Re: [Dnsmasq-discuss] Sort of sync DNS servers in a VPN connected network

2018-05-11 Thread /dev/rob0
Did you mean to send this three times?

On Fri, May 11, 2018 at 05:07:01PM -0700, m...@farmwald.com wrote:
> I have a home network (call it 10.2.0.0/16) and multiple VPN 
> connected networks (10.x.0.0/16).
> I would like each of the 10.x networks to have a separate dnsmasq, 
> with their own DHCP and DNS server.
> However I'd like the 10.2 DNS server to hold DNS information for 
> all of the networks. Thus I could first check the local (10.x) and 
> then the home (10.2) DNS, ensuring I get information for all 
> devices, no matter where the host is.
> I can't see an easy way to do this, but maybe I'm missing something.

Sounds like this:

http://rob0.nodns4.us/dnsmasq.html

Sorry, I just noticed that I never managed to link that from the main 
page, so it probably does not rank well in search engines.

Note that you don't need to reinvent the DNS notify concept.  In fact 
you can keep it simple as in my howto, with static entries for the 
various remote sites.  If one of the sites is unreachable via the 
VPN, no problem if those names fail to resolve.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Dnsmaq giving default gateway address as dns server on DHCP offer

2017-08-05 Thread /dev/rob0
On Fri, Aug 04, 2017 at 09:53:52PM -0700, Anoop Ravi wrote:
> I am using dnsmasq as dns and dhcp server on my device. Somehow 
> dnsmasq is not giving correct dns server address to my clients. 
> Instead it is giving default gateway ip. I have correct dns servers 
> listed in resolv.conf and my dnsmasq.conf is pointing to correct 
> resolv file using "resolv-file" parameter. I am running dnsmasq as 
> below.
> 
> dnsmasq -u nobody -q --dhcp-authoritative -C /var/dnsmasq.conf
> 
> From the logs,I could see that it is reading resolv.conf
> 
> reading /etc/resolv.conf
> using nameserver xx.xx.xx.xx#53
> using nameserver xx.xx.xx.xx#53
> using nameserver xx.xx.xx.xx#53
> 
> While client connects, I can see that dnsmasq offering default 
> gateway address as dns-server ip.
> 
> sent size:   4 option:  6 dns-server  x.x.x.x
> 
> Is there anything wrong in my parameters? why is not giving
> correct dns servers?

Nothing in your post indicates why you think that's incorrect; 
dnsmasq IS a DNS server.  Typically that's what you want, for all 
local DHCP clients to use dnsmasq as DNS server.  The point being: to 
have local name resolution and to have one central cache for external 
names.

Yes, there is an option you can use in dnsmasq.conf to change the
nameserver[s] given to DHCP clients, but why do you want that?  See 
the dnsmasq(8) manual for details.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] No more random source port

2017-03-21 Thread /dev/rob0
On Mon, Mar 20, 2017 at 09:22:55PM +0200, Risto Suominen wrote:
> 2017-03-20 21:05 UTC+02.00, Albert ARIBAUD <albert.arib...@free.fr>:
> >
> > You said the command line did not change. Which is it exactly? I 
> > usually do a "cat /proc//cmdline | tr '\0' '\n' 
> > to make sure I see the real command line of the running dnsmasq.
> >
> /usr/sbin/dnsmasq
> --no-resolv
> --keep-in-foreground
> --no-hosts
> --bind-interfaces
> --pid-file=/var/run/NetworkManager/dnsmasq.pid
> --listen-address=127.0.1.1
> --cache-size=0
> --conf-file=/dev/null
> --proxy-dnssec
> --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> --conf-dir=/etc/NetworkManager/dnsmasq.d

Did you ever show us the contents of this --conf-dir?  It could have 
a file with "query-port".
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server

2017-02-27 Thread /dev/rob0
On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
> On 27/02/17 13:31, Chris Novakovic wrote:
> > On 27/02/17 10:04, Daniel Pocock wrote:
> >>
> >> I've observed the following problem:
> >>
> >> - dnsmasq is sending queries to 5 servers, one of them is not 
> >> recursive and only answers for a private domain
> >>
> >> - if the first response dnsmasq receives comes from the 
> >> non-recursive server (REFUSED), then dnsmasq is sending a 
> >> REFUSED response to the client
> >>
> >> - dnsmasq subsequently receives a response from one of the 
> >> recursive servers
> > 
> > This is expected behaviour. One possibility is to configure 
> > dnsmasq to forward requests to the non-recursive server only
> > for the private domain, e.g.:
> > 
> > --server=/private.domain/non.recursive.server.ip
> > 
> > and a matching --rev-server directive if appropriate.
> 
> The router is running OpenWRT, I could make that change manually 
> but then I wouldn't be able to fully manage it with the GUI any 
> more.
> 
> Can you confirm if this is the only way it can work according to 
> the DNS spec, or is it a dnsmasq design decision?

--server without the domain specified MUST be a recursive server, 
willing to resolve your queries for any names.

--server/domain.example/ip.add.re.ss will only send queries for 
domain.example (and *.domain.example) to ip.add.re.ss.

> Could a software approach be taken by default, waiting to see
> if any resolver provides a positive response before sending
> back REFUSED to the client?

I don't see a valid use case for this.  You have a configuration 
error, by listing a non-recursive server among your upstream 
recursive servers.

Perhaps the OpenWRT people didn't know enough about dnsmasq to 
support this situation, or perhaps they didn't care.  But dnsmasq 
documentation of --server is clear enough about it.

Another problem you will have is when one of the actual upstream 
recursive servers replies for "domain.example" with incorrect data.

(Side note: simple is good; listing more recursive servers will 
generally not improve performance.  If some of the servers you're 
listing are not reliable enough, try one of the Google Public DNS 
addresses, or run your own recursive resolver.)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Overlapping/duplicate subnets

2017-02-22 Thread /dev/rob0
On Wed, Feb 22, 2017 at 02:55:30PM +0100, S. M. Hossein Hamidi wrote:
> I am new to dnsmasq and my mind is busy with a DHCP scenario that I 
> would like to consult with you before getting my hands dirty.
> 
> Suppose that we have several subnets which are behind a NAT device 
> which additionally acts as a DHCP relay agent. I know that using 
> DHCP relay agent information option, I can distinguish between 
> different subnets. However, the additional constraint is to use 
> duplicate or overlapping subnets instead of distinct subnets.

That is a very strange constraint.  RFC 1918 is quite large enough; 
it's not necessary to share your netblocks.  And how will your NAT 
device distinguish one segment with a shared netblock from another 
segment using the same netblock?

Sounds like broken IP networking to me.  Compliant IP stacks do 
routing based on IP address blocks.

> Since the traffic that comes from each segment goes through NAT, it 
> wouldn't be any problem to use duplicate IP addresses, knowing
> that each segment has its own autonomy.

But again, how does the NAT device do this?

> So, may I know if I can exploit the tagging feature of dnsmasq so
> that it can handle separate potentially overlapping leases for
> each subnet?

I'm pretty sure this would not be possible in dnsmasq nor in ISC 
dhcpd.  Either one could do a single netblock shared among many 
distinct segments, but each would only be able to give out any one 
address to only one client.

But wait and see what Simon says. :)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] [PATCH] Accept /32 and /0 as valid CIDR prefixes for rev-server directive

2017-02-14 Thread /dev/rob0
On Tue, Feb 14, 2017 at 12:31:21AM +0100, olivier.ga...@sigexec.com wrote:
> [ excerpt from the man page ]
> The rev-server directive provides a syntactic sugar to make 
> specifying address-to-name queries easier. For example
> --rev-server=1.2.3.0/24,192.168.0.1 is exactly equivalent to
> --server=/3.2.1.in-addr.arpa/192.168.0.1
> 
> It is not mentioned in the man page but specifying anything but /8 
> or /24 as the CIDR prefix has the same effect as specifying /16.
> 
> It is not a big deal for subnets on non-octet boundaries since they 
> cannot be represented using a single in-addr.arpa address. However, 
> it is inconvenient for /32 and /0 prefixes while their analogous 
> server directives behave as expected. E.g. the following server 
> directives work as expected:
> 
> server=/42.10.168.192.in-addr.arpa/1.2.3.4
> server=/in-addr.arpa/1.2.3.4
> 
> but the following do not:
> 
> rev-server=192.168.10.42/32,1.2.3.4
> rev-server=192.168.10.42/0,1.2.3.4

The second is a bad example, and to my mind it should not work,
because x.x.x.x/0 is not a valid CIDR expression unless each x=0.
Did you try "rev-server=0.0.0.0/0,1.2.3.4"?  From the patch I am
supposing you did and got 0.0.in-addr.arpa as the zone?

> and, in practice, they behave the same as:
> 
> server=/168.192.in-addr.arpa/1.2.3.4
> server=/168.192.in-addr.arpa/1.2.3.4
> 
> This strange behaviour is fixed by accepting /32 and /0 CIDR 
> prefixes as valid values. Any other value will still be
> considered the same as /16.

A /0 zone is very strange and likely to break most reverse address
resolution, but a /32 zone is not unusual at all; I run 8 /32
in-addr.arpa zones for my /29 netblock.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
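As an added illustration (written for this page, not code from dnsmasq or from anyone in these threads) of the two rules discussed here and in the REFUSED thread above: rev-server is rewritten into its equivalent server=/zone/ form, and a query is then routed to the longest-matching server=/domain/ entry, falling back to the domain-less (recursive) servers. The config lines and upstream addresses are constructed; unlike the dnsmasq behaviour described in the patch mail, this version rejects prefix lengths other than /0, /8, /16, /24 and /32 instead of treating them as /16, and rejects a CIDR with host bits set (so 192.168.10.42/0 fails but 0.0.0.0/0 works).

```python
import ipaddress

# Prefix lengths that map onto a single in-addr.arpa name.
OCTET_PREFIXES = (0, 8, 16, 24, 32)


def rev_server_to_server(directive):
    """Rewrite 'rev-server=A.B.C.D/N,UPSTREAM' as 'server=/ZONE/UPSTREAM'."""
    key, _, value = directive.partition("=")
    if key != "rev-server":
        raise ValueError(f"not a rev-server directive: {directive!r}")
    cidr, _, upstream = value.partition(",")
    if not upstream:
        raise ValueError(f"missing upstream address in {directive!r}")
    # strict=True refuses host bits set below the prefix, so 192.168.10.42/0
    # is rejected while 0.0.0.0/0 is accepted (our choice, not dnsmasq's).
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in OCTET_PREFIXES:
        raise ValueError(f"{cidr} cannot be expressed as one in-addr.arpa zone")
    # Keep one octet per 8 prefix bits, reverse them, append in-addr.arpa.
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    labels = list(reversed(octets)) + ["in-addr", "arpa"]
    return f"server=/{'.'.join(labels)}/{upstream}"


def parse_servers(directives):
    """Return (defaults, scoped): defaults is the list of domain-less upstreams,
    scoped maps a domain (lowercase, no trailing dot) to its upstream list."""
    defaults, scoped = [], {}
    for line in directives:
        line = line.strip()
        if line.startswith("rev-server="):
            line = rev_server_to_server(line)
        key, _, value = line.partition("=")
        if key != "server":
            continue
        if value.startswith("/"):
            _, domain, upstream = value.split("/", 2)
            scoped.setdefault(domain.lower().rstrip("."), []).append(upstream)
        else:
            defaults.append(value)
    return defaults, scoped


def upstreams_for(qname, directives):
    """Pick the upstreams for qname: the longest matching server=/domain/ entry
    wins (domain and everything under it); with no match, the domain-less
    servers are used, which is why those must be willing to recurse."""
    name = qname.lower().rstrip(".")
    defaults, scoped = parse_servers(directives)
    best = None
    for domain in scoped:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return scoped[best] if best is not None else defaults


# Constructed configuration mirroring the two threads: one recursive server,
# one non-recursive server scoped to a private domain, and the rev-server
# examples from the man page excerpt and the patch mail.
CONSTRUCTED_CONFIG = [
    "server=203.0.113.53",
    "server=/private.domain/192.0.2.10",
    "rev-server=1.2.3.0/24,192.168.0.1",
    "rev-server=192.168.10.42/32,1.2.3.4",
    "rev-server=0.0.0.0/0,192.0.2.53",
]

if __name__ == "__main__":
    for q in ("www.example.com", "host.private.domain",
              "42.10.168.192.in-addr.arpa", "7.3.2.1.in-addr.arpa",
              "9.9.9.9.in-addr.arpa"):
        print(q, "->", upstreams_for(q, CONSTRUCTED_CONFIG))
```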



Re: [Dnsmasq-discuss] Problem using dnsmasq as dhcp

2017-01-04 Thread /dev/rob0
On Wed, Jan 04, 2017 at 06:38:30PM +0100, Archimede Pitagorico wrote:
> it was a rule in the PREROUTING chain of the raw 
> table:
> 
> rpfilter --invert -j DROP
> 
> that caused messages incoming from clients to be dropped.

And here's another problem: be careful with filtering in the raw 
table.  Filtering should be done in the filter table (which, go 
figure, may be why they named it "filter".)

> 
> It is easy to modify the rule to allow dhcp traffic
> through, so problem solved.
> 
> I have another question however about this:
> 
> ISC's dhcp server uses a lower-level 
> network model than dnsmasq, and can work despite
> iptables rules to the contrary.
> 
> How can an app bypass the kernel firewall? Can you please 
> suggest a reference for me to understand better?

Well, that's overstating it a bit.

ISC dhcpd uses raw sockets, and those are (like tcpdump) seen before 
the netfilter subsystem.

But note, a complete DHCP exchange is "DORA": Discover by the client; 
Offer by the server; Request by the client; and Ack by the server.  
With dhcpd only DO are not blockable.  RA certainly are.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Bug forward upstream SERVFAIL

2016-11-22 Thread /dev/rob0
On Tue, Nov 22, 2016 at 04:18:55PM +, Chris Novakovic wrote:
> On 22/11/16 15:03, Martin Wetterwald wrote:
> > We found what we think is a bug (at least a not wanted 
> > behaviour), but it seems it's actually a feature, when looking at 
> > commits 4ace25c5 and 51967f980 (pasted at the end of this email).
> 
> 4ace25c5 is a red herring: that provides REFUSED responses with the 
> behaviour you're looking for. Whether the same behaviour ought to 
> be applied to SERVFAIL responses is for Simon to decide: the commit 
> message for 51967f980 isn't clear about why SERVFAIL should be 
> considered a "successful" upstream response, but I'm sure there was 
> a reason, and I'm sure he can fill us in.

SERVFAIL can sometimes be considered "successful" depending on 
circumstances.

If all the authoritative NS hosts for a zone are returning SERVFAIL 
for queries, then indeed, that's as best as can be done.

But the problem could be on the recursive resolver, such as [for one 
example] cache poisoning causing DNSSEC validation failure.

Unfortunately dnsmasq is not in a position to know which it is.

I think the most prudent thing for dnsmasq to do on SERVFAIL is to 
attempt the query with other upstream servers, if possible.  But an 
answer needs to be provided to the client before its own timeout 
value.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Help: Changes when service dnsmasq start is executed

2016-11-21 Thread /dev/rob0
On Mon, Nov 21, 2016 at 01:43:24PM +, Rahul Jain wrote:
> I want to know about all the changes(internally as in files etc) 
> when "service dnsmasq start" is executed. I noticed one change that

This question should be directed to your distro.  Whilst Simon might 
have some involvement with implementing the init scripts on certain 
distros, it cannot be answered without knowing what distro (and the 
version thereof) you are using.

> it edits the /etc/resolv.conf. The reason is when I set the add-mac 
> option in /etc/dnsmasq.conf and start the dnsmasq service, I'm able 
> to get the EDNS0 option in a dns query but when I compiled from the 
> source and ran it, the same thing doesn't happen.

-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Improve privacy by randomly selecting DNS server from a whitelist

2016-10-10 Thread /dev/rob0
> and if so, how. (Maybe there's a package, or a setting, 
> that does exactly what I'm after, and I've just never heard of it.) 
> Please reply to me off-list if the answer is not relevant to 
> Dnsmasq.

The iptables statistic match is probably not in stock openwrt, so 
that must be installed.

What I do, and have posted before on this list about, is to run 
dnsmasq for DHCP and local names, using a local resolver (on an 
alternate port, because dnsmasq gets port 53) as its one upstream 
server.

I use BIND named(8) for this, with a simple configuration.  If you 
are interested in this and can't find it in the list archives, post 
again.  You won't have named in stock openwrt, so you would need to 
install it.

Any other recursive resolver could do it also; the only catch is that 
it must be able to bind on an alternate port.  I like BIND, but on an 
embedded platform it's probably much bigger than others.  Look at 
pdns-recursor and unbound.

> - whether, if the desired functionality is not currently readily 
> available within OpenWRT, but could be made available by extending 
> Dnsmasq, any of you on the list would be keen to implement that 
> functionality (Simon Kelley, maybe?), or to donate funds towards 
> such an effort.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] DNSSEC check unsigned vs sharepoint.com

2016-09-09 Thread /dev/rob0
On Fri, Sep 09, 2016 at 03:24:34PM +0100, Kevin Darbyshire-Bryant wrote:
> Having some issues with my 'onedrive for business' application 
> which in turn uses 'sharepoint.com'.  Short version: dnsmasq 2.76 
> thinks sharepoint.com is bogus.  Directly querying upstream servers 
> is okay:
> 
> # drill -D @8.8.8.8 sharepoint.com
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 45014
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; sharepoint.com.  IN  A
> 
> ;; ANSWER SECTION:
> sharepoint.com. 20224   IN  CNAME   sharepoint.microsoft.com.

This is broken.

> sharepoint.microsoft.com.   3346IN  A   64.4.6.100
> sharepoint.microsoft.com.   3346IN  A   65.55.39.10
snip

> If I disable 'check unsigned' on the router's dnsmasq instance 
> things work ok.
> 
> Why does dnsmasq think bogus, but google think ok?

$ dig sharepoint.com. any @f.gtld-servers.net. +norec +dnssec

; <<>> DiG 9.10.3 <<>> sharepoint.com. any @f.gtld-servers.net. +norec +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23615
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;sharepoint.com.IN  ANY

;; AUTHORITY SECTION:
sharepoint.com. 172800  IN  NS  ns1.bdm.microsoftonline.com.
sharepoint.com. 172800  IN  NS  ns2.bdm.microsoftonline.com.
sharepoint.com. 172800  IN  NS  ns3.bdm.microsoftonline.com.
sharepoint.com. 172800  IN  NS  ns4.bdm.microsoftonline.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - 
CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 
20160915044336 2016090806 27452 com. 
xNERKmnAlkb3XiEf76OahP52D10WKZLu7GcWpYhVT4be0SBbmq9Kn+XV 
AnaMG/Ywu1/4VPyMfDxnw+XJLMXLn3NJN7TbNLA9Z0TqcpbRZcnTq1Na 
cO9/iuAx32Oaf5pbJIwuSS7HAhfDY4tahpYuSYDz8xOQzyf5W6wnjWAL sAc=
3HGLO8KLU2RJ9G8IIOE1U9FPP77E8J3F.com. 86400 IN NSEC3 1 1 0 - 
3HGMM5Q6EQANHO53VDJUCIMH8GVFL0BU NS DS RRSIG
3HGLO8KLU2RJ9G8IIOE1U9FPP77E8J3F.com. 86400 IN RRSIG NSEC3 8 2 86400 
20160915042007 20160908031007 27452 com. 
sVonxyL0/UgM+9KOG56hO1KezbbM8nzXaEDQYkfJISKVXy+P4m3vF1CX 
pO54bvTDo+msHBjNfNnjZ/4W7NnCutFTs0MNGXYZHOmXJE0B58KXW3Ui 
xsS8lzMlvGKvRuqwe3sHVi1K7TVz2BS96oxljuQ2LXpB+m0MX3eyMt5l zO8=
...

Microsoft has a broken implementation here.  They have put a CNAME 
where NS already exists.  Some resolvers are fooled and will go along 
with it, but apparently dnsmasq can't do that while checking DNSSEC.

If you are paying them, complain.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
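An added check (not code from dnsmasq or from this thread) for the condition described above: a CNAME coexisting with other record types at one owner name, which RFC 1034 forbids and which a validating resolver cannot reconcile. The input is constructed from the records shown in the two dig outputs; RRSIG, NSEC and NSEC3 are allowed beside a CNAME because DNSSEC requires them there.

```python
import re
from collections import defaultdict

# owner TTL IN TYPE rdata, as printed by dig; tabs or spaces between fields.
RR_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*)$"
)

# Types that may legitimately sit beside a CNAME in a signed zone.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC", "NSEC3"}


def parse_rrs(text):
    """Group RR lines by owner name and type; ';' starts a comment as in dig."""
    rrsets = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable RR line: {raw!r}")
        owner = m["owner"].lower()
        if not owner.endswith("."):
            owner += "."
        rrsets[owner].setdefault(m["type"], []).append(m["rdata"].strip())
    return rrsets


def cname_conflicts(rrsets):
    """Return {owner: [other types]} for each owner holding a CNAME together
    with record types that may not share a name with it."""
    conflicts = {}
    for owner, by_type in rrsets.items():
        if "CNAME" in by_type:
            others = sorted(t for t in by_type if t not in ALLOWED_WITH_CNAME)
            if others:
                conflicts[owner] = others
    return conflicts


# Constructed from the records quoted in the thread: the delegation seen at the
# .com servers and the CNAME the child zone returned for the same name.
CONSTRUCTED_RRS = """
; delegation from the parent zone
sharepoint.com.  172800  IN  NS     ns1.bdm.microsoftonline.com.
sharepoint.com.  172800  IN  NS     ns2.bdm.microsoftonline.com.
; what the child zone answered
sharepoint.com.  20224   IN  CNAME  sharepoint.microsoft.com.
sharepoint.microsoft.com.  3346  IN  A  64.4.6.100
"""

# A well-formed signed alias for comparison (signature rdata is a placeholder).
CONSTRUCTED_OK_RRS = """
alias.example.  300  IN  CNAME  target.example.
alias.example.  300  IN  RRSIG  CNAME 8 2 300 PLACEHOLDER-SIGNATURE
"""

if __name__ == "__main__":
    print(cname_conflicts(parse_rrs(CONSTRUCTED_RRS)))
    print(cname_conflicts(parse_rrs(CONSTRUCTED_OK_RRS)))
```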



Re: [Dnsmasq-discuss] using dnsmasq with 4 upstream servers

2016-09-02 Thread /dev/rob0
On Fri, Sep 02, 2016 at 01:23:44PM +0200, Daniel Steglich wrote:
> I've got 4 upstream DNS Servers from my ISP (2 IPv4, 2 IPv6) and 
> use all of them in /etc/resolv.conf.

I think you'd be better off to simplify this.  Furthermore I am 
always leery of trusting ISP nameservers.  Sooner or later the ISP 
bosses get the idea to increase revenue with NXDOMAIN redirection.
Really, I'd trust Google before an ISP (but my own solution is to 
point dnsmasq at my own local caching resolver.)

> I start sending DNS SRV queries from a client to dnsmasq DNS relay 
> every 5 seconds.
> 
> Each request is sent to four DNS upstream servers (primary DNS v4, 
> secondary DNS v4, primary DNS v6, secondary DNS v6). The answer 
> from the fastest server is used.
> As the requests are DNS SRV records, the reply is not cached by 
> dnsmasq.

What?  Why not?  Caching is done based on TTL, not based on the 
RRtype.  If the upstream server gives you a zero TTL, then that 
record is not cached ... regardless of RRtype.

> During my tests the first IPv6 DNS server was always the fastest 
> replying server and for this reason the answer from this server
> is passed to the client always,

Do the answers from other upstream servers differ?

> After some time the dnsmasq relay is not forwarding the requests to 
> the four known DNS servers any more but only sends out the requests 
> to either the first IPv4 DNS server or the first IPv6 DNS server. 
> So only one server is used. After about 20 seconds (4 requests 
> later) the dnsmasq process falls back to the expected behaviour of 
> sending the request to all known DNS Servers.

I guess there is an implied "but the server fails to answer" in this, 
and it presents yet another reason why you might want to consider 
these ISP nameservers unreliable.

> does anybody know the reason for this?

See --all-servers and --server in the manual.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] What does os02 mean here?

2016-07-22 Thread /dev/rob0
On Fri, Jul 22, 2016 at 07:46:50PM +0800, 水静流深 wrote:
> There is a line in the dnsmasq configuration file.
> 
> dhcp-host=00:0C:29:5E:F2:6F,192.168.1.201,os02
> 
> What does os02 mean here?

That's the hostname associated with the client.  Even if the client 
reports a different hostname when requesting the lease, the hostname 
used in the config will be what is served in DNS.
PS: Simon, I saw a typo in my version of the man page under 
"--dhcp-host": "omit" is misspelled.  Sorry for not patching, but 
this should be a simple fix. :)  (And maybe you already have it 
fixed, my version is not current.)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-14 Thread /dev/rob0
On Thu, Jul 14, 2016 at 03:35:58PM +0200, Albert ARIBAUD wrote:
> Le Thu, 14 Jul 2016 00:21:20 + (UTC)
> T o n g <mlist4sunt...@yahoo.com> a écrit:
> 
> > After struggling for a few days, I finally decided that I should 
> > reply, to bring some closure on this. Thank you for all these 
> > days of your tireless help. However, my conclusion is still the 
> > same as my first post -- dnsmasq is unable to provide public DNS 
> > service -- It can be used as DNS server for local host, or local 
> > network, but just not for the general public. We've ruled out 
> > everything possible, and the only thing left is dnsmasq.
> 
> Your conclusion is wrong; the only thing you can conclude from your 
> trials is that dnsmasq will not operate properly in an environment 
> which does not conform to Internet standards -- and *that* is 
> hardly a surprise.

Agreed.  One simple way to test (and to disprove) Tong's conclusion 
is to try it with other software, BIND or unbound or pdns-recursor,
for example, and to see how those work.

> > I.e., if there is any problem with my ISP or my hosting provider, I 
> > wouldn't have been able to start a working second SSH session
> > listening to port 53 (instead of 22). 
> 
> You are again not concluding properly. DNS requires *UDP* port 53 as
> well as *TCP* port 53. Your assumption that DNS somehow can do with
> *TCP* port 53 alone is unfounded and plain wrong.
> 
> > In other words, all else the same, swap in SSH to listen to port 53,
> > it works; swap in dnsmasq, and it fails. With all else the same,
> > dnsmasq is the only problem. 
> 
> This experiment only proves that *TCP* port 53 works between your 
> home and box, but that was already proven by previous tests I 
> suggested. However, dnsmasq requires *UDP* port 53 -- and due to a 
> crippled access, you cannot use that UDP port, contrary to a 
> considerable quantity of other persons who daily prove that dnsmasq 
> can be used way beyond a LAN.

I'll agree that dnsmasq as an authoritative server to the Internet 
might not be insane, but dnsmasq as resolver for an ISP or larger 
network is not a good idea.  It's only forwarding queries, not
actually doing the recursion itself.

> > Thanks anyway for all your help. 
> 
> You're welcome. :)

And a very good job on your part for trying to help.  Unfortunately 
this matter feels very much like an "XY" problem: "I want to do X, I 
think Y would do it for me, so I am asking how to do Y."  As is 
common in such cases, "Y" makes little sense.

If Tong should decide to bring this up again, I would strongly 
suggest asking about "X", the real goal.  
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-06 Thread /dev/rob0
On Sun, Jul 03, 2016 at 10:40:05PM +, T o n g wrote:
> On Sat, 02 Jul 2016 21:27:11 +0200, Albert ARIBAUD wrote:
> >> 
> >> And, yes, basically I'm creating an open DNS server, and since 
> >> nobody is doing that, I can't find any information on how to
> >> set it up properly.
> > 
> > Nobody should do that indeed, because it is a very bad idea:
> > your machine may then serve as an amplifier for DDoS attacks.
> 
> I'm more interested to know how to do that than actually provide 
> the DNS service. BTW, on to that thought, how is the ISP's or Google's 
> DNS server able to avoid being an amplifier for DDoS attacks?

Having some familiarity with this, I can address this question, while 
staying out of Albert's way as he valiantly tried to address the Big 
Picture. :)

First off, Google is an entirely different thing, having little in 
common with ISP recursive servers.  Well, not quite, as the attacks 
are the same, but the potential defenses are more limited.

See: https://en.wikipedia.org/wiki/Ingress_filtering

BCP 38 (and BCP 84 for upstream providers) can help quite a lot.
Basically if you know you're receiving a certain source IP address 
from the wrong place, you know it's a spoof, and drop it.

Unfortunately most ISPs and backbones have not implemented this, so 
the spammers & scammers spoof away.  An ISP has another tool, 
however: the firewall.  They maintain strict separation between 
recursive service for their own users and authoritative service for 
their own zones.

The latter are open to the world, and refuse recursion from 
everywhere.  The former are only open to their own networks, and 
those are the networks that would be allowed recursion.

Still, this is not enough, because an ISP of any size will be hosting 
botnets galore within their own address space.

Note that an internal botnet host spoofing an external IP address 
will be able to reach the recursive servers, but recursion would be 
refused.  That's good, but that still sends a REFUSED "reply" to the 
spoofed IP address.  So the recursive servers need a second layer of 
defense: a firewall which drops anything from outside their networks.
(It's also useful in large ISPs to subdivide networks into different 
parts, and to provide resolver farms which are limited to one part 
only, rather than open to the ISP's entire network.)

Now the ISP recursive servers are not participating in external 
amplification attacks, but what if the spoofed IP address was 
internal to that ISP?  So far there's no protection.  And here's 
where common ground exists between ISP resolvers and Google Public 
DNS.

https://kb.isc.org/article/AA-01304/
https://kb.isc.org/article/AA-01316/

Recursive client rate limiting is a relatively new feature in ISC 
BIND.  It's currently the best that can be done.  I strongly suspect 
that Google also implements a feature like this.

Running recursive nameservers for an ISP is a specialised job.  One 
should not take on that responsibility without adequate preparation 
and resources.

Running a "responsible" open resolver is even more specialised.
Google surely devotes quite a lot of expert manpower to the task.  I 
suspect they also are continually monitoring the service for spikes 
and other attack indicators.

Dnsmasq is a wonderful piece of software which does a very nice job 
at meeting the needs of most small, simple sites.  I do not think 
it's well suited for ISP use, and especially not for use as an open 
resolver.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] How to conditionally forward a query based on the source IP?

2016-06-17 Thread /dev/rob0
On Sun, Jun 12, 2016 at 02:45:17PM +, Wojtek Swiatek wrote:
> I am trying to find a way to forward a DNS request to a specific DNS 
> server, based on the IP address of the requesting host.
> 
> In other words I would like dnsmasq to forward (as an example) 
> queries from the host 10.10.10.1 to DNS server 8.8.8.8 and when 
> the query comes from any other host - to 8.8.4.4.
> 
> Is this something achievable with dnsmasq? (I found a way to do it 
> based on the target domain, but this is not what I am looking for).

This would be trivial to do in BIND, using view and acl features.[1]

However, even there, it sounds quite strange.  Why do you need this?
If you're using dnsmasq in front of a BIND named with views, just go 
straight to the named.

[1]
acl eight { 10.10.10.1; };
acl four { any; };

view eight {
match-clients { eight; };
forwarders { 8.8.8.8; };
};
view four {
match-clients { four; };
forwarders { 8.8.4.4; };
};
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] DNSSEC on lookups of *.paypal.com no longer work

2016-05-14 Thread /dev/rob0
On Sat, May 14, 2016 at 08:55:58PM +0200, Uwe Schindler wrote:
> > > Well, that's the smoking gun. Dnsmasq is doing the right thing, 
> > > and your upstream server at 212.202.215.1 is broken. I realise 
> > > that doesn't solve the problem, but at least you know where to 
> > > work now :)
> > >
> > > (the reason dnsmasq is returning SERVFAIL is that there's a 
> > > chain-of-trust from the root that says paypal.com is signed,
> > > If the answer to the paypal.com query isn't signed, it may be
> > > a false answer, so it can't be trusted.)
> > 
> > Of course this is the right thing to do!
> > 
> > I will contact the upstream provider and ask them to fix this!
> > 
> > Interestingly, two of their three IPv4 DNS servers have the 
> > problem. The 3rd one and all three IPv6 DNS servers are working 
> > fine. This explains why it sometimes worked.
> > 
> > Maybe a good idea is: If a DNSSEC query fails and DNSMASQ knows 
> > more servers, retry on others, too?
> 
> What do you think about this proposal?

Hmm.

I think the story illustrates the importance of controlling your own 
upstream resolver, or at least of using one you know you can trust.

I think there are two main reasons why signatures are broken:
  1. Domain manager had an error in signing and/or keys
     (usually a software problem with signing)
  2. DNS hijacking (not necessarily of malicious intent)

Sometimes people get started validating DNSSEC and lose their will
to be doing so after a SERVFAIL or two.  Those folks are better off 
disabling validation.  But you're not necessarily among them, it 
seems; you're just getting occasionally broken replies from the 
upstream server.

The problem I have with your idea is that you don't really have an 
automated means to determine the problem upstream.  You simply cannot 
rely on a broken upstream server if you're going to validate.  So you 
fall back on 8.8.8.8 for any DNSSEC failure ... but wouldn't you be 
better off just using 8.8.8.8 and dumping the broken one?

I've said before what I do ... I have *both* dnsmasq and named 
running; dnsmasq on port 53 and named on 127.0.0.1:1035.  The named 
is doing recursion only.  Yes, I'm hard core. :)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

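The SERVFAIL in this thread is the validating forwarder's verdict, not something the upstream said; what you can see directly from each upstream is its response code and whether it set the AD (Authenticated Data) bit on its own answer. The following is an added example of mine, not code from the thread or from dnsmasq: it decodes the fixed 12-byte DNS header so the reply from each configured upstream can be compared. The three replies are constructed header-only samples standing in for what different servers returned; a real check would feed in the bytes received over the wire.

```python
"""Decode DNS reply headers to compare how upstream resolvers answer a signed name."""
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def decode_header(msg: bytes) -> dict:
    """Return the named fields of the fixed 12-byte DNS message header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD),   # upstream says it validated the answer itself
        "cd": bool(flags & CD),
        "rcode": RCODE_NAMES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_reply(msg: bytes) -> str:
    """Summarise what one upstream's reply says about its DNSSEC handling."""
    h = decode_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "SERVFAIL":
        return "servfail"          # the upstream itself failed (or refused to validate)
    if h["ad"]:
        return "validated"         # answer carries the upstream's validation mark
    return "unvalidated"           # an answer, but with no validation claim attached


def make_reply(ident: int, rcode: int, ad: bool, ancount: int = 1) -> bytes:
    """Constructed header-only reply for exercising the decoder (not real traffic)."""
    flags = QR | RD | RA | (AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed samples: what three different upstreams might return for one query
SAMPLE_VALIDATED = make_reply(0x1234, 0, ad=True)              # NOERROR, AD set
SAMPLE_SERVFAIL = make_reply(0x1234, 2, ad=False, ancount=0)   # SERVFAIL, no answer
SAMPLE_PLAIN = make_reply(0x1234, 0, ad=False)                 # NOERROR, no AD

if __name__ == "__main__":
    for label, msg in (("upstream-1", SAMPLE_VALIDATED),
                       ("upstream-2", SAMPLE_SERVFAIL),
                       ("upstream-3", SAMPLE_PLAIN)):
        h = decode_header(msg)
        print(label, h["rcode"], "AD" if h["ad"] else "--", classify_reply(msg))
```

Run against real replies, an upstream that answers a known-signed name without AD, or with SERVFAIL only some of the time, is the one to drop from the server list, which is the conclusion the post above reaches.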


Re: [Dnsmasq-discuss] dig for an ip address returns A record instead of NXDOMAIN

2016-03-31 Thread /dev/rob0
On Thu, Mar 31, 2016 at 10:10:37AM +0200, Albert ARIBAUD wrote:
> Le Wed, 30 Mar 2016 16:59:07 -0400
> Jeff Weber <jwe...@cofront.net> a écrit:
> 
> > The behavior I'm seeing is that any host with dnsmasq in its 
> > query path when running dig returns an A record; the response is 
> > NOERROR and the answer section has an A record which looks like
> > 
> > 192.168.100.100. 0 IN A 192.168.100.100
> > 
> > If I perform a dig against the upstream server directly I receive 
> > an NXDOMAIN.
> > 
> > I made the assumption that dnsmasq was creating this response
> > was coming from dnsmasq. I'll do a more detailed investigation
> > to validate that is true.
> 
> I can confirm this behavior on a dnsmasq v2.62 configured with

Sorry Jeff and Albert, I should have been more explicit.  Yes, these 
zero-TTL A records for "ip.add.re.ss." are indeed coming from 
dnsmasq.  I was only pointing out that to see them means that you're 
misusing "dig".

So Jeff's question was valid and his observation was correct.  The 
question remains, how to control this feature of dnsmasq.  I went 
through the man page just now and did not see anything which looked 
likely to do it.

> static leases plus a static list of local hosts (so that name
> resolution works even when host is down). Running dig from the server
> itself, thus asking dnsmasq directly, yields the following:
> 
> $ dig jdoe
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25422
> ...
> ;; ANSWER SECTION:
> jdoe. 0   IN  A   192.168.0.1
> ...
> $ dig -x 192.168.0.1
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5779
> ...
> 192.168.0.1.  0   IN  A   192.168.0.1
> ...

Um, I think you had a copy/paste error/omission here, Albert.  As I 
mentioned, -x changes the query type to PTR and the query name to
.in-addr.arpa.

dig -x elements.are.reversed.here

Try it, it's really not very smart. :)

dig's BIND brother host(1) is a bit more user-friendly in this 
regard, because it acts on a dotted quad as you might expect, not 
requiring the "-x" to do the reversal and query for PTR.

> Its local upstream is an unbound server on the same machine and
> on port:
> 
> $ dig -p 1234 192.168.0.1
> ...
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61710
> ...

Here without the -x the query is for an A record for "192.168.0.1." 
in the "1" top-level domain.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] dig for an ip address returns A record instead of NXDOMAIN

2016-03-30 Thread /dev/rob0
On Wed, Mar 30, 2016 at 01:05:32PM -0400, Jeff Weber wrote:
> I'm using dnsmasq as a local dns cache on some servers and I've 
> noticed recently (due to some buggy software) that if you dig for 
> an ip address you get an A record back which is set to that ip 

The proper use of dig of an IP address (for example, 192.0.2.53) is 
"dig -x 192.0.2.53".  This changes the query to a type PTR for
53.2.0.192.in-addr.arpa.

By default dig queries for A, and "dig 192.0.2.53" will cause a 
recursive server to ask the root servers for a "53" top-level domain.
The fact that ICANN has not yet tried to turn all-numeric TLDs into 
money makers notwithstanding, there is no protocol reason why it 
cannot be done.

> address. I went through the manual and wasn't able to find an 
> option which seems like it could make this configurable. Is there a 
> way to turn this response into an NXDOMAIN instead of returning the 
> synthesized A record?
> 
> I'm using dnsmasq version 2.66 on a Centos 7 machine.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

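Both dig threads above (this one and the 2016-03-31 follow-up) come down to the same two facts: without -x, dig sends an A query for the literal address as a hostname, so "192.0.2.53." lands in a "53" top-level domain; with -x it sends a PTR query for the reversed name under in-addr.arpa (or ip6.arpa). The following is an added example of mine, not code from the thread or from dnsmasq, that models both behaviours and also recognises the zero-TTL "address. IN A address" answer shape the posters saw; function names are my own.

```python
"""Model what dig asks for, with and without -x, and spot misused address lookups."""
import ipaddress


def reverse_name(addr: str) -> str:
    """Build the PTR owner name that 'dig -x' asks for, for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")                 # "192.0.2.53" -> ["192", "0", "2", "53"]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, zero-padded groups
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def is_bare_address(qname: str) -> bool:
    """True when a forward query name is really an IP address typed without -x."""
    try:
        ipaddress.ip_address(qname.rstrip("."))
        return True
    except ValueError:
        return False


def dig_query(arg: str, reverse: bool = False) -> tuple:
    """Model of what dig sends for its argument: (qname, qtype)."""
    if reverse:
        return reverse_name(arg), "PTR"
    return arg.rstrip(".") + ".", "A"       # no -x: the address is treated as a hostname


def top_level_label(qname: str) -> str:
    """The rightmost label, i.e. the TLD a recursive server would ask the roots about."""
    return qname.rstrip(".").rsplit(".", 1)[-1]


def is_synthesized_self_answer(qname: str, rdata: str) -> bool:
    """True for the 'address. IN A address' shape the thread observed from dnsmasq."""
    return is_bare_address(qname) and qname.rstrip(".") == rdata.rstrip(".")


if __name__ == "__main__":
    for arg, rev in (("192.0.2.53", False), ("192.0.2.53", True), ("2001:db8::1", True)):
        name, qtype = dig_query(arg, rev)
        suffix = "" if rev else "   (TLD '%s')" % top_level_label(name)
        print("dig %s%-12s -> %s %s%s" % ("-x " if rev else "", arg, qtype, name, suffix))
```

The IPv6 branch keeps every zero nibble of the exploded address, which is why a PTR name under ip6.arpa has 32 labels; the same reversal with a compressed address would be wrong.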


Re: [Dnsmasq-discuss] redundant/resiliant dnsmasq servers?

2016-03-26 Thread /dev/rob0
On Sat, Mar 26, 2016 at 11:06:39AM +0100, Matthias Andree wrote:
> Regarding failover or backups, be sure to check dhcp-authoritative. 
> It does not appear that dnsmasq has facilities to share its leases 
> database with other software.  You'd probably have to cook 
> synchronization on your own with scripts or lua scripts.

And it's probably worth noting that a major design goal of dnsmasq is 
to remain simple.  It targets (and nicely fills) most common needs, 
and unlike many network services, you don't have to devote a lot of 
time to learn how to run and manage it.

I'm sure if Simon can figure out a simple way to do failover, he 
will, but I don't expect it. :)

Right now the best option for failover seems to be ISC DHCP 4.3, or 
possibly Kea for the adventurous (a failover protocol does not seem 
to be implemented yet, but lease database sharing is possible with 
another possible point of failure: mysql or PostgreSQL.)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] Facing compilation issue with dnsmasq

2016-02-25 Thread /dev/rob0
On Thu, Feb 25, 2016 at 12:04:11PM +, Mariappan Rajendran wrote:
> I just downloaded the dnsmasq latest version from GIT and am facing 
> the below error when I compile.
> Please suggest how to resolve this.
> 
> hadmin@ICSCHELAP1003:~/Mari$ git clone https://github.com/guns/dnsmasq
> Cloning into 'dnsmasq'...
> remote: Counting objects: 7776, done.
> remote: Total 7776 (delta 0), reused 0 (delta 0), pack-reused 7776
> Receiving objects: 100% (7776/7776), 7.88 MiB | 23.00 KiB/s, done.
> Resolving deltas: 100% (5206/5206), done.
> Checking connectivity... done.
> 
> 
> root@ICSCHELAP1003:/home/hadmin/Mari/dnsmasq# make install
> Package libidn was not found in the pkg-config search path.
> Perhaps you should add the directory containing `libidn.pc'
> to the PKG_CONFIG_PATH environment variable
> No package 'libidn' found
snip
> Do I have to build the libidn first, and if yes, from where do I compile it?
> 
> Here is my system config:
> Ubuntu 14.04 kernel version - 3.13.0-32-generic

Ubuntu provides a libidn package.  You simply need to install it; 
there might be one called "libidn-devel" which contains the header 
files needed at compile time.

While you're at it you should review your environment to be sure 
other compile-time needs are met.  Ubuntu probably provides a 
metapackage which will do this.

You might also consider learning how to build a .deb so your 
installed software can be managed by your OS packaging system.

Consult Ubuntu documentation for help with these issues.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] disabling reverse dns lookup in dnsmasq

2016-02-17 Thread /dev/rob0
On Wed, Feb 17, 2016 at 09:12:29PM +0100, Guy Wijnants wrote:
> Is there a way to enable reverse lookup for a certain type of 
> network in dnsmasq? Like requests coming from 192.168.0.0/24, 
> and disable reverse lookup for the rest?

$Subject notwithstanding, note that the OP in this thread was not 
really asking about REVERSE lookup; it was about disabling RECURSIVE 
queries.

Nevertheless we can't gripe at you for thread hijacking when your 
question actually brings the thread in line with its Subject. :)

I can't speak authoritatively (pardon the pun) on this, but I am 
pretty sure you'd need a feature like BIND's view feature for this; 
dnsmasq is about simple configuration and commonly-used features.
Most sites don't need views (and many who do set up views have 
overcomplicated things. ;) )

In BIND you'd have one view which is authoritative for all of the 
in-addr.arpa zone:

...
view "no-reverse" {
    match-clients { 192.168.0.0/24; };
    ...
    zone "in-addr.arpa" IN {
        type master;
        file "in-addr.arpa";
    };
};
view "default" {
    match-clients { "any"; };
    ...
};
...

...where the "in-addr.arpa" zone file has only SOA and NS with no 
other records such as PTR.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:



Re: [Dnsmasq-discuss] What if external DNS unreachable or timed out

2015-02-12 Thread /dev/rob0
On Thu, Feb 12, 2015 at 08:43:20PM -0500, Nikolay P wrote:
> I am wondering what will happen if none of the external DNS servers 
> are reachable or suddenly (for any reason) a DNS query to external 
> servers timed out. Will Dnsmasq reply to the client's request from 
> cache? Assume that this particular query is performed frequently 
> and it should be in Dnsmasq cache.

If the record is cached, dnsmasq is not going to ask an upstream 
nameserver.  If a query is made to an upstream nameserver, that means 
the record is NOT in the cache.

Then if the upstream query times out or otherwise fails, that's what 
dnsmasq will tell the client.

> So, will the Dnsmasq reply to the client's request from cache if 
> none of the external servers replied?

No, it wasn't cached.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] dnsmasq: failed to create listening socket: Address already in use

2014-08-01 Thread /dev/rob0
On Fri, Aug 01, 2014 at 07:01:09PM +0430, Mahmood Naderan wrote:
> However, I get error when trying to start the dnsmasq service
> 
> [root@localhost mahmood]# /etc/init.d/dnsmasq status
> dnsmasq is stopped
> [root@localhost mahmood]# /etc/init.d/dnsmasq start
> Starting dnsmasq:
> dnsmasq: failed to create listening socket: Address already in use
>                                                            [FAILED]
> 
> netstat command shows the following information
> 
> [root@localhost mahmood]# netstat -anlp | grep -w LISTEN

LISTEN in netstat terms only includes TCP, as you can see.  DHCP 
servers need to bind UDP port 68.  Nameservers need to bind UDP 53.  
More of interest here would be to see UDP sockets (-u).

> tcp   0   0 0.0.0.0:111       0.0.0.0:*    LISTEN  1252/rpcbind
> tcp   0   0 127.0.0.1:631     0.0.0.0:*    LISTEN  1445/cupsd
> tcp   0   0 127.0.0.1:25      0.0.0.0:*    LISTEN  1685/master
> tcp   0   0 0.0.0.0:46556     0.0.0.0:*    LISTEN  1348/rpc.statd
> tcp   0   0 :::111            :::*         LISTEN  1252/rpcbind
> tcp   0   0 :::80             :::*         LISTEN  4884/httpd
> tcp   0   0 ::1:631           :::*         LISTEN  1445/cupsd
> tcp   0   0 :::51096          :::*         LISTEN  1348/rpc.statd
> 
> What misconfiguration causes such error and how can I fix that?

I don't know.  Maybe you have enabled another DHCP server, or perhaps 
another nameserver?
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

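The point of the reply above is that a TCP-only LISTEN listing cannot show who holds UDP 53 or UDP 67, which are the sockets dnsmasq needs. As an added example (mine, not from the thread or from dnsmasq), here is a small parser for the Linux `netstat -anup` column layout that reports which programs already hold those UDP ports. The listing it parses is a constructed sample, not the poster's real output, and the program names in it are invented to show a conflict.

```python
"""Find which processes already hold the UDP ports dnsmasq needs (53 for DNS, 67 for DHCP)."""

# Constructed sample of `netstat -anup` output on Linux; the programs shown are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1701/named
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1688/dhcpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1252/rpcbind
udp6       0      0 :::53                   :::*                                1701/named
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1252/rpcbind
"""

# UDP ports a dnsmasq acting as DNS forwarder and DHCP server must be able to bind
DNSMASQ_PORTS = {53: "DNS", 67: "DHCP server"}


def udp_sockets(text: str) -> list:
    """Return (proto, local address, port, program) for every UDP socket in the listing."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue                      # header lines and TCP rows are not of interest
        addr, _, port = fields[3].rpartition(":")   # handles both 0.0.0.0:53 and :::53
        program = fields[-1] if "/" in fields[-1] else "-"   # "-" when netstat lacks permission
        found.append((fields[0], addr, int(port), program))
    return found


def port_conflicts(text: str, wanted: dict = DNSMASQ_PORTS) -> dict:
    """Map each wanted UDP port to the programs already bound to it ({} means the way is clear)."""
    holders = {}
    for _proto, _addr, port, program in udp_sockets(text):
        if port in wanted:
            holders.setdefault(port, set()).add(program)
    return {port: sorted(progs) for port, progs in holders.items()}


if __name__ == "__main__":
    conflicts = port_conflicts(SAMPLE_NETSTAT)
    if not conflicts:
        print("no conflicting UDP listeners")
    for port, progs in sorted(conflicts.items()):
        print("UDP %d (%s) already held by: %s" % (port, DNSMASQ_PORTS[port], ", ".join(progs)))
```

On a current system `ss -ulnp` gives the same information in a slightly different layout; the parsing idea (ignore TCP rows, split the local address on its last colon) carries over.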


Re: [Dnsmasq-discuss] split networks with split DNS?

2014-07-29 Thread /dev/rob0
On Tue, Jul 29, 2014 at 09:40:45PM -0400, krux wrote:
> Did you ever figure this out? I am struggling with the same and
> am unable to find a solution.

I don't think this will be a feature in dnsmasq.  For something like 
this, you would have to run BIND and use views.  Or as the OP said, 
you could use a separate dnsmasq instance per network, each binding 
only the appropriate IP address/interface.

Dnsmasq is a fine piece of software; I like it a lot.  And it is a 
much easier way to get started and to have things working as you 
need.  But (by design) it cannot meet every need.  If it could, it 
wouldn't be so simple to use. :)

Don't be afraid of BIND.  While it is very powerful, it's also 
straightforward, well documented, and well supported.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Configuration to kick off devices after a certain time

2014-07-28 Thread /dev/rob0
On Mon, Jul 28, 2014 at 08:45:05PM +0200, Elrippo wrote:
> I have dnsmasq running on an Ubuntu 12.04 server with Ethernet
> and wlan (hostapd) networks.
> I have a wlan network with 3 subnets, where one subnet is used
> for testing.
> I would prefer an option where I can define that users, devices
> are kicked off after 15min for an hour.
> Is this, or some kind of, option implemented in dnsmasq?

dnsmasq is a DHCP and DNS server.  As a DHCP server, it could give a 
lease valid for only 15 minutes, but no, there's no such feature to 
enforce an hour (nor other specified) penalty time between leases.  
What happens if a client reboots and forgets its lease in that 
interval?  In that case the only thing the server can do is deny a
lease.  (Again: *if* such a feature existed.)

Conversely, what about a renegade client which keeps the leased 
address beyond the valid period?  The DHCP server has no way to 
reclaim stolen leases.

As a DNS server, it could refuse or hijack the client's queries 
during a penalty period, but there too, dnsmasq does not have a 
feature like that.

I think the closest you will get to your goal is by implementing 
something in your firewall.  It won't be trivial to get it right 
there, either.  I would look at -m recent and maybe also -m set to 
begin with.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Configuration to kick off devices after a certain time

2014-07-28 Thread /dev/rob0
On Tue, Jul 29, 2014 at 12:30:18AM +0200, Elrippo wrote:
> I am aware of doing some iptables rules for kicking of a subnet
> IP for a certain amount of time, but I just didn't want to start 
> with iptables, especially for every IP on that subnet.

I'm not sure what you mean.  If you're dealing with groups of 
addresses, try ipset(8) and the iptables set match.

> I'll give it a try ;)
> 
> Thanks again for your help, maybe I'll post a feature request for 
> implementation, so this lease kick-off doesn't have to be done by a 
> webserver like in hotels.

I don't know what you have seen, but it's still not technically 
possible, even with the features I described.  (Well, the DNS 
hijacking might come close, but a malicious rulebreaker could use 
IP addresses.)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-09 Thread /dev/rob0
On Tue, Apr 01, 2014 at 11:54:28AM -0500, I wrote:
^^
> On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
> > On 25/03/14 07:03 PM, sven falempin wrote:
> > > my concern of nettle vs openssl is the amount of review and 
> > > testing nettle did get compared to something more widely(!)
> > > used openssl
> > 
> > something being used a lot != something being good
> 
> Absolutely true, but in the context of open source software, 
> especially cryptographic software, more use also tends to mean
> more code review.

April Fools!

;)

> I'm not really qualified to judge here what is best; I can only
> point out what I, as a user, think about it. I'll trust Simon's 
> judgment, but I hope he has considered these concerns.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread /dev/rob0
On Tue, Mar 25, 2014 at 07:08:44PM -0400, Alex Xu wrote:
> On 25/03/14 07:03 PM, sven falempin wrote:
> > my concern of nettle vs openssl is the amount of review and 
> > testing nettle did get compared to something more widely(!)
> > used
> 
> something being used a lot != something being good

Absolutely true, but in the context of open source software, 
especially cryptographic software, more use also tends to mean
more code review.

I'm not really qualified to judge here what is best; I can only
point out what I, as a user, think about it. I'll trust Simon's 
judgment, but I hope he has considered these concerns.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Does DNSSEC require nettle and gmp, or nettle with gmp?

2014-04-01 Thread /dev/rob0
On Tue, Apr 01, 2014 at 10:45:44AM -0700, Dave Taht wrote:
> And thus I enthusiastically support other OSes than linux,
> other dns servers besides bind, and other crypto libraries
> besides openssl.

One named to rule them all
One named to find them
One named to bring them all
And in the darkness BIND them.

:)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Speed comparison dnsmasq - unbound?

2014-02-16 Thread /dev/rob0
On Sun, Feb 16, 2014 at 07:38:37AM +0100, Oliver Rath wrote:
> did somebody do some speed comparison tests for the dns caching
> functionality between dnsmasq and unbound (http://unbound.net/)?

Compare apples to apples. You're not doing that.

Dnsmasq is a DNS forwarder. Unbound is a DNS resolver. Unbound 
actually does the work of accepting recursive queries and then 
performing the iterative queries to find the answer.

Dnsmasq simply hands off these queries to a backend resolver, such as 
BIND named or unbound. Accordingly, I'd expect dnsmasq to be faster, 
but noting that the comparison is meaningless.

> I've read that unbound is the fastest dns caching server including 
> dnssec support, but I could imagine that dnsmasq has the same 
> speed (or better).

I've read a lot of things on the Internet. Some of them might have 
been true. Unqualified claims of speed are usually bogus. Such 
claims are especially difficult to establish in the realm of DNS, 
because your apparent speed is largely dependent upon random third 
parties' servers and the speed of their Internet connections.

Do you have a link to these speed studies? I'd like to see them.

> Unbound is the new standard dns caching server in FreeBSD 10 and
> replaces bind.

IIUC that's only partly true. BIND is a complete DNS implementation, 
whereas unbound is only a caching resolver. Those who are serving 
authoritative DNS to the world also need an authoritative DNS server 
such as BIND named or NLNetLabs' NSD.

Note, best practice usually demands separation of authoritative DNS 
service from recursive service. Unbound/NSD began with this 
understanding, whereas BIND has roots going back to the very 
beginnings of DNS.

(The fact that named can do it all in one notwithstanding, this is 
not what ISC recommends. But it is a convenience for some small, 
internal-only sites, where that might override security concerns.)

> Just for interest.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] DNSMasq and DNS reflection attacks

2013-10-24 Thread /dev/rob0
> installations 
> which use dnsmasq, since sometimes they are provisioned with real 
> addresses. I'd expect to see problems in the future with IPv6, 
> since far more people will be using globally routable addresses 
> with IPv6.
> 
> The reason that this happens is that --bind-interfaces uses the 
> bare-minimum BSD sockets API only. Detecting which interface a 
> packet arrived on, rather than the address to which it was sent, 
> needs non-portable API, and is impossible on some platforms 
> (openBSD, for instance) --bind-interfaces is a works everywhere 
> least common denominator. It's also useful when you're running 
> multiple instances of dnsmasq on one host, which is why most
> people use it.
> 
> The fix is to use either the default listening mode, or if running
> multiple instances, the new --bind-dynamic mode. --bind-dynamic is
> only available on Linux, and --bind-interfaces is the only mode
> available on openBSD, so BSD users have rather more problems here.
> 
> Summary. There's a problem if you want to accept queries on an 
> internal interface with a globally routable address and use 
> --bind-interfaces. The fix is to remove --bind-interfaces and, if 
> necessary, replace it with --bind-dynamic. This fix is not 
> applicable on all platforms,
> 
> The Real Soon Now 2.67 release logs a very prominent warning if the
> dangerous combination is configured.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:

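The dangerous combination described in the quoted text is --bind-interfaces together with a listening interface that carries a globally routable address. As an added example (my code, not from the thread or from dnsmasq, which since 2.67 prints its own warning for this case), the following reads the listening directives from a dnsmasq.conf fragment and lists the routable addresses such a configuration would answer on. It assumes that only RFC 1918, loopback, link-local and ULA ranges count as internal; the interface addresses and config text are constructed samples, with documentation prefixes standing in for real public addresses.

```python
"""Flag dnsmasq listening configs that answer on routable addresses under --bind-interfaces."""
import ipaddress

# Assumption for this check: these ranges are internal; anything else is treated as routable.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)   # version mismatch simply yields False


def parse_listen_options(conf: str) -> dict:
    """Collect the dnsmasq.conf directives that decide how sockets are bound."""
    opts = {"bind-interfaces": False, "bind-dynamic": False,
            "interface": [], "listen-address": []}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("bind-interfaces", "bind-dynamic"):
            opts[key] = True
        elif key == "interface":
            opts["interface"].append(value)
        elif key == "listen-address":
            opts["listen-address"].extend(v.strip() for v in value.split(","))
    return opts


def exposed_addresses(conf: str, iface_addrs: dict) -> list:
    """Routable addresses dnsmasq would answer on while --bind-interfaces is in effect."""
    opts = parse_listen_options(conf)
    if not opts["bind-interfaces"]:
        return []        # default mode and --bind-dynamic check the arrival interface
    addrs = list(opts["listen-address"])
    for iface in opts["interface"]:
        addrs.extend(iface_addrs.get(iface, []))
    return sorted(a for a in addrs if not is_internal(a))


def recommendation(conf: str, iface_addrs: dict) -> str:
    exposed = exposed_addresses(conf, iface_addrs)
    if not exposed:
        return "ok"
    return ("remove bind-interfaces (or use bind-dynamic when running several "
            "instances on Linux); routable addresses bound: " + ", ".join(exposed))


# Constructed samples: an internal LAN interface plus an interface carrying routable
# addresses (documentation prefixes used as stand-ins for public ones).
IFACES = {"eth0": ["192.168.8.1"], "eth1": ["203.0.113.5", "2001:db8::5"]}
CONF_RISKY = "interface=eth0\ninterface=eth1\nlisten-address=127.0.0.1\nbind-interfaces\n"
CONF_FIXED = "interface=eth0\ninterface=eth1\nlisten-address=127.0.0.1\nbind-dynamic\n"

if __name__ == "__main__":
    for name, conf in (("risky", CONF_RISKY), ("fixed", CONF_FIXED)):
        print(name + ":", recommendation(conf, IFACES))
```

The check is deliberately static: it reasons from the configuration and the addresses the host has, so it can run from a configuration-management pipeline before the daemon is ever started.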


Re: [Dnsmasq-discuss] dhcp-range but no port 67

2013-06-28 Thread /dev/rob0
On Fri, Jun 28, 2013 at 03:45:02PM +0200, andreas graeper wrote:
> dnsmasq 2.48 on centos64 (standard-repos)
> 
> i set dhcp-range=172.27.6.150,172.27.10.180,255.255.0.0,12h
> but there is no port 67 open (nmap)

How did you test this? By default nmap scans TCP; DHCP is UDP.

root@chestnut:~# nmap -sU -p52-54,66-68 192.168.8.97

Starting Nmap 6.01 ( http://nmap.org ) at 2013-06-28 18:08 CDT
Nmap scan report for chestnut.rob0.nodns4.us (192.168.8.97)
Host is up (0.0087s latency).
PORT   STATE         SERVICE
52/udp closed        xns-time
53/udp open          domain
54/udp closed        xns-ch
66/udp closed        sqlnet
67/udp open|filtered dhcps
68/udp closed        dhcpc

Nmap done: 1 IP address (1 host up) scanned in 1.36 seconds
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Can I set up dnsmasq to act as a local caching recursive DNS server?

2013-06-22 Thread /dev/rob0
On Sat, Jun 22, 2013 at 09:05:25PM +1000, Robert S wrote:
> I am having difficulties with lookups by spamassassin - I'm
> getting these messages: URIBL_BLOCKED ADMINISTRATOR NOTICE:
> The query to URIBL was blocked. See 
> http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
> for more information.
 
> I've been advised that my URIBL query traffic may be
> aggregated with many others and that I need to use a local
> caching recursive DNS server.

This is also true of Spamhaus and other major DNSBLs.

> Is dnsmasq able to do this?  I've been using it for quite a
> few years and am not keen to switch to something else.

This isn't a problem for me, because my mail server is also an 
authoritative NS server, and it runs BIND named. I only run dnsmasq 
in SOHO settings.

That said, I don't trust ISP (nor other external) caches. I set up 
dnsmasq to use a local named listening on an alternate port. The 
dnsmasq.conf (dnsmasq.d/ if you prefer) and named.conf are both 
rather simple:

dnsmasq.conf :

# we use nameserver 127.0.0.1 in resolv.conf
no-resolv
server=127.0.0.1#1053
# other settings not shown

named.conf :

options {
    directory "/var/named";
    listen-on port 1053 { 127.0.0.1; };
    # this also lets me control my own DNSSEC
    #dnssec-accept-expired yes;
    dnssec-lookaside auto;
    dnssec-validation auto;
};

(This assumes a recent enough BIND version for DNSSEC support, which 
is not the case in older RHEL/CentOS and recent OpenBSD.)

Is it overkill to run two daemons which do the same thing? Perhaps, 
but these do not do the same thing. Dnsmasq is a DHCP server and 
authoritative nameserver; named here is only caching/recursive. It 
has long been considered a best practice to separate authoritative 
from caching/recursive name service.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] How to make dnsmasq continue querying other servers when the previous one returned NXDOMAIN?

2013-05-11 Thread /dev/rob0
On Sat, May 11, 2013 at 09:43:48PM +0300, Evgeniy Afonichev wrote:
> I'm trying to use dnsmasq as forwarding dns server in the following 
> way - if first server returns NXDOMAIN then dnsmasq should ask 
> another server from the list

Perhaps you'd get better help here if you described the ultimate 
goal, why you want to do this? AFAIK this is not possible (but I 
haven't gone through the man page to see if there's an option for 
this purpose.)

> my dnsmasq.conf file
> all-servers
> no-poll
> server=192.168.0.1
> server=192.168.0.2
> strict-order
> 
> log output
> $ dnsmasq -d -q --conf-file=dnsmasq.conf
> dnsmasq: started, version 2.59 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n DHCP TFTP
> conntrack IDN
> dnsmasq: using nameserver 192.168.0.1#53
> dnsmasq: using nameserver 192.168.0.2#53
> dnsmasq: read /etc/hosts - 8 addresses
> dnsmasq: using nameserver 192.168.0.1#53
> dnsmasq: using nameserver 192.168.0.2#53
> dnsmasq: using nameserver 192.168.0.1#53
> dnsmasq: query[A] github.example.com from 172.18.194.4
> dnsmasq: forwarded github.example.com to 192.168.0.1
> dnsmasq: reply github.example.com is NXDOMAIN-IPv4
> dnsmasq: query[A] github.example.com from 172.18.194.4
> dnsmasq: cached github.example.com is NXDOMAIN-IPv4
> 
> as we can see - as soon as the first server 192.168.0.1 returns 
> NXDOMAIN, dnsmasq returns NXDOMAIN too no matter if there's still 
> another server 192.168.0.2, which can resolve the required domain.
> 
> How to make dnsmasq continue querying other servers when the 
> previous one returned NXDOMAIN?

My best guess here is that github.example.com (or example.com itself) 
is somehow representing a special name, one for which 192.168.0.2 
might be authoritative. In that case, you need to specify the domain 
in the server directive:

server=/github.example.com/192.168.0.2

Do this in addition to server=192.168.0.2 if 192.168.0.2 should 
also be providing resolver service for you.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] IPV6 preference

2013-05-08 Thread /dev/rob0
On Wed, May 08, 2013 at 05:43:01AM -0700, Ray Klassen wrote:
> Is there a way of configuring dnsmasq to always return an ipv6 
> address on a DNS request if there are both ipv4 and ipv6 available?

I wouldn't think so. A client either asks for an A record (ipv4) or 
AAAA (ipv6), it does not ask for an address.

> I've got an ipv6 tunnel that, for certain sites, I'd like all 
> traffic to be directed to. Problem is (i think) that DNS is round 
> robining addresses and sometimes returns an ipv4 address which 

No, as above, the client only gets A if it asks for A. That said, 
resolver clients most likely can be configured to prefer ipv6 over 
ipv4. See the documentation for your resolver(s).

> routes traffic away from the tunnel. I suppose I could force this 
> using a hosts file, but the addresses for that site are pretty 
> dynamic or so I'm given to understand.

Maybe you want to point to a remote server for those names:

server=/certain.sites.example/2001:db8::1ce:c01d
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Local upstream server

2013-04-14 Thread /dev/rob0
On Mon, Apr 15, 2013 at 04:30:52AM +0200, Moritz Warning wrote:
> Can I add a domain specific upstream server using a different
> port than 53? Dnsmasq already uses that port.

This is what I do with BIND named on port 1053.

server=127.0.0.1#1053

See --server in the man page. What you might want is something 
similar to this:

server=/example.dht/127.0.0.1#1053

This uses 127.0.0.1:1053 for names under and including only 
example.dht.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] dnsmasq for road warriors

2012-11-13 Thread /dev/rob0
On Tue, Nov 13, 2012 at 12:13:07PM +0100, s...@sltosis.org wrote:
> On Mon, Nov 12, 2012 at 06:11:43PM -0600, richardvo...@gmail.com 
> wrote:
> > On Sun, Nov 11, 2012 at 5:05 PM, /dev/rob0 r...@gmx.co.uk 
> > wrote:
> > > > On 10/11/2012 15:54, /dev/rob0 wrote:
> > > > > Seems to me that dnsmasq is a better nscd replacement,
> > > > > and it has a place in mobile computing.
> > > > >
> > > > > # we use this dnsmasq as this system's own resolver
> > > > > no-resolv
> > > 
> > > On Sat, Nov 10, 2012 at 05:46:10PM -0600,
> > > richardvo...@gmail.com wrote:
> > > > no-resolv is doing more harm than good.
> > > > 
> > > > dnsmasq is smart enough to ignore 127.0.0.1 in 
> > > > /etc/resolv.conf And it will automatically pick up 
> > > > DHCP-assigned DNS servers which written there.
> > > 
> > > But you don't understand. The point of dnsmasq on a laptop
> > > is to serve ONLY that machine and its local processes.
> > > /etc/resolv.conf must contain ONLY nameserver 127.0.0.1.
> > > If there are other nameservers listed, the system resolver
> > > will be contacting them; possibly getting different results,
> > > and ... well, this discussion would not be relevant to
> > > the dnsmasq list.
> > 
> > I don't know where you got this piece of misinformation.  
> > Multiple nameserver entries in /etc/resolv.conf work fine, as 
> > long as the localhost entry (pointing to dnsmasq) comes first.
> 
> It will work fine, but the system resolver might end up querying
> a nameserver other than dnsmasq(localhost) which is exactly, if
> I understood correctly, what /dev/rob0 wants to avoid.

Yes. And thanks to Richard for making me look in the resolv.conf(5) 
manual. The listing order is the priority, but there's always a 
chance that lookups could fall through from 127.0.0.1 to other 
nameservers, and I don't want that.

 That said, dnsmasq will poll your alternate resolv.conf for change 
 automatically, unless requested otherwise (--no-poll), so I see no 
 need to restart it after a change.

Aha! I missed --no-poll. This looks to be pretty easy, then, using 
--resolv-file. (And --no-resolv is moot.)

 This is actually what I was doing* on my laptop, a custom dhcp 
 client hook will fill an alternate resolv.conf file : 
 /etc/resolv.conf-dnsmasq (used by dnsmasq), and ensure 
 /etc/resolv.conf only contains the localhost nameserver with 
 optional supplementary parameters (search,...)

Thanks!

 This is obviously useful for dnsmasq cache and other features (eg: 
 server=//), but also for some services/daemons which don't poll 
 /etc/resolv.conf for change on their own(eg: postfix)

Hehe, it seemed a bit crazy to run server software on a laptop, but 
at least I'm not putting Postfix on there. (Yet? ;) )

For the archives, here's what I ended up with on the laptop:

no-dhcp-interface=lo
listen-address=127.0.0.1
# no-resolv is left out: with it set, dnsmasq ignores resolv-file too,
# and the DHCP-supplied upstreams would never be read
resolv-file=/var/lib/dhcpcd/resolv.conf
user=dnsmasq
group=dnsmasq
server=/rob0.vpn/192.168.6.1
server=/6.168.192.in-addr.arpa/192.168.6.1

/etc/resolv.conf contains only nameserver 127.0.0.1. (It could just 
as well not exist, because the default resolver behavior is to query 
DNS from 127.0.0.1.) And dhcpcd(8) is writing domain_name_servers to 
/var/lib/dhcpcd/resolv.conf.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
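The DHCP client hook that the reply above describes, as an added example that is not part of the thread: it fills a dnsmasq-only resolv file from the DHCP-supplied servers and keeps /etc/resolv.conf pinned to 127.0.0.1 so nothing can fall through to another nameserver. The file paths, the hook's reason names and the `new_domain_name_servers` / `new_domain_name` variables are assumptions about dhcpcd's hook environment; both paths can be overridden through the environment to exercise the functions against temporary files.

```shell
#!/bin/sh
# Added example, not from the list thread. Assumed: dhcpcd runs this as a
# hook with $reason set and the DHCP-supplied servers in
# $new_domain_name_servers (space separated). Paths are overridable so the
# functions can be run against temporary files.
DNSMASQ_RESOLV="${DNSMASQ_RESOLV:-/etc/resolv.conf-dnsmasq}"
SYSTEM_RESOLV="${SYSTEM_RESOLV:-/etc/resolv.conf}"

# is_ipv4: crude dotted-quad syntax check, so a broken or hostile DHCP
# server cannot plant arbitrary text in a nameserver line.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# write_upstreams: $1 = DHCP-supplied servers. Writes them to the file that
# only dnsmasq reads (resolv-file=...), dropping loopback so dnsmasq is never
# told to forward to itself. The rename is atomic, so dnsmasq's poll of the
# file never sees a half-written version.
write_upstreams() {
    tmp="$DNSMASQ_RESOLV.$$"
    : > "$tmp"
    for ns in $1; do
        case "$ns" in
            127.*) continue ;;
        esac
        is_ipv4 "$ns" || continue
        printf 'nameserver %s\n' "$ns" >> "$tmp"
    done
    mv "$tmp" "$DNSMASQ_RESOLV"
}

# pin_system_resolver: $1 = optional search domain. Rewrites the system
# resolv.conf so the libc resolver talks to the local dnsmasq only; there is
# no second nameserver to fall through to.
pin_system_resolver() {
    tmp="$SYSTEM_RESOLV.$$"
    {
        if [ -n "$1" ]; then
            printf 'search %s\n' "$1"
        fi
        printf 'nameserver 127.0.0.1\n'
    } > "$tmp"
    mv "$tmp" "$SYSTEM_RESOLV"
}

# check_system_resolver: returns 0 when the system resolv.conf names no
# nameserver other than 127.0.0.1 (a missing file also passes, as the
# default resolver behaviour is to query 127.0.0.1), 1 when anything else
# has crept in.
check_system_resolver() {
    if grep -E '^[[:space:]]*nameserver' "$SYSTEM_RESOLV" 2>/dev/null \
        | grep -vq '127\.0\.0\.1'; then
        return 1
    fi
    return 0
}

# Hook entry point, as dhcpcd would invoke it; a no-op when $reason is unset.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        write_upstreams "${new_domain_name_servers:-}"
        pin_system_resolver "${new_domain_name:-}"
        ;;
esac
```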



Re: [Dnsmasq-discuss] dnsmasq for road warriors

2012-11-13 Thread /dev/rob0
On Tue, Nov 13, 2012 at 09:42:34PM +, Ed W wrote:
 On 13/11/2012 15:03, /dev/rob0 wrote:
 And dhcpcd(8) is writing domain_name_servers to
 /var/lib/dhcpcd/resolv.conf.
 
 How do you remove servers from that file when the link goes down?

Why would I care? If I have no connection, nothing will resolve, 
unless already cached. :)

 What if two connections try to add the same entries and then one
 of them goes down?

That does not happen. I only have one DHCP client. If I plug in on 
the wired network, I turn off the wireless. I forgot to mention, I 
don't use Network Manager and the like. I'm mostly on wireless with 
this thing, and wpa_supplicant.conf(5) manages wireless connections.

Thanks for your interest, Ed. I think we're good here. :)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] dnsmasq for road warriors

2012-11-11 Thread /dev/rob0
 On 10/11/2012 15:54, /dev/rob0 wrote:
 Seems to me that dnsmasq is a better nscd replacement, and
 it has a place in mobile computing.
 
 # we use this dnsmasq as this system's own resolver
 no-resolv

On Sat, Nov 10, 2012 at 05:46:10PM -0600,
   richardvo...@gmail.com wrote:
 no-resolv is doing more harm than good.

 dnsmasq is smart enough to ignore 127.0.0.1 in /etc/resolv.conf
 And it will automatically pick up DHCP-assigned DNS servers which
 written there.

But you don't understand. The point of dnsmasq on a laptop is to 
serve ONLY that machine and its local processes. /etc/resolv.conf 
must contain ONLY nameserver 127.0.0.1. If there are other 
nameservers listed, the system resolver will be contacting them;
possibly getting different results, and ... well, this discussion 
would not be relevant to the dnsmasq list.

 Some DHCP clients have an option to update a different file with 
 the DNS servers, in that case use dnsmasq's resolv-file option.

Either this, or DHCP hooks as Ed mentioned, is the way to go. 
Actually DHCP hooks are needed in either case, as dnsmasq must be 
signalled to reread its configuration (I guess that means stop and 
restart, which is sad because it loses the cache.)

On Sun, Nov 11, 2012 at 08:34:38PM +, Ed W wrote:
 Try:
 http://roy.marples.name/projects/openresolv

Eww, no. That's a kludge, and again, it totally misses the point of 
this dnsmasq instance exclusively providing DNS to local processes. 
This was brought to the dnsmasq mailing list for a reason: I am 
indeed using dnsmasq.

 Speaking of cruft, maybe that's not a bad thing? What will
 dnsmasq do with multiple upstream servers?
 
 server=192.168.40.1
 server=192.168.0.1
 server=192.168.1.1
 server=8.8.4.4
 
 When we're at a site where one of those is our router, that
 should respond much faster than 8.8.4.4 can. OTOH, it could
 cause intermittent errors with local names; 8.8.4.4 is not
 going to know minipax.rob0.lan.
 
 Can we prioritise upstream servers? --all-servers implies that
 this can be done somehow, but I don't know how ... is it merely 
 the order in which they are listed in the config (or on the
 command line)? When not using --all-servers, how does dnsmasq
 decide when to try a different one, and which one will be tried
 in that case? Random selection, rotating sequential, fixed 
 top-down priority?
 
 Nothing wrong with dhcp hooks.  Setup things as advanced as you 
 need. Dnsmasq regularly sends *all* requests to *all* nameservers 
 and picks the fastest responding.  So it will choose a faster 
 responding server where there are several options

This goes against what the manual says. See --all-servers in the 
man page. What you describe is only applicable when --all-servers 
was specified. I don't think I would want that.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



[Dnsmasq-discuss] dnsmasq for road warriors

2012-11-10 Thread /dev/rob0
Seems to me that dnsmasq is a better nscd replacement, and it has a
place in mobile computing.

# we use this dnsmasq as this system's own resolver
no-resolv
# I'm not sure if both of these are needed; we only want DNS and
# only on loopback; we serve only this machine.
no-dhcp-interface=lo
listen-address=127.0.0.1
user=dnsmasq
group=dnsmasq
# When connected to VPN, these names/addresses resolve. When not
# connected, they don't, but that's okay, because we can't get to
# them anyway.
server=/rob0.vpn/192.168.6.1
server=/6.168.192.in-addr.arpa/192.168.6.1
# upstream: Google Public DNS
server=8.8.4.4

The problem here is when you might not want to use 8.8.4.4, such as
when you're at a dnsmasq site where internal DNS is working. The 
solution, I guess, would be a hook in the DHCP client to write the 
DHCP-obtained nameserver[s] to a dnsmasq.d/file to include, and
signal or restart dnsmasq.

Problem with that solution: will dnsmasq.d get crufty, or do we just 
reuse the same file? Also, what if one of the mobile connections is 
not handled by DHCP, such as some cellular data connections?

Speaking of cruft, maybe that's not a bad thing? What will dnsmasq do 
with multiple upstream servers?

server=192.168.40.1
server=192.168.0.1
server=192.168.1.1
server=8.8.4.4

When we're at a site where one of those is our router, that should 
respond much faster than 8.8.4.4 can. OTOH, it could cause 
intermittent errors with local names; 8.8.4.4 is not going to know 
minipax.rob0.lan.

Can we prioritise upstream servers? --all-servers implies that this 
can be done somehow, but I don't know how ... is it merely the order 
in which they are listed in the config (or on the command line)? When 
not using --all-servers, how does dnsmasq decide when to try a 
different one, and which one will be tried in that case? Random 
selection, rotating sequential, fixed top-down priority?

Ideally we'd want something which you set up one time and is mostly 
done; something that should work at regular sites you frequent, as 
well as most public hotspots.
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Unable to connect by hostname for local machines

2012-10-23 Thread /dev/rob0
On Tue, Oct 23, 2012 at 06:49:19AM -0600, dnsm...@ailsby.net wrote:
 On 12-10-22 10:32 PM, /dev/rob0 wrote:
 On Mon, Oct 22, 2012 at 09:24:34PM -0600, dnsm...@ailsby.net wrote:
 I am trying to setup dnsmasq so that I can use the OpenDNS 
 servers for my younger children, and then have all other devices 
 use a different dns server (Google's).
 
snip
 Any ideas on what I need to do so that the devices in the ip 
 range 192.168.1.10 to 192.168.1.99 can use hostnames to connect 
 to each other?  Is there any other information that is needed to 
 understand this issue?
 Probably what you want to do is to use a different upstream server 
 for the big people and little people machines. And I know of no 
 trivial way to do that in a single instance of dnsmasq. It might 
 require two instances (one of them being DNS-only.) And I'm not 
 sure that would be easy, either.
 
 This could be done with BIND named using views (and there too,
 you would benefit from the above CIDR suggestion.) But then you 
 wouldn't have the ease of setup of dynamic DNS that dnsmasq 
 offers.
 Thanks for the clear response.  I will have to see if there is
 some other way to get to my desired end point.

Hmmm. Maybe.

What about dnsmasq on port 1035 instead of 53? This gives the best of 
both worlds, mostly. What you lose is the ability to easily override 
any given name in the global DNS by putting it in your hosts(5) file. 
But you do have dnsmasq as DHCP server and as authoritative NS for 
your internal hostnames, plus having your DHCP dynamic pool hosts 
using OpenDNS. (There's no benefit in using Google forwarders over 
recursion, so the example below uses a hints zone in the default 
view.)

This is untested and made with minimal reference to the BIND 9 ARM 
and the dnsmasq(8) manual, so caveat emptor, and comments, additions 
and corrections are appreciated.


named.conf(5):

acl dhcp { 192.168.1.128/26; }; # .128-.191
# not really using these but define them anyway
acl statics { 192.168.1.64/27; }; # .64-.95
acl lan { 192.168.1.0/24; }; # .0-.255

# options section omitted; mostly defaults will do, but you will
# typically want to set a path which is used for any file
# arguments without absolute paths, such as a zone file or hints
# file. Remember if you want to serve any zones, even localhost,
# to declare that zone in both views.

# matches DHCP clients
view "dhcp" {
    match-clients { dhcp; };
    zone "ailsby.lan" IN {
        type forward;
        # for named running on the router
        forwarders { 127.0.0.1 port 1035; };
        # for named running on an internal host
        #forwarders { 192.168.1.1 port 1035; };
    };
    zone "." IN {
        type forward;
        forwarders { open.dns.hosts.here; };
    };
};

# matches anything else
view "default" {
    match-clients { any; };
    zone "ailsby.lan" IN {
        type forward;
        # for named running on the router
        forwarders { 127.0.0.1 port 1035; };
        # for named running on an internal host
        #forwarders { 192.168.1.1 port 1035; };
    };
    zone "." IN {
        type hint;
        file "/path/to/root.hints";
    };
};

dnsmasq config includes your static hosts and:

port=1035
# we should never be asked names we don't know
no-resolv
domain=ailsby.lan
dhcp-range=192.168.1.128,192.168.1.191
# use this if named is running on the router
dhcp-option=option:dns-server,0.0.0.0
# use this if named is running on an internal server
#dhcp-option=option:dns-server,192.168.1.65


This is actually the opposite of my own home config, where named 
listens on 1035 and dnsmasq on 53, but I don't need multiple views.

Simon, I know you want to keep dnsmasq simple, but have you 
considered implementing views? Probably not feasible, I guess. 
Aforementioned DNS overrides, which are so easy in dnsmasq, would 
require a zone with two declarations in the above scheme. (That zone 
could be the same as ailsby.lan, forwarding to dnsmasq, but it 
quickly gets difficult to manage in any case.)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Unable to connect by hostname for local machines

2012-10-22 Thread /dev/rob0
On Mon, Oct 22, 2012 at 09:24:34PM -0600, dnsm...@ailsby.net wrote:
 I am trying to setup dnsmasq so that I can use the OpenDNS servers
 for my younger children, and then have all other devices use a
 different dns server (Google's).
 
 The problem that I am having is that I cannot use the hostname of 
 any of my local devices to connect, I can only do it via the ip

Neither Google nor OpenDNS knows the names and addresses of your 
internal hosts. If you are setting your machines to use these 
external nameservers, you're not using the DNS feature of dnsmasq.

 address. This happens with my ubuntu server, and osx machines.  My 
 windows laptop does not have an issue, and can ping other devices 
 by hostname.
 
 As far as I can tell, all else is working properly.  The devices 
 that are supposed to use OpenDNS are, and the ones that should use 
 google's dns are.
 
 My setup:
 * tomatousb on my router
 * dnsmasq is version 2.61
 * static dns set to the OpenDNS ips
 * static ips assigned to the machines I want to use the google dns servers
 * dynamic ips assigned to the machines to use the OpenDNS servers.
 Set to the range of 192.168.1.100 to 192.168.1.199

A style suggestion: I would use CIDR-style ranges rather than 
decimal-style. For example, 192.168.1.128-196 can be addressed in a 
single CIDR expression, 192.168.1.128/26.

 Options set for dnsmasq:
 # Range of IPs that are set up as static (computers that should
 have unrestricted DNS)
 
 dhcp-range=set:green,192.168.1.10,192.168.1.99
 
 dhcp-option=net:green, 3, 192.168.1.1 #Assigns green gateway to
 these clients
 dhcp-option=net:green, 6, 8.8.8.8 #Assigns green' DNS server to
 these clients (google).
 
 Any ideas on what I need to do so that the devices in the ip range
 192.168.1.10 to 192.168.1.99 can use hostnames to connect to each
 other?  Is there any other information that is needed to understand
 this issue?

Probably what you want to do is to use a different upstream server 
for the big people and little people machines. And I know of no 
trivial way to do that in a single instance of dnsmasq. It might 
require two instances (one of them being DNS-only.) And I'm not sure 
that would be easy, either.

This could be done with BIND named using views (and there too, you 
would benefit from the above CIDR suggestion.) But then you wouldn't 
have the ease of setup of dynamic DNS that dnsmasq offers.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] MX forwarding

2012-08-23 Thread /dev/rob0
Simon is on holiday and might not be able to answer very soon. The 
only other nugget I can toss out is this one:

On Thu, Aug 23, 2012 at 10:26:25AM -0400, Gene Czarcinski wrote:
 I checked my dnsmasq.conf and I have local=/xxx/, domain xxx,

XXX is a valid top-level domain, so it might not be a good choice 
for your internal domain. That said, it was chosen to be easy to 
block, because many sites will want to do that.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] MX forwarding

2012-08-23 Thread /dev/rob0
On Thu, Aug 23, 2012 at 11:41:17AM -0400, Gene Czarcinski wrote:
 On 08/23/2012 10:44 AM, /dev/rob0 wrote:
 On Thu, Aug 23, 2012 at 10:26:25AM -0400, Gene Czarcinski wrote:
 I checked my dnsmasq.conf and I have local=/xxx/, domain xxx,
 XXX is a valid top-level domain, so it might not be a good 
 choice for your internal domain. That said, it was chosen to be 
 easy to block, because many sites will want to do that.

 Actually, that was just for the example.  With the real testing
 I used domain names such as test, bigboy, and thisisit.

Ah, I just figured it was the actual domain because I could think of 
no reason why you'd want to mung names like test, bigboy, and 
thisisit. :)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] server-side dynamic resolving

2012-08-14 Thread /dev/rob0
 On Mon, Aug 13, 2012 at 05:17:49PM +0200, Chris Wilson wrote:
  Running a real DNS server and dnsmasq on the same host might be 
  tricky. You might need to add an IP alias on the server and
  bind BIND to that alias, and dnsmasq's DNS server to the main
  IP address.

It's not tricky at all, and it's much simpler than that. I use an
alternate port for named:
[named.conf or included file]
listen-on port 1035 { 127.0.0.1; };
and tell dnsmasq to ignore resolv.conf and use named as its upstream 
resolver:
[dnsmasq.conf or included file]
no-resolv
server=127.0.0.1#1035

You can use multiple listen-on directives in named.conf(5) if needed.

FWIW I have posted about this on this list in the past. I like 
dnsmasq as DHCP server and for the relative ease of administration.

On Mon, Aug 13, 2012 at 07:10:58PM +0200, John Hallam wrote:
 * If you are wondering, why two caches, the reason is that dnsmasq
 allows me to redirect troublemaker domains to the black hole easily,
 while dnscache is a somewhat-paranoid full recursive caching
 resolver.  (The dnsmasq has to forward queries to the dnscache;  the
 reverse doesn't work straightforwardly.)

FSVO full and paranoid. dnscache does not support DNSSEC 
signature verification, does it? Is anybody hacking on it since its 
abandonment?
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Using dhcp-host hostname as address for DNS

2012-07-31 Thread /dev/rob0
On Sun, Jul 29, 2012 at 11:25:49PM +0200, gabriel wrote:
 On 07/29/2012 06:39 PM, Simon Kelley wrote:
  On 26/07/12 13:31, gabriel wrote:
  My question is whether it would be possible to have a single 
  line config statement for mac-ip-hostname mapping.
  But I want to have the DNS entries permanently preserved resp. 
  dns mappings without prior dhcp ip negotiation. Actually this 
  means I don't want DNS to be dynamic.
 
  Is this somehow configurable?
  
  Yes. Put the hostname-IP address mapping in /etc/hosts and the 
  mac_address-hostname mappings in /etc/dnsmasq.conf in dhcp-host 
  lines.
  
  
  so: in /etc/hosts
  
  1.2.3.4 myhost
  
  in /etc/dnsmasq.conf
  
  dhcp-host=00:11:22:33:44:55,myhost
 
 So this means that I can't maintain my hosts in a single file with 
 only one statement?

Single statement, not that I know of.

Single file, sure. See -A, --address in the man page.

in /etc/dnsmasq.conf :

dhcp-host=00:11:22:33:44:55,myhost
address=/myhost/1.2.3.4
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] multi-homed server with same hostname on 2 subnets

2012-07-21 Thread /dev/rob0
On Sat, Jul 21, 2012 at 12:49:38PM -0700, Craig Yoshioka wrote:
 Sorry, typo the lines should have been:
 
  dhcp-host=eth0,myserver,192.168.0.10
  dhcp-host=eth1,myserver,192.168.1.10

 On Jul 21, 2012, at 12:44 PM, Craig Yoshioka crai...@me.com wrote:
  I have a server using two interfaces for different subnets, with 
  the same hostname on both. The subnets are:
  192.168.0.0/24
  192.168.1.0/24

FWIW 192.168.0.0/23 are the worst possible choices because they 
conflict with what most off-the-shelf routers use. If you ever need 
to connect your networks to another, such as via a VPN, you might 
find out why.

  I've gotten each interface to get the correct IP from dnsmasq using:
  dhcp-host=eth0,myserver,192.168.0.10
  dhcp-host=eth0,myserver,192.168.1.10
  
  but when dnsmasq is asked to resolve the address of myserver it 
  always answers with 192.168.1.10 regardless of what subnet the 
  request came from.
  
  What's the proper way to setup this up?

See -y, --localise-queries in the dnsmasq(8) manual.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] New job vacancy - see details

2012-07-19 Thread /dev/rob0
On Thu, Jul 19, 2012 at 09:37:56AM +0100, Simon Kelley wrote:
 OK, the new regexp caught three of the warmits overnight, so that's 
 looking good. I've added the list to my Spamassassin bypass, so 
 I'll be more aware if this mutates and they start to get through 
 again.

Awesome, thank you.

I looked at that expression again, and it could have been more
complete, which may be why you had a hard time understanding it.

^From: .*@.*@

That matches any From header with more than one @ sign, as all the 
spams had.

 I hope that fixes things, we don't want to lose subscribers!

Thanks again.

Those of you who are in the UK (I am not, only my German email 
address is :) ) please consider taking some action against these 
nasty spammers. They're easily traceable, and these spams on here 
might result in some substantial fines.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



[Dnsmasq-discuss] spam on the list

2012-06-18 Thread /dev/rob0
On Mon, Jun 18, 2012 at 06:44:59PM +0100,
   dnsmasq-disc...@thekelleys.org.uk wrote:

 Date: Mon, 18 Jun 2012 18:44:59 +0100
 From: dnsmasq-disc...@thekelleys.org.uk, wzeatbr...@thekelleys.org.uk,
  andrewhe...@thekelleys.org.uk, si...@thekelleys.org.uk,
  bwarnockj...@thekelleys.org.uk
 To: dnsmasq-disc...@thekelleys.org.uk, wzeatbr...@thekelleys.org.uk,
  andrewhe...@thekelleys.org.uk, si...@thekelleys.org.uk,
  bwarnockj...@thekelleys.org.uk
 Subject: [Dnsmasq-discuss] Cosultant and promotion company looking for
  liason from your area
 List-Id: Dnsmasq discussion dnsmasq-discuss.lists.thekelleys.org.uk

A simple expression in Mailman can block most of these:

^From: .*@.*@

I wouldn't use that to drop mail, but it's safe to hold them for 
approval by the moderator. You won't get very many, and they'll 
usually be spam.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
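The Mailman header rule from this message and from the "New job vacancy" reply above, as an added example that is not part of either post: it applies ^From: .*@.*@ to constructed message headers and shows what gets held, what passes, and why holding for moderation rather than dropping is the right setting. All sample messages and addresses below are constructed.

```shell
#!/bin/sh
# Added example, not from the list posts. Applies the thread's Mailman
# header rule to constructed raw messages.

# classify_headers: $1 = a complete raw message (headers, blank line, body).
# Prints "hold" when the From: header carries more than one @ sign, which is
# the pattern the list's spam shared, and "pass" otherwise. sed stops at the
# first blank line, so a "From:" inside the body cannot trigger the rule.
classify_headers() {
    if printf '%s\n' "$1" | sed '/^$/q' | grep -Eq '^From: .*@.*@'; then
        echo hold
    else
        echo pass
    fi
}

# Constructed spam modelled on the headers quoted in the thread: several
# addresses crammed into a single From: header.
SPAM_MSG='Date: Mon, 18 Jun 2012 18:44:59 +0100
From: list@example.org, target1@example.org, target2@example.org
To: list@example.org
Subject: Consultant and promotion company looking for liaison

Our company is looking for a liaison in your area.'

# Constructed ordinary list post: one address, one @.
LEGIT_MSG='From: Simon Kelley <simon@example.org>
To: list@example.org
Subject: Re: Announce: release candidate

The DHCPv6 code is looking pretty good now.'

# A legitimate From: whose quoted display name contains an @ also matches,
# so the rule can misfire; that is why it should hold, not drop.
QUOTED_NAME_MSG='From: "rob@home" <rob0@example.org>
To: list@example.org

Hello list.'

# "From:" in the body must not count; only the header block is examined.
BODY_ONLY_MSG='From: alice@example.org
To: list@example.org

From: a@b@c is a quoted spam header, not mine.'

for msg in "$SPAM_MSG" "$LEGIT_MSG" "$QUOTED_NAME_MSG" "$BODY_ONLY_MSG"; do
    printf '%s: %s\n' "$(classify_headers "$msg")" \
        "$(printf '%s\n' "$msg" | grep -m 1 '^From:')"
done
```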



Re: [Dnsmasq-discuss] A (possibly bad) idea: failover in dnsmasq

2012-05-25 Thread /dev/rob0
On Fri, May 25, 2012 at 01:17:57PM +0200, Jan-Piet Mens wrote:
 Being very lightweight, dnsmasq must not be bloated by having
 a huge MySQL or other database attached to it.

I'd suggest SQLite as a possibility. Easy to include, and as they 
say: Small. Fast. Reliable. Choose any three.

http://sqlite.org/

I'm not sure how/if this would help with the goal of failover, but
I think it might be worth considering if there is to be external
database/storage for dnsmasq.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] resolve subdomains / name-based vhosts

2012-04-15 Thread /dev/rob0
On Sun, Apr 15, 2012 at 05:29:43PM +0200, go4un...@hushmail.com wrote:
 the question i have isn't dnsmasq specific, but i hope in this
 forum are a lot of dns cracks (i call me a newbie).
 
 i have a dyndns account for my dynamic ip, so that i can reach my
 home lan from the internet. i also have a registered domain.
 
 further i can create in my dyndns account cnames for subdomains.

Hostnames, not subdomains. Subdomain implies delegation to 
another authority. For example, the uk. domain delegates to 
org.uk. which in turn delegates to thekelleys.org.uk.

 examples:
 
 - - foo1.mydomain.org

You probably don't own mydomain.org. Please don't use real domain 
names as examples. We have example.org (and others) for that.

 - - foo2.mydomain.org
 - - foo2.mydomain.org
 
 what i have in mind is to run an apache2 server using name-based
 vhosts for a school. example:
 
 - - foo1.mydomain.org
 - - foo2.mydomain.org
 - - foo3.mydomain.org
 
 now my question is, when a student uses for example
 foo1.mydomain.org in his browser, could the browser find my name-
 based vhost (all vhost are behind the same router (wan-ip), or do i
 have to configure for each vhost a different port.

It seems like one thing you are not understanding is the concept of 
HTTP virtual hosts. All you have to do in dnsmasq is to list each 
name with that IP address in /etc/hosts(5):

192.168.16.32   foo1.example.edu
192.168.16.32   foo2.example.edu
192.168.16.32   foo3.example.edu

 the router runs dnsmasq. does dnsmasq have to find out which
 subdomain leads to the wan-ip? or is there another possibility to
 find out, which subdomain leads to the wan-ip?

The WAN IP address has nothing to do with this. The whole point of 
dnsmasq is to have the external names resolve to internal addresses.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Feature Request(s)

2012-03-15 Thread /dev/rob0
On Thu, Mar 15, 2012 at 10:24:44AM -0700, Rob Zwissler wrote:
 Yah, seems to me it would make more sense to key off the IP address 
 (or have that come first in the config) as it seems to make more 
 sense to organize zone files by IP, and since you can have multiple 
 A's per IP but not multiple IPs per PTR.

You CAN have as many PTR records as you want on any name. However, 
it's unlikely to do anything useful.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Feature Request(s)

2012-03-15 Thread /dev/rob0
On Thu, Mar 15, 2012 at 03:14:08PM -0500,
   richardvo...@gmail.com wrote:
 On Thu, Mar 15, 2012 at 2:34 PM, /dev/rob0 r...@gmx.co.uk wrote:
 
  On Thu, Mar 15, 2012 at 10:24:44AM -0700, Rob Zwissler wrote:
   Yah, seems to me it would make more sense to key off the IP 
   address (or have that come first in the config) as it seems to 
   make more sense to organize zone files by IP, and since you can 
   have multiple A's per IP but not multiple IPs per PTR.
 
  You CAN have as many PTR records as you want on any name. 
  However, it's unlikely to do anything useful.
 
 Since the PTR name contains the IP, by definition different IPs
 means different PTR records.

There is nothing preventing you from having as many PTRs on a single 
in-addr.arpa name as you might wish. Here's a silly example:

$ dig 78.247.23.216.in-addr.arpa. any @216.23.247.74

;; QUESTION SECTION:
;78.247.23.216.in-addr.arpa.IN  ANY

;; ANSWER SECTION:
78.247.23.216.in-addr.arpa. 7200 IN SOA ns.slackbuilds.org. 
hostmaster.ns.slackbuilds.org. 2012031502 28800 7200 864000 7200
78.247.23.216.in-addr.arpa. 7200 IN NS  ns2.slackbuilds.org.
78.247.23.216.in-addr.arpa. 7200 IN PTR c78.nodns4.us.
78.247.23.216.in-addr.arpa. 7200 IN PTR 
look.here.another.ptr.78.247.23.216.in-addr.arpa.
78.247.23.216.in-addr.arpa. 7200 IN PTR third.ptr.wow.
78.247.23.216.in-addr.arpa. 7200 IN A   216.23.247.79
78.247.23.216.in-addr.arpa. 7200 IN TXT A TXT record also.
78.247.23.216.in-addr.arpa. 7200 IN TXT CNAME record is the one thing 
we cannot do.

SOA, NS, three PTRs, A, and two TXTs on that name. Silly stuff, yet 
quite within the range of DNS legitimacy. My point is, however, that 
resolvers won't know what to do with multiple PTRs on the same name.

Similarly, you can add PTR records in forward zones. There's no 
limit to the fun, fine in DNS. But no resolver would ask for these 
PTRs (unless in an RFC 2317 CNAME reference.)

See, I even missed the trailing dot on the middle PTR for fun. Or 
pure sloppiness. :)

In 877gylpki8@benfinney.id.au
On Fri, Mar 16, 2012 at 09:27:59AM +1100, Ben Finney wrote:
 /dev/rob0 r...@gmx.co.uk writes:

  You CAN have as many PTR records as you want on any name. 
  However, it's unlikely to do anything useful.

 It can be quite useful, since machines can have multiple NICs
 on the same network (for redundancy, among other reasons) each 
 presenting a different IP address.

I thought we were talking about multiple PTRs on the same name. 
Different IP addresses would mean different in-addr.arpa names. It
sounds like you are talking about multiple identical PTR values, 
where the in-addr.arpa names differ.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Announce: release candidate dnsmasq-2.60rc1

2012-02-29 Thread /dev/rob0
On Tue, Feb 28, 2012 at 08:05:41PM +, Simon Kelley wrote:
 The DHCPv6 code is looking pretty good now (thanks all testers).
 
 So good, in fact, that I think it's time to start moving gently 
 towards a release. I've just created 2.60rc1, available at

Just a thought ... having added DHCPv6, perhaps this warrants a major 
release, i.e., 3.0? :)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if /dev/rob0 is in the Subject:



Re: [Dnsmasq-discuss] Using a secondary set of nameservers for dynamic blocking

2011-08-07 Thread /dev/rob0
On Sun, Aug 07, 2011 at 03:05:25PM +0100, Sam Crawford wrote:
 I'm looking to selectively block certain domains using dnsmasq by 
 rewriting responses. I realise this can already be done statically 
 through config files, but I want this to be more dynamic and intend 
 to operate a set of DNS servers that maintains a list of blocked

I think the thing to change in this grand scheme is what the set of 
DNS servers will return. They could be authoritative for blocked 
domains, and recursive for everything else. In that case no code 
hacks are necessary; you simply use these servers as the upstream 
servers for dnsmasq.

It's also possible to use dnsmasq in this upstream role, loading 
a list of blocked domains as a hosts file, SIGHUP (IIRC) when it 
changes.

 domains (as this will be (a) a large list and (b) be used by 
 numerous clients, so should be centrally managed). So, I'm imagining 
 the query flow would go a little like this:
 
 1) Client in LAN makes A query for www.example.com to dnsmasq
 2) dnsmasq forwards query to ISP-hosted resolver
 3) dnsmasq receives response from ISP-hosted resolver
 4) dnsmasq sends query to special DNS server to check for blocked status
 5) dnsmasq receives response from special 'blocked' DNS server
 6) If the query to the 'blocked' DNS server dnsmasq returns success (a
 certain magic number), then return the real response to the user
 (obtained in step 3), otherwise a spoofed address (e.g. localhost)

What RRtype would this magic number be? My idea also requires no 
protocol-level hacks.

Having done domain blocking before, I would recommend that the 
address returned for A query point to a special HTTP host with a 
page telling the user that the domain was blocked, and why. A simple 
static HTML page (which is also used as the 404 page) would suffice.

 (Of course, I'd intend to introduce caching in steps 4/5 as
 dnsmasq does normally for its forwarding functionality).
 
 A couple of questions arise:
 
 1) Is this a sensible thing to be doing in dnsmasq? Is there 
 something else that does it natively that I've overlooked?
 2) Can anyone point me towards where I should start looking in
 the source to incorporate the changes?
 
 Any advice would be greatly appreciated. I've searched the mailing
 list archives and couldn't find anything quite like this.

DNS-level domain blocking is not a new idea. http://pgl.yoyo.org/as/ 
was helpful in my project back in '05 or so. OpenDNS implements a 
domain blocking feature as well. http://www.malwaredomains.com/ may 
also be of interest.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] Is the file in /lib/resolvconf/list-records still used with Ubuntu 11.04

2011-07-04 Thread /dev/rob0
On Mon, Jul 04, 2011 at 02:56:12PM +0200, Nick wrote:
 I'm using dnsmasq as a local cache on my Ubuntu desktops, and
 came across the reference to this file in the config file
 /etc/resolconf/update.d/dnsmasq.
 
 It doesn't exist on my systems.
 
 What should it contain, if anything? Is it still relevant?

I think resolvconf is a Debian-specific package. It is not a
part of dnsmasq, and thus this list is not the best place from 
which to seek support for it.

I would suggest Google and Ubuntu help forums.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] Switching from ISC dhcpd and IPv6 DNS

2011-04-21 Thread /dev/rob0
On Thu, Apr 21, 2011 at 08:06:50PM +0100, Freddie Witherden wrote:
 On 21/04/11 19:49, Bill C Riemers wrote:
 Strange, why would you want use_tempaddr=1?  If you use_tempaddr=0, 
 your addresses will be assigned based on the radvd network prefix 
 and the MAC address of the device.  Your IPv6 addresses will be the 
 same every time, unless your network prefix changes, or you change 
 a MAC address of a device.
 
 I consider it to be a very serious privacy concern.  Advertising 
 one's MAC address to the public internet makes tracing cookies look 
 like Swiss Banking laws.  I may well be wrong but I think that 
 Windows may even enable such tempaddr mischief by default.

I don't understand. A MAC address is only relevant in a physical 
network segment. You simply *must* give a MAC address to hosts on 
your segment in order to have networking. But beyond that segment, 
there's no meaning to a MAC.

Sure, someone can look it up and find out what kind of NIC or 
embedded device you bought. But no, I don't see a serious privacy 
concern here. Am I missing something, or are you?
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] Setting up NXDOMAIN response

2011-04-14 Thread /dev/rob0
On Thu, Apr 14, 2011 at 07:22:14PM +0530, Vijay Sharma wrote:
 Is it possible to configure dnsmasq so that it returns NXDOMAIN
 response for a list of existing valid hostnames?

Read about -S, --local, --server in the man page. You simply 
declare yourself authoritative for those names, and no forwarding 
will be done. So if no IP is specified, they are NXDOMAIN.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] ptr records - different behavior on CentOS and Debian ?

2011-04-13 Thread /dev/rob0
On Wed, Apr 13, 2011 at 11:30:31AM +0530, Mohit Chawla wrote:
 On Wed, Apr 13, 2011 at 1:19 AM, Mohit Chawla 
 mohit.chawla.bin...@gmail.com wrote:
 
  I need to validate the correct behavior of dnsmasq when serving 
  ptr records.
 
 I must have missed something before, things are working similarly 
 on CentOS and Debian. Although I haven't added any ptr-record lines 
 in the hosts file, answers to ptr queries are being returned 
 successfully. Is this correct ?

The hosts(5) file format is far simpler than a DNS zone file or a 
dnsmasq(8) config file. IP.add.re.ss name [alias ...]. dnsmasq 
assumes that the presence of a hosts listing for IP.add.re.ss means 
that you want a PTR for ss.re.add.IP.in-addr.arpa. to have that 
name. You can't put any specific DNS records in there; it's the job 
of dnsmasq to translate hosts into DNS.

In addition, PTRs are returned for IP addresses subject to DHCP 
leases.

I don't know how multiple hosts listings for the same IP address are 
handled by dnsmasq, but I'll bet it's in the [very] fine manual. :)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
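
A small added illustration of the hosts(5)-to-PTR translation described above (this is example code written for this archive, not dnsmasq's own implementation): it parses hosts(5) lines, keeps the forward names, and derives the in-addr.arpa. (or ip6.arpa. for IPv6) name for each address. The sample hosts text is constructed. Where several listings share one address, all of their names are collected; which one dnsmasq actually serves is not modelled here.

```python
"""Translate hosts(5) entries into forward and reverse DNS names.

Added example, not dnsmasq code: an entry `IP.add.re.ss name [alias ...]`
yields forward entries for every name and a PTR name under in-addr.arpa.
(IPv4) or ip6.arpa. (IPv6) for the address.
"""
import ipaddress

# Constructed sample input, not taken from the thread.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored

127.0.0.1     localhost
192.168.4.10  printer.lan printer
192.168.4.10  printer2.lan        # second listing for the same address
2001:db8::1   router.lan
bogus         notanaddress
"""


def reverse_name(addr: str) -> str:
    """Return the in-addr.arpa./ip6.arpa. name for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    # IPv6: one label per nibble of the fully expanded address, reversed.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def parse_hosts(text: str):
    """Parse hosts(5) text into (forward, reverse) maps.

    forward: name -> list of addresses (aliases get the same address)
    reverse: arpa name -> list of canonical (first) names for that address
    Malformed addresses and lines without a name are skipped.
    """
    forward = {}
    reverse = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no name
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                           # not an address: skip
        for name in names:
            forward.setdefault(name.lower(), []).append(addr)
        reverse.setdefault(reverse_name(addr), []).append(names[0].lower())
    return forward, reverse


if __name__ == "__main__":
    fwd, rev = parse_hosts(SAMPLE_HOSTS)
    for arpa, names in rev.items():
        print(f"{arpa} PTR {', '.join(names)}")
```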



Re: [Dnsmasq-discuss] ptr records - different behavior on CentOS and Debian ?

2011-04-13 Thread /dev/rob0
On Wed, Apr 13, 2011 at 10:25:55PM +0530, Mohit Chawla wrote:
 On Wed, Apr 13, 2011 at 9:25 PM, /dev/rob0 r...@gmx.co.uk wrote:
 
  The hosts(5) file format is far simpler than a DNS zone file or a 
  dnsmasq(8) config file. IP.add.re.ss name [alias ...]. dnsmasq 
  assumes that the presence of a hosts listing for IP.add.re.ss 
  means that you want a PTR for ss.re.add.IP.in-addr.arpa. to 
  have that name. You can't put any specific DNS records in there; 
  it's the job of dnsmasq to translate hosts into DNS.
 
 Cool, thanks ! Then I guess the --ptr-record option is for the 
 dnsmasq config file instead.

Right. I like using a dnsmasq.d directory for things like that, where 
records for a specific purpose are in their own modular file:
conf-dir=/etc/dnsmasq.d
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] txt-record service discovery

2011-03-03 Thread /dev/rob0
On Thu, Mar 03, 2011 at 04:29:22AM -0500, Weedy wrote:
 After pouring over the dox I came to the syntax of:
 
 txt-record=_pdl-datastream._tcp.openwrt.lan.,product=(HP LaserJet 1200)
 txt-record=_pdl-datastream._tcp.openwrt.lan.,pdl=application/vnd.hp-PCL
 txt-record=_pdl-datastream._tcp.openwrt.lan.,pdl=application/vnd.cups-postscript
 txt-record=_pdl-datastream._tcp.openwrt.lan.,usb_MFG=HP
 txt-record=_pdl-datastream._tcp.openwrt.lan.,usb_MDL=HP LaserJet
 1200,note=Basement
 txt-record=_pdl-datastream._tcp.openwrt.lan.,note=Basement
 
 Obviously this doesn't work or I would not be posting.

Perhaps you could be more specific about what is not working:
1. If dig _pdl-datastream._tcp.openwrt.lan. txt shows all those 
   records, dnsmasq did its part, and is working fine. Whatever
   uses those TXT records for service discovery is probably not
   on topic here.
2. If not, complete information would be required, to help you.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] Listen to two interfaces?

2010-11-30 Thread /dev/rob0
On Tue, Nov 30, 2010 at 12:52:08PM -0600, Frederick C. Damen wrote:
 Query: How does dnsmasq associate the interface with the 
 dhcp-range?
 
 I do not detect an explicit connection, i.e. tags shared between 
 config entries.  I assume the implicit association is that the IP 
 address assigned to the interface outside of dnsmasq, e.g. 
 ifconfig, needs to be within the address range within dhcp-range 

Within the netblock, yes, but it should not be within the range 
itself. Refer to my example below:

  # eth0 being 192.168.4.1/24
  interface=eth0
  dhcp-range=192.168.4.128,192.168.4.191,255.255.255.0,12h

192.168.4.1 and the entire range are within 192.168.4.0/24.

  # wlan0 being 192.168.5.1/24
  interface=wlan0
  dhcp-range=192.168.5.64,192.168.5.127,255.255.255.0,12h

192.168.5.1 and the entire range are within 192.168.5.0/24.

 assigned within dnsmasq. (and dnsmasq marks the interface's IP 
 address as used). What happens to the dhcp-range that does not 
 include one of the interfaces' IP addresses?

I don't know, but I would expect it to be logged as an error.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
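
An added check for the rule given above (example code for this archive, not part of dnsmasq): the interface address and the whole dhcp-range must sit in the same netblock, while the interface address itself stays outside the range. The sample values are the ones from the post; the third dhcp-range field is treated as a netmask only when it looks like one, since dnsmasq also accepts a lease time there.

```python
"""Sanity-check an interface address against a dnsmasq dhcp-range line.

Added example, not dnsmasq code. Returns a list of problems so the caller
can print them all at once; an empty list means the pairing is sound.
"""
import ipaddress


def parse_dhcp_range(value: str):
    """Parse 'start,end[,netmask][,lease]' (the IPv4 form used above)."""
    parts = [p.strip() for p in value.split(",")]
    start = ipaddress.ip_address(parts[0])
    end = ipaddress.ip_address(parts[1])
    # A dotted third field is a netmask; anything else (e.g. '12h') is not.
    netmask = parts[2] if len(parts) > 2 and "." in parts[2] else None
    return start, end, netmask


def check_range(iface_cidr: str, dhcp_range: str):
    """Return problems with pairing interface `iface_cidr` and `dhcp_range`."""
    iface = ipaddress.ip_interface(iface_cidr)
    net = iface.network
    start, end, netmask = parse_dhcp_range(dhcp_range)
    problems = []
    if end < start:
        problems.append(f"range end {end} precedes range start {start}")
    if netmask and ipaddress.ip_address(netmask) != net.netmask:
        problems.append(f"dhcp-range netmask {netmask} differs from "
                        f"interface netmask {net.netmask}")
    if start not in net or end not in net:
        problems.append(f"range {start}-{end} is not within {net}")
    if start <= iface.ip <= end:
        problems.append(f"interface address {iface.ip} lies inside the range")
    return problems


if __name__ == "__main__":
    # The eth0/wlan0 pairings from the post, plus one deliberately wrong one.
    for cidr, rng in [
        ("192.168.4.1/24", "192.168.4.128,192.168.4.191,255.255.255.0,12h"),
        ("192.168.5.1/24", "192.168.5.64,192.168.5.127,255.255.255.0,12h"),
        ("192.168.5.1/24", "192.168.4.128,192.168.4.191,255.255.255.0,12h"),
    ]:
        print(cidr, rng, check_range(cidr, rng) or "ok")
```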



Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-25 Thread /dev/rob0
On Thu, Jun 24, 2010 at 09:32:01PM +0200, clemens fischer wrote:
 /dev/rob0 wrote:
 
  On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:
 
  are there any plans of implementing Dynamic DNS for dnsmasq? 
   
  There is a perl script that adds that functionality here:
  http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl
  
  I don't understand all the desire to invent new protocols for dynamic 
  DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
  protocol, it should be RFC 2136. Dyndns.org's protocol is not a 
  standard.
  
  Some years back, before I really understood 2136, I wrote a perl/CGI 
  frontend for nsupdate(8) which does something similar without 

Clarification: if I had known then what I know now, I would have 
solved my issue by generating a key and using nsupdate(8) over the 
Internet, rather than HTTP. As per below, I do NOT know enough about 
2136 to figure a way for it to scale.

I'm not sure I understand enough about Alberto's issue to offer any 
suggestions, but perhaps the 2136/nsupdate idea would help. He 
mentioned in followup that a Kerberos-based authentication server 
might be under consideration, and that sounds promising.

FWIW, Alberto, Windows clients do speak 2136. I think they do it by 
default, regardless of the type of nameserver they're contacting.

A confusing thing about Alberto's description is the apparent idea 
that dnsmasq does not support dynamic DNS. On the contrary, that's 
what it does, exceptionally well, by combining the DHCPd with the 
nameserver. Dynamic DNS for DHCP clients is a strong point for 
dnsmasq.

  exposing another root-owned TCP socket to the world. By means of 
  permissions on a copy of the key, I was able to allow the httpd(8) 
  user to run nsupdate after authenticating the user.
 
 I just skimmed through RFC 2136.  From a practical standpoint, it has
 a serious flaw in sections 3.3.1 and 3.3.2:
 
   3.3.1. Next, the requestor's permission to update the RRs named in
   the Update Section may be tested in an implementation dependent
   fashion or using mechanisms specified in a subsequent Secure DNS
   Update protocol.
 
 What good is such a drastic DNS operation when no authentication is
 defined?  Other than that the RFC reads like a stripped down version of

Hmm? You can use dnssec-keygen(8) keys for authentication. I admit, I 
don't know as practical a way to do it in the real world; DynDNS's 
protocol and my HTTP+nsupdate hack are handy for associating one 
user's records with one authentication credential.

I guess a secure way to do it is to give each user his/her own key 
and a separate zone. But that would not scale. I don't know how to 
link a key with only one RR name. I could ask the BIND folks.

 nsupdate's technical manual (if such a thing exists).  The benefit to
 not defining it there is that any mechanisms can be used.  Arriving at
 this conclusion leaves us looking at eg. dyndns's protocol.  I think
 it's one of the worst alternatives in this context:  dnsmasq often runs
 in local link areas, where people can easily snoop the credentials, and
 it mocks up an HTTP server, which is quite complicated for this task.

That's why I think my HTTP+nsupdate hack was better than DynDNS's 
protocol. No special client needed, just a web browser (or a 
scriptable HTTP client like wget(1).)

 A much simpler approach would be for the client to send the
 base64(sha1(user:password:hostname)) (a hash of user, password and
 desired, preregistered hostname) to some special host and maybe wait for
 the ACK.  That could be decoupled from dnsmasq, which is probably not
 the right place to implement it.

Agreed. I can think of many hacks, any of which would be preferable 
to adding a non-standard protocol to dnsmasq.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] Dynamic DNS

2010-06-24 Thread /dev/rob0
On Thu, Jun 24, 2010 at 09:51:57AM +0100, Alberto Cuesta-Canada wrote:
 are there any plans of implementing Dynamic DNS for dnsmasq? 
  
 There is a perl script that adds that functionality here:
 http://psydev.syw4e.info/new/dynamic-dnsmasq/dynamic-dnsmasq.pl

I don't understand all the desire to invent new protocols for dynamic 
DNS. RFC 2136 handles it quite well. If dnsmasq were to add another
protocol, it should be RFC 2136. Dyndns.org's protocol is not a 
standard.

Some years back, before I really understood 2136, I wrote a perl/CGI 
frontend for nsupdate(8) which does something similar without 
exposing another root-owned TCP socket to the world. By means of 
permissions on a copy of the key, I was able to allow the httpd(8) 
user to run nsupdate after authenticating the user.

(Perhaps your perl script could be amended to run as the dnsmasq 
user; I think that would be a very good idea.)

Another thing I'm not understanding is why is this needed? Are you 
running dnsmasq as authoritative nameserver for the world? I hope 
Simon will correct me if I'm wrong, but I don't see that as a 
typical role for dnsmasq.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] configurable stop-dns-rebind?

2010-05-11 Thread /dev/rob0
On Tue, May 11, 2010 at 01:02:30AM +0200, clemens fischer wrote:
 rbl-domain is the better way.  Dnsmasq would still need to
 add to the internal structure keeping server info indicating
 that the stop-dns-rebind is disabled for the rbl-domains.

I would suggest that RBL is not the proper term, it is DNSBL. 
RBL refers specifically to the MAPS RBL.

I've never had the issue, because I don't use --stop-dns-rebind. I 
have VPN-linked RFC 1918 netblocks that I want to resolve on the 
other ends of the VPN. So, maybe the exceptions need to be broader 
than just for DNSBLs?
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] wrong response code for no SRV record

2010-05-04 Thread /dev/rob0
[ top-posting fixed ]

 Simon Kelley wrote:
  I think you have mis-interpreted the way this works. NXDOMAIN 
  means that there is no data in the DNS for the given domain. That 
  is not what's happening here. The example line returns a valid 
  SRV record for _ldap._tcp.example.com which happens to be empty. 
  The domain refers to _ldap._tcp.example.com and not the domain 
  which may be returned as part of the reply.
 
  Have you encountered real-world problems with the existing 
  behaviour?

On Sat, May 01, 2010 at 02:59:25PM +0530, Rahul Amaram wrote:
 Well yes. I have encountered some problems with this. I am using 
 Kerberos in my company LAN. While performing kinit on my system, 
 the SRV record for _kerberos-master.udp.EXAMPLE.COM is looked up. 

Show the dig(1) results to demonstrate this. Is EXAMPLE.COM your 
company LAN domain? Does _kerberos-master.udp.EXAMPLE.COM exist in 
the form of any RR type, SRV or otherwise?

Show what Kerberos is actually looking up. Is it as you said, 
_kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the 
documented LDAP example, _kerberos-master._udp.EXAMPLE.COM?

 Now if an NXDOMAIN is not returned but instead the default port 1 
 with empty host is returned, the kinit command tries to further 
 resolve that empty host (which I think is replaced with ROOT 
 somehow) and this causes an extreme slowdown of kinit.
 
 I think there should be some configuration option to say that an 
 NXDOMAIN should be returned for a particular SRV record. This
 would be really helpful. What are your thoughts about this?

Useless. NXDOMAIN, as Simon explained, means that there is no record 
of any RR type for the given name. If you want NXDOMAIN, define 
yourself as authoritative for any level of the parent domain[s] in 
question.
local=/EXAMPLE.COM/
or, if you only want the SRV subdomains:
local=/_tcp.EXAMPLE.COM/
local=/_udp.EXAMPLE.COM/

Then, any name NOT defined under those domains will be NXDOMAIN. I 
suspect you have misdiagnosed your original issue.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] wrong response code for no SRV record

2010-05-04 Thread /dev/rob0
On Tue, May 04, 2010 at 03:29:27PM +0530, Rahul Amaram wrote:
 Thanks a lot for your response. Please find my responses inline. 
 Btw, your last suggestion has helped me achieve the desired result

That's good, glad to hear it.

 though I still feel it would be great to have dnsmasq return 
 NXDOMAIN only for a particular domain and forward the remaining 
 domain queries to upstream servers. For example, dnsmasq should be 
 configurable such that query for _kerberos-master._udp.example.com 
 is returned as NXDOMAIN whereas queries for 
 _kerberos._udp.example.com and _kpasswd._udp.example.com are 
 forwarded to upstream server.

Something like
address=/_kerberos-master._udp.example.com/nxdomain

Actually I think this would work, but I'm not able to try it now:
local=/_kerberos-master._udp.example.com/
With no listings in /etc/hosts that should return NXDOMAIN, not 
consulting upstream servers.

 On Tuesday 04 May 2010 01:43 PM, /dev/rob0 wrote:
  Show what Kerberos is actually looking up. Is it as you said,
  _kerberos-master.udp.EXAMPLE.COM, or is it perhaps as per the
  documented LDAP example, _kerberos-master._udp.EXAMPLE.COM?
 
 I do not understand the difference. If the kerberos realm is 

The difference is the leading underscore on the second segment, 
._udp. versus .udp.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
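
To make the local=/domain/ behaviour discussed in this thread and the previous one concrete, here is an added model (example code for this archive, not dnsmasq's implementation) of how per-domain lines route a query: local=/dom/ or server=/dom/ with no address means "answer from my own data", server=/dom/addr#port names an upstream for that domain, and everything else goes to the default resolvers. The model assumes, as dnsmasq documents, that the most specific (longest) matching suffix wins. The config lines and the upstream address 192.0.2.53 are constructed; "upstream-resolver" is a placeholder for the resolv.conf servers.

```python
"""Model dnsmasq's per-domain query routing (local= / server=).

Added example, not dnsmasq code. A domain mapped to None is answered
locally: a name under it with no local record yields NXDOMAIN instead of
being forwarded. Longest matching suffix wins.
"""

DEFAULT_UPSTREAM = "upstream-resolver"   # placeholder for resolv.conf servers

# Constructed config, echoing the examples in these posts.
CONFIG = [
    "# local=: answered here, never forwarded",
    "local=/_kerberos-master._udp.example.com/",
    "server=/wifi.example.net/127.0.0.1#35",
    "server=/3.168.192.in-addr.arpa/127.0.0.1#35",
    "server=192.0.2.53",
]


def parse_config(lines):
    """Return {domain: upstream-or-None} from local=/server= lines."""
    routes = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key not in ("local", "server") or not value.startswith("/"):
            continue            # plain server=addr is a default upstream
        parts = value.split("/", 2)   # '', domain, rest
        if len(parts) < 3:
            continue            # malformed: no closing slash
        routes[parts[1].lower().rstrip(".")] = parts[2] or None
    return routes


def route(name, routes):
    """Return the upstream for `name`, or None if dnsmasq answers itself."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # full name first, then parents
        suffix = ".".join(labels[i:])
        if suffix in routes:
            return routes[suffix]
    return DEFAULT_UPSTREAM


def answer(name, routes, local_records):
    """Return ('FORWARD', upstream), ('LOCAL', data) or ('NXDOMAIN', None)."""
    upstream = route(name, routes)
    if upstream is not None:
        return ("FORWARD", upstream)
    key = name.lower().rstrip(".")
    if key in local_records:
        return ("LOCAL", local_records[key])
    return ("NXDOMAIN", None)


if __name__ == "__main__":
    r = parse_config(CONFIG)
    for q in ("_kerberos-master._udp.example.com", "_kerberos._udp.example.com",
              "ap1.wifi.example.net", "10.3.168.192.in-addr.arpa"):
        print(q, "->", answer(q, r, {}))
```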



Re: [Dnsmasq-discuss] Two questions about the cache and how dnsmasq forwards queries

2010-02-17 Thread /dev/rob0
On Tue, Feb 16, 2010 at 09:42:33AM +0100, SamLT wrote:
 Simon:
  Maybe your ISPs DNS server is playing games?
 
 I think my ISP also REDIRECTs DNS traffic to their nameservers, 
 since, I get the same result using google public dns service. (and 
 this doesn't happen @home with another ISP).
 
 Well, this is going to be... fun!

snip

 I'd like to collect as much information as I can before I contact 
 my ISP, even though I think they'll just ignore me anyway...

What I do, and whilst it seemed ugly at first, I grew to like and
appreciate it: I run ISC BIND named(8) on an alternate port, totally
ignoring ISP upstream resolvers.

True, a redirection would still be a problem, but this could be an
easy way to gather more facts.

BIND as recursion-only is quite simple. And the dnsmasq interface is
also simple:
no-resolv
server=127.0.0.1#1053
# the following to prevent duplicate caching
cache-size=0
And of course, nameserver 127.0.0.1 in resolv.conf (and protect it
from your DHCP client, if applicable.)

The named.conf(5) file:
options {
    directory "/var/named";
    listen-on port 1053 { 127.0.0.1; };
};
controls {
    inet 127.0.0.1 port 1035 allow { localhost; };
};
zone "." IN {
    type hint;
    file "named.root";
};

(using the root hints file which can be obtained at
ftp://ftp.internic.net/domain/named.root installed as
/var/named/named.root and readable by the named user.)

named can run entirely as a non-root process this way.  You might
want to use a shell alias for rndc(8) to use 1035 rather than 953;
but in this configuration I have little need for rndc. Note, since
only 127.0.0.1 is bound, there is no need for access controls; only
shell users on the same host could query named directly. If that
worries you, get rid of your untrusted shell users. :) In Linux you
could restrict to the dnsmasq user like this:
iptables -vI OUTPUT -d 127.0.0.1 -p tcp --dport 1053 -j REJECT
iptables -vI OUTPUT -d 127.0.0.1 -p udp --dport 1053 -j DROP
iptables -vI OUTPUT -d 127.0.0.1 -p tcp --dport 1053 -m owner \
--uid-owner dnsmasq -j ACCEPT
iptables -vI OUTPUT -d 127.0.0.1 -p udp --dport 1053 -m owner \
--uid-owner dnsmasq -j ACCEPT
(Note the use of -I, the order of these commands is important; they
yield rules at the top of filter/OUTPUT in reverse order. First
ACCEPT from dnsmasq user; then DROP or REJECT from any other.)

The ISC folks and DNS gurus I have met generally recommend keeping
recursion separate from authoritative DNS service, and this does the
job well.

I have not encountered an ISP doing DNS redirection. I'd be very
angry if I did!
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
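
The note about -I ordering is easy to get wrong, so here is an added model of it (example code for this archive, not from the post or from netfilter): filter chains are evaluated top-down, the first matching rule decides, and the chain policy applies when nothing matches. Replaying the four commands with -I semantics (insert at the top) yields the intended result; replaying them with -A semantics (append) in the same order blocks dnsmasq's own queries, which is the trap the post warns about. Packets and uids are constructed.

```python
"""First-match evaluation of the loopback OUTPUT rules from the post.

Added example, not netfilter code: shows why the order of the four
`iptables -I` commands matters, since each -I puts its rule at position 1.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    dst: str
    proto: str
    dport: int
    target: str
    uid_owner: Optional[str] = None      # -m owner --uid-owner <user>

    def matches(self, pkt: dict) -> bool:
        return (pkt["dst"] == self.dst
                and pkt["proto"] == self.proto
                and pkt["dport"] == self.dport
                and (self.uid_owner is None or pkt["uid"] == self.uid_owner))


class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule) -> None:   # iptables -I: rule goes on top
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:   # iptables -A: rule goes at the end
        self.rules.append(rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:              # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy                   # nothing matched: chain policy


def build_output_chain(insert: bool = True) -> Chain:
    """Replay the post's four commands, in the post's order."""
    chain = Chain("ACCEPT")
    add = chain.insert if insert else chain.append
    add(Rule("127.0.0.1", "tcp", 1053, "REJECT"))
    add(Rule("127.0.0.1", "udp", 1053, "DROP"))
    add(Rule("127.0.0.1", "tcp", 1053, "ACCEPT", uid_owner="dnsmasq"))
    add(Rule("127.0.0.1", "udp", 1053, "ACCEPT", uid_owner="dnsmasq"))
    return chain


def pkt(uid: str, proto: str, dport: int = 1053, dst: str = "127.0.0.1") -> dict:
    """Constructed locally generated packet, as seen by the OUTPUT chain."""
    return {"uid": uid, "proto": proto, "dport": dport, "dst": dst}


if __name__ == "__main__":
    good, bad = build_output_chain(True), build_output_chain(False)
    for who, proto in (("dnsmasq", "udp"), ("someuser", "udp"), ("someuser", "tcp")):
        print(who, proto, "-I:", good.verdict(pkt(who, proto)),
              "-A:", bad.verdict(pkt(who, proto)))
```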



Re: [Dnsmasq-discuss] Not Resolving DHCP addresses

2009-12-24 Thread /dev/rob0
On Wed, Dec 23, 2009 at 04:01:19PM -0800, Andy Leak wrote:
 Now DHCP addresses are being resolved just fine, and everything
 is working 100% ok.
 
 Here's what I did:
 - went to lunch
 - did a little christmas shopping
 - then came back and everything was working fine
 
 Now I am curious why this problem occurred, and what happened to
 resolve the issue.  Any ideas??

Very simple: dnsmasq(8) can only serve names that are in its lists,
either hosts(5) or the leases file. If you start up a new dnsmasq on
an existing network, it has no magical means of knowing what leases
the previous DHCP daemon gave out. Over time, leases expired and your
hosts came in to renew them. Your dnsmasq didn't know these were
renewals.

 Thanks for DNSMASQ - it is really a great program.

Your shopping should have included a goodie for Simon! ;)

[the OP]
 I've got a new DNSMASQ installation.
  - DHCP assigns addresses fine
  - DNS resolution for external and fixed addresses is fine
  - BUT - DNS resolution for DHCP addresses is not working
 
  Here's my dnsmasq.conf file...
  domain-needed
  domain=x
  expand-hosts
  resolv-file=/etc/resolv.conf.dnsmasq
  dhcp-range=192.168.4.100,192.168.4.200,24h
  local=/x/
  log-queries
  no-negcache
  dhcp-authoritative
 
  when I do nslookup xxx (where xxx is the name of a dhcp 
  machine) i get

nslookup(1) is buggy and not a good tool. I recommend that you become
familiar with host(1) and dig(1). All three are provided by BIND. The
ISC folks have threatened to drop nslookup.

  ** server can't find xxx.x: NXDOMAIN
 
  when i look at the dnsmasq log, and the dnsmasq.leases file,
  everything seems to be ok...

You looked, and at the time, xxx was in the lease file? I bet it
wasn't.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



[Dnsmasq-discuss] server=... remote reverse DNS fails

2009-11-08 Thread /dev/rob0

arpa.   172800  IN  NS  F.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  G.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  B.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  E.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  M.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  A.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  I.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  H.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  C.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  L.ROOT-SERVERS.NET.
arpa.   172800  IN  NS  K.ROOT-SERVERS.NET.
;; Received 496 bytes from 192.58.128.30#53(J.ROOT-SERVERS.NET) in 221 ms

192.in-addr.arpa.   86400   IN  NS  BASIL.ARIN.NET.
192.in-addr.arpa.   86400   IN  NS  HENNA.ARIN.NET.
192.in-addr.arpa.   86400   IN  NS  Z.ARIN.NET.
192.in-addr.arpa.   86400   IN  NS  X.ARIN.NET.
192.in-addr.arpa.   86400   IN  NS  Y.ARIN.NET.
192.in-addr.arpa.   86400   IN  NS  DILL.ARIN.NET.
192.in-addr.arpa.   86400   IN  NS  INDIGO.ARIN.NET.
;; Received 180 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 96 ms

168.192.in-addr.arpa.   86400   IN  NS  blackhole-1.iana.org.
168.192.in-addr.arpa.   86400   IN  NS  blackhole-2.iana.org.
;; Received 104 bytes from 192.55.83.32#53(BASIL.ARIN.NET) in 208 ms

168.192.in-addr.arpa.   300 IN  SOA prisoner.iana.org. 
hostmaster.root-servers.org. 2002040800 1800 900 604800 604800
;; Received 121 bytes from 192.175.48.6#53(blackhole-1.iana.org) in 106 ms

This is all nothing but a minor annoyance for me, but I thought it
might be worth looking into.


[1] Slamd64 is/was a port of 32-bit Slackware to x86_64, probably in
the process of being phased out since Slackware 13 had a x86_64
version.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] iptables configuration drops packets

2008-05-17 Thread /dev/rob0
On Fri May 16 2008 13:30:01 Adam Hardy wrote:
 I set up iptables myself today after using an obtusely written
 script for some time.

I don't think this one is much better. :( Start simpler.  A good 
starting point is Rusty's Packet Filtering HOWTO, Really Quick Guide:

http://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-5.html

 I am trying to work out whether everything is in order and I am
 seeing logs from iptables saying that it is dropping packets from the

Routine logging is an easy way to DoS yourself. When you have it all 
working, stop the -j LOG rules.

 machine every 12 minutes, which doesn't make sense - here's a line
 from the log:

 May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1
 SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64
 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217

Assuming that the --log-prefix is correct and that your iptables 
machine's IP address is 192.168.0.2, do tell, WHY are you blocking 
OUTPUT? What is your threat model?

My rule of thumb: if you have to ask for help with iptables, you need 
ACCEPT policy (and no blocking) in OUTPUT.

 The machine is running dhclient3 and dnsmasq and it acts as a

Irrelevant.

 I'm trying to find out what the broadcast address is for and I'm
 pretty much in the dark despite looking around the mailing list and
 google.

This is the old Netbios protocol, kludged up by Microsoft in the 
1990's, to enable peer-to-peer file sharing on IP networks without 
proper DNS services. I think you can turn it off in Samba's nmbd(8). 
But your best bet is to just stop blocking OUTPUT.

You most likely also do not want much if any filtering on your LAN 
interface. You should only filter INPUT and FORWARD traffic on your 
external interface. If you really have a threat inside your RFC 1918 
netblocks, I would suggest a physical approach: pull the plug on it.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] iptables configuration drops packets

2008-05-17 Thread /dev/rob0
On Sat May 17 2008 11:18:38 Adam Hardy wrote:
  Assuming that the --log-prefix is correct and that your iptables
  machine's IP address is 192.168.0.2, do tell, WHY are you blocking
  OUTPUT? What is your threat model?

 Basically I have 3 housemates who I allow on the wireless LAN with
 their laptops, and of course they all run windows, so I just want to
 make sure. I'd rather not run the risk of someone leaving their PC on
 with a spam cannon trojan running. I've forbidden Outlook and MSIE,
 so perhaps I'm being too keen, but I figured I'd log what OUTPUT
 drops and figure out where it's coming from and whether it's kosher
 or not, and adapt when necessary.

In that case, as best as I can tell, you are not understanding what 
OUTPUT is. Built-in chains in the filter table:
INPUT  :Packets destined to the iptables machine
OUTPUT :Packets originated from the iptables machine
FORWARD:All other (neither source nor dest. is local)
Any given packet hits exactly one chain, with the exception of the 
loopback interface, which first hits OUTPUT and then INPUT. Note also 
that the PREROUTING and OUTPUT chains in the nat table can change the 
filter chain any given packet would hit.

Your housemates would be sending FORWARD traffic, coming in the LAN 
interface, going out the Internet/external one.

Here's a good netfilter help site:
http://danieldegraaf.afraid.org/info/iptables/examples
Unfortunately seems to be down now, but it's in the Google cache. 
(Dynamic IP, I think it will be back later.)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
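
An added illustration of the chain rule stated above (example code for this archive, not from the post): a packet is classified by whether its source or destination is one of the firewall's own addresses, giving INPUT, OUTPUT, FORWARD, or OUTPUT followed by INPUT for the loopback case. The parser reads the KEY=VALUE fields of the kernel LOG line quoted earlier in the thread, and running it over that line shows why the packet hit OUTPUT: its SRC was the firewall's own address. The local address set is constructed; nat-table rewriting, which the post notes can change the chain a packet reaches, is not modelled.

```python
"""Which filter-table chain does a packet traverse?

Added example, not netfilter code. Classification is by source/destination
locality only; nat PREROUTING/OUTPUT rewriting is not modelled.
"""
import re

# The LOG line quoted earlier in this thread (wrapped there across lines).
SAMPLE_LOG = ("May 16 19:21:10 isengard kernel: dropped from OUTPUT IN= OUT=eth1 "
              "SRC=192.168.0.2 DST=192.168.0.255 LEN=237 TOS=0x00 PREC=0x00 TTL=64 "
              "ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=217")

# Constructed: the firewall host's own addresses (LAN, loopback, external).
LOCAL_ADDRS = {"192.168.0.2", "127.0.0.1", "203.0.113.7"}

_FIELD = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_kernel_log(line: str) -> dict:
    """Return the KEY=VALUE fields of an iptables LOG line as a dict.

    Bare flags such as DF carry no '=' and are skipped; a repeated key
    (LEN appears twice: IP and UDP length) keeps the last value.
    """
    return {m.group("key"): m.group("value") for m in _FIELD.finditer(line)}


def chains_for(src: str, dst: str, local_addrs) -> list:
    """Ordered list of filter chains a packet with these endpoints hits."""
    src_local = src in local_addrs
    dst_local = dst in local_addrs
    if src_local and dst_local:
        return ["OUTPUT", "INPUT"]     # loopback: generated and delivered here
    if src_local:
        return ["OUTPUT"]              # originated by the firewall itself
    if dst_local:
        return ["INPUT"]               # destined to the firewall itself
    return ["FORWARD"]                 # routed through (e.g. the housemates)


def classify_log_line(line: str, local_addrs) -> list:
    fields = parse_kernel_log(line)
    return chains_for(fields["SRC"], fields["DST"], local_addrs)


if __name__ == "__main__":
    print(parse_kernel_log(SAMPLE_LOG))
    print("logged packet hits:", classify_log_line(SAMPLE_LOG, LOCAL_ADDRS))
    print("housemate laptop to the Internet:",
          chains_for("192.168.0.10", "198.51.100.1", LOCAL_ADDRS))
```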



Re: [Dnsmasq-discuss] uh, domain concats unwanted...

2008-05-01 Thread /dev/rob0
On Thu May 1 2008 10:34:05 AJ Weber wrote:
 OK, I'm looking thru my dnsmasq.conf, but can't justify why this is
 happening...nor how it's eventually coming-up with a valid IP
 address.

Valid?

 However, it didn't block an advert site on my first test, and so I
 did a nslookup from my laptop...this was the output...

Just Say No to nslookup. dig(1) is the preferred tool.

 Server:   broh.nn.com
 Address:  192.168.1.128

 Non-authoritative answer:
 Name:view.atdmt.com.nn.com
 Address:  208.67.217.132

132.217.67.208.in-addr.arpa. 86400 IN   PTR hit-nxdomain.opendns.com.

 The nn.com is set in my domain= option in my config. 
 However, as I read it, it should only be used to decorate simple
 names from the hosts-file.  Why is it being appended to FQDNs? 

Maybe broken or misconfigured system resolver? See, dig(1) will only
use DNS, and only with the name it is given (exception, see +search.)

 Furthermore, how the heck did that name then resolve from the
 upstream DNS server???

Um, maybe a broken upstream nameserver? [1]

 view.atdmt.com IS in the black-hole-hosts file that I added using

view.atdmt.com. 240 IN  A   206.16.21.31

 addn-hosts, but again, it's a FQDN, so it shouldn't be getting the
 domain appended.

 Can anyone help me explain where my config might be wrong?

Munging makes DNS problems especially difficult to ... resolve.


[1] I know this goes against the spirit of simplicity which is
dnsmasq, but I always run my own named backend for recursion. It
binds on port 35, which is used as such in dnsmasq.conf :
server=127.0.0.1#35
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] digging SOA records doesn't work

2008-03-20 Thread /dev/rob0
On Thu March 20 2008 14:35:14 Vaidotas Kaminskas wrote:
> I'm using version 2.35-1 from debian etch. I cannot dig for SOA records
> while behind dnsmasq:
>
> # dig soa google.com

$ /usr/sbin/dnsmasq --version
Dnsmasq version 2.41  Copyright (C) 2000-2008 Simon Kelley
Compile time options IPv6 GNU-getopt no-ISC-leasefile no-DBus I18N TFTP

and <<>> DiG 9.4.1-P1 <<>> soa google.com. works for me.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] domain per interface

2008-03-20 Thread /dev/rob0
On Wed March 19 2008 11:28:37 Simon Kelley wrote:
>> I think that in ISC dhcpd/named, this could be done with a subnet
>> declaration block with option domain-name wifi.example.net; inside
>> it, and of course a corresponding dynamic zone declaration in
>> named.conf. That's another avenue I don't want to pursue, because I
>> want to keep dnsmasq for authoritative DNS. (I'm using named for
>> recursion only, on port 35, with dnsmasq using server=127.0.0.1#35.)
>>
>> Simon, am I out of luck here?
>
> Yes. This has come up before. The problem is that no domain information
> is stored in the lease database: dnsmasq assumes that the domain is that
> given by --domain. To support multiple domains, the lease file format
> would need to change, which is a compatibility problem.

Or maybe separate files, take the domain from the filename? Just a
thought: /var/state/dnsmasq/$DOMAIN.leases ?

>> I guess I could also do dhcp-script and nsupdate(8) to update a zone
>> in named.conf. But even then, will the dnsmasq block it? If dnsmasq
>> knows the answer, named is never consulted. What about this:
>>
>> server=/wifi.example.net/127.0.0.1#35
>> server=/3.168.192.in-addr.arpa/127.0.0.1#35
>>
>> Will dnsmasq ignore the names it has served to DHCP clients?
>
> DHCP names take preference over server config, sorry.

Before I saw this, I thought it was working fine. I can axfr the
3.168.192.in-addr.arpa. zone, which means dnsmasq consults named on
port 35, but individual PTR queries are indeed intercepted by dnsmasq.

The whole thing is incredibly silly (I was intoxicated when I got the
idea, so I did it anyway), but it was a cute idea. I could switch to
ISC if it was worth the trouble, but it isn't. Please file this under
feature requests that should only be considered if they don't create
too much complexity, because the whole point of using dnsmasq in the
first place was for simplicity. :)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] domain per interface

2008-03-19 Thread /dev/rob0
On Tue March 18 2008 18:42:44 richardvo...@gmail.com wrote:
> If all else fails, you can run two instances of dnsmasq with two
> separate config files, each bound to a different interface.

Indeed, but that's something I would like to avoid. Here's what I
have now:

   dnsmasq.conf :
   ...
   dhcp-range=wifi,192.168.3.127,192.168.3.192,255.255.255.0,12h
   dhcp-option=wifi,15,wifi.example.net
   ...
 
   (where 192.168.3.1 is the wireless interface IP address)

But that only works for the domain pushed to clients, not for the
domain used by dnsmasq for forward/reverse DNS names of clients. I get
search wifi.example.net in their resolver files, but that's rather
useless, since no names have .wifi.example.net. in them.

I think that in ISC dhcpd/named, this could be done with a subnet
declaration block with option domain-name wifi.example.net; inside
it, and of course a corresponding dynamic zone declaration in
named.conf. That's another avenue I don't want to pursue, because I
want to keep dnsmasq for authoritative DNS. (I'm using named for
recursion only, on port 35, with dnsmasq using server=127.0.0.1#35.)

Simon, am I out of luck here?

I guess I could also do dhcp-script and nsupdate(8) to update a zone
in named.conf. But even then, will the dnsmasq block it? If dnsmasq
knows the answer, named is never consulted. What about this:

server=/wifi.example.net/127.0.0.1#35
server=/3.168.192.in-addr.arpa/127.0.0.1#35

Will dnsmasq ignore the names it has served to DHCP clients?
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
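An added example, not code from the thread: what the dhcp-script plus nsupdate(8) idea floated above would look like. dnsmasq invokes the configured script as SCRIPT add|old|del MAC IP [HOSTNAME] on each lease change; the script below builds an RFC 2136 batch for the forward name under wifi.example.net and the PTR under 3.168.192.in-addr.arpa, as two separate sends because the two records live in different zones. Building the batch is separated from sending it so it can be inspected offline. The 2-hour TTL, the named port 35, the TSIG key path and the lease host name are assumptions. Keep the caveat from Simon's reply in mind: dnsmasq answers from its own lease table for names it handed out, so these records in named are only consulted by clients that ask named directly or for names dnsmasq does not hold.

```shell
#!/bin/sh
# Added example (not from the thread): dnsmasq dhcp-script that keeps A
# and PTR records for DHCP clients in a BIND zone via nsupdate(8).
# dnsmasq calls it as:  SCRIPT add|old|del MAC IP [HOSTNAME]
# Assumed values, adjust for your site:
DOMAIN=wifi.example.net
TTL=7200
NSUPDATE_SERVER="127.0.0.1 35"          # named on loopback port 35
KEYFILE=/etc/dnsmasq.d/ddns.key         # TSIG key shared with named

# reverse name for a dotted-quad IPv4 address, e.g. 130.3.168.192.in-addr.arpa.
ptr_name() {
    printf '%s' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# emit the nsupdate batch for one lease event; silent for a nameless lease.
# The A record and the PTR are in different zones, so each gets its own
# "send"; stale records are deleted first so "old" and "add" converge.
nsupdate_batch() {
    action=$1; ip=$2; host=$3
    [ -n "$host" ] || return 0
    fqdn="$host.$DOMAIN."
    rev=$(ptr_name "$ip")

    printf 'server %s\n' "$NSUPDATE_SERVER"
    printf 'update delete %s A\n' "$fqdn"
    if [ "$action" != del ]; then
        printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
    fi
    printf 'send\n'

    printf 'server %s\n' "$NSUPDATE_SERVER"
    printf 'update delete %s PTR\n' "$rev"
    if [ "$action" != del ]; then
        printf 'update add %s %s PTR %s\n' "$rev" "$TTL" "$fqdn"
    fi
    printf 'send\n'
}

# when run by dnsmasq ($1=action $2=MAC $3=IP $4=hostname): push the batch
if [ "$#" -ge 3 ]; then
    nsupdate_batch "$1" "$3" "${4:-}" | nsupdate -k "$KEYFILE"
fi
```

Point dnsmasq at it with dhcp-script=/path/to/this-script, and give named a matching allow-update { key ...; } on both zones; without the key restriction any host on the LAN could overwrite these records.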



Re: [Dnsmasq-discuss] ipconfig /registerdns and split DNS

2006-12-11 Thread /dev/rob0
On Friday 08 December 2006 09:44, Rune Kock wrote:
>> ***HOWEVER***, the ipconfig /registerdns command does NOT seem to
>> work
>
> Microsoft has made proprietary extensions so that the members of an
> active directory domain can register in DNS in a secure way.  The

I don't know Windows much (does anyone??) but I think this is their
implementation of RFCs 2136 and 3007. I know that on my ISC named,
there's one Win2K client which is being logged as it attempts to
register itself in DNS. I presume the ISC named wouldn't see /
understand this if it was being done using some proprietary method.

I wouldn't expect dnsmasq to implement these RFCs. If it did, we'd
find our beloved dnsmasq was as complex and difficult as ISC dhcpd +
BIND. :)

Hey, I *like* ISC. But I also like ... hearing fingernails on 
chalkboards![1] ;) Seriously, the ISC solution has its place, and 
dnsmasq occupies a different niche. I think it should stay that way.



[1] With apologies to Chuck Barris and his horrible/wonderful The Gong 
Show. Apologies also to anyone [un]fortunate enough to remember it. :)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] dnsmasq failing to compile

2006-12-03 Thread /dev/rob0
On Saturday 02 December 2006 21:56, Philip Wall wrote:
> Getting this during compile of a fresh
> dnsmasq 2.35
> Kernel 2.6.19 They changed a bunch of things in this kernel.
> Slamd64 11 (slackware 64bit version)
> gcc 3.4.6
> Previous versions had no problem building

$ time make -j5
make I18N=-DNO_GETTEXT -f ../bld/Makefile -C src dnsmasq
make[1]: Entering directory `/home/common/src/dnsmasq-2.35/src'
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c cache.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c rfc1035.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c util.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c option.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c forward.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c isc.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c network.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c dnsmasq.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c dhcp.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c lease.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c rfc2131.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c netlink.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c dbus.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c bpf.c
cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c helper.c
cc  -o dnsmasq  cache.o rfc1035.o util.o option.o forward.o isc.o network.o dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o helper.o `echo  | ../bld/pkg-wrapper pkg-config --libs dbus-1`
make[1]: Leaving directory `/home/common/src/dnsmasq-2.35/src'

real    0m3.050s
user    0m4.116s
sys     0m0.476s
$ cat /etc/slackware-version ; gcc --version
Slackware 10.2.1 (x86_64)
gcc (GCC) 3.4.6
...

Perhaps you're missing some requisite library? But anyway, dnsmasq is
provided in both Slackware and Slamd64:

$ locate dnsmasq | grep '\.tgz$'
/home/common/slamd64-10.2b/slackware/n/dnsmasq-2.24-x86_64-1.tgz
/home/common/slamd64-11.0/slackware/n/dnsmasq-2.33-x86_64-1.tgz
/home/common/slackware-10.1/slackware/n/dnsmasq-2.20-i486-1.tgz
/home/common/slackware-10.2/slackware/n/dnsmasq-2.23-i486-1.tgz
/home/common/slackware-11.0/slackware/n/dnsmasq-2.33-i486-1.tgz

... so you could:
1. installpkg it
2. Edit and run Fred's dnsmasq.SlackBuild

> cc -O2  -DNO_GETTEXT `echo  | ../bld/pkg-wrapper pkg-config --cflags dbus-1`  -Wall -W -c netlink.c
> netlink.c: In function `iface_enumerate':
> netlink.c:159: warning: implicit declaration of function `IFA_RTA'
> netlink.c:159: warning: initialization makes pointer from integer without a cast
> netlink.c:160: error: dereferencing pointer to incomplete type
> netlink.c:162: error: dereferencing pointer to incomplete type
> netlink.c:166: error: dereferencing pointer to incomplete type
> netlink.c:172: error: `IFA_LOCAL' undeclared (first use in this function)
> netlink.c:172: error: (Each undeclared identifier is reported only once
> netlink.c:172: error: for each function it appears in.)
> netlink.c:174: error: `IFA_BROADCAST' undeclared (first use in this function)
> netlink.c:181: error: dereferencing pointer to incomplete type
> netlink.c:185: error: dereferencing pointer to incomplete type
> netlink.c:190: error: `IFA_ADDRESS' undeclared (first use in this function)
> netlink.c:197: error: dereferencing pointer to incomplete type
> netlink.c:197: error: dereferencing pointer to incomplete type
> make[1]: *** [netlink.o] Error 1
> make[1]: Leaving directory `/www/src/dnsmasq-2.35/src'
> make: *** [dnsmasq] Error 2

I'm running on a 2.6.18.2 kernel with /usr/src/linux pointing to
linux-2.6.15.5 sources. So yes, maybe the 2.6.19 kernel is your
problem. Although I have it on good authority that 2.6.19 is perfect,
and any problems with it are your own %*^$*! fault. Linus said so. :)
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header



Re: [Dnsmasq-discuss] How to use dnsmasq as a dhcp server only

2006-10-23 Thread /dev/rob0
On Monday 23 October 2006 11:30, Claudio Roberto Cussuol wrote:
>> It's easier and more flexible to use dnsmasq for authoritative DNS.
>
> Is it possible?
> It would be great.
>
> But, I've read in dnsmasq site it is only a dns forwarder and it
> would not support the authoritative mode.

Sure, it's authoritative. Anything in /etc/hosts (or your designated 
file[s]) will be served as authoritative data. Furthermore you get 
reverse lookups included at no additional charge! :) That is *much* 
more difficult to do in BIND.

>> Is there any option to disable the dns cache and keep dnsmasq
>> running as a dhcp server only?
>>
>> I don't know. But I set one up where BIND named is listening on
>> localhost:35, and dnsmasq uses that for recursion. Works quite
>> well.
>
> Yes, i tried this and it works.
> But i still would like to use something simpler.
> Using only one dns service.

Think of it in djbdns terms. DJB makes the point that recursion is a 
different job than authoritative name service, so he implemented them 
as separate daemons: dnscache and tinydns respectively. Furthermore, 
even BIND people (which I am one, sort of) will recommend keeping the 
functions separate, at least with views, if not using separate 
processes (or machines) altogether.

IWFM, and I'm happy with it.
-- 
Offlist mail to this address is discarded unless
/dev/rob0 or not-spam is in Subject: header
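An added example, not configuration from the thread: the split that rob0 describes here and in footnote [1] of the 2008-05-01 message, with dnsmasq serving its hosts-file data authoritatively to the LAN and a BIND named on 127.0.0.1 port 35 doing recursion only. The two functions emit the dnsmasq.conf and named.conf fragments; write_and_check writes them to a directory and runs each daemon's own syntax checker when it is installed (dnsmasq --test and named-checkconf), so a typo is caught before a restart. The output directory and the use of named-checkconf are assumptions; the server=127.0.0.1#35 line is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): dnsmasq in front, BIND named behind
# it on loopback port 35 for recursion only.  Paths are assumptions.

# dnsmasq side: answer from /etc/hosts, forward everything else only to
# named on 127.0.0.1 port 35 (never to whatever is in /etc/resolv.conf).
dnsmasq_conf() {
    cat <<'EOF'
# ignore /etc/resolv.conf; the only upstream is named on port 35
no-resolv
server=127.0.0.1#35
# never forward plain (dotless) names or RFC 1918 reverse lookups upstream
domain-needed
bogus-priv
EOF
}

# named side: recursion for loopback only, no zones, nothing on the LAN.
named_conf() {
    cat <<'EOF'
options {
    listen-on port 35 { 127.0.0.1; };
    listen-on-v6 { none; };
    recursion yes;
    allow-query { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
};
EOF
}

# write both fragments under DIR and syntax-check them with the daemons'
# own checkers when those are installed; returns non-zero on any failure.
write_and_check() {
    dir=$1
    mkdir -p "$dir" || return 1
    dnsmasq_conf > "$dir/dnsmasq.conf"
    named_conf > "$dir/named.conf"
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test --conf-file="$dir/dnsmasq.conf" || return 1
    fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$dir/named.conf" || return 1
    fi
    return 0
}

# usage: sh split-resolvers.sh /etc/dnsmasq-split
if [ "$#" -eq 1 ]; then
    write_and_check "$1"
fi
```

Because named only listens on loopback and only allows recursion from it, the LAN cannot use it as an open resolver even if a firewall rule is missing; dnsmasq remains the only thing clients talk to, and with no-resolv set it cannot be silently pointed elsewhere by a DHCP-rewritten /etc/resolv.conf.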