Re: [Dnsmasq-discuss] No new lease for Option 82 requests until old one times out

2015-03-25 Thread Kincl, Jason C.
Hi,

Sorry for bringing up such an old thread but I was circling back onto this 
problem and I wonder if we could revisit it.

> On 17/09/14 09:49, Joachim Nilsson wrote:
>> Hi Simon,
>> 
>> I've found a little problem with how Option 82 circuit-id/remote-id
>> works. Everything is fine in the below setup until I replace the client
>> with a replacement unit that has a different MAC.
>> 
>>   [client]---LAN1---[dhcrelay]---LAN2---[dnsmasq]
>> 
>> dhcp-range=subnet0,tag:!static,192.168.2.100,192.168.2.199,255.255.255.0,864000
>> 
>> dhcp-circuitid=set:cid0,"Eth6"
>> tag-if=set:static,set:tag0,tag:cid0
>> dhcp-range=tag:tag0,192.168.2.99,192.168.2.99,255.255.255.0,864000
>> 
>> When 'client' is replaced the request from the new client reaches
>> dnsmasq, which responds with "no address available".  I figured this is
>> because the "pool" for the static IP only has one entry, bound to the
>> old client's MAC.  Indeed, it is not until the lease for the old client
>> times out that the new client receives an offer. I guess this behavior
>> is by design ...
>> 
>> I was thinking that adding 'tag:tag0' to the --dhcp-host setting would
>> have been perfect for Option 82, since they're basically static leases
>> anyway -- the same port on a given switch should always receive the same
>> IP ... so adding tag support, in addition to the already existing mac
>> and client-id, seemed at least to me useful.
>> 
>> What do you think?
> 
> Allowing dhcp-host matching by tag is a good idea, but it's not the
> complete solution to this problem. You've spotted the catch, which is
> that the address you want is already bound to a different MAC/client-id.
> 
> If you could select a dhcp-host line by tag, ie
> 
> dhcp-circuitid=set:cid0,"Eth6"
> dhcp-host=tag:cid0,192.168.2.99
> 
> then when the MAC address changed, you just get a different error:
> 
> "not using configured address 192.168.2.99 because it is leased to <MAC address>"
> 
> 
> To make this work, you'd need some extra semantics, either explicit or
> implicit, to enable the old binding to be abandoned. Abandoning a
> binding is dangerous, since when it granted the lease, the server was
> promising the client exclusive use of the IP address. There is precedent
> for this: the form of dhcp-host which has more than one MAC address
> allows exactly the abandonment of a lease to one MAC address in favour
> of the other one.
> 
> It would be possible to define the dhcp-host=tag:cid0,192.168.2.99 form
> as having the same properties, or require some special keyword to enable
> this behaviour.

What about dhcp-host=*,tag:cid0,192.168.2.99? This syntax already exists for 
disregarding the client id and relying on the MAC address only, and it is 
similar to what we are saying: disregard the MAC and match on tag only. This 
should give us enough to be explicit about abandoning the old binding. 

What do you think?

> 
> I think this covers Neil's points as well, apart from the PXE one. There
> is already some logic that tries to do the right thing when the same MAC
> address sometimes presents a client-id, and sometimes doesn't. It
> doesn't solve the case of two different client-ids at different points
> in the netboot, AFAIK.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
>> 
>> Regards
>> /Joachim
>> 
>> 
>> ___
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>> 

Thanks,

Jason Kincl

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
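The lease-binding conflict Simon and Jason describe above, as an added example that is not part of the thread and not dnsmasq's own code: a small Python model that parses Option 82 (Relay Agent Information, RFC 3046) out of a constructed DHCP options field, selects a fixed address by circuit-id the way a `dhcp-host=tag:cid0,192.168.2.99` line would, and refuses to reuse that address while it is bound to another MAC unless an explicit abandon flag is set (standing in for the `dhcp-host=*,tag:cid0,...` semantics Jason proposes). The names `LeaseTable`, `build_options` and the `abandon_on_circuit` flag are this example's own. One policy is an assumption of the example rather than documented dnsmasq behaviour: Option 82 is honoured only when the packet carries a non-zero giaddr, i.e. arrived through a relay, because a client on the server's own segment can insert the option itself and the option carries no authentication.

```python
"""Option 82 lease binding: constructed example, not dnsmasq code."""
from dataclasses import dataclass
from typing import Optional

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options field


def build_options(msgtype: int, client_id: Optional[bytes], circuit_id: Optional[bytes]) -> bytes:
    """Build a DHCP options field: message type (53), client-id (61), relay info (82), end."""
    out = MAGIC + bytes([53, 1, msgtype])
    if client_id is not None:
        out += bytes([61, len(client_id)]) + client_id
    if circuit_id is not None:
        sub = bytes([1, len(circuit_id)]) + circuit_id  # sub-option 1 = circuit-id
        out += bytes([82, len(sub)]) + sub
    return out + b"\xff"


def parse_options(buf: bytes) -> dict:
    """Parse a DHCP options field into {option code: raw value}."""
    if buf[:4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(buf):
        code = buf[i]
        if code == 0:       # pad
            i += 1
            continue
        if code == 255:     # end
            break
        length = buf[i + 1]
        opts[code] = buf[i + 2 : i + 2 + length]
        i += 2 + length
    return opts


def parse_option82(raw: bytes) -> dict:
    """Split Relay Agent Information into {sub-option: value} (1 = circuit-id, 2 = remote-id)."""
    subs, i = {}, 0
    while i + 1 < len(raw):
        sub, length = raw[i], raw[i + 1]
        subs[sub] = raw[i + 2 : i + 2 + length]
        i += 2 + length
    return subs


@dataclass
class Lease:
    addr: str
    mac: str
    client_id: Optional[bytes]


class LeaseTable:
    def __init__(self, circuit_hosts: dict, pool: list):
        self.circuit_hosts = circuit_hosts  # circuit-id -> fixed address (dhcp-host=tag:cid0,ADDR)
        self.pool = list(pool)              # dynamic addresses (a dhcp-range)
        self.leases: dict = {}              # addr -> Lease

    def offer(self, mac: str, options: bytes, giaddr: str, abandon_on_circuit: bool = False):
        opts = parse_options(options)
        client_id = opts.get(61)
        circuit = None
        # Assumption of this example (not dnsmasq policy): trust Option 82 only when the
        # packet came through a relay (non-zero giaddr); a directly attached client can
        # forge the option, and nothing authenticates it.
        if giaddr != "0.0.0.0" and 82 in opts:
            circuit = parse_option82(opts[82]).get(1)
        fixed = self.circuit_hosts.get(circuit)
        if fixed is not None:
            cur = self.leases.get(fixed)
            if cur is not None and (cur.mac, cur.client_id) != (mac, client_id):
                if not abandon_on_circuit:
                    # Same refusal dnsmasq logs for a dhcp-host address held by another client.
                    # This example stops here rather than falling back to a dynamic range,
                    # so the conflict stays visible.
                    return None, f"not using configured address {fixed} because it is leased to {cur.mac}"
                # Explicit abandon semantics: the port identity outranks the old MAC binding.
            self.leases[fixed] = Lease(fixed, mac, client_id)
            return fixed, "configured address"
        for addr in self.pool:
            cur = self.leases.get(addr)
            if cur is None or (cur.mac, cur.client_id) == (mac, client_id):
                self.leases[addr] = Lease(addr, mac, client_id)
                return addr, "dynamic address"
        return None, "no address available"


def demo():
    """Replay the thread's scenario on constructed packets; returns the four outcomes."""
    table = LeaseTable({b"Eth6": "192.168.2.99"}, ["192.168.2.100", "192.168.2.101"])
    relay = "192.168.1.1"                      # giaddr set by the relay (constructed)
    old = build_options(1, b"\x01old", b"Eth6")  # DHCPDISCOVER from the original unit
    new = build_options(1, b"\x01new", b"Eth6")  # DHCPDISCOVER from the replacement unit
    first = table.offer("00:11:22:33:44:55", old, relay)
    blocked = table.offer("66:77:88:99:aa:bb", new, relay)
    rebound = table.offer("66:77:88:99:aa:bb", new, relay, abandon_on_circuit=True)
    spoof = table.offer("cc:dd:ee:ff:00:11", new, "0.0.0.0")  # forged Option 82, no relay
    return first, blocked, rebound, spoof


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running `demo()` shows the three states in order: the original unit gets 192.168.2.99, the replacement MAC on the same circuit is refused with the "leased to" message until `abandon_on_circuit=True`, and a client on the server's own segment that forges Option 82 only ever gets a dynamic address.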


[Dnsmasq-discuss] High Availability: Part Deux

2015-03-25 Thread Jonathan Fisher
Long time dnsmasq user here, It's a great product, and we're using it on a
mid-sized network of 200+ hosts.

Our business is to the point where we need to eliminate single points of
failure to protect business continuity.

I've looked through the archives and dnsmasq failure is a frequent topic of
discussion. Surprisingly, there doesn't seem to be a formula anyone has
come up with that can easily be implemented (at least that I could find).

I'm trying to come up with a plan... Let's say I set up two instances of
dnsmasq with the exact same configuration, and the leases file was shared
on disk between the two hosts. Does dnsmasq check the leases file before it
hands out a lease?

If so, I think DRBD (http://drbd.linbit.com) may provide the solution I'm
looking for. A change to the file would be seen by the other servers in
the cluster. Since a DHCP client will only accept one offer, write
contention shouldn't be a problem.

Any other conflicts I'm not thinking of? Appreciate any comments very much.
Thank you!

-Jonathan

-- 
Email Confidentiality Notice: The information contained in this 
transmission is confidential, proprietary or privileged and may be subject 
to protection under the law, including the Health Insurance Portability and 
Accountability Act (HIPAA). The message is intended for the sole use of the 
individual or entity to whom it is addressed. If you are not the intended 
recipient, you are notified that any use, distribution or copying of the 
message is strictly prohibited and may subject you to criminal or civil 
penalties. If you received this transmission in error, please contact the 
sender immediately by replying to this email and delete the material from 
any computer.
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
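Before trusting two instances that write the same leases file, the check a practitioner would want, as an added example that is not dnsmasq's code and makes no claim about when dnsmasq reads the file: parse both instances' leases files and report any address that the two have bound to different clients, and any client that holds a different address on each. The format assumed is dnsmasq's IPv4 lease line, `expiry MAC IP hostname client-id`, with `*` for an absent field; the two sample files below are constructed, and IPv6 `duid` lines are skipped rather than handled.

```python
"""Cross-check two dnsmasq leases files for conflicting allocations (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str
    client_id: str


def parse_leases(text: str) -> list:
    """Parse the IPv4 lines of a dnsmasq leases file: expiry MAC IP hostname client-id.

    dnsmasq writes '*' for an unknown hostname or client-id. The IPv6 'duid' line
    and anything else that is not five fields is skipped (assumption of this example).
    """
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "duid":
            continue
        leases.append(Lease(int(fields[0]), fields[1].lower(), fields[2], fields[3], fields[4]))
    return leases


def client_key(lease: Lease) -> str:
    """Identify the client by client-id when present, otherwise by MAC."""
    return lease.client_id if lease.client_id != "*" else lease.mac


def find_conflicts(files: dict, now: int) -> tuple:
    """files: {instance name: leases file text}. Returns (ip_conflicts, client_conflicts).

    ip_conflicts:     ip -> {instance: client} where instances disagree on the holder
    client_conflicts: client -> {instance: ip} where instances gave different addresses
    Expired leases are ignored; an expired binding is not a promise any more.
    """
    by_ip = defaultdict(dict)
    by_client = defaultdict(dict)
    for name, text in files.items():
        for lease in parse_leases(text):
            if lease.expires <= now:
                continue
            by_ip[lease.ip][name] = client_key(lease)
            by_client[client_key(lease)][name] = lease.ip
    ip_conflicts = {ip: v for ip, v in by_ip.items() if len(set(v.values())) > 1}
    client_conflicts = {c: v for c, v in by_client.items() if len(set(v.values())) > 1}
    return ip_conflicts, client_conflicts


# Constructed sample leases files for two instances; not real data.
LEASES_A = """\
1427400000 00:11:22:33:44:55 192.168.2.100 alpha 01:00:11:22:33:44:55
1427400000 66:77:88:99:aa:bb 192.168.2.101 bravo *
1427000000 aa:bb:cc:dd:ee:ff 192.168.2.102 stale *
"""
LEASES_B = """\
1427400000 00:11:22:33:44:55 192.168.2.100 alpha 01:00:11:22:33:44:55
1427400000 cc:dd:ee:ff:00:11 192.168.2.101 charlie *
1427400000 66:77:88:99:aa:bb 192.168.2.103 bravo *
1427400000 aa:bb:cc:dd:ee:ff 192.168.2.102 stale *
"""


def demo(now: int = 1427300000) -> tuple:
    """Compare the two sample files at a fixed 'now' (constructed epoch value)."""
    return find_conflicts({"dnsmasq-a": LEASES_A, "dnsmasq-b": LEASES_B}, now)


if __name__ == "__main__":
    ip_conflicts, client_conflicts = demo()
    for ip, holders in ip_conflicts.items():
        print(f"{ip} leased to different clients: {holders}")
    for client, addrs in client_conflicts.items():
        print(f"{client} holds different addresses: {addrs}")
```

In the sample data the two instances have each given 192.168.2.101 to a different client, and the client bravo holds 192.168.2.101 on one instance and 192.168.2.103 on the other; those are the two conflict classes a shared file can only reveal after the fact.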


Re: [Dnsmasq-discuss] Problems with dnsmasq + authentication with AD

2015-03-25 Thread Olivier Mauras
 

Hello Erling,

2.48 is getting quite old, and I remember having encountered issues when
first deploying the EL6 version. I moved to newer versions a long time ago
and use dnsmasq in production in front of AD servers. I definitely can't
reproduce that behaviour on 2.70, see below:

# dig mydomain.domain

; <<>> DiG 9.5.0-P2 <<>> mydomain.domain
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.domain.               IN      A

;; ANSWER SECTION:
mydomain.domain.        455     IN      A       10.0.0.16
mydomain.domain.        455     IN      A       10.0.0.11
mydomain.domain.        455     IN      A       10.0.0.14
mydomain.domain.        455     IN      A       10.0.0.12
mydomain.domain.        455     IN      A       10.0.0.13

;; Query time: 1 msec
;; SERVER: 10.0.0.180#53(10.0.0.180)
;; WHEN: Wed Mar 25 13:54:25 2015
;; MSG SIZE  rcvd: 119

-O. 

On 2015-03-25 10:54, Erling Ringen Elvsrud wrote: 

> Thanks for your reply, I have tested further and it certainly looks like
> dnsmasq does not handle multiple A records with the same name like
> domaindnszones.mydomain.foo (resolves to 36 IP addresses)
> and forestdnszones.mydomain.foo (resolves to 36 IP addresses) that well.
> 
> We use dnsmasq 2.48 (RHEL 6.6).
> 
> I have tested like this (hostnames and IP addresses anonymized):
> 
> #!/usr/bin/env python
> 
> import socket
> 
> for n in range(5):
>     print(socket.gethostbyname('DomainDnsZones.mydomain.foo'))
> 
> with dnsmasq disabled:
> 
> [root@myhost ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
> 
> real 0m0.048s user 0m0.009s sys 0m0.009s
> 
> with dnsmasq enabled:
> 
> [root@b27wasl00148 ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
> 
> real 0m1.105s user 0m0.013s sys 0m0.007s
> 
> 48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq is a
> very large difference. On ordinary DNS entries dnsmasq performs well and
> caching improves the speed of DNS queries.
> 
> My motivation to use dnsmasq is to improve robustness and performance by
> running dnsmasq on every host ("Enterprise environment" with about 3000
> hosts in total) as a workaround for missing functionality in the glibc
> resolver like max 3 DNS servers, 1 sec timeout if a DNS server is
> misbehaving (rotate option + timeout 1 + attempts 1 improves this but DNS
> issues are still a large problem) and no caching.
> Do you have experience with such use of dnsmasq?
> 
> Thanks,
> 
> Erling
> 
> On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>> 
>> There's an option to dnsmasq called --filterwin2k which was an
>> ill-conceived attempt to modify this sort of query. Check that you
>> don't have that enabled. Apart from that, I'm not aware of anything in
>> dnsmasq that could cause this.
>> 
>> Cheers,
>> 
>> Simon.
>> 
>> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:
>> > Hi,
>> >
>> > We use AD to authenticate users for our Linux servers. Recently we
>> > started to try out dnsmasq in order to get better DNS request
>> > performance, better resilience (more DNS servers, avoid timeout:1,
>> > etc. with the standard glibc resolver).
>> >
>> > Today I noticed that about every fifth logon attempt is a lot
>> > slower than normal (10x the time). If I stop dnsmasq the slowdowns
>> > seem to disappear.
>> >
>> > I can see many AD-related DNS queries with Wireshark when
>> > logon is slow, like ForestDnsZones.mydomain and
>> > DomainDnsZones.mydomain. The replies are large (TCP-based); these
>> > queries return 20-30 A records for many domain controllers.
>> >
>> > Are you aware of similar problems with the dnsmasq /
>> > AD-integration combination?
>> >
>> > Thanks,
>> >
>> > Erling
>> >
>> >
>> > ___ Dnsmasq-discuss
>> > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk
>> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>> >
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>> 
>> iQIcBAEBCAAGBQJVCKNEAAoJEBXN2mrhkTWiTksP/0czuFYsKvU9oCz6FBMFQivW
>> tbgATUXAMxDT4PwMZVPVdhcNQiNkspO0fYf7eoLSRpdwLjw0Qcm2uHpoPREFZPVE
>> LXI+KSTc1qv2/Z3spAHiOLM1cF/8ERKlYwn3dlFbFTTW63XV53IRKsK1150uDqgH
>> WvAwdLAvXuaXrZt9HDt6Aqef+r6KnqGAkcfNIwwyLv7qTWDeT+xFcJ5qhfO+hFm9
>> LnZtEDs/r7rbTG8L3E2oyRl2eunWeyE9iYHqo2PEVLDur5QaAqxUbFmu1rYFPRIV
>> wCuMXz/n69Fwj6LMPlSQ2h/vl6SMYF2IXS0OnBeMVucuejWafJEguQFXMTCgPUuV
>> AjJXq8gl6NAtxW7JjvvxWJkDeSvUTHoZpHPHFa8Ioxvuzaoj1+OBaatwWyg4HtQf
>> V3KQSfduC1L+h3Xr7F3vHuGKr3kXT977QSdwb/VMXlay4ekQtpywNJga+vGhS/G1
>> 2VWl0NxsIa2RxC+58m5qCBRP73Yz6JWYoDNr3sE6SRP5M0442SP518/SzMz//d8f
>> Fb6RzMdgqnWXHG1BbPYz7KfmnVdb15LJP7k6KsxWCDmHSpNSKlUwNxe0s5N+C9bv
>> 5a0PlsbjnMn9iA6hGS125cbGsCU8h496BCFdKcbT4BQES9BcgYsPMwXiPAZ7h8lg
>> uwiUd71aUaOz0wPV9V46
>> =E5QU
>> -----END PGP SIGNATURE-----
>> 
>> ___
>> Dnsmasq-discuss mailing list
>> Dnsmasq-d

Re: [Dnsmasq-discuss] Problems with dnsmasq + authentication with AD

2015-03-25 Thread Erling Ringen Elvsrud
Thanks for your reply, I have tested further and
it certainly looks like dnsmasq does not handle multiple A records with the
same name like domaindnszones.mydomain.foo (resolves to 36 IP addresses)
and forestdnszones.mydomain.foo (resolves to 36 IP addresses) that well.

We use dnsmasq 2.48 (RHEL 6.6).

I have tested like this (hostnames and IP addresses anonymized):

#!/usr/bin/env python

import socket

for n in range(5):
    print(socket.gethostbyname('DomainDnsZones.mydomain.foo'))

with dnsmasq disabled:

[root@myhost ~]# time ./dns-test.py
10.68.62.31
10.67.2.31
10.68.133.36
10.68.130.31
10.35.27.32

real 0m0.048s user 0m0.009s sys 0m0.009s

with dnsmasq enabled:

[root@b27wasl00148 ~]# time ./dns-test.py
10.68.62.31
10.67.2.31
10.68.133.36
10.68.130.31
10.35.27.32

real 0m1.105s user 0m0.013s sys 0m0.007s

48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq is a
very large difference. On ordinary DNS entries dnsmasq performs well and
caching improves the speed of DNS queries.

My motivation to use dnsmasq is to improve robustness and performance by
running dnsmasq on every host ("Enterprise environment" with about 3000
hosts in total) as a workaround for missing functionality in the resolver in
glibc like max 3 DNS servers, 1 sec timeout if a DNS server is misbehaving
(rotate option + timeout 1 + attempts 1 improves this but DNS issues are
still a large problem) and no caching.
Do you have experience with such use of dnsmasq?

Thanks,

Erling


On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley 
wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> There's an option to dnsmasq called --filterwin2k which was an
> ill-conceived attempt to modify this sort of query. Check that you
> don't have that enabled. Apart from that, I'm not aware of anything in
> dnsmasq that could cause this.
>
> Cheers,
>
> Simon.
>
>
> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:
> > Hi,
> >
> > We use AD to authenticate users for our Linux servers. Recently we
> > started to try out dnsmasq in order to get better DNS request
> > performance, better resilience (more DNS servers, avoid timeout:1,
> > etc. with the standard glibc resolver).
> >
> > Today I noticed that about every fifth logon attempt is a lot
> > slower than normal (10x the time). If I stop dnsmasq the slowdowns
> > seem to disappear.
> >
> > I can see many AD-related DNS queries with Wireshark when
> > logon is slow, like ForestDnsZones.mydomain and
> > DomainDnsZones.mydomain. The replies are large (TCP-based); these
> > queries return 20-30 A records for many domain controllers.
> >
> > Are you aware of similar problems with the dnsmasq /
> > ad-integration combination?
> >
> > Thanks,
> >
> > Erling
> >
> >
> >
> > ___ Dnsmasq-discuss
> > mailing list Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJVCKNEAAoJEBXN2mrhkTWiTksP/0czuFYsKvU9oCz6FBMFQivW
> tbgATUXAMxDT4PwMZVPVdhcNQiNkspO0fYf7eoLSRpdwLjw0Qcm2uHpoPREFZPVE
> LXI+KSTc1qv2/Z3spAHiOLM1cF/8ERKlYwn3dlFbFTTW63XV53IRKsK1150uDqgH
> WvAwdLAvXuaXrZt9HDt6Aqef+r6KnqGAkcfNIwwyLv7qTWDeT+xFcJ5qhfO+hFm9
> LnZtEDs/r7rbTG8L3E2oyRl2eunWeyE9iYHqo2PEVLDur5QaAqxUbFmu1rYFPRIV
> wCuMXz/n69Fwj6LMPlSQ2h/vl6SMYF2IXS0OnBeMVucuejWafJEguQFXMTCgPUuV
> AjJXq8gl6NAtxW7JjvvxWJkDeSvUTHoZpHPHFa8Ioxvuzaoj1+OBaatwWyg4HtQf
> V3KQSfduC1L+h3Xr7F3vHuGKr3kXT977QSdwb/VMXlay4ekQtpywNJga+vGhS/G1
> 2VWl0NxsIa2RxC+58m5qCBRP73Yz6JWYoDNr3sE6SRP5M0442SP518/SzMz//d8f
> Fb6RzMdgqnWXHG1BbPYz7KfmnVdb15LJP7k6KsxWCDmHSpNSKlUwNxe0s5N+C9bv
> 5a0PlsbjnMn9iA6hGS125cbGsCU8h496BCFdKcbT4BQES9BcgYsPMwXiPAZ7h8lg
> uwiUd71aUaOz0wPV9V46
> =E5QU
> -----END PGP SIGNATURE-----
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
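Why the replies Erling sees are TCP-based, as an added example that is not from the thread and not dnsmasq's code: a name with 36 A records does not fit in a classic 512-byte UDP response even with name compression in the answer section, so a server answers over UDP with TC=1 and only the question, and a resolver that does not send EDNS0 retries over TCP. The code builds such a response the way a server would, truncates it the way a server would for UDP, and parses the result back. The query name and addresses are constructed, the record and query sizes are the RFC 1035 wire format, and nothing here says where the extra second in Erling's measurement is spent; it shows only why these particular answers leave UDP.

```python
"""Wire size of a multi-A-record answer and UDP truncation (constructed example)."""
import ipaddress
import struct

UDP_MAX_CLASSIC = 512  # RFC 1035 limit for a UDP response when the client sends no EDNS0
TC_FLAG = 0x0200       # TrunCation bit in the header flags


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(qname: str, addrs, ttl: int = 455, txid: int = 45) -> bytes:
    """Response with one A RR per address; each owner name is a pointer to the question."""
    flags = 0x8180  # QR=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        # 0xC00C: compression pointer to offset 12, where the question name starts,
        # so every answer costs 16 bytes regardless of the name length
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers


def question_end(msg: bytes) -> int:
    """Offset just past the question section (one question, uncompressed name)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4


def fits_in_udp(msg: bytes, udp_max: int = UDP_MAX_CLASSIC) -> bool:
    return len(msg) <= udp_max


def truncated_reply(msg: bytes) -> bytes:
    """What the server sends over UDP instead: TC=1, the question, no answers."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0) + msg[12:question_end(msg)]


def parse_a_records(msg: bytes):
    """Return (tc_flag, [addresses]) from a response in the format built above."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = question_end(msg)
    addrs = []
    for _ in range(an):
        if msg[pos] & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            pos += 2
        else:                        # literal name
            while msg[pos] != 0:
                pos += 1 + msg[pos]
            pos += 1
        rtype, _rclass, _rttl, rdlen = struct.unpack("!HHIH", msg[pos : pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[pos : pos + 4])))
        pos += rdlen
    return bool(flags & TC_FLAG), addrs


def demo(n_records: int, qname: str = "domaindnszones.mydomain.foo") -> dict:
    """Size of a full answer with n A records and what a non-EDNS client gets over UDP."""
    addrs = [f"10.0.{i // 256}.{i % 256 + 1}" for i in range(n_records)]  # constructed
    msg = build_a_response(qname, addrs)
    if fits_in_udp(msg):
        return {"size": len(msg), "needs_tcp": False, "udp_reply_records": n_records}
    tc = truncated_reply(msg)
    return {"size": len(msg), "needs_tcp": True, "udp_reply_records": len(parse_a_records(tc)[1])}


if __name__ == "__main__":
    for n in (5, 20, 36):
        print(n, demo(n))
```

With the thread's figures, 5 records come to 125 bytes and fit; the 36 records behind domaindnszones.mydomain.foo come to 621 bytes, so the UDP reply carries zero answers and the TC bit, and the real answer only arrives on the TCP retry.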