Re: dhcpd and unbound on a small LAN

2020-01-12 Thread Marcus MERIGHI
Morning!

What I have not seen mentioned:

dhcpd.conf -> "deny unknown-clients;"

Beware if you use static leases as already mentioned, then dhcpd does
*not* feed the IPs to its PF tables when it hands the IP out to the
client.

If you do:

host foobar { hardware ethernet a8:34:6a:e1:1d:1c; }

with "deny unknown-clients" directive, then the IP is taken from the
"range" pool but only for known MACs.

See net/arpd and net/arpwatch packages(7)!

As for your hosts(5) versus unbound(8) problem, I've the following:

$ whence vihosts
'doas vi /etc/hosts; hoststounbound'

$ whence hoststounbound
'grep -v -e ^# -e ^$ /etc/hosts | hoststounbound.sh hosts > \
  /var/unbound/etc/localzone.hosts.conf; reload-unbound'

$ whence reload-unbound
'doas unbound-control -c /var/unbound/etc/unbound.conf reload'

"hoststounbound.sh" is a script that parses hosts(5) lines and outputs a
valid unbound.conf(5) config. Feedback, improvements, all welcome:

#!/bin/sh -eu
# hoststounbound.sh: read hosts(5) lines on stdin, write unbound.conf(5)
# local-zone/local-data statements on stdout.  ksh script (OpenBSD /bin/sh):
# relies on the ksh print builtin and [[ ]].  Usage: hoststounbound.sh [zone] [ttl]
_zone=${1:-"hosts"}
_ttl=${2:-"3600"}

# Never glob-expand host names such as "*.example.lan" during word splitting.
set -f

_ip=""
_names=""
_name=""
_line=""
_word=""
_type=""

print "server:\n"
print "local-zone: \"${_zone}\" transparent\n"

while read -r _line; do
	_ip=""
	_names=""
	# First word is the address, the rest are names; "#" starts a comment.
	for _word in $_line; do
		if [[ "X${_word}" == X"#"* ]]; then
			break
		elif [[ -z $_ip ]]; then
			_ip="${_word}"
		else
			_names="${_names}${_word} "
		fi
	done
	#[[ "X${_ip}" == X"127.0.0.1" || "X${_ip}" == X"::1" ]] && continue
	# Record type follows the address family: AAAA for IPv6, A otherwise.
	_type="A"
	[[ "X${_ip}" == X*":"* ]] && _type="AAAA"
	for _name in ${_names}; do
		# A "*.example.lan" entry becomes a redirect zone for example.lan.
		[[ ${_name%%.*} == "*" ]] && { _name=${_name#*.}; \
		  print "local-zone: \"${_name}.\" redirect"; }
		print "local-data: \"${_name}. ${_ttl} ${_type} ${_ip}\""
		# 0.0.0.0 entries (hosts-file blocklist style) get no PTR record.
		[[ "X${_ip}" == X"0.0.0.0" ]] || \
		  print "local-data-ptr: \"${_ip} ${_ttl} ${_name}\"\n"
	done
done

Marcus

pipat...@gmail.com (Anders Andersson), 2020.01.06 (Mon) 13:24 (CET):
> I'm in the process of replacing an aging OpenWRT device on my home LAN
> with an apu4d4 running OpenBSD as my personal router.
> 
> I would like to use unbound as a caching DNS server for my local
> hosts, but I'm trying to figure out how to handle local hostnames. It
> seems like a common scenario but I can't find a solution that feels
> like the "right" way. I have two problems, one is trivial compared to
> the other.
> 
> 
> My first and very minor issue is that I would like to register my
> static hosts in a more convenient way than what's currently offered by
> unbound. From what I understand you would configure your local hosts
> something like this:
> 
> local-zone: "home.lan." static
> local-data: "laptop.home.lan.IN A 10.0.0.2"
> local-data-ptr: "10.0.0.2  laptop.home.lan"
> 
> Every time information has to be entered twice there is room for error
> and inconsistencies, so preferably this list should be automatically
> generated from a simpler file, maybe /etc/hosts. I can of course
> easily write such a script, but I'm wondering if there might be a
> standard, go-to way of doing this.
> 
> 
> 
> My second and more difficult issue is that I can't seem to find a way
> to feed information from the DHCP server into unbound, so that locally
> assigned hosts can be queried by their hostnames. To clarify with an
> example:
> 
> 1. I install a new system and in the installation procedure I name it "alice".
> 2. "alice" asks for and receives an IP number from my DHCP server.
> 3. Every other machine can now connect to "alice" by name, assuming
> that "alice" informed the DHCP server of its name when asking for an
> address.
> 
> Currently this works because OpenWRT is using dnsmasq which is both a
> caching DNS server and a DHCP server, so the left hand knows what the
> right hand is doing. How can I solve this in OpenBSD base without
> jumping through hoops?
> 
> Right now I'm considering something that monitors dhcpd.leases for
> changes and updates a running unbound using unbound-control(8) but I
> don't feel confident enough writing such a tool that does not miss a
> lot of corner cases and handle startup/shutdown gracefully. I'm also
> thinking that it can't be such an unusual use case, so someone surely
> must have written such a tool already. I just haven't found any in my
> search.
> 
> Or am I doing this the wrong way? I've now read about things like mDNS
> and Zeroconf and Avahi and I'm just getting more and more confused.
> Ideas are welcome!



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Sean Kamath


> On Jan 6, 2020, at 04:24, Anders Andersson  wrote:
> Right now I'm considering something that monitors dhcpd.leases for
> changes and updates a running unbound using unbound-control(8) but I
> don't feel confident enough writing such a tool that does not miss a
> lot of corner cases and handle startup/shutdown gracefully. I'm also
> thinking that it can't be such an unusual use case, so someone surely
> must have written such a tool already. I just haven't found any in my
> search.
> 
> Or am I doing this the wrong way? I've now read about things like mDNS
> and Zeroconf and Avahi and I'm just getting more and more confused.
> Ideas are welcome!

So, on my little home network, I do the following (well, it’s in progress, but 
I used to do the same thing with Bind):

1) run unbound for name resolution for all devices (after the recent discussion 
about turning your network inside out, I’m debating turning on PF to redirect 
all DNS queries to my unbound server).

2) I run nsd to provide name services for my domains.  So, I use 
“int.domain.name” for all local addresses.  I just point unbound at nsd 
(running on a different port) for those domains.

3) I use static assignment of IPv4 address to *most* of my devices (this is the 
part in progress). This is what everyone’s talking about using:

host alice {
   hardware ethernet 00:19:b9:e0:2f:de;
   fixed-address 192.168.0.68;
}

Of course, I could use dynamic DNS updates for all devices, but I find that as 
the “owner” of basically everything, it’s easier to have fixed addresses 
instead.  The problem is for every device I need some sort of DB for every 
device that includes the ETHERNET address as well as the IP address (because 
devices get replaced, etc., but I want to keep the name and the IP, but change 
the ethernet).  From that, I can generate both the dhcpd.conf file *and* the 
nsd PTR and A records.  That’s the bit I’m working on now.

The upshot is that unbound redirects certain domains to nsd, NSD controls all 
the domains (both my internal ones and some external ones) and DHCPD points all 
the clients to unbound for name resolution.

I have a small range for non-known devices — I don’t mind friends coming over 
and using my wireless.  Soon I hope to put THOSE devices on another vlan and 
give them rate-limited access.  But I haven’t finished the whole “create 
everything from one DB” yet, so. . . WIP.

Yes, I could just have unbound return addresses for the local network, but 
what’s the fun in that? :-)

Sean


Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Andrew Daugherity
On Mon, Jan 6, 2020 at 9:26 AM Sonic  wrote:
>
> You have it backwards, let dhcp use the information in unbound to
> assign the reserved address:
> ===
> host alice {
>   hardware ethernet 20:9e:02:f5:93:60;
>   fixed-address alice.home.lan;
>   option host-name "alice";
>   }
> ===
This is how I do it too, except simplified further by setting the
use-host-decl-names option at a higher scope (see dhcpd.conf(5)); then
you don't need "option host-name ..." for each host.

> Start unbound before dhcpd in your rc.conf.local (ex):
> ===
> unbound_flags="-c /var/unbound/etc/unbound.conf"
> dhcpd_flags="em0"
> ===
The order of directives in rc.conf.local does not matter, as the order
of base daemons is hardcoded in /etc/rc (and does indeed start unbound
before dhcpd); as a matter of fact, 'rcctl enable foo' will sort the
file! (I personally dislike this behavior, since it moves comment
lines away from the things they're commenting on, but I digress...)
The only order that does matter is words within the pkg_scripts
setting, which orders those relative to each other.

> Make sure your resolv.conf points to unbound so that your system can
> resolve the local dns names.
If your uplink interface is configured as DHCP, this will
need to be set in dhclient.conf, e.g. "supersede domain-name-servers
127.0.0.1".


-Andrew
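Sean's plan of generating both dhcpd.conf and the DNS records from one
database, and Andrew's pointer to use-host-decl-names, come together in
the following POSIX sh generator. It is an added example for this thread,
not code posted by anyone in it. It reads a hypothetical hosts.db of
"name mac ipv4" lines (format assumed) and writes either a dhcpd.conf
(no "range", deny unknown-clients, use-host-decl-names on, one host
stanza per record, as Marcus and Paul describe) or the matching unbound
local-data/local-data-ptr statements. The subnet, router address, the zone
name home.lan and the file paths are assumptions. Every field is validated
before it is interpolated, because a DB line is otherwise a convenient way
to smuggle extra directives into either daemon's configuration.

```shell
#!/bin/sh
# hostdb2conf.sh: generate dhcpd.conf and unbound local data from ONE host
# database, so name, MAC and IP are never typed twice.  Added example for this
# thread, not code posted by any participant.  Assumed: the DB format (one
# "name mac ipv4" record per line, '#' comments) and the defaults below.
#
# Usage: hostdb2conf.sh dhcpd   hosts.db > /etc/dhcpd.conf.new
#        hostdb2conf.sh unbound hosts.db > /var/unbound/etc/localzone.hosts.conf
set -eu
set -f                                 # DB fields are never glob-expanded

SUBNET=${SUBNET:-192.168.0.0}
NETMASK=${NETMASK:-255.255.255.0}
ROUTER=${ROUTER:-192.168.0.1}          # the OpenBSD box, also running unbound
DOMAIN=${DOMAIN:-home.lan}
TTL=${TTL:-3600}

# Every field ends up inside a config file, so each is matched against a
# strict pattern first: a stray ';', '}' or '"' in the DB must not be able to
# add directives to dhcpd.conf or unbound.conf.
valid_name() { case $1 in ''|-*|*-|*[!a-z0-9-]*) return 1 ;; esac; }
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case $1 in $h:$h:$h:$h:$h:$h) return 0 ;; esac
    return 1
}
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the validated records of DB file $1 as "name mac ip" lines.  Fails on
# the first malformed record, so a bad DB yields no config rather than a
# partial one.
read_db() {
    db=$1 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- ${line%%#*}              # drop comment, split into fields
        [ $# -eq 0 ] && continue
        if [ $# -ne 3 ] || ! valid_name "$1" || ! valid_mac "$2" ||
            ! valid_ipv4 "$3"; then
            printf '%s:%s: bad record: %s\n' "$db" "$n" "$line" >&2
            return 1
        fi
        printf '%s %s %s\n' "$1" "$2" "$3"
    done < "$db"
}

# dhcpd.conf: each known host gets a fixed-address.  There is deliberately no
# "range" and unknown clients are denied, so an unlisted MAC gets no lease.
# use-host-decl-names makes the host name double as option host-name.
gen_dhcpd() {
    recs=$(read_db "$1") || return 1
    printf 'subnet %s netmask %s {\n' "$SUBNET" "$NETMASK"
    printf '\toption routers %s;\n' "$ROUTER"
    printf '\toption domain-name-servers %s;\n' "$ROUTER"
    printf '\toption domain-name "%s";\n' "$DOMAIN"
    printf '\tuse-host-decl-names on;\n\tdeny unknown-clients;\n\n'
    printf '%s\n' "$recs" | while read -r name mac ip; do
        [ -n "$name" ] || continue
        printf '\thost %s {\n\t\thardware ethernet %s;\n\t\tfixed-address %s;\n\t}\n' \
            "$name" "$mac" "$ip"
    done
    printf '}\n'
}

# unbound.conf: A and PTR records for the same hosts.  The zone is static, so
# a name that is not in the DB gets NXDOMAIN instead of being sent upstream.
gen_unbound() {
    recs=$(read_db "$1") || return 1
    printf 'server:\n\tlocal-zone: "%s." static\n' "$DOMAIN"
    printf '%s\n' "$recs" | while read -r name _mac ip; do
        [ -n "$name" ] || continue
        printf '\tlocal-data: "%s.%s. %s IN A %s"\n' "$name" "$DOMAIN" "$TTL" "$ip"
        printf '\tlocal-data-ptr: "%s %s %s.%s"\n' "$ip" "$TTL" "$name" "$DOMAIN"
    done
}

# Command line; does nothing without arguments so the functions can be
# sourced from other scripts.
if [ $# -gt 0 ]; then
    case $1 in
        dhcpd)   gen_dhcpd "${2:?hosts.db}" ;;
        unbound) gen_unbound "${2:?hosts.db}" ;;
        *)       echo "usage: $0 dhcpd|unbound hosts.db" >&2; exit 64 ;;
    esac
fi
```

Check the output before it goes live: dhcpd -n -c /etc/dhcpd.conf.new
parses the new file without serving, and unbound-checkconf validates
unbound.conf together with the include:d local zone file. Only then move
the dhcpd file into place and unbound-control reload. If you prefer
Sonic's variant (fixed-address by name, resolved through unbound when
dhcpd starts), emit "$name.$DOMAIN" in place of "$ip" in gen_dhcpd; the
single source of truth is then the unbound file, and unbound must be up
before dhcpd, which the base rc ordering already guarantees.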



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Stuart Henderson
On 2020-01-06, Raymond, David  wrote:
> I found unbound hard to use so I went back to dnsmasq (a package on
> OpenBSD), which I had used previously on linux.  Trivial configuration
> and it works like a charm in providing DNS service for local and
> remote systems behind a NAT firewall. (It gets local information from
> the host file on the NAT machine.) Optionally, it will also provide
> dhcp service.  (Note that you have to set up a _dnsmasq user/group to
> keep rcctl happy.)

The _dnsmasq user/group are created automatically when you install the package.




Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Steve Litt
On Mon, 6 Jan 2020 09:51:55 -0500
Sonic  wrote:

> On Mon, Jan 6, 2020 at 9:35 AM Steve Litt 
> wrote:
> > I need something like that for my situation. Two questions:
> >
> > 1) Does the preceding setup prevent anyone with a different mac
> > address from getting 192.168.0.68?  
> 
> Via dhcp, yes, it would. Unless they change their MAC address to
> match. They could also manually use the same IP address.
> 
> > 2) Is there a way I can set it up so ONLY specific mac addresses can
> > get a dhcp lease from my server?***  I'd like to keep the man on the
> > street from getting a lease: If I don't know the person and machine
> > ahead of time, I don't want them getting a lease.  
> 
> See the "range" statement for the dhcp subnet, with no range only
> known clients with reserved addresses will get IP addresses assigned.

Nice!

Between you and Paul, I now have all the info to do exactly what I
want. Thanks to both of you!

SteveT

Steve Litt 
December 2019 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Paul de Weerd
On Mon, Jan 06, 2020 at 09:33:44AM -0500, Steve Litt wrote:
| On Mon, 06 Jan 2020 14:03:20 +0100
| "Boudewijn Dijkstra"  wrote:
| 
| 
| > Another way is to configure the DHCP server to give alice the same
| > address every time.
| > 
| > host alice {
| >  hardware ethernet 00:19:b9:e0:2f:de;
| >  fixed-address 192.168.0.68;
| > }
| 
| I need something like that for my situation. Two questions:
| 
| 1) Does the preceding setup prevent anyone with a different mac address
| from getting 192.168.0.68?

That specific snippet of DHCP configuration does not prevent dhcpd
from handing it out to other machines (with different macs).  It
depends on the rest of your configuration and on whether this machine
is currently alive with that address on your network.

If you have configured a range for dynamic allocation that covers the
assigned fixed-address, then that fixed-address may be assigned to
another machine.  This may result in problems for host alice when it
boots.  The easy solution is to not do that: don't have your
statically assigned addresses overlap with the dynamic range.

| 2) Is there a way I can set it up so ONLY specific mac addresses can
| get a dhcp lease from my server?***  I'd like to keep the man on the
| street from getting a lease: If I don't know the person and machine
| ahead of time, I don't want them getting a lease.

If you want to only allow specific MACs, then you'll need to specify
the MAC addresses in the configuration file, and assign each one an
address, so you'll need to pre-assign IPs to MACs.

| *** I presume one way is to set aside just enough IP addresses to cover
| known mac addresses. I was wondering if there's a way that involves
| less arithmetic.

Not sure what arithmetic you're referring to specifically: simply
enumerate all machines by MAC and give each one a static lease
('fixed-address') in your /etc/dhcpd.conf, much like the host 'alice'
in the sample Boudewijn showed you.  Leave out a dynamic 'range' for
unknown clients, and you're done.  This is what I have done in the
past on my private home network.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Sonic
On Mon, Jan 6, 2020 at 9:35 AM Steve Litt  wrote:
> I need something like that for my situation. Two questions:
>
> 1) Does the preceding setup prevent anyone with a different mac address
> from getting 192.168.0.68?

Via dhcp, yes, it would. Unless they change their MAC address to match.
They could also manually use the same IP address.

> 2) Is there a way I can set it up so ONLY specific mac addresses can
> get a dhcp lease from my server?***  I'd like to keep the man on the
> street from getting a lease: If I don't know the person and machine
> ahead of time, I don't want them getting a lease.

See the "range" statement for the dhcp subnet, with no range only
known clients with reserved addresses will get IP addresses assigned.

Chris



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Sonic
On Mon, Jan 6, 2020 at 7:27 AM Anders Andersson  wrote:
> ...
> Every time information has to be entered twice there is room for error
> and inconsistencies, so preferably this list should be automatically
> generated from a simpler file, maybe /etc/hosts.

No need for dual entry or messing with the hosts file, unbound alone
is fine for resolving names.

> ...
> My second and more difficult issue is that I can't seem to find a way
> to feed information from the DHCP server into unbound, so that locally
> assigned hosts can be queried by their hostnames.

You have it backwards, let dhcp use the information in unbound to
assign the reserved address:
===
host alice {
  hardware ethernet 20:9e:02:f5:93:60;
  fixed-address alice.home.lan;
  option host-name "alice";
  }
===

Start unbound before dhcpd in your rc.conf.local (ex):
===
unbound_flags="-c /var/unbound/etc/unbound.conf"
dhcpd_flags="em0"
===

Make sure your resolv.conf points to unbound so that your system can
resolve the local dns names.

Chris



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Steve Litt
On Mon, 06 Jan 2020 14:03:20 +0100
"Boudewijn Dijkstra"  wrote:


> Another way is to configure the DHCP server to give alice the same
> address every time.
> 
> host alice {
>  hardware ethernet 00:19:b9:e0:2f:de;
>  fixed-address 192.168.0.68;
> }

I need something like that for my situation. Two questions:

1) Does the preceding setup prevent anyone with a different mac address
from getting 192.168.0.68?

2) Is there a way I can set it up so ONLY specific mac addresses can
get a dhcp lease from my server?***  I'd like to keep the man on the
street from getting a lease: If I don't know the person and machine
ahead of time, I don't want them getting a lease.

*** I presume one way is to set aside just enough IP addresses to cover
known mac addresses. I was wondering if there's a way that involves
less arithmetic.

Thanks,

SteveT

Steve Litt 
December 2019 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Raymond, David
I found unbound hard to use so I went back to dnsmasq (a package on
OpenBSD), which I had used previously on linux.  Trivial configuration
and it works like a charm in providing DNS service for local and
remote systems behind a NAT firewall. (It gets local information from
the host file on the NAT machine.) Optionally, it will also provide
dhcp service.  (Note that you have to set up a _dnsmasq user/group to
keep rcctl happy.)

Dave Raymond

On 1/6/20, Anders Andersson  wrote:
> I'm in the process of replacing an aging OpenWRT device on my home LAN
> with an apu4d4 running OpenBSD as my personal router.
>
> I would like to use unbound as a caching DNS server for my local
> hosts, but I'm trying to figure out how to handle local hostnames. It
> seems like a common scenario but I can't find a solution that feels
> like the "right" way. I have two problems, one is trivial compared to
> the other.
>
>
> My first and very minor issue is that I would like to register my
> static hosts in a more convenient way than what's currently offered by
> unbound. From what I understand you would configure your local hosts
> something like this:
>
> local-zone: "home.lan." static
> local-data: "laptop.home.lan.IN A 10.0.0.2"
> local-data-ptr: "10.0.0.2  laptop.home.lan"
>
> Every time information has to be entered twice there is room for error
> and inconsistencies, so preferably this list should be automatically
> generated from a simpler file, maybe /etc/hosts. I can of course
> easily write such a script, but I'm wondering if there might be a
> standard, go-to way of doing this.
>
>
>
> My second and more difficult issue is that I can't seem to find a way
> to feed information from the DHCP server into unbound, so that locally
> assigned hosts can be queried by their hostnames. To clarify with an
> example:
>
> 1. I install a new system and in the installation procedure I name it
> "alice".
> 2. "alice" asks for and receives an IP number from my DHCP server.
> 3. Every other machine can now connect to "alice" by name, assuming
> that "alice" informed the DHCP server of its name when asking for an
> address.
>
> Currently this works because OpenWRT is using dnsmasq which is both a
> caching DNS server and a DHCP server, so the left hand knows what the
> right hand is doing. How can I solve this in OpenBSD base without
> jumping through hoops?
>
> Right now I'm considering something that monitors dhcpd.leases for
> changes and updates a running unbound using unbound-control(8) but I
> don't feel confident enough writing such a tool that does not miss a
> lot of corner cases and handle startup/shutdown gracefully. I'm also
> thinking that it can't be such an unusual use case, so someone surely
> must have written such a tool already. I just haven't found any in my
> search.
>
> Or am I doing this the wrong way? I've now read about things like mDNS
> and Zeroconf and Avahi and I'm just getting more and more confused.
> Ideas are welcome!
>
>


-- 
David J. Raymond
david.raym...@nmt.edu
http://physics.nmt.edu/~raymond



Re: dhcpd and unbound on a small LAN

2020-01-06 Thread Boudewijn Dijkstra
On Mon, 06 Jan 2020 13:24:50 +0100, Anders Andersson wrote:

> I'm in the process of replacing an aging OpenWRT device on my home LAN
> with an apu4d4 running OpenBSD as my personal router.
> 
> I would like to use unbound as a caching DNS server for my local
> hosts, but I'm trying to figure out how to handle local hostnames. It
> seems like a common scenario but I can't find a solution that feels
> like the "right" way. I have two problems, one is trivial compared to
> the other.
> 
> 
> My first and very minor issue is that I would like to register my
> static hosts in a more convenient way than what's currently offered by
> unbound. From what I understand you would configure your local hosts
> something like this:
> 
> local-zone: "home.lan." static
> local-data: "laptop.home.lan.IN A 10.0.0.2"
> local-data-ptr: "10.0.0.2  laptop.home.lan"
> 
> Every time information has to be entered twice there is room for error
> and inconsistencies, so preferably this list should be automatically
> generated from a simpler file, maybe /etc/hosts. I can of course
> easily write such a script, but I'm wondering if there might be a
> standard, go-to way of doing this.
> 
> 
> 
> My second and more difficult issue is that I can't seem to find a way
> to feed information from the DHCP server into unbound, so that locally
> assigned hosts can be queried by their hostnames. To clarify with an
> example:
> 
> 1. I install a new system and in the installation procedure I name it
> "alice".
> 2. "alice" asks for and receives an IP number from my DHCP server.
> 3. Every other machine can now connect to "alice" by name, assuming
> that "alice" informed the DHCP server of its name when asking for an
> address.
> 
> Currently this works because OpenWRT is using dnsmasq which is both a
> caching DNS server and a DHCP server, so the left hand knows what the
> right hand is doing. How can I solve this in OpenBSD base without
> jumping through hoops?
> 
> Right now I'm considering something that monitors dhcpd.leases for
> changes and updates a running unbound using unbound-control(8) but I
> don't feel confident enough writing such a tool that does not miss a
> lot of corner cases and handle startup/shutdown gracefully. I'm also
> thinking that it can't be such an unusual use case, so someone surely
> must have written such a tool already. I just haven't found any in my
> search.
> 
> Or am I doing this the wrong way? I've now read about things like mDNS
> and Zeroconf and Avahi and I'm just getting more and more confused.
> Ideas are welcome!

Another way is to configure the DHCP server to give alice the same address
every time.

host alice {
    hardware ethernet 00:19:b9:e0:2f:de;
    fixed-address 192.168.0.68;
}

-- 
Made with Opera's e-mail program: http://www.opera.com/mail/



dhcpd and unbound on a small LAN

2020-01-06 Thread Anders Andersson
I'm in the process of replacing an aging OpenWRT device on my home LAN
with an apu4d4 running OpenBSD as my personal router.

I would like to use unbound as a caching DNS server for my local
hosts, but I'm trying to figure out how to handle local hostnames. It
seems like a common scenario but I can't find a solution that feels
like the "right" way. I have two problems, one is trivial compared to
the other.


My first and very minor issue is that I would like to register my
static hosts in a more convenient way than what's currently offered by
unbound. From what I understand you would configure your local hosts
something like this:

local-zone: "home.lan." static
local-data: "laptop.home.lan.IN A 10.0.0.2"
local-data-ptr: "10.0.0.2  laptop.home.lan"

Every time information has to be entered twice there is room for error
and inconsistencies, so preferably this list should be automatically
generated from a simpler file, maybe /etc/hosts. I can of course
easily write such a script, but I'm wondering if there might be a
standard, go-to way of doing this.



My second and more difficult issue is that I can't seem to find a way
to feed information from the DHCP server into unbound, so that locally
assigned hosts can be queried by their hostnames. To clarify with an
example:

1. I install a new system and in the installation procedure I name it "alice".
2. "alice" asks for and receives an IP number from my DHCP server.
3. Every other machine can now connect to "alice" by name, assuming
that "alice" informed the DHCP server of its name when asking for an
address.

Currently this works because OpenWRT is using dnsmasq which is both a
caching DNS server and a DHCP server, so the left hand knows what the
right hand is doing. How can I solve this in OpenBSD base without
jumping through hoops?

Right now I'm considering something that monitors dhcpd.leases for
changes and updates a running unbound using unbound-control(8) but I
don't feel confident enough writing such a tool that does not miss a
lot of corner cases and handle startup/shutdown gracefully. I'm also
thinking that it can't be such an unusual use case, so someone surely
must have written such a tool already. I just haven't found any in my
search.

Or am I doing this the wrong way? I've now read about things like mDNS
and Zeroconf and Avahi and I'm just getting more and more confused.
Ideas are welcome!