Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-20 Thread wkitty42

On 12/20/2016 07:26 PM, Markus Hartung wrote:

> $ cat /var/lib/misc/dnsmasq.leases
> 1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
> 1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *
>
> I have masked the MAC-address,



MACs are only good on the local link... once through a router, the original MACs 
are lost to anything further down stream... this is like masking RFC-1918 
addresses ;)



--
 NOTE: No off-list assistance is given without prior approval.
   *Please keep mailing list traffic on the list* unless
   private contact is specifically requested and granted.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-20 Thread Markus Hartung

On 2016-12-20 12:14, Toke Høiland-Jørgensen wrote:

> Well, arguably the Windows 10 behaviour is a feature - RFC7217 was
> written because the EUI-64 based approach has privacy issues (the client
> will use the same address on every network). So I would expect more and
> more clients to adopt the privacy-preserving approach. I believe
> NetworkManager has support for it on Linux, but am not sure if it's
> enabled by default.


Alright, after some researching I understand how the EUI-64 approach is 
working and how it might be a bad idea.


I don't have so many machines and the added security implications are 
worth the benefit.


And after re-reading the manpage of dnsmasq I found this:

*ra-names* enables a mode which gives DNS names to dual-stack hosts which
do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the
name, network segment and MAC address and assumes that the host will
also have an IPv6 address calculated using the SLAAC algorithm, on the
same network segment. The address is pinged, and if a reply is received,
an AAAA record is added to the DNS for this IPv6 address. Note that this
only happens for directly-connected networks (not one doing DHCP via
a relay) and it will not work if a host is using privacy extensions.
*ra-names* can be combined with *ra-stateless* and *slaac*.


So I guess the automatic creation of AAAA records doesn't work any more
if I enable privacy extensions.



> Haven't had time to play with it myself yet, so can't be of much help
> there; but as I understand it, the idea is that you configure the proxy
> to use a particular domain, and then point dnsmasq at it with --server.
> Don't think this will integrate with the auth server mechanism in
> dnsmasq, though; not sure if there's a way to achieve that.

I haven't been able to get any responses from ohybridproxy using dig so 
I guess there's something missing

$ ./ohybridproxy -p 1053 eno1=mydomain.se

$ dig host.mydomain.se  @:: -p 1053



Michael Stilkerich wrote:

> Windows 10 by default uses randomized identifiers instead of the MAC
> address. You can turn this off using the following command in an admin
> shell:
>
> netsh interface ipv6 set global randomizeidentifiers=disabled
>
> In addition to that, make sure that the Windows computer replies to the
> ICMP echo requests that dnsmasq uses to check if the address is in use.
>
> With this setting the Windows computer should still use temporary
> addresses to initiate outgoing connections, but be reachable on EUI-64
> based address.

Thanks for the pointers, now I'm able to correctly get an IPv6 address
that should work with ra-names. However it seems that dnsmasq doesn't
have any hostname in the DHCPv4 lease file.


$ cat /var/lib/misc/dnsmasq.leases
1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *

I have masked the MAC-address, as you can see the host at 192.168.1.184 
doesn't have any hostname. Is it that windows 10 does something wrong or 
anything else I can look at?


On 2016-12-20 12:53, Pali Rohár wrote:

> Another option is to stop using SLAAC and start using DHCPv6 where you
> have full control of assigned IPv6 addresses.
>
> Such feature like host will "randomly" choose address is unsuitable for
> setup when you need to have control of which address is assigned to
> which device (e.g. in this setup when you want to assign AAAA record).

That would of course be the optimal solution, is there a way to get
dnsmasq to do DHCPv6 and also add AAAA records or any third-party
programs/tools to achieve that?


---
Thanks for all your help so far guys!

Best regards,
Markus

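The ra-names mechanism quoted from the manpage above, worked through as an added example (not code from the thread or from dnsmasq): it derives the modified EUI-64 SLAAC address from each lease's MAC, shows that a lease with `*` as hostname gives ra-names nothing to publish, and checks whether a given address is EUI-64 derived at all, which is why an RFC 7217 or randomized identifier cannot be predicted from the lease. The prefix 2001:db8::/64, the lease lines and the MACs are constructed.

```python
"""Added example, not from the thread or from dnsmasq: how ra-names predicts a
dual-stack host's SLAAC address from its IPv4 lease (MAC -> modified EUI-64 ->
prefix + IID) and why RFC 7217 / randomized identifiers defeat that prediction."""
import ipaddress

# Constructed /var/lib/misc/dnsmasq.leases lines in the thread's layout:
# expiry, MAC, IPv4, hostname ('*' when the client sent none), client-id.
SAMPLE_LEASES = """\
1482365715 3e:aa:bb:cc:dd:02 192.168.1.184 * 01:3e:aa:bb:cc:dd:02
1482334524 00:11:22:33:44:67 192.168.1.133 hostname *
"""

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier: split the MAC, insert ff:fe,
    and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms with plain (non-privacy) SLAAC on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac)))

def mac_from_address(addr: str):
    """Inverse check: recover the MAC if the IID is EUI-64 derived, else None
    (a randomized or RFC 7217 stable-privacy IID carries no ff:fe marker)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)

def predict_aaaa(leases_text: str, prefix: str):
    """{hostname: predicted IPv6} for leases that carry a name; leases with
    '*' (no hostname) are returned separately: nothing to publish for them."""
    named, unnamed = {}, []
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _, mac, _, hostname = fields[:4]
        if hostname == "*":
            unnamed.append(mac)
        else:
            named[hostname] = slaac_address(prefix, mac)
    return named, unnamed
```

Running `mac_from_address` on the link-local address from the avahi output further down the thread (fe80::96de:80ff:fe12:3456) recovers a MAC, while the privacy-style address in the `ip a` output (fe80::f363:c1e2:9cb8:d9e2) yields None.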


Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-20 Thread Ziggy SpaceRat
Toke Høiland-Jørgensen wrote:

> will use the same address on every network). So I would expect more and
> more clients to adopt the privacy-preserving approach. I believe
> NetworkManager has support for it on Linux, but am not sure if it's
> enabled by default.
New installations of Debian and Ubuntu enable it by default.

>>> A way to get naming is to use ohybridproxy:
>> Thanks for the information, but I have managed to compile ohybridproxy
> Haven't had time to play with it myself yet, so can't be of much help

ohybridproxy won't help:
It is limited to mDNS/avahi.
Windows does not support mDNS/avahi.

It would help though if DNSMasq contained a combined mDNS/LLMNR
resolver.

If one compiles avahi with an LLMNR patch, it can resolve hosts that
do mDNS and hosts that do LLMNR:

root@linux ~ # avahi-resolve -6n windows.local
windows.local   fe80::96de:80ff:fe12:3456

It should be possible to add the LLMNR-patched resolver part of avahi
to DNSMasq.

-- 
Mit freundlichen Grüssen
Ziggy SpaceRat




Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-20 Thread Pali Rohár
On Tuesday 20 December 2016 12:14:19 Toke Høiland-Jørgensen wrote:
> Markus Hartung  writes:
> > On 2016-12-19 06:18, Toke Høiland-Jørgensen wrote:
> >> Markus Hartung  writes:
> >> 
> >> ...
> >> My guess is that Windows 10 implements RFC7217:
> >> https://tools.ietf.org/html/rfc7217
> >> 
> >> If this is the case, there is no way for dnsmasq to predict the
> >> IPv6 address of a new client (which is what ra-names relies on),
> >> and so you can't get the AAAA record.
> > 
> > It's a shame the windows 10 IPv6 implementation lacks that stuff.
> 
> Well, arguably the Windows 10 behaviour is a feature - RFC7217 was
> written because the EUI-64 based approach has privacy issues (the
> client will use the same address on every network). So I would
> expect more and more clients to adopt the privacy-preserving
> approach. I believe NetworkManager has support for it on Linux, but
> am not sure if it's enabled by default.

Another option is to stop using SLAAC and start using DHCPv6 where you 
have full control of assigned IPv6 addresses.

Such feature like host will "randomly" choose address is unsuitable for 
setup when you need to have control of which address is assigned to 
which device (e.g. in this setup when you want to assign AAAA record).

> >> A way to get naming is to use ohybridproxy:
> >> https://github.com/sbyx/ohybridproxy - this will query mdns on the
> >> network for AAAA records when asked. However, I am not sure if
> >> there is a way to integrate this with the authoritative server in
> >> dnsmasq (but if there is, I would love to know about it).
> > 
> > Thanks for the information, but I have managed to compile
> > ohybridproxy and have no idea on how to use it.
> 
> Haven't had time to play with it myself yet, so can't be of much help
> there; but as I understand it, the idea is that you configure the
> proxy to use a particular domain, and then point dnsmasq at it with
> --server. Don't think this will integrate with the auth server
> mechanism in dnsmasq, though; not sure if there's a way to achieve
> that.
> 
> The alternative is to turn off the private addresses in Windows 10,
> of course (as Michael suggested).

-- 
Pali Rohár
pali.ro...@gmail.com




Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-20 Thread Toke Høiland-Jørgensen
Markus Hartung  writes:

> On 2016-12-19 06:18, Toke Høiland-Jørgensen wrote:
>> Markus Hartung  writes:
>>
>> ...
>> My guess is that Windows 10 implements RFC7217:
>> https://tools.ietf.org/html/rfc7217
>>
>> If this is the case, there is no way for dnsmasq to predict the IPv6
>> address of a new client (which is what ra-names relies on), and so you
>> can't get the AAAA record.
>
> It's a shame the windows 10 IPv6 implementation lacks that stuff.

Well, arguably the Windows 10 behaviour is a feature - RFC7217 was
written because the EUI-64 based approach has privacy issues (the client
will use the same address on every network). So I would expect more and
more clients to adopt the privacy-preserving approach. I believe
NetworkManager has support for it on Linux, but am not sure if it's
enabled by default.

>> A way to get naming is to use ohybridproxy:
>> https://github.com/sbyx/ohybridproxy - this will query mdns on the
>> network for AAAA records when asked. However, I am not sure if there is
>> a way to integrate this with the authoritative server in dnsmasq (but if
>> there is, I would love to know about it).

> Thanks for the information, but I have managed to compile ohybridproxy
> and have no idea on how to use it.

Haven't had time to play with it myself yet, so can't be of much help
there; but as I understand it, the idea is that you configure the proxy
to use a particular domain, and then point dnsmasq at it with --server.
Don't think this will integrate with the auth server mechanism in
dnsmasq, though; not sure if there's a way to achieve that.

The alternative is to turn off the private addresses in Windows 10, of
course (as Michael suggested).

-Toke



[Dnsmasq-discuss] ProxyDHCP replies on invalid range

2016-12-20 Thread Alkis Georgopoulos
Hi, I've filed this as a bug report in launchpad, but I'm forwarding it 
here as well upon request:

https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1651044


In Ubuntu 16.04, I've configured dnsmasq to reply on 
subnet=10.160.37.0/24, yet it replies even when it gets an IP on 
subnet=10.161.254.0/24.


This happens after system restart, or after restarting dnsmasq with the 
ethernet cable unplugged.
If the ethernet cable is plugged in while restarting dnsmasq, it works 
as expected.
So maybe when dnsmasq starts and the network is down, it incorrectly 
initializes some networking information?
I'm using dnsmasq 2.75-1ubuntu0.16.04.1 on i386 architecture and 
network-manager 1.2.2-0ubuntu0.16.04.3 with DHCP.


Details:
$ egrep -rv '^#|^$' /etc/dnsmasq.*
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-range=10.160.37.0,proxy
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-range=192.168.67.20,192.168.67.250,8h
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:enable-tftp
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:tftp-root=/var/lib/tftpboot/
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-option=17,/opt/ltsp/i386
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-vendorclass=etherboot,Etherboot
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-vendorclass=pxe,PXEClient
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-vendorclass=ltsp,"Linux ipconfig"
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-boot=net:pxe,/ltsp/i386/pxelinux.0
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-boot=net:etherboot,/ltsp/i386/nbi.img
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-boot=net:ltsp,/ltsp/i386/lts.conf
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-option=vendor:pxe,6,2b
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:dhcp-no-override
/etc/dnsmasq.d/ltsp-server-dnsmasq.conf:pxe-service=X86PC, "Boot from network", /ltsp/i386/pxelinux


$ ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: enp2s0:  mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

link/ether d0:50:99:a6:bc:0a brd ff:ff:ff:ff:ff:ff
inet 10.161.254.185/24 brd 10.161.254.255 scope global dynamic enp2s0
   valid_lft 431873sec preferred_lft 431873sec
inet6 fe80::f363:c1e2:9cb8:d9e2/64 scope link
   valid_lft forever preferred_lft forever

$ sudo netstat -nap | grep dnsmasq
[sudo] password for administrator:
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 843/dnsmasq
tcp6 0 0 :::53 :::* LISTEN 843/dnsmasq
udp 0 0 0.0.0.0:53 0.0.0.0:* 843/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 843/dnsmasq
udp 0 0 0.0.0.0:69 0.0.0.0:* 843/dnsmasq
udp 0 0 0.0.0.0:4011 0.0.0.0:* 843/dnsmasq
udp6 0 0 :::53 :::* 843/dnsmasq
udp6 0 0 :::69 :::* 843/dnsmasq
unix 2 [ ] DGRAM 15746 843/dnsmasq

$ grep dnsmasq /var/log/syslog | tail -n 30
Dec 19 10:52:17 ltsp-server systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
Dec 19 10:52:17 ltsp-server dnsmasq[630]: dnsmasq: syntax check OK.
Dec 19 10:52:20 ltsp-server dnsmasq[843]: started, version 2.75 cachesize 150
Dec 19 10:52:20 ltsp-server dnsmasq[843]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Dec 19 10:52:20 ltsp-server dnsmasq[843]: DNS service limited to local subnets
Dec 19 10:52:20 ltsp-server dnsmasq-dhcp[843]: DHCP, IP range 192.168.67.20 -- 192.168.67.250, lease time 8h
Dec 19 10:52:20 ltsp-server dnsmasq-dhcp[843]: DHCP, proxy on subnet 10.160.37.0
Dec 19 10:52:20 ltsp-server dnsmasq-tftp[843]: TFTP root is /var/lib/tftpboot/
Dec 19 10:52:20 ltsp-server dnsmasq[843]: no servers found in /var/run/dnsmasq/resolv.conf, will retry
Dec 19 10:52:20 ltsp-server dnsmasq[843]: read /etc/hosts - 7 addresses
Dec 19 10:52:23 ltsp-server systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Dec 19 10:52:29 ltsp-server dnsmasq[843]: reading /var/run/dnsmasq/resolv.conf
Dec 19 10:52:29 ltsp-server dnsmasq[843]: ignoring nameserver 127.0.0.1 - local interface
Dec 19 10:52:29 ltsp-server dnsmasq[843]: using nameserver 194.63.238.4#53
Dec 19 10:52:29 ltsp-server dnsmasq[843]: using nameserver 8.8.8.8#53
Dec 19 08:52:47 ltsp-server dnsmasq-dhcp[843]: PXE(enp2s0) 52:54:00:8f:74:ad proxy
Dec 19 08:52:47 ltsp-server dnsmasq-dhcp[843]: PXE(enp2s0) 10.161.254.195 52:54:00:8f:74:ad /ltsp/i386/pxelinux.0
Dec 19 08:52:47 ltsp-server dnsmasq-tftp[843]: sent /var/lib/tftpboot/ltsp/i386/pxelinux.0 to 10.161.254.195

...

Note that it replies in "52:54:00:8f:74:ad proxy" while it shouldn't.
If I run this:
# service dnsmasq restart

Then it behaves correctly:
Dec 19 09:01:17 ltsp-server dnsmasq-dhcp[2381]: no address range available for DHCP request via enp2s0



Kind regards,
Alkis Georgopoulos


Re: [Dnsmasq-discuss] Windows ipv6 hostname

2016-12-20 Thread Michael Stilkerich

Hello Markus,

Windows 10 by default uses randomized identifiers instead of the MAC 
address. You can turn this off using the following command in an admin 
shell:


netsh interface ipv6 set global randomizeidentifiers=disabled

In addition to that, make sure that the Windows computer replies to the 
ICMP echo requests that dnsmasq uses to check if the address is in use.


With this setting the Windows computer should still use temporary 
addresses to initiate outgoing connections, but be reachable on EUI-64 
based address.


-Mike

On 2016-12-19 00:07, Markus Hartung wrote:

> Hello,
>
> Anyone here that is more knowledgeable about IPv6 and Windows 10 hosts?
>
> I have set up my dnsmasq as an authoritative DNS server and have enabled
> RA with these options:
>
> enable-ra
> dhcp-range=tag:eno1,::1,::,constructor:eno1,ra-names,24h
>
> It seems that my linux hosts are correctly getting an IPv6 address and
> correctly register an AAAA record in the DNS server.
>
> My Windows 10 host gets an IPv6 address but doesn't get any AAAA record.
>
> Can anyone shed any light on the situation? Do the linux and windows
> hosts get their IPv6 differently? And is there a way to get windows to
> register an AAAA record?
>
> Cheers,
> Markus




