Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Simon Kelley
On 03/08/18 18:26, Wojtek Swiatek wrote:
> 
> On Fri, 3 Aug 2018 at 19:18, Simon Kelley wrote:
> 
> > The serial number is initialised when dnsmasq starts up to the current
> > time (seconds since 1st Jan 1970).
> >
> > If your serial starts at one each time dnsmasq starts up then something
> > is wrong. Maybe dnsmasq is started before the time is set in your
> > machine?
> 
> I run it on a "normal" server, the time is maintained via ntp (chrony
> actually).
> The problem is there when I restart dnsmasq as well:
> 
> root@srv:~# dig @127.0.0.1 swtk.info soa | grep SOA
> swtk.info.  600 IN  SOA . . 15 1200 180 1209600 600
> root@srv:~# systemctl stop dnsmasq.service && systemctl start dnsmasq.service
> root@srv:~# dig @127.0.0.1 swtk.info soa | grep SOA
> swtk.info.  600 IN  SOA . . 1 1200 180 1209600 600
> root@srv:~# systemctl stop dnsmasq.service && systemctl start dnsmasq.service
> root@srv:~# dig @127.0.0.1 swtk.info soa | grep SOA
> swtk.info.  600 IN  SOA . . 1 1200 180 1209600 600
> root@srv:~# date +'%s'
> 1533316912
> 
> I do not know how the first serial ended up being 15, but a restart sets
> it at 1.
> 
> Cheers
> Wojtek
> 

What version of dnsmasq are you running?


Cheers,

Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Wojtek Swiatek
On Fri, 3 Aug 2018 at 20:58, Simon Kelley wrote:

> What version of dnsmasq are you running?
>
2.79, this is the latest version packaged with Ubuntu bionic (the LTS
version from a few weeks ago). It seems to be the latest one if I compare
it to your download site.

root@srv ~# dnsmasq --version
Dnsmasq version 2.79  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP
conntrack ipset auth DNSSEC loop-detect inotify


Cheers
Wojtek


Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Wojtek Swiatek
On Fri, 3 Aug 2018 at 19:18, Simon Kelley wrote:

> The serial number is initialised when dnsmasq starts up to the current
> time (seconds since 1st Jan 1970).
>
> If your serial starts at one each time dnsmasq starts up then something
> is wrong. Maybe dnsmasq is started before the time is set in your machine?
>
I run it on a "normal" server, the time is maintained via ntp (chrony
actually).
The problem is there when I restart dnsmasq as well:

root@srv:~# dig @127.0.0.1 swtk.info soa | grep SOA
swtk.info.  600 IN  SOA . . 15 1200 180 1209600 600
root@srv:~# systemctl stop dnsmasq.service && systemctl start dnsmasq.service
root@srv:~# dig @127.0.0.1 swtk.info soa | grep SOA
swtk.info.  600 IN  SOA . . 1 1200 180 1209600 600
root@srv:~# systemctl stop dnsmasq.service && systemctl start dnsmasq.service
root@srv:~# dig @127.0.0.1 swtk.info soa | grep SOA
swtk.info.  600 IN  SOA . . 1 1200 180 1209600 600
root@srv:~# date +'%s'
1533316912

I do not know how the first serial ended up being 15, but a restart sets it
at 1.

Cheers
Wojtek


Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Simon Kelley
The serial number is initialised when dnsmasq starts up to the current
time (seconds since 1st Jan 1970). This should ensure that it always
increases when dnsmasq is restarted. The serial number is also increased
by one when /etc/hosts is re-read by sending SIGHUP and when the DHCP
lease database changes. This should ensure it increases whenever the
zone changes without dnsmasq restarting.

If your serial starts at one each time dnsmasq starts up then something
is wrong. Maybe dnsmasq is started before the time is set in your machine?


If you're running on something like a router that doesn't have a battery
backed RTC, dnsmasq may be compiled with HAVE_BROKEN_RTC. In that case
you have to initialise the serial using the --auth-soa option. (dnsmasq
will not start up if you don't). If that's always setting the serial to
one, then that would explain the problem.


Cheers,

Simon.


