FS#2328 - Allocate resources to sort out odhcpd/dnsmasq interaction once and for all. #8271

Open
openwrt-bot opened this issue Jun 18, 2019 · 2 comments
@openwrt-bot openwrt-bot commented Jun 18, 2019

ldir:

As IPv6 is being adopted, increasingly people are seeing dnsmasq log 'spam'. See https://bugs.openwrt.org/index.php?do=details&task_id=1492&string=1492&search_name=&type%5B0%5D=&sev%5B0%5D=&pri%5B0%5D=&due%5B0%5D=&reported%5B0%5D=&cat%5B0%5D=&status%5B0%5D=open&percent%5B0%5D=&opened=&dev=&closed=&duedatefrom=&duedateto=&changedfrom=&changedto=&openedfrom=&openedto=&closedfrom=&closedto=

By default under openwrt, dhcpv4 leases are handled by dnsmasq whilst dhcpv6/RA is handled by openwrt's odhcpd.

odhcpd could handle both v4 & v6 but does not yet have the same configuration flexibility for dhcp options as dnsmasq. I guess this is why no one has been brave enough to switch to odhcpd for ipv4 operations as well as ipv6.

dnsmasq can also handle dhcpv6/RA but not quite as flexibly as odhcpd. dnsmasq will automatically find IPv6 prefixes on interfaces and start handling them, whilst openwrt's strategy with odhcpd is to only handle stuff we tell you to handle, don't do it automagically.

As dnsmasq is the default resolver for openwrt and the wider LAN, it needs to know about DHCP/hostname allocations. For DHCPv4 this is easy, dnsmasq is controlling them. For DHCPv6 a hosts file (called a statefile in the odhcpd code) is handed to dnsmasq.

By default this host file is not read dynamically, so odhcpd has to signal dnsmasq to re-read the host file (and clear caches etc etc) upon every ipv6 lease change.

This generates a lot of log spam and process startup overhead. There are also questions about service operability during this time.

Effort needs to be put into sorting this out.

Temporary workarounds:

Use 'hostsdir' dnsmasq option instead of 'addn-hosts' - dnsmasq will dynamically scan changes/additions to hosts in hostsdir whereas addn-hosts needs a SIGHUP. Host deletions cannot be handled by this method, so odhcpd would still need to SIGHUP on lease expiry. It might reduce some of the spam.

Longer term:

Teach dnsmasq to accept hostname updates over an IPC mechanism. ubus? and carry on using odhcpd for ipv6.

Teach dnsmasq to handle ipv6 prefix additions/deletions/handling via an IPC mechanism in the same way as odhcpd. Drop odhcpd and use dnsmasq for everything.

Use odhcpd for everything and use another dns resolver that interfaces nicely with odhcpd.

Why don't I see this problem: I use dnsmasq to handle ipv6 but I'm lucky enough that this works for me.

This needs fixing/funding to sort it out though.


@openwrt-bot openwrt-bot commented Jun 18, 2019

n8v8R:

*** no one has been brave enough to switch to odhcpd for ipv4 operations as well as ipv6.

Actually, I do and am mostly satisfied, but do concur that it probably needs some maturity to match dnsmasq on configuration flexibility for dhcp options.

There is probably no need to retire dnsmasq as dns resolver, be it just for its simplicity in configuration compared to knot or unbound (though admittedly being a fan of the latter), but switch dhcp management entirely to odhcpd (which I am also a fan of) but end the hybrid construct (one way or another).


@openwrt-bot openwrt-bot commented Jun 19, 2019

supersebbo:

There is a potential exploit impact of the current setup. Reloading host files can take a significant amount of resources when large host files are used for applications such as AdBlock.

It would be trivial to craft an exploit to flood DHCPv6 packets to an OpenWRT router at a rate that meant it became IO blocked.
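
Added example, not part of the original thread or of the OpenWrt code base: a log check that counts how often dnsmasq re-reads the odhcpd hosts file inside a sliding window, so a reload storm like the one discussed above shows up as an alert. The logread-style line layout, the path `/tmp/hosts/odhcpd`, the 60-second window and the threshold of 5 are assumptions; the sample lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# dnsmasq logs "read <file> - N addresses" each time it re-reads a hosts file.
LINE_RE = re.compile(
    r"^\w{3} (\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\d{4}) \S+ "
    r"dnsmasq\[\d+\]: read (\S+) - \d+ addresses$")

def parse_reload(line):
    """Return (timestamp, hosts_file) for a hosts re-read line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, hh, mm, ss, year, path = m.groups()
    ts = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    return ts, path

def reload_bursts(lines, hosts_file, window_s=60, threshold=5):
    """Return [(time, count)] for each re-read of hosts_file that brings the
    number of re-reads in the trailing window up to the threshold or beyond."""
    window = timedelta(seconds=window_s)
    recent, alerts = deque(), []
    for line in lines:
        parsed = parse_reload(line)
        if parsed is None or parsed[1] != hosts_file:
            continue  # unrelated log line or a different hosts file
        ts = parsed[0]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()  # drop re-reads older than the window
        if len(recent) >= threshold:
            alerts.append((ts, len(recent)))
    return alerts

# Constructed sample: six re-reads in 25 seconds, noise, then one quiet re-read.
_FMT = "Tue Jun 18 10:{:02d}:{:02d} 2019 daemon.info dnsmasq[1234]: read {} - 3 addresses"
SAMPLE = [_FMT.format(0, s, "/tmp/hosts/odhcpd") for s in range(0, 30, 5)] + [
    _FMT.format(0, 26, "/etc/hosts"),
    "Tue Jun 18 10:00:27 2019 daemon.info dnsmasq[1234]: using nameserver 192.0.2.1#53",
    _FMT.format(5, 0, "/tmp/hosts/odhcpd"),
]

if __name__ == "__main__":
    for when, count in reload_bursts(SAMPLE, "/tmp/hosts/odhcpd"):
        print(f"{when.isoformat()} {count} hosts-file re-reads in the last 60 s")
```
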
