Date: Sat, 20 Sep 2025 07:27:35 -0400 From: Karl Denninger <karl@denninger.net> To: freebsd-net@freebsd.org Subject: Re: DHCP on multi-homed host, some thoughts Message-ID: <c767d95d-e50c-4545-b757-e060c8829c81@denninger.net> In-Reply-To: <sr41p98p-q26p-28rs-33r0-528s05p481q3@yvfgf.mnoonqbm.arg> References: <6abe9da1-9818-438b-ad8f-5424e50a39ce@FreeBSD.org> <sr41p98p-q26p-28rs-33r0-528s05p481q3@yvfgf.mnoonqbm.arg>
next in thread | previous in thread | raw e-mail | index | archive | help
This is a cryptographically signed message in MIME format.
--------------ms040803010807080602090207
Content-Type: multipart/alternative;
boundary="------------wZnF4uh8tZC3OkdD2PHKhtmB"
--------------wZnF4uh8tZC3OkdD2PHKhtmB
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: base64
T24gOS8yMC8yMDI1IDAzOjA2LCBCam9lcm4gQS4gWmVlYiB3cm90ZToNCj4gT24gRnJpLCAx
OSBTZXAgMjAyNSwgQW5kcml5IEdhcG9uIHdyb3RlOg0KPg0KPiBbbXVsdGlob21lIHN0ZXVw
XQ0KPg0KPiBXaGF0IHlvdSBhcmUgZGVzY3JpYmluZyBpcyBpbiBubyB3YXkgc3BlY2lhbCB0
byBESENQLg0KPiBFdmVuIGEgbWFudWFsIGNvbmZpZ3VyYXRpb24gd291bGQgaGF2ZSB0aGUg
c2FtZSBpc3N1ZSwgd291bGRuJ3QgaXQ/DQo+DQo+IEZvciBJUHY2IHRoZXJlIGV4aXN0IGEg
c2V0IG9mIFJGQ3Mgd2hpY2ggaGF2ZSBpZGVhcyBvbiBob3cgdG8gZGVhbCB3aXRoDQo+IG11
bHRpLWhvbWluZy4NCj4NCj4gVGhlIG9uZSBtYWluIGlzc3VlIChyb3V0aW5nIGFuZCBzb3Vy
Y2UgYWRkcmVzcyBzZWxlY3Rpb24gc29ydGVkKSwNCj4gaXMgYW5kIHJlbWFpbnMgRE5TIGFz
IHdlIGhhdmUgbm8gZGVmYXVsdCB3YXkgdG8gcGljayB1cCByZXNvbHZlcnMgb24gYQ0KPiBw
ZXItaW50ZXJmYWNlIG9yIHBlci1kb21haW4gc2V0dGluZy7CoCBZb3UnbGwgZmluZCB0aGF0
IHBlci1pbnRlcmZhY2UNCj4gZG9lc24ndCByZWFsbHkgd29yayBhcyB5b3UnZCBoYXZlIHRv
IGtub3cgd2hpY2ggcGF0aCB5b3UgZ28gYmVmb3JlDQo+IHlvdSBkbyB0aGUgRE5TIGxvb2t1
cC4NCj4NCj4gQnV0IGNob3NpbmcgYW4gdXBzdHJlYW0gRE5TIHdpdGggdGhlIHdyb25nIHNv
dXJjZSBhZGRyZXNzIG9mdGVuIHdvbid0DQo+IHdvcmsuwqAgQXQgbGVhc3QgaGVyZSBJU1Bz
IHdvbid0IGFsbG93IHlvdSB0byB1c2UgdGhlaXIgcmVzb2x2ZXIgaWYgeW91DQo+IGFyZSBu
b3QgY29taW5nIGZyb20gdGhlaXIgSVAgcmFuZ2UuDQo+IFRoZSBhbnN3ZXIgdGhlbiByZWFs
bHkgaXMgdG8gcnVuIGEgbG9jYWwgcmVzb2x2ZXIgaW5kZXBlbmRlbnQgb24NCj4gdXBzdHJl
YW0gZm9yIGFzIGxvbmcgYXMgdGhhdCBpcyBmZWFzaWJsZSBhbmQgd29ya2luZyAoKikuDQo+
DQo+IEluIHRoYXQgd2F5IHRoZSBESENQIGFwcHJvYWNoICh3aGljaCBJIHRoaW5rIHNob3Vs
ZCBoYXZlIHdvcmtlZCB3aXRoDQo+IG11bHRpcGxlIElGIGp1c3QgZmluZSB0byBtZXJnZSBh
IHJlc29sdi5jb25mKSBpc24ndCB0aGF0IGJhZC7CoCBVc2UgdGhlDQo+IEROUyB3aGVyZSB5
b3VyIGRlZmF1bHQgcm91dGUgZ29lcy4NCj4NCj4gTXkgMC4wMDA1IGN0cw0KPiAvYnoNCg0K