On 03/08/18 17:26, Wojtek Swiatek wrote:
> 
> On Fri, 3 Aug 2018 at 17:40, wkitty42 wrote:
> 
> > > systemctl restart dnsmasq
> > 
> > this is not a SIGHUP... the following is one correct way... it is
> > chosen for ease and not needing to find the process' PID...
> > 
> >    pkill -SIGHUP dnsmasq
> > 
> > here is another way... slightly more complicated because it does
> > look up the PID...
> > 
> >    kill -SIGHUP $(pidof dnsmasq)
> > 
> > you may need to use sudo if you're doing these manually from the
> > command line...
> > you can use the signal name or number... the following will show you
> > the list of signals, their numbers and a brief description...
> > 
> >    man 7 signal
> 
> I know that this is not a signal but a restart of the service (I use
> signals on a regular basis in my code as well).
> My understanding is that this is a way to reload the configuration (as
> mentioned by Simon) without stopping the service.
> 
> Do you mean that the right / only way to increase the serial is by
> sending the signal?
> 
> I do not think so as it would make hosts management very awkward (one
> would need not to forget to send the signal) and
> another thread in the past mentioned that the serial is calculated in a
> smart way to always reflect changes.
> 
> Cheers
> Wojtek
> 




Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Wojtek Swiatek
On Fri, 3 Aug 2018 at 17:40, wkitty42 wrote:

> > systemctl restart dnsmasq
>
> this is not a SIGHUP... the following is one correct way... it is chosen
> for ease and not needing to find the process' PID...
>
>    pkill -SIGHUP dnsmasq
>
> here is another way... slightly more complicated because it does look up
> the PID...
>
>    kill -SIGHUP $(pidof dnsmasq)
>
> you may need to use sudo if you're doing these manually from the command
> line...
> you can use the signal name or number... the following will show you the
> list of signals, their numbers and a brief description...
>
>    man 7 signal
>
I know that this is not a signal but a restart of the service (I use
signals on a regular basis in my code as well).
My understanding is that this is a way to reload the configuration (as
mentioned by Simon) without stopping the service.

Do you mean that the right / only way to increase the serial is by sending
the signal?

I do not think so as it would make hosts management very awkward (one would
need not to forget to send the signal) and
another thread in the past mentioned that the serial is calculated in a
smart way to always reflect changes.

Cheers
Wojtek


Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread wkitty42

On 08/03/2018 10:29 AM, Wojtek Swiatek wrote:
> On Fri, 3 Aug 2018 at 16:24, Simon Kelley wrote:
> 
> > After you've made changes to /etc/hosts, you need to send SIGHUP to the
> > dnsmasq process to get it to re-read the file. That should also
> > increment the serial. Changes to DHCP allocated addresses should also
> > increment the serial.
> 
> Thank you. I restart the dnsmasq via
> 
> systemctl restart dnsmasq
> 

this is not a SIGHUP... the following is one correct way... it is chosen for 
ease and not needing to find the process' PID...


  pkill -SIGHUP dnsmasq


here is another way... slightly more complicated because it does look up the 
PID...

  kill -SIGHUP $(pidof dnsmasq)


you may need to use sudo if you're doing these manually from the command line... 
you can use the signal name or number... the following will show you the list of 
signals, their numbers and a brief description...


  man 7 signal


HTH


--
 NOTE: No off-list assistance is given without prior approval.
   *Please keep mailing list traffic on the list unless*
   *a signed and pre-paid contract is in effect with us.*



Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Simon Kelley
On 03/08/18 13:16, Wojtek Swiatek wrote:
> 
> On Fri, 3 Aug 2018 at 14:06, Simon Kelley wrote:
> 
> > What's the result of doing
> > 
> > dig @192.168.0.10 SOA swtk.info
> > 
> > It looks like that could be what's failing, rather than the actual zone
> > transfer.
> 
> Hello Simon
> 
> After one night spent on the subject I finally managed this morning to
> have it working (and finally read the man page from beginning to end :))
> 
> I think that what worked was to add to the config file
> 
> auth-zone=swtk.info
> auth-sec-servers=rpi-dmz
> 
> and define rpi-dmz in /etc/hosts
> 
> Before I had only
> 
> auth-sec-servers=192.168.0.13
> 
> which was probably not enough on its own (the docs suggested that
> parameter for zone transfers).
> 
> The transfer works but unfortunately the serial is not updated when I
> make changes (by adding hosts to /etc/hosts for instance, and maybe when
> the IPs provided by dnsmasq change (I do not know yet)). It stays at 1.
> I have to manually delete the zone on the slave to have it
> re-transferred upon changes.
> 
> Not being sure of the right etiquette for this list: should I send a new
> email with that question?
> 
> Thank you for your help!
> Wojtek
> 


I'm happy to answer the second question here.

