Re: [Dnsmasq-discuss] I cannot receive any dns answers from Dnsmasq

2017-01-19 Thread Stéphane Guedon
The conf' file lacked "bind-interfaces".

Sorry for the inconvenience.

On 19/01/2017 13:17, Stephane Guedon - EN wrote:
> The title says it all. When I make a dig query to dnsmasq, on localhost
> or not, ipv4 or v6, Dnsmasq receives the request, treats it, but I don't
> receive the answer.
> 
> Request :
> 
> stephane@mirror:/home/stephane dig @127.0.0.1 www.facebook.com
> 
> ; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 www.facebook.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> stephane@mirror:/home/stephane
> 
> verbose dnsmasq :
> 
> stephane@mirror:/home/stephane doas dnsmasq -d -R
> dnsmasq: started, version 2.76 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
> DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect
> no-inotify
> dnsmasq-dhcp: DHCP, IP range 10.0.0.20 -- 10.0.255.250, lease time 12h
> dnsmasq-dhcp: DHCPv6 stateless on re2
> dnsmasq-dhcp: DHCPv4-derived IPv6 names on re2
> dnsmasq-dhcp: router advertisement on re2
> dnsmasq-dhcp: DHCPv6 stateless on fd00:2016:22:dec::, constructed for re2
> dnsmasq-dhcp: DHCPv4-derived IPv6 names on fd00:2016:22:dec::,
> constructed for re2
> dnsmasq-dhcp: router advertisement on fd00:2016:22:dec::, constructed
> for re2
> dnsmasq-dhcp: DHCPv6 stateless on 2a06:4000:1576::, constructed for re2
> dnsmasq-dhcp: DHCPv4-derived IPv6 names on 2a06:4000:1576::, constructed
> for re2
> dnsmasq-dhcp: router advertisement on 2a06:4000:1576::, constructed for re2
> dnsmasq-dhcp: RTR-ADVERT(re2) fd00:2016:22:dec::
> dnsmasq-dhcp: RTR-ADVERT(re2) 2a06:4000:1576::
> dnsmasq-dhcp: IPv6 router advertisement enabled
> ...
> dnsmasq: 1 fd00:2016:22:dec::3/26860 /etc/hosts 2a06:4000:1576:: is
> mirror.22decembre.eu
> dnsmasq: 2 2a06:4000:1576::2/46016 query[]
> u38868.mec086b732EDa.sOS.aTLas.RIPE.NEt.22DecEmbre.eU from 2a06:4000:1576::2
> dnsmasq: 2 2a06:4000:1576::2/46016 config
> u38868.mec086b732EDa.sOS.aTLas.RIPE.NEt.22DecEmbre.eU is NXDOMAIN
> dnsmasq: 3 2a06:4000:1576::2/60217 query[DNSKEY] 22dEceMbre.EU from
> 2a06:4000:1576::2
> dnsmasq: 3 2a06:4000:1576::2/60217 config 22dEceMbre.EU is NXDOMAIN
> dnsmasq: 4 127.0.0.1/32500 query[A] www.facebook.com from 127.0.0.1
> dnsmasq: 4 127.0.0.1/32500 forwarded www.facebook.com to fd00:2016:22:dec::3
> dnsmasq: 4 127.0.0.1/32500 reply www.facebook.com is 
> dnsmasq: 4 127.0.0.1/32500 reply star-mini.c10r.facebook.com is
> 157.240.11.35
> 
> This is dnsmasq version 2.76p0 on OpenBSD, but I doubt it is relevant
> (yet, further conf' provided any moment).
> 
> When I start another dns daemon (unbound), I get the answers. I think it
> is not firewall related.
> 
> 
> Any idea ?
> 
> Thank you very much for any help.
> 
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

-- 
This signature.asc file? It's a GPG signature.
If you want to know why I use GPG and why you should too, you can read
my article:
http://www.22decembre.eu/2015/03/21/introduction-fr/





[Dnsmasq-discuss] I cannot receive any dns answers from Dnsmasq

2017-01-19 Thread Stéphane Guedon
The title says it all. When I make a dig query to dnsmasq, on localhost
or not, ipv4 or v6, Dnsmasq receives the request, treats it, but I don't
receive the answer.

Request :

stephane@mirror:/home/stephane dig @127.0.0.1 www.facebook.com

; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 www.facebook.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
stephane@mirror:/home/stephane

verbose dnsmasq :

stephane@mirror:/home/stephane doas dnsmasq -d -R
dnsmasq: started, version 2.76 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect
no-inotify
dnsmasq-dhcp: DHCP, IP range 10.0.0.20 -- 10.0.255.250, lease time 12h
dnsmasq-dhcp: DHCPv6 stateless on re2
dnsmasq-dhcp: DHCPv4-derived IPv6 names on re2
dnsmasq-dhcp: router advertisement on re2
dnsmasq-dhcp: DHCPv6 stateless on fd00:2016:22:dec::, constructed for re2
dnsmasq-dhcp: DHCPv4-derived IPv6 names on fd00:2016:22:dec::,
constructed for re2
dnsmasq-dhcp: router advertisement on fd00:2016:22:dec::, constructed
for re2
dnsmasq-dhcp: DHCPv6 stateless on 2a06:4000:1576::, constructed for re2
dnsmasq-dhcp: DHCPv4-derived IPv6 names on 2a06:4000:1576::, constructed
for re2
dnsmasq-dhcp: router advertisement on 2a06:4000:1576::, constructed for re2
dnsmasq-dhcp: RTR-ADVERT(re2) fd00:2016:22:dec::
dnsmasq-dhcp: RTR-ADVERT(re2) 2a06:4000:1576::
dnsmasq-dhcp: IPv6 router advertisement enabled
...
dnsmasq: 1 fd00:2016:22:dec::3/26860 /etc/hosts 2a06:4000:1576:: is
mirror.22decembre.eu
dnsmasq: 2 2a06:4000:1576::2/46016 query[]
u38868.mec086b732EDa.sOS.aTLas.RIPE.NEt.22DecEmbre.eU from 2a06:4000:1576::2
dnsmasq: 2 2a06:4000:1576::2/46016 config
u38868.mec086b732EDa.sOS.aTLas.RIPE.NEt.22DecEmbre.eU is NXDOMAIN
dnsmasq: 3 2a06:4000:1576::2/60217 query[DNSKEY] 22dEceMbre.EU from
2a06:4000:1576::2
dnsmasq: 3 2a06:4000:1576::2/60217 config 22dEceMbre.EU is NXDOMAIN
dnsmasq: 4 127.0.0.1/32500 query[A] www.facebook.com from 127.0.0.1
dnsmasq: 4 127.0.0.1/32500 forwarded www.facebook.com to fd00:2016:22:dec::3
dnsmasq: 4 127.0.0.1/32500 reply www.facebook.com is 
dnsmasq: 4 127.0.0.1/32500 reply star-mini.c10r.facebook.com is
157.240.11.35

This is dnsmasq version 2.76p0 on OpenBSD, but I doubt it is relevant
(yet, further conf' provided any moment).

When I start another dns daemon (unbound), I get the answers. I think it
is not firewall related.


Any idea ?

Thank you very much for any help.

-- 
The file signature.asc is not attached to be read by you. It's a digital
signature by GPG.
If you want to know why I use it, and why you should as well, you can
read my article there:
http://www.22decembre.eu/2015/03/21/introduction-en/







Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-05 Thread Stéphane Guedon
On Monday 5 October 2015, 12:31:11 Ernst Ahlers wrote:
> > You can have a local zone with local data also in Unbound.
> 
> Sure, but also signed with DNSSEC?
> 
> CU
> 
> ea

That, I don't think so.

If you want to make something sophisticated, why not look at Bind?

It does every possible thing ever!

I should point out that I do not use it.

-- 
The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Stéphane Guedon
On Friday 2 October 2015, 19:34:30 Ernst Ahlers wrote:
> Thanks for chiming in Stephane,
> 
> > Allowing dnsmasq to sign (or give a proof of authenticity) would solve
> > this
> > problem, yet I am sure it is not easy.
> 
> AFAIK there's no provision yet in dnsmasq for keeping signed domains.
> After all it was never intended to be a fully fledged DNS server.
> 
> So the only viable option I see now would be switching to Unbound --
> which AVM is unlikely to do IMHO.
> 
> Have a nice weekend all around!
> 
> Ernst

Unbound is only a resolver.

To replace dhcp and dns on lan, you might need a dhcp+bind with split mode.

Bind would then allow you also to resolve (as it's the all-in-one dns).

-- 
The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/



Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?

2015-10-02 Thread Stéphane Guedon
On Thursday 1 October 2015, 08:57:14 Ernst Ahlers wrote:
> > I guess the logic is that dnsmasq is the authoritative source for
> > that data, so it doesn't need to validate it to know that it's
> > real.
> 
> Right, but obviously the solution is not as simple as setting AD.
> 
> As for the background (sorry, since English is not my native tongue
> I'm having trouble being verbose):
> 
> A lot of people around here (me included) use a well-known router brand
> (Fritz!Boxen) which employs dnsmasq. The manufacturer (AVM) offers a
> free dyndns service (myfritz.net). It not only answers for both
> address types but for IPv6 also allows subdomains for hosts within
> your dyndns domain.
> 
> This is practical for accessing services like IMAP or Webdav(s) from
> anywhere via the same domain name. Now asking the router for a host
> from the local network will return the *external* IPv4 address and
> the global IPv6 address.
> 
> With IPv4 connections from the local network this obviously incurs a
> performance penalty since the packets will have to traverse the
> router's NAT. This might not be an issue with IMAP but definitely
> with NAS access via Webdav(s) or SFTP.
> 
> I submitted the idea of returning local IPv4 addresses for internal
> queries to AVM. Their reply was that this will fail if they'd enable
> DNSSEC for their dyndns service in the future. My knee-jerk reply
> was to let dnsmasq set the AD flag for this kind of query. But as
> per your explanations this is only half a solution.
> 
> Do you think there's any chance to solve this correctly without
> switching from dnsmasq to Unbound or the like?
> 
> Best regards
> 
> Ernst
> 

Allow me to chime in.

The interest is also that a domain is signed and used publicly (www, mx, imap 
with public internet addresses signed...)  but that when you are in your 
network, the local dns (dnsmasq) gives your internal (nat, local) addresses 
instead, which are not signed.

There, you will have conflicts between the two addresses.

Allowing dnsmasq to sign (or give a proof of authenticity) would solve this 
problem, yet I am sure it is not easy.

-- 
The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/



Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-07-19 Thread Stéphane Guedon
On Sunday 14 June 2015 19:44:14, you wrote:
> Hi,
> 
> On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon wrote:
> > On Friday 12 June 2015, 13:16:09 Maciej Soltysiak wrote:
> > > A user on my service, who has dnssec-check-unsigned enabled gets an
> > > unsigned response from a signed zone and the intended reaction of
> > > dnsmasq kicks in.
> > > 
> > > Not a bug then. Is my understanding correct?
> > 
> > As far as I understand, I have the same issue (except that dnsmasq itself
> > is serving the non signed zone and unbound the signed) !
> > 
> > To solve that, I propose to make the unsigned zone on another domain or
> > zone than the signed one.
> > 
> > server.domain.org is signed and the public face of your server.
> > 
> > server.intern.domain.org is unsigned. Your users can then use this
> > address, and the dns can still have different answer depending where
> > they are.
> > 
> > Do you understand me ?
> > 
> > Do you think it is a good idea ? (I am thinking of using it for my case).
> 
> Yes, I understand, I think it would work and it's a clever workaround for
> the issue, however in my case it does not help to maintain the end goal
> which was to provide authenticated response to that domain so that it is
> always trustworthy.
> 
> That actually is becoming a DNSSEC question. Is there a way to provide
> split-horizon answers on signed zones? Can one name have 2 different valid
> answers and RRSIGs? perhaps if the signature could be for a name/ttl pair,
> not just the name and have different ttls on those names? Dunno.
> 
> Perhaps me trying to use dns records to test whether the responses are
> coming over dnscrypt or not is flawed in nature.
> 
> Thanks anyway,
> Maciej

Actually, it works at first glance (basic resolution and connectivity works), 
but it fails fast : when you have to work on your website that is hosted on 
your home server, nothing works anymore !

So I am returning to my previous setup before wondering what I should do.

I am going to write an article about this and all the workarounds that have 
been tried. Maybe it will then give me an idea on the solution.

-- 
The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/



Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-06-14 Thread Stéphane Guedon
On Friday 12 June 2015, 13:16:09 Maciej Soltysiak wrote:
> I think I have discovered what the problem is and it's unlikely to be
> dnsmasq.
> 
> What I do is that I have a setup which is basically a split horizon:
> - users who are not on the service get A record for using.dnscrypt from a
> DNSSEC signed zone
> - users who are on the service get *a different* A record for
> using.dnscrypt.pl from unbound, without sigs!
> 
> A user on my service, who has dnssec-check-unsigned enabled gets an
> unsigned response from a signed zone and the intended reaction of dnsmasq
> kicks in.
> 
> Not a bug then. Is my understanding correct?

As far as I understand, I have the same issue (except that dnsmasq itself is 
serving the non signed zone and unbound the signed) !

To solve that, I propose to make the unsigned zone on another domain or zone 
than the signed one.

server.domain.org is signed and the public face of your server.

server.intern.domain.org is unsigned. Your users can then use this address, 
and the dns can still have different answer depending where they are.

Do you understand me ?

Do you think it is a good idea ? (I am thinking of using it for my case).

> 
> Best regards,
> Maciej
> 
> On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak wrote:
> > Hi,
> > 
> > One of my users raised an issue that using.dnscrypt.pl does not resolve
> > when dnssec-check-unsigned is turned on.
> > I replicated the issue with most recent openwrt Chaos Calmer package:
> > dnsmasq-full.
> > 
> > When dnssec and trust anchor are set and dnssec-check-unsigned is as well,
> > dnsmasq says BOGUS DS:
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> > using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> > using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> > using.dnscrypt.pl from 192.168.1.206
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A]
> > using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS]
> > using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> > using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation
> > using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply
> > using.dnscrypt.pl is 178.62.233.48
> > 
> > Verisign dnssec check are ok:
> > http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
> > 
> > Oddly, dnscrypt.pl resolves fine. It also works fine if
> > dnssec-check-unsigned is turned off.
> > 
> > Not sure if rc10 fixes it, it's not in openwrt repo yet.
> > Any ideas?
> > 
> > Best regards,
> > Maciej Soltysiak
> > DNSCrypt Poland
> > https://dnscrypt.pl

-- 
This signature.asc file? It's a GPG signature.
If you want to know why I use GPG and why you should too, you can read
my article:

http://www.22decembre.eu/2015/03/21/introduction-fr/
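
The pattern in the log quoted in this message (a `validation ... is BOGUS` line next to a data reply for the same name) can be pulled out of a `log-queries` capture mechanically. The following is an added example, not code from the thread or from dnsmasq; the line format is taken from the quoted log, while the `www.example.org` lines, their `SECURE` status and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# The using.dnscrypt.pl lines are taken from the log quoted in the thread
# (re-joined onto single lines). The www.example.org lines are constructed
# for contrast and assume the same "validation <name> is <status>" shape.
SAMPLE_LOG = """\
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: query[A] WWW.Example.ORG from 192.168.1.206
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: forwarded www.example.org to 127.0.0.1
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: validation www.example.org is SECURE
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: reply www.example.org is 192.0.2.10
"""

# Everything after the "dnsmasq[pid]:" tag is the message we classify.
MSG = re.compile(r"dnsmasq\[\d+\]:\s+(.*)$")
QUERY = re.compile(r"query\[([^\]]*)\] (\S+) from (\S+)")
UPSTREAM = re.compile(r"(?:forwarded|dnssec-query\[[^\]]*\]) (\S+) to (\S+)")
VALIDATION = re.compile(r"validation (\S+) is (\S+)")
REPLY = re.compile(r"reply (\S+) is (.+)")
DNSSEC_STATUSES = {"BOGUS", "SECURE", "INSECURE"}


def summarise(log_text):
    """Group log-queries lines by queried name.

    Names are lower-cased because DNS names are case-insensitive and clients
    may randomise case (as the mixed-case names in other logs here show).
    """
    names = defaultdict(lambda: {"clients": set(), "upstreams": set(),
                                 "validation": set(), "dnssec_replies": set(),
                                 "answers": set()})
    for line in log_text.splitlines():
        found = MSG.search(line)
        if not found:
            continue  # not a dnsmasq line
        msg = found.group(1).strip()
        if (m := QUERY.fullmatch(msg)):
            names[m.group(2).lower()]["clients"].add(m.group(3))
        elif (m := UPSTREAM.fullmatch(msg)):
            names[m.group(1).lower()]["upstreams"].add(m.group(2))
        elif (m := VALIDATION.fullmatch(msg)):
            names[m.group(1).lower()]["validation"].add(m.group(2))
        elif (m := REPLY.fullmatch(msg)):
            value = m.group(2).strip()
            entry = names[m.group(1).lower()]
            # "reply <name> is BOGUS DS" reports a DNSSEC status, not data.
            if value.split()[0] in DNSSEC_STATUSES:
                entry["dnssec_replies"].add(value)
            else:
                entry["answers"].add(value)
    return dict(names)


def bogus_names(summary):
    """Names logged with a BOGUS validation, with the upstreams that were
    asked and the data that came back, so the resolver handing out the
    unsigned answer can be identified."""
    return [(name, sorted(info["upstreams"]), sorted(info["answers"]))
            for name, info in sorted(summary.items())
            if "BOGUS" in info["validation"]]


if __name__ == "__main__":
    for name, upstreams, answers in bogus_names(summarise(SAMPLE_LOG)):
        print(f"{name}: BOGUS via {', '.join(upstreams)}; data seen: {', '.join(answers)}")
```
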



Re: [Dnsmasq-discuss] IPv6 dhcp/ra-issue

2014-04-21 Thread Stéphane Guedon
On Monday 21 April 2014, 15:50:04 Timo Buhrmester wrote:
> > inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid
> > 0x20
> 
> This is the link-local address, established by stateless
> autoconfiguration.
> > inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64 
> > scopeid
> 
> This is the /64 your ISP assigned you.
> 
> > If I understand right, I've got an IPv6-subnet with the ability of
> > ~250 clients (Telekom Germany), directly addressable from
> > internet.
> Looks like you got a /64, therefore there's slightly more than 250
> addresses ;).

network /64 is the minimum. so yes, millions of addresses available !

> > Imho the fe80.. number is the *router*-ipv6-address, the 2003:...
> > the *host* ipv6-address. Now my clients should also get an
> > ipv6-router *and* -host address. Is this right?

fe80:: addresses are local addresses, non-routable.

> 
> As per the above (though I'm not quite sure what you mean by
> router/host addresses), this doesn't sound right.
> > My dnsmasq.conf (stripped):
> Unfortunately I can't help you on the dnsmasq specifics for I'm
> rather new to it, however I just felt like clarifying these IPv6
> specifics.

I wanted myself to improve Timo's answer.

> 
> 
> Best Regards,
> 
> Timo
> 


Re: [Dnsmasq-discuss] IPv6 dhcp/ra-issue

2014-04-21 Thread Stéphane Guedon
On Monday 21 April 2014, 15:28:30 Oliver Rath wrote:
> Hi list,
> 
> I'm trying to give my network-computers IPv6-Addresses constructed
> from ppp0. In my config I get from my provider i.e. these (dynamic)
> IPv4 and IPv6-addresses:
> 
> # ifconfig ppp0
> ppp0: flags=4305  mtu 1492
> inet 80.137.126.83  netmask 255.255.255.255  destination
> 87.186.224.66
> inet6 fe80::43c:5b54:cea:b7ea  prefixlen 10  scopeid
> 0x20 inet6 2003:62:487f:b168:43c:5b54:cea:b7ea  prefixlen 64 
> scopeid 0x0
> ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
> RX packets 2546359  bytes 3258224683 (3.0 GiB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 1550070  bytes 133189854 (127.0 MiB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> One of my additional interfaces has this address:
> # ifconfig p3p1
> p3p1: flags=4163  mtu 1500
> inet 192.168.2.254  netmask 255.255.255.0  broadcast
> 192.168.2.255 inet6 fe80::210:f3ff:fe07:f7bf  prefixlen 64  scopeid
> 0x20 ether 00:10:f3:07:f7:bf  txqueuelen 1000  (Ethernet) RX
> packets 2806761  bytes 3337921408 (3.1 GiB)
> RX errors 0  dropped 0  overruns 0  frame 0
> TX packets 1832066  bytes 326375284 (311.2 MiB)
> TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> 
> 
> If I understand right, I've got an IPv6-subnet with the ability of
> ~250 clients (Telekom Germany), directly addressable from internet.
> Now I want to configure dnsmasq in a way, that the clients get
> IPv4- (works, internal only) and IPv6-addresses in a from internet
> addressable way.
> 
> Imho the fe80.. number is the *router*-ipv6-address, the 2003:...
> the *host* ipv6-address. Now my clients should also get an
> ipv6-router *and* -host address. Is this right?
> 
> My dnsmasq.conf (stripped):
> 
> except-interface=ppp0
> dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
> dhcp-range=tag:gw2,::,constructor:ppp0
> ddhcp-option=tag:gw2,128,192.168.2.254
> enable-ra
> dhcp-option=mtu,1492
> dhcp-option=option6:dns-server,[::]
> dhcp-option=252,"http://heimserver/wpad.dat";
> log-queries
> log-dhcp
> 
> Now I would assume, that my clientpc (p3p1 is bridged with wlan-ap)
> would get an fe80:.. and another, from internet routable address.
> While my card has the mac-address 00:21:6a:37:3f:72, I would assume
> getting an IPv6 address like 2003:62:487f:b168:0021:6aFF:FE373f:72,
> but he doesn't:
> 
> wlan0 on my client-pc:
> 
> # ifconfig wlan0
> wlan0 Link encap:Ethernet  Hardware Adresse 00:21:6a:37:3f:72
>   inet Adresse:192.168.2.100  Bcast:192.168.2.255
> Maske:255.255.255.0
>   inet6-Adresse: fe80::221:6aff:fe37:3f72/64
> Gültigkeitsbereich:Verbindung
>   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
>   RX-Pakete:2981577 Fehler:0 Verloren:0 Überläufe:0
> Fenster:0 TX-Pakete:2979080 Fehler:0 Verloren:0 Überläufe:0
> Träger:0 Kollisionen:0 Sendewarteschlangenlänge:1000
>   RX-Bytes:3059635559 (3.0 GB)  TX-Bytes:2883630423 (2.8 GB)
> 
> 
> Here /var/log/syslog on my client (sorry for the german parts):
> 
> Apr 21 14:57:29 hp dhclient: DHCPREQUEST of 192.168.2.100 on wlan0
> to 255.255.255.255 port 67 (xid=0x48327e63)
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from
> 192.168.2.254 Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100
> -- renewal in 21016 seconds.
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from
> 192.168.2.254 Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100
> -- renewal in 21016 seconds.
> Apr 21 14:57:29 hp NetworkManager[827]:  (wlan0): DHCPv4 state
> changed preinit -> reboot
> Apr 21 14:57:29 hp NetworkManager[827]:address
> 192.168.2.100 Apr 21 14:57:29 hp NetworkManager[827]:   
> prefix 24 (255.255.255.0) Apr 21 14:57:29 hp NetworkManager[827]:
>gateway 192.168.2.254 Apr 21 14:57:29 hp
> NetworkManager[827]:hostname 'hp' Apr 21 14:57:29 hp
> NetworkManager[827]:nameserver '192.168.2.254' Apr 21
> 14:57:29 hp NetworkManager[827]:  Activation (wlan0) Stage 5
> of 5 (IPv4 Configure Commit) scheduled...
> Apr 21 14:57:29 hp NetworkManager[827]:  Activation (wlan0)
> Stage 5 of 5 (IPv4 Commit) started...
> Apr 21 14:57:29 hp avahi-daemon[801]: Joining mDNS multicast group
> on interface wlan0.IPv4 with address 192.168.2.100.
> Apr 21 14:57:29 hp avahi-daemon[801]: New relevant interface
> wlan0.IPv4 for mDNS.
> Apr 21 14:57:29 hp avahi-daemon[801]: Registering new address record
> for 192.168.2.100 on wlan0.IPv4.
> Apr 21 14:57:30 hp NetworkManager[827]:  (wlan0): device state
> change: ip-config -> secondaries (reason 'none') [70 90 0] Apr 21
> 14:57:30 hp NetworkManager[827]:  Activation (wlan0) Stage 5
> of 5 (IPv4 Commit) complete.
> Apr 21 14:57:30 hp NetworkManager[827]:  (wlan0): device state
> change: secondaries -> activated (reason 'none') [90 100 0] Apr 21
> 14:57:30 hp NetworkManager[827]:  NetworkManager state is now
> CONNECTED_GLOBAL
> Apr 21 14:57:30 hp 

[Dnsmasq-discuss] local dns setup

2014-04-14 Thread Stéphane Guedon
Hello

I have written a huge tutorial/article on my blog, and dnsmasq is one 
of the main topics.

You may find it here :

http://www.22decembre.eu/2014/04/14/local-dns-setup-with-dnsmasq-nsd-and-unbound/

Feel free to use, inspire yourself or criticize.



[Dnsmasq-discuss] dhcpv6 and RA

2014-04-11 Thread Stéphane Guedon
Hello

I want to make ipv6 work on dhcp in the network, to make possible 
addressing with hostnames. I have seen it works well with some of the 
lan hosts (these hosts get ipv6 and are registered in the local 
domain).

But one of my clients doesn't behave correctly :

no hostname is registered
after some time, the default ipv6 route disappears (the networking 
process disables accept_ra in the kernel, which erases the route).

This host is a debian jessie/testing. When I ask him to make its 
address with "auto", default route stays :

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
iface eth0 inet6 auto

When I ask dhcp, default route is erased 15 minutes after boot like 
said above.

My question is : is it related to dnsmasq ? maybe I placed a wrong 
option which tells dhcpv6 clients to disable router adv accepting ?

Here is my config related to the topic :

interface=re0
dhcp-range=192.168.87.50,192.168.87.200,255.255.255.0,12h
dhcp-range=2001:16d8:dd00:8207::100, 2001:16d8:dd00:8207::8000,ra-names
enable-ra
dhcp-option=option:router,192.168.87.1
dhcp-option=option:ntp-server,0.0.0.0
dhcp-option=option:dns-server,192.168.87.3,192.168.87.5,208.67.222.222
dhcp-option=option:domain-search,22decembre.eu

dhcp-option=option6:dns-server,[::],[2620:0:ccd::2]
dhcp-option=option6:ntp-server,[::]
dhcp-option=option6:domain-search,22decembre.eu
dhcp-authoritative

Thanks for any help on the topic.



Re: [Dnsmasq-discuss] Announce: dnsmasq-2.69

2014-04-11 Thread Stéphane Guedon
On Wednesday 9 April 2014, 21:13:33 Simon Kelley wrote:
> Dnsmasq-2.69 is here.
> 
> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz
> 
> and (new) a signature
> 
> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.69.tar.gz.sign
> 
> 
> Many thanks to all who've contributed this major milestone. Most are
> mentioned in the CHANGELOG, but it's also necessary to thank Evan
> Hunt, Dave Taht, Giovanni Bajo and Comcast.
> 
> Release notes below.
> 
> Cheers,
> 
> Simon.
> 
> 
> --
> 
> version 2.69
> Implement dynamic interface discovery on *BSD. This
> allows the constructor: syntax to be used in dhcp-range for DHCPv6
> on the BSD platform. Thanks to Matthias Andree for valuable
> research on how to implement this.
> 
> Fix infinite loop associated with some --bogus-nxdomain
> configs. Thanks fogobogo for the bug report.
> 
> Fix missing RA RDNS option with configuration like
> --dhcp-option=option6:23,[::] Thanks to Tsachi
> Kimeldorfer for spotting the problem.
> 
> Add [fd00::] and [fe80::] as special addresses in DHCPv6
> options, analogous to [::]. [fd00::] is replaced with the actual
> ULA of the interface on the machine running dnsmasq, [fe80::] with
> the link-local address. Thanks to Tsachi Kimeldorfer for
> championing this.
> 
> DNSSEC validation and caching. Dnsmasq needs to be
> compiled with this enabled, with
> 
> make dnsmasq COPTS=-DHAVE_DNSSEC
> 
> this adds dependencies on the nettle crypto library and
> the gmp maths library. It's possible to have these linked
> statically with
> 
> make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
> 
> which bloats the dnsmasq binary, but saves the size of
> the shared libraries which are much bigger.
> 
> To enable DNSSEC, you will need a set of
> trust-anchors. Now that the TLDs are signed, this can be
> the keys for the root zone, and for convenience they are included
> in trust-anchors.conf in the dnsmasq
> distribution. You should of course check that these are
> legitimate and up-to-date. So, adding
> 
> conf-file=/path/to/trust-anchors.conf
> dnssec
> 
> to your config is all that's needed to get things
> working. The upstream nameservers have to be
> DNSSEC-capable too, of course. Many ISP nameservers aren't, but the
> Google public nameservers (8.8.8.8 and 8.8.4.4) are. When DNSSEC is
> configured, dnsmasq validates any queries for domains which are
> signed. Query results which are bogus are replaced with SERVFAIL
> replies, and results which are correctly signed have the AD bit
> set. In addition, and just as importantly, dnsmasq supplies correct
> DNSSEC information to clients which are doing their own validation,
> and caches DNSKEY, DS and RRSIG records, which significantly
> improve the performance of downstream validators. Setting
> --log-queries will show DNSSEC in action.
> 
> If a domain is returned from an upstream nameserver
> without DNSSEC signature, dnsmasq by default trusts this. This
> means that for unsigned zones (still the majority) there is
> effectively no cost for having DNSSEC enabled. Of course this
> allows an attacker to replace a signed record with a false unsigned
> record. This is addressed by the --dnssec-check-unsigned flag,
> which instructs dnsmasq to prove that an unsigned record is
> legitimate, by finding a secure proof that the zone containing the
> record is not signed. Doing this has costs (typically one or two
> extra upstream queries). It also has a nasty failure mode if
> dnsmasq's upstream nameservers are not DNSSEC capable. Without
> --dnssec-check-unsigned using such an upstream server will simply
> result in no queries being validated; with --dnssec-check-unsigned
> enabled and a DNSSEC-ignorant upstream server, _all_ queries will
> fail.
> 
> Note that DNSSEC requires that the local time is valid
> and accurate, if not then DNSSEC validation will fail. NTP should
> be running. This presents a problem for routers without a
> battery-backed clock. To set the time needs NTP to do DNS lookups,
> but lookups will fail until NTP has run. To address this, there's a
> flag, --dnssec-no-timecheck which disables the time checks (only)
> in DNSSEC. When dnsmasq is started and the clock is not synced,
> this flag should be used. As soon as the clock is synced, SIGHUP
> dnsmasq.  The SIGHUP clears the cache of partially-validated data
> and resets the no-timecheck flag, so that all DNSSEC checks
> henceforward will be complete.
> 
> The development of DNSSEC in dnsmasq was started by
> Giovanni Bajo, to whom huge thanks are owed. It has been
> supported by Comcast, whose techfund grant has allowed for an
> invaluable period
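
The DNSSEC options described in the release notes quoted above interact in ways that are easy to get wrong, so here is an added example (not part of the original message and not dnsmasq code): a small Python audit of a config file's DNSSEC settings. The sample config is constructed, and recognising trust anchors by a `trust-anchor=` line or by a `conf-file` whose name contains `trust-anchors` is an assumption of this sketch.

```python
# Constructed sample config (not from the thread): DNSSEC on, anchors loaded,
# time checks disabled for boot, no proof required for unsigned answers.
SAMPLE_CONF = """\
# /etc/dnsmasq.conf (constructed example)
conf-file=/path/to/trust-anchors.conf
dnssec
dnssec-no-timecheck
server=8.8.8.8
"""

def parse_options(text):
    """Return {option: [values]} for a dnsmasq config, ignoring comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        # Accept both "dnssec" (config file) and "--dnssec" (command line).
        opts.setdefault(key.strip().lstrip("-"), []).append(value.strip())
    return opts

def audit_dnssec(text):
    """Return a list of (level, message) findings about the DNSSEC setup."""
    opts = parse_options(text)
    if "dnssec" not in opts:
        return [("info", "dnssec not set: no validation is performed")]
    findings = []
    # Assumption: anchors come from trust-anchor= lines or an included file
    # whose name contains "trust-anchors" (as in the dnsmasq distribution).
    anchors = "trust-anchor" in opts or any(
        "trust-anchors" in v for v in opts.get("conf-file", []))
    if not anchors:
        findings.append(("error", "dnssec set but no trust anchors loaded"))
    if "dnssec-check-unsigned" not in opts:
        findings.append(("warn", "unsigned answers are trusted without proof; "
                         "a signed record can be replaced by an unsigned one"))
    else:
        findings.append(("warn", "dnssec-check-unsigned: every query fails if "
                         "the upstream servers are not DNSSEC-capable"))
    if "dnssec-no-timecheck" in opts:
        findings.append(("warn", "time checks disabled: send SIGHUP once the "
                         "clock is synced to restore full validation"))
    return findings

if __name__ == "__main__":
    for level, msg in audit_dnssec(SAMPLE_CONF):
        print(f"{level.upper():5} {msg}")
```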

Re: [Dnsmasq-discuss] dnsmasq doesn't send RA

2014-03-27 Thread Stéphane Guedon
On Thursday 27 March 2014, 10:30:30, John Gorkos wrote:
> This sounds remarkably similar to the problem I described here:
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007810.html
> Mine is on a Debian system, but the symptoms are the same.
> 
> I never did find a solution.  I simply run radvd in parallel with
> dnsmasq.
> John Gorkos
> 

The good thing with dnsmasq is that it can replace four pieces of software
(dhcp4 and 6, dns, ra) at once, with simple conf coordinated together.

But you don't have dnssec validation, nor nat64 (that's fine if
everything else works, you can wait for the function to be
mature).

If you can't do ra again and serve the corresponding ipv6 names, that
begins to be really annoying...

If I need to run radvd separately, I think I am going to switch back
to dhcp and unbound (which are already setup).

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dnsmasq doesn't send RA

2014-03-27 Thread Stéphane Guedon
On Thursday 27 March 2014, 12:52:47, Albert ARIBAUD wrote:
> On 27/03/2014 12:30, Stéphane Guedon wrote:
> > On Thursday 27 March 2014, 12:26:22, Albert ARIBAUD wrote:
> >> On 27/03/2014 09:58, Stéphane Guedon wrote:
> >>> Hello
> >>> 
> >>> I would like to use dnsmasq to replace radvd and serve dns ipv6
> >>> queries on lan.
> >>> 
> >>> But as I setup the daemon, it doesn't seem to send ra and none of
> >>> my network hosts receive ra.
> >>> 
> >>> #
> >>> 
> >>> I am using this version :
> >>> Dnsmasq version 2.69rc1-6-g4e1fe44  Copyright (c) 2000-2014 Simon Kelley
> >>> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
> >>> DHCPv6 no-Lua TFTP no-conntrack no-ipset auth no-DNSSEC
> >>> 
> >>> #
> >>> 
> >>> I am on openbsd. Here is my network :
> >>> 
> >>> re0: flags=8843 mtu 1500
> >>>   lladdr bc:5f:f4:73:a7:e0
> >>>   priority: 0
> >>>   groups: egress
> >>>   media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
> >>>   status: active
> >>>   inet6 fe80::be5f:f4ff:fe73:a7e0%re0 prefixlen 64 scopeid 0x1
> >>>   inet6 2001:16d8:dd00:8207::2 prefixlen 64
> >>>   inet6 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0 prefixlen 64
> >>>   inet6 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0 prefixlen 64
> >>>   inet 192.168.87.2 netmask 0xff00 broadcast 192.168.87.255
> >>>   inet6 2001:16d8:dd00:8207::3 prefixlen 64
> >>> tun0: flags=8051 mtu 1280
> >>>   priority: 0
> >>>   groups: tun egress
> >>>   status: active
> >>>   inet6 fe80::be5f:f4ff:fe73:a7e0%tun0 ->  prefixlen 64 scopeid 0x5
> >>>   inet6 fe80::14d8:dd00:207:2%tun0 ->  prefixlen 64 scopeid 0x5
> >>>   inet6 2001:16d8:dd00:207::2 -> 2001:16d8:dd00:207::1 prefixlen 128
> >>> 
> >>> ##
> >>> 
> >>> I use the address 192.168.87.3 and ipv6::3 for private purpose. I
> >>> have another nameserver (authoritative for my public domain
> >>> 22decembre.eu) listening on the public address. Both nameservers
> >>> are running fine, totally ignoring each other and answering
> >>> requests on their respective address.
> >>> 
> >>> Here is the config (I suppress most of the comments to make it
> >>> shorter)
> >>> 
> >>> 
> >>> ###
> >>> 
> >>> domain-needed
> >>> bogus-priv
> >>> 
> >>> local=/22decembre.eu/
> >>> listen-address=2001:16d8:dd00:8207::3
> >>> listen-address=::1
> >>> listen-address=127.0.0.1
> >>> listen-address=192.168.87.3
> >>> 
> >>> expand-hosts
> >>> domain=22decembre.eu
> >>> 
> >>> dhcp-range=192.168.87.50,192.168.87.200,255.255.255.0,12h
> >>> dhcp-range=192.168.87.0,static
> >>> 
> >>> 
> >>> # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
> >>> # so that clients can use SLAAC addresses as well as DHCP ones.
> >>> 
> >>> dhcp-range=2001:16d8:dd00:8207::100, 2001:16d8:dd00:8207::8000, slaac,ra-names
> >>> enable-ra
> >>> 
> >>> dhcp-host=00:23:8b:75:2e:ce,luciole,192.168.87.20
> >>> dhcp-host=00:24:2b:72:d1:df,luciole-wifi,192.168.87.21
> >>> 
> >>> dhcp-option=option:router,192.168.87.1
> >>> dhcp-option=option:ntp-server,0.0.0.0
> >>> dhcp-option=option:dns-server,192.168.87.3,208.67.222.222
> >>> 
> >>> dhcp-option=option6:dns-server,[2001:16d8:dd00:8207::3],2620:0:c
> 

Re: [Dnsmasq-discuss] dnsmasq doesn't send RA

2014-03-27 Thread Stéphane Guedon
On Thursday 27 March 2014, 12:26:22, Albert ARIBAUD wrote:
> On 27/03/2014 09:58, Stéphane Guedon wrote:
> > Hello
> > 
> > I would like to use dnsmasq to replace radvd and serve dns ipv6
> > queries on lan.
> > 
> > But as I setup the daemon, it doesn't seem to send ra and none of
> > my network hosts receive ra.
> > 
> > #
> > 
> > I am using this version :
> > Dnsmasq version 2.69rc1-6-g4e1fe44  Copyright (c) 2000-2014 Simon Kelley
> > Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
> > DHCPv6 no-Lua TFTP no-conntrack no-ipset auth no-DNSSEC
> > 
> > #
> > 
> > I am on openbsd. Here is my network :
> > 
> > re0: flags=8843 mtu 1500
> >  lladdr bc:5f:f4:73:a7:e0
> >  priority: 0
> >  groups: egress
> >  media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
> >  status: active
> >  inet6 fe80::be5f:f4ff:fe73:a7e0%re0 prefixlen 64 scopeid 0x1
> >  inet6 2001:16d8:dd00:8207::2 prefixlen 64
> >  inet6 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0 prefixlen 64
> >  inet6 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0 prefixlen 64
> >  inet 192.168.87.2 netmask 0xff00 broadcast 192.168.87.255
> >  inet6 2001:16d8:dd00:8207::3 prefixlen 64
> > tun0: flags=8051 mtu 1280
> >  priority: 0
> >  groups: tun egress
> >  status: active
> >  inet6 fe80::be5f:f4ff:fe73:a7e0%tun0 ->  prefixlen 64 scopeid 0x5
> >  inet6 fe80::14d8:dd00:207:2%tun0 ->  prefixlen 64 scopeid 0x5
> >  inet6 2001:16d8:dd00:207::2 -> 2001:16d8:dd00:207::1 prefixlen 128
> > 
> > ##
> > 
> > I use the address 192.168.87.3 and ipv6::3 for private purpose. I
> > have another nameserver (authoritative for my public domain
> > 22decembre.eu) listening on the public address. Both nameservers
> > are running fine, totally ignoring each other and answering
> > requests on their respective address.
> > 
> > Here is the config (I suppress most of the comments to make it
> > shorter)
> > 
> > 
> > ###
> > 
> > domain-needed
> > bogus-priv
> > 
> > local=/22decembre.eu/
> > listen-address=2001:16d8:dd00:8207::3
> > listen-address=::1
> > listen-address=127.0.0.1
> > listen-address=192.168.87.3
> > 
> > expand-hosts
> > domain=22decembre.eu
> > 
> > dhcp-range=192.168.87.50,192.168.87.200,255.255.255.0,12h
> > dhcp-range=192.168.87.0,static
> > 
> > 
> > # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
> > # so that clients can use SLAAC addresses as well as DHCP ones.
> > 
> > dhcp-range=2001:16d8:dd00:8207::100, 2001:16d8:dd00:8207::8000, slaac,ra-names
> > enable-ra
> > 
> > dhcp-host=00:23:8b:75:2e:ce,luciole,192.168.87.20
> > dhcp-host=00:24:2b:72:d1:df,luciole-wifi,192.168.87.21
> > 
> > dhcp-option=option:router,192.168.87.1
> > dhcp-option=option:ntp-server,0.0.0.0
> > dhcp-option=option:dns-server,192.168.87.3,208.67.222.222
> > 
> > dhcp-option=option6:dns-server,[2001:16d8:dd00:8207::3],2620:0:ccd::2
> > dhcp-option=option6:ntp-server,[::]
> > 
> > dhcp-authoritative
> > 
> > # Set the cachesize here.
> > cache-size=250
> > 
> > cname=www,blackblock
> > cname=biblib,blackblock
> > cname=photos,blackblock
> > 
> > log-dhcp
> > 
> > #
> > 
> > thanks in advance for any help.
> 
> Hi Stéphane,
> 
> What does the log say?
> 
> Kind regards,

Here is everything I read from dnsmasq :
Mar 27 09:14:42 blackblock dnsmasq[29557]: started, version 2.69rc1-6-g4e1fe44 cachesize 250
Mar 27 09:14:42 blackblock dnsmasq[29557]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth no-DNSSEC
Mar 27 09:14:42 blackblock dnsmasq[29557]: setting --bind-interfaces option because of OS limitations
Mar 27 09:14:42 blackblock dnsmasq-dhcp[29557]: DHCP, static leases only on 192.168.87.0, lease time 1h
Mar 27 09:14:42 blackblock dnsmasq-dhcp[29557]: DHCP, IP range 192.168.87.50 -- 192.168.87.200, lease time 12h
Mar 27 09:14:42 blackblock dnsmasq-dhcp[29557]: DHCPv6, IP range 2001:16d

[Dnsmasq-discuss] dnsmasq doesn't send RA

2014-03-27 Thread Stéphane Guedon
Hello

I would like to use dnsmasq to replace radvd and serve dns ipv6 
queries on lan.

But as I setup the daemon, it doesn't seem to send ra and none of my 
network hosts receive ra.

#

I am using this version :
Dnsmasq version 2.69rc1-6-g4e1fe44  Copyright (c) 2000-2014 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP
DHCPv6 no-Lua TFTP no-conntrack no-ipset auth no-DNSSEC

#

I am on openbsd. Here is my network :

re0: flags=8843 mtu 1500
        lladdr bc:5f:f4:73:a7:e0
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::be5f:f4ff:fe73:a7e0%re0 prefixlen 64 scopeid 0x1
        inet6 2001:16d8:dd00:8207::2 prefixlen 64
        inet6 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0 prefixlen 64
        inet6 2001:16d8:dd00:8207:be5f:f4ff:fe73:a7e0 prefixlen 64
        inet 192.168.87.2 netmask 0xff00 broadcast 192.168.87.255
        inet6 2001:16d8:dd00:8207::3 prefixlen 64
tun0: flags=8051 mtu 1280
        priority: 0
        groups: tun egress
        status: active
        inet6 fe80::be5f:f4ff:fe73:a7e0%tun0 ->  prefixlen 64 scopeid 0x5
        inet6 fe80::14d8:dd00:207:2%tun0 ->  prefixlen 64 scopeid 0x5
        inet6 2001:16d8:dd00:207::2 -> 2001:16d8:dd00:207::1 prefixlen 128

##

I use the address 192.168.87.3 and ipv6::3 for private purpose. I have
another nameserver (authoritative for my public domain 22decembre.eu)
listening on the public address. Both nameservers are running fine,
totally ignoring each other and answering requests on their respective
address.

Here is the config (I suppress most of the comments to make it shorter):

###

domain-needed
bogus-priv

local=/22decembre.eu/
listen-address=2001:16d8:dd00:8207::3
listen-address=::1
listen-address=127.0.0.1
listen-address=192.168.87.3

expand-hosts
domain=22decembre.eu

dhcp-range=192.168.87.50,192.168.87.200,255.255.255.0,12h
dhcp-range=192.168.87.0,static


# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
# so that clients can use SLAAC addresses as well as DHCP ones.

dhcp-range=2001:16d8:dd00:8207::100, 2001:16d8:dd00:8207::8000, slaac,ra-names
enable-ra

dhcp-host=00:23:8b:75:2e:ce,luciole,192.168.87.20
dhcp-host=00:24:2b:72:d1:df,luciole-wifi,192.168.87.21

dhcp-option=option:router,192.168.87.1
dhcp-option=option:ntp-server,0.0.0.0
dhcp-option=option:dns-server,192.168.87.3,208.67.222.222

dhcp-option=option6:dns-server,[2001:16d8:dd00:8207::3],2620:0:ccd::2
dhcp-option=option6:ntp-server,[::]

dhcp-authoritative

# Set the cachesize here.
cache-size=250

cname=www,blackblock
cname=biblib,blackblock
cname=photos,blackblock

log-dhcp

#

thanks in advance for any help.


