lost and found ( for me ? )

LXC, dnsmasq: How to configure dnsmasq to add the MAC address of a container to the DNS queries it forwards to upstream DNS servers.

hattori@ubuntu:~$ tail -1 /etc/lsb-release
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
hattori@ubuntu:~$

hattori@ubuntu:~$ dnsmasq --version
Dnsmasq version 2.68  Copyright (c) 2000-2013 Simon Kelley

By adding the MAC address to DNS queries, DNS servers can identify individual devices even when those devices sit behind NAT, by looking at the MAC address carried in the query (provided the DNS server understands that option).

dnsmasq can add the MAC address to DNS queries as an EDNS0 option.

man dnsmasq

      --add-mac
             Add the MAC address of the requestor to DNS  queries  which  are
             forwarded  upstream.  This  may  be used to DNS filtering by the
             upstream server. The MAC  address  can  only  be  added  if  the
             requestor is on the same subnet as the dnsmasq server. Note that
             the mechanism used to achieve this (an EDNS0 option) is not  yet
             standardised,  so  this  should be considered experimental. Also
             note that exposing MAC addresses in this way may  have  security
             and  privacy  implications.  The warning about caching given for
             --add-subnet applies to --add-mac too.

By default, dnsmasq does not add the MAC address to DNS queries.

The dnsmasq configuration for LXC (lxc-net) lives in /etc/init/lxc-net.conf.
So I modified that file so that dnsmasq adds the MAC address to forwarded DNS queries.

Copy the current config file first.

hattori@ubuntu:~$ sudo cp /etc/init/lxc-net.conf ./lxc-net.conf.20151024

Edit /etc/init/lxc-net.conf.
Add the '--add-mac' option to the dnsmasq command line in that file.

$ diff /etc/init/lxc-net.conf lxc-net.conf.20151024
65c65
< dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative --add-mac || cleanup
---
> dnsmasq $LXC_DOMAIN_ARG -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
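Review bot: the arguments are in the reverse of the usual order, with the edited /etc/init/lxc-net.conf on the left and the backup on the right, so the newly added --add-mac appears on the `<` (removed) line; running `diff lxc-net.conf.20151024 /etc/init/lxc-net.conf` would show it as the `>` (added) line, matching the "add --add-mac" instruction above.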


Stop and start lxc-net so that the change takes effect.


Check the current PID of dnsmasq.

hattori@ubuntu:~$ cat /var/run/lxc/dnsmasq.pid
1480


Here are the current options (note that --add-mac is not yet present).

hattori@ubuntu:~$ ps aux | grep 1480 | grep -v grep
lxc-dns+  1480  0.0  0.0  28204   968 ?        S    10月23   0:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --conf-file= --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
root      1533  0.0  0.0 450312 14808 ?        Sl   10月23   0:00 /usr/sbin/libvirtd -d


Stop and start lxc-net.

hattori@ubuntu:~$ sudo stop lxc-net
lxc-net stop/waiting

hattori@ubuntu:~$ sudo start lxc-net
lxc-net start/running


hattori@ubuntu:~$ cat /var/run/lxc/dnsmasq.pid
6558

dnsmasq has now started with the --add-mac option.

hattori@ubuntu:~$ ps aux | grep 6558 | grep -v grep
lxc-dns+  6558  0.0  0.0  28204   960 ?        S    00:59   0:00 dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --conf-file= --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-max=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative --add-mac


Start a container.

hattori@ubuntu:~$ sudo lxc-start -n ubuntu01 -d


Connect to the container and check its MAC address.

hattori@ubuntu:~$ sudo lxc-ls -f
NAME             STATE    IPV4       IPV6  AUTOSTART  
----------------------------------------------------
ubuntu-original  STOPPED  -          -     NO         
ubuntu01         RUNNING  10.0.3.47  -     NO         
ubuntu02         STOPPED  -          -     NO         
ubuntu03         STOPPED  -          -     NO         
ubuntu04         STOPPED  -          -     NO         
hattori@ubuntu:~$

hattori@ubuntu:~$ ssh 10.0.3.47 -l ubuntu
ubuntu@10.0.3.47's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.13.0-66-generic x86_64)

* Documentation:  https://help.ubuntu.com/
Last login: Sat Oct 24 00:26:17 2015 from 10.0.3.1
ubuntu@ubuntu01:~$


Here is the resolv.conf of the container.
The container sends its DNS queries to dnsmasq (10.0.3.1).

root@ubuntu01:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.3.1
root@ubuntu01:~#


Here is the MAC address of the container.

root@ubuntu01:~# ip addr show eth0 | grep 'link/ether'
   link/ether 00:16:3e:09:dc:c2 brd ff:ff:ff:ff:ff:ff


Here is a packet capture collected on the LXC host when dnsmasq forwarded a DNS query to an upstream DNS server.
In the capture you can see the MAC address of the container, added by dnsmasq as an EDNS0 option (option code 65001, 6 bytes of data) in the additional section of the query.

    Queries
        www.google.com: type A, class IN
            Name: www.google.com
            Type: A (Host address)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (EDNS0 option)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x0
            EDNS0 version: 0
            Z: 0x0
            Data length: 10
            Option: Unknown (65001)
                Option Code: Unknown (65001)
                Option Length: 6
                Option Data: 00163e09dcc2
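As an added example (not part of the original post or of dnsmasq itself), the following Python script builds a query in the same shape as the one captured above and parses the additional section to find the option 65001 MAC payload, which is the check a defender would run on forwarded traffic to confirm whether a resolver is leaking client MAC addresses upstream. The option code 65001 and the 6-byte data layout are taken from the capture; the packet builder, the transaction ID and the sample MAC are constructed here.

```python
import struct
from typing import Optional

# Option code seen in the capture for dnsmasq 2.68 --add-mac; it lies in the
# private-use range, not an IANA-assigned EDNS0 option code.
EDNS0_OPT_MAC = 65001

def build_query(name: str, mac_hex: Optional[str] = None, txid: int = 0x1234) -> bytes:
    """Constructed sample: an A query for `name`; when mac_hex is given, an OPT RR
    carrying the MAC as EDNS0 option 65001 is appended, as dnsmasq --add-mac does."""
    arcount = 1 if mac_hex else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # type A, class IN
    if not mac_hex:
        return header + question
    mac = bytes.fromhex(mac_hex)
    opt_data = struct.pack("!HH", EDNS0_OPT_MAC, len(mac)) + mac
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode/version/Z all zero
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(opt_data)) + opt_data
    return header + question + opt_rr

def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:            # compression pointer: 2 bytes, name ends
            return off + 2
        off += 1 + ln

def extract_mac_from_query(pkt: bytes) -> Optional[str]:
    """Walk the DNS message; return the MAC in EDNS0 option 65001, or None if the
    query carries no such option (i.e. nothing is being leaked upstream)."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4                   # qtype + qclass
    for _ in range(an + ns):                            # rare in a query, but be safe
        off = skip_name(pkt, off)
        off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == 41 and p + 4 <= len(rdata):      # iterate EDNS0 options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == EDNS0_OPT_MAC and olen == 6:
                return ":".join(f"{b:02x}" for b in rdata[p + 4:p + 10])
            p += 4 + olen
    return None
```

The same parser can be pointed at query payloads pulled from a pcap of the host's upstream interface to confirm the option is present (or, after removing --add-mac, absent).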

