Re: [Dnsmasq-discuss] [PATCH v4] Connection track mark based DNS query filtering.
On 18.02.21, 22:10, "Dnsmasq-discuss on behalf of Geert Stappers" wrote:
> On Thu, Feb 18, 2021 at 12:11:55AM +0100, Etan Kissling wrote:
> > On 17.02.21, 23:41, Geert Stappers wrote:
> > > > +#if defined(HAVE_CONNTRACK) && defined(HAVE_UBUS)
> > >
> > > One of many
> >
> > Sorry, I don't understand the comment for these.
>
> The sorry should come from me. I was way too short with text.
> The thing I am trying to tell is that the wish is to avoid #if
> conditionals. The reason I remember is reducing the amount
> of different binaries. But HAVE_CONNTRACK is already
> present in the current source.

No new binaries are created with this patch.

The existing HAVE_CONNTRACK symbol is used to guard accessing Netfilter connection track marks.
The existing HAVE_UBUS symbol is used to guard OpenWrt specific code.

Furthermore, even when those symbols are defined, all new code only activates when the configuration option to enable the feature is set:

    if (option_bool(OPT_CMARK_ALST_EN))

Thanks

Etan

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] How to add AAAA record for host with dynamic prefix?
On 2021-02-13 20:22, Fred F wrote:
> Dear all,
>
> I'd like to bump this question. Isn't there anybody who is using dnsmasq in IPv6 networks with dynamic prefixes?
>
> Regards,
> Frederik
>
> On Sat, 10 Oct 2020 at 16:59, Fred F wrote:
> > Hi,
> >
> > I am using dnsmasq in an environment with a dynamic IPv6 prefix. On a few of my servers I am using statically assigned IP addresses for IPv4 and static interface tokens for IPv6 (through systemd-networkd). This way the machines will always have predictable v4 and v6 addresses without DHCP or SLAAC in the following format:
> >
> > v4: 192.168.1.1
> > v6: dead::beef:192:168:1:1 (where dead::beef is the current IPv6 prefix).
> >
> > Now I'd like to add records for these hostnames in dnsmasq. When defining DHCP/SLAAC ranges in dnsmasq there is the "constructor:ifname" syntax which automagically uses the interface's current IPv6 prefix. Is there something like that for host records? Something like this would be super cool, but I cannot get it to work:
> >
> > host-record=laptop,laptop.thekelleys.org,192.168.1.1,::192.168.1.1,constructor:eth0
> >
> > Is there any other way to do what I am doing? I know about the "ra-names" feature but unfortunately it's not compatible with IPv6 interface tokens other than the MAC address (a.k.a. default SLAAC).
> >
> > Best regards
> > Frederik

Hello Frederik,

IPv4 and IPv6 have different philosophies and you may get seduced to adopt your IPv4 knowledge to IPv6. Took me some time to get this sorted out myself. Actually your question is about IPv6 in general and not really dnsmasq specific.

IPv6 is by default multi-homed with multiple IPv6 addresses (SLAAC, temporary private, DHCPv6, etc.) of multiple IPv6 networks (GUA, ULA, LLA). In general GUAs are for WAN communications, ULAs for LAN/VPN communications and LLA for configuration-less on-link communication.

* LLA; Prefix fe80::/10; RFC 4291<3513<2373<1884
* ULA; Prefix fc00::/7 typically fd00::/8; RFC 4193
  * Side note: SLAs are deprecated and superseded by ULAs.
* GUA; Prefix 2000::/3; RFC 4291<3513<2373<1884

For local IPv6 addresses define yourself a random(!) ULA network (fdxx:::::/64) and assign static IPv6 addresses to your services/servers (SLAAC, temporary private, DHCPv6 in addition as it fits your needs). ULAs allow you to route traffic from/to ULAs (LAN/VPN) and also from/to GUAs without having a WAN connection on the servers/services, while LLA is not routed by design.

Even if you want the service to be reachable from outside via its GUA address, then you should still define static ULA addresses to be locally independent from your ISP service. Static addresses also allow you to contact your services/servers even when DHCP is down. I myself additionally set up a DHCP entry for them with their static IP addresses, so that they get their usual/planned IPv6 addresses during their setup or when running a live system from USB/CD/DVD.

My private local home office setup has 2 ULAs (one "production" ULA from my dnsmasq server, one fallback ULA from my FritzBox router) plus 1 GUA (from my FritzBox router). dnsmasq serves the static addresses from its /etc/hosts. But these are just my personal preferences.

Hope this points you to the right directions.

Kind regards
Matthias Bücher
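Matthias's advice above is to pick a random ULA per RFC 4193 and hand out static addresses from it. The following is an added example (my code, not from this thread, dnsmasq or systemd-networkd) that implements the RFC 4193 section 3.2.2 Global ID derivation (SHA-1 over an NTP timestamp and an EUI-64, low 40 bits), builds the resulting fd00::/8 /64, and then combines that prefix with the kind of fixed interface token Frederik describes (::192:168:1:1, i.e. the IPv4 octets written as hextets) to produce /etc/hosts lines that dnsmasq can serve. The MAC address, timestamp, prefix and hostname in the test values are constructed for illustration.

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp(now=None):
    """64-bit NTP timestamp: seconds since 1900 in the high 32 bits, fraction in the low 32."""
    if now is None:
        now = time.time()
    secs = int(now) + NTP_EPOCH_OFFSET
    frac = int((now - int(now)) * (1 << 32))
    return ((secs & 0xFFFFFFFF) << 32) | (frac & 0xFFFFFFFF)


def eui64_from_mac(mac48: bytes) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 App. A): insert ff:fe and flip the U/L bit."""
    if len(mac48) != 6:
        raise ValueError("expected a 6-byte MAC address")
    return bytes([mac48[0] ^ 0x02]) + mac48[1:3] + b"\xff\xfe" + mac48[3:]


def ula_global_id(mac48: bytes, now=None) -> int:
    """RFC 4193 section 3.2.2: SHA-1 over (NTP time || EUI-64), keep the least significant 40 bits."""
    key = struct.pack(">Q", ntp_timestamp(now)) + eui64_from_mac(mac48)
    return int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")


def ula_prefix(mac48: bytes, subnet_id: int = 0, now=None) -> ipaddress.IPv6Network:
    """fd00::/8 (fc00::/7 with the L bit set) | 40-bit Global ID | 16-bit Subnet ID -> one /64."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    bits = (0xFD << 120) | (ula_global_id(mac48, now) << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((bits, 64))


def token_from_ipv4(v4: str) -> int:
    """Interface token in the style ::192:168:1:1 - each decimal octet becomes its own hextet
    read as hex digits, so 192.168.1.1 -> 0x0192_0168_0001_0001 (an assumed convention)."""
    octets = str(ipaddress.IPv4Address(v4)).split(".")
    return int("".join(f"{int(o, 16):04x}" for o in octets), 16)


def host_address(network: ipaddress.IPv6Network, token: int) -> ipaddress.IPv6Address:
    """Static address = current /64 prefix + fixed 64-bit interface token. When a delegated
    GUA prefix rotates only the prefix half changes; a ULA prefix never does."""
    if network.prefixlen != 64:
        raise ValueError("expected a /64")
    return ipaddress.IPv6Address(int(network.network_address) | (token & ((1 << 64) - 1)))


def hosts_lines(network: ipaddress.IPv6Network, hosts: dict) -> list:
    """Lines for /etc/hosts (which dnsmasq serves): one v4 and one ULA v6 entry per host."""
    out = []
    for name, v4 in sorted(hosts.items()):
        out.append(f"{v4} {name}")
        out.append(f"{host_address(network, token_from_ipv4(v4))} {name}")
    return out


if __name__ == "__main__":
    # Constructed MAC for illustration; a real run would read one from the host.
    net = ula_prefix(bytes.fromhex("001122334455"), subnet_id=1)
    print("\n".join(hosts_lines(net, {"laptop": "192.168.1.1", "nas": "192.168.1.2"})))
```

The Global ID is only as unpredictable as SHA-1 over the inputs makes it, which is the point of the RFC's "random(!)" requirement: picking a memorable fd00:1::/64 by hand invites collisions when two such networks are later joined over a VPN.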
Re: [Dnsmasq-discuss] DKIM / DMARC emails.
On 17/02/2021 13:54, Etan Kissling wrote:
> When submitting a patch I noticed that the Dnsmasq mailing list modifies the subject of the email (prefix [Dnsmasq-discuss]) as well as appends 'Dnsmasq-discuss mailing list' information to the end of my message. These modifications break DKIM signatures of our emails, leading to them being filtered into Junk folders. DMARC is a security standard for assessing email authenticity.
>
> See my earlier patch:
> - [PATCH v4] Connection track mark based DNS query filtering.
>
> Other mailing lists such as netfilter-de...@vger.kernel.org do not share these DMARC problems.
>
> What is the preferred approach here to get my patch reviewed?

On 17.02.21 22:48, Simon Kelley wrote:
> There's no particular reason for that behaviour, I guess it was the default on whichever antediluvian version of mailman was first used to host the mailing list.
>
> It appears to be trivial to turn both features off, and I can't see any particular reason not to. Anyone object?

On 18/02/2021 12:47, Matus UHLAR - fantomas wrote:
> I personally prefer mailing lists without munging Subject and bodies. However many people seem not to be able to cope with it, since they don't understand how mailing lists work. This was apparently the reason why those are added.
>
> The page https://wiki.list.org/DEV/DMARC describes that in order to cope with DMARC the recommended option is to set dmarc_moderation_action to "Munge From". This solves the problem with sites using DMARC without DKIM, because DMARC in such case requires SPF to match header From:.

On 18.02.21 22:50, Simon Kelley wrote:
> That wiki page is just word-soup as far as I am concerned. Does setting dmarc_moderation_action to "munge from" fix Etan's original problem?

it should - it's designed to do exactly that.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. (Slovak: I do not want to receive any advertising mail at this address.)
Linux is like a teepee: no Windows, no Gates and an apache inside...
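Etan's report that a Subject prefix and an appended footer break DKIM can be checked mechanically. The following is an added example (my code, not from this thread, mailman or any DKIM library) that implements RFC 6376 "relaxed" header and body canonicalization and the bh= body hash, applies the two list modifications to a constructed message, and asks whether a verifier would still see the signed data unchanged. The headers, body, footer text and the l= handling are assumptions for illustration; no real signing key is involved because the hashes alone decide the outcome.

```python
import base64
import hashlib
import re
from typing import Optional

CRLF = "\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of WSP to one SP,
    drop trailing WSP on each line, drop trailing empty lines, end a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else ""


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r\n[ \t]+", " ", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse WSP, strip it around ':' and at the end
    return f"{name.lower()}:{value}{CRLF}"


def body_hash(body: str, length: Optional[int] = None) -> str:
    """The bh= value: base64(SHA-256) over the canonicalized body, or over only its first
    `length` octets when the signer used an l= tag (RFC 6376 section 3.7)."""
    canon = relaxed_body(body).encode()
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def header_hash_input(headers: dict, signed: tuple) -> str:
    """The canonicalized fields a signer covers with its h= list, in h= order."""
    return "".join(relaxed_header(n, headers[n]) for n in signed)


# Constructed sample resembling Etan's patch mail (not the real message).
SIGNED_FIELDS = ("From", "To", "Subject")
ORIGINAL_HEADERS = {
    "From": "Etan Kissling <etan@example.org>",
    "To": "Dnsmasq-discuss@lists.thekelleys.org.uk",
    "Subject": "[PATCH v4] Connection track mark based DNS query filtering.",
}
ORIGINAL_BODY = ("Add conntrack-mark based DNS query filtering." + CRLF + CRLF
                 + "Signed-off-by: Etan Kissling" + CRLF)
LIST_FOOTER = (CRLF + "_______________________________________________" + CRLF
               + "Dnsmasq-discuss mailing list" + CRLF)


def apply_list_munging(headers: dict, body: str, prefix: str = "[Dnsmasq-discuss] ",
                       footer: str = LIST_FOOTER):
    """What the list does on the way through: prefix the Subject, append a footer."""
    munged = dict(headers)
    if not munged["Subject"].startswith(prefix):
        munged["Subject"] = prefix + munged["Subject"]
    return munged, body + footer


def signature_survives(orig_headers: dict, orig_body: str, new_headers: dict, new_body: str,
                       signed: tuple = SIGNED_FIELDS, length: Optional[int] = None) -> bool:
    """A verifier recomputes both hashes from the message it received; the signature can only
    validate if the signed header data and the body hash are byte-for-byte what was signed."""
    return (header_hash_input(orig_headers, signed) == header_hash_input(new_headers, signed)
            and body_hash(orig_body, length) == body_hash(new_body, length))


if __name__ == "__main__":
    h, b = apply_list_munging(ORIGINAL_HEADERS, ORIGINAL_BODY)
    print("survives list munging:", signature_survives(ORIGINAL_HEADERS, ORIGINAL_BODY, h, b))
```

Two things the run shows beyond the report: relaxed canonicalization already tolerates whitespace-only changes (extra trailing blank lines, a doubled space in the Subject), so a list that only adjusted whitespace would not break anything; and an l= body-length tag would let the footer through but not the Subject prefix, and since l= also lets anyone append arbitrary content under a still-valid signature, RFC 6376 section 8.2 warns against relying on it. Turning the two list features off, or rewriting From: as the mailman DMARC page suggests, are the options that do not weaken the signature.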
Re: [Dnsmasq-discuss] getting different responses from high traffic DNSmasq
Hi Simon, hi Chris,

thanks a lot for your help. We updated to the latest version, by compiling it on our own, and now the issue is gone.

@Simon: Your smoking gun seems to be correct. The domains are just internal domains hosted on a free-ipa and consul :)

Best wishes and a really nice weekend
Boris

On Fri, 19 Feb 2021 at 00:38, Simon Kelley wrote:
>
> On 18/02/2021 09:44, Boris Behrens wrote:
> > This happened after the update from v2.76 to v2.80
> >
> > Is there a way how I can debug that deeper.
>
> The information you've given so far is useful, but not enough to allow
> someone to easily reproduce the problem, which is the key.
>
> Questions which need answering:
>
> 1) What are the actual domains which show this problem (email me direct
> if you don't want to publicise them.)
>
> 2) is the presence of ANY queries important? Do you get the same effect
> with other query types?
>
> 3) Do you see the same problem with the latest release? If not, then the
> problem reduces to finding the already committed fix, or upgrading your
> install. If we know it still exists in 2.84, then we can work on fixing
> that, instead of going back to old code.
>
> 4) If you turn on query logging, what gets logged during the sequence below.
>
> As a hunch, my guess is that
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=162e5e0062ce923c494cc64282f293f0ed64fc10
>
> which went into 2.81, may be the smoking gun, hence the importance of
> question 3.
>
> Simon.
>
> > On Wed, 17 Feb 2021 at 19:06, Boris Behrens wrote:
> >>
> >> Hello people,
> >> I've got a strange issue with a high traffic (>5 requests / sec) where it
> >> sometimes does not respond with the NXDOMAIN but with NOERROR.
> >>
> >> When we ask the upstream DNS directly we always get a NXDOMAIN response.
> >>
> >> We use DNSmasq 2.80-1.1ubuntu1.2
> >> We worked around this issue by disabling the cache.
> >>
> >> Someone got an idea what the problem is?
> >>
> >> The following requests are made in a frame of 2 seconds:
> >>
> >> /src # dig consul.mgmt.DOMAIN.TLD @10.0.0.204 -t ANY
> >> ; <<>> DiG 9.14.12 <<>> consul.mgmt.DOMAIN.TLD @10.0.0.204 -t ANY
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10713
> >> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags:; udp: 4096
> >> ; COOKIE: 111292d8f7ef4f7ce124a223602d53418932dae2b1b0e5ea (good)
> >> ;; QUESTION SECTION:
> >> ;consul.mgmt.DOMAIN.TLD. IN ANY
> >>
> >> ;; AUTHORITY SECTION:
> >> mgmt.DOMAIN.TLD. 3600 IN SOA ipa2.DOMAIN.TLD. hostmaster.mgmt.DOMAIN.TLD. 1613268909 3600 900 1209600 3600
> >>
> >> ;; Query time: 2 msec
> >> ;; SERVER: 10.0.0.204#53(10.0.0.204)
> >> ;; WHEN: Wed Feb 17 17:32:49 UTC 2021
> >> ;; MSG SIZE rcvd: 133
> >>
> >> ---
> >> /src # dig consul.mgmt.DOMAIN.TLD @10.0.0.204 -t ANY
> >> ; <<>> DiG 9.14.12 <<>> consul.mgmt.DOMAIN.TLD @10.0.0.204 -t ANY
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54953
> >> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags:; udp: 4096
> >> ; COOKIE: 2bd32278271acc813fbfb58b602d5345fddaeac8e012297f (good)
> >> ;; QUESTION SECTION:
> >> ;consul.mgmt.DOMAIN.TLD. IN ANY
> >>
> >> ;; Query time: 1 msec
> >> ;; SERVER: 10.0.0.204#53(10.0.0.204)
> >> ;; WHEN: Wed Feb 17 17:32:53 UTC 2021
> >> ;; MSG SIZE rcvd: 81
> >>
> >> ---
> >> /src # dig consul.mgmt.DOMAIN.TLD @10.0.0.204 -t ANY
> >> ; <<>> DiG 9.14.12 <<>> consul.mgmt.DOMAIN.TLD @10.0.0.204 -t ANY
> >> ;; global options: +cmd
> >> ;; Got answer:
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46107
> >> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> >>
> >> ;; OPT PSEUDOSECTION:
> >> ; EDNS: version: 0, flags:; udp: 4096
> >> ; COOKIE: daeb796bf30117b9d54983db602d534f207b56ad08f7ad15 (good)
> >> ;; QUESTION SECTION:
> >> ;consul.mgmt.DOMAIN.TLD. IN ANY
> >>
> >> ;; AUTHORITY SECTION:
> >> mgmt.DOMAIN.TLD. 3600 IN SOA ipa2.DOMAIN.TLD. hostmaster.mgmt.DOMAIN.TLD. 1613268909 3600 900 1209600 3600
> >>
> >> ;; Query time: 1 msec
> >> ;; SERVER: 10.0.0.204#53(10.0.0.204)
> >> ;; WHEN: Wed Feb 17 17:33:03 UTC 2021
> >> ;; MSG SIZE rcvd: 133
> >>
> >>
> >> Our config:
> >> bind-interfaces
> >> interface=ens18
> >> all-servers
> >> bogus-priv
> >> no-resolv
> >> no-hosts
> >> server=/DOMAINS.TLD/10.0.255.11
> >> server=/DOMAINS.TLD/10.0.255.12
> >> server=/puppet/10.0.255.11
> >> server=/puppet/10.0.255.12
> >> rev-server=10.0.0.0/8,10.0.255.11
> >> rev-server=10.0.0.0/8,10.0.255.12
> >> #server=/DOMAINS/10.0.0.201#8600
> >> #server=/DOMAINS/10.0.0.202#8600
> >> #server=/DOMAINS/10.0.0.203#8600
> >> #server=/DOMAINS/10.0.0.204#8600
> >> #server=/DOMAINS/10.0.0.205#8600
> >> server=/DOMAINS/10.0.240.11#8600
> >> serve
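The three dig runs Boris quotes differ in a way that is easy to miss by eye: the odd response out is not just NOERROR instead of NXDOMAIN, it also carries no SOA in the authority section. The following is an added example (my code, not from this thread or dnsmasq) that parses a sequence of dig outputs, classifies each as NXDOMAIN, NODATA (NOERROR with an empty answer section) or a positive answer, reports when one name flaps between kinds, and flags negative answers that lack the SOA which RFC 2308 section 5 requires before a negative response may be cached. The sample below is constructed from the quoted runs, reduced to the lines the check reads.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: header, count, SOA and WHEN lines from the three dig runs quoted
# above, separated by the same "---" marker Boris used.
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10713
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
mgmt.DOMAIN.TLD. 3600 IN SOA ipa2.DOMAIN.TLD. hostmaster.mgmt.DOMAIN.TLD. 1613268909 3600 900 1209600 3600
;; WHEN: Wed Feb 17 17:32:49 UTC 2021
---
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WHEN: Wed Feb 17 17:32:53 UTC 2021
---
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46107
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
mgmt.DOMAIN.TLD. 3600 IN SOA ipa2.DOMAIN.TLD. hostmaster.mgmt.DOMAIN.TLD. 1613268909 3600 900 1209600 3600
;; WHEN: Wed Feb 17 17:33:03 UTC 2021
"""


@dataclass
class DigResult:
    status: str
    answer: int
    authority: int
    has_soa: bool
    when: str

    def kind(self) -> str:
        """NXDOMAIN, NODATA (NOERROR but nothing in the answer section), or the raw rcode."""
        if self.status == "NXDOMAIN":
            return "NXDOMAIN"
        if self.status == "NOERROR" and self.answer == 0:
            return "NODATA"
        return self.status

    def negative_cacheable(self) -> bool:
        """RFC 2308 section 5: negative responses without an SOA SHOULD NOT be cached."""
        return self.kind() in ("NXDOMAIN", "NODATA") and self.has_soa


def parse_dig(text: str) -> List[DigResult]:
    """Split on the '---' separator and pull status, section counts, SOA presence and time."""
    results = []
    for chunk in re.split(r"^---\s*$", text, flags=re.M):
        header = re.search(r"status: (\w+), id: \d+", chunk)
        counts = re.search(r"ANSWER: (\d+), AUTHORITY: (\d+)", chunk)
        if not header or not counts:
            continue
        when = re.search(r";; WHEN: (.*)", chunk)
        results.append(DigResult(
            status=header.group(1),
            answer=int(counts.group(1)),
            authority=int(counts.group(2)),
            has_soa=bool(re.search(r"\sIN\s+SOA\s", chunk)),
            when=when.group(1).strip() if when else "",
        ))
    return results


def answer_kinds(results: List[DigResult]) -> List[str]:
    """Distinct response kinds for one name; more than one means the resolver is flapping."""
    return sorted({r.kind() for r in results})


def uncacheable_negatives(results: List[DigResult]) -> List[str]:
    """Timestamps of negative answers that carry no SOA and so must not be negatively cached."""
    return [r.when for r in results if r.kind() in ("NXDOMAIN", "NODATA") and not r.negative_cacheable()]


if __name__ == "__main__":
    parsed = parse_dig(SAMPLE_DIG_OUTPUT)
    print("kinds seen:", answer_kinds(parsed))
    print("negative answers without SOA:", uncacheable_negatives(parsed))
```

Fed the real output of a longer `dig` loop (or a dnsmasq `log-queries` transcript turned into the same fields), the same two functions answer Simon's questions 2 and 4: whether the flap is tied to the query type, and what the resolver handed out at the moment it disagreed with upstream.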