 127.0.0.1
May 25 13:06:20 dnsmasq[6693]: reply wikipedia.org is 91.198.174.192
May 25 13:06:20 dnsmasq[6726]: query[A] wikipedia.org from 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: reply www.wikipedia.org is 91.198.174.192
May 25 13:06:21 dnsmasq[6727]: query[A] www.wikipedia.org from 127.0.0.1
May 25 13:06:21 dnsmasq[6726]: forwarded wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6726]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6726]: validation wikipedia.org is BOGUS
May 25 13:06:21 dnsmasq[6726]: reply wikipedia.org is 91.198.174.192
May 25 13:06:21 dnsmasq[6693]: query[A] wikipedia.org from 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: forwarded wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6727]: forwarded www.wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6727]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6727]: validation www.wikipedia.org is BOGUS
May 25 13:06:21 dnsmasq[6727]: reply www.wikipedia.org is 91.198.174.192
May 25 13:06:21 dnsmasq[6693]: query[A] www.wikipedia.org from 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: forwarded www.wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: dnssec-query[DNSKEY] org to 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: dnssec-query[DNSKEY] org to 127.0.0.1
May 25 13:06:21 dnsmasq[6693]: reply wikipedia.org is 91.198.174.192
May 25 13:06:21 dnsmasq[6728]: query[A] wikipedia.org from 127.0.0.1
May 25 13:06:22 dnsmasq[6693]: reply www.wikipedia.org is 91.198.174.192
May 25 13:06:22 dnsmasq[6729]: query[A] www.wikipedia.org from 127.0.0.1
May 25 13:06:22 dnsmasq[6728]: forwarded wikipedia.org to 127.0.0.1
May 25 13:06:22 dnsmasq[6728]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:22 dnsmasq[6728]: validation wikipedia.org is BOGUS
May 25 13:06:22 dnsmasq[6728]: reply wikipedia.org is 91.198.174.192
May 25 13:06:22 dnsmasq[6729]: forwarded www.wikipedia.org to 127.0.0.1
May 25 13:06:22 dnsmasq[6729]: dnssec-query[DS] wikipedia.org to 127.0.0.1
May 25 13:06:22 dnsmasq[6729]: validation www.wikipedia.org is BOGUS
May 25 13:06:22 dnsmasq[6729]: reply www.wikipedia.org is 91.198.174.192
[Dnsmasq-discuss] BOGUS wikipedia STOP/RESTART Now working?
5 13:20:28 dnsmasq[6813]: reply www.verisign.com is 72.13.63.55
May 25 13:20:46 dnsmasq[6813]: query[A] wikipedia.org from 127.0.0.1
May 25 13:20:46 dnsmasq[6813]: forwarded wikipedia.org to 127.0.0.1
May 25 13:20:47 dnsmasq[6813]: validation result is INSECURE
May 25 13:20:47 dnsmasq[6813]: reply wikipedia.org is 91.198.174.192
May 25 13:20:51 dnsmasq[6813]: query[A] csi.gstatic.com from 127.0.0.1

why? Almost every time I restart I have to play with dnsmasq because it's giving BOGUS for known websites. This is not reliable if this is doing this all the time.
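A triage sketch for the validation results in the logs posted above, added here as an example and not part of any post or of dnsmasq itself: it parses the "validation ... is ..." lines, groups the outcomes per name and process ID, and lists names whose status changes within one log. The sample lines are excerpted from the two posts; attributing a nameless "validation result is ..." line to that process's most recent query is an assumption of this example.

```python
import re
from collections import defaultdict

# Sample input: lines excerpted from the logs quoted in the two posts above.
SAMPLE_LOG = """\
May 25 13:06:20 dnsmasq[6726]: query[A] wikipedia.org from 127.0.0.1
May 25 13:06:21 dnsmasq[6727]: query[A] www.wikipedia.org from 127.0.0.1
May 25 13:06:21 dnsmasq[6726]: forwarded wikipedia.org to 127.0.0.1
May 25 13:06:21 dnsmasq[6726]: validation wikipedia.org is BOGUS
May 25 13:06:21 dnsmasq[6726]: reply wikipedia.org is 91.198.174.192
May 25 13:06:21 dnsmasq[6727]: validation www.wikipedia.org is BOGUS
May 25 13:20:46 dnsmasq[6813]: query[A] wikipedia.org from 127.0.0.1
May 25 13:20:47 dnsmasq[6813]: validation result is INSECURE
May 25 13:20:47 dnsmasq[6813]: reply wikipedia.org is 91.198.174.192
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[\w+\] (?P<name>\S+) from ")
VALID_RE = re.compile(r"^validation (?P<name>\S+) is (?P<status>[A-Z]+)")

def validation_events(text):
    """Return (timestamp, pid, name, status) for every validation line."""
    last_query = {}  # pid -> most recent name queried by that process
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # truncated or foreign line: skip rather than guess
        pid, msg = int(m["pid"]), m["msg"]
        q, v = QUERY_RE.match(msg), VALID_RE.match(msg)
        if q:
            last_query[pid] = q["name"]
        elif v:
            name = v["name"]
            if name == "result":
                # Assumption of this example: the nameless form refers to
                # the last query logged by the same process ID.
                name = last_query.get(pid, "?")
            events.append((m["ts"], pid, name, v["status"]))
    return events

def summarize(events):
    """Map name -> {status: sorted pids} to separate steady from changing results."""
    table = defaultdict(lambda: defaultdict(set))
    for _ts, pid, name, status in events:
        table[name][status].add(pid)
    return {n: {s: sorted(p) for s, p in st.items()} for n, st in table.items()}

def flapping(summary):
    """Names that appear with more than one validation status in the log."""
    return sorted(n for n, st in summary.items() if len(st) > 1)

if __name__ == "__main__":
    report = summarize(validation_events(SAMPLE_LOG))
    print(report, "flapping:", flapping(report))
```

A name that is BOGUS on every attempt and a name that alternates between BOGUS and another status call for different follow-up, which is why the summary keeps the process IDs alongside each status.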
[Dnsmasq-discuss] Segmentation fault with newest dnsmasq 2.76
Hi,

I've noticed that dnsmasq gets killed once a VPN client (SoftEther VPN with bridge configuration) tries to acquire an IP.

● dnsmasq.service - A lightweight DHCP and caching DNS server
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: failed (Result: signal) since Mi 2016-05-25 20:16:02 CEST; 13s ago
     Docs: man:dnsmasq(8)
  Process: 10868 ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file (code=killed, signal=SEGV)
  Process: 10863 ExecStartPre=/usr/bin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 10868 (code=killed, signal=SEGV)

Mai 25 20:14:41 raspberry dnsmasq-dhcp[10868]: read /etc/ethers - 22 addresses
Mai 25 20:14:41 raspberry systemd[1]: Started A lightweight DHCP and caching DNS server.
Mai 25 20:16:02 raspberry dnsmasq-dhcp[10868]: DHCPDISCOVER(br0) ca:53:c6:b7:2d:59
Mai 25 20:16:02 raspberry dnsmasq-dhcp[10868]: DHCPOFFER(br0) 192.168.188.20 ca:53:c6:b7:2d:59
Mai 25 20:16:02 raspberry systemd[1]: dnsmasq.service: Main process exited, code=killed, status=11/SEGV
Mai 25 20:16:02 raspberry systemd[1]: dnsmasq.service: Unit entered failed state.
Mai 25 20:16:02 raspberry systemd[1]: dnsmasq.service: Failed with result 'signal'.

This did not happen with 2.75 and before:

● dnsmasq.service - A lightweight DHCP and caching DNS server
   Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; vendor preset: disabled)
   Active: active (running) since Mi 2016-05-25 20:16:55 CEST; 4min 38s ago
     Docs: man:dnsmasq(8)
  Process: 11011 ExecStartPre=/usr/bin/dnsmasq --test (code=exited, status=0/SUCCESS)
 Main PID: 11018 (dnsmasq)
    Tasks: 1 (limit: 512)
   CGroup: /system.slice/dnsmasq.service
           └─11018 /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file

Mai 25 20:16:55 raspberry dnsmasq[11018]: read /etc/hosts - 26 addresses
Mai 25 20:16:55 raspberry dnsmasq-dhcp[11018]: read /etc/ethers - 22 addresses
Mai 25 20:17:05 raspberry dnsmasq-dhcp[11018]: DHCPDISCOVER(br0) ca:53:c6:b7:2d:59
Mai 25 20:17:05 raspberry dnsmasq-dhcp[11018]: DHCPOFFER(br0) 192.168.188.20 ca:53:c6:b7:2d:59
Mai 25 20:17:05 raspberry dnsmasq-dhcp[11018]: DHCPREQUEST(br0) 192.168.188.20 ca:53:c6:b7:2d:59
Mai 25 20:17:05 raspberry dnsmasq-dhcp[11018]: DHCPACK(br0) 192.168.188.20 ca:53:c6:b7:2d:59 w987098
Mai 25 20:17:05 raspberry dnsmasq-dhcp[11018]: DHCPINFORM(br0) 192.168.188.20 00:8e:18:1b:1f:35:58:f2:42:b4:be:95:a7:32:34:8e:23
Mai 25 20:17:05 raspberry dnsmasq-dhcp[11018]: DHCPACK(br0) 192.168.188.20 00:8e:18:1b:1f:35:58:f2:42:b4:be:95:a7:32:34:8e:23 w987098

I'm using RPi3 with Arch Linux arm. I just want to give you this for your information; if you need further please let me know.

Best Regards,
Andreas
[Dnsmasq-discuss] HELP: gives BOGUS for valid RR with no DNSSEC
I'm using the -DNSSEC option and it keeps giving me BOGUS for sites like wikipedia.org or others. If I stop/restart sometimes it clears up, or I remove the check no-sign flag, but then I'm not checking unsigned websites for RR.
Re: [Dnsmasq-discuss] dnsmasq lease file not updating properly
Hi,

On Wed, 25 May 2016 19:17:31 +0530, Gopi Krishna M wrote:

> Hi All,
>
> I have been using dnsmasq 2.70 version as dhcp server for ipv4 and
> ipv6. My lease file is not getting updated properly when
> running dnsmasq. It is updating properly for ipv4 but not correct
> for ipv6.
>
> #cat /etc/dnsmasq_new.leases
> 2082886681 00:80:48:4b:83:12 192.168.10.161 host-mysy *
> duid 00:01:00:01:43:b8:34:78:00:80:a3:a0:bb:38
> 2082843195 1212908306 *18:2001:2002:2003:: **
> 00:01:00:01:00:80:10:7e:ea:09
>
> It is marked as above and its actual lease ip is
> *2001:2002:2003::10a* but it's not showing. Meanwhile even if we
> connect multiple clients then the same *18:2001:2002:2003:: *is
> getting repeated. Meanwhile it is not showing the
> proper mac also.
>
> for your kind ref:
>
> config file
> # cat /etc/dnsmasq_gateway.conf
> interface=lan0
> except-interface=lo
> bind-interfaces
> dhcp-range=192.168.10.20, 192.168.10.254, 14h
> dhcp-range=2001:2002:2003::105, 2001:2002:2003::110, 64, 14h
> enable-ra
>
> Interface IP: 192.168.10.1
> IPv6: 2001:2002:2003::100
>
> running as
>
> *dnsmasq -C /etc/dnsmasq_gateway.conf -l /etc/dnsmasq_new.leases*
> Please tell your suggestions.
>
> Note: Clients are getting IPv4 and IPv6 properly. Everything is fine
> apart from updating the lease file. Compiled for ARM(linux 3.10)
>
> Thanks in advance.
>
> Regards,
> Gopi krishna M

(anyone feel free to correct me if I got the following wrong)

You are using SLAAC for IPv6 configuration. In this mode, it is the client, not the DHCP server, which selects its own IPv6. Therefore there are no actual IPv6 leases: dnsmasq just informs the client about the /64 subnet under which the client, not dnsmasq, shall select its address; the client does not inform dnsmasq back. This is /probably/ why the actual address does not show up in the lease file.

If you want dnsmasq to control which address the client receives (and possibly log this in the lease file) then you should use DHCPv6 rather than SLAAC.

Best regards,
--
Albert.
[Dnsmasq-discuss] dnsmasq lease file not updating properly
Hi All,

I have been using dnsmasq 2.70 version as dhcp server for ipv4 and ipv6. My lease file is not getting updated properly when running dnsmasq. It is updating properly for ipv4 but not correct for ipv6.

#cat /etc/dnsmasq_new.leases
2082886681 00:80:48:4b:83:12 192.168.10.161 host-mysy *
duid 00:01:00:01:43:b8:34:78:00:80:a3:a0:bb:38
2082843195 1212908306 *18:2001:2002:2003:: ** 00:01:00:01:00:80:10:7e:ea:09

It is marked as above and its actual lease ip is *2001:2002:2003::10a* but it's not showing. Meanwhile even if we connect multiple clients then the same *18:2001:2002:2003:: *is getting repeated. Meanwhile it is not showing the proper mac also.

for your kind ref:

config file
# cat /etc/dnsmasq_gateway.conf
interface=lan0
except-interface=lo
bind-interfaces
dhcp-range=192.168.10.20, 192.168.10.254, 14h
dhcp-range=2001:2002:2003::105, 2001:2002:2003::110, 64, 14h
enable-ra

Interface IP: 192.168.10.1
IPv6: 2001:2002:2003::100

running as

*dnsmasq -C /etc/dnsmasq_gateway.conf -l /etc/dnsmasq_new.leases*

Please tell your suggestions.

Note: Clients are getting IPv4 and IPv6 properly. Everything is fine apart from updating the lease file. Compiled for ARM(linux 3.10)

Thanks in advance.

Regards,
Gopi krishna M