Re: [Dnsmasq-discuss] I cannot receive any dns answers from Dnsmasq
The conf' file lacked "bind-interfaces". Sorry for the inconvenience.

On 19/01/2017 13:17, Stephane Guedon - EN wrote:
> The title says it all. When I make a dig query to dnsmasq, on localhost or not, ipv4 or v6, Dnsmasq receives the request, treats it, but I don't receive the answer.
>
> Request :
>
> stephane@mirror:/home/stephane dig @127.0.0.1 www.facebook.com
>
> ; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 www.facebook.com
> ; (1 server found)
> ;; global options: printcmd
> ;; connection timed out; no servers could be reached
> stephane@mirror:/home/stephane
>
> verbose dnsmasq :
>
> stephane@mirror:/home/stephane doas dnsmasq -d -R
> dnsmasq: started, version 2.76 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect no-inotify
> dnsmasq-dhcp: DHCP, IP range 10.0.0.20 -- 10.0.255.250, lease time 12h
> dnsmasq-dhcp: DHCPv6 stateless on re2
> dnsmasq-dhcp: DHCPv4-derived IPv6 names on re2
> dnsmasq-dhcp: router advertisement on re2
> dnsmasq-dhcp: DHCPv6 stateless on fd00:2016:22:dec::, constructed for re2
> dnsmasq-dhcp: DHCPv4-derived IPv6 names on fd00:2016:22:dec::, constructed for re2
> dnsmasq-dhcp: router advertisement on fd00:2016:22:dec::, constructed for re2
> dnsmasq-dhcp: DHCPv6 stateless on 2a06:4000:1576::, constructed for re2
> dnsmasq-dhcp: DHCPv4-derived IPv6 names on 2a06:4000:1576::, constructed for re2
> dnsmasq-dhcp: router advertisement on 2a06:4000:1576::, constructed for re2
> dnsmasq-dhcp: RTR-ADVERT(re2) fd00:2016:22:dec::
> dnsmasq-dhcp: RTR-ADVERT(re2) 2a06:4000:1576::
> dnsmasq-dhcp: IPv6 router advertisement enabled
> ...
> dnsmasq: 1 fd00:2016:22:dec::3/26860 /etc/hosts 2a06:4000:1576:: is mirror.22decembre.eu
> dnsmasq: 2 2a06:4000:1576::2/46016 query[] u38868.mec086b732EDa.sOS.aTLas.RIPE.NEt.22DecEmbre.eU from 2a06:4000:1576::2
> dnsmasq: 2 2a06:4000:1576::2/46016 config u38868.mec086b732EDa.sOS.aTLas.RIPE.NEt.22DecEmbre.eU is NXDOMAIN
> dnsmasq: 3 2a06:4000:1576::2/60217 query[DNSKEY] 22dEceMbre.EU from 2a06:4000:1576::2
> dnsmasq: 3 2a06:4000:1576::2/60217 config 22dEceMbre.EU is NXDOMAIN
> dnsmasq: 4 127.0.0.1/32500 query[A] www.facebook.com from 127.0.0.1
> dnsmasq: 4 127.0.0.1/32500 forwarded www.facebook.com to fd00:2016:22:dec::3
> dnsmasq: 4 127.0.0.1/32500 reply www.facebook.com is
> dnsmasq: 4 127.0.0.1/32500 reply star-mini.c10r.facebook.com is 157.240.11.35
>
> This is dnsmasq version 2.76p0 on OpenBSD, but I doubt it is relevant (yet, further conf' provided any moment).
>
> When I start another dns daemon (unbound), I get the answers. I think it is not firewall related.
>
> Any idea ?
>
> Thank you very much for any help.
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

--
This signature.asc file? It's a GPG signature. If you want to know why I use GPG and why you should too, you can read my article: http://www.22decembre.eu/2015/03/21/introduction-fr/

Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?
On Monday 5 October 2015, 12:31:11, Ernst Ahlers wrote:
> > You can have a local zone with local data also in Unbound.
>
> Sure, but also signed with DNSSEC?
>
> CU
>
> ea

That, I don't think so. If you want to make something sophisticated, why not look at Bind? It makes all possible things ever!

I precise that I do not use it.

--
The file signature.asc is not attached to be read by you. It's a digital signature by GPG. If you want to know why I use it, and why you should as well, you can read my article there: http://www.22decembre.eu/2015/03/21/introduction-en/

Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?
On Friday 2 October 2015, 19:34:30, Ernst Ahlers wrote:
> Thanks for chiming in Stephane,
>
> > Allowing dnsmasq to sign (or give a proof of authenticity) would solve this problem, yet I am sure it is not easy.
>
> AFAIK there's no provision yet in dnsmasq for keeping signed domains. After all it was never intended to be a fully fledged DNS server.
>
> So the only viable option I see now would be switching to Unbound -- which AVM is unlikely to do IMHO.
>
> Have a nice weekend all around!
>
> Ernst

Unbound is only a resolver. To replace dhcp and dns on lan, you might need a dhcp+bind with split mode. Bind would then allow you also to resolve (as it's the all-in-one dns).

Re: [Dnsmasq-discuss] DNSSEC: Answer for local hosts with AD flag set?
On Thursday 1 October 2015, 08:57:14, Ernst Ahlers wrote:
> > I guess the logic is that dnsmasq is the authoritative source for that data, so it doesn't need to validate it to know that it's real.
>
> Right, but obviously the solution is not as simple as setting AD.
>
> As for the background (sorry, since English is not my native tongue I'm having trouble being verbose):
>
> A lot of people around here (me included) use a well-known router brand (Fritz!Boxen) which employs dnsmasq. The manufacturer (AVM) offers a free dyndns service (myfritz.net). It not only answers for both address types but for IPv6 also allows subdomains for hosts within your dyndns domain.
>
> This is practical for accessing services like IMAP or Webdav(s) from anywhere via the same domain name. Now asking the router for a host from the local network will return the *external* IPv4 address and the global IPv6 address.
>
> With IPv4 connections from the local network this obviously incurs a performance penalty since the packets will have to traverse the router's NAT. This might not be an issue with IMAP but definitely with NAS access via Webdav(s) or SFTP.
>
> I submitted the idea of returning local IPv4 addresses for internal queries to AVM. Their reply was that this will fail if they'd enable DNSSEC for their dyndns service in the future. My knee-jerk reply was to let dnsmasq set the AD flag for this kind of query. But as per your explanations this is only half a solution.
>
> Do you think there's any chance to solve this correctly without switching from dnsmasq to Unbound or the like?
>
> Best regards
>
> Ernst

Allow myself to be in.

The interest is also that a domain is signed and used publicly (www, mx, imap with public internet addresses signed...) but that when you are in your network, the local dns (dnsmasq) gives your internal (nat, local) addresses instead, which are not signed. There, you will have conflicts between the two addresses.

Allowing dnsmasq to sign (or give a proof of authenticity) would solve this problem, yet I am sure it is not easy.

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
On Sunday 14 June 2015, 19:44:14, you wrote:
> Hi,
>
> On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon steph...@22decembre.eu wrote:
> > On Friday 12 June 2015, 13:16:09, Maciej Soltysiak wrote:
> > > A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq kicks in. Not a bug then.
> > >
> > > Is my understanding correct?
> >
> > As far as I understand, I have the same issue (except that dnsmasq itself is serving the non signed zone and unbound the signed)!
> >
> > To solve that, I propose to make the unsigned zone on another domain or zone than the signed one.
> >
> > server.domain.org is signed and the public face of your server.
> > server.intern.domain.org is unsigned. Your users can then use this address, and the dns can still have different answer depending where they are.
> >
> > Do you understand me? Do you think it is a good idea? (I am thinking of using it for my case).
>
> Yes, I understand, I think it would work and it's a clever workaround for the issue, however in my case it does not help to maintain the end goal which was to provide authenticated response to that domain so that it is always trustworthy.
>
> That actually is becoming a DNSSEC question. Is there a way to provide split-horizon answers on signed zones? Can one name have 2 different valid answers and RRSIGs? Perhaps if the signature could be for a name/ttl pair, not just the name and have different ttls on those names? Dunno.
>
> Perhaps me trying to use dns records to test whether the responses are coming over dnscrypt or not is flawed in nature.
>
> Thanks anyway,
> Maciej

Actually, it works at first glance (basic resolution and connectivity works), but it fails fast: when you have to work on your website that is hosted on your home server, nothing works anymore!

So I am returning to my previous setup before wondering what I should do.

I am going to write an article about this and all the workarounds that have been tried. Maybe it will then give me an idea on the solution.

Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9
On Friday 12 June 2015, 13:16:09, Maciej Soltysiak wrote:
> I think I have discovered what the problem is and it's unlikely to be dnsmasq.
>
> What I do is that I have a setup which is basically a split horizon:
> - users who are not on the service get A record for using.dnscrypt from a DNSSEC signed zone
> - users who are on the service get *a different* A record for using.dnscrypt.pl from unbound, without sigs!
>
> A user on my service, who has dnssec-check-unsigned enabled gets an unsigned response from a signed zone and the intended reaction of dnsmasq kicks in. Not a bug then.
>
> Is my understanding correct?

As far as I understand, I have the same issue (except that dnsmasq itself is serving the non signed zone and unbound the signed)!

To solve that, I propose to make the unsigned zone on another domain or zone than the signed one.

server.domain.org is signed and the public face of your server.
server.intern.domain.org is unsigned. Your users can then use this address, and the dns can still have different answer depending where they are.

Do you understand me? Do you think it is a good idea? (I am thinking of using it for my case).

> Best regards,
> Maciej
>
> On Fri, Jun 12, 2015 at 10:19 AM, Maciej Soltysiak mac...@soltysiak.com wrote:
> > Hi,
> >
> > One of my users raised an issue that using.dnscrypt.pl does not resolve when dnssec-check-unsigned is turned on.
> >
> > I replicated the issue with most recent openwrt Chaos Calmer package: dnsmasq-full.
> >
> > When dnssec and trust anchor are set and dnssec-check-unsigned is as well, dnsmasq says BOGUS DS:
> >
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
> > Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
> >
> > Verisign dnssec check are ok: http://dnssec-debugger.verisignlabs.com/using.dnscrypt.pl
> >
> > Oddly, dnscrypt.pl resolves fine. It also works fine if dnssec-check-unsigned is turned off.
> >
> > Not sure if rc10 fixes it, it's not in openwrt repo yet.
> >
> > Any ideas?
> >
> > Best regards,
> > Maciej Soltysiak
> > DNSCrypt Poland
> > https://dnscrypt.pl

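A log check for the failure discussed in this message, added here as an example and not code from the thread or from dnsmasq: it reads dnsmasq query-log lines in the format quoted above and lists the names for which address data was returned although validation ended BOGUS. The function names are hypothetical, and the last three sample lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# One dnsmasq query-log entry: "<verb>[<type>] <name> from|to|is <value>".
ENTRY = re.compile(
    r"dnsmasq(?:\[\d+\])?: "            # daemon tag, optional pid
    r"(?:\d+ \S+/\d+ )?"                # optional serial and client/port prefix
    r"(?P<verb>[a-z-]+)(?:\[[^\]]*\])? "
    r"(?P<name>\S+) (?:from|to|is)(?: (?P<value>.*))?$"
)

# The first seven lines are copied from the log in this thread; the last three
# are constructed for contrast (placeholder name, documentation address).
SAMPLE = """\
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from fdea:7beb:d9e3:0:d928:e795:8461:1896
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: forwarded using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: dnssec-query[DS] using.dnscrypt.pl to 127.0.0.1
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is BOGUS DS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: validation using.dnscrypt.pl is BOGUS
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: reply using.dnscrypt.pl is 178.62.233.48
Fri Jun 12 10:14:34 2015 daemon.info dnsmasq[6769]: query[A] using.dnscrypt.pl from 192.168.1.206
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: query[A] plain.example.test from 192.168.1.206
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: forwarded plain.example.test to 127.0.0.1
Fri Jun 12 10:14:35 2015 daemon.info dnsmasq[6769]: reply plain.example.test is 192.0.2.10
""".splitlines()


def _is_address(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def summarize(lines):
    """Collect clients, address answers and validation verdicts per name."""
    names = defaultdict(lambda: {"clients": set(), "answers": set(), "verdicts": []})
    for line in lines:
        match = ENTRY.search(line.strip())
        if not match:
            continue                      # not a query-log entry
        verb = match["verb"]
        value = (match["value"] or "").strip()
        record = names[match["name"].lower()]
        if verb == "query":
            record["clients"].add(value)
        elif verb == "validation":
            record["verdicts"].append(value)
        elif verb == "reply" and _is_address(value):
            record["answers"].add(value)
    return dict(names)


def bogus_with_answers(lines):
    """Names that got address data in a reply but failed validation."""
    return sorted(
        name for name, rec in summarize(lines).items()
        if rec["answers"] and any(v.startswith("BOGUS") for v in rec["verdicts"])
    )


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for name in bogus_with_answers(SAMPLE):
        rec = report[name]
        print(name, sorted(rec["answers"]), "asked by", sorted(rec["clients"]))
```
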
Re: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
On Monday 21 April 2014, 15:28:30, Oliver Rath wrote:
> Hi list,
>
> I'm trying to give my network-computers IPv6-Addresses constructed from ppp0. In my config I get from my provider i.e. these (dynamic) IPv4 and IPv6-addresses:
>
> # ifconfig ppp0
> ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1492
>         inet 80.137.126.83 netmask 255.255.255.255 destination 87.186.224.66
>         inet6 fe80::43c:5b54:cea:b7ea prefixlen 10 scopeid 0x20<link>
>         inet6 2003:62:487f:b168:43c:5b54:cea:b7ea prefixlen 64 scopeid 0x0<global>
>         ppp txqueuelen 3 (Punkt-zu-Punkt Verbindung)
>         RX packets 2546359 bytes 3258224683 (3.0 GiB)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 1550070 bytes 133189854 (127.0 MiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> One of my additional interfaces has this address:
>
> # ifconfig p3p1
> p3p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>         inet 192.168.2.254 netmask 255.255.255.0 broadcast 192.168.2.255
>         inet6 fe80::210:f3ff:fe07:f7bf prefixlen 64 scopeid 0x20<link>
>         ether 00:10:f3:07:f7:bf txqueuelen 1000 (Ethernet)
>         RX packets 2806761 bytes 3337921408 (3.1 GiB)
>         RX errors 0 dropped 0 overruns 0 frame 0
>         TX packets 1832066 bytes 326375284 (311.2 MiB)
>         TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
> If I understand right, I've got an IPv6-subnet with the ability of ~250 clients (Telekom Germany), directly addressable from internet.
>
> Now I want to configure dnsmasq in a way, that the clients get IPv4- (works, internal only) and IPv6-addresses in a from internet addressable way.
>
> Imho the fe80.. number is the *router*-ipv6-address, the 2003:... the *host* ipv6-address. Now my clients should also get an ipv6-router *and* -host address. Is this right?
>
> My dnsmasq.conf (stripped):
>
> except-interface=ppp0
> dhcp-range=set:gw2,192.168.2.50,192.168.2.150,255.255.255.0,12h
> dhcp-range=tag:gw2,::,constructor:ppp0
> ddhcp-option=tag:gw2,128,192.168.2.254
> enable-ra
> dhcp-option=mtu,1492
> dhcp-option=option6:dns-server,[::]
> dhcp-option=252,http://heimserver/wpad.dat;
> log-queries
> log-dhcp
>
> Now I would assume, that my clientpc (p3p1 is bridged with wlan-ap) would get an fe80:.. and another, from internet routable address. While my card has the mac-address 00:21:6a:37:3f:72, I would assume getting an IPv6 address like 2003:62:487f:b168:0021:6aFF:FE373f:72, but he doesn't:
>
> wlan0 on my client-pc:
>
> # ifconfig wlan0
> wlan0 Link encap:Ethernet Hardware Adresse 00:21:6a:37:3f:72
>         inet Adresse:192.168.2.100 Bcast:192.168.2.255 Maske:255.255.255.0
>         inet6-Adresse: fe80::221:6aff:fe37:3f72/64 Gültigkeitsbereich:Verbindung
>         UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
>         RX-Pakete:2981577 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
>         TX-Pakete:2979080 Fehler:0 Verloren:0 Überläufe:0 Träger:0
>         Kollisionen:0 Sendewarteschlangenlänge:1000
>         RX-Bytes:3059635559 (3.0 GB) TX-Bytes:2883630423 (2.8 GB)
>
> Here /var/log/syslog on my client (sorry for the german parts):
>
> Apr 21 14:57:29 hp dhclient: DHCPREQUEST of 192.168.2.100 on wlan0 to 255.255.255.255 port 67 (xid=0x48327e63)
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
> Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016 seconds.
> Apr 21 14:57:29 hp dhclient: DHCPACK of 192.168.2.100 from 192.168.2.254
> Apr 21 14:57:29 hp dhclient: bound to 192.168.2.100 -- renewal in 21016 seconds.
> Apr 21 14:57:29 hp NetworkManager[827]: <info> (wlan0): DHCPv4 state changed preinit -> reboot
> Apr 21 14:57:29 hp NetworkManager[827]: <info> address 192.168.2.100
> Apr 21 14:57:29 hp NetworkManager[827]: <info> prefix 24 (255.255.255.0)
> Apr 21 14:57:29 hp NetworkManager[827]: <info> gateway 192.168.2.254
> Apr 21 14:57:29 hp NetworkManager[827]: <info> hostname 'hp'
> Apr 21 14:57:29 hp NetworkManager[827]: <info> nameserver '192.168.2.254'
> Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Configure Commit) scheduled...
> Apr 21 14:57:29 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Commit) started...
> Apr 21 14:57:29 hp avahi-daemon[801]: Joining mDNS multicast group on interface wlan0.IPv4 with address 192.168.2.100.
> Apr 21 14:57:29 hp avahi-daemon[801]: New relevant interface wlan0.IPv4 for mDNS.
> Apr 21 14:57:29 hp avahi-daemon[801]: Registering new address record for 192.168.2.100 on wlan0.IPv4.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state change: ip-config -> secondaries (reason 'none') [70 90 0]
> Apr 21 14:57:30 hp NetworkManager[827]: <info> Activation (wlan0) Stage 5 of 5 (IPv4 Commit) complete.
> Apr 21 14:57:30 hp NetworkManager[827]: <info> (wlan0): device state change: secondaries -> activated (reason 'none') [90 100 0]
> Apr 21 14:57:30 hp NetworkManager[827]: <info> NetworkManager state is now CONNECTED_GLOBAL
> Apr 21

Re: [Dnsmasq-discuss] IPv6 dhcp/ra-issue
On Monday 21 April 2014, 15:50:04, Timo Buhrmester wrote:

inet6 fe80::43c:5b54:cea:b7ea prefixlen 10 scopeid 0x20<link>

This is the link-local address, established by stateless autoconfiguration.

inet6 2003:62:487f:b168:43c:5b54:cea:b7ea prefixlen 64 scopeid

This is the /64 your ISP assigned you.

If I understand right, I've got an IPv6-subnet with the ability of ~250 clients (Telekom Germany), directly addressable from internet.

Looks like you got a /64, therefore there's slightly more than 250 addresses ;).

network /64 is the minimum. so yes, millions of addresses available!

Imho the fe80.. number is the *router*-ipv6-address, the 2003:... the *host* ipv6-address. Now my clients should also get an ipv6-router *and* -host address. Is this right?

fe80:: addresses are local addresses, non-routable.

As per the above (though I'm not quite sure what you mean by router/host addresses), this doesn't sound right.

My dnsmasq.conf (stripped):

Unfortunately I can't help you on the dnsmasq specifics for I'm rather new to it, however I just felt like clarifying these IPv6 specifics.

I wanted myself to improve Timo's answer.

Best Regards,
Timo
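
The address arithmetic behind this exchange, as an added example that is not part of the original messages: it derives the modified EUI-64 interface identifier from a MAC address and, in reverse, reads the MAC back out of such an address, which is why a globally routable EUI-64 address identifies the hardware. The MACs, addresses and prefix are the ones quoted in the thread; the function names are hypothetical, and the client is assumed to use EUI-64 rather than a randomised interface identifier.

```python
import ipaddress

# Values quoted in the thread.
CLIENT_MAC = "00:21:6a:37:3f:72"                      # wlan0 on the client
ISP_PREFIX = "2003:62:487f:b168:43c:5b54:cea:b7ea/64" # ppp0 address and prefix length


def eui64_interface_id(mac):
    """64-bit interface identifier derived from a 48-bit MAC (modified EUI-64)."""
    octets = [int(part, 16) for part in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets[0] ^= 0x02                      # invert the universal/local bit
    return int.from_bytes(bytes(octets[:3] + [0xFF, 0xFE] + octets[3:]), "big")


def slaac_address(prefix, mac):
    """Address a host forms from an advertised /64 and its own MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)   # host bits are masked off
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(address):
    """MAC embedded in an EUI-64 address, or None without the ff:fe marker."""
    low64 = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    iid = low64.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    print("link-local:", slaac_address("fe80::/64", CLIENT_MAC))
    print("global    :", slaac_address(ISP_PREFIX, CLIENT_MAC))
    print("p3p1 MAC  :", mac_from_address("fe80::210:f3ff:fe07:f7bf"))
    print("ppp0 MAC  :", mac_from_address("2003:62:487f:b168:43c:5b54:cea:b7ea"))
```
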