Re: [Dnsmasq-discuss] Bug while using address=//::
Hey Petr and Simon,

On Mon, 2021-10-11 at 12:59 +0200, Petr Menšík wrote:
> I cannot consider current implementation of filter-a and filter-aaaa
> useful.

I did not look into the code before and was naively assuming it would be in fact per-domain and not kill-'em-all style. And yes, I do agree it should be like

  --filter-a=/example.com/

Maybe this option could simply be syntactic sugar for

  server=/example/#
  address=/example.com/::

but with a real filter instead of forcing it to ::

Best,
Dominik

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Bug while using address=//::
Hi Dominik,

I cannot consider current implementation of filter-a and filter-aaaa useful. On discussion with you, we agreed there are cases where filtering IS useful. But I think it always should be possible only for selected domains, where it brings any advantage. Current form does not allow that, it always filters everything or nothing. It is not helpful IMHO.

Unless domain filter is added, I think it is more appropriate to filter access on link layer and just don't offer any IPv6 addresses at all. Or offer addresses just to selected hosts via DHCPv6. Which does not require any change in dnsmasq.

Current implementation solves only demands of Mr. E, but he never explained why it is useful and in which cases. Why does his network need it when others do not?

I guess we could still support --filter-aaaa=/./, but I would like domain to be mandatory for those filterings.

Cheers,
Petr

On 10/10/21 19:36, Dominik Derigs wrote:
> On Sun, 2021-10-10 at 17:32 +0200, Treysis wrote:
>> Why was this needed?
> It is worth exploring the mailing list archive. Only two weeks
> ago, we have seen valid use cases for an option to filter AAAA.
>
> See, e.g.
>
> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015709.html
> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015711.html
>
> Best,
> Dominik

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Re: [Dnsmasq-discuss] Bug while using address=//::
On Sun, 2021-10-10 at 17:32 +0200, Treysis wrote:
> Why was this needed?

It is worth exploring the mailing list archive. Only two weeks ago, we have seen valid use cases for an option to filter AAAA.

See, e.g.

https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015709.html
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015711.html

Best,
Dominik
Re: [Dnsmasq-discuss] Bug while using address=//::
I'm sorry, but what you are doing IS VERY WRONG!

1. Why was this needed?
2. Only because the server doesn't have IPv6 connectivity, doesn't mean the client can't have IPv6 connectivity.
3. Only because your network might not have IPv6, doesn't mean you should alter DNS requests without good reason.

Why shouldn't a client be allowed to JUST QUERY the local dns server for all records? Even if I am on IPv4-only I might be interested in all configured addresses for a domain! Simple case: troubleshooting. Someone has problems and I wanna see if a server has AAAA records which might cause problems for that someone...with filter-AAAA enabled I can't!!!

It should be left to the OS to decide whether to query for only A, or AAAA, or both. I just proposed the "filter-A" patch because many systems behave differently regarding IPv4-only vs. IPv6-only, i.e. they will query for A records regardless if the system has IPv4 connectivity or not. On the other hand, I haven't seen querying for AAAA on IPv4-only networks.

This is why I ultimately also suggest to remove the "filter-AAAA" option. It does more harm than good. Having this option lets one assume it's a normal option that should just be used on IPv4-single stack networks. But NO. IT SHOULD NOT. I only introduced "filter-A" for VERY SPECIFIC CASES. One should really know how DNS works and what this option does. Don't use it just 'because it is there'.

Cheers,
T

On 10/8/2021 3:56, E wrote:
> Well well... I never thought you actually cared. This is just what I needed! Thanks a lot!!
> I couldn't wait for deb packaging so I tried it myself.
>
> 1. Install it over default dnsmasq
>
>     mkdir tmp1
>     cd tmp1
>     git clone http://thekelleys.org.uk/git/dnsmasq.git
>     make
>     make install
>     cd ~
>     rm -r tmp1/
>
> 2. Add 1 line to dnsmasq.conf
>
>     filter-AAAA
>
> 3. service dnsmasq restart
>
>     "
>     Job for dnsmasq.service failed because the control process exited with error code.
>     See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
>     "
>
>     "
>     bad option at line 24 of /etc/dnsmasq.conf
>     FAILED to start up dnsmasq.service: Failed with result 'exit-code'.
>     "
>
> # dnsmasq --version
> Dnsmasq version 2.87test4-1-g37a70d3  Copyright (c) 2000-2021 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
Re: [Dnsmasq-discuss] Bug while using address=//::
On Thu, Oct 07, Simon Kelley wrote:
> --filter-A and --filter-AAAA options, these drop IPv4 and IPv6 ANSWERS,

Did you consider an option to filter them per interface or server?

Like

  server=/${dnsdomain}/${ip}/no-{A,AAAA}

Olaf
Re: [Dnsmasq-discuss] Bug while using address=//::
Well well... I never thought you actually cared. This is just what I needed! Thanks a lot!!
I couldn't wait for deb packaging so I tried it myself.

1. Install it over default dnsmasq

    mkdir tmp1
    cd tmp1
    git clone http://thekelleys.org.uk/git/dnsmasq.git
    make
    make install
    cd ~
    rm -r tmp1/

2. Add 1 line to dnsmasq.conf

    filter-AAAA

3. service dnsmasq restart

    "
    Job for dnsmasq.service failed because the control process exited with error code.
    See "systemctl status dnsmasq.service" and "journalctl -xe" for details.
    "

    "
    bad option at line 24 of /etc/dnsmasq.conf
    FAILED to start up dnsmasq.service: Failed with result 'exit-code'.
    "

# dnsmasq --version
Dnsmasq version 2.87test4-1-g37a70d3  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash no-DNSSEC loop-detect inotify dumpfile
Re: [Dnsmasq-discuss] Bug while using address=//::
Changing "filter-AAAA" to "filter-A" in dnsmasq.conf = same error
Remove "filter-AAAA" and restart = no error
Re: [Dnsmasq-discuss] Bug while using address=//::
On 30/09/2021 05:15, E wrote:
>> IPv6 connectivity
>
> Why dnsmasq can't drop AAAA, when the server has no IPv6 connectivity at
> all? This doesn't make sense.
> Something like "no-ipv6" or "ipv4-only" switch would be really nice
> here...
>
>
> dnsmasq.conf simple example
>
> server=8.8.8.8#53
> no-ipv6 # will drop client's AAAA questions
>

I added --filter-A and --filter-AAAA options, these drop IPv4 and IPv6 ANSWERS, which is the correct way to implement this.

Simon.
Re: [Dnsmasq-discuss] Bug while using address=//::
apt remove --purge dnsmasq* fixed the issue. Thanks a lot.

https://serverfault.com/questions/826872/return-a-records-but-not-aaaa-records-on-specific-domain-in-bind9/827217#827217
Re: [Dnsmasq-discuss] Bug while using address=//::
On 9/30/21 09:42, john doe wrote:
> On 9/30/2021 7:17 AM, Geert Stappers via Dnsmasq-discuss wrote:
>> On Wed, Sep 29, 2021 at 09:15:15PM -0700, E wrote:
>>>> IPv6 connectivity
>>>
>>> Why dnsmasq can't drop AAAA,
>>> when the server has no IPv6 connectivity at all?
>>> This doesn't make sense.

I have no connectivity but still would like to know which servers have public IPv6 addresses and which don't. Connectivity is not directly related to type of queries forwarded.

>>
>> No sense to those would don't understand what DNS is.
>> (DNS is a key value database (which is distributed))
>>
>>
>>> Something like "no-ipv6" or "ipv4-only" switch
>>> would be really nice here...
>>
>> Nice is how people should behave.
>>
>> Computers and other tools are blunt, rude, straight down and such.
>>
>>
>> Please understand that querying an AAAA record
>> is the very same as querying an TXT, MX or A record.
>> It doesn't mather if the request travels
>> over IPv6 or IPv4.
>>
>
> A 'AAAA' record is for IPv6 and a 'A' record is for IPv4.

Understood. But filtering all records of single type is not usually required and not helping. BIND has moved similar functionality to plugin [1]. But they recommend in its own documentation it should not be used *unless absolutely necessary*. Fetching AAAA records is not usually the problem to solve, but some corner cases exist. Partial modification of contents is not considered good practice by DNS community.

I think Geert tried to note I can request AAAA via IPv4 and it is safe. Likewise I can request A record over IPv6 and there is no problem with that.

I would like to know why is fetching AAAA records bad on host without IPv6 connectivity. Dominik already pointed to valid cases on IPv6 connected host with limited IPv6 link.

Dnsmasq relies on forwarders configured explicitly or read from /etc/resolv.conf. If there is no IPv6 address in resolv.conf, no IPv6 would be used. Isn't that enough?

Cheers,
Petr

1. https://manpages.debian.org/unstable/bind9/filter-aaaa.8.en.html

>
> --
> John Doe
>

-- 
Petr Menšík
Re: [Dnsmasq-discuss] Bug while using address=//::, Configuration regressions
Okay, confirming this works on 2.86 release, but does not with 2.85 or 2.81. I am afraid it could be requested via bugs reported to distribution only. It does not work with root domain /./ on previous versions. It seems --address=/./:: is now equivalent to --address=/#/::

What seems more important, the behaviour of --address changed significantly. --address=/com/:: on 2.85 and lower sends :: for AAAA queries and NOERROR without response on A queries. While I like current behaviour more, I think we should revert to previous behaviour to keep systems behaving the same after upgrades and allow new behaviour with modified configuration.

--address=/com/#/ now behaves like --address=/com/# behaved before, but no backward compatible version for specified address exists. I think it should be modified to previous mode by default. And a way to make new behaviour possible also with given address.

--address=/#/ is accepted, but does nothing. Similar to --server=/

Also --local=/com/:: changed its behaviour. It now behaves like --address=/com/::, not as --server=/com/:: as it should and used to in 2.85. Should we ensure address part is empty perhaps to prevent misusing --local instead of --server?

On 9/30/21 06:09, E wrote:
>> Which dnsmasq version are you using?
> Latest on Debian 11.
>
> ii  dnsmasq       2.85-1  all    Small caching DNS proxy and DHCP/TFTP server
> ii  dnsmasq-base  2.85-1  amd64  Small caching DNS proxy and DHCP/TFTP server
>
>
>> src/dnsmasq -d --port 2053 --conf-file=/dev/null --log-queries --address=/./::
>> This seems to do what you wanted
> Is it? Nope. still not blocked at all!
>
> 1. edit dnsmasq.conf, add "address=/./::"
> 2. restart service
> 3.
> dig .com AAAA @127.0.0.1 --- still responds AAAA results
> dig .com A @127.0.0.1 --- works (returning A results)
>
>
> My question is simple,
> a. How can I block certain AAAA ranges?
> b. Or, How can I block all AAAA?
>

-- 
Petr Menšík
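The two behaviours this message contrasts (the old address=/domain/ answer-locally semantics that produced E's empty A answers, and a per-domain AAAA filter in the spirit of the --filter-aaaa=/example.com/ Dominik proposes at the top of the thread), as an added Python model that is not dnsmasq code. UPSTREAM, matches, resolve_address_rule and resolve_filter_aaaa are constructed names, the upstream data is made up, and the matching rule is a simplification of dnsmasq's.

```python
"""Added model of the two dnsmasq behaviours contrasted in this thread.

Not dnsmasq code: UPSTREAM, the matching rule and the function names are
constructed simplifications.  It encodes:
  * address=/domain/<ip> as Petr describes it for 2.85 and earlier: a matching
    query is answered locally and never forwarded, so address=/com/:: yields
    '::' for AAAA and an empty NOERROR for A (the symptom E reported);
  * a per-domain AAAA filter in the spirit of Dominik's --filter-aaaa=/example.com/:
    the query is forwarded as usual and only the AAAA records of matching
    names are dropped, so A answers keep working.
"""
from dataclasses import dataclass, field

# Constructed upstream data standing in for the forwarder (server=8.8.8.8#53).
UPSTREAM = {
    ("github.com", "A"): ["192.0.2.10"],
    ("github.com", "AAAA"): ["2001:db8::10"],
    ("example.org", "A"): ["192.0.2.20"],
    ("example.org", "AAAA"): ["2001:db8::20"],
}


@dataclass
class Answer:
    rcode: str
    records: list = field(default_factory=list)
    forwarded: bool = False


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def matches(domain: str, name: str) -> bool:
    """dnsmasq-style match: the domain itself or any name below it.
    The root domain '.' (address=/./:: in the thread) matches every name."""
    domain, name = _norm(domain), _norm(name)
    return domain == "" or name == domain or name.endswith("." + domain)


def forward(name: str, qtype: str) -> Answer:
    """Ask the constructed upstream; names it has never heard of get NXDOMAIN."""
    key = (_norm(name), qtype)
    if key[0] not in {n for n, _ in UPSTREAM}:
        return Answer("NXDOMAIN", [], forwarded=True)
    return Answer("NOERROR", list(UPSTREAM.get(key, [])), forwarded=True)


def resolve_address_rule(name: str, qtype: str, rules) -> Answer:
    """Old address=/domain/ip semantics: the longest matching domain wins and
    the query is answered locally.  A query for the *other* address family
    gets NOERROR with no records and is not forwarded, which is why
    address=/COM/:: left E's 'dig github.com A' without an answer."""
    hits = [(d, ip) for d, ip in rules if matches(d, name)]
    if not hits:
        return forward(name, qtype)
    _, ip = max(hits, key=lambda r: len(_norm(r[0])))
    wants_v6 = qtype == "AAAA"
    if qtype in ("A", "AAAA") and wants_v6 == (":" in ip):
        return Answer("NOERROR", [ip])
    return Answer("NOERROR", [])


def resolve_filter_aaaa(name: str, qtype: str, filtered_domains) -> Answer:
    """Per-domain AAAA filter: forward everything, then strip only the AAAA
    records of names under a filtered domain.  ['.'] reproduces the global
    --filter-AAAA that Petr calls all-or-nothing; ['com'] is the scoped form."""
    ans = forward(name, qtype)
    if qtype == "AAAA" and any(matches(d, name) for d in filtered_domains):
        ans.records = []
    return ans
```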
Re: [Dnsmasq-discuss] Bug while using address=//::
On 9/30/2021 7:17 AM, Geert Stappers via Dnsmasq-discuss wrote:
> On Wed, Sep 29, 2021 at 09:15:15PM -0700, E wrote:
>>> IPv6 connectivity
>>
>> Why dnsmasq can't drop AAAA,
>> when the server has no IPv6 connectivity at all?
>> This doesn't make sense.
>
> No sense to those would don't understand what DNS is.
> (DNS is a key value database (which is distributed))
>
>> Something like "no-ipv6" or "ipv4-only" switch
>> would be really nice here...
>
> Nice is how people should behave.
>
> Computers and other tools are blunt, rude, straight down and such.
>
> Please understand that querying an AAAA record
> is the very same as querying an TXT, MX or A record.
> It doesn't mather if the request travels
> over IPv6 or IPv4.

A 'AAAA' record is for IPv6 and a 'A' record is for IPv4.

--
John Doe
Re: [Dnsmasq-discuss] Bug while using address=//::
On Wed, Sep 29, 2021 at 09:15:15PM -0700, E wrote:
>> IPv6 connectivity
>
> Why dnsmasq can't drop AAAA,
> when the server has no IPv6 connectivity at all?
> This doesn't make sense.

No sense to those who don't understand what DNS is.
(DNS is a key value database (which is distributed))

> Something like "no-ipv6" or "ipv4-only" switch
> would be really nice here...

Nice is how people should behave.

Computers and other tools are blunt, rude, straight down and such.

Please understand that querying an AAAA record
is the very same as querying a TXT, MX or A record.
It doesn't matter if the request travels
over IPv6 or IPv4.

And another please, a pretty please:

Embrace evolution
Embrace mental growth

Greetings
Geert Stappers

P.S.
To those who feel insulted by this posting
Consider the suffering when being ignored

--
Silence is hard to parse
Re: [Dnsmasq-discuss] Bug while using address=//::
> Which dnsmasq version are you using?

Latest on Debian 11.

ii  dnsmasq       2.85-1  all    Small caching DNS proxy and DHCP/TFTP server
ii  dnsmasq-base  2.85-1  amd64  Small caching DNS proxy and DHCP/TFTP server

> src/dnsmasq -d --port 2053 --conf-file=/dev/null --log-queries --address=/./::
> This seems to do what you wanted

Is it? Nope. still not blocked at all!

1. edit dnsmasq.conf, add "address=/./::"
2. restart service
3.
dig .com AAAA @127.0.0.1 --- still responds AAAA results
dig .com A @127.0.0.1 --- works (returning A results)

My question is simple,
a. How can I block certain AAAA ranges?
b. Or, How can I block all AAAA?
Re: [Dnsmasq-discuss] Bug while using address=//::
> IPv6 connectivity

Why dnsmasq can't drop AAAA, when the server has no IPv6 connectivity at all? This doesn't make sense.
Something like "no-ipv6" or "ipv4-only" switch would be really nice here...

dnsmasq.conf simple example

server=8.8.8.8#53
no-ipv6 # will drop client's AAAA questions
Re: [Dnsmasq-discuss] Bug while using address=//::
Hi Dominik,

On 9/29/21 19:30, Dominik Derigs wrote:
> Hey Petr,
>
> On Wed, 2021-09-29 at 17:49 +0200, Petr Menšík wrote:
>> May I ask for your reason, why are you trying to explicitly block IPv6 in
>> year 2021?
> I asked the very same question when we received the reports about this bug
> with the different allocated memory sized that was fixed two weeks ago. The
> answer I received from independent parties was always the same. In short:
>
> 1. No native IPv6 connectivity
> 2. Using some sort of VPN tunnel to get IPv6
> 3. Several services favor IPv6

Sure, this exactly is also my situation. We have some internal IPv6 connectivity at offices, but without global internet access. I do not have native IPv6 even at home. But if I miss IPv6 route forward, I do not care if applications try to get IPv6 addresses. If default route is missing, any attempt of connection fails immediately. I don't know about application which cannot handle such situation. Okay, some applications may use -4 parameter to skip logging failed attempts, but they should work.

If I have some IPv6 connectivity but want to skip it for some services, I would understand that. Some subset only makes sense, like only for netflix domains or spotify domains. Slightly better than blocking their IPv6 ranges on firewall.

>
> These services (I saw Netflix, Spotify and other bigger names) mentioned
> that refuse to work because they think you want to cheat on their geo-
> fencing with your VPN. When they use Netflix over their native IPv4,
> everything works.

Ok, tunnels make geolocation hard. If they do not want to serve the content to uncertain countries, sure, there may be no better way than to disable queries for those services. Especially if their servers accept a connection from those address and respond REFUSED kind of error.

Is there scenario, where IPv6 communication over IP addresses should work but any names should not resolve? I could not find any.

>
> I was a bit surpised about this, but it does make sense.

You are correct. Until we have fully supported native connectivity, some filtering might help fixing broken services. Thanks for sharing your experience.

>
> Best
> Dominik

Cheers,
Petr

-- 
Petr Menšík
Re: [Dnsmasq-discuss] Bug while using address=//::
Hey Petr,

On Wed, 2021-09-29 at 17:49 +0200, Petr Menšík wrote:
> May I ask for your reason, why are you trying to explicitly block IPv6 in
> year 2021?

I asked the very same question when we received the reports about this bug with the different allocated memory sized that was fixed two weeks ago. The answer I received from independent parties was always the same. In short:

1. No native IPv6 connectivity
2. Using some sort of VPN tunnel to get IPv6
3. Several services favor IPv6

These services (I saw Netflix, Spotify and other bigger names) mentioned that refuse to work because they think you want to cheat on their geo-fencing with your VPN. When they use Netflix over their native IPv4, everything works.

I was a bit surprised about this, but it does make sense.

Best
Dominik
Re: [Dnsmasq-discuss] Bug while using address=//::
Hello E,

May I ask for your reason, why are you trying to explicitly block IPv6 in year 2021? Unless you have public IPv6 route, your system should work just fine with any requests they make.

src/dnsmasq -d --port 2053 --conf-file=/dev/null --log-queries --address=/./::

This seems to do what you wanted, it is recent code from dnsmasq. But my question remains. What is a problem with IPv6 if you just do not have IPv6 connectivity? Any programs or systems needing this tuning need to fix themselves, not by dnsmasq.

Regards,
Petr

On 9/28/21 01:41, E wrote:
>> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015348.html
>> It can block any name by using --address=/blockedname/::1.
> What I want to do:
> 1. Block AAAA requests. (at first I want to block specific IPv6 ranges
> but it's not possible, so)
> 2. Can able to query A.
>
> Steps:
> 1. Install dnsmasq on Debian 11 (completely disabled IPv6/IPv4 only
> environment)
> 2. Add below 2 line to conf and restart service.
> server=8.8.8.8#53
> address=/COM/::
> 3. dig github.com A @127.0.0.1
>
> Result:
> No answer at all.
> ;github.com.    IN  A
>
> Expected:
> github.com.  IN  A  1.2.3.4
>
>
> Questions:
> 1. why dnsmasq is rejecting A request?
> 2. Is there any way to block AAAA?
>

-- 
Petr Menšík
Re: [Dnsmasq-discuss] Bug while using address=//::
Which dnsmasq version are you using?

Simon.

On 28/09/2021 00:41, E wrote:
>> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015348.html
>> It can block any name by using --address=/blockedname/::1.
>
> What I want to do:
> 1. Block AAAA requests. (at first I want to block specific IPv6 ranges
> but it's not possible, so)
> 2. Can able to query A.
>
> Steps:
> 1. Install dnsmasq on Debian 11 (completely disabled IPv6/IPv4 only
> environment)
> 2. Add below 2 line to conf and restart service.
> server=8.8.8.8#53
> address=/COM/::
> 3. dig github.com A @127.0.0.1
>
> Result:
> No answer at all.
> ;github.com.    IN  A
>
> Expected:
> github.com.  IN  A  1.2.3.4
>
>
> Questions:
> 1. why dnsmasq is rejecting A request?
> 2. Is there any way to block AAAA?
>