TXkgYW5zd2VyIGhhcyAvYWx3YXlzIC9iZWVuIHRvIHJ1biBhIGxvY2FsIHJlc29sdmVyLg0K
DQpUaGUgcmVhc29uIGlzIG5vdCBqdXN0IHdoYXQgeW91IG5vdGU7IGl0IGlzIC9hbHNvIC90
aGF0IHRoZXJlIGFyZSANCmZyZXF1ZW50bHksIG9uIG5ldHdvcmtzIEknbSByZXNwb25zaWJs
ZSBmb3IsIHR3byBkaWZmZXJlbnQgcmVzb2x2ZWQgDQphZGRyZXNzZXMgZm9yIGEgZ2l2ZW4g
cmVzb3VyY2UgZGVwZW5kaW5nIG9uIHdoZXRoZXIgaXQgaXMgb3V0c2lkZSBvciANCmluc2lk
ZSB0aGUgbG9jYWwgbmV0d29yaywgYXQgbGVhc3QgZm9yIElQdjQsIGJlY2F1c2Ugb2YgTkFU
Lg0KDQpQb3J0IGZvcndhcmRpbmcgYXQgdGhlIGdhdGV3YXkgdGFrZXMgY2FyZSBvZiBhY2Nl
c3MgZnJvbSB0aGUgb3V0c2lkZSANCmhvd2V2ZXIgeW91IGRvIHdhbnQgQklORCdzICJycHoi
IG9yIHVuYm91bmQncyBlcXVpdmFsZW50IGZvciBhY2Nlc3NlcyANCnRoYXQgY29tZSBmcm9t
IGluc2lkZSB0aGUgZ2F0ZXdheS4NCg0KLS0gDQpLYXJsIERlbm5pbmdlcg0Ka2FybEBkZW5u
aW5nZXIubmV0DQovVGhlIE1hcmtldCBUaWNrZXIvDQovW1MvTUlNRSBlbmNyeXB0ZWQgZW1h
aWwgcHJlZmVycmVkXS8NCg==
--------------wZnF4uh8tZC3OkdD2PHKhtmB
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html>
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF=
-8">
</head>
<body>
<div class=3D"moz-cite-prefix">On 9/20/2025 03:06, Bjoern A. Zeeb
wrote:<br>
</div>
<blockquote type=3D"cite"
cite=3D"mid:sr41p98p-q26p-28rs-33r0-528s05p481q3@yvfgf.mnoonqbm.arg=
">On
Fri, 19 Sep 2025, Andriy Gapon wrote:
<br>
<br>
[multihome steup]
<br>
<br>
What you are describing is in no way special to DHCP.
<br>
Even a manual configuration would have the same issue, wouldn't
it?
<br>
<br>
For IPv6 there exist a set of RFCs which have ideas on how to deal
with
<br>
multi-homing.
<br>
<br>
The one main issue (routing and source address selection sorted),
<br>
is and remains DNS as we have no default way to pick up resolvers
on a
<br>
per-interface or per-domain setting.=C2=A0 You'll find that
per-interface
<br>
doesn't really work as you'd have to know which path you go before
<br>
you do the DNS lookup.
<br>
<br>
But chosing an upstream DNS with the wrong source address often
won't
<br>
work.=C2=A0 At least here ISPs won't allow you to use their resolve=
r if
you
<br>
are not coming from their IP range.
<br>
The answer then really is to run a local resolver independent on
<br>
upstream for as long as that is feasible and working (*).
<br>
<br>
In that way the DHCP approach (which I think should have worked
with
<br>
multiple IF just fine to merge a resolv.conf) isn't that bad.=C2=A0=
Use
the
<br>
DNS where your default route goes.
