Menu
▾
▴
ipcop-devel
|
From: Administrator <ad...@di...> - 2017-10-05 06:58:25
|
Hi Is ipcop vulnerable to any of this: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html # dnsmasq -v Dnsmasq version 2.72 Copyright (c) 2000-2014 Simon Kelley Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect Yours David |
|
From: Bob B. <gra...@sp...> - 2011-10-15 20:26:30
|
Hi, I have a mixture of fixed address and dhcp addressed clients on my green network and with IPCop 1.4.21, I used dnsmasq to provide DNS for both the fixed and dynamic clients on my LAN. Unless I have missed some configuration settings in IPCop 2.0, it would appear that dnsmasq doesn't now provide DNS information to the fixed address clients that are outside the dhcp range of addresses but are on the same network. Is it possible to revert back to the 1.4.21 dnsmasq performance where all client on the same network can receive DNS info from IPCop 2.0? Thanks Bob |
|
From: Olaf W. <wei...@ip...> - 2011-10-15 21:16:52
|
On 2011-10-15 22:26, Bob Brewer wrote: > Is it possible to revert back to the 1.4.21 dnsmasq performance where > all client on the same network can receive DNS info from IPCop 2.0? Since all clients receive proper DNS information, there is nothing to revert to. Olaf |
|
From: Bob B. <gra...@sp...> - 2011-10-16 11:55:54
|
Olaf Westrik wrote: >> Is it possible to revert back to the 1.4.21 dnsmasq performance where >> all client on the same network can receive DNS info from IPCop 2.0? > > Since all clients receive proper DNS information, there is nothing to > revert to. Thank you for your reply Olaf, it looks like my analysis of my problem was incorrect as it was only DNS lookups on my local domain that were not being processed. I believe this is the same situation as seen by John Campbell in the "IPCop 2 & DNS" thread. As suggested in this thread I have edited my /etc/rc.d/rc.dnsmasq file to omit the "--local=/$DOMAINNAME/" suffix which has cured the problem I was having with localdomain DNS lookups. Bob |
|
From: Michael R. <mi...@mi...> - 2011-10-16 12:10:36
Attachments:
signature.asc
|
On Sun, 16 Oct 2011 12:55:43 +0100 Bob Brewer <gra...@sp...> wrote: > > As suggested in this thread I have edited my /etc/rc.d/rc.dnsmasq file > to omit the "--local=/$DOMAINNAME/" suffix which has cured the problem I > was having with localdomain DNS lookups. > I still see issues related to using an internal DNS where response involves CNAME. Apparently the original host header is striped-off in the response resulting in broken vhost reply from Apache. Anybody seeing this behavior? -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael <at> rasmussen <dot> cc http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E mir <at> datanom <dot> net http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C mir <at> miras <dot> org http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917 -------------------------------------------------------------- |
|
From: Bob B. <gra...@sp...> - 2011-10-16 13:08:01
|
Michael Rasmussen wrote: > I still see issues related to using an internal DNS where response > involves CNAME. Apparently the original host header is striped-off in > the response resulting in broken vhost reply from Apache. Anybody > seeing this behavior? My DNS server is located with my ISP on the RED interface and use dnsmasq on IPCop for my lan, so I don't have any external traffic for DNS. So I suspect I wouldn't see your problem. After editing rc.dnsmasq I haven't noticed any unusual performance to any of my services. Bob |
|
From: Michael R. <mi...@mi...> - 2011-10-16 13:14:00
Attachments:
signature.asc
|
On Sun, 16 Oct 2011 14:07:50 +0100 Bob Brewer <gra...@sp...> wrote: > > My DNS server is located with my ISP on the RED interface and use > dnsmasq on IPCop for my lan, so I don't have any external traffic for > DNS. So I suspect I wouldn't see your problem. > I think my issues relates to public domains handled different external than internal. This apparently confuses IPCop when it needs to route requests. Does anybody knows how to force IPCop to use an internal DNS first when RED is configured via DHCP from ISP? -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael <at> rasmussen <dot> cc http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E mir <at> datanom <dot> net http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C mir <at> miras <dot> org http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917 -------------------------------------------------------------- |
