Re: [Dnsmasq-discuss] Hello! Also, question about /etc/ethers and /etc/hosts

2023-09-14 Thread Michael Smith

On 9/13/23 13:18, TRUNKLES via Dnsmasq-discuss wrote:


I'd like to start by just asking a simple question I've not managed to 
find an answer to anywhere else:  are /etc/ethers and /etc/hosts 
supposed to supersede dynamic IP allocation?  Suppose I have all of my 
"known" devices (MAC addresses) in /etc/ethers, are those supposed to 
appear to dnsmasq as implicit --dhcp-host= declarations, to take 
precedence over dynamic host IP allocation as provided by 
--dhcp-range= statements in the conf file?


And as for the things that don't work at all part:  As deployed, 
probably badly configured by me, dnsmasq is apparently recognising the 
/etc/ethers entry and matching it with /etc/hosts,  because that shows 
up and looks good in /var/lib/misc/dnsmasq.leases, but then, also 
allocating it a dynamic IP address, which results in entries like this:


1694633632 41:c4:b7:ff:16:a3 192.168.111.126 192.168.111.20 # media-server *


That not only looks wrong, but is wrong enough that if I stop dnsmasq 
and then restart it, it refuses to run until I've deleted that file.  
Clearly, I've done something terrible somewhere, but I still find it 
interesting that dnsmasq would produce a lease file that is so wrong 
that it segfaults upon trying to read it back upon restart.





Hi Trunkles,


I made the switch from ISC named/dhcp a long time ago and remember some 
growing pains.  For sure, dnsmasq can do what you find and I 
actually prefer it to other solutions for home use.  Personally, I 
don't use the ethers file at all and prefer to do my matching in the 
/etc/dnsmasq.d/.conf files.   So my sample config might look 
something like this:



dhcp-range=lan,192.168.101.100,192.168.101.200,96h

dhcp-option=tag:lan,option:router,192.168.101.1

dhcp-option=option:dns-server,192.168.101.2

dhcp-option=option:tzdb-timezone,"America/"

dhcp-option=15,"" # Domain name

domain=
expand-hosts
localise-queries

dhcp-host=30:05:5c:7b:36:b5,hostA
dhcp-host=0c:9d:92:10:a1:8c,hostB
dhcp-host=04:17:b6:67:80:3c,hostC


I only create dhcp-host entries for hosts that I want to be static in 
assignment via DHCP.    They would have a corresponding /etc/hosts entry 
where dnsmasq would find the IP.


My hosts file might contain:

192.168.101.3 hostA
192.168.101.4  hostB
192.168.101.5  hostC


Fully dynamic hosts will just get assigned a host from the pool and 
dnsmasq will use the client supplied hostname to do local DNS lookups on 
those.


From there, you can get into more details like using tags to assign 
different values to different clients, etc but let's get the basics 
working first.


If you want more specific help, it would be useful to post your config 
file so we can look for issues.



Michael
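Before restarting dnsmasq on a lease file like the one quoted above, it helps to check the file for lines that do not fit the documented layout. This is an added example, not code from the thread or from dnsmasq; it assumes the five-field lease format ("expiry MAC IP hostname client-id") and a sample file constructed here, and flags the quoted line's extra fields as well as a MAC that is leased twice.

```python
"""Sanity-check a dnsmasq lease file before restarting the daemon.

Added example, not code from the thread or from dnsmasq. It assumes the lease
file layout dnsmasq documents: one lease per line, "<expiry> <MAC> <IP>
<hostname> <client-id>", '*' standing in for an unknown hostname or client-id,
IPv6 leases carrying an IAID instead of a MAC in the second field, and an
optional "duid <DUID>" line when DHCPv6 is served.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample: line 2 reproduces the malformed shape quoted in the
# thread, line 4 leases a second address to a MAC that already has one.
SAMPLE_LEASES = """\
1694633632 30:05:5c:7b:36:b5 192.168.111.3 hostA 01:30:05:5c:7b:36:b5
1694633632 41:c4:b7:ff:16:a3 192.168.111.126 192.168.111.20 # media-server *
1694633700 0c:9d:92:10:a1:8c 192.168.111.150 * *
1694633700 0c:9d:92:10:a1:8c 192.168.111.151 laptop *
"""


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_lease_line(line: str) -> list[str]:
    """Return the problems found in one lease line (empty list if it looks sane)."""
    fields = line.split()
    if not fields:
        return []
    if fields[0] == "duid":
        return [] if len(fields) == 2 else ["duid line must carry exactly one value"]
    problems = []
    if len(fields) != 5:
        problems.append(f"expected 5 fields, found {len(fields)}")
    if not fields[0].isdigit():
        problems.append(f"expiry {fields[0]!r} is not an integer timestamp")
    if len(fields) > 2 and not is_ip(fields[2]):
        problems.append(f"{fields[2]!r} is not an IP address")
    # IPv4 leases are keyed by MAC; IPv6 leases hold an IAID in that field
    if len(fields) > 2 and ":" not in fields[2] and not MAC_RE.match(fields[1]):
        problems.append(f"{fields[1]!r} is not a MAC address")
    if len(fields) > 3 and fields[3] != "*" and is_ip(fields[3]):
        problems.append(f"hostname field holds an address ({fields[3]})")
    return problems


def check_lease_file(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to problems; also flags a MAC or IP leased twice."""
    report: dict[int, list[str]] = {}
    seen_mac: dict[str, int] = {}
    seen_ip: dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        problems = check_lease_line(line)
        fields = line.split()
        if len(fields) >= 3 and fields[0] != "duid":
            mac, ip = fields[1].lower(), fields[2]
            if mac in seen_mac:
                problems.append(f"{mac} already leased on line {seen_mac[mac]}")
            seen_mac.setdefault(mac, lineno)
            if ip in seen_ip:
                problems.append(f"{ip} already leased on line {seen_ip[ip]}")
            seen_ip.setdefault(ip, lineno)
        if problems:
            report[lineno] = problems
    return report


if __name__ == "__main__":
    for lineno, problems in check_lease_file(SAMPLE_LEASES).items():
        print(f"line {lineno}: " + "; ".join(problems))
```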








___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Change upstream server by client?

2022-12-22 Thread Michael Smith

On 12/18/22 09:10, Jonathan Stafford wrote:
Thanks, Michael.  That will work to get them using that server, but 
it's totally bypassing dnsmasq which means my local entries from 
/etc/hosts don't resolve.  I'd like both things to work to be difficult :)



Hi Jonathan,


Sorry, I didn't respond earlier, but here is what I do in more detail.


I run 2 instances of pihole (DNSmasq) on docker.   Each runs on its own 
IP address (macvlan) separate from the docker host. Their IP addresses 
are .2 and .3.



The .2 host is primary and forwards upstream to 1.1.1.1.   This 
container also holds all the hosts file info and handles DHCP+dynamic 
host DNS resolution.


The .3 host is secondary and handles only DNS requests for the kids.   
This forwards upstream to 1.1.1.3.    If  a DNS request comes in for 
local domain info, it simply forwards those requests to .2 like this:


server=/mydomain.com/192.168.101.2
server=/101.168.192.in-addr.arpa/192.168.101.2


Combined with the tagging, you can now point any client to either 
upstream DNS:


# Define DNS servers
dhcp-option=option:dns-server,192.168.101.2
dhcp-option=tag:kidsdevices,option:dns-server,192.168.101.3

dhcp-host=0c:51:01:95:d3:36,set:kidsdevices   # Ipad
dhcp-host=58:41:4E:CD:D2:0A,set:kidsdevices   # Iphone


While I did this with Pihole, you can easily do this with DNSmasq 
only.    This is also similar to what Geert was suggesting.



Michael






Re: [Dnsmasq-discuss] Change upstream server by client?

2022-12-18 Thread Michael Smith
I am not aware of a way, but hopefully someone else has ideas. I run two instances of pihole.  One for the grown ups that points upstream to 1.1.1.1 and the other points to 1.1.1.3.  Then I use similar stanzas below to point the clients to the right pihole.

Michael

On Dec 18, 2022, at 9:10 AM, Jonathan Stafford wrote:

Thanks, Michael.  That will work to get them using that server, but it's totally bypassing dnsmasq which means my local entries from /etc/hosts don't resolve.  I'd like both things to work to be difficult :)

On Sun, Dec 18, 2022 at 10:36 AM Michael Smith <mich...@kmaclub.com> wrote:

On 12/18/22 06:59, Jonathan Stafford wrote:

--server provides a way to change upstream resolvers based on the domain being queried.  Is there a way to make the same sort of change based on the client doing the querying?  For example, I'd like the IP address range I use for my kids' devices to use 1.1.1.3.

You can achieve this using tags:

# Define DNS servers
dhcp-option=option:dns-server,1.1.1.1
dhcp-option=tag:kidsdevices,option:dns-server,1.1.1.3

dhcp-host=0c:51:01:95:d3:36,set:kidsdevices   # Ipad
dhcp-host=58:41:4E:CD:D2:0A,set:kidsdevices   # Iphone

Michael



Re: [Dnsmasq-discuss] Change upstream server by client?

2022-12-18 Thread Michael Smith

On 12/18/22 06:59, Jonathan Stafford wrote:
--server provides a way to change upstream resolvers based on the 
domain being queried.  Is there a way to make the same sort of change 
based on the client doing the querying?  For example, I'd like the IP 
address range I use for my kids' devices to use 1.1.1.3.




You can achieve this using tags:



# Define DNS servers
dhcp-option=option:dns-server,1.1.1.1
dhcp-option=tag:kidsdevices,option:dns-server,1.1.1.3


dhcp-host=0c:51:01:95:d3:36,set:kidsdevices   # Ipad
dhcp-host=58:41:4E:CD:D2:0A,set:kidsdevices   # Iphone


Michael



Re: [Dnsmasq-discuss] dnsmasq: dhcp-server with disabled dns-server: /etc/hosts ignored

2022-10-22 Thread Michael Traxler

Dear Geert,

thanks for your answer!
Yes, if I remove the line (so, enable the dns-server), I see that the /etc/hosts
is read and then the host gets the correct IP-address of trb.

Actually, this workaround is fine for many distributions, but I realized that
in Ubuntu the systemd-resolve is on by default and this is in conflict with the
dnsmasq-dns-server. Disabling the systemd-resolve causes other error messages
and needs more changes in the setup of Ubuntu to get everything silent, but
I'm not sure of other side effects.

Greetings,

Michael

---

On Sat, 22 Oct 2022, Geert Stappers via Dnsmasq-discuss wrote:


Date: Sat, 22 Oct 2022 21:15:46
From: Geert Stappers via Dnsmasq-discuss

Reply-To: Geert Stappers 
To: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] dnsmasq: dhcp-server with disabled dns-server:
/etc/hosts ignored

On Fri, Oct 21, 2022 at 11:23:28PM +0200, Michael Traxler wrote:

Hello,

dnsmasq-2.87:

It took me quite some time to figure this out :-)

When you disable the DNS-server via
port=0

the /etc/hosts file is ignored and also the
addn-hosts=
is ignored.

This then results in the problem, that the
DHCP-server still works, but if you use the

dhcp-host=da:7a:3a:62:7d:d2,trb

where trb is a name in /etc/hosts
dnsmasq reacts with:

DHCPDISCOVER(enp2s0) da:7a:3a:62:7d:d2 no address available

I checked via strace that it really doesn't even open
/etc/hosts nor the given file via the "addn-hosts" option.

Looks to me like a bug. I cannot find a logical reason why a dhcp-server
*needs* to have a running DNS-server.

Or is it a feature? :-)


Or an incomplete  configuration file.

So remove the 'port=0' (or comment it out) and check if
the host with MAC-address gets the IP-address of trb.

And report back.



Groeten
Geert Stappers





[Dnsmasq-discuss] dnsmasq: dhcp-server with disabled dns-server: /etc/hosts ignored

2022-10-21 Thread Michael Traxler

Hello,

dnsmasq-2.87:

It took me quite some time to figure this out :-)

When you disable the DNS-server via
port=0

the /etc/hosts file is ignored and also the
addn-hosts=
is ignored.

This then results in the problem, that the
DHCP-server still works, but if you use the

dhcp-host=da:7a:3a:62:7d:d2,trb

where trb is a name in /etc/hosts
dnsmasq reacts with:

DHCPDISCOVER(enp2s0) da:7a:3a:62:7d:d2 no address available

I checked via strace that it really doesn't even open
/etc/hosts nor the given file via the "addn-hosts" option.

Looks to me like a bug. I cannot find a logical reason why a dhcp-server
*needs* to have a running DNS-server.

Or is it a feature? :-)

Thanks a lot,

Michael



Re: [Dnsmasq-discuss] Problem with dynamic upstream nameservers in dnsmasq 2.87

2022-10-17 Thread Michael Eyrich

On 16.10.22 23:25, Christopher J. Madsen wrote:
> I tried building dnsmasq 2.87 with a patch that reverts commit 553c4c99,
> and that does seem to fix the problem.

Related to the very same patch, but from a slightly different angle: 
automatic reload of $resolv-file purges all upstream servers not 
configured in this $resolv-file; below is a small minimal configuration 
and the logs of v2.88test1 vs v2.88test1+backout-553c4c9


 dnsmasq.conf

# Include all files in a directory which end in .conf
conf-dir=/data/bla/t/dnsmasq-example/dnsmasq.d/,*.conf

 dnsmasq.d/check.conf
resolv-file=/run/NetworkManager/no-stub-resolv.conf
server=/ct.de/9.9.9.9
server=/heise.de/8.8.8.8
no-negcache
interface=lo
domain-needed
clear-on-reload
port=5355
no-dhcp-interface=lo
keep-in-foreground
user=dnsmasq

 Output of v2.88test1:
> pkill -f -USR1 dnsmasq-example
dnsmasq[2314255]: time 1666000359
dnsmasq[2314255]: cache size 150, 0/0 cache insertions re-used unexpired cache entries.
dnsmasq[2314255]: queries forwarded 0, queries answered locally 0
dnsmasq[2314255]: queries for authoritative zones 0
dnsmasq[2314255]: pool memory in use 0, max 0, allocated 0
dnsmasq[2314255]: server 9.9.9.9#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2314255]: server 8.8.8.8#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2314255]: server 172.27.1.253#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2314255]: server 172.27.1.254#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms


> touch /run/NetworkManager/no-stub-resolv.conf
dnsmasq[2314255]: reading /run/NetworkManager/no-stub-resolv.conf
dnsmasq[2314255]: using nameserver 172.27.1.253#53
dnsmasq[2314255]: using nameserver 172.27.1.254#53
dnsmasq[2314255]: read /etc/hosts - 35 addresses

> pkill -f -USR1 dnsmasq-example
dnsmasq[2314255]: time 1666000365
dnsmasq[2314255]: cache size 150, 0/0 cache insertions re-used unexpired cache entries.
dnsmasq[2314255]: queries forwarded 0, queries answered locally 0
dnsmasq[2314255]: queries for authoritative zones 0
dnsmasq[2314255]: pool memory in use 0, max 0, allocated 0
dnsmasq[2314255]: server 172.27.1.253#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2314255]: server 172.27.1.254#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2314255]: server 9.9.9.9#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms



 after backout of 553c4c9
 * 504538b 2022-10-14 15:12:04..  (tag: backout) Revert "Fix massive confusion on server reload."


> pkill -f -USR1 dnsmasq-example
dnsmasq[2306436]: time 1666000232
dnsmasq[2306436]: cache size 150, 0/0 cache insertions re-used unexpired cache entries.
dnsmasq[2306436]: queries forwarded 0, queries answered locally 0
dnsmasq[2306436]: queries for authoritative zones 0
dnsmasq[2306436]: pool memory in use 0, max 0, allocated 0
dnsmasq[2306436]: server 9.9.9.9#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2306436]: server 8.8.8.8#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2306436]: server 172.27.1.253#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2306436]: server 172.27.1.254#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms


> touch /run/NetworkManager/no-stub-resolv.conf
dnsmasq[2306436]: reading /run/NetworkManager/no-stub-resolv.conf
dnsmasq[2306436]: using nameserver 9.9.9.9#53 for domain ct.de
dnsmasq[2306436]: using nameserver 8.8.8.8#53 for domain heise.de
dnsmasq[2306436]: using nameserver 172.27.1.253#53
dnsmasq[2306436]: using nameserver 172.27.1.254#53
dnsmasq[2306436]: using nameserver 9.9.9.9#53
dnsmasq[2306436]: read /etc/hosts - 35 addresses

> pkill -f -USR1 dnsmasq-example
dnsmasq[2306436]: time 1666000244
dnsmasq[2306436]: cache size 150, 0/0 cache insertions re-used unexpired cache entries.
dnsmasq[2306436]: queries forwarded 0, queries answered locally 0
dnsmasq[2306436]: queries for authoritative zones 0
dnsmasq[2306436]: pool memory in use 0, max 0, allocated 0
dnsmasq[2306436]: server 9.9.9.9#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2306436]: server 8.8.8.8#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2306436]: server 172.27.1.253#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms
dnsmasq[2306436]: server 172.27.1.254#53: queries sent 0, retried 0, failed 0, nxdomain replies 0, avg. latency 0ms



Thanks for all your work on dnsmasq!

Michael

--
Michael Eyrich
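The two reload outputs above differ in whether the "using nameserver ... for domain" lines for the configured --server entries come back after the resolv-file is re-read. The following is an added example, not code from the report or from dnsmasq: it parses those log lines (constructed here from the output quoted above) and reports every configured domain-specific server that the reload no longer announces for its domain, which is a check that can run on a dnsmasq log after an upgrade.

```python
"""Check that a resolv-file reload kept the --server entries from the config.

Added example, not code from the report or from dnsmasq. It parses the
"using nameserver" lines dnsmasq logs when it re-reads its resolv-file and
reports each configured domain -> server pair that is no longer announced.
"""
import re

USING_RE = re.compile(r"using nameserver (\S+?)#\d+(?: for domain (\S+))?$")

# server=/ct.de/9.9.9.9 and server=/heise.de/8.8.8.8 from check.conf
CONFIGURED = {"ct.de": "9.9.9.9", "heise.de": "8.8.8.8"}

# Constructed from the v2.88test1 reload output quoted in the report
RELOAD_BUGGY = """\
dnsmasq[2314255]: reading /run/NetworkManager/no-stub-resolv.conf
dnsmasq[2314255]: using nameserver 172.27.1.253#53
dnsmasq[2314255]: using nameserver 172.27.1.254#53
dnsmasq[2314255]: read /etc/hosts - 35 addresses
"""
# Constructed from the reload output after backing out 553c4c9
RELOAD_FIXED = """\
dnsmasq[2306436]: reading /run/NetworkManager/no-stub-resolv.conf
dnsmasq[2306436]: using nameserver 9.9.9.9#53 for domain ct.de
dnsmasq[2306436]: using nameserver 8.8.8.8#53 for domain heise.de
dnsmasq[2306436]: using nameserver 172.27.1.253#53
dnsmasq[2306436]: using nameserver 172.27.1.254#53
dnsmasq[2306436]: using nameserver 9.9.9.9#53
dnsmasq[2306436]: read /etc/hosts - 35 addresses
"""


def announced_servers(log: str) -> dict[str, set[str]]:
    """Map each domain in 'using nameserver' lines to its servers; '' is the default set."""
    out: dict[str, set[str]] = {}
    for line in log.splitlines():
        m = USING_RE.search(line)
        if m:
            out.setdefault(m.group(2) or "", set()).add(m.group(1))
    return out


def lost_after_reload(log: str, configured: dict[str, str]) -> dict[str, str]:
    """Configured domain -> server pairs missing from the reload announcement."""
    seen = announced_servers(log)
    return {dom: srv for dom, srv in configured.items() if srv not in seen.get(dom, set())}


if __name__ == "__main__":
    for label, log in (("v2.88test1", RELOAD_BUGGY), ("backout", RELOAD_FIXED)):
        print(label, "lost:", lost_after_reload(log, CONFIGURED) or "none")
```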




Re: [Dnsmasq-discuss] DHCP Proxy and UEFI HTTP boot

2022-06-08 Thread Michael via Dnsmasq-discuss

Hi Geert,

solved it yesterday. The trick was to "enable" the vendor by 
dhcp-pxe-vendor. So this is the working config:


# Disable DNS Server
port=0

# Enable DHCP logging
log-dhcp
log-debug
log-facility=/tmp/dns.log

# run as DHCP proxy
dhcp-range=192.168.1.200,proxy
dhcp-pxe-vendor=PXEClient,HTTPClient:Arch:00016
dhcp-vendorclass=set:efihttp,HTTPClient:Arch:00016
pxe-service=tag:efihttp,x86-64_EFI,"Network 
Boot",http://192.168.1.200/esxi/mboot.efi


dhcp-boot=tag:efihttp,http://192.168.1.200/esxi/mboot.efi
dhcp-option-force=tag:efihttp,60,HTTPClient

Hhhhmm but the dhcp-pxe-vendor is not necessary for 
HTTPClient:Arch:7 or HTTPClient:Arch:9...? An iPXE boot with 
vendor class HTTPClient:Arch:7 does not need this option so eval by 
dhcp-vendorclass works for 7 "out of the box". Therefore I ignored 
that option also for 00016...


"It is OK to take time to read the monthly posting that was the posting
before the posting that started this thread.
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q2/date.html" => [1]


I was new to the mailing list and now read the Monthly posting 
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q2/016423.html 
and I agree: The documentation is "hard to read" ;-)


Thanks for offering support.

Regards Michael

On 08.06.2022 22:16, Geert Stappers via Dnsmasq-discuss wrote:

On Wed, Jun 08, 2022 at 12:22:50PM +0200, Michael via Dnsmasq-discuss wrote:
On 08.06.2022 10:31, Geert Stappers via Dnsmasq-discuss wrote:
On Tue, Jun 07, 2022 at 11:35:26AM +0200, Michael via Dnsmasq-discuss wrote:


Hi dnsmasq-discuss Groupmembers,

I tried to get working dnsmasq as DHCP Proxy for UEFI HTTP boot.

  


Anybody a hint for me whats wrong in my configuration?
It is incomplete.

Or is the combination DHCP Proxy and UEFI HTTP boot not RFC like?

THx in advance
Yeah, the answer was sent in advance.
Now wait for the next monthly posting.


Thanks for your detailed answer.

You are welcome, now let's solve the interesting problem.

Please do share a complete configuration.  Show who is the main
stakeholder of dnsmasq as DHCP proxy for UEFI HTTP boot challenge.

It is OK to take time to read the monthly posting that was the posting
before the posting that started this thread. 
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q2/date.html



Michael


Groeten
Geert Stappers

Links:
--
[1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q2/date.html


Re: [Dnsmasq-discuss] DHCP Proxy and UEFI HTTP boot

2022-06-08 Thread Michael via Dnsmasq-discuss

It is incomplete. => Thanks for your detailed answer.

Michael

On 08.06.2022 10:31, Geert Stappers via Dnsmasq-discuss wrote:

On Tue, Jun 07, 2022 at 11:35:26AM +0200, Michael via Dnsmasq-discuss 
wrote:



Hi dnsmasq-discuss Groupmembers,

I tried to get working dnsmasq as DHCP Proxy for UEFI HTTP boot.

The following configuration, dnsmasq as DHCP Server, works (but we have
another DHCP Server running):

dhcp-range=efi-http,192.168.1.200,192.168.1.220

dhcp-option=tag:efi-http,option:vendor-class,HTTPClient
dhcp-option=tag:efi-http,option:bootfile-name,http://192.168.1.100/esxi/mboot.efi

But when I tried to set up dnsmasq as DHCP Proxy it does not respond to any
requests:

dhcp-range=efi-http,192.168.1.0,proxy,255.255.255.0

dhcp-option=tag:efi-http,option:vendor-class,HTTPClient
dhcp-option=tag:efi-http,option:bootfile-name,http://192.168.1.100/esxi/mboot.efi

After further investigation I found out that dnsmasq, when configured as DHCP
Proxy, only responds (sends packets) to DHCP requests when the options
pxe-service and dhcp-boot are set (to some "default", useless values, and
therefore UEFI HTTP Boot does not work). But in my opinion these options are
not necessary for booting UEFI HTTP Clients and make no sense to set.

Does anybody have a hint for me what's wrong in my configuration?


It is incomplete.


Or is the combination DHCP Proxy and UEFI HTTP boot not RFC like?

THx in advance


Yeah, the answer was sent in advance.
Now wait for the next monthly posting.


Michael


Groeten
Geert Stappers


[Dnsmasq-discuss] DHCP Proxy and UEFI HTTP boot

2022-06-07 Thread Michael via Dnsmasq-discuss

Hi dnsmasq-discuss Groupmembers,

I tried to get working dnsmasq as DHCP Proxy for UEFI HTTP boot.

The following configuration, dnsmasq as DHCP Server, works (but we have 
another DHCP Server running):


dhcp-range=efi-http,192.168.1.200,192.168.1.220

dhcp-option=tag:efi-http,option:vendor-class,HTTPClient
dhcp-option=tag:efi-http,option:bootfile-name,http://192.168.1.100/esxi/mboot.efi

But when I tried to set up dnsmasq as DHCP Proxy it does not respond to 
any requests:


dhcp-range=efi-http,192.168.1.0,proxy,255.255.255.0

dhcp-option=tag:efi-http,option:vendor-class,HTTPClient
dhcp-option=tag:efi-http,option:bootfile-name,http://192.168.1.100/esxi/mboot.efi

After further investigation I found out that dnsmasq, when configured as 
DHCP Proxy, only responds (sends packets) to DHCP requests when the 
options pxe-service and dhcp-boot are set (to some "default", useless 
values, and therefore UEFI HTTP Boot does not work). But in my opinion these 
options are not necessary for booting UEFI HTTP Clients and make no 
sense to set.


Does anybody have a hint for me what's wrong in my configuration? Or is the 
combination DHCP Proxy and UEFI HTTP boot not RFC like?


THx in advance

Michael


Re: [Dnsmasq-discuss] dhcp-host=hostnameonly does not work

2022-05-19 Thread Michael Smith

On 5/19/22 07:46, Maulis Adam via Dnsmasq-discuss wrote:

Hello,

I like to configure my dhcp server with as little redundancy as 
possible. But it looks like the IP address needs to be written in both 
/etc/hosts and /etc/dnsmasq.conf


The client machines are in the /etc/hosts for example:

192.168.64.200 cntemplate.hpc

The non-default dnsmasq config options are:

no-resolv
server=192.168.5.251
expand-hosts
domain=hpc

Case 1:
dhcp-range=192.168.64.0,static
dhcp-host=cntemplate

Does not work, syslog said:
May 19 15:53:47 gw00 dnsmasq-dhcp[4912]: DHCPDISCOVER(vlan164) 
02:00:00:00:00:65 no address available



Maybe I am not fully understanding your use case.   Here is how I have 
mine configured:



hosts:

192.168.101.10    hostname


dnsmasq.conf

dhcp-host=0c:9d:92:10:a1:8c,hostname


This ties the DHCP request (MAC) to the hostname and then the hostname 
to the ip in the hosts file.



Michael





Re: [Dnsmasq-discuss] Setting dnsmasq to serve multiple subnets

2022-04-28 Thread Michael Smith

On 4/28/22 09:20, Will Dennis wrote:


Hi all,

I currently have dnsmasq set up and working well for the LAN that the 
dnsmasq server is on (for our purposes, say 192.168.0.0/24.) Config is 
like this currently:



Now, I have now set up a router (layer-3 switch) that has interfaces 
to multiple other networks off of it, all having a /28 network mask. 
It has been set to be a DHCP relay (“ip helper”) pointing DHCP 
requests from these new networks to the dnsmasq server. I cannot seem 
to find a “howto” on how to configure dnsmasq to serve multiple dhcp 
pools/associated options so it can be the single DHCP/DNS server for 
these multiple new networks. In my reading of the man pages, I 
**think** I’d have to do something like this in my config to enable this:


domain-needed

bogus-priv

strict-order

no-hosts

dhcp-authoritative

dhcp-leasefile=/var/lib/misc/dnsmasq.leases

domain=nec-labs.com

dhcp-range=192.168.0.20,192.168.0.59,1h

dhcp-option=option:router,192.168.0.1

dhcp-range=set:vlan10,192.168.1.1,192.168.1.13,255.255.255.240,1h

dhcp-option=tag:vlan10,option:router,192.168.1.14

[…]

Am I correct in this? And, I don’t need to tag the original 
pool/options, do I?





Here is what I have in my config for multiple subnets and directing 
various services.  I am running dnsmasq on a separate host in the lan 
subnet.  I tag even the default lan for clarity.



# Subnet specific declarations
dhcp-range=lan,192.168.101.100,192.168.101.200,96h
dhcp-range=IOT,192.168.102.100,192.168.102.200,96h
dhcp-range=guest,192.168.103.100,192.168.103.200,72h
dhcp-range=camera,192.168.104.100,192.168.104.200,72h

# Define router
dhcp-option=tag:lan,option:router,192.168.101.1
dhcp-option=tag:IOT,option:router,192.168.102.1
dhcp-option=tag:guest,option:router,192.168.103.1
dhcp-option=tag:camera,option:router,192.168.104.1

# Define DNS servers (DNSmasq server - also DHCP)
dhcp-option=option:dns-server,192.168.101.2

# Define NTP servers
dhcp-option=tag:lan,option:ntp-server,192.168.101.1
dhcp-option=tag:IOT,option:ntp-server,192.168.102.1
dhcp-option=tag:guest,option:ntp-server,192.168.103.1
dhcp-option=tag:camera,option:ntp-server,192.168.104.1


# Common definitions
dhcp-option=option:netmask,255.255.255.0
dhcp-option=15,"mydomain" # Domain name
dhcp-option=101,America/Denver
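The mechanics several of these threads lean on (a dns-server option chosen per client through set:/tag:, a dhcp-host that takes its address from /etc/hosts, the port=0 case where that lookup never happens, and per-subnet options keyed by the dhcp-range name) can be checked offline before a config goes live. The following is an added example, not code from the list or from dnsmasq; it parses a constructed config and hosts file, and the option precedence it models (only options whose tags all match are candidates, the one with the most tags wins) is this example's reading of the dnsmasq man page.

```python
"""Work out which address and DHCP options dnsmasq will hand one client.

Added example, not code from the list or from dnsmasq. Reads dhcp-host (with
set:), dhcp-option (with tag:) and port=0 from a dnsmasq.conf plus /etc/hosts.
Precedence as this example reads the man page: candidates are options whose
tags all match the client, and the candidate with the most tags wins.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed config: the kids/grown-ups DNS split and per-subnet routers from
# the threads, plus one dhcp-host whose name has no /etc/hosts entry.
SAMPLE_CONF = """\
dhcp-range=lan,192.168.101.100,192.168.101.200,96h
dhcp-range=IOT,192.168.102.100,192.168.102.200,96h
dhcp-option=option:dns-server,192.168.101.2
dhcp-option=tag:kidsdevices,option:dns-server,192.168.101.3
dhcp-option=tag:lan,option:router,192.168.101.1
dhcp-option=tag:IOT,option:router,192.168.102.1
dhcp-host=0c:51:01:95:d3:36,set:kidsdevices   # Ipad
dhcp-host=30:05:5c:7b:36:b5,hostA
dhcp-host=04:17:b6:67:80:3c,orphan
"""
SAMPLE_HOSTS = "192.168.101.3 hostA\n"


def strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_conf(text: str) -> dict:
    """Collect dhcp-host entries (keyed by MAC), dhcp-option entries and port=0."""
    conf = {"hosts": {}, "options": [], "dns_disabled": False}
    for raw in text.splitlines():
        line = strip_comment(raw)
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = [p.strip() for p in value.split(",")]
        if key == "dhcp-host":
            # lease-time, id: and ignore fields of dhcp-host are not modelled
            entry, mac = {"tags": set(), "name": None, "ip": None}, None
            for p in parts:
                if MAC_RE.match(p):
                    mac = p.lower()
                elif p.startswith("set:"):
                    entry["tags"].add(p[4:])
                elif IPV4_RE.match(p):
                    entry["ip"] = p
                else:
                    entry["name"] = p
            conf["hosts"][mac or entry["name"]] = entry
        elif key == "dhcp-option":
            tags = {p[4:] for p in parts if p.startswith("tag:")}
            rest = [p for p in parts if not p.startswith("tag:")]
            if rest:
                conf["options"].append({"tags": tags, "name": rest[0], "values": rest[1:]})
        elif key == "port" and value.strip() == "0":
            conf["dns_disabled"] = True
    return conf


def parse_hosts(text: str) -> dict[str, str]:
    """Map every name in an /etc/hosts-style file to its address."""
    names: dict[str, str] = {}
    for raw in text.splitlines():
        fields = strip_comment(raw).split()
        for name in fields[1:]:
            names.setdefault(name, fields[0])
    return names


def resolve(conf: dict, hosts: dict, mac: str, net_tag: str) -> dict:
    """Tags, static address and effective options for one client.

    net_tag is the name of the dhcp-range the client's subnet matches; dnsmasq
    sets it as a tag, the caller supplies it here.
    """
    entry = conf["hosts"].get(mac.lower(), {"tags": set(), "name": None, "ip": None})
    tags = set(entry["tags"]) | {net_tag}
    out = {"tags": tags, "ip": entry["ip"], "options": {}, "warnings": []}
    if entry["ip"] is None and entry["name"]:
        # hostname-only dhcp-host: the address must come from /etc/hosts, which
        # dnsmasq reads only while its DNS side is enabled (the port=0 thread)
        if conf["dns_disabled"]:
            out["warnings"].append("port=0: /etc/hosts not read, expect 'no address available'")
        elif entry["name"] in hosts:
            out["ip"] = hosts[entry["name"]]
        else:
            out["warnings"].append(f"{entry['name']}: no hosts entry, no static address")
    best: dict[str, tuple[int, list]] = {}
    for opt in conf["options"]:
        if opt["tags"] <= tags and len(opt["tags"]) > best.get(opt["name"], (-1,))[0]:
            best[opt["name"]] = (len(opt["tags"]), opt["values"])
    out["options"] = {name: values for name, (_, values) in best.items()}
    return out
```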





Re: [Dnsmasq-discuss] DNS from dhcp-host while client is offline

2021-10-05 Thread Michael

On 10/4/21 05:37, Dominik Derigs wrote:

Hey Petr,

On Mon, 2021-10-04 at 11:45 +0200, Petr Menšík wrote:

Perhaps a flag could be added to dhcp-range, requesting also
addition of dhcp-hosts to static dns.

Maybe this flag would better be set on --dhcp-host and --dhcp-
hostsfile if this is used? This would feel more "natural" to me.

Initially, I've myself found this an odd behavior to only serve
only DHCP host names that are known to be "alive". I do see some
value in not serving A records when we know the server is
offline, however, the very same happens on the Internet all the
time: no DNS server I'm aware of checks if an A record is
reachable before giving you the reply.

I've seen other systems using dnsmasq (it may or not have been
DD-WRT, no promises!) that created two files from static leases:
A dhcp-hostsfile and an addn-hosts file. Having an option to make
the latter obsolete sounds like a good idea.



Maybe I am misunderstanding the issue, but dnsmasq already gives the 
ability that is being asked for, I believe.



If you want a static DNS entry, add the entry to /etc/hosts or -addn-hosts=

If you want a DHCP lease that always hands out the same ip address but 
is only valid during the lease, create a dhcp-host entry that includes 
the IP & hostname


If you want a DHCP lease can always be looked up via DNS, add it to 
/etc/hosts or -addn-hosts and the dhcp-host entry contains the hostname




Michael






Re: [Dnsmasq-discuss] Upstream servers by host tag (or MAC)

2021-09-23 Thread Michael

On 9/23/21 04:35, Petr Menšík wrote:

Hi Hubert,

it may work, if you would run two dnsmasq instances. One for children
with OpenDNS as upstream servers, another for everyone else.

default instance:

bind-interfaces
listen-address=10.1.0.1
server=8.8.8.8
domain=home.arpa
dhcp-option=option:dns-server,10.1.0.1,8.8.8.8
dhcp-option=tag:child,option:dns-server:10.1.0.2,208.67.222.123
...

children instance:

bind-interfaces
listen-address=10.1.0.2
server=208.67.222.123
server=/home.arpa/10.1.0.1

Because the second instance would forward local domain to main instance,
which also registers dhcp, they should be able to resolve any local
names. But other names would be served by different server.

Children might have reserved different address range, but it might be
handy to be on shared broadcast link. Good for link-local address
resolution and easy local games setup. Not sure it is relevant anymore.

Not sure if 10.1.0.2 can be on the same interface as 10.1.0.1. It would
work fine with just DNS, but I think dhcp requires interface=eth0 or
similar. Which would block the second instance from working correctly. I
think alternative address would have to be on different interface.



I do almost exactly this so I can confirm it works.


I have one machine running docker.   On that machine, I run two 
containers with their own IP addresses (macvlan).    .1 for the primary 
including DHCP pointing to my main DNS.   Then the .2 version that 
points to the safe DNS, but relays local name queries (and reverse) over 
to the .1.



Then in config as you highlighted above, I point the child machines to 
the .2 and everything else to .1.



It would be nice if you could use tags to point to different DNS 
servers, but until that is an option, this works.


Michael





Re: [Dnsmasq-discuss] Details of the --dhcp-optsdir= option

2021-09-03 Thread Michael

On 9/3/21 1:23 PM, Chris Green wrote:

If I have set dhcp-optsdir in /etc/dnsmasq.conf and add a file to the
directory it points to I assume any extra configuration in the added
file will 'just happen' without any restart or signalling of dnsmasq.

However (like the description for dhcp-hostsdir) I presume that an
option I have added as above will not be removed if I delete the added
file.  Specifically if I put a dhcp-range option in the added file
(when there wasn't one in /etc/dnsmasq.conf) the DHCP server in
dnsmasq will be turned on, but removing the file won't turn the DHCP
server off again.  I'd need to restart dnsmasq to turn the DHCP server
off (or would one of the signals suffice?).

I believe this is correct.


I'm thinking of running dnsmasq on two systems on my LAN to provide
some resilience.  One will be configured to run DHCP as well as DNS,
the other will be DNS only.  Apart from DHCP the configurations
will be identical and the IPs of both systems will be given by the
DHCP server as DNS IPs.



This works if your DHCP server only hands out static addressing so the 
host names are all listed in the /etc/hosts or addn hosts location on 
both machines.   If the DHCP server is handing out addresses from a 
pool, then only the DHCP dnsmasq instance will know about those hosts by 
name.


You could try to add a referral from the second host to the DHCP host 
for any local domain lookup


server=/mydomain.com/192.168.101.2 # IP of DHCP dnsmasq server
server=/101.168.192.in-addr.arpa/192.168.101.2 # handle reverse lookups


This should allow both machines to respond with the same data but it 
requires both to be up.




So the normal 'everything working' situation will be system A (say on
192.168.1.2) is a DNS and DHCP server.  System B (say on 192.168.1.3)
provides only DNS.  System A's DHCP server will give out both
192.168.1.2 and 192.168.1.3 as DNS servers.

If 192.168.1.3 fails or is off line everything continues to work OK
except maybe some slowing down of DNS because of requests to
192.168.1.3 having to timeout before retrying on 192.168.1.2.

If 192.168.1.2 fails I will add the DHCP configuration to it
'manually' and then I'll have a working system while I fix
192.168.1.2.



I think it is important to understand that DNS doesn't really have the 
concept of primary and secondary nameservers.    They are all expected 
to be equal and the client can choose which one it wants to try.   So, 
your servers have to have the ability to give the same responses or you 
will go crazy trying to figure out why some things aren't working right.



In your scenario, you could sync the leases file over regularly as a 
backup.   Then when the failure occurs, you would update the secondary 
box to add the dhcp options, stop the redirection above, and begin 
owning/managing the DHCP leases file.   When the primary comes back 
online, you have to reverse the whole process or leave it this way until 
the next failure, but sync the files the other way.



Michael







Re: [Dnsmasq-discuss] Questions about DHCP persistence and lease times

2021-09-03 Thread Michael

On 9/3/21 7:02 AM, Chris Green wrote:


I was thinking about the usual "one local server and 1.1.1.1 or
8.8.8.8 as secondary" but now I think about it I suppose there's
nothing difficult about providing two local servers.  However will
having one of them non-functional slow things down at all?


So:-

 1 - How do I configure dnsmasq to give two DNS server addresses?

 2 - Will only actually having one listening cause any delay?



You can configure multiple addresses with:

dhcp-option=6, x.x.x.x, y.y.y.y


As I mentioned in another response, the client resolver chooses which DNS 
server to use and what order.   Having one in the list that isn't active can 
cause problems as your client may try it and then have to time out before 
trying the other.  I wouldn't list any that were not active.

Michael



Re: [Dnsmasq-discuss] Questions about DHCP persistence and lease times

2021-09-03 Thread Michael

On 9/3/21 5:58 AM, Jesus M Diaz wrote:


I wasn't considering erasing/deleting the dnsmasq.leases file, I was
rather thinking of copying it to a non-running backup dnsmasq so that
if/when the running dnsmasq fails I can start the other and it will
give out the same IPs.


Do you really need this? I mean, if the DHCP server dies and you have a 
stand-by backup that takes over immediately, the renew request from 
the hosts will be to use the same IP address, so if you don't have the 
dnsmasq.leases file, ergo there are no leases at the moment, dnsmasq 
would grant the same (requested) IP address.




Without the leases file, you won't have the DNS mapping for those hosts 
that have been handed out a DHCP lease.   I am not sure if those will 
come back upon renew or if it has to wait until a new request comes in.



Michael




Re: [Dnsmasq-discuss] Further thoughts/questions on failover

2021-09-02 Thread Michael

On 9/2/21 5:45 AM, Chris Green wrote:

I'm still ruminating on this problem! :-)

A number of people are using docker containers to manage this, one
live dnsmasq in a container is the default DNS/DHCP for the system and
another dnsmasq container is maintained to keep its files in sync with
the running one.

So far so good.

What I don't follow is what happens if/when failure occurs as I don't
see how the replacement dnsmasq instance can appear at the same
address on the LAN.  So, unless all systems are rebooted they will
lose DNS won't they?



Hi Chris,


In my other response, I just highlighted how I work around this.


My infrastructure server runs on some other IP.  Then, my dnsmasq runs 
on 192.168.1.2 as a separate IP from the hosting server.  That way it 
can always have the same IP regardless of what server it runs on.  That 
IP is reserved just for DNS/DHCP service.  Then no clients have to 
change when a failover happens.



E.g. My default dnsmasq instance runs on a system at 192.168.1.2, if I
had a 'clone' docker container on my desktop machine it would be at
address 192.168.1.3.  So, if 192.168.1.2 dies and I start the dnsmasq
container on my desktop machine it's at 192.168.1.3 but all machines
on the network are configured (until reboot or DHCP reload time) to
use 192.168.1.2.

Am I missing something very obvious here (probably!).

Just maintaining a Raspberry Pi image and updating the dnsmasq files
on it would actually work better (for me anyway) as I could copy it
out to an actual SD card regularly and all I'd need to do to recover
after a failure would be to plug the SD card into a non-dead Pi and
turn it on.



Yes, in my other thread, you can see that all of the key files for the 
system are located under a single directory ( with a directory structure 
under that ).  So you don't have to have a script that copies a bunch 
of locations, just the one, making it straightforward.




Michael





Re: [Dnsmasq-discuss] Further thoughts/questions on failover

2021-09-02 Thread Michael

On 9/2/21 6:58 AM, Kevin Tedder wrote:

Chris
You just need to update the /etc/resolv.conf file on each of your clients to
point them at both DNS's.

e.g
nameserver 192.168.1.2
nameserver 192.168.1.3

The client will now ask both DNS servers. It will get a response even if one
of them is off-line.



This is generally platform specific.   Not all resolvers treat things 
equally.    Some will only query one and if it times out, then will go 
to the other.   This can cause big delays in DNS resolution and ends up 
feeling like your whole network is slow. Others query both and take the 
fastest response, so it is hit or miss based on your client platforms.



Additionally, if the dnsmasq instance is ONLY doing DNS service, this 
can work fairly well.  Keep the hosts file replicated and either server 
can hand out the same data.  Obviously the cache will be different for 
each so you lose some effectiveness, but the client never really knows.



However, if you are running DHCP and dnsmasq is updating/maintaining a 
list of host names of your local clients in the leases file, then only 
one of the dnsmasq instances is going to know about those.  In this 
instance, I think it makes more sense to ensure you have one really robust 
dnsmasq system than having two that don't respond the same.



I think both have valid use cases and it just depends on what works best 
for your scenario.



Michael






Re: [Dnsmasq-discuss] How do others provide backup for their DNS? Ideas wanted

2021-09-02 Thread Michael

On 9/2/21 1:05 AM, Chris Green wrote:

On Wed, Sep 01, 2021 at 01:04:24PM -0700, Michael wrote:


Hi Chris,


This is a topic that has come up periodically over the years and I too have
watched with interest on how to best manage this.


I looked at using heartbeat and other failover services to handle any
potential failure, but it just becomes so complicated if you are using DHCP
too.   If you do just DNS, then this is all much simpler.


Here is what I am doing now:

1) Run dnsmasq (pihole actually) in a docker container on my
"infrastructure" server.   It has a static IP/MAC separate from the
infrastructure server.

2) Hourly, I rsync the docker data directory for pihole over to my desktop
machine.   This contains the /etc/pihole directory, leases file, /etc/hosts
file, etc.  It is a super tiny amount of data.

3) On my desktop, I have docker installed and ready to go including the
pihole install.


Then, when I have a failure or want to do maintenance, I just stop the
pihole docker on the infrastructure server and start the pihole container on
the desktop.   The service comes up with the same IP and MAC and the clients
never know it happened.    When I am done, I just reverse the process.


It seems to work fine for my needs.


That sounds a good practical approach and would work for me I think.

I think I need to learn about docker.  Is there a beginners guide
anywhere that explains how to do something simple like I would want to
do?

The only other issue is that the only 'servers' I have on my system
(apart from my desktop machine) are Pis, however I see no reason for
not using one of them.



Hi Chris,

I am sure there are some good guides out there for learning docker.  I 
learned by just picking a project that I wanted to try and setting out 
to get it running.  You could always run your primary on a Pi and your 
backup on another platform without any issues using my example below.



I would think running dnsmasq would be about as simple a docker as you 
can get.  Here are a couple of examples that you should be able to use:


https://github.com/jpillora/docker-dnsmasq

https://hub.docker.com/r/strm/dnsmasq/


Personally, I like to use docker-compose, because it allows you to spin 
up the same arguments each time without remembering them.


As I mentioned, I am not using just dnsmasq, but rather pihole built on 
top of DNSmasq, but my docker-compose file looks like this below.   You 
should be able to adapt the arguments for just dnsmasq pretty easily.



  pihole-main:
    container_name: pihole-main
    restart: unless-stopped
    image: pihole/pihole
    hostname: pihole-main
    domainname: $DOMAINNAME
    mac_address: 02:42:c0:a8:65:02
    environment:
      - TZ=${TZ}
      - "WEBPASSWORD=fakepassword"
      - "TEMPERATUREUNIT=f"
      - DNSMASQ_USER=${DNSMASQ_USER}
      - PUID=${PUID}
      - PGID=${PGID}

      # Internal IP of the cloudflared container
      - "DNS1=8.8.8.8"

      # Explicitly disable a second DNS server, otherwise Pi-hole uses Google
      - "DNS2=no"

      # Listen on all interfaces and permit all origins
      # This allows Pihole to work in this setup and when answering across VLANS,
      # but do not expose pi-hole to the internet!
      - "DNSMASQ_LISTENING=all"

    dns:
      # - 127.0.0.1
      - 8.8.8.8

    # Persist data and custom configuration to the host's storage
    volumes:
      - ${VOLUME}/pihole-main/config:/etc/pihole/
      - ${VOLUME}/pihole-main/dnsmasq:/etc/dnsmasq.d/
      - ${VOLUME}/pihole-main/misc:/var/lib/misc/
      - ${VOLUME}/pihole-main/home:/home/

    cap_add:
      - NET_ADMIN
      - CAP_SYS_NICE

    # 1. Join the public network so it's reachable by systems on our LAN
    networks:
      lan:
        ipv4_address: 192.168.101.2


With this configuration, the IP of the container is always 
192.168.101.2.  The server it is running on though has a different IP, 
something in the 192.168.101 range.  This way, if I bring this 
container up on the backup machine, it can come up on the same IP and 
MAC address and the clients never know it moved.



Bringing it up is just as simple as docker-compose up -d on the backup machine.

Then with this config, I just rsync the ${VOLUME}/pihole-main directory 
to the backup machine and it is ready if needed.



Michael














Re: [Dnsmasq-discuss] How do others provide backup for their DNS? Ideas wanted

2021-09-01 Thread Michael

On 9/1/21 11:45 AM, Chris Green wrote:

Thanks for the replies.

It does seem that any sort of live failover for DHCP and/or DNS turns
out to be quite complex.

I am thus thinking that simply having a reasonably quick to start
'cold' backup makes sense.  I really don't mind if my LAN is DNS and
DHCP'less for an hour or so, it can cope!

The best idea (and I haven't really thought about the practicalities
yet) I have had so far is a dual boot Raspberry Pi or similar that
reboots itself to the 'other' OS in the small hours, backs up the
'main' OS (which is the dnsmasq server) and then reboots back to the
'main' server.  One then has a daily cloned image of the dnsmasq
server which can be plugged into backup hardware if the server fails.




Hi Chris,


This is a topic that has come up periodically over the years and I too 
have watched with interest on how to best manage this.



I looked at using heartbeat and other failover services to handle any 
potential failure, but it just becomes so complicated if you are using 
DHCP too.   If you do just DNS, then this is all much simpler.



Here is what I am doing now:

1) Run dnsmasq (pihole actually) in a docker container on my 
"infrastructure" server.   It has a static IP/MAC separate from the 
infrastructure server.


2) Hourly, I rsync the docker data directory for pihole over to my 
desktop machine.   This contains the /etc/pihole directory, leases file, 
/etc/hosts file, etc.  It is a super tiny amount of data.


3) On my desktop, I have docker installed and ready to go including the 
pihole install.



Then, when I have a failure or want to do maintenance, I just stop the 
pihole docker on the infrastructure server and start the pihole 
container on the desktop.   The service comes up with the same IP and 
MAC and the clients never know it happened.    When I am done, I just 
reverse the process.



It seems to work fine for my needs.


Michael






Re: [Dnsmasq-discuss] Weird TFTP Failure

2021-07-14 Thread Michael

On 7/14/21 3:06 PM, Craig Perry wrote:

Hello,

I'm battling a little bit with a weird PXE Boot issue - I can pxeboot 
ubuntu 20.04 just fine but not 21.04. When booting 20.04 (which works 
just fine) the behaviour I see is:


1. transfers vmlinuz kernel image via tftp - OK
2. transfers initrd image via tftp - OK
3. Kernel boots, mounts the initial ramdisk then that's the end of 
tftp stuff, everything thereafter happens over http and it's fine


However, when booting 21.04, the behaviour i see is:

1. transfers vmlinuz kernel image via tftp - OK
2. transfers initrd image via tftp - FAILS, always near the end of the 
file transfer


The 20.04's initrd is 80mb in size, 21.04's is 99mb.



It's been a long time since I have done any PXE builds, but I remember 
seeing something like this in the past.   So take my response with a 
grain of salt :)



What PXE boot manager are you using? I believe in the pxelinux.cfg 
file ( or similar ) you typically set ramdisk_size= and that needs 
to have enough room to hold the initrd.   You might want to check to see 
if yours is big enough for the larger initrd.



Michael





[Dnsmasq-discuss] Passing DHCP_AGENT_RELAY Informations to DHCP-Script

2020-08-26 Thread Michael Rack
Hi Guys,

how can I pass all DHCP Option 82 information to my DHCP script?

I need this information to know which user is requesting an IP address. In
this value I get the CPE IP address and the port identification to identify
the end-user.

Thank you.


[Dnsmasq-discuss] dnsmasq keepalive or RasberryPi?

2020-08-19 Thread Michael Walter
Hey there. I am looking for a linux command to auto-restart dnsmasq if it
ever fails. It seems that my Raspberry Pi version fails from time to time.
Looked in the archives but was not able to find any documentation on such a
command. Currently I have to use the

service dnsmasq restart command but really want something to do this
automatically if it ever fails.

Thx


Re: [Dnsmasq-discuss] No more random source port if "--enable-dbus" is used and NM plugin

2020-08-08 Thread Michael Aramanovich
Fri, 7 Aug 2020 at 22:11, Geert Stappers:

> On Fri, Aug 07, 2020 at 07:09:52PM +0300, Michael Aramanovich wrote:
> >
> > However, the problem is still easily reproducible on Centos 7, Centos 8,
> > with dnsmasq 2.76 / 2.79  (and the most recent ones as well).
>
> Acknowledge on the "and the most recent ones as well"
> ..

Reproducing the issue without NM will help to fingerpoint to dnsmasq ...
>
>
Well, I managed to reproduce the issue with the last version (just
compiled from git), without NM, and even without --enable-dbus :) , the
issue is more or less clear now:

Just run dnsmasq with the following parameters ("ens32" is the interface
name on my centos; change it to yours if it differs):

sudo dnsmasq --no-resolv --no-daemon --no-hosts --bind-interfaces
--listen-address=127.0.0.1 --cache-size=0 --server 8.8.8.8@ens32

Every request to the upstream DNS server 8.8.8.8  will be sent by dnsmasq
with the SAME source port, randomly chosen at start up, the "--query-port"
option in the command line above will be ignored (and this is documented in
dnsmasq-man:  "The query-port flag is ignored for any servers which have a
source address specified but the port may be specified directly as part of
the source address." )   Also, adding --min-port or --max-port will not
make sense.

But still there is no way to force dnsmasq to use a random port for every
upstream query if the upstream server is set with @interface.

Unfortunately, the NetworkManager uses DBus to set upstream name server via
SetServersEx, with argument 8.8.8.8@ens32, which is basically the same as
setting it via conf or command line as in the example above. That's why I
thought initially that "--enable-dbus" is a culprit.

Regards,
Michael.

>


[Dnsmasq-discuss] No more random source port if "--enable-dbus" is used.

2020-08-07 Thread Michael Aramanovich
(continuation of
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q1/011315.html
)

Hello
back in 2017 there was already an attempt to solve this , but it led to
nothing, unfortunately.

However, the problem is still easily reproducible on Centos 7, Centos 8,
with dnsmasq 2.76 / 2.79  (and the most recent ones as well).

How to reproduce:
- configure NetworkManager and enable dnsmasq plugin: in
/etc/NetworkManager/NetworkManager.conf, add:

# This enabled the dnsmasq plugin.
[main]
dns=dnsmasq

- restart NetworkManager. After that, the dnsmasq process will appear with
the following options:

/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts
--bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid
--listen-address=127.0.0.1 --cache-size=400 --clear-on-reload
--conf-file=/dev/null --proxy-dnssec
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq
--conf-dir=/etc/NetworkManager/dnsmasq.d

Since then, every request to the upstream DNS server will be sent by
dnsmasq with the SAME local source port.  Moreover, setting or changing any
of the options - --query-port, --min-port, --max-port does not make any
sense and these options are definitely ignored by dnsmasq if it runs with
the "--enable-dbus" option.

As a result, all the DNS requests are coming with the same UDP source port,
which violates RFC 5452 section 4.5; at some point this "session" is
blocked by Juniper with DNS algo enabled.

Please advise if this is a dnsmasq bug, or there are any other
configuration options (either in dnsmasq or NetworkManager) to avoid this
and force dnsmasq to use a random UDP source port for upstream queries.

Regards
Michael

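The two messages above describe a forwarder sending every upstream query from one UDP source port, which is what RFC 5452 section 4.5 warns against: with the port fixed, only the 16-bit transaction ID stands between the forwarder and a spoofed answer. The following is an added example, not code from dnsmasq or from this thread, that checks a capture for that symptom by counting distinct source ports per upstream. The input lines are constructed to resemble tcpdump output; only the shape "<time> IP <src>.<sport> > <dst>.53: <id>+ ..." is parsed, and the addresses, ports and transaction IDs are made up for the sample.

```python
"""Source-port diversity check for a forwarder's upstream DNS queries.

Added example, not code from dnsmasq or from the list thread. A forwarder
that reuses one port for every query (the symptom in the thread) leaves
only the transaction ID protecting it from spoofed answers, so a per-
upstream count of distinct source ports is a cheap health check.
"""
import re
from collections import defaultdict

# Matches a query line: IPv4 source with port, IPv4 upstream on port 53,
# then the DNS transaction ID followed by "+" (recursion desired).
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+ "
)


def parse_query(line):
    """Return (src_ip, src_port, upstream_ip, txid), or None if the line is not a query."""
    m = QUERY_RE.match(line)
    if m is None:
        return None
    return m.group("src"), int(m.group("sport")), m.group("dst"), int(m.group("txid"))


def port_diversity(lines):
    """Per upstream IP: (number of queries, number of distinct source ports)."""
    ports = defaultdict(set)
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # replies and unrelated traffic are skipped
        _, sport, upstream, _ = parsed
        ports[upstream].add(sport)
        counts[upstream] += 1
    return {up: (counts[up], len(ports[up])) for up in counts}


def fixed_port_upstreams(lines, min_queries=5):
    """Upstreams that got at least min_queries queries, all from a single source port."""
    return sorted(
        up for up, (n, distinct) in port_diversity(lines).items()
        if n >= min_queries and distinct == 1
    )


# Constructed capture (not real traffic): five queries to 8.8.8.8 all
# leave from port 40111, five queries to 1.1.1.1 each use a fresh port,
# plus one reply line that must be ignored by the parser.
SAMPLE_CAPTURE = [
    "12:00:00.100 IP 192.168.1.2.40111 > 8.8.8.8.53: 1001+ A? example.com. (29)",
    "12:00:00.200 IP 8.8.8.8.53 > 192.168.1.2.40111: 1001 1/0/0 A 93.184.216.34 (45)",
    "12:00:00.300 IP 192.168.1.2.40111 > 8.8.8.8.53: 1002+ A? example.net. (29)",
    "12:00:00.400 IP 192.168.1.2.40111 > 8.8.8.8.53: 1003+ AAAA? example.org. (29)",
    "12:00:00.500 IP 192.168.1.2.40111 > 8.8.8.8.53: 1004+ A? www.example.com. (33)",
    "12:00:00.600 IP 192.168.1.2.40111 > 8.8.8.8.53: 1005+ A? mail.example.com. (34)",
    "12:00:01.100 IP 192.168.1.2.51234 > 1.1.1.1.53: 2001+ A? example.com. (29)",
    "12:00:01.200 IP 192.168.1.2.38877 > 1.1.1.1.53: 2002+ A? example.net. (29)",
    "12:00:01.300 IP 192.168.1.2.60012 > 1.1.1.1.53: 2003+ AAAA? example.org. (29)",
    "12:00:01.400 IP 192.168.1.2.42518 > 1.1.1.1.53: 2004+ A? www.example.com. (33)",
    "12:00:01.500 IP 192.168.1.2.55901 > 1.1.1.1.53: 2005+ A? mail.example.com. (34)",
]

if __name__ == "__main__":
    for up, (n, distinct) in sorted(port_diversity(SAMPLE_CAPTURE).items()):
        print(f"{up}: {n} queries from {distinct} distinct source port(s)")
    print("fixed-port upstreams:", fixed_port_upstreams(SAMPLE_CAPTURE))
```

On the sample, 8.8.8.8 is reported as a fixed-port upstream and 1.1.1.1 is not. Against a real capture you would feed it the lines of a `tcpdump -n` session filtered to port 53; a healthy forwarder shows a distinct-port count close to its query count.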

Re: [Dnsmasq-discuss] Question

2020-04-10 Thread Michael

On 4/10/20 2:46 PM, Dave Harrison wrote:

Greetings,

I was attempting to post a question to your board.  I'm not clear if I 
was successful in logging in or not.  However, I will post the 
question to this email.  Hopefully this will be a reasonable format 
for asking the question.


The question:

I have configured a Raspberry Pi 4 with a LAMP stack and a Wordpress 
website.  Unfortunately after the site was successfully published, I 
realized that I was unable to access the website from the public 
side.  I was able to view the website from within my local network.


I set up Port Forwarding successfully and established a static IP 
address for Raspberry Pi.  I am asking this question to determine if 
the dnsmasq application may help me solve this problem.  I realize 
there are a number of "tunneling" solutions, however I am looking for 
a solution that will allow visitors to type in the public WWW url 
address and view the website.  It is important that public visitors 
can access the website from the "normal" URL address.




DNSmasq is primarily for providing DNS responses for hosts on your local 
network.   The DNS responses could be to help hosts on your network find 
your LAMP stack or resolving DNS for things on the internet.  Without 
it, hosts on your local network likely can only find things on the 
internet, but can't find things locally by name.



You are looking to have hosts out on the internet find a host that is on 
your network which is basically the reverse problem. There are two ways 
you might approach this problem.



1) Register a domain with a registrar and have them host DNS records for 
you.   This is probably more complication than you want to take on today.


2) Sign up with a dynamic DNS company and use a client on your local 
network or your router to regularly update the DNS record at the DDNS 
provider.  Then your LAMP stack could be found by others by going to 
@DDNS.com or something like that.  Google DDNS provider and 
you can find a bunch of companies that provide this service and many are 
free.  You might even see if your router directly supports one of these 
providers making the integration and automatic updates easy.




Michael







Re: [Dnsmasq-discuss] rebind-domain-ok bug? Not whitelisting 4 word domain.

2019-10-14 Thread Michael
So it is only kind of working.  I'm still seeing the following in the logs now 
and then:
Oct 14 20:06:18 dnsmasq[15781]: possible DNS-rebind attack detected: 
universal-web-internal.production.gannettdigital.com

This is with the following set:
rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/gannettdigital.com/
When I specifically try to go to 
universal-web-internal.production.gannettdigital.com in a web browser though or 
do DNS lookup, I’m not seeing anything in the logs which is odd.   

On Monday, October 14, 2019, 7:51 PM, Michael  wrote:


Someone tried it and they used the following and said it worked.  When I tried 
it, it also worked.  I have no idea why that did, but using 
/gannettdigital.com/ by itself did not. 




rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/gannettdigital.com/



On Monday, October 14, 2019, 6:05 PM, Michael  wrote:

Hi Simon,

I'm using ASUS Merlin 384.13, which is compiled with dnsmasq 2.80-44-g608aa9f, 
on my router.   I have rebind protection on and want to whitelist 
"universal-web-internal.production.gannettdigital.com" as for some reason after 
upgrading to iOS 13 on my iOS devices that domain is getting hit very often.
I added the following to the dnsmasq.conf file, but the domain is still being 
logged:

rebind-domain-ok=/universal-web-internal.production.gannettdigital.com/

I also tried:

rebind-domain-ok=/.gannettdigital.com/

That whitelists "production.gannettdigital.com" (which also has a private IP 
address), but not "universal-web-internal.production.gannettdigital.com".  As 
such, this appears to be a bug.  I'm not sure if dnsmasq doesn't like the 
dashes or the fact that there are 4 parts to the domain.

Any idea why this isn't working?

Thanks,
Michael








Re: [Dnsmasq-discuss] rebind-domain-ok bug? Not whitelisting 4 word domain.

2019-10-14 Thread Michael

Someone tried it and they used the following and said it worked.  When I tried 
it, it also worked.  I have no idea why that did, but using 
/gannettdigital.com/ by itself did not. 




rebind-domain-ok=/mcafee.com/amazonmusiclocal.com/gannettdigital.com/



On Monday, October 14, 2019, 6:05 PM, Michael  wrote:

Hi Simon,

I'm using ASUS Merlin 384.13, which is compiled with dnsmasq 2.80-44-g608aa9f, 
on my router.   I have rebind protection on and want to whitelist 
"universal-web-internal.production.gannettdigital.com" as for some reason after 
upgrading to iOS 13 on my iOS devices that domain is getting hit very often.
I added the following to the dnsmasq.conf file, but the domain is still being 
logged:

rebind-domain-ok=/universal-web-internal.production.gannettdigital.com/

I also tried:

rebind-domain-ok=/.gannettdigital.com/

That whitelists "production.gannettdigital.com" (which also has a private IP 
address), but not "universal-web-internal.production.gannettdigital.com".  As 
such, this appears to be a bug.  I'm not sure if dnsmasq doesn't like the 
dashes or the fact that there are 4 parts to the domain.

Any idea why this isn't working?

Thanks,
Michael





[Dnsmasq-discuss] rebind-domain-ok bug? Not whitelisting 4 word domain.

2019-10-14 Thread Michael
Hi Simon,

I'm using ASUS Merlin 384.13, which is compiled with dnsmasq 2.80-44-g608aa9f, 
on my router.   I have rebind protection on and want to whitelist 
"universal-web-internal.production.gannettdigital.com" as for some reason after 
upgrading to iOS 13 on my iOS devices that domain is getting hit very often.
I added the following to the dnsmasq.conf file, but the domain is still being 
logged:

rebind-domain-ok=/universal-web-internal.production.gannettdigital.com/

I also tried:

rebind-domain-ok=/.gannettdigital.com/

That whitelists "production.gannettdigital.com" (which also has a private IP 
address), but not "universal-web-internal.production.gannettdigital.com".  As 
such, this appears to be a bug.  I'm not sure if dnsmasq doesn't like the 
dashes or the fact that there are 4 parts to the domain.

Any idea why this isn't working?

Thanks,
Michael

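The three rebind-domain-ok messages above are about one decision: when an upstream answer for a name maps to a private address, is the name on the operator's allowlist or should the answer be dropped as a DNS-rebind attempt? The following is an added example, not dnsmasq's code, that spells that decision out with the allowlist line from the thread. The allowlist semantics are an assumption made for this example (an entry covers the exact name and every label-aligned name below it); whether dnsmasq's own matching treats a four-label name the same way is exactly what the thread is asking, so this is an illustration of the check, not its implementation. The IP addresses in the sample cases are constructed.

```python
"""DNS-rebind check with a rebind-domain-ok style allowlist.

Added example, not dnsmasq's code. An answer is treated as a rebind
attempt when the queried name resolves to a private, loopback, link-local
or unspecified address and no allowlist entry covers the name. Allowlist
semantics are this example's assumption: an entry covers the exact name
and every name below it, so "gannettdigital.com" also covers
"universal-web-internal.production.gannettdigital.com".
"""
import ipaddress


def parse_rebind_domain_ok(value):
    """Split "/a.com/b.com/" (or a bare "a.com") into a list of domain suffixes."""
    return [d.strip(".").lower() for d in value.split("/") if d.strip(".")]


def name_covered(qname, suffix):
    """True if qname equals suffix or is a label-aligned subdomain of it.

    The "." + suffix comparison stops "notgannettdigital.com" from matching
    an entry for "gannettdigital.com"."""
    q = qname.rstrip(".").lower()
    return q == suffix or q.endswith("." + suffix)


def is_rebind_address(ip):
    """Addresses an external name should not legitimately resolve to."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def rebind_suspect(qname, answers, allowlist):
    """Decide whether the answer set for qname should be dropped as a rebind attempt."""
    if any(name_covered(qname, s) for s in allowlist):
        return False  # the operator explicitly trusts this name to return internal addresses
    return any(is_rebind_address(ip) for ip in answers)


# The allowlist line from the thread; the answers below are constructed.
ALLOW = parse_rebind_domain_ok("/mcafee.com/amazonmusiclocal.com/gannettdigital.com/")

if __name__ == "__main__":
    cases = [
        ("universal-web-internal.production.gannettdigital.com", ["10.20.30.40"]),
        ("production.gannettdigital.com", ["10.20.30.41"]),
        ("notgannettdigital.com", ["10.20.30.42"]),
        ("attacker.example", ["192.168.0.1", "93.184.216.34"]),
        ("example.com", ["93.184.216.34"]),
    ]
    for qname, answers in cases:
        verdict = "DROP" if rebind_suspect(qname, answers, ALLOW) else "ok"
        print(f"{qname:55s} {answers} -> {verdict}")
```

Note the mixed-answer case: one private address among otherwise public ones is enough to flag the set, since a rebinding attacker only needs one such record to be accepted by the client.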

Re: [Dnsmasq-discuss] DHCP, how to ignore the client MAC address?

2019-01-15 Thread Michael Schleicher (smicha)

Hi John,

thanks for your reply.

On 12.01.19 07:48, john doe wrote:

If the maintainer of dnsmasq has not chimed in that leaves us with two options:
- Too much on his plate, something could be done to answer this question.
- The issue lies elsewhere (predicting way for MAC addressing).

Ok, then we wait, maybe Simon jumps in...

Many Thanks
Michael



Re: [Dnsmasq-discuss] DHCP, how to ignore the client MAC address?

2019-01-11 Thread Michael Schleicher
Hi Geert,

thanks for your mail.

On 1/11/19 6:50 PM, Geert Stappers wrote:
> On Fri, Jan 11, 2019 at 11:29:13AM +0100, MIchael Schleicher (smicha) wrote:
>> On 11.01.19 10:53, john doe wrote:
>>> On 1/11/2019 9:49 AM, MIchael Schleicher (smicha) wrote:
>>>>
>>>> I have just checked on my environment what's in the dnsmasq.leases file:
>>>>
>>>> 1547246444 00:50:56:85:23:ea 10.198.10.223 win-vm 01:00:50:56:85:23:ea
>>>> 1547276503 00:50:56:85:f1:86 10.198.10.37 linux-vm 01:00:50:56:85:f1:86
>>>>
>>>> As you see the Client-ID (5th field) is the MAC + "01:" as prefix.
>>>>
>>>
>>> You previously said that the hostname is always the same, as illustrated
>>> by the above they are not (win-vm vs linux-vm)?
>>>
>>
>> Those are 2 different systems. (1 Windows and 1 Linux VM). It's just an
>> example
>>
> 
> The thing I would like to know is the name of the virtualisation platform.
> Mostly because all those I have seen did allow me to define the MAC address.
> 

The virtual landscapes (VMs) are running on a VMware ESX cluster.
The ESX hosts are "controlled" by a piece of software called
"eCloud-Manager", which deploys the different clones of landscapes.

We have a bunch of master VMs and the software deploys those VMs in
different isolated landscapes (each landscape is isolated with VLANs
and includes a copy of the masters, but with a different MAC than the
master VMs have!).

So, when a cloned VM in one of the virtual landscapes crashes or has
some other problem, the software destroys the VM and deploys a copy of
the master VM, with a different MAC, to that landscape.

And that is exactly the problem: during the deployment of that cloned VM
from the master, the MAC will be changed by the eCloud-Manager during the
VMware deployment.

I hope I gave you an understandable description.

Many Thanks
Michael




Re: [Dnsmasq-discuss] DHCP, how to ignore the client MAC address?

2019-01-11 Thread MIchael Schleicher (smicha)

Hi John,

On 11.01.19 10:53, john doe wrote:

On 1/11/2019 9:49 AM, MIchael Schleicher (smicha) wrote:

Hi,

thanks for your reply.

On 10.01.19 22:25, wkitt...@gmail.com wrote:

On 1/10/19 3:26 PM, Michael Schleicher wrote:

As I said, for Linux VMs, I can set a unique Client-ID that helps, but on
Windows you cannot define a Client-ID (as far as I know).


Isn't this the machine name? When I was supporting winwhatever, the
install generated a machine name... that is the name I saw used in
DHCP requests... it is the name that was added to the DNS so queries
on it would return its current IP...




I have just checked on my environment what's in the dnsmasq.leases file:

1547246444 00:50:56:85:23:ea 10.198.10.223 win-vm 01:00:50:56:85:23:ea
1547276503 00:50:56:85:f1:86 10.198.10.37 linux-vm 01:00:50:56:85:f1:86

As you see the Client-ID (5th field) is the MAC + "01:" as prefix.



You previously said that the hostname is always the same, as illustrated
by the above they are not (win-vm vs linux-vm)?



Those are 2 different systems. (1 Windows and 1 Linux VM). It's just an 
example



Thanks
Michael



Re: [Dnsmasq-discuss] DHCP, how to ignore the client MAC address?

2019-01-11 Thread MIchael Schleicher (smicha)

Hi,

thanks for your reply.

On 10.01.19 22:25, wkitt...@gmail.com wrote:

On 1/10/19 3:26 PM, Michael Schleicher wrote:

As I said, for Linux VMs, I can set a unique Client-ID that helps, but on
Windows you cannot define a Client-ID (as far as I know).


Isn't this the machine name? When I was supporting winwhatever, the 
install generated a machine name... that is the name I saw used in DHCP 
requests... it is the name that was added to the DNS so queries on it 
would return its current IP...





I have just checked on my environment what's in the dnsmasq.leases file:

1547246444 00:50:56:85:23:ea 10.198.10.223 win-vm 01:00:50:56:85:23:ea
1547276503 00:50:56:85:f1:86 10.198.10.37 linux-vm 01:00:50:56:85:f1:86

As you see the Client-ID (5th field) is the MAC + "01:" as prefix.

Many Thanks
Michael



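The leases-file lines quoted in this thread show the record layout dnsmasq writes: expiry as a Unix timestamp, MAC, IPv4 address, hostname (or "*"), and client identifier (or "*", here type 01 followed by the MAC). Several messages on this page copy that file between machines or depend on what is in it, so a loader that rejects a corrupt line instead of taking the whole file down is worth having. The following is an added example, not dnsmasq's own code: the two VM lines in the sample are the ones quoted above, the remaining sample lines and all validation rules (field count, MAC and IPv4 syntax, integer expiry, duplicate-address report) are this example's own.

```python
"""Parse and sanity-check a dnsmasq.leases file.

Added example, not dnsmasq's own code. Record layout as the thread's
sample lines show it:
  "<expiry epoch> <MAC> <IPv4> <hostname or *> <client-id or *>"
Validation rules and the duplicate-address report are this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class Lease:
    expiry: int               # seconds since the epoch when the lease ends
    mac: str                  # hardware address, lower-cased
    ip: str
    hostname: Optional[str]   # None when the file has "*"
    client_id: Optional[str]  # None when the file has "*"

    def client_id_is_mac(self) -> bool:
        """True when the client identifier is just type 01 (Ethernet) + the MAC,
        the pattern visible in the thread's sample lines."""
        return self.client_id == "01:" + self.mac


def parse_lease_line(line: str) -> Lease:
    """Parse one record; raise ValueError with a reason for anything malformed."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}")
    expiry, mac, ip, hostname, client_id = fields
    if not expiry.isdigit():
        raise ValueError(f"bad expiry {expiry!r}")
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC {mac!r}")
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return Lease(
        expiry=int(expiry),
        mac=mac,
        ip=ip,
        hostname=None if hostname == "*" else hostname,
        client_id=None if client_id == "*" else client_id.lower(),
    )


def load_leases(text: str) -> Tuple[List[Lease], List[Tuple[int, str]]]:
    """Return (accepted leases, [(line number, reason)] for rejected lines)."""
    leases, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            leases.append(parse_lease_line(raw))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return leases, errors


def duplicate_ips(leases: List[Lease]) -> List[str]:
    """Addresses that appear in more than one lease record."""
    seen, dups = set(), set()
    for lease in leases:
        if lease.ip in seen:
            dups.add(lease.ip)
        seen.add(lease.ip)
    return sorted(dups)


# First two lines are the thread's own sample; the rest are constructed:
# a redeployed clone holding the same address under a new MAC, and a
# corrupt line that must be rejected rather than crash the loader.
SAMPLE_LEASES = """\
1547246444 00:50:56:85:23:ea 10.198.10.223 win-vm 01:00:50:56:85:23:ea
1547276503 00:50:56:85:f1:86 10.198.10.37 linux-vm 01:00:50:56:85:f1:86
1547276600 00:50:56:85:02:ff 10.198.10.37 * *
1547276700 zz:50:56:85:02:fa 10.198.10.40 bad-mac 01:zz:50:56:85:02:fa
"""

if __name__ == "__main__":
    leases, errors = load_leases(SAMPLE_LEASES)
    print(f"{len(leases)} leases loaded, {len(errors)} rejected: {errors}")
    print("duplicate addresses:", duplicate_ips(leases))
```

Run against a synced copy of /var/lib/misc/dnsmasq.leases before bringing a backup instance up, the error list tells you which lines to fix, and the duplicate report surfaces the two-records-for-one-address situation the MAC-change thread describes.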

Re: [Dnsmasq-discuss] DHCP, how to ignore the client MAC address?

2019-01-10 Thread Michael Schleicher
Hi John,

many thanks for your reply and help.

On 1/10/19 9:28 AM, john doe wrote:
> On 1/9/2019 11:38 AM, MIchael Schleicher wrote:
>>
>> On 09.01.19 08:14, john doe wrote:
>>> On 1/8/2019 11:31 AM, smicha wrote:
>>>> Hi John,
>>>>
>>>> thanks for your reply.
>>>>
>>>> I did some tests with your hints.
>>>>
>>>> On 7.1.2019 17:41, john doe wrote:
>>>>>
>>>>> Some hints from dnsmasq.conf:
>>>>>
>>>>> # Give the machine which says its name is "bert" IP address
>>>>> # 192.168.0.70 and an infinite lease
>>>>> #dhcp-host=bert,192.168.0.70,infinite
>>>>
>>>> Does not work with my setup, because when we re-deploy a VM, the MAC
>>>> address will be automatically changed.
>>>> The re-deployed VM will then get a different IP than the old VM had
>>>> before.
>>>>
>>>
>>> I just tested this option  and the behavior described is correct with
>>> dnsmasq 2.76, from the man page:
>>
>> I have running the version 2.78.
>>
>>> "--dhcp-host=lap,192.168.0.199 tells dnsmasq to always allocate the
>>> machine lap the IP address 192.168.0.199.
>>> Addresses allocated like this are not constrained to be in the range
>>> given by the --dhcp-range option, but they must be in the same subnet as
>>> some valid dhcp-range. For subnets which don't need"
>>
>> Yes, the config "--dhcp-host=lap,192.168.0.199" is working. The VM with
>> the hostname "lap" will get the IP 192.168.0.199.
>>
>> But I have the problem when I have a new VM, a new version of the VM
>> "lap", which has a different MAC address.
>> Then that new version of VM "lap" does not get 192.168.0.199. It gets
>> another IP from the pool.
>>
>>> As long as a client uses the hostname ("lap") the same IP will always be
>>> given to that client; the MAC address is not used.
>>>
>>
>> As far as I see, for the "first" IP provisioning that is true -> the
>> hostname is enough.
>> But then the "dnsmasq.leases" file also has the MAC address and
>> Client-ID values stored, which will be compared on the next DHCP requests.
>> If one of the values (MAC, CLIENT-ID) is then different, the DHCP client
>> will get another IP.
>>
>> Please see below for an example...
>>
>>
>>>>>
>>>>> See also (1) for more info on 'dhcp-host'.
>>>>>
>>>>>
>>>>> 1)  http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
>>>>
>>>>
>>>> Maybe it is possible to "patch" the code of dnsmasq, so that dnsmasq can
>>>> ignore the MAC address in the DHCP task?
>>>>
>>>
>>> Possibly, a more knowledgeable dnsmasqer would need to chime in to do that
>>> though! :)
>>> If '--dhcp-host=hostname,IP' is not working for you, more info would need
>>> to be provided.
>>>
>>
>>
>> BTW: the VM "lap" does not have a special "DHCP-Client-Identifier" set,
>> so it uses the MAC address as DHCP-Client-ID.
>>
>>
>> Here is some output of the dnsmasq.leases file:
>>
>> # initial DHCP-Request:
>>
>> 1547107342 00:50:56:85:02:fa 192.168.0.199 lap 01:00:50:56:85:02:fa
>>
>> As you can see, the VM "lap" (MAC 00:50:56:85:02:fa) gets the expected IP
>> -> so far so good.
>>
>>
>> Next, I power off the VM "lap" without a DHCP-Release and deploy a copy
>> of the VM "lap", which then has another MAC (00:50:56:85:02:ff)! ->
>> the MAC will always be set by the deployment of a new VM version.
>>
>>
>> Now I start the new version of the VM "lap" (the old version of the VM
>> "lap" is no longer available).
>>
>> The dnsmasq.leases now looks like this:
>> 1547116110 00:50:56:85:02:ff 192.168.0.200 lap 01:00:50:56:85:02:ff
>> 1547107342 00:50:56:85:02:fa 192.168.0.199 * 01:00:50:56:85:02:fa
>>
>>
>> As you see, the VM "lap" now has the IP "192.168.0.200" and not the
>> expected IP "192.168.0.199".
>>
>> Do you have an idea how I can fix that?
>> I tested different options with "--dhcp-host", but with no luck.
>>
>> I hope you can help me.
>>
> 
> Besides looking at the VM software to always assign the same MAC address
> to the same guest, and the fact that I'm able to reproduce what you are
> seeing, that is all I can offer.
> 

I have already checked the VM deployment software: when a new version of
a VM is cloned/deployed, the VM-deployment layer gives that new
cloned/deployed VM a different MAC.

As I said, for Linux VMs I can set a unique Client-ID, which helps, but on
Windows you cannot define a Client-ID (as far as I know).

I have already tried to find the part of the dnsmasq code where the
incoming DHCP-Request is received, so that maybe I can change or set a
(fake) Client-ID for the subsequent processing, but I did not find the
correct part of the code and also have no good know-how in C.

I will try to find the part and then do some changes and tests.

If maybe someone can give me some hints, that's very welcome.

Many thanks
Michael



Re: [Dnsmasq-discuss] DHCP, how to ignore the client MAC address?

2019-01-09 Thread MIchael Schleicher


On 09.01.19 08:14, john doe wrote:

On 1/8/2019 11:31 AM, smicha wrote:

Hi John,

thanks for your reply.

I did some tests with your hints.

On 7.1.2019 17:41, john doe wrote:


Some hints from dnsmasq.conf:

# Give the machine which says its name is "bert" IP address
# 192.168.0.70 and an infinite lease
#dhcp-host=bert,192.168.0.70,infinite


This does not work with my setup, because when we re-deploy a VM, the MAC
address will be automatically changed.
The re-deployed VM will then get a different IP than the old VM had before.



I just tested this option and the behavior described is correct with
dnsmasq 2.76, from the man page:


I am running version 2.78.


"--dhcp-host=lap,192.168.0.199 tells dnsmasq to always allocate the
machine lap the IP address 192.168.0.199.
Addresses allocated like this are not constrained to be in the range
given by the --dhcp-range option, but they must be in the same subnet as
some valid dhcp-range. For subnets which don't need"


Yes, the config "--dhcp-host=lap,192.168.0.199" is working. The VM with 
the hostname "lap" will get the IP 192.168.0.199.


But I have the problem when I have a new VM, a new version of the VM 
"lap", which has a different MAC address.
Then that new version of VM "lap" does not get 192.168.0.199. It gets 
another IP from the pool.



As long as a client uses the hostname ("lap") the same IP will always be
given to that client; the MAC address is not used.



As far as I see, for the "first" IP provisioning that is true -> the 
hostname is enough.
But then the "dnsmasq.leases" file also has the MAC address and 
Client-ID values stored, which will be compared on the next DHCP requests.
If one of the values (MAC, CLIENT-ID) is then different, the DHCP client 
will get another IP.


Please see below for an example...




See also (1) for more info on 'dhcp-host'.


1)  http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html



Maybe it is possible to "patch" the code of dnsmasq, so that dnsmasq can
ignore the MAC address in the DHCP task?



Possibly, a more knowledgeable dnsmasqer would need to chime in to do that
though! :)
If '--dhcp-host=hostname,IP' is not working for you, more info would need
to be provided.




BTW: the VM "lap" does not have a special "DHCP-Client-Identifier" set, 
so it uses the MAC address as DHCP-Client-ID.



Here is some output of the dnsmasq.leases file:

# initial DHCP-Request:

1547107342 00:50:56:85:02:fa 192.168.0.199 lap 01:00:50:56:85:02:fa

As you can see, the VM "lap" (MAC 00:50:56:85:02:fa) gets the expected IP 
-> so far so good.



Next, I power off the VM "lap" without a DHCP-Release and deploy a copy 
of the VM "lap", which then has another MAC (00:50:56:85:02:ff)! -> 
the MAC will always be set by the deployment of a new VM version.



Now I start the new version of the VM "lap" (the old version of the VM 
"lap" is no longer available).


The dnsmasq.leases now looks like this:
1547116110 00:50:56:85:02:ff 192.168.0.200 lap 01:00:50:56:85:02:ff
1547107342 00:50:56:85:02:fa 192.168.0.199 * 01:00:50:56:85:02:fa


As you see, the VM "lap" now has the IP "192.168.0.200" and not the 
expected IP "192.168.0.199".


Do you have an idea how I can fix that?
I tested different options with "--dhcp-host", but with no luck.

I hope you can help me.

Maybe you have a hint about which part of the code I can use to fake the 
incoming/received "DHCP CLIENT-ID". I think that is one of the keys to 
fix the problem.


As I said before in a previous mail, the problem is not there when the 
DHCP client sends a unique DHCP-Client-ID. In Linux that is not a 
problem, I can set that, but in Windows I do not have the option to set 
the DHCP-Client-ID! :-(


Many thanks
Michael
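As an added example (not code from the list or from dnsmasq), the audit below parses the two lease lines quoted in this thread and flags exactly the situation described: the redeployed "lap" is leased a pool address while its reserved address is still held by the never-released lease of the old MAC. The five-field IPv4 lease layout and the "01:" + MAC client-id convention are the ones shown in these messages; the reservation table, the evaluation time and the audit logic are assumptions of the example.

```python
"""Audit dnsmasq.leases against dhcp-host reservations (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Lease:
    expiry: int               # field 1: lease end as seconds since the epoch
    mac: str                  # field 2
    ip: str                   # field 3
    hostname: Optional[str]   # field 4, None when dnsmasq wrote "*"
    client_id: Optional[str]  # field 5, None when dnsmasq wrote "*"


def parse_leases(text: str) -> List[Lease]:
    """Parse the IPv4 lines of a dnsmasq.leases file.

    The 'duid' line and DHCPv6 lease lines (IPv6 address in field 3) are
    skipped because they use a different layout.
    """
    leases = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[0] == "duid" or ":" in fields[2]:
            continue
        expiry, mac, ip, hostname, client_id = fields[:5]
        leases.append(Lease(
            expiry=int(expiry), mac=mac.lower(), ip=ip,
            hostname=None if hostname == "*" else hostname,
            client_id=None if client_id == "*" else client_id.lower(),
        ))
    return leases


def client_id_is_mac_derived(lease: Lease) -> bool:
    """True when the stored client-id is just "01:" + MAC, i.e. the client
    sent no explicit DHCP client identifier (option 61) of its own and
    dnsmasq recorded hardware type 1 (Ethernet) plus the MAC instead."""
    return lease.client_id == "01:" + lease.mac


def find_reservation_conflicts(leases: List[Lease],
                               reservations: Dict[str, str],
                               now: int) -> List[dict]:
    """Compare unexpired leases with reservations (hostname -> reserved IP,
    as declared by dhcp-host=<hostname>,<ip>).

    A finding is produced when a host is leased something other than its
    reserved address, or when the reserved address is held by another lease
    (typically the stale lease of the previous MAC that was never released).
    """
    live = [lease for lease in leases if lease.expiry > now]
    by_ip = {lease.ip: lease for lease in live}
    findings = []
    for name, reserved_ip in reservations.items():
        named = [lease for lease in live if lease.hostname == name]
        if any(lease.ip == reserved_ip for lease in named):
            continue                      # reservation honoured
        blocker = by_ip.get(reserved_ip)
        if not named and blocker is None:
            continue                      # host not seen yet, address free
        findings.append({
            "hostname": name,
            "reserved_ip": reserved_ip,
            "leased_ip": named[0].ip if named else None,
            "blocking_mac": blocker.mac if blocker else None,
            "blocking_expiry": blocker.expiry if blocker else None,
        })
    return findings


# The two lease lines quoted in this thread, after the VM "lap" was
# redeployed with a new MAC while its old lease was never released.
SAMPLE_LEASES = """\
1547116110 00:50:56:85:02:ff 192.168.0.200 lap 01:00:50:56:85:02:ff
1547107342 00:50:56:85:02:fa 192.168.0.199 * 01:00:50:56:85:02:fa
"""
# Assumed reservation table: what dhcp-host=lap,192.168.0.199 declares.
SAMPLE_RESERVATIONS = {"lap": "192.168.0.199"}


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for lease in leases:
        print(f"{lease.ip:15} {lease.mac} client-id derived from MAC: "
              f"{client_id_is_mac_derived(lease)}")
    # Evaluate at a (constructed) time when both leases are still unexpired.
    for finding in find_reservation_conflicts(leases, SAMPLE_RESERVATIONS,
                                              now=1547107000):
        print(finding)
```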








Re: [Dnsmasq-discuss] DNS entry without DHCP

2018-12-08 Thread Michael

On 12/8/18 7:55 PM, dnsmasqyq@neverbox.com wrote:


Hi,

If I'm using dnsmasq just as a DNS caching server, not a DHCP one,
would it be possible to config some fixed IP addresses as DNS entries 
for my LAN?


I.e., instead of changing the hosts file on every machine on my LAN 
with the same entries, is it possible to do such configuration 
centralized at dnsmasq DNS server alone?




Yes, just add them to the /etc/hosts file on the machine running dnsmasq 
or use the addn-hosts directive to point it to another file.



Michael




Re: [Dnsmasq-discuss] dnsmasq not responding to DHCPv6 DHCPCONFIRM messages attempting to confirm an unknown lease

2018-07-20 Thread Michael Marley
On 2018-07-20 09:01, Michael Marley wrote:

> Hi,
> 
> I have dnsmasq set to be a DHCPv6 and DHCPv6 server for my local network.  
> Here is the relevant part of the configuration:
> 
> interface=vlan1
> interface=vlan2
> interface=vlan3
> interface=vlan4
> interface=vlan5
> dhcp-authoritative
> dhcp-range=interface:vlan1,10.1.0.2,10.1.255.253,1h
> dhcp-range=interface:vlan2,10.2.0.2,10.2.255.253,1h
> dhcp-range=interface:vlan3,10.3.0.2,10.3.255.253,1h
> dhcp-range=interface:vlan4,10.4.0.2,10.4.255.253,1h
> dhcp-range=interface:vlan5,10.5.0.2,10.5.255.253,1h
> dhcp-range=interface:vlan1,fdda:5f29:421b:1::2,fdda:5f29:421b:1::,64,1h
> dhcp-range=interface:vlan2,fdda:5f29:421b:2::2,fdda:5f29:421b:2::,64,1h
> dhcp-range=interface:vlan3,fdda:5f29:421b:3::2,fdda:5f29:421b:3::,64,1h
> dhcp-range=interface:vlan4,fdda:5f29:421b:4::2,fdda:5f29:421b:4::,64,1h
> dhcp-range=interface:vlan5,fdda:5f29:421b:5::2,fdda:5f29:421b:5::,64,1h
> 
> My problem is that if a DHCPv6 client attempts to confirm an unknown lease 
> (from another network, for example if I unplug a computer from vlan4 and plug 
> it into vlan3), dnsmasq doesn't respond to the DHCPCONFIRM messages that the 
> client sends.  I just get a long string of
> 
> DHCPCONFIRM(vlan4) 00:01:00:01:20:65:91:d7:3c:97:0e:7f:f5:ba
> 
> until the client finally gives up and acquires a new lease from scratch.  
> This also happens if I connect a client to my network that was previously 
> connected to another network with a DHCPv6 lease.  For DHCPv4 in the same 
> situation, it works correctly and sends a DHCPNAK, causing the client to 
> retry from scratch immediately and get a new lease quickly as described in 
> the documentation for the "dhcp-authoritative" option.  It seems to me this 
> ought to take place for DHCPv6 as well, preventing the client from having to 
> time out before obtaining a lease.  Have I configured something wrong or is 
> there a bug?
> 
> Thanks,
> 
> Michael Marley
> 

I apologize for my ineptness, but it seems dnsmasq does actually send a
NOTONLINK reply in this case (rfc3315.c:1105).  It just doesn't log that
it is doing so, which is what led me to believe that it wasn't.  My
actual problem appears to be caused by defective/bugged DHCPv6 snooping
on a switch, which I will report to the manufacturer.  I do think that
logging the NOTONLINK reply would probably be a good idea though, to
avoid confusion. 

Michael


[Dnsmasq-discuss] dnsmasq not responding to DHCPv6 DHCPCONFIRM messages attempting to confirm an unknown lease

2018-07-20 Thread Michael Marley

Hi,

I have dnsmasq set to be a DHCPv6 and DHCPv6 server for my local 
network.  Here is the relevant part of the configuration:


interface=vlan1
interface=vlan2
interface=vlan3
interface=vlan4
interface=vlan5
dhcp-authoritative
dhcp-range=interface:vlan1,10.1.0.2,10.1.255.253,1h
dhcp-range=interface:vlan2,10.2.0.2,10.2.255.253,1h
dhcp-range=interface:vlan3,10.3.0.2,10.3.255.253,1h
dhcp-range=interface:vlan4,10.4.0.2,10.4.255.253,1h
dhcp-range=interface:vlan5,10.5.0.2,10.5.255.253,1h
dhcp-range=interface:vlan1,fdda:5f29:421b:1::2,fdda:5f29:421b:1::,64,1h
dhcp-range=interface:vlan2,fdda:5f29:421b:2::2,fdda:5f29:421b:2::,64,1h
dhcp-range=interface:vlan3,fdda:5f29:421b:3::2,fdda:5f29:421b:3::,64,1h
dhcp-range=interface:vlan4,fdda:5f29:421b:4::2,fdda:5f29:421b:4::,64,1h
dhcp-range=interface:vlan5,fdda:5f29:421b:5::2,fdda:5f29:421b:5::,64,1h

My problem is that if a DHCPv6 client attempts to confirm an unknown 
lease (from another network, for example if I unplug a computer from 
vlan4 and plug it into vlan3), dnsmasq doesn't respond to the 
DHCPCONFIRM messages that the client sends.  I just get a long string of


DHCPCONFIRM(vlan4) 00:01:00:01:20:65:91:d7:3c:97:0e:7f:f5:ba

until the client finally gives up and acquires a new lease from scratch. 
 This also happens if I connect a client to my network that was 
previously connected to another network with a DHCPv6 lease.  For DHCPv4 
in the same situation, it works correctly and sends a DHCPNAK, causing 
the client to retry from scratch immediately and get a new lease quickly 
as described in the documentation for the "dhcp-authoritative" option.  
It seems to me this ought to take place for DHCPv6 as well, preventing 
the client from having to time out before obtaining a lease.  Have I 
configured something wrong or is there a bug?


Thanks,

Michael Marley



[Dnsmasq-discuss] DHCPv6 Prefix Deligation for ISPs

2018-07-01 Thread Michael Rack
Hi,

we are an ISP and we would like to provide DHCPv6-PD to our customers.

Is there a possibility to achieve that goal with DNSMASQ?

DNSMASQ has to assign a /57 network from our configured IP space and has
to insert a static route into the kernel routing table to the leased IPv6
/64 address.


Re: [Dnsmasq-discuss] [ip/address association]

2018-06-11 Thread Michael Mill

Hi Simon,

I am not entirely clear on this. Is there a specific variable which 
contains the relevant IP/information? (In cache.c)


Thanks,
Michael.

On 11/06/2018 18:51, Simon Kelley wrote:

daemon-namebuff is just a working variable. Look at the cache.c module
for name->IP lookups.


Simon.


On 11/06/18 11:20, Michael Mill wrote:

Good day,

I see that the daemon/namebuff value stores the relevant domain
information for the query.
I need the IP address associated with this query.

Where would I find this?

Thanks,
Michael.








Re: [Dnsmasq-discuss] [ip/address association]

2018-06-11 Thread Michael Mill

Good day,

I see that the daemon/namebuff value stores the relevant domain 
information for the query.

I need the IP address associated with this query.

Where would I find this?

Thanks,
Michael.


[Dnsmasq-discuss] Should results from --server be cached?

2018-03-12 Thread Michael Tolan
Hi all,

I want to ask whether queries for A records matching a --server argument
are expected to be cached. I'm running an instance of dnsmasq with the
following arguments:

dnsmasq -k --all-servers --cache-size=1 --log-facility=-
--server=/cluster.local/127.0.0.1#10053 --server=/in-addr.arpa/
127.0.0.1#10053 --server=/in6.arpa/127.0.0.1#10053 --dns-forward-max=2048
--log-queries --no-negcache

I would expect when it receives a query for a domain name matching
.cluster.local, that dnsmasq would forward the request to the specified
nameserver (127.0.0.1#10053) and that it would cache the response for the
duration of the TTL that the 127.0.0.1#10053 nameserver specifies.

The behavior I'm observing is that when requests are made for a
cluster.local domain, they are always forwarded to the 127.0.0.1#10053
nameserver.

Cache insertion metrics lead me to believe that response records are being
inserted into the cache, however, subsequent requests for the same
cluster.local address aren't actually served from the cache.

So my question is, am I misunderstanding the behavior of the --server
argument as it relates to populating the cache? Or is it possible that
dnsmasq is forwarding the query prior to checking whether the requested
value already exists in the cache?

Thanks very much,
-Michael


Re: [Dnsmasq-discuss] DHCP Relay Problem

2018-02-18 Thread Michael Garrison Stuber

On 2/16/2018 2:57 PM, Simon Kelley wrote:

From the changelog for v.78

version 2.78

 Fix DHCP relaying, broken in 2.76 and 2.77 by commit
 ff325644c7afae2588583f935f4ea9b9694eb52e. Thanks to
 John Fitzgibbon for the diagnosis and patch.


So an upgrade for the remote router looks like a good first step.

Quite so.  I had hoped to get that done this weekend, but it didn't 
happen.   I'll send an update once I've gotten it upgraded.  Thank you 
for the assistance.


--
Michael Garrison Stuber




Re: [Dnsmasq-discuss] DHCP Relay Problem

2018-02-15 Thread Michael Garrison Stuber

Thanks for your help on this.


As always, we need to know what version of dnsmasq you are running. We
don't just increment those version numbers for fun!
Wait?  You don't just do printf("Dnsmasq Version %d.%d\n", rand() % 100, 
rand() %100);  ?  :)


Sorry about that.  I got so focused on the traces I forgot the version 
numbers.


The main router is running:

Dnsmasq version ubnt/2.78-1-ubnt2  Copyright (c) 2000-2017 Simon Kelley

Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua 
TFTP conntrack ipset auth DNSSEC loop-detect inotify



The remote router is running:

Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley

Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP 
DHCPv6 no-Lua TFTP no-conntrack ipset Tomato-helper auth no-DNSSEC 
loop-detect no-inotify



I could potentially update either, though I'd prefer to work with what's 
on the device if at all possible.



The packet from the DHCP is sent to the relay at 192.168.10.1, which is
correct, and the last packet in your series, "seen at the Remote Router"
is sent to the broadcast address, 255.255.255.255, which is strong
evidence that the relay has, in fact picked up the reply and forwarded
it to the remote client.


Is it?  The Main Router/DHCP Server definitely sends a packet back to 
the remote router.  It is addressed to 192.168.10.1, but the broadcast bit 
is set.  The remote router receives it on the 192.168.1.2 interface.  I 
never see anything in the Dnsmasq log indicating that the relay response 
was received.  I also don't see anything being sent from the remote 
router to the client.  It seems like the response is getting to 
192.168.1.2, but isn't getting picked up by the Dnsmasq running in the 
relay mode.


Am I correct in thinking that the Dnsmasq Relay instance should be 
listening for a response from the Dnsmasq DHCP server instance, and then 
should send the DHCP response to the client?


I was looking at the following: 
https://www.netmanias.com/en/post/techdocs/6000/dhcp-network-protocol/understanding-dhcp-relay-agents 
to make sure I understood things correctly.   Notionally, the failure 
seems to be occurring at "2a" in figure 2 of the page.



It's sending it to the broadcast address
because the broadcast flag is on in the DHCP reply.


Is there a way to turn the broadcast flag off?  (Obviously the client 
needs to broadcast its initial discover request, but it seems to me the 
relay could unicast the request to the server, and the server could 
unicast back.)



Which interface of
the remote router are you seeing this on. It's possible that the
relay-reply path is picking the wrong interface to send it out on.


The packet capture was looking at all interfaces, but the response is 
coming in on the 192.168.1.2 interface of the remote router.



On 2/14/2018 12:50 PM, Simon Kelley wrote:

On 12/02/18 21:35, Michael Garrison Stuber wrote:

Greetings!
     I'm trying to diagnose a problem with DHCP relaying via DNSMasq.
I'm hoping someone can help, or at least point to what to investigate
next.  I have a router running DNSMasq as a DHCP server.  I have a
second router connected to the first, running DNSMasq as a relay.

[Main Router] 192.168.1.1 <--WAN-Link--> 192.168.1.2 [Remote Router]
192.168.10.1 <--Client-LAN--> DHCP client.

     When a DHCP client comes on to the Client LAN, it sends a DHCP
request.  I see this in the Remote Router Log:

Feb 12 12:32:22 yew daemon.info dnsmasq-dhcp[7855]: DHCP relay
192.168.10.1 -> 192.168.1.1

     Remote Router forwards it the Main Router:

[Packets seen at Remote Router]

12:32:22.057611 Out 00:24:9b:29:81:f3 ethertype IPv4 (0x0800), length
344: (tos 0x0, ttl 128, id 22793, offset 0, flags [none], proto UDP
(17), length 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request
[|bootp]
12:32:22.058858 Out bc:ae:c5:c3:00:4d ethertype IPv4 (0x0800), length
344: (tos 0x0, ttl 64, id 38438, offset 0, flags [none], proto UDP (17),
length 328) 192.168.10.1.67 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]
[Packets seen at Main Router]
12:32:22.213469  In 68:72:51:88:69:b4 ethertype IPv4 (0x0800), length
344: (tos 0x0, ttl 64, id 38438, offset 0, flags [none], proto UDP (17),
length 328)
     192.168.10.1.67 > 192.168.1.1.67: BOOTP/DHCP, Request from
00:24:9b:29:81:f3, length 300, hops 1, xid 0xf43325a2, secs 3072, Flags
[Broadcast]
   Gateway-IP 192.168.10.1
   Client-Ethernet-Address 00:24:9b:29:81:f3
   Vendor-rfc1048 Extensions
     Magic Cookie 0x63825363
     DHCP-Message Option 53, length 1: Discover
     Client-ID Option 61, length 7: ether 00:24:9b:29:81:f3
     Hostname Option 12, length 10: "MTGS-SBOOK"
     Vendor-Class Option 60, length 8: "MSFT 5.0"
     Parameter-Request Option 55, length 13:
   Subnet-Mask, D

[Dnsmasq-discuss] DHCP Relay Problem

2018-02-12 Thread Michael Garrison Stuber

Greetings!
    I'm trying to diagnose a problem with DHCP relaying via DNSMasq.  
I'm hoping someone can help, or at least point to what to investigate 
next.  I have a router running DNSMasq as a DHCP server.  I have a 
second router connected to the first, running DNSMasq as a relay.


[Main Router] 192.168.1.1 <--WAN-Link--> 192.168.1.2 [Remote Router] 192.168.10.1 
<--Client-LAN--> DHCP client.

    When a DHCP client comes on to the Client LAN, it sends a DHCP 
request.  I see this in the Remote Router Log:


Feb 12 12:32:22 yew daemon.info dnsmasq-dhcp[7855]: DHCP relay 192.168.10.1 -> 
192.168.1.1

    Remote Router forwards it the Main Router:

[Packets seen at Remote Router]

12:32:22.057611 Out 00:24:9b:29:81:f3 ethertype IPv4 (0x0800), length 
344: (tos 0x0, ttl 128, id 22793, offset 0, flags [none], proto UDP 
(17), length 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request 
[|bootp]
12:32:22.058858 Out bc:ae:c5:c3:00:4d ethertype IPv4 (0x0800), length 
344: (tos 0x0, ttl 64, id 38438, offset 0, flags [none], proto UDP (17), 
length 328) 192.168.10.1.67 > 192.168.1.1.67: BOOTP/DHCP, Request [|bootp]

[Packets seen at Main Router]
12:32:22.213469  In 68:72:51:88:69:b4 ethertype IPv4 (0x0800), length 
344: (tos 0x0, ttl 64, id 38438, offset 0, flags [none], proto UDP (17), 
length 328)
    192.168.10.1.67 > 192.168.1.1.67: BOOTP/DHCP, Request from 
00:24:9b:29:81:f3, length 300, hops 1, xid 0xf43325a2, secs 3072, Flags 
[Broadcast]

  Gateway-IP 192.168.10.1
  Client-Ethernet-Address 00:24:9b:29:81:f3
  Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    Client-ID Option 61, length 7: ether 00:24:9b:29:81:f3
    Hostname Option 12, length 10: "MTGS-SBOOK"
    Vendor-Class Option 60, length 8: "MSFT 5.0"
    Parameter-Request Option 55, length 13:
  Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
  Router-Discovery, Static-Route, Vendor-Option, 
Netbios-Name-Server
  Netbios-Node, Netbios-Scope, Classless-Static-Route, 
Classless-Static-Route-Microsoft

  Option 252

    The main router responds:

[Packets seen at Main Router]
12:32:22.215239 Out 80:2a:a8:4f:c4:02 ethertype IPv4 (0x0800), length 
346: (tos 0xc0, ttl 64, id 33748, offset 0, flags [none], proto UDP 
(17), length 330)
    192.168.1.1.67 > 192.168.10.1.67: BOOTP/DHCP, Reply, length 302, 
hops 1, xid 0xf43325a2, secs 3072, Flags [Broadcast]

  Your-IP 192.168.10.133
  Server-IP 192.168.1.1
  Gateway-IP 192.168.10.1
  Client-Ethernet-Address 00:24:9b:29:81:f3
  Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Offer
    Server-ID Option 54, length 4: 192.168.1.1
    Lease-Time Option 51, length 4: 86400
    RN Option 58, length 4: 43200
    RB Option 59, length 4: 75600
    Subnet-Mask Option 1, length 4: 255.255.255.0
    BR Option 28, length 4: 192.168.10.255
    Domain-Name Option 15, length 8: "localnet"
    Domain-Name-Server Option 6, length 4: 192.168.1.1
    Default-Gateway Option 3, length 4: 192.168.10.1

[Packet seen at Remote Router]
12:32:22.062199   P 80:2a:a8:4f:c4:02 ethertype IPv4 (0x0800), length 
346: (tos 0xc0, ttl 64, id 33748, offset 0, flags [none], proto UDP 
(17), length 330) 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, 
Reply, length 302, hops 1, xid 0xf43325a2, secs 3072, Flags [Broadcast]

  Your-IP 192.168.10.133
  Server-IP 192.168.1.1 [|bootp]

Unfortunately, the DNSMasq Process at the Remote Router never picks up 
the response to send it to the client. I've tried using the  
option of the --dhcp-relay option in DNSMasq, but it doesn't seem to 
make a difference. ipforwarding is on, and iptables is set to accept 
everything in both directions.  I can't tell whether DNSMasq at the 
Remote Router is receiving the response and ignoring it, or if it never 
makes it to the DNSMasq process.


Is there any way to crank up the logging on DNSMasq even higher?  Am I 
right in thinking that DNSMasq should in fact receive this message, 
process it, and forward the response to the client?  Any tips on how to 
troubleshoot this?


-- Michael Garrison Stuber
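As an added example (not code from the list or from dnsmasq), the Offer captured at the main router above is rebuilt from the fields shown in the trace, decoded, and run through the relay-agent delivery rule of RFC 1542 that explains why the remote router's copy is sent to 255.255.255.255; the rebuilt packet comes out at the 302 bytes the trace reports. The remote router's interface addresses are an assumption of the example.

```python
"""Decode a BOOTP/DHCP reply and apply the relay-agent delivery rule.

Added example: the Offer is rebuilt from the fields shown in the capture
at the main router; the relay's interface addresses are assumed.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
FLAG_BROADCAST = 0x8000                  # the "B" bit of the flags field
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"    # 236-byte fixed BOOTP header
BROADCAST = "255.255.255.255"


def build_reply(xid: int, secs: int, flags: int, yiaddr: str, siaddr: str,
                giaddr: str, chaddr: str, options: List[Tuple[int, bytes]],
                hops: int = 1) -> bytes:
    """Assemble a BOOTREPLY; options are (code, value) pairs in wire order."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    head = struct.pack(HEADER, BOOTREPLY, 1, len(mac), hops, xid, secs, flags,
                       socket.inet_aton("0.0.0.0"), socket.inet_aton(yiaddr),
                       socket.inet_aton(siaddr), socket.inet_aton(giaddr),
                       mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC_COOKIE + body + b"\xff"     # 0xff ends the options


def parse(data: bytes) -> Dict:
    """Unpack the fixed header and the TLV options after the magic cookie."""
    fixed = struct.calcsize(HEADER)
    (op, _htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, _sname, _file) = struct.unpack(HEADER, data[:fixed])
    if data[fixed:fixed + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, fixed + 4
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:                  # pad option, single byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "ciaddr": socket.inet_ntoa(ciaddr), "yiaddr": socket.inet_ntoa(yiaddr),
        "siaddr": socket.inet_ntoa(siaddr), "giaddr": socket.inet_ntoa(giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": options,
    }


def relay_delivery(pkt: Dict, relay_addrs) -> Optional[Tuple[str, str]]:
    """Where a relay agent that owns relay_addrs must send this reply.

    RFC 1542 section 4.1.2: a BOOTREPLY is accepted only if giaddr is one
    of the relay's own addresses; it is then broadcast on that interface
    when the client set the broadcast flag, else unicast to yiaddr with
    chaddr as the link-layer destination. None means the relay drops it.
    """
    if pkt["op"] != BOOTREPLY or pkt["giaddr"] not in relay_addrs:
        return None
    if pkt["broadcast"]:
        return (BROADCAST, "broadcast flag set: broadcast on the giaddr interface")
    return (pkt["yiaddr"], "unicast to yiaddr using chaddr as destination MAC")


# Option values exactly as listed in the captured Offer.
OFFER_OPTIONS = [
    (53, b"\x02"),                              # DHCP message type: Offer
    (54, socket.inet_aton("192.168.1.1")),      # server identifier
    (51, struct.pack("!I", 86400)),             # lease time
    (58, struct.pack("!I", 43200)),             # renewal time (T1)
    (59, struct.pack("!I", 75600)),             # rebinding time (T2)
    (1, socket.inet_aton("255.255.255.0")),     # subnet mask
    (28, socket.inet_aton("192.168.10.255")),   # broadcast address
    (15, b"localnet"),                          # domain name
    (6, socket.inet_aton("192.168.1.1")),       # DNS server
    (3, socket.inet_aton("192.168.10.1")),      # default gateway
]
OFFER = build_reply(xid=0xF43325A2, secs=3072, flags=FLAG_BROADCAST,
                    yiaddr="192.168.10.133", siaddr="192.168.1.1",
                    giaddr="192.168.10.1", chaddr="00:24:9b:29:81:f3",
                    options=OFFER_OPTIONS)
# Assumed: the remote router relays with these two interface addresses.
REMOTE_ROUTER_ADDRS = {"192.168.1.2", "192.168.10.1"}

if __name__ == "__main__":
    pkt = parse(OFFER)
    print(f"BOOTP length {len(OFFER)}, xid {pkt['xid']:#x}, "
          f"broadcast={pkt['broadcast']}, giaddr={pkt['giaddr']}")
    print("relay delivers to:", relay_delivery(pkt, REMOTE_ROUTER_ADDRS))
```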



[Dnsmasq-discuss] Show host names in dnsmasq's log

2018-02-05 Thread Michael Stiemke
I have modified cache.c to do this.

Output in the log now looks like this:

query[A] v20.vortex-win.data.microsoft.com from 192.168.5.118 = cpu-video
(dhcp)

or

query[] download.opensuse.org from 192.168.5.10 = emu-deve..eu
(static)

If there is interest, I will post the changes.

The modification just loops through the cache table and gets the names from
there - local query originators only of course, these being either static or
dhcp assigned, can be found in there.

best regards,
Michael Stiemke (mailto:m...@ansynova.com)





Re: [Dnsmasq-discuss] cnames and dns working when ip not assigned

2017-08-17 Thread Michael

On 08/14/2017 03:27 PM, Spike wrote:

Dear all,

two things I'm trying to figure out:

#CNames
how can I implement cnames in dnsmasq? I have static per mac 
assignments in my hosts file and I'd like to add one or more cnames 
per host. Is that possible, what's the syntax? I've seen some pages 
discussing the topic, but none of the solutions worked for me and more 
importantly none of them was specifying more than one cname.


#DNS while host is down
As far as I can see dnsmasq will respond to a host request only if the 
host is alive/got a dhcp. Is it possible to override this behavior? If 
I have a host definition with an ip, I need that to resolve even if 
the host is down.




I think the key is to realize dnsmasq is a tool with multiple jobs:
1) DNS
2) DHCP
3) tftp
4) etc

These jobs can all be interconnected easily within dnsmasq.

Static host for DNS - add to /etc/hosts or specify an alternate (or 
additional ) host file w/ addn-hosts= directive.


My host looks like:

192.168.1.10  hosta www aliasb aliasc
192.168.1.11  hostb
192.168.1.12  hostc

These entries are permanent and have no dependency on these hosts having 
a dhcp lease.  www, aliasb, and aliasc are now "aliases" for hosta, but 
they are A records and not CNAMEs.  Do you really require a CNAME or 
will an A record suffice?


you can then statically define DHCP clients if you choose such as:

dhcp-host=00:90:a9:f1:b3:e7,hostf

dnsmasq will now provide a dhcp lease to this host.  If hostf is in 
your hosts file, it will give it that static IP.   If it isn't, it will 
give you an IP from the dhcp range AND dynamically add hostf to DNS.   
Once the DHCP lease is no longer valid, it will remove hostf from DNS.


if you don't define the dhcp-host at all, it will give a DHCP ip and use 
the hostname the client passed up to add to DNS and will again remove it 
when the lease goes away.


Does that help clarify?

Michael







Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-21 Thread Michael Stilkerich

On 2016-12-21 01:26, Markus Hartung wrote:


So I guess the automatic creation of -records doesn't work any
more if I enable privacy extensions.


Your IPv6 host can (and usually does) have several IPv6 addresses at a 
time. Disabling the use of randomized identifiers ensures that one of 
those addresses is an EUI-64 address. But the privacy extensions are still 
enabled (this is a separate option, "netsh interface ipv6 set privacy 
state=disabled"), and your host will additionally have temporary addresses 
that expire & change over time and are used for outgoing connections.


Thanks for the pointers, now I'm able to correctly get an IPv6-address
that should work with ra-names. However it seems that dnsmasq doesn't
have any hostname in the DHCPv4 lease file.

$ cat /var/lib/misc/dnsmasq.leases
1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *


Well, dnsmasq needs to get the hostname to assign to a machine from 
someplace. I don't know all the possible places (search the manual page 
for that), but I can think of:

  1) Dnsmasq configuration (dhcp-host options)
  2) /etc/ethers if enabled
  3) suggested with the DHCPv4 request by the client

I think Windows 10 should suggest a hostname (3), at least it seems to 
do for me. I have manually assigned a hostname on the Windows computer, 
and dnsmasq knows and assigns it.

-Mike




Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-20 Thread Michael Stilkerich

Hello Markus,

  Windows 10 by default uses randomized identifiers instead of the MAC 
address. You can turn this off using the following command in an admin 
shell:


netsh interface ipv6 set global randomizeidentifiers=disabled

In addition to that, make sure that the Windows computer replies to the 
ICMP echo requests that dnsmasq uses to check if the address is in use.


With this setting the Windows computer should still use temporary 
addresses to initiate outgoing connections, but be reachable on EUI-64 
based address.


-Mike

On 2016-12-19 00:07, Markus Hartung wrote:

Hello,

Anyone here that is more knowledgeable about IPv6 and Windows 10 hosts?

I have set up my dnsmasq as an authoritative DNS server and have enabled
RA with these options:

enable-ra
dhcp-range=tag:eno1,::1,::,constructor:eno1,ra-names,24h

It seems that my Linux hosts are correctly getting an IPv6 address and
correctly register an AAAA-record in the DNS server.

My Windows 10 host gets an IPv6 address but doesn't get any
AAAA-record.


Can anyone shed any light on the situation? Do the Linux and Windows
hosts get their IPv6 differently? And is there a way to get Windows to
register an AAAA-record?

Cheers,
Markus




[Dnsmasq-discuss] Moving client to new subnet

2016-08-01 Thread Michael Crider - HOEC
We recently migrated from isc-dhcp-server running on Ubuntu Server 10.04 
to dnsmasq running on Ubuntu Server 16.04. We have a dhcp-range defined 
that is static - all clients on that subnet are defined in a 
dhcp-hostsfile. We have a second dhcp-range defined that is dynamic (for 
"visitor" devices). With our old server, when we were adding a new 
client (either Windows or Ubuntu) we would let it grab a dynamic address 
on the first boot, then get the MAC address and add it to the 
dhcp-hostsfile, restart dhcp and reboot or otherwise renew the ip 
address on the client. With the new server we have learned that the 
client will still request and be granted the dynamic address, even if 
dnsmasq was stopped and the lease deleted. Is there a setting for 
dnsmasq that will force it to give a static address when one is defined 
for the client (based on MAC and/or computer name), even if a dynamic 
address is requested?

--
Michael Crider, IT Supervisor
Howell-Oregon Electric Cooperative
West Plains MO
http://www.hoecoop.org



Re: [Dnsmasq-discuss] ProxyDHCP mode is broken for serving ipxe.efi to UEFI pxe clients

2016-05-15 Thread Michael Kuron
Hi Simon,

thanks, it’s working fine for me now. Before releasing 2.76, it would be good 
if more people could test this on actual hardware.
Also, there’s one more item that needs to go into the release notes: we now 
redirect all clients to port 4011, including the BIOS clients. This is a change 
in behavior over the previous release, where the option 43 menu was sent on 
port 68. This could potentially break things for some very old and broken PXE 
implementations. It’s unlikely, since the port 4011 stuff has always been part 
of the PXE spec, but possible. I don’t think it’s really necessary, but I have 
included a patch below that restricts the port 4011 redirect to CSA >= 6. With 
that patch, the PXE behavior for BIOS clients is exactly what it was in older 
releases.

Michael


--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -882,8 +882,13 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  
  clear_packet(mess, end);
  
- /* Redirect the client to port 4011 */
- mess->siaddr = tmp->local;
+ /* Redirect EFI clients to port 4011 */
+ int redirect4011 = 0;
+ if (pxearch >= 6)
+ {
+ redirect4011 = 1;
+ mess->siaddr = tmp->local;
+ }
  /* Returns true if only one matching service is available. On 
port 4011, 
 it also inserts the boot file and server name. */
  workaround = pxe_uefi_workaround(pxearch, tagif_netid, mess, 
tmp->local, now, pxe);
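Review bot: the message's claim that BIOS behaviour is now "exactly what it was in older releases" does not hold for siaddr. The code this series replaces set `mess->siaddr = tmp->local` on the port-67 reply for every architecture (the removed `if (!pxe) mess->siaddr = tmp->local;` is visible in the 2016-05-14 patch below), whereas this hunk leaves siaddr at zero for `pxearch < 6` on both the port-67 and the port-4011 reply. Either add `else if (!pxe) mess->siaddr = tmp->local;` to restore the old BIOS packet, or record the difference in the release notes. Also, `int redirect4011 = 0;` is declared after statements in the block; put it at the top of the block next to the other locals, as the 2015-10-31 patch below does with `int num_services = 0;`.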
@@ -906,7 +911,7 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, 
htonl(tmp->local.s_addr));
  pxe_misc(mess, end, uuid);
  prune_vendor_opts(tagif_netid);
- if (pxe && !workaround)
+ if ((pxe && !workaround) || !redirect4011)
do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, 
now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);

  log_packet("PXE", NULL, emac, emac_len, iface_name, ignore ? 
"proxy-ignored" : "proxy", NULL, mess->xid);
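Review bot: `if ((pxe && !workaround) || !redirect4011)` adds the option 43 menu to the port-4011 reply for BIOS clients even when `pxe_uefi_workaround()` has just written the single matching boot file and server into the packet (it does that whenever `pxe` is set and exactly one service matches), so those clients now receive both; before this series the 4011 condition was plain `if (!workaround)`. If the intent is only to keep the port-67 menu for BIOS clients, the condition that reproduces both old paths is `if (pxe ? !workaround : !redirect4011)`; otherwise add a comment saying the duplication is deliberate.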




Re: [Dnsmasq-discuss] ProxyDHCP mode is broken for serving ipxe.efi to UEFI pxe clients

2016-05-14 Thread Michael Kuron
I have included a patch below that makes essentially two modifications to get 
PXE working with the UEFI firmware in VMware.
- It only appends the layer number to the file name on BIOS x86.
- It always redirects the client to port 4011. To do that, only the siaddr is 
set and neither a boot file nor a PXE menu are included in the Offer sent upon 
receiving the Discover. In reaction to the ACK it then sends an ACK which 
includes either the single boot file name and server, or the PXE menu.

This patch works to the same degree as my patch did. VMware boots fine with a 
single boot service, and the menu also works if you specify multiple, however 
you have to blindly navigate the menu because it is not shown on screen.

Michael


--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -63,7 +63,7 @@ static void pxe_misc(struct dhcp_packet *mess, unsigned char 
*end, unsigned char
 static int prune_vendor_opts(struct dhcp_netid *netid);
 static struct dhcp_opt *pxe_opts(int pxe_arch, struct dhcp_netid *netid, 
struct in_addr local, time_t now);
 struct dhcp_boot *find_boot(struct dhcp_netid *netid);
-static int pxe_uefi_workaround(int pxe_arch, struct dhcp_netid *netid, struct 
dhcp_packet *mess, struct in_addr local, time_t now);
+static int pxe_uefi_workaround(int pxe_arch, struct dhcp_netid *netid, struct 
dhcp_packet *mess, struct in_addr local, time_t now, int pxe);
   
 size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int 
int_index,
  size_t sz, time_t now, int unicast_dest, int *is_inform, int 
pxe, struct in_addr fallback)
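Review bot: the new `int pxe` argument to `pxe_uefi_workaround()` changes what the function does (see the `if (!pxe) return 1;` hunk further down), but nothing at the prototype says what the flag means. Add a one-line comment here such as `/* pxe: non-zero for replies on port 4011; only then are file/siaddr/sname filled in */`, or give the parameter a name that says so (for example `fill_boot_fields`), since a bare `pxe` reads as "is this a PXE client".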
@@ -824,7 +824,10 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  else
mess->siaddr = context->local; 
  
- snprintf((char *)mess->file, sizeof(mess->file), "%s.%d", 
service->basename, layer);
+ if (pxearch == 0)
+ snprintf((char *)mess->file, sizeof(mess->file), "%s.%d", 
service->basename, layer);
+ else
+ strncpy((char *)mess->file, service->basename, 
sizeof(mess->file));
  option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPACK);
  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, 
htonl(context->local.s_addr));
  pxe_misc(mess, end, uuid);
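Review bot: `strncpy((char *)mess->file, service->basename, sizeof(mess->file));` in the new `else` branch copies the full size of the buffer, so a basename of 128 characters or more leaves `mess->file` without a terminating NUL; the other copies into this field in the series use `sizeof(mess->file)-1` (see `strncpy((char *)mess->file, boot->file, sizeof(mess->file)-1);` in the 2015-10-31 patch below), and this one should too. `pxearch == 0` also hardcodes x86PC; a comment or named constant would make the BIOS-only intent obvious.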
@@ -879,11 +882,10 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  
  clear_packet(mess, end);
  
- /* Only do workaround for replies to 4011 */
- if (!pxe)
-   mess->siaddr = tmp->local;
- else 
-   workaround = pxe_uefi_workaround(pxearch, tagif_netid, 
mess, tmp->local, now);
+ /* Redirect the client to port 4011 */
+ mess->siaddr = tmp->local;
+ /* Returns true if only one matching service is available. On 
port 4011, it also inserts the boot file and server name. */
+ workaround = pxe_uefi_workaround(pxearch, tagif_netid, mess, 
tmp->local, now, pxe);
  
  if (!workaround && boot)
{
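Review bot: `mess->siaddr = tmp->local;` is now set unconditionally, including on the port-67 Offer, which is exactly what the 2015-10-24 message at the end of this page reports breaks the Asus firmware it tested: that client downloads from the Offer's siaddr instead of the ACK's, so a `pxe-service` whose server field points at another host is ignored. The 4011 redirect needs a non-zero siaddr, so the trade-off may be unavoidable, but it belongs in the comment here and in the release notes, together with a note that a per-service server address is only honoured by firmware that takes siaddr from the 4011 reply.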
@@ -903,7 +905,7 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, 
htonl(tmp->local.s_addr));
  pxe_misc(mess, end, uuid);
  prune_vendor_opts(tagif_netid);
- if (!workaround)
+ if (pxe && !workaround)
do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, 
now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);

  log_packet("PXE", NULL, emac, emac_len, iface_name, ignore ? 
"proxy-ignored" : "proxy", NULL, mess->xid);
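Review bot: with `if (pxe && !workaround)` the port-67 reply to a BIOS client carries no option 43 menu at all and relies on the siaddr redirect to port 4011, which is the behaviour change the 2016-05-15 message above flags for the release notes. Add a comment here that the menu is deliberately deferred to the 4011 reply so the missing `else` is not read as an oversight, and since a `dhcp-boot=` fallback is still applied in the `if (!workaround && boot)` block of the previous hunk, state whether that fallback is meant to reach BIOS clients on port 67 when no menu is sent.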
@@ -1989,7 +1991,7 @@ static int prune_vendor_opts(struct dhcp_netid *netid)
and jamb the data direct into the DHCP file, siaddr and sname fields.
Note that in this case, we have to assume that layer zero would be requested
by the client PXE stack. */
-static int pxe_uefi_workaround(int pxe_arch, struct dhcp_netid *netid, struct 
dhcp_packet *mess, struct in_addr local, time_t now)
+static int pxe_uefi_workaround(int pxe_arch, struct dhcp_netid *netid, struct 
dhcp_packet *mess, struct in_addr local, time_t now, int pxe)
 {
   struct pxe_service *service, *found;
 
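Review bot: the header comment kept in context above this hunk still says the function "jamb[s] the data direct into the DHCP file, siaddr and sname fields", but with the new `pxe` argument the next hunk makes it return 1 without touching those fields when `pxe` is zero; update the comment to describe both modes and what the return value means in each.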
@@ -2009,6 +2011,9 @@ static int pxe_uefi_workaround(int pxe_arch, struct 
dhcp_netid *netid, struct dh
   if (!found)
 return 0; /* No relevant menu items. */
   
+  if (!pxe)
+ return 1;
+  
   if (found->sname)
 {
   mess->siaddr = a_record_from_hosts(found->sname, now);
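Review bot: `if (!pxe) return 1;` gives the return value two meanings: on the port-4011 path 1 means "one service matched and the boot fields were filled in", on the port-67 path it means "one service matched, nothing written". The caller tests it as `if (!workaround && boot)` (the `@@ -879` hunk above), so on port 67 a configured `dhcp-boot=` fallback is skipped whenever a single pxe-service matches even though the packet contains no boot information. If that is the intent, say so in the comment; otherwise return a distinct value for this case so the caller can tell the two apart.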
@@ -2024,7 +2029,10 @@ static int pxe_uefi_workaround(int pxe_arch, struct 
dhcp_netid *netid, struct dh
   inet_ntop(AF_INET, &mess->siaddr, (char *)mess->sna

Re: [Dnsmasq-discuss] ProxyDHCP mode is broken for serving ipxe.efi to UEFI pxe clients

2016-05-09 Thread Michael Kuron
> - I think that this is just a workaround (because what
>  dnsmasq implements should be working for PXE/UEFI ...)
>  and it may not be needed in the future ..  so kind more 'elegant' to
>  implement it this way (option could be called 'pxe-menu-workaround'
>  perhaps ?

This workaround will be required for at least a decade to come, as many current 
UEFI implementations still don’t correctly implement menus. So 99% of setups 
would need to enable the workaround, which means it should be default to avoid 
confusion.
Also, what’s wrong with disabling the menu if there is only one entry for the 
architecture, like my patch does? It doesn’t reduce functionality in any way 
and reduces the number of configuration options needed in the most common 
scenarios.

> - It gives more flexibility: the workaround can be applied only
>  to predefined  and  (sorry - patched man page should be
>  improved to state that clearly): so we can use that to implement
>  for example sthg like this:
> 
>   - match on given hwaddr prefix with dhcp-match, then tag
>   - match on tag and client architecture and apply workaround only
> then.

You can also use tags with my patch and achieve the same thing. For example, if 
you want clients with tag abcd to display a menu with two entries and all other 
clients to boot directly to the first entry (which for them is the only entry, 
thus invoking my workaround), you should be able to use something like
pxe-service=BC_EFI,iPXE,pxelinux
pxe-service=tag:abcd,BC_EFI,iPXE,ipxe

> - setting of sname is indeed because I found 2 clients which did not
>  want to boot without it ..

Ok, then I suggest we add that to my patch.

> - naming convention:
> 
>  .0 vs. .efi

The .0 for X86PC can’t be changed due to backwards compatibility, 
otherwise everybody would have to update their config files. I’d be ok with not 
automatically adding an extension for all other architectures though. However, 
that would be inconsistent and also backwards-incompatible, though I wouldn’t 
worry too much about the latter as googling for "pxe-service=..." does not 
yield any meaningful hits for anything but x86PC, IA32_EFI, BC_EFI and 
X86-64_EFI.

Michael




Re: [Dnsmasq-discuss] ProxyDHCP mode is broken for serving ipxe.efi to UEFI pxe clients

2016-05-09 Thread Michael Kuron
> The difference between Michael's patch and Jarek's seems to be that
> Michael's works automatically when there is precisely one valid boot
> service line, but Jarek's needs explicit configuration. What situation
> does Jarek's approach cover, that Michael's doesn’t?

I’ve also been wondering about that. Comparing the patches, I believe that, 
when skipping the menu, the only difference is that Jarek additionally sets the 
sname field, while I only set siaddr and file. I think Jarek said that without 
sname, some of his clients didn’t boot. I think it would be fine to add the 
sname line to my patch and hopefully that should fix Jarek’s clients too 
without needing all that pxe_skip_menu code.

> Michael's patch sets the boot filename to .efi rather than .0
> when the CSA is "IA32_EFI", "BC_EFI", "Xscale_EFI", or "x86-64_EFI" but
> Jarek's doesn't. Should that be added to Jarek's patch?

Absolutely. .0 is correct for x86 BIOS and .efi is correct for EFI 
on any platform. Not sure about other (less common) platforms, but the current 
. is probably not right for anything except x86 BIOS.

> Sorry if these seem like stupid questions. I'm working blind here,
> without a test system to experiment with.

If you have access to a recent version of VMware, I can send you a VMX file and 
an EFI binary for testing.

Michael




Re: [Dnsmasq-discuss] dnsmasq offering dynamic instead of static dhcp leases - what am I doing incorrectly?

2016-02-12 Thread Michael Evans
>
> >> What am I doing incorrectly?  How should the configuration file look?
> >>
>
> dhcp-host=de:ad:be:ef:55:55,id:*,10.0.0.10 # ,hnstatic,infinite
>
>
> This is the first thing I'd be suspicious of, the fields in dhcp-host
> can come in any order, and they're typed with a load of dodgy heuristics
> which I think your commenting-out may have confused. Try actually
> deleting the commented out second and see if that helps.
>
>
> Cheers,
>
> Simon.
>
>
I was worried something like that might be the case.  I had actually also
tested the configuration as such, but there weren't any differences I could
spot.

interface=eth1
expand-hosts

dhcp-leasefile=/var/lib/misc/dnsmasq.leases

domain=example.com,10.0.0.0/16,local

dhcp-range=10.0.4.1,10.0.8.250,255.255.0.0,1h
dhcp-range=tag:staticdhcp,10.0.0.0,static,255.255.0.0,1h

dhcp-option=1,255.255.0.0
dhcp-option=3,10.0.0.1
dhcp-option=option:mtu,9000

dhcp-host=de:ad:be:ef:55:55,id:*,10.0.0.10


Somewhat oddly dhclient on the test VM doesn't accept the incorrectly
offered lease; but that is another issue.

Feb 12 18:52:38 testDnsmasq dnsmasq[113]: started, version 2.72 cachesize
150
Feb 12 18:52:38 testDnsmasq dnsmasq[113]: compile time options: IPv6
GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth
DNSSEC loop-detect
Feb 12 18:52:38 testDnsmasq dnsmasq-dhcp[113]: DHCP, static leases only on
10.0.0.0, lease time 1h
Feb 12 18:52:38 testDnsmasq dnsmasq-dhcp[113]: DHCP, IP range 10.0.4.1 --
10.0.8.250, lease time 1h
Feb 12 18:52:38 testDnsmasq dnsmasq[113]: using local addresses only for
domain 0.10.in-addr.arpa
Feb 12 18:52:38 testDnsmasq dnsmasq[113]: reading /etc/resolv.conf
Feb 12 18:52:38 testDnsmasq dnsmasq[113]: using local addresses only for
domain 0.10.in-addr.arpa
Feb 12 18:52:38 testDnsmasq dnsmasq[113]: using nameserver 192.168.1.1#53
Feb 12 18:52:38 testDnsmasq dnsmasq[113]: read /etc/hosts - 4 addresses
Feb 12 18:52:38 testDnsmasq systemd[1]: Started dnsmasq - A lightweight
DHCP and caching DNS server.
Feb 12 18:57:54 testDnsmasq dnsmasq-dhcp[113]: 1333999467 available DHCP
range: 10.0.4.1 -- 10.0.8.250
Feb 12 18:57:54 testDnsmasq dnsmasq-dhcp[113]: 1333999467 available DHCP
subnet: 10.0.0.0/255.255.0.0
Feb 12 18:57:54 testDnsmasq dnsmasq-dhcp[113]: 1333999467 client provides
name: testStatic
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467
DHCPDISCOVER(eth1) de:ad:be:af:55:55
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 tags: eth1
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 DHCPOFFER(eth1)
10.0.7.62 de:ad:be:af:55:55
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 requested
options: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 requested
options: 15:domain-name, 6:dns-server, 119:domain-search,
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 requested
options: 12:hostname, 44:netbios-ns, 47:netbios-scope,
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 requested
options: 26:mtu, 121:classless-static-route, 42:ntp-server
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 next server:
10.0.0.2
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  1
option: 53 message-type  2
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option: 54 server-identifier  10.0.0.2
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option: 51 lease-time  1h
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option: 58 T1  30m
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option: 59 T2  52m30s
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option: 28 broadcast  10.0.255.255
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option:  6 dns-server  10.0.0.2
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size: 11
option: 15 domain-name  example.com
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  2
option: 26 mtu  9000
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option:  3 router  10.0.0.1
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 sent size:  4
option:  1 netmask  255.255.0.0
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 available DHCP
range: 10.0.4.1 -- 10.0.8.250
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 available DHCP
subnet: 10.0.0.0/255.255.0.0
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 client provides
name: testStatic
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467
DHCPDISCOVER(eth1) de:ad:be:af:55:55
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 tags: eth1
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 DHCPOFFER(eth1)
10.0.7.62 de:ad:be:af:55:55
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]: 1333999467 requested
options: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
Feb 12 18:57:57 testDnsmasq dnsmasq-dhcp[113]
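
The thread above turns on a dhcp-host reservation that never takes effect, and the 2016-12-20 thread earlier on this page on a lease file with no hostname. As an added example, not from either thread and not dnsmasq code, the Python below parses the dhcp-host= and dhcp-range= lines of a dnsmasq config and the five-column IPv4 lines of dnsmasq.leases (expiry, MAC, address, hostname or *, client-id or *), then reports reserved clients holding a different address, unreserved clients holding an address outside every dynamic range, and reservations with no active lease. The config and lease lines are constructed for the example, modelled on the ones posted; note that in the posted log the DISCOVER comes from de:ad:be:af:55:55 while the dhcp-host line names de:ad:be:ef:55:55, which is the kind of discrepancy the unused-reservation report is meant to surface.

```python
"""Audit dnsmasq dhcp-host reservations against dnsmasq.leases (added example, not dnsmasq code)."""
import ipaddress
import re
from collections import namedtuple
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)
# dhcp-host fields that are neither MAC, address nor hostname: selectors, keywords, lease times
SKIP_RE = re.compile(r"(id|set|tag):.*|infinite|ignore|\d+[smhdw]?")

Reservation = namedtuple("Reservation", "mac ip hostname")
Lease = namedtuple("Lease", "expiry mac ip hostname client_id")

# Constructed sample input, modelled on the thread's config and log lines.
SAMPLE_CONF = """
dhcp-range=10.0.4.1,10.0.8.250,255.255.0.0,1h
dhcp-range=tag:staticdhcp,10.0.0.0,static,255.255.0.0,1h
dhcp-host=de:ad:be:ef:55:55,id:*,10.0.0.10
dhcp-host=00:11:22:33:44:55,printer,10.0.0.20,infinite
dhcp-host=00:11:22:33:44:66,nas,10.0.0.30
"""
# dnsmasq.leases IPv4 lines: <expiry> <mac> <ip> <hostname|*> <client-id|*>
SAMPLE_LEASES = """\
1455303474 de:ad:be:af:55:55 10.0.7.62 testStatic *
1455303500 00:11:22:33:44:55 10.0.0.20 printer 01:00:11:22:33:44:55
1455303600 3e:aa:bb:cc:dd:02 10.0.5.9 * 01:3e:aa:bb:cc:dd:02
1455303700 00:11:22:33:44:66 10.0.6.1 nas *
1455303800 aa:bb:cc:dd:ee:ff 10.0.0.99 rogue *
"""

def _config_fields(conf_text: str, key: str) -> List[List[str]]:
    # Comma-separated fields of every `key=` line, with comments stripped.
    return [[f.strip() for f in line[len(key) + 1:].split(",")]
            for line in (raw.split("#", 1)[0].strip() for raw in conf_text.splitlines())
            if line.startswith(key + "=")]

def parse_dhcp_hosts(conf_text: str) -> List[Reservation]:
    """dhcp-host fields may come in any order, so classify each one by shape."""
    res = []
    for fields in _config_fields(conf_text, "dhcp-host"):
        mac = ip = host = None
        for f in fields:
            if MAC_RE.fullmatch(f):
                mac = f.lower()
            elif SKIP_RE.fullmatch(f):
                continue
            else:
                try:
                    ip = ipaddress.IPv4Address(f)
                except ipaddress.AddressValueError:
                    host = f                  # anything else is the hostname
        if mac:
            res.append(Reservation(mac, ip, host))
    return res

def parse_dynamic_ranges(conf_text: str) -> List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """(first, last) of each dynamic dhcp-range; a `static` range only serves dhcp-host entries."""
    ranges = []
    for fields in _config_fields(conf_text, "dhcp-range"):
        fields = [f for f in fields if not f.startswith(("tag:", "set:"))]
        if len(fields) >= 2 and fields[1] != "static":
            try:
                ranges.append((ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])))
            except ipaddress.AddressValueError:
                continue                      # IPv6 or malformed range: not an IPv4 pool
    return ranges

def parse_leases(lease_text: str) -> List[Lease]:
    """IPv4 lease lines only; the DHCPv6 `duid` line and IPv6 leases are skipped."""
    leases = []
    for raw in lease_text.splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] == "duid":
            continue
        expiry, mac, ip, host, cid = parts[:5]
        try:
            addr = ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError:
            continue
        leases.append(Lease(int(expiry), mac.lower(), addr,
                            None if host == "*" else host, None if cid == "*" else cid))
    return leases

def audit(conf_text: str, lease_text: str) -> List[Tuple[str, str]]:
    """(severity, message) findings in lease-file order, then reservations never used."""
    reservations: Dict[str, Reservation] = {r.mac: r for r in parse_dhcp_hosts(conf_text)}
    ranges = parse_dynamic_ranges(conf_text)
    findings, seen = [], set()
    for lease in parse_leases(lease_text):
        in_pool = any(lo <= lease.ip <= hi for lo, hi in ranges)
        res = reservations.get(lease.mac)
        if res is None:
            if not in_pool:
                findings.append(("WARN", f"{lease.mac} holds {lease.ip} outside every dynamic range and has no dhcp-host entry"))
            continue
        seen.add(lease.mac)
        if res.ip is not None and lease.ip != res.ip:
            findings.append(("WARN", f"{lease.mac} is reserved {res.ip} but holds {lease.ip}"))
    for mac, res in reservations.items():
        if mac not in seen:
            findings.append(("INFO", f"reservation for {mac} ({res.ip}) has no active lease; compare the MAC with the client's DHCPDISCOVER"))
    return findings
```

Run `audit(open("/etc/dnsmasq.conf").read(), open("/var/lib/misc/dnsmasq.leases").read())` against a live system; with `conf-dir=` in use, concatenate the fragment files first. A reservation that is never used while the same hostname shows up on a pool address is the signature of a MAC typo or a client that identifies itself differently from what the dhcp-host line expects.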

Re: [Dnsmasq-discuss] dnsmasq offering dynamic instead of static dhcp leases - what am I doing incorrectly?

2016-02-11 Thread Michael Evans
Re-sending after temporarily subscribing

On Thu, Feb 11, 2016 at 4:11 PM Michael Evans  wrote:

> My goal is to have dnsmasq serve DHCP leases on an interface, either for
> static addresses (either within that interface's very large subnet mask)
>
> 71: eth1@if72:  mtu 1500 qdisc fq_codel
> state UP group default qlen 1000
> link/ether de:ad:be:af:f0:0d brd ff:ff:ff:ff:ff:ff
> inet 10.0.0.2/16 brd 10.0.255.255 scope global eth1
>valid_lft forever preferred_lft forever
> inet6 fe80::dcad:beff:feaf:f00d/64 scope link
>valid_lft forever preferred_lft forever
>
>
> Using a config-dir entry (which is scanned according to the ranges)
>
>
> interface=eth1
> expand-hosts
>
> dhcp-leasefile=/var/lib/misc/dnsmasq.leases
>
> domain=example.com,10.0.0.0/16,local
>
> dhcp-range=10.0.4.1,10.0.8.250,255.255.0.0,1h
> dhcp-range=tag:staticdhcp,10.0.0.0,static,255.255.0.0,1h
>
> # dhcp-options skipped for brevity
>
> dhcp-host=de:ad:be:ef:55:55,id:*,10.0.0.10 # ,hnstatic,infinite
>
>
> Yet the offered address is from the dynamic range.
>
>
> Feb 12 00:09:00 testDnsmasq dnsmasq[312]: started, version 2.72 cachesize
> 150
> Feb 12 00:09:00 testDnsmasq dnsmasq[312]: compile time options: IPv6
> GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth
> DNSSEC loop-detect
> Feb 12 00:09:00 testDnsmasq dnsmasq-dhcp[312]: DHCP, static leases only on
> 10.0.0.0, lease time 1h
> Feb 12 00:09:00 testDnsmasq dnsmasq-dhcp[312]: DHCP, IP range 10.0.4.1 --
> 10.0.8.250, lease time 1h
> Feb 12 00:09:00 testDnsmasq dnsmasq[312]: using local addresses only for
> domain 0.10.in-addr.arpa
> Feb 12 00:09:00 testDnsmasq dnsmasq[312]: reading /etc/resolv.conf
> Feb 12 00:09:00 testDnsmasq dnsmasq[312]: using local addresses only for
> domain 0.10.in-addr.arpa
> Feb 12 00:09:00 testDnsmasq dnsmasq[312]: using nameserver 192.168.1.1#53
> Feb 12 00:09:00 testDnsmasq dnsmasq[312]: read /etc/hosts - 4 addresses
> Feb 12 00:09:00 testDnsmasq systemd[1]: Started dnsmasq - A lightweight
> DHCP and caching DNS server.
> Feb 12 00:09:06 testDnsmasq dnsmasq-dhcp[312]: 2573025057 available DHCP
> range: 10.0.4.1 -- 10.0.8.250
> Feb 12 00:09:06 testDnsmasq dnsmasq-dhcp[312]: 2573025057 available DHCP
> subnet: 10.0.0.0/255.255.0.0
> Feb 12 00:09:06 testDnsmasq dnsmasq-dhcp[312]: 2573025057 client provides
> name: testStatic
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057
> DHCPDISCOVER(eth1) de:ad:be:af:55:55
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 tags: eth1
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 DHCPOFFER(eth1)
> 10.0.7.62 de:ad:be:af:55:55
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 requested
> options: 1:netmask, 28:broadcast, 2:time-offset, 3:router,
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 requested
> options: 15:domain-name, 6:dns-server, 119:domain-search,
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 requested
> options: 12:hostname, 44:netbios-ns, 47:netbios-scope,
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 requested
> options: 26:mtu, 121:classless-static-route, 42:ntp-server
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 next server:
> 10.0.0.2
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  1
> option: 53 message-type  2
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option: 54 server-identifier  10.0.0.2
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option: 51 lease-time  1h
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option: 58 T1  30m
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option: 59 T2  52m30s
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option: 28 broadcast  10.0.255.255
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option:  6 dns-server  10.0.0.2
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size: 11
> option: 15 domain-name  example.com
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  2
> option: 26 mtu  9000
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option:  3 router  10.0.0.1
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 sent size:  4
> option:  1 netmask  255.255.0.0
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 available DHCP
> range: 10.0.4.1 -- 10.0.8.250
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 available DHCP
> subnet: 10.0.0.0/255.255.0.0
> Feb 12 00:09:09 testDnsmasq dnsmasq-dhcp[312]: 2573025057 client provides
> name: testStatic
>
>
> What am I doing incorrectly?  How should the configuration file look?
>


Re: [Dnsmasq-discuss] proxy DHCP and UEFI boot

2015-11-24 Thread Michael Kuron
I’ve posted a patch to make it work: 
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2015q4/010007.html

It works perfectly for a single PXE service. It only uses the PXE menu system 
if multiple PXE services are specified as most firmware implementations don’t 
fully support it. Make sure to specify your PXE services for both BC_EFI and 
X86-64_EFI as UEFI firmwares can’t seem to agree which one is the correct one 
to use. As usual, specify the boot file name without the suffix (.efi).

> On 24.11.2015, at 00:25, Michael Walton  wrote:
> 
> Hi mailing list,
> has there been any recent progress getting proxy DHCP + UEFI boot to work?
> I'm using dnsmasq in conjunction with a little known (but remarkably good)
> deployment system called crucible WDS. For windows deployments the author
> wrote his own proxy dhcp system which -I *think*- is supposed to work with 
> UEFI boot,
> so if you are looking for some code that may point in the right direction,
> check out:
> 
> https://sourceforge.net/p/cruciblewds/code/HEAD/tree/trunk/src/CWDS_ProxyDHCP/
> 
> Thanks,
> Mike W.


[Dnsmasq-discuss] proxy DHCP and UEFI boot

2015-11-23 Thread Michael Walton
Hi mailing list,

has there been any recent progress getting proxy DHCP + UEFI boot to work?

I'm using dnsmasq in conjunction with a little known (but remarkably good)

deployment system called crucible WDS. For windows deployments the author

wrote his own proxy dhcp system which -I *think*- is supposed to work with UEFI 
boot,

so if you are looking for some code that may point in the right direction,

check out:


https://sourceforge.net/p/cruciblewds/code/HEAD/tree/trunk/src/CWDS_ProxyDHCP/


Thanks,

Mike W.


Re: [Dnsmasq-discuss] dnsmasq proxy with uefi pxe not working

2015-11-18 Thread Michael Kuron
In proxy mode, you can leave out the dhcp-boot lines. Also, note that some 
hardware incorrectly reports an architecture of 9 (BC_EFI) instead of 7 
(X86-64_EFI), so in general you’ll need to have lines for both in your config.
I assume you’re using my patch from October 31st? The pxe-service line for EFI 
should not have a file extension, .efi is added automatically. Also, I’ve never 
needed dhcp-no-override or dhcp-option in proxy mode.

A Wireshark trace on UDP ports 67, 68, 69 and 4011 is generally the most useful 
thing to help you debug the issue. Check if the server address and file name 
are correctly sent to the client and make sure it requests the TFTP download 
correctly. The log output you sent looks fine.

Michael

> On 17.11.2015, at 20:48, Louis Garcia  wrote:
> 
> I have a dns proxy running on F23 and configured for older BIOS pxe and all 
> is working. On newer uefi I get a ip assigned and get to the "Press F8 for 
> the Menu." After that everything quits and returns to the bios. Here is some 
> info. If there are more debugging options let me know? I am running 
> dnsmasq-2.75 with a patch from Michael Kuron earlier on this list.
> 
> 
> /etc/dnsmasq.conf
> 
> # Configuration file for dnsmasq:
> 
> # Turn on the debugging
> log-dhcp
> 
> # Don't function as a DNS server
> port=0
> 
> # kill multicast
> dhcp-option=vendor:PXEClient,6,2b
> 
> # Disable re-use of the DHCP servername and filename fields as extra
> # option space. That's to avoid confusing some old or broken DHCP clients.
> dhcp-no-override
> 
> # This range(s) is for the public interface, where dnsmasq functions
> # as a proxy DHCP server providing boot information but no IP leases.
> # Any ip in the subnet will do, so you may just put your server NIC ip here.
> dhcp-range=192.168.0.5,proxy
> 
> # Set the boot filename for netboot/PXE. You will only need this if you want 
> to
> # boot machines over the network and you will need the built in TFTP server.
> 
> # BIOS PXE clients
> dhcp-boot=pxelinux.0
> 
> # UEFI PXE clients
> dhcp-match=set:efi-x86_64,option:client-arch,7
> dhcp-boot=tag:efi-x86_64,uefi/shim.efi
> 
> #pxe-prompt="What system shall I netboot?", timeout before first available 
> action is taken:
> pxe-prompt="Press F8 for the Menu.", 5
> 
> #Loads /pxelinux.0 from dnsmasq TFTP server.
> pxe-service=x86PC, "Install Fedora Workstation, (BIOS)", pxelinux
> 
> #Loads /uefi/shim.efi from dnsmasq TFTP server.
> pxe-service=X86-64_EFI, "Boot From Network, (UEFI)", uefi/shim.efi
> 
> # Enable dnsmasq's built-in TFTP server
> enable-tftp
> 
> # Set the root directory for files available via FTP.
> tftp-root=/srv/tftpboot
> 
> 
> logs:
> 
> systemd[1]: Started DNS caching server..
> dnsmasq[1897]: started, version 2.75 DNS disabled
> systemd[1]: Starting DNS caching server
> dnsmasq[1897]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP 
> DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
> dnsmasq-dhcp[1897]: DHCP, proxy on subnet 192.168.0.5
> dnsmasq-tftp[1897]: TFTP root is /srv/tftpboot
> dnsmasq-dhcp[1897]: 1005692705 available DHCP subnet: 
> 192.168.0.5/255.255.255.0 <http://192.168.0.5/255.255.255.0>
> dnsmasq-dhcp[1897]: 1005692705 vendor class: PXEClient:Arch:7:UNDI:003016
> dnsmasq-dhcp[1897]: 1005692705 PXE(enp0s25) b8:ae:ed:73:6f:9b proxy
> dnsmasq-dhcp[1897]: 1005692705 tags: efi-x86_64, enp0s25
> dnsmasq-dhcp[1897]: 1005692705 bootfile name: uefi/shim.efi
> dnsmasq-dhcp[1897]: 1005692705 broadcast response
> dnsmasq-dhcp[1897]: 1005692705 sent size:  1 option: 53 message-type  2
> dnsmasq-dhcp[1897]: 1005692705 sent size:  4 option: 54 server-identifier  
> 192.168.0.5
> dnsmasq-dhcp[1897]: 1005692705 sent size:  9 option: 60 vendor-class  
> 50:58:45:43:6c:69:65:6e:74
> dnsmasq-dhcp[1897]: 1005692705 sent size: 17 option: 97 client-machine-id  
> 00:00:3f:65:c8:77:72:e3:11:93:4d:b8:ae:ed...
> dnsmasq-dhcp[1897]: 1005692705 available DHCP subnet: 
> 192.168.0.5/255.255.255.0 <http://192.168.0.5/255.255.255.0>
> dnsmasq-dhcp[1897]: 1005692705 vendor class: PXEClient:Arch:7:UNDI:003016
> dnsmasq-dhcp[1897]: 378552196 available DHCP subnet: 
> 192.168.0.5/255.255.255.0 <http://192.168.0.5/255.255.255.0>
> dnsmasq-dhcp[1897]: 378552196 vendor class: PXEClient:Arch:7:UNDI:003016
> dnsmasq-dhcp[1897]: 378552196 PXE(enp0s25) b8:ae:ed:73:6f:9b proxy
> dnsmasq-dhcp[1897]: 378552196 tags: efi-x86_64, enp0s25
> dnsmasq-dhcp[1897]: 378552196 bootfile name: uefi/shim.efi
> dnsmasq-dhcp[1897]: 378552196 sent size:  1 option: 53 message-type  5
> dnsmasq-dhcp[1897]: 378552196 sent size:  4 option: 54 server-ident
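
An added example, not dnsmasq code and not from the thread, of the client classification a proxy-DHCP setup like the one above depends on. It parses the option 60 vendor class in the form the log shows (`PXEClient:Arch:7:UNDI:003016`, also accepting the zero-padded `Arch:00007`), groups architecture codes the way the 2015-10-31 patch below does (0 for BIOS x86PC, 6 to 9 for EFI), applies the suffix convention Michael describes for his patch (layer `.0` for BIOS, `.efi` added for EFI, nothing else touched), and checks a service table for the 7 and 9 pair he says both need entries. The service table and vendor class strings are constructed for the example; keying services by numeric arch rather than by pxe-service name is this example's own simplification.

```python
"""Classify a PXE client from its DHCP vendor class (option 60) and pick a boot file.

Added example for this thread, not dnsmasq code. Suffix convention follows the patch
described in the message above; the arch groups follow the 2015-10-31 patch.
"""
import re
from typing import Dict, List, Optional, Tuple

# PXE 2.1 vendor class: "PXEClient:Arch:xxxxx:UNDI:yyyzzz". Firmware is not always
# strict about the five-digit zero padding of the arch, so accept 1..5 digits.
VENDOR_CLASS_RE = re.compile(r"PXEClient:Arch:(\d{1,5}):UNDI:(\d{6})")

BIOS_ARCH = 0                 # x86PC
EFI_ARCHS = {6, 7, 8, 9}      # the CSA values the thread's 2015-10-31 patch treats as EFI
X86_64_EFI_PAIR = (7, 9)      # both seen from x86-64 UEFI firmware, per the thread

# Constructed sample: a pxe-service style table keyed by CSA, basenames without suffix.
SAMPLE_SERVICES: Dict[int, str] = {0: "pxelinux", 7: "uefi/shim", 9: "uefi/shim"}


def parse_vendor_class(vendor_class: str) -> Optional[Tuple[int, int, int]]:
    """Return (arch, undi_major, undi_minor), or None for a non-PXE client."""
    m = VENDOR_CLASS_RE.fullmatch(vendor_class.strip())
    if not m:
        return None
    undi = m.group(2)
    return int(m.group(1)), int(undi[:3]), int(undi[3:])


def boot_file_name(basename: str, arch: int) -> str:
    """x86PC gets layer 0 appended, EFI gets .efi, anything else is passed through."""
    if arch == BIOS_ARCH:
        return f"{basename}.0"
    if arch in EFI_ARCHS:
        return f"{basename}.efi"
    return basename


def select_boot_file(vendor_class: str, services: Dict[int, str]) -> Optional[str]:
    """Boot file for the client's architecture, or None if nothing matches
    (a proxy-DHCP server would then stay silent for this client)."""
    parsed = parse_vendor_class(vendor_class)
    if parsed is None:
        return None
    arch = parsed[0]
    basename = services.get(arch)
    return None if basename is None else boot_file_name(basename, arch)


def missing_x86_64_efi_sibling(services: Dict[int, str]) -> List[int]:
    """The thread advises defining the same service for both 7 and 9; report the missing one."""
    present = [a for a in X86_64_EFI_PAIR if a in services]
    if len(present) == 1:
        return [a for a in X86_64_EFI_PAIR if a not in services]
    return []


if __name__ == "__main__":
    for vc in ("PXEClient:Arch:00007:UNDI:003016", "PXEClient:Arch:00000:UNDI:002001", "MSFT 5.0"):
        print(vc, "->", select_boot_file(vc, SAMPLE_SERVICES))
    print("missing EFI sibling:", missing_x86_64_efi_sibling({0: "pxelinux", 7: "uefi/shim"}))
```

`missing_x86_64_efi_sibling` is the check to run over a config before blaming firmware: a table with only arch 7 or only arch 9 will boot some UEFI machines and silently ignore others, which is what the "for both BC_EFI and X86-64_EFI" advice in this thread is about.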

Re: [Dnsmasq-discuss] ProxyDHCP with UEFI systems

2015-10-31 Thread Michael Kuron
As it turns out, UEFI does support PXE menus, but the implementations are 
rather buggy in that regard. VMware often does not render the menu on the 
screen, but you can blindly select the menu entry using the arrow keys and boot 
it with the return key. A recent Asus laptop renders the menu, but ignores the 
TFTP server IP specified in the PXE service and instead tries to open a TFTP 
connection to the DHCP server’s IP. There probably are some fully-working 
implementations out there as well.
Below is a patch that combines the work from my previous emails with this new 
discovery. It always redirects to port 4011. If only one service is specified, 
it puts that into the siaddr and file fields directly, which should work for 
all UEFI implementations. If more than one service is specified, it sends a 
menu, which might reveal bugs in the UEFI implementation. All of this is 
backwards compatible with BIOS because the port 4011 redirect is part of the 
PXE spec.

How can I submit this patch for inclusion in dnsmasq?


diff --git a/src/rfc2131.c b/src/rfc2131.c
index 9f69ed5..bdc0f78 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -824,7 +824,10 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  else
mess->siaddr = context->local; 
  
- snprintf((char *)mess->file, sizeof(mess->file), "%s.%d", 
service->basename, layer);
+ if (service->CSA == 6 || service->CSA == 7 || service->CSA == 8 || 
service->CSA == 9)
+   snprintf((char *)mess->file, sizeof(mess->file), "%s.efi", 
service->basename);
+ else
+   snprintf((char *)mess->file, sizeof(mess->file), "%s.%d", 
service->basename, layer);
  option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPACK);
  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, 
htonl(context->local.s_addr));
  pxe_misc(mess, end, uuid);
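Review bot: `service->CSA == 6 || service->CSA == 7 || service->CSA == 8 || service->CSA == 9` is repeated in the last hunk of this patch; move it into a small helper (say `static int is_efi_arch(int csa)`, a name suggested here, not one in the tree) so the two sites cannot drift apart, and name the codes in a comment (IA32_EFI, BC_EFI, Xscale_EFI and x86-64_EFI, the pxe-service names the 2016-05-09 discussion above lists for them). The BIOS branch still formats `"%s.%d"` with `layer`, so the two branches also differ in whether the requested layer is honoured; a comment on why EFI ignores it would help.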
@@ -859,6 +862,7 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  
  if (tmp)
{
+ int num_services = 0;
  struct dhcp_boot *boot;
  
  if (tmp->netid.net)
@@ -890,13 +894,42 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  if (boot->file)
strncpy((char *)mess->file, boot->file, 
sizeof(mess->file)-1);
}
+ else
+   {
+   struct pxe_service *service;
+   for (service = daemon->pxe_services; service; 
service = service->next)
+   if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
+   ++num_services;
+   
+   if (num_services == 1 && pxe)
+   {
+   for (service = daemon->pxe_services; 
service; service = service->next)
+   if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
+   {
+   if (service->sname)
+   mess->siaddr = 
a_record_from_hosts(service->sname, now);
+   else if (service->server.s_addr 
!= 0)
+   mess->siaddr = 
service->server; 
+   else
+   mess->siaddr = 
tmp->local;
+   
+   if (service->CSA == 0)
+   snprintf((char 
*)mess->file, sizeof(mess->file), "%s.0", service->basename);
+   else if (service->CSA == 6 || 
service->CSA == 7 || service->CSA == 8 || service->CSA == 9)
+   snprintf((char 
*)mess->file, sizeof(mess->file), "%s.efi", service->basename);
+   else
+   strncpy((char 
*)mess->file, service->basename, sizeof(mess->file)-1);
+   }
+   }
+   }
  
  option_put(mess, end, OPTION_MESSAGE_TYPE, 1, 
 mess_type == DHCPDISCOVER ? DHCPOFFER : DHCPACK);
  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, 
htonl(tmp->local.s_addr));
  pxe_misc(mess, end, uuid);
  prune_vendor_opts(tagif_netid);
- do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, 
no
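Review bot: the service list is walked twice with the same `pxearch == service->CSA && match_netid(service->netid, netid, 1)` test, once to count and once to find the entry; remembering the matching pointer during the counting pass removes the second loop and the duplicated condition. In the `service->sname` branch, `mess->siaddr = a_record_from_hosts(service->sname, now)` has no fallback when the name cannot be resolved, unlike the `service->server` and `tmp->local` branches, so whatever the lookup returns on failure goes straight into the ACK's siaddr; check the returned address and fall back to `tmp->local` as the other branches do.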

Re: [Dnsmasq-discuss] ProxyDHCP with UEFI systems

2015-10-24 Thread Michael Kuron
Actually, I shouldn’t set the siaddr in the initial Offer. It’s fine for VMware 
UEFI and BIOS, but the Asus UEFI will end up trying to download the boot file 
from the Offer’s siaddr instead of the ACK’s siaddr if it’s present. So the 
small additional modification below will also allow the TFTP server to be on a 
different machine than the proxy DHCP server.

--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -898,9 +898,7 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
++num_services;

-   if (num_services == 1 && !pxe)
-   mess->siaddr = tmp->local;
-   else if (num_services == 1)
+   if (num_services == 1 && pxe)
{
for (service = daemon->pxe_services; 
service; service = service->next)
if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
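Review bot: this fragment is a diff against the previously posted patch, not against the dnsmasq tree (no `diff --git`/`index` lines, and the hunk offsets refer to the already-patched file), so it cannot be applied by itself; fold it into the full patch and resend one self-contained diff. The change itself (removing the `!pxe` branch so the DHCPOFFER no longer carries a siaddr) matches the Asus behaviour described above; with only the `num_services == 1 && pxe` case left, the counting loop could also be skipped entirely when `pxe` is false.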


> On 24.10.2015, at 15:21, Michael Kuron 
>  wrote:
> 
> More wiresharking helped me figure this out. So when UEFI receives a DHCP 
> Offer or Proxy DHCP Offer with Vendor Class Identifier (option 60) set to 
> PXEClient, it sends a DHCP Request to the siaddr from the offer, but on port 
> 4011. If the server then sends a DHCP ACK back to port 4011, containing an 
> siaddr and file name, that file is then booted. The PXE menu system does not 
> appear to be supported by UEFI.
> 
> So here’s a new patch. It does two things if there is only one applicable 
> --pxe-service specified:
> - If it receives a Discover on port 68 with a Vendor class identifier equal 
> to PXEClient, it sets the siaddr in the Offer to the local address.
> - If it receives a Request on port 4011 with a Vendor class identifier equal 
> to PXEClient, it sets the siaddr and file as specified using the 
> --pxe-service option.
> 
> This is actually working for me with VMware Fusion 8 and with a recent Asus 
> laptop. This is also backwards compatible with BIOS PXE booting (the port 
> 4011 stuff was specified a long time ago).
> 
> Regards,
> Michael
> 
> 
> 
> diff --git a/src/rfc2131.c b/src/rfc2131.c
> index 9f69ed5..32f18d1 100644
> --- a/src/rfc2131.c
> +++ b/src/rfc2131.c
> @@ -859,6 +859,7 @@ size_t dhcp_reply(struct dhcp_context *context, char 
> *iface_name, int int_index,
> 
> if (tmp)
>   {
> +   int num_services = 0;
> struct dhcp_boot *boot;
> 
> if (tmp->netid.net)
> @@ -890,13 +891,44 @@ size_t dhcp_reply(struct dhcp_context *context, char 
> *iface_name, int int_index,
> if (boot->file)
>   strncpy((char *)mess->file, boot->file, 
> sizeof(mess->file)-1);
>   }
> +   else
> + {
> + struct pxe_service *service;
> + for (service = daemon->pxe_services; service; 
> service = service->next)
> + if (pxearch == service->CSA && 
> match_netid(service->netid, netid, 1))
> + ++num_services;
> + 
> + if (num_services == 1 && !pxe)
> + mess->siaddr = tmp->local;
> + else if (num_services == 1)
> + {
> + for (service = daemon->pxe_services; 
> service; service = service->next)
> + if (pxearch == service->CSA && 
> match_netid(service->netid, netid, 1))
> + {
> + if (service->sname)
> + mess->siaddr = 
> a_record_from_hosts(service->sname, now);
> + else if (service->server.s_addr 
> != 0)
> + mess->siaddr = 
> service->server; 
> + else
> + mess->siaddr = 
> tmp->local;
> + 
> + if (service->CSA == 0)
>

Re: [Dnsmasq-discuss] ProxyDHCP with UEFI systems

2015-10-24 Thread Michael Kuron
More wiresharking helped me figure this out. So when UEFI receives a DHCP Offer 
or Proxy DHCP Offer with Vendor Class Identifier (option 60) set to PXEClient, 
it sends a DHCP Request to the siaddr from the offer, but on port 4011. If the 
server then sends a DHCP ACK back to port 4011, containing an siaddr and file 
name, that file is then booted. The PXE menu system does not appear to be 
supported by UEFI.

So here’s a new patch. It does two things if there is only one applicable 
--pxe-service specified:
- If it receives a Discover on port 68 with a Vendor class identifier equal to 
PXEClient, it sets the siaddr in the Offer to the local address.
- If it receives a Request on port 4011 with a Vendor class identifier equal to 
PXEClient, it sets the siaddr and file as specified using the --pxe-service 
option.

This is actually working for me with VMware Fusion 8 and with a recent Asus 
laptop. This is also backwards compatible with BIOS PXE booting (the port 4011 
stuff was specified a long time ago).

Regards,
Michael



diff --git a/src/rfc2131.c b/src/rfc2131.c
index 9f69ed5..32f18d1 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -859,6 +859,7 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  
  if (tmp)
{
+ int num_services = 0;
  struct dhcp_boot *boot;
  
  if (tmp->netid.net)
@@ -890,13 +891,44 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  if (boot->file)
strncpy((char *)mess->file, boot->file, 
sizeof(mess->file)-1);
}
+ else
+   {
+   struct pxe_service *service;
+   for (service = daemon->pxe_services; service; 
service = service->next)
+   if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
+   ++num_services;
+   
+   if (num_services == 1 && !pxe)
+   mess->siaddr = tmp->local;
+   else if (num_services == 1)
+   {
+   for (service = daemon->pxe_services; 
service; service = service->next)
+   if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
+   {
+   if (service->sname)
+   mess->siaddr = 
a_record_from_hosts(service->sname, now);
+   else if (service->server.s_addr 
!= 0)
+   mess->siaddr = 
service->server; 
+   else
+   mess->siaddr = 
tmp->local;
+   
+   if (service->CSA == 0)
+   snprintf((char 
*)mess->file, sizeof(mess->file), "%s.0", service->basename);
+   else if (service->CSA == 6 || 
service->CSA == 7 || service->CSA == 8 || service->CSA == 9)
+   snprintf((char 
*)mess->file, sizeof(mess->file), "%s.efi", service->basename);
+   else
+   strncpy((char 
*)mess->file, service->basename, sizeof(mess->file)-1);
+   }
+   }
+   }
  
  option_put(mess, end, OPTION_MESSAGE_TYPE, 1, 
 mess_type == DHCPDISCOVER ? DHCPOFFER : DHCPACK);
  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, 
htonl(tmp->local.s_addr));
  pxe_misc(mess, end, uuid);
  prune_vendor_opts(tagif_netid);
- do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, 
now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);
+ if (num_services != 1)
+   do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, 
now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);
  
  log_packet("PXE", NULL, emac, emac_len, iface_name, ignore ? 
"proxy-ignored" : "proxy", NULL, mess->xid);
  log_tags(tagif_neti
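Review bot: `if (num_services == 1 && !pxe) mess->siaddr = tmp->local;` puts a siaddr into the DHCPOFFER; the follow-up in this thread reports a UEFI client that then fetches the boot file from the Offer's siaddr instead of the ACK's, so this branch should be dropped (as the follow-up diff does). Separately, guarding `do_encap_opts(pxe_opts(...))` with `if (num_services != 1)` means a configuration with exactly one matching --pxe-service no longer sends any PXE vendor-encapsulated options (option 43), to BIOS clients as well; that is a behaviour change worth a line in the commit message and the man page.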

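The proxyDHCP exchange the messages in this thread describe (an Offer carrying option 60 "PXEClient", the client's Request to the Offer's siaddr on port 4011, an ACK whose fixed siaddr and file fields name the TFTP server and boot file), as an added Python example that is not dnsmasq code: it builds and parses the DHCP messages and applies the posted patch's single-service rule and its `.0`/`.efi` file-name rule. The addresses, MAC, xid and service names are constructed.

```python
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPREQUEST, DHCPACK = 3, 5
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_VENDOR_CLASS, OPT_CLIENT_ARCH, OPT_END = 53, 54, 60, 93, 255
PXE_BOOT_SERVER_PORT = 4011            # the port the client's Request lands on (informational here)
MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie closing the BOOTP header
EFI_ARCHS = {6, 7, 8, 9}               # client-architecture values the patch treats as EFI


def boot_filename(basename, arch):
    """File-name rule from the patch: ".0" for BIOS (arch 0), ".efi" for EFI, bare otherwise."""
    if arch == 0:
        return basename + ".0"
    return basename + ".efi" if arch in EFI_ARCHS else basename


def select_service(services, arch):
    """Fill siaddr/file directly only when exactly one service matches the client's arch;
    several matches mean the PXE menu (option 43) path, which is not modelled here."""
    matches = [s for s in services if s["csa"] == arch]
    return matches[0] if len(matches) == 1 else None


def parse_options(blob):
    """Decode TLV options after the cookie: stop at END, skip PAD, tolerate truncation."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            break
        length = blob[i + 1]
        opts[blob[i]] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(pkt):
    """Extract the fields a proxyDHCP server needs from a raw DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", pkt[:8])
    return {"op": op, "xid": xid,
            "siaddr": socket.inet_ntoa(pkt[20:24]),
            "chaddr": pkt[28:28 + hlen],
            "file": pkt[108:236].split(b"\0", 1)[0].decode(),
            "options": parse_options(pkt[240:])}


def build_dhcp(op, msg_type, xid, chaddr, siaddr="0.0.0.0", file="", extra_opts=()):
    """Assemble a DHCP message; the 128-byte file field is dnsmasq's mess->file."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0)
    hdr += socket.inet_aton("0.0.0.0") * 2                        # ciaddr, yiaddr: a proxy leases nothing
    hdr += socket.inet_aton(siaddr) + socket.inet_aton("0.0.0.0")  # siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 64                   # chaddr, sname (unused)
    hdr += file.encode()[:127].ljust(128, b"\0")                  # keep a NUL, like sizeof(file)-1 in C
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in extra_opts:
        opts += bytes([code, len(value)]) + value
    return hdr + MAGIC + opts + bytes([OPT_END])


def proxy_ack(request_pkt, services, server_ip):
    """Port-4011 handler: DHCPACK bytes for a PXE client, or None when no proxy reply is due."""
    req = parse_dhcp(request_pkt)
    opts = req["options"]
    if req["op"] != BOOTREQUEST or opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return None
    if not opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient"):
        return None                                               # non-PXE clients are never answered
    arch_opt = opts.get(OPT_CLIENT_ARCH, b"")
    arch = struct.unpack("!H", arch_opt)[0] if len(arch_opt) == 2 else 0
    svc = select_service(services, arch)
    if svc is None:
        return None
    return build_dhcp(BOOTREPLY, DHCPACK, req["xid"], req["chaddr"],
                      siaddr=svc["server"] or server_ip,       # per-service TFTP host, else the proxy
                      file=boot_filename(svc["basename"], arch),
                      extra_opts=[(OPT_SERVER_ID, socket.inet_aton(server_ip))])


# Constructed --pxe-service equivalents: a BIOS entry served by the proxy itself and an
# EFI x86-64 (arch 7) entry whose TFTP server is a different host, as the thread wants.
SERVICES = [{"csa": 0, "basename": "pxelinux", "server": None},
            {"csa": 7, "basename": "ipxe", "server": "192.0.2.20"}]


def pxe_request(arch):
    """Constructed client Request as it would arrive on port 4011 (xid and MAC made up)."""
    return build_dhcp(BOOTREQUEST, DHCPREQUEST, 0x1234ABCD, b"\x00\x11\x22\x33\x44\x55",
                      extra_opts=[(OPT_VENDOR_CLASS, b"PXEClient:Arch:%05d:UNDI:003016" % arch),
                                  (OPT_CLIENT_ARCH, struct.pack("!H", arch))])
```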
Re: [Dnsmasq-discuss] ProxyDHCP with UEFI systems

2015-10-19 Thread Michael Kuron
I made some changes to dnsmasq (patch below) that remove the PXE menu system 
(the option 43 stuff) if there’s only one menu entry and put the boot file name 
and server address directly into the file and siaddr fields. This works fine 
for BIOS systems, but doesn’t work for UEFI either.
Next thing I tried was to copy the boot file name and server address into 
options 66 and 67, but that doesn’t work either.

So far, it really seems like proxyDHCP support in UEFI systems is completely 
missing. I used VMware Fusion 8.0.1 and a recent Asus laptop for testing. If 
anybody could supply a Wireshark of a different implementation that works 
(Windows Deployment Services maybe?), it should be easy to adapt my patch.

It’s really easy to set up a test system in any modern version of VMware: just 
create a new VM and add the following to the .vmx file:
firmware = "efi"



diff --git a/src/rfc2131.c b/src/rfc2131.c
index 9f69ed5..27b2573 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -859,6 +859,7 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  
  if (tmp)
{
+ int num_services = 0;
  struct dhcp_boot *boot;
  
  if (tmp->netid.net)
@@ -890,13 +891,49 @@ size_t dhcp_reply(struct dhcp_context *context, char 
*iface_name, int int_index,
  if (boot->file)
strncpy((char *)mess->file, boot->file, 
sizeof(mess->file)-1);
}
+ else
+   {
+   struct pxe_service *service;
+   for (service = daemon->pxe_services; service; 
service = service->next)
+   if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
+   ++num_services;
+   
+   if (num_services == 1)
+   {
+   for (service = daemon->pxe_services; 
service; service = service->next)
+   if (pxearch == service->CSA && 
match_netid(service->netid, netid, 1))
+   {
+   if (service->sname)
+   mess->siaddr = 
a_record_from_hosts(service->sname, now);
+   else if (service->server.s_addr 
!= 0)
+   mess->siaddr = 
service->server; 
+   else
+   mess->siaddr = 
tmp->local;
+   
+   if (service->CSA == 0)
+   snprintf((char 
*)mess->file, sizeof(mess->file), "%s.0", service->basename);
+   else if (service->CSA == 6 || 
service->CSA == 7 || service->CSA == 8 || service->CSA == 9)
+   {
+   char sname[16];
+   snprintf((char 
*)mess->file, sizeof(mess->file), "%s.efi", service->basename);
+   inet_ntop(AF_INET, 
&mess->siaddr, &sname, 16);
+   // Option 66 and 67 
necessary according to 
http://www-01.ibm.com/support/docview.wss?uid=swg27027022&aid=1
+   option_put_string(mess, 
end, OPTION_SNAME, sname, 0);
+   option_put_string(mess, 
end, OPTION_FILENAME, &mess->file, 0);
+   }
+   else
+   strncpy((char 
*)mess->file, service->basename, sizeof(mess->file)-1);
+   }
+   }
+   }
  
  option_put(mess, end, OPTION_MESSAGE_TYPE, 1, 
 mess_type == DHCPDISCOVER ? DHCPOFFER : DHCPACK);
  option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, 
htonl(tmp->local.s_addr));
  pxe_misc(mess, end, uuid);
  prune_vendor_opts(tagif_netid);
- do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, 
now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);
+ if (num_services != 1)
+   do_encap_opts(pxe_opts(pxearch, tagif_netid, tmp->local, 
now), OPTION_VENDOR_CLASS_OPT, DHOPT_VENDOR_MATCH, mess, end, 0);
   
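Review bot: in the EFI branch, `inet_ntop(AF_INET, &mess->siaddr, &sname, 16)` passes `&sname` (type `char (*)[16]`) where `inet_ntop` takes a `char *`, and `option_put_string(mess, end, OPTION_FILENAME, &mess->file, 0)` likewise passes the address of the array instead of `(char *)mess->file`; both yield the same pointer value but provoke type warnings and read wrong. Use `sname` and `(char *)mess->file`, size the buffer with `INET_ADDRSTRLEN`, and check `inet_ntop`'s return value. The `//` comment carrying a URL split across lines should become a `/* */` comment, and since the message above reports that options 66/67 did not help UEFI, the whole option 66/67 block can likely be dropped rather than fixed.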

[Dnsmasq-discuss] Reduce amount of warning messages because the name exists in /etc/hosts

2015-08-02 Thread Michael Keuter
Hi,

is it possible to reduce the amount of warning messages because a name exists in 
/etc/hosts, when I create a new IP-address reservation, but the address is 
currently used by another DHCP client (until the lease time ends)?

Aug  1 21:18:52 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123.local to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:18:52 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123 to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:19:36 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123.local to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:19:36 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123 to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:19:41 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123.local to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:19:41 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123 to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:19:50 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123.local to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:19:50 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123 to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:20:06 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123.local to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:20:06 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123 to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:20:52 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123.local to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:20:52 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123 to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:20:57 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123.local to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123
Aug  1 21:20:57 hostname daemon.warn dnsmasq-dhcp[18152]: not giving name 
ipphone-123 to the DHCP lease of 192.168.1.161 because the name exists in 
/etc/hosts with address 192.168.1.123

Maybe every 30 or 60 minutes but not that often.

Michael

http://www.mksolutions.info





___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] RFC5011?

2015-07-28 Thread Michael Tremer
Hi,

that is good news that you considered implementing this, too.

On Mon, 2015-07-27 at 19:31 +0100, Simon Kelley wrote:
> I've considered it, and in an ideal world would like to implement it.
> My experience is the _nothing_ to do with DNSSEC is "not too
> difficult" and, to be honest, any system deploying the releases of
> dnsmasq with DNSSEC to-date which can't be updated is in a bad way
> anyway. I hope we're close to a stable implementation now, so maybe
> now is the time to start thinking about this. Of course this is only
> relevant if the root key really does get rolled sometime soon, and if
> that doesn't cause the end of the world.

I guess DNSSEC is working alright in dnsmasq now. There are some issues
here and there, but some of them are caused by other things on the way
like MTU issues, broken upstream resolvers and so on.

The official information is that a key rollover will happen "at some
time in 2015":

  https://indico.dns-oarc.net/event/21/contribution/35/material/slides/0.pdf

There is no schedule yet, but we better be prepared.

> My ideal would be to a have a stand-alone RFC5011 daemon, which is
> responsible for keeping the OS's idea of the root key(s) up-to-date.
> Debian already has a package which provides a central copy of the root
> keys, and dnsmasq will use these if it's installed. Having something
> which does that but dynamically updates them would be good.

Hmm, I do not really think that an extra daemon is such a good idea. I
do not know what the reasons are that you would prefer this, but here
is my view:

This daemon will only be needed once every five years. It will run
additionally and almost never do anything. I guess most problems that
we will have then are similar to the leap second bugs - very rare
events that are never really tested, and when it is showtime everything
fails miserably. Not that I don't trust your coding skills, but certainly
this daemon won't receive much love.

The daemon would require implementing DNSSEC again. I am not sure if
parts of the codebase of dnsmasq can be used on their own. It doesn't
look like that to me. One could use something like libunbound or
similar because that would have an implementation to verify the DNSSEC
signatures, but would also be lots of code that is pulled in and barely
used. I am not sure what other users of dnsmasq would think about this
who are running embedded systems on very tiny flash. Creating a
libdnsmasq that does the same job will probably require lots of work in
dnsmasq that isn't worth it for such a tiny job like RFC5011.

If you want to save systems from downloading the new trust anchor
multiple times because they have multiple resolvers that need the keys,
a single stand-alone daemon would help. But even if that happened
for each of them independently, it would not create more load on the
network or require any other resources.

None of these are arguments that require a hundred percent to implement
the functionality inside dnsmasq but I still think that this is the
better idea. Lots of code is there and can easily be used. Updating to
a newly downloaded key is done very quickly and we could implement a
trigger that can do better error handling and maybe start updating the
DNSKEY of the . zone when something went wrong along the validation
process. This might have some security implications but still is an
idea to make the transitions to a new key as easy as we possibly can.

Is this even a requirement to just update the . zone? What if I use a
trust-anchor for my own zone? Shouldn't that one be updated, too? In
that case it is again better to check the running configuration of
dnsmasq and then perform an update for these, too (didn't check what
the RFC says about this).

Just my thoughts...

Best,
-Michael

> 
> Cheers,
> 
> Simon.
> 
>  On 23/07/15 10:18, Michael Tremer wrote:
> > Hello Simon, hello list,
> > 
> > I was just wondering if someone has ever considered supporting
> > RFC5011 in dnsmasq:
> > 
> > https://tools.ietf.org/html/rfc5011
> > 
> > This will automatically update the trust anchor in case the KSK of
> > the root zone is replaced which will probably happen this year.
> > 
> > The implementation should not be too difficult. Most of the stuff
> > that is required is already there. dnsmasq needs to fetch the
> > DNSKEY record(s) of the . zone regularly and check if the KSK has
> > changed. If so the signature needs to be validated of course and
> > then the new key material needs to be stored somewhere on disk.
> > 
> > If this is not implemented all instances that use DNSSEC won't work
> > any more. As dnsmasq is often deployed on systems that are not too 
> > regularly updated (hardware routers and so on) I think it is a
>

[Dnsmasq-discuss] RFC5011?

2015-07-23 Thread Michael Tremer
Hello Simon,
hello list,

I was just wondering if someone has ever considered supporting RFC5011
in dnsmasq:

  https://tools.ietf.org/html/rfc5011

This will automatically update the trust anchor in case the KSK of the
root zone is replaced, which will probably happen this year.

The implementation should not be too difficult. Most of the stuff that
is required is already there. dnsmasq needs to fetch the DNSKEY
record(s) of the . zone regularly and check if the KSK has changed. If
so, the signature needs to be validated of course and then the new key
material needs to be stored somewhere on disk.

If this is not implemented all instances that use DNSSEC won't work any
more. As dnsmasq is often deployed on systems that are not too
regularly updated (hardware routers and so on) I think it is a good
idea to implement this RFC.

As far as I know unbound and others support this RFC.

Best,
-Michael

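The update loop sketched in this thread (poll the zone's DNSKEY RRset regularly, accept a new KSK only after it has been seen in validly signed RRsets for the hold-down period, drop a key that revokes itself) as an added Python example, not dnsmasq code: an RFC 5011 trust-anchor state machine driven by constructed polls. DNSSEC signature verification is assumed to happen before a poll is fed in (each poll carries the ids of the keys whose RRSIGs verified); key names and dates are constructed and are not the real root KSKs.

```python
from dataclasses import dataclass
from enum import Enum

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 add hold-down: a new key must stay visible this long
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 remove hold-down before a revoked key is forgotten


class State(Enum):
    ADD_PEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"
    REVOKED = "Revoked"


@dataclass
class Anchor:
    state: State
    since: int      # when the current state was entered


@dataclass
class Poll:
    now: int
    keys: dict      # key id -> True when the REVOKE flag bit is set
    signers: set    # key ids whose RRSIG over this DNSKEY RRset verified (checked upstream)


class TrustPoint:
    """Trust anchors of one zone (the '.' zone in the thread), kept current per RFC 5011."""

    def __init__(self, initial_keys, now):
        # Configured anchors, e.g. from the distro's root-key package, start out Valid.
        self.anchors = {k: Anchor(State.VALID, now) for k in initial_keys}

    def trusted(self):
        # Valid and Missing keys are trust points; AddPend and Revoked keys are not.
        return {k for k, a in self.anchors.items() if a.state in (State.VALID, State.MISSING)}

    def state_of(self, kid):
        a = self.anchors.get(kid)
        return a.state.value if a else "Start"   # Start and Removed both mean "not an anchor"

    def observe(self, poll):
        """Apply one DNSKEY poll; returns False when the RRset carried no authority."""
        # Only an RRset signed by a current trust anchor may change anything, so serving a
        # self-signed rogue key (or breaking the signature) cannot plant or drop an anchor.
        if not (self.trusted() & poll.signers):
            return False
        for kid, a in list(self.anchors.items()):
            present = kid in poll.keys
            # A key is revoked only if REVOKE is set AND the key itself signed the RRset.
            revoked = present and poll.keys[kid] and kid in poll.signers
            if a.state is State.REVOKED:
                if poll.now - a.since >= REMOVE_HOLD_DOWN:
                    del self.anchors[kid]                  # Removed
            elif a.state is State.ADD_PEND:
                if not present or poll.keys[kid]:
                    del self.anchors[kid]                  # back to Start; hold-down restarts
                elif poll.now - a.since >= ADD_HOLD_DOWN:
                    a.state, a.since = State.VALID, poll.now
            elif revoked:
                a.state, a.since = State.REVOKED, poll.now
            elif a.state is State.VALID and not present:
                a.state, a.since = State.MISSING, poll.now
            elif a.state is State.MISSING and present:
                a.state, a.since = State.VALID, poll.now
        for kid, rev in poll.keys.items():
            if kid not in self.anchors and not rev:        # NewKey: start the add hold-down
                self.anchors[kid] = Anchor(State.ADD_PEND, poll.now)
        return True


def root_rollover_demo():
    """Constructed roll from KSK-A to KSK-B; returns (trusted, state A, state B) after each poll."""
    tp, snaps = TrustPoint({"KSK-A"}, now=0), {}

    def poll(day, keys, *signers):
        tp.observe(Poll(day * DAY, keys, set(signers)))
        snaps[day] = (sorted(tp.trusted()), tp.state_of("KSK-A"), tp.state_of("KSK-B"))

    poll(1, {"KSK-A": False, "KSK-B": False}, "KSK-A")            # KSK-B published: AddPend
    poll(5, {"ROGUE": False}, "ROGUE")                            # not signed by an anchor: ignored
    poll(15, {"KSK-A": False, "KSK-B": False}, "KSK-A")           # inside the add hold-down
    poll(31, {"KSK-A": False, "KSK-B": False}, "KSK-A", "KSK-B")  # 30 days seen: KSK-B Valid
    poll(40, {"KSK-A": True, "KSK-B": False}, "KSK-A", "KSK-B")   # KSK-A self-signed REVOKE
    poll(71, {"KSK-B": False}, "KSK-B")                           # remove hold-down passed
    return snaps
```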


Re: [Dnsmasq-discuss] bugs.gentoo.org and dnssec

2015-04-29 Thread Michael Tremer
Hello Simon,

thank you very much for looking into that.

I can confirm that "dig ANY ipfire.org" is now correctly falling back to
TCP and validates the result correctly.

I passed a compiled binary on to the people who experienced the bug as
well. If you do not hear back from me things should be fine.

Best,
-Michael

On Tue, 2015-04-28 at 20:59 +0100, Simon Kelley wrote:
> OK, that was an embarrassingly simple fix, in the git repo now, or the
> 2.73rc7 tarball if you prefer.
> 
> Interestingly,
> 
> dig ANY ipfire.org
> 
> to 8.8.8.8 gets an answer which fits a UDP packet, and therefore
> doesn't trigger the bug.
> 
> 178.63.73.246 does fall back to TCP, as your example shows, and does
> trigger the problem.
> 
> I'm not sure if this is relevant to Alon's problem, since the query
> he's making has a small answer that doesn't trigger fallback to TCP,
> though with DNSSEC information included, the answer is 1244 bytes, so
> it _could_ trigger TCP on some links.
> 
> It would be useful to test with 2.73rc7 Alon, if you can.
> 
> 
> Many thanks for the tests and info.
> 
> Cheers,
> 
> Simon.
> 
>  On 28/04/15 13:00, Michael Tremer wrote:
> > Hello,
> > 
> > I am not sure if I am experiencing the same bug here or if it is 
> > somewhat different.
> > 
> > When I try accessing some domains that use DNSSEC (like ipfire.org
> > does, but this applies to other as well), I sometimes get SERVFAIL.
> > This happens usually for bigger replies where fragmentation comes
> > into the game.
> > 
> > I think that I do not have a general issue with fragmentation or
> > some issue with the upstream name servers, because everything goes
> > well if I send the same query directly without going through
> > dnsmasq. See below.
> > 
> > dig ANY ipfire.org returns a huge number of records with lots of 
> > signatures and can be used to reproduce the issue with various
> > upstream name servers. dnsmasq receives a truncated DNS reply (it's
> > over 4k) and opens a TCP connection. As soon as dnsmasq is using
> > TCP, the answer to the local system that made the request is always
> > SERVFAIL.
> > 
> > It also happens with "dig ANY ietf.org", but works with "dig ANY 
> > postbank.de" which replies with a DNS packet less than 4k.
> > 
> > Other people have reported the same and/or similar issue over
> > here: https://bugzilla.ipfire.org/show_bug.cgi?id=10786
> > 
> > They confirm that the issue also happens with 8.8.8.8.
> > 
> > I captured the packets that dnsmasq is sending out to the upstream
> > name servers and attached the pcap file.
> > 
> > What can we do about this problem? It essentially makes DNSSEC
> > unusable at the moment.
> > 
> > Best, -Michael
> > 
> > + dig ANY ipfire.org ;; Truncated, retrying in TCP mode.
> > 
> > ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ANY ipfire.org ;;
> > global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,
> > status: SERVFAIL, id: 43712 ;; flags: qr rd ra; QUERY: 1, ANSWER:
> > 0, AUTHORITY: 0, ADDITIONAL: 1
> > 
> > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;;
> > QUESTION SECTION: ;ipfire.org.  IN  ANY
> > 
> > ;; Query time: 52 msec ;; SERVER: 192.168.180.1#53(192.168.180.1) 
> > ;; WHEN: Tue Apr 28 13:49:20 CEST 2015 ;; MSG SIZE  rcvd: 39
> > 
> > + dig ANY ipfire.org @178.63.73.246 ;; Truncated, retrying in TCP
> > mode.
> > 
> > ; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ANY ipfire.org
> > @178.63.73.246 ;; global options: +cmd ;; Got answer: ;;
> > ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30094 ;; flags: qr
> > rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 3
> > 
> > ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;;
> > QUESTION SECTION: ;ipfire.org.  IN  ANY
> > 
> > ;; ANSWER SECTION: ipfire.org.  3571IN  A   
> > 178.63.73.246 ipfire.org.
> > 3571IN  RRSIG   A 8 2 3600 2015050700 2015041600 38274
> > ipfire.org.
> > AafVd/T/gKOD35lqZihS89u4aH0T4YcIN3uWGihlF6ZufWk05zs9XBBj
> > 8SAzs5yTOACe7Hb6iNpAr7B4TNvcqCfbDTkGRcfptaIoUl2CbJ015KSd
> > OB2pHQxzzsGvqFc609egjP6cP4uh8cIK4JZ4iLD5ldT23x76nPWzUx4N
> > d+ErCfq/UiWvf1vfuxIRP18otagfyK5AEG3U7VBoIH1rYtPov7LwbFmp
> > EMRa27xWD/bYcMueDk9ojfgnqKK6jXQ8RqHoXR7SRsjV/HyCb6hSuTBc
> > g+R+gykb/r082jTzon8kJKCcC7t7TWEdLY2WH+h1I3

Re: [Dnsmasq-discuss] bugs.gentoo.org and dnssec

2015-04-28 Thread Michael Tremer
Hello,

I am not sure if I am experiencing the same bug here or if it is
somewhat different.

When I try accessing some domains that use DNSSEC (like ipfire.org does,
but this applies to others as well), I sometimes get SERVFAIL. This
happens usually for bigger replies where fragmentation comes into the
game.

I think that I do not have a general issue with fragmentation or some
issue with the upstream name servers, because everything goes well if I
send the same query directly without going through dnsmasq. See below.

dig ANY ipfire.org returns a huge number of records with lots of
signatures and can be used to reproduce the issue with various upstream
name servers. dnsmasq receives a truncated DNS reply (it's over 4k) and
opens a TCP connection. As soon as dnsmasq is using TCP, the answer to
the local system that made the request is always SERVFAIL.

It also happens with "dig ANY ietf.org", but works with "dig ANY
postbank.de" which replies with a DNS packet less than 4k.

Other people have reported the same and/or similar issue over here:
  https://bugzilla.ipfire.org/show_bug.cgi?id=10786

They confirm that the issue also happens with 8.8.8.8.

I captured the packets that dnsmasq is sending out to the upstream name
servers and attached the pcap file.

What can we do about this problem? It essentially makes DNSSEC unusable
at the moment.

Best,
-Michael

+ dig ANY ipfire.org
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ANY ipfire.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ipfire.org.IN  ANY

;; Query time: 52 msec
;; SERVER: 192.168.180.1#53(192.168.180.1)
;; WHEN: Tue Apr 28 13:49:20 CEST 2015
;; MSG SIZE  rcvd: 39

+ dig ANY ipfire.org @178.63.73.246
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-8.P1.fc21 <<>> ANY ipfire.org @178.63.73.246
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30094
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipfire.org.IN  ANY

;; ANSWER SECTION:
ipfire.org. 3571IN  A   178.63.73.246
ipfire.org. 3571IN  RRSIG   A 8 2 3600 2015050700 
2015041600 38274 ipfire.org. 
AafVd/T/gKOD35lqZihS89u4aH0T4YcIN3uWGihlF6ZufWk05zs9XBBj 
8SAzs5yTOACe7Hb6iNpAr7B4TNvcqCfbDTkGRcfptaIoUl2CbJ015KSd 
OB2pHQxzzsGvqFc609egjP6cP4uh8cIK4JZ4iLD5ldT23x76nPWzUx4N 
d+ErCfq/UiWvf1vfuxIRP18otagfyK5AEG3U7VBoIH1rYtPov7LwbFmp 
EMRa27xWD/bYcMueDk9ojfgnqKK6jXQ8RqHoXR7SRsjV/HyCb6hSuTBc 
g+R+gykb/r082jTzon8kJKCcC7t7TWEdLY2WH+h1I3FN+f3iNhHoal/J l5cA+g==
ipfire.org. 48822   IN  NS  ns2.lightningwirelabs.com.
ipfire.org. 48822   IN  NS  ns3.lightningwirelabs.com.
ipfire.org. 48822   IN  NS  ns1.lightningwirelabs.com.
ipfire.org. 48822   IN  RRSIG   NS 8 2 86400 2015050700 
2015041600 38274 ipfire.org. 
LtEwh5KQuMZOM9aQphrCiSJA7R6Ubv+A7ip+7S+NwfOLRC+Eao5I/MGw 
AXprSNvFglwKYyj/8hmAHkByRcniXceu5e9DPL8GZnRrJEaNmPyNgv+j 
bSIS4jD4FSrhS6LPQzAVg6XA5r9B1y9SDPiqgDm+e3fkD8zg+ZmJuY2x 
XYw9JeV1c4pZVCjS6jflkZ/9LcZrNGjcDuNZxQCSFu3wD/fmxbJXfKZN 
e4zO8XE18Ul1c7ifGLLRM45MyedQK/Gz47KXCkC0zkVtmRPybQN9lT+1 
NKRQJFNc8U6+Hb90eQSjudsrXK0V2Z7McO5OMOe305loKWhvW8KMkc/b KIKnEw==
ipfire.org. 2310IN  SOA ns1.lightningwirelabs.com. 
hostmaster.ipfire.org. 1430190033 10800 1800 604800 300
ipfire.org. 2310IN  RRSIG   SOA 8 2 3600 2015050700 
2015041600 38274 ipfire.org. 
C8pSowvYXE3sngaZrOaevrbMtx3f3hKKkgRW51gebWBokxF7+5UuXclb 
9pZm16ArrMeMIQhR0d14Wamn0yhsrIo8eqgPbjTdn9VzNZnpXXcsxAXu 
QJ4+vPGP92EfgDocqid7/9jKeJWtNZbgHJUfOwsEtYgS+gdP3L77k+gW 
EAypTHtJqiE65sFHUWXlb9kwmpr1trq5DXnVBwtiiaBhbYeZryY3MTkl 
MVyQEZebr/MUUQKAstgJ3l3U2Rikd5aolKecjEvC2UJ18atlWuuZFgh5 
f+J8vWoWABv5FwJAXxKHvvuNUJD3ca+Q0PGOJj87Wf+SlB+MGRiDfSiX avh2qQ==
ipfire.org. 529 IN  MX  10 mail01.ipfire.org.
ipfire.org. 529 IN  RRSIG   MX 8 2 3600 2015050700 
2015041600 38274 ipfire.org. 
UpsMIw7DF7810q1r7w81d2+Mfe6728iNX46WP8AZDhbI7vjyY41y33zD 
rY4hDbBRfaZBCycrBKYmLj38FlXbFsxKGI+KMtAkhnEv4H3q7RjBo77u 
u1BLEd5Tql5oVfCaLlgvoqnATiDOr8Hh/C6R3ukSItC+cLeVY6cmBeE5 
cvh6afqiPXhf9JLrEBpl3maxkx+307XThYW6u7ZE73k2xkNZbKb8ePrK 
vcND4KQlbAvGgTgOstK+wIUn2yn1oHtjWiHIXJXG6iFPXIpjMFLIYH0u 
/HrKhtxT397H/3dR6HXJ0zIGD+Pt82HUjPblA+B3O05FzhXFMccydG6m ffJh9Q==
ipfire.org. 2218IN  NAPTR   30 0 "s" "SIP+D2T" "" 
_sip._tcp.ipfire.org.
ipfire.org. 2218 

Re: [Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

2015-01-13 Thread Michael Tremer
Hi Simon,

I wrote in the post that the user who can reproduce the bug should
enable that logging and post the results or possibly any core dumps.
dnsmasq is running perfectly fine on my IPFire system and I tried
throwing hundreds of requests at it to let it crash, but it won't :)

We are not using IPv6 servers at all. IPFire 2 only supports IPv4 anyway.
I also tried to alter the MTU of the outgoing interface and similar
things. No luck so far. When it runs, it runs. The few people who are
experiencing these issues are experiencing them constantly and quickly
after dnsmasq has been started. Changing the upstream name servers does
not resolve the problem.

That's all I have so far. Looking forward to hearing from that user now.

Thanks for your great help!

-Michael

On Mon, 2015-01-12 at 20:27 +, Simon Kelley wrote:
> Michael,
> 
> That's useful information, thanks, but it's not really enough to find
> the problem. The best possible thing would be a way to reproduce the
> crash here. If the crash is always caused by a particular domain, then
> setting --log-queries, and looking at the last few lines of the log
> might be enough, otherwise, we're looking at getting coredumps.
> 
> If you could encourage your users to start with query logging, that
> would be great. There are relatively few people using the DNSSEC
> validation, so it's really useful that it's getting some serious use
> with you.
> 
> 
> Are you using IPv6 upstream servers? There have been a few problems
> with that which are external to dnsmasq, and which might be the source
> of the delays.
> 
> I'm wondering about adding an option which would just log queries
> which take more than a couple of seconds, which would make tracing
> this sort of thing easier.
> 
> 
> Cheers,
> 
> 
> Simon.
> 
> 
> On 11/01/15 20:59, Michael Tremer wrote:
> > Hello Simon,
> > 
> > unfortunately this does not seem to be it.
> > 
> > I got one report back from a user on our forums:
> > 
> > http://forum.ipfire.org/viewtopic.php?f=22&t=11401&p=79097#p79097
> > 
> > The German text there says that dnsmasq just crashes after a couple
> > of minutes in operation.
> > 
> > I didn't experience any crashes here, but it feels like resolving
> > DNS entries takes ages from time to time...
> > 
> > That's all of the feedback I got so far.
> > 
> > -Michael
> > 
> > On Sat, 2015-01-03 at 15:35 +0000, Simon Kelley wrote:
> >> Given the available information,
> >> 
> >> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975
> >> 
> >> would be a very likely candidate to fix the crash problem. If that
> >> doesn't do it it would be really good to find a way to reproduce
> >> the problem.
> >> 
> >> 
> >> 
> >> Cheers,
> >> 
> >> Simon.
> >> 
> >> On 02/01/15 09:42, Michael Tremer wrote:
> >>> Hello Simon,
> >>> 
> >>> thanks for looking into this. Unfortunately I did not have
> >>> enough time to look into that last year.
> >>> 
> >>> Whilst writing this, I am building a version of dnsmasq 2.72
> >>> with some patches from the git repository. I also hope that
> >>> these will fix this problem that we are experiencing with lots
> >>> installations: 
> >>> https://bugzilla.ipfire.org/show_bug.cgi?id=10607
> >>> 
> >>> It will take me a couple of days to confirm if the crash is
> >>> gone, so please stay tuned for that. I will also try to
> >>> encourage some of our users in testing this pre-release.
> >>> 
> >>> If that would be of any help, I can try setting up a domain
> >>> that signs its records by using that algorithm.
> >>> 
> >>> -Michael
> >>> 
> >>> On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> >>>> I just looked at this. Simon's  stripeyc.at is now working
> >>>> for me. I don't think I found any problems with 2.72 on that
> >>>> one though.
> >>>> 
> >>>> The domain mentioned in the ipfire thread 
> >>>> (formation.ent-liberscol.fr) definitely found a bug in
> >>>> dnsmasq (combination of NSEC3 and wildcards.) I think that's
> >>>> all fixed in the current git HEAD / 2.73test2. Michael,
> >>>> please could you confirm, and pass this back to the ipfire
> >>>> list?
> >>>> 
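
Simon's wish above, an option that logs only queries taking more than a couple of seconds, can be approximated today by post-processing ordinary --log-queries output. The block below is an added example (mine, not dnsmasq code): it pairs each query[...] line with the first reply/cached line for the same name and reports the slow and the never-answered ones, which is what you want from a user who can only give you a log. The sample lines are constructed in the shape of dnsmasq's log-queries output as syslog stores it; the host name gw, the PID and the client addresses are made up. Two caveats that follow from the format: syslog timestamps have one-second resolution, so sub-second latency is invisible, and when two clients ask for the same name at the same time the pairing is first-in first-out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the shape of `--log-queries` output as it lands in
# syslog (one-second timestamps). Not a real capture.
SAMPLE_LOG = """\
Jan 12 20:31:05 gw dnsmasq[1234]: query[A] www.ipfire.org from 192.168.1.10
Jan 12 20:31:05 gw dnsmasq[1234]: forwarded www.ipfire.org to 178.63.73.246
Jan 12 20:31:08 gw dnsmasq[1234]: reply www.ipfire.org is 178.63.73.246
Jan 12 20:31:09 gw dnsmasq[1234]: query[A] www.example.com from 192.168.1.11
Jan 12 20:31:09 gw dnsmasq[1234]: cached www.example.com is 93.184.216.34
Jan 12 20:31:10 gw dnsmasq[1234]: query[AAAA] mail.example.net from 192.168.1.12
Jan 12 20:31:10 gw dnsmasq[1234]: forwarded mail.example.net to 178.63.73.246
Jan 12 20:31:30 gw dnsmasq[1234]: reply mail.example.net is 2001:db8::25
Jan 12 20:31:31 gw dnsmasq[1234]: query[A] slow.example.org from 192.168.1.13
Jan 12 20:31:31 gw dnsmasq[1234]: forwarded slow.example.org to 178.63.73.246
"""

# Only the three line kinds that open or close a query are matched;
# forwarded/validation lines fall through.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
    r"(?P<kind>query|reply|cached)(?:\[(?P<qtype>[A-Z0-9]+)\])? "
    r"(?P<name>\S+) (?:from|is) (?P<rest>\S+)$")


def slow_queries(text, threshold_s=2.0):
    """Pair each query[...] line with the first reply/cached line for the same
    name (FIFO per name, so concurrent queries for one name pair in order).
    Returns (slow, unanswered): slow is a list of (name, qtype, client, seconds)
    at or above the threshold; unanswered maps names to the number of queries
    that never saw a reply in the log."""
    pending = defaultdict(deque)
    slow = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Year-less syslog stamp; fine for differences within one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        name = m["name"].lower()
        if m["kind"] == "query":
            pending[name].append((ts, m["qtype"], m["rest"]))
        elif pending[name]:
            started, qtype, client = pending[name].popleft()
            seconds = (ts - started).total_seconds()
            if seconds >= threshold_s:
                slow.append((name, qtype, client, seconds))
    unanswered = {n: len(q) for n, q in pending.items() if q}
    return slow, unanswered


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    slow, unanswered = slow_queries(text)
    for name, qtype, client, seconds in slow:
        print(f"{seconds:5.0f}s  {qtype:<5} {name} (from {client})")
    for name, n in unanswered.items():
        print(f"  none  {name}: {n} query/queries without a reply")
```

Run it against a syslog extract from a user with log-queries enabled; the unanswered list is usually the more interesting one, since a validating dnsmasq that is stuck on a DNSKEY or DS fetch shows up as a query line with no reply rather than as a slow reply.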

Re: [Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

2015-01-11 Thread Michael Tremer
Hello Simon,

unfortunately this does not seem to be it.

I got one report back from a user on our forums:

http://forum.ipfire.org/viewtopic.php?f=22&t=11401&p=79097#p79097

The German text there says that dnsmasq just crashes after a couple of
minutes in operation.

I didn't experience any crashes here, but it feels like resolving DNS
entries takes ages from time to time...

That's all of the feedback I got so far.

-Michael

On Sat, 2015-01-03 at 15:35 +0000, Simon Kelley wrote:
> Given the available information,
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=094b5c3d904bae9aeb3206d9f3b8348926b84975
> 
> would be a very likely candidate to fix the crash problem. If that
> doesn't do it it would be really good to find a way to reproduce the
> problem.
> 
> 
> 
> Cheers,
> 
> Simon.
> 
> On 02/01/15 09:42, Michael Tremer wrote:
> > Hello Simon,
> > 
> > thanks for looking into this. Unfortunately I did not have enough
> > time to look into that last year.
> > 
> > Whilst writing this, I am building a version of dnsmasq 2.72 with
> > some patches from the git repository. I also hope that these will
> > fix this problem that we are experiencing with lots installations: 
> > https://bugzilla.ipfire.org/show_bug.cgi?id=10607
> > 
> > It will take me a couple of days to confirm if the crash is gone,
> > so please stay tuned for that. I will also try to encourage some of
> > our users in testing this pre-release.
> > 
> > If that would be of any help, I can try setting up a domain that
> > signs its records by using that algorithm.
> > 
> > -Michael
> > 
> > On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> >> I just looked at this. Simon's  stripeyc.at is now working for
> >> me. I don't think I found any problems with 2.72 on that one
> >> though.
> >> 
> >> The domain mentioned in the ipfire thread
> >> (formation.ent-liberscol.fr) definitely found a bug in dnsmasq
> >> (combination of NSEC3 and wildcards.) I think that's all fixed in
> >> the current git HEAD / 2.73test2. Michael, please could you
> >> confirm, and pass this back to the ipfire list?
> >> 
> >> Cheers,
> >> 
> >> Simon.
> >> 
> >> 
> >> On 22/10/14 22:37, Simon Gebler wrote:
> >>> Sorry if I sounded rude or anything. Have a safe journey!
> >>> 
> >>> On October 22, 2014 11:20:35 PM CEST, Simon Kelley wrote:
> >>>> On 21/10/14 15:24, SiGe wrote:
> >>>>> I experienced that problem myself, posted about it on the
> >>>>> mailing list a few days ago. At least it happens on my domain
> >>>>> that has both a SHA-1 AND 256 hash. I'm experiencing it with
> >>>>> the version currently shipped in the current stable OpenWRT
> >>>>> version.
> >>>>> 
> >>>>> So you're not alone there. Too bad my other post was
> >>>>> unacknowledged so far :/
> >>>> 
> >>>> Apologies for the lack of acknowledgement. I'm currently
> >>>> very busy and traveling. Getting to where I have available
> >>>> time _and_ a good cellphone signal is tricky, and I have a
> >>>> huge email backlog to crawl out from. I'll look at this as
> >>>> soon as I can.
> >>>> 
> >>>> 
> >>>> Cheers,
> >>>> 
> >>>> Simon.
> >>>> 
> >>>>> 
> >>>>> ~ Simon
> >>>>> 
> >>>>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer wrote:
> >>>>>> 
> >>>>>> Hello fellow dnsmasq users,
> >>>>>> 
> >>>>>> there is a topic on the IPFire support forums I would
> >>>>>> like to point you to:
> >>>>>> 
> >>>>>> http://forum.ipfire.org/index.php?topic=11726.0
> >>>>>> 
> >>>>>> It appears that dnsmasq cannot verify resource records of
> >>>>>> a DNSSEC-enabled domain. That domain uses
> >>>>>> RSA/SHA1-NSEC3-SHA1 for its signatures. Although there is
> >>>>>> some code in dnsmasq that is supposed to handle this, it
> >>>>>> does not verify the records correctly.
> >>>>>> 
> >>>>>> Did anyone else experience this problem? Is it a bug
> >>>>>> with dnsmasq or the authoritative name servers of that
> >>>>>> domain?
> >>>>>> 
> >>>>>> Best, -Michael
> >>>>>> 
> >>>>>> 
> >>>>>> 
> >>>>>> Dnsmasq-discuss mailing list 
> >>>>>> Dnsmasq-discuss@lists.thekelleys.org.uk 
> >>>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

2015-01-02 Thread Michael Tremer
Hello Simon,

thanks for looking into this. Unfortunately I did not have enough time
to look into that last year.

Whilst writing this, I am building a version of dnsmasq 2.72 with some
patches from the git repository. I also hope that these will fix this
problem that we are experiencing with lots installations:
https://bugzilla.ipfire.org/show_bug.cgi?id=10607

It will take me a couple of days to confirm if the crash is gone, so
please stay tuned for that. I will also try to encourage some of our
users in testing this pre-release.

If that would be of any help, I can try setting up a domain that signs
its records by using that algorithm.

-Michael

On Tue, 2014-12-23 at 16:02 +0000, Simon Kelley wrote:
> I just looked at this. Simon's  stripeyc.at is now working for me. I
> don't think I found any problems with 2.72 on that one though.
> 
> The domain mentioned in the ipfire thread (formation.ent-liberscol.fr)
> definitely found a bug in dnsmasq (combination of NSEC3 and
> wildcards.) I think that's all fixed in the current git HEAD /
> 2.73test2. Michael, please could you confirm, and pass this back to
> the ipfire list?
> 
> Cheers,
> 
> Simon.
> 
> 
> On 22/10/14 22:37, Simon Gebler wrote:
> > Sorry if I sounded rude or anything. Have a safe journey!
> > 
> > On October 22, 2014 11:20:35 PM CEST, Simon Kelley wrote:
> >> On 21/10/14 15:24, SiGe wrote:
> >>> I experienced that problem myself, posted about it on the
> >>> mailing list a few days ago. At least it happens on my domain that
> >>> has both a SHA-1 AND 256 hash. I'm experiencing it with the
> >>> version currently shipped in the current stable OpenWRT version.
> >>> 
> >>> So you're not alone there. Too bad my other post was
> >>> unacknowledged so far :/
> >> 
> >> Apologies for the lack of acknowledgement. I'm currently very
> >> busy and traveling. Getting to where I have available time _and_
> >> a good cellphone signal is tricky, and I have a huge email
> >> backlog to crawl out from. I'll look at this as soon as I can.
> >> 
> >> 
> >> Cheers,
> >> 
> >> Simon.
> >> 
> >>> 
> >>> ~ Simon
> >>> 
> >>> On October 21, 2014 3:11:10 PM CEST, Michael Tremer wrote:
> >>>> 
> >>>> Hello fellow dnsmasq users,
> >>>> 
> >>>> there is a topic on the IPFire support forums I would like to
> >>>> point you to:
> >>>> 
> >>>> http://forum.ipfire.org/index.php?topic=11726.0
> >>>> 
> >>>> It appears that dnsmasq cannot verify resource records of a
> >>>> DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1
> >>>> for its signatures. Although there is some code in dnsmasq
> >>>> that is supposed to handle this, it does not verify the
> >>>> records correctly.
> >>>> 
> >>>> Did anyone else experience this problem? Is it a bug with
> >>>> dnsmasq or the authoritative name servers of that domain?
> >>>> 
> >>>> Best, -Michael


Re: [Dnsmasq-discuss] interface-name and IPv6 temporary addresses

2014-12-18 Thread Michael Gorbach
Just compiled and tested. Looking good! It’s returning only the correct 
(global) address for forward queries, and returning temporary addresses for 
reverse queries. Thanks for the fix, Simon!

Yours,
~ M.

> On Dec 17, 2014, at 7:43 AM, Simon Kelley  wrote:
> 
> 
> I just pushed changes to the git repo to implement this. Michael,
> please could you seen if it now behaves as you'd like?
> 
> Cheers,
> 
> Simon.
> 
> 
> On 01/12/14 18:49, Michael Gorbach wrote:
>> On Nov 30, 2014, at 11:17 AM, Simon Kelley
>>  wrote:
>>> 
>>> On 29/11/14 19:18, Michael Gorbach wrote:
>>>> Hi All,
>>>> 
>>>> I've got a question and potential enhancement request. It looks
>>>> like right now, the (very useful) interface-name feature pulls
>>>> all (global) addresses from the interface. One of my machines
>>>> uses IPv6 privacy extensions (known in Linux as use_tempaddr),
>>>> which means that in addition to link-local and permanent global
>>>> addresses, it has a rotating cast of ~ 5 temporary addresses. I
>>>> suggest that dnsmasq should detect those temporary addresses
>>>> and not return them for queries that would otherwise hit
>>>> interface-name. Returning them as it does now means > 5 AAAA
>>>> records for a single name, which causes repeated confusion due
>>>> to things like SSH warning about an unknown host because it has
>>>> suddenly picked a previously-unknown temporary address to
>>>> connect to. Thoughts?
>>>> 
>>> 
>>> Sounds like a sensible suggestion. This facility was added before
>>> I was really familiar with IPv6 and all its extra complications.
>>> Most of those 5 temporary addresses will be "deprecated" ie
>>> hanging around for the use of existing connections, but not used
>>> for new ones. They definitely shouldn't appear, but I'm pretty
>>> convinced, unless anyone can come up with a good reason why not,
>>> that all privacy addresses should be elided, without exception.
>>> 
>>> I wonder, though, if that's only true for forward (ie AAAA)
>>> lookups. Should a reverse lookup on an old privacy address still
>>> yield the name of the host it belongs to?
>> 
>> Thanks, Simon. I’d agree that all the temporary addresses should be
>> skipped in forward resolution. In terms of reverse, I’d say there’s
>> a high amount of value in having at least the current temporary
>> address resolve to the correct host name. Temporary addresses are
>> often preferred for outbound connections, so if we don’t have
>> reverse resolution here then for example SSH is going to complain
>> that it can’t check reverse DNS. There’s probably some value in
>> reverse resolution for deprecated temporary addresses, for example
>> if you wanted to track down some client in your system logs from
>> several days ago, but it’s significantly lower. If that’s a large
>> amount of work, to me it’s something that wouldn’t be
>> top-priority.
>> 
>> Yours, ~ M.
>> 
>>> 
>>> 
>>> 
>>> Cheers,
>>> 
>>> Simon.
>>> 
>>> 

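The policy this thread settled on, and which the message above confirms the git fix implements, is: forward (AAAA) answers for an interface-name carry only the stable global addresses, while reverse lookups still resolve the temporary (privacy-extension) addresses, current or deprecated, so that SSH's reverse check and older log entries keep working. dnsmasq does this in C from the address flags it gets over netlink. As an added illustration of the same policy, and not dnsmasq's code, here it is applied in Python to the text of `ip -6 addr show` on Linux, where iproute2 prints the same flags (`temporary`, `deprecated`, `mngtmpaddr`). The interface output is constructed; the host name `host.lan` is a placeholder.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of `ip -6 addr show dev eth0` output (iproute2 format):
# one stable global address that manages a temporary one, one current
# temporary address, one deprecated temporary address, and the link-local.
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1::1234/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86393sec preferred_lft 14393sec
    inet6 2001:db8:1:0:a1b2:c3d4:e5f6:789a/64 scope global temporary dynamic
       valid_lft 86393sec preferred_lft 14393sec
    inet6 2001:db8:1:0:1111:2222:3333:4444/64 scope global temporary deprecated dynamic
       valid_lft 80000sec preferred_lft 0sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""


@dataclass(frozen=True)
class Inet6Addr:
    address: ipaddress.IPv6Address
    scope: str            # "global", "link", "host", ...
    flags: frozenset      # e.g. {"temporary", "deprecated", "dynamic", "mngtmpaddr"}


def parse_ip6_addr(text):
    """Parse the 'inet6 ADDR/PLEN scope SCOPE FLAGS...' lines of `ip -6 addr`."""
    addrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "inet6" or parts[2] != "scope":
            continue
        addr = ipaddress.IPv6Interface(parts[1]).ip
        addrs.append(Inet6Addr(addr, parts[3], frozenset(parts[4:])))
    return addrs


def forward_answers(addrs):
    """Addresses to return for a forward (AAAA) query on the interface name:
    global scope only, and neither temporary (privacy) nor deprecated, so a
    client always connects to the one stable address."""
    return [a.address for a in addrs
            if a.scope == "global" and not (a.flags & {"temporary", "deprecated"})]


def reverse_map(hostname, addrs):
    """PTR data for reverse lookups: every global address, temporary ones
    included, maps back to the host name, so connections made from a privacy
    address still reverse-resolve; deprecated ones are kept as well since they
    are what older logs contain. Link-local addresses are not published."""
    return {a.address.reverse_pointer: hostname
            for a in addrs if a.scope == "global"}


if __name__ == "__main__":
    addrs = parse_ip6_addr(SAMPLE_IP6_ADDR)
    print("AAAA:", [str(a) for a in forward_answers(addrs)])
    for ptr, name in reverse_map("host.lan", addrs).items():
        print("PTR:", ptr, "->", name)
```

Feeding it live output (`ip -6 addr show dev eth0`) on a host with use_tempaddr=2 shows the rotating cast directly: only the `mngtmpaddr` address ever appears in the forward list, however many temporaries have accumulated.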

Re: [Dnsmasq-discuss] interface-name and IPv6 temporary addresses

2014-12-01 Thread Michael Gorbach
On Nov 30, 2014, at 11:17 AM, Simon Kelley  wrote:
> 
> On 29/11/14 19:18, Michael Gorbach wrote:
>> Hi All,
>> 
>> I've got a question and potential enhancement request. It looks like
>> right now, the (very useful) interface-name feature pulls all
>> (global) addresses from the interface. One of my machines uses IPv6
>> privacy extensions (known in Linux as use_tempaddr), which means that
>> in addition to link-local and permanent global addresses, it has a
>> rotating cast of ~ 5 temporary addresses. I suggest that dnsmasq
>> should detect those temporary addresses and not return them for
>> queries that would otherwise hit interface-name. Returning them as it
>> does now means > 5 AAAA records for a single name, which causes
>> repeated confusion due to things like SSH warning about an unknown
>> host because it has suddenly picked a previously-unknown temporary
>> address to connect to. Thoughts?
>> 
> 
> Sounds like a sensible suggestion. This facility was added before I was
> really familiar with IPv6 and all its extra complications. Most of those
> 5 temporary addresses will be "deprecated" ie hanging around for the use
> of existing connections, but not used for new ones. They definitely
> shouldn't appear, but I'm pretty convinced, unless anyone can come up
> with a good reason why not, that all privacy addresses should be elided,
> without exception.
> 
> I wonder, though, if that's only true for forward (ie AAAA) lookups.
> Should a reverse lookup on an old privacy address still yield the name
> of the host it belongs to?

Thanks, Simon.
I’d agree that all the temporary addresses should be skipped in forward 
resolution. In terms of reverse, I’d say there’s a high amount of value in 
having at least the current temporary address resolve to the correct host name. 
Temporary addresses are often preferred for outbound connections, so if we 
don’t have reverse resolution here then for example SSH is going to complain 
that it can’t check reverse DNS.
There’s probably some value in reverse resolution for deprecated temporary 
addresses, for example if you wanted to track down some client in your system 
logs from several days ago, but it’s significantly lower. If that’s a large 
amount of work, to me it’s something that wouldn’t be top-priority.

Yours,
~ M.

> 
> 
> 
> Cheers,
> 
> Simon.
> 
> 


[Dnsmasq-discuss] interface-name and IPv6 temporary addresses

2014-11-29 Thread Michael Gorbach
Hi All,

I've got a question and potential enhancement request. It looks like right now, 
the (very useful) interface-name feature pulls all (global) addresses from the 
interface. One of my machines uses IPv6 privacy extensions (known in Linux as 
use_tempaddr), which means that in addition to link-local and permanent global 
addresses, it has a rotating cast of ~ 5 temporary addresses. I suggest that 
dnsmasq should detect those temporary addresses and not return them for queries 
that would otherwise hit interface-name. Returning them as it does now means > 
5 AAAA records for a single name, which causes repeated confusion due to things 
like SSH warning about an unknown host because it has suddenly picked a 
previously-unknown temporary address to connect to. Thoughts?

Yours,
~ Michael Gorbach



[Dnsmasq-discuss] Vulnerability to hack DNSMASQ?

2014-11-28 Thread Michael Rack
> 91.205.14.65:domain <=> 72.194.79.40:36142   67B  268b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:8859    67B  268b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:13960   67B  268b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:55017   67B  268b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:61910   67B  268b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:2498    67B  268b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:23665   67B  268b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:39752  134B    0b  107b  27b
> 91.205.14.65:domain <=> 72.194.79.40:60709  134B    0b   54b  27b
> 91.205.14.65:domain <=> 72.194.79.40:64920  134B    0b   54b  27b
> 91.205.14.65:domain <=> 72.194.79.40:29023   67B    0b   54b  13b
> 91.205.14.65:domain <=> 72.194.79.40:47383   67B    0b   54b  13b

Why are there so many different ports that dnsmasq is connected to?

I run dnsmasq version 2.59rc1. After stopping the process, it took over
8 minutes before the traffic stopped passing my WAN interface.

Kind regards from Freilassing,

Michael Rack
RSM Freilassing
-- 
RSM Freilassing Tel.: +49 8654 607110
Nocksteinstr. 13Fax.: +49 8654 670438
D-83395 Freilassingwww.rsm-freilassing.de 



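What the list above shows is one remote host reaching port 53 from a dozen different source ports inside the monitoring window. A DNS query normally goes out from a fresh ephemeral port, so a stub resolver, or a NAT gateway with several clients behind it, produces exactly this picture; so does something probing the server or trying to use it as a reflector. The port numbers themselves therefore say little; the figures worth watching are distinct source ports and bytes per peer. The block below is an added example, not part of the post or of dnsmasq: it parses lines in the shape quoted above (the sample is constructed from the post's twelve flows plus a made-up second peer, 198.51.100.7), aggregates them per remote address and lists the peers above a threshold as a triage queue. Whichever it turns out to be, dnsmasq only answers on the WAN address if it is allowed to listen there: `interface=` / `except-interface=` together with `bind-interfaces` restrict that.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the iftop lines quoted in the post: the
# twelve 72.194.79.40 flows from the post plus two flows from a made-up peer.
SAMPLE_IFTOP = """\
91.205.14.65:domain <=> 72.194.79.40:36142   67B  268b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:8859    67B  268b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:13960   67B  268b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:55017   67B  268b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:61910   67B  268b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:2498    67B  268b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:23665   67B  268b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:39752  134B    0b  107b  27b
91.205.14.65:domain <=> 72.194.79.40:60709  134B    0b   54b  27b
91.205.14.65:domain <=> 72.194.79.40:64920  134B    0b   54b  27b
91.205.14.65:domain <=> 72.194.79.40:29023   67B    0b   54b  13b
91.205.14.65:domain <=> 72.194.79.40:47383   67B    0b   54b  13b
91.205.14.65:domain <=> 198.51.100.7:53211   67B  268b   54b  13b
91.205.14.65:domain <=> 198.51.100.7:53211  134B    0b   54b  27b
"""

FLOW_RE = re.compile(
    r"^(?P<lhost>\S+?):(?P<lport>\S+)\s*<=>\s*"
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<pport>\d+)\s+"
    r"(?P<total>\S+)\s+(?P<rates>.+)$")

_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def parse_size(token):
    """'67B' -> 67, '1.5KB' -> 1536; anything unparseable counts as 0."""
    m = re.fullmatch(r"([\d.]+)([KMG]?B)", token)
    return int(float(m.group(1)) * _UNITS[m.group(2)]) if m else 0


def parse_iftop(text):
    """(peer_ip, peer_port, cumulative_bytes) for each flow line."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append((m["peer"], int(m["pport"]), parse_size(m["total"])))
    return flows


def summarize(flows):
    """Per-peer view: distinct source ports, flow count, bytes seen."""
    peers = defaultdict(lambda: {"ports": set(), "flows": 0, "bytes": 0})
    for peer, port, nbytes in flows:
        p = peers[peer]
        p["ports"].add(port)
        p["flows"] += 1
        p["bytes"] += nbytes
    return dict(peers)


def flag_port_spray(summary, min_ports=8):
    """Peers that reached the DNS port from at least `min_ports` distinct
    source ports in the window. A stub resolver or NAT gateway legitimately
    looks like this (one fresh port per query); a scanner or a reflection
    probe also does, so the result is a triage queue, not a verdict."""
    return sorted(peer for peer, p in summary.items() if len(p["ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize(parse_iftop(SAMPLE_IFTOP))
    for peer in flag_port_spray(summary):
        p = summary[peer]
        print(f"{peer}: {len(p['ports'])} source ports, {p['flows']} flows, {p['bytes']} bytes")
```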

[Dnsmasq-discuss] RSA/SHA1-NSEC3-SHA1 signature bug?

2014-10-21 Thread Michael Tremer
Hello fellow dnsmasq users,

there is a topic on the IPFire support forums I would like to point you
to:

  http://forum.ipfire.org/index.php?topic=11726.0

It appears that dnsmasq cannot verify resource records of a
DNSSEC-enabled domain. That domain uses RSA/SHA1-NSEC3-SHA1 for its
signatures. Although there is some code in dnsmasq that is supposed to
handle this, it does not verify the records correctly.

Did anyone else experience this problem? Is it a bug with dnsmasq or the
authoritative name servers of that domain?

Best,
-Michael



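Simon's later replies in this thread trace the failure on the domain from the IPFire forum to the combination of NSEC3 and wildcards, fixed in git HEAD / 2.73test2. To make concrete what a validator has to get right there, here is an added example (mine, not dnsmasq's code): the RFC 5155 owner-name hash, the cover test with its wrap-around at the end of the chain, the closest-encloser walk, and the name-error proof, which additionally requires the wildcard at the closest encloser to be covered rather than matched. The salt and iteration count are those of RFC 5155 Appendix A, which lets the hash be checked against the `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom` owner name printed there; the zone contents used for the chain are constructed. Only hash algorithm 1 (SHA-1) exists for NSEC3, which is why a zone signed with RSA/SHA1-NSEC3-SHA1 (DNSKEY algorithm 7) still carries SHA-1 hashed NSEC3 owners.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 s7); Python's b32encode emits the
# standard alphabet, so translate it.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, uncompressed."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations, algorithm=1):
    """NSEC3 hash of `name` (RFC 5155 s5): SHA-1(name||salt), then `iterations`
    further rounds of SHA-1(prev||salt), returned as lowercase base32hex."""
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_covers(owner, next_owner, target):
    """True if the NSEC3 RR with this owner/next pair proves the hashed name
    `target` does not exist: target lies strictly between the two hashes, with
    the last RR of the chain wrapping round to the first."""
    owner, next_owner, target = owner.lower(), next_owner.lower(), target.lower()
    if owner < next_owner:
        return owner < target < next_owner
    return target > owner or target < next_owner


def build_chain(names, salt_hex, iterations):
    """Hashed-order chain {owner_hash: next_hash} for a constructed zone."""
    hashes = sorted(nsec3_hash(n, salt_hex, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def closest_encloser(qname, chain, salt_hex, iterations):
    """Walk up from qname to the first ancestor whose hash matches an NSEC3
    owner. Returns (closest_encloser, next_closer); next_closer is None when
    qname itself exists, both are None when nothing matches."""
    labels = qname.rstrip(".").split(".")
    child = None
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if nsec3_hash(name, salt_hex, iterations) in chain:
            return name, child
        child = name
    return None, None


def wildcard_denied(qname, chain, salt_hex, iterations):
    """Name-error proof with NSEC3 (RFC 5155 s8.4): the closest encloser
    matches, the next closer name is covered, and *.<closest encloser> is
    covered too. If that wildcard is matched instead of covered, the name
    exists by synthesis and the answer must come from the wildcard; a
    validator that confuses the two cases gets the result wrong."""
    ce, nc = closest_encloser(qname, chain, salt_hex, iterations)
    if ce is None or nc is None:
        return False
    nc_hash = nsec3_hash(nc, salt_hex, iterations)
    wc_hash = nsec3_hash("*." + ce, salt_hex, iterations)
    covered = lambda h: any(nsec3_covers(o, n, h) for o, n in chain.items())
    return covered(nc_hash) and covered(wc_hash)


if __name__ == "__main__":
    SALT, ITER = "aabbccdd", 12          # parameters of RFC 5155 Appendix A
    print(nsec3_hash("example", SALT, ITER))
    chain = build_chain(["example.", "a.example.", "ns1.example.", "www.example."], SALT, ITER)
    print(wildcard_denied("x.y.example.", chain, SALT, ITER))
```

The worked case to keep in mind is the last assertion below: add `*.example.` to the zone and the same query for `x.y.example.` is no longer a name error, because the wildcard hash now matches an owner instead of falling between two of them.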

Re: [Dnsmasq-discuss] add dynamic IPv6 to DNS

2014-10-15 Thread Michael Kuehn

Hi,

thank you very much. I already studied the manpage, but didn't see it. It works 
like a charm.

Thank you again.

On 15 October 2014 at 20:56, Mathias Kresin wrote:

> 2014-10-15 19:46 GMT+02:00 Michael Kuehn:
> > Hi,
> >
> > I have the following situation. My router has a static IPv4 address. I add
> > the static IPv4 address into the hosts-File with the hostname "router" so
> > that dnsmasq can resolve my router's IP.
> >
> > Now with IPv6, my router gets the IP via DHCP so I can't hardcode it into
> > the hosts-File. How can I add a (dynamic) IP address as an AAAA-Record for
> > my router?
>
> After checking the manual (!), the dnsmasq option "--interface-name"
> looks like a suitable candidate. Using this option, you can drop the
> v4 address in your host file as well.
>
> Regards


[Dnsmasq-discuss] add dynamic IPv6 to DNS

2014-10-15 Thread Michael Kuehn

Hi,

I have the following situation. My router has a static IPv4 address. I add the static 
IPv4 address into the hosts-File with the hostname "router" so that dnsmasq can 
resolve my router's IP.

Now with IPv6, my router gets the IP via DHCP so I can't hardcode it into the 
hosts-File. How can I add a (dynamic) IP address as an AAAA-Record for my 
router?

Thank you.


Re: [Dnsmasq-discuss] DNSMasq does not resolv *.org domains

2014-08-20 Thread Michael Tremer
On Wed, 2014-08-20 at 19:54 +0100, Simon Kelley wrote:
> On 20/08/14 14:28, Michael Tremer wrote:
> > Hello list,
> > 
> > I think I might have some very similar problem here. It is not specific
> > to dnsmasq. The result is the same to what Conrad has reported.
> > 
> > When ever dnsmasq is running with DNSSEC enabled, I cannot resolve any
> > DNSSEC-enabled domain. Zones that do not have DNSSEC work as usual.
> > 
> > When tracing with tcpdump what is happening, I can easily see that
> > dnsmasq (or dig [1]) is walking through that DNSSEC key chain and
> > resolving one after an other. I am trying to resolve www.ipfire.org for
> > example here. It all gets stuck when dnsmasq tries to fetch the DNSKEY
> > record of the root zone.
> > 
> > 15:16:58.135942 IP 93.200.64.128.46432 > 178.63.73.246.53: 12823+ [1au] 
> > DNSKEY? ipfire.org. (39)
> > 15:16:58.170687 IP 178.63.73.246.53 > 93.200.64.128.46432: 12823$ 2/0/1 
> > DNSKEY, DNSKEY (463)
> > 15:17:07.449158 IP 93.200.64.128.37448 > 178.63.73.246.53: 54451+ [1au] A? 
> > www.ipfire.org. (43)
> > 15:17:07.483714 IP 178.63.73.246.53 > 93.200.64.128.37448: 54451$ 4/0/1 
> > CNAME web01.ipfire.org., RRSIG, A 178.63.73.246, RRSIG (419)
> > 15:17:07.505287 IP 93.200.64.128.56633 > 178.63.73.246.53: 47477+ [1au] 
> > DNSKEY? ipfire.org. (39)
> > 15:17:07.541306 IP 178.63.73.246.53 > 93.200.64.128.56633: 47477$ 3/0/1 
> > DNSKEY, DNSKEY, RRSIG (761)
> > 15:17:07.542774 IP 93.200.64.128.45576 > 178.63.73.246.53: 58759+ [1au] DS? 
> > ipfire.org. (39)
> > 15:17:07.576272 IP 178.63.73.246.53 > 93.200.64.128.45576: 58759$ 2/0/1 DS, 
> > RRSIG (238)
> > 15:17:07.582642 IP 93.200.64.128.43441 > 178.63.73.246.53: 42710+ [1au] 
> > DNSKEY? org. (32)
> > 15:17:07.617901 IP 178.63.73.246.53 > 93.200.64.128.43441: 42710$ 7/0/1 
> > DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, RRSIG, RRSIG[|domain]
> > 15:17:07.618604 IP 93.200.64.128.51370 > 178.63.73.246.53: 53036+ [1au] DS? 
> > org. (32)
> > 15:17:07.649326 IP 178.63.73.246.53 > 93.200.64.128.51370: 53036$ 3/0/1 DS, 
> > DS, RRSIG (275)
> > 15:17:07.651213 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] 
> > DNSKEY? . (28)
> > 15:17:12.652416 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] 
> > DNSKEY? . (28)
> > 15:17:17.657531 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] 
> > DNSKEY? . (28)
> > 
> > I am operating the resolver and tried to figure out why that query is
> > never answered. At first I suspected some MTU problem which seems to be
> > just false. The query never reaches my resolver (also works when I use
> > other name servers like 8.8.8.8). I can resolve anything I want except
> > any records of the root zone. Not even the SOA. When I use TCP, I can
> > get the DNSKEYs, but that is nothing that I want to use by default for
> > the obvious reasons.
> > 
> > This is a system connected to the Internet via a DSL link from Deutsche
> > Telekom AG. I have access to multiple places with the same connection
> > and they all work except this one. I wonder if Conrad is experiencing
> > exactly the same or if someone else has ever experienced some similar
> > problem. DNSSEC is basically not usable here.
> 
> Are you saying that the DNSKEY query for the root works when sent to
> 8.8.8.8, but fails when sent to 178.63.73.246. In that case the problem
> is likely to be 178.63.73.246. If both fail, then it's possible your ISP
> is doing bad things with packets to port 53.

It fails for *both* name servers and all others that I tested. I suspect
that the ISP is doing some weird things and I just wanted to know if
that ever happened to someone else, too.

> From here,
> 
> dig @178.63.73.246 dnskey .
> 
> Seems to work fine.

Yes, works from my home and everywhere else. So I don't think that there
is anything wrong with that name server.

> Cheers,
> 
> Simon.
> 
> > 
> > -Michael
> > 
> > [1] dig @178.63.73.246 DNSKEY .
> > 
> > On Mon, 2014-08-18 at 22:03 +0100, Simon Kelley wrote:
> >> On 18/08/14 21:37, Conrad Kostecki wrote:
> >>> Bingo! That seems to be the cause. When I disable dnssec, its working 
> >>> fine. When I enable it again, it’s failing again on *.org domains.
> >>> Why? Do you have some explanation?
> >>
> >> Well, if dnssec is enabled in dnsmasq it needs to do load of extra
> >> queries to do the validation, so one of them may be failing.
> >>
> >> What happens if you do the queries direct to the google servers, but as

Re: [Dnsmasq-discuss] DNSMasq does not resolv *.org domains

2014-08-20 Thread Michael Tremer
Hello list,

I think I might have some very similar problem here. It is not specific
to dnsmasq. The result is the same to what Conrad has reported.

When ever dnsmasq is running with DNSSEC enabled, I cannot resolve any
DNSSEC-enabled domain. Zones that do not have DNSSEC work as usual.

When tracing with tcpdump what is happening, I can easily see that
dnsmasq (or dig [1]) is walking through that DNSSEC key chain and
resolving one after an other. I am trying to resolve www.ipfire.org for
example here. It all gets stuck when dnsmasq tries to fetch the DNSKEY
record of the root zone.

15:16:58.135942 IP 93.200.64.128.46432 > 178.63.73.246.53: 12823+ [1au] DNSKEY? 
ipfire.org. (39)
15:16:58.170687 IP 178.63.73.246.53 > 93.200.64.128.46432: 12823$ 2/0/1 DNSKEY, 
DNSKEY (463)
15:17:07.449158 IP 93.200.64.128.37448 > 178.63.73.246.53: 54451+ [1au] A? 
www.ipfire.org. (43)
15:17:07.483714 IP 178.63.73.246.53 > 93.200.64.128.37448: 54451$ 4/0/1 CNAME 
web01.ipfire.org., RRSIG, A 178.63.73.246, RRSIG (419)
15:17:07.505287 IP 93.200.64.128.56633 > 178.63.73.246.53: 47477+ [1au] DNSKEY? 
ipfire.org. (39)
15:17:07.541306 IP 178.63.73.246.53 > 93.200.64.128.56633: 47477$ 3/0/1 DNSKEY, 
DNSKEY, RRSIG (761)
15:17:07.542774 IP 93.200.64.128.45576 > 178.63.73.246.53: 58759+ [1au] DS? 
ipfire.org. (39)
15:17:07.576272 IP 178.63.73.246.53 > 93.200.64.128.45576: 58759$ 2/0/1 DS, 
RRSIG (238)
15:17:07.582642 IP 93.200.64.128.43441 > 178.63.73.246.53: 42710+ [1au] DNSKEY? 
org. (32)
15:17:07.617901 IP 178.63.73.246.53 > 93.200.64.128.43441: 42710$ 7/0/1 DNSKEY, 
DNSKEY, DNSKEY, DNSKEY, RRSIG, RRSIG, RRSIG[|domain]
15:17:07.618604 IP 93.200.64.128.51370 > 178.63.73.246.53: 53036+ [1au] DS? 
org. (32)
15:17:07.649326 IP 178.63.73.246.53 > 93.200.64.128.51370: 53036$ 3/0/1 DS, DS, 
RRSIG (275)
15:17:07.651213 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? 
. (28)
15:17:12.652416 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? 
. (28)
15:17:17.657531 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? 
. (28)

I am operating the resolver and tried to figure out why that query is
never answered. At first I suspected some MTU problem which seems to be
just false. The query never reaches my resolver (also works when I use
other name servers like 8.8.8.8). I can resolve anything I want except
any records of the root zone. Not even the SOA. When I use TCP, I can
get the DNSKEYs, but that is nothing that I want to use by default for
the obvious reasons.

This is a system connected to the Internet via a DSL link from Deutsche
Telekom AG. I have access to multiple places with the same connection
and they all work except this one. I wonder if Conrad is experiencing
exactly the same or if someone else has ever experienced some similar
problem. DNSSEC is basically not usable here.

-Michael

[1] dig @178.63.73.246 DNSKEY .

On Mon, 2014-08-18 at 22:03 +0100, Simon Kelley wrote:
> On 18/08/14 21:37, Conrad Kostecki wrote:
> > Bingo! That seems to be the cause. When I disable dnssec, its working fine. 
> > When I enable it again, it’s failing again on *.org domains.
> > Why? Do you have some explanation?
> 
> Well, if dnssec is enabled in dnsmasq it needs to do load of extra
> queries to do the validation, so one of them may be failing.
> 
> What happens if you do the queries direct to the google servers, but ask
> for dnsmasq validation?
> 
> dig +dnssec domain.org
> 
> 
> The most useful information at this point would be the logs after
> enabling dnssec and log-queries. That would tell us which DNSSEC queries
> are timing out.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> > 
> > Conrad
> > 
> > From: sven falempin [mailto:sven.falem...@gmail.com]
> > Sent: Thursday, 14 August 2014 23:08
> > To: Conrad Kostecki
> > Subject: Re: [Dnsmasq-discuss] DNSMasq does not resolv *.org domains
> > 
> > what bout sending the dnsmasq conf... maybe dnssec ?
> > 
> > and look at your logs
> > 
> > 
> > On Thu, Aug 14, 2014 at 4:47 PM, Conrad Kostecki 
> > mailto:c...@conrad-kostecki.de>> wrote:
> > Hi!
> > I am having a very strange problem. I am unable to resolve any *.org 
> > domains via DNSMasq.
> > My currently used DNSMasq is 2.72test3-7-g993f8cb. The problem happens only 
> > within DNSMasq.
> > 
> > Galactica # cat /etc/resolv.conf
> > nameserver 127.0.0.1
> > nameserver ::1
> > nameserver 8.8.8.8
> > nameserver 8.8.4.4
> > nameserver 2001:4860:4860::
> > nameserver 2001:4860:4860::8844
> > 
> > As you see, there is localhost in first two lines defined and then the 
> > Google DNS servers, which DNSMasq should use.
> > It's pretty funny, that DNSMasq just says, it can't r

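The trace in the message above (and the reply quoting it further up) has the shape of a UDP-size problem rather than a server problem: every query in the chain is answered except `DNSKEY .`, whose reply is the largest, and that one does arrive over TCP. The usual cause is a middlebox or ISP path that drops fragmented UDP or large EDNS0 replies, so the first check is whether the same query succeeds with a smaller advertised buffer size. The block below is an added probe, not dnsmasq code: it builds the same query a validating resolver sends (`DNSKEY` for the root, EDNS0 OPT record, DO bit), tries it over UDP at 4096, 1232 and 512 bytes, then over TCP, and classifies each result. The packet builder is checked offline against the sizes tcpdump printed in the trace, 28 bytes for `DNSKEY? .` and 39 for `DNSKEY? ipfire.org.`; the two sample reply headers are constructed. The resolver address is a command-line argument and port 53 must be reachable over both transports.

```python
import socket
import struct

DNSKEY = 48          # RR type the validator fetches for every zone in the chain
OPT = 41             # EDNS0 pseudo-RR type
EDNS_DO = 0x8000     # "DNSSEC OK" bit in the OPT TTL field


def encode_name(name):
    """Uncompressed wire form; '.' (the root) is a single zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(qname, qtype, qid=0x1234, edns=True, udp_size=4096, do=True):
    """Recursive query for qname/qtype, optionally with an EDNS0 OPT record
    advertising `udp_size` and the DO bit, as a validating resolver sends it."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)            # class IN
    opt = b""
    if edns:
        # OPT: root name, TYPE 41, CLASS = requestor's UDP payload size,
        # TTL = ext-rcode | version | flags (DO is the top flag bit), RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, EDNS_DO if do else 0, 0)
    return header + question + opt


def parse_header(msg):
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F,
            "answers": an, "additional": ar}


def classify(udp_reply):
    """Map a UDP result onto the next diagnostic step."""
    if udp_reply is None:
        return "udp-timeout"              # what the trace shows for 'DNSKEY .'
    h = parse_header(udp_reply)
    if h["tc"]:
        return "truncated-retry-tcp"      # server wants TCP for this answer
    if h["rcode"] != 0:
        return "rcode-%d" % h["rcode"]
    return "ok"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed mid-message")
        buf += chunk
    return buf


def query_udp(server, packet, timeout=5.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            return s.recvfrom(65535)[0]
        except socket.timeout:
            return None


def query_tcp(server, packet, timeout=5.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(packet)) + packet)   # 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, qname=".", qtype=DNSKEY):
    """UDP at 4096, 1232 and 512 bytes advertised, then TCP. A reply that only
    arrives at the small sizes or over TCP points at large or fragmented UDP
    being dropped on the path rather than at the server itself."""
    results = []
    for size in (4096, 1232, 512):
        reply = query_udp(server, build_query(qname, qtype, udp_size=size))
        results.append(("udp", size, classify(reply)))
    tcp = query_tcp(server, build_query(qname, qtype))
    results.append(("tcp", None, "ok(%d answers)" % parse_header(tcp)["answers"]))
    return results


# Constructed 12-byte reply headers for offline checks: a validated answer
# carrying two DNSKEY RRs (QR, RD, RA, AD set), and a truncated one (TC set).
SAMPLE_REPLY_OK = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
SAMPLE_REPLY_TC = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: %s <resolver-ip>" % sys.argv[0])
    for transport, size, result in probe(sys.argv[1]):
        print(transport, size or "", result)
```

Reading the output: "udp-timeout" at 4096 but "ok" at 1232 or 512 means the path drops the big reply and dnsmasq's retries at the same size will never succeed; a timeout at every size with TCP working is the stronger claim the message above makes, and then only the resolver's network path (or the ISP) is left to look at.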
Re: [Dnsmasq-discuss] [PATCH] Support for reading the ISC dhcp lease file

2014-07-31 Thread Michael Tremer
Hello Simon,

thanks for your reply.

On Wed, 2014-07-30 at 22:24 +0100, Simon Kelley wrote:
> On 30/07/14 11:51, Michael Tremer wrote:
> > Hello fellow dnsmasq users,
> > 
> > I am working on the free firewall distribution called IPFire
> > (www.ipfire.org) and inside of that distribution, dnsmasq is used as a
> > DNS proxy. For the DHCP services, we use the ISC dhcp daemon.
> > 
> > In the past, dnsmasq supported importing the leases from the ISC dhcpd
> > lease file which then was unfortunately removed because the code was
> > unmaintainable. I am not fully aware of the reasons.
> 
> The reason was very simple. The first versions of dnsmasq were just DNS
> forwarders, nothing to do with DHCP. Then the ability to read ISC lease
> files was added, which allowed DHCP-allocated addresses to be added to
> the DNS. This was a good idea, but a bit of a hack, so instead, long
> ago, the DHCP server code was added to dnsmasq, with integration with
> the DNS side. Finally, after plenty of warning, the now redundant
> ISC-leasefile reading code was removed.

Makes perfect sense.

> We've seen calls to add this code back before, but the question which
> I've never seen answered is why it's necessary to use the ISC server and
> not the built-in dnsmasq one. The DHCP code in dnsmasq is now very
> mature, and I'm not aware of anything it can't do that the ISC code can,
> in the niche where dnsmasq is appropriate.
> 
> If I knew of a good reason to favour the ISC dhcpd over the dnsmasq one,
> I'd be in a better position to judge if this patch is a good idea.

The reason why we use the ISC dhcp server is basically our history. The
web user interface is writing configuration files for ISC dhcpd and we
didn't really want to rework that when dnsmasq supported DHCP.

You are probably right that dnsmasq comes with everything you need. I am
not sure about the latest IPv6 developments and if it supports pools and
steering some devices identified by their MAC addresses into those
pools. Those features are certainly ones that the vast majority of
dnsmasq users don't need or use. I cannot name *the* reason why ISC
dhcp is superior - it isn't. It might have some features that dnsmasq
does not have and dnsmasq might have some features that ISC dhcp does
not have.

My personal reason is that I find the configuration file of the ISC dhcp
daemon much better to read/write. dnsmasq is not that intuitive.

So there is no major technical reason that springs to mind. It's mainly
personal preference. I don't really know if that is sufficient to
include the code. It would be a unique feature of dnsmasq that I
couldn't find in any of the alternatives.

> > Our workaround was to stick with a very old version of dnsmasq. Now that
> > there are things like DNSSEC and that backporting security fixes is not
> > a pleasant thing to do, I took the old code and made it work with the
> > current master branch.
> > 
> > I started with the old code from John Volpe and Simon and cleaned it up
> > step by step. Some things like parsing the date were unnecessarily
> > complicated and I think that the attached patch is much cleaner. It has
> > been tested a lot by our community and is working well.
> > 
> > There is also a git branch where you can pull my changes from:
> > 
> >   http://git.ipfire.org/?p=people/ms/dnsmasq.git;a=shortlog;h=refs/heads/dhcp-lease
> > 
> > I would really like to see this included in dnsmasq. There are also
> > various bugs in the bugtrackers of various distributions like Debian and
> > so on.
> > 
> > Maybe we can work out the problems and get this merged.
> 
> It looks like a good basis for adding the feature, but let's decide if
> it's a good feature to have, first.

Good plan.

-Michael

> 
> 
> Cheers,
> 
> Simon.
> 
> > 
> > Best,
> > -Michael
> > 
> > 
> > 
> > 
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




[Dnsmasq-discuss] [PATCH] Support for reading the ISC dhcp lease file

2014-07-30 Thread Michael Tremer
Hello fellow dnsmasq users,

I am working on the free firewall distribution called IPFire
(www.ipfire.org) and inside of that distribution, dnsmasq is used as a
DNS proxy. For the DHCP services, we use the ISC dhcp daemon.

In the past, dnsmasq supported importing the leases from the ISC dhcpd
lease file which then was unfortunately removed because the code was
unmaintainable. I am not fully aware of the reasons.

Our workaround was to stick with a very old version of dnsmasq. Now that
there are things like DNSSEC and that backporting security fixes is not
a pleasant thing to do, I took the old code and made it work with the
current master branch.

I started with the old code from John Volpe and Simon and cleaned it up
step by step. Some things like parsing the date were unnecessarily
complicated and I think that the attached patch is much cleaner. It has
been tested a lot by our community and is working well.

There is also a git branch where you can pull my changes from:

  http://git.ipfire.org/?p=people/ms/dnsmasq.git;a=shortlog;h=refs/heads/dhcp-lease

I would really like to see this included in dnsmasq. There are also
various bugs in the bugtrackers of various distributions like Debian and
so on.

Maybe we can work out the problems and get this merged.

Best,
-Michael




diff --git a/Makefile b/Makefile
index 292c8bd..5e0cdbe 100644
--- a/Makefile
+++ b/Makefile
@@ -69,7 +69,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \
dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
-   domain.o dnssec.o blockdata.o
+   domain.o dnssec.o blockdata.o isc.o
 
 hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
dns-protocol.h radv-protocol.h ip6addr.h
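Review bot: isc.o is added to objs unconditionally, but nothing in the visible part of the patch defines HAVE_ISC_READER (no config.h change is shown), so the guarded code added to cache.c, dnsmasq.c and dnsmasq.h compiles out unless the builder already knows to set it; add the config.h define (or document the required COPTS) so the feature can actually be enabled.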
diff --git a/src/cache.c b/src/cache.c
index 5cec918..1f5657f 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -17,7 +17,7 @@
 #include "dnsmasq.h"
 
 static struct crec *cache_head = NULL, *cache_tail = NULL, **hash_table = NULL;
-#ifdef HAVE_DHCP
+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
 static struct crec *dhcp_spare = NULL;
 #endif
 static struct crec *new_chain = NULL;
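Review bot: the `#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)` guard around dhcp_spare is repeated verbatim for a_record_from_hosts in the cache_reload hunk below; define one derived macro in dnsmasq.h and use it in both places so the two guards cannot drift apart when a third consumer appears.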
@@ -222,6 +222,9 @@ static void cache_free(struct crec *crecp)
   crecp->flags &= ~F_BIGNAME;
 }
 
+  if (crecp->flags & F_DHCP)
+free(crecp->name.namep);
+
 #ifdef HAVE_DNSSEC
   cache_blockdata_free(crecp);
 #endif
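Review bot: the new `if (crecp->flags & F_DHCP) free(crecp->name.namep);` in cache_free is compiled unconditionally, but the matching `strdup(host_name)` in cache_add_dhcp_entry is only compiled under HAVE_ISC_READER; in a plain HAVE_DHCP build name.namep still aliases host_name, memory the cache does not own, so cache_free would free the lease code's buffer. Wrap this free in the same `#ifdef HAVE_ISC_READER` as the strdup, or strdup and free in all builds, but keep the two sides symmetric.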
@@ -1110,7 +1113,7 @@ void cache_reload(void)
   total_size = read_hostsfile(ah->fname, ah->index, total_size, (struct 
crec **)daemon->packet, revhashsz);
 } 
 
-#ifdef HAVE_DHCP
+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
 struct in_addr a_record_from_hosts(char *name, time_t now)
 {
   struct crec *crecp = NULL;
@@ -1188,7 +1191,7 @@ void cache_add_dhcp_entry(char *host_name, int prot,
   addrlen = sizeof(struct in6_addr);
 }
 #endif
-  
+
   inet_ntop(prot, host_address, daemon->addrbuff, ADDRSTRLEN);
   
   while ((crec = cache_find_by_name(crec, host_name, 0, flags | F_CNAME)))
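Review bot: this hunk only strips trailing whitespace from a blank line in cache_add_dhcp_entry; unrelated whitespace churn makes a feature patch noisier to review and is better kept in a separate cleanup commit.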
@@ -1253,7 +1256,11 @@ void cache_add_dhcp_entry(char *host_name, int prot,
   else
crec->ttd = ttd;
   crec->addr.addr = *host_address;
+#ifdef HAVE_ISC_READER
+  crec->name.namep = strdup(host_name);
+#else
   crec->name.namep = host_name;
+#endif
   crec->uid = next_uid();
   cache_hash(crec);
 
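Review bot: `crec->name.namep = strdup(host_name);` has no NULL check, so an allocation failure leaves the cache entry with a NULL name that later lookups will dereference; check the return value and bail out of the entry as the surrounding code does for other failures. Note also that with both HAVE_DHCP and HAVE_ISC_READER defined every DHCP-lease name now gets its own heap copy, which is fine only as long as cache_free (see the earlier hunk) remains the single owner that frees it.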
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 1c96a0e..156ac9a 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -934,6 +934,11 @@ int main (int argc, char **argv)
 
  poll_resolv(0, daemon->last_resolv != 0, now);  
  daemon->last_resolv = now;
+
+#ifdef HAVE_ISC_READER
+ if (daemon->lease_file && !daemon->dhcp)
+   load_dhcp(now);
+#endif
}
   
   if (FD_ISSET(piperead, &rset))
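Review bot: `load_dhcp(now)` is placed inside the poll_resolv block, so the ISC lease file is re-read on the resolv-file polling cadence and only when the built-in DHCP server is off (`!daemon->dhcp`); neither choice is explained, and a short comment stating both would save the next reader a trip through the git history. The body of load_dhcp is not in the visible part of the patch, so its handling of a partially written or malformed lease file could not be reviewed here.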
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 3032546..a40b2a9 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1447,3 +1447,8 @@ void slaac_add_addrs(struct dhcp_lease *lease, time_t 
now, int force);
 time_t periodic_slaac(time_t now, struct dhcp_lease *leases);
 void slaac_ping_reply(struct in6_addr *sender, unsigned char *packet, char 
*interface, struct dhcp_lease *leases);
 #endif
+
+/* isc.c */
+#ifdef HAVE_ISC_READER
+void load_dhcp(time_t now);
+#endif
diff --git a/src/isc.c b/src/isc.c
new file mode 100644
index 000..5106442
--- /dev/null
+++ b/src/isc.c
@@ -0,0 +1,251 @@
+/* dnsmasq is Copyright (c) 2014 John Volpe, Simon Kelley and
+ Michael Tremer
+
+  This program is free software; you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation; version 2 dated June, 1991, or
+  (at your option) version 3 dated 29 June, 2007.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; witho

Re: [Dnsmasq-discuss] converting ISC dhcpd.conf to dnsmasq

2014-05-24 Thread Michael

On 05/23/2014 06:42 PM, Linux Luser wrote:
Use the "set:tagname" option in your dhcp-host command. Then use that 
tag in its own dhcp-boot command to send a specific boot file to 
a specific host.



# PXE response for non-iPXE clients
dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-boot=tag:!ipxe,ipxe.pxe

# PXE response for host 'mythbed'
dhcp-host=bc:ee:7b:25:3b:15,*set:mythbed*,mythbed
tag-if=set:mythbed-ipxe,tag:ipxe,tag:mythbed
dhcp-boot=mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe

# PXE response for host 'mythliv'
dhcp-host=38:60:77:9c:6b:1d,*set:mythliv*,mythliv
tag-if=set:mythliv-ipxe,tag:ipxe,tag:mythliv
dhcp-boot=mythliv-ipxe,http://minimyth2/conf/mythbed/mythliv.ipxe


Using the 'tag-if' command, you can effectively combine two tags into 
one. But depending on your case, you might be able to omit this line 
and simply send the 'filename' DHCP field (which is what dhcp-boot 
does) for every DHCP request, regardless of whether it is during an iPXE boot 
or not.




Thanks, your example really helped me get it working.  Your example was 
only missing the tag on the dhcp-boot line.


# Special boot hosts
# PXE response for non-iPXE clients
dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-boot=tag:!ipxe,ipxe.pxe

# PXE response for host 'mythbed'
dhcp-host=bc:ee:7b:25:3b:15,set:mythbed,mythbed
tag-if=set:mythbed-ipxe,tag:ipxe,tag:mythbed
dhcp-boot=tag:mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe

# PXE response for host 'mythliv'
dhcp-host=38:60:77:9c:6b:1d,set:mythliv,mythliv
tag-if=set:mythliv-ipxe,tag:ipxe,tag:mythliv
dhcp-boot=tag:mythliv-ipxe,http://minimyth2/conf/mythliv/mythliv.ipxe

I really appreciate the help.  I can now EOL my local copy of tftp, 
bind, and dhcpd in favor of dnsmasq!


Michael
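The tag logic the reply walks through (dhcp-match and dhcp-host setting tags, tag-if combining them, dhcp-boot selecting on them) is easy to get subtly wrong, as the missing `tag:` prefix in this thread shows. The following is an added example, not code from the thread or from dnsmasq: it parses those four directives, computes the tag set a client would hold, lists every dhcp-boot line that applies, and flags the two slips seen on this list (a dhcp-boot whose first field is a tag name without `tag:`, and `tag=` written for `tag:`). It deliberately does not model which of several matching dhcp-boot lines dnsmasq finally picks; more than one match is the ambiguity behind the "options get overwritten" symptom, and tag-if is evaluated to a fixpoint rather than strictly in file order, a simplification.

```python
"""Check dnsmasq netboot tag logic before deploying it (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the working config from the reply, except that the
# last dhcp-boot line has the missing "tag:" prefix the reply points out.
SAMPLE_CONF = """
dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-boot=tag:!ipxe,ipxe.pxe
dhcp-host=bc:ee:7b:25:3b:15,set:mythbed,mythbed
tag-if=set:mythbed-ipxe,tag:ipxe,tag:mythbed
dhcp-boot=tag:mythbed-ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe
dhcp-host=38:60:77:9c:6b:1d,set:mythliv,mythliv
tag-if=set:mythliv-ipxe,tag:ipxe,tag:mythliv
dhcp-boot=mythliv-ipxe,http://minimyth2/conf/mythliv/mythliv.ipxe
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


@dataclass
class Config:
    hosts: dict = field(default_factory=dict)    # mac -> tags set via set:
    matches: list = field(default_factory=list)  # (tag, option number)
    tag_ifs: list = field(default_factory=list)  # (tag, [tag:... conditions])
    boots: list = field(default_factory=list)    # ([conditions], [value fields])
    warnings: list = field(default_factory=list)


def parse_conf(text):
    cfg = Config()
    for raw in text.splitlines():
        line = re.split(r"\s#", raw, maxsplit=1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = [f.strip() for f in value.split(",")]
        if "tag=" in line:   # common slip; dnsmasq only understands tag: / set:
            cfg.warnings.append(f"'tag=' is not dnsmasq syntax, use tag: in: {line}")
        if key == "dhcp-host":
            tags = {f[4:] for f in fields if f.startswith("set:")}
            for mac in (f for f in fields if MAC_RE.match(f)):
                cfg.hosts.setdefault(mac.lower(), set()).update(tags)
        elif key == "dhcp-match" and fields[0].startswith("set:"):
            opt = int(fields[1]) if fields[1].isdigit() else fields[1]
            cfg.matches.append((fields[0][4:], opt))
        elif key == "tag-if" and fields[0].startswith("set:"):
            cfg.tag_ifs.append((fields[0][4:], fields[1:]))
        elif key == "dhcp-boot":
            conds = [f for f in fields if f.startswith("tag:")]
            cfg.boots.append((conds, [f for f in fields if not f.startswith("tag:")]))
    # A dhcp-boot whose first value field is a known tag name almost certainly
    # lost its tag: prefix; without it the line applies to every client.
    known = {t for tags in cfg.hosts.values() for t in tags}
    known |= {t for t, _ in cfg.matches} | {t for t, _ in cfg.tag_ifs}
    for conds, values in cfg.boots:
        if values and values[0] in known:
            cfg.warnings.append(
                f"dhcp-boot '{values[0]}' looks like a tag; did you mean tag:{values[0]}?")
    return cfg


def _holds(cond, tags):
    name = cond[len("tag:"):]
    return name[1:] not in tags if name.startswith("!") else name in tags


def client_tags(cfg, mac, options):
    """Tags dnsmasq would hold for a client with this MAC sending these options."""
    tags = set(cfg.hosts.get(mac.lower(), ()))
    tags |= {tag for tag, opt in cfg.matches if opt in options}
    changed = True
    while changed:                     # apply tag-if until nothing new is set
        changed = False
        for tag, conds in cfg.tag_ifs:
            if tag not in tags and all(_holds(c, tags) for c in conds):
                tags.add(tag)
                changed = True
    return tags


def matching_boots(cfg, mac, options):
    """All dhcp-boot value lists whose tag: conditions hold; >1 means ambiguity."""
    tags = client_tags(cfg, mac, options)
    return [values for conds, values in cfg.boots if all(_holds(c, tags) for c in conds)]


if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    for w in cfg.warnings:
        print("warning:", w)
    for mac, opts in [("bc:ee:7b:25:3b:15", set()), ("bc:ee:7b:25:3b:15", {175})]:
        print(mac, sorted(opts), "->", matching_boots(cfg, mac, opts))
```

Running it on the sample reports the un-prefixed line and shows both mythbed cases matching two dhcp-boot lines; restoring the `tag:` prefix brings every client back to exactly one.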




[Dnsmasq-discuss] converting ISC dhcpd.conf to dnsmasq

2014-05-12 Thread Michael

Hello,

I am trying to convert my existing ISC dhcp service to dnsmasq.

The only issue I am having is with netbooting.

For isc dhcp, I have a few entries like:
host mythbed {
    hardware ethernet bc:ee:7b:25:3b:15;
    fixed-address mythbed;
    if exists user-class and option user-class = "iPXE" {
        #filename "http://minimyth/ipxe/mythbed";
        filename "http://minimyth2/conf/mythbed/mythbed.ipxe";
    } else {
        filename "ipxe.pxe";
    }
    default-lease-time 604800;
    max-lease-time 1209600;
}
host mythliv {
    hardware ethernet 38:60:77:9c:6b:1d;
    fixed-address mythliv;
    if exists user-class and option user-class = "iPXE" {
        filename "http://minimyth2/conf/mythliv/mythliv.ipxe";
    } else {
        filename "ipxe.pxe";
    }
}

I have been trying to translate this into dnsmasq, but not having much luck.

Something like this will let one host boot:

dhcp-match=set:ipxe,175 # iPXE sends a 175 option
dhcp-host=bc:ee:7b:25:3b:15,mythbed
dhcp-boot=tag:!ipxe,ipxe.pxe
dhcp-boot=tag:ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe

But adding:
dhcp-host=bc:ee:7b:25:3b:15,mythbed
dhcp-boot=tag:!ipxe,ipxe.pxe
dhcp-boot=tag:ipxe,http://minimyth2/conf/mythbed/mythbed.ipxe


causes the options for the first to get overwritten.

Could someone give me an example of how to only supply pxe options 
requested, if it is a certain host/mac, boot ipxe the first time, and 
then pass a URL to ipxe on the next request?


I tried using multiple tags but either that isn't allowed or I didn't 
use them correctly.


Any help would be much appreciated.

Michael




[Dnsmasq-discuss] ra-names without router advertisements

2014-05-03 Thread Michael Stilkerich

Hi,

I'd like to use dnsmasq as DNS and DHCP(v6) server on my home network. 
The box running dnsmasq is not the router; the router is a box provided 
by my internet provider that does router advertisements with the A flag 
set. The dnsmasq box gets the IPv6 prefix from the router advertisements 
of the router.


I'd also like dnsmasq to answer -DNS requests for my local hosts. 
For this, the ra-names seemed useful, since I'd be fine with all my 
hosts using SLAAC only. However, setting the ra-names options also 
causes dnsmasq to advertise the box it's running on as the router, which 
it isn't.


Is there a technical reason/requirement that ra-names turns on the 
router advertisements?


Thanks,
  -Mike

Here's my config:

domain-needed
bogus-priv
no-resolv
server=192.168.0.4
interface=eth0
domain=mylocaldomain.de

# DHCPv4, static and dynamic range
dhcp-range=192.168.0.50,192.168.0.250,255.255.255.0,12h
dhcp-range=192.168.0.1,192.168.0.49,static,255.255.255.0,12h
read-ethers
dhcp-option=option:router,192.168.0.4

# DHCPv6
dhcp-range=::1,:::::,constructor:eth0,ra-names
dhcp-option=option6:dns-server,[::]

dhcp-authoritative




[Dnsmasq-discuss] Newcomer to dnsmasq and having issues with DHCP

2014-04-08 Thread Michael


Hello,

I have been running ISC bind and dhcp on my network for many years and 
would like to get those services running on my Asus router running 
Merlin firmware using dnsmasq.


At the moment, I am trying to test the config file on a Linux host on 
the same subnet.  Once it is working, I will move it over to the router.


DNS seems to be working fine, but I am not getting any responses from 
DHCP at all, either for static or dynamic hosts.


Below is my config.  It is my attempt to convert my isc dhcpd.conf to 
dnsmasq.  Hopefully I have missed something simple.


Also, am I on the right track for netbooting?  I want to hand out ipxe 
by default for a couple of hosts and then point them to a URL once 
running ipxe.



pid-file=/var/run/dnsmasq.pid
user=nobody
no-poll
min-port=4096
bind-dynamic
#interface=br0
#interface=ppp1*
interface=p2p1
no-negcache
cache-size=1500

domain-needed
bogus-priv

domain=mydomain.net
expand-hosts
local=/mydomain.net/

server=8.8.8.8
server=8.8.4.4

cname=mail.mydomain.net,ghs.google.com
cname=calendar.mydomain.net,ghs.google.com

dhcp-authoritative

dhcp-option=1,255.255.255.0
dhcp-option=3,192.168.101.1
dhcp-option=6,192.168.101.1
dhcp-option=7,192.168.101.2
dhcp-option=15,"mydomain.net"
dhcp-option=42,192.168.101.2
dhcp-option=66,192.168.101.2

# Range of addresses for DHCP
dhcp-range=dynamic,192.168.101.2,192.168.101.30,4h
dhcp-range=static,192.168.101.100,192.168.101.150,48h

# Define hosts
dhcp-host=48:02:2a:46:be:a4,babycam,static
dhcp-host=00:e0:91:94:d0:e7,directv-0,static
dhcp-host=00:e0:91:8b:3f:5d,directv-1,static
dhcp-host=08:00:27:31:db:f9,fedoratest,static
dhcp-host=00:21:b9:01:f3:6b,ha,static
dhcp-host=00:18:dd:03:ca:94,hdhr,static
dhcp-host=00:80:a3:8c:77:c6,kvm,static
dhcp-host=00:18:de:2c:77:36,laptop,static
dhcp-host=00:20:6b:72:8d:ee,minolta,static
dhcp-host=00:b5:6d:00:fd:f8,mobl1,static
dhcp-host=84:3a:4b:0a:d8:e4,mobl1-wireless,static
dhcp-host=18:b4:30:06:15:ab,nest-downstairs,static
dhcp-host=18:b4:30:0a:9c:84,nest-upstairs,static
dhcp-host=00:a0:de:a5:57:93,yamaha-liv,static

dhcp-match=set:ipxe,175 # iPXE sends a 175 option

# Special boot hosts
dhcp-host=bc:ee:7b:25:3b:15,mythbed,set:mythbed,static
dhcp-boot=tag:!ipxe,tag=mythliv,ipxe.pxe
dhcp-boot=tag:ipxe,tag:mythliv,http://minimyth2/conf/mythliv/mythliv.ipxe

dhcp-host=38:60:77:9c:6b:1d,mythliv,set:mythliv,static
dhcp-boot=tag:!ipxe,tag=mythbed,ipxe.pxe
dhcp-boot=tag:ipxe,tag:mythbed,http://minimyth2/conf/mythbed/mythbed.ipxe

dhcp-host=08:00:27:B0:D7:3D,fedoratest2,set:fedoratest2,static
dhcp-boot=tag:!ipxe,tag=fedoratest2,ipxe.pxe
dhcp-boot=tag:ipxe,tag:fedoratest2,""
dhcp-option=tag:ipxe,tag:fedoratest2,option:root-path,"iscsi:myhost:::1:iqn.2012-09.net.mydomain:fedoratest2"




Re: [Dnsmasq-discuss] Dnsmasq MySQL back-end

2014-02-09 Thread Michael Rack

Hi audiotec69,

I use a combination of DNSMASQ and PHP to store the leases in a database.

I've attached a PHP-Script that will do the job. You need to install 
CreoleDB (Database Abstraction Layer).


You have to give the script executable bits (chmod 775).

In your DNSMASQ-Configuration enable the dhcp-script option and point it 
absolute to the script-path. Restart your DNSMASQ and your leases will 
be stored in database.


BTW: A native MySQL-Backend-Driver would be the best and recommended 
solution. But my skills in programming C are not the best to accomplish 
the goals.


Kind regards from Freilassing,

Michael Rack
RSM Freilassing
--
RSM Freilassing        Tel.: +49 8654 607110
Nocksteinstr. 13       Fax.: +49 8654 670438
D-83395 Freilassing    www.rsm-freilassing.de

On 10.02.2014 06:31, audiotec69 wrote:
So apparently back in 2005 there was a patch created for dnsmasq 
version 2.20 
(http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q1/000163.html)
to use a MySQL back-end for leases. Could this still be possible? If 
so where might I find documentation on such a configuration. If this 
is not possible, perhaps someone could send me in the right direction. 
I am working on a project that needs the ability to store leases in a 
database.


Ideally I would like to be able to capture the time the lease was 
issued and the time it expired.


Thanks.



#!/usr/bin/php
getMessage());
exit( 11 );
}
}
}

$now = date('Y-m-d H:i:s');
switch( strtolower($params[0]) )
{
// Add Lease
case 'add':
if( strlen($params[1]) < 17 ) $params[1] = '00:'. 
$params[1];
$strQuery = 'INSERT INTO `dhcp_leases` (`mac_address`, 
`ip_address`, `dhcp_relay`, `hostname`, `lease_end`)'.
' VALUES ('
.chr(39). 
mysql_escape_string($params[1]) .chr(39)
.', INET_ATON('.chr(39). 
mysql_escape_string($params[2]) .chr(39).')'
.', '. ( ( 
array_key_exists('DNSMASQ_RELAY_ADDRESS', $_ENV)
   AND 
empty($_ENV['DNSMASQ_RELAY_ADDRESS']) === false
 )
 ? 'INET_ATON('. chr(39). 
mysql_escape_string($_ENV['DNSMASQ_RELAY_ADDRESS']) . chr(39) .')'
 : 'NULL'
   )
.', '. ( ( 
array_key_exists('DNSMASQ_SUPPLIED_HOSTNAME', $_ENV)
   AND 
$_ENV['DNSMASQ_SUPPLIED_HOSTNAME'] !== ''
 )
 ? chr(39). 
mysql_escape_string($_ENV['DNSMASQ_SUPPLIED_HOSTNAME']) . chr(39)
 : 'NULL'
   )
.', '.chr(39). 
mysql_escape_string(date('Y-m-d H:i:s', (int)$_ENV['DNSMASQ_LEASE_EXPIRES'])) 
.chr(39)
.')';
write_log( $strQuery );
if( $conn->ExecuteUpdate( $strQuery ) > 0 )
{
printLine( sprintf('OK: Lease for ip-address %s 
added', $params[2]) );
}
else
{
printLine( sprintf('ERR: Failed to add lease 
for %s', $params[2]) );
exit( 32 );
}
exit( 0 );
break;

// Renew Lease
case 'old':
if( strlen($params[1]) < 17 ) $params[1] = '00:'. 
$params[1];
$strQuery = 'UPDATE `dhcp_leases`'.
' SET `lease_end`='.chr(39). 
mysql_escape_string(date('Y-m-d H:i:s', (int)$_ENV['DNSMASQ_LEASE_EXPIRES'])) 
.chr(39).
' WHERE `mac_address`='.chr(39). 
mysql_escape_string($params[1]) .chr(39).
' AND `ip_address`=INET_ATON('.ch
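For the dhcp-script approach described in the post, here is an added example (not the attached PHP script, and not part of dnsmasq) of the same job written so that lease data from the wire cannot turn into SQL: dnsmasq invokes it as `<script> add|old|del <hardware-address> <ip> [hostname]` with the lease details in environment variables named in the PHP script (`DNSMASQ_LEASE_EXPIRES`, `DNSMASQ_SUPPLIED_HOSTNAME`, `DNSMASQ_RELAY_ADDRESS`), every statement is parameterised, the hardware address and IP are validated before they reach the database, and the issue, expiry and release times the original poster asked for are all kept. SQLite stands in for MySQL, and `DB_PATH` is an assumed location.

```python
#!/usr/bin/env python3
"""dnsmasq dhcp-script that records leases in an SQLite database (added example)."""
import ipaddress
import os
import re
import sqlite3
import sys
import time

DB_PATH = os.environ.get("LEASE_DB", "/var/lib/misc/dnsmasq-leases.db")  # assumed path

SCHEMA = """CREATE TABLE IF NOT EXISTS dhcp_leases (
    hw_address  TEXT    NOT NULL,   -- MAC, or DUID for DHCPv6 leases
    ip_address  TEXT    NOT NULL,
    hostname    TEXT,
    relay       TEXT,               -- DNSMASQ_RELAY_ADDRESS, if the request was relayed
    lease_start INTEGER NOT NULL,   -- when this script first saw the lease
    lease_end   INTEGER,            -- DNSMASQ_LEASE_EXPIRES
    released    INTEGER,            -- set on "del"; NULL while the lease is live
    PRIMARY KEY (hw_address, ip_address, lease_start))"""

# dnsmasq passes "aa:bb:cc:dd:ee:ff", optionally prefixed with the ARP hardware
# type ("06-...") for non-Ethernet links, or a colon-separated DUID for DHCPv6.
HW_RE = re.compile(r"^([0-9a-f]{2}-)?[0-9a-f]{2}(:[0-9a-f]{2})+$")

INSERT = ("INSERT INTO dhcp_leases (hw_address, ip_address, hostname, relay,"
          " lease_start, lease_end) VALUES (?, ?, ?, ?, ?, ?)")


def open_db(path):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def handle(action, hw, addr, hostname, env, conn, now=None):
    """Apply one dnsmasq lease event; returns the number of rows touched."""
    if action not in ("add", "old", "del"):
        return 0            # "init", "arp", "tftp" and friends carry no lease to record
    now = int(time.time() if now is None else now)
    hw = hw.lower()
    if not HW_RE.match(hw):
        raise ValueError(f"unexpected hardware address {hw!r}")
    addr = str(ipaddress.ip_address(addr))          # rejects anything that is not an IP
    expires = env.get("DNSMASQ_LEASE_EXPIRES")
    lease_end = int(expires) if expires else None
    hostname = hostname or env.get("DNSMASQ_SUPPLIED_HOSTNAME") or None
    relay = env.get("DNSMASQ_RELAY_ADDRESS") or None
    if relay:
        relay = str(ipaddress.ip_address(relay))

    cur = conn.cursor()
    if action == "add":
        cur.execute(INSERT, (hw, addr, hostname, relay, now, lease_end))
    elif action == "old":
        # Renewal, or an existing lease replayed at dnsmasq start-up:
        # extend the live record, or open one if we have never seen it.
        cur.execute("UPDATE dhcp_leases SET lease_end = ?, hostname = COALESCE(?, hostname)"
                    " WHERE hw_address = ? AND ip_address = ? AND released IS NULL",
                    (lease_end, hostname, hw, addr))
        if cur.rowcount == 0:
            cur.execute(INSERT, (hw, addr, hostname, relay, now, lease_end))
    else:  # "del": close the live record, keep it for history
        cur.execute("UPDATE dhcp_leases SET released = ?"
                    " WHERE hw_address = ? AND ip_address = ? AND released IS NULL",
                    (now, hw, addr))
    conn.commit()
    return cur.rowcount


def main(argv=None, env=None):
    argv = sys.argv[1:] if argv is None else argv
    env = os.environ if env is None else env
    if len(argv) < 3:
        sys.exit("usage: lease-db.py add|old|del <hw-address> <ip> [hostname]")
    hostname = argv[3] if len(argv) > 3 else None
    handle(argv[0], argv[1], argv[2], hostname, env, open_db(DB_PATH))


if __name__ == "__main__":
    main()
```

A hostname such as `x'); DROP TABLE dhcp_leases; --` is stored as a literal string, which is the property the string-concatenated query in the PHP script relies on `mysql_escape_string` for.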

Re: [Dnsmasq-discuss] pxe booting trouble

2013-12-30 Thread Michael Thompson
Brilliant, I've found success with replacing "dhcp-boot" with
"pxe-service=BC_EFI, "Install Linux", BOOTX64.efi" along with renaming
BOOTX64.efi to BOOTX64.efi.0

Thanks for your help and for dnsmasq!





On Sat, December 28, 2013 7:50 am, Simon Kelley wrote:
> PS. Decoding the logs a bit more, I think there is
>
> pxe-prompt=PXE
>
> somewhere in your config. (Command-line? included files?)

OK, scratch that. The "PXE" string is the default prompt.

Most likely, as far as I can see, there must be at least one pxe-service
config line with a CSA which doesn't match the machine you're PXE
booting. (You're booting an EFI system, so maybe there's something
starting

pxe-service=x86PC,

which won't provide a bootable image to an EFI system.)


If there really isn't such a line, then there's a bug in the code which
I can't see from inspection.

A workaround will be to use full PXE and provide a correct pxe-service
line, something like

pxe-service=X86-64_EFI,boot,BOOTX64.efi


But note that the PXE system will add ".0" to the filename, so the file
on the TFTP server should be renamed


BOOTX64.efi.0


Cheers,

Simon.








Re: [Dnsmasq-discuss] pxe booting trouble

2013-12-27 Thread Michael Thompson
It was indeed complete, other than dns related lines. Is there a way to
force the dhcp netboot method?

On Fri, December 27, 2013 2:55 pm, Simon Kelley wrote:
Are you sure that the config you sent previously is complete? The logs
would seem to indicate that full PXE mode (as opposed to DHCP netboot)
is enabled. That would need a pxe-service dnsmasq config line somewhere.

Cheers,

Simon.




On 27/12/13 20:44, Michael Thompson wrote:
> Again, no change. Please find a log here http://pastebin.com/D99SQyqj
>
> many thanks
>
>
> On Fri, December 27, 2013 2:28 pm, Simon Kelley wrote:
>
> That all looks quite sensible. Are the p5p2 and p7p2 interfaces
> constituents of the bond? You might like to specify
>
> no-dhcp-interface=p7p2,p5p2
>
> if so. I've had difficulty in the past with bonded interfaces and PXE.
>
> Can you send the logs? There may be clues there.
>
> Cheers,
>
> Simon.
>
>>
>>
>>
>> On Fri, December 27, 2013 2:02 pm, Simon Kelley wrote:
>> On 27/12/13 19:54, Michael Thompson wrote:
>>> I’m having trouble pxe booting clients with dnsmasq, specifically with
>>> the dhcp part. If I use ISC dhcp, but keep dnsmasq for dns and tftp, it
>>> works fine. I’d much rather have dnsmasq do it all but simply cannot get
>>> it to work.
>>>
>>> Pxe booting via isc dhcp works with this bit of configuration:
>>> next-server 172.18.100.19;
>>> filename "BOOTX64.efi";
>>>
>>> this, I believe, is the dnsmasq equivalent but yields an error message:
>>> dhcp-boot=BOOTX64.efi,admin,172.18.100.19
>>>
>>> should that be enough to work? Might additional configurations be
>>> necessary?
>>> The error is “PXE-E21 Remote boot cancelled. Boot Failed: Please ensure
>>> compatible media is available”
>>>
>>> Thanks for any pointers you can give.
>>
>> Try adding
>>
>> dhcp-no-override
>>
>> to your dnsmasq config.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>







Re: [Dnsmasq-discuss] pxe booting trouble

2013-12-27 Thread Michael Thompson
Again, no change. Please find a log here http://pastebin.com/D99SQyqj

many thanks


On Fri, December 27, 2013 2:28 pm, Simon Kelley wrote:

That all looks quite sensible. Are the p5p2 and p7p2 interfaces
constituents of the bond? You might like to specify

no-dhcp-interface=p7p2,p5p2

if so. I've had difficulty in the past with bonded interfaces and PXE.

Can you send the logs? There may be clues there.

Cheers,

Simon.

>
>
>
> On Fri, December 27, 2013 2:02 pm, Simon Kelley wrote:
> On 27/12/13 19:54, Michael Thompson wrote:
>> I’m having trouble pxe booting clients with dnsmasq, specifically with
>> the
>> dhcp part. If I use ISC dhcp, but keep dnsmasq for dns and tftp, it
>> works
>> fine. I’d much rather have dnsmasq do it all but simply cannot get it
>> to
>> work.
>>
>> Pxe booting via isc dhcp works with this bit of configuration:
>> next-server 172.18.100.19;
>> filename "BOOTX64.efi";
>>
>> this, I believe, is the dnsmasq equivalent but yields an error message:
>> dhcp-boot=BOOTX64.efi,admin,172.18.100.19
>>
>> should that be enough to work? Might additional configurations be
>> necessary?
>> The error is “PXE-E21 Remote boot cancelled. Boot Failed: Please ensure
>> compatible media is available”
>>
>> Thanks for any pointers you can give.
>
> Try adding
>
> dhcp-no-override
>
> to your dnsmasq config.
>
>
> Cheers,
>
> Simon.
>
>>
>>
>>
>>
>
>
>
>
>
>
>







[Dnsmasq-discuss] pxe booting trouble

2013-12-27 Thread Michael Thompson
I’m having trouble pxe booting clients with dnsmasq, specifically with the
dhcp part. If I use ISC dhcp, but keep dnsmasq for dns and tftp, it works
fine. I’d much rather have dnsmasq do it all but simply cannot get it to
work.

Pxe booting via isc dhcp works with this bit of configuration:
next-server 172.18.100.19;
filename "BOOTX64.efi";

this, I believe, is the dnsmasq equivalent but yields an error message:
dhcp-boot=BOOTX64.efi,admin,172.18.100.19

should that be enough to work? Might additional configurations be necessary?
The error is “PXE-E21 Remote boot cancelled. Boot Failed: Please ensure
compatible media is available”

Thanks for any pointers you can give.





Re: [Dnsmasq-discuss] DHCP assignment with dynamic VLANs

2013-10-21 Thread Michael Rack

Hi Andrea,

that is not possible with DNSMASQ. That is by software design.

If a request arrives on the br-lan interface, DNSMASQ will serve only 
IP-Ranges that match that interface.


If you find other DHCP software that does what you want, let me know :)

Kind regards from Freilassing,

Michael Rack
RSM Freilassing
--
RSM Freilassing        Tel.: +49 8654 607110
Nocksteinstr. 13       Fax.: +49 8654 670438
D-83395 Freilassing    www.rsm-freilassing.de

On 21.10.2013 17:52, Andrea Galvani wrote:

Hello everyone.

I'm running dnsmasq 2.62 on an OpenWRT router and I'm trying to 
understand if this DHCP configuration is feasible or not:


The address space that I'm using for my network is 10.1.1.0 /24.
When a new user accesses my network through Wi-Fi I need to give him a 
private network just for communicating with the router, so I 
DYNAMICALLY allocate a /30 vlan interface just for him. This vlan 
interface's address space is NOT part of my network address space, for 
example it can be 10.2.2.120 /30.
In this case, the router will configure 10.2.2.122 as its address for 
the new vlan and the user must obtain 10.2.2.121 through DHCP.

I know the user's MAC address so I thought about a static assignment.

I added this to dnsmasq.conf
---
# the IP pool for the VLAN
dhcp-range=set:vlan6,10.1.2.120,10.1.2.123

# static IP for the user
dhcp-host=br-lan,00:0d:88:65:5a:5d,10.1.2.121

# tagging the user
dhcp-host=00:0d:88:65:5a:5d,set:vlan6

# options for user...
dhcp-option=tag:vlan6,3,10.1.2.122
dhcp-option=tag:vlan6,54,10.1.2.122
dhcp-option=tag:vlan6,1,255.255.255.252
dhcp-option=tag:vlan6,28,10.1.2.123
dhcp-option=tag:vlan6,6,10.1.2.122
dhcp-option=tag:vlan6,15,vlan6
---

"br-lan" is my lan interface which is bridged to wireless
"vlan6" is the tag I use to distinguish the options for my user/vlan. 
I set the router's address on the vlan as dgw and server identifier, 
the /30 netmask and the broadcast address.


As a result I get:
"no address range available for DHCP request via br-lan"

But if I set a DHCP range for br-lan (10.1.1.0 /24) the user will get 
an address from BR-LAN POOL, ignoring the static assignment and the 
part regarding the vlan!


Basically the user gains access to the LAN and sends a broadcast DHCP 
Discover on that interface. What should happen is that this user is in 
someway "redirected" on the new VLAN interface (different address 
pool), and obtains an IP of that interface.


Is it possible to have a behaviour like this with dnsmasq?

Thanks for your attention

Andrea







Re: [Dnsmasq-discuss] dhcp relay

2013-10-10 Thread Michael Rack

Hi Simon,

is dhcp-helper able to set Opt 5 / 11

* DHCP-Server-Identifier-Override
* Subnet-Link-Selection

and does dhcp-helper bind to an interface or a port?

And is dhcp-helper also able to forward DHCPv6 Requests?

Kind regards from Freilassing,

Michael Rack
RSM Freilassing
--
RSM Freilassing        Tel.: +49 8654 607110
Nocksteinstr. 13       Fax.: +49 8654 670438
D-83395 Freilassing    www.rsm-freilassing.de

On 06.05.2013 22:19, Simon Kelley wrote:

On 06/05/13 12:57, dima vasiletc wrote:

Hello
Can dnsmasq work as a relay for another dhcp-server?
For example, get ip addresses from the internet provider and assign them to
hosts in my network?



Not dnsmasq, but we have something available.

http://thekelleys.org.uk/dhcp-helper

Cheers,

Simon.







[Dnsmasq-discuss] using dnsmasq as a "dns router"

2013-05-24 Thread Michael Surette
I would like to use dnsmasq as a caching dns server which forwards
requests to the dyndns dns servers, which do content filtering, except
for local queries, which should go to the dhcp supplied dns server.

Since my laptop can be connected to any number of wireless networks, the
dhcp supplied dns server varies.

Is there a virtual name for the dhcp supplied dns server or some other
way to get its address?

Mike




[Dnsmasq-discuss] SRV forwarding is not working

2013-03-17 Thread Michael Strelnikov
I have configured dnsmasq to forward all queries of the form
"*.mycompany.com" to server 10.0.0.1:

server=/mycompany.com/10.0.0.1

But when I'm trying to get SRV "_ldap._tcp.dc._msdcs.mycompany.com" I
receive:

> host -t SRV _ldap._tcp.dc._msdcs.mycompany.com. 192.168.5.20
;; Truncated, retrying in TCP mode.
Using domain server:
Name: 192.168.5.20
Address: 192.168.5.20#53
Aliases:

Host _ldap._tcp.dc._msdcs.mycompany.com. not found: 3(NXDOMAIN)

The direct query works fine:
> host -t SRV _ldap._tcp.dc._msdcs.mycompany.com. 10.0.0.1
;; Truncated, retrying in TCP mode.
Using domain server:
Name: 10.0.0.1
Address: 10.0.0.1#53
Aliases:

_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server1.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server2.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server3.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server4.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server5.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server6.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server7.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server8.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server9.mycompany.com.


And more. If I change the query type from SRV to ANY (to dnsmasq) I receive
the correct answer:

> host -t ANY _ldap._tcp.dc._msdcs.mycompany.com. 192.168.5.20
;; Truncated, retrying in TCP mode.
Using domain server:
Name: 192.168.5.20
Address: 192.168.5.20#53
Aliases:

_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server1.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server2.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server3.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server4.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server5.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server6.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server7.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server8.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com has SRV record 0 100 389
server9.mycompany.com.



What is wrong?

P.S. I have "filterwin2k" commented out.


Best regards,
Michael Strelnikov


[Dnsmasq-discuss] Feature-Lookup: DHCP-Forwarder

2012-10-31 Thread Michael Rack

Hi Simon,

What about a compile option to activate DHCP forwarding code in 
dnsmasq, so dnsmasq can also act as a DHCP forwarder?


My network structure looks like that:


   UPSTREAM-1      UPSTREAM-2
        |               |
           EDGE-ROUTER
        |               |
   ROUTER NET1     ROUTER NET2
        |               |
     CLIENTS         CLIENTS


DNSMASQ runs on the EDGE-Router. On Router-NET1 and Router-NET2 currently 
dhcpforwarder v0.8 is running. dhcpforwarder adds some extra fields to 
the packet that is forwarded to DNSMASQ: network-selection + agent-id + 
dhcp-server override.


Problem: DHCPFORWARDER does not support stateful IPv6.

Currently I am running DNSMASQ and DHCPFORWARDER on every ROUTER-NET-X 
to provide DHCP and DNS. It would be nice to replace DHCPFORWARDER with 
100% functionality of DNSMASQ.


So, is it planned / possible to see this new feature in upcoming releases?

Kind regards from Freilassing,

Michael Rack
RSM Freilassing
--
RSM Freilassing        Tel.: +49 8654 607110
Nocksteinstr. 13       Fax.: +49 8654 670438
D-83395 Freilassing    www.rsm-freilassing.de


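The post above describes the relay adding network-selection, agent-id and server-override fields to packets it forwards. The following is an added example, not code from dnsmasq or dhcpforwarder: on the assumption that those fields map to the DHCPv4 Relay Agent Information option (option 82) sub-options of RFC 3046, RFC 3527 and RFC 5107, it parses the TLV block and checks, before trusting it, that the selected link lies in an allowed client network and that any server override names this server. The sample payload and the allowed ranges are constructed.

```python
import ipaddress

# Sub-option codes: RFC 3046 (1, 2), RFC 3527 (5), RFC 5107 (11).
CIRCUIT_ID = 1
REMOTE_ID = 2
LINK_SELECTION = 5
SERVER_ID_OVERRIDE = 11


def parse_option82(payload: bytes) -> dict:
    """Return {code: value} for the TLV sub-options in an option 82 body.

    Rejects truncated or oversized sub-options instead of silently
    accepting a partial relay header."""
    subs = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError(f"truncated sub-option header at offset {i}")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} length {length} exceeds payload")
        if code in (LINK_SELECTION, SERVER_ID_OVERRIDE):
            if length != 4:
                raise ValueError(f"sub-option {code} must carry an IPv4 address")
            value = ipaddress.IPv4Address(value)
        subs[code] = value
        i += 2 + length
    return subs


def relay_is_trusted(subs: dict, allowed_links, allowed_servers) -> bool:
    """True only if the link selection lies in an allowed client network (CIDR
    strings) and any server-id override names one of this server's addresses."""
    nets = [ipaddress.ip_network(n) for n in allowed_links]
    servers = {ipaddress.IPv4Address(s) for s in allowed_servers}
    link = subs.get(LINK_SELECTION)
    if link is None or not any(link in net for net in nets):
        return False
    override = subs.get(SERVER_ID_OVERRIDE)
    return override is None or override in servers


# Constructed sample: what a relay on ROUTER NET1 might attach (hypothetical).
SAMPLE = (bytes([CIRCUIT_ID, 4]) + b"eth1"
          + bytes([REMOTE_ID, 11]) + b"ROUTER-NET1"
          + bytes([LINK_SELECTION, 4]) + bytes([10, 1, 0, 0])
          + bytes([SERVER_ID_OVERRIDE, 4]) + bytes([10, 0, 0, 1]))
```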


[Dnsmasq-discuss] Variables inside config

2012-10-23 Thread Michael Strelnikov
Hi all,

   Can I define a variable at the top of dnsmasq.conf and use
it throughout the config?

Best regards,
Michael Strelnikov


[Dnsmasq-discuss] dnsmasq configuration question

2012-09-19 Thread Michael Strelnikov
Hello,

   Can I configure dnsmasq to behave like this:
   1. All requests go to the default external DNS server.
   2. If for a specific domain the name was not resolved, then another DNS
server should be used to complete the request.
   3. If the alternative server did not resolve that name, then a "not-resolved"
response should be used.

Thank you.

-Michael


Re: [Dnsmasq-discuss] SOA and NS lookup forwarding

2012-09-12 Thread Michael Firth
> Do you have --filterwin2k set? That would cause problems with SOA records.
> 
> It would be useful to have some examples of exactly what the queries are 
> that fail.
> 
> 
> Cheers,
> 
> Simon.
> 
>
Hi,

Sorry for the delayed reply, I've been busy or out of the office for a while.

Hunting things down to try and produce my reply, I've found the issue - I'd 
added some "local" lines to prevent dnsmasq forwarding requests for hostnames 
and addresses only it should be handling, but had accidentally included the 
in-addr range for the subnet I was having problems with, which I really needed 
to not block.

Removing that "local" line, and things seem to be working as desired.

I think my dnsmasq config is too complicated.

Thanks

Michael


