On Thu, Jul 14, 2016 at 03:35:58PM +0200, Albert ARIBAUD wrote:
> On Thu, 14 Jul 2016 00:21:20 +0000 (UTC)
> T o n g <mlist4sunt...@yahoo.com> wrote:
>
> > After struggling for a few days, I finally decided that I should
> > reply, to bring some closure on this. Thank you for all these
> > days of your tireless help. However, my conclusion is still the
> > same as my first post -- dnsmasq is unable to provide public DNS
> > service -- It can be used as DNS server for local host, or local
> > network, but just not for the general public. We've ruled out
> > everything possible, and the only thing left is dnsmasq.
>
> Your conclusion is wrong; the only thing you can conclude from your
> trials is that dnsmasq will not operate properly in an environment
> which does not conform to Internet standards -- and *that* is
> hardly a surprise.
Agreed. One simple way to test (and to disprove) Tong's conclusion is to
try it with other software, BIND or unbound or pdns-recursor, for
example, and to see how those work.

> > I.e., if there is any problem with my ISP or my hosting provider, I
> > wouldn't have been able to start a working second SSH session
> > listening to port 53 (instead of 22).
>
> You are again not concluding properly. DNS requires *UDP* port 53 as
> well as *TCP* port 53. Your assumption that DNS somehow can do with
> *TCP* port 53 alone is unfounded and plain wrong.
>
> > In other words, all else the same, swap in SSH to listen to port 53,
> > it works; swap in dnsmasq, and it fails. With all else the same,
> > dnsmasq is the only problem.
>
> This experiment only proves that *TCP* port 53 works between your
> home and box, but that was already proven by previous tests I
> suggested. However, dnsmasq requires *UDP* port 53 -- and due to a
> crippled access, you cannot use that UDP port, contrary to a
> considerable quantity of other persons who daily prove that dnsmasq
> can be used way beyond a LAN.

I'll agree that dnsmasq as an authoritative server to the Internet
might not be insane, but dnsmasq as resolver for an ISP or larger
network is not a good idea. It's only forwarding queries, not actually
doing the recursion itself.

> > Thanks anyway for all your help.
>
> You're welcome. :)

And a very good job on your part for trying to help. Unfortunately
this matter feels very much like an "XY" problem: "I want to do X, I
think Y would do it for me, so I am asking how to do Y." As is common
in such cases, "Y" makes little sense. If Tong should decide to bring
this up again, I would strongly suggest asking about "X", the real
goal.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
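Albert's point above is that an SSH session on TCP port 53 says nothing about UDP port 53, which is the transport a resolver needs first. The following is an added example, not code from the thread or from dnsmasq: it sends the same minimal DNS query over UDP and over TCP (with the two-byte length prefix TCP DNS requires) so that the two transports can be compared directly; the server address, query name and timeouts are placeholders to fill in.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query: header + QNAME + QTYPE + QCLASS (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def is_reply_to(query, response):
    """True when `response` is a DNS reply (QR bit set) whose ID matches `query`."""
    if len(response) < 12:
        return False
    rid, flags = struct.unpack("!HH", response[:4])
    return rid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)

def probe_udp(server, query, port=53, timeout=3.0):
    """Return the UDP reply bytes, or None if nothing arrives before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before the full DNS message arrived")
        buf += chunk
    return buf

def probe_tcp(server, query, port=53, timeout=3.0):
    """Return the TCP reply bytes, or None if the connection fails or times out."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(frame_tcp(query))
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            return _recv_exact(s, length)
    except OSError:
        return None

def transport_report(server, name="example.com", port=53):
    """Which transports answer? TCP-only reachability is exactly the failure Albert describes."""
    q = build_query(name)
    return {"udp": is_reply_to(q, probe_udp(server, q, port) or b""),
            "tcp": is_reply_to(q, probe_tcp(server, q, port) or b"")}
```

Run `transport_report("<server-ip>")` against the box in question; a result of `{'udp': False, 'tcp': True}` is the TCP-works-but-UDP-is-blocked situation that an SSH-on-port-53 test cannot distinguish from a working DNS server.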