Hello Benjamin,

On Wed, 14 Oct 2015 22:09:10 +0000, Benjamin Brücker
<sisyphoslou...@outlook.de> wrote:

> Hi,
> 
> For my small network with frequently changing guests I'd like to use dnsmasq, 
> because I would like to block some domains with dnsmasq's address=/../.. 
> feature (great!). For that purpose I have to ensure that all DNS requests are 
> answered by dnsmasq -- which is only partly working. I don't know if I made a 
> mistake configuring dnsmasq, the interfaces or iptables, or if IPv6 could be 
> disrupting my configuration.
> 
> This is my setup:
> 
> Internet (IPv6)
> /|\
>  |
> \|/
> Router-from-ISP
> 192.168.0.1
> /|\
>  |
> \|/
> 192.168.0.253 (br0:1)
> Ubuntu-Router (DNSMASQ)
> 192.168.1.1 (br0)
> /|\
>  |
> \|/
> 192.168.1.10-192.168.1.100.150
> Clients (Windows, Android, Linux, wired, wireless)
> 
> Maybe it looks a bit too complicated? The reason for that setup is that I cannot 
> change the ISP router, because the cable provider only allows their own 
> devices, and the ISP router has no functionality like adding routes 
> or blocking domains.
> 
> This is the configuration of the Ubuntu-Router:
> 
> 1. Interfaces, with iptables rules, which are necessary because I cannot add 
> routes on the ISP router:
> auto lo
> iface lo inet loopback
> auto br0
> iface br0 inet static
>         bridge_ports p1p1 wlan1
>         address 192.168.2.1
>         network 192.168.2.0
>         netmask 255.255.255.0
>         broadcast 192.168.2.255
> auto br0:1
> iface br0:1 inet static
>         address 192.168.0.253
>         netmask 255.255.255.0
>         broadcast 192.168.0.255
>         network 192.168.0.0
>         gateway 192.168.0.1
>         up /sbin/iptables -F
>         up /sbin/iptables -X
>         up /sbin/iptables -t nat -F
>         up /sbin/iptables -A FORWARD -o br0:1 -i br0 -m conntrack --ctstate NEW -j ACCEPT
>         up /sbin/iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
>         up /sbin/iptables -A POSTROUTING -t nat -j MASQUERADE
>         up /etc/init.d/hostapd restart
>         up /etc/init.d/dnsmasq restart

Maybe OT, but while I see a point to br0 (probably bridging the wired
and wireless parts of your LAN), I can't see that of br0:1, since in
your diagram, the "br0:1" interfaces are different from the "br0"
interfaces -- IOW, the 192.168.0/24 subnet is between the cable router
and the Ubuntu router, and the 192.168.2/24 subnet is between the
Ubuntu router and the LAN+WLAN, so they should not share any common
interface.

> 2. Resolv.conf:
> nameserver 127.0.0.1
> nameserver 192.168.0.1

I assume it is the resolv.conf of the Ubuntu server? What about that of
the LAN+WLAN clients?

> 3. dnsmasq.conf:
> address=/double-click.net/127.0.0.1
> address=/doubleclick.net/127.0.0.1
> address=/doubleclickbygoogle.com/127.0.0.1
> address=/doubleclickbygoogle.net/127.0.0.1
> address=/google-analytics.com/127.0.0.1
> address=/google-analytics.net/127.0.0.1
> address=/ssl.google-analytics.com/127.0.0.1
> address=/googleanalytics.com/127.0.0.1
> address=/googleanalytics.net/127.0.0.1
> address=/facebook.com/127.0.0.1
> interface=lo
> interface=br0
> listen-address=127.0.0.1
> listen-address=::1
> listen-address=192.168.2.1
> dhcp-range=192.168.2.200,192.168.2.250,255.255.255.0,12h
> dhcp-option=121,192.168.2.0/24,192.192.168.2.1
> log-queries
> log-dhcp
> 
> 4. sysctl.conf:
> net.ipv4.ip_forward=1
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
> net.ipv6.conf.br0.disable_ipv6 = 1
> net.ipv6.conf.br0:1.disable_ipv6 = 1
> 
> What happens now is something like this: if I connect one client via DHCP, 
> dnsmasq logs this:
> 
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 client provides name: santorin
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 DHCPREQUEST(br0) 192.168.2.231 a0:88:b4:75:69:94 
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 tags: br0
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 DHCPACK(br0) 192.168.2.231 a0:88:b4:75:69:94 santorin
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 requested options: 1:netmask, 28:broadcast, 2:time-offset, 3:router, 
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 requested options: 15:domain-name, 6:dns-server, 119:domain-search, 
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 requested options: 12:hostname, 44:netbios-ns, 47:netbios-scope, 
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 requested options: 26:mtu, 121:classless-static-route, 42:ntp-server, 
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 requested options: 121:classless-static-route, 249, 33:static-route, 
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 requested options: 252, 42:ntp-server
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 next server: 192.168.2.1
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  1 option: 53 message-type  5
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option: 54 server-identifier  192.168.2.1
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option: 51 lease-time  12h
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option: 58 T1  6h
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option: 59 T2  10h30m
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option:  1 netmask  255.255.255.0
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option: 28 broadcast  192.168.2.255
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option:  3 router  192.168.2.1
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  4 option:  6 dns-server  192.168.2.1
> Oct 14 22:34:43 sithonia dnsmasq-dhcp[1047]: 1863487321 sent size:  8 option: 12 hostname  santorin
> 
> This looks very good to me. But if I browse the internet on the client, only 
> some of the DNS queries appear in the log:
> 
> Oct 14 22:19:34 sithonia dnsmasq[1072]: query[A] button.flattr.com from 192.168.2.231
> Oct 14 22:19:34 sithonia dnsmasq[1072]: forwarded button.flattr.com to 192.168.0.1
> Oct 14 22:19:34 sithonia dnsmasq[1072]: reply button.flattr.com is 104.20.15.50

Not sure what's wrong here. flattr.com is not in any of your
dnsmasq's "address=" lines, so dnsmasq forwards queries for this domain
to its upstream, which replies. Were you expecting something else? Can
you post logs and annotate them, so that we know what went as
expected and what did not (and in the latter case, what you were
expecting)?

> In this case the server was "taz.de", but only some buttons appear in the 
> dnsmasq log. And I can browse "facebook.com", which I pointed to the 
> Ubuntu-Router's IP.

Can you provide annotated logs for facebook.com requests?

> I use dnsmasq version 2.68-1ubuntu0.1 on Ubuntu Server 14.04.3.
> 
> Any idea why DNS queries are only partly answered by dnsmasq? What is wrong with 
> my configuration?
> 
> Thx, Benjamin

Kind regards,
-- 
Albert.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
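Albert asks for annotated logs. The script below is an added example (my own, not part of the thread and not dnsmasq's code) that produces that annotation mechanically: it reads the address=/.../ rules out of dnsmasq.conf, applies dnsmasq's matching rule (a domain and everything below it, never a bare string suffix), and then walks a log-queries log and says for each query whether dnsmasq answered it from a rule, forwarded it because no rule applied, or forwarded it although a rule should have caught it. It also lists rules that are already covered by a shorter one (ssl.google-analytics.com under google-analytics.com), which is harmless but usually goes together with "why isn't X blocked?" confusion. It relies on the log wording visible above ("query[A] name from client", "forwarded name to upstream") and on the "config name is addr" line dnsmasq writes for an address= hit, which I take from dnsmasq's English log output, not from the post. The config is a subset of the thread's; only the first three log lines are quoted from the thread, the rest are constructed to show one hit and one miss.

```python
"""Annotate a dnsmasq query log against the address=/.../ rules in dnsmasq.conf."""
import re
from collections import Counter

# Subset of the address= rules posted in the thread.
DNSMASQ_CONF = """\
address=/doubleclick.net/127.0.0.1
address=/google-analytics.com/127.0.0.1
address=/ssl.google-analytics.com/127.0.0.1
address=/facebook.com/127.0.0.1
"""

# Constructed log excerpt. The first three lines are quoted from the thread; the
# rest are made up to show one address= hit and one query that a rule should
# have caught but that went upstream anyway (the "partly working" symptom).
SAMPLE_LOG = """\
Oct 14 22:19:34 sithonia dnsmasq[1072]: query[A] button.flattr.com from 192.168.2.231
Oct 14 22:19:34 sithonia dnsmasq[1072]: forwarded button.flattr.com to 192.168.0.1
Oct 14 22:19:34 sithonia dnsmasq[1072]: reply button.flattr.com is 104.20.15.50
Oct 14 22:19:35 sithonia dnsmasq[1072]: query[A] www.facebook.com from 192.168.2.231
Oct 14 22:19:35 sithonia dnsmasq[1072]: config www.facebook.com is 127.0.0.1
Oct 14 22:19:36 sithonia dnsmasq[1072]: query[AAAA] www.google-analytics.com from 192.168.2.231
Oct 14 22:19:36 sithonia dnsmasq[1072]: forwarded www.google-analytics.com to 192.168.0.1
"""

ADDRESS_RE = re.compile(r"^address=/([^/]+)/(\S*)$")
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
CONFIG_RE = re.compile(r"config (\S+) is (\S+)$")      # answered from address=
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)$")  # sent to upstream


def parse_rules(conf):
    """Domains named in address=/domain/addr lines, lower-cased, no trailing dot."""
    rules = []
    for line in conf.splitlines():
        m = ADDRESS_RE.match(line.strip())
        if m:
            rules.append(m.group(1).lower().rstrip("."))
    return rules


def matching_rule(name, rules):
    """dnsmasq semantics: address=/d/ matches d itself and every label below it
    (www.d, a.b.d) but not d as a mere string suffix (notd). Returns the most
    specific matching rule, or None."""
    name = name.lower().rstrip(".")
    hits = [d for d in rules if name == d or name.endswith("." + d)]
    return max(hits, key=len) if hits else None


def redundant_rules(rules):
    """Rules already covered by a shorter rule in the same list."""
    return sorted(d for d in rules if matching_rule(d, [r for r in rules if r != d]))


def annotate(log, rules):
    """One record per query[...] line: what dnsmasq did with it, and whether
    that agrees with the address= rules."""
    lines = log.splitlines()
    records = []
    for i, line in enumerate(lines):
        q = QUERY_RE.search(line)
        if not q:
            continue
        qtype, name, client = q.groups()
        rule = matching_rule(name, rules)
        # dnsmasq logs the outcome for the same name right after the query line
        action = "unknown"
        for nxt in lines[i + 1:i + 4]:
            c, f = CONFIG_RE.search(nxt), FORWARD_RE.search(nxt)
            if c and c.group(1) == name:
                action = "config"
                break
            if f and f.group(1) == name:
                action = "forwarded"
                break
        if rule and action == "config":
            category = "blocked"
        elif rule and action == "forwarded":
            category = "leak"        # a rule exists, yet the query went upstream
        elif rule:
            category = "unresolved"  # rule exists, outcome not in this excerpt
        else:
            category = "forwarded" if action == "forwarded" else "unknown"
        records.append({"client": client, "qtype": qtype, "name": name,
                        "rule": rule, "action": action, "category": category})
    return records


def summarize(log, conf):
    rules = parse_rules(conf)
    records = annotate(log, rules)
    return {"records": records,
            "counts": Counter(r["category"] for r in records),
            "redundant": redundant_rules(rules)}


if __name__ == "__main__":
    res = summarize(SAMPLE_LOG, DNSMASQ_CONF)
    for r in res["records"]:
        print("%(client)-15s %(qtype)-5s %(name)-28s %(category)-10s rule=%(rule)s" % r)
    print("counts:", dict(res["counts"]))
    print("redundant rules:", res["redundant"])
```

Run it against a real /var/log/syslog excerpt and the real dnsmasq.conf instead of the embedded samples; any "leak" line is a query that reached dnsmasq but was not answered from address=, while a domain you expected to see and that never appears as a query[...] line at all never reached dnsmasq (the client resolved it elsewhere or from cache), which this script cannot see.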
