Re: [Dnsmasq-discuss] priority of local= and ipset=
Thanks Simon, another related question:

1) If I have 6000 domains, do I write 6000 lines of local=/domain/8.8.8.8, or do I write local=/domain1/2/3/.../8.8.8.8? Which one is faster for dnsmasq to locate and assign the nameserver?

2) BTW, how much time does it take for dnsmasq (2.86 here) to locate one domain from 100,000 domains in the conf-file in the form of local= or ipset=?

3) Is the search speed for local= and ipset= the same? I mean, do they use the same algorithm?

On Fri, Jan 7, 2022 at 07:46 Simon Kelley wrote:
> repeating a domain in --server (or --local) is sensible and dnsmasq will
> use some or all of the servers for an individual query, depending on
> unknowable stuff.
>
> You would imagine that
>
> ipset=/google.com/one
> ipset=/google.com/two
>
> would be equivalent to the documented
>
> ipset=/google.com/one,two
>
> but clearly it isn't. The advice is to stick to the documented way of
> expressing those semantics, I guess.
>
> Cheers,
> Simon.
>
> On 04/01/2022 07:55, Justin wrote:
> > I just did some tests. Looks like 'google.com' will be sent to both
> > 1.1.1.1 and 8.8.8.8, but all the resolved IP addresses will only be
> > added to ipset 'one'.
> >
> > On Tue, Jan 4, 2022 at 2:20 PM Justin wrote:
> >> Hello,
> >> I have settings in this order in dnsmasq.conf:
> >>
> >> local=/google.com/1.1.1.1
> >> local=/google.com/8.8.8.8
> >> ipset=/google.com/one
> >> ipset=/google.com/two
> >>
> >> What is the behaviour of dnsmasq? Which nameserver will be used to
> >> resolve google.com, and which set name will the resolved IP of
> >> google.com be added to?
> >>
> >> Thanks.

-- 
Regards
Justin He

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] [PATCH] Strip EDNS(0) Client Subnet / MAC information
Hey Simon, a series of patches (multiple mails) follows. This is the first one: Strip EDNS(0) Client Subnet / MAC information if --strip-subnet or --strip-mac is set. If BOTH the add and strip options are set, incoming EDNS0 options are REPLACED. This ensures we do not unintentionally forward client information somewhere upstream when ECS is used in lower DNS layers in our local network. Some upstream servers, for instance, Google DNS, even refuse to answer when ECS contains a 192.168.0.0/16 address. Best, Dominik From cb72bf20ce317a8d4c727d7818b2e20b33832eae Mon Sep 17 00:00:00 2001 From: Dominik Derigs Date: Fri, 7 Jan 2022 06:11:53 +0100 Subject: [PATCH] Strip EDNS(0) Client Subnet / MAC information if --strip-subnet or --strip-mac is set. If both the add and strip options are set, incoming EDNS0 options are replaced. This ensures we do not unintentionally forward client information somewhere upstream when ECS is used in lower DNS layers in our local network. Signed-off-by: DL6ER --- src/dnsmasq.h | 4 +++- src/edns0.c | 33 ++--- src/option.c | 6 ++ 3 files changed, 35 insertions(+), 8 deletions(-) diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 1b00298..7384a1a 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -277,7 +277,9 @@ struct event_desc { #define OPT_QUIET_TFTP 66 #define OPT_FILTER_A 67 #define OPT_FILTER_68 -#define OPT_LAST 69 +#define OPT_STRIP_ECS 69 +#define OPT_STRIP_MAC 70 +#define OPT_LAST 71 #define OPTION_BITS (sizeof(unsigned int)*8) #define OPTION_SIZE ( (OPT_LAST/OPTION_BITS)+((OPT_LAST%OPTION_BITS)!=0) ) diff --git a/src/edns0.c b/src/edns0.c index 5de6cb2..1599040 100644 --- a/src/edns0.c +++ b/src/edns0.c 
@@ -291,7 +291,7 @@ static size_t add_dns_client(struct dns_header *header, size_t plen, unsigned ch static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *limit, - union mysockaddr *l3, time_t now, int *cacheablep) + union mysockaddr *l3, time_t now, int *cacheablep, const int replace) { int maclen; unsigned char mac[DHCP_CHADDR_MAX]; @@ -299,8 +299,13 @@ static size_t add_mac(struct dns_header *header, size_t plen, unsigned char *lim if ((maclen = find_mac(l3, mac, 1, now)) != 0) { *cacheablep = 0; - plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, 0); + plen = add_pseudoheader(header, plen, limit, PACKETSZ, EDNS0_OPTION_MAC, mac, maclen, 0, replace); } + else if(replace > 0) + { +/* Asked to replace MAC address but it is not available here. We just remove whatever might be there */ +plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_MAC, NULL, 0, 0, 2); + } return plen; } @@ -378,7 +383,8 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source, return len + 4; } -static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, union mysockaddr *source, int *cacheable) +static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned char *limit, + union mysockaddr *source, int *cacheable, const int replace) { /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */ 
@@ -386,7 +392,7 @@ static size_t add_source_addr(struct dns_header *header, size_t plen, unsigned c struct subnet_opt opt; len = calc_subnet_opt(&opt, source, cacheable); - return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, 0); + return add_pseudoheader(header, plen, (unsigned char *)limit, PACKETSZ, EDNS0_OPTION_CLIENT_SUBNET, (unsigned char *)&opt, len, 0, replace); } int check_source(struct dns_header *header, size_t plen, unsigned char *pseudoheader, union mysockaddr *peer) @@ -498,11 +504,19 @@ size_t add_edns0_config(struct dns_header *header, size_t plen, unsigned char *l *check_subnet = 0; *cacheable = 1; + /* OPT_ADD_MAC = MAC is added (if available) + OPT_ADD_MAC + OPT_STRIP_MAC = MAC is replaced, if not available, it is only removed + OPT_STRIP_MAC = MAC is removed */ if (option_bool(OPT_ADD_MAC)) -plen = add_mac(header, plen, limit, source, now, cacheable); - +plen = add_mac(header, plen, limit, source, now, cacheable, option_bool(OPT_STRIP_MAC) ? 1 : 0); + else if (option_bool(OPT_STRIP_MAC)) +plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_MAC, NULL, 0, 0, 2); + + /* Use --strip-mac also for --add-mac=hex and --add-mac=text */ if (option_bool(OPT_MAC_B64) || option_bool(OPT_MAC_HEX)) plen = add_dns_client(header, plen, limit, source, now, cacheable); + else if (option_bool(OPT_STRIP_MAC)) +plen = add_pseudoheader(header, plen, (unsigned char *)limit, daemon->edns_pktsz, EDNS0_OPTION_NOMDEVICEID, NULL, 0, 0, 2);
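Review bot: in the new `else if(replace > 0)` branch of add_mac() the removal call passes `daemon->edns_pktsz` as the packet limit, while the add/replace call a few lines above it keeps `PACKETSZ`; use one limit in both places so a strip cannot succeed on a packet where the corresponding add would be refused (or the reverse). The last argument of add_pseudoheader() now carries three distinct meanings (`0`, `replace` which is 0 or 1, and the bare `2` for "remove") with nothing naming them; a small set of #defines for add/replace/remove next to add_pseudoheader() would make `2` self-explanatory at every call site. The added lines in this hunk have also lost their indentation relative to the surrounding code.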
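Review bot: the add_edns0_config() hunk documents the MAC combinations in its comment, but OPT_STRIP_ECS is never referenced in any hunk shown here: add_source_addr() gains a `replace` parameter, yet its call site is not in this mail, and the src/option.c hunk listed in the diffstat is missing as well, so the --strip-subnet behaviour that the commit message describes cannot be reviewed from this patch. Within the visible hunk there is also an asymmetry: with --add-mac (binary) plus --strip-mac the MAC option is replaced, but with --add-mac=hex/text plus --strip-mac, add_dns_client() is called without any replace flag, so an incoming NOMDEVICEID option is kept next to the newly added one rather than replaced, which contradicts the "incoming EDNS0 options are REPLACED" promise in the commit message; passing the same replace semantics into add_dns_client() would close that gap.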
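As an added example (not dnsmasq code and not part of Dominik's patch), the following Python shows on a constructed query what a --strip-subnet path has to do at the wire level: locate the OPT pseudo-RR in the additional section, decode an EDNS(0) Client Subnet option (option code 8, RFC 7871), flag one that would forward a private address such as 192.168.x.x upstream, and rebuild the OPT RR without it. Function names and the sample packet are assumptions of this example; only the option code and the wire layout come from the RFCs.

```python
import ipaddress
import struct

# Wire-format constants from RFC 6891 (OPT RR) and RFC 7871 (ECS option).
TYPE_OPT = 41
EDNS0_OPTION_CLIENT_SUBNET = 8


def skip_name(msg, off):
    """Return the offset just past a wire-format name (compression pointers included)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # a two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def find_opt_rr(msg):
    """Locate the OPT pseudo-RR: returns (rr_start, rdata_start, rdlen) or None."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        rr_start = off
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_OPT:
            return rr_start, off, rdlen
        off += rdlen
    return None


def iter_edns_options(msg):
    """Yield (option_code, option_data) pairs carried in the OPT RR, if any."""
    found = find_opt_rr(msg)
    if found is None:
        return
    _, off, rdlen = found
    end = off + rdlen
    while off + 4 <= end:
        code, length = struct.unpack_from("!HH", msg, off)
        off += 4
        yield code, bytes(msg[off:off + length])
        off += length


def decode_ecs(data):
    """Decode ECS option data into (family, source_prefix, scope_prefix, network)."""
    family, source, scope = struct.unpack_from("!HBB", data, 0)
    width = {1: 4, 2: 16}.get(family)
    if width is None:
        raise ValueError("unknown ECS address family %d" % family)
    # The address is truncated to its significant bytes on the wire; pad it back.
    addr = ipaddress.ip_address(data[4:].ljust(width, b"\x00"))
    network = ipaddress.ip_network("%s/%d" % (addr, source), strict=False)
    return family, source, scope, network


def ecs_leaks_private(msg):
    """True when an ECS option would forward a private client subnet upstream."""
    for code, data in iter_edns_options(msg):
        if code == EDNS0_OPTION_CLIENT_SUBNET and decode_ecs(data)[3].is_private:
            return True
    return False


def strip_edns_option(msg, strip_code):
    """Return a copy of msg whose OPT RR no longer carries options with strip_code."""
    found = find_opt_rr(msg)
    if found is None:
        return bytes(msg)
    rr_start, rdata_start, rdlen = found
    kept = b"".join(struct.pack("!HH", code, len(data)) + data
                    for code, data in iter_edns_options(msg) if code != strip_code)
    fixed = bytes(msg[rr_start:rdata_start - 2])  # NAME, TYPE, CLASS, TTL; RDLENGTH is rebuilt
    return (bytes(msg[:rr_start]) + fixed + struct.pack("!H", len(kept)) + kept
            + bytes(msg[rdata_start + rdlen:]))


def build_query(qname, ecs_network=None):
    """Constructed sample: an A query for qname with an OPT RR and, optionally, an ECS option."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)
    options = b""
    if ecs_network is not None:
        net = ipaddress.ip_network(ecs_network, strict=False)
        nbytes = (net.prefixlen + 7) // 8   # only the significant address bytes are sent
        body = (struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, 0)
                + net.network_address.packed[:nbytes])
        options = struct.pack("!HH", EDNS0_OPTION_CLIENT_SUBNET, len(body)) + body
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(options)) + options
    return header + question + opt_rr


if __name__ == "__main__":
    query = build_query("example.com", "192.168.1.77/24")
    print("leaks private subnet:", ecs_leaks_private(query))
    print("after strip:", ecs_leaks_private(strip_edns_option(query, EDNS0_OPTION_CLIENT_SUBNET)))
```

The same strip routine removes any other option by code (the MAC option from the patch included), which is why the option code is a parameter rather than hard-wired; a forwarder that adds its own ECS afterwards gets the "replace" behaviour the commit message describes by stripping first and appending second.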
Re: [Dnsmasq-discuss] priority of local= and ipset=
repeating a domain in --server (or --local) is sensible and dnsmasq will use some or all of the servers for an individual query, depending on unknowable stuff.

You would imagine that

ipset=/google.com/one
ipset=/google.com/two

would be equivalent to the documented

ipset=/google.com/one,two

but clearly it isn't. The advice is to stick to the documented way of expressing those semantics, I guess.

Cheers,
Simon.

On 04/01/2022 07:55, Justin wrote:
> I just did some tests. Looks like 'google.com' will be sent to both
> 1.1.1.1 and 8.8.8.8, but all the resolved IP addresses will only be
> added to ipset 'one'.
>
> On Tue, Jan 4, 2022 at 2:20 PM Justin wrote:
>> Hello,
>> I have settings in this order in dnsmasq.conf:
>>
>> local=/google.com/1.1.1.1
>> local=/google.com/8.8.8.8
>> ipset=/google.com/one
>> ipset=/google.com/two
>>
>> What is the behaviour of dnsmasq? Which nameserver will be used to
>> resolve google.com, and which set name will the resolved IP of
>> google.com be added to?
>>
>> Thanks.
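As an added example (not dnsmasq code), here is a small Python lint that spots the pattern Simon describes: the same domain named in more than one ipset= line, which does not behave like the documented comma-separated form. It parses the documented ipset=/domain[/domain...]/set[,set...] syntax and prints the single line that expresses the same intent. The sample configuration is constructed from Justin's four lines plus one multi-domain line.

```python
import re
from collections import OrderedDict

IPSET_RE = re.compile(r"^\s*ipset=(/.*)$")


def parse_ipset_line(line):
    """Split 'ipset=/a/b/one,two' into (['a', 'b'], ['one', 'two']); None if not an ipset line."""
    m = IPSET_RE.match(line)
    if not m:
        return None
    parts = m.group(1).split("/")[1:]          # the leading '/' yields an empty first element
    domains, sets = parts[:-1], parts[-1].split(",")
    return domains, [s for s in sets if s]


def find_duplicate_ipsets(config_text):
    """Map each domain named in more than one ipset= line to the sets it was given, in order."""
    per_domain = OrderedDict()
    for line in config_text.splitlines():
        parsed = parse_ipset_line(line)
        if parsed is None:
            continue
        domains, sets = parsed
        for domain in domains:
            bucket = per_domain.setdefault(domain, {"lines": 0, "sets": []})
            bucket["lines"] += 1
            for s in sets:
                if s not in bucket["sets"]:   # keep first-seen order, drop exact repeats
                    bucket["sets"].append(s)
    return OrderedDict((d, b) for d, b in per_domain.items() if b["lines"] > 1)


def merged_lines(config_text):
    """The documented single-line replacement for every domain with duplicated ipset= entries."""
    return ["ipset=/%s/%s" % (domain, ",".join(bucket["sets"]))
            for domain, bucket in find_duplicate_ipsets(config_text).items()]


# Constructed sample configuration: Justin's lines plus one multi-domain entry.
SAMPLE_CONF = """\
local=/google.com/1.1.1.1
local=/google.com/8.8.8.8
ipset=/google.com/one
ipset=/google.com/two
ipset=/example.net/example.org/three
"""

if __name__ == "__main__":
    for domain, bucket in find_duplicate_ipsets(SAMPLE_CONF).items():
        print("%s appears in %d ipset= lines" % (domain, bucket["lines"]))
    for line in merged_lines(SAMPLE_CONF):
        print("use instead:", line)
```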
Re: [Dnsmasq-discuss] The filterwin2k option will make the dig command fail to query SOA.
On 01/01/2022 17:11, Andreas Metzler wrote: > On 2022-01-01 Dominik Derigs wrote: >> On Sat, 2022-01-01 at 16:27 +0100, Andreas Metzler wrote: >>> The manpage says "The requests blocked are for records [...] >>> where the requested name has underscores". The test-query shown >>> above is not for a name with underscores. So, afaict not working >>> as documented. > >> you have removed relevant parts when quoting that changed >> meaning. The man page says > >>> The requests blocked are for records of types SOA and SRV, and >>> type ANY where the requested name has underscores, to catch LDAP >>> requests. > >> where two parts are mentioned: > >>> records of types SOA and SRV, > >> and > >>> and type ANY where the requested name has underscores > >> I just checked the code. This is exactly what happens > >> SOA and SRV are always blocked, ANY only with underscores. To me, >> this seems clear from the man text because of the first and >> exclusively connecting SOA and SRV and then ANY + underscores >> following thereafter. > > I considered this to be a possible reading but the preceding text said > that the feature was for filtering out "requests which don't get > sensible answers from the public DNS" and my brain refused to put any > and all SRV requests in this box. ;-) > >> I see the man page wording could be improved. > > How about > --- > diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 > index 4de8969..96338b3 100644 > --- a/man/dnsmasq.8 > +++ b/man/dnsmasq.8 
> @@ -346,6 +346,7 @@ forged answer to a DNS request for certain domain, before > the correct answer can > Later versions of windows make periodic DNS requests which don't get > sensible answers from > the public DNS and can cause problems by triggering dial-on-demand links. > This flag turns on an option > -to filter such requests. The requests blocked are for records of types SOA > and SRV, and type ANY where the > -requested name has underscores, to catch LDAP requests. > +to filter such requests. The requests blocked are for records of type ANY > +where the requested name has underscores, to catch LDAP requests, and for > +\fBall\fP records of types SOA and SRV. > .TP > .B --filter-A > --- > > cu Andreas > Patch applied. A definite improvement. Cheers, Simon. ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
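Review bot: the reworded sentence in the dnsmasq.8 hunk now says plainly that every SOA and SRV query is blocked and that only ANY is tied to the underscore test, which settles the reading dispute above; the sentence before it, however, still introduces the option as filtering "requests which don't get sensible answers from the public DNS", so consider one added clause making explicit that, with this option on, SRV lookups from any client on the network are dropped, not only the Windows ones the paragraph is about.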
[Dnsmasq-discuss] Monthly posting
Hi,

"How To Ask Questions The Smart Way" has, immediately after the introduction, advice on "before you ask": http://www.catb.org/esr/faqs/smart-questions.html#before

Following that advice is still no guarantee of a quick response. So when you are still stuck with something that you think is dnsmasq related, you have to make more effort. The greatest challenge is most likely being persistent in solving the problem. (Not being persistent in demanding an answer.)

The dnsmasq man page is feature complete, and known as hard to read for those who are new to it. But still do read it and try to understand it. Reading it again is known to be effective for getting a better understanding. Find a copy of it in the source code of dnsmasq and read it with `man man/dnsmasq.8`, or when installed with `man dnsmasq`, or at https://dnsmasq.org/docs/dnsmasq-man.html

A pattern seen on the mailing list is unawareness of the network-server-client model. Expressing such problems is indeed hard, but also the road to a solution. Know that you are the main stakeholder of the problem that you are facing. The highest reward for finding a solution goes to you. Keep the ecosystem that you are consulting healthy by also sharing your success stories.

Avoid "DNS doesn't work"; make it "My DNS client gets odd replies from dnsmasq", "My DNS requests don't get forwarded" or another non-generic issue. Use real DNS tools like `dig` or `host` instead of `ping`. For closer views, network sniffing is recommended. When `tcpdump` or `wireshark` is used for such examinations, provide the mailing list with a URL to a `.pcap` file. Karma bonus points for providing a URL that can be `wget`-ed. So prevent your community members from being exposed to a website that screams advertisements and the need for Javascript. Text-version output of network sniffs doesn't show well after being put in an email. Please take the pain of uploading a .pcap file instead of multiplying the pain of malformed netsniffer output.

Dnsmasq is a mature project, meaning not often a release. However, we constantly want to improve. Yes, patches welcome. Patches are not always reviewed within three days. Retransmitting your review request after eight days is not too pushy.

Aim for common interest. If you find it here, fine. If you cannot find it here, you might have found a clue for looking elsewhere for "common interest".

Do know there are real humans behind the email addresses.
Re: [Dnsmasq-discuss] dnsmasq and external DHCPv6 servers
On 1/6/22 11:21 AM, Simon Kelley wrote:
> On 06/01/2022 00:05, Eric Dittman via Dnsmasq-discuss wrote:
>> On 1/5/22 4:57 PM, Simon Kelley wrote:
>>> On 03/01/2022 21:55, Eric Dittman via Dnsmasq-discuss wrote:
>>>> I have a Ubiquiti UDM SE. It uses dnsmasq for DNS, DHCP, and RAs. I
>>>> have external DNS and DHCP servers so I want to send RA packets with
>>>> the M and O flags set and the A flag reset, but I can't figure out the
>>>> proper configuration to do that. Right now just to get RA working on
>>>> the subnets for IPv6 I have the following:
>>>>
>>>> enable-ra
>>>> ra-param=*,high,0
>>>> domain=mydomain
>>>> dhcp-range=2001:470:::,ra-names,slaac
>>>> dhcp-range=2001:470::10::,ra-names,slaac
>>>> dhcp-range=2001:470::20::,ra-names,slaac
>>>> dhcp-range=2001:470::40::,ra-names,slaac
>>>>
>>>> I'm getting autoconf IPv6 addresses but I'm not seeing any DHCPv6
>>>> packets on the external DHCPv6 servers (a pair per subnet).
>>>>
>>>> Any ideas how I can get this working?
>>>
>>> The dnsmasq RA code was designed to work with the dnsmasq DHCPv6 server,
>>> so there's no direct support for this. I think the closest you can get
>>> is to configure a static-addresses-only dhcp range
>>>
>>> dhcp-range=2001:470::10::,static,slaac
>>>
>>> Which will not allocate any DHCPv6 leases, leaving the field open for
>>> your other DHCPv6 servers, but will set the M and O bits.
>>>
>>> Adding a new keyword to cover this circumstance is pretty
>>> straightforward.
>>
>> Thanks, Simon, that worked! I really appreciate it.
>>
>> The only issue I'm having now is I'm getting the router link-local IPv6
>> address included along with the two IPv6 addresses I specify in the
>> DHCPv6 options for the DNS resolvers:
>>
>> nameserver 2001:470::10::105
>> nameserver 2001:470::10::106
>> nameserver fe80::300d:e6ff:fe85:e6e0
>> nameserver 10.0.10.105
>> nameserver 10.0.10.106
>
> Dnsmasq will include the router's link-local address as the DNS server
> IF no other addresses are configured with dhcp-option AND dnsmasq is
> configured to provide DNS.
>
> In your case, since you're not using dnsmasq for DNS, disable DNS by
> setting port=0 and that DNS server address will disappear.

Thanks again, Simon! That took care of the DNS entry.

Ubiquiti has /etc/resolv.conf listing 127.0.0.1 and resolv.dnsmasq listing my nameservers, so disabling DNS in dnsmasq disables that, so my script that adds the customipv6.conf to the dnsmasq configuration directory will also need to update resolv.conf.

-- 
Eric Dittman
Re: [Dnsmasq-discuss] dnsmasq and external DHCPv6 servers
On 06/01/2022 00:05, Eric Dittman via Dnsmasq-discuss wrote:
> On 1/5/22 4:57 PM, Simon Kelley wrote:
>> On 03/01/2022 21:55, Eric Dittman via Dnsmasq-discuss wrote:
>>> I have a Ubiquiti UDM SE. It uses dnsmasq for DNS, DHCP, and RAs. I
>>> have external DNS and DHCP servers so I want to send RA packets with
>>> the M and O flags set and the A flag reset, but I can't figure out the
>>> proper configuration to do that. Right now just to get RA working on
>>> the subnets for IPv6 I have the following:
>>>
>>> enable-ra
>>> ra-param=*,high,0
>>> domain=mydomain
>>> dhcp-range=2001:470:::,ra-names,slaac
>>> dhcp-range=2001:470::10::,ra-names,slaac
>>> dhcp-range=2001:470::20::,ra-names,slaac
>>> dhcp-range=2001:470::40::,ra-names,slaac
>>>
>>> I'm getting autoconf IPv6 addresses but I'm not seeing any DHCPv6
>>> packets on the external DHCPv6 servers (a pair per subnet).
>>>
>>> Any ideas how I can get this working?
>>
>> The dnsmasq RA code was designed to work with the dnsmasq DHCPv6 server,
>> so there's no direct support for this. I think the closest you can get
>> is to configure a static-addresses-only dhcp range
>>
>> dhcp-range=2001:470::10::,static,slaac
>>
>> Which will not allocate any DHCPv6 leases, leaving the field open for
>> your other DHCPv6 servers, but will set the M and O bits.
>>
>> Adding a new keyword to cover this circumstance is pretty
>> straightforward.
>
> Thanks, Simon, that worked! I really appreciate it.
>
> The only issue I'm having now is I'm getting the router link-local IPv6
> address included along with the two IPv6 addresses I specify in the
> DHCPv6 options for the DNS resolvers:
>
> nameserver 2001:470::10::105
> nameserver 2001:470::10::106
> nameserver fe80::300d:e6ff:fe85:e6e0
> nameserver 10.0.10.105
> nameserver 10.0.10.106

Dnsmasq will include the router's link-local address as the DNS server IF no other addresses are configured with dhcp-option AND dnsmasq is configured to provide DNS.

In your case, since you're not using dnsmasq for DNS, disable DNS by setting port=0 and that DNS server address will disappear.

Cheers,
Simon.
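The goal of this thread (RAs with M and O set, A cleared, and no stray link-local resolver advertised) can be checked from a captured Router Advertisement. The following Python is an added example, not dnsmasq code or anything from the thread: it parses the ICMPv6 RA header and its Prefix Information and RDNSS options (RFC 4861, RFC 8106) and reports every deviation from that policy. The sample packets are constructed in build_ra() with the 2001:db8::/32 documentation prefix and a zero checksum, and the check assumes the fe80:: nameserver Eric saw is delivered by the RA's RDNSS option.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3          # RFC 4861 section 4.6.2
OPT_RDNSS = 25               # RFC 8106 section 5.1
RA_FLAG_MANAGED = 0x80       # M: addresses come from DHCPv6
RA_FLAG_OTHER = 0x40         # O: other configuration (DNS etc.) comes from DHCPv6
PIO_FLAG_ONLINK = 0x80       # L
PIO_FLAG_AUTONOMOUS = 0x40   # A: SLAAC permitted on this prefix


def parse_ra(pkt):
    """Decode an RA into {'managed', 'other', 'router_lifetime', 'prefixes', 'rdnss'}."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _t, _c, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack_from("!BBHBBHII", pkt, 0)
    info = {"managed": bool(flags & RA_FLAG_MANAGED), "other": bool(flags & RA_FLAG_OTHER),
            "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: packet must be discarded
        body = pkt[off + 2:off + olen * 8]              # option payload after type and length
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Address(body[14:30])
            net = ipaddress.IPv6Network("%s/%d" % (prefix, plen), strict=False)
            info["prefixes"].append((net, bool(pflags & PIO_FLAG_AUTONOMOUS)))
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(6, 6 + (olen - 1) * 8, 16):  # reserved(2) + lifetime(4), then addresses
                info["rdnss"].append(ipaddress.IPv6Address(body[i:i + 16]))
        off += olen * 8
    return info


def check_policy(pkt):
    """Findings against the external-DHCPv6 policy; an empty list means the RA conforms."""
    ra = parse_ra(pkt)
    findings = []
    if not ra["managed"]:
        findings.append("M flag not set: hosts will not use DHCPv6 for addresses")
    if not ra["other"]:
        findings.append("O flag not set: hosts will not fetch DNS/other config via DHCPv6")
    for net, autonomous in ra["prefixes"]:
        if autonomous:
            findings.append("prefix %s has the A flag set: SLAAC still allowed" % net)
    for addr in ra["rdnss"]:
        if addr.is_link_local:
            findings.append("RDNSS advertises link-local resolver %s" % addr)
    return findings


def build_ra(managed, other, prefix, autonomous, rdnss=()):
    """Constructed sample RA (checksum left at zero; no pseudo-header is available here)."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    net = ipaddress.IPv6Network(prefix, strict=False)
    pflags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags, 86400, 14400, 0)
    opts = pio + net.network_address.packed
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 1800) + addrs
    return hdr + opts


if __name__ == "__main__":
    # What Eric's first configuration produced, as described in the thread.
    before = build_ra(False, False, "2001:db8:10::/64", True, ["fe80::1"])
    # What the static,slaac range plus port=0 should yield.
    after = build_ra(True, True, "2001:db8:10::/64", False, ["2001:db8:10::105"])
    for label, pkt in (("before", before), ("after", after)):
        print(label, check_policy(pkt) or "OK")
```

Feed real packets by extracting the ICMPv6 payload from a capture (for example with tcpdump filtering on icmp6 type 134); the parser deliberately ignores unknown option types, as RFC 4861 requires of receivers.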
Re: [Dnsmasq-discuss] Infinite loop in dnsmasq v2.86?
On 2022-01-05 Simon Kelley wrote:
> On 04/01/2022 17:11, Andreas Metzler wrote:
[...]
>> FWIW this looks similar to https://bugs.debian.org/1001576 which
>> features a backtrace.
>
> Are you running with the --strict-order config? The backtrace looks, at
> least superficially, like the bug fixed in
> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2
> Whilst John is not setting --strict-order, so that doesn't seem to be
> relevant in his case.

Hello Simon,

I have not set strict-order. However I have now rebuilt the Debian package with the abovementioned patch. Let's see whether the problem goes away.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'