|
From: Michael R. <mi...@mi...> - 2011-10-16 13:26:50
Attachments:
signature.asc
|
On Sun, 16 Oct 2011 15:13:51 +0200 Michael Rasmussen <mi...@mi...> wrote: > I think my issues relates to public domains handled different external > than internal. This apparently confuses IPCop when it needs to route > requests. > > Does anybody knows how to force IPCop to use an internal DNS first when > RED is configured via DHCP from ISP? > I have nailed the problem down to the following: 1) Configure transparet proxy on Green 2) Squid uses whatever DNS IPCop is assigned on RED 3) Since default route is unknown when RED is configured by DHCP you cannot manually configure DNS - The configuration window for RED is an all or nothing meaning you must give both DNS and default route manually since leaving default route empty results in an unconfigured RED. Suggestion: It should be possible to enter DNS manually and leaving default route to be assigned by DHCP on RED. -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael <at> rasmussen <dot> cc http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E mir <at> datanom <dot> net http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C mir <at> miras <dot> org http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917 -------------------------------------------------------------- |
|
From: John C. <sec...@jo...> - 2011-10-16 13:50:41
|
On Sun, Oct 16, 2011 at 13:10:27, Michael Rasmussen wrote: > On Sun, 16 Oct 2011 12:55:43 +0100 > Bob Brewer <gra...@sp...> wrote: > > > > > As suggested in this thread I have edited my /etc/rc.d/rc.dnsmasq > file > > to omit the "--local=/$DOMAINNAME/" suffix which has cured the > problem > > I was having with localdomain DNS lookups. > > > I still see issues related to using an internal DNS where response > involves CNAME. Apparently the original host header is striped-off in > the response resulting in broken vhost reply from Apache. Anybody > seeing this behavior? > My IPCop uses my ISP's DNS servers, likewise PC's in GREEN/BLUE, and also set as DNS for servers in ORANGE. DNS servers in ORANGE are non-recursive, basically used to host zone records for public services (web, mail, DNS). Everything is Microsoft-based. I have multiple static RED IP's Here's how it works for me: DNS servers host zone record for mydomain.com & "A" records for www.domain.com (live web site) and www-test.domain.com (test web site), et al. Live web site is hosted on server in DMZ, and once correct port forwarding record is added via IPCop's Web GUI, is accessible to outside world. Test web site is hosted on PC in GREEN, so I add a host record for www-test.domain.com via IPCop's Web GUI using GREEN IP, and PC's in GREEN (and BLUE) can access test site internally. But, if I need to open up the test web site to an outside world viewer, I can simply add a port forwarding rule via IPCop to make test site visible to that viewer. PC's in GREEN/BLUE have a variety of fixed ip addresses, and dhcp-assigned ones with both fixed and dynamic leases. With this setup eveything worked fine with v1.4.xx versions, but it didn't with v2.0.0 until I made the edit to rc.dnsmasq. Here is output from NSLOOKUP run on a GREEN pc (after rc.dnsmasq edit & reboot): C:\Users\XXXX>nslookup Default Server: ipcop.domain.com Address: 192.168.0.254 > www-test.domain.com Server: ipcop.domain.com Address: 192.168.0.254 Name: www-test.domain.com Address: 192.168.0.10 > server 87.194.0.66 Default Server: ns1.betherenow.co.uk Address: 87.194.0.66 > www-test.domain.com Server: ns1.betherenow.co.uk Address: 87.194.0.66 Non-authoritative answer: Name: www-test.domain.com Address: XXX.XXX.XXX.XXX I've used "domain.com" here instead of the real domain name. 87.194.0.66 is the IP of one of my ISP's DNS servers. XXX.XXX.XXX.XXX is one of my public IP addresses. Haven't noticed any issues with this, but I'm no DNS expert :-( John |
|
From: Olaf W. <wei...@ip...> - 2011-10-16 16:31:28
|
On 2011-10-16 15:49, John Campbell wrote: > Haven't noticed any issues with this, but I'm no DNS expert :-( in your case it is fine. For estimated 99% IPCop users it's not, as it leaks internal names to ISP. Olaf |
