Re: [Dnsmasq-discuss] Network booting with stateful IPv6 addressing

2017-03-06 Thread Simon Kelley


On 01/03/17 15:27, Derek Higgins wrote:
> On 28 February 2017 at 18:24, Simon Kelley wrote:
>> On 28/02/17 17:10, Derek Higgins wrote:
>>> On 28 February 2017 at 16:43, Simon Kelley wrote:
>>>> Could you post (or send to me) your complete dnsmasq configuration.
>>>
>>> Here you go http://paste.openstack.org/show/600808/
>>>
>>>> I'd expect, if the IP address associated with the MAC address is in
>>>> use, for dnsmasq to log that and use a dynamically allocated address
>>>> instead.
>>>
>>> Looking at it now, the addition of the static keyword in dhcp-range
>>> would be preventing this happening
>>
>> Indeed. That explains that effect.
>>
>>>> Why not nail the IP address using the client-id of the final OS
>>>> booted, rather than using MAC addresses?
>>>
>>> I've been trying to get this to work within the constraints of how
>>> openstack neutron starts dnsmasq, when neutron starts a new instance
>>> it doesn't know (if I understand things correctly) what the client-id
>>> will be, so MAC would be the only way it can associate a particular
>>> VM to a IP address.
>>
>> Sigh. This has always been a problem, and it's got worse, not better,
>> in the move to IPv6.
>>
>> For DHCPv4, where MAC addresses are pretty much compulsory, there's a
>> hack where client is allowed to either present or not a client-id, as
>> long as the MAC address is identical. (It's not allowed to present two
>> different client-ids, however.)
>>
>> For DHCPv6, it's difficult to rely on the MAC address, since it's only
>> made available at all by using nasty ARP-snooping hacks. Plus the MAC
>> address to client-id function is less well defined. Then we have the
>> problem that provisioning systems know about MAC addresses, but not
>> client-ids.
>>
>> The only possible solution I can come up with is to add filtering of
>> dhcp-host lines by tag. You could thereby arrange that the dhcp-host
>> line only applied to the final OS boot, and the earlier steps could be
>> left to get dynamically allocated addresses. That would require a
>> way to set a tag on the final (OS) dhcp request, but that's almost
>> certainly possible; you're halfway there with the ipxe6 tag.
>
> I'll take a look into getting this to work in the env I'm using.
>
> I'd imagine this is a common enough case, is there an argument here to
> add a dnsmasq flag to allow the IDs to change? If so I'd be happy to
> work on a patch.

Allowing the IDs to change is a bad idea, since in DHCPv6 they are the
only thing that identifies a client. If you lease an address to a
CLID/IAID combo, then you can't lease it to another CLID/IAID until that
lease has expired. The same applies to DHCPv4, but in some cases,
because MAC addresses are much more strongly associated with clients in
DHCPv4 land, you can get away with it, as I explained.

The solution I'm proposing is to allow dhcp-host to be conditional on a
tag that can be set only when the final OS boots, so that the
intermediate boot stages can get dynamically allocated addresses and the
leases for those just expire. The trick is to find a way of
distinguishing the PXE/bootloader DHCP requests from the OS ones, using
dhcp-match and/or tag-if to do the inspection and logic. As you have the
test harness there, that would be a useful thing to look at. The patch
to dnsmasq to allow dhcp-host to be conditional on a tag is trivial.

Cheers,

Simon.





>> Cheers,
>>
>> Simon.
>>
>>>> Cheers,
>>>>
>>>> Simon.
>>>>
>>>> On 28/02/17 10:07, Derek Higgins wrote:
>>>>> On 27 February 2017 at 21:51, Simon Kelley wrote:
>>>>>> I'm slightly confused as to the problem here. The identity of a
>>>>>> lease is defined by the Client-ID and IAID, if those change then
>>>>>> dnsmasq will allocate a new address. That means that your boot
>>>>>> process will go through three different addresses, but should end
>>>>>> up with a usable and stable address. It's not as if there is a
>>>>>> shortage of IPv6 addresses, you can afford a couple of disposable
>>>>>> addresses that only get used during the boot.
>>>>>>
>>>>>> What have I missed?
>>>>>
>>>>> IPs are being allocated to the MAC addresses in question via a
>>>>> hostfile (see below), so I guess dnsmasq is attempting to allocate
>>>>> the same IP address multiple times, as it's the same MAC but can't
>>>>> because of the changing IDs.
>>>>>
>>>>> This is dnsmasq as configured by openstack neutron
>>>>>
>>>>> bash-4.2$ cat /var/lib/neutron/dhcp/5cf3b57b-72a3-4044-9528-1f5019e21826/host
>>>>> fa:16:3e:59:ef:60,host-fc00-101--2,[fc00:101::2]
>>>>> fa:16:3e:d8:9e:dd,host-fc00-101--3,[fc00:101::3]
>>>>> fa:16:3e:d2:03:61,host-fc00-101--8,[fc00:101::8],set:ccbc492d-7b5d-4f9a-891c-92d66828f6dd
>>>>> fa:16:3e:69:89:d5,host-fc00-101--b,[fc00:101::b],set:ea1e2384-7ed7-4956-
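The configuration Simon proposes above, written out as an added example (it is not from the thread and not dnsmasq's own documentation): the dhcp-host lines carry a tag: filter that only the final OS's request satisfies, the PXE and iPXE stages fall into a dynamic pool whose leases simply expire, and the tagging is done with dhcp-vendorclass, dhcp-userclass and tag-if. It assumes a dnsmasq build that supports tag filtering on dhcp-host (the feature Simon calls a trivial patch; it is not in the dnsmasq of this thread), UEFI PXE firmware that sends DHCPv6 vendor class option 16 with enterprise number 343 and the string PXEClient, and an iPXE build that sends the user class iPXE. The MAC addresses, hostnames and fixed addresses are the ones from Derek's host file; the dynamic pool fc00:101::100 to fc00:101::1ff is made up for the example.

```conf
# Added example, not from the thread or from dnsmasq's documentation.
# Assumes: dhcp-host accepts a tag:<tag> filter (post-thread feature),
# PXE firmware sends DHCPv6 vendor class (option 16, enterprise 343,
# "PXEClient"), iPXE sends user class "iPXE".

# Tag the firmware (PXE) requests and the iPXE requests.
dhcp-vendorclass=set:pxe6,enterprise:343,PXEClient
dhcp-userclass=set:ipxe6,iPXE

# A request that is neither is taken to be the installed OS.
# "tag:!x" is satisfied when tag x is NOT set.
tag-if=set:osboot,tag:!pxe6,tag:!ipxe6

# Dynamic pool for the intermediate boot stages. No "static" keyword:
# that keyword is what stopped dnsmasq falling back to a dynamic
# address in Derek's setup. Short lease so the throwaway addresses
# are freed quickly. (Pool range is made up for the example.)
dhcp-range=fc00:101::100,fc00:101::1ff,64,2h

# Fixed addresses, applied only when the osboot tag is set. The boot
# stages present the same MAC but never match these lines, so their
# CLID/IAID never takes the fixed address and the OS can get it.
dhcp-host=fa:16:3e:59:ef:60,tag:osboot,host-fc00-101--2,[fc00:101::2]
dhcp-host=fa:16:3e:d8:9e:dd,tag:osboot,host-fc00-101--3,[fc00:101::3]
dhcp-host=fa:16:3e:d2:03:61,tag:osboot,host-fc00-101--8,[fc00:101::8]
dhcp-host=fa:16:3e:69:89:d5,tag:osboot,host-fc00-101--b,[fc00:101::b]

# Log every DHCP transaction with the tags that matched, so the
# classification can be verified per request.
log-dhcp
```

With log-dhcp on, every DHCPv6 request is logged together with a "tags:" line, and that is the first thing to check: the firmware and iPXE requests must show pxe6 or ipxe6 and never osboot, otherwise an early stage's lease can still hold the fixed address when the OS asks for it. Whether a given firmware really sends the PXEClient vendor class is not something this configuration can assume for you; confirm it from those log lines before relying on the tag.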


Re: [Dnsmasq-discuss] [PATCH 2/2] rev-server: reject CIDR prefixes that are not /8 /16 /24 or /32 for IPv4

2017-03-06 Thread Simon Kelley
Both patches applied.


Cheers,

Simon.


On 05/03/17 10:13, Olivier Gayot wrote:
> The rev-server directive only handles the following CIDR prefixes
> properly: /8, /16, /24, /32.
> 
> Any other value was silently converted to /16 which could result in
> unexpected behaviour.
> 
> This patch rejects any other value instead of making a silent
> conversion.



___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] blocking txt-record

2017-03-06 Thread Jim Alles
OK, so on a network with no mail servers (residential/SMB relying on
WebMail) it may not be an issue.
Is blocking TXT queries possible?

I found this:
"Once the initial DNS response is received by the malware, it then
iterates to the next subdomain which is 'mail'. The malware uses this
domain in another DNS TXT record query to attempt to retrieve the
Stage 4 payload associated with this infection process. The response
to this DNS request results in the transmission of the fourth stage
malware, stored within the TXT record as displayed in Figures 10 and
11. Due to the size of the Stage 4 payload, DNS makes use of TCP for
this transaction."

here: http://blog.talosintelligence.com/2017/03/dnsmessenger.html

I have previously blocked TCP port 53 at my firewall (Untangle NGFW),
and have not observed an ill effect.

OpenDNS (Cisco Umbrella) also has the target domains blocked at this
time. My dnsmasq instance is pointed there for filtering my home
Internet.

This threat appears to be extinguished pretty well, anyway.

regards,
Jim A.

On Mon, Mar 6, 2017 at 3:47 PM, Kurt H Maier wrote:
> On Mon, Mar 06, 2017 at 03:21:53PM -0500, Jim Alles wrote:
>>
>> Can / should dnsmasq be used to block DNS TXT record retrieval?
>
> Blocking TXT queries wholesale will stop many SPF records from getting
> through, which can interfere with email delivery.
>
>

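An added example (not from the thread) of the alternative the replies point to: rather than filtering TXT records wholesale, which as Kurt notes removes the SPF records mail receivers look up, block the specific domains a threat report names and keep query logging on so TXT lookups from the LAN stay visible. The two domain names are placeholders, the upstream addresses are the public OpenDNS resolvers Jim says his instance points at, and the log path is an assumption.

```conf
# Added example, not from the thread. Placeholder domains; upstream is
# the public OpenDNS/Umbrella resolver pair; log path is an assumption.

# Forward everything to the filtering resolver and ignore resolv.conf.
no-resolv
server=208.67.222.222
server=208.67.220.220

# Domains named in the threat report: answer them from local data only.
# With nothing in /etc/hosts for them, every name under the domain
# (including the "mail" subdomain the quoted report describes) gets
# NXDOMAIN and nothing is forwarded upstream.
local=/c2-domain-1.invalid/
local=/c2-domain-2.invalid/

# Log each query with its record type and source address, e.g.
#   query[TXT] mail.c2-domain-1.invalid from 192.0.2.10
# so TXT lookups can be reviewed without blocking the type for everyone.
log-queries
log-facility=/var/log/dnsmasq.log
```

The log line is the check here: a client that issues a burst of TXT queries for one domain, or for successive subdomains of it, stands out in that file even when the domain is not yet on a block list, which is the part of the report's behaviour that a wholesale TXT block would hide rather than surface.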


[Dnsmasq-discuss] blocking txt-record

2017-03-06 Thread Jim Alles
I am looking into murky waters, and have no knowledge of what is under
the surface.

So this may need to be categorized under 'ID10T'.

Can / should dnsmasq be used to block DNS TXT record retrieval?

reference: "DNSMessenger" @ threatpost.com

regards,

Jim A.



[Dnsmasq-discuss] RFE: --domain=#,x.x.x.x/y,local

2017-03-06 Thread Marcos Mello
Today "#" (get domain from resolv.conf) is not accepted when we use
--domain=domain,network,local syntax.

Thanks.


Re: [Dnsmasq-discuss] What's the easiest way to add some names to default dnsmasq in debian/ubuntu?

2017-03-06 Thread Petr Mensik
Hi Chris,

I think you create some file, for example
/etc/NetworkManager/dnsmasq.d/hosts.conf, containing
addn-hosts=/etc/hosts.dnsmasq.
Then you would have to create hosts.dnsmasq with hosts(5) format. Place odin
there.

1.2.3.4   odin

You could use some hook to NetworkManager to create a special file only for
the selected network. But I never did something like that, I cannot help you
with that.

But I think you should try to ask LAN administrator to configure DNS and DHCP 
so that you do not have to invent something yourself.
Maybe there is a name already that you do not know about.

Cheers,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973

- Original Message -
From: "Chris Green" 
To: dnsmasq-discuss@lists.thekelleys.org.uk
Sent: Friday, March 3, 2017 4:49:59 PM
Subject: [Dnsmasq-discuss] What's the easiest way to add some names to default 
dnsmasq in debian/ubuntu?

In Ubuntu systems (and maybe debian, not sure about this) dnsmasq is
run by NetworkManager to provide local DNS, the process shows up as:-

nobody1470  1022  0 15:01 ?00:00:00 /usr/sbin/dnsmasq 
--no-resolv --keep-in-foreground --no-hosts --bind-interfaces 
--pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 
--cache-size=0 --conf-file=/dev/null --proxy-dnssec 
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq 
--conf-dir=/etc/NetworkManager/dnsmasq.d

Is there any easy way to get it to recognise some local names?  I have
(in particular) a BeagleBone black on one LAN I use and it would be
really handy to be able to call it 'odin' rather than have to find its
IP address every time.

DHCP for the LAN is provided by a router which, sadly, doesn't seem to
know about local names.

Ideally 'odin' should only be present when it actually *is* present
(i.e. when I'm connected to the specific LAN where it exists), but
this isn't absolutely necessary.
 
-- 
Chris Green

