Jake Howard wrote on 4/5/2020 6:48 AM:
>> Dnsmasq uses the _destination_ address of the query. I'm not familiar
>> with Docker. Is it using NAT?
>
> Can't say I'm especially familiar with Docker's networking stack, but
> it definitely looks and feels like something NAT-ish to me!
> Interestingly enough, the log entry for where the query came from is
> correctly detected, but I guess it's not using that address to localise?
>
> Thanks,
> - Jake Howard

Default Docker iptables chains (for containers running published services on 80/443)

```
# Generated by xtables-save v1.8.2 on Sun Apr 5 20:00:11 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.4:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.4:80
COMMIT
# Completed on Sun Apr 5 20:00:11 2020
# Generated by xtables-save v1.8.2 on Sun Apr 5 20:00:11 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Apr 5 20:00:11 2020
```

Dan

>
> On Sat, 4 Apr 2020, at 19:01, Simon Kelley wrote:
>> On 31/03/2020 13:51, Jake Howard wrote:
>> > Hello!
>> >
>> > Had a breakthrough on what's going on, and it's down to a caveat I
>> > missed when reading the man page on localise-queries:
>> >
>> >> Return answers to DNS queries from /etc/hosts and *--interface-name*
>> >> which depend on the interface over which the query was received.
>> >
>> > And of course, this issue has to do with docker. With Docker, even
>> > though the container is listening on 2 different interfaces, and 2
>> > different IPs, the inner container, and thus dnsmasq, only sees 1
>> > interface, with all addresses coming from it. Hence localisation isn't
>> > quite working.
>> >
>> > If I run dnsmasq with the exact same config but on the host, where it
>> > can see the different interfaces, works perfectly!
>> >
>> > Testing was done in 2.79 and 2.76, with a config file practically
>> > identical to your CLI arguments.
>> >
>> > Technically, there's not a bug here per se, but it'd be really handy if
>> > there was a way of looking at the source IP when determining which
>> > record to return rather than just the interface?
>>
>> Dnsmasq uses the _destination_ address of the query. I'm not familiar
>> with Docker. Is it using NAT?
>>
>>
>> Simon.
>>
>>
>> >
>> > Thanks!
>> >
>> > On Mon, 30 Mar 2020, at 20:42, Simon Kelley wrote:
>> >> On 28/03/2020 20:38, Jake Howard wrote:
>> >> > Hi,
>> >> >
>> >> > My intention is to have 1 dnsmasq instance, accessible over 2 interfaces
>> >> > (listening on all), and have the response to a query differ based on the
>> >> > interface, and therefore its incoming IP. From what I've read, that's
>> >> > exactly what localise-queries is meant to do, but it doesn't appear to
>> >> > be unless I put the entries into /etc/hosts directly.
>> >>
>> >>
>> >> OK, what you're expecting to happen and what I'm expecting to happen are
>> >> the same. That's good.
>> >>
>> >> I just did a quick test, and it seems to work fine for me. The
>> >> example.com addresses are in /tmp/hosts.
>> >>
>> >>
>> >> srk@holly:~/dnsmasq/dnsmasq$ src/dnsmasq -d --log-queries
>> >> --localise-queries -p 10000 --addn-hosts=/tmp/hosts
>> >> dnsmasq: started, version 2.81rc4-5-gd162bee cachesize 150
>> >> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n
>> >> no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC
>> >> loop-detect inotify dumpfile
>> >> dnsmasq: reading /etc/resolv.conf
>> >> dnsmasq: using nameserver 127.0.1.1#53
>> >> dnsmasq: read /etc/hosts - 9 addresses
>> >> dnsmasq: read /tmp/hosts - 2 addresses
>> >> dnsmasq: query[A] example.com from 127.0.0.1
>> >> dnsmasq: /tmp/hosts example.com is 192.168.151.43
>> >> dnsmasq: /tmp/hosts example.com is 192.168.150.43
>> >> dnsmasq: query[A] example.com from 192.168.150.49
>> >> dnsmasq: /tmp/hosts example.com is 192.168.150.43
>> >>
>> >>
>> >> If it's not working for you, that's a bug, but we need to find what it
>> >> is about your setup that tickles the bug.
>> >>
>> >> Can you boil it down to the simplest configuration that displays the
>> >> problem, and also specify which version of dnsmasq you're using?
>> >>
>> >>
>> >> cheers,
>> >>
>> >> Simon.
>> >>
>> >>
>> >> >
>> >> > Thanks,
>> >> > - Jake Howard
>> >> >
>> >> > On Sat, 28 Mar 2020, at 17:59, Simon Kelley wrote:
>> >> >> On 19/03/2020 21:47, Jake Howard wrote:
>> >> >> > Hello!
>> >> >> >
>> >> >> > Is `localise-queries` meant to work against entries added via
>> >> >> > `addn-hosts`? Querying a record returns both IPs, but always in the
>> >> >> > same order. The order is correctly fixed when the records are put in
>> >> >> > `/etc/hosts` directly.
>> >> >>
>> >> >>
>> >> >> Yes, localise-queries works with entries added via addn-hosts, but it
>> >> >> doesn't have anything to do with the order that records appear, so that
>> >> >> doesn't address your problem. What are you trying to achieve?
>> >> >>
>> >> >>
>> >> >> Simon.
>> >> >>
>> >> >>
>> >> >> >
>> >> >> > Config:
>> >> >> >
>> >> >> > ```
>> >> >> > localise-queries
>> >> >> > no-resolv
>> >> >> > cache-size=10000
>> >> >> > log-queries
>> >> >> > log-facility=/var/log/pihole.log
>> >> >> > local-ttl=2
>> >> >> > log-async
>> >> >> > server=8.8.8.8
>> >> >> > server=8.8.4.4
>> >> >> > server=1.1.1.1
>> >> >> > server=1.0.0.1
>> >> >> > interface=eth0
>> >> >> > server=/use-application-dns.net/
>> >> >> >
>> >> >> > addn-hosts=/etc/vpn-hosts.conf
>> >> >> > localise-queries
>> >> >> >
>> >> >> > ```
>> >> >> >
>> >> >> > This is from pihole, but AFAIK that shouldn't make a difference if I'm
>> >> >> > modifying the config directly.
>> >> >> >
>> >> >> > Would appreciate some input, or being told I'm wrong!
>> >> >> >
>> >> >> > Thanks,
>> >> >> >
>> >> >> > - Jake Howard
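The following Python model is an added illustration, not code from this thread or from dnsmasq itself. It applies the localise-queries rule Simon states (match on the query's destination address and the subnet of the interface holding it) first on the host and then behind Docker's published-port DNAT, which rewrites the destination to the container address before dnsmasq sees it. The interface addresses and the port-53 DNAT line are constructed assumptions; the port-443 DNAT line is taken from Dan's iptables-save output.

```python
"""Model dnsmasq --localise-queries with and without Docker published-port DNAT."""
import ipaddress
import re

# Two addresses for one name, as in Simon's /tmp/hosts test.
HOSTS = {"example.com": ["192.168.151.43", "192.168.150.43"]}

# Interfaces as dnsmasq sees them (constructed). Host networking: two real
# interfaces. Inside the container: only eth0 on the Docker bridge subnet.
HOST_IFACES = ["192.168.150.49/24", "192.168.151.49/24"]
CONTAINER_IFACES = ["172.17.0.4/16"]

# DNAT rules in the shape of Dan's output. The 443 rule is from the thread;
# the port-53 rule is an assumed addition following the same published-port pattern.
NAT_RULES = """
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.4:443
-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53
"""


def dnat_destination(rules, proto, port):
    """Return the address a matching DNAT rule rewrites the destination to, or None."""
    pat = re.compile(r"-p %s .*--dport %d -j DNAT --to-destination ([\d.]+):%d"
                     % (proto, port, port))
    for line in rules.splitlines():
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def localise(name, dst_addr, ifaces, hosts=HOSTS):
    """If any address for the name lies in the subnet of the interface that holds
    the query's destination address, return only those; otherwise return all
    addresses in file order (the 'both IPs, same order' symptom)."""
    dst = ipaddress.ip_address(dst_addr)
    subnet = next((ipaddress.ip_interface(i).network for i in ifaces
                   if ipaddress.ip_interface(i).ip == dst), None)
    if subnet is None:
        return list(hosts[name])
    local = [a for a in hosts[name] if ipaddress.ip_address(a) in subnet]
    return local or list(hosts[name])


def answer_on_host(name, queried_addr):
    """dnsmasq running directly on the host sees the real destination address."""
    return localise(name, queried_addr, HOST_IFACES)


def answer_in_container(name, queried_addr, rules=NAT_RULES):
    """Docker DNATs the packet first, so dnsmasq only ever sees the container address."""
    seen_dst = dnat_destination(rules, "udp", 53) or queried_addr
    return localise(name, seen_dst, CONTAINER_IFACES)
```

Querying either host address from inside the container therefore yields both records in file order, which is exactly why moving the same config onto the host makes localisation work.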
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss