[libvirt] [PATCH 0/2] tell dnsmasq not to forward PTR queries

From: Gene Czarcinski <gene@czarc.net>
For networks for which dnsmasq has "--listen-address" specified, add the command line parameter so that any dns PTR queries for those networks are not forwarded.
There are separate patches for IPv4 and IPv6.
Gene Czarcinski (2):
  IPV4 local=/....in-addr.arpa/
  IPv6 local=/...ip6.arpa/
 src/network/bridge_driver.c | 32 ++++++++++++++++++++++
 tests/networkxml2argvdata/isolated-network.argv | 1 +
 .../networkxml2argvdata/nat-network-dns-hosts.argv | 1 +
 .../nat-network-dns-srv-record-minimal.argv | 5 ++++
 .../nat-network-dns-srv-record.argv | 5 ++++
 .../nat-network-dns-txt-record.argv | 11 ++++++--
 tests/networkxml2argvdata/nat-network.argv | 18 ++++++++++--
 tests/networkxml2argvdata/nat-network.xml | 4 +++
 tests/networkxml2argvdata/netboot-network.argv | 1 +
 .../networkxml2argvdata/netboot-proxy-network.argv | 1 +
 tests/networkxml2argvdata/routed-network.argv | 3 +-
 11 files changed, 76 insertions(+), 6 deletions(-)
--
1.7.11.4

From: Gene Czarcinski <gene@czarc.net>
For IPv4 networks dnsmasq listens to, do not forward any IPv4 dns PTR queries for that network. Only network prefixes 8, 16, or 24 work correctly.
--- src/network/bridge_driver.c | 17 +++++++++++++++++ tests/networkxml2argvdata/isolated-network.argv | 1 + tests/networkxml2argvdata/nat-network-dns-hosts.argv | 1 + .../nat-network-dns-srv-record-minimal.argv | 3 +++ .../networkxml2argvdata/nat-network-dns-srv-record.argv | 3 +++ .../networkxml2argvdata/nat-network-dns-txt-record.argv | 9 +++++++-- tests/networkxml2argvdata/nat-network.argv | 12 +++++++++--- tests/networkxml2argvdata/netboot-network.argv | 1 + tests/networkxml2argvdata/netboot-proxy-network.argv | 1 + tests/networkxml2argvdata/routed-network.argv | 3 ++- 10 files changed, 45 insertions(+), 6 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 4faad5d..7ad6fe2 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -634,6 +634,23 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network, if (!ipaddr) goto cleanup; virCommandAddArgList(cmd, "--listen-address", ipaddr, NULL); + int psize = virNetworkIpDefPrefix(tmpipdef); + if ((VIR_SOCKET_ADDR_IS_FAMILY(&tmpipdef->address, AF_INET)) && + ((psize==8) || (psize==16) || (psize=24))) + { + int val = + ntohl(tmpipdef->address.data.inet4.sin_addr.s_addr) >> 8; + char *p, str[25]; /* strlen("xxx.yyy.zzz.in-addr.arpa")+1 */ + p = &str[0]; + if (psize == 24) + p += sprintf(p, "%d.", val & 0xff); + val = val >> 8; + if (psize != 8) + p += sprintf(p, "%d.", val & 0xff); + val = val >> 8; + p += sprintf(p, "%d.in-addr.arpa", val & 0xff); + virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]); + } VIR_FREE(ipaddr); } diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv index 048c72b..40592d9 100644 --- a/tests/networkxml2argvdata/isolated-network.argv +++ b/tests/networkxml2argvdata/isolated-network.argv 
@@ -2,6 +2,7 @@ --local=// --domain-needed --conf-file= \ --except-interface lo --dhcp-option=3 --no-resolv \ --listen-address 192.168.152.1 \ +--local=/152.168.192.in-addr.arpa/ \ --dhcp-range 192.168.152.2,192.168.152.254 \ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/private.leases --dhcp-lease-max=253 \ --dhcp-no-override\ diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv b/tests/networkxml2argvdata/nat-network-dns-hosts.argv index 03a0676..b04f9cc 100644 --- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv +++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv @@ -1,4 +1,5 @@ @DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \ --local=/example.com/ --domain-needed \ --conf-file= --except-interface lo --listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/ \ --expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\ diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv index a1e4200..e0ea334 100644 --- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv +++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv @@ -5,10 +5,13 @@ --except-interface lo \ --srv-host=name.tcp.,,,, \ --listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/ \ --listen-address 192.168.123.1 \ +--local=/123.168.192.in-addr.arpa/ \ --listen-address 2001:db8:ac10:fe01::1 \ --listen-address 2001:db8:ac10:fd01::1 \ --listen-address 10.24.10.1 \ +--local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \ --dhcp-lease-max=253 \ diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv index 8af38c4..0a5cd6b 100644 --- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv +++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv 
@@ -5,10 +5,13 @@ --except-interface lo \ --srv-host=name.tcp.test-domain-name,.,1024,10,10 \ --listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/ \ --listen-address 192.168.123.1 \ +--local=/123.168.192.in-addr.arpa/ \ --listen-address 2001:db8:ac10:fe01::1 \ --listen-address 2001:db8:ac10:fd01::1 \ --listen-address 10.24.10.1 \ +--local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \ --dhcp-lease-max=253 \ diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv index 404b56a..6e1d054 100644 --- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv +++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv @@ -1,9 +1,14 @@ @DNSMASQ@ --strict-order --bind-interfaces \ --local=// --domain-needed --conf-file= \ --except-interface lo '--txt-record=example,example value' \ ---listen-address 192.168.122.1 --listen-address 192.168.123.1 \ +--listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/ \ +--listen-address 192.168.123.1 \ +--local=/123.168.192.in-addr.arpa/ \ --listen-address 2001:db8:ac10:fe01::1 \ ---listen-address 2001:db8:ac10:fd01::1 --listen-address 10.24.10.1 \ +--listen-address 2001:db8:ac10:fd01::1 \ +--listen-address 10.24.10.1 \ +--local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \ --dhcp-lease-max=253 --dhcp-no-override \ diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv index 1dc8f73..55f31e2 100644 --- a/tests/networkxml2argvdata/nat-network.argv +++ b/tests/networkxml2argvdata/nat-network.argv 
@@ -1,8 +1,14 @@ @DNSMASQ@ --strict-order --bind-interfaces \ --local=// --domain-needed --conf-file= \ ---except-interface lo --listen-address 192.168.122.1 \ ---listen-address 192.168.123.1 --listen-address 2001:db8:ac10:fe01::1 \ ---listen-address 2001:db8:ac10:fd01::1 --listen-address 10.24.10.1 \ +--except-interface lo \ +--listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/ \ +--listen-address 192.168.123.1 \ +--local=/123.168.192.in-addr.arpa/ \ +--listen-address 2001:db8:ac10:fe01::1 \ +--listen-address 2001:db8:ac10:fd01::1 \ +--listen-address 10.24.10.1 \ +--local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \ --dhcp-lease-max=253 --dhcp-no-override \ diff --git a/tests/networkxml2argvdata/netboot-network.argv b/tests/networkxml2argvdata/netboot-network.argv index 5a85ec2..9d62602 100644 --- a/tests/networkxml2argvdata/netboot-network.argv +++ b/tests/networkxml2argvdata/netboot-network.argv @@ -1,6 +1,7 @@ @DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \ --local=/example.com/ --domain-needed --conf-file= \ --except-interface lo --listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \ --dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \ diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv b/tests/networkxml2argvdata/netboot-proxy-network.argv index 36836b0..01a4ffd 100644 --- a/tests/networkxml2argvdata/netboot-proxy-network.argv +++ b/tests/networkxml2argvdata/netboot-proxy-network.argv 
@@ -1,6 +1,7 @@ @DNSMASQ@ --strict-order --bind-interfaces --domain=example.com \ --local=/example.com/ --domain-needed --conf-file= \ --except-interface lo --listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \ --dhcp-lease-max=253 --dhcp-no-override --expand-hosts \ diff --git a/tests/networkxml2argvdata/routed-network.argv b/tests/networkxml2argvdata/routed-network.argv index 77e802f..e0b3033 100644 --- a/tests/networkxml2argvdata/routed-network.argv +++ b/tests/networkxml2argvdata/routed-network.argv @@ -1,3 +1,4 @@ @DNSMASQ@ --strict-order --bind-interfaces \ --local=// --domain-needed --conf-file= \ ---except-interface lo --listen-address 192.168.122.1\ +--except-interface lo --listen-address 192.168.122.1 \ +--local=/122.168.192.in-addr.arpa/\ -- 1.7.11.4
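Review bot: the prefix test in the bridge_driver.c hunk, `((psize==8) || (psize==16) || (psize=24))`, has an assignment instead of a comparison in its last term, so for every IPv4 address the condition is true and psize becomes 24; a /23 or /25 network then gets a /24 zone that either covers only part of the network or stops dnsmasq forwarding PTR queries for addresses that are not part of it. Change it to `psize == 24`. Since the commit message says only 8/16/24 are handled, a short comment at that `if` (or a log message for other prefixes) would make the silent no-op for other prefixes deliberate rather than surprising; and `int psize` after the `virCommandAddArgList()` call is a declaration after a statement, easiest to avoid by declaring it at the top of the block.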

From: Gene Czarcinski <gene@czarc.net>
For IPv6 networks that dnsmasq listens to, do not forward any dns PTR queries for that network. A character string compare is performed by dnsmasq where each character is a 4-bit hexadecimal number. Dots ('.') are used to separate characters. Note that if a network is "listened to", then the assumption is that the network is "owned" by dnsmasq for purposes of dns query forwarding.
--- src/network/bridge_driver.c | 15 +++++++++++++++ .../nat-network-dns-srv-record-minimal.argv | 2 ++ tests/networkxml2argvdata/nat-network-dns-srv-record.argv | 2 ++ tests/networkxml2argvdata/nat-network-dns-txt-record.argv | 2 ++ tests/networkxml2argvdata/nat-network.argv | 6 ++++++ tests/networkxml2argvdata/nat-network.xml | 4 ++++ 6 files changed, 31 insertions(+) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index 7ad6fe2..e9de25a 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -650,6 +650,21 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network, val = val >> 8; p += sprintf(p, "%d.in-addr.arpa", val & 0xff); virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]); + } + else if ((VIR_SOCKET_ADDR_IS_FAMILY(&tmpipdef->address, AF_INET6)) && + (psize>0) && (psize<128) && ((psize & 3)==0)) + { + /* note its a "nibble" at a time like the ipv4 8/16/24 */ + char *p, str[73]; /* 73 is strlen("32*<n.>ip6.arpa")+1 */ + int ii = psize - 1; + p = &str[0]; + while (ii >= 0) { + int val = tmpipdef->address.data.inet6.sin6_addr.s6_addr[ii>>3]; + p += sprintf(p, "%.1x.", (ii>>2) & 1 ? val & 0x0f : val >> 4); + ii -= 4; + } + p += sprintf(p, "ip6.arpa"); + virCommandAddArgFormat(cmd, "--local=/%s/", &str[0]); } VIR_FREE(ipaddr); } diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv index e0ea334..6e666cd 100644 --- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv 
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv @@ -9,7 +9,9 @@ --listen-address 192.168.123.1 \ --local=/123.168.192.in-addr.arpa/ \ --listen-address 2001:db8:ac10:fe01::1 \ +--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ --listen-address 2001:db8:ac10:fd01::1 \ +--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ --listen-address 10.24.10.1 \ --local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv index 0a5cd6b..6021ca0 100644 --- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv +++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv @@ -9,7 +9,9 @@ --listen-address 192.168.123.1 \ --local=/123.168.192.in-addr.arpa/ \ --listen-address 2001:db8:ac10:fe01::1 \ +--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ --listen-address 2001:db8:ac10:fd01::1 \ +--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ --listen-address 10.24.10.1 \ --local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv index 6e1d054..28c808d 100644 --- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv +++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv @@ -6,7 +6,9 @@ --listen-address 192.168.123.1 \ --local=/123.168.192.in-addr.arpa/ \ --listen-address 2001:db8:ac10:fe01::1 \ +--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ --listen-address 2001:db8:ac10:fd01::1 \ +--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ --listen-address 10.24.10.1 \ --local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv index 55f31e2..b516706 100644 --- a/tests/networkxml2argvdata/nat-network.argv 
+++ b/tests/networkxml2argvdata/nat-network.argv @@ -6,7 +6,13 @@ --listen-address 192.168.123.1 \ --local=/123.168.192.in-addr.arpa/ \ --listen-address 2001:db8:ac10:fe01::1 \ +--local=/1.0.e.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ --listen-address 2001:db8:ac10:fd01::1 \ +--local=/1.0.d.f.0.1.c.a.8.b.d.0.1.0.0.2.ip6.arpa/ \ +--listen-address fe00:2001:dead:beef:fd01::1 \ +--local=/e.e.b.d.a.e.d.1.0.0.2.0.0.e.f.ip6.arpa/ \ +--listen-address fe00:dead:beef:1234:fd01::1 \ +--local=/0.0.0.0.0.0.0.0.0.0.1.0.d.f.4.3.2.1.f.e.e.b.d.a.e.d.0.0.e.f.ip6.arpa/ \ --listen-address 10.24.10.1 \ --local=/10.in-addr.arpa/ \ --dhcp-range 192.168.122.2,192.168.122.254 \ diff --git a/tests/networkxml2argvdata/nat-network.xml b/tests/networkxml2argvdata/nat-network.xml index eb71d9e..98dcca2 100644 --- a/tests/networkxml2argvdata/nat-network.xml +++ b/tests/networkxml2argvdata/nat-network.xml @@ -16,6 +16,10 @@ </ip> <ip family='ipv6' address='2001:db8:ac10:fd01::1' prefix='64'> </ip> + <ip family='ipv6' address='fe00:2001:dead:beef:fd01::1' prefix='60'> + </ip> + <ip family='ipv6' address='fe00:dead:beef:1234:fd01::1' prefix='120'> + </ip> <ip family='ipv4' address='10.24.10.1'> </ip> </network> -- 1.7.11.4
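Review bot: the `else if` branch in the bridge_driver.c hunk silently emits no `--local=` for IPv6 prefixes that are not a multiple of 4 (`(psize & 3)==0`) and also excludes /128 (`psize<128`, although the `str[73]` comment sizes the buffer for all 32 nibbles), while the commit message says every listened-to IPv6 network is covered; either state that limitation next to the IPv4 one or round the prefix up to the next nibble and emit one zone per aligned block. The nibble loop itself is correct: with `ii` running from psize-1 down to 0 in steps of 4, `(ii>>2) & 1` selects the low nibble of byte `ii>>3` for odd nibble positions, which matches the `1.0.e.f....ip6.arpa` strings added to the test data. Minor: `note its a "nibble"` should read `it's`.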
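The zone construction the two commit messages describe (one label per octet for in-addr.arpa, one per nibble for ip6.arpa, least significant label first), as an added example in C that is not part of the patches or of libvirt. `reverse_zone` reproduces the `--local=` zones that appear in the `.argv` test data above, and `reverse_zone_args` goes further than the patches: for a prefix that is not octet- or nibble-aligned it rounds up to the next label boundary and emits one `--local=` line per aligned zone the network spans. The function names, the `put` helper and the buffer sizes are this example's own; the addresses used in the checks are the ones from the test data, with the /23 and /62 prefixes constructed here to exercise the unaligned path.

```c
#include <arpa/inet.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text at *p, shrinking *left; -1 if it would not fit. */
static int put(char **p, size_t *left, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(*p, *left, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= *left) return -1;
    *p += n; *left -= (size_t)n;
    return 0;
}

/* Reverse zone for the first `bits` bits of a raw address: one label per
 * octet (in-addr.arpa) or per nibble (ip6.arpa), least significant first,
 * the way the two patches build it.  `bits` must be label-aligned. */
static int zone_from_bytes(int family, const unsigned char *b, int bits,
                           char *out, size_t left)
{
    int v4 = (family == AF_INET), unit = v4 ? 8 : 4, max = v4 ? 32 : 128, i;
    char *p = out;

    if (bits <= 0 || bits > max || bits % unit) return -1;
    for (i = bits / unit - 1; i >= 0; i--) {
        /* nibble i sits in byte i/2: high half when i is even, low when odd */
        unsigned v = v4 ? b[i] : (i & 1) ? (b[i / 2] & 0x0f) : (b[i / 2] >> 4);
        if (v4 ? put(&p, &left, "%u.", v) : put(&p, &left, "%x.", v)) return -1;
    }
    if (put(&p, &left, "%s", v4 ? "in-addr.arpa" : "ip6.arpa")) return -1;
    return (int)(p - out);
}

/* Parse a textual address into raw bytes; returns AF_INET, AF_INET6 or -1. */
static int parse_addr(const char *addr, unsigned char *b)
{
    if (inet_pton(AF_INET, addr, b) == 1) return AF_INET;
    if (inet_pton(AF_INET6, addr, b) == 1) return AF_INET6;
    return -1;
}

/* One zone for an aligned prefix: 192.168.122.1/24 -> 122.168.192.in-addr.arpa */
int reverse_zone(const char *addr, int prefix, char *out, size_t outlen)
{
    unsigned char b[16] = {0};
    int family = parse_addr(addr, b);
    return family < 0 ? -1 : zone_from_bytes(family, b, prefix, out, outlen);
}

/* Generalisation the patches do not attempt: for an unaligned prefix, round up
 * to the next label boundary and emit every aligned zone the network spans
 * (192.168.122.0/23 -> the two /24 zones).  Writes one "--local=/zone/" line
 * per zone into out; returns the zone count or -1. */
int reverse_zone_args(const char *addr, int prefix, char *out, size_t left)
{
    unsigned char b[16] = {0}, tmp[16];
    char zone[80], *p = out;
    int family = parse_addr(addr, b);
    int v4 = (family == AF_INET), unit = v4 ? 8 : 4, max = v4 ? 32 : 128;
    int aligned, extra, count, k, j;

    if (family < 0 || prefix <= 0 || prefix > max) return -1;
    aligned = (prefix + unit - 1) / unit * unit;
    extra = aligned - prefix;               /* bits to enumerate, at most 7 */
    count = 1 << extra;
    for (k = 0; k < count; k++) {
        memcpy(tmp, b, sizeof(tmp));
        for (j = 0; j < extra; j++) {       /* write k into bits [prefix, aligned) */
            int bit = prefix + j;
            unsigned char mask = (unsigned char)(0x80 >> (bit % 8));
            if ((k >> (extra - 1 - j)) & 1) tmp[bit / 8] |= mask;
            else tmp[bit / 8] &= (unsigned char)~mask;
        }
        if (zone_from_bytes(family, tmp, aligned, zone, sizeof(zone)) < 0 ||
            put(&p, &left, "--local=/%s/\n", zone))
            return -1;
    }
    return count;
}

/* Comparison helpers so results can be checked without exposing the buffers. */
int zone_equals(const char *addr, int prefix, const char *expected)
{
    char buf[80];
    return reverse_zone(addr, prefix, buf, sizeof(buf)) > 0 && strcmp(buf, expected) == 0;
}

int zone_args_equal(const char *addr, int prefix, const char *expected)
{
    char buf[8192];
    return reverse_zone_args(addr, prefix, buf, sizeof(buf)) > 0 && strcmp(buf, expected) == 0;
}
```

Rounding an unaligned prefix down to a wider zone would stop dnsmasq forwarding PTR queries for addresses that belong to someone else, so the enumeration deliberately rounds up; the cost is at most 128 `--local=` arguments for IPv4 (a /25 expands to 128 /32 zones) and at most 8 for IPv6.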

I would appreciate it if the libvirt developers who are attempting to provide overall guidance would give some thought to the two patches.
I have done a bunch of testing and both patches work as intended ... they only deal with the dns service provided by dnsmasq.
When dnsmasq is providing both dns and dhcp services, this makes sense. But how about the situations where dnsmasq is only listening?
I submitted the earlier patches for not forwarding A, AAAA, or MX dns queries because there was no way for an upstream dns server to determine what should be forwarded to the "Big Eye" Internet. [why isn't "test.virt" as good a FQDN as anything else]
But, the same is not true for private network PTR queries ... dnsmasq "bogus-priv" can indicate not to forward them. There is also some discussion about implementing a similar capability for IPv6.
Anyway, here they are for your consideration.
Gene
On 09/11/2012 12:58 PM, gene@czarc.net wrote:
From: Gene Czarcinski <gene@czarc.net>
For networks for which dnsmasq has "--listen-address" specified, add the command line parameter so that any dns PTR queries for those networks are not forwarded.
There are separate patches for IPv4 and IPv6.
Gene Czarcinski (2):
  IPV4 local=/....in-addr.arpa/
  IPv6 local=/...ip6.arpa/
 src/network/bridge_driver.c | 32 ++++++++++++++++++++++
 tests/networkxml2argvdata/isolated-network.argv | 1 +
 .../networkxml2argvdata/nat-network-dns-hosts.argv | 1 +
 .../nat-network-dns-srv-record-minimal.argv | 5 ++++
 .../nat-network-dns-srv-record.argv | 5 ++++
 .../nat-network-dns-txt-record.argv | 11 ++++++--
 tests/networkxml2argvdata/nat-network.argv | 18 ++++++++++--
 tests/networkxml2argvdata/nat-network.xml | 4 +++
 tests/networkxml2argvdata/netboot-network.argv | 1 +
 .../networkxml2argvdata/netboot-proxy-network.argv | 1 +
 tests/networkxml2argvdata/routed-network.argv | 3 +-
 11 files changed, 76 insertions(+), 6 deletions(-)

On 09/11/2012 01:25 PM, Gene Czarcinski wrote:
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Mumble, mumble ... for some reason my patches did not make it ... I will resubmit. Gene