Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns
On 30/01/14 14:40, Dave Taht wrote:

>> I'm not sure I follow all of this, but for reverse DNS something like
>>
>> server=/hex, lots of hex.ip6.arpa/2001:558:feed::1
>>
>> Will work.
>
> Syntactically having to have a tool to reverse the domain is a pita, what I'd like is
>
> reverse=#260x:x:y:z::/60#2001:558:feed::1#

Quite possible, indeed the string-bashing code already exists.

reverse=260x:x:y:z::/60,2001:558:feed::1#53

maybe?

Cheers,

Simon.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
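Added example, not part of the original thread or of dnsmasq: a small Python helper that does the domain reversal discussed above, turning an IPv6 prefix into the `server=/...ip6.arpa/` line(s). It goes beyond the /60 case by splitting prefixes that are not nibble-aligned. The function names and the 2001:db8:: prefix are constructed, and the optional `@source` check is an assumption based on the observation elsewhere in this thread that one provider's resolvers refuse queries sourced from the other provider's range.

```python
import ipaddress


def ip6_arpa_zones(prefix):
    """Return the ip6.arpa zone name(s) that cover an IPv6 prefix.

    Reverse zones are cut on 4-bit (nibble) boundaries, so a prefix length
    that is not a multiple of 4 is split into nibble-aligned subnets.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects host bits
    aligned = -(-net.prefixlen // 4) * 4              # round up to a nibble
    # At most 8 subnets, since the length is rounded up by 3 bits at most.
    subs = [net] if aligned == net.prefixlen else net.subnets(new_prefix=aligned)
    zones = []
    for sub in subs:
        nibbles = sub.network_address.exploded.replace(":", "")
        labels = list(reversed(nibbles[: aligned // 4])) + ["ip6", "arpa"]
        zones.append(".".join(labels))
    return zones


def reverse_server_lines(prefix, upstream, source=None):
    """Build dnsmasq server= lines that send PTR lookups for prefix to upstream.

    source (optional) is appended as @source-address. Assumption of this
    example: it must lie inside prefix, so the query leaves from the range
    the upstream resolver is willing to answer.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    target = str(ipaddress.ip_address(upstream))      # validates the address
    if source is not None:
        src = ipaddress.IPv6Address(source)
        if src not in net:
            raise ValueError("%s is not inside %s" % (src, net))
        target += "@" + str(src)
    return ["server=/%s/%s" % (z, target) for z in ip6_arpa_zones(prefix)]


if __name__ == "__main__":
    # Constructed sample: documentation prefix standing in for the delegated /60.
    for line in reverse_server_lines("2001:db8:1234:5670::/60",
                                     "2001:558:feed::1",
                                     source="2001:db8:1234:5670::53"):
        print(line)
```
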
Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns
On 29/01/14 19:22, Dave Taht wrote:

> I have been (mostly) happily fiddling with my new comcast ipv6 connection, trying to route all dns queries over ipv6 in particular, by disabling requesting the ipv4 dns addrs and relying on the dhcpv6 request to succeed.
>
> config interface eth0
>     option 'ifname' 'eth0'
>     option 'proto' 'dhcp'
>     option 'peerdns' '0'
>
> config interface wan6
>     option ifname @eth0
>     option proto dhcpv6
>     option 'broadcast' '1'
>     option 'metric' '2048'
>
> works. yea! no more nat holes for ipv4 dns.
>
> Problem is, I also have a hurricane electric tunnel. When I try to use both, addresses from one get used on the other and dns forward lookups fail.
>
> I think the right answer is to abandon resolv.conf.auto and instead explicitly assign ipv6 source addrs in dnsmasq...
>
> server=2001:558:feed::1@:comcast:assigned:ipv6:address
> server=2001:558:feed::2@:comcast.assigned:ipv6:address
> server=2001:470:20::2@my:hurricane:assigned:ipv6:address
>
> yes? (I'll be trying this in a bit)
>
> One thing of possible useful note is that (yea!) we can just select some arbitrary new ipv6 address within the assigned range, add it to the local dnsmasq server box, and source dns lookups from that, using up just that port space.
>
> then my own /etc/resolv.conf just points to localhost for hm.armory.com, so I fix that with
>
> server=/hm.armory.com/172.26.3.1/
> server=/wifi.armory.com/172.26.2.1/
>
> But this doesn't help in terms of reverse lookups (I think), where I might or might not have my own delegated subdomain.
>
> from someoption= comcast.assigned.ipv6.address.range/60 lookup via 2001:558:feed::1 or ::2
> someoption= he.assigned.ipv6.address.range/48 lookup via 2001:470:20::2

I'm not sure I follow all of this, but for reverse DNS something like

server=/hex, lots of hex.ip6.arpa/2001:558:feed::1

Will work.

> ?
>
> and then there's splitting dns... where I might want nuc.hm.armory.com s available to the outside universe. somehow.

Have you looked at the dnsmasq auth stuff for this?

Simon.

> ?
>
> My brain hurts.
Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns
On Thu, Jan 30, 2014 at 1:57 AM, Simon Kelley si...@thekelleys.org.uk wrote:

> On 29/01/14 19:22, Dave Taht wrote:
>
>> I have been (mostly) happily fiddling with my new comcast ipv6 connection, trying to route all dns queries over ipv6 in particular, by disabling requesting the ipv4 dns addrs and relying on the dhcpv6 request to succeed.
>>
>> config interface eth0
>>     option 'ifname' 'eth0'
>>     option 'proto' 'dhcp'
>>     option 'peerdns' '0'
>>
>> config interface wan6
>>     option ifname @eth0
>>     option proto dhcpv6
>>     option 'broadcast' '1'
>>     option 'metric' '2048'
>>
>> works. yea! no more nat holes for ipv4 dns.
>>
>> Problem is, I also have a hurricane electric tunnel. When I try to use both, addresses from one get used on the other and dns forward lookups fail.
>>
>> I think the right answer is to abandon resolv.conf.auto and instead explicitly assign ipv6 source addrs in dnsmasq...
>>
>> server=2001:558:feed::1@:comcast:assigned:ipv6:address
>> server=2001:558:feed::2@:comcast.assigned:ipv6:address
>> server=2001:470:20::2@my:hurricane:assigned:ipv6:address

To try to explain the reasoning for this better, the first two servers refuse requests from an address range assigned the third. This is probably because the first two are not open resolvers.

>> yes? (I'll be trying this in a bit)
>>
>> One thing of possible useful note is that (yea!) we can just select some arbitrary new ipv6 address within the assigned range, add it to the local dnsmasq server box, and source dns lookups from that, using up just that port space.
>>
>> then my own /etc/resolv.conf just points to localhost for hm.armory.com, so I fix that with
>>
>> server=/hm.armory.com/172.26.3.1/
>> server=/wifi.armory.com/172.26.2.1/
>>
>> But this doesn't help in terms of reverse lookups (I think), where I might or might not have my own delegated subdomain.
>>
>> from someoption= comcast.assigned.ipv6.address.range/60 lookup via 2001:558:feed::1 or ::2
>> someoption= he.assigned.ipv6.address.range/48 lookup via 2001:470:20::2
>
> I'm not sure I follow all of this, but for reverse DNS something like
>
> server=/hex, lots of hex.ip6.arpa/2001:558:feed::1
>
> Will work.

Syntactically having to have a tool to reverse the domain is a pita, what I'd like is

reverse=#260x:x:y:z::/60#2001:558:feed::1#

>> ?
>>
>> and then there's splitting dns... where I might want nuc.hm.armory.com s available to the outside universe. somehow.
>
> Have you looked at the dnsmasq auth stuff for this?

head, hurting.

> Simon.
>
>> ?
>>
>> My brain hurts.

--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
Re: [Dnsmasq-discuss] coping with ipv6 source routing and dns
On 01/30/2014 11:40 AM, Dave Taht wrote:

>>> ?
>>>
>>> and then there's splitting dns... where I might want nuc.hm.armory.com s available to the outside universe. somehow.
>>
>> Have you looked at the dnsmasq auth stuff for this?
>
> head, hurting.

hope a real-life example helps :)

    $ cat /etc/dnsmasq.conf
    enable-ra
    dhcp-range=lan, 2a00:1508:1:f004::, ra-names
    dhcp-option=option6:domain-search,red.deltalibre.org.ar

    ### up until here, simply send RAs on the local network,
    ### and tell clients the domain they belong to

    ### tun6 is a tunnel interface to a public v6 broker
    auth-server=gw-red.deltalibre.org.ar,tun6
    auth-zone=red.deltalibre.org.ar,2a00:1508:1:f004::/64
    auth-sec-servers=dnsrelay1.altermundi.net
    # Let others cache our /etc/hosts and dhcp.lease info
    auth-ttl=602

with that configuration, here are some queries

    $ dig gw-red.deltalibre.org.ar @8.8.8.8 +all
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5279
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;gw-red.deltalibre.org.ar. IN

    ;; ANSWER SECTION:
    gw-red.deltalibre.org.ar. 7200 IN 2a00:1508:1:f004::1

    ;; Query time: 2626 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Jan 30 16:38:48 2014
    ;; MSG SIZE rcvd: 70

    $ dig ns red.deltalibre.org.ar @8.8.8.8 +all
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34645
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;red.deltalibre.org.ar. IN NS

    ;; ANSWER SECTION:
    red.deltalibre.org.ar. 602 IN NS gw-red.deltalibre.org.ar.
    red.deltalibre.org.ar. 602 IN NS dnsrelay1.altermundi.net.

    ;; Query time: 568 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu Jan 30 16:39:01 2014
    ;; MSG SIZE rcvd: 98

That unusual TTL lets you tell apart which replies originated on my dnsmasq instance.

dnsrelay[12].altermundi.net are bind servers, elsewhere, which hold the NS record of red.deltalibre.org.ar pointing to gw-red host as well as the glue record shown in the first query (gw-red.deltalibre.org.ar. 7200 IN 2a00:1508:1:f004::1)

[right now dnsrelay1.altermundi.net ipv4 is down :c so queries fail randomly when asking 8.8.8.8 depending on whether it tries to recurse to dnsrelay1 (down) or gw-red (up, ipv6-only) ]

but feel free to poke 2a00:1508:1:f004::1 directly

cheers!

gui

>> Simon.
>>
>>> ?
>>>
>>> My brain hurts.