After you've made changes to /etc/hosts, you need to send SIGHUP to the
dnsmasq process to get it to re-read the file. That should also
increment the serial. Changes to DHCP allocated addresses should also
increment the serial.



Cheers,


Simon.




Re: [Dnsmasq-discuss] Servfail/bogus with DNSSEC and local unbound TLD

2018-08-03 Thread Simon Kelley
Actually, my previous reply was wrong, you'll need to use the config

server=/local.tld/

to make this work.


Cheers,

Simon.

On 03/08/18 14:51, Simon Kelley wrote:
> As far as I can tell, the Pihole instructions for configuring Unbound
> specify that the local TLD should be configured as not DNSSEC signed.
> 
> As far as dnsmasq is concerned, therefore, any answers in the local TLD
> cannot be proven as valid, since they're unsigned, and it cannot be
> proven that the local TLD is unsigned, since there's no trust path from
> the root that proves that.
> 
> The BOGUS reply from dnsmasq is therefore quite correct.
> 
> The fix for this is to tell dnsmasq that the local TLD is NOT DNSSEC signed.
> 
> something like
> 
> server=/local.tld/#
> 
> in the pihole dnsmasq config should do the trick.
> 
> 
> (Note that when researching this answer, I found a couple of corner-case
> bugs to do with this code, one of which is that the logging for that
> server line doesn't include the information that DNSSEC is disabled for
> that TLD. This shouldn't stop it working.)
> 
> Cheers,
> 
> Simon.
> 
> 
> 
> On 03/08/18 13:14, Walter | Exclusive-IT wrote:
>>
>> Good day Sir,
>>
>> Mark, from Pi-hole, advised me to ask you about a possible DNSMasq
>> bug/issue through this channel.
>>
>> I would very much appreciate your thoughts on this issue:
>> https://github.com/pi-hole/FTL/issues/336
>>
>> Thank you in advance for your time,
>>
>> -- 
>> Kind regards,
>> Walter van 't Hoff
>>
>> Exclusive-IT
>> t: +31 (0)6 2264 8629
>> e: wal...@exclusive-it.nl
>> w: Exclusive-IT.nl
>>



Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Wojtek Swiatek
On Fri, 3 Aug 2018 at 16:24, Simon Kelley wrote:

> After you've made changes to /etc/hosts, you need to send SIGHUP to the
> dnsmasq process to get it to re-read the file. That should also
> increment the serial. Changes to DHCP allocated addresses should also
> increment the serial.
>

Thank you. I restart the dnsmasq via

systemctl restart dnsmasq

which reads the configuration and /etc/hosts (I see in the logs that it has
taken into account the new entries in /etc/hosts and I can resolve them).

The serial is still 1, though:

root@srv ~# dig @127.0.0.1 swtk.info soa | grep SOA
swtk.info.  600 IN  SOA . . 1 1200 180 1209600 600

Cheers
Wojtek


Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Wojtek Swiatek
On Fri, 3 Aug 2018 at 14:06, Simon Kelley wrote:

> What's the result of doing
>
> dig @192.168.0.10 SOA swtk.info
>
> It looks like that could be what's failing, rather than the actual zone
> transfer.
>
Hello Simon

After one night spent on the subject I finally managed this morning to have
it working (and finally read the man page from beginning to end :))

I think that what worked was to add to the config file

auth-zone=swtk.info
auth-sec-servers=rpi-dmz

and define rpi-dmz in /etc/hosts

Before I had only

auth-sec-servers=192.168.0.13

which was probably not enough on its own (the docs suggested that parameter
for zone transfers).

The transfer works but unfortunately the serial is not updated when I make
changes (by adding hosts to /etc/hosts for instance, and maybe when the IPs
provided by dnsmasq change (I do not know yet)). It stays at 1.
I have to manually delete the zone on the slave to have it re-transferred
upon changes.

Not being sure of the right etiquette for this list: should I send a new
email with that question?

