Discussion:
[Dnsmasq-discuss] Windows ipv6 hostname
Markus Hartung
2016-12-23 09:39:20 UTC
Hey guys.
By default the windows firewall blocks ICMPv4 and ICMPv6 ECHO
requests, not ICMP in general. This causes several issues, so whenever
I set up a Windows machine this is one of the first things to disable.
Markus' mails were initially saying that he uses "ra-names", so it's
definitely not stateful DHCPv6. Maybe he changed in between, but I
wanted to post this here, what one must do for "ra-names" to work:
- Disable firewall rule to block ICMP v4 and also ICMP v6 ECHO
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
Uwe
Aye, I was initially using ra-names since I didn't get DHCPv6 working.
It turned out that the firewall on the server was the issue. DHCPv6 is
preferred for me though as it doesn't have the drawback that it doesn't
work out-of-the-box on windows hosts.


I tried installing win 10 home in a virtual machine and it sends its
FQDN in the DHCP-request and then the server knows the name of the host
it is going to add an A- and AAAA-record.

So my theory that it was the windows 10 edition was wrong.

When I was trying with trial and error to find the issue I got a crazy
idea to test plugging in an ethernet cable, then all was working as
intended. My host sends its FQDN in its DHCP-request and it gets
registered correctly in the lease list with the hostname.

So the culprit seems to be that when it is on wifi it doesn't send the FQDN.

Is there a way to flush the lease database in dnsmasq? I have tried
removing the line in /var/lib/misc/dnsmasq.leases and restart dnsmasq
but my laptop still gets the same IP-address. Or is it that dnsmasq uses
the mac-address to generate same IP-address every time?

Merry X-mas.
Markus
Markus Hartung
2016-12-22 15:42:57 UTC
Windows Vista has (good quality) support for DHCPv6 and IIRC new
versions of Windows use same/similar implementation. So I think
Windows 10 should work (no idea if some advanced configuration is
needed)... Also at that time Windows Vista had correct implementation of
using RA prefix together with assigned DHCPv6 address. (In contrast
common linux ISC DHCPv6 client is still broken and hardcodes /64 prefix
even if RA announces different).
All right, hope they haven't screwed up anything in later versions of
windows.
It is common behaviour that all firewalls block everything except some
exceptions. It is also good for security reasons.
DHCP is using IPv4 and DHCPv6 is obviously using IPv6. And IPv6 network
stack is independent of IPv4, so you need to configure your firewall
differently for IPv4 and IPv6 (e.g. iptables vs. ip6tables).
And because DHCP and DHCPv6 are *different* protocols, they should not
be used on same ports. If you look at DNS there is no DNSv6 or so. DNS
is same over IPv4 and IPv6.
You cannot ask for IPv6 address via DHCP or IPv4 via DHCPv6. But you can
resolve AAAA record (IPv6) via IPv4 connection to DNS, so hence DNS is
only one.
If you cannot memorize number of tcp or udp ports for some services,
just look into /etc/services file.
$ grep -E -i 'dhcp|bootp' /etc/services
bootps 67/tcp # BOOTP server
bootps 67/udp
bootpc 68/tcp # BOOTP client
bootpc 68/udp
dhcpv6-client 546/tcp
dhcpv6-client 546/udp
dhcpv6-server 547/tcp
dhcpv6-server 547/udp
Thanks for the insight. There were no rules in ufw about dhcp-client
and server, my guess is that most want ipv4 and most don't care/know
about ipv6.
I remember that Windowses act differently if they are configured to be
part of domain or if they have set some domain name or if they have
configured some workgroup or if they have enabled sharing for small home
networks... This is just my observation and maybe one of those settings
is different on working and non working host?
I could not help you with Windows 10, but try to look at different
network settings in Windows. Maybe you find something...
I have windows 10 pro on the working host and "only" windows 10 home on
the non-working. Perhaps on the home version it's assumed that the dhcp
server is just handling dhcp for a few hosts and therefore the
dns-handling is to be handled by the dns-server via a "dynamic update"
message to the dns-server (which dnsmasq claims to not support).

And on pro version it is assumed to have more infrastructure in the dhcp
server.

Just a theory though. I can try installing a home version in a virtual
machine and test out the hypothesis. I'm going to see if I can upgrade
my home to pro if that is the issue.


BR,
Markus
Pali Rohár
2016-12-22 13:15:46 UTC
Another option is to stop using SLAAC and start using DHCPv6 where
you have full control of assigned IPv6 addresses.
Such feature like host will "randomly" choose address is unsuitable
for setup when you need to have control of which address is
assigned to which device (e.g in this setup when you want to
assign AAAA record).
That would of course be the optimal solution, is there a way to get
dnsmasq to do DHCPv6 and also add AAAA-records or any third-party
programs/tools to achieve that?
IIRC dnsmasq supports it.
--
Pali Rohár
***@gmail.com
w***@gmail.com
2016-12-21 02:30:56 UTC
$ cat /var/lib/misc/dnsmasq.leases
1482365715 3e:XX:XX:XX:XX:02 192.168.1.184 * 01:3e:XX:XX:XX:XX:02
1482334524 00:YY:YY:YY:YY:67 192.168.1.133 hostname *
I have masked the MAC-address,
MACs are only good on the local link... once through a router, the original MACs
are lost to anything further down stream... this is like masking RFC-1918
addresses ;)
--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
Ziggy SpaceRat
2016-12-20 11:57:50 UTC
will use the same address on every network). So I would expect more and
more clients to adopt the privacy-preserving approach. I believe
NetworkManager has support for it on Linux, but am not sure if it's
enabled by default.
New installations of Debian and Ubuntu enable it by default.
Thanks for the information, but I have managed to compile ohybridproxy
Haven't had time to play with it myself yet, so can't be of much help
ohybridproxy won't help:
It is limited to mDNS/avahi.
Windows does not support mDNS/avahi.

It would help though if DNSMasq contained a combined mDNS/LLMNR
resolver.

If one compiles avahi with an LLMNR patch, it can resolve hosts that
do mDNS and hosts that do LLMNR:

***@linux ~ # avahi-resolve -6n windows.local
windows.local fe80::96de:80ff:fe12:3456

It should be possible to add the LLMNR-patched resolver part of avahi
to DNSMasq.
--
Mit freundlichen Grüssen
Ziggy SpaceRat
Pali Rohár
2016-12-20 11:53:34 UTC
...
https://tools.ietf.org/html/rfc7217
If this is the case, there is no way for dnsmasq to predict the
IPv6 address of a new client (which is what ra-names relies on),
and so you can't get the AAAA record.
It's a shame the windows 10 IPv6 implementation lacks that stuff.
Well, arguably the Windows 10 behaviour is a feature - RFC7217 was
written because the EUI-64 based approach has privacy issues (the
client will use the same address on every network). So I would
expect more and more clients to adopt the privacy-preserving
approach. I believe NetworkManager has support for it on Linux, but
am not sure if it's enabled by default.
Another option is to stop using SLAAC and start using DHCPv6 where you
have full control of assigned IPv6 addresses.

Such feature like host will "randomly" choose address is unsuitable for
setup when you need to have control of which address is assigned to
which device (e.g in this setup when you want to assign AAAA record).
https://github.com/sbyx/ohybridproxy - this will query mdns on the
network for AAAA records when asked. However, I am not sure if
there is a way to integrate this with the authoritative server in
dnsmasq (but if there is, I would love to know about it).
Thanks for the information, but I have managed to compile
ohybridproxy and have no idea on how to use it.
Haven't had time to play with it myself yet, so can't be of much help
there; but as I understand it, the idea is that you configure the
proxy to use a particular domain, and then point dnsmasq at it with
--server. Don't think this will integrate with the auth server
mechanism in dnsmasq, though; not sure if there's a way to achieve
that.
The alternative is to turn off the private addresses in Windows 10,
of course (as Michael suggested).
--
Pali Rohár
Michael Stilkerich
2016-12-20 07:59:59 UTC
Hello Markus,

Windows 10 by default uses randomized identifiers instead of the MAC
address. You can turn this off using the following command in an admin
shell:

netsh interface ipv6 set global randomizeidentifiers=disabled

In addition to that, make sure that the Windows computer replies to the
ICMP echo requests that dnsmasq uses to check if the address is in use.

With this setting the Windows computer should still use temporary
addresses to initiate outgoing connections, but be reachable on EUI-64
based address.

-Mike
Hello,
Anyone here that is more knowledgeable about IPv6 and Windows 10 hosts?
I have set up my dnsmasq as an authoritative DNS server and have enabled
enable-ra
dhcp-range=tag:eno1,::1,::FFFF,constructor:eno1,ra-names,24h
It seems that my linux hosts are correctly getting an IPv6 address and
registers correctly an AAAA-record in the DNS server.
My Windows 10 host gets an IPv6 address but doesn't get any
AAAA-record.
Can anyone shed any light on the situation? Do the linux and windows
hosts get their IPv6 differently? And is there a way to get windows to
register an AAAA-record?
Cheers,
Markus
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Pali Rohár
2016-12-26 09:29:26 UTC
Post by Markus Hartung
Is there a way to flush the lease database in dnsmasq? I have tried
removing the line in /var/lib/misc/dnsmasq.leases and restart dnsmasq
but my laptop still gets the same IP-address. Or is it that dnsmasq
uses the mac-address to generate same IP-address every time?
Removing lease database file when dnsmasq is not running should be
enough.

But dhcp client can try to "renew" already assigned IP address and dhcp
client (dnsmasq) can extend this lease if nobody is using requested ip
address.

So you should remove both *client* and *server* databases to prevent
such situation.

I think it is possible to configure dnsmasq to assign only configured
ipv4 address for mac address.

For dhcpv6 I have own dnsmasq patches which assign ipv6 address based on
mac address...
--
Pali Rohár
***@gmail.com
Markus Hartung
2016-12-26 13:50:41 UTC
Hello,
Post by Pali Rohár
Post by Markus Hartung
Is there a way to flush the lease database in dnsmasq? I have tried
removing the line in /var/lib/misc/dnsmasq.leases and restart dnsmasq
but my laptop still gets the same IP-address. Or is it that dnsmasq
uses the mac-address to generate same IP-address every time?
Removing lease database file when dnsmasq is not running should be
enough.
But dhcp client can try to "renew" already assigned IP address and dhcp
client (dnsmasq) can extend this lease if nobody is using requested ip
address.
So you should remove both *client* and *server* databases to prevent
such situation.
I think it is possible to configure dnsmasq to assign only configured
ipv4 address for mac address.
For dhcpv6 I have own dnsmasq patches which assign ipv6 address based on
mac address...
That could be interesting with such a patch. Is there any reason it hasn't been accepted?

What I need is just a way for a given mac-address dnsmasq should be informed of the hostname.

BR,
Markus
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Pali Rohár
2016-12-26 14:03:17 UTC
Post by Markus Hartung
Post by Pali Rohár
For dhcpv6 I have own dnsmasq patches which assign ipv6 address based on
mac address...
That could be interesting with such a patch. Is there any reason it hasn't been accepted?
See discussion:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q1/010135.html
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q1/thread.html#10135

Simon did not respond about it for 11 months... so I do not know.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q4/010885.html
Post by Markus Hartung
What I need is just a way for a given mac-address dnsmasq should be
informed of the hostname.
Anyway, dnsmasq has already some support for mac-address in DHCPv6...
--
Pali Rohár
***@gmail.com
Markus Hartung
2017-01-01 23:46:14 UTC
Happy new year!

I didn't manage to get my windows 10 to send a hostname, but I settled
with a workaround in the dnsmasq config.

If I add a dhcp-host entry like this but without any ip-address I get
dnsmasq to add the host correctly in the dns.

dhcp-host=3e:fa:72:5b:c7:02,carlsberg

So now my lease-file looks like this:

1483400087 3e:fa:72:5b:c7:02 192.168.1.184 carlsberg 01:3e:fa:72:5b:c7:02
1483400345 171899506 2001:470:28:6ac::e82c carlsberg 00:03:00:01:3e:fa:72:5b:c7:02

Before the dhcp-host entry I just had a * on the entry. So now my host
has an AAAA-record like I wanted in the first place and also I don't have
it hardcoded to a specific ip-address.

BR,

Markus
Post by Pali Rohár
Post by Markus Hartung
Post by Pali Rohár
For dhcpv6 I have own dnsmasq patches which assign ipv6 address based on
mac address...
That could be interesting with such a patch. Is there any reason it hasn't been accepted?
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q1/010135.html
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q1/thread.html#10135
Simon did not respond about it for 11 months... so I do not know.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q4/010885.html
Post by Markus Hartung
What I need is just a way for a given mac-address dnsmasq should be
informed of the hostname.
Anyway, dnsmasq has already some support for mac-address in DHCPv6...
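A parser for the lease lines posted in this thread, as an added example that is not part of the thread or of dnsmasq. It shows that the DHCPv6 client identifier in the last lease is a DUID-LL carrying the same MAC as the IPv4 lease, and lists hosts still recorded with `*` as their name. The field order is read off the posted lines; the `duid` line, the nameless `02:00:00:00:00:01` entry and the function names are constructed for illustration.

```python
import ipaddress

# Lease lines as posted in the thread, plus one constructed nameless entry
# (the 02:00:00:00:00:01 host) and a constructed server "duid" line.
LEASES = """\
duid 00:01:00:01:00:00:00:00:02:00:00:00:00:ff
1483400087 3e:fa:72:5b:c7:02 192.168.1.184 carlsberg 01:3e:fa:72:5b:c7:02
1483400345 171899506 2001:470:28:6ac::e82c carlsberg 00:03:00:01:3e:fa:72:5b:c7:02
1483400500 02:00:00:00:00:01 192.168.1.190 * 01:02:00:00:00:00:01
"""

def mac_from_duid(duid: str):
    """MAC embedded in an Ethernet DUID-LLT (type 1) or DUID-LL (type 3), else None."""
    try:
        raw = bytes.fromhex(duid.replace(":", ""))
    except ValueError:
        return None
    if len(raw) < 4 or raw[2:4] != b"\x00\x01":      # hardware type 1 = Ethernet
        return None
    if raw[:2] == b"\x00\x03" and len(raw) == 10:    # type, hwtype, MAC
        mac = raw[4:]
    elif raw[:2] == b"\x00\x01" and len(raw) == 14:  # type, hwtype, time, MAC
        mac = raw[8:]
    else:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def parse_leases(text: str):
    """Parse lease lines into dicts; the second field is a MAC (v4) or an IAID (v6)."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:                 # skips blanks and the "duid" line
            continue
        expiry, second, addr, name, client_id = fields
        ip = ipaddress.ip_address(addr)
        mac = second if ip.version == 4 else mac_from_duid(client_id)
        leases.append({"expiry": int(expiry), "ip": ip, "mac": mac,
                       "name": None if name == "*" else name})
    return leases

def macs_without_name(leases):
    """MACs of leases recorded with '*' in the name field."""
    return sorted({l["mac"] for l in leases if l["name"] is None and l["mac"]})

if __name__ == "__main__":
    for lease in parse_leases(LEASES):
        print(lease["ip"], lease["mac"], lease["name"])
    print("no name for:", macs_without_name(parse_leases(LEASES)))
```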