On 06/12/15 00:32, Ilario Gelmetti wrote:
> This is not strictly Libre-Mesh related but more an OpenWRT related problem; I'm sharing this because I think it can be a common problem.
>
> I got this problem connecting the WAN port of a device running Libre-Mesh to a network where the DNS server was also used for private addresses of the local network (using a custom TLD [1]). So when a wireless or cabled client connects to this LiMe node it receives as DNS server the address of the LiMe node, which runs dnsmasq as DNS server. This server in Libre-Mesh is by default configured to ask 8.8.8.8, which is a DNS server run by Google that clearly ignores the local site names which exist just on the local DNS server.
>
> I supposed that manually adding the line
>
> list resolvers '172.31.16.4'
>
> (the IP of the local DNS server) under the config lime 'network' section of the /etc/config/lime file should solve the problem. Indeed it didn't work, and I finally found out that it was a protection against some kind of attack [2]:
>
> dnsmasq: possible DNS-rebind attack detected: etherpad.calafou
>
> This protection refuses to accept a private IP [3] as an answer for a request which is expected to have a public IP. So I had to add the option
>
> list rebind_domain '/calafou/'
>
> (where .calafou was the local TLD) [4] under the config dnsmasq section of the /etc/config/dhcp file.
In my opinion, you should start using IPv6 :)
Google is reporting that 10% of total global traffic is going via IPv6, so the future is happening today: no rebind protection and no need to mess with custom TLDs and private IPs.
> In your opinion, isn't it better to leave the DNS field empty in the default configuration, so that LiMe uses the one suggested by the DHCP server instead of fixing 8.8.8.8?
It's not trivial, as of today in the LiMe scheme, to have the dynamic DNS (suggested by DHCP to *one* gateway node) distributed along the whole network.
That's why we worked around that limitation using a static DNS resolver list :(
We could probably brainstorm / rethink all that part again, now that we have some years' experience :)
Cheers!
> Ciao! Ilario
>
> PS: notice that if in /etc/config/lime you configure just one entry for "list resolvers", this replaces the whole list of resolvers in /etc/config/lime-defaults, so also the IPv6 resolver.
>
> [1] https://en.wikipedia.org/wiki/Top-level_domain
> [2] https://en.wikipedia.org/wiki/DNS_rebinding
> [3] https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
> [4] https://wiki.openwrt.org/doc/uci/dhcp#all_options
_______________________________________________ users mailing list
users(a)lists.libre-mesh.org
https://lists.libre-mesh.org/mailman/listinfo/users
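The rebind check Ilario ran into, as an added example (not code from the thread, from OpenWrt or from dnsmasq): it models why an upstream answer of 172.31.16.4 for etherpad.calafou is dropped and logged, and why the UCI entry list rebind_domain '/calafou/' (OpenWrt's mapping of dnsmasq's --rebind-domain-ok) lets it through. The private-range list is an assumption (RFC 1918 [3] plus loopback and link-local); dnsmasq's own list is longer.

```python
# Added example modelling dnsmasq's DNS-rebind protection as described in
# the thread; not dnsmasq's or OpenWrt's code. PRIVATE_NETS is an
# assumption: RFC 1918 plus loopback and link-local.
import ipaddress

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
)]


def parse_rebind_domain(values):
    """Parse UCI `list rebind_domain` entries into a set of domains.
    An entry is either a bare domain ("calafou") or several domains in
    dnsmasq's slash syntax ("/calafou/lan/"), as used in the thread.
    """
    domains = set()
    for value in values:
        parts = value.strip("/").split("/") if value.startswith("/") else [value]
        domains.update(p.lower().strip(".") for p in parts if p)
    return domains


def domain_exempt(qname, exempt_domains):
    """True if qname equals an exempt domain or is a subdomain of one."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in exempt_domains)


def check_answer(qname, answer_ip, rebind_protection=True, rebind_domain=()):
    """Decide whether an upstream A/AAAA answer is accepted.
    Returns (accepted, log_line). With protection on and no exemption for
    the name, a private address is refused and logged as in the thread.
    """
    if not rebind_protection:
        return True, None
    if domain_exempt(qname, parse_rebind_domain(rebind_domain)):
        return True, None
    addr = ipaddress.ip_address(answer_ip)
    if any(addr in net for net in PRIVATE_NETS):
        return False, f"dnsmasq: possible DNS-rebind attack detected: {qname}"
    return True, None
```

Disabling the protection outright (OpenWrt's rebind_protection option) also makes the answer pass, but then every private-address answer is accepted, which is what the check exists to prevent; the per-domain exemption keeps it for everything else.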