Thank you for your help!
Wojtek


Re: [Dnsmasq-discuss] FAQ? dhcp-script does not receive any action for Windows 10 dhcp client

2018-08-03 Thread Simon Kelley
Nicolas's suggestion is a good one. The dhcp-script gets called when the
DHCP lease database changes. If the DHCP interaction doesn't update the
database, it won't get called. A DHCPINFORM query is the most obvious
way in which that could happen.


Cheers,

Simon.



On 02/08/18 09:30, Nicolas Cavallari wrote:
> On 02/08/2018 08:40, Learn wrote:
>> Hi
>>
>> Not very sure if this is a bug, but I saw dnsmasq.log:
>>
>> Aug  2 14:13:28 dnsmasq-dhcp[5748]: 4278662147 available DHCP range:
>> 172.24.1.10 -- 172.24.1.249
>> Aug  2 14:13:28 dnsmasq-dhcp[5748]: 4278662147 vendor class: MSFT 5.0
>> Aug  2 14:13:28 dnsmasq-dhcp[5748]: 4278662147 client provides name: xxx
>>
>> But my dhcp-script file does not capture anything.
>>
>> Here is my simple dhcp-script:
>>
>>> #!/bin/sh
>>> # dnsmasq calls this with: action (add|old|del), MAC (DUID for IPv6), IP, hostname if known
>>>   op="${1:-op}"
>>>   mac="${2:-mac}"
>>>   ip="${3:-ip}"
>>>   hostname="${4}"
>>>   tstamp="$(date '+%Y-%m-%d %H:%M:%S')"
>>>   payload="${tstamp} ${op} ${ip} (${mac} - ${hostname})"
>>>   ddd="$(date +%Y_ww%W)"
>>>   echo "$payload" >> "/var/log/dhcp-${ddd}.log"
>>
>> I am sure that I could capture actions from an iPhone iOS. And my
>> Windows 10 client does lease a dhcp address.
> 
> maybe it is a DHCPINFORM ? Windows sure does funky stuff with DHCP.
> 
> 




Re: [Dnsmasq-discuss] Zone transfer fails without any error

2018-08-03 Thread Simon Kelley
On 02/08/18 22:15, Wojtek Swiatek wrote:
> Hello everyone
> 
> I wanted to set up another DNS server (unfortunately bind as, again
> unfortunately, dnsmasq does not support being a secondary server).
> 
> The zone transfer is initiated from the secondary but I see (on that
> secondary):
> 
> 02-Aug-2018 23:05:33.160 zone swtk.info/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.0.10#53 (source 0.0.0.0#0)
> 02-Aug-2018 23:06:52.662 zone swtk.info/IN: refresh: retry limit for master 192.168.0.10#53 exceeded (source 0.0.0.0#0)
> 02-Aug-2018 23:06:52.663 zone swtk.info/IN: Transfer started.
> 02-Aug-2018 23:06:52.664 transfer of 'swtk.info/IN' from 192.168.0.10#53: connected using 192.168.0.13#40223
> 02-Aug-2018 23:06:52.665 transfer of 'swtk.info/IN' from 192.168.0.10#53: failed while receiving responses: SERVFAIL
> 02-Aug-2018 23:06:52.666 transfer of 'swtk.info/IN' from 192.168.0.10#53: Transfer status: SERVFAIL
> 02-Aug-2018 23:06:52.666 transfer of 'swtk.info/IN' from 192.168.0.10#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
> 02-Aug-2018 23:08:07.161 zone swtk.info/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.0.10#53 (source 0.0.0.0#0)
> 
> 
> On dnsmasq's host, when running dnsmasq with "-d -q --log-queries=extra",
> I just see
> 
> dnsmasq: 32 192.168.0.13/34310 query[SOA] swtk.info from 192.168.0.13
> dnsmasq: 33 192.168.0.13/54967 query[SOA] swtk.info from 192.168.0.13
> dnsmasq: 34 10.100.10.30/60009 query[A] www.google.com from 10.100.10.30
> dnsmasq: 34 10.100.10.30/60009 cached www.google.com is 216.58.206.228
> 
> Is there a better indication where the problem may be located? All
> traffic between the bind and dnsmasq host is open (both ways) and a dig
> @192.168.0.10  is successful (this is the IP of the
> dnsmasq host, the same which is used in the bind transfer configuration
> file)
> 

What's the result of doing

dig @192.168.0.10 SOA swtk.info


It looks like that could be what's failing, rather than the actual zone
transfer.

Simon.

