[Cerowrt-devel] dnsmasq ipv6 stuff
Dave Taht
dave.taht at gmail.com
Tue Jan 22 18:12:09 EST 2013
On Tue, Jan 22, 2013 at 1:52 PM, Chris Lawrence <lordsutch at gmail.com> wrote:
> On Tue, Jan 22, 2013 at 1:40 AM, Dave Taht <dave.taht at gmail.com> wrote:
> > I think that's this in /etc/dnsmasq.conf
> >
> > dhcp-range=se00,1234::, ra-stateless, ra-names
> > dhcp-range=sw00,1234::, ra-stateless, ra-names
> > dhcp-range=sw10,1234::, ra-stateless, ra-names
> > dhcp-range=gw00,1234::, ra-stateless, ra-names
> > dhcp-range=gw10,1234::, ra-stateless, ra-names
> >
> > It's kind of unclear to me what 1234 could be replaced with.
> > "ce30" works for me...
>
> Using ::1 on each will autoassign the addresses based on the address
> of the interface, which seems like a sensible default no matter what
> network address you have. Having said that I found that with
> ra-stateless enabled, at least one device on my network would send
> DHCPv6 requests that crashed dnsmasq. So I have:
>
> dhcp-range=::1,constructor:se00,ra-names
> (etc.)
>
My own objection to ::1 is that it provides both an easy mnemonic for people
to manage their networks AND an easier vector for attacks from the outside
world.
J.random.badscript only has to ping ::1 on every subnet in your delegation
to try and hit all the routers.
That said, I think the humans are going to win on this one, even though the
dns integration with ipv6 and dnsmasq is tighter than it's ever been before.
One thing that does bother me though, from a simplification standpoint, is
I wouldn't mind using up some of that extra address space to gain larger
ephemeral port ranges for things like dns service and to make it easier to
analyze traffic. I remember back in the 90s when we used to have one ip
address per web host.... it was a PITA then because of address scarcity.
I have been liking ipv6's integration with virtual machines. No more port
forwarding, yea! A raft of unupdated vm machines running boo.
> I think with test11 that can be further simplified to:
>
> dhcp-range=::1,constructor:*,ra-names
>
> This uses SLAAC only, which seems sufficient for my network purposes.
> I tried adding an end to the range to see if that was the problem with
> DHCP, but that doesn't seem to help, at least in test10.
>
>
I won't mind providing some examples of syntax, and I can imagine that a
guest network might use slaac and an internal network try to use dhcp.
The new constructor thing is neat. Though I've read the man page section on
it 3 times, and still don't get it all.
And now there's a new authoritative dns support documented in the man
page...
It has long been my hope to be able to publish AAAA records in the public
dns, and this will let you do that. Still unclear as to how to just export
AAAAs and not As....
Another one of my hopes has been to get one name for a machine with two
interfaces somehow, someday.
Anyway, I'm liking it...
> The other thing I noticed in 3.7.2-4 is that both dnsmasq and
> dnsmasq-dhcpv6 are installed, but the dnsmasq binary is actually the
> non-v6 version unless you reinstall the dnsmasq-dhcpv6 package
> (according to upstream OpenWRT, only one or the other should be
> installed since they conflict).
>
I may have fixed this in 3.7.3-1, so if it isn't fixed now, let me know.
CONFIG_PACKAGE_dnsmasq=m
CONFIG_PACKAGE_dnsmasq-dhcpv6=y
I'm hoping to get a 3.7.4-1 out with the last of the unaligned hack fixes
out today.
> Chris
--
Dave Täht
Fixing bufferbloat with cerowrt:
http://www.teklibre.com/cerowrt/subscribe.html
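To make the constructor: syntax discussed above concrete, here is a small added example (not code from the thread or from dnsmasq itself) that parses a dhcp-range line, combines the range's suffix offsets with an interface's /64 prefix the way constructor:<iface> does, and flags the kind of low, guessable host suffix that the ::1 objection is about. The interface prefixes used are constructed sample values.

```python
# Added example: model what a dnsmasq "constructor:" dhcp-range resolves to.
import ipaddress

def parse_dhcp_range(line):
    """Split a dhcp-range line into start, optional end, constructor iface
    and mode keywords. Tolerates the spaces after commas seen in the thread."""
    body = line.split("=", 1)[1]
    fields = [f.strip() for f in body.split(",") if f.strip()]
    rng = {"start": None, "end": None, "iface": None, "modes": set()}
    for f in fields:
        if f.startswith("constructor:"):
            rng["iface"] = f.split(":", 1)[1]
        elif f.startswith(("ra-", "slaac", "static")):
            rng["modes"].add(f)
        elif ":" in f and rng["start"] is None:
            rng["start"] = f          # first address literal is the range start
        elif ":" in f:
            rng["end"] = f            # second address literal is the range end
        # other fields (leading interface name, prefix length, lease time)
        # are not needed for the address computation and are skipped
    return rng

def construct(iface_prefix, rng):
    """Combine the interface's /64 prefix with the range's suffix offsets,
    which is what constructor:<iface> does. Returns (first, last)."""
    net = ipaddress.IPv6Interface(iface_prefix).network
    if net.prefixlen != 64:
        raise ValueError("constructor ranges need a /64 on the interface")
    base = int(net.network_address)

    def combine(suffix):
        s = int(ipaddress.IPv6Address(suffix))
        if s >> 64:
            raise ValueError(f"{suffix} does not fit in the interface-id half")
        return ipaddress.IPv6Address(base | s)

    first = combine(rng["start"])
    last = combine(rng["end"]) if rng["end"] else first
    return first, last

def guessable(addr, bits=16):
    """Heuristic (assumption, not a dnsmasq rule): an interface identifier
    that fits in `bits` bits, such as ::1, is the trivially enumerable kind
    of address the objection above is about."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return iid < (1 << bits)

if __name__ == "__main__":
    r = parse_dhcp_range("dhcp-range=::1,::400,constructor:gw00,ra-names")
    print(construct("2001:db8:1::1/64", r))   # constructed sample prefix
```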