Re: dhcpd and unbound on a small LAN
Morning!

What I have not seen mentioned: dhcpd.conf -> "deny unknown-clients;"

Beware if you use static leases as already mentioned, then dhcpd does *not* feed the IPs to its PF tables when it hands the IP out to the client.

If you do:

    host foobar { hardware ethernet a8:34:6a:e1:1d:1c; }

with the "deny unknown-clients" directive, then the IP is taken from the "range" pool but only for known MACs.

See net/arpd and net/arpwatch packages(7)!

As for your hosts(5) versus unbound(8) problem, I've the following:

    $ whence vihosts
    'doas vi /etc/hosts; hoststounbound'
    $ whence hoststounbound
    'grep -v -e ^# -e ^$ /etc/hosts | hoststounbound.sh hosts > \
        /var/unbound/etc/localzone.hosts.conf; reload-unbound'
    $ whence reload-unbound
    'doas unbound-control -c /var/unbound/etc/unbound.conf reload'

"hoststounbound.sh" is a script that parses hosts(5) lines and outputs a valid unbound.conf(5) config. Feedback, improvements, all welcome:

    #!/bin/sh -eu
    # OpenBSD /bin/sh is ksh(1), so print and [[ ... ]] are available.
    # Usage: hoststounbound.sh [zone] [ttl] < hosts-file
    _zone=${1:-"hosts"}
    _ttl=${2:-"3600"}
    _ip=""
    _names=""
    _name=""
    _line=""
    _word=""

    print "server:\n"
    print "local-zone: \"${_zone}\" transparent\n"

    while read _line; do
        _ip=""
        _names=""
        # first word is the address, the rest are names; stop at a comment
        for _word in $_line; do
            if [[ "X${_word}" == X"#"* ]]; then
                break
            elif [[ -z $_ip ]]; then
                _ip="${_word}"
            else
                _names="${_names}${_word} "
            fi
        done
        #[[ "X${_ip}" == X"127.0.0.1" || "X${_ip}" == X"::1" ]] && continue
        # record type: AAAA for an IPv6 address (contains ':'), A otherwise;
        # unbound rejects local-data without a type, so never leave it empty
        a="A"
        [[ "X${_ip}" == X*":"* ]] && a="AAAA"
        for _name in ${_names}; do
            # "*.example" in hosts(5) becomes a redirect zone for example.
            [[ ${_name%%.*} == "*" ]] && {
                _name=${_name#*.}
                print "local-zone: \"${_name}.\" redirect"
            }
            print "local-data: \"${_name}. ${_ttl} ${a} ${_ip}\""
            [[ "X${_ip}" == X"0.0.0.0" ]] || \
                print "local-data-ptr: \"${_ip} ${_ttl} ${_name}\"\n"
        done
    done

Marcus

pipat...@gmail.com (Anders Andersson), 2020.01.06 (Mon) 13:24 (CET):
> I'm in the process of replacing an aging OpenWRT device on my home LAN with an apu4d4 running OpenBSD as my personal router.
>
> I would like to use unbound as a caching DNS server for my local hosts, but I'm trying to figure out how to handle local hostnames. It seems like a common scenario but I can't find a solution that feels like the "right" way. I have two problems, one is trivial compared to the other.
>
> My first and very minor issue is that I would like to register my static hosts in a more convenient way than what's currently offered by unbound. From what I understand you would configure your local hosts something like this:
>
> local-zone: "home.lan." static
> local-data: "laptop.home.lan. IN A 10.0.0.2"
> local-data-ptr: "10.0.0.2 laptop.home.lan"
>
> Every time information has to be entered twice there is room for error and inconsistencies, so preferably this list should be automatically generated from a simpler file, maybe /etc/hosts. I can of course easily write such a script, but I'm wondering if there might be a standard, go-to way of doing this.
>
> My second and more difficult issue is that I can't seem to find a way to feed information from the DHCP server into unbound, so that locally assigned hosts can be queried by their hostnames. To clarify with an example:
>
> 1. I install a new system and in the installation procedure I name it "alice".
> 2. "alice" asks for and receives an IP number from my DHCP server.
> 3. Every other machine can now connect to "alice" by name, assuming that "alice" informed the DHCP server of its name when asking for an address.
>
> Currently this works because OpenWRT is using dnsmasq which is both a caching DNS server and a DHCP server, so the left hand knows what the right hand is doing. How can I solve this in OpenBSD base without jumping through hoops?
>
> Right now I'm considering something that monitors dhcpd.leases for changes and updates a running unbound using unbound-control(8) but I don't feel confident enough writing such a tool that does not miss a lot of corner cases and handle startup/shutdown gracefully. I'm also thinking that it can't be such an unusual use case, so someone surely must have written such a tool already. I just haven't found any in my search.
>
> Or am I doing this the wrong way? I've now read about things like mDNS and Zeroconf and Avahi and I'm just getting more and more confused. Ideas are welcome!
Re: dhcpd and unbound on a small LAN
> On Jan 6, 2020, at 04:24, Anders Andersson wrote:
> Right now I'm considering something that monitors dhcpd.leases for changes and updates a running unbound using unbound-control(8) but I don't feel confident enough writing such a tool that does not miss a lot of corner cases and handle startup/shutdown gracefully. I'm also thinking that it can't be such an unusual use case, so someone surely must have written such a tool already. I just haven't found any in my search.
>
> Or am I doing this the wrong way? I've now read about things like mDNS and Zeroconf and Avahi and I'm just getting more and more confused. Ideas are welcome!

So, on my little home network, I do the following (well, it’s in progress, but I used to do the same thing with Bind):

1) Run unbound for name resolution for all devices (after the recent discussion about turning your network inside out, I’m debating turning on PF to redirect all DNS queries to my unbound server).

2) I run nsd to provide name services for my domains. So, I use “int.domain.name” for all local addresses. I just point unbound at nsd (running on a different port) for those domains.

3) I use static assignment of IPv4 addresses to *most* of my devices (this is the part in progress). This is what everyone’s talking about using:

    host alice {
        hardware ethernet 00:19:b9:e0:2f:de;
        fixed-address 192.168.0.68;
    }

Of course, I could use dynamic DNS updates for all devices, but I find that as the “owner” of basically everything, it’s easier to have fixed addresses instead. The problem is that for every device I need some sort of DB that includes the ETHERNET address as well as the IP address (because devices get replaced, etc., but I want to keep the name and the IP, but change the ethernet). From that, I can generate both the dhcpd.conf file *and* the nsd PTR and A records. That’s the bit I’m working on now.

The upshot is that unbound redirects certain domains to nsd, NSD controls all the domains (both my internal ones and some external ones) and DHCPD points all the clients to unbound for name resolution. I have a small range for non-known devices — I don’t mind friends coming over and using my wireless. Soon I hope to put THOSE devices on another vlan and give them rate-limited access. But I haven’t finished the whole “create everything from one DB” yet, so... WIP.

Yes, I could just have unbound return addresses for the local network, but what’s the fun in that? :-)

Sean
Re: dhcpd and unbound on a small LAN
On Mon, Jan 6, 2020 at 9:26 AM Sonic wrote:
>
> You have it backwards, let dhcp use the information in unbound to assign the reserved address:
> ===
> host alice {
>     hardware ethernet 20:9e:02:f5:93:60;
>     fixed-address alice.home.lan;
>     option host-name "alice";
> }
> ===

This is how I do it too, except simplified further by setting the use-host-decl-names option at a higher scope (see dhcpd.conf(5)); then you don't need "option host-name ..." for each host.

> Start unbound before dhcpd in your rc.conf.local (ex):
> ===
> unbound_flags="-c /var/unbound/etc/unbound.conf"
> dhcpd_flags="em0"
> ===

The order of directives in rc.conf.local does not matter, as the order of base daemons is hardcoded in /etc/rc (and does indeed start unbound before dhcpd); as a matter of fact, 'rcctl enable foo' will sort the file! (I personally dislike this behavior, since it moves comment lines away from the things they're commenting on, but I digress...) The only order that does matter is words within the pkg_scripts setting, which orders those relative to each other.

> Make sure your resolv.conf points to unbound so that your system can resolve the local dns names.

If your uplink interface is configured as DHCP, this will need to be set in dhclient.conf, e.g. "supersede domain-name-servers 127.0.0.1".

-Andrew
Re: dhcpd and unbound on a small LAN
On 2020-01-06, Raymond, David wrote:
> I found unbound hard to use so I went back to dnsmasq (a package on OpenBSD), which I had used previously on linux. Trivial configuration and it works like a charm in providing DNS service for local and remote systems behind a NAT firewall. (It gets local information from the host file on the NAT machine.) Optionally, it will also provide dhcp service. (Note that you have to set up a _dnsmasq user/group to keep rcctl happy.)

The _dnsmasq user/group are created automatically when you install the package.
Re: dhcpd and unbound on a small LAN
On Mon, 6 Jan 2020 09:51:55 -0500 Sonic wrote:
> On Mon, Jan 6, 2020 at 9:35 AM Steve Litt wrote:
> > I need something like that for my situation. Two questions:
> >
> > 1) Does the preceding setup prevent anyone with a different mac address from getting 192.168.0.68?
>
> Via dhcp, yes, it would. Unless they change their MAC address to match. They could also manually use the same IP address.
>
> > 2) Is there a way I can set it up so ONLY specific mac addresses can get a dhcp lease from my server?*** I'd like to keep the man on the street from getting a lease: If I don't know the person and machine ahead of time, I don't want them getting a lease.
>
> See the "range" statement for the dhcp subnet, with no range only known clients with reserved addresses will get IP addresses assigned.

Nice! Between you and Paul, I now have all the info to do exactly what I want. Thanks to both of you!

SteveT

Steve Litt
December 2019 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21
Re: dhcpd and unbound on a small LAN
On Mon, Jan 06, 2020 at 09:33:44AM -0500, Steve Litt wrote:
| On Mon, 06 Jan 2020 14:03:20 +0100
| "Boudewijn Dijkstra" wrote:
|
| > Another way is to configure the DHCP server to give alice the same
| > address every time.
| >
| > host alice {
| >     hardware ethernet 00:19:b9:e0:2f:de;
| >     fixed-address 192.168.0.68;
| > }
|
| I need something like that for my situation. Two questions:
|
| 1) Does the preceding setup prevent anyone with a different mac address
| from getting 192.168.0.68?

That specific snippet of DHCP configuration does not prevent dhcpd from handing it out to other machines (with different macs). It depends on the rest of your configuration and on whether this machine is currently alive with that address on your network. If you have configured a range for dynamic allocation that covers the assigned fixed-address, then that fixed-address may be assigned to another machine. This may result in problems for host alice when it boots.

The easy solution is to not do that: don't have your statically assigned addresses overlap with the dynamic range.

| 2) Is there a way I can set it up so ONLY specific mac addresses can
| get a dhcp lease from my server?*** I'd like to keep the man on the
| street from getting a lease: If I don't know the person and machine
| ahead of time, I don't want them getting a lease.

If you want to only allow specific MACs, then you'll need to specify the MAC addresses in the configuration file, and assign each one an address, so you'll need to pre-assign IPs to MACs.

| *** I presume one way is to set aside just enough IP addresses to cover
| known mac addresses. I was wondering if there's a way that involves
| less arithmetic.

Not sure what arithmetic you're referring to specifically: simply enumerate all machines by MAC and give each one a static lease ('fixed-address') in your /etc/dhcpd.conf, much like the host 'alice' in the sample Boudewijn showed you. Leave out a dynamic 'range' for unknown clients, and you're done.

This is what I have done in the past on my private home network.

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
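As an added example (not code from anyone in this thread), here is the "one DB for everything" generator Sean describes, combined with Paul's check that no fixed-address overlaps the dynamic range: it takes a constructed inventory of (name, MAC, address) rows, refuses to render if a fixed-address falls inside the range or a MAC/IP is reused, and emits both the dhcpd.conf host declarations and the matching unbound local-data. The hostnames, MACs, addresses, zone and range below are constructed sample values.

```python
import ipaddress
import re

# Constructed sample inventory (hypothetical values, not from the thread):
# one row per address, the single table Sean describes generating both
# files from. IPv6 rows get unbound records only: OpenBSD dhcpd(8) is IPv4-only.
INVENTORY = [
    ("alice",  "00:19:b9:e0:2f:de", "192.168.0.68"),
    ("laptop", "a8:34:6a:e1:1d:1c", "192.168.0.70"),
    ("laptop", "a8:34:6a:e1:1d:1c", "fd00::70"),
]
ZONE = "home.lan"
DYNAMIC_RANGE = ("192.168.0.100", "192.168.0.199")  # the "range" for unknown clients
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def validate(inventory, dyn_range):
    """Return a list of problems; an empty list means the table is consistent."""
    lo, hi = (ipaddress.ip_address(a) for a in dyn_range)
    problems, seen_ip, seen_mac = [], {}, {}
    for name, mac, ip in inventory:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"{name}: malformed MAC {mac}")
        addr = ipaddress.ip_address(ip)
        # Paul's caveat: a fixed-address inside the dynamic pool can be leased
        # to an unknown client while the host is down, so refuse to render it.
        if addr.version == 4 and lo <= addr <= hi:
            problems.append(f"{name}: fixed-address {ip} lies inside the dynamic range")
        if ip in seen_ip and seen_ip[ip] != name:
            problems.append(f"{name}: {ip} is already assigned to {seen_ip[ip]}")
        if mac in seen_mac and seen_mac[mac] != name:
            problems.append(f"{name}: MAC {mac} is already used by {seen_mac[mac]}")
        seen_ip.setdefault(ip, name)
        seen_mac.setdefault(mac, name)
    return problems


def dhcpd_hosts(inventory):
    """Render dhcpd.conf(5) host declarations for the IPv4 rows."""
    out = []
    for name, mac, ip in inventory:
        if ipaddress.ip_address(ip).version == 4:
            out.append(f"host {name} {{\n\thardware ethernet {mac.lower()};\n"
                       f"\tfixed-address {ip};\n}}")
    return "\n".join(out) + "\n"


def unbound_local(inventory, zone, ttl=3600):
    """Render unbound.conf(5) local-zone, local-data and local-data-ptr lines."""
    out = [f'local-zone: "{zone}." static']
    for name, _mac, ip in inventory:
        rtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
        fqdn = f"{name}.{zone}"
        out.append(f'local-data: "{fqdn}. {ttl} IN {rtype} {ip}"')
        out.append(f'local-data-ptr: "{ip} {ttl} {fqdn}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    errs = validate(INVENTORY, DYNAMIC_RANGE)
    if errs:
        raise SystemExit("\n".join(errs))
    print(dhcpd_hosts(INVENTORY))
    print(unbound_local(INVENTORY, ZONE))
```

Run it after each inventory change and feed the two outputs to dhcpd.conf and an unbound include file; an unbound-control reload, as Marcus does, then picks up the DNS side.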
Re: dhcpd and unbound on a small LAN
On Mon, Jan 6, 2020 at 9:35 AM Steve Litt wrote:
> I need something like that for my situation. Two questions:
>
> 1) Does the preceding setup prevent anyone with a different mac address from getting 192.168.0.68?

Via dhcp, yes, it would. Unless they change their MAC address to match. They could also manually use the same IP address.

> 2) Is there a way I can set it up so ONLY specific mac addresses can get a dhcp lease from my server?*** I'd like to keep the man on the street from getting a lease: If I don't know the person and machine ahead of time, I don't want them getting a lease.

See the "range" statement for the dhcp subnet, with no range only known clients with reserved addresses will get IP addresses assigned.

Chris
Re: dhcpd and unbound on a small LAN
On Mon, Jan 6, 2020 at 7:27 AM Anders Andersson wrote:
> ...
> Every time information has to be entered twice there is room for error and inconsistencies, so preferably this list should be automatically generated from a simpler file, maybe /etc/hosts.

No need for dual entry or messing with the hosts file, unbound alone is fine for resolving names.

> ...
> My second and more difficult issue is that I can't seem to find a way to feed information from the DHCP server into unbound, so that locally assigned hosts can be queried by their hostnames.

You have it backwards, let dhcp use the information in unbound to assign the reserved address:
===
host alice {
    hardware ethernet 20:9e:02:f5:93:60;
    fixed-address alice.home.lan;
    option host-name "alice";
}
===

Start unbound before dhcpd in your rc.conf.local (ex):
===
unbound_flags="-c /var/unbound/etc/unbound.conf"
dhcpd_flags="em0"
===

Make sure your resolv.conf points to unbound so that your system can resolve the local dns names.

Chris
Re: dhcpd and unbound on a small LAN
On Mon, 06 Jan 2020 14:03:20 +0100 "Boudewijn Dijkstra" wrote:
> Another way is to configure the DHCP server to give alice the same address every time.
>
> host alice {
>     hardware ethernet 00:19:b9:e0:2f:de;
>     fixed-address 192.168.0.68;
> }

I need something like that for my situation. Two questions:

1) Does the preceding setup prevent anyone with a different mac address from getting 192.168.0.68?

2) Is there a way I can set it up so ONLY specific mac addresses can get a dhcp lease from my server?*** I'd like to keep the man on the street from getting a lease: If I don't know the person and machine ahead of time, I don't want them getting a lease.

*** I presume one way is to set aside just enough IP addresses to cover known mac addresses. I was wondering if there's a way that involves less arithmetic.

Thanks,

SteveT

Steve Litt
December 2019 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21
Re: dhcpd and unbound on a small LAN
I found unbound hard to use so I went back to dnsmasq (a package on OpenBSD), which I had used previously on linux. Trivial configuration and it works like a charm in providing DNS service for local and remote systems behind a NAT firewall. (It gets local information from the host file on the NAT machine.) Optionally, it will also provide dhcp service. (Note that you have to set up a _dnsmasq user/group to keep rcctl happy.)

Dave Raymond

On 1/6/20, Anders Andersson wrote:
> I'm in the process of replacing an aging OpenWRT device on my home LAN with an apu4d4 running OpenBSD as my personal router.
>
> I would like to use unbound as a caching DNS server for my local hosts, but I'm trying to figure out how to handle local hostnames. It seems like a common scenario but I can't find a solution that feels like the "right" way. I have two problems, one is trivial compared to the other.
>
> My first and very minor issue is that I would like to register my static hosts in a more convenient way than what's currently offered by unbound. From what I understand you would configure your local hosts something like this:
>
> local-zone: "home.lan." static
> local-data: "laptop.home.lan. IN A 10.0.0.2"
> local-data-ptr: "10.0.0.2 laptop.home.lan"
>
> Every time information has to be entered twice there is room for error and inconsistencies, so preferably this list should be automatically generated from a simpler file, maybe /etc/hosts. I can of course easily write such a script, but I'm wondering if there might be a standard, go-to way of doing this.
>
> My second and more difficult issue is that I can't seem to find a way to feed information from the DHCP server into unbound, so that locally assigned hosts can be queried by their hostnames. To clarify with an example:
>
> 1. I install a new system and in the installation procedure I name it "alice".
> 2. "alice" asks for and receives an IP number from my DHCP server.
> 3. Every other machine can now connect to "alice" by name, assuming that "alice" informed the DHCP server of its name when asking for an address.
>
> Currently this works because OpenWRT is using dnsmasq which is both a caching DNS server and a DHCP server, so the left hand knows what the right hand is doing. How can I solve this in OpenBSD base without jumping through hoops?
>
> Right now I'm considering something that monitors dhcpd.leases for changes and updates a running unbound using unbound-control(8) but I don't feel confident enough writing such a tool that does not miss a lot of corner cases and handle startup/shutdown gracefully. I'm also thinking that it can't be such an unusual use case, so someone surely must have written such a tool already. I just haven't found any in my search.
>
> Or am I doing this the wrong way? I've now read about things like mDNS and Zeroconf and Avahi and I'm just getting more and more confused. Ideas are welcome!
>

--
David J. Raymond
david.raym...@nmt.edu
http://physics.nmt.edu/~raymond
Re: dhcpd and unbound on a small LAN
On Mon, 06 Jan 2020 13:24:50 +0100, Anders Andersson wrote:
> I'm in the process of replacing an aging OpenWRT device on my home LAN with an apu4d4 running OpenBSD as my personal router.
>
> I would like to use unbound as a caching DNS server for my local hosts, but I'm trying to figure out how to handle local hostnames. It seems like a common scenario but I can't find a solution that feels like the "right" way. I have two problems, one is trivial compared to the other.
>
> My first and very minor issue is that I would like to register my static hosts in a more convenient way than what's currently offered by unbound. From what I understand you would configure your local hosts something like this:
>
> local-zone: "home.lan." static
> local-data: "laptop.home.lan. IN A 10.0.0.2"
> local-data-ptr: "10.0.0.2 laptop.home.lan"
>
> Every time information has to be entered twice there is room for error and inconsistencies, so preferably this list should be automatically generated from a simpler file, maybe /etc/hosts. I can of course easily write such a script, but I'm wondering if there might be a standard, go-to way of doing this.
>
> My second and more difficult issue is that I can't seem to find a way to feed information from the DHCP server into unbound, so that locally assigned hosts can be queried by their hostnames. To clarify with an example:
>
> 1. I install a new system and in the installation procedure I name it "alice".
> 2. "alice" asks for and receives an IP number from my DHCP server.
> 3. Every other machine can now connect to "alice" by name, assuming that "alice" informed the DHCP server of its name when asking for an address.
>
> Currently this works because OpenWRT is using dnsmasq which is both a caching DNS server and a DHCP server, so the left hand knows what the right hand is doing. How can I solve this in OpenBSD base without jumping through hoops?
>
> Right now I'm considering something that monitors dhcpd.leases for changes and updates a running unbound using unbound-control(8) but I don't feel confident enough writing such a tool that does not miss a lot of corner cases and handle startup/shutdown gracefully. I'm also thinking that it can't be such an unusual use case, so someone surely must have written such a tool already. I just haven't found any in my search.
>
> Or am I doing this the wrong way? I've now read about things like mDNS and Zeroconf and Avahi and I'm just getting more and more confused. Ideas are welcome!

Another way is to configure the DHCP server to give alice the same address every time.

    host alice {
        hardware ethernet 00:19:b9:e0:2f:de;
        fixed-address 192.168.0.68;
    }

--
Made with Opera's e-mail program: http://www.opera.com/mail/
dhcpd and unbound on a small LAN
I'm in the process of replacing an aging OpenWRT device on my home LAN with an apu4d4 running OpenBSD as my personal router.

I would like to use unbound as a caching DNS server for my local hosts, but I'm trying to figure out how to handle local hostnames. It seems like a common scenario but I can't find a solution that feels like the "right" way. I have two problems, one is trivial compared to the other.

My first and very minor issue is that I would like to register my static hosts in a more convenient way than what's currently offered by unbound. From what I understand you would configure your local hosts something like this:

    local-zone: "home.lan." static
    local-data: "laptop.home.lan. IN A 10.0.0.2"
    local-data-ptr: "10.0.0.2 laptop.home.lan"

Every time information has to be entered twice there is room for error and inconsistencies, so preferably this list should be automatically generated from a simpler file, maybe /etc/hosts. I can of course easily write such a script, but I'm wondering if there might be a standard, go-to way of doing this.

My second and more difficult issue is that I can't seem to find a way to feed information from the DHCP server into unbound, so that locally assigned hosts can be queried by their hostnames. To clarify with an example:

1. I install a new system and in the installation procedure I name it "alice".
2. "alice" asks for and receives an IP number from my DHCP server.
3. Every other machine can now connect to "alice" by name, assuming that "alice" informed the DHCP server of its name when asking for an address.

Currently this works because OpenWRT is using dnsmasq which is both a caching DNS server and a DHCP server, so the left hand knows what the right hand is doing. How can I solve this in OpenBSD base without jumping through hoops?

Right now I'm considering something that monitors dhcpd.leases for changes and updates a running unbound using unbound-control(8) but I don't feel confident enough writing such a tool that does not miss a lot of corner cases and handle startup/shutdown gracefully. I'm also thinking that it can't be such an unusual use case, so someone surely must have written such a tool already. I just haven't found any in my search.

Or am I doing this the wrong way? I've now read about things like mDNS and Zeroconf and Avahi and I'm just getting more and more confused. Ideas are welcome!