Re: [Dnsmasq-discuss] Why does the dnsmasq routing feature require a subnet prefix length of 64?
Neal: You aren’t the only one who thought the math was off with IPv6. I had my issues, but for different reasons. Interesting read.

R

Sent from my iPhone

> On Jun 20, 2023, at 7:17 PM, imn...@gmail.com wrote:
>
> I did some math a while back. IPv6 will 'never' run out of addresses? Hah! It'll happen sooner than anyone thinks.
>
> - Assume 2^31 IPv6 LANs attached to the internet around the world.
> - Compute 2^31 * 2^64 = 2^95 addresses assigned
> - Assume 16 devices connected on each LAN: 2^31 * 2^4 = 2^35 addresses in use
>
> Converting to decimal, about 40 * 10^27 addresses assigned, 34 * 10^9 addresses used. That leaves about 1.2 quintillion times the number of addresses in use that will never be used.
>
> Had they used /96 as the standard size (32-bit host address), that would've resulted in about 2^63 addresses assigned for the same 2^35 addresses used. The wastage would've dropped to about 270 million times the addresses used: about 12 orders of magnitude less address wastage.
>
> My opinion on this in more detail: http://murent.us/#ipv6wastage.
>
> I read somewhere that some may be second-guessing that decision. They might've done better to use /96 and hash the MAC address down to 24 bits to make SLAAC work.
>
> Neal
>
>> On Tue, 20 Jun 2023 15:05:07 -0700 Eric Fahlgren wrote:
>>
>> Yeah, some of the RFCs on v6 address formats hem and haw about how big the network ID and interface ID parts are (probably written before actual implementations were in place), but https://www.rfc-editor.org/rfc/rfc4291#section-2.5.1 says quite unequivocally:
>>
>> For all unicast addresses, except those that start with the binary value 000, Interface IDs are required to be 64 bits long...
>>
>> Which drives a stake in the ground regarding how to partition those 128 bits.
>>
>>> On Tue, Jun 20, 2023 at 11:59 AM Petr Menšík wrote:
>>>
>>> I think that is required by SLAAC RFC, which adds another 2 bytes to 6 bytes of hardware ethernet address.
>>>
>>> Which is in total 8 bytes, therefore 64 bits is required for it. Prefix cannot be higher, but can be lower in theory. There might be some implementation details now supporting lower prefix length in current implementation.
>>>
>>> Cheers,
>>> Petr
>>>
>>> On 15. 06. 23 12:07, renmingshuai via Dnsmasq-discuss wrote:
>>>
>>> When ra-only, slaac, or ra-stateless is configured in dhcp-range and the prefix len is set to a value other than 64, like this:
>>>
>>> “dhcp-range=2000:1000:1000:1000:1000:1000::, ra-stateless,120,infinite”
>>>
>>> the following error message is displayed:
>>>
>>> dnsmasq: prefix length must be exactly 64 for RA subnets at line 16 of /etc/dnsmasq.conf
>>>
>>> Why must the prefix length be 64? This may come from an RFC regulation or recommendation, but I didn't find it. Would you mind telling me the reason?
>>>
>>> --
>>> Petr Menšík
>>> Software Engineer, RHEL
>>> Red Hat, http://www.redhat.com/
>>> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
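The arithmetic behind Petr's and Eric's answers, as an added example that is not part of the thread and not dnsmasq's own code: it builds the modified EUI-64 interface identifier from a 48-bit MAC (the "6 bytes + 2 bytes = 64 bits" Petr describes), forms a SLAAC address from a /64 prefix, and reproduces the "prefix length must be exactly 64 for RA subnets" check on a dhcp-range line. The MAC and prefix values are constructed, and the dhcp-range field handling is a simplified stand-in for dnsmasq's parser, not a copy of it.

```python
import ipaddress
import re
from typing import Optional

# dhcp-range modes from the thread that make dnsmasq send Router Advertisements.
RA_MODES = {"ra-only", "slaac", "ra-stateless"}


def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (RFC 4291 App. A).

    The universal/local bit (bit 1 of the first octet) is inverted and the
    two octets 0xff 0xfe are inserted between the OUI and the device half;
    6 + 2 = 8 bytes is the "8 bytes, therefore 64 bits" from the thread.
    """
    octets = bytes(int(h, 16) for h in re.split(r"[:-]", mac.strip()))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID.

    Any prefix longer than /64 leaves fewer than the 64 bits the identifier
    needs, which is why a longer prefix cannot carry a SLAAC host.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def check_ra_range(line: str, lineno: int = 1,
                   path: str = "/etc/dnsmasq.conf") -> Optional[str]:
    """Reproduce the error from the thread for an RA dhcp-range whose prefix
    length is not 64; return None when the line is acceptable.

    Simplified field handling (a stand-in, not dnsmasq's parser): the IPv6
    dhcp-range form used in the thread is start-address, mode, prefix-len,
    lease-time, so the first all-digit field is taken as the prefix length.
    """
    if not line.startswith("dhcp-range="):
        return None
    fields = [f.strip() for f in line[len("dhcp-range="):].split(",")]
    if not any(f in RA_MODES for f in fields):
        return None  # stateful DHCPv6 range: the 64-bit rule does not apply
    prefix_len = next((int(f) for f in fields if f.isdigit()), 64)
    if prefix_len != 64:
        return (f"dnsmasq: prefix length must be exactly 64 for RA subnets "
                f"at line {lineno} of {path}")
    return None
```

Running check_ra_range on the line quoted in the question (with the prefix field 120) returns the same message renmingshuai saw; the same line with 64 passes, and a plain stateful range without an RA mode is left alone.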
[Dnsmasq-discuss] dhcp leases file not consulted after restart?
I'm in the beginning of troubleshooting an issue with name resolution in dnsmasq on a FreeBSD server. I'm running dnsmasq 2.86 and I'm not able to resolve hostnames that are dhcp clients. This is a new development and may possibly be related to a FreeBSD system upgrade from 13.0-RELEASE to 13.0-RELEASE-p11.

Example: my desktop machine is a dhcp client and is active on the network, and can ping via hostname the firewall server that runs dnsmasq, which is assigned a static IP and reads /etc/hosts for static names and /etc/resolv.conf.dnsmasq for upstream dns servers. However the firewall cannot ping the client by name, despite a record for that host in the dnsmasq.leases file.

Again, this is a new issue, and this used to work when the server was originally set up. I can prove that the leases database file is being written to by the dnsmasq service as there are recent (read: from today) timestamps on the file itself.

I'd appreciate any pointers as I'm running out of things to check and haven't found an obvious problem yet.

Below is the startup log entry from a dnsmasq server restart. Not sure if it helps, but I didn't want to ask without trying to prove that I tried to fix it myself.

May 12 09:21:16 icm dnsmasq[17586]: started, version 2.86 cachesize 150
May 12 09:21:16 icm dnsmasq[17586]: compile time options: IPv6 GNU-getopt no-DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth cryptohash DNSSEC loop-detect no-inotify dumpfile
May 12 09:21:16 icm dnsmasq-dhcp[17586]: DHCP, IP range 192.168.19.75 -- 192.168.19.125, lease time 12h
May 12 09:21:16 icm dnsmasq-tftp[17586]: TFTP root is /usr/local/tftp secure mode
May 12 09:21:16 icm dnsmasq[17586]: using only locally-known addresses for hallhome.private
May 12 09:21:16 icm dnsmasq[17586]: reading /etc/resolv.conf.dhcp
May 12 09:21:16 icm dnsmasq[17586]: using nameserver 71.10.216.1#53
May 12 09:21:16 icm dnsmasq[17586]: using nameserver 71.10.216.2#53
May 12 09:21:16 icm dnsmasq[17586]: using only locally-known addresses for hallhome.private
May 12 09:21:16 icm dnsmasq[17586]: read /etc/hosts - 8 addresses

Thanks for any assistance/pointers you can provide.

Rance
Re: [Dnsmasq-discuss] new config file in /etc/dnsmasq.d
I don't remember a mechanism in dnsmasq to achieve this, although support for it (if it isn't too much work) would be something I'd happily help with.

That being said, I think what you want is "inotify" on Linux, or "filewatcher" on Windows. These services will watch files for changes and automatically trigger actions like "reload dnsmasq".

Warning: On Linux, inotify is an API so you still need a client to help you configure it. Something like the inotify-tools package on arch. (I think on debian based systems too)

Hope this helps

On Mar 9, 2022, at 1:43 PM, Frank Liu wrote:

> Hi,
>
> If I add a new file in /etc/dnsmasq.d that has a few srv-host entries, what's the best way to signal dnsmasq, other than restart it, so that those records can be resolvable?
>
> Thanks!
> Frank
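An added example of the watcher Rance describes; it is not part of the thread and not dnsmasq's own code. Instead of the inotify API it polls a directory snapshot (name, size, mtime), which is a portable stand-in that runs anywhere. The triggered action runs `dnsmasq --test` before `systemctl restart dnsmasq`: the dnsmasq manual states that SIGHUP re-reads /etc/hosts and the resolv file but not the configuration files, so a restart is what actually picks up a new drop-in, and the syntax check keeps a typo in that drop-in from taking the resolver down. The directory and the srv-host line in demo() are constructed; the service name and systemd are assumptions.

```python
import os
import subprocess
import time
from typing import Callable, Dict, Optional, Tuple

Snapshot = Dict[str, Tuple[int, int]]  # path -> (size, mtime in ns)


def snapshot(conf_dir: str) -> Snapshot:
    """Record every regular file dnsmasq would read from conf_dir.

    dnsmasq's conf-dir skips names ending in '~', starting with '.', or
    wrapped in '#', so the same names are ignored here (editor backups and
    temp files must not trigger a restart).
    """
    state: Snapshot = {}
    for name in sorted(os.listdir(conf_dir)):
        if name.endswith("~") or name.startswith(".") or (
                name.startswith("#") and name.endswith("#")):
            continue
        path = os.path.join(conf_dir, name)
        if os.path.isfile(path):
            st = os.stat(path)
            state[path] = (st.st_size, st.st_mtime_ns)
    return state


def check_then_restart() -> int:
    """Default action: syntax-check the full configuration and only restart
    when it passes.  Returns the exit status of the last command run.
    Assumes a systemd unit named dnsmasq."""
    rc = subprocess.call(["dnsmasq", "--test"])
    if rc != 0:
        return rc
    return subprocess.call(["systemctl", "restart", "dnsmasq"])


def poll_once(conf_dir: str, last: Snapshot,
              action: Callable[[], int]) -> Tuple[bool, Snapshot]:
    """One watcher round: fire action() if the directory changed since last.
    Returns (fired, snapshot to compare against next time)."""
    current = snapshot(conf_dir)
    if current != last:
        action()
        return True, current
    return False, last


def watch(conf_dir: str, action: Callable[[], int] = check_then_restart,
          interval: float = 2.0, rounds: Optional[int] = None) -> int:
    """Poll forever (or for `rounds` iterations); return how often action fired."""
    fired = 0
    last = snapshot(conf_dir)
    n = 0
    while rounds is None or n < rounds:
        time.sleep(interval)
        hit, last = poll_once(conf_dir, last, action)
        fired += hit
        n += 1
    return fired


def demo() -> Dict[str, object]:
    """Constructed run in a temporary directory standing in for /etc/dnsmasq.d."""
    import shutil
    import tempfile
    d = tempfile.mkdtemp(prefix="dnsmasq.d-")
    try:
        log = []
        base = snapshot(d)
        # A new drop-in carrying an srv-host entry, as in the question.
        with open(os.path.join(d, "10-srv.conf"), "w") as f:
            f.write("srv-host=_ldap._tcp.example.test,ldap.example.test,389\n")
        fired1, snap = poll_once(d, base, lambda: log.append("restart") or 0)
        # An editor backup must not count as a change.
        with open(os.path.join(d, "10-srv.conf~"), "w") as f:
            f.write("old\n")
        fired2, _ = poll_once(d, snap, lambda: log.append("restart") or 0)
        return {"first": fired1, "backup": fired2, "actions": len(log)}
    finally:
        shutil.rmtree(d)
```

For production use call `watch("/etc/dnsmasq.d")`; demo() only exercises the change detection with a recording action so that no real restart is attempted.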
Re: [Dnsmasq-discuss] Feature request = block-conf
Ercolino:

I can't speak for Simon and the rest of the Dnsmasq team (mostly because I'm not on it) but I appreciate your discussion and explanation of your need. I would have responded sooner, but I've had a medical emergency with my wife and was off the net for a few days being with family in the hospital.

Now your comparison to the state of TFTP in my judgement isn't of the same caliber. If the TFTP root is not present then the only issue is that a handful of netbooting clients won't work at all, and you'll get immediate feedback (on an impacted system) that you broke something, AND anything that booted on its own will be fine.

If the supplemental config script were to not be present and skipped, you wouldn't get the immediate feedback that something wasn't working, AND you couldn't guarantee a safe state for the server instance.

It seems to me that you have a legitimate issue, but there are other ways to implement what you need to happen that don't require changing Dnsmasq at all.

1) manipulating the boot order such that Dnsmasq starts AFTER the USB subsystem is loaded and the supplemental file system is mounted.

2) The file system on the embedded device shouldn't be read-only and you should be able to copy the supplemental config script from the USB key to the root filesystem of the device and then it would be available when the system booted and your mount sequencing issue would go away.

Rance

On Mar 4, 2022, at 2:52 PM, Ercolino de Spiacico wrote:

>> How does dnsmasq behave if there is a configuration error in the config file elsewhere? If the syntax is broken then it fails hard. Don't see why this wouldn't be true of a supplemental config script being referred to in the main one. And as to --fail-safe: I don't see how this is reasonable, as it will lead to undesirable operation and possibly even broken clients if the mistake includes part of the dhcp configuration. It's annoying, but probably better for services not to start if they can't interpret/understand their starting stat
>
> I appreciate the reason why this was originally designed to be the default behavior however please allow me: this conf-script might be another beast.
>
> I'm on a router developing this, the dnsmasq config is read at boot from the content of a nvram variable. By the time dnsmasq starts I must already have this conf-script target created, the USB mounting comes way after everything else and the script booting process is screwed; NTP doesn't sync, clients don't get an IP... you name it. Also if the device has no USB this needs to be referenced and created in /tmp (RAM) at boot, this is via the init script that again is coming in a bit too late in the SoE. Until this file is created dnsmasq fails. Moreover there's an additional risk here, part of the config content is coming from Internet so outside the administrative domain. A typo by the list maintainer might cause havoc, most importantly, this is not necessary when the device is initially set up, it can come after months and affect a large number of devices at once.
>
> I really don't want to sound insistent but let me put it this way, long time ago I brought up this very topic in the context of TFTP. If the destination folder of TFTP didn't exist it used to fail dnsmasq (big time on a router). Then fortunately the tftp-no-fail directive was introduced. This conf-script is pretty much the same case but in a different context.
>
> If this extra info here above is still not enough I'll drop the ball, but I'm just making a final effort because I see value in it, that's all.
>
> Regards
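Ercolino's risk, a list fetched from outside the administrative domain reaching dnsmasq through a conf-script, can be contained on the generator side without changing dnsmasq's fail-hard behaviour. The following is an added example, not from the thread and not dnsmasq's own code: it accepts only `address=/<name>/<ip>` lines with a well-formed host name and a literal sink address, rejects the whole batch if any line is off, and swaps the file in atomically so the previous good file stays in place when the download is bad. The directive set, file names and sample lines are assumptions made for the example.

```python
import ipaddress
import os
import re
import tempfile
from typing import Dict, List, Tuple

# One DNS label: 1-63 chars of letters, digits and '-', not starting or ending with '-'.
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")
# The only directive the generated file is allowed to contain.
ADDRESS_LINE = re.compile(r"^address=/([^/\s]+)/(\S*)$")


def valid_name(name: str) -> bool:
    return len(name) <= 253 and HOSTNAME.match(name.lower()) is not None


def validate_lines(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split generator output into (accepted, rejected).

    Blank lines and '#' comments are dropped.  Anything that is not an
    address= entry with a well-formed name and a literal IP sink is
    rejected, so an unexpected directive in the downloaded list (say a
    server= or dhcp-range= line) can never reach dnsmasq.
    """
    accepted, rejected = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ADDRESS_LINE.match(line)
        if not m or not valid_name(m.group(1)):
            rejected.append(raw)
            continue
        try:
            sink = ipaddress.ip_address(m.group(2))
        except ValueError:
            rejected.append(raw)
            continue
        accepted.append(f"address=/{m.group(1).lower()}/{sink}")
    return accepted, rejected


def install_if_valid(lines: List[str], target: str) -> bool:
    """Atomically replace target with the accepted lines, but only when
    nothing was rejected; otherwise keep the last known-good file in place
    (fail closed).  The temp file name starts with '.' so dnsmasq's conf-dir
    ignores it if a restart races the write."""
    accepted, rejected = validate_lines(lines)
    if rejected:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target) or ".", prefix=".adblock-")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(accepted) + "\n")
    os.replace(tmp, target)
    return True


def demo() -> Dict[str, object]:
    """Constructed batches run against a temporary conf-dir."""
    import shutil
    d = tempfile.mkdtemp(prefix="dnsmasq.d-")
    try:
        target = os.path.join(d, "adblock.conf")
        good = ["# generated", "address=/ads.example.test/0.0.0.0",
                "address=/Tracker.Example.test/::"]
        # The same list after a maintainer typo plus a foreign directive.
        bad = good + ["address=/bad host/0.0.0.0", "server=192.0.2.53"]
        first = install_if_valid(good, target)
        second = install_if_valid(bad, target)
        with open(target) as f:
            kept = f.read().splitlines()
        return {"first": first, "second": second, "kept": kept,
                "rejected": validate_lines(bad)[1]}
    finally:
        shutil.rmtree(d)
```

With this in front of it, the conf-script still exits non-zero when the generated file is missing (dnsmasq's behaviour is unchanged), but a bad download leaves the previous list in force instead of stopping the service.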
Re: [Dnsmasq-discuss] Feature request = block-conf
You are most welcome.

Sent from my iPhone

> On Mar 4, 2022, at 12:19 PM, Simon Kelley wrote:
>
> Thanks Rance, you saved me from writing the same answer.
>
> Simon.
>
>> On 04/03/2022 17:00, Rance Hall via Dnsmasq-discuss wrote:
>> How does dnsmasq behave if there is a configuration error in the config file elsewhere? If the syntax is broken then it fails hard. Don't see why this wouldn't be true of a supplemental config script being referred to in the main one.
>> And as to --fail-safe: I don't see how this is reasonable, as it will lead to undesirable operation and possibly even broken clients if the mistake includes part of the dhcp configuration.
>> It's annoying, but probably better for services not to start if they can't interpret/understand their starting state.
>> Rance
>>
>>> On Mar 4, 2022, at 4:16 AM, Ercolino de Spiacico wrote:
>>>
>>>> I've just added it to 2.87test8
>>>> Please test and report back.
>>>
>>> I've finally managed to find a way to build from sources. One initial feedback:
>>>
>>> I cross referenced the conf script e.g.
>>>
>>> conf-script=/tmp/adblock-expander.sh
>>>
>>> If the file doesn't exist or has a broken syntax it will make the whole dnsmasq process fail with a message like "/tmp/adblock-expander.sh returns a non 0 exit code something"
>>>
>>> This is perhaps a wider topic and goes a bit out of scope for this feature request, but perhaps we should:
>>>
>>> 1) remove this error control for conf-script and simply log+skip errors rather than crash land the whole dnsmasq.
>>>
>>> 2) perhaps introducing a new "--fail-safe" option for dnsmasq to extend point 1) to any broken directive in the configuration
>>>
>>> Thanks!
Re: [Dnsmasq-discuss] Feature request = block-conf
How does dnsmasq behave if there is a configuration error in the config file elsewhere? If the syntax is broken then it fails hard. Don't see why this wouldn't be true of a supplemental config script being referred to in the main one.

And as to --fail-safe: I don't see how this is reasonable, as it will lead to undesirable operation and possibly even broken clients if the mistake includes part of the dhcp configuration.

It's annoying, but probably better for services not to start if they can't interpret/understand their starting state.

Rance

On Mar 4, 2022, at 4:16 AM, Ercolino de Spiacico wrote:

>> I've just added it to 2.87test8
>> Please test and report back.
>
> I've finally managed to find a way to build from sources. One initial feedback:
>
> I cross referenced the conf script e.g.
>
> conf-script=/tmp/adblock-expander.sh
>
> If the file doesn't exist or has a broken syntax it will make the whole dnsmasq process fail with a message like "/tmp/adblock-expander.sh returns a non 0 exit code something"
>
> This is perhaps a wider topic and goes a bit out of scope for this feature request, but perhaps we should:
>
> 1) remove this error control for conf-script and simply log+skip errors rather than crash land the whole dnsmasq.
>
> 2) perhaps introducing a new "--fail-safe" option for dnsmasq to extend point 1) to any broken directive in the configuration
>
> Thanks!
[Dnsmasq-discuss] multiple resolve.conf files
Dnsmasq gang:

Many moons ago I ran my own network router at home and configured everything by hand. My router had a /etc/resolv.conf pointing to itself as the authoritative name server and had a /etc/resolv.conf.dnsmasq that the DHCP service updated when the external IP changed. I just told dnsmasq to use the alternate resolve.conf file.

I subsequently switched to an appliance that ran dnsmasq and haven't switched back.

Now I'm working on something similar. A raspberry pi like device that runs dnsmasq and a vpn client to connect home, and then in turn can allow connections back home via ssh, etc.

Trying to duplicate what I used to do is impossible because of the changes in other tools that ride along next to dnsmasq. So far I keep finding roadblocks provided by systemd, resolved, etc.

Anybody have any idea how I should go about this now? Is there an updated howto or something I could look at? I googled but couldn't find anything useful.
Re: [Dnsmasq-discuss] Telling dnsmasq *not* to send router option??
On Thu, Aug 2, 2012 at 12:49 PM, John Hallam d...@j.hallam.dk wrote:

> I have a situation where my laptop sometimes connects to my IPv4 home network over VPN and sometimes directly. I want to use DHCP to allocate the address of the VPN endpoint on the laptop, to be the same as when it is connected directly to my wired network. This basically works fine.
>
> However, the DHCP client wants to set up a default route, but does it wrong. OpenVPN knows how to do this right, and has already set the default routing configuration correctly to point to the VPN tunnel, except for those cases that should not route that way, so I want the DHCP client not to set the default route.
>
> Is it possible to instruct dnsmasq to refuse to send dhcp option 3 (router) and would this inhibit the DHCP client from setting a default route? (There are various reasons why I can't change the DHCP client and why this behaviour needs to be server-driven.)
>
> Any suggestions received gratefully...
>
> Thanks,
> John Hallam

John:

I have had limited success in scenarios like the one you describe. Every time I configure dnsmasq to not send a dhcp option I end up breaking something else I was not planning on. Some other device needed the option and is now broken because the option does not exist. Some dhcp clients have a strange way of inventing values they need if they think they need them and the answers are not provided, in some cases even the IP address itself. I have always been eventually forced to alter the dhcp client in some way.

FWIW, I have used OpenVPN and Dnsmasq together and been very happy with the setup but I don't have a working setup available to me at the moment so I can't look up any configuration details.
Re: [Dnsmasq-discuss] DNSMasq script lookup
On Thu, Mar 29, 2012 at 3:54 AM, Simon Kelley si...@thekelleys.org.uk wrote:

> snip
>
> One thing which might be interesting, is to define a new type of upstream server (maybe called a look-aside server) which dnsmasq will send a query to first, and which if it can't answer the query can return a custom return-code Not known, which causes dnsmasq to then push the query into the standard server pathway. That becomes useful if such a server exists.
>
> Cheers,
>
> Simon.

Simon:

I just wanted to chime in here because this idea would fix one of the problems I've been working with for some time.

I have my own dns server (to deal with IPs that send my mail server spam, etc). I currently send all dns requests to my dns server first. The second dns server is fast (it's a small install of djbdns from Dan Bernstein). But not every query needs to be handled this way.

I could improve the overall efficiency of this idea if I could somehow filter which dns queries go off toward my server and which go out to the internet the standard way.

Your look-aside server idea would go a long way toward making this happen. The only missing piece would be a sensible way to choose if the look-aside server was needed or not.

Thanks.

Rance
Re: [Dnsmasq-discuss] New here, and looking for some help
On Thu, Dec 29, 2011 at 12:42 AM, M kiwirider...@gmail.com wrote:

> Hi all.
>
> I won't post configs etc yet this message, want to get the basic system up and running first - just trying a reinstall after some suggestions from Simon - basically because I'm building a server at home for another network I kinda screwed some things up. Reinstall might help fix that :)
>
> Anyways, what I want to achieve is a network with the basic following layout :
>
> eth0 - talks to the outside world.
> eth1 (10.0.1.1) - 10.0.1.10 - 10.0.1.254 - Limited internet access, some sites not available to machines connected to this
> eth2 (10.0.2.1) - 10.0.2.10 - 10.0.2.254 - full access to the few machines connected here.
>
> Could also have eth1 do up to .100 and eth2 do .101-254.
>
> I'm certain that DNSMasq should be capable of doing this, but am not quite sure how to do it. I'd rather have pointers in the right direction than a full guide, and only get extra help if I need it. I retain the information better by having to learn to do it myself :)

It would be easier IMO to run one instance of dnsmasq and set up dhcp pools for each physical address that needs one. I don't think your idea of having eth1 do up to .100 and eth2 for the rest has merit. Your original idea that eth1 would be 10.0.1.1 and support a dhcp pool in the 10.0.1 network. eth2 then can have 10.0.2.1 and a separate dhcp pool for the 10.0.2 network.

> One thing that might be important early on - eventually this box will be running a website, and of course I want the URL to point back to the machine, however if I have 10.0.1.x and 10.0.2.x addresses, I can see I might run into issues with getting each branch to point to the right place. In this case, would it be better to keep everything under the .1.x range? After all, we'll never have more than 30 machines connected at any one time, and most of the time only 10 on an extreme day.

Getting the branches to point to the right place doesn't have anything to do with dnsmasq in my view. It's easy to put up an internal web server on 10.0.1.5 (for example). The 10.0.2 network machines can access the web server on 10.0.1.5 provided two things are true. dnsmasq running on the server must tell the 10.0.2 net that the hostname's ip address is 10.0.1.5. Then your firewall/routing/gateway setup must allow the 10.0.2 network access to the 10.0.1 network. dnsmasq has little to do with this, it's network design/routing tables stuff that you need to be aware of.

As to your need to have one of the networks not have full internet access, exactly how you do that depends on your needs. A forced network proxy server that blocks certain web sites is the classic solution for this type of thing. You could do this with dnsmasq also and sort of poison the dns results, but one thing you have to worry about is the ease of maintenance over the long term.

Have fun, and good luck.
Re: [Dnsmasq-discuss] New dnsmasq router
On Mon, Dec 12, 2011 at 12:26 PM, Matt Ginzton m...@ginzton.net wrote:

> I did use a dhclient hook to tell it to stop writing to /etc/resolv.conf at all, so that resolv.conf has only 127.0.0.1 as the nameserver.
>
> Matt

This will work as well, mind sharing with me how you did this? I know this is OT for the list so if you just want to email me privately that's fine.

Rance
[Dnsmasq-discuss] New dnsmasq router
I recently retired my old centos based home firewall/router/dhcp/nat server and replaced it with a ubuntu-server install. Generally speaking it went flawlessly but one thing didn't work.

On the old centos box I had a dhclient-exit-hooks script that did some magic with my resolv.conf files so the firewall box could have the same name resolution as the clients on my network. My external interface is dhcp from the isp and for loadbalancing reasons my isp dns servers are dynamic. The easiest way to deal with this was to create a static /etc/resolv.conf.perm file. After a dhcp update and a new /etc/resolv.conf, I wrote a custom dhclient-exit-hooks to copy the new resolv.conf file to resolv.conf.forwards (the path that my dnsmasq config file is expecting) and then copy the resolv.conf.perm to resolv.conf.

Only after the ubuntu setup this process does not work. This isn't a dnsmasq problem per se but I was hoping that some of you out there are using ubuntu in this way and can help me figure out what I did wrong. I've googled, but I didn't find anything useful.

Rance
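The file rotation Rance describes here, and again in the "multiple resolve.conf files" post, written out as an added example; it is not from either post and stands in, in Python, for the dhclient-exit-hooks shell logic. It assumes the three names from this post in one directory: resolv.conf (just written by the DHCP client), resolv.conf.perm (the static copy pointing at the local dnsmasq) and resolv.conf.forwards (the file dnsmasq is configured to read as its resolv-file). The DHCP-supplied content is chosen by the ISP's server, so it is filtered to known resolver keywords with sane values before dnsmasq sees it, and both writes are atomic because dnsmasq polls its resolv file. The sample file contents in demo() are constructed.

```python
import ipaddress
import os
import re
import tempfile
from typing import Dict, List

ALLOWED_KEYS = {"nameserver", "search", "domain", "options"}
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
OPTION_RE = re.compile(r"^[a-z-]+(?::\d+)?$")


def sanitize_resolv(text: str) -> List[str]:
    """Keep only well-formed resolver lines from a DHCP-written resolv.conf.

    Unknown keywords, non-IP nameservers and malformed search domains are
    dropped rather than handed to dnsmasq's resolv-file.
    """
    kept = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key not in ALLOWED_KEYS or not args:
            continue
        if key == "nameserver":
            try:
                kept.append(f"nameserver {ipaddress.ip_address(args[0])}")
            except ValueError:
                continue
        elif key in ("search", "domain"):
            names = [n for n in args
                     if all(LABEL_RE.match(l) for l in n.strip(".").split("."))]
            if names:
                kept.append(f"{key} {' '.join(names)}")
        else:
            opts = [o for o in args if OPTION_RE.match(o)]
            if opts:
                kept.append(f"options {' '.join(opts)}")
    return kept


def atomic_write(path: str, lines: List[str]) -> None:
    """Write to a temp file in the same directory, then rename over path, so a
    reader never sees a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".resolv-")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(lines) + "\n")
    os.replace(tmp, path)


def rotate(conf_dir: str) -> List[str]:
    """The hook body: resolv.conf -> resolv.conf.forwards (sanitized), then
    resolv.conf.perm -> resolv.conf.  Returns the forwarder lines installed.
    Nothing is touched when DHCP supplied no usable nameserver."""
    resolv = os.path.join(conf_dir, "resolv.conf")
    with open(resolv) as f:
        forwards = sanitize_resolv(f.read())
    if not any(l.startswith("nameserver ") for l in forwards):
        raise ValueError("DHCP supplied no usable nameserver; files left untouched")
    atomic_write(os.path.join(conf_dir, "resolv.conf.forwards"), forwards)
    with open(os.path.join(conf_dir, "resolv.conf.perm")) as f:
        perm = f.read().splitlines()
    atomic_write(resolv, perm)
    return forwards


def demo() -> Dict[str, List[str]]:
    """Constructed files in a temporary directory standing in for /etc."""
    import shutil
    d = tempfile.mkdtemp(prefix="resolv-")
    try:
        with open(os.path.join(d, "resolv.conf"), "w") as f:
            f.write("# Generated by dhclient\n"
                    "nameserver 71.10.216.1\n"
                    "nameserver 71.10.216.2\n"
                    "nameserver not-an-ip ; ignored\n"
                    "search hallhome.private bad_label.test\n"
                    "options ndots:2 rotate\n"
                    "sortlist 10.0.0.0/8\n")
        with open(os.path.join(d, "resolv.conf.perm"), "w") as f:
            f.write("nameserver 127.0.0.1\nsearch hallhome.private\n")
        forwards = rotate(d)
        with open(os.path.join(d, "resolv.conf")) as f:
            resolv = f.read().splitlines()
        return {"forwards": forwards, "resolv": resolv}
    finally:
        shutil.rmtree(d)
```

In a real hook the call would be `rotate("/etc")`, run from the exit hook after dhclient has rewritten resolv.conf; dnsmasq then notices the new forwards file on its own.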
[Dnsmasq-discuss] resolving short names
I have a small home network with several nodes, some static ips, others from dnsmasq's dhcp server. All have same netmask and class.

Three of the nodes (two servers, one client) are Windows Active Directory domain members using the windows dns service for a different domain name.

Most of the clients on the dnsmasq side are able to resolve short names just fine.

I need to know if there is a way to configure dnsmasq to look at the Windows AD DNS to resolve short names it doesn't understand, despite the fact that I have domain-needed set in the dnsmasq.conf to keep dnsmasq from actually forwarding incomplete names.

I've already got a server= line in my dnsmasq.conf which fixed full name resolution just fine.

Here is what I want to happen:

dnsmasq gets request to resolve short name like andromeda (name of one of my windows servers)
dnsmasq tries to find andromeda in either /etc/hosts or the dhcp leases and fails.
dnsmasq can't forward to upstream servers an incomplete name, so it assumes that the windows service is handling that name, and checks.
If windows can find a listing for andromeda fine, return it. If not, then fail.

Possible?

Thanks.
[Dnsmasq-discuss] OT: Network analysis tools
I know this is Off Topic for this list, but I need help, and this is likely a good place to find people who understand the problem well enough to provide some hints.

This is a research project for my Masters Degree.

I'm setting up a virtual network with VDE and connecting vms to it with VirtualBox. I'm using wirefilter to poison the logical cables between virtual VDE switches and I'm using wireshark to detect the force-fed faults. All seems to be working as far as I've tested it.

I need help finding research grade documentation for the faults. So far I'm sourcing the software manuals for the various software products I'm using and some RFCs.

It would be nice if I could find something (preferably published in a journal or a conference) that discussed the network related problems associated with too much packet loss, or duplicate packets or noise.

Any help appreciated.

Rance
[Dnsmasq-discuss] interaction with active directory
I'm working on my MCITP certification and deployed a test Win 2008 R2 server in my home network.

While running dcpromo.exe trying to get my new box to be a domain controller I got an error message when I said that another box was the dns server. Something about not being able to update the zone files. (sorry I'm not in front of that box at the moment)

I googled for dnsmasq and active directory and I got two hits: one was a sample config file for dnsmasq that had some windows specific stuff enabled, and the other was a user contributed patch for dnsmasq and AD records.

Unfortunately for me this is simply not enough information. I have a hunch from these two google hits that what I want to do is possible. But no idea how to pull it off.

So I put it to the list: How do you integrate AD 2008 R2 with dnsmasq for AD compatible DNS service?

Thanks for any constructive comments.

And as for the less than constructive comments: I'm doing this because I'm getting paid to study the MCITP and I really don't want to screw up my home network that is functioning just fine without any windows intervention. I want as painless and easily reversible setup as possible for when the class is over and I'm no longer running an AD server in my home.
Re: [Dnsmasq-discuss] Can't make dnsmasq work on a VirtualBox host-only network
On Thu, Sep 30, 2010 at 8:13 PM, Mike Williams m...@dogbiscuit.org wrote:

> Hi,
>
> I'm attempting to set up a virtualized farm of servers under VirtualBox. I'll need to create a bunch of VMs, and I don't want to have to manually set their hostname and IP address, so a DHCP solution is attractive. The DHCP server built into VirtualBox doesn't allow us to either (a) dynamically update the DNS, or (b) pre-bind MAC addresses to IP addresses, so I've been looking at using dnsmasq.
>
> snip ...
>
> Unfortunately, the guest never sees the DHCPOFFERs, and eventually gives up in disgust. It seems like the DHCPOFFER packets aren't making it back onto the host-only network (vboxnet0).
>
> Help! Any ideas how I might get dnsmasq working effectively? Is this more likely to be a problem with dnsmasq, or with VirtualBox's networking? How might I debug it further?
>
> --
> cheers,
> Mike Williams

Did you remember to shut off the internal vbox dhcp server so that there wouldn't be conflicts with two dhcp servers for guests?

You can use the command line VBoxManage tool to manage details of VBOX not in the gui. The command:

VBoxManage list dhcpservers

will list the internal dhcp servers and tell you if it is enabled. A similar VBoxManage command will disable it if it is. This is a really nifty tool, so I'll let you read up on how to use it to actually disable that dhcpserver which I suspect is running.
Re: [Dnsmasq-discuss] Clients bypassing dnsmasq server intermittently
On Tue, Sep 28, 2010 at 4:13 PM, g...@desgames.com g...@desgames.com wrote:

> The behaviour I'm seeing is that when I try to ping or connect to dev1..com (or just dev1), it should resolve to 192.168.1.26, which it does for a while. However, more than once I've discovered that it's started resolving to the outside IP which is something like 24.x.x.x. The only way to fix it is to drop my wireless connection and then reconnect.
>
> FYI, I've disabled the DHCP server on the wireless router.
>
> Any idea what's happening?
>
> Thanks,
> Guy

This sounds like you have two dhcp servers on your network serving different dns addresses. When the macbook lease expires and gets a new dhcp address it gets it from the OTHER dhcp server and that dhcp server is passing the resolv address as a public one.
Re: [Dnsmasq-discuss] Random IP address in the pool with dhcp-script?
On Thu, Aug 26, 2010 at 7:11 AM, Benjamin Henrion b...@udev.org wrote:

> Hi,
>
> I am trying to figure out how to give a different IP address, preferably random, in a pool, by invoking the dhcp-script.
>
> Any idea how to do that?
>
> Best,
>
> --
> Benjamin Henrion bhenrion at ffii.org

Maybe I'm reading this wrong, but since the original assignment from the dhcp pool is reasonably random, and after that dnsmasq works very hard to offer the same IP address to the same machine based on mac address or hostname or some other network characteristic that is configurable. I'm taking your question to mean is there a way to force dnsmasq to give out DIFFERENT IP addresses even if we've processed this machine before.

If this is what you want, then you might need to explain the problem you are trying to solve, because generally this is undesired behavior, at least it is on the networks I manage.

Rance
Re: [Dnsmasq-discuss] could not bind dnsmasq to mutiple interfaces with same ip-address
On Thu, May 13, 2010 at 1:24 PM, Michael Rack michael.r...@rsm-freilassing.de wrote:

> Hi Simon!
>
> I've installed dnsmasq to my new servers i bought. I copied all files original as of the old server. But on startup i get this error message:
>
> dnsmasq: unknown interface bond5
>
> after removing bond5 i got the following error message:
>
> dnsmasq: unknown interface bond4
>
> after removing bond4, dnsmasq started properly.

I have never seen this error unless the interface really didn't exist. Your removing the bond5 entry from the config file seems to suggest that the IF really doesn't exist. What does ifconfig say?
Re: [Dnsmasq-discuss] One lease or another
On Wed, Dec 30, 2009 at 4:08 PM, Didster dids...@gmail.com wrote:

> Hi
>
> Probably an odd request this, but is there any way of getting dnsmasq to give a lease to either one machine or another but not both?

I'd agree with you about the odd part.

> So I have a small network of about 7 PCs on a static range. Each PC is listed with its MAC address in a dhcp-host directive. For 2 of the PCs, I only want one of the 2 machines to be able to get a lease at any one time. So if PC1 has a lease, PC2's request will fail and vice versa. Is there any way that can be done?

AFAIK, no, there is nothing that can force this behavior, it might be against an RFC even.

I'm always curious when people ask questions like this, they are trying to do something interesting and unique, I'd really like to hear about why you want to do this.

Rance
Re: [Dnsmasq-discuss] dhcp-range - must ip address of server be outside that?
On Sun, Dec 27, 2009 at 5:47 PM, richardvo...@gmail.com wrote:
> On Sun, Dec 27, 2009 at 11:31 AM, dnsmasq.to.pee...@spamgourmet.com wrote:
>> dnsmasq.conf has a line:
>>
>> dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
>> (hostmin,hostmax,netmask,leasetime)
>>
>> If I enable that line, must the dnsmasq server itself be outside that range? I.e., for the dnsmasq server: 192.168.0.55 on the LAN interface would be wrong but 192.168.0.45 would be ok.
>
> In my experience, dnsmasq is smart enough to not give out its own address, or any addresses mentioned in dhcp-host lines (except to the computer to which it is reserved). It may be confusing, because your address pool is smaller than the dhcp-range suggests, and you'll have fewer leases than expected when DHCP starts failing, but dnsmasq won't do anything so broken as giving away its own address.

Richard:

This is good to know. I've never even asked dnsmasq to do this, so I wouldn't have had a clue that it would work correctly.

I always design a static IP pool, a device pool, and a DHCP pool; that way I know what's going on on the network, and I can easily ignore devices in searches when I'm looking for a problem with an as yet unidentified PC somewhere.
Re: [Dnsmasq-discuss] dhcp-range - must ip address of server be outside that?
On Sun, Dec 27, 2009 at 6:47 PM, dnsmasq.to.pee...@spamgourmet.com wrote:
> Rance wrote:
>
> On to another issue now: static IPs outside the allocated pool. You seem to be implying that it is better not to define static IPs in DHCP server config files (that is, it is better to have them outside the DHCP range pool). Why? (To be clear, I am thinking here of a LAN with a mix of static and dynamic IPs, using a DHCP server on the LAN.) Please explain it, or point me to material that explains why this should be a best practice.

As far as your scripting goes, good luck. I'm always interested in what people do to solve problems like this, and scripts for your own use are very different from scripts you intend others to use. Maybe you can share your ideas/problems. I'd love to hear.

As far as my IP setup goes, I always define at least 3 (and sometimes more) subsets of IPs in the range my network is going to use:

1) Servers that need static IP addresses.
2) Devices that need static IP addresses (like network printers etc.).
3) DHCP pool.

If I need to, then I can refine this list some more:

- company-owned DHCP machines and guest DHCP machines
- wireless access devices (like access points, etc.)

Why do you do this?

- Good form
- Minimize problems with IP overlap
- Easier to troubleshoot later

Every network design class I ever attended or taught had a layout like this. Maybe it's as simple as this is what I know.

As far as asking dnsmasq to always assign the same IP address based on hostname or MAC or some other known attribute, that is possible and I do that all the time. Temporary test servers are an example of something I allow to get a DHCP address but use a MAC address to make sure it gets a known value.
Re: [Dnsmasq-discuss] dhcp-range - must ip address of server be outside that?
oh crap

On Sun, Dec 27, 2009 at 2:45 PM, Rance Hall ran...@gmail.com wrote:
> PJ: see comments below:
>
> On Sun, Dec 27, 2009 at 11:31 AM, dnsmasq.to.pee...@spamgourmet.com wrote:
>> dnsmasq.conf has a line:
>>
>> dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
>> (hostmin,hostmax,netmask,leasetime)
>>
>> If I enable that line, must the dnsmasq server itself be outside that range? I.e., for the dnsmasq server: 192.168.0.55 on the LAN interface would be wrong but 192.168.0.45 would be ok.
>>
>> regards
>> PJ
>
> It's usually helpful if your static IP addresses are all in a space that is allocated to your DHCP pool.

This statement is WRONG with a CAPITAL WRONG. It should have said:

It's usually helpful if your static IP addresses are all in a space that is NOT allocated to your DHCP pool.

Sorry about the confusion. Can't believe I missed that during my message edit. The rest of what I said below is still relevant.

> The fact that you don't already know this concerns me greatly. Dnsmasq is a great product and I've used it successfully and even tried to contribute when I can. But getting the most out of dnsmasq means that you have to have a basic understanding of networking at the IP level. Your question indicates that perhaps you don't have that basic understanding. I fear that you will be creating your own problems over the course of your dnsmasq installation because you don't really know what you are doing.
>
> My advice: slow down, do some reading, and try to understand what you want to do. If you have a specific question about basic setup, or how to make dnsmasq fit what you want, then by all means ask.
>
> If I am wrong about my assessment of your question, I'll apologize.

Rance
Re: [Dnsmasq-discuss] unable to resolv hosts by name in my local network
On Fri, Dec 18, 2009 at 3:31 AM, Luca Postregna luca.postre...@gmail.com wrote:
> Ok, this is true. But my question is different, I think. If my hosts are present in /etc/hosts, with the expand-hosts option in my dnsmasq config, resolving by name works properly. But I don't want to specify anything in /etc/hosts. I think that dnsmasq, when one client gets an address, obtains all the info (dhcp.leases) to permit itself and other clients to resolve the new client by name, is that true?
>
> LP

snip

This is almost always true for cases when all clients that need to resolve each other's names are provided by the DHCP server. You don't have to modify /etc/hosts if DHCP clients are all you have.

There are some common things that interfere with this basic status.

1) Some OSes (usually Unix based) ship needing dhclient to be configured to send a hostname with the DHCP request. Windows does this by default, but with *nix this is a configurable option. NOT sending the hostname with the DHCP request will cause name resolution to fail for just these hosts.

2) It's possible (though I've only seen it happen once in my several years of using dnsmasq) to get a corrupted dhcp.leases file. If this file is hosed then name resolution of DHCP clients can be broken depending on the specific way the leases file gets hosed.

3) The wrong authoritative setting in dnsmasq.conf, or another DHCP server somewhere on your net that also thinks it's authoritative.

There might be other off-the-wall things as well.

I refer you to my previous post: the behavior you desire is, in my view, default. If you don't get it, there is something broken. But you need to do a better job of explaining what broken looks like for you so we can help you figure out what to do about it.
Re: [Dnsmasq-discuss] unable to resolv hosts by name in my local network
On Thu, Dec 17, 2009 at 3:51 PM, Luca Postregna luca.postre...@gmail.com wrote:
> Is there a way to resolve by name the hosts of my network without modifying /etc/hosts on the server or on the client? On the server in dhcp.leases I can read that my client sends the hostname; is that not enough?
>
> Thanks, Luca.
> --
> http://www.infis.units.it/~lucapost/
> Luca Postregna

The clients that get DHCP addresses should already be able to resolve the other DHCP clients by name. If this is not true, you have a problem and you need to fix that first.

In order for the clients to resolve static-IP machines by name, the server needs to know about them some way. Typically this is with the /etc/hosts file, but IIRC dnsmasq has the ability to specify an additional/alternate /etc/hosts file. This other file needs to be a properly formatted /etc/hosts file; it can just have another name. This should get your clients resolving the network correctly.

The next thing you need to know about is whether you want the DHCP server to resolve local names the same way the clients do. There is a way to configure this also: specify in your server's /etc/resolv.conf that the server should look at itself for name resolution, and then specify a second proper /etc/resolv.conf file for dnsmasq to use to get the rest of the net.
Re: [Dnsmasq-discuss] dnsmasq / dns server / iptables config glitch?
On Tue, Nov 24, 2009 at 8:28 AM, Mark Beierl m...@jemms.net wrote:
> The TIME_WAIT is not an active socket, it's the remnant of a previous connection. I have no idea at all why mysqld has moved to 127.0.1.1. Is the bind address config line set to the host name and is the host name entry in /etc/hosts 127.0.1.1?
>
> Unfortunately, I know very little about mysql, so I can't point you in the right direction for configuration...
>
> Regards,
> Mark
>
> Adam Hardy wrote:
>> You're right. The result from netstat was:
>>
>> tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2557/mysqld
>>
>> After changing the bindaddress config in the mysql config as per the docs to free up networking, it then gives this result:
>>
>> adam@isengard:~$ sudo netstat -napt | grep 3306
>> tcp 0 0 127.0.1.1:3306 0.0.0.0:* LISTEN 16473/mysqld
>> tcp 0 0 127.0.1.1:53067 127.0.1.1:3306 TIME_WAIT -
>>
>> which looks weird. But then it's probably just because I don't have much experience in this area. Why has it switched over to 127.0.1.1?
>>
>> Thanks
>> Adam

The mysql configuration file is my.cnf. It's probably in /etc/ somewhere.

By default mysql listens on the localhost interface only. You can skip networking completely and just use pipes/sockets by using the skip-networking directive in the my.cnf file. Or you can add a bind-address directive to my.cnf:

bind-address 0.0.0.0 will listen on all interfaces; a series of bind-address x.x.x.x will specify a list of interfaces to listen on (don't forget to include localhost).

Rance
Re: [Dnsmasq-discuss] random problem with name resolution
On Fri, Jul 24, 2009 at 5:09 AM, Rance Hall ran...@gmail.com wrote:
> On Fri, Jul 24, 2009 at 3:54 AM, Stefano Bridi stefano.br...@gmail.com wrote:
>> Hi all, first of all thanks for the wonderful tool! I have a problem with the DNS part of dnsmasq: sometimes it does not resolve hostnames.
>
> There are two things that I want to point you to:
>
> 1) The local=/domain.tld/ option. If you specify this option correctly then members of that domain are never forwarded to the ISP. This option will fix your problem of forwarding names to the public internet that don't exist, and should speed things up right off.
>
> 2) While the above is good advice, it's not complete; it doesn't fix the problem of dnsmasq not knowing about the boxes on the local net in the first place. On its face, I'd say that this is a configuration error. In all my years of using dnsmasq I've never seen this problem on an otherwise correctly configured dnsmasq that wasn't my fault. The way you have dnsmasq configured, local queries only come from one of two places: the alternate hosts file you specified, and the DHCP leases file. Make absolutely sure that the host you are occasionally having trouble with is actually present in either one of these files. I suspect it is not present at the point you are having the trouble.
>
> HTH
> Rance

Oh, and I forgot one other thing. I use TWO resolv.conf files. Rather than listing them in the config file, I have a /etc/resolv.conf file that points the server box back to itself as you do, but I also have a /etc/resolv.conf.forwards file that has the nameservers from the ISP in the proper resolv.conf format. Then I don't have the entries in the config file.

It's not that one way is better than the other, but I find that it's easier to troubleshoot problems like this when you know exactly which configuration file is causing you problems, and the fact that each file is not that large makes mistakes easier to spot.

Just a thought.

HTH
Re: [Dnsmasq-discuss] DHCP options and SIGHUP
On Sun, Jul 12, 2009 at 8:52 AM, Olaf Westrik weizen...@ipcop-forum.de wrote:
> Hi everyone,
>
> I have a question and/or problem with using various DHCP options and reloading them by using SIGHUP.
>
> Following use case: 'global' DHCP settings (rarely changing) and several static leases, some of which use dhcp-boot for PXE boot. Now I would like to reread the static leases after changes have been made by using SIGHUP. No problem if I put the dhcp-host configuration lines in a file referenced by dhcp-hostsfile, but what to do with the dhcp-boot lines?
>
> Any thoughts?
>
> Thanks
> Olaf

First I'll start by saying I don't have the answer to your question.

That being said, the fact that you are in a situation where the question is relevant really interests me. In my setup I only have one dhcp-boot line, and a gpxe match dhcp-boot line (which may be going away as my experiments with gpxe and iSCSI booting have not provided fruitful results).

For my personal curiosity, if no other reason, could you explain what you are trying to do? It sounds like you are wanting to set a host-specific dhcp-boot so that different hosts get different starts, am I right?

I'm not sure this is possible as you have stated it. But have you explored the idea of a scripted pxelinux default dhcp-boot file? Suppose you could start all clients the same: they start with pxelinux.0 and load the default file. Then that default file is where the advanced selection is made, and you get a special kernel/append line on a per-instance basis.

The latest version of syslinux includes gpxelinux.0, which works as a replacement for pxelinux.0 and is scriptable if pxelinux.0 is not.

HTH
Rance
Re: [Dnsmasq-discuss] writing a dhclient-exit-hooks script to manage dnsmasq
On Thu, Jul 9, 2009 at 9:26 AM, Brad Morgan b-mor...@concentric.net wrote:
> I use dyndns.com for my home system and my IP hasn't changed in 6 months. There's a configurable parameter in the script I use that says how often to send an update even if the IP hasn't changed. The script was obtained from the dyndns.com site, I didn't write it.
>
> Regards,
> Brad

Brad, and the rest of the crew:

I was able to solve my problem, thanks to Brad's suggestion and others on this list.

I started researching dyndns providers, and dyndns.com seemed like a better fit for what I wanted to do. So I signed up, got an even better domain to have a subdomain on, and the perl script that Brad referred to also comes with a cron setup file for use in /etc/cron.d and a sample /etc/dhclient-exit-hooks script so that your dyndns gets updated on a regular basis AND whenever you get a new IP address. Darn nifty.

As to my resolv.conf problem, I ended up solving it this way:

I could not change the dhclient-script to change the name of the resolv file without changing core system scripts that would be overwritten on the next update/upgrade. So I now have three resolv files:

/etc/resolv.conf.perm
/etc/resolv.conf
/etc/resolv.conf.forwards

.perm is the permanent resolv file whose nameserver line is self-referencing.
.forwards is the one I ask dnsmasq to use.

As part of my dhclient-exit-hooks script I execute this code just before the dhclient-exit-hooks script wants to get out to the internet to update my dyndns server:

cp -f /etc/resolv.conf /etc/resolv.conf.forwards
cp -f /etc/resolv.conf.perm /etc/resolv.conf

And that's just that simple.

I did end up with one question: assuming dnsmasq is polling the resolv file, how long should I wait between replacing the file and trying to get on the net? I'm wondering if a sleep 1 or something needs to go between the resolv file business and the dyndns update.

Thanks all for your insight and patience as I worked this one out.
[Dnsmasq-discuss] writing a dhclient-exit-hooks script to manage dnsmasq
hey gang,

I'm trying to do something I've done repeatedly with static external IP addresses, but now that I have an external DHCP address things have gone a little off.

What I used to do was mv /etc/resolv.conf to /etc/resolv.conf.dnsmasq and tell dnsmasq to read this file instead of /etc/resolv.conf. Then I would edit /etc/resolv.conf to point the machine back to itself. This way during normal operation the DHCP server could ping, ssh, etc. to the same machines by hostname that the clients all did. No biggie.

Enter a DHCP-based external interface. /etc/resolv.conf is rewritten from time to time, as my ISP uses a set of DNS servers and selects the least busy one to give out for load balancing reasons. There are lots of tutorials on how to get /etc/resolv.conf to NOT get rewritten, but if the ISP changes it on purpose, not rewriting the file is not an option.

So, I came up with the idea of creating an extra file called /etc/resolv.conf.perm for the permanent /etc/resolv.conf to reside in. Then as part of dhclient-exit-hooks, I would check if /etc/resolv.conf had been rewritten some way, and if it had, move the .conf file to .conf.dnsmasq and then copy the .conf.perm into .conf. Then I would have to send dnsmasq a signal (a SIGHUP if I read the docs correctly).

Then I need the script to do something strange: I want it to upload a file to my ISP's webhosting account so that my public IP address is available via a simple grep of a downloaded .html file. I already know how to script an ftp session, so that part is easy.

I have several questions...

1) According to dnsmasq documentation a SIGHUP will cause all the config files to be re-read, and it will also re-read /etc/resolv.conf if the no-poll option is set. Am I reading this correctly? Is there a way to ask dnsmasq to just re-read the resolv file without having to reload everything?

2) I'm not convinced that dhclient-exit-hooks is the right place for this, but I can't think of another. There are lots of Google hits on errors with dhclient-exit-hooks not running. Not to mention that I don't yet understand when the various things happen that dhclient-script asks for. (Like: is /etc/resolv.conf created before or after the exit-hooks script is run? Or what about one of the interface-specific scripts that dhclient-script executes at different places in the process? Or is the value of the new IP available to a dhclient-exit-hooks script so I could just reference the variable, or do I have to look it up on my own?) If someone would be so kind as to help straighten me out with a pointer to a good primer, or something like that, I would be grateful. Is there a better way/place to do what I want to do?

3) If anyone has done anything like this, and wouldn't mind sharing, I'd love to see a reasonably active script that really does some stuff.

Thanks all for the time, and I apologize for the parts of this that are related, but maybe off topic.

As a way of saying thanks I would like to contribute the script for public use when it's done. Simon, you think there is room for something like this in /contrib?
[Dnsmasq-discuss] Please Ignore writing a dhclient-exit-hooks script to manage dnsmasq
Please forget what I previously wrote.

We use two main Linux distros and one FreeBSD box, and what I needed to do needed to be portable across distros. I know that I didn't mention that in my first post, but I knew I could handle the portability part.

Anyway, the short of it is that half of my machines do not support the ftp -s:scriptname syntax that I was going to use to upload my files to the web server.

I think now I have to come up with another approach altogether. Maybe something like a file watcher in the background that checks if resolv.conf changed and, if so, does the stuff I need done.

Thanks all for your attention
Re: [Dnsmasq-discuss] extension of configuration files
On Sun, Jul 5, 2009 at 5:20 PM, richardvo...@gmail.com wrote:
> How about a compromise -- not a full wildcard syntax, but a user-controlled literal suffix match? e.g.
>
> conf-dir-suffix=.conf
>
> Or you could let other programs do the heavy lifting and have a just-in-time config command whose output is processed. Dangerous because it has to be run before forking as nobody, but very powerful:
>
> jit-config=/bin/sh -c cat /etc/conf.d/dnsmasq/*.conf
>
> Just a couple of thoughts and I'll let Simon finish digesting this thread.

I have an objection to the apache multiple-includes approach. I think that the only way to make room for this is to rip out the current behavior of accommodating the various emacs patterns Simon mentioned earlier in the thread.

I question the need for the apache include approach since apache will let you specify more than one include statement. Dnsmasq has few enough options that a single directory with multiple files is really sufficient.

The conf-dir-suffix idea really seems to be the most flexible, and the easiest to add in the current mix.
[Dnsmasq-discuss] problem getting gpxe to work within dnsmasq
Here's my setup:

dnsmasq is my dhcp/dns/tftp server all together. I have a working PXE menu system I like, and it affords me the chance to boot dban, memtest, etc. just from PXE.

I've really struggled getting gPXE to work the way I want it to. Since Simon was so nice to alter dnsmasq so that gpxe would work, the gpxe authors and Simon have apparently teamed up, as there are some really good docs out there.

Here is what I'm trying to accomplish: leave the currently set up PXE menus alone, except add an option from one of the menus to boot gpxe from PXE. PXE supplies the gpxe kernel just like it would for any other product. gpxe starts, gets a different bootfile name and starts the gPXE menu page where you can define the various iSCSI drives that are netbootable.

Problem: here is the stock dnsmasq config file section:

# Boot for Etherboot gPXE. The idea is to send two different
# filenames, the first loads gPXE, and the second tells gPXE what to
# load. The dhcp-match sets the gpxe tag for requests from gPXE.
#dhcp-match=gpxe,175 # gPXE sends a 175 option.
#dhcp-boot=net:#gpxe,undionly.kpxe

I have the following configuration:

dhcp-boot=pxelinux.0
dhcp-match=gpxe,175 # gPXE sends a 175 option.
dhcp-boot=net:#menu.gpxe

where menu.gpxe exists right next to the pxelinux.0 file in the tftp directory, and the file is a gpxe script that tells it what to do next.

On my clients I get the following behavior...

PXE boots as expected.
Select gpxe from PXE menu.
gpxe loads as expected.
gpxe does NOT load the script and create the menu.
gpxe reloads itself ONCE.
No filename or root path specified.
BOOT FAILURE.

If I don't try to give gpxe a menu, gpxe loads ONCE, and then gives me a "press ctrl-b to get a command prompt", and when the command prompt is present, I can manually do what I want.

I'm open to the possibility that my menu is hosed, but I just want to double check that my setup is correct.
Re: [Dnsmasq-discuss] Dnsmasq only to respond to local queries?
I apologize to the list, my reply button was not set up correctly.

On Sun, Oct 5, 2008 at 10:09 AM, Michal Sawicz mic...@sawicz.net wrote:
> I got a direct response so I'm forwarding it here and my following responses are below...
>
>> Depends on your setup, but for me dnsmasq is authoritative for the locally served domain, and forwards all other domains out to the internet.
>
> But it's still dnsmasq that does the reply, or does it tell the hosts somehow that they should ask the other NS?
>
>> So if hosts 4 and 5 are set up correctly with TWO DNS sources of information, your dnsmasq IP first, and a public internet source second.
>
> I'm not sure I understand that sentence...

After reading it again there's no way you should. The information is there, but in a garbled way, so I'm sorry about that.

On the wireless link, you can set up the clients with multiple DNS servers, which I would do: your local one having first priority, and a public one, so that in case something went wrong with dnsmasq or the wireless bridge, the other segment can still access the internet successfully.

>> You said that router2 only had one IP cable interface, which to me suggests that router1 and router2 are connected to each other via a WiFi link, since the IP cable interface hooks router2 up to the internet.
>
> Yes, I didn't explain that part - the WiFi link are two APs separate from the routers, connected to my networks through standard switches. So the setup actually looks like this:
>
>                -- Internet --
>               /              \
>              /                \
>       Router1 --- AP == AP --- Router2
>     (w/dnsmasq)             (proprietary)
>        / | \                   |   \
>    host1 host2 host3        host4 host5
>
> Where /|\- are ethernet/DSL links, = is WiFi.
>
>> If router2 suddenly has a WiFi problem, then yes, hosts 4 and 5 do lose all inet capability because the link is broken.
>
> Router1 has its own DSL link, as does router2. The WiFi link should only be responsible for linking the two LAN segments, not participating in internet communication at all.
>
>> You'll forgive me, but I don't see the value in the extra work you are doing here. Seems to me like you have added extra equipment you don't need and made your network more complex, but have not solved a problem. What's wrong with this:
>>
>> internet
>>    |
>> router1 w/dnsmasq
>>    /        \
>> cabled     wifi router2
>> hosts      (repeated)
>>               \
>>            wireless hosts
>
> I don't want the second segment to depend on the first one. They have their separate web connections (which, in turn, I can use as a fallback for the other one).
>
>> I understand (I think) what problem you were trying to solve with your original setup, but I guess I don't think you solved it. They aren't two separate subnets that need to talk to each other, so since they are the same subnet I would try to wire them that way. Feel free to enlighten me if you think I'm missing something.
>
> Router1 and 2 are in two different physical locations (the WiFi is a 200m bridge). I want the two locations to be independent when it comes to internet connection; I only want the WiFi to allow fast connections between the hosts on either side, but still use their respective connections to the internet.

This helps me out a little; it's clearer now what you are trying to accomplish. You want dnsmasq to decide if the request is forwarded or authoritative, and if it would be forwarded, shut up, right?

This means that all your clients need two NS servers: one for dnsmasq and one for the public internet when dnsmasq doesn't respond. dnsmasq has to be listed first so it will be tried first, but there has to be a fallback position.

> Thanks for the insight anyway, the basic idea is that I'd like dnsmasq to say 'dunno, ask the other guy' to queries for remote domains. On the other hand, if that's not possible there's no real problem; it's not like DNS traffic is a big one, and if dnsmasq were unavailable, the hosts would ask upstream anyway.

I couldn't find a specific sample of a command, either from the man page or re-reading the sample config file, that suggests that what you are asking for is possible.

> --
> Michal Sawicz mic...@sawicz.net
[Dnsmasq-discuss] new isp with new setup, how to change dnsmasq to accomodate
hey gang:

I got a new ISP yesterday and the network setup is slightly different, and now my dnsmasq doesn't work the way I want it to.

BRIEF SETUP DESCRIPTION --- OLD WAY

All ethernet adapters on my home firewall/internal DHCP/DNS server are static private IPs; the DSL modem has the public IP address.

The machine that runs dnsmasq has a /etc/resolv.conf file that points to itself for name resolution. The real name servers are in a file called /etc/resolv.conf.dnsmasq, and dnsmasq is configured to read this file instead of /etc/resolv.conf. This is so that the server itself resolves names in the same way that the clients do.

BRIEF SETUP --- NEW WAY

The public IP address is acquired by eth0 using a DHCP client on my server (the new modem operates in bridge mode and does not have its own IP). The DHCP client overwrites /etc/resolv.conf, and dnsmasq is set to use that file for upstream name resolution.

---

I want to restore the ability to have the server resolve names the same way the clients do (meaning that the internal domain name can be resolved on the gateway server itself). This is essential for ssh tunneling, etc.

So, as I see it, I can write a dhclient-exit-hooks script (to preserve future upgrade capability) that does the following:

1) copies the new /etc/resolv.conf file to /etc/resolv.conf.dnsmasq
2) copies a static /etc/resolv.conf.perm to /etc/resolv.conf
3) sends dnsmasq a reload/reread config files instruction
4) if needed, reloads other network services that need to be restarted/reconfigured

Is there another/better way to do what I'm trying to do?
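The four steps above, and the earlier question on this page about whether a sleep is needed between replacing the file and using the network, as a dhclient-exit-hooks fragment. This is an added example, not a script from the thread or from dnsmasq: the file names follow the post, while the ETC variable, the dnsmasq pidfile path /var/run/dnsmasq.pid, the swap_resolv_conf/reload_dnsmasq helper names and the use of the reason variable that dhclient-script exports to its hooks are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): dhclient-exit-hooks helper for
# the four steps in the post. Paths are taken relative to $ETC so the logic
# can be exercised against a scratch directory; on a real box ETC=/etc.
ETC="${ETC:-/etc}"

# Steps 1 and 2: if dhclient rewrote resolv.conf, keep that copy as the
# upstream list dnsmasq reads (resolv.conf.dnsmasq) and put the permanent,
# self-referencing resolv.conf.perm back in place.
# Returns 0 if a swap happened, 1 if resolv.conf was already the permanent
# copy (nothing to do, no reload needed), 2 if the permanent copy is missing.
swap_resolv_conf() {
    etc="${1:-$ETC}"
    cur="$etc/resolv.conf"
    perm="$etc/resolv.conf.perm"
    fwd="$etc/resolv.conf.dnsmasq"

    [ -f "$perm" ] || { echo "swap_resolv_conf: missing $perm" >&2; return 2; }

    # resolv.conf still is our permanent copy: dhclient did not touch it.
    if [ -f "$cur" ] && cmp -s "$cur" "$perm"; then
        return 1
    fi

    # Only treat the rewritten file as upstream data if it names a server.
    if [ -f "$cur" ] && grep -q '^nameserver' "$cur"; then
        # Copy then rename so a polling dnsmasq never reads a half-written file.
        cp -f "$cur" "$fwd.tmp" && mv -f "$fwd.tmp" "$fwd"
    fi
    cp -f "$perm" "$cur.tmp" && mv -f "$cur.tmp" "$cur"
    return 0
}

# Step 3: SIGHUP makes dnsmasq re-read its configuration and resolv file.
# Pidfile path is an assumption; adjust to the one your dnsmasq writes.
reload_dnsmasq() {
    pidfile="${1:-/var/run/dnsmasq.pid}"
    [ -r "$pidfile" ] && kill -HUP "$(cat "$pidfile")"
}

# dhclient-script sources this file and exports $reason (BOUND, RENEW, ...).
# Step 4 (other services) would go in the same branch.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if swap_resolv_conf "$ETC"; then
            reload_dnsmasq
        fi
        ;;
esac
```

Because the rename is atomic there is nothing to sleep for on the file side; what a sleep would really be waiting on is dnsmasq noticing the change, which the explicit SIGHUP makes immediate.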