Re: [Dnsmasq-discuss] [PATCH] Delay DHCP replies for Raspberry Pi clients

2017-03-29 Thread Albert ARIBAUD
Hi again,

Le Wed, 29 Mar 2017 17:24:45 +0200
Floris Bos <b...@je-eigen-domein.nl> a écrit:

> Hi,
> 
> On 03/29/2017 05:02 PM, Albert ARIBAUD wrote:
> > Le Wed, 29 Mar 2017 14:48:48 +0200
> > Floris Bos <b...@je-eigen-domein.nl> a écrit:
> >  
> >> The PXE boot firmware implementation of the Raspberry Pi 3
> >> has a bug causing it to fail if it receives replies
> >> instantly.
> >>
> >> As a workaround ensure there is a minimum delay of one
> >> second if the client is a Pi.
> >>
> >> On Linux it looks up the exact receive time of the UDP
> >> packet with the SIOCGSTAMP ioctl to prevent multiple
> >> delays if multiple packets come in around the same time,
> >> or if there already was a delay caused by a ping check.  
> > Just a side question: can't / won't the boot firmware be fixed?  
> 
> There is a fix.
> However that requires sticking a SD card with the newer boot firmware
> in the Pi, and leaving it in permanently.
> 
> To be able to PXE boot without SD card, the firmware in the ROM of
> the SoC has to be used, which is not reflashable, and -at least for
> the devices currently out there- comes with this bug.

Oh, OK, so that's not an upgradable firmware, that's the ROM boot. Pity.

Thanks for the clarification!

> Yours sincerely,
> 
> Floris Bos

Amicalement,
-- 
Albert.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Debugging dnsmasq on Ubuntu

2017-03-29 Thread Albert ARIBAUD
Hi Joel,

Le Wed, 29 Mar 2017 09:43:33 -0500
Joel Whitehouse  a écrit:

> I'm running ubuntu 14, which uses dnsmasq as a local resolver on 
> 127.0.1.1.  When I issue a dig query, dig informs me it's using 
> 127.0.1.1 as its resolver:
> 
> ;; Query time: 3 msec
> ;; SERVER: 127.0.1.1#53(127.0.1.1)
> ;; WHEN: Wed Mar 29 09:36:06 CDT 2017
> ;; MSG SIZE  rcvd: 63
> 
> 
> However, I would like to know what host dnsmasq is using as its 
> resolver.  On my system, `ps ax' shows that dnsmasq is started with
> the command:
> 
> /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts 
> --bind-interfaces 
> --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid 
> --listen-address=127.0.1.1 
> --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 
> --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq 
> --conf-dir=/etc/NetworkManager/dnsmasq.d
> 
> 
> Both the file /var/run/NetworkManager/dnsmasq.conf and the directory 
> /etc/NetworkManager/dnsmasq.d/ are empty, so it's likely that dnsmasq
> is receiving its resolvers from Network Manager over the dbus
> interface.
> 
> 
> Is there any way to get dnsmasq to log when it issues a new query to
> a resolver?

You can spy on DBus -- I think that's what Network Manager uses to
configure dnsmasq on the fly.

> -Joel

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] [PATCH] Delay DHCP replies for Raspberry Pi clients

2017-03-29 Thread Albert ARIBAUD
Hi,

Le Wed, 29 Mar 2017 14:48:48 +0200
Floris Bos  a écrit:

> The PXE boot firmware implementation of the Raspberry Pi 3
> has a bug causing it to fail if it receives replies
> instantly.
> 
> As a workaround ensure there is a minimum delay of one
> second if the client is a Pi.
> 
> On Linux it looks up the exact receive time of the UDP
> packet with the SIOCGSTAMP ioctl to prevent multiple
> delays if multiple packets come in around the same time,
> or if there already was a delay caused by a ping check.

Just a side question: can't / won't the boot firmware be fixed?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No more random source port

2017-03-21 Thread Albert ARIBAUD
Bonjour,

Le Tue, 21 Mar 2017 14:30:28 +0200
Risto Suominen  a écrit:

> Zyxel doesn't have a problem with same source port:
> 
> https://www.dropbox.com/s/wxdl480hwr39j12/dns-03.pcap?dl=1
> 
> Same commands as in pcap-01.
>
> Risto

I can't see why your dnsmasq would only use one port. This would be the
behavior for -Q0 (or -Q45807), but your dnsmasq does not have this option
in its command line.

Did you check apparmor or SELinux?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No more random source port

2017-03-20 Thread Albert ARIBAUD
Hi again Risto,

Le Mon, 20 Mar 2017 23:27:07 +0200
Risto Suominen  a écrit:

> This is the pcap against TP-link:
> 
> https://www.dropbox.com/s/c1edxlpmar8euvi/dns-02.pcap?dl=1
> 
> This time I only did:
> 
> 1) 'host google.com 192.168.1.1'
> 2) 'host google.fi 192.168.1.1'
> 
> The rest of the requests came through dnsmasq, and received no answer.
> They are repeated forever.

Source IP is not the same in both pcaps. 1st pcap queries 8.8.8.8 and
192.168.1.1 from 192.168.1.33, while 2nd pcap queries are from
192.168.1.100. Can you clarify your network setup?

> Risto

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No more random source port

2017-03-20 Thread Albert ARIBAUD
Hi Risto,

Le Mon, 20 Mar 2017 21:22:55 +0200
Risto Suominen <risto.suomi...@gmail.com> a écrit:

> 2017-03-20 21:05 UTC+02.00, Albert ARIBAUD <albert.arib...@free.fr>:
> >
> > (I don't see the point of this restriction but hey, that's TP-Link's
> > choice.)
> >  
> I might use the word 'bug' instead of 'choice'.
> >
> > Ok, so the OS is not limiting the ports per se.
> >
> > You said the command line did not change. Which is it exactly? I
> > usually do a "cat /proc//cmdline | tr '\0' '\n'" to
> > make sure I see the real command line of the running dnsmasq.
> >  
> /usr/sbin/dnsmasq
> --no-resolv
> --keep-in-foreground
> --no-hosts
> --bind-interfaces
> --pid-file=/var/run/NetworkManager/dnsmasq.pid
> --listen-address=127.0.1.1
> --cache-size=0
> --conf-file=/dev/null
> --proxy-dnssec
> --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> --conf-dir=/etc/NetworkManager/dnsmasq.d
> 
> Risto

Ok, so exactly the same options as I have on my Xubuntu, and my local
dnsmasq is 2.75 too, and it uses random ports.

So, back to the basics: let's start with a capture of DNS traffic. Can
you run wireshark or tcpdump on your Lubuntu and capture a few requests
for resolution?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No more random source port

2017-03-20 Thread Albert ARIBAUD
Bonjour,

Le Mon, 20 Mar 2017 20:54:51 +0200
Risto Suominen <risto.suomi...@gmail.com> a écrit:

> Hi Albert,
> 
> 2017-03-20 20:30 UTC+02.00, Albert ARIBAUD <albert.arib...@free.fr>:
> >
> > I don't know about dnsmasq per se, but the range of ports an
> > application can use is controlled by the kernel -- on my 16.04
> > Xubuntu, that is defined by /proc/sys/net/ipv4/ip_local_port_range.
> > Does your system limit this range?
> >  
> 32768 60999
> >
> > Not sure what you mean exactly. "Same port" as what?
> >  
> Same as in previous request. The router is another forwarder for the
> DNS requests (dnsmasq is the first).

(I don't see the point of this restriction but hey, that's TP-Link's
choice.)

> To give an example:
> 
> - $ host xxx 127.0.1.1 -> no response (via dnsmasq to router)
> - $ host xxx 192.168.1.1 -> response (directly to router)
> 
> The difference is that 'host' uses varying random source ports, and
> 'dnsmasq' uses one preallocated random source port.

Ok, so the OS is not limiting the ports per se.

You said the command line did not change. Which is it exactly? I
usually do a "cat /proc//cmdline | tr '\0' '\n'" to make
sure I see the real command line of the running dnsmasq.

> Risto

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No more random source port

2017-03-20 Thread Albert ARIBAUD
Hi Risto,

Le Mon, 20 Mar 2017 19:33:01 +0200
Risto Suominen  a écrit:

> Hi,
> 
> I'm running Lubuntu 16.04 with dnsmasq 2.75-1ubuntu0.16.04.1 under
> NetworkManager's control.
> 
> When forwarding DNS requests, dnsmasq uses same source port (per
> interface) every time.
> 
> Compared to Ubuntu 14.04 with dnsmasq 2.68-1ubuntu0.1, which used
> different ports.
> 
> The command line options for dnsmasq have not changed between these
> versions, and there is no config file either.
> 
> So, I wonder, is there some change in dnsmasq itself that could
> explain this behaviour change?

I don't know about dnsmasq per se, but the range of ports an application
can use is controlled by the kernel -- on my 16.04 Xubuntu, that is
defined by /proc/sys/net/ipv4/ip_local_port_range. Does your system
limit this range?

> My problem is that my 4G router (TP-Link TL-MR6400) won't answer to
> the requests coming from same port.

Not sure what you mean exactly. "Same port" as what?

> Risto

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] DHCP DISCOVER and DHCPACK on different subnets getting lost

2017-03-16 Thread Albert ARIBAUD
Hi Grant,

Le Thu, 16 Mar 2017 20:36:53 +1100
Grant Traynor  a écrit:

Only on this point:

> There is no DHCPNACK offered by dnsmasq?
> 
> It almost seems as though it's ignoring the subnet when it offers the
> IP address?

Dnsmasq will send DHCPNAKs only if it is configured as authoritative
(that is, it can assume that no other DNS server can answer). How is
yours configured?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Don't forward queries if another RR is present

2017-03-13 Thread Albert ARIBAUD
Hi,

A few inline comments.

Le Mon, 13 Mar 2017 11:51:44 -0400
Alex Xu  a écrit:

> I tried searching for this topic but only found tangentially related
> topics.
> 
> If we have "--host-record=example.com,127.0.0.1,", then "dig a
> example.com" will return 127.0.0.1 as expected. However, "dig 
> example.com" will return 2606:2800:220:1:248:1893:25c8:1946. In order
> to suppress this behavior, we must specify "--server=/example.com/",
> which has the side effect of additionally suppressing requests for
> subdomains, i.e. "dig a www.example.com" returns NODATA.
> 
> I think this behavior is highly counter-intuitive, but even worse is
> if some upstream has RR "example.com IN CNAME otherexample.com". Then,
> reportedly with some clients the CNAME may be cached separately and
> chased for a subsequent A query, thus resulting in a contradictory
> answer. Moreover, I believe this is a violation of RFC 1034 (section
> 3.6.2), which specifies:
> 
> > If a CNAME RR is present at a node, no other data should be
> > present; this ensures that the data for a canonical name and its
> > aliases cannot be different.  This rule also insures that a cached
> > CNAME can be used without checking with an authoritative server for
> > other RR types.  
> 
> In this case, I think we can reasonably interpret the first instance
> of "present" as meaning 'loaded in dnsmasq' and the second as
> 'returned for any query'. So for the previous example, since an 
> query returns a CNAME, A queries must also return CNAME, not any data
> for example.com.
> 
> Therefore, I believe this behavior should be changed so that queries
> are not forwarded if some RR known to dnsmasq exists for that name,
> possibly with some special directive implemented ("add-record"?) for
> the existing behavior. I doubt there is anybody relying on this
> behavior (possibly even more people expecting the opposite), but some
> global directive could also be added to do the right thing (or the
> wrong thing, having the right thing as default).

Am I right in thinking that the issue here is due to the host-record
specifying an IPv4 address without an IPv6 one?

IOW, with...

 host-record=example.com,127.0.0.1,::1

... there would not be a problem, right?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] resolving server's hostname

2017-02-19 Thread Albert ARIBAUD
Hi Carl,

Le Sat, 18 Feb 2017 21:53:52 -0600
Carl Karsten  a écrit:

> [...]
> 
> so if I set no-hosts, how does dnsmasq figure out how to resolve
> dc10b?

Just the same way it does any other machine; the fact that a machine is
a name server does not make its name(s) or IP address(es) any special
in the *content* of the zone it serves.

For instance:

- some zone admins will want the local DHCP and DNS server(s) to not
  have any entry in the local zone, because no machine in the LAN is
  supposed to need to refer to them by name.

- some zone admins will want to give the DHCP server the name "dhcp"
  and the DNS server the name "dns" because they want to be able to
  not remember the actual IP address for them.

- some zone admins will want every machine on the LAN to have a name
  which describes the make and model of the machine, e.g. "rpi-1234",
  and they want this to apply to servers too.

- etc.

So, really, as far as the zone contents are concerned, dnsmasq does not
care whether an entry in it is the DNS server, DHCP server, or neither.
If you want the local machines to know that dc10b is 10.20.1.3, then
you should have an entry in the zone for it. Whether you do that with
an /etc/hosts line, or you use no-hosts and put a host-record option in
your dnsmasq configuration file is up to you. Either method works.

> ore really, what should I be doing so that 'things work as I expect' ?

What you should do is define what you expect :) -- i.e. decide how you
want to manage the content of your LAN zone.

For instance, in my case I want the host running my dnsmasq known
by both a 'given name' and several functional names, and I want *all*
LAN host names in a single file different from the dnsmasq configuration
file, so I use addn-hosts to point dnsmasq to this file, which contains
among others the 'given' and functional names of the dnsmasq server
itself.

But how /you/ do it is really for /you/ to decide; the way /I/ do may
not fit your needs.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] resolving server's hostname

2017-02-18 Thread Albert ARIBAUD
Hi Carl,

Le Sat, 18 Feb 2017 09:31:19 -0600
Carl Karsten  a écrit:

> dc10b is the dnsmasq server

Ok; and I assume that you are running 'host' on another machine, right?

> I am using a modified version of this:
> https://anonscm.debian.org/git/debconf-video/ansible.git/tree/roles/dhcp-server

Can't say it tells me much. :)

> I haven't checked in the mods yet because things are still a little
> wonky. git diff ... skimmed, don't see anything that would affect
> dnsmasq.
> 
> juser@dc10b:~$ cat /etc/dnsmasq.d/local.conf
> ## Ansible managed
> 
> interface=eth-local
> domain=lca2017.lan
> dhcp-range=10.20.1.10,10.20.1.254,6h
> dhcp-option-force=210,/srv/tftp/
> dhcp-boot=pxelinux.0
> dhcp-authoritative
> enable-tftp
> tftp-root=/srv/tftp

And what's the /etc/hosts?

> Hmm, on an openwrt ap running dnsmasq:
> 
> root@tpap:~# cat /etc/resolv.conf
> search lan
> nameserver 127.0.0.1
> 
> root@tpap:~# cat /etc/hosts
> 127.0.0.1 localhost
> 
> root@tpap:~# nslookup tpap
> Server:127.0.0.1
> Address 1: 127.0.0.1 localhost
> Name:  tpap
> Address 1: 192.168.1.2 tpap.lan

What's 'tpap' supposed to be?

Anyway, my guess: your dnsmasq server has its own name listed in
its /etc/hosts with 127.0.1.1 as the matching IP, and your dnsmasq
config does not contain option no-hosts, so your dnsmasq uses
its /etc/hosts when resolving a name; ergo, it resolves its own name to
127.0.1.1.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] resolving server's hostname

2017-02-18 Thread Albert ARIBAUD
Hi Carl,

Le Fri, 17 Feb 2017 02:06:16 -0600
Carl Karsten  a écrit:

> juser@dc10b:~$ host dc10b
> dc10b has address 127.0.1.1
> 
> It should be 10.20.1.3
> 
> How do I make that happen?

Hmm... Can you elaborate on the context of your problem? This does not
happen to me -- my machine even has an entry in its own /etc/hosts with
its name tied to 127.0.0.1 but a host or dig will return its LAN
address.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Reading the dhcp.leases file

2017-02-11 Thread Albert ARIBAUD
Hi Sam,

Le Sat, 11 Feb 2017 16:06:55 -0600
Sam Weber  a écrit:

> In our system, when a change occurs to the DNS entries we want
> dnsmasq to respond to, we scan the directory of active entries and
> then grep the dhcp.leases file to see if the entry exists there.  If
> the entry is not found in the leases file, we omit it.  Once the scan
> and check is completed, we write a new hosts file and then send
> SIGHUP to dnsmasq so it knows to read the new file.  This works well
> most of the time.  Sometimes, however, a perfectly valid entry is not
> found in the dhcp.leases file so we incorrectly omit the entry from
> the dnsmasq hosts file.  We can see that the leases file gets written
> very often in our system, and we think that sometimes we must be
> reading the leases file whilst dnsmasq is writing it, resulting in
> our reading the file when a value of interest has not yet been
> written.  Is this idea of our sometimes reading an incomplete leases
> file a possibility?  Is there a workaround other than reading the
> leases file several times?

Not sure I understand your problem right, so I'll rephrase it and let
you tell me if that's what you do and want to happen:

- you have a list of names associated with IP addresses;

- you want to filter this list, keeping only the entries where the IP
  address is currently being leased;

- you want the filtered list to be used by dnsmasq in its name
  resolution process.

- you want the list to be kept up to date with the current leases.

- IOW, you want DHCP clients that get an IP which appears in your
  list to be assigned the corresponding name in the DNS, and you
  want the DNS to NOT map names in this list if the corresponding
  IP is not leased right now.

Is that it?

If so, /maybe/ dhcp-script is what you need or at least can help you
detect when you need to run your update, as it would give you a sign
that the leases just changed.

But it seems to me what you are doing is not really different from
what dnsmasq already does (i.e. reflecting DHCP names into the DNS) when
the MAC-to-IP mapping is done with static leases and each dhcp-host line
specifies a name.

If this is indeed what you are doing, then maybe you can achieve that
with options dhcp-hostsfile and dhcp-ignore-names.

You'd use dhcp-hostsfile to point to your list written as a list of
dhcp-host options, minus the "dhcp-host=" prefix.

You'd specify dhcp-ignore-names to make sure no host can overrule your
list and choose its own name in its DHCP requests.

You would then only have to tell dnsmasq whenever your list changes by
sending it SIGHUP, but you would not have to care about DHCP leases
being granted or released, as that is automatically reflected in the
DNS part of dnsmasq. 

HTH (again, IIUC)

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Conditional DNS response by source

2017-02-08 Thread Albert ARIBAUD
Hi,

Or if you want to keep a single LAN overall, you could run a second
dnsmasq instance on the same device but on a different (additional) LAN
IP, running DNS only, and configure the DHCP part of the original
dnsmasq instance to tag DHCP leases given to the children's machine(s) and
to pass such tagged clients the alternate IP as the DNS instead of the
original IP.

The second dnsmasq instance would only catch the youtube domain and use
the original instance as its upstream for anything else, so that any LAN
DNS record configured on the original dnsmasq would automatically be
seen by the children's machine(s) too.

Amicalement,
Albert.

Le Wed, 8 Feb 2017 00:53:24 +
Eric Luehrsen  a écrit:

> Correct  is used for DHCP options and network or host binding.
> DNS is not linked as such. If you are using OpenWrt/LEDE as your
> gateway, then you have an easier to use option. LEDE 17.01(RC)
> supports building dnsmasq instances on designated networks. So
> instead of HOME and GUEST SSID on your WiFi, you could have PARENT
> and CHILD SSID for example. Then configure dnsmasq uniquely to each.
> 
> https://lede-project.org/docs/user-guide/dns_configuration (keyword 
> instance)
> 
> 
> 
> On 02/07/2017 05:10 PM, Kevin Elliott wrote:
> > Hello,
> >
> > I would like to return a different DNS response according to source.
> > The objective is to override youtube.com  for
> > all queries from my children's devices to make a simple parental
> > control.
> >
> > dnsmasq DHCP supports tag sets, but as far as I can tell the tag
> > conditional switch does not apply to any of the DNS config, e.g.
> > forward DNS queries from hosts with tag X to server Y.
> >
> > Is anything like this possible with dnsmasq?
> >
> > I thought about running a 2nd dns server on a different port and use
> > dhcp dns-server option to redirect but I couldn't see how to
> > specify a non-standard port in the DHCP dns-server option either.
> >
> > Thanks for any advice,
> > Kevin
> >

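The two-instance layout sketched in the reply above, written out as an added example (not configuration from the thread). The addresses, the tagged MAC and the file names are placeholders; youtube.com is the domain the thread wants overridden, and the second instance forwards everything else to the first so the LAN records stay visible to the tagged clients.

```conf
# --- /etc/dnsmasq.conf : original instance, DHCP + DNS on 192.168.1.1 ---
bind-interfaces
listen-address=192.168.1.1
dhcp-range=192.168.1.100,192.168.1.200,12h
# tag the children's devices by MAC (placeholder MAC)
dhcp-host=02:00:00:aa:bb:cc,set:child
# tagged clients receive the second instance as DNS server (DHCP option 6);
# untagged clients keep the default, which is this instance's own address
dhcp-option=tag:child,option:dns-server,192.168.1.2
# the real upstream resolver (placeholder)
server=192.0.2.1

# --- /etc/dnsmasq-child.conf : second instance, DNS only on the added address ---
# start it with: dnsmasq --conf-file=/etc/dnsmasq-child.conf
bind-interfaces
listen-address=192.168.1.2
pid-file=/run/dnsmasq-child.pid
no-resolv
no-hosts
# no dhcp-range here, so this instance never answers DHCP
# the one override: youtube.com and its subdomains get an unroutable answer
address=/youtube.com/0.0.0.0
# everything else goes to the original instance, which holds the LAN records
server=192.168.1.1
```

A client that configures its own DNS server ignores the DHCP-supplied one, so this separates clients by lease, not by source address.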


Re: [Dnsmasq-discuss] dnsmasq always answer dhcp NAK

2017-01-21 Thread Albert ARIBAUD
Hi again Nikita,

Le Sat, 21 Jan 2017 00:19:02 -0800
"Nikita N."  a écrit:

> Hi,
> yes indeed, we are facing some kind of "stochastic bug", which happens
> randomly, otherwise that client network driver works usually fine.
> Also yes, that network card is not produced anymore, nor is there any
> bug support from the producer.
> Anyway, too bad dnsmasq can't handle this.
> I was in fact hoping dnsmasq would handle this too, because it is very
> similar to the cases when a client changes network (routed
> correctly, no bug) when dnsmasq already answers such cases with a
> NAK+Message=wrong network.
> 
> Otherwise, the last resource I have (beside reboot) is forging a fake
> DHCP NAK with some hacker net tool... it feels awful even just typing
> it, isn't it... :P
> Albert thanks, do you know of such specific alternate "standalone
> daemon which would spy on the DHCP traffic" you can suggest me (under
> linux of course)?
> Or an easy net tool to easily forge fake UDP frames you can suggest?
> Thanks

I assume you mean you don't want to actually code such a daemon in a
compilable language such as C, and are instead looking for something to
just install and configure without too much hassle?

Then there is scapy, a Python swiss-army-knife network application. Its
man page says it can replace "hping, parts of nmap, arpspoof,
arp-sk, arping, tcpdump, tshark, p0f, ..."

See http://www.secdev.org/projects/scapy/demo.html for an introduction.
It shows interactive uses, but this being Python, scapy is scriptable.
It is also testable: you can feed it a pcap file and have it output to
a pcap file too. It knows DHCP at least to some point.

You should quite probably be able to write a script that recognizes
DHCP REQUESTs with mismatching IP layer and DHCP layer IPv4 addresses,
and craft the corresponding DHCP NAKs.

If, however, resources are scarce (e.g., in an embedded product), then
maybe you would be better off developing a C language daemon (possibly
based on libpcap if this library is already present on the DHCP server
machine).

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq always answer dhcp NAK

2017-01-20 Thread Albert ARIBAUD
Hi again Nikita,

Le Fri, 20 Jan 2017 13:24:10 -0800
"Nikita N."  a écrit:

> Hi Albert,
> thank you for your answer, but my config already has
> --dhcp-authoritative.

OK, then. Have you tested that it does indeed work? (And have you also
tested that the normal/correct DHCP leasing scenario indeed works?)

> I will try to explain the problem in more details, showing the
> Wireshark-style "bugged" frame, popping up on the wire:
> -Ethernet II, Src: correct_mac_aa:bb:cc (mac_client), Dst:
> correct_gateway_dd:ee:ff (mac_gateway)
> -Internet Protocol Version 4, Src: 1.2.3.4 (1.2.3.4), Dst: 10.0.0.1
> (correct_gateway_ip)
> -User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)
> -Bootstrap Protocol (Request)
> --Client IP address: 1.2.3.4 (1.2.3.4)
> --Your (client) IP address: 1.2.3.4 (1.2.3.4)
> --Client MAC address: correct_mac_aa:bb:cc (mac_client)
> --Option: (53) DHCP Message Type (Request)
> --Option: (61) Client identifier
> --Option: (60) Vendor class identifier
> --Option: (55) Parameter Request List
> ---Parameter Request List Item: (1) Subnet Mask
> ---Parameter Request List Item: (121) Classless Static Route
> ---Parameter Request List Item: (33) Static Route
> ---Parameter Request List Item: (3) Router
> ---Parameter Request List Item: (6) Domain Name Server
> ---Parameter Request List Item: (15) Domain Name
> ---Parameter Request List Item: (28) Broadcast Address
> ---Parameter Request List Item: (51) IP Address Lease Time
> ---Parameter Request List Item: (58) Renewal Time Value
> ---Parameter Request List Item: (59) Rebinding Time Value
> ---Parameter Request List Item: (119) Domain Search
> --Option: (255) End
> 
> The mac correct_mac is the correct mac of the bugged client, that is
> always correct.
> The ip 1.2.3.4 is the bug, this value changes randomly time by time
> (no workaround), it can be anything: but luckily is coherent (same)
> in the relevant positions of the single DHCP frame.

And it always matches the IP layer address? Because if it does, then
the frame is valid; that is what a machine moved from one subnet to
another might do, and a DHCP server (dnsmasq or other) is designed to
handle this.

> Finally, as you notice, the relevant "Option: (50) Requested IP
> Address" is always missing.

IIUC option 50 is not required, so I don't think its absence causes
dnsmasq to skip answering this.

> What I need is: dnsmasq sends a DHCP Answer NAK with
> Dst:correct_mac_aa:bb:cc (and possibly also ip Dst:1.2.3.4 whatever)
> How can I set this?

That's what --dhcp-authoritative is about. Hence my suggestion to
test with a working client that the server is indeed running in
authoritative mode.

> Thanks

Amicalement,
-- 
Albert.

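The validity test in the reply above (does the DHCP-layer ciaddr agree with the IP-layer source?) and the strict-RFC versus authoritative behaviour discussed in this thread, as an added Python example that is neither dnsmasq code nor anything posted in the thread. It builds a REQUEST shaped like the Wireshark dump, parses it, and reports what each server mode would answer; the MAC, addresses, served subnet and lease table are constructed placeholders, and the reply table follows the thread's description of --dhcp-authoritative rather than dnsmasq's source.

```python
"""Classify a DHCPv4 REQUEST as a strict-RFC server and an authoritative one would."""
from __future__ import annotations

import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_END = 0, 50, 53, 255
DHCPREQUEST = 3
ZERO = ipaddress.IPv4Address("0.0.0.0")


def build_request(mac: str, ip_src: str, ciaddr: str, requested_ip: str | None = None) -> tuple[str, bytes]:
    """Constructed sample: a DHCPREQUEST shaped like the dump in the thread
    (ciaddr filled in, option 50 absent unless requested_ip is given)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    header += ipaddress.IPv4Address(ciaddr).packed + b"\x00" * 12     # ciaddr; yiaddr/siaddr/giaddr zero
    header += chaddr + b"\x00" * 64 + b"\x00" * 128                   # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if requested_ip:
        options += bytes([OPT_REQUESTED_IP, 4]) + ipaddress.IPv4Address(requested_ip).packed
    options += bytes([55, 4, 1, 3, 6, 15])                            # parameter request list (shortened)
    return ip_src, header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(payload: bytes) -> dict:
    """Return ciaddr, the client MAC and a {code: raw value} map of the options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = payload[2]
    options = {}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "ciaddr": ipaddress.IPv4Address(payload[12:16]),
        "chaddr": payload[28:28 + hlen].hex(":"),
        "options": options,
    }


def classify(ip_src: str, payload: bytes, served: str, known_leases: set[tuple[str, str]]) -> dict:
    """Report the client state and the reply of a strict server vs. an authoritative one."""
    pkt = parse_dhcp(payload)
    opts = pkt["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return {"state": "not-a-request"}
    ciaddr = pkt["ciaddr"]
    requested = opts.get(OPT_REQUESTED_IP)
    if requested is not None:
        state, claimed = "init-reboot/selecting", ipaddress.IPv4Address(requested)
    else:
        state, claimed = "renewing/rebinding", ciaddr           # no option 50: ciaddr carries the address
    verdict = {"state": state, "claimed": str(claimed), "mac": pkt["chaddr"]}
    if ciaddr != ZERO and ciaddr != ipaddress.IPv4Address(ip_src):
        # IP layer and DHCP layer disagree: a damaged frame that neither mode can sensibly answer
        verdict.update(reason="ciaddr differs from IP source", strict="silent", authoritative="silent")
    elif claimed not in ipaddress.ip_network(served):
        # the "wrong network" case: per the thread, a NAK only comes from an authoritative server
        verdict.update(reason="wrong network", strict="silent", authoritative="DHCPNAK")
    elif (pkt["chaddr"], str(claimed)) in known_leases:
        verdict.update(reason="known lease", strict="DHCPACK", authoritative="DHCPACK")
    else:
        # unknown lease from an unknown host: strict RFC ignores it, authoritative rebuilds the lease
        verdict.update(reason="unknown lease", strict="silent", authoritative="DHCPACK")
    return verdict


if __name__ == "__main__":
    leases = {("02:00:00:aa:bb:cc", "10.0.0.50")}            # constructed lease table
    samples = [
        build_request("02:00:00:aa:bb:cc", "1.2.3.4", "1.2.3.4"),        # the bugged frame from the thread
        build_request("02:00:00:aa:bb:cc", "10.0.0.50", "10.0.0.50"),    # ordinary renewal
        build_request("02:00:00:aa:bb:cc", "10.0.0.51", "10.0.0.50"),    # layers disagree
    ]
    for src, pkt in samples:
        print(classify(src, pkt, "10.0.0.0/24", leases))
```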


Re: [Dnsmasq-discuss] dnsmasq always answer dhcp NAK

2017-01-20 Thread Albert ARIBAUD
Le Fri, 20 Jan 2017 11:20:17 -0800
"Nikita N."  a écrit:

> Hi,
> I would like to know what is the setting, to force dnsmasq to *ALWAYS*
> answer every wrong/bugged DHCP Request, with a standard DHCP NAK.
> I have a bugged client which randomly (bugged driver) sends DHCP
> Requests with a wrong/bugged IP, dnsmasq default behavior is not to
> answer nothing: unfortunately when that happens the client hangs
> forever waiting for the DHCP answer (only workaround is reboot).
> Now, I want to force dnsmasq to answer NAK to every wrong/bugged DHCP
> request incoming (instead of keeping silent).
> Thanks.

Hi Nikita,

As per 'man dnsmasq', what you want is probably --dhcp-authoritative.
The man page says this about it:

Should be set when dnsmasq is definitely the only DHCP server
on a network. For DHCPv4, it changes the behaviour from strict
RFC compliance so that DHCP requests on unknown leases from
unknown hosts are not ignored. This allows new hosts to
get a lease without a tedious timeout under all
circumstances. It also allows dnsmasq to rebuild its lease
database without each client needing to reacquire a lease, if
the database is lost. For DHCPv6 it sets the priority in
replies to 255 (the maximum) instead of 0 (the minimum).

Note however that this will do what you want or not, depending on what
you mean by 'bugged'. If you mean "a request that could be legitimate
in some circumstances but is not valid here", then --dhcp-authoritative
will do the job. If you mean "a request which may have been randomly
damaged" then there's no way dnsmasq will catch all these.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-15 Thread Albert ARIBAUD
Hi Weedy,

Le Sun, 15 Jan 2017 17:23:18 -0500
Weedy  a écrit:

> >> http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html#lbAG
> >>
> >> An API of sorts was added some time last year  
> >
> > I've gone through the NOTES section you are referring to, but I
> > don't see exactly which API you are referring to. Could you provide
> > more precise indications?  
> 
> I was talking about "statistics are also available in the DNS as
> answers to queries of class CHAOS and type TXT in domain bind". Which
> is why I said API of sorts.

Hey, it does indeed work!

$ dig +short chaos txt servers.bind
"fe80:::::%enp4s0#53 144 0" "192.168.x.x#53 126 0"

> You already went into detail on DBus control, that would be considered
> a more legit API

I would not say one is 'more legit' than the other, as both are
legitimate uses of valid protocol features; and yours has the advantage
that it's easier to parse.

Thanks!

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-15 Thread Albert ARIBAUD
Hi Chris,

Le Sun, 15 Jan 2017 20:31:28 +
Chris Green <c...@isbd.net> a écrit:

> On Sun, Jan 15, 2017 at 04:54:11PM +0100, Albert ARIBAUD wrote:
> > Bonjour,
> > 
> > Le Sun, 15 Jan 2017 12:36:47 +
> > Chris Green <c...@isbd.net> a écrit:
> >   
> > > On Sun, Jan 15, 2017 at 12:14:42PM +0100, Albert ARIBAUD wrote:  
> > > > > > - read the configuration file(s) dnsmasq uses and find
> > > > > > "server=" lines in it, and read the /etc/resolv* tree, if
> > > > > > dnsmasq uses them, and that will give the list of servers
> > > > > > dnsmasq uses at any point in time.
> > > > > >   
> > > > > There aren't any! These are systems where dnsmasq is run by
> > > > > Network Manager rather than directly, thus there is no specific
> > > > > dnsmasq configuration file.
> > > > 
> > > > ... and then the configuration is known from the dnsmasq process
> > > > command line. So let me amend my statement above: "... read the
> > > > configuration options, from the dnsmasq process command line if
> > > > it contains any, and from the configuration file or files if
> > > > applicable".   
> > > chris@t430$ ps -ef | grep dnsmasq
> > > nobody    1579  1031  0 Jan14 ?  00:00:01 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground
> > > --no-hosts --bind-interfaces
> > > --pid-file=/var/run/NetworkManager/dnsmasq.pid
> > > --listen-address=127.0.1.1 --cache-size=0 --conf-file=/dev/null
> > > --proxy-dnssec
> > > --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> > > --conf-dir=/etc/NetworkManager/dnsmasq.d
> > > chris@t430$ 
> > > 
> > > 
> > > ... and there's nothing in /etc/NetworkManager/dnsmasq.d  
> > 
> > Then Network Manager sets the DNS via DBus, as the configuration
> > (on command line) allows it. You can most probably find which DNS
> > servers are set by spying on DBus, using dbus-monitor. You can even
> > set up a bash script which shows a list of them in real time.
> >   
> Is there any description anywhere of how to do this?

A ready-made solution with zero effort? No, there is none.

A solution with some effort? In my case, 10 minutes of searching how to
filter dbus-monitor by interface, starting with near-zero knowledge of
DBus, and strictly zero knowledge of dbus-monitor, and ending up with
the following proof-of-concept running on my machine:

1. Run this command in a shell:

sudo dbus-monitor --system \
"interface=org.freedesktop.NetworkManager.dnsmasq"

(your interface may not be the same; run

dbus-send --system --dest=org.freedesktop.DBus
--type=method_call --print-reply /org/freedesktop/DBus
org.freedesktop.DBus.ListNames | grep dnsmasq

and you'll know the interface to use.)

2. Force a connection renewal through Network Manager (or by unplugging
   and replugging the client's RJ45 if that's how it gets network
   access).

3. See the dbus-monitor running in the shell display dumps of the
   SetServersEx method calls, complete with server IPs as arguments.

If you want to automate that, you'll need to do some parsing. Or maybe
use Python, which provides a dbus module; this should make extracting
the method arguments easier.

Kind regards,
-- 
Albert.
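A way to automate step 3 above without DBus bindings: feed the dbus-monitor text to a small parser that pulls the server groups out of each SetServersEx call. This is an added example, not code from the thread, from dnsmasq or from NetworkManager. It assumes dbus-monitor's default text layout (one unindented header line per message, indented `array [` / `string "..."` / `]` lines for the arguments) and that SetServersEx takes an array of arrays of strings, the first string of each group being the server and the rest the domains routed to it; the sample below, including the interface name uk.org.thekelleys.dnsmasq and the two calls, is constructed, not a real capture.

```python
"""Pull the upstream servers NetworkManager hands to dnsmasq out of dbus-monitor output."""

# Constructed sample of `dbus-monitor --system` text output (not a real capture). The second
# SetServersEx call mimics the VPN case from the thread: a renewal adds a server scoped to one domain.
SAMPLE = """\
signal time=1484500000.001 sender=org.freedesktop.DBus -> destination=:1.42 serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
   string ":1.42"
method call time=1484500001.123 sender=:1.5 -> destination=org.freedesktop.NetworkManager.dnsmasq serial=17 path=/uk/org/thekelleys/dnsmasq; interface=uk.org.thekelleys.dnsmasq; member=SetServersEx
   array [
      array [
         string "192.0.2.53"
      ]
   ]
method return time=1484500001.125 sender=:1.42 -> destination=:1.5 serial=9 reply_serial=17
method call time=1484500900.500 sender=:1.5 -> destination=org.freedesktop.NetworkManager.dnsmasq serial=31 path=/uk/org/thekelleys/dnsmasq; interface=uk.org.thekelleys.dnsmasq; member=SetServersEx
   array [
      array [
         string "192.0.2.53"
      ]
      array [
         string "10.8.0.1"
         string "corp.example"
      ]
   ]
method return time=1484500900.502 sender=:1.42 -> destination=:1.5 serial=10 reply_serial=31
"""


def parse_set_servers_ex(text):
    """Return one entry per SetServersEx call: a list of [server, domain, domain, ...] groups."""
    calls, in_call, depth, groups, current = [], False, 0, [], None
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented: a new message header line
            if in_call:
                calls.append(groups)
            in_call = "member=SetServersEx" in line
            depth, groups, current = 0, [], None
            continue
        if not in_call:
            continue
        item = line.strip()
        if item.startswith("array ["):
            depth += 1
            if depth == 2:                          # inner array: one server group
                current = []
        elif item == "]":
            if depth == 2:
                groups.append(current)
                current = None
            depth -= 1
        elif item.startswith("string ") and depth == 2:
            current.append(item[len("string "):].strip('"'))
    if in_call:                                     # flush a call that ends at EOF
        calls.append(groups)
    return calls


def current_upstreams(text):
    """The most recent SetServersEx call wins: that is what dnsmasq is using now."""
    calls = parse_set_servers_ex(text)
    if not calls:
        return []
    return [{"server": g[0], "domains": g[1:]} for g in calls[-1] if g]


if __name__ == "__main__":
    import sys
    # usage: sudo dbus-monitor --system "destination=org.freedesktop.NetworkManager.dnsmasq" | python3 nm_upstreams.py
    # (reads to EOF, so stop dbus-monitor with Ctrl-C once a SetServersEx call has been seen)
    for entry in current_upstreams(sys.stdin.read()):
        print(entry["server"], *entry["domains"])
```

Pipe a live monitor into it as in the usage comment (the `destination=` match rule is an assumption on my part; Albert's `interface=` filter above is the one he reports working), force a renewal, stop the monitor, and the last call printed is the upstream set dnsmasq holds right now. Monitoring the system bus needs root, which is also why NetworkManager's instance is hard to inspect from an unprivileged shell.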


Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-15 Thread Albert ARIBAUD
Hello,

On Sun, 15 Jan 2017 12:36:47 +, Chris Green <c...@isbd.net> wrote:

> On Sun, Jan 15, 2017 at 12:14:42PM +0100, Albert ARIBAUD wrote:
> > > > - read the configuration file(s) dnsmasq uses and find "server="
> > > >   lines in it, and read the /etc/resolv* tree, if dnsmasq uses
> > > > them, and that will give the list of servers dnsmasq uses at any
> > > > point in time.
> > > > 
> > > There aren't any! These are systems where dnsmasq is run by
> > > Network Manager rather than directly, thus there is no specific
> > > dnsmasq configuration file.  
> > 
> > ... and then the configuration is known from the dnsmasq process
> > command line. So let me amend my statement above: "... read the
> > configuration options, from the dnsmasq process command line if it
> > contains any, and from the configuration file or files if
> > applicable". 
> chris@t430$ ps -ef | grep dnsmasq
> nobody    1579  1031  0 Jan14 ?  00:00:01 /usr/sbin/dnsmasq
> --no-resolv --keep-in-foreground --no-hosts --bind-interfaces
> --pid-file=/var/run/NetworkManager/dnsmasq.pid
> --listen-address=127.0.1.1 --cache-size=0 --conf-file=/dev/null
> --proxy-dnssec
> --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> --conf-dir=/etc/NetworkManager/dnsmasq.d
> chris@t430$ 
> 
> 
> ... and there's nothing in /etc/NetworkManager/dnsmasq.d

Then Network Manager sets the DNS via DBus, as the configuration
(on command line) allows it. You can most probably find which DNS
servers are set by spying on DBus, using dbus-monitor. You can even set
up a bash script which shows a list of them in real time.

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-15 Thread Albert ARIBAUD
On Sun, 15 Jan 2017 09:58:38 +0100, Albert ARIBAUD <albert.arib...@free.fr> wrote:

> Speaking of which, my first hunch re your problem is that it's not a
> dnsmasq problem, but a problem with the client's networking
> configuration. I suspect it connects through some VPN and gets an
> additional (or replacement) DNS, and that at some point the VPN
> connection goes bad and the client reverts (in part or in full) to its
> original DNS.

... or it could be that the VPN connection still runs OK but your
client screwed up its DNS setup upon renewal of its local DHCP lease.

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-15 Thread Albert ARIBAUD
Hi Lars,

On Sun, 15 Jan 2017 10:21:01 +0200, Lars Noodén <lars.noo...@gmail.com> wrote:

> On 01/15/2017 09:55 AM, Albert ARIBAUD wrote:
> > Hi Lars,
> > 
> > On Sat, 14 Jan 2017 20:18:13 +0200, Lars Noodén <lars.noo...@gmail.com> wrote:
> >...  
> >>  Because it's not my system and it is remote, I
> >> have to go step by step, slowly.  
> > 
> > ... Do you mean that you have good control of the remote system but
> > have to go there physically to run tests, or that you do not have
> > control of the system and must ask someone else to perform tests
> > there? This makes a difference in the way you can run your tests  
> 
> I have to describe the steps in e-mail and they are then carried out
> on site by a non-technical person.

Argh.

> >> Since everything on that system, in
> >> regards to DNS, is going via Dnsmasq, I'd like to see what it has
> >> loaded and is using.  
> > 
> > This bring me back to your description of the bug above: "somewhere
> > early on the DNS fails". What do you mean with that? Did you check
> > that the client keeps sending DNS requests to your dnsmasq?  
> 
> The client application (Blink) will apparently default to Google's DNS
> if it cannot connect to the server right away.  What's happening is
> that half the time DNS replies, half the time it times out.  Thus the
> client can start to register with the SIP server, but then fails to
> publish its presence or be able to initiate a call.
> 
> > ... Or is
> > it that they come back from your dnsmasq with an error code for
> > domains which you know your dns should resolve properly?  
> 
> It seems to be this -- sometimes.
> 
> So is the short answer that there's no direct or easy way to poll a
> running Dnsmasq instance and see what it's pointing to?  If so, then
> I'll not bother the list more with this issue.  However, may I put in
> a feature request if there is a wish list?

See my other replies, but I'll make the main suggestion: the way to get
the info you want (and more, which might be useful for your diagnostics)
is to run tcpdump on the dnsmasq host on the "any" interface (or run
two tcpdumps, one on the interface used to talk to the client, one on
the interface used to talk to the Internet) with a capture filter set
for DHCP and DNS protocols, and write the capture into a file (or two,
if running two tcpdump instances). Then if you have two captures you
can use Wireshark's mergecap tool to merge them into a single one. Last,
you open the single capture file in Wireshark and see:

- whether your client was sent out a DHCP reply configuring DNS servers

- which DNS requests your client sent to dnsmasq

- which DNS requests your dnsmasq sent to which upstream server

- which DNS replies your dnsmasq received from which upstream server

- which DNS replies your client received from dnsmasq

That's the info you're asking for (of course, I assume you have control
of the host running dnsmasq) and much more. The method can be useful
for diagnosing other network or protocol issues as well.

Speaking of which, my first hunch re your problem is that it's not a
dnsmasq problem, but a problem with the client's networking
configuration. I suspect it connects through some VPN and gets an
additional (or replacement) DNS, and that at some point the VPN
connection goes bad and the client reverts (in part or in full) to its
original DNS.

In any case, the test above will give you a hint about that too: if you
see that the client stops sending requests at some point, you can
pretty much conclude it stopped using your dnsmasq as its DNS (you can
even know when it last did, and compare that with logs from the client
if you can get the non-tech person to do it).

BTW: I suspect there is no way to get the non-tech person to install a
remote access client (even ssh would be enough) and also no way for
you to get root privileges on it?

> Regards,
> /Lars

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-15 Thread Albert ARIBAUD
Hi Chris,

On Sat, 14 Jan 2017 19:27:28 +, Chris Green wrote:

(re getting dnsmasq to say which upstream servers it uses)

> Why is is so difficult to provide this information?  At the very least
> it would provide a confidence check that all is working as intended.
> It might very well help if something isn't working too.

It is not difficult at all to get this information. It's just that
dnsmasq does not provide any "API" to get it, because it's easy to get
it otherwise for diagnosis purposes.

For diagnosis, the operator can:

- read the configuration file(s) dnsmasq uses and find "server="
  lines in it, and read the /etc/resolv* tree, if dnsmasq uses them,
  and that will give the list of servers dnsmasq uses at any point in
  time.

- log DNS queries, which will give the additional info about
  which client actually queried dnsmasq, which queries were cached vs
  sent upstream (to which server), and what the answer was.

- run tcpdump or wireshark on the dnsmasq host or on the DNS client (or
  both for troubleshooting e.g. timing-related issues). This will give
  a full view of DNS exchanges on the considered machine, to the last
  bit, literally.

So, from a diagnosis point of view, pulling the actual list of servers
from a running dnsmasq is not that much of a need.

I don't mean to say that such an "API" would be unneeded for other
requirements than network troubleshooting, and if it existed, I would
use and suggest it for troubleshooting too; but here, I mean to say
that helping solving Lars' problem does not require such an "API".

I feel that Lars' question was more "How can I troubleshoot my possibly
dnsmasq-related issue?" rather than "How can I find which servers my
dnsmasq uses?", and for this, we have the means above, which encompass
the one Lars asks for and go well beyond -- plus, the first step to
troubleshooting an issue is to get the situation as precise as
possible, possibly ignoring the initially assumed cause (here the list
of upstream servers may be actually correct and the issue may be on the
client side, so the "API" question should be set aside, and getting a
more precise view of the issue should come first).

> For example if my machine can't connect to another machine on the LAN
> but can see the outside world it suggests it's getting DNS from
> something other than my Pi DNS server.  If I could check what DNS it
> is using then it would confirm that either it has got it's DNS set up
> from somewhere else or that it has got the right DNS (the Pi) but that
> the Pi is set up wrong somehow.

This case can be tested (and boy do I know it) with the host command on
the client as Jim suggested (although I personally use dig).

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-14 Thread Albert ARIBAUD
Hi again Chris,

On Sat, 14 Jan 2017 16:06:39 +, Chris Green <c...@isbd.net> wrote:

> On Sat, Jan 14, 2017 at 03:40:52PM +0100, Albert ARIBAUD wrote:
> > > I've not spotted anything in the manual page that stands out for
> > > that purpose.  
> > 
> > There is not much point for it, is there? I mean, if dnsmasq has
> > upstream servers (possibly per request domain) and acts as a local
> > server, it is so that DNS clients on the LAN do *not* have to know
> > these upstream servers.
> > 
> > Or maybe I am missing something. What is your use case?
> >   
> Well for one it's useful to be able to check whether dnsmasq is using
> a sensible DNS server.  

Whatever server dnsmasq uses, it does so because its configuration
tells it to. The servers in this configuration are there either
because they were put in there by the dnsmasq host admin (e.g., for
handling unqualified names as LAN names), or because the host has one
or more interfaces on which it is a DHCP client, not server, and the
actual DHCP server announces a DNS server which e.g. the Network
Manager added to the dnsmasq config. Do you see another case?

> On my home LAN I have a full dnsmasq running on a Raspberry Pi and
> point all the other systems at that for DNS.  The other systems
> include a number of xubuntu Linux systems which run the 'local only'
> dnsmasq which is run automatically by Network Manager.

Pretty much the same here on the very machine I am typing on right
now except my LAN's dnsmasq does not run on a RPi. :)

> Thus in my case, to prove that everything is working as intended, I'd
> like to be able to see that all systems (except the Raspberry Pi) are
> using the Raspberry Pi as their DNS server.  In addition I might also
> want to check what upstream servers the Pi is using.

I don't understand your problem... The local dnsmasq on my Xubuntu
machine takes its servers from its only source of DNS server IPs: the
DHCP (and RA) info it receives from my LAN's dnsmasq, and I control that
(as you control that on your RPi's dnsmasq), therefore I *know* which
DNS servers my Xubuntu machine can use.

Why do you think any of your Xubuntu machine would use a DNS server it
was not provided through DHCP or RA ?

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Finding actual DNS server used

2017-01-14 Thread Albert ARIBAUD
Hi Lars,

On Sat, 14 Jan 2017 14:40:14 +0200, Lars Noodén wrote:

> How can I get an already running instance of Dnsmasq to tell which DNS
> servers it is using to resolve new queries upstream?
> 
> Specifically how can this be done in distros like Ubuntu and Linux
> Mint, which have setups like this::
> 
> # cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 127.0.1.1
> 
> 
> # ps auxw |grep dnsmasq
> nobody    2711  0.0  0.0  31028  3276 ?  S  13:27  0:00
> /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts
> --bind-interfaces
> --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid
> --listen-address=127.0.1.1
> --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0
> --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> --conf-dir=/etc/NetworkManager/dnsmasq.d
> 
> I've not spotted anything in the manual page that stands out for that
> purpose.

There is not much point for it, is there? I mean, if dnsmasq has
upstream servers (possibly per request domain) and acts as a local
server, it is so that DNS clients on the LAN do *not* have to know
these upstream servers.

Or maybe I am missing something. What is your use case?

> Regards,
> Lars

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Should every allocated (by DHCP) address be in /var/lib/misc/dnsmasq.leases?

2017-01-11 Thread Albert ARIBAUD
Hi Chris,

On Wed, 11 Jan 2017 15:09:54 +, Chris Green wrote:

> I have a mystery IP on my LAN which looks as if it has been allocated
> by my dnsmasq process but it isn't in /var/lib/misc/dnsmasq.leases.
> 
> Is there anywhere else that I could look to see how/when dnsmasq
> allocated an IP?
>
> This is a small home LAN running on 192.168.1.xxx subnet with dnsmasq
> running on a raspberrypi.

If your dnsmasq's config has --log-dhcp, then you should find IP
allocations mentioned in your syslog (or whatever is systemd's
equivalent if applicable).

Otherwise yes, /var/lib/misc/dnsmasq.leases contains all leases
currently in use (IIRC, when a client properly drops the lease, it is
removed from the file).

Now, just because there is an IP on your network which is within your
dnsmasq's DHCP range does not mean it has been allocated by it. It
could just as well be that some host decided to use this IP on your
network.

Kind regards,
-- 
Albert.
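A check for the "mystery IP" case above: read the lease file and the ARP table of the dnsmasq host and flag addresses inside the DHCP range that dnsmasq never leased, or that are answered by a different MAC than the lease holder. This is an added example, not code from the thread or from dnsmasq; it assumes the five-field layout of /var/lib/misc/dnsmasq.leases (expiry as epoch seconds with 0 for an infinite lease, MAC, IP, hostname, client-id, with `*` for unknown values) and the /proc/net/arp layout. Both samples are constructed, and the range bounds are placeholders.

```python
"""Cross-check dnsmasq's lease file against the host's ARP table for addresses in the DHCP range it never handed out."""
import ipaddress

# Constructed sample of /var/lib/misc/dnsmasq.leases (not a real file). One lease per line:
# expiry (epoch seconds, 0 = infinite), MAC, IP, hostname ('*' if unknown), client-id ('*' if none)
LEASES = """\
1484600000 b8:27:eb:11:22:33 192.168.1.50 pi-zero 01:b8:27:eb:11:22:33
1484603600 3c:97:0e:44:55:66 192.168.1.51 laptop *
1484400000 f0:9f:c2:77:88:99 192.168.1.52 * *
"""

# Constructed sample of /proc/net/arp on the dnsmasq host (flags 0x2 = complete entry)
ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.50     0x1         0x2         b8:27:eb:11:22:33     *        eth0
192.168.1.51     0x1         0x2         aa:aa:aa:aa:aa:aa     *        eth0
192.168.1.52     0x1         0x2         f0:9f:c2:77:88:99     *        eth0
192.168.1.77     0x1         0x2         de:ad:be:ef:00:01     *        eth0
192.168.1.78     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_leases(text, now):
    """Map IP -> (mac, hostname, expired) for every lease line."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        expiry, mac, ip = int(parts[0]), parts[1].lower(), parts[2]
        hostname = parts[3] if len(parts) > 3 and parts[3] != "*" else None
        leases[ip] = (mac, hostname, expiry != 0 and expiry <= now)
    return leases


def parse_arp(text):
    """Map IP -> MAC for complete neighbour entries; incomplete ones carry no usable MAC."""
    neighbours = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4 and int(parts[2], 16) & 0x2:
            neighbours[parts[0]] = parts[3].lower()
    return neighbours


def audit(leases_text, arp_text, range_start, range_end, now):
    """Classify every neighbour inside the DHCP range against the lease file."""
    lo, hi = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    leases = parse_leases(leases_text, now)
    findings = {"unleased": [], "mac_mismatch": [], "expired_but_present": []}
    for ip, mac in sorted(parse_arp(arp_text).items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if not lo <= ipaddress.ip_address(ip) <= hi:
            continue                         # outside the range: not dnsmasq's to hand out
        if ip not in leases:
            findings["unleased"].append(ip)  # the "mystery IP": in range, never leased by dnsmasq
        else:
            leased_mac, _, expired = leases[ip]
            if leased_mac != mac:
                findings["mac_mismatch"].append(ip)         # another MAC answers for a leased address
            elif expired:
                findings["expired_but_present"].append(ip)  # client kept the address past its lease
    return findings


if __name__ == "__main__":
    import time
    with open("/var/lib/misc/dnsmasq.leases") as f, open("/proc/net/arp") as a:
        print(audit(f.read(), a.read(), "192.168.1.50", "192.168.1.150", int(time.time())))
```

An address under `unleased` is exactly what Albert describes: something on the LAN took it without asking dnsmasq, so the lease file cannot say when or why; `--log-dhcp` in syslog is the place to look if it was in fact leased and later dropped. The ARP table only lists hosts the dnsmasq box has talked to recently, so sweep the range first (for instance with arping or nmap -sn) if the check is to be complete.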


Re: [Dnsmasq-discuss] How to answer DNS for a host that has not gotten a lease?

2016-12-29 Thread Albert ARIBAUD
Hi,

On Thu, 29 Dec 2016 07:58:26 +, John Hanks wrote:

> Hi,
> 
> I frequently set up static dhcp-host entries for hosts that won't
> boot for some time or may go away for long periods but I'd still like
> to have dnsmasq respond to DNS queries based on this host/static IP.
> Currently I accomplish this by having a script which parses my
> dhcp-host entries and builds a host file for all the entries. Is
> there any way to tell dnsmasq to answer for hosts that may not
> have gotten a dhcp lease yet so that I don't need to do this
> double-entry?

Er... If the DHCP protocol required a host to already have a DHCP lease
in order to get a lease from a DHCP server, not many leases would be
sent out, since a host /always/ begins its DHCP life without a lease. :)

So, I am probably misunderstanding your problem.

Can you describe your LAN setup and the detailed step-by-step example
where dnsmasq should answer and does not?

> Thank you,
> 
> jbh

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Sequential IP doesn't look for unused IPs

2016-12-25 Thread Albert ARIBAUD
(TL;DR: skip to last paragraph of my reply)

Hi Alec,

On Sat, 24 Dec 2016 18:13:46 -0500, Alec Robertson wrote:

> I understand what you’re saying but I was suggesting this should be a
> feature enhancement. All the other routers I have used work the way I
> have described, be it NETGEAR, Asus, Huawei, etc.

Oh, ok. I was misled by the negative form in your message subject, which
I read as pointing a perceived misbehavior as opposed to suggesting a
new one.

So, have I got it right that your point can be summed up as follows:

"1. Right now, dnsmasq's DHCP server feature allocates IP based on
either one of the two following (summarized) strategies:

a) Select the IP based on a hash of the MAC, or

b) Select the oldest free IP available.

2. It is suggested to add a strategy which would be summarized as:

c) Select the lowest free IP."

If so, then I'm sorry about the misunderstanding: while I could have
helped on a perceived or real misbehavior diagnosis, I am not involved
in any part of developing dnsmasq so my feedback on a feature request
would be worthless.

However, I do have a question about this feature request; please bear
with me for a minute there.

I do understand that strategy c above is easily implemented (it's
basically a context-insensitive loop) as opposed to the other two, so
it makes sense to implement that when developing a DHCP server from
scratch, I do not see what benefit it brings to a DHCP server which
already has two allocation options in place. IOW, what does option c
bring that options a or b don't?

Obviously, option c reduces the number of different IPs allocated over
time with respect to option b, as option b goes through the whole
range while option c does not. But then, option a also keeps the number
of allocated IPs to a minimum.

There is a difference, though, between options c and a: option c keeps
that minimum set of IPs tight, whereas option a (possibly) spreads the
set over the whole range.

So, the real distinguishing feature of option c is "keep the allocated
IPs as grouped near the range base as possible".

But that's a /characteristic/, not a /benefit/ -- at least, I cannot
see the benefit yet.

So I suspect there is something in the currently available options a
and b which causes an issue in your use of dnsmasq to the point of
making you want to see option c implemented.

Now, this something may actually be solved by implementing option c, or
it may be a symptom of another problem for which there is a better
solution than option c.

As I don't remember having seen a similar request (I might have missed
it, though), I suspect that it is not widely seen as a solution, which
makes me lean toward the "there is a better solution" side, but that's
only a hunch; hence my questioning, to either get rid of a false hunch,
or see it confirmed and get to a better solution to your problem.

And for that, we need the problem laid out (as opposed to laying out the
perceived solution).

So the question becomes in fact why is a 'tight low range' IP
allocation strategy needed exactly, or more precisely, what is the
problem that you have which dnsmasq's existing IP allocation strategies
cause, or at least do not solve?

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Sequential IP doesn't look for unused IPs

2016-12-24 Thread Albert ARIBAUD
Hello,

On Sat, 24 Dec 2016 16:15:23 -0500, Alec Robertson wrote:

> My apologies for the unclear explanation.
> 
> For background I am using OpenWRT/LEDE r2544-a032940, on a TP-LINK
> Archer C7.
> 
> For a test, if you set the leasetime to be very short, say 2 minutes
> and connect multiple devices, they will at first be given IPs in
> sequential order starting from the lowest allowed IP address, say
> 192.168.0.20. So, the next device will be 192.168.0.21, the next
> 192.168.0.22 and so on…
> 
> If the device at 192.168.0.20 gets disconnected for over 2 minutes,
> its lease expires. If the device reconnects to the network, it will
> be given the IP address say 192.168.0.24, despite 192.168.0.20 being
> available. The next new device added to the network will be given
> 192.168.0.25.
>
> So, 192.168.0.20 will never be assigned again, unless the network is
> entirely reset, i.e. dnsmasq is completely reset back to defaults.
> 
> Does that make a bit more sense?

It is certainly much more unambiguous, and appears to be consistent with
my very first analysis of your problem.

You seem to be thinking that (with --dhcp-sequential-ip, which I assume
is specified in the case you describe) dnsmasq should have reused the
IP address 192.168.0.20 as soon as possible after it was released.

Now let's see the dnsmasq manpage description of --dhcp-sequential-ip:

  Dnsmasq is designed to choose  IP  addresses  for  DHCP clients
  using a hash of the client's MAC address. This normally allows a
  client's address to remain stable long-term, even if the client
  sometimes  allows its DHCP lease to expire. In this default mode
  IP addresses are distributed  pseudo-randomly  over  the entire
  available address range. There are sometimes circumstances (typ-
  ically server deployment) where it is more convenient to have IP
  addresses  allocated  sequentially,  starting  from  the  lowest
  available address, and setting this flag enables this mode. Note
  that  in  the  sequential  mode,  clients which allow a lease to
  expire are much more likely to move IP address; for this reason
  it should not be generally used.

Clearly, the documentation states that a client which releases an IP
address is likely to move IP address -- IOW, if IP address 192.168.0.20
is released, then it is likely that it *won't* be allocated again soon.

This description is contrary to what you seem to be expecting.

I do therefore stand by my initial comment: I suspect you are making
an inexact assumption as to how --dhcp-sequential-ip works.

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Sequential IP doesn't look for unused IPs

2016-12-24 Thread Albert ARIBAUD
Hi again Alec,

On Sat, 24 Dec 2016 06:55:09 -0800, Alec Robertson wrote:

> Thank you for your replies.
> 
> What I mean (as I said I didn’t explain it very well), is that the
> sequential IP feature results in lots of empty IP addresses, so
> effectively you end up with a much smaller range of possible IP
> addresses.
>
> I was requesting the ability for dnsmasq to look through the entire
> possible range of IP addresses and if it finds one that is not
> assigned, it assigns that first before then working its way up from
> the last assigned address.

Sorry, but I understand this less than I understood your first
message :) -- there is no such concept of an "empty IP address" and the
range of IP addresses available via DHCP does not depend on the
allocation process (though the range of addresses actually used will
depend on the method... and on the number and timings of the client
requests, as the manpage hints).

To clarify your problem and your need, the best would be to give a step
by step example up to the point where the problematic situation occurs,
and compare it with the expected situation, e.g.

"1) The server is started with a range of available IPs from
192.168.0.1 to 192.168.0.30.

2) client A requests an IP and gets 192.168.0.1.

3) ...

...

N) 'X' then happens.

I would prefer to see 'Y' happen, rather than 'X', at step N."

This mode of problem description will be far less susceptible to
ambiguity.

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] Sequential IP doesn't look for unused IPs

2016-12-24 Thread Albert ARIBAUD
Hi Alec,

On Fri, 23 Dec 2016 20:04:55 -0500, Alec Robertson wrote:

> When using sequential IP, the IP allocation should start from the
> lowest available IP address.
> 
> However, if the lease time is quite short for the clients, the
> clients can renew their IP addresses and be given IP addresses that
> don’t use the entire range available, meaning that you could have a
> range that starts at say 1 but this IP address is never used again
> because the sequential IP system does not look for IPs that aren’t
> “filled”. Instead, it simply goes for the lowest available IP that is
> available after the last one that was allocated.
> 
> I am sorry for my very poor description but I tried the best I could
> to explain this problem.

There might be a misunderstanding about "sequential" here.

You seem to think that dhcp-sequential-ip will cause dnsmasq to
react to every request by searching upward from the range start for the
first available IP.

I suspect what it does for every request is search for the first
available IP from the last point it had reached so far; beginning at
the range start is just what happens for the very first request
received.

IOW, you think it always allocates the lowest currently free IP whereas
I suspect it will actually allocate the lowest free IP above the last
one allocated.

My suspicion comes from the fact that the sequential behavior is
probably named after its visible effect, i.e. going over the full range
in sequence even if older IP were freed in between. 

Kind regards,
-- 
Albert.
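A toy model of the allocation strategies Albert lists in his later message in this thread (a: MAC hash, b: sequential) and the one Alec asks for (c: lowest free), replaying the scenario from Alec's message: four clients join, the first one stays away past its lease time, the others renew, it comes back, and then a newcomer joins. This is an added example, not dnsmasq's code: the sequential rule is modelled as Albert suspects it works (first free address above the last one handed out, wrapping around), the hash rule uses sha256 as a stand-in for whatever dnsmasq actually hashes with, and the range 20-30 with a 120 s lease is made up.

```python
"""Toy model of the three DHCP address-allocation strategies discussed in this thread."""
import hashlib


class Pool:
    """A DHCP range of integer host numbers with expiring leases (a model, not dnsmasq's code)."""

    def __init__(self, start, end, lease_time):
        self.start, self.end, self.lease_time = start, end, lease_time
        self.leases = {}   # addr -> (mac, expiry)
        self.last = None   # last address handed out, used by the sequential strategy

    def size(self):
        return self.end - self.start + 1

    def expire(self, now):
        self.leases = {a: (m, e) for a, (m, e) in self.leases.items() if e > now}

    def _first_free_from(self, first):
        """Walk upward from `first`, wrapping at the end of the range, to the first free address."""
        for i in range(self.size()):
            addr = self.start + (first - self.start + i) % self.size()
            if addr not in self.leases:
                return addr
        raise RuntimeError("pool exhausted")

    def allocate(self, mac, now, strategy):
        self.expire(now)
        for addr, (m, _) in self.leases.items():      # a live lease is renewed whatever the strategy
            if m == mac:
                self.leases[addr] = (mac, now + self.lease_time)
                return addr
        if strategy == "hash":          # (a) start at a point derived from the MAC; stable per client
            digest = hashlib.sha256(mac.encode()).digest()   # any stable hash will do for the model
            first = self.start + int.from_bytes(digest[:4], "big") % self.size()
        elif strategy == "sequential":  # (b) as Albert suspects: first free address above the last one handed out
            first = self.start if self.last is None else self.last + 1
        elif strategy == "lowest":      # (c) Alec's request: lowest free address in the whole range
            first = self.start
        else:
            raise ValueError(strategy)
        addr = self._first_free_from(first)
        self.leases[addr] = (mac, now + self.lease_time)
        self.last = addr
        return addr


def replay(strategy, lease_time=120):
    """Alec's scenario: A-D join, A stays away past its lease, B-D renew, A rejoins, then newcomer E joins."""
    pool = Pool(20, 30, lease_time)
    first = {mac: pool.allocate(mac, 0, strategy) for mac in "ABCD"}
    for mac in "BCD":
        pool.allocate(mac, 100, strategy)           # renewals keep B, C and D alive
    a_again = pool.allocate("A", 200, strategy)     # A's lease (expiry 120) is gone by now
    newcomer = pool.allocate("E", 201, strategy)
    return first, a_again, newcomer


if __name__ == "__main__":
    for strategy in ("hash", "sequential", "lowest"):
        first, a_again, newcomer = replay(strategy)
        print(f"{strategy:>10}: first={first} A again={a_again} E={newcomer}")
```

Running it reproduces, for the sequential rule, what Alec reports: A comes back as .24 and E gets .25 while .20 stays empty until the pointer wraps around the range. The lowest-free rule gives A .20 and E .24, and the hash rule hands A its old address back, which is the long-term stability the man page excerpt quoted above is talking about.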


Re: [Dnsmasq-discuss] Fwd: no IP from Linux/DNSmasq for NT-workstation

2016-12-11 Thread Albert ARIBAUD
Hi Bill,

On Sat, 10 Dec 2016 14:06:05 +0100, bill evergreen wrote:

> Hello Albert,
> 
> [...]

Your issue is not related to dnsmasq as far as I can tell, so I would
suggest we keep discussing it offline (I've answered your previous
mail already) and return to the list only once dnsmasq is involved. :)

Kind regards,
-- 
Albert.


Re: [Dnsmasq-discuss] listen-backlog option to override default (too small) value

2016-12-07 Thread Albert ARIBAUD
Hi Donatas,

On Wed, 7 Dec 2016 14:43:22 +0200, Donatas Abraitis wrote:

> Hi folks,
> 
> for our case at Hostinger, we have a problem while too much
> TcpListenOverflows:
> [root@us-imm-dns1 ~]# nstat -az | grep TcpExtListenOverflows
> TcpExtListenOverflows   2990.0
> [root@us-imm-dns1 ~]# ss -ntl sport = :53
> State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
> LISTEN  0      5      *:53                 *:*
> LISTEN  0      5      :::53                :::*
> 
> probe kernel.function("tcp_check_req")
> {
>     tcphdr = __get_skb_tcphdr($skb);
>     dport = __tcp_skb_dport(tcphdr)
>     if ($sk->sk_ack_backlog > $sk->sk_max_ack_backlog)
>         printf("listen queue for port(%d): %d/%d\n",
>                dport,
>                $sk->sk_ack_backlog,
>                $sk->sk_max_ack_backlog);
> }
> 
> [root@us-imm-dns1 ~]# staprun overflow.ko
> listen queue for port(53): 13/5
> listen queue for port(53): 13/5
> listen queue for port(53): 14/5
> 
> here is the proposed patch:
> 
> commit fa610cd424b905720832afc8636373bb132f49c1
> Author: Donatas Abraitis 
> Date:   Sun Dec 9 09:58:51 2012 +0200
> 
> Add `listen-backlog` option to override default 5 (too small)
> 
> diff --git a/src/dnsmasq.h b/src/dnsmasq.h
> index 4b55bb5..b717df3 100644
> --- a/src/dnsmasq.h
> +++ b/src/dnsmasq.h
> @@ -980,6 +980,7 @@ extern struct daemon {
>struct dhcp_netid_list *force_broadcast, *bootp_dynamic;
>struct hostsfile *dhcp_hosts_file, *dhcp_opts_file, *dynamic_dirs;
>int dhcp_max, tftp_max, tftp_mtu;
> +  int listen_backlog;
>int dhcp_server_port, dhcp_client_port;
>int start_tftp_port, end_tftp_port;
>unsigned int min_leasetime;
> diff --git a/src/network.c b/src/network.c
> index d87d08f..1e9d188 100644
> --- a/src/network.c
> +++ b/src/network.c
> @@ -746,7 +746,7 @@ static int make_sock(union mysockaddr *addr, int
> type, int dienow)
> 
>if (type == SOCK_STREAM)
>  {
> -  if (listen(fd, 5) == -1)
> +  if (listen(fd, daemon->listen_backlog) == -1)
> goto err;
>  }
>else if (family == AF_INET)
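Review bot: `listen(fd, daemon->listen_backlog)` hands the configured value to the kernel unchecked, and the kernel may silently clamp it (on Linux to net.core.somaxconn), so an operator who sets `--listen-backlog=512` on a host with the default somaxconn gets a smaller queue than asked for and nothing in the logs says so. Consider logging the requested backlog at startup (and, where SOMAXCONN is defined, warning when the value exceeds it) so the Send-Q column of the `ss -ntl` output above can be reconciled with the configuration.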
> diff --git a/src/option.c b/src/option.c
> index d0d9509..220303e 100644
> --- a/src/option.c
> +++ b/src/option.c
> @@ -159,6 +159,7 @@ struct myoption {
>  #define LOPT_SCRIPT_ARP347
>  #define LOPT_DHCPTTL   348
>  #define LOPT_TFTP_MTU  349
> +#define LOPT_BACKLOG   350
> 
>  #ifdef HAVE_GETOPT_LONG
>  static const struct option opts[] =
> @@ -190,6 +191,7 @@ static const struct myoption opts[] =
>  { "domain-suffix", 1, 0, 's' },
>  { "interface", 1, 0, 'i' },
>  { "listen-address", 1, 0, 'a' },
> +{ "listen-backlog", 1, 0, LOPT_BACKLOG },
>  { "local-service", 0, 0, LOPT_LOCAL_SERVICE },
>  { "bogus-priv", 0, 0, 'b' },
>  { "bogus-nxdomain", 1, 0, 'B' },
> @@ -394,6 +396,7 @@ static struct {
>{ 't', ARG_ONE, "", gettext_noop("Specify default
> target in an MX record."), NULL },
>{ 'T', ARG_ONE, "", gettext_noop("Specify time-to-live in
> seconds for replies from /etc/hosts."), NULL },
>{ LOPT_NEGTTL, ARG_ONE, "", gettext_noop("Specify
> time-to-live in seconds for negative caching."), NULL },
> +  { LOPT_BACKLOG, ARG_ONE, "", gettext_noop("Set the backlog
> queue limit."), NULL },
>{ LOPT_MAXTTL, ARG_ONE, "", gettext_noop("Specify
> time-to-live in seconds for maximum TTL to send to clients."), NULL },
>{ LOPT_MAXCTTL, ARG_ONE, "", gettext_noop("Specify
> time-to-live ceiling for cache."), NULL },
>{ LOPT_MINCTTL, ARG_ONE, "", gettext_noop("Specify
> time-to-live floor for cache."), NULL },
> @@ -2286,7 +2289,11 @@ static int one_opt(int option, char *arg, char
> *errstr, char *gen_err, int comma
>   ret_err(gen_err); /* error */
> break;
>}
> -
> +
> +case LOPT_BACKLOG: /* --listen-backlog */
> +  if (!atoi_check(arg, >listen_backlog))
> +ret_err(gen_err);
> +  break;
>  case 'a':  /* --listen-address */
>  case LOPT_AUTHPEER: /* --auth-peer */
>do {
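
Review bot: as posted, `atoi_check(arg, >listen_backlog)` is not valid C; the other hunks use `daemon->listen_backlog`, so the intended argument is presumably `&daemon->listen_backlog` with the `&daemon-` lost in transit, but please confirm the patch applies and compiles as sent. atoi_check() also accepts 0 and negative numbers, so a value below 1 should be rejected here with a specific error instead of reaching listen() in network.c. The `-`/`+` pair on the blank line at the top of the hunk is a whitespace-only change and should be dropped.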
> @@ -4517,6 +4524,7 @@ void read_opts(int argc, char **argv, char
> *compile_opts)
>daemon->cachesize = CACHESIZ;
>daemon->ftabsize = FTABSIZ;
>daemon->port = NAMESERVER_PORT;
> +  daemon->listen_backlog = 5;
>daemon->dhcp_client_port = DHCP_CLIENT_PORT;
>daemon->dhcp_server_port = DHCP_SERVER_PORT;
>daemon->default_resolv.is_default = 1;
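
Review bot: `daemon->listen_backlog = 5;` is a bare magic number beside defaults that are named constants (CACHESIZ, FTABSIZ, NAMESERVER_PORT); define a default alongside them and use it here. The commit message also calls the default of 5 "too small", yet this hunk keeps 5 as the default: either raise it, or say in the message that the default is deliberately unchanged and only made configurable.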

I am not qualified to determine if your patch is the right solution to
your problem, but FWIW, I find this patch clear enough and I assume you
have tested it :) and that it actually solves the issue for you. The
only two remarks I have are:

- it would be nice to also add a description for the option
  and its rationale to the manpage;

- is there a way for dnsmasq to detect excessive backlog and emit a
  diagnostic message pointing the operator to the existence and use of
  the listen-backlog 

Re: [Dnsmasq-discuss] Format Errors using add-subnet

2016-12-07 Thread Albert ARIBAUD
Hi Scott,

On Mon, 5 Dec 2016 20:10:44 +
Scott Bonar wrote:

> When using this option (which I really need to do) for DNS queries, I
> get Format Errors from the upstream DNS servers if they are Windows
> Servers 2008 through at least 2012.  Has anyone seen this and is
> there a workaround either in DNSMasq or Windows?
> 
> Your help is appreciated.

Maybe an actual example (ideally with a Wireshark or tcpdump capture)
could help pinpoint the issue.

> Scott Bonar

Kind regards,
-- 
Albert.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] no IP from Linux/DNSmasq for NT-workstation

2016-12-03 Thread Albert ARIBAUD
Hi Bill,

On Sat, 3 Dec 2016 15:43:33 +0100
bill evergreen wrote:

> Hello List

> Unfortunately the DHCP-client of the NT4-box does not receive an IP,
> nor is it working with static IPs for the NT4 workstation :-(

> Any ideas what am I doing wrong?
> 
> Any feedback is appreciated very much! Thanks a lot!
> 
> Bill

Well, static IP issues mean you've got a networking problem with this
machine, which you have to solve before you even consider how it behaves
with dnsmasq.

I suggest you go back to the very basics and try to ping the NT machine
from another one which you know is working.

A few remarks:

> Linux Mint-box
> **
> - DNSmasq 2.68-1
> - IP of USB: 192.168.42.20
> - IP of eth0: 192.168.42.30

Er... Same subnet on both interfaces?

> NT4-Workstation (if configured manually)
> ***
> - IP: 192.168.42.40

Try and ping the NT4 machine from the Mint machine after having
disabled the USB interface on it (i.e., using only ethernets). Does
this work?

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] DNSMasq only listens on container (virbr0) and not main network (eno1)

2016-12-02 Thread Albert ARIBAUD
Hi David,

On Fri, 2 Dec 2016 19:02:37 +0100
Albert ARIBAUD <albert.arib...@free.fr> wrote:

> Hi Davis,

Apologies for the typo.

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] DNSMasq only listens on container (virbr0) and not main network (eno1)

2016-12-02 Thread Albert ARIBAUD
Hi Davis,

On Tue, 29 Nov 2016 09:54:15 -0600
"David Biers" wrote:

> I have a DNSMasq server running on an old PowerEdge 2950, CentOS 7.x
> x64
> 
>  
> 
> My configuration is specifying that I want it to listen on the public
> IP address (192.168.200.2) but it will only listen on the container's
> virtual bridge adapter (192.168.122.1).
> 
>  
> 
> Is there any way to force this?  I have
> "listen-address=192.168.200.2" in the configuration but it doesn't
> seem to want to follow this.

Are any of your interfaces actually set to this public IP address?
More generally, can you describe the network configuration of your
dnsmasq host and of the clients it should answer to?

> Thanks

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Address configuration with wildcard

2016-11-27 Thread Albert ARIBAUD
Hi Joachim,

On Sat, 26 Nov 2016 15:01:47 +0100
Joachim Zobel wrote:

> Hi.
> 
> Is there a way to have address configuration entries with wildcards?
> 
> I tried
> 
> address=/alt#-mtalk.google.com/127.0.0.1
> 
> but it did not work with e.g. alt8-mtalk.google.com

From

$ man dnsmasq

and looking for '--address' (and then for '--server'):

1. domain specifications in --address are the same as domain
   specifications in --server except for the addition of a '#' domain
   specification meaning "any domain" (rather than "any part of a
   domain" as you seemed to be assuming).

2. domain specifications in --server only allow domain names or the
   empty string '//' which means "unqualified domain names only".

So no, you can't have wildcards in --address domain names.

You do however have implicit "left side wildcards", as a domain spec of
"thisorthat.net" will match any domain /ending/ in "thisorthat.net", if
you can work with that.

The only way to get the behaviour you are looking for in dnsmasq would
be to modify the search_servers() function in src/forward.c -- without
of course introducing any bug or impeding efficiency especially under
high loads.

> Sincerely,
> 
> Joachim

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq-discuss Digest, Vol 138, Issue 13

2016-11-22 Thread Albert ARIBAUD
Hello,

On Tue, 22 Nov 2016 17:47:09 +
Rahul Jain wrote:

> Hi Albert, thank you for replying. I have access to the source code
> of the router and all its internals.
> 
> I can download the source code of dnsmasq, compile and build it for
> the router(not on the router) but I need to run the dnsmasq as a
> service which I can't do on mipsel-linux because it doesn't contain
> anything equivalent to "service". So I'm generating the binary on a
> ubuntu(16.04 LTS) system and using that in the router running
> mipsel-linux.

Er... If your router does not contain anything equivalent to "service",
then there is no point in trying to run "service dnsmasq start" on this
router.

> On the ubuntu system, when I run dnsmasq with add-mac in the
> configuration, I'm able to see EDNS0 option in the dns query. This is
> happening only when I installed and run dnsmasq from apt-get. When I
> tried to compile it and run it from the same configurations, I'm not
> able to see the EDNS0 option.

I assume you are talking about some PC with Ubuntu running on it? This
is a different system than your router and there is no reason that this
PC should behave the same as the router, and you simply cannot infer
much from one system to the other.

> Now I'm left with two things, one is to
> install dnsmasq from the apt-get on mipsel-linux which is not
> possible because it does not have apt-get or any other package
> manager and the second option being to compile the source for the
> router.

I suspect this conclusion is premature.

For one thing, do you have the right tools to build a binary for your
router? Do you know which kernel it runs (not simply the version, but
the actual kernel headers)? Do you know which C library it uses? Do you
know which compiler toolchain was used to build this system? Do you have
all these things -- kernel, lib, toolchain -- in working order? Can
you rebuild the whole router system? If no, then compiling is IMO not
a valid option right now.

> So for now, I want to compile the dnsmasq source code on my ubuntu
> system or for the router, not from the apt-get, and want the EDNS0
> option in the dns query.

I believe this is not the right approach to solve your problem (which,
IIUC, is to be able to enable the "add-mac" option on the dnsmasq which 
runs on your router; if this is not what you are actually trying to
achieve, then do correct me).

First, to run your Ubuntu's own dnsmasq with the add-mac option enabled
does not require any compilation; adding a single one-line file at the
right place is all it takes -- I've just checked this on the very
Xubuntu machine I am writing this mail on.

Second, even once you've done it, it will be of no use for the dnsmasq
on your router, because your router is not a Ubuntu system, and nothing
will happen if you add the same file in the same location -- a location
which quite possibly does not even exist on your router.

But there are good chances that on that router, there is /another/
location, where adding (or modifying) /another/ file in /another/ way
will have the effect you are looking for.

My suggestion is that you forget the whole "building on Ubuntu" thing
for now, and even the "building" thing at all, and concentrate on your
router, to find that location and file which control the options of your
router's dnsmasq.

As /dev/rob0 and I told you, you are having a system question, not a
dnsmasq question. The right way to tackle it is not to look in dnsmasq,
but to look in the system (and in the /right/ system).

A good start would be to indicate which router it is that you are
working on, and which firmware it runs.

HTH

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq-discuss Digest, Vol 138, Issue 13

2016-11-22 Thread Albert ARIBAUD
Hi Rahul,

On Tue, 22 Nov 2016 05:51:17 +
Rahul Jain wrote:

> Hi, thank you for the insight. Actually, I want this implementation
> on my router(which is running mipsel-linux), can't just simply
> install on it. Therefore, I have to run the binary there but I'm not
> getting the MAC address of the connected clients when I add the
> add-mac option in the conf file.

Ok, so IIUC, you do not have access to the source code of the system
installed on your router, and especially you do not have access to the
source code and build instructions to rebuild your router's dnsmasq.

But you do have access to the router's filesystem, right? So you can
inspect its services scripts and find out what it does and why the
add-mac option is not passed to dnsmasq.

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmask respond to non-local network

2016-11-18 Thread Albert ARIBAUD
Hi Joseph,

On Fri, 18 Nov 2016 15:56:07 +
Joseph C Bond IV wrote:

> I have tried doing this, but it created some bigger problems. The
> moment I added a second IP to the same interface my external router
> was unable to route traffic correctly from the Raspberry PI onto my
> VPN connection. I was still able to connect to the Raspberry PI when
> in the same network, but NO traffic was possible from the VPN to or
> from the Raspberry PI.
> 
> Removing the second IP on the interface returned the system to normal.

See below.

> Any other way I can make dnsmasq respond to requests from the other
> subnet? Or is there a way to disable the protection that dnsmasq has
> that prevents it from replying to a different subnet?

You'll need one machine sitting on both networks, either the dnsmasq
server or a DNS relay; and if your dnsmasq server could not properly
work with two IPs, then there is no reason the relay would work any
better. So in any case, you need to get a machine running with one IP
on each subnet.

Since you've tried already with your dnsmasq machine, let's start from
there. When you tried adding an IP address to it:

- how /exactly/ did you proceed? (which commands? which arguments?..)

- what output did the /route/ command produce before adding the
  second address? After adding the second address?

> Thank you again for any help.

NP.

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmask respond to non-local network

2016-11-17 Thread Albert ARIBAUD
Hi Joseph,

On Thu, 17 Nov 2016 15:57:48 +
Joseph C Bond IV wrote:

> Sorry if this has been answered elsewhere but I can't seem to find
> the answer anywhere.
> 
> I have a Raspberry PI 3 running a copy of dnsmasq to provide DHCP and
> DNS services for my local network. This works perfectly.
> 
> My internal network is 192.168.21.1/24. The Raspberry PI is on a
> static IP within this network. My external router assigns any VPN
> client an address within the 192.168.23.1/24 network and does all
> required routing so that clients on that network can reach hosts on
> the internal network.
> 
> When I connect via VPN obviously my system has a 192.168.23.x address
> and dnsmasq ignores all DNS queries.
> 
> How can I tell dnsmasq to reply to DNS queries from the
> 192.168.23.1/24 network as well?

Do the two subnets coexist on the same physical segment(s)? If so, then
giving the host running your dnsmasq an IP address in the 23.* subnet
*should* get you there.

(watch out for other services, though, which you may or may not want to
run on both subnets.)

> Thank you in advance for all your help.



Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Measuring dnsmasq performance

2016-11-10 Thread Albert ARIBAUD
Hi,

On Wed, 9 Nov 2016 22:58:53 +, John Knight
wrote:

> Hi All,
> 
> I have been tasked with measuring performance of dnsmasq on our
> routers.  My guess is that dnsmasq has already been analyzed... so I
> am hoping to leverage any work that has already been done.
> Specifically, I am hoping to find out what tools are recommended to
> measure dnsmasq dns and dhcp performance?  Has dnsmasq 2.76's
> performance been measured already?  If so, have results been
> published?  And lastly, has there been any performance improvements
> to dnsmasq since dnsmasq 2.55?
> 
> Thanks for your help.
> 
> Best Regards,
> 
> John Knight

I don't really have answers to your questions, and I am sorry that I
will actually add more questions in fact, because the way you spelled
your question I am wondering whether we are looking at a technical or
PHB request if you'll allow me. :)

So:

What do you mean by performance? Network? CPU? Memory? Filesystem? And
in each of these categories, what factor exactly are you looking at?

Kind regards,
Albert.




Re: [Dnsmasq-discuss] Dynapic IP

2016-11-01 Thread Albert ARIBAUD
Hi,

On Fri, 28 Oct 2016 22:58:25 + (UTC)
Gopalkrishna Mudaliar wrote:

> Hello All
> 
> I am trying to return the IP address of domains (DNS response)
> depending on a specific pattern that computes (decides) the IP to be
> returned. E.g.
> 
> http://my100.machine1.com    return 192.168.1.100
> http://my101.machine1.com    return 192.168.1.101
> http://myhost2.machine1.com  return 192.168.1.100

>   The logic to decide the IP is something internal.

What do you mean exactly by that?

/If/ you just want to have a map between a name and IP address, that
can be achieved using a "hosts file" -- but I suspect it is more
complicated than that.

> Could anyone help me with where I can make this change. I have been
> trying to understand the code but didn't get the point to add my
> logic. I looked at the files rfc1035.c, forward.c, cache.c.
> Would really appreciate it if anyone could help me understand the flow
> or any pointers.
> 
> Thanks,
> Krishna.

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

2016-10-19 Thread Albert ARIBAUD
Hi John,

On Tue, 18 Oct 2016 22:36:07 +
John Knight wrote:

> Hi All,

> The main while(1) loop uses select() to determine if it has work to
> do.  In most cases, it appears to use timeout of 0, which I believe
> means just wait indefinitely for work on the file descriptors.  Other
> times, it appears that the timeout is set to a quarter second when
> doing a tftp transfer or polling the dbus.
> 
> Now what concerns me is that when a "retry later" condition occurs,
> we may get stuck on the select() for a long period of time.  Alas, I
> do not know how frequent one might expect to see work arrive on the
> file descriptors that select is watching, so I don't really know if
> this is a long time or not.  It seems though that in this failure
> scenario, the poll_resolv() function does NOT get called very often
> at all.

Actually, if dnsmasq does not receive any request from clients, it does
not need to poll servers, so I would ask: does the select() include
descriptors for client requests (either UDP datagrams received, or TCP
connections opened)? If so, I think it will exit just when necessary
and no timeout is needed; otherwise, you are right that a timeout is
required.

Also, it may be improbable that select() does not return for a whole
hour; but then, is every return from select() followed by a resolv file
poll, or can select() return and then be entered again without polling
the resolv files? I am thinking, for instance, about cached answers
which do not need servers if their TTL is long enough.

> My gut feeling is that there always needs to be a timeout on the
> select call as the poll_resolv() should be called fairly frequently.
> The code that exists today where poll_resolv() normally is called
> from this loop suggests a poll rate of about once a second.  This
> definitely does not happen today.  By just adding a my_syslog()
> message to the top of poll_resolv(), it is very clear from the
> logfile that it is not called often, and way too infrequently to
> resolve the "retry later" condition in a timely manner.

Can you compare when poll_resolv() is called wrt when the select() is
exited -- and for what reason?

> Going forward, as the next thing for me to try, I am going to add a
> timeout for the select... perhaps a modest once a second or two.

I would personally investigate further on a gut feeling without
changing the code behavior, because my changes might have unwanted
effects which can actually hide the root cause I am looking for -- but
to each his/her own.

> But I would like to know what you all of think of this... does this
> make sense to do?  Is there ever a case where we might not get any
> work on the files select is monitoring for nearly an hour?  I am
> trying to make sense of this issue.

Not entirely sure what you mean with "Is there ever a case where we
might not get any work on the files select is monitoring for nearly an
hour"; I will assume you mean "Is there a normal case where dnsmasq
would not poll for changes in resolv files for an hour". If so, then I
would say it depends on how much traffic dnsmasq receives and how much
of it can be answered from cache.

> Thanks,
> 
> John Knight

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

2016-10-14 Thread Albert ARIBAUD
Hi,

On Fri, 14 Oct 2016 19:09:31 +0200
Albert ARIBAUD <albert.arib...@free.fr> wrote:

> How exactly is that second  is totally related to how dnsmasq
> handles time?

Ahem. Rolling that back.

How is that second issue related to how dnsmasq handles time?

With apologies.

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

2016-10-14 Thread Albert ARIBAUD
Hi,

On Fri, 14 Oct 2016 19:46:13 +0500
"Vladislav Grishenko" wrote:

> > But timeouts can occur, TTLs can get past, etc. To treat those
> > properly, dnsmasq needs to know how much time has flown while it
> > was sleeping (if it ever does, of course).  
> 
> It does (actually not due sleeping, more likely to timer
> granulation), can be easily checked in code. Despite the fact that
> sleeping DHCP/DNS servers looks quite ridiculous, if dnsmasq code
> without HAVE_BROKEN_RTC has issue with time goes backward too much,
> it needs to be fixed.

I think we can agree on this. :)

> Not with changing the clock source, because
> it'll just mask the problem

Well, IIUC, here the source of the problem *is* the clock source --
namely, that CLOCK_REALTIME is used for measuring elapsed time but is
not monotonic and therefore ill-suited for measuring elapsed time.
Switching to CLOCK_MONOTONIC, which is, well, monotonic, is certainly
not "masking the problem". Switching to CLOCK_BOOTTIME, which is "more
monotonic" yet, is an even better solution if applicable.

>, but with proper dealing with such kind
> of time values. And, seems John have already found last_change
> variable wasn't static, didn’t check it by myself yet.

How exactly is that second  is totally related to how dnsmasq
handles time?

> Best Regards, Vladislav Grishenko

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

2016-10-14 Thread Albert ARIBAUD
Hi Vladislav,

On Fri, 14 Oct 2016 11:52:33 +0500
"Vladislav Grishenko" wrote:

> Hi, Albert,
> 
> > 1. HAVE_BROKEN_RTC should be used for, well, broken RTCs. Here, we
> > are not dealing with broken RTC.  
> 
> Root issue from original mail:
> > One of which acknowledges potential problem if the clock goes
> > backwards...  
> As for me it's indeed broken RTC behavior, not?

The clock and the RTC are two different things.

The RTC is what keeps time in between power-offs. It has backup power
(frequently on PCs it is a CR20xx battery) and a slow autonomous clock
source (typically a 32 kHz crystal). It is not set or read frequently
while the system is on, because it is usually slow to access.

So while it is on, the system keeps track of the time not through the
RTC but through some internal clock reference which is easier and
faster to read and set. It is this clock reference which gets read
every time a process needs to know what time is "now", and it is what
gets affected by NTP etc.

> > 2. The man page for times() states that "a portable application
> > would be wise to avoid using [the] value [returned by times()]. To
> > measure changes in elapsed time, use clock_gettime(2) instead".  
> 
> Because start value of posix's times() return value may vary across
> kernel versions & UNIX impl., combined with possibility of value
> overflow the clock_t range. Since we don’t care neither about initial
> boot value nor about sleep/suspended time (files can't be modified
> when suspended, right?)

But timeouts can occur, TTLs can get past, etc. To treat those properly,
dnsmasq needs to know how much time has flown while it was sleeping (if
it ever does, of course).

> - the only possible issue is overflow. Since
> times() not counting CPU ticks in sleep/suspended mode, suggestion
> clock_gettime here is about using CLOCK_MONOTONIC which is almost the
> same, but with no-overflow API.

Hm... I believe that's what my proposal amounts to on systems where
CLOCK_BOOTTIME is not available.

> > - otherwise, if CLOCK_MONOTONIC is defined (it should always) and if
> >   clock_gettime(CLOCK_MONOTONIC,...) succeeds at run time, use
> > that;  
> 
> Even with defined CLOCK_MONOTONIC, the real presence of this clock
> source can be retrieved from kernel in runtime only.

Indeed, hence my double test suggestion: one must test the existence
of CLOCK_MONOTONIC and only call clock_gettime(CLOCK_MONOTONIC...) if
it exists, and one must test the return value of clock_gettime() in
case dnsmasq runs on an older kernel/glibc than it was compiled and
built against.

> Yes, there're
> old running kernels with no CLOCK_MONOTONIC, clock_gettime() returns
> EINVAL. Same check is true for CLOCK_BOOTTIME. 

Exact, hence my "returns success" conditional.

> Best Regards, Vladislav Grishenko

Kind regards,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

2016-10-13 Thread Albert ARIBAUD
Hi,

I think it is preferable not to use HAVE_BROKEN_RTC for at least two
reasons, in increasing order of importance:

1. HAVE_BROKEN_RTC should be used for, well, broken RTCs. Here, we
are not dealing with broken RTC.

2. The man page for times() states that "a portable application would be
   wise to avoid using [the] value [returned by times()]. To measure
   changes in elapsed time, use clock_gettime(2) instead".

But you are right that CLOCK_BOOTTIME is Linux specific (I did mention
that, in fact).

So my proposal would become:

- if CLOCK_BOOTTIME is defined at compile time, and if
  clock_gettime(CLOCK_BOOTTIME,...) succeeds at run time, use that;

- otherwise, if CLOCK_MONOTONIC is defined (it should always) and if 
  clock_gettime(CLOCK_MONOTONIC,...) succeeds at run time, use that;

- otherwise, if CLOCK_REALTIME is defined (it should always) and if 
  clock_gettime(CLOCK_REALTIME,...) succeeds at run time, use that;

- otherwise, as a last resort, use times().

Kind regards,
Albert.

On Thu, 13 Oct 2016 20:15:15 + (UTC)
Vladislav Grishenko <themiron...@gmail.com> wrote:

> Hi,
> Why not just use existing HAVE_BROKEN_RTC? CLOCK_BOOTTIME is
> linux-specific, non-portable, absent in older (but still running)
> kernels and logically is the same as CLOCK_MONOTONIC except counting
> suspended/sleep time. In turn using CLOCK_MONOTONIC is already there
> in times() form when HAVE_BROKEN_RTC is enabled.
> 
> Best Regards, Vladislav Grishenko
> 
> 
> From: John Knight <john.kni...@belkin.com>
> Sent: Thursday, October 13, 2016 11:00 PM
> Subject: Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an
> hour To: Albert ARIBAUD <albert.arib...@free.fr>
> Cc:  <dnsmasq-discuss@lists.thekelleys.org.uk>
> 
> 
> Hi Albert,
> 
> That sounds like a very good idea to use CLOCK_BOOTTIME. Good
> suggestion.
> 
> When I did a search for difftime in the source code... there are
> quite a few calls... each one is a potential issue with respect to
> time going backwards.  I only see one instance that actually
> considers the case if time goes backwards and that is in dnsmasq.c
> where it does difftime(now, daemon->last_resolv) and compares the
> result to both > 1.0 and < -1.0.   So in general, I am somewhat
> concerned about possible affects of changing time on dnsmasq.  We
> have seen some issues in the past which we suspected were probably
> caused by changing the time, so your suggested change could
> potentially fix some other issues.
> 
> Thanks!
> 
> John

Re: [Dnsmasq-discuss] Dnsmasq not resolving addresses for an hour

2016-10-13 Thread Albert ARIBAUD
Hi,

Just a generic comment: from what I can see, all absolute times in
dnsmasq are returned by dnsmasq_time() which calls either times() or
time(). This, IIUC, corresponds to CLOCK_REALTIME in clock_gettime(),
which is indeed affected when (re)setting the time.

Maybe a fix to time jump issues would be (in Linux at least) to replace
time() with clock_gettime(CLOCK_BOOTTIME,...) which seems to have been
designed to get around discontinuities caused by settimeofday(). 

Note: maybe dates used for logging purposes should still use time() or
clock_gettime(CLOCK_REALTIME) in order to remain comparable to other
logs in the same system -- or maybe not.

Sources: man times, man time, man clock_gettime.

HTH,

Kind regards,
Albert.

On Wed, 12 Oct 2016 23:50:11 +
John Knight wrote:

> Hi,
> 
> I think I may know what the issue is... it appears that the time may
> be changed by ntp in my failure scenario as suggested by the URLs
> referencing ntp in the dnsmasq.log file.  There are numerous
> references to difftime in dnsmasq code.  One of which acknowledges
> potential problem if the clock goes backwards... and is handled by
> comparing last_resolv >1.0 and < -1.0 to accommodate such a
> possibility.  However, in function poll_resolv(), the difftime() call
> checks for > 0.0, assuming the modification time of the file is
> greater than the last_change time.  If the time had changed on the
> router, then its possible that the modification time of
> the /etc/resolv.conf could be less than that of the last_change.  I
> think this needs to be a check for != 0.  If the time is changed
> negatively, then the existing code will not work properly me thinks.
> Its imperative that latest gets set in order for the reload_servers()
> code to run... and if the time is not right, then the
> reload_servers() won't get called.  This specific code (poll_resolv)
> hasn't changed, and if I am right, it is also broken in 2.76.
> 
> What do you think?  I am going to make the change locally and re-test
> and see if I can make it fail again.  Unfortunately, it doesn't
> always fail, but I have reproduced it twice now, hopefully it will
> happen again if my fix is not right.
> 
> Best Regards,
> 
> John Knight
> 



Amicalement,
-- 
Albert.
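As an added illustration of the two points in this exchange (John's observation that a `> 0.0` check on the resolv.conf mtime stays blind after the clock is stepped back, and the suggestion to measure intervals on a clock that settimeofday() cannot move), here is editor-written C, not dnsmasq source: resolv_changed() is a hypothetical stand-in for the comparison in poll_resolv(), and the mtime sequence it replays is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-in for the mtime/last_change comparison in poll_resolv()
 * (not dnsmasq code). Returns 1 and records mtime as the new last_change when
 * a reload would be triggered, 0 otherwise. strict_gt selects the "> 0.0"
 * rule John describes versus the "!= 0.0" rule he proposes. */
static int resolv_changed(double mtime, double *last_change, int strict_gt)
{
    double diff = mtime - *last_change;   /* same sign as difftime(mtime, *last_change) */
    int changed = strict_gt ? (diff > 0.0) : (diff != 0.0);
    if (changed)
        *last_change = mtime;
    return changed;
}

/* Constructed sequence of /etc/resolv.conf mtimes (seconds since the epoch,
 * as stat() would report them) seen on successive polls. The file is
 * rewritten at index 2; then ntp steps the clock back several minutes and
 * the file is rewritten again at index 3 and at index 5, so those mtimes
 * are lower than the last_change recorded at index 2. */
static const double kMtimes[] = { 1000.0, 1000.0, 1060.0, 700.0, 700.0, 760.0 };
#define N_MTIMES (sizeof kMtimes / sizeof kMtimes[0])

/* Replay the sequence and count how many reloads each rule would trigger.
 * "> 0.0" reloads once and then stays blind until the mtime climbs past
 * 1060 again; "!= 0.0" reloads on every real change (three times). */
static int count_reloads(int strict_gt)
{
    double last_change = kMtimes[0];   /* the file has already been read once */
    int reloads = 0;
    for (size_t i = 1; i < N_MTIMES; i++)
        reloads += resolv_changed(kMtimes[i], &last_change, strict_gt);
    return reloads;
}

/* CLOCK_REALTIME moves whenever ntp or settimeofday() steps the system time.
 * CLOCK_BOOTTIME (Linux) only ever advances, so it is the clock an interval
 * such as "time since the last reload" should be measured on; fall back to
 * CLOCK_MONOTONIC where BOOTTIME is not defined. */
#ifdef CLOCK_BOOTTIME
#define STEADY_CLOCK CLOCK_BOOTTIME
#else
#define STEADY_CLOCK CLOCK_MONOTONIC
#endif

/* Seconds elapsed on clock clk since *start. Negative if the clock went
 * backwards (which a steady clock never does) or -1.0 on error. */
static double elapsed_s(clockid_t clk, const struct timespec *start)
{
    struct timespec now;
    if (clock_gettime(clk, &now) != 0)
        return -1.0;
    return (double)(now.tv_sec - start->tv_sec)
         + (double)(now.tv_nsec - start->tv_nsec) / 1e9;
}

/* Reads the steady clock repeatedly and reports 1 if elapsed time never
 * decreased. The same loop on CLOCK_REALTIME, run while the system time is
 * stepped back, would return 0. */
static int steady_clock_is_monotone(void)
{
    struct timespec start;
    if (clock_gettime(STEADY_CLOCK, &start) != 0)
        return 0;
    for (int i = 0; i < 1000; i++)
        if (elapsed_s(STEADY_CLOCK, &start) < 0.0)
            return 0;
    return 1;
}

int main(void)
{
    printf("reloads with '> 0.0' check:  %d\n", count_reloads(1));
    printf("reloads with '!= 0.0' check: %d\n", count_reloads(0));
    printf("steady clock monotone: %s\n", steady_clock_is_monotone() ? "yes" : "no");
    return 0;
}
```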

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dnsmasq not providing a response to client

2016-09-09 Thread Albert ARIBAUD
Hi Bill,

Le Fri, 9 Sep 2016 16:10:35 -0400
Bill Warren  a écrit:

> Hi Albert,
> 
> I tried installing dnsmasq in a virtualized, fresh FreeBSD
> installation ... and it is working.  I will go through my hardening
> configurations to see what, if anything, I can isolate as the cause.

I would have said as much from reading the second tcpdump, which shows
the answer from google to the dnsmasq server host (...1.14) but not the
answer from the server host to the original client. I bet the iptables
layer drops the packet for some reason.

> to be continued …

Let us know when you find out.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Feature request

2016-09-07 Thread Albert ARIBAUD
Hi Archi,

Le Wed, 7 Sep 2016 10:03:04 +0200
"Archimede Pitagorico"  a écrit:

> I use a lot the --server and --ipset options. In brief, I want
> certain domains to be dispatched to a special DNS and their IP
> address to be stored in an ipset, so that using iptables and policy
> routing I can dispatch all traffic to these web sites via a special
> interface. it all works well, except that I miss some flexibility in
> defining domain names. for instance I would like
> ipset=/somewebsite.*/specialiface to store the IP addresses for
> somewebsite.com and somewebsite.org in the ipset specialiface. I
> tried to use wildcards, as in the example above, but that does not
> work. Is there a way to do it? Otherwise, is it possible to add more
> flexibility in specification of domain names (either simple wild
> cards support, or regex support)? thanks a lot Archi

I don't think there is support for wildcard in the domain name for
--ipset, --address or --server directives; at least the manpage does not
indicate there are any.

However, your query is contradictory in that on the one hand you seem to
want to write a generic directive covering any possible TLD, and on the
other hand, you describe a scenario where you only want to catch .org
and .com TLDs.

The latter, I think, is covered with the syntax

--ipset=/somewebsite.com/somewebsite.org/specialiface

More than two domains can be specified, BTW -- I just tried with three
domains using TLD .net, .org and .com, and it works (but then, it would
also work with three --ipset directives each targeting one TLD).

Of course, if you want to catch any FQDN like "*somewebsite.*", that
won't work.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq not providing a response to client

2016-09-07 Thread Albert ARIBAUD
Hello Bill,

Le Tue, 6 Sep 2016 19:17:56 -0400
Bill Warren  a écrit:

> Greetings from a new user of dnsmasq v.2.76 on FreeBSD v.10.3
> 
> dnsmasq is receiving queries and obtaining responses (confirmed in
> --no-daemon mode).

Rather than paraphrasing the dnsmasq output, can you copy-paste it,
including [a reasonable amount of] the lines which you think are
irrelevant? I'm asking this because in your description, you don't
indicate what dnsmasq says about the response once it got it from the
upstream (I don't think it discards it, but hey, troubleshooting is
about checking what you don't think can go wrong).

> However, the client never receives a response ...
>   dig @192.168.1.14 www.google.com
> results in
>   […]
>   connection timed out; no servers could be reached
> 
> I disabled the pf firewall to ensure it wasn’t filtering traffic, to
> no avail.

What about the server? Can you try dig on the same machine as dnsmasq
is running? Especially considering this:

> I cannot figure out why my clients aren’t getting the response from
> dnsmasq even though it received and looked-up the query.  

So it affects several clients. All the more a reason to check whether
the dnsmasq server itself can dig its own dnsmasq.

> Any suggestions would be greatly appreciated!  I stumbled onto
> dnsmasq and think it will be the perfect solution … once I get it
> working properly.

In addition to trying dig on the server itself, I also suggest doing a
tcpdump on the server machine's interface while doing the dig, in order
to cross-check whether the server process physically sends the response
out.

Then, same with digging from a client, but running two tcpdumps: one on
the server's physical interface, and one on the client's physical
interface.

(Ideally, you should either copy-paste tcpdump output here if it's
short enough (but complete enough!), or write the dumps to files through
option -w or stdout redirection and make the files available somewhere,
providing just the URLs.)

Amicalement,
-- 
Albert.
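The two tcpdump readings in this thread (the later reply spotting that the upstream answer reaches the dnsmasq host but no reply leaves for the client, and the suggestion here to capture on the server while running dig) can be checked mechanically. This is an added editor's example, not code from the thread: it pairs queries with answers per hop in constructed `tcpdump -n` lines; 192.168.1.14 is the server from the thread, while the client 192.168.1.20, the upstream 203.0.113.53 and the answer 203.0.113.10 are placeholders.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 64

/* one query still waiting for its answer on a given hop */
struct pending {
    unsigned id;
    char src[64];   /* addr.port the query came from */
    char dst[64];   /* addr.port the query was sent to */
    int open;
};

/* Parse one "tcpdump -n" DNS line such as
 *   16:10:35.100000 IP 192.168.1.20.41234 > 192.168.1.14.53: 48513+ A? www.google.com. (32)
 * Returns 1 for a query, 2 for a response, 0 for anything it cannot read. */
static int parse_line(const char *line, unsigned *id, char *src, char *dst)
{
    char rest[256];
    if (sscanf(line, "%*s IP %63s > %63[^:]: %u%255[^\n]", src, dst, id, rest) != 4)
        return 0;
    /* tcpdump prints the question as "<type>?" only on queries */
    return strstr(rest, "? ") ? 1 : 2;
}

/* Pair each query with a response that carries the same id and flows back
 * from the query's destination to its source. Pairing is per hop, so it does
 * not matter whether dnsmasq rewrites the id when it forwards upstream.
 * Returns the number of queries left unanswered; if out is non-NULL the
 * "src > dst" of the first unanswered one is written there. */
static int unanswered_queries(const char *const *lines, size_t n,
                              char *out, size_t outlen)
{
    struct pending pend[MAX_PENDING];
    size_t npend = 0;

    for (size_t i = 0; i < n; i++) {
        unsigned id;
        char src[64], dst[64];
        int kind = parse_line(lines[i], &id, src, dst);
        if (kind == 1 && npend < MAX_PENDING) {
            pend[npend].id = id;
            strcpy(pend[npend].src, src);
            strcpy(pend[npend].dst, dst);
            pend[npend].open = 1;
            npend++;
        } else if (kind == 2) {
            for (size_t j = 0; j < npend; j++)
                if (pend[j].open && pend[j].id == id &&
                    strcmp(pend[j].src, dst) == 0 && strcmp(pend[j].dst, src) == 0) {
                    pend[j].open = 0;
                    break;
                }
        }
    }

    int missing = 0;
    for (size_t j = 0; j < npend; j++)
        if (pend[j].open) {
            if (missing == 0 && out)
                snprintf(out, outlen, "%s > %s", pend[j].src, pend[j].dst);
            missing++;
        }
    return missing;
}

/* Constructed capture taken on the dnsmasq host (192.168.1.14, from the
 * thread) while a client (192.168.1.20, assumed) runs
 * "dig @192.168.1.14 www.google.com"; upstream resolver and answer address
 * (203.0.113.53 / 203.0.113.10) are placeholders. Every hop is answered. */
static const char *const kHealthy[] = {
    "16:10:35.100000 IP 192.168.1.20.41234 > 192.168.1.14.53: 48513+ A? www.google.com. (32)",
    "16:10:35.100400 IP 192.168.1.14.56001 > 203.0.113.53.53: 48513+ A? www.google.com. (32)",
    "16:10:35.120800 IP 203.0.113.53.53 > 192.168.1.14.56001: 48513 1/0/0 A 203.0.113.10 (48)",
    "16:10:35.121000 IP 192.168.1.14.53 > 192.168.1.20.41234: 48513 1/0/0 A 203.0.113.10 (48)",
};
#define N_HEALTHY (sizeof kHealthy / sizeof kHealthy[0])

/* The situation in the thread: the upstream answer reaches the dnsmasq host,
 * but nothing ever goes back out towards the client. */
static const char *const kBroken[] = {
    "16:10:35.100000 IP 192.168.1.20.41234 > 192.168.1.14.53: 48513+ A? www.google.com. (32)",
    "16:10:35.100400 IP 192.168.1.14.56001 > 203.0.113.53.53: 48513+ A? www.google.com. (32)",
    "16:10:35.120800 IP 203.0.113.53.53 > 192.168.1.14.56001: 48513 1/0/0 A 203.0.113.10 (48)",
};
#define N_BROKEN (sizeof kBroken / sizeof kBroken[0])

int main(void)
{
    char hop[160] = "";
    printf("healthy capture: %d unanswered\n",
           unanswered_queries(kHealthy, N_HEALTHY, NULL, 0));
    int n = unanswered_queries(kBroken, N_BROKEN, hop, sizeof hop);
    printf("broken capture: %d unanswered, first missing reply for %s\n", n, hop);
    return 0;
}
```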



Re: [Dnsmasq-discuss] dnsmasq: routing non /24 reverse in-addr.arpa requests

2016-08-28 Thread Albert ARIBAUD
Hi Alessandro,

Le Sun, 28 Aug 2016 19:03:48 +0200
Alessandro Bottonelli  a écrit:

> Now I have to plan the make and install of a
> "/usr/local/sbin/dnsmasq" and the replacement of the repository
> version. I've to do it directly on a fully operational, 7x24,
> mission-critical server, 600 Km away. Therefore, I've to do it just
> like porcupines make love: VERY CAUTIOUSLY! :-)))

There is an advantage to your situation over that of porcupine
reproduction: you can set up the newer dnsmasq to run on a non-standard
port, which allows you to run tests on it using dig et al. while at the
same time not disturbing the production setup (but be wary not to kill
the wrong dnsmasq, though! I suggest running the tested dnsmasq in the
foreground in its own terminal, killing it with ^C rather than 'kill').
 
> Such rev-server option looks very promising.
> 
> Since you have been helping a lot, I will post the results to the
> list in a few days, for your and anybody else's reference.

Thanks a lot.

> Grazie mille Albert,

NP!

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq: routing non /24 reverse in-addr.arpa requests

2016-08-28 Thread Albert ARIBAUD
Hi again Alessandro,

Le Sun, 28 Aug 2016 14:56:35 +0200
Alessandro Bottonelli <alessan...@bottonelli.it> a écrit:

> Il 2016-08-28 11:53 Albert ARIBAUD ha scritto:
> > Hi Alessandro,
> > 
> > Le Sun, 28 Aug 2016 11:33:02 +0200
> > Alessandro Bottonelli <alessan...@bottonelli.it> a écrit:
> > 
> > Here's the current /etc/dnsmasq.conf content (I added the line
> > numbers):
> > 
> > -
> > 1.  # routing PTR queries to nameservers:
> > 2.  server=/50.150.10.in-addr.arpa/10.150.50.17
> > 3.  server=/51.150.10.in-addr.arpa/10.150.50.17
> > 4.  server=/52.150.10.in-addr.arpa/10.150.50.17
> > 5.  server=/53.150.10.in-addr.arpa/10.150.50.17
> > 6.  server=/54.150.10.in-addr.arpa/10.150.50.17
> > 7.  server=/156.240.10.in-addr.arpa/10.150.50.17
> > 8.  server=/157.240.10.in-addr.arpa/10.150.50.17
> > 9.  server=/158.240.10.in-addr.arpa/10.150.50.17
> > 10. server=/129.240.10.in-addr.arpa/10.240.129.113
> > 11. # anything else not defined above (strict-order is set)
> > 11. server=/10.in-addr.arpa/10.159.59.41
> > 
> > 
> > The issue is with line 7, actually 10.240.156.x IS NOT a /24 net. I
> > tried different syntax forms, I searched, but could not find a way
> > to tell dnsmasq about that.
> > 
> > [10.240.156.x looks like a /24 (sub)net to me, what with three
> > bytes out
> > of four being constant. Do you mean the third byte may be something
> > else than 156? Or is x being restricted to less than whole 0..255
> > range?]
> >   
> The latter you wrote. My line 7 is wrong I know, but I don't know how
> to write it differently.
> I can rev 10.240.156.6 by asking 10.150.50.17. But 10.240.156.101 is 
> reversed only by 10.159.59.41 (tried with dig -x 10.240.156.101 
> @10.159.59.41 and works fine).
> 
> And that's my issue, what's the syntax (if available) to tell dnsmasq
> to ask for reverse for less than 0.255 range? Say ask
> 10.240.156.[0-63] revs to 10.150.50.17 and ask 10.240.156.[64-255]
> revs to 10.159.59.41.
> 
> And/Or, as previously asked, is there a way to tell dnsmasq to ignore 
> NXDOMAIN coming from one server (say 10.150.50.17) and keep asking
> the others (till the end of the server list)?

Er... Maybe you missed the second part of my answer. Here it is again:

> > Can you use rev-server? The manpage gives an example with a subnet
> > size for rev-server (whereas it does not give any size for server).
> > Maybe other values than 24 work too -- I haven't checked the source
> > code, only the manpage.

Did you try this?

> Thanks,

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq: routing non /24 reverse in-addr.arpa requests

2016-08-28 Thread Albert ARIBAUD
Hi Alessandro,

Le Sun, 28 Aug 2016 11:33:02 +0200
Alessandro Bottonelli  a écrit:

> Hi,
> 
> very new to dnsmasq, and also very impressed. I replaced bind last
> night 'cause I needed to route different subnets reverses to
> different name servers. Not a clean setup, I know. But that's what my
> Customer has been doing over the last twenty years. Cannot do
> anything about it.
> 
> Here's the current /etc/dnsmasq.conf content (I added the line
> numbers):
> 
> -
> 1.  # routing PTR queries to nameservers:
> 2.  server=/50.150.10.in-addr.arpa/10.150.50.17
> 3.  server=/51.150.10.in-addr.arpa/10.150.50.17
> 4.  server=/52.150.10.in-addr.arpa/10.150.50.17
> 5.  server=/53.150.10.in-addr.arpa/10.150.50.17
> 6.  server=/54.150.10.in-addr.arpa/10.150.50.17
> 7.  server=/156.240.10.in-addr.arpa/10.150.50.17
> 8.  server=/157.240.10.in-addr.arpa/10.150.50.17
> 9.  server=/158.240.10.in-addr.arpa/10.150.50.17
> 10. server=/129.240.10.in-addr.arpa/10.240.129.113
> 11. # anything else not defined above (strict-order is set)
> 11. server=/10.in-addr.arpa/10.159.59.41
> 
> 
> The issue is with line 7, actually 10.240.156.x IS NOT a /24 net. I 
> tried different syntax forms, I searched, but could not find a way to 
> tell dnsmasq about that.

[10.240.156.x looks like a /24 (sub)net to me, what with three bytes out
of four being constant. Do you mean the third byte may be something
else than 156? Or is x being restricted to less than whole 0..255
range?]

> Is it possible?

Can you use rev-server? The manpage gives an example with a subnet size
for rev-server (whereas it does not give any size for server). Maybe
other values than 24 work too -- I haven't checked the source code,
only the manpage.

> Or alternatively; is there a way to tell dnsmasq to ignore NXDOMAIN
> from previous servers and keep asking? I KNOW, intellectually very
> wrong. But real life is real life :-)
> 
> Thanks in advance for any help.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] DHCP packet received on which has no address

2016-08-25 Thread Albert ARIBAUD
Le Thu, 25 Aug 2016 18:45:09 +0200
Albert ARIBAUD <albert.arib...@free.fr> a écrit:


> eth0.3 which does not have an IP and netmask, and therefore rightly
> complains about that.

(developing slightly)

I do understand that most probably -- even though it was not
stated explicitly -- dnsmasq is receiving its own host's DHCP request
sent by the client running on eth0.3.

This does not really change my reading of the situation: if dnsmasq
receives this request, it is because eth0.3 is in the list of
interfaces which dnsmasq is actually listening to, even though it is
not in the list of interfaces it *should* be listening to. Hence my
question...

> I don't think, therefore, that what you describe as a bug is [the] one
> [you are considering]. Rather, I would ask how exactly the list of
> interfaces dnsmasq should listen on is efined, how exactly eth0.3 is

/s/efined/defined/

> excluded from this list, and whether dnsmasq actually listens only to
> the given list of interfaces.

... because obviously dnsmasq is listening on eth0.3 but should not.

Amicalement,
-- 
Albert.




Re: [Dnsmasq-discuss] DHCP packet received on which has no address

2016-08-25 Thread Albert ARIBAUD
Bonjour,

Le Thu, 25 Aug 2016 13:32:56 +0300
Andrew Shadura  a écrit:

> On 25/08/16 13:26, Andrew Shadura wrote:
> > Okay, let me give you a more specific example, with just one of the
> > interfaces.
> > 
> > Let's say we've got eth0 with vlans:
> >   eth0.1, static config
> >   eth0.2, static config + dhcp server
> >   eth0.3, dhcp client  
> 
> So, let's say we've configured eth0.1 and eth0.2, then started
> dnsmasq. It complains eth3.4 (an interface expected on a different
> machine) doesn't exist, so it'll skip and ignore it, and then it
> starts listening on eth0.2.
> 
> Next, we bring eth0.3 up. DHCP client starts, and then dnsmasq starts
> complaining it's received a DHCP packet on eth0.3 it didn't expect.
> 
> As I can see in the code, the first thing dnsmasq does for a packet
> received on some interface is that it attempts to determine the
> interface address. If that fails, none of the checks, which are
> further down in the code, are performed.

I believe the following is correct behavior:

- if dnsmasq received a DHCP packet on some interface, it is because the
  system considered that this packet should be sent to dnsmasq.

- if dnsmasq receives a DHCP packet on an interface, it can only be
  because dnsmasq should serve DHCP requests on the segment to which
  this interface belongs.

- but dnsmasq can only serve DHCP requests on a segment with IPs from
  the subnet of this segment, and it can only tell which subnet this
  segment is on if the interface has an IP and netmask.

Applied to your case, it seems like dnsmasq receives DHCP requests on
eth0.3 which does not have an IP and netmask, and therefore rightly
complains about that.

I don't think, therefore, that what you describe as a bug is [the] one
[you are considering]. Rather, I would ask how exactly the list of
interfaces dnsmasq should listen on is defined, how exactly eth0.3 is
excluded from this list, and whether dnsmasq actually listens only to
the given list of interfaces.

Amicalement,
-- 
Albert.




Re: [Dnsmasq-discuss] DHCP packet received on which has no address

2016-08-25 Thread Albert ARIBAUD
Hi,

Le Thu, 25 Aug 2016 11:52:41 +0300
Andrew Shadura  a écrit:

> Hello,
> 
> We've run into an issue: in our configuration, there are many
> interfaces, some of them are being served by dnsmasq-dhcp, some of
> them use run dhcp client themselves.

Not sure I'm getting this right, but I assume you mean on some
interfaces the host running your dnsmasq is DHCP server, and on some it
is DHCP client.

> Interfaces come and go, so it's
> not always possible to use bind-interfaces.

This seems to imply that dnsmasq should serve (at least some) of these
dynamic interfaces. If all dynamic interfaces should be served, then
AFAIU bind-dynamic is what you need. Otherwise, you need some ad hoc
means to discriminate between 'client' and 'server' dynamic interfaces.

Also, you haven't said how these interfaces come and go. Are they
virtual interfaces? VLANs? taps? bridges? etc.

> Sometimes dnsmasq-dhcp
> reacts to the DHCP packets coming from the interfaces it's not
> supposed to work with, and as they hasn't been configured yet dnsmasq
> complains.

Again, I'm interpreting here, but I'll assume you mean that on some
(dynamic?) interfaces where the host is supposed to be a client,
its dnsmasq actually does answer DHCP requests. I would understand how
this happens if you already use bind-dynamic, otherwise I don't see how
this is possible.

> Having looked at the code, I see the warning is issued when
> dnsmasq-dhcp has detected the interface hasn't got an address, before
> it checks the interface name or exclusion lists. That doesn't seem
> right to me, but I haven't come up with a reasonable patch yet.
> 
> Could that please be fixed?

I believe it is perfectly right that dnsmasq can only serve IPs to a
network segment it knows the IP subnet of, and that knowledge comes
from the interface to that segment having an IP itself.

So the problem comes from dnsmasq listening on an up but unconfigured
interface.

So either dnsmasq should listen on this interface, and then it is wrong
that this interface has no IP, or dnsmasq should not listen on this
interface, and it was a mistake to let it.

Or dnsmasq is receiving requests on an interface which should not
present them but does because of your local (virtual, vlan, tap,
bridge...) interface setup.

Of course, without more info on your setup, I might be wrong, and
possibly am. So can you please elaborate on your host's networking
setup?

> Thanks.

Amicalement,
-- 
Albert.




Re: [Dnsmasq-discuss] Static IP client question

2016-08-09 Thread Albert ARIBAUD
Hi Chris,

Le Sun, 7 Aug 2016 16:36:11 +0100
Chris Green <c...@isbd.net> a écrit:

> On Sun, Aug 07, 2016 at 05:25:24PM +0200, Albert ARIBAUD wrote:
> > Chris Green <c...@isbd.net> a écrit:  
> > > On Sat, Aug 06, 2016 at 08:57:43PM -0400, Edward Crosby wrote:  
> > > >I've implemented Dnsmasq on a Raspberry Pi 3 running Ubuntu
> > > > Mate 16.04 on my home LAN. I have configured it as a DHCP
> > > > server also. I have quite a few clients on my LAN, most of them
> > > > are DHCP clients. I have one PC, my personal PC, that has a
> > > > static IP address. This PC does not resolve host names of other
> > > > host on my LAN, it doesn't even resolve the hostname of the
> > > > Dnsmasq DNS server, even though I have the Dnsmasq server IP as
> > > > my DNS server.
> > > 
> > > I'm doing almost exactly the same as you.
> > > 
> > > What I do is fix the IP address of my desktop machine by getting
> > > dnsmasq to always give it the same address.  So leave your desktop
> > > with a dynamic IP in its configuration and have something like the
> > > following to your /etc/hosts file on the pi:-
> > > 
> > > 127.0.0.1   localhost
> > > #
> > > #
> > > # These have fixed IP for various reasons, so dnsmasq serves their IP from here
> > > #
> > > 192.168.1.1 vigor
> > > 192.168.1.2 pi.zbmc.eu raspberrypi  pi
> > > 192.168.1.3 esprimo.zbmc.eu zbmc.eu
> > > 192.168.1.5 maxinexp
> > > 192.168.1.6 ben
> > > 192.168.1.40 mikrotik
> > > 192.168.1.60 fonera
> > > 
> > > My desktop machine is esprimo.  
> > 
> > Hi Chris and Edward,
> > 
> > I don't have many Windows machines around my dnsmasq managed,
> > statically attributed LAN, but at least one is used daily, and I
> > just ran a test on it, which makes me ask a question to Edward:
> > 
> > How did you (both) test that the machine does not resolve?
> > 
> > Here's why I'm asking:
> > 
> > I've tested the following with a Windows machine (let's call it
> > romulus) and my Linux machine (let's call it remus). From the
> > command prompt on romulus, I ran the following:
> > 
> > ping remus
> >   
> > => romulus complains that it could not find host remus.  
> > 
> > nslookup remus
> >   
> > => This resolves immediately to remus' fixed IP address.  
> > 
> > ping remus.  (note the dot at the end!)
> >   
> > => This works.  
> > 
> > If I'd believed the first ping, I might have concluded that the
> > resolution did not work, while it actually does; the issue is with
> > how romulus handles domainless names.
> > 
> > Hence my question re: how exactly the issue was tested.
> >   
> I've not used nslookup in years, it's deprecated now.  I use 'host' or
> 'dig' if something else doesn't work (e.g. an ssh to somewhere).

I'd use dig if that were provided on Windows machines. :)

> I'm not sure why you get the symptoms you're seeing though Albert, I
> don't think I've ever noticed anything like that.  If I try 'ssh
> something' and it doesn't work then 'host something' doesn't work
> either! :-)

I'm not sure why you think I am seeing symptoms here :) -- as far as
I'm concerned, the Windows machines on my network work fine [enough for
their users]. I am just giving an example to show that depending on how
one tests things, one may get to a wrong conclusion, and therefore,
that explaining how one runs a test is as important as running it.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Static IP client question

2016-08-07 Thread Albert ARIBAUD
Bonjour,

Le Sun, 7 Aug 2016 09:32:47 +0100
Chris Green  a écrit:

> On Sat, Aug 06, 2016 at 08:57:43PM -0400, Edward Crosby wrote:
> >I've implemented Dnsmasq on a Raspberry Pi 3 running Ubuntu Mate
> > 16.04 on my home LAN. I have configured it as a DHCP server also. I
> > have quite a few clients on my LAN, most of them are DHCP clients.
> > I have one PC, my personal PC, that has a static IP address. This
> > PC does not resolve host names of other host on my LAN, it doesn't
> > even resolve the hostname of the Dnsmasq DNS server, even though I
> > have the Dnsmasq server IP as my DNS server.  
> 
> I'm doing almost exactly the same as you.
> 
> What I do is fix the IP address of my desktop machine by getting
> dnsmasq to always give it the same address.  So leave your desktop
> with a dynamic IP in its configuration and have something like the
> following to your /etc/hosts file on the pi:-
> 
> 127.0.0.1   localhost
> #
> #
> # These have fixed IP for various reasons, so dnsmasq serves their IP from here
> #
> 192.168.1.1 vigor
> 192.168.1.2 pi.zbmc.eu raspberrypi  pi
> 192.168.1.3 esprimo.zbmc.eu zbmc.eu
> 192.168.1.5 maxinexp
> 192.168.1.6 ben
> 192.168.1.40 mikrotik
> 192.168.1.60 fonera
> 
> My desktop machine is esprimo.

Hi Chris and Edward,

I don't have many Windows machines around my dnsmasq managed,
statically attributed LAN, but at least one is used daily, and I just
ran a test on it, which makes me ask a question to Edward:

How did you (both) test that the machine does not resolve?

Here's why I'm asking:

I've tested the following with a Windows machine (let's call it romulus)
and my Linux machine (let's call it remus). From the command prompt on
romulus, I ran the following:

ping remus

=> romulus complains that it could not find host remus.

nslookup remus

=> This resolves immediately to remus' fixed IP address.

ping remus.  (note the dot at the end!)

=> This works.

If I'd believed the first ping, I might have concluded that the
resolution did not work, while it actually does; the issue is with
how romulus handles domainless names.

Hence my question re: how exactly the issue was tested.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] suggestion filter out loopback addresses for query

2016-08-02 Thread Albert ARIBAUD
Hi,

Le Tue, 02 Aug 2016 10:39:23 -0400
Junyang Gu  a écrit:

> It seems to me that dnsmasq should filter out loopback addresses for
> DNS queries universally, or at least provide such an option.
> 
> Consider such a scenario,
> 
> dnsmasq runs on host1, and host1's /etc/hosts contains 127.0.1.1
> host1, which is usually the case.
> 
> A second machine host2 queries dnsmasq for host1, and would get
> 127.0.1.1, which is also a valid IP address, except it goes to host2.
> 
> I do not see any any scenario where dnsmasq should return a loopback
> address.

I've seen this method used by NS providers for blackholing suspicious
FQDNs. It makes sure traffic directed at them will not even enter the
Net.

> Regards

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] why not cache data obtained via TCP?

2016-07-29 Thread Albert ARIBAUD
Hi Simon,

Le Thu, 28 Jul 2016 21:53:41 +0100
Simon Kelley <si...@thekelleys.org.uk> a écrit:

> 
> On 27/07/16 09:02, Albert ARIBAUD wrote:
> > Hi Ming,
> > 
> > Le Wed, 27 Jul 2016 10:06:47 +0800 XMing <mgab...@gmail.com> a
> > écrit:
> >   
> >> is there any regulation or spec about that?  
> > 
> > There is neither, and DNS records obtained through TCP /are/
> > cached.
> > 
> > Or, more to the point, answers are cached (or not, depending on
> > the cache-related settings in dnsmasq) regardless of whether they
> > were obtained through UDP or TCP.
> > 
> > What made you believe that answers obtained through TCP would not
> > be cached?
> > 
> > Amicalement,
> >   
> 
> Actually, they're not cached.

My bad, then. I'd assumed -- yes, I know -- that there was no
difference.

> TCP connections are handled by forking a new process for each TCP
> connection. The records which arrive to that new process are not
> inserted into the cache (actually, they may be inserted into the cache
> of the child process, but that's a copy which evaporates when the TCP
> connection dies); they don't make it to the real cache in the
> long-lived dnsmasq process.
>
> The reason for this is ease of implementation; it's the simplest and
> smallest way to handle TCP connections. It's not the most efficient,
> and it means that records which come via TCP are not cached. Since TCP
> connections are pretty rare, that's a trade-off worth making, I think.
> 
> TL;DR data obtained via TCP is not cached. There's no mandate to do
> that in the DNS spec, it just makes the implementation easy.

Got it. For TCP records to get cached, the child process would need an 
easy way to pass it to its parent (or the main process would need an
easy way to handle the TCP connections itself).

> Cheers,
> 
> Simon.

Thanks for the explanation!

Amicalement,
-- 
Albert.
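To make Simon's explanation and the follow-up concrete, here is an added editor's example in C, not dnsmasq code: a toy cache, a forked child standing in for the per-connection TCP process, and a pipe as the "easy way to pass it to its parent" that Albert mentions. The name and address the child "resolves" are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CACHE_SLOTS 8

struct record { char name[64]; char addr[32]; };

/* toy cache owned by the long-lived (parent) process */
struct cache { struct record rec[CACHE_SLOTS]; int n; };

static int cache_insert(struct cache *c, const char *name, const char *addr)
{
    if (c->n >= CACHE_SLOTS)
        return 0;
    snprintf(c->rec[c->n].name, sizeof c->rec[c->n].name, "%s", name);
    snprintf(c->rec[c->n].addr, sizeof c->rec[c->n].addr, "%s", addr);
    c->n++;
    return 1;
}

static const char *cache_lookup(const struct cache *c, const char *name)
{
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->rec[i].name, name) == 0)
            return c->rec[i].addr;
    return NULL;
}

/* Stand-in for the per-connection child: "resolves" a name over TCP (the
 * answer is constructed) and inserts it into the cache it inherited, which
 * after fork() is a private copy. If fd >= 0 it also serialises the record
 * back to the parent over that descriptor. */
static void tcp_child(struct cache *c, const char *name, int fd)
{
    const char *addr = "203.0.113.7";   /* constructed upstream answer */
    cache_insert(c, name, addr);        /* lands in the child's copy only */
    if (fd >= 0) {
        char msg[128];
        int len = snprintf(msg, sizeof msg, "%s %s\n", name, addr);
        if (len > 0)
            (void)write(fd, msg, (size_t)len);
    }
}

/* Runs one TCP "connection" in a forked child and returns 1 if the parent
 * can look the name up afterwards, 0 if not, -1 on a fork/pipe failure.
 * pass_back == 0 is the current behaviour Simon describes; pass_back == 1
 * adds a pipe so the parent can insert what the child learned. */
static int parent_sees_record(int pass_back)
{
    struct cache c = { .n = 0 };
    const char *name = "tcp.example.";
    int pfd[2] = { -1, -1 };

    if (pass_back && pipe(pfd) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (pass_back)
            close(pfd[0]);
        tcp_child(&c, name, pass_back ? pfd[1] : -1);
        _exit(0);                       /* child's cache copy evaporates here */
    }
    if (pass_back) {
        close(pfd[1]);
        char buf[128], rname[64], raddr[32];
        ssize_t got = read(pfd[0], buf, sizeof buf - 1);   /* one short write: read whole */
        close(pfd[0]);
        if (got > 0) {
            buf[got] = '\0';
            if (sscanf(buf, "%63s %31s", rname, raddr) == 2)
                cache_insert(&c, rname, raddr);
        }
    }
    waitpid(pid, NULL, 0);
    return cache_lookup(&c, name) != NULL;
}

int main(void)
{
    printf("without hand-back, parent sees record: %d\n", parent_sees_record(0));
    printf("with pipe hand-back, parent sees record: %d\n", parent_sees_record(1));
    return 0;
}
```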



Re: [Dnsmasq-discuss] list dns cache and expiration

2016-07-28 Thread Albert ARIBAUD
Hi,

Le Thu, 28 Jul 2016 06:46:51 +0800
"水静流深" <1248283...@qq.com> a écrit:

> Dnsmasq has been installed on my OS.
> cache-size=1024 was written in /etc/dnsmasq.conf.
> 1. How to list all the DNS cache on my dnsmasq?

See the dnsmasq manpage for the log-queries option (note that if you
intend on processing the cache dump, you may want to configure your
system so that the log from dnsmasq is directed to a specific file
where no other process logs anything, or even avoid the system log
altogether and instead feed the dnsmasq output directly to some
process).

> 2. How to keep the DNS cache expiration till 3600 seconds on dnsmasq?

The dnsmasq manpage lists all TTL-related options. Watch out, dnsmasq
does not give you full control on the TTL, though.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] why not cache data obtained via TCP?

2016-07-27 Thread Albert ARIBAUD
Hi Ming,

Le Wed, 27 Jul 2016 10:06:47 +0800
XMing  a écrit:

> is there any regulation or spec about that?

There is neither, and DNS records obtained through TCP /are/ cached.

Or, more to the point, answers are cached (or not, depending on the
cache-related settings in dnsmasq) regardless of whether they were
obtained through UDP or TCP.

What made you believe that answers obtained through TCP would not be
cached?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No DHCP leases handed on bridge interface

2016-07-16 Thread Albert ARIBAUD
Bonjour,

Le Sat, 16 Jul 2016 07:15:55 + (UTC)
Sébastien Delafond <s...@debian.org> a écrit:

> On 2016-07-15, Albert ARIBAUD <albert.arib...@free.fr> wrote:
> > No mention of the interfaces it binds to and how? No functional
> > equivalent to the interface-related options of dnsmasq?  
> 
> You can pass interfaces to bind to on the command-line, but it wasn't
> necessary in my case.
> 
> > Which seems to imply that dnsmasq makes the difference based on the
> > interface it receives the request on -- hence my asking how ISC dhcp
> > chooses the interfaces it listens to... and how dnsmasq does it.
> >
> > You might want to check whether the bridge is brought up before or
> > after dnsmasq is started.  
> 
> It's up before I start dnsmasq.

OK.

> > Also, try combinations of interface= and bind-interfaces.  
> 
> I've tried with "interface=br.eth0-2 bind-interfaces" but the behavior
> stays the same.
> 
> > Also, checkout bridge-interface= if it is available in your version
> > of dnsmasq.  
> 
> From the man page, I had assumed bridge-interface would play a role
> only if the bridge interface wasn't assigned an IP.

Indeed, but it was still worth trying, in case the manpage and code did
not agree.

> With "interface=eth0.2 bind-interfaces
> bridge-interface=eth0.2,br.eth0-2", dnsmasq refuses to stop with
> "unknown interface eth0.2", which seems to be a generic message
> saying that the interface doesn't have an IP.
> 
> With "interface=br.eth0-2 bind-interfaces
> bridge-interface=eth0.2,br.eth0-2", dnsmasq clearly states
> "dnsmasq-dhcp: DHCP, sockets bound exclusively to interface br.eth0-2
> " when starting, and I don't get DHCP leases either.
> 
> With "interface=* bind-interfaces bridge-interface=eth0.2,br.eth0-2",
> no obvious changes.
> 
> Not passing bind-interfaces doesn't seem to affect the result of those
> tests.

Alright... I'm out of ideas, sorry -- apart from recompiling dnsmasq
with ad hoc debug code. :/

> Cheers,
> 
> --Seb

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No DHCP leases handed on bridge interface

2016-07-15 Thread Albert ARIBAUD
Bonsoir Seb,

Le Fri, 15 Jul 2016 17:09:02 + (UTC)
Sébastien Delafond <s...@debian.org> a écrit:

> On 2016-07-15, Albert ARIBAUD <albert.arib...@free.fr> wrote:
> > OTOH, there *is* a link with the networking setup since dnsmasq
> > works without the bridge and stops working with the bridge.  
> 
> True.
> 
> > Also, the fact that ISC dhcp works might hinge on how ISC dhcp
> > listens to requests exactly vs. how dnsmasq does. What's the ISC
> > dhcp config exactly?  
> 
> The shortest functional one is:
> 
>   subnet 192.168.0.0 netmask 255.255.0.0 {
> range 192.168.1.100 192.168.1.200;
>   }

No mention of the interfaces it binds to and how? No functional
equivalent to the interface-related options of dnsmasq?

> > Speaking of tcpdump, can you use it to capture a successful request
> > to ISC dhcp and a (failed) request to dnsmasq, on eth0.2 as well as
> > on br.eth0-2, and make the capture files available somewhere?  
> 
> They're now at https://people.debian.org/~seb/dnsmasq-pcaps

Thanks. The captures are identical except for obvious differences like
transaction numbers or checksums, which have no influence on acceptance
or rejection of a DHCP request.

Which seems to imply that dnsmasq makes the difference based on the
interface it receives the request on -- hence my asking how ISC dhcp
chooses the interfaces it listens to... and how dnsmasq does it.

You might want to check whether the bridge is brought up before or
after dnsmasq is started. Also, try combinations of interface= and
bind-interfaces. Also, checkout bridge-interface= if it is available in
your version of dnsmasq.

> Cheers,
> 
> --Seb

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No DHCP leases handed on bridge interface

2016-07-15 Thread Albert ARIBAUD
Bonjour Seb,

Le Fri, 15 Jul 2016 15:48:55 + (UTC)
Sébastien Delafond <s...@debian.org> a écrit:

> On 2016-07-15, Albert ARIBAUD <albert.arib...@free.fr> wrote:
> > That leads to further questions, at least. VLANs do not cause
> > problems for dnsmasq, but bridging VLANs may be tricky and more
> > prone to network misconfigurations.
> >
> > So just to make sure, can you list all interfaces and all bridges in
> > your system, including ifconfig outputs?  
> 
> Sure:
> 
>   $ brctl show
>   bridge name bridge id   STP enabled interfaces
>   br.eth0-2   8000.1cb72c761568   no  eth0.2
> 
>   $ ifconfig
>   br.eth0-2 Link encap:Ethernet  HWaddr 1c:b7:2c:76:15:68
>             inet addr:192.168.1.1  Bcast:192.168.255.255  Mask:255.255.0.0
>             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>             RX packets:872 errors:0 dropped:0 overruns:0 frame:0
>             TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
>             collisions:0 txqueuelen:1000
>             RX bytes:130641 (127.5 KiB)  TX bytes:258 (258.0 B)
> 
>   eth0      Link encap:Ethernet  HWaddr 1c:b7:2c:76:15:68
>             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>             RX packets:140624 errors:0 dropped:0 overruns:0 frame:0
>             TX packets:103007 errors:0 dropped:0 overruns:0 carrier:0
>             collisions:0 txqueuelen:1000
>             RX bytes:91383944 (87.1 MiB)  TX bytes:74433059 (70.9 MiB)
>             Interrupt:180 Base address:0x5000
> 
>   eth0.1    Link encap:Ethernet  HWaddr 1c:b7:2c:76:15:68
>             inet addr:172.16.25.234  Bcast:172.16.25.255  Mask:255.255.255.0
>             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>             RX packets:748 errors:0 dropped:0 overruns:0 frame:0
>             TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
>             collisions:0 txqueuelen:1000
>             RX bytes:51266 (50.0 KiB)  TX bytes:41482 (40.5 KiB)
> 
>   eth0.2    Link encap:Ethernet  HWaddr 1c:b7:2c:76:15:68
>             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>             RX packets:4 errors:0 dropped:0 overruns:0 frame:0
>             TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
>             collisions:0 txqueuelen:1000
>             RX bytes:1312 (1.2 KiB)  TX bytes:258 (258.0 B)
> 
>   lo        Link encap:Local Loopback
>             inet addr:127.0.0.1  Mask:255.0.0.0
>             inet6 addr: ::1/128 Scope:Host
>             UP LOOPBACK RUNNING  MTU:65536  Metric:1
>             RX packets:285419 errors:0 dropped:0 overruns:0 frame:0
>             TX packets:285419 errors:0 dropped:0 overruns:0 carrier:0
>             collisions:0 txqueuelen:0
>             RX bytes:77987874 (74.3 MiB)  TX bytes:77987874 (74.3 MiB)
> 
> So, only one bridge (that's not bridging much right now since it only
> contains eth0.2).

... and no weirdness in the address/mask settings that I can see.

[...]

> Interesting issue, but it doesn't feel like what I'm facing right now:
> the fact that ISC dhcpd serves leases OK seems to indicate that the
> network configuration itself is all right.

OTOH, there *is* a link with the networking setup since dnsmasq works
without the bridge and stops working with the bridge. Also, the fact
that ISC dhcp works might hinge on how ISC dhcp listens to requests
exactly vs. how dnsmasq does. What's the ISC dhcp config exactly?

> Plus, there really is not VLAN at all outside of that
> software-programmable NIC anyway: tcpdump -e confirms that packets
> going in and out (either on br0.eth-2 or eth0.2) are not tagged. I've
> tested that by assigning a manual IP to my client and initiating a
> telnet connection to the outside.
> 
> Does this make any sort of sense ? :)

Well, it certainly does not give me a definite clue as to what is wrong
with your dnsmasq.

Speaking of tcpdump, can you use it to capture a successful request to
ISC dhcp and a (failed) request to dnsmasq, on eth0.2 as well as on 
br.eth0-2, and make the capture files available somewhere?

> Cheers,
> 
> --Seb

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No DHCP leases handed on bridge interface

2016-07-15 Thread Albert ARIBAUD
Bonjour,

Le Fri, 15 Jul 2016 16:39:37 +0200
Sébastien Delafond <s...@debian.org> a écrit:

> On Jul/15, Albert ARIBAUD wrote:
> > Just to make sure: "eth0.2" would normally denote a virtual
> > interface for VLAN 2 traffic on eth0. Are VLANs involved in your
> > network setup?  
> 
> Hi Albert,
> 
> the hardware is an ARM board using the roboswitch module: that
> basically uses VLANs internally, in order to let users dynamically
> create logical groups from the 9 physical ethernet ports available on
> the board, by writing to /proc/switch/eth0/*. Does that help ?

That leads to further questions, at least. VLANs do not cause problems
for dnsmasq, but bridging VLANs may be tricky and more prone to network
misconfigurations.

So just to make sure, can you list all interfaces and all bridges in
your system, including ifconfig outputs?

FYI and assuming you can read French :) here is an overview of an
issue I had with bridged VLANs: <http://albert.aribaud.net/fr/node/11>.

The English TL;DR of it is: I had eth0 and eth1 bridged (as "br0") and
needed VLAN 100 traffic to pass across transparently. Not only did I
need to also bridge eth0.100 and eth1.100 (as "br100"), but I also
had to use iptables to make br0 reject VLAN 100 packets, otherwise they
were dropped instead of being processed and passed across by br100.

Again: no reason why your problem might be the one I had; I'm just
giving an example of how mixing bridges and VLANs can be tricky.

> Cheers,
> 
> --Seb

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] No DHCP leases handed on bridge interface

2016-07-15 Thread Albert ARIBAUD
Hi Seb,

Le Fri, 15 Jul 2016 10:28:33 + (UTC)
Sébastien Delafond  a écrit:

> Hello,
> 
> I have a server with a bridge containing only one interface (ideally
> it'll of course include more interfaces, but I've tried to eliminate
> as many factors as possible):
> 
>   $ brctl show
>   bridge name bridge id   STP enabled interfaces
>   br.eth0-2   8000.1cb72c761568   no  eth0.2
> 
>   $ ip ad show br.eth0-2
>   15: br.eth0-2: mtu 1500 qdisc noqueue state UP group default qlen 1000
>   link/ether 1c:b7:2c:76:15:68 brd ff:ff:ff:ff:ff:ff
>   inet 192.168.1.1/16 brd 192.168.255.255 scope global br.eth0-2
>  valid_lft forever preferred_lft forever
> 
> The DHCP-relevant parts of dnsmasq.conf are:
> 
>   interface=*
>   dhcp-authoritative
>   dhcp-lease-max=5000
>   dhcp-range=set:br.eth0-2,192.168.1.100,192.168.1.200,86400
>   dhcp-option=tag:br.eth0-2,3,192.168.1.1 # gateway
>   dhcp-option=tag:br.eth0-2,1,255.255.0.0 # netmask
>   dhcp-option=tag:br.eth0-2,6,192.168.1.1 # dns
> 
> My client, sitting on the other end of eth0.2, is issuing DHCP
> requests that correctly make it up to the server (tcpdump sees them
> on both eth0.2 and br.eth0-2). However, dnsmasq is acting like it
> doesn't receive them at all: it stays silent, even when run with "-d
> --log-dhcp". In strace, I don't see anything either after it's
> started.
> 
> The most interesting point is probably that ISC-dhcpd serves DHCP
> leases just fine in the same exact setup: simply stopping dnsmasq and
> starting ISC-dhcpd with a minimal "subnet 192.168.0.0 netmask
> 255.255.0.0 { range 192.168.1.100 192.168.1.200;}" configuration
> results in leases being handed to the same client.
> 
> Also, if I remove the bridge, assign 192.168.1.1/16 to eth0.2, and
> restart dnsmasq, then my client gets a DHCP lease.
> 
> Another thing I've done is to replay all the aforementioned tests
> with a wlan0 interface instead of the eth0.2, with the same results:
> ISC dhcpd works fine, dnsmasq doesn't serve DHCP over the bridge
> containing only wlan0, but does if I kill the bridge and work with
> wlan0 alone.
> 
> Any clue what's going on ? This is a 4.4.3 kernel, and I've tried both
> 2.62 from Debian jessie, and 2.76 from stretch.

Just to make sure: "eth0.2" would normally denote a virtual interface
for VLAN 2 traffic on eth0. Are VLANs involved in your network setup?

> Cheers,
> 
> --Seb

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-14 Thread Albert ARIBAUD
Hi Tong,

Le Thu, 14 Jul 2016 00:21:20 + (UTC)
T o n g  a écrit:

> After struggling for a few days, I finally decided that I should
> reply, to bring some closure on this. Thank you for all these days of
> your tireless help. However, my conclusion is still the same as my
> first post -- dnsmasq is unable to provide public DNS service -- It
> can be used as DNS server for local host, or local network, but just
> not for the general public. We've ruled out everything possible, and
> the only thing left is dnsmasq. 

Your conclusion is wrong; the only thing you can conclude from your
trials is that dnsmasq will not operate properly in an environment
which does not conform to Internet standards -- and *that* is hardly a
surprise.

> I.e., if there is any problem with my ISP or my hosting provider, I 
> wouldn't have been able to start a working second SSH session
> listening to port 53 (instead of 22). 

You are again not concluding properly. DNS requires *UDP* port 53 as
well as *TCP* port 53. Your assumption that DNS somehow can do with
*TCP* port 53 alone is unfounded and plain wrong.

> In other words, all else the same, swap in SSH to listen to port 53,
> it works; swap in dnsmasq, and it fails. With all else the same,
> dnsmasq is the only problem. 

This experiment only proves that *TCP* port 53 works between your home
and box, but that was already proven by previous tests I suggested.
However, dnsmasq requires *UDP* port 53 -- and due to a crippled
access, you cannot use that UDP port, contrary to a considerable
quantity of other persons who daily prove that dnsmasq can be used way
beyond a LAN.

> Thanks anyway for all your help. 

You're welcome. :)

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq responding with SOA instead of A

2016-07-11 Thread Albert ARIBAUD
Hi again Aaron,

Le Mon, 11 Jul 2016 21:53:21 +
Aaron Germuth  a écrit:

> Hey Albert,
> 
> Thanks for the reply and sorry about that. The dig command used is
> 
> dig @100.108.108.176 b.local.example.com A.
> 
> 100.108.108.176 is the IP of my dns server. This dns server has an
> entry in /etc/hosts mapping
> b.local.example.com -> 1.2.3.50.
> 
> My domain 'example.com' has a RR:
> local.example.com  NS 3600   MY_DNS_SERVER.com
> 
> I'm expecting the following dig response (which i get when running it
> locally on my dns server):
> 
> ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176 b.local.example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;b.local.example.com. IN A
> 
> ;; ANSWER SECTION:
> b.local.example.com. 600 IN A 1.2.3.50
> 
> ;; Query time: 0 msec
> ;; SERVER: 100.108.108.176#53(100.108.108.176)
> ;; WHEN: Mon Jul 11 17:38:03 EDT 2016
> ;; MSG SIZE  rcvd: 51
> 
> The response if run from the other computer is:
> 
> ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176 b.local.example.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25320
> ;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;b.local.example.com. IN A
> 
> ;; AUTHORITY SECTION:
> local.example.com. 600 IN SOA MY_DNS_SERVER.com. hostmaster.MY_DNS_SERVER.com. 1468262852 1200 180 1209600 600
> 
> ;; Query time: 60 msec
> ;; SERVER: 100.108.108.176#53(100.108.108.176)
> ;; WHEN: Mon Jul 11 14:32:23 PDT 2016
> ;; MSG SIZE  rcvd: 1
> 
> The only filtering I've done is changing the domain to example.com and
> replacing the MY_DNS_SERVER URL. Otherwise it's copy-paste. I don't think
> the exact URL should matter?

I don't think it does, except of course that no one can reproduce your
tests, but I can understand that you don't want to disclose your
domain(s) or IP(s).

> Let me know if you need anything else.

I've already got way more info than I can handle -- I'm not a DNS guru. :)
What I know is that auth-server should treat *all* requests on eth0 the
same way, so any difference in response is due to queries not being the
same.

The only difference I see is that the second query seems to have
requested recursion but not the first, so they are different somehow.
Maybe some of these differences can explain the different answers?

I suggest you capture DNS traffic on the dnsmasq host using tcpdump, run
both queries, and compare the corresponding captures field by field and
analyze each difference found. Of course, the captures will be full of
sensitive data, so you'll have to do the comparison yourself, but then
you could for instance report here which fields are different.

> Thanks,
> 
> Aaron

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Dnsmasq responding with SOA instead of A

2016-07-11 Thread Albert ARIBAUD
Hi Aaron,

Le Mon, 11 Jul 2016 20:20:56 +
Aaron Germuth  a écrit:

> Hey guys,
> 
> I'm trying to run my own dnsmasq instance on a computer. I want it to
> be authoritative for my domain (local.example.com). However I am
> getting different results for the same query from different computers.
> 
> dig @100.108.108.176 b.local.example.com. A
> 
> When I run this from the dns server itself (100.108.108.176) I get an
> ip as a response and the following in the logs:
> 
> Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: query[A]
> b.local.example.com from 100.108.108.176
> Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: /etc/hosts 1.2.3.50
> is b.local.example.com
> 
> When I run this from a different computer on a different network I do
> not get an IP. Instead dig returns an SOA pointing to itself
> (MY_DNS_SERVER.com). Furthermore, the logs show the following:
> 
> Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth[A]
> b.local.example.com from 172.27.88.26
> Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth
> b.local.example.com is NODATA-IPv4
> 
> I'm not sure what's happening. It seems it interprets one as a
> query[A] and one auth[A]. It seems in the 2nd response it thinks it
> doesn't know how to handle that domain so it returns who it thinks is
> authoritative for that domain, which is itself. This is what my
> dnsmasq.conf looks like:
> 
> auth-server=MY_DNS_SERVER.com,eth0
> auth-zone=local.example.com,eth0
> 
> log-queries
> 
> #do not read resolv.conf to find servers where to lookup dns
> no-resolv
> #do not poll resolve.conf for changes
> no-poll
> 
> #address to use when address not local
> server=8.8.8.8
> server=4.4.4.4
> 
> local=/local.example.com/
> domain=local.example.com
> 
> If you need any more information, let me know.

First thing you should do is not to filter out or explain the dig
commands you use and their results, but instead to just copy-paste the
command and its output. Here, for instance, none of what you provide
allows checking how the request was sent exactly, and what principal
and additional info was returned.

> Thanks,
> 
> Aaron

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-10 Thread Albert ARIBAUD
Hi Tong,

Le Sat, 9 Jul 2016 16:17:45 + (UTC)
T o n g  a écrit:

> $ dig cnn.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> cnn.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56353
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1280
> ;; QUESTION SECTION:
> ;cnn.com.   IN  A
> 
> ;; ANSWER SECTION:
> cnn.com.        65      IN      A       157.166.226.26
> cnn.com.        65      IN      A       157.166.226.25
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sat Jul 09 16:14:34 UTC 2016
> ;; MSG SIZE  rcvd: 68

OK, so dnsmasq is running locally on UDP.

> > 3. What does iptables-save display?   
> 
> $ sudo iptables-save
> # Generated by iptables-save v1.6.0 on Sat Jul  9 16:08:46 2016
> *filter
> :INPUT ACCEPT [990:208464]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1019:100580]
> :f2b-sshd - [0:0]
> -A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
> -A INPUT -p udp -m udp --dport 68 -j ACCEPT
> -A f2b-sshd -j RETURN
> COMMIT
> # Completed on Sat Jul  9 16:08:46 2016
> 
> I believe this is the standard setting from fail2ban because I have 
> fail2ban_0.9.3-1 installed (and nothing else related). 

OK, so no blocking at your box level except for what fail2ban may
decide to block. Now we're fairly sure your problem is with either your
ISP or your hosting provider.

Regarding running the DNS on TCP alone: problem is, you might force the
dig command to use TCP, but that's a specific case; all DNS resolutions
happening on your machine in any other process than dig will keep on
trying UDP first when the request size warrants it, because that's the
standard.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-09 Thread Albert ARIBAUD
Hi Tong,

Le Sat, 9 Jul 2016 02:08:36 + (UTC)
T o n g <mlist4sunt...@yahoo.com> a écrit:

> On Fri, 08 Jul 2016 18:49:53 +0200, Albert ARIBAUD wrote:
> 
> >> > Once we have netcat available on both ends, we will be able to
> >> > mimic DNS exchanges between the machines but without dnsmasq
> >> > being involved;  
> >> 
> >> The connect is not the problem. I've stopped dnsmasq temporarily
> >> and start SSH listening to port 53 and I was able to connect from
> >> home.  
> > 
> > The SSH test only proves you can access the box on TCP port 22
> > (assuming you're usign the defaults) from your home; this does not
> > prove anything regarding TCP port 53 or UDP port 53, which are what
> > DNS uses.
> > 
> > So:
> > 
> > 1. Open a terminal and start an SSH session to your box. In this
> >    session, disable dnsmasq then run
> > 
> > netcat -u -l -p 53
> > 
> > 2. On your home machine open one terminal and run
> > 
> > netcat -u xyz 53
> > 
> >    where xyz should be replaced with the public IP of your box.
> > 
> > 3. Type some text then hit the Enter key on your home machine.
> >    Does your box display the text?
> > 
> > 4. Type some other text then hit the Enter key in the shell to your
> > box. Does the netcat running locally display the text?  
> 
> Sorry for responding late, because I didn't get anything from the
> server, my box. However, I did start a second SSH session before,
> to listen to port 53 instead of 22, and it worked before. Then I
> looked up... Long story short, 
> 
> If I start `netcat -t` then it works; if I start `netcat -u` then it 
> doesn't work.

... and this shows why it is important to run the tests exactly as
requested, rather than assume result from other tests...

> I.e., the hosting company is blocking the UDP accesses. 

... but again, do not jump to conclusions, at least not without further
testing: yes, it could be your hosting company dropping any UDP traffic
incoming on your box, *but* it could also be your own box settings, or
your ISP dropping UDP port 53 going out of your access except for a
given set of source addresses, or your home machine dropping it
silently...

The proven point is: right now, your box does not seem to receive UDP
port 53 traffic from your home machine. What you can look into now is
whether your box and home machine have any network filtering in place
(iptables-save should show that). This, at least, will take the machines
out of the suspect list and that will narrow it down to your ISP and
your hosting provider.

> But my dnsmasq does listen to TCP port as well though:
> 
> $ netstat -lnp | grep :53
> (Not all processes could be identified, non-owned process info
>  will not be shown, you would have to be root to see it all.)
> tcp        0      0 0.0.0.0:53      0.0.0.0:*       LISTEN      -
> tcp6       0      0 :::53           :::*            LISTEN      -
> udp        0      0 0.0.0.0:53      0.0.0.0:*                   -
> udp6       0      0 :::53           :::*                        -
> 
> Will TCP only, without UDP, not be OK? 

(someone correct me if I'm inexact here) DNS uses UDP port 53 as long
as the request and response can fit in a single UDP datagram (packet),
and will switch to TCP if a single UDP datagram is not big enough. I do
not know, and do not think, that you can run a DNS server over a TCP
port alone.

> I tried, 
> 
> dig +tcp +short cnn.com @mybox, and will get:
> 
> ;; communications error to mybox_ip#53: connection reset
> 
> from my home or, 
> 
> ;; communications error to mybox_ip#53: end of file
> 
> if trying from within my box. 
> 
> Why is that? 

Let's first tackle the second one (box to box), as it does not involve
your ISP and hosting provider networks, and therefore points at a
purely local (configuration?) problem on your box.

1. Preamble: make sure dnsmasq is running.

2. Run a default (UDP) dig request. What does it output? Please do not
   describe it, copy-paste it.

3. What does iptables-save display? Again, please do not describe it,
   copy-paste it. 

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-08 Thread Albert ARIBAUD
Hi Tong,

Le Thu, 7 Jul 2016 13:06:42 + (UTC)
T o n g <mlist4sunt...@yahoo.com> a écrit:

> On Thu, 07 Jul 2016 12:33:53 +0200, Albert ARIBAUD wrote:
> 
> > To determine which variant of netcat is present on these machines,
> > if any, could you run the following command, once on the dedicated
> > server, and once on the machine you are using to access the server:
> > 
> > netcat -h
> > 
> > ... and copy-paste both outputs in your reply?  
> 
> Both machines are running the latest Ubuntu. I.e., the output is the 
> same for both of them.
> 
> $ lsb_release -a
> No LSB modules are available.
> Distributor ID: Ubuntu
> Description:Ubuntu 16.04 LTS
> Release:16.04
> Codename:   xenial
> 
> $ apt-cache policy netcat-openbsd
> netcat-openbsd:
>   Installed: 1.105-7ubuntu1
>   Candidate: 1.105-7ubuntu1
>   Version table:
>  *** 1.105-7ubuntu1 500
>         500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
>         100 /var/lib/dpkg/status
> 
> $ netcat -h
> OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
> ...
> 
> > Once we have netcat available on both ends, we will be able to
> > mimic DNS exchanges between the machines but without dnsmasq being
> > involved;  
> 
> The connect is not the problem. I've stopped dnsmasq temporarily and 
> start SSH listening to port 53 and I was able to connect from home. 

The SSH test only proves you can access the box on TCP port 22
(assuming you're using the defaults) from your home; this does not prove
anything regarding TCP port 53 or UDP port 53, which are what DNS uses.

So:

1. Open a terminal and start an SSH session to your box. In this
   session, disable dnsmasq then run

netcat -u -l -p 53

2. On your home machine open one terminal and run

netcat -u xyz 53

   where xyz should be replaced with the public IP of your box.

3. Type some text then hit the Enter key on your home machine.
   Does your box display the text?

4. Type some other text then hit the Enter key in the shell to your box.
   Does the netcat running locally display the text?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-07 Thread Albert ARIBAUD
Hi Tong,

Le Thu, 7 Jul 2016 02:41:15 + (UTC)
T o n g  a écrit:

> Yes, the "box" is what I referred as the machine that I run the
> dnsmasq and trying to configure. This is the only thing I'm talking
> about so far. Nothing else. 

> Once again, the box I'm configuring is a dedicated server from the 
> hosting company, and I have full (remote) control of it and have 
> installed the latest Ubuntu into it. It has its own really public IP.
> The SSH, DNS, etc. ports are open to the world as well.

OK, sorry for the misunderstanding. So I will assume this box has only
one network interface, which is facing the Internet, and is reachable
through a public IP (which we do not need).

> > You should not even specify any interface= option.  
> 
> OK. So how does dnsmasq decide whether to serve the local host, the local
> network (LAN) or the general public (WAN)? If it is not
> listen-address, then what is it? 

You don't tell dnsmasq about "LAN" vs "WAN"; dnsmasq does not accept or
ignore/reject DNS requests based on their coming "from LAN" or "from
WAN"; it accepts or ignores/rejects them based on the interface on
which it has received them and the IP address they were sent to. Since
your box has a single interface which has a single IPv4 address, all
requests will be received on the same interface and have the same IPv4
destination.
 
> >> The outside world is not involved yet -- I haven't been able to
> >> make itself work first.  
> > 
> > Before making dnsmasq work with clients from outside your LAN, you
> > need to verify that your "box" meets conditions 1 and 2 above.
> > 
> > Let's start with condition 1. You can check it by running a
> > traceroute from your "box" to some known internet host (e.g.
> > google.com). What does such a traceroute print out?  
> 
> What do you need the traceroute print out for? 

To make sure the machine running dnsmasq can access the Internet on
its own. Obviously you can access it, but some networking rules may
prevent it from reaching out freely.

> Can the dnsmasq be used as DNS server not only to local host, or
> local network, but also the general public as well or not? If yes,
> what would the configuration be? 
> 
> Does dnsmasq come with that feature (serving the local network or
> the general public) out of the box? Else what kind of alteration needs to
> be made to the configuration file? 

Yes, dnsmasq can serve the whole world if you want it to, and as I
already told you, it should work out of the box.

Therefore, if it does not work in your case, it is because either
its configuration is improper, or the networking setup of the box it
runs on is improper (or both).

Which is why I am asking you questions and suggesting tests in order to
diagnose the situation and fix it.

But for that, I need precise, exact and complete answers to the
questions I am asking.

So let's start with a few basics, by checking that you can actually
communicate from your own machine to the dedicated server over the
standard DNS ports.
For this I suggest that we use the 'netcat' command both on your
dedicated server and on the machine from which you access this server.

To determine which variant of netcat is present on these machines, if
any, could you run the following command, once on the dedicated server,
and once on the machine you are using to access the server:

netcat -h

... and copy-paste both outputs in your reply?

Once we have netcat available on both ends, we will be able to mimic
DNS exchanges between the machines but without dnsmasq being involved;
either this mimicking will work, meaning that the networking is set up
properly, or it won't, meaning the networking has to be fixed before
even considering running dnsmasq.

Once we're sure the networking is OK, then we can introduce dnsmasq in
the picture.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dhcp-range broke in 2.76

2016-07-06 Thread Albert ARIBAUD
Hi again Matthew,

Le Wed, 6 Jul 2016 08:54:55 -0700
Matthew Keeler  a écrit:

> Thank you Albert. I guess where I was going wrong was thinking that
> the static lease addresses referenced in a dhcp-host config needed to
> fall within another configured dhcp-range. So I guess I should just
> be able to remove that line from my configuration and have the same
> behavior as before (the first 128 ips in my subnet not being
> dynamically allocated but needing dhcp-host configurations).

You will need the dhcp-range option, as it is the one which enables
the DHCP server.

If you don't need dynamic allocation, but cannot use the 'static'
keyword, then you can set the dynamic range within the 128 address
range for which you have dhcp-host lines defined. Basically, it will
make dnsmasq reject or ignore any requests not in the ones statically
defined.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dhcp-range broke in 2.76

2016-07-06 Thread Albert ARIBAUD
Hi Matthew,

Le Wed, 6 Jul 2016 10:31:05 -0400
Matthew Keeler  a écrit:

> I have been using dnsmasq for a while on my local network with
> several dhcp ranges specified. One of them no longer parses in v2.76
> although it did in v2.75.
> 
> dhcp-range=10.3.2.1,10.3.2.127,static,255.255.254.0,infinite
> 
> It looks like it is now no longer valid to have a start and end ipv4
> address with the static mode where this was allowed previously. Was
> this an intentional removal? My understanding (which may be
> incorrect) was that to have a ip range reserved for dhcp reservations
> required having the dhcp range specified and the dhcp-hosts specified
> to ips that fall within that range. Then that range would have the
> static mode to prevent auto assignment of ips to other unknown hosts.
> 
> If this is intended behavior and not a bug, how can I allocate an IP
> range for DHCP reservations? I think something like the following
> should work to produce the same results although it is a rather ugly
> solution as it requires adding tags in many, many places.
> 
> dhcp-range=tag:reserved,10.3.2.1,10.3.2.127,255.255.254.0,infinite
> dhcp-host=00:01:02:03:04:05,set:reserved,10.3.2.7,myhost

What do you mean by "reservations"? Static leases? For that you need
nothing more than a dhcp-host= line mapping the MAC or DUID to a static
IPv4 address, for each static lease you want.

The static keyword in dhcp-range= tells dnsmasq to not do dynamic
allocation, so basically a range is useless (as far as allocation is
concerned) if you specify static.

I personally define my dhcp-range= line without static and with a
small range for the odd guest machine, and my dhcp-host= lines with IPv4
addresses lying outside that range -- but even if a static lease IP
address fell within the dynamic DHCP range, dnsmasq would not use that
address for dynamic allocation.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-05 Thread Albert ARIBAUD
Hi Tong,

Le Tue, 5 Jul 2016 00:42:25 + (UTC)
T o n g  a écrit:

> > 1) Does your dnsmasq host have access to the Internet?
> > 
> > 2) Have you configured your Internet access so that DNS requests
> > incoming from the outside are routed to your dnsmasq host?  
> 
> Yeah, those "out-side" factors, I know how to control, and they are
> working fine. For example, I have used `listen-address=192.168.1.1`
> before to provide DNS service for my own home network, and it works
> fine.

Yes, listening on a LAN address allows serving clients on the LAN. But
this does not at all mean that conditions 1 and 2 above are met
and that clients from the Net can be served.

> This box I'm configuring, it has its own public IP, not on
> 192.168.x.x. The SSH, DNS, etc. ports are open to the world as well.

This piece of information raises a lot of questions. Could you please
answer 'yes' or 'no' to the following?

1. Does the "box" you are referring to run the dnsmasq you are trying
to configure?

2. Is this box also the gateway from your LAN to the Internet?

3. Does it have two network interfaces, one facing the Internet and one
facing the LAN?

> Oh, should I listen to its Gateway IP instead of 0.0.0.0?

You should not specify listen-address *at all* unless you want
your dnsmasq to serve *only* your LAN or to serve *only* the Net.

You should not even specify any interface= option.

> The outside world is not involved yet -- I haven't been able to make 
> itself work first. 

Before making dnsmasq work with clients from outside your LAN, you need
to verify that your "box" meets conditions 1 and 2 above.

Let's start with condition 1. You can check it by running a traceroute
from your "box" to some known internet host (e.g. google.com). What
does such a traceroute print out?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-04 Thread Albert ARIBAUD
Hi Tong,

Le Mon, 4 Jul 2016 13:05:35 + (UTC)
T o n g <mlist4sunt...@yahoo.com> a écrit:

> On Mon, 04 Jul 2016 10:56:05 +0200, Albert ARIBAUD wrote:
> 
> >> >> The machine from which I run dig gets its DNS servers is the one
> >> >> that I tweaked the /etc/dnsmasq.d/public.conf file, by doing
> >> >> which my DNS breaks. And on removing the file, my DNS service
> >> >> (served by local dnsmasq) works again.
> >> >> 
> >> >> And, yes, basically I'm creating an open DNS server, and since
> >> >> nobody is doing that, I can't find any information on how to
> >> >> set it up properly.  
> >> > 
> >> > Nobody should do that indeed, because it is a very bad idea: your
> >> > machine may then serve as an amplifier for DDoS attacks.  
> >> 
> >> I'm more interested to know how to do that than actually provide
> >> the DNS service. BTW, on to that thought, how the ISP or Google's
> >> DNS server able to avoid being an amplifier for DDoS attacks?  
> > 
> > They have DDoS mitigation machines between their DNS servers and the
> > rest of the world, which watch traffic and curb / cut it when they
> > detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
> > destination(s).  
> 
> Thanks,
> 
> >> > Still, the configuration -- as far as dnsmasq is concerned -- is
> >> > the same for an open DNS and a LAN DNS.
> >> > 
> >> > Could you please describe your setup from a network
> >> > perspective ?  
> >> 
> >> I don't quite understand what you are asking. Consider it is my
> >> own box behind my ISP. How this network setup has anything to do
> >> with the question?  
> > 
> > Basically, my question boils down to two questions: is dnsmasq using
> > external DNS servers as upstreams, or does it use a local recursive
> > server such as bind or unbound? Also, do you test your dnsmasq with
> > another host on the LAN, or from the same machine that hosts
> > dnsmasq? 
> >> Ideally, I just want to use a file,
> >> say /etc/dnsmasq.d/public.conf, to turn it on. Then, I can easily
> >> turn it off by removing the file. It's not just I'm broadcasting
> >> to the world that I have this. It's for my own personal usage.  
> > 
> > Lots of people use dnsmasq for serving their LAN, myself included,
> > so that works pretty much out-of-the-box if you just make dnsmasq
> > listen to the LAN interface of the host running it.
> > 
> > Providing worldwide access is then not a dnsmasq question, but a
> > LAN-to-Internet routing question.  
> 
> OK. that explains why when I changed mine from 192.168.1.1 of the 
> following to 0.0.0.0 and it stops working:

Actually no, that does not explain it.

> $ cat /etc/dnsmasq.d/public.conf
> # listen to public
> listen-address=0.0.0.0
> # provide only DNS service and disable DHCP and TFTP on it
> no-dhcp-interface=eth0
> 
> So, it confirms that dnsmasq only works for LAN, but not for the
> public. 

Actually, it can perfectly work for open access, as long as 1) the host
it is running on can access the Internet, and 2) outside hosts can send
DNS requests to your dnsmasq host. So,

1) Does your dnsmasq host have access to the Internet?

2) Have you configured your Internet access so that DNS requests
incoming from the outside are routed to your dnsmasq host?

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-04 Thread Albert ARIBAUD
Hi Tong,

Le Sun, 3 Jul 2016 22:40:05 + (UTC)
T o n g <mlist4sunt...@yahoo.com> a écrit:

> On Sat, 02 Jul 2016 21:27:11 +0200, Albert ARIBAUD wrote:
> 
> >> The machine from which I run dig gets its DNS servers is the one
> >> that I tweaked the /etc/dnsmasq.d/public.conf file, by doing which
> >> my DNS breaks. And on removing the file, my DNS service (served
> >> by local dnsmasq) works again.
> >> 
> >> And, yes, basically I'm creating an open DNS server, and since
> >> nobody is doing that, I can't find any information on how to set
> >> it up properly.  
> > 
> > Nobody should do that indeed, because it is a very bad idea: your
> > machine may then serve as an amplifier for DDoS attacks.  
> 
> I'm more interested to know how to do that than actually provide the
> DNS service. BTW, on to that thought, how the ISP or Google's DNS
> server able to avoid being an amplifier for DDoS attacks?

They have DDoS mitigation machines between their DNS servers and the
rest of the world, which watch traffic and curb / cut it when they
detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
destination(s).
 
> > Still, the configuration -- as far as dnsmasq is concerned -- is the
> > same for an open DNS and a LAN DNS.
> > 
> > Could you please describe your setup from a network perspective ?  
> 
> I don't quite understand what you are asking. Consider it is my own
> box behind my ISP. How this network setup has anything to do with the 
> question? 

Basically, my question boils down to two questions: is dnsmasq using
external DNS servers as upstreams, or does it use a local recursive
server such as bind or unbound? Also, do you test your dnsmasq with
another host on the LAN, or from the same machine that hosts dnsmasq?

> Ideally, I just want to use a file, say /etc/dnsmasq.d/public.conf,
> to turn it on. Then, I can easily turn it off by removing the file.
> It's not just I'm broadcasting to the world that I have this. It's
> for my own personal usage.

Lots of people use dnsmasq for serving their LAN, myself included, so
that works pretty much out-of-the-box if you just make dnsmasq listen
to the LAN interface of the host running it.

Providing worldwide access is then not a dnsmasq question, but a
LAN-to-Internet routing question.

As I'm still not sure how much open you want your dnsmasq to be, I'm
asking explicitly: do you want your dnsmasq to serve DNS queries from
your LAN only, or from anywhere in the world?

> Had I been able to do it myself, there
> won't be a public discussion/announcement of it. I.e., nobody would
> have known. 

As an aside: never rely on "people not knowing". Security by obscurity
is arguably worse than no security at all, as you /believe/ you have
some security which you actually don't have. Take my word for it: if
you "secretly" leave your dnsmasq open to the world, it /will/ be used,
and by people who are interested in taking advantage of the resource.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-07-02 Thread Albert ARIBAUD
Hi Tong,

Le Sat, 2 Jul 2016 17:07:50 + (UTC)
T o n g <mlist4sunt...@yahoo.com> a écrit:

> Oh, sorry for responding late. 
> 
> The machine from which I run dig gets its DNS servers is the one that
> I tweaked the /etc/dnsmasq.d/public.conf file, by doing which my DNS 
> breaks. And on removing the file, my DNS service (served by local
> dnsmasq) works again. 
> 
> And, yes, basically I'm creating an open DNS server, and since nobody
> is doing that, I can't find any information on how to set it up
> properly. 

Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.

Still, the configuration -- as far as dnsmasq is concerned -- is the
same for an open DNS and a LAN DNS.

Could you please describe your setup from a network perspective ?

> Please help. Thanks
> 
> On Thu, 30 Jun 2016 14:37:17 +0200, Albert ARIBAUD wrote:
> 
> > Hi Tong,
> > 
> > Le Thu, 30 Jun 2016 12:03:07 + (UTC)
> > T o n g a écrit:
> >   
> >> Does no reply mean impossible, or has nobody looked into it
> >> yet?
> > 
> > It is perfectly possible to run dnsmasq as a "public" DNS, if by
> > this you mean "make it serve requests from other hosts than the one
> > it is running on", or even, "make it serve requests from any host"
> > -- although the latter is risky, as you'd basically create an open
> > DNS server.
> > 
> > Now, for the reason why your tests fail, there is not enough info in
> > your post to allow diagnosing what is wrong. Notably, you do not
> > indicate how the machine from which you run dig gets its DNS
> > servers: the issue could just as well be there.
> >   
> >> On Wed, 29 Jun 2016 03:28:02 +, T o n g wrote:
> >>   
> >> > If I'm to provide DNS service to the public (outside my local
> >> > network) using dnsmasq, how to do it, e.g., how to set the
> >> > listen-address? It didn't work out of the box after I installed
> >> > it in my Ubuntu (16.04 LTS xenial) so I changed to the
> >> > following, but it stops working:
> >> > 
> >> > $ cat /etc/dnsmasq.d/public.conf
> >> > # listen to public
> >> > listen-address=0.0.0.0
> >> > # provide only DNS service and disable DHCP and TFTP on it
> >> > no-dhcp-interface=eth0
> >> > 
> >> > $ dig +short docs.google.com
> >> > ;; connection timed out; no servers could be reached
> >> > 
> >> > $ netstat -ulnp | grep :53
> >> > (Not all processes could be identified, non-owned process info
> >> >  will not be shown, you would have to be root to see it all.)
> >> > udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
> >> > udp6       0      0 :::53                   :::*                                -



Amicalement,
-- 
Albert.
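Two points in this thread come down to the same handful of bytes: the netcat test Albert proposes earlier (exchange DNS messages between two hosts with no dnsmasq involved, to prove the network path before blaming the daemon) and the open-resolver warning in the reply above. The Python below is an added example, not code from the thread or from dnsmasq. It builds a minimal RFC 1035 query, runs a fake UDP "server" and a "client" on 127.0.0.1 (an ephemeral port, since binding 53 needs root), and classifies the reply by its QR/RA bits and RCODE, which is exactly the check you would point at a resolver's public address to learn whether it recurses for strangers. The name example.com, the address 93.184.216.34 and the three server behaviours are constructed test data.

```python
import socket
import struct
import threading

# Constructed test data: everything here is an assumption for the example.
QNAME = "example.com"
FAKE_A = "93.184.216.34"


def build_query(name, qid=0x1234, rd=True):
    """Minimal RFC 1035 query on the wire: 12-byte header, one A/IN question."""
    flags = 0x0100 if rd else 0x0000                    # RD = ask for recursion
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN


def parse_header(pkt):
    """Decode the header fields the open-resolver check needs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def classify(resp):
    """What a reply to a recursive query tells you about the server:
    'open' = it recursed for us (RA set, NOERROR, at least one answer)."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 5:
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"
    return "closed"


def build_answer(query, behaviour="open"):
    """Fake server side (stand-in for a netcat listener): echo the question
    back with QR set and either one A record, no RA bit, or RCODE REFUSED."""
    h = parse_header(query)
    question = query[12:]
    if behaviour == "refused":
        return struct.pack("!HHHHHH", h["id"], 0x8180 | 5, 1, 0, 0, 0) + question
    flags = 0x8180 if behaviour == "open" else 0x8100   # QR|RD|RA vs QR|RD
    # Answer RR: pointer to the question name, TYPE A, CLASS IN, TTL 300, 4 bytes
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(FAKE_A)
    return struct.pack("!HHHHHH", h["id"], flags, 1, 1, 0, 0) + question + rr


def run_exchange(behaviour="open", host="127.0.0.1"):
    """One UDP 'server' and one 'client' on localhost, no dnsmasq involved.
    Returns the classification of what came back. Uses an ephemeral port
    because binding 53 needs root; against real hosts you would use 53."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(2)
    port = srv.getsockname()[1]

    def serve():
        data, peer = srv.recvfrom(512)
        srv.sendto(build_answer(data, behaviour), peer)

    t = threading.Thread(target=serve)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2)
    query = build_query(QNAME)
    cli.sendto(query, (host, port))
    resp, _ = cli.recvfrom(512)
    t.join()
    srv.close()
    cli.close()
    if parse_header(resp)["id"] != parse_header(query)["id"]:
        return "id-mismatch"                           # not an answer to our query
    return classify(resp)


if __name__ == "__main__":
    for b in ("open", "no-ra", "refused"):
        print(b, "->", run_exchange(b))
```

To turn this into the two-host test from the earlier message, send the bytes from build_query to the other machine's port 53 with a plain UDP socket and feed whatever comes back to classify: a reply at all proves the path, and "open" seen from an address outside your LAN means the resolver is reachable and recursing for the whole Internet. Only probe resolvers you own.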



Re: [Dnsmasq-discuss] Need some info on retried and failed queries

2016-07-01 Thread Albert ARIBAUD
Hi Mikhail,

Le Fri, 1 Jul 2016 15:03:43 +0200
Mikhail Morfikov  a écrit:

> In the dnsmasq config file I can set the two following parameters:
> 
> min-cache-ttl=3600
> max-cache-ttl=7200
> 
> Let's say I visit some http server on the internet. The cache entry
> would be created for the domain and for 1h, each request to that
> domain would be served from the cache, right?

Almost. It would be 1 hour if the TTL from the upstream server was
less than 1 hour; 2 hours if the upstream TTL was more than two hours;
and in-between, it would be the upstream TTL.

> What if the IP address associated with the domain changes for some
> reason in 10min. after my first visit?

You don't see it until 50 minutes after (simplifying a bit here). That's
the principle of the cache.

> What would dnsmasq do if I
> tried to access the web server once more after 15min?

It would still rely on the 1 hour minimum TTL, so it would still not
ask any upstream server again until about 35 minutes (ditto).
 
> Some people say
> that I would have wrong IP so I couldn't connect to the web server
> till the cache entry expires. But I've never had this problem and all
> web pages works fine with the above values, at least I think so.

It's just that you never experienced an IP *change* within the TTL of
its DNS entry -- or that you did but something else hid that from
you; for instance your web browser page cache may have prevented your
machine from trying to connect to the obsolete IP.

> I can see some retried or failed queries in the following log:
>
> dnsmasq[1612]: cache size 1, 0/4284 cache insertions re-used unexpired cache entries.
> dnsmasq[1612]: queries forwarded 4508, queries answered locally 6386
> dnsmasq[1612]: queries for authoritative zones 0
> dnsmasq[1612]: server 192.168.1.1#53: queries sent 0, retried or failed 0
> dnsmasq[1612]: server 208.67.222.222#53: queries sent 59, retried or failed 0
> dnsmasq[1612]: server 127.0.2.1#5353: queries sent 4449, retried or failed 60
> dnsmasq[1612]: time 1467180121
> 
> But I don't really know what means "retried or failed 60". So did it
> fail or not? Is it because of the high TTL values or something else?

TTL and failures are unrelated. TTL is just an indication that a DNS
entry can/should be considered constant for as long as indicated, while
failures and retries are when dnsmasq tries to query an upstream server
and it fails for some reason (the upstream server does not answer at
all, or answers garbage, for instance).

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] systemd service improvements

2016-06-30 Thread Albert ARIBAUD
Bonjour,

Le Thu, 30 Jun 2016 21:18:02 +0200
Pali Rohár  a écrit:

> On Thursday 30 June 2016 16:58:56 Craig Andrews wrote:
> > I'd like to propose a couple changes in terms of systemd in dnsmasq.
> > First, dnsmasq should always install a systemd unit so all
> > distributions/users can use it  
> 
> I'm against such a change. Why on Earth install useless files into a
> system where they do nothing? I really do not want to see programs
> start installing systemd files just because it is "no harm".
> 
> If such a thing happened, dnsmasq should then also install a config
> file for upstart, also for openrc, and also install a shortcut in the
> Windows start menu for *all* systems, as that too is by that definition
> "no harm".

I tend to agree with the principle that a systemd unit file should
only be installed on systems which use systemd. I was surprised indeed
to see that the dnsmasq git repo contains such a file.

Furthermore, the OP itself indicates that different systemd-based
distributions will require different systemd units for dnsmasq, which
shows that systemd (or upstart, or sysvinit...) files should be managed
at the distribution, not upstream application, level.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] dnsmasq to provide public DNS service

2016-06-30 Thread Albert ARIBAUD
Hi Tong,

Le Thu, 30 Jun 2016 12:03:07 + (UTC)
T o n g  a écrit:

> Does no reply mean impossible, or has nobody looked into it yet?

It is perfectly possible to run dnsmasq as a "public" DNS, if by this
you mean "make it serve requests from other hosts than the one it is
running on", or even, "make it serve requests from any host" --
although the latter is risky, as you'd basically create an open DNS
server.

Now, for the reason why your tests fail, there is not enough info in
your post to allow diagnosing what is wrong. Notably, you do not
indicate how the machine from which you run dig gets its DNS servers:
the issue could just as well be there.

> On Wed, 29 Jun 2016 03:28:02 +, T o n g wrote:
> 
> > If I'm to provide DNS service to the public (outside my local
> > network) using dnsmasq, how to do it, e.g., how to set the
> > listen-address? It didn't work out of the box after I installed it
> > in my Ubuntu (16.04 LTS xenial) so I changed to the following, but
> > it stops working:
> > 
> > $ cat /etc/dnsmasq.d/public.conf
> > # listen to public
> > listen-address=0.0.0.0
> > # provide only DNS service and disable DHCP and TFTP on it
> > no-dhcp-interface=eth0
> > 
> > $ dig +short docs.google.com
> > ;; connection timed out; no servers could be reached
> > 
> > $ netstat -ulnp | grep :53
> > (Not all processes could be identified, non-owned process info
> >  will not be shown, you would have to be root to see it all.)
> > udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
> > udp6       0      0 :::53                   :::*                                -
> > 
> > 
> > Please help.
> > Thanks.  

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Cannot obtain IP address from dnsmasq

2016-06-24 Thread Albert ARIBAUD
Hi Matwey,

Le Fri, 24 Jun 2016 19:30:04 +0300
"Matwey V. Kornilov" <matwey.korni...@gmail.com> a écrit:

> 2016-06-24 19:19 GMT+03:00 Albert ARIBAUD <albert.arib...@free.fr>:
> > Hi Matwey,
> >
> > Le Fri, 24 Jun 2016 12:10:53 +0300
> > "Matwey V. Kornilov" <matwey.korni...@gmail.com> a écrit:
> >  
> >> Hello,
> >>
> >> I am running dnsmasq-2.71 and experiencing the following issue.
> >>
> >> I have network interface eth3 with 10.3.0.1/24 address assigned to
> >> it. I want dnsmasq instance to supply everyone on eth3 L2-segment
> >> with IP address from 10.3.0.1/24 subnet. I don't want DHCP be
> >> running on other interfaces where it can interfere others.
> >>
> >> The issue is the following: the HP switch cannot obtain an address.
> >>
> >> 12:03:01.609174 IP 192.168.1.1.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:a8:f0:6f:64:40, length 256
> >> 12:03:23.952477 IP 192.168.1.1.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:a8:f0:6f:64:40, length 256
> >>
> >> At the same time, other devices obtain an address successfully:
> >>
> >> 12:03:45.311101 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:4e, length 249
> >> 12:03:45.313634 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> >> 12:03:45.340273 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:4e, length 256
> >> 12:03:45.371271 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> >> 12:03:45.395392 IP 10.3.0.33.1025 > 239.255.255.250.1900: UDP, length 320
> >> 12:03:46.884261 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:46, length 249
> >> 12:03:46.885707 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> >> 12:03:46.911271 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:46, length 256
> >> 12:03:46.945596 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> >> 12:03:46.968662 IP 10.3.0.32.1025 > 239.255.255.250.1900: UDP, length 320
> >> 12:03:50.390213 IP 10.3.0.33.1025 > 239.255.255.250.1900: UDP, length 320
> >>
> >> I suppose, that the issue here is that HP's source address is
> >> 192.168.1.1, how could I configure dnsmasq to overcome this
> >> issue?  
> >
> > The above is a tcpdump log. What does dnsmasq itself log? Think of
> > adding the log-dhcp option to the dnsmasq config file beforehand.
> >  
> 
> Nothing about 192.168.1.1 in log-dhcp, unfortunately.

Not a dnsmasq issue, then: if the request from 192.168.1.1 never
reaches dnsmasq, it's either dnsmasq not listening on the right
interface or a network issue. Since requests from others on the
same physical network segment are seen, dnsmasq is listening on the
right interface. Therefore, it is a network issue.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Cannot obtain IP address from dnsmasq

2016-06-24 Thread Albert ARIBAUD
Hi Matwey,

Le Fri, 24 Jun 2016 12:10:53 +0300
"Matwey V. Kornilov"  a écrit:

> Hello,
> 
> I am running dnsmasq-2.71 and experiencing the following issue.
> 
> I have network interface eth3 with 10.3.0.1/24 address assigned to
> it. I want the dnsmasq instance to supply everyone on the eth3 L2 segment
> with an IP address from the 10.3.0.1/24 subnet. I don't want DHCP to be
> running on other interfaces where it can interfere with others.
> 
> The issue is the following: the HP switch cannot obtain an address.
> 
> 12:03:01.609174 IP 192.168.1.1.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:a8:f0:6f:64:40, length 256
> 12:03:23.952477 IP 192.168.1.1.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 40:a8:f0:6f:64:40, length 256
> 
> At the same time, other devices obtain an address successfully:
> 
> 12:03:45.311101 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:4e, length 249
> 12:03:45.313634 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> 12:03:45.340273 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:4e, length 256
> 12:03:45.371271 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> 12:03:45.395392 IP 10.3.0.33.1025 > 239.255.255.250.1900: UDP, length 320
> 12:03:46.884261 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:46, length 249
> 12:03:46.885707 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> 12:03:46.911271 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 44:aa:e8:00:0c:46, length 256
> 12:03:46.945596 IP 10.3.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
> 12:03:46.968662 IP 10.3.0.32.1025 > 239.255.255.250.1900: UDP, length 320
> 12:03:50.390213 IP 10.3.0.33.1025 > 239.255.255.250.1900: UDP, length 320
> 
> I suppose, that the issue here is that HP's source address is 
> 192.168.1.1, how could I configure dnsmasq to overcome this issue?

The above is a tcpdump log. What does dnsmasq itself log? Think of
adding the log-dhcp option to the dnsmasq config file beforehand.

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Logging milliseconds//Addendum

2016-06-21 Thread Albert ARIBAUD
Hi Manfred,

Le Tue, 21 Jun 2016 17:30:13 +0200
 a écrit:

> Hi All !
> 
> I just changed some free DNS for some other free DNS
> and now I have more problems than before. So I'll
> extend my logging thoughts: in the dnsmasq answer it is not
> visible which of the DNS provided the answer, and that makes
> diagnosis problematic.

Seems you started a new thread while I was answering on the previous
one.

Short answer: I would suggest that you avoid trying "this and that" as
well as ad hoc patching, and that you follow a more systematic approach
to solving your problem, by running tcpdump on the machine which hosts
your dnsmasq.

Also, you should really try and make other hypotheses than just your ISP
messing with DNS. For instance, have you tried to find out how much of
your uplink bandwidth you're using? Because if your uplink saturates,
then UDP packets such as DNS requests might get dropped by your ISP's
modem.

> Thanks anyway,
> Manfred

Amicalement,
-- 
Albert.



Re: [Dnsmasq-discuss] Logging milliseconds

2016-06-21 Thread Albert ARIBAUD
Hi Manfred,

Le Tue, 21 Jun 2016 18:25:44 +0200
 a écrit:

> Hi !
> 
> If it comes to webbrowsing, it comes to complexity. But if I wish
> to analyze dns, I go to the commandline. If one has 30 instances
> of Firefox, you cannot control something - it is always slower,
> while for Chrome, due to its multiprocess design, it keeps fast.

See below (*)

> So I usually do not look at apps, I look to the network. I make
> direct test to dns and there is really the problem. So I present
> a little dnsmasq log here:
> 
> Q Jun 21 13:14:46 dnsmasq[28673]: query[A] startpage.com from 192.168.26.9
>   Jun 21 13:14:46 dnsmasq[28673]: forwarded startpage.com to 213.73.91.35
>   Jun 21 13:14:46 dnsmasq[28673]: query[A] startpage.com.mbg.local from 192.168.26.9
>   Jun 21 13:14:46 dnsmasq[28673]: config startpage.com.mbg.local is NXDOMAIN-IPv4
>   Jun 21 13:14:46 dnsmasq[28673]: query[A] startpage.com from 192.168.26.9
>   Jun 21 13:14:46 dnsmasq[28673]: forwarded startpage.com to 213.73.91.35
>   Jun 21 13:14:46 dnsmasq[28673]: query[A] www.manne.eu.mbg.local from 192.168.26.254
>   Jun 21 13:14:46 dnsmasq[28673]: config www.manne.eu.mbg.local is NXDOMAIN-IPv4
>   Jun 21 13:14:51 dnsmasq[28673]: query[A] startpage.com from 192.168.26.9
>   Jun 21 13:14:51 dnsmasq[28673]: forwarded startpage.com to 85.214.73.63
>   Jun 21 13:14:51 dnsmasq[28673]: query[A] startpage.com from 192.168.26.9
>   Jun 21 13:14:51 dnsmasq[28673]: forwarded startpage.com to 85.214.73.63
>   Jun 21 13:14:56 dnsmasq[28673]: query[A] startpage.com.mbg.local from 192.168.26.9
>   Jun 21 13:14:56 dnsmasq[28673]: config startpage.com.mbg.local is NXDOMAIN-IPv4
>   Jun 21 13:14:56 dnsmasq[28673]: query[A] startpage.com.mbg.local from 192.168.26.9
>   Jun 21 13:14:56 dnsmasq[28673]: config startpage.com.mbg.local is NXDOMAIN-IPv4
>   Jun 21 13:14:56 dnsmasq[28673]: query[A] startpage.com from 192.168.26.9
>   Jun 21 13:14:56 dnsmasq[28673]: forwarded startpage.com to 213.73.91.35
>   Jun 21 13:15:01 dnsmasq[28673]: query[A] startpage.com from 192.168.26.9
>   Jun 21 13:15:01 dnsmasq[28673]: forwarded startpage.com to 85.214.73.63
>   Jun 21 13:15:01 dnsmasq[28673]: query[A] www.manfbraun.de from 192.168.26.254
>   Jun 21 13:15:01 dnsmasq[28673]: cached www.manfbraun.de is 84.201.92.70
>   Jun 21 13:15:01 dnsmasq[28673]: query[] www.manfbraun.de from 192.168.26.254
>   Jun 21 13:15:01 dnsmasq[28673]: forwarded www.manfbraun.de to 213.73.91.35
>   Jun 21 13:15:06 dnsmasq[28673]: query[A] startpage.com.mbg.local from 192.168.26.9
>   Jun 21 13:15:06 dnsmasq[28673]: config startpage.com.mbg.local is NXDOMAIN-IPv4
>   Jun 21 13:15:06 dnsmasq[28673]: query[A] startpage.com from 192.168.26.9
>   Jun 21 13:15:06 dnsmasq[28673]: forwarded startpage.com to 213.73.91.35
> R Jun 21 13:15:06 dnsmasq[28673]: reply startpage.com is 37.0.87.19
> 
> You'll easily see, that the first request to "startpage.com" [markey
> by Q] is followed by several other and even to different DNS, and the
> first reply arrives 20 seconds (!!) later [marked by R] and you'll
> not know, which DNS provided the answer.

I do indeed notice that the local machine 192.168.26.9 sends several
queries to the dnsmasq instance in the same second, and that the
answer takes 20 seconds to come back.

Re: the multiple queries, looking at the first second logged (13:14:46):

Apparently, the first three queries are for one name (startpage.com),
and the fourth one is for another (www.manne.eu). As the fourth one
seems unrelated, I'll put it aside (as I will www.manfbraun.de in the
later part of the log). This leaves three requests within one second.

AFAIU, the first two requests are sent in parallel by the client because
it thinks that "startpage.com" could be a complete global name or a
local prefix under the local net "mbg.local". I may be wrong but I see
no issue there.

Also, I see that there are bursts of queries, and within each burst,
dnsmasq queries one upstream server, and basically alternates on each
burst. There too, it does not strike me as odd.

This leaves the question of why the client asked for "startpage.com"
twice in the same second, and why it keeps asking for the same name
eight times in 20 seconds, which is way below e.g. a TCP connection
failure timeout. There is a reason why dnsmasq does not query its
upstream server several times per second for a given name (it's in the
RFC IIRC, and although I don't remember any timeout value being
specified, less than a second does not make sense).

[why it keeps asking for a name it has received a NXDOMAIN for
surprises me too -- although maybe it expects the name to suddenly
appear -- but anyway, it got its answer there immediately.]

Now, you are linking the [R] answer with the [Q] query at 13:14:46,
but it could just as well be linked with the last query at 13:15:06,
and all other requests were just not received upstream.

That, a tcpdump on the dnsmasq machine would tell us.

> 

Re: [Dnsmasq-discuss] Logging milliseconds

2016-06-21 Thread Albert ARIBAUD
Bonjour,

Le Tue, 21 Jun 2016 16:41:02 +0200
 a écrit:

> Hello !
> 
> Ok, for a short moment, this might be ok.

Why 'for a short moment'? The only limit is storage for the tcpdump
dump to file, and that's relatively dense. Even if the machine on which
you are running tcpdump does not have enough storage space, it could
always send the output over the network to e.g. your desktop or laptop
machine, which is certainly able to handle it.

> But request/response usually
> dont follow each other directly, because there are some more of them
> "on the road". DNSMasq has already all this internally, while
> externally, one must really write a piece of tracker, which is able
> to wait for the answer of each request. Not a nice bash onliner .. ;-)

Wireshark is able to map responses to requests; in fact, in the packet
display window, it provides clickable links to jump from one to the
other. Wireshark also computes the time elapsed between request and
response, and displays it in the response packet. And you can export
all this as text, including references between requests and responses
and their time deltas.

Granted, if you want to do stats on long capture logs (or just limit
the dump to what you think is valuable), you'll have to write some ad
hoc AWK or sed lines, but I'd suspect a few tens at most, and nothing
more complex than variable assignments, some arithmetic, and output
formatting.

> But my question was just, if something like a format statement for the
> logoutput exists. It this exist (and I do not see it) then everything
> is already done.

I don't think there is any log format control option in dnsmasq.

> It's because I see huge delays for apps nearly each day. The provider
> declared to have the issue fixed. Sort of. The ports are no longer
> blocked - but now, there are huge delays. They may probably have
> a contract with the NSA  ;-)

"Delays in apps" can have so many causes. What possible causes other
than remote DNS servers have you considered and how did you rule them
out?

> Thanks anyway,
> 
> Manfred

Amicalement,
-- 
Albert.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Logging milliseconds

2016-06-20 Thread Albert ARIBAUD
Hi,

Le Mon, 20 Jun 2016 13:13:26 +0200
 a écrit:

> Hello !
> 
> I am just facing the situation that my DNS requests are needing a very
> long time, and this is neither my requesting client nor dnsmasq. It's
> the provider trying my attempt to ignore his DNSs and use free DNSs,
> as we have several here in Germany.
> 
> It's not a whole week gone since I opened an issue about DNS blocking.
> It was that I have enough facts - I'll not try to write the whole story
> here. But at that last issue, I found myself in the situation where I
> want to analyse dnsmasq's log.
> 
> I am missing [wrote about that here more than a year ago:
> DNSMASQ log output format] the relationship between a client's
> request and dnsmasq's answer to it. There can be several in
> progress ... From the log, you'll not see it.
> 
> Today, due to the DNS blocking story, I want to make stats over
> the log, but it contains only seconds in the timestamp, where I
> wished it to have milliseconds too. Is that possible? I cannot
> find something about this.
> 
> Additionally, at best, I would fetch the output, if I start the
> process by myself and pipe its output directly. Probably not
> doable for me. I would write a mini program in C# ... Another
> solution would be, to create a pipe in the filesystem and define
> it as the logfile for the dnsmasq. I have done this, at least with
> apache, it works (Apache has the charm, to be able to host
> a program and pump its output into it - but that's easy for me).
> 
> Whether or not, without milliseconds, it would be senseless.
> 
> Any help, notes and hints are very welcome !!

If you can run wireshark or even simply tcpdump on the machine that runs
dnsmasq, then you could log DNS requests and replies with accurate time
stamping. Would this be enough for you?

> Thanks anyway,

Amicalement,
-- 
Albert.

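Albert's two replies above suggest a tcpdump or Wireshark capture for millisecond timing plus a few lines of ad hoc scripting to pair each request with its response. Here is that pairing in Python as an added example (not code from the thread or from dnsmasq); it assumes the default `tcpdump -n port 53` line layout shown in the constructed sample, and also reports queries that never got a reply.

```python
import re

# Default `tcpdump -n port 53` line layout, assumed here (adjust if yours prints dates or other flags).
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) IP "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<txid>\d+)[+*$|-]* (?P<rest>.*)$"
)

# Constructed sample capture (documentation addresses, 192.0.2.53 standing in for the upstream);
# the last query never gets a reply, the case of a request lost on its way upstream.
SAMPLE = """\
13:15:06.123456 IP 192.168.10.20.53211 > 192.0.2.53.53: 4532+ A? startpage.com. (31)
13:15:06.176901 IP 192.0.2.53.53 > 192.168.10.20.53211: 4532 1/0/0 A 198.51.100.7 (47)
13:15:06.200000 IP 192.168.10.20.53212 > 192.0.2.53.53: 4533+ A? nosuchname.example. (36)
13:15:06.201500 IP 192.0.2.53.53 > 192.168.10.20.53212: 4533 NXDomain 0/1/0 (92)
13:15:07.000000 IP 192.168.10.20.53213 > 192.0.2.53.53: 4534+ A? startpage.com. (31)
""".splitlines()

def to_ms(m):
    """Capture time as milliseconds since midnight (use a date-stamped tcpdump if a capture crosses midnight)."""
    return (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])) * 1000 + int(m["us"]) / 1000.0

def match_dns(lines):
    """Pair queries with replies on (client, server, txid); return [(name, latency_ms, status)] and unanswered names."""
    pending = {}   # (client, server, txid) -> (query time in ms, queried name)
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if "? " in m["rest"]:                      # a query, e.g. "A? startpage.com. (31)"
            qname = m["rest"].split("? ", 1)[1].split(" ", 1)[0].rstrip(".")
            pending[(m["src"], m["dst"], m["txid"])] = (to_ms(m), qname)
            continue
        q = pending.pop((m["dst"], m["src"], m["txid"]), None)  # a reply reverses src/dst
        if q is None:
            continue                               # reply to a query outside the capture
        status = "NXDOMAIN" if "NXDomain" in m["rest"] else "OK"
        results.append((q[1], round(to_ms(m) - q[0], 3), status))
    return results, [qname for _, qname in pending.values()]

def stats(results):
    """Per-name query count and worst latency, the summary that shows a slow upstream."""
    out = {}
    for name, ms, _ in results:
        n, worst = out.get(name, (0, 0.0))
        out[name] = (n + 1, max(worst, ms))
    return out
```

Feed `match_dns` the lines of a saved `tcpdump -n port 53` text dump; `stats` then gives the per-name summary for longer captures.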

Re: [Dnsmasq-discuss] Sending a fake reply to client by dnsmasq

2016-06-14 Thread Albert ARIBAUD
Hi Ravin,

Le Tue, 14 Jun 2016 16:30:41 +0530
ravin goyal  a écrit:

> Hi, I am working on dnsmasq-2.75 and I want to send a fake reply to
> client when it requests dnsmasq for answers such that dnsmasq rather
> than sending the packet containing the reply it sends the fake reply
> 
> I tried changing daemon->packet memory location to some random valid
> memory location in reply_query function of forward.c file since char
> *packet of daemon struct contains the reply that dnsmasq will forward
> to client right??
> 
> But afterwards dnsmasq fails to respond to any query sent by client?
> First I tried setting the daemon->packet to NULL then sendmsg failed
> by giving error
> "Bad address";
> 
> Is there a way that I can proceed with this? OR am I doing something
> wrong here

Can you not use address= lines in the standard dnsmasq conf line?

> Regards
> Ravin

Amicalement,
-- 
Albert.


Re: [Dnsmasq-discuss] Log to database

2016-06-13 Thread Albert ARIBAUD
Hi Joachim,

Le Sun, 12 Jun 2016 17:39:12 +0200
Joachim Zobel  a écrit:

> Hi.
> 
> The main problem for my reverse_replace script is speed. It takes a
> minute, which is too slow to be run from a web gui. This is because
> the script parses the last 15k lines and puts them into an IP->name
> lookup table made up from environment variables.
> 
> Is there a way to log queries to a database? Something along the
> lines of log-facility=/named/pipe and a clever script that turns its
> stdin into INSERT statements. This way I could avoid building the
> lookup table.

I don't see any option in dnsmasq for that, but maybe you could
configure your syslog/rsyslog/systemd logger to route dnsmasq logs to
some script (in addition to the standard logging), and that script
would do the database logging.

Problem, of course, is that you'd have to handle database purging, as I
don't think dnsmasq logs anything when it purges its cache, so your DB would
keep growing if you did not purge it, e.g. based on record date.

> Sincerely,
> Joachim

Amicalement,
-- 
Albert.

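As an added example of the stdin-to-INSERT script Albert sketches (not Joachim's reverse_replace script, and not anything shipped with dnsmasq), a small SQLite logger with the date-based purge he mentions. It assumes `log-queries` output relayed through syslog in the forms `query[A] name from ip` and `reply name is addr`, and runs on constructed sample lines.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# dnsmasq `log-queries` lines as relayed by syslog (message forms assumed from dnsmasq's output).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"(?:query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)"
    r"|reply (?P<rname>\S+) is (?P<addr>\S+))$"
)

# Constructed sample lines (documentation addresses); lines that match neither form are skipped.
SAMPLE = [
    "Jun 12 17:39:12 gw dnsmasq[1234]: query[A] startpage.com from 192.168.10.20",
    "Jun 12 17:39:12 gw dnsmasq[1234]: reply startpage.com is 198.51.100.7",
    "Jun  2 08:00:00 gw dnsmasq[1234]: query[AAAA] old.example from 192.168.10.21",
    "Jun  2 08:00:00 gw dnsmasq[1234]: reply old.example is 2001:db8::7",
]
SAMPLE_NOW = datetime(2016, 6, 12, 17, 39, 12)  # constructed "now" matching the sample

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS queries (ts TEXT, client TEXT, qtype TEXT, name TEXT)")
    db.execute("CREATE TABLE IF NOT EXISTS replies (ts TEXT, name TEXT, addr TEXT)")
    return db

def ingest(db, lines, year):
    """One parameterised INSERT per matching line (a hostile name stays data, not SQL); syslog stamps carry no year, so the caller supplies it."""
    n = 0
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").isoformat(sep=" ")
        if m["qname"]:
            db.execute("INSERT INTO queries VALUES (?,?,?,?)", (ts, m["client"], m["qtype"], m["qname"]))
        else:
            db.execute("INSERT INTO replies VALUES (?,?,?)", (ts, m["rname"], m["addr"]))
        n += 1
    db.commit()
    return n

def names_for(db, addr):
    """IP -> names: the lookup the slow script rebuilt from 15k log lines on every run."""
    return sorted({r[0] for r in db.execute("SELECT name FROM replies WHERE addr = ?", (addr,))})

def purge(db, now, days=7):
    """Drop rows older than `days`; dnsmasq does not report cache purges, so the tables would otherwise grow forever."""
    cutoff = (now - timedelta(days=days)).isoformat(sep=" ")
    deleted = db.execute("DELETE FROM replies WHERE ts < ?", (cutoff,)).rowcount
    deleted += db.execute("DELETE FROM queries WHERE ts < ?", (cutoff,)).rowcount
    db.commit()
    return deleted
```

Pointed at a file instead of `:memory:` and fed `sys.stdin` from the logger, `ingest` plus a periodic `purge` replace re-parsing the log on every web request.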

Re: [Dnsmasq-discuss] Authoritative

2016-05-30 Thread Albert ARIBAUD
Hello,

Le Mon, 30 May 2016 09:51:56 +0200
MacDonald Chapwanya  a écrit:

> Dear All
> 
> Does dnsmasq do authoritative? If so where can I find the
> documentation?? Please help.

Whether about DHCP or DNS, you will find the answer by looking up the
dnsmasq man page -- search for substring "thorita".

Amicalement,
-- 
Albert.


Re: [Dnsmasq-discuss] dnsmasq lease file not updating properly

2016-05-26 Thread Albert ARIBAUD
Hello,

Le Thu, 26 May 2016 19:27:33 +0530
Gopi Krishna M  a écrit:

> Hi Albert,
> 
> Thanks for your suggestion.
> 
> I believe it is not in the slaac mode and in dhcpv6 only.
> 
> I confirmed with below things.
> 
> 1) Router advertise, solicit, request things are happening while every
> client is getting connected.
> 2) The bit Managed address configuration is set. Checked through
> wireshark. It will be set
> in DHCPv6 only and not for slaac.
> 
> If you still believe it is in SLAAC mode, please tell me the config
> changes to make
> dnsmasq run as a DHCPv6 server.

OK, so this confirms you're indeed not using SLAAC and are indeed using
DHCPv6. Sorry then, I have no other idea why the leases file does not
mention the DHCPv6 lease -- and no idea if it should, actually.

> Thanks,
> Gopi krishna M

Amicalement,
-- 
Albert.


Re: [Dnsmasq-discuss] dnsmasq lease file not updating properly

2016-05-25 Thread Albert ARIBAUD
Hi,

Le Wed, 25 May 2016 19:17:31 +0530
Gopi Krishna M  a écrit:

> Hi All,
> 
> I have been using dnsmasq 2.70 version as dhcp server for ipv4 and
> ipv6. My lease file is not getting updated properly when
> running dnsmasq. It is updating properly for ipv4 but not correct
> for ipv6.
> 
>  #cat /etc/dnsmasq_new.leases
> 2082886681 00:80:48:4b:83:12 192.168.10.161 host-mysy *
> duid 00:01:00:01:43:b8:34:78:00:80:a3:a0:bb:38
> 2082843195 1212908306 18:2001:2002:2003:: *
> 00:01:00:01:00:80:10:7e:ea:09
> 
> It is marked as above and its actual lease IP is
> 2001:2002:2003::10a but it's not showing. Meanwhile even if we
> connect multiple clients then the same 18:2001:2002:2003:: is
> getting repeated. Meanwhile it is not showing the
> proper mac also.
> 
> for your kind ref:
> 
> config file
> # cat /etc/dnsmasq_gateway.conf
> interface=lan0
> except-interface=lo
> bind-interfaces
> dhcp-range=192.168.10.20, 192.168.10.254, 14h
> dhcp-range=2001:2002:2003::105, 2001:2002:2003::110, 64, 14h
> enable-ra
> 
> Interface IP: 192.168.10.1
> IPv6: 2001:2002:2003::100
> 
> running as
> 
> 
> dnsmasq -C /etc/dnsmasq_gateway.conf -l /etc/dnsmasq_new.leases
> Please tell your suggestions.
> 
> Note: Clients are getting IPv4 and IPv6 properly. Everything is fine
> apart from updating the lease file. Compiled for ARM(linux 3.10)
> 
> Thanks in advance.
> 
> Regards,
> Gopi krishna M

(anyone feel free to correct me if I got the following wrong)

You are using SLAAC for IPv6 configuration. In this mode, it is the
client, not the DHCP server, which selects its own IPv6.

Therefore there are no actual IPv6 leases: dnsmasq just informs the
client about the /64 subnet under which the client, not dnsmasq, shall
select its address; the client does not inform dnsmasq back.

This is /probably/ why the actual address does not show up in the lease
file.

If you want dnsmasq to control which address the client receives (and
possibly log this in the lease file) then you should use DHCPv6 rather
than SLAAC.

Amicalement,
-- 
Albert.


Re: [Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly

2016-05-03 Thread Albert ARIBAUD
Hi Alexander,

Le Tue, 3 May 2016 22:56:45 +0500
"Alexander E. Patrakov" <patra...@gmail.com> a écrit:

> 03.05.2016 22:28, Albert ARIBAUD wrote:
> > Hi Alexander,
> >
> > Le Tue, 3 May 2016 21:45:00 +0500
> > "Alexander E. Patrakov" <patra...@gmail.com> a écrit:
> >
> >> 2016-05-03 20:37 GMT+05:00 Simon Kelley <si...@thekelleys.org.uk>:
> >>> I'm pretty sure that this is fixed in the current code.
> >>
> >> It is indeed fixed in git! But distributions (including Ubuntu and
> >> Arch) are still distributing a vulnerable version and are probably
> >> unaware of it. Could you please apply for a CVE ID (if it doesn't
> >> already exist) so that they fix their packages?
> >
> > A CVE ID? For a crash caused by a specific local name record which
> > clashes with the public one? What's the vulnerability or exposure
> > here?
> 
> This is actually crashable by querying any CNAME that points to 
> localhost.localdomain, given that upstream is 8.8.8.8, because 
> localhost.localdomain nearly universally exists in /etc/hosts as ::1, 
> and 8.8.8.8 doesn't have an  entry for it. So this is a security
> issue.

I am still not seeing what the *security* issue is. How can this problem
be *exploited* in order to cause a DoS or compromise a host for
instance?

Amicalement,
-- 
Albert.


Re: [Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly

2016-05-03 Thread Albert ARIBAUD
Hi Alexander,

Le Tue, 3 May 2016 21:45:00 +0500
"Alexander E. Patrakov"  a écrit:

> 2016-05-03 20:37 GMT+05:00 Simon Kelley :
> > I'm pretty sure that this is fixed in the current code.
> 
> It is indeed fixed in git! But distributions (including Ubuntu and
> Arch) are still distributing a vulnerable version and are probably
> unaware of it. Could you please apply for a CVE ID (if it doesn't
> already exist) so that they fix their packages?

A CVE ID? For a crash caused by a specific local name record which
clashes with the public one? What's the vulnerability or exposure here?

Besides, one cannot burden the author of some software with the
task of making sure it is up to date in distros -- unless of course he
happens to also be the package manager for some given distro, in
which case he could be held responsible for keeping that distro up to
date.

In the general case, some user (you for instance) should open a bug
report (not a CVE) to get the package updated.

Amicalement,
-- 
Albert.

