Re: [Dnsmasq-discuss] Windows ipv6 hostname
On 12/20/2016 07:26 PM, Markus Hartung wrote:
> $ cat /var/lib/misc/dnsmasq.leases
> 1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
> 1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *
>
> I have masked the MAC-address,

MACs are only good on the local link... once through a router, the original MACs are lost to anything further downstream... this is like masking RFC-1918 addresses ;)

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Windows ipv6 hostname
On 2016-12-20 12:14, Toke Høiland-Jørgensen wrote:
> Well, arguably the Windows 10 behaviour is a feature - RFC7217 was written because the EUI-64 based approach has privacy issues (the client will use the same address on every network). So I would expect more and more clients to adopt the privacy-preserving approach. I believe NetworkManager has support for it on Linux, but am not sure if it's enabled by default.

Alright, after some researching I understand how the EUI-64 approach is working and how it might be a bad idea. I don't have so many machines and the added security implications are worth the benefit. And after re-reading the manpage of dnsmasq I found this:

    *ra-names* enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an record is added to the DNS for this IPv6 address. Note that this is only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. *ra-names* can be combined with *ra-stateless* and *slaac.*

So I guess the automatic creation of -records doesn't work any more if I enable privacy extensions.

> Haven't had time to play with it myself yet, so can't be of much help there; but as I understand it, the idea is that you configure the proxy to use a particular domain, and then point dnsmasq at it with --server. Don't think this will integrate with the auth server mechanism in dnsmasq, though; not sure if there's a way to achieve that.

I haven't been able to get any responses from ohybridproxy using dig so I guess there's something missing

    $ ./ohybridproxy -p 1053 eno1=mydomain.se
    $ dig host.mydomain.se @:: -p 1053

> Windows 10 by default uses randomized identifiers instead of the MAC address. You can turn this off using the following command in an admin shell:
>
>     netsh interface ipv6 set global randomizeidentifiers=disabled
>
> In addition to that, make sure that the Windows computer replies to the ICMP echo requests that dnsmasq uses to check if the address is in use.
>
> With this setting the Windows computer should still use temporary addresses to initiate outgoing connections, but be reachable on EUI-64 based address.

Thanks for the pointers, now I'm able to correctly get an IPv6-address that should work with ra-names. However it seems that dnsmasq doesn't have any hostname in the DHCPv4 lease file.

    $ cat /var/lib/misc/dnsmasq.leases
    1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
    1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *

I have masked the MAC-address, as you can see the host at 192.168.1.184 doesn't have any hostname. Is it that windows 10 does something wrong or anything else I can look at?

On 2016-12-20 12:53, Pali Rohár wrote:
> Another option is to stop using SLAAC and start using DHCPv6 where you have full control of assigned IPv6 addresses. Such feature like host will "randomly" choose address is unsuitable for setup when you need to have control of which address is assigned to which device (e.g. in this setup when you want to assign record).

That would of course be the optimal solution, is there a way to get dnsmasq to do DHCPv6 and also add -records or any third-party programs/tools to achieve that?

---

Thanks for all your help so far guys!

Best regards,
Markus

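Added example (not part of the original thread and not dnsmasq's own code): the address prediction that the ra-names text quoted above relies on, applied to a lease file. It derives the modified EUI-64 address for each DHCPv4 lease and separates out leases with no hostname, which have no name to publish. The prefix 2001:db8:0:1::/64, the full MAC addresses and the host name "linuxbox" are constructed for the illustration.

```python
import ipaddress

# Constructed sample in the dnsmasq.leases layout shown in the thread
# (expiry, MAC, IPv4, hostname or "*", client-id); the MACs are made up.
SAMPLE_LEASES = """\
1482365715 52:54:00:12:34:56 192.168.1.184 * 01:52:54:00:12:34:56
1482334524 00:16:3e:aa:bb:67 192.168.1.133 linuxbox *
"""

def eui64_address(prefix, mac):
    """Modified EUI-64 SLAAC address for a /64 prefix and a 48-bit MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def predicted_names(leases_text, prefix):
    """Return (named, unnamed): hostname -> predicted address, and IPv4s with no name."""
    named, unnamed = {}, []
    for line in leases_text.splitlines():
        fields = line.split()
        # Skip blank lines, the "duid" line and DHCPv6 leases (no MAC in field 2).
        if len(fields) < 4 or fields[1].count(":") != 5 or ":" in fields[2]:
            continue
        _, mac, ipv4, hostname = fields[:4]
        if hostname == "*":
            unnamed.append(ipv4)  # no name in the lease, nothing to publish
        else:
            named[hostname] = eui64_address(prefix, mac)
    return named, unnamed

def uses_eui64(observed, prefix, mac):
    """True if the address a host configured is the one derived from its MAC."""
    return ipaddress.IPv6Address(observed) == eui64_address(prefix, mac)

if __name__ == "__main__":
    named, unnamed = predicted_names(SAMPLE_LEASES, "2001:db8:0:1::/64")
    for host, addr in named.items():
        print(host, addr)
    print("no hostname in lease:", unnamed)
```

A host with randomized or RFC7217 identifiers makes uses_eui64() return False for its real address, which is the case where the predicted address never answers the ping.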
Re: [Dnsmasq-discuss] Windows ipv6 hostname
Toke Høiland-Jørgensen wrote:
> will use the same address on every network). So I would expect more and
> more clients to adopt the privacy-preserving approach. I believe
> NetworkManager has support for it on Linux, but am not sure if it's
> enabled by default.

New installations of Debian and Ubuntu enable it by default.

>>> A way to get naming is to use ohybridproxy:
>> Thanks for the information, but I have managed to compile ohybridproxy
> Haven't had time to play with it myself yet, so can't be of much help

ohybridproxy won't help: It is limited to mDNS/avahi. Windows does not support mDNS/avahi.

It would help though if DNSMasq contained a combined mDNS/LLMNR resolver. If one compiles avahi with an LLMNR patch, it can resolve hosts that do mDNS and hosts that do LLMNR:

    root@linux ~ # avahi-resolve -6n windows.local
    windows.local fe80::96de:80ff:fe12:3456

It should be possible to add the LLMNR-patched resolver part of avahi to DNSMasq.

--
Kind regards
Ziggy SpaceRat

Re: [Dnsmasq-discuss] Windows ipv6 hostname
On Tuesday 20 December 2016 12:14:19 Toke Høiland-Jørgensen wrote:
> Markus Hartung writes:
> > On 2016-12-19 06:18, Toke Høiland-Jørgensen wrote:
> >> Markus Hartung writes:
> >>
> >> ...
> >> My guess is that Windows 10 implements RFC7217:
> >> https://tools.ietf.org/html/rfc7217
> >>
> >> If this is the case, there is no way for dnsmasq to predict the
> >> IPv6 address of a new client (which is what ra-names relies on),
> >> and so you can't get the record.
> >
> > It's a shame the windows 10 IPv6 implementation lacks those stuff.
>
> Well, arguably the Windows 10 behaviour is a feature - RFC7217 was
> written because the EUI-64 based approach has privacy issues (the
> client will use the same address on every network). So I would
> expect more and more clients to adopt the privacy-preserving
> approach. I believe NetworkManager has support for it on Linux, but
> am not sure if it's enabled by default.

Another option is to stop using SLAAC and start using DHCPv6 where you have full control of assigned IPv6 addresses. Such feature like host will "randomly" choose address is unsuitable for setup when you need to have control of which address is assigned to which device (e.g. in this setup when you want to assign record).

> >> A way to get naming is to use ohybridproxy:
> >> https://github.com/sbyx/ohybridproxy - this will query mdns on the
> >> network for records when asked. However, I am not sure if
> >> there is a way to integrate this with the authoritative server in
> >> dnsmasq (but if there is, I would love to know about it).
> >
> > Thanks for the information, but I have managed to compile
> > ohybridproxy and have no idea on how to use it.
>
> Haven't had time to play with it myself yet, so can't be of much help
> there; but as I understand it, the idea is that you configure the
> proxy to use a particular domain, and then point dnsmasq at it with
> --server. Don't think this will integrate with the auth server
> mechanism in dnsmasq, though; not sure if there's a way to achieve
> that.
>
> The alternative is to turn off the private addresses in Windows 10,
> of course (as Michael suggested).

--
Pali Rohár
pali.ro...@gmail.com

Re: [Dnsmasq-discuss] Windows ipv6 hostname
Markus Hartung writes:

> On 2016-12-19 06:18, Toke Høiland-Jørgensen wrote:
>> Markus Hartung writes:
>>
>> ...
>> My guess is that Windows 10 implements RFC7217:
>> https://tools.ietf.org/html/rfc7217
>>
>> If this is the case, there is no way for dnsmasq to predict the IPv6
>> address of a new client (which is what ra-names relies on), and so you
>> can't get the record.
>
> It's a shame the windows 10 IPv6 implementation lacks those stuff.

Well, arguably the Windows 10 behaviour is a feature - RFC7217 was written because the EUI-64 based approach has privacy issues (the client will use the same address on every network). So I would expect more and more clients to adopt the privacy-preserving approach. I believe NetworkManager has support for it on Linux, but am not sure if it's enabled by default.

>> A way to get naming is to use ohybridproxy:
>> https://github.com/sbyx/ohybridproxy - this will query mdns on the
>> network for records when asked. However, I am not sure if there is
>> a way to integrate this with the authoritative server in dnsmasq (but if
>> there is, I would love to know about it).

> Thanks for the information, but I have managed to compile ohybridproxy
> and have no idea on how to use it.

Haven't had time to play with it myself yet, so can't be of much help there; but as I understand it, the idea is that you configure the proxy to use a particular domain, and then point dnsmasq at it with --server. Don't think this will integrate with the auth server mechanism in dnsmasq, though; not sure if there's a way to achieve that.

The alternative is to turn off the private addresses in Windows 10, of course (as Michael suggested).

-Toke

[Dnsmasq-discuss] ProxyDHCP replies on invalid range
Hi,

I've filed this as a bug report in launchpad, but I'm forwarding it here as well upon request:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1651044

In Ubuntu 16.04, I've configured dnsmasq to reply on subnet=10.160.37.0/24, yet it replies even when it gets an IP on subnet=10.161.254.0/24.

This happens after system restart, or after restarting dnsmasq with the ethernet cable unplugged. If the ethernet cable is plugged in while restarting dnsmasq, it works as expected. So maybe when dnsmasq starts and the network is down, it incorrectly initializes some networking information?

I'm using dnsmasq 2.75-1ubuntu0.16.04.1 on i386 architecture and network-manager 1.2.2-0ubuntu0.16.04.3 with DHCP.

Details:

    $ egrep -rv '^#|^$' /etc/dnsmasq.*
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-range=10.160.37.0,proxy
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-range=192.168.67.20,192.168.67.250,8h
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:enable-tftp
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:tftp-root=/var/lib/tftpboot/
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-option=17,/opt/ltsp/i386
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-vendorclass=etherboot,Etherboot
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-vendorclass=pxe,PXEClient
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-vendorclass=ltsp,"Linux ipconfig"
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-boot=net:pxe,/ltsp/i386/pxelinux.0
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-boot=net:etherboot,/ltsp/i386/nbi.img
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-boot=net:ltsp,/ltsp/i386/lts.conf
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-option=vendor:pxe,6,2b
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-no-override
    /etc/dnsmasq.d/ltsp-server-dnsmasq.conf:pxe-service=X86PC, "Boot from network", /ltsp/i386/pxelinux

    $ ip a
    1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: enp2s0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether d0:50:99:a6:bc:0a brd ff:ff:ff:ff:ff:ff
        inet 10.161.254.185/24 brd 10.161.254.255 scope global dynamic enp2s0
           valid_lft 431873sec preferred_lft 431873sec
        inet6 fe80::f363:c1e2:9cb8:d9e2/64 scope link
           valid_lft forever preferred_lft forever

    $ sudo netstat -nap | grep dnsmasq
    [sudo] password for administrator:
    tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 843/dnsmasq
    tcp6 0 0 :::53 :::* LISTEN 843/dnsmasq
    udp 0 0 0.0.0.0:53 0.0.0.0:* 843/dnsmasq
    udp 0 0 0.0.0.0:67 0.0.0.0:* 843/dnsmasq
    udp 0 0 0.0.0.0:69 0.0.0.0:* 843/dnsmasq
    udp 0 0 0.0.0.0:4011 0.0.0.0:* 843/dnsmasq
    udp6 0 0 :::53 :::* 843/dnsmasq
    udp6 0 0 :::69 :::* 843/dnsmasq
    unix 2 [ ] DGRAM 15746 843/dnsmasq

    $ grep dnsmasq /var/log/syslog | tail -n 30
    Dec 19 10:52:17 ltsp-server systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
    Dec 19 10:52:17 ltsp-server dnsmasq[630]: dnsmasq: syntax check OK.
    Dec 19 10:52:20 ltsp-server dnsmasq[843]: started, version 2.75 cachesize 150
    Dec 19 10:52:20 ltsp-server dnsmasq[843]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
    Dec 19 10:52:20 ltsp-server dnsmasq[843]: DNS service limited to local subnets
    Dec 19 10:52:20 ltsp-server dnsmasq-dhcp[843]: DHCP, IP range 192.168.67.20 -- 192.168.67.250, lease time 8h
    Dec 19 10:52:20 ltsp-server dnsmasq-dhcp[843]: DHCP, proxy on subnet 10.160.37.0
    Dec 19 10:52:20 ltsp-server dnsmasq-tftp[843]: TFTP root is /var/lib/tftpboot/
    Dec 19 10:52:20 ltsp-server dnsmasq[843]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
    Dec 19 10:52:20 ltsp-server dnsmasq[843]: read /etc/hosts - 7 addresses
    Dec 19 10:52:23 ltsp-server systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
    Dec 19 10:52:29 ltsp-server dnsmasq[843]: reading /var/run/dnsmasq/resolv.conf
    Dec 19 10:52:29 ltsp-server dnsmasq[843]: ignoring nameserver 127.0.0.1 - local interface
    Dec 19 10:52:29 ltsp-server dnsmasq[843]: using nameserver 194.63.238.4#53
    Dec 19 10:52:29 ltsp-server dnsmasq[843]: using nameserver 8.8.8.8#53
    Dec 19 08:52:47 ltsp-server dnsmasq-dhcp[843]: PXE(enp2s0) 52:54:00:8f:74:ad proxy
    Dec 19 08:52:47 ltsp-server dnsmasq-dhcp[843]: PXE(enp2s0) 10.161.254.195 52:54:00:8f:74:ad /ltsp/i386/pxelinux.0
    Dec 19 08:52:47 ltsp-server dnsmasq-tftp[843]: sent /var/lib/tftpboot/ltsp/i386/pxelinux.0 to 10.161.254.195
    ...

Note that it replies in "52:54:00:8f:74:ad proxy" while it shouldn't. If I run this:

    # service dnsmasq restart

Then it behaves correctly:

    Dec 19 09:01:17 ltsp-server dnsmasq-dhcp[2381]: no address range available for DHCP request via enp2s0

Kind regards,
Alkis Georgopoulos

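Added example (not part of the original report and not dnsmasq code): a log check for the symptom reported above, flagging PXE boot replies sent to clients outside every proxy subnet that dnsmasq announced at startup. The log lines are the ones from the report; the /24 prefix length is taken from the report's description, since the syslog line itself prints only the subnet address.

```python
import ipaddress
import re

# Log lines copied from the report above.
SAMPLE_SYSLOG = """\
Dec 19 10:52:20 ltsp-server dnsmasq-dhcp[843]: DHCP, proxy on subnet 10.160.37.0
Dec 19 08:52:47 ltsp-server dnsmasq-dhcp[843]: PXE(enp2s0) 52:54:00:8f:74:ad proxy
Dec 19 08:52:47 ltsp-server dnsmasq-dhcp[843]: PXE(enp2s0) 10.161.254.195 52:54:00:8f:74:ad /ltsp/i386/pxelinux.0
Dec 19 09:01:17 ltsp-server dnsmasq-dhcp[2381]: no address range available for DHCP request via enp2s0
"""

PROXY_RE = re.compile(r"dnsmasq-dhcp\[\d+\]: DHCP, proxy on subnet (\S+)")
PXE_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: PXE\((\S+)\) (\d+\.\d+\.\d+\.\d+) ([0-9a-f:]{17}) (\S+)"
)

def out_of_range_pxe(log_text, prefixlen=24):
    """Return (iface, client, mac, bootfile) for PXE replies outside all proxy subnets."""
    subnets, findings = [], []
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            # The log prints only the subnet address; the mask is an assumption.
            net = ipaddress.ip_network("%s/%d" % (m.group(1), prefixlen), strict=False)
            subnets.append(net)
            continue
        m = PXE_RE.search(line)
        if m:
            iface, client, mac, bootfile = m.groups()
            addr = ipaddress.ip_address(client)
            if not any(addr in net for net in subnets):
                findings.append((iface, client, mac, bootfile))
    return findings

if __name__ == "__main__":
    for iface, client, mac, bootfile in out_of_range_pxe(SAMPLE_SYSLOG):
        print("PXE reply outside proxy subnets: %s %s %s %s" % (iface, client, mac, bootfile))
```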
Re: [Dnsmasq-discuss] Windows ipv6 hostname
Hello Markus,

Windows 10 by default uses randomized identifiers instead of the MAC address. You can turn this off using the following command in an admin shell:

    netsh interface ipv6 set global randomizeidentifiers=disabled

In addition to that, make sure that the Windows computer replies to the ICMP echo requests that dnsmasq uses to check if the address is in use.

With this setting the Windows computer should still use temporary addresses to initiate outgoing connections, but be reachable on EUI-64 based address.

-Mike

On 2016-12-19 00:07, Markus Hartung wrote:
> Hello,
>
> Anyone here that is more knowledgeable about IPv6 and Windows 10 hosts?
>
> I have set up my dnsmasq as an authoritative DNS server and have enabled ra with these options:
>
>     enable-ra
>     dhcp-range=tag:eno1,::1,::,constructor:eno1,ra-names,24h
>
> It seems that my linux hosts are correctly getting a IPv6 address and registers correctly a -record in the DNS server. My Windows 10 host gets an IPv6 address but doesn't get any -record.
>
> Can anyone shed any light on the situation? Do the linux and windows hosts get their IPv6 differently? And is there a way to get windows to register an -record?
>
> Cheers,
> Markus