Re: [Dnsmasq-discuss] Network booting with stateful IPv6 addressing
On 01/03/17 15:27, Derek Higgins wrote:
> On 28 February 2017 at 18:24, Simon Kelley wrote:
>> On 28/02/17 17:10, Derek Higgins wrote:
>>> On 28 February 2017 at 16:43, Simon Kelley wrote:
>>>> Could you post (or send to me) your complete dnsmasq configuration.
>>>
>>> Here you go http://paste.openstack.org/show/600808/
>>>
>>>> I'd expect, if the IP address associated with the MAC address is in
>>>> use, for dnsmasq to log that and use a dynamically allocated address
>>>> instead.
>>>
>>> Looking at it now, the addition of the static keyword in dhcp-range
>>> would be preventing this happening
>>
>> Indeed. That explains that effect.
>>
>>>> Why not nail the IP address using the client-id of the final OS
>>>> booted, rather than using MAC addresses?
>>>
>>> I've been trying to get this to work within the constraints of how
>>> openstack neutron starts dnsmasq, when neutron starts a new instance
>>> it doesn't know (if I understand things correctly) what the client-id
>>> will be, so MAC would be the only way it can associate a particular
>>> VM to an IP address.
>>
>> Sigh. This has always been a problem, and it's got worse, not better,
>> in the move to IPv6.
>>
>> For DHCPv4, where MAC addresses are pretty much compulsory, there's a
>> hack where a client is allowed to either present or not a client-id,
>> as long as the MAC address is identical. (It's not allowed to present
>> two different client-ids, however.)
>>
>> For DHCPv6, it's difficult to rely on the MAC address, since it's only
>> made available at all by using nasty ARP-snooping hacks. Plus the MAC
>> address to client-id function is less well defined. Then we have the
>> problem that provisioning systems know about MAC addresses, but not
>> client-ids.
>>
>> The only possible solution I can come up with is to add filtering of
>> dhcp-host lines by tag. You could thereby arrange that the dhcp-host
>> line only applied to the final OS boot, and the earlier steps could be
>> left to get dynamically allocated addresses. That would require a way
>> to set a tag on the final (OS) dhcp request, but that's almost
>> certainly possible; you're halfway there with the ipxe6 tag.
>
> I'll take a look into getting this to work in the env I'm using.
>
> I'd imagine this is a common enough case, is there an argument here to
> add a dnsmasq flag to allow the IDs to change? If so I'd be happy to
> work on a patch.

Allowing the IDs to change is a bad idea, since in DHCPv6 they are the
only thing that identifies a client. If you lease an address to a
CLID/IAID combo, then you can't lease it to another CLID/IAID until that
lease has expired. The same applies to DHCPv4, but in some cases, because
MAC addresses are much more strongly associated with clients in DHCPv4
land, you can get away with it, as I explained.

The solution I'm proposing is to allow dhcp-host to be conditional on a
tag that can be set only when the final OS boots, so that the
intermediate boot stages can get dynamically allocated addresses and the
leases for those just expire. The trick is to find a way of
distinguishing the PXE/bootloader DHCP requests from the OS ones, using
dhcp-match and/or tag-if to do the inspection and logic. As you have the
test harness there, that would be a useful thing to look at. The patch to
dnsmasq to allow dhcp-host to be conditional on a tag is trivial.

Cheers,

Simon.

>> Cheers,
>>
>> Simon.
>>
>>> Cheers, Simon.
>>>
>>>> On 28/02/17 10:07, Derek Higgins wrote:
>>>>> On 27 February 2017 at 21:51, Simon Kelley wrote:
>>>>>> I'm slightly confused as to the problem here. The identity of a
>>>>>> lease is defined by the Client-ID and IAID, if those change then
>>>>>> dnsmasq will allocate a new address. That means that your boot
>>>>>> process will go through three different addresses, but should end
>>>>>> up with a usable and stable address. It's not as if there is a
>>>>>> shortage of IPv6 addresses, you can afford a couple of disposable
>>>>>> addresses that only get used during the boot.
>>>>>>
>>>>>> What have I missed?
>>>>>
>>>>> IPs are being allocated to the MAC addresses in question via a
>>>>> hostfile (see below), so I guess dnsmasq is attempting to allocate
>>>>> the same IP address multiple times, as it's the same MAC but can't
>>>>> because of the changing IDs.
>>>>>
>>>>> This is dnsmasq as configured by openstack neutron
>>>>>
>>>>> bash-4.2$ cat /var/lib/neutron/dhcp/5cf3b57b-72a3-4044-9528-1f5019e21826/host
>>>>> fa:16:3e:59:ef:60,host-fc00-101--2,[fc00:101::2]
>>>>> fa:16:3e:d8:9e:dd,host-fc00-101--3,[fc00:101::3]
>>>>> fa:16:3e:d2:03:61,host-fc00-101--8,[fc00:101::8],set:ccbc492d-7b5d-4f9a-891c-92d66828f6dd
>>>>> fa:16:3e:69:89:d5,host-fc00-101--b,[fc00:101::b],set:ea1e2384-7ed7-4956-
Re: [Dnsmasq-discuss] [PATCH 2/2] rev-server: reject CIDR prefixes that are not /8 /16 /24 or /32 for IPv4
Both patches applied.

Cheers,

Simon.

On 05/03/17 10:13, Olivier Gayot wrote:
> The rev-server directive only handles the following CIDR prefixes
> properly: /8, /16, /24, /32.
>
> Any other value was silently converted to /16 which could result in
> unexpected behaviour.
>
> This patch rejects any other value instead of making a silent
> conversion.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] blocking txt-record
OK, so for a network with no mail servers (residential/SMB relying on WebMail) it may not be an issue.

Is blocking TXT queries possible?

I found this:

"Once the initial DNS response is received by the malware, it then iterates to the next subdomain which is 'mail'. The malware uses this domain in another DNS TXT record query to attempt to retrieve the Stage 4 payload associated with this infection process. The response to this DNS request results in the transmission of the fourth stage malware, stored within the TXT record as displayed in Figures 10 and 11. Due to the size of the Stage 4 payload, DNS makes use of TCP for this transaction."

here: http://blog.talosintelligence.com/2017/03/dnsmessenger.html

I have previously blocked TCP port 53 at my firewall (Untangle NGFW), and have not observed an ill effect.

OpenDNS (Cisco Umbrella) also has the target domains blocked at this time. My dnsmasq instance is pointed there for filtering my home Internet.

This threat appears to be extinguished pretty well, anyway.

regards,
Jim A.

On Mon, Mar 6, 2017 at 3:47 PM, Kurt H Maier wrote:
> On Mon, Mar 06, 2017 at 03:21:53PM -0500, Jim Alles wrote:
>>
>> Can / should dnsmasq be used to block DNS TXT record retrieval?
>
> Blocking TXT queries wholesale will stop many SPF records from getting
> through, which can interfere with email delivery.
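To make the trade-off Kurt raises concrete, here is an added example (not from the thread or from dnsmasq) that, instead of blocking TXT wholesale, flags a client that queries TXT records for many distinct names under one parent domain, the iterate-over-subdomains pattern in the quoted write-up, while single SPF/DMARC lookups pass unflagged. The dnsmasq log-queries line shape it parses and the sample log are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumed shape of a dnsmasq log-queries line (an assumption of this
# example; compare with your own syslog output before relying on it):
#   "<timestamp> dnsmasq[<pid>]: query[<type>] <name> from <client>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Constructed sample log: 192.168.1.20 walks TXT records under one parent
# domain, the pattern the quoted write-up describes; 192.168.1.7 does the
# ordinary SPF/DMARC-style TXT lookups that a blanket block would break.
SAMPLE_LOG = """\
Mar  6 15:21:53 dnsmasq[1234]: query[A] www.example.net from 192.168.1.20
Mar  6 15:21:54 dnsmasq[1234]: query[TXT] example.org from 192.168.1.7
Mar  6 15:21:55 dnsmasq[1234]: query[TXT] www.c2-sample.test from 192.168.1.20
Mar  6 15:21:56 dnsmasq[1234]: query[TXT] mail.c2-sample.test from 192.168.1.20
Mar  6 15:21:57 dnsmasq[1234]: query[TXT] _dmarc.example.org from 192.168.1.7
Mar  6 15:21:58 dnsmasq[1234]: query[TXT] ns.c2-sample.test from 192.168.1.20
Mar  6 15:21:59 dnsmasq[1234]: query[TXT] cdn.c2-sample.test from 192.168.1.20
"""


def parse_queries(log_text):
    """Yield (qtype, name, client) for every line matching QUERY_RE."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m.group("name").lower().rstrip(".")
            yield m.group("qtype"), name, m.group("client")


def parent_domain(name, labels=2):
    """Rough registrable parent: the last `labels` labels of a name."""
    return ".".join(name.split(".")[-labels:])


def txt_fanout(log_text, min_names=3):
    """Clients that queried TXT for at least min_names distinct names
    under one parent domain, as {(client, parent): sorted names}.
    Single SPF/DMARC lookups stay below the threshold and are not flagged."""
    seen = defaultdict(set)
    for qtype, name, client in parse_queries(log_text):
        if qtype == "TXT":
            seen[(client, parent_domain(name))].add(name)
    return {key: sorted(names) for key, names in seen.items()
            if len(names) >= min_names}
```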
[Dnsmasq-discuss] blocking txt-record
I am looking into murky waters, and have no knowledge of what is under the surface. So this may need to be categorized under 'ID10T'.

Can / should dnsmasq be used to block DNS TXT record retrieval?

reference: "DNSMessenger" @ threatpost.com

regards,
Jim A.
[Dnsmasq-discuss] RFE: --domain=#,x.x.x.x/y,local
Today "#" (get domain from resolv.conf) is not accepted when we use the --domain=domain,network,local syntax.

Thanks.
Re: [Dnsmasq-discuss] What's the easiest way to add some names to default dnsmasq in debian/ubuntu?
Hi Chris,

I think you create some file, for example /etc/NetworkManager/dnsmasq.d/hosts.conf, containing addn-hosts=/etc/hosts.dnsmasq. Then you would have to create hosts.dnsmasq in hosts(5) format. Place odin there:

1.2.3.4 odin

You could use some hook to NetworkManager to create a special file only for the selected network. But I never did something like that, I cannot help you with that.

But I think you should try to ask the LAN administrator to configure DNS and DHCP so that you do not have to invent something yourself. Maybe there is a name already that you do not know about.

Cheers,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: 65C6C973

- Original Message -
From: "Chris Green"
To: dnsmasq-discuss@lists.thekelleys.org.uk
Sent: Friday, March 3, 2017 4:49:59 PM
Subject: [Dnsmasq-discuss] What's the easiest way to add some names to default dnsmasq in debian/ubuntu?

In Ubuntu systems (and maybe debian, not sure about this) dnsmasq is run by NetworkManager to provide local DNS, the process shows up as:-

nobody 1470 1022 0 15:01 ? 00:00:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --cache-size=0 --conf-file=/dev/null --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

Is there any easy way to get it to recognise some local names? I have (in particular) a BeagleBone Black on one LAN I use and it would be really handy to be able to call it 'odin' rather than have to find its IP address every time. DHCP for the LAN is provided by a router which, sadly, doesn't seem to know about local names.

Ideally 'odin' should only be present when it actually *is* present (i.e. when I'm connected to the specific LAN where it exists), but this isn't absolutely necessary.

--
Chris Green