On 28/09/18 23:07, Marc Heckmann wrote:
> Very nice, I will test this.
> 
> I am curious though: what will be used for the NS record if the
> auth-server configuration is omitted?


It appears to return an NS record of ".", i.e. the DNS root, which is not
particularly sensible. This may need some more thought....

Simon.

> 
> -m
> 
> 
> On Fri, Sep 28, 2018 at 4:42 PM Simon Kelley <si...@thekelleys.org.uk> wrote:
> 
>     On 28/09/18 02:33, Marc Heckmann wrote:
>     > Hello,
>     >
>     > I'm currently running dnsmasq in a Docker container and have set up a
>     > domain for which dnsmasq is to be authoritative. This is to do
>     > subdomain delegation to the dnsmasq server. I am using the
>     > auth-server & auth-zone configuration options for this. This works as
>     > expected and is verifiable using dig with the "+norecurse" option to
>     > query for the NS and SOA records. However, as it's a Docker container,
>     > I only have and actually need a single interface (eth0) and when I
>     > specify eth0 in the "auth-server" option, i.e.
>     > "auth-server=<glue_record>,eth0", I noticed that it stops answering
>     > recursive queries for names that it is not authoritative for.
>     >
>     > I worked around this by replacing "eth0" with an IP that is not
>     > present in the container's network namespace and dnsmasq now does what
>     > I want, which is to answer both non-recursive and recursive queries
>     > from the same interface.
>     >
>     > My question is the following: Are there any side effects to this hack?
>     > Is there any reason why dnsmasq should not be able to provide
>     > recursive and authoritative service from the same interface? I can
>     > understand the security reasons for wanting to prevent this on an
>     > Internet-exposed interface, but why not allow for an option to
>     > officially support providing both kinds of service on the same
>     > interface?
>     >
>     > Thanks.
>     >
>     > -m
>     >
>     >
> 
> 
>     This patch, in the pending 2.80 release, addresses this; it allows you
>     to omit the auth-server configuration and get both recursive and
>     authoritative answers on the interface(s) that dnsmasq is listening on.
> 
>     http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=397c0502e255ea0a470982666dea93e0b2f52043
> 
> 
> 
>     Cheers,
> 
>     Simon.
> 
> 
>     >
>     > _______________________________________________
>     > Dnsmasq-discuss mailing list
>     > Dnsmasq-discuss@lists.thekelleys.org.uk
>     <mailto:Dnsmasq-discuss@lists.thekelleys.org.uk>
>     > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>     >
> 
> 
> 