<br>
<br>
My 0.0005 cts
<br>
/bz</blockquote>
<p>My answer has=C2=A0<i>always=C2=A0</i>been to run a local resolver=
=2E</p>
<p>The reason is not just what you note; it is=C2=A0<i>also=C2=A0</i>=
that
there are frequently, on networks I'm responsible for, two
different resolved addresses for a given resource depending on
whether it is outside or inside the local network, at least for
IPv4, because of NAT.</p>
<p>Port forwarding at the gateway takes care of access from the
outside however you do want BIND's "rpz" or unbound's equivalent
for accesses that come from inside the gateway.</p>
<div class=3D"moz-signature">-- <br>
Karl Denninger<br>
<a href=3D"mailto:karl@denninger.net" class=3D"moz-txt-link-freetex=
t">karl@denninger.net</a><br>
<i>The Market Ticker</i><br>
<font size=3D"-2"><i>[S/MIME encrypted email preferred]</i></font><=
/div>
</body>
</html>
--------------wZnF4uh8tZC3OkdD2PHKhtmB--
--------------ms040803010807080602090207
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwEAAKCC
C4owggWZMIIDgaADAgECAhRZU8dKdMneRI1Vq5kv0k54Q5rQuDANBgkqhkiG9w0BAQsFADB2
MQswCQYDVQQGEwJVUzESMBAGA1UECAwJVGVubmVzc2VlMRYwFAYDVQQKDA1EZW5uaW5nZXIu
TmV0MRcwFQYDVQQDDA5EZW5uaW5nZXIgUm9vdDEiMCAGCSqGSIb3DQEJARYTYWRtaW5AZGVu
bmluZ2VyLm5ldDAeFw0yNDA1MDkyMTA4MDNaFw00NDA1MDQyMTA4MDNaMF0xCzAJBgNVBAYT
AlVTMRIwEAYDVQQIDAlUZW5uZXNzZWUxFjAUBgNVBAoMDURlbm5pbmdlci5uZXQxIjAgBgNV
BAMMGURlbm5pbmdlci5OZXQgU2lnbmluZyBJbnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDbR0tSiuLG5HPfo+cWtdeYQ8jc8Bjfuo0GTcNRT0glHnH1apUtInIktUknEZDH
ohahInN+mMBdKg54FCHOiYZrJbyxBIo9FwX7hRmOc+spxmSYWnOd2E/YcGInMK4ZpjPzldzB
Yt1n3zygkhx2bssxTJS3x4nv1qAXfLSZd1VwqoQufifEoPyTtymkkvHLv86vLgqAqooM/cXc
4LSIQ5u2uM308n42r8RkKtp7X1v9fJW8oRZN2XnFZtiUPH44YY2rHqyN2Hea9Y3+TXbldXjo
xhPHTA+JYVFq8KTmbQBqU7YcMhlIG0cSxPeFLMxnP6pqPcIVTAlK+a6YGRFppfjZAgMBAAGj
ggE2MIIBMjAdBgNVHQ4EFgQUH+VuxXhBxaJAQrvDekwkH91hBi4wgbMGA1UdIwSBqzCBqIAU
RFYC4p6L6KITnEvrpx2cyt+PcMmheqR4MHYxCzAJBgNVBAYTAlVTMRIwEAYDVQQIDAlUZW5u
ZXNzZWUxFjAUBgNVBAoMDURlbm5pbmdlci5OZXQxFzAVBgNVBAMMDkRlbm5pbmdlciBSb290
MSIwIAYJKoZIhvcNAQkBFhNhZG1pbkBkZW5uaW5nZXIubmV0ghQZE7NBItWtQsCouuwU6jZ+
HPPwnjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+gLaAr
hilodHRwOi8vd3d3LmRlbm5pbmdlci5uZXQvcm9vdC1yZXZva2VkLmNybDANBgkqhkiG9w0B
AQsFAAOCAgEAfFbhPc82AfhyUqONs7IccYD36w+OP4nQgwfC4IWf3y/aQAZ2Zk6IITzYqwf7
PFM0bJRT3zi7xyetolqHDhfMJvnOQWpITZiyM/FSKwIvuBsy/uJUqPuqui4XQMYoSbAA1qmI
