Re: [Dnsmasq-discuss] priority of local= and ipset=

2022-01-06 Thread Justin
thanks Simon

another related question

1)

if I have 6000 domains, do I write 6000 lines of local=/domain/8.8.8.8, or
do I write

local=/domain1/2/3/.../8.8.8.8

which one is faster for dnsmasq to locate and assign the nameserver?

2)

btw, how much time does it take for dnsmasq (2.86 here) to locate one
domain from 100,000 domains in conf-file in the form of local= or ipset=?

3)

is the search speed for local= and ipset= the same? I mean, do they use the
same algo?



On Fri, Jan 7, 2022 at 07:46 Simon Kelley  wrote:

> repeating a domain in --server (or --local) is sensible and dnsmasq will
> use some or all of the servers for an individual query, depending on
> unknowable stuff.
>
> You would imagine that
>
> ipset=/google.com/one
> ipset=/google.com/two
>
> would be equivalent to the documented
>
> ipset=/google.com/one,two
>
> but clearly it isn't. The advice is to stick to the documented way of
> expressing those semantics, I guess.
>
>
> Cheers,
> Simon.
>
>
>
> On 04/01/2022 07:55, Justin wrote:
> > I just did some test. looks like the 'google.com' will be sent to both
> > 1.1.1.1 and 8.8.8.8. but all the resolved ip address will only be
> > added to ipset 'one'
> >
> > On Tue, Jan 4, 2022 at 2:20 PM Justin  wrote:
> >>
> >> Hello
> >> i have settings in the order like this in dnsmasq.conf
> >>
> >> local=/google.com/1.1.1.1
> >> local=/google.com/8.8.8.8
> >> ipset=/google.com/one
> >> ipset=/google.com/two
> >>
> >> what is the behavior of dnsmasq? which nameserver will be used to
> >> resolve google.com and which set name will the resolved ip of
> >> google.com be added to?
> >>
> >> thanks.
> >
-- 

Regards
Justin He
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


[Dnsmasq-discuss] [PATCH] Strip EDNS(0) Client Subnet / MAC information

2022-01-06 Thread Dominik Derigs
Hey Simon,

a series of patches (multiple mails) follows. This is the first
one:

Strip EDNS(0) Client Subnet / MAC information if --strip-subnet
or --strip-mac is set.
If BOTH the add and strip options are set, incoming EDNS0 options
are REPLACED.

This ensures we do not unintentionally forward client information
somewhere upstream when ECS is used in lower DNS layers in our
local network. Some upstream servers, for instance, Google DNS,
even refuse to answer when ECS contains a 192.168.0.0/16 address.

Best,
Dominik
From cb72bf20ce317a8d4c727d7818b2e20b33832eae Mon Sep 17 00:00:00 2001
From: Dominik Derigs 
Date: Fri, 7 Jan 2022 06:11:53 +0100
Subject: [PATCH] Strip EDNS(0) Client Subnet / MAC information if
 --strip-subnet or --strip-mac is set. If both the add and strip options are
 set, incoming EDNS0 options are replaced. This ensures we do not
 unintentionally forward client information somewhere upstream when ECS is
 used in lower DNS layers in our local network.

Signed-off-by: DL6ER 
---
 src/dnsmasq.h |  4 +++-
 src/edns0.c   | 33 ++---
 src/option.c  |  6 ++
 3 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1b00298..7384a1a 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -277,7 +277,9 @@ struct event_desc {
 #define OPT_QUIET_TFTP 66
 #define OPT_FILTER_A   67
 #define OPT_FILTER_68
-#define OPT_LAST   69
+#define OPT_STRIP_ECS  69
+#define OPT_STRIP_MAC  70
+#define OPT_LAST   71
 
 #define OPTION_BITS (sizeof(unsigned int)*8)
 #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) )
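Review bot: OPT_STRIP_ECS is introduced here but none of the edns0.c hunks visible in this mail reference it; the add_edns0_config hunk only branches on OPT_STRIP_MAC, and add_source_addr gains a `replace` parameter whose caller is not shown. If the client-subnet branch is meant to pass `option_bool(OPT_STRIP_ECS) ? 1 : 0` the way the MAC branch does, make sure that hunk is part of the patch (the diffstat counts 33 changed lines in edns0.c, more than appear below); otherwise the new bit is dead. Naming nit: the commit message calls the option --strip-subnet while the define says ECS; using one term in both places makes the option greppable.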
diff --git a/src/edns0.c b/src/edns0.c
index 5de6cb2..1599040 100644
--- a/src/edns0.c
+++ b/src/edns0.c
@@ -291,7 +291,7 @@ static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned ch
 
 
 static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit,
-		  union mysockaddr *l3, time_t now, int *cacheablep)
+		  union mysockaddr *l3, time_t now, int *cacheablep, const int replace)
 {
   int maclen;
   unsigned char mac[DHCP_CHADDR_MAX];
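Review bot: the new `replace` parameter is undocumented, and its values are not booleans: the body passes it straight through as the last argument of add_pseudoheader, where the strip-only path below uses the literal 2 while this path receives 0 or 1. Add a comment at the prototype (or named constants) stating what 0, 1 and 2 mean to add_pseudoheader, so a caller does not have to read that function to use add_mac correctly.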
@@ -299,8 +299,13 @@ static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *lim
   if ((maclen = find_mac(l3, mac, 1, now)) != 0)
 {
   *cacheablep = 0;
-  plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); 
+  plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, replace);
 }
+  else if(replace > 0)
+  {
+/* Asked to replace MAC address but it is not available here. We just remove whatever might be there */
+plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_MAC, NULL, 0, 0, 2);
+  }
   
   return plen; 
 }
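Review bot: the two branches call add_pseudoheader with different size limits: the existing path keeps `PACKETSZ`, the new `else if` path uses `daemon->edns_pktsz`. Either one of them is wrong or the difference deserves a comment; since a strip-only call cannot grow the packet, keeping `PACKETSZ` in both would at least make the function self-consistent. Style: `else if(replace > 0)` lacks the space after `if` used elsewhere in this file, and `replace > 0` hides that only the value 1 is ever passed here; `if (replace)` says the same thing.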
@@ -378,7 +383,8 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source,
   return len + 4;
 }
  
-static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source, int *cacheable)
+static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit,
+			  union mysockaddr *source, int *cacheable, const int replace)
 {
   /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
   
@@ -386,7 +392,7 @@ static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned c
   struct subnet_opt opt;
   
   len = calc_subnet_opt(&opt, source, cacheable);
-  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, 0);
+  return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, replace);
 }
 
 int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer)
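Review bot: unlike add_mac, add_source_addr gets no strip-only path. add_mac removes an incoming MAC option when `replace` is set but no MAC is available; here the option is only ever written, so when stripping is requested without adding a subnet, an incoming client-subnet option (code EDNS0_OPTION_CLIENT_SUBNET) must be removed by the caller instead. That caller is not visible in this mail, so please confirm the strip-without-add case is handled somewhere, or mirror the add_mac structure here.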
@@ -498,11 +504,19 @@ size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *l
   *check_subnet = 0;
   *cacheable = 1;
   
+  /* OPT_ADD_MAC = MAC is added (if available)
+ OPT_ADD_MAC + OPT_STRIP_MAC = MAC is replaced, if not available, it is only removed
+ OPT_STRIP_MAC = MAC is removed */
   if (option_bool(OPT_ADD_MAC))
-plen  = add_mac(header, plen, limit, source, now, cacheable);
-  
+plen  = add_mac(header, plen, limit, source, now, cacheable, option_bool(OPT_STRIP_MAC) ? 1 : 0);
+  else if (option_bool(OPT_STRIP_MAC))
+plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_MAC, NULL, 0, 0, 2);
+
+  /* Use --strip-mac also for --add-mac=hex and --add-mac=text */
   if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX))
 plen = add_dns_client(header, plen, limit, source, now, cacheable);
+  else if (option_bool(OPT_STRIP_MAC))
+plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_NOMDEVICEID, NULL, 0, 0, 2);
   
 
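Review bot: the `--add-mac=hex/text` branch is inconsistent with the `--add-mac` branch above it. add_mac receives `option_bool(OPT_STRIP_MAC) ? 1 : 0`, so with both options set an incoming MAC option is replaced; add_dns_client, however, is called unchanged with no replace argument, and the `else if (option_bool(OPT_STRIP_MAC))` that removes EDNS0_OPTION_NOMDEVICEID only runs when the add option is absent. With `--add-mac=hex` plus `--strip-mac`, an incoming NOMDEVICEID option is therefore neither stripped nor replaced, although the comment "Use --strip-mac also for --add-mac=hex and --add-mac=text" promises exactly that. Either thread `replace` through add_dns_client as well, or strip the incoming option before calling it. The hunk also ends mid-function here, before the client-subnet handling in add_edns0_config; the mail appears truncated.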

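The stripping the cover letter describes, shown at the DNS wire-format level as an added example (Python, written for this page; it is not dnsmasq code and does not reuse its functions): a minimal walker that finds the OPT pseudo-RR in a query, removes chosen EDNS0 option codes and rewrites RDLENGTH, plus a check that reports Client Subnet options carrying private address space, the leak the patch is meant to prevent. Option code 8 is the IANA-assigned EDNS Client Subnet code (RFC 7871); the sample query is constructed inside the block. Any other code to strip (for example the one dnsmasq uses for --add-mac) is supplied by the caller in the `codes` set.

```python
"""Inspect and strip EDNS0 options (e.g. Client Subnet) from a DNS query on the wire.

Added example, not dnsmasq code.  Option code 8 is the IANA EDNS Client Subnet
(ECS) code from RFC 7871; the sample query below is constructed here.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8   # EDNS Client Subnet, IANA assignment (RFC 7871)
TYPE_OPT = 41         # OPT pseudo-RR type


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(qname, ecs_addr=None, ecs_prefix=24, qid=0x1234):
    """Constructed sample input: an A query with an OPT RR, optionally carrying ECS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    options = b""
    if ecs_addr is not None:
        addr = ipaddress.ip_address(ecs_addr)
        family = 1 if addr.version == 4 else 2
        nbytes = (ecs_prefix + 7) // 8                         # RFC 7871: address truncated to prefix
        payload = struct.pack("!HBB", family, ecs_prefix, 0) + addr.packed[:nbytes]
        options += struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload
    # OPT RR: root name, TYPE, CLASS = UDP payload size, TTL = extended RCODE/flags, RDLENGTH
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(options)) + options
    return header + question + opt_rr


def parse_edns_options(msg):
    """Locate the OPT RR; return (rdata_offset, [(code, data), ...]) or None if absent."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            rdata, opts, p = msg[off:off + rdlen], [], 0
            while p + 4 <= rdlen:
                code, olen = struct.unpack("!HH", rdata[p:p + 4])
                opts.append((code, rdata[p + 4:p + 4 + olen]))
                p += 4 + olen
            return off, opts
        off += rdlen
    return None


def strip_edns_options(msg, codes):
    """Return a copy of `msg` with the given EDNS0 option codes removed from the OPT RR."""
    found = parse_edns_options(msg)
    if found is None:
        return msg
    rdata_off, opts = found
    kept = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in opts if c not in codes)
    (old_rdlen,) = struct.unpack("!H", msg[rdata_off - 2:rdata_off])
    # Rewrite RDLENGTH (the 2 bytes just before the rdata) and splice in the surviving options.
    return msg[:rdata_off - 2] + struct.pack("!H", len(kept)) + kept + msg[rdata_off + old_rdlen:]


def private_ecs_networks(msg):
    """List ECS networks in `msg` that are private (RFC 1918 / fc00::/7), i.e. must not leave the LAN."""
    found = parse_edns_options(msg)
    leaks = []
    for code, data in (found[1] if found else []):
        if code != ECS_OPTION_CODE or len(data) < 4:
            continue
        family, src_prefix, _scope = struct.unpack("!HBB", data[:4])
        width = 4 if family == 1 else 16
        addr = ipaddress.ip_address(data[4:].ljust(width, b"\x00"))  # re-pad truncated address
        net = ipaddress.ip_network(f"{addr}/{src_prefix}", strict=False)
        if net.is_private:
            leaks.append(str(net))
    return leaks


if __name__ == "__main__":
    query = build_query("example.com.", ecs_addr="192.168.1.7", ecs_prefix=16)
    print("ECS carrying private space:", private_ecs_networks(query))
    cleaned = strip_edns_options(query, {ECS_OPTION_CODE})
    print("after stripping:", private_ecs_networks(cleaned), len(query) - len(cleaned), "bytes removed")
```

Running the block on the constructed query reports `192.168.0.0/16` before stripping and nothing afterwards; the cleaned message keeps its OPT RR (so EDNS0 buffer-size negotiation still works) with an empty option list, which is the same outcome as dnsmasq's strip-only path that calls add_pseudoheader with a NULL option body.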
Re: [Dnsmasq-discuss] priority of local= and ipset=

2022-01-06 Thread Simon Kelley
repeating a domain in --server (or --local) is sensible and dnsmasq will
use some or all of the servers for an individual query, depending on
unknowable stuff.

You would imagine that

ipset=/google.com/one
ipset=/google.com/two

would be equivalent to the documented

ipset=/google.com/one,two

but clearly it isn't. The advice is to stick to the documented way of
expressing those semantics, I guess.


Cheers,
Simon.



On 04/01/2022 07:55, Justin wrote:
> I just did some test. looks like the 'google.com' will be sent to both
> 1.1.1.1 and 8.8.8.8. but all the resolved ip address will only be
> added to ipset 'one'
> 
> On Tue, Jan 4, 2022 at 2:20 PM Justin  wrote:
>>
>> Hello
>> i have settings in the order like this in dnsmasq.conf
>>
>> local=/google.com/1.1.1.1
>> local=/google.com/8.8.8.8
>> ipset=/google.com/one
>> ipset=/google.com/two
>>
>> what is the behavior of dnsmasq? which nameserver will be used to
>> resolve google.com and which set name will the resolved ip of
>> google.com be added to?
>>
>> thanks.
> 




Re: [Dnsmasq-discuss] The filterwin2k option will make the dig command fail to query SOA.

2022-01-06 Thread Simon Kelley
On 01/01/2022 17:11, Andreas Metzler wrote:
> On 2022-01-01 Dominik Derigs  wrote:
>> On Sat, 2022-01-01 at 16:27 +0100, Andreas Metzler wrote:
>>> The manpage says "The requests blocked are for records [...]
>>> where the requested name has underscores". The test-query shown
>>> above is not for a name with underscores. So, afaict not working
>>> as documented.
> 
>> you have removed relevant parts when quoting that changed
>> meaning. The man page says
> 
>>> The requests blocked are for records of types SOA and SRV, and
>>> type ANY where the requested name has underscores, to catch LDAP
>>> requests.
> 
>> where two parts are mentioned:
> 
>>> records of types SOA and SRV,
> 
>> and
> 
>>> and type ANY where the requested name has underscores
> 
>> I just checked the code. This is exactly what happens
> 
>> SOA and SRV are always blocked, ANY only with underscores. To me,
>> this seems clear from the man text because of the first and
>> exclusively connecting SOA and SRV and then ANY + underscores
>> following thereafter.
> 
> I considered this to be a possible reading but the preceding text said
> that the feature was for filtering out "requests which don't get
> sensible answers from the public DNS" and my brain refused to put any
> and all SRV requests in this box. ;-)
> 
>> I see the man page wording could be improved.
> 
> How about
> ---
> diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
> index 4de8969..96338b3 100644
> --- a/man/dnsmasq.8
> +++ b/man/dnsmasq.8
> @@ -346,6 +346,7 @@ forged answer to a DNS request for certain domain, before 
> the correct answer can
>  Later versions of windows make periodic DNS requests which don't get 
> sensible answers from
>  the public DNS and can cause problems by triggering dial-on-demand links. 
> This flag turns on an option
> -to filter such requests. The requests blocked are for records of types SOA 
> and SRV, and type ANY where the 
> -requested name has underscores, to catch LDAP requests.
> +to filter such requests. The requests blocked are for records of type ANY
> +where the requested name has underscores, to catch LDAP requests, and for
> +\fBall\fP records of types SOA and SRV.
>  .TP
>  .B --filter-A
> ---
> 
> cu Andreas
> 

Patch applied. A definite improvement.


Cheers,

Simon.




[Dnsmasq-discuss] Monthly posting

2022-01-06 Thread Monthly posting


Hi,

"How To Ask Questions The Smart Way" has, immediately after the introduction,
advice on what to do before you ask.
http://www.catb.org/esr/faqs/smart-questions.html#before

Following that advice is still no guarantee of a quick response.
So when you are still stuck with something that you think is dnsmasq
related, you have to make more effort.

The greatest challenge is most likely being persistent in solving the
problem. (Not being persistent in demanding an answer.)

The dnsmasq man page is feature complete, and known to be hard to read for
those who are new to it. But still do read it and try to understand it.
Reading it again is known to be effective for getting a better
understanding. Find a copy of it in the source code of dnsmasq
and read it with `man man/dnsmasq.8`, or when installed with `man dnsmasq`,
or at https://dnsmasq.org/docs/dnsmasq-man.html

A pattern seen on the mailing list is unawareness of the
network-server-client model. Expressing such problems is indeed hard,
but also the road to a solution. Know that you are the main stakeholder
of the problem that you are facing. The highest reward for
finding a solution goes to you. Keep the ecosystem that you are
consulting healthy by also sharing your success stories.

Avoid "DNS doesn't work"; make it "My DNS client gets odd replies
from dnsmasq", "My DNS requests don't get forwarded" or another
non-generic issue.

Use real DNS tools like `dig` or `host` instead of `ping`.


For closer views, network sniffing is recommended.
When `tcpdump` or `wireshark` is used for such examinations,
provide the mailing list with a URL to a `.pcap` file.

Karma bonus points for providing a URL that can be fetched with `wget`.
So prevent your community members from getting exposed
to a website that screams advertisements and the need for JavaScript.

Text output of network sniffs doesn't show well
after being put in an email. Please take the pain of uploading
a .pcap file instead of multiplying
the pain of malformed netsniffer output.



Dnsmasq is a mature project, meaning releases are not frequent.
However, we constantly want to improve. Yes, patches welcome.

Patches are not always reviewed within three days.
Retransmitting your review request after eight days is not too pushy.


Aim for common interest. If you find it here, fine.
If you cannot find it here, you might have found a clue to look elsewhere
for "common interest".


Do know there are real humans behind the email addresses.



Re: [Dnsmasq-discuss] dnsmasq and external DHCPv6 servers

2022-01-06 Thread Eric Dittman via Dnsmasq-discuss

On 1/6/22 11:21 AM, Simon Kelley wrote:
> On 06/01/2022 00:05, Eric Dittman via Dnsmasq-discuss wrote:
>> On 1/5/22 4:57 PM, Simon Kelley wrote:
>>> On 03/01/2022 21:55, Eric Dittman via Dnsmasq-discuss wrote:
>>>> I have a Ubiquiti UDM SE.  It uses dnsmasq for DNS, DHCP, and RAs.  I
>>>> have external DNS and DHCP servers so I want to send RA packets with
>>>> the M and O flags set and the A flag reset, but I can't figure out the
>>>> proper configuration to do that.  Right now just to get RA working on
>>>> the subnets for IPv6 I have the following:
>>>>
>>>> enable-ra
>>>> ra-param=*,high,0
>>>> domain=mydomain
>>>> dhcp-range=2001:470:::,ra-names,slaac
>>>> dhcp-range=2001:470::10::,ra-names,slaac
>>>> dhcp-range=2001:470::20::,ra-names,slaac
>>>> dhcp-range=2001:470::40::,ra-names,slaac
>>>>
>>>> I'm getting autoconf IPv6 addresses but I'm not seeing any DHCPv6
>>>> packets on the external DHCPv6 servers (a pair per subnet).
>>>>
>>>> Any ideas how I can get this working?
>>>
>>> The dnsmasq RA code was designed to work with the dnsmasq DHCPv6 server,
>>> so there's no direct support for this. I think the closest you can get
>>> is to configure a static-addresses-only dhcp range
>>>
>>> dhcp-range=2001:470::10::,static,slaac
>>>
>>> Which will not allocate any DHCPv6 leases, leaving the field open for
>>> your other DHCPv6 servers, but will set the M and O bits.
>>>
>>> Adding a new keyword to cover this circumstance is pretty
>>> straightforward.
>>
>> Thanks, Simon, that worked!  I really appreciate it.
>>
>> The only issue I'm having now is I'm getting the router link-local IPv6
>> address included along with the two IPv6 addresses I specify in the
>> DHCPv6 options for the DNS resolvers:
>>
>> nameserver 2001:470::10::105
>> nameserver 2001:470::10::106
>> nameserver fe80::300d:e6ff:fe85:e6e0
>> nameserver 10.0.10.105
>> nameserver 10.0.10.106
>
> Dnsmasq will include the router's link-local address as the DNS server
> IF no other addresses are configured with dhcp-option AND dnsmasq is
> configured to provide DNS.
>
> In your case, since you're not using dnsmasq for DNS, disable DNS by
> setting
>
> port=0
>
> and that DNS server address will disappear.

Thanks again, Simon!

That took care of the DNS entry.  Ubiquiti has /etc/resolv.conf listing
127.0.0.1 and resolv.dnsmasq listing my nameservers, so disabling DNS
in dnsmasq disables that, so my script that adds the customipv6.conf
to the dnsmasq configuration directory will also need to update
resolv.conf.
--
Eric Dittman



Re: [Dnsmasq-discuss] dnsmasq and external DHCPv6 servers

2022-01-06 Thread Simon Kelley
On 06/01/2022 00:05, Eric Dittman via Dnsmasq-discuss wrote:
> On 1/5/22 4:57 PM, Simon Kelley wrote:
>> On 03/01/2022 21:55, Eric Dittman via Dnsmasq-discuss wrote:
>>> I have a Ubiquiti UDM SE.  It uses dnsmasq for DNS, DHCP, and RAs.  I
>>> have external DNS and DHCP servers so I want to send RA packets with
>>> the M and O flags set and the A flag reset, but I can't figure out the
>>> proper configuration to do that.  Right now just to get RA working on
>>> the subnets for IPv6 I have the following:
>>>
>>> enable-ra
>>> ra-param=*,high,0
>>> domain=mydomain
>>> dhcp-range=2001:470:::,ra-names,slaac
>>> dhcp-range=2001:470::10::,ra-names,slaac
>>> dhcp-range=2001:470::20::,ra-names,slaac
>>> dhcp-range=2001:470::40::,ra-names,slaac
>>>
>>> I'm getting autoconf IPv6 addresses but I'm not seeing any DHCPv6
>>> packets on the external DHCPv6 servers (a pair per subnet).
>>>
>>> Any ideas how I can get this working?
>>
>> The dnsmasq RA code was designed to work with the dnsmasq DHCPv6 server,
>> so there's no direct support for this. I think the closest you can get
>> is to configure a static-addresses-only dhcp range
>>
>> dhcp-range=2001:470::10::,static,slaac
>>
>> Which will not allocate any DHCPv6 leases, leaving the field open for
>> your other DHCPv6 servers, but will set the M and O bits.
>>
>> Adding a new keyword to cover this circumstance is pretty
>> straightforward.
> 
> Thanks, Simon, that worked!  I really appreciate it.
> 
> The only issue I'm having now is I'm getting the router link-local IPv6
> address included along with the two IPv6 addresses I specify in the
> DHCPv6 options for the DNS resolvers:
> 
> nameserver 2001:470::10::105
> nameserver 2001:470::10::106
> nameserver fe80::300d:e6ff:fe85:e6e0
> nameserver 10.0.10.105
> nameserver 10.0.10.106


Dnsmasq will include the router's link-local address as the DNS server
IF no other addresses are configured with dhcp-option AND dnsmasq is
configured to provide DNS.

In your case, since you're not using dnsmasq for DNS, disable DNS by
setting

port=0

and that DNS server address will disappear.


Cheers,

Simon.



Re: [Dnsmasq-discuss] Infinite loop in dnsmasq v2.86?

2022-01-06 Thread Andreas Metzler
On 2022-01-05 Simon Kelley  wrote:
> On 04/01/2022 17:11, Andreas Metzler wrote:
[...]
>> 
>> FWIW this looks similar to https://bugs.debian.org/1001576 which
>> features a backtrace.
>> 

> Are you running with the --strict-order config? The backtrace looks, at
> least superficially, like the bug fixed in

> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2

> Whilst John is not setting --strict order, so that doesn't seem to be
> relevant in his case.

Hello Simon,

I have not set strict-order. However I have now rebuilt the Debian
package with the abovementioned patch. Let's see whether the problem
goes away.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
