[libvirt] [PATCH 0/2] tell dnsmasq not to forward PTR queries

From: Gene Czarcinski <gene@czarc.net> For networks which dnsmasq has "--listen-address" specified, add the command line parameter so that any dns PTR queries for those networks are not forwarded. There are separate patches for IPv4 and IPv6. Gene Czarcinski (2): IPV4 local=/....in-addr.arpa/ IPv6 local=/...ip6.arpa/ src/network/bridge_driver.c | 32 ++++++++++++++++++++++ tests/networkxml2argvdata/isolated-network.argv | 1 + .../networkxml2argvdata/nat-network-dns-hosts.argv | 1 + .../nat-network-dns-srv-record-minimal.argv | 5 ++++ .../nat-network-dns-srv-record.argv | 5 ++++ .../nat-network-dns-txt-record.argv | 11 ++++++-- tests/networkxml2argvdata/nat-network.argv | 18 ++++++++++-- tests/networkxml2argvdata/nat-network.xml | 4 +++ tests/networkxml2argvdata/netboot-network.argv | 1 + .../networkxml2argvdata/netboot-proxy-network.argv | 1 + tests/networkxml2argvdata/routed-network.argv | 3 +- 11 files changed, 76 insertions(+), 6 deletions(-) -- 1.7.11.4

From: Gene Czarcinski <gene@czarc.net>
For IPv4 networks dnsmasq listens to, do no forward any IPv4 dns PTR queries for that network. Only network prefixes 8, 16, or 24 work correctly.
---
src/network/bridge_driver.c | 17 +++++++++++++++++
tests/networkxml2argvdata/isolated-network.argv | 1 +
tests/networkxml2argvdata/nat-network-dns-hosts.argv | 1 +
.../nat-network-dns-srv-record-minimal.argv | 3 +++
.../networkxml2argvdata/nat-network-dns-srv-record.argv | 3 +++
.../networkxml2argvdata/nat-network-dns-txt-record.argv | 9 +++++++--
tests/networkxml2argvdata/nat-network.argv | 12 +++++++++---
tests/networkxml2argvdata/netboot-network.argv | 1 +
tests/networkxml2argvdata/netboot-proxy-network.argv | 1 +
tests/networkxml2argvdata/routed-network.argv | 3 ++-
10 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 4faad5d..7ad6fe2 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -634,6 +634,23 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
if (!ipaddr)
goto cleanup;
virCommandAddArgList(cmd, "--listen-address", ipaddr, NULL);
+ int psize = virNetworkIpDefPrefix(tmpipdef);
+ if ((VIR_SOCKET_ADDR_IS_FAMILY(&tmpipdef->address, AF_INET)) &&
+ ((psize==8) || (psize==16) || (psize=24)))
+ {
+ int val =
+ ntohl(tmpipdef->address.data.inet4.sin_addr.s_addr) >> 8;
+ char *p, str[25]; /* strlen("xxx.yyy.zzz.in-addr.arpa")+1 */
+ p = &str[0];
+ if (psize == 24)
+ p += sprintf(p, "%d.", val & 0xff);
+ val = val >> 8;
+ if (psize != 8)
+ p += sprintf(p, "%d.", val & 0xff);
+ val = val >> 8;
+ p += sprintf(p, "%d.in-addr.arpa", val & 0xff);
+ virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]);
+ }
VIR_FREE(ipaddr);
}
diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
index 048c72b..40592d9 100644
--- a/tests/networkxml2argvdata/isolated-network.argv
+++ b/tests/networkxml2argvdata/isolated-network.argv
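Review bot: The prefix test on the second added line of the new `if` is an assignment, not a comparison: `(psize=24)` is always true and overwrites psize, so every AF_INET address whose prefix is not 8 or 16 — a /22, a /25, or a negative value if virNetworkIpDefPrefix() reports an error — is treated as a /24 and gets a --local= zone built from the address's first three octets, which marks only part of (or the wrong part of) that network's reverse zone local while the rest keeps being forwarded. Restoring the comparison, `((psize == 8) || (psize == 16) || (psize == 24))) {`, makes other prefixes fall through without a --local= line, which is what the commit message promises. The buffer arithmetic itself holds (each `%d` is masked to 0–255 and 25 bytes fits "xxx.yyy.zzz.in-addr.arpa"), but the mid-block `int psize` declaration and the `{` on its own line differ from the surrounding libvirt style, so I would move the declaration up with the other locals and put the brace on the `if` line. networkBuildDnsmasqArgv() starts and ends outside this hunk.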
@@ -2,6 +2,7 @@
--local=// --domain-needed --conf-file= \
--except-interface lo --dhcp-option=3 --no-resolv \
--listen-address 192.168.152.1 \
+--local=/152.168.192.in-addr.arpa/ \
--dhcp-range 192.168.152.2,192.168.152.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/private.leases --dhcp-lease-max=253 \
--dhcp-no-override\
diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
index 03a0676..b04f9cc 100644
--- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
@@ -1,4 +1,5 @@
@DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \
--local=/example.com/ --domain-needed \
--conf-file= --except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
index a1e4200..e0ea334 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
@@ -5,10 +5,13 @@
--except-interface lo \
--srv-host=name.tcp.,,,, \
--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
--listen-address 2001:db8:ac10:fd01::1 \
--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
index 8af38c4..0a5cd6b 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
@@ -5,10 +5,13 @@
--except-interface lo \
--srv-host=name.tcp.test-domain-name,.,1024,10,10 \
--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
--listen-address 2001:db8:ac10:fd01::1 \
--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
index 404b56a..6e1d054 100644
--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
@@ -1,9 +1,14 @@
@DNSMASQ@ --strict-order --bind-interfaces \
--local=// --domain-needed --conf-file= \
--except-interface lo '--txt-record=example,example value' \
---listen-address 192.168.122.1 --listen-address 192.168.123.1 \
+--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
+--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
---listen-address 2001:db8:ac10:fd01::1 --listen-address 10.24.10.1 \
+--listen-address 2001:db8:ac10:fd01::1 \
+--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 --dhcp-no-override \
diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv
index 1dc8f73..55f31e2 100644
--- a/tests/networkxml2argvdata/nat-network.argv
+++ b/tests/networkxml2argvdata/nat-network.argv
@@ -1,8 +1,14 @@
@DNSMASQ@ --strict-order --bind-interfaces \
--local=// --domain-needed --conf-file= \
---except-interface lo --listen-address 192.168.122.1 \
---listen-address 192.168.123.1 --listen-address 2001:db8:ac10:fe01::1 \
---listen-address 2001:db8:ac10:fd01::1 --listen-address 10.24.10.1 \
+--except-interface lo \
+--listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
+--listen-address 192.168.123.1 \
+--local=/123.168.192.in-addr.arpa/ \
+--listen-address 2001:db8:ac10:fe01::1 \
+--listen-address 2001:db8:ac10:fd01::1 \
+--listen-address 10.24.10.1 \
+--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
--dhcp-lease-max=253 --dhcp-no-override \
diff --git a/tests/networkxml2argvdata/netboot-network.argv b/tests/networkxml2argvdata/netboot-network.argv
index 5a85ec2..9d62602 100644
--- a/tests/networkxml2argvdata/netboot-network.argv
+++ b/tests/networkxml2argvdata/netboot-network.argv
@@ -1,6 +1,7 @@
@DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \
--local=/example.com/ --domain-needed --conf-file= \
--except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
--dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \
diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv b/tests/networkxml2argvdata/netboot-proxy-network.argv
index 36836b0..01a4ffd 100644
--- a/tests/networkxml2argvdata/netboot-proxy-network.argv
+++ b/tests/networkxml2argvdata/netboot-proxy-network.argv
@@ -1,6 +1,7 @@
@DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \
--local=/example.com/ --domain-needed --conf-file= \
--except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
--dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
--dhcp-lease-max=253 --dhcp-no-override --expand-hosts \
diff --git a/tests/networkxml2argvdata/routed-network.argv b/tests/networkxml2argvdata/routed-network.argv
index 77e802f..e0b3033 100644
--- a/tests/networkxml2argvdata/routed-network.argv
+++ b/tests/networkxml2argvdata/routed-network.argv
@@ -1,3 +1,4 @@
@DNSMASQ@ --strict-order --bind-interfaces \
--local=// --domain-needed --conf-file= \
---except-interface lo --listen-address 192.168.122.1\
+--except-interface lo --listen-address 192.168.122.1 \
+--local=/122.168.192.in-addr.arpa/\
-- 1.7.11.4

From: Gene Czarcinski <gene@czarc.net>
For IPv6 networks that dnsmasq listens to, do not forward any dns PTR queries for that network. A character string compare is performed by dnsmasq where each character is a 4-bit hexidecimal number. Dots ('.') are used to separate characters. Note that if a network is "listened to", then the assumption is that the network is "owned" by dnsmasq for purposes of dns query forwarding.
---
src/network/bridge_driver.c | 15 +++++++++++++++
.../nat-network-dns-srv-record-minimal.argv | 2 ++
tests/networkxml2argvdata/nat-network-dns-srv-record.argv | 2 ++
tests/networkxml2argvdata/nat-network-dns-txt-record.argv | 2 ++
tests/networkxml2argvdata/nat-network.argv | 6 ++++++
tests/networkxml2argvdata/nat-network.xml | 4 ++++
6 files changed, 31 insertions(+)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 7ad6fe2..e9de25a 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -650,6 +650,21 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
val = val >> 8;
p += sprintf(p, "%d.in-addr.arpa", val & 0xff);
virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]);
+ }
+ else if ((VIR_SOCKET_ADDR_IS_FAMILY(&tmpipdef->address, AF_INET6)) &&
+ (psize>0) && (psize<128) && ((psize & 3)==0))
+ {
+ /* note its a "nibble" at a time like the ipv4 8/16/24 */
+ char *p, str[73]; /* 73 is strlen("32*<n.>ip6.arpa")+1 */
+ int ii = psize - 1;
+ p = &str[0];
+ while (ii >= 0) {
+ int val = tmpipdef->address.data.inet6.sin6_addr.s6_addr[ii>>3];
+ p += sprintf(p, "%.1x.", (ii>>2) & 1 ? val & 0x0f : val >> 4);
+ ii -= 4;
+ }
+ p += sprintf(p, "ip6.arpa");
+ virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]);
}
VIR_FREE(ipaddr);
}
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
index e0ea334..6e666cd 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
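Review bot: The guard `((psize & 3)==0)` on the new `else if` makes the IPv6 branch silently do nothing for a network whose prefix is not a multiple of four (a /65 or /126, say): no --local= line is emitted and nothing is logged, so PTR queries for that network keep being forwarded upstream, which is exactly what this series sets out to prevent. If claiming the enclosing nibble-aligned zone is acceptable, `(psize >= 4) && (psize < 128)` as the guard and `int ii = (psize & ~3) - 1;` as the start index cover such networks (a /126 would then mark its /124 zone local); if not, the limitation belongs in the comment, whose `its` should also read `it's`. The `psize<128` exclusion of /128 looks deliberate but is undocumented, and the `}` / `else if` split across two lines departs from the `} else if (...) {` form libvirt uses. The 73-byte buffer is sufficient for the at most 31 nibbles this guard admits. networkBuildDnsmasqArgv() starts and ends outside this hunk.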
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
@@ -9,7 +9,9 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
index 0a5cd6b..6021ca0 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
@@ -9,7 +9,9 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
index 6e1d054..28c808d 100644
--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
@@ -6,7 +6,9 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv
index 55f31e2..b516706 100644
--- a/tests/networkxml2argvdata/nat-network.argv
+++ b/tests/networkxml2argvdata/nat-network.argv
@@ -6,7 +6,13 @@
--listen-address 192.168.123.1 \
--local=/123.168.192.in-addr.arpa/ \
--listen-address 2001:db8:ac10:fe01::1 \
+--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
--listen-address 2001:db8:ac10:fd01::1 \
+--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \
+--listen-address fe00:2001:dead:beef:fd01::1 \
+--local=/e.e.b.d.a.e.d.1.0.0.2.0.0.e.f.ip6.arpa/ \
+--listen-address fe00:dead:beef:1234:fd01::1 \
+--local=/0.0.0.0.0.0.0.0.0.0.1.0.d.f.4.3.2.1.f.e.e.b.d.a.e.d.0.0.e.f.ip6.arpa/ \
--listen-address 10.24.10.1 \
--local=/10.in-addr.arpa/ \
--dhcp-range 192.168.122.2,192.168.122.254 \
diff --git a/tests/networkxml2argvdata/nat-network.xml b/tests/networkxml2argvdata/nat-network.xml
index eb71d9e..98dcca2 100644
--- a/tests/networkxml2argvdata/nat-network.xml
+++ b/tests/networkxml2argvdata/nat-network.xml
@@ -16,6 +16,10 @@
</ip>
<ip family='ipv6' address='2001:db8:ac10:fd01::1' prefix='64'>
</ip>
+ <ip family='ipv6' address='fe00:2001:dead:beef:fd01::1' prefix='60'>
+ </ip>
+ <ip family='ipv6' address='fe00:dead:beef:1234:fd01::1' prefix='120'>
+ </ip>
<ip family='ipv4' address='10.24.10.1'>
</ip>
</network>
-- 1.7.11.4

On 09/12/2012 11:16 AM, gene@czarc.net wrote:
From: Gene Czarcinski <gene@czarc.net>
For networks which dnsmasq has "--listen-address" specified, add the command line parameter so that any dns PTR queries for those networks are not forwarded.
Are you certain this will never be desired? If dnsmasq "owns" the network, then shouldn't it simply be answering these queries (and if it doesn't, doesn't that imply that dnsmasq disagrees with the assertion that it owns the network?) (on the subject of PTRs, I've never quite decided what annoys me more - admins who don't properly setup PTR records for all of their hosts, or software that believes the ability to successfully resolve the PTR for a client's IP address somehow makes that client more "legitimate". All those wasted hours waiting for sshd or ftpd to connect just because my ISP doesn't have a PTR for the IP address they gave me...)
There are separate patches for IPv4 and IPv6.
Gene Czarcinski (2): IPV4 local=/....in-addr.arpa/ IPv6 local=/...ip6.arpa/
src/network/bridge_driver.c | 32 ++++++++++++++++++++++ tests/networkxml2argvdata/isolated-network.argv | 1 + .../networkxml2argvdata/nat-network-dns-hosts.argv | 1 + .../nat-network-dns-srv-record-minimal.argv | 5 ++++ .../nat-network-dns-srv-record.argv | 5 ++++ .../nat-network-dns-txt-record.argv | 11 ++++++-- tests/networkxml2argvdata/nat-network.argv | 18 ++++++++++-- tests/networkxml2argvdata/nat-network.xml | 4 +++ tests/networkxml2argvdata/netboot-network.argv | 1 + .../networkxml2argvdata/netboot-proxy-network.argv | 1 + tests/networkxml2argvdata/routed-network.argv | 3 +- 11 files changed, 76 insertions(+), 6 deletions(-)