MW/z7VZZHwaRFoeWE40UirYcf0fNcooBZ72bmd+iBaVyjtZvky0Vgcz0eC6e6LR5kNb23yC6
TkyQIlGyQkK5/afXUYFzk49rOHVbVyxW3oXRfq8Ow6HCrpDGAS8p84S04MFwBVAUfbe4aXs3
bampaI2LzKgkVywyFP14LSvvdjCfLYfnLy1Z9hm2EHMqNHA2tCGdRhWp2d7aZC1MYFqng0ZS
fjPJjqHrI1qPU0p6k9A1GxAtrQlL2v/IUzUnMZkiawFV3qlxMGZf/kTYTUOcJhx1KU4zSLHu
80qO7ldRpp5gHssCAGFbeTu2gp6LxfmaFhLPDBJ1VGfdPx9lUrU/9OcoHczcl5x2Rb8IUZyX
9elzP5WdAU8p5R/DLlOAq24VcabhFtYBCA2dOESLupSfWKNQuJCN/1gz7ysSc+mjnnPV77IO
mpszJfkFFJEDNJlGIVKX1vwwygtC/9Ulox8frgbZlRAYAgDc/YbOBFxticVVre0Y3Ujx6Kzb
tkgZRlgfdZWbT1W5smncqJxg5qAL8e/yTb3fCe2nJ0jhiP4wggXpMIIE0aADAgECAhMAmNFt
CiCF3j+FwQLYtBTmGjzkMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNVBAYTAlVTMRIwEAYDVQQI
DAlUZW5uZXNzZWUxFjAUBgNVBAoMDURlbm5pbmdlci5uZXQxIjAgBgNVBAMMGURlbm5pbmdl
ci5OZXQgU2lnbmluZyBJbnQwHhcNMjQwNTEwMTkyNjU5WhcNMjkwNTA5MTkyNjU5WjBXMQsw
CQYDVQQGEwJVUzESMBAGA1UECAwJVGVubmVzc2VlMRcwFQYDVQQKDA5LYXJsIERlbm5pbmdl
cjEbMBkGA1UEAwwSa2FybEBkZW5uaW5nZXIubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
MIICCgKCAgEAvh1UssVbSYctzobPjwBkbjv/w4WvQNepeRTwE6+sLnXvc41+X9pa5EclPL4Q
l02Vu1m71mSqXGfK9HbWZoivbhefBHOoYb35MSc24PelhwcORbpneWoWc7giQ7QgFlvEe/yj
fs8M0H9fgdzFS5m2lwBQbis8kioSjHB2yt/8I1GE4Mvt1Cur9kga6ML5FAQvo8TYN1stdhrE
13FEv/BWCF4FVT4H2Wa2ySW+R1jkKb74SC6Twg98bGCRTShD5bVylh0+0LXNhzaopIDcI/KK
jm/j3mRjIlmqbGrSpvJsbjjhjhAYQKE1U8FB5TDU4OkFAibblhQit/KjgspPR2o/vOpVFPER
uhZEV1oDGzUJtZlkREIcN2sYBi0p7Y4585ya+b7L10mEenPlyi3eSkGXEuiy/BR2DY6lShwW
DPoQ5602TKmttCSwBdWGoLrQ4jEVEVNt4lku2wPbTHF3KpHJU0g7RbcWoUYn10SOxKathkir
hF3v9U32+QhPELGwqRrH0sL9rWf0qalRtPDHUYl8TebZmYkFqNeSMlqHijl5f4SsQPSj7gx5
4F19Ntm9ZcvuWTmW8QQGWTKHeMuG+BYkVIUSPe6/ZQsbD/xDx7rkyGfNgWIa4W7Wm/B7kaNq
H53tk3wFmNgZQOxMTPF0oTHfW0T2azU6JD0D1AlgoAnSAE0CAwEAAaOCAaYwggGiMDoGCCsG
AQUFBwEBBC4wLDAqBggrBgEFBQcwAYYeaHR0cDovL29jc3AuZGVubmluZ2VyLm5ldDo3Nzc3
MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggr
BgEFBQcDBDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRp
ZmljYXRlMB0GA1UdDgQWBBSxJZjVnlYLAT3uzvDYgc4742J6UTCBswYDVR0jBIGrMIGogBQf
5W7FeEHFokBCu8N6TCQf3WEGLqF6pHgwdjELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVRlbm5l
c3NlZTEWMBQGA1UECgwNRGVubmluZ2VyLk5ldDEXMBUGA1UEAwwORGVubmluZ2VyIFJvb3Qx
IjAgBgkqhkiG9w0BCQEWE2FkbWluQGRlbm5pbmdlci5uZXSCFFlTx0p0yd5EjVWrmS/STnhD
mtC4MB0GA1UdEQQWMBSBEmthcmxAZGVubmluZ2VyLm5ldDANBgkqhkiG9w0BAQsFAAOCAQEA
TrQ45/tBN3SiuqItFv/V+CF3h7Hxe0YLsL+A/P+q9ZhxIscaNjaclgQhPA+rUr+l8DGoXJ/w