|
From: Olaf W. <wei...@ip...> - 2011-10-16 16:29:13
|
On 2011-10-16 15:26, Michael Rasmussen wrote: > The configuration window for RED is an > all or nothing You should _really_ verify that before making any assumptions. Olaf |
|
From: Michael R. <mi...@mi...> - 2011-10-16 17:19:11
Attachments:
signature.asc
|
On Sun, 16 Oct 2011 18:29:05 +0200 Olaf Westrik <wei...@ip...> wrote: > > You should _really_ verify that before making any assumptions. > You are right. But I still have problems when enabling transparent proxy on Green. If the proxy is enabled I get this response while requesting a public domain from a client on Green: The DNS server returned: Name Error: The domain name does not exist. How can I fix this? -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael <at> rasmussen <dot> cc http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E mir <at> datanom <dot> net http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C mir <at> miras <dot> org http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917 -------------------------------------------------------------- |
|
From: Michael R. <mi...@mi...> - 2011-10-16 17:20:18
Attachments:
signature.asc
|
On Sun, 16 Oct 2011 19:19:03 +0200 Michael Rasmussen <mi...@mi...> wrote: > But I still have problems when enabling transparent proxy on Green. If > the proxy is enabled I get this response while requesting a public > domain from a client on Green: A public domain hosted on Orange that is. -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael <at> rasmussen <dot> cc http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E mir <at> datanom <dot> net http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C mir <at> miras <dot> org http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917 -------------------------------------------------------------- |
|
From: Michael R. <mi...@mi...> - 2011-10-16 17:29:59
Attachments:
signature.asc
|
On Sun, 16 Oct 2011 19:19:03 +0200 Michael Rasmussen <mi...@mi...> wrote: > > The DNS server returned: > > Name Error: The domain name does not exist. > A question: When squid is making a DNS lookup is it then not using the DNS server configured for RED, or is it in fact using IPCop's own configuration which would mean the hosts file? Could a fix be to add the internal DNS to IPCop's resolve.conf? -- Hilsen/Regards Michael Rasmussen Get my public GnuPG keys: michael <at> rasmussen <dot> cc http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD3C9A00E mir <at> datanom <dot> net http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE501F51C mir <at> miras <dot> org http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE3E80917 -------------------------------------------------------------- |
|
From: Andrew M. <and...@af...> - 2011-10-17 01:47:42
|
Hi, On 17/10/2011 4:29 AM, Michael Rasmussen wrote: >> The DNS server returned: >> >> Name Error: The domain name does not exist. I think this is your answer (if you are using PPPoE on IPCop as dialup). Disconnect RED Adjust dialup setting (PPPoE), change DNS from automatic to manual, put in the server that you want to provide your DNS. Mine is in my DMZ (Orange). Cheers -- Kind Regards AndrewM Andrew McGlashan Broadband Solutions now including VoIP Current Land Line No: 03 9012 2102 Mobile: 04 2574 1827 Fax: 03 9012 2178 National No: 1300 85 3804 Affinity Vision Australia Pty Ltd http://www.affinityvision.com.au http://adsl2choice.net.au In Case of Emergency -- http://www.affinityvision.com.au/ice.html |
|
From: Joe Acquisto-j. <jo...@j4...> - 2017-10-05 12:50:07
|
>>> On 10/5/2017 at 2:58 AM, Administrator <ad...@di...> wrote: > Hi > > Is ipcop vulnerable to any of this: > https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html > > # dnsmasq -v > Dnsmasq version 2.72 Copyright (c) 2000-2014 Simon Kelley > Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua > TFTP no-conntrack ipset auth no-DNSSEC loop-detect > > Yours > David > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > IPCop-devel mailing list > IPC...@li... > https://lists.sourceforge.net/lists/listinfo/ipcop-devel I would guess the answer is Yes. And the solution would appear to be: use pfSense or another product as IPCop appears to have gone into stasis. joe a. |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X