Re: [Dnsmasq-discuss] dnsmasq cname limitations

2021-11-06 Thread Tobias via Dnsmasq-discuss
Hi, don't know anything about dnsmasq internals, but for DNSSEC it seems
extra queries are possible, and the response depends on which flags are
set (ad/do). Would certainly be possible for CNAMEs as well, guess it's
just not implemented.


On 2021-11-06 at 23:22, Dominick C. Pastore wrote:
> As far as I know, there is no technical or security reason why a Dnsmasq-like 
> server would *need* this limitation, but Dnsmasq has it due to design 
> limitations.
> 
> Dnsmasq either responds to a request entirely locally (using /etc/hosts, 
> records from the config file, and records from DHCP) or relies on the 
> upstream server to provide the complete response. Since replies with CNAMEs 
> must include the target record as well, a local CNAME to an upstream 
> A/AAAA/etc. would have to combine a local and upstream response. That's not 
> possible with Dnsmasq's design.
> 
> Nick
> 
> On Sat, Nov 6, 2021, at 4:47 PM, Salatiel Filho wrote:
>> Thanks, but I would like to know the reason why there is that limitation.
>> Maybe Simon could explain the reason behind it.
>>
>>
>> Atenciosamente/Kind regards,
>> Salatiel
>>
>>
>>
>> On Sat, Nov 6, 2021 at 4:58 PM Horn Bucking  wrote:
>>>
>>> Hi, why does dnsmasq cname require an entry on /etc/hosts?
>>>
>>> From the dnsmasq man page:
>>>
>>> --cname=<cname>,[<cname>,]<target>[,<TTL>]
>>> Return a CNAME record which indicates that <cname> is really <target>. 
>>> There is a significant limitation on the target; it must be a DNS record 
>>> which is known to dnsmasq and NOT a DNS record which comes from an upstream 
>>> server.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] dnsmasq cname limitations

2021-11-06 Thread Dominick C. Pastore
As far as I know, there is no technical or security reason why a Dnsmasq-like 
server would *need* this limitation, but Dnsmasq has it due to design 
limitations.

Dnsmasq either responds to a request entirely locally (using /etc/hosts, 
records from the config file, and records from DHCP) or relies on the upstream 
server to provide the complete response. Since replies with CNAMEs must include 
the target record as well, a local CNAME to an upstream A/AAAA/etc. would have 
to combine a local and upstream response. That's not possible with Dnsmasq's 
design.

Nick

On Sat, Nov 6, 2021, at 4:47 PM, Salatiel Filho wrote:
> Thanks, but I would like to know the reason why there is that limitation.
> Maybe Simon could explain the reason behind it.
>
>
> Atenciosamente/Kind regards,
> Salatiel
>
>
>
> On Sat, Nov 6, 2021 at 4:58 PM Horn Bucking  wrote:
>>
>> Hi, why does dnsmasq cname require an entry on /etc/hosts?
>>
>> From the dnsmasq man page:
>>
>> --cname=<cname>,[<cname>,]<target>[,<TTL>]
>> Return a CNAME record which indicates that <cname> is really <target>. There 
>> is a significant limitation on the target; it must be a DNS record which is 
>> known to dnsmasq and NOT a DNS record which comes from an upstream server.
>>
>



Re: [Dnsmasq-discuss] dnsmasq cname limitations

2021-11-06 Thread Horn Bucking

> Hi, why does dnsmasq cname require an entry on /etc/hosts?


From the dnsmasq man page:


--cname=<cname>,[<cname>,]<target>[,<TTL>]
Return a CNAME record which indicates that <cname> is really <target>. 
There is a significant limitation on the target; it must be a DNS record 
which is known to dnsmasq and NOT a DNS record which comes from an 
upstream server.


A potential workaround would be to recreate the A/AAAA records for the 
CNAME target within dnsmasq.
Of course, that's only viable if the respective IPs are both known and 
not subject to change.






Re: [Dnsmasq-discuss] dnsmasq cname limitations

2021-11-06 Thread Salatiel Filho
Thanks, but I would like to know the reason why there is that limitation.
Maybe Simon could explain the reason behind it.


Atenciosamente/Kind regards,
Salatiel



On Sat, Nov 6, 2021 at 4:58 PM Horn Bucking  wrote:
>
> Hi, why does dnsmasq cname require an entry on /etc/hosts?
>
> From the dnsmasq man page:
>
> --cname=<cname>,[<cname>,]<target>[,<TTL>]
> Return a CNAME record which indicates that <cname> is really <target>. There 
> is a significant limitation on the target; it must be a DNS record which is 
> known to dnsmasq and NOT a DNS record which comes from an upstream server.
>



[Dnsmasq-discuss] dnsmasq cname limitations

2021-11-06 Thread Salatiel Filho
Hi, why does dnsmasq cname require an entry on /etc/hosts?
I would like to override "somedomain.com" to "some-load-balancer.com"
as a CNAME. If I start dnsmasq as:
# dnsmasq -dq -r /etc/resolv.upstream --cname somedomain.com,some-load-balancer.com
If I try to ping somedomain.com, I will get:
ping: unknown host somedomain.com
If I try to nslookup somedomain.com:
Server:         127.0.0.1
Address:        127.0.0.1#53
somedomain.com  canonical name = some-load-balancer.com.

So I would expect that to work. Is there a reason for that not being
allowed by dnsmasq? Security reasons somehow?
I have a scenario where I need to make a container for a legacy
application point somedomain.com (hardcoded) to an external
load balancer's CNAME whose IP is, of course, dynamic and I can not
add it to /etc/hosts.

Thanks!

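The symptom in the question (nslookup shows the canonical name, ping reports an unknown host) and the workaround proposed later in the thread (serve the target's address records from dnsmasq itself) both come down to one property of the reply: does the answer section that carries the CNAME also carry an A/AAAA record for the target? The script below is an added example, not dnsmasq code or code from anyone in this thread. It parses DNS replies with the standard library only, follows the CNAME chain inside one reply, and reports "complete" or "incomplete"; `build_response()` constructs sample replies for offline use, `query()` can be pointed at a running dnsmasq on 127.0.0.1 as a `dig`-style check, and `workaround_options()` emits the `--cname`/`--host-record` options for the workaround. The names `somedomain.com` and `some-load-balancer.com` are from the thread; `203.0.113.10` is a constructed documentation address; the `--host-record` option syntax is assumed to be the one documented in the dnsmasq man page.

```python
"""Added example (not dnsmasq code): does a reply that answers with a CNAME
also carry the target's address?  Standard library only, so the constructed
replies from build_response() parse offline; query() talks to a real server."""
import socket
import struct

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at `off`, following RFC 1035 compression pointers.
    Returns (lower-cased name, offset just past the name in the outer stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # pointer: 14-bit offset into msg
            if end is None:
                end = off + 2                  # outer stream resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def parse_response(msg):
    """Return (question name, [(owner, rtype, rdata), ...]) from the answer section."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                   # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            rdata, _ = decode_name(msg, off)
        elif rtype in (TYPE_A, TYPE_AAAA):
            fam = socket.AF_INET if rtype == TYPE_A else socket.AF_INET6
            rdata = socket.inet_ntop(fam, msg[off:off + rdlen])
        else:
            rdata = msg[off:off + rdlen]       # other types kept raw
        off += rdlen
        answers.append((owner, rtype, rdata))
    return qname, answers


def check_cname_chain(qname, answers):
    """Follow CNAMEs from qname inside one reply.  A stub resolver needs the
    address in the same reply: a chain that stops at a CNAME with no A/AAAA
    for the target is the reply that makes `ping` fail while `nslookup`
    still prints "canonical name = ..."."""
    name, seen = qname.lower(), set()
    while name not in seen:
        seen.add(name)
        for owner, rtype, rdata in answers:
            if owner == name and rtype in (TYPE_A, TYPE_AAAA):
                return "complete", rdata
        targets = [r for o, t, r in answers if o == name and t == TYPE_CNAME]
        if not targets:
            return "incomplete", name          # chain ends without an address
        name = targets[0]
    return "loop", name


def build_response(qname, answers, txid=0x1234):
    """Constructed reply for offline use.  Owners equal to the question name are
    written as the pointer 0xC00C so decode_name's pointer path is exercised."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in answers:
        owner_wire = b"\xc0\x0c" if owner.lower() == qname.lower() else encode_name(owner)
        if rtype == TYPE_CNAME:
            raw = encode_name(rdata)
        else:
            raw = socket.inet_pton(socket.AF_INET if rtype == TYPE_A else socket.AF_INET6, rdata)
        msg += owner_wire + struct.pack("!HHIH", rtype, 1, 60, len(raw)) + raw
    return msg


def query(server, qname, qtype=TYPE_A, timeout=2.0):
    """Send one UDP query (RD set) and return check_cname_chain's verdict,
    e.g. query("127.0.0.1", "somedomain.com") against a running dnsmasq."""
    pkt = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        reply, _ = s.recvfrom(4096)
    return check_cname_chain(*parse_response(reply))


def workaround_options(cname, target, ipv4):
    """dnsmasq options for the workaround from the thread: serve the target's
    address locally so it is "known to dnsmasq".  Assumes the --cname and
    --host-record syntax documented in the dnsmasq man page."""
    return [f"--cname={cname},{target}", f"--host-record={target},{ipv4}"]
```

With `build_response("somedomain.com", [("somedomain.com", TYPE_CNAME, "some-load-balancer.com")])` the verdict is `("incomplete", "some-load-balancer.com")`, which is the reply the question describes; adding `("some-load-balancer.com", TYPE_A, "203.0.113.10")` to the answer list turns it into `("complete", "203.0.113.10")`, which is what the `--host-record` workaround produces at the cost of pinning an address that the thread notes may change.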


[Dnsmasq-discuss] Monthly posting

2021-11-06 Thread Monthly posting


Hi,

"How To Ask Questions The Smart Way" has, immediately after the introduction,
advice on "before you ask".
http://www.catb.org/esr/faqs/smart-questions.html#before 

Following that advice is still no guarantee of a quick response.
So when you are still stuck with something that you think is dnsmasq
related, you have to make more effort.

The greatest challenge is most likely being persistent in solving the
problem. (Not being persistent in demanding an answer.)

The dnsmasq man page is feature complete. It is also known to be hard to read for
those who are new to it. But still, do read it and try to understand it.
Reading it again is known to be effective for getting a better
understanding. Find a copy of it in the source code of dnsmasq
and read it with `man man/dnsmasq.8`, or when installed with `man dnsmasq`,
or at https://dnsmasq.org/docs/dnsmasq-man.html

A pattern seen on the mailing list is unawareness of the
network-server-client model. Expressing such problems is indeed hard,
but it is also the road to a solution. Know that you are the main stakeholder
of the problem that you are facing. The highest reward for
finding a solution goes to you. Keep the ecosystem that you are
consulting healthy by also sharing your success stories.

Avoid "DNS doesn't work", make it "My DNS client gets odd replies
from dnsmasq", "My DNS requests don't get forwarded" or another
non-generic issue.

Use real DNS tools like `dig` or `host` instead of `ping`.


A `.pcap` file that can be fetched with `wget`
is preferred over (email-program-malformed) output
of `tcpdump` or `wireshark`.



Dnsmasq is a mature project, meaning releases are not frequent.
However we constantly want to improve. Yes, patches welcome.

Patches are not always reviewed within three days.
Retransmitting your review request after eight days is not too pushy.


Aim for common interest. If you find it here, fine.
If you cannot find it here, you might have found a clue to look elsewhere
for "common interest".


Do know there are real humans behind the email addresses.