yAl1E0SSBK+9phIc/9xFOBg3rCy4ngubzP+lHS1t03nMCBSUNsu5qPzqLBPiKaPabUu3Gr9o
koRezSszgM3/zNJfr8cMO93csCK/fBccsMx5q+3nxB5XeT7UciicjfEzUA4m2mQxBmGk9SSU
147Gy8UmdSq57Tw82KqUrQ1pJ6IOzVPLREpwlqGbHykSU3MwtPYPtfQeFVjvO/XcWvoFQjbV
UyhzAqMMYFudxoVLlJQiAgU38OScTLDgKxCO41h7VOjb2mss0zHndzGCBZUwggWRAgEBMHQw
XTELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVRlbm5lc3NlZTEWMBQGA1UECgwNRGVubmluZ2Vy
Lm5ldDEiMCAGA1UEAwwZRGVubmluZ2VyLk5ldCBTaWduaW5nIEludAITAJjRbQoghd4/hcEC
2LQU5ho85DANBglghkgBZQMEAgMFAKCCAvIwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc
BgkqhkiG9w0BCQUxDxcNMjUwOTIwMTEyNzM1WjBPBgkqhkiG9w0BCQQxQgRAUCTWID5DrCLu
4ll/hz1EKlA0b8feD0uNzZsewUcLhqjRnX/GsPIa41frQDBTL0lpF0630e5S6/j07SmgigvS
kTCBgwYJKwYBBAGCNxAEMXYwdDBdMQswCQYDVQQGEwJVUzESMBAGA1UECAwJVGVubmVzc2Vl
MRYwFAYDVQQKDA1EZW5uaW5nZXIubmV0MSIwIAYDVQQDDBlEZW5uaW5nZXIuTmV0IFNpZ25p
bmcgSW50AhMAmNFtCiCF3j+FwQLYtBTmGjzkMIGFBgsqhkiG9w0BCRACCzF2oHQwXTELMAkG
A1UEBhMCVVMxEjAQBgNVBAgMCVRlbm5lc3NlZTEWMBQGA1UECgwNRGVubmluZ2VyLm5ldDEi
MCAGA1UEAwwZRGVubmluZ2VyLk5ldCBTaWduaW5nIEludAITAJjRbQoghd4/hcEC2LQU5ho8
5DCCAVcGCSqGSIb3DQEJDzGCAUgwggFEMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDQYIKoZIhvcNAwICAQUwDQYIKoZIhvcNAwICAQUwBwYFKw4DAgcwDQYIKoZI
hvcNAwICAQUwBwYFKw4DAhowCwYJYIZIAWUDBAIBMAsGCWCGSAFlAwQCAjALBglghkgBZQME
AgMwCwYJYIZIAWUDBAIEMAsGCWCGSAFlAwQCBzALBglghkgBZQMEAggwCwYJYIZIAWUDBAIJ
MAsGCWCGSAFlAwQCCjALBgkqhkiG9w0BAQEwCwYJK4EFEIZIPwACMAgGBiuBBAELADAIBgYr
gQQBCwEwCAYGK4EEAQsCMAgGBiuBBAELAzALBgkrgQUQhkg/AAMwCAYGK4EEAQ4AMAgGBiuB
BAEOATAIBgYrgQQBDgIwCAYGK4EEAQ4DMA0GCSqGSIb3DQEBAQUABIICAB7C2WuAMryQGVZX
9s/eifgjnoPGDDOHQUH+Vo/2XeXVqhmMoYajSh3HvbwzmONgd7ByU+jEU5EKK3I2Tat3ckZJ
8J/ZHF3of18WEbPvuJqVCXsgtOcWGb+H6hHwrdvylGhjS0styxP9IzIHi5y5q0RRRo7IDu8t
lNqbVFhjQ5D8CloRpcdZRsXP/Xnma/NrNMeLdqH6LFjN2ykk6L7PpCmu+U7AWKkCfEyavspf
oJ5qHP/rK6kUsw0/NA3a2qnRwaL7a66If6C9qpfwEDzOPpi/foMrvMYEA6AF1ttHEn3QtClb
LL2+Xm6eG6N8lPE4aaMynUATRuxDFh2YmxGK+oR0ix/0BjfN/RUA+adyQCfRlUU2/R28B1RX
1ubSA1HghSZBwXYbKU7zPLqAzp71jz5EK4D+gV4kGnCR11ZcYC2q1+PkcpUWEAu4fEvjgF0w
LdVVH8A/TLj2977c/wLhtdhGu2uLBiLGkI3GRxnqUpLaYMSHiyd3Gfj7U5vWsXAx4AaWGV4g
rHN1w15FJUXSVAkYiVpuBaq48ht5tziCKPf/u/5xT3wYl1l9tYj2REi2QzSgQKxrv7+kzNfl
09GeiHqEPUGTV6uH8oF/t6+YhEV9IndviI5yhLodcr6DdN0/9BBrcxQljqayOkVuukK13fdF
WIOdEC7DTE9Mn/8SY+ikAAAAAAAA
--------------ms040803010807080602090207--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c767d95d-e50c-4545-b757-e060c8829c81>