Re: [Dnsmasq-discuss] No new lease for Option 82 requests until old one times out
Hi,

Sorry for bringing up such an old thread, but I was circling back onto this problem and I wonder if we could revisit it.

> On 17/09/14 09:49, Joachim Nilsson wrote:
>> Hi Simon,
>>
>> I've found a little problem with how Option 82 circuit-id/remote-id
>> works. Everything is fine in the below setup until I replace the client
>> with a replacement unit that has a different MAC.
>>
>> [client]---LAN1---[dhcrelay]---LAN2---[dnsmasq]
>>
>> dhcp-range=subnet0,tag:!static,192.168.2.100,192.168.2.199,255.255.255.0,864000
>>
>> dhcp-circuitid=set:cid0,"Eth6"
>> tag-if=set:static,set:tag0,tag:cid0
>> dhcp-range=tag:tag0,192.168.2.99,192.168.2.99,255.255.255.0,864000
>>
>> When 'client' is replaced the request from the new client reaches
>> dnsmasq, which responds with "no address available". I figured this is
>> because the "pool" for the static IP only has one entry, bound to the
>> old client's MAC. Indeed, it is not until the lease for the old client
>> times out that the new client receives an offer. I guess this behavior
>> is by design ...
>>
>> I was thinking that adding 'tag:tag0' to the --dhcp-host setting would
>> have been perfect for Option 82, since they're basically static leases
>> anyway -- the same port on a given switch should always receive the same
>> IP ... so adding tag support, in addition to the already existing mac
>> and client-id, seemed at least to me useful.
>>
>> What do you think?
>
> Allowing dhcp-host matching by tag is a good idea, but it's not the
> complete solution to this problem. You've spotted the catch, which is
> that the address you want is already bound to a different MAC/client-id.
>
> If you could select a dhcp-host line by tag, ie
>
> dhcp-circuitid=set:cid0,"Eth6"
> dhcp-host=tag:cid0,192.168.2.99
>
> then when the MAC address changed, you just get a different error:
>
> "not using configured address 192.168.2.99 because it is leased to <MAC address>"
>
> To make this work, you'd need some extra semantics, either explicit or
> implicit, to enable the old binding to be abandoned. Abandoning a
> binding is dangerous, since when it granted the lease, the server was
> promising the client exclusive use of the IP address. There is precedent
> for this: the form of dhcp-host which has more than one MAC address
> allows exactly the abandonment of a lease to one MAC address in favour
> of the other one.
>
> It would be possible to define the dhcp-host=tag:cid0,192.168.2.99 form
> as having the same properties, or require some special keyword to enable
> this behaviour.

What about dhcp-host=*,tag:cid0,192.168.2.99? This syntax already exists for disregarding the client id and relying on the MAC address only, and it is similar to what we are saying: disregard the MAC and match on tag only. This should give us enough to be explicit about abandoning the old binding. What do you think?

> I think this covers Neil's points as well, apart from the PXE one. There
> is already some logic that tries to do the right thing when the same MAC
> address sometimes presents a client-id, and sometimes doesn't. It
> doesn't solve the case of two different client-ids at different points
> in the netboot, AFAIK.
>
> Cheers,
>
> Simon.
>
>> Regards
>> /Joachim
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Thanks,
Jason Kincl
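The lease-binding problem the thread is discussing can be made concrete with a small model. The following is an added example, not dnsmasq code and not anything posted in the thread: it parses the DHCP Relay Agent Information option (option 82, RFC 3046) from a constructed options blob, derives the circuit-id tag the way a `dhcp-circuitid=set:cid0,"Eth6"` line would, and then walks a toy one-address pool to show why a replacement unit with a new MAC gets "no address available" until the old lease expires. The `abandon` flag stands in for the explicit "abandon the old binding" semantics proposed above; it is an assumption of this model, not existing dnsmasq syntax, and the MAC addresses and option bytes are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

OPT_RELAY_AGENT = 82      # DHCP option 82, Relay Agent Information
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1     # RFC 3046 sub-option 1
SUBOPT_REMOTE_ID = 2      # RFC 3046 sub-option 2


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLV DHCP options (everything after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad octet, no length byte
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_option82(value: bytes) -> Dict[int, bytes]:
    """Split option 82 into its sub-options: {1: circuit-id, 2: remote-id}."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        subs[code] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def circuit_tag(opts: Dict[int, bytes], circuitid_map: Dict[str, str]) -> Optional[str]:
    """Mimic dhcp-circuitid=set:<tag>,"<id>": return the tag for the request's circuit-id."""
    if OPT_RELAY_AGENT not in opts:
        return None
    cid = parse_option82(opts[OPT_RELAY_AGENT]).get(SUBOPT_CIRCUIT_ID, b"")
    return circuitid_map.get(cid.decode("ascii", "replace"))


@dataclass
class Lease:
    ip: str
    mac: str
    expires: int


class TagPool:
    """One-address pool selected by tag, as in dhcp-range=tag:tag0,.99,.99 above."""

    def __init__(self, ip: str, lease_time: int):
        self.ip, self.lease_time, self.lease = ip, lease_time, None

    def offer(self, mac: str, now: int, abandon: bool = False) -> str:
        old = self.lease
        if old and old.expires > now and old.mac != mac:
            if not abandon:
                # Current behaviour: the address is still promised to the old
                # client, so a different MAC gets nothing from this pool.
                return "no address available"
            # Hypothetical explicit semantics: drop the old binding in favour of
            # the new MAC on the same circuit. Risky, which is why it is opt-in.
        self.lease = Lease(self.ip, mac, now + self.lease_time)
        return self.ip


def build_request_options(circuit_id: bytes) -> bytes:
    """Construct a minimal options blob carrying option 82 with a circuit-id sub-option."""
    sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    return bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])


def demo(abandon: bool = False) -> List[str]:
    """Replay the thread's scenario: original unit, replacement unit, then lease expiry."""
    circuitid_map = {"Eth6": "cid0"}             # dhcp-circuitid=set:cid0,"Eth6"
    pool = TagPool("192.168.2.99", 864000)        # 864000 s lease as in the config above
    opts = parse_options(build_request_options(b"Eth6"))
    assert circuit_tag(opts, circuitid_map) == "cid0"
    results = [pool.offer("00:11:22:33:44:55", now=0)]                              # original unit
    results.append(pool.offer("00:11:22:33:44:66", now=3600, abandon=abandon))     # replacement
    results.append(pool.offer("00:11:22:33:44:66", now=900000))                    # old lease expired
    return results


if __name__ == "__main__":
    print("default:", demo(False))
    print("abandon:", demo(True))
```

Run as-is, the default case shows the sequence Joachim reported (offer, "no address available", offer only after expiry); with `abandon=True` the second request succeeds immediately, at the cost of breaking the promise of exclusivity made to the first client.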
[Dnsmasq-discuss] High Availability: Part Deux
Long time dnsmasq user here. It's a great product, and we're using it on a mid-sized network of 200+ hosts. Our business is to the point where we need to eliminate single points of failure to protect business continuity.

I've looked through the archives and dnsmasq failure is a frequent topic of discussion. Surprisingly, there doesn't seem to be a formula anyone has come up with that can easily be implemented (at least that I could find). I'm trying to come up with a plan...

Let's say I set up two instances of dnsmasq with the exact same configuration, and the leases file was shared on disk between the two hosts. Does dnsmasq check the leases file before it hands out a lease? If so, I think DRBD (http://drbd.linbit.com) may provide the solution I'm looking for. A change to the file would be seen by the other servers in the cluster. Since a DHCP client will only accept one offer, write contention shouldn't be a problem.

Any other conflicts I'm not thinking of? Appreciate any comments very much.

Thank you!
-Jonathan
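A practical check for the two-instance setup asked about above, as an added example that is not part of dnsmasq or of the thread. dnsmasq loads its lease file at startup and then writes it from its in-memory lease table, so a second instance sharing the file on disk does not consult the first instance's allocations when it decides on an offer; the useful thing to automate is therefore detecting when the two tables have diverged. The script assumes the documented `dnsmasq.leases` line layout (`<expiry epoch> <MAC> <IP> <hostname> <client-id or *>`), skips the DHCPv6 `duid` line and IPv6 leases, and reports addresses that both servers hold live leases for but have given to different clients. The lease lines and timestamps are constructed sample data.

```python
from typing import Dict, List, NamedTuple


class Lease(NamedTuple):
    expires: int
    mac: str
    ip: str
    hostname: str
    client_id: str


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq.leases content (IPv4 lines only) into Lease records."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "duid":   # blank line or the DHCPv6 DUID line
            continue
        if ":" in parts[2]:                        # IPv6 lease lines use a different layout
            continue
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3], parts[4]))
    return leases


def live(leases: List[Lease], now: int) -> Dict[str, Lease]:
    """Index unexpired leases by IP."""
    return {l.ip: l for l in leases if l.expires > now}


def find_conflicts(a: List[Lease], b: List[Lease], now: int) -> List[dict]:
    """IPs that both servers have leased, to different MACs, at time `now`."""
    live_a, live_b = live(a, now), live(b, now)
    return [
        {"ip": ip, "server1": live_a[ip].mac, "server2": live_b[ip].mac}
        for ip in sorted(set(live_a) & set(live_b))
        if live_a[ip].mac != live_b[ip].mac
    ]


def unknown_to_peer(a: List[Lease], b: List[Lease], now: int) -> List[str]:
    """Live IPs that server 1 holds but server 2 has no record of (so it could re-offer them)."""
    return sorted(set(live(a, now)) - set(live(b, now)))


# Constructed sample lease files for two instances sharing one dhcp-range.
SERVER1 = """\
1426287878 52:54:00:12:34:56 192.168.1.100 laptop 01:52:54:00:12:34:56
1426288000 52:54:00:ab:cd:ef 192.168.1.101 printer *
1426200000 52:54:00:00:00:01 192.168.1.102 old-host *
1426288500 52:54:00:00:00:03 192.168.1.103 kiosk *
"""
SERVER2 = """\
1426287900 52:54:00:12:34:56 192.168.1.100 laptop 01:52:54:00:12:34:56
1426288100 52:54:00:99:99:99 192.168.1.101 phone *
1426288200 52:54:00:00:00:02 192.168.1.102 new-host *
"""
NOW = 1426280000   # constructed "current time" in epoch seconds


def report(now: int = NOW) -> dict:
    a, b = parse_leases(SERVER1), parse_leases(SERVER2)
    return {
        "conflicts": find_conflicts(a, b, now),
        "only_on_server1": unknown_to_peer(a, b, now),
        "only_on_server2": unknown_to_peer(b, a, now),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample data `.101` is a true conflict (two live leases, two MACs), `.102` is not because server 1's lease has already expired, and `.103` is known only to server 1, which is exactly the address server 2 could hand out a second time. Pointing the two `parse_leases` calls at the real files (`/var/lib/misc/dnsmasq.leases` by default on many distributions) turns this into a cron-driven consistency check.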
Re: [Dnsmasq-discuss] Problems with dnsmasq + authentication with AD
Hello Erling,

2.48 is getting quite old, and I remember having encountered issues when first deploying the EL6 version. I've moved to newer versions a long time ago and use dnsmasq in production in front of AD servers. I definitely can't reproduce that behaviour on 2.70, see below:

# dig mydomain.domain

; <<>> DiG 9.5.0-P2 <<>> mydomain.domain
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.domain.               IN      A

;; ANSWER SECTION:
mydomain.domain.        455     IN      A       10.0.0.16
mydomain.domain.        455     IN      A       10.0.0.11
mydomain.domain.        455     IN      A       10.0.0.14
mydomain.domain.        455     IN      A       10.0.0.12
mydomain.domain.        455     IN      A       10.0.0.13

;; Query time: 1 msec
;; SERVER: 10.0.0.180#53(10.0.0.180)
;; WHEN: Wed Mar 25 13:54:25 2015
;; MSG SIZE  rcvd: 119

-O.

On 2015-03-25 10:54, Erling Ringen Elvsrud wrote:
> Thanks for your reply, I have tested further and it certainly looks like
> dnsmasq does not handle multiple A records with the same name like
> domaindnszones.mydomain.foo (resolves to 36 ip-addresses) and
> forestdnszones.mydomain.foo (resolves to 36 ip-addresses) that well.
>
> We use dnsmasq 2.48 (RHEL 6.6).
> I have tested like this (hostnames and ip-addresses anonymized):
>
> #!/usr/bin/env python
>
> import socket
>
> # resolve the same AD name five times in a row
> for n in range(5):
>     print(socket.gethostbyname('DomainDnsZones.mydomain.foo'))
>
> with dnsmasq disabled:
>
> [root@myhost ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
>
> real 0m0.048s
> user 0m0.009s
> sys 0m0.009s
>
> with dnsmasq enabled:
>
> [root@b27wasl00148 ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
>
> real 0m1.105s
> user 0m0.013s
> sys 0m0.007s
>
> 48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq is a very large
> difference. On ordinary dns-entries dnsmasq performs well and caching improves
> the speed of dns-queries.
>
> My motivation to use dnsmasq is to improve robustness and performance by
> running dnsmasq on every host ("Enterprise environment" with about 3000
> hosts in total) as a workaround of missing functionality in the resolver
> in Glibc like max 3 dns-servers, 1 sec timeout if a dns-server is
> misbehaving (rotate option + timeout 1 + attempts 1 improves this but dns
> issues are still a large problem) and no caching.
>
> Do you have experience with such use of dnsmasq?
>
> Thanks,
>
> Erling
>
> On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley wrote:
>
>> There's an option to dnsmasq called --filterwin2k which was an
>> ill-conceived attempt to modify this sort of query. Check that you
>> don't have that enabled. Apart from that, I'm not aware of anything in
>> dnsmasq that could cause this.
>>
>> Cheers,
>>
>> Simon.
>>
>> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:
>> > Hi,
>> >
>> > We use AD to authenticate users for our Linux-servers. Recently we
>> > started to try out dnsmasq in order to get better dns-request
>> > performance, better resilience (more dns-servers, avoid timeout:1,
>> > etc with the standard glibc resolver).
>> >
>> > Today I noticed that about every fifth logon attempt is a lot
>> > slower than normal (10x the time). If I stop dnsmasq the slowdowns
>> > seem to disappear.
>> >
>> > I can see many ad-related dns-queries with wireshark when
>> > logon is slow like ForestDnsZones.mydomain and
>> > DomainDnsZones.mydomain. The replies are large (tcp-based); these
>> > queries return 20-30 A-records for many domain-controllers.
>> >
>> > Are you aware of similar problems with the dnsmasq /
>> > ad-integration combination?
>> >
>> > Thanks,
>> >
>> > Erling
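The slow queries in this thread are the large, TCP-fallback answers for names with dozens of A records, which `gethostbyname()` hides behind a single call. The following is an added diagnostic, not code from the thread or from dnsmasq: it builds a raw A query, sends it over UDP, and if the reply carries the TC (truncated) bit retries over TCP the way the stub resolver does, reporting transport, answer count and elapsed time so the two paths can be compared directly against a local dnsmasq and against the upstream server. `build_reply()` constructs an answer offline so the parser can be exercised without a network; `query()` needs a reachable server and the `server` argument, `mydomain.domain` and the 455 s TTL are taken from the dig output above, not from any real deployment.

```python
import socket
import struct
import time
from typing import Dict, List

FLAG_TC = 0x0200   # truncated: the client must retry over TCP
RCODE_MASK = 0x000F


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Standard A/IN query with RD set (header + question section)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(buf: bytes) -> Dict:
    """Extract id, TC bit, rcode, answer count and A records from a reply."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4     # skip QNAME, QTYPE, QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return {"id": qid, "truncated": bool(flags & FLAG_TC),
            "rcode": flags & RCODE_MASK, "answers": an, "a_records": addrs}


def _recv_exact(s: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = s.recv(n - len(data))
        if not chunk:
            raise ConnectionError("short DNS/TCP read")
        data += chunk
    return data


def query(name: str, server: str, port: int = 53, timeout: float = 2.0) -> Dict:
    """UDP query with TCP retry on truncation; adds transport and elapsed ms."""
    q = build_query(name)
    t0 = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp = parse_response(s.recv(4096))
    transport = "udp"
    if resp["truncated"]:
        transport = "tcp"
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)     # TCP framing: 2-byte length prefix
            (n,) = struct.unpack("!H", _recv_exact(s, 2))
            resp = parse_response(_recv_exact(s, n))
    resp["transport"] = transport
    resp["ms"] = round((time.monotonic() - t0) * 1000, 1)
    return resp


def build_reply(query_bytes: bytes, addrs: List[str], truncated: bool = False) -> bytes:
    """Construct an answer to query_bytes (offline test helper, not a real server)."""
    qid = struct.unpack("!H", query_bytes[:2])[0]
    flags = 0x8180 | (FLAG_TC if truncated else 0)       # QR, RD, RA, rcode 0
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 455, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query_bytes[12:] + rrs


if __name__ == "__main__":
    import sys
    name, server = (sys.argv + ["mydomain.domain", "127.0.0.1"])[1:3]
    print(query(name, server))
```

Running it as `python3 dnsq.py DomainDnsZones.mydomain.foo 127.0.0.1` and again against the upstream server shows whether the extra second is spent on the TCP retry itself or on the forwarder; a reply with `truncated: True` over UDP is the case Erling's wireshark capture describes.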
Re: [Dnsmasq-discuss] Problems with dnsmasq + authentication with AD
Thanks for your reply, I have tested further and it certainly looks like dnsmasq does not handle multiple A records with the same name like domaindnszones.mydomain.foo (resolves to 36 ip-addresses) and forestdnszones.mydomain.foo (resolves to 36 ip-addresses) that well.

We use dnsmasq 2.48 (RHEL 6.6).
I have tested like this (hostnames and ip-addresses anonymized):

#!/usr/bin/env python

import socket

# resolve the same AD name five times in a row
for n in range(5):
    print(socket.gethostbyname('DomainDnsZones.mydomain.foo'))

with dnsmasq disabled:

[root@myhost ~]# time ./dns-test.py
10.68.62.31
10.67.2.31
10.68.133.36
10.68.130.31
10.35.27.32

real 0m0.048s
user 0m0.009s
sys 0m0.009s

with dnsmasq enabled:

[root@b27wasl00148 ~]# time ./dns-test.py
10.68.62.31
10.67.2.31
10.68.133.36
10.68.130.31
10.35.27.32

real 0m1.105s
user 0m0.013s
sys 0m0.007s

48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq is a very large difference. On ordinary dns-entries dnsmasq performs well and caching improves the speed of dns-queries.

My motivation to use dnsmasq is to improve robustness and performance by running dnsmasq on every host ("Enterprise environment" with about 3000 hosts in total) as a workaround of missing functionality in the resolver in Glibc like max 3 dns-servers, 1 sec timeout if a dns-server is misbehaving (rotate option + timeout 1 + attempts 1 improves this but dns issues are still a large problem) and no caching.

Do you have experience with such use of dnsmasq?

Thanks,

Erling

On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley wrote:
> There's an option to dnsmasq called --filterwin2k which was an
> ill-conceived attempt to modify this sort of query. Check that you
> don't have that enabled. Apart from that, I'm not aware of anything in
> dnsmasq that could cause this.
>
> Cheers,
>
> Simon.
>
> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:
> > Hi,
> >
> > We use AD to authenticate users for our Linux-servers. Recently we
> > started to try out dnsmasq in order to get better dns-request
> > performance, better resilience (more dns-servers, avoid timeout:1,
> > etc with the standard glibc resolver).
> >
> > Today I noticed that about every fifth logon attempt is a lot
> > slower than normal (10x the time). If I stop dnsmasq the slowdowns
> > seem to disappear.
> >
> > I can see many ad-related dns-queries with wireshark when
> > logon is slow like ForestDnsZones.mydomain and
> > DomainDnsZones.mydomain. The replies are large (tcp-based); these
> > queries return 20-30 A-records for many domain-controllers.
> >
> > Are you aware of similar problems with the dnsmasq /
> > ad-integration combination?
> >
> > Thanks,
> >
> > Erling