Bug #3483
closed
DHCP server - lack of implicit values validation
Added by Doktor Notor over 10 years ago. Updated over 10 years ago.
100%
Description
1/ Put some IPv6 IPs as DNS servers into System - General Setup
2/ Disable DNS forwarder
3/ Configure some DHCPv4 pool, leaving the DNS servers empty.
Result: DHCP server does not run at all, due to putting the IPv6 DNS servers into DHCPv4 config file.
https://forum.pfsense.org/index.php/topic,73022.0.html
https://forum.pfsense.org/index.php/topic,73026.0.html
Updated by Bryan Paradis over 10 years ago
There was a fix implemented for the same sort of thing happening with DNS zones here that seems to strip off any bad ones or IPv6:
https://redmine.pfsense.org/issues/3015
https://redmine.pfsense.org/projects/pfsense/repository/revisions/9399370b367df7b73b84d605f4f44599c93b0bbe/diff/etc/inc/services.inc
Updated by Phillip Davis over 10 years ago
Should be fixed by:
https://github.com/pfsense/pfsense/pull/970 - master branch
https://github.com/pfsense/pfsense/pull/971 - 2.1.1
Updated by Phillip Davis over 10 years ago
And also, if you have DNS Forwarder disabled, no DNS servers specified on the DHCPv4 page, and no IPv4 DHCP servers on System->General Setup, then no name server line is written to the DHCPv4 conf file (dhcpd.conf).
That has to be the expected behavior - the system has no IPv4 DNS available to it, so it can't tell IPv4 clients any DNS server IP address(es).
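The behaviour discussed in this ticket, as an added example that is not pfSense code: only IPv4 addresses are allowed into the DHCPv4 DNS option, and the line is omitted when none remain. The function names, the precedence between the three sources and the documentation-range addresses are assumptions made for illustration.

```php
<?php
// Added example, not pfSense source. Function names are hypothetical.

/** Keep only syntactically valid IPv4 addresses, preserving order. */
function ipv4_only(array $servers): array
{
    $valid = [];
    foreach ($servers as $s) {
        $s = trim((string)$s);
        // FILTER_FLAG_IPV4 rejects IPv6 literals as well as malformed input.
        if (filter_var($s, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            $valid[] = $s;
        }
    }
    return array_values(array_unique($valid));
}

/**
 * Build the DNS option line for one DHCPv4 pool in dhcpd.conf.
 * Assumed precedence: servers set on the pool, else the interface address
 * when the DNS forwarder is enabled, else the servers from General Setup.
 */
function dhcpv4_dns_line(array $poolDns, bool $forwarderEnabled,
                         string $ifaceIp, array $systemDns): string
{
    $candidates = ipv4_only($poolDns);
    if (!$candidates && $forwarderEnabled) {
        $candidates = ipv4_only([$ifaceIp]);
    }
    if (!$candidates) {
        $candidates = ipv4_only($systemDns);
    }
    if (!$candidates) {
        // No IPv4 DNS server is known: write nothing rather than a line
        // that dhcpd would refuse to parse.
        return '';
    }
    return "\toption domain-name-servers " . implode(', ', $candidates) . ";\n";
}

// Constructed sample input: mixed IPv6/IPv4 system DNS, forwarder disabled,
// no DNS servers set on the pool.
$systemDns = ['2001:db8::53', '192.0.2.53', '2001:db8::54'];
echo dhcpv4_dns_line([], false, '192.0.2.1', $systemDns);

// Only IPv6 servers configured: the result is an empty string.
var_dump(dhcpv4_dns_line([], false, '192.0.2.1', ['2001:db8::53']));
```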
Updated by Bryan Paradis over 10 years ago
Phillip Davis wrote:
> And also, if you have DNS Forwarder disabled, no DNS servers specified on the DHCPv4 page, and no IPv4 DHCP servers on System->General Setup, then no name server line is written to the DHCPv4 conf file (dhcpd.conf).
> That has to be the expected behavior - the system has no IPv4 DNS available to it, so it can't tell IPv4 clients any DNS server IP address(es).
You beat me to coding it :) Was just getting ready to work on this!
Updated by Phillip Davis over 10 years ago
/etc/inc/vpn.inc
function vpn_pppoe_configure(&$pppoecfg)
function vpn_l2tp_configure()
search for 'dnsserver'
Both those functions look like they only work on IPv4 anyway, but they can put IPv6 DNS server IP addresses from System->General Setup into their conf files. That might be a bug. But I don't use any of those sorts of links, so not sure if they will happily tunnel IPv6 inside their IPv4 VPN.
Bryan (or someone who knows), if it does need fixing, you might like to make similar fixes in these 2 functions to restrict it to just putting DNS servers with IPv4 addresses into the conf files.
Updated by Bryan Paradis over 10 years ago
Phillip Davis wrote:
> /etc/inc/vpn.inc
> function vpn_pppoe_configure(&$pppoecfg)
> function vpn_l2tp_configure()
> search for 'dnsserver'
> Both those functions look like they only work on IPv4 anyway, but they can put IPv6 DNS server IP addresses from System->General Setup into their conf files. That might be a bug. But I don't use any of those sorts of links, so not sure if they will happily tunnel IPv6 inside their IPv4 VPN.
> Bryan (or someone who knows), if it does need fixing, you might like to make similar fixes in these 2 functions to restrict it to just putting DNS servers with IPv4 addresses into the conf files.
vpn_l2tp_configure()
The process seems to load up fine even with an IPv6 DNS server in the mpd4 conf file. I looked at the mpd4 and mpd5 manuals and there is no mention of IPv6 in the IPCP layer until version 5. We are running version 4 currently at least.
So no, it doesn't error out when there is an IPv6 DNS in the general system setup, but does the IPv6 DNS entry work? I doubt it, but I am not sure and can't test further right now.
Just to note, it takes the first two servers only, I think, as it adds the router LAN and then the first DNS server, it seems.
Updated by Bryan Paradis over 10 years ago
Phillip Davis wrote:
> /etc/inc/vpn.inc
> function vpn_pppoe_configure(&$pppoecfg)
> function vpn_l2tp_configure()
> search for 'dnsserver'
> Both those functions look like they only work on IPv4 anyway, but they can put IPv6 DNS server IP addresses from System->General Setup into their conf files. That might be a bug. But I don't use any of those sorts of links, so not sure if they will happily tunnel IPv6 inside their IPv4 VPN.
> Bryan (or someone who knows), if it does need fixing, you might like to make similar fixes in these 2 functions to restrict it to just putting DNS servers with IPv4 addresses into the conf files.
vpn_pppoe_configure()
Seems like the same thing based on mpd4 again. So doubt it knows what to do with it but doesn't appear to error out the process.
Updated by Phillip Davis over 10 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 3ad6b569d64043a75bbb63453658ed005e89ef2c.
Updated by Phillip Davis over 10 years ago
Applied in changeset 6a2016960b433f579b73f539ac5f64f5e956369e.
Updated by Ermal Luçi over 10 years ago
Applied in changeset 042436e8f2e1ffee2411894fbb61ad961d13bf4f.
Updated by Ermal Luçi over 10 years ago
Applied in changeset a63f8ba8f37edf07c9d40c9134f98c74e36a83d7.
Updated by Chris Buechler over 10 years ago
- Status changed from Feedback to Resolved