Re: [Dnsmasq-discuss] Fwd: dnsmasq localise-queries + addn-hosts

2020-04-13 Thread Jake Howard
Ah, yes in more complex networking environments it definitely makes more sense 
to use the destination address! I don't believe my case is affected by that, 
and definitely breaking things isn't ideal.

An option to localise based on source IP definitely sounds like the right 
approach to me, although I have no idea what the dev toll would be. I also 
suspect and hope it's an option which would be generally useful to people 
outside just my use case!

On Thu, 9 Apr 2020, at 20:20, Simon Kelley wrote:
> 
> 
> On 09/04/2020 16:47, Jake Howard wrote:
> > Hi,
> > 
> > Thanks for the clarification! Yeah definitely sounds like it's Docker's
> > iptables /magic/ causing the issues here.
> > 
> > Any thoughts on a solve? Either on my end or a code change? Is using
> > the destination address correct, or should it really be using the
> > source? Configuration would probably help this one!
> 
> Using the destination address is definitely correct: the point of this
> is to reply to the DNS query with an answer which is "nearest" to the
> source of the DNS query, by returning the address of the interface the
> query arrives on, and not the addresses of other interfaces within the
> machine. If it changes to using the source address, then a whole slew of
> cases which work now would break. Namely where the source of the query
> is on another network and the path from the source to the host running
> dnsmasq includes a router.
> 
> I don't know if the above is an issue for your use case. If not, an
> option to use source addresses might make sense. Do you absolutely need
> this to work, because of incomplete routing, or is it a minor
> optimisation? If the former, completing the routing tables might be an
> easier fix.
> 
> 
> Simon.
> 
> 
> 
> > 
> > Thanks,
> > - Jake Howard
> > 
> > On Wed, 8 Apr 2020, at 16:44, Simon Kelley wrote:
> >> On 06/04/2020 17:35, Jake Howard wrote:
> >> > Hello,
> >> > 
> >> > Here's an info dump, which hopefully gives a bit more context:
> >> > 
> >> > Hosts file:
> >> > 
> >> > 192.168.1.200 some.domain
> >> > 10.23.0.2 some.domain
> >> > 
> >> > Log entry:
> >> > 
> >> > Apr 6 17:03:58 dnsmasq[549]: query[A] some.domain from 192.168.1.92
> >> > Apr 6 17:03:58 dnsmasq[549]: /hosts.conf some.domain is 192.168.1.200
> >> > Apr 6 17:03:58 dnsmasq[549]: /hosts.conf some.domain is 10.23.0.2
> >> > 
> >> > 
> >> > Local Shell:
> >> > 
> >> > $ dig some.domain @10.23.0.2 +short
> >> > 192.168.1.200
> >> > 10.23.0.2
> >> > 
> >> > $ dig some.domain @192.168.1.200 +short
> >> > 192.168.1.200
> >> > 10.23.0.2
> >> > 
> >> > (Local machine is on both the 10. and 192.168. networks just fine)
> >> > 
> >> > Network setup inside the container (ip a):
> >> > 
> >> > 1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
> >> > group default qlen 1000
> >> > link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >> > inet 127.0.0.1/8 scope host lo
> >> > valid_lft forever preferred_lft forever
> >> > 121: eth0@if122:  mtu 1500 qdisc
> >> > noqueue state UP group default
> >> > link/ether 02:42:ac:1c:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> >> > inet 172.28.0.2/16 brd 172.28.255.255 scope global eth0
> >> > valid_lft forever preferred_lft forever
> >> > 
> >> > Can't say I'm entirely sure what "destination address of the query" is,
> >> > and how / why it differs from the source address shown in the log. If
> >> > it's using the return address it can see, it's possible it's using the
> >> > 172.28 address, and hence isn't switching correctly?
> >> > 
> >> > How is the destination address calculated, is there something I can do
> >> > to make this work as needed? Alternatively, is something in dnsmasq not
> >> > playing correctly?
> >> > 
> >> > Thanks!
> >>
> >> The destination address is the address after @ in your dig commands. The
> >> query has source address 192.168.1.92 (that's what's logged) and
> >> destination address 10.23.0.2 or 192.168.1.200, which is where the packet
> >> gets delivered to. It's that which is used to do the localisation in
> >> dnsmasq.
> >>
> >> The problem is that neither of those addresses appears on the interface,
> >> that's 172.28.0.2. So all that scary iptables stuff from docker that Dan
> >> posted above is rewriting the source address of the packets originally
> >> to either address to 172.28.0.2 and in the process, losing the
> >> information which dnsmasq could use to distinguish them.
> >>
> >> Simon.
> >>
> >>
> >>
> >> > 
> >> > On Sun, 5 Apr 2020, at 21:49, Simon Kelley wrote:
> >> >>
> >> >>
> >> >> On 05/04/2020 14:48, Jake Howard wrote:
> >> >> >>
> >> >> >> Dnsmasq uses the _destination_ address of the query. I'm not
> >> familiar
> >> >> >> with Docker. Is it using NAT?
> >> >> > 
> >> >> > Can't say I'm especially familiar with Docker's networking stack,
> >> but it
> >> >> > definitely looks and feels like something NAT-ish to me!
> >> >> > Interestingly enough, the log entry for where the query came from is
> >> >> > correctly detected, but I guess it's not u
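The localisation rule Simon describes in the exchange above, modelled as an added example (not dnsmasq's own code) so that the host and container results posted in the thread can be reproduced. It assumes /24 prefixes on the host's two interfaces, which the thread does not state, and also models the source-based alternative Jake asks about to show where it loses localisation.

```python
"""Model of dnsmasq's --localise-queries answer selection (added example, not dnsmasq code)."""
import ipaddress

# Constructed from the hosts file posted in the thread: one name, two addresses.
HOSTS = {"some.domain": ["192.168.1.200", "10.23.0.2"]}
# Assumed /24 prefixes for the host's two interfaces (the thread gives no prefix lengths).
HOST_IFACES = ["192.168.1.200/24", "10.23.0.2/24"]
# The container's only interface, taken from the posted `ip a` output.
CONTAINER_IFACE = "172.28.0.2/16"


def localise_by_destination(name, iface_cidr, hosts=HOSTS):
    """What dnsmasq does: localise on the query's *destination* address.

    iface_cidr is the address/prefix of the interface the query was delivered
    to. Rule from the dnsmasq manual: if at least one of the name's addresses is
    on that interface's subnet, answer with only those; otherwise answer with
    all of them. The query's source address plays no part.
    """
    net = ipaddress.ip_interface(iface_cidr).network
    addrs = [ipaddress.ip_address(a) for a in hosts[name]]
    local = [str(a) for a in addrs if a in net]
    return local if local else [str(a) for a in addrs]


def localise_by_source(name, source_ip, iface_cidrs, hosts=HOSTS):
    """The alternative Jake raises: localise on the query's *source* address.

    Keeps the addresses that share an interface subnet with the source. A
    directly attached client is handled, but a client behind a router is on
    none of the local subnets, so localisation is lost: Simon's objection.
    """
    src = ipaddress.ip_address(source_ip)
    nets = [ipaddress.ip_interface(c).network for c in iface_cidrs]
    addrs = [ipaddress.ip_address(a) for a in hosts[name]]
    local = [str(a) for a in addrs if any(a in n and src in n for n in nets)]
    return local if local else [str(a) for a in addrs]


if __name__ == "__main__":
    # Direct query on the host: localised to the queried interface's address.
    print(localise_by_destination("some.domain", "192.168.1.200/24"))
    # Inside the container: Docker's NAT delivered the query to 172.28.0.2,
    # which matches neither hosts address, so both come back, as in the log.
    print(localise_by_destination("some.domain", CONTAINER_IFACE))
    # Source-based: fine for an on-link client, lost for a routed one.
    print(localise_by_source("some.domain", "192.168.1.92", HOST_IFACES))
    print(localise_by_source("some.domain", "203.0.113.5", HOST_IFACES))
```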

Re: [Dnsmasq-discuss] ignore mac address for one of the dhcp

2020-04-13 Thread Geert Stappers
On Mon, Apr 13, 2020 at 10:18:31AM -0400, John Siu wrote:
> On Mon, Apr 13, 2020 at 4:54 AM Geert Stappers wrote:
> > On Sun, Apr 12, 2020 at 03:14:33PM -0400, John Siu wrote:
> > > I am running dnsmasq on a multi-port box. Following is the dhcp config
> > > for the lan and dmz ports:
> > >
> > > ---
> > >
> > > ## LAN
> > > dhcp-range=tag:lan,::1,constructor:lan,ra-names,72h # IPv6
> > > dhcp-range=tag:lan,172.16.168.130,172.16.168.250,72h # IPv4
> > > dhcp-option=tag:lan,option:router,172.16.168.1 # option 3 default gw
> > > dhcp-option=tag:lan,option:dns-server,172.16.168.1
> > >
> > > ## DMZ
> > > dhcp-range=tag:dmz,::1,constructor:dmz,ra-names,72h # IPv6
> > > dhcp-range=tag:dmz,10.10.10.100,10.10.10.120,72h # IPv4
> > > dhcp-option=tag:dmz,option:router,10.10.10.1 # option 3 default gw
> > > dhcp-option=tag:dmz,option:dns-server,10.10.10.1
> > >
> > > ---
> > >
> > > They work correctly for networks connected to those ports.
> >
> > I wonder how.
> >
> > I mean: The provided information looks incomplete to me.
> > Might be due an attempt to make the config more generic.
> >
> >
> >
> Following is the complete 92-dhcp.conf file I am using. It is not generic.
> I have interface names "lan" and "dmz" set up in the network config.

Ah

> ---
> log-dhcp
> quiet-dhcp
> quiet-dhcp6
> quiet-ra
> 
> enable-ra
> 
> ## LAN
> dhcp-range=tag:lan,::1,constructor:lan,ra-names,72h # IPv6
> dhcp-range=tag:lan,172.16.168.130,172.16.168.250,72h # IPv4
> dhcp-option=tag:lan,option:router,172.16.168.1 # option 3 default gw
> dhcp-option=tag:lan,option:dns-server,172.16.168.1 # option 6 dns
> #dhcp-option=tag:lan,option:ntp-server,172.16.168.1
> 
> ## DMZ
> dhcp-range=tag:dmz,::1,constructor:dmz,ra-names,72h # IPv6
> dhcp-range=tag:dmz,10.10.10.100,10.10.10.120,72h # IPv4
> dhcp-option=tag:dmz,option:router,10.10.10.1 # option 3 default gw
> dhcp-option=tag:dmz,option:dns-server,10.10.10.1 # option 6 dns
> #dhcp-option=tag:dmz,option:ntp-server,10.10.10.1
> 
> ## Lease
> dhcp-hostsfile=/etc/dnsmasq.d/extra/dhcp.hosts
> dhcp-leasefile=/etc/dnsmasq.d/extra/dhcp.lease
> ---
> 
> > > However, I am having an issue with the switch which connects to both the
> > > dmz and lan ports with different VLANs. As those VLAN ports share the same
> > > MAC address, sometimes the switch will pick up an IP from the lan side,
> > > and sometimes from the dmz side.
> > >
> > > How can I make dnsmasq only serve an IP on the lan side for this specific
> > > MAC address?
> >
> > Tell more about what you have.
> >
> The switch is a Netgear GS908E. It has 8 ports. I set up 2 VLANs, one for
> dmz, one for lan. So there is one cable from my server's dmz port to the dmz
> VLAN, same for lan.

Thanks.  I'm not used to interface names like 'lan' or 'dmz'.
I'm used to interface names like 'eth0' and 'enp181s0f2'


> The switch is configured to use DHCP for its IP.

OK, acknowledged.  (As in "I respect your design decision".)


> However, it requests DHCP on all ports. As a result, sometimes it picks up a
> 172.x.x.x address, and sometimes a 10.x.x.x address.

(and that is the challenge we are facing)


I have been reading the dnsmasq manual page  (again ;-) but I could not
find a clear solution for coping with duplicate MAC addresses.

The `--dhcp-ignore=tag:...` option is no use in this case.


Idea  (wild idea?)

  dhcp-host=01:00:18:4D:C0:3F:0E,172.16.168.251,12h



In other words: Make a "static reservation" for the switch in the LAN




Regards
Geert Stappers
-- 
Silence is hard to parse

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] ignore mac address for one of the dhcp

2020-04-13 Thread John Siu
On Mon, Apr 13, 2020 at 4:54 AM Geert Stappers wrote:

> On Sun, Apr 12, 2020 at 03:14:33PM -0400, John Siu wrote:
> > I am running dnsmasq on a multi-port box. Following is the dhcp config for
> > the lan and dmz ports:
> >
> > ---
> >
> > ## LAN
> > dhcp-range=tag:lan,::1,constructor:lan,ra-names,72h # IPv6
> > dhcp-range=tag:lan,172.16.168.130,172.16.168.250,72h # IPv4
> > dhcp-option=tag:lan,option:router,172.16.168.1 # option 3 default gw
> > dhcp-option=tag:lan,option:dns-server,172.16.168.1
> >
> > ## DMZ
> > dhcp-range=tag:dmz,::1,constructor:dmz,ra-names,72h # IPv6
> > dhcp-range=tag:dmz,10.10.10.100,10.10.10.120,72h # IPv4
> > dhcp-option=tag:dmz,option:router,10.10.10.1 # option 3 default gw
> > dhcp-option=tag:dmz,option:dns-server,10.10.10.1
> >
> > ---
> >
> > They work correctly for networks connected to those ports.
>
> I wonder how.
>
> I mean: The provided information looks incomplete to me.
> Might be due an attempt to make the config more generic.
>
>
>
Following is the complete 92-dhcp.conf file I am using. It is not generic.
I have interface names "lan" and "dmz" set up in the network config.
---
log-dhcp
quiet-dhcp
quiet-dhcp6
quiet-ra

enable-ra

## LAN
dhcp-range=tag:lan,::1,constructor:lan,ra-names,72h # IPv6
dhcp-range=tag:lan,172.16.168.130,172.16.168.250,72h # IPv4
dhcp-option=tag:lan,option:router,172.16.168.1 # option 3 default gw
dhcp-option=tag:lan,option:dns-server,172.16.168.1 # option 6 dns
#dhcp-option=tag:lan,option:ntp-server,172.16.168.1

## DMZ
dhcp-range=tag:dmz,::1,constructor:dmz,ra-names,72h # IPv6
dhcp-range=tag:dmz,10.10.10.100,10.10.10.120,72h # IPv4
dhcp-option=tag:dmz,option:router,10.10.10.1 # option 3 default gw
dhcp-option=tag:dmz,option:dns-server,10.10.10.1 # option 6 dns
#dhcp-option=tag:dmz,option:ntp-server,10.10.10.1

## Lease
dhcp-hostsfile=/etc/dnsmasq.d/extra/dhcp.hosts
dhcp-leasefile=/etc/dnsmasq.d/extra/dhcp.lease
---

> > However, I am having an issue with the switch which connects to both the
> > dmz and lan ports with different VLANs. As those VLAN ports share the same
> > MAC address, sometimes the switch will pick up an IP from the lan side,
> > and sometimes from the dmz side.
> >
> > How can I make dnsmasq only serve an IP on the lan side for this specific
> > MAC address?
>
> Tell more about what you have.
>
The switch is a Netgear GS908E. It has 8 ports. I set up 2 VLANs, one for
dmz, one for lan. So there is one cable from my server's dmz port to the dmz
VLAN, same for lan. The switch is configured to use DHCP for its IP.
However, it requests DHCP on all ports. As a result, sometimes it picks up a
172.x.x.x address, and sometimes a 10.x.x.x address.




Re: [Dnsmasq-discuss] ignore mac address for one of the dhcp

2020-04-13 Thread Geert Stappers
On Sun, Apr 12, 2020 at 03:14:33PM -0400, John Siu wrote:
> I am running dnsmasq on a multi-port box. Following is the dhcp config for
> the lan and dmz ports:
> 
> ---
> 
> ## LAN
> dhcp-range=tag:lan,::1,constructor:lan,ra-names,72h # IPv6
> dhcp-range=tag:lan,172.16.168.130,172.16.168.250,72h # IPv4
> dhcp-option=tag:lan,option:router,172.16.168.1 # option 3 default gw
> dhcp-option=tag:lan,option:dns-server,172.16.168.1
> 
> ## DMZ
> dhcp-range=tag:dmz,::1,constructor:dmz,ra-names,72h # IPv6
> dhcp-range=tag:dmz,10.10.10.100,10.10.10.120,72h # IPv4
> dhcp-option=tag:dmz,option:router,10.10.10.1 # option 3 default gw
> dhcp-option=tag:dmz,option:dns-server,10.10.10.1
> 
> ---
> 
> They work correctly for networks connected to those ports.

I wonder how.

I mean: The provided information looks incomplete to me.
Might be due an attempt to make the config more generic.


> However, I am having an issue with the switch which connects to both the
> dmz and lan ports with different VLANs. As those VLAN ports share the same
> MAC address, sometimes the switch will pick up an IP from the lan side,
> and sometimes from the dmz side.
> 
> How can I make dnsmasq only serve an IP on the lan side for this specific
> MAC address?

Tell more about what you have.


Regards
Geert Stappers
-- 
Silence is hard to parse
