Re: [Dnsmasq-discuss] disabling reverse dns lookup in dnsmasq

2016-02-17 Thread Guy Wijnants
Hi Simon,

Is there a way to enable reverse lookup for a certain type of network in 
dnsmasq? Like requests coming from 192.168.0.0/24 and disable reverse lookup 
for the rest?

Best Regards,

Guy

> On 17 Feb 2016 at 18:34, Simon Kelley wrote:
> 
> You mean you don't want dnsmasq to forward any DNS queries and only
> answer stuff locally? Just don't configure any upstream servers, and use
> --no-resolv to stop dnsmasq finding upstream servers in /etc/resolv.conf.
> 
> cheers,
> 
> Simon
> 
> 
> 
>> On 17/02/16 12:57, green krypton wrote:
>> sorry i mean recursive lookups :)
>> 
>> On Wed, Feb 17, 2016 at 6:25 PM, green krypton 
>> wrote:
>> 
>>> Hi, is there any way I can stop dnsmasq from doing reverse DNS lookups? I
>>> am trying not to use a firewall and instead block at the application layer. Can
>>> anyone help me with that?
>>> 
>>> 
>>> using dnsmasq-2.68-5
>> 
>> 
>> 
>> ___
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss@lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> 



Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

2016-02-03 Thread Guy Wijnants
Hi Albert,

While reading your response I came to the conclusion that I forgot to mention 1 
huge thing:

Using IPs from my previous examples:
The DNS server is connected to a firewall. The firewall has the public IP 
(193.0.0.1) on it and NATs DNS requests to the private IP address of the DNS 
server (for example 10.1.1.1).
Some of our clients are behind a public IP range (for example 200.1.1.0/24) and 
have the DNS server's public IP (193.0.0.1) as their primary DNS server.

This means that although they are very good solutions, they will not work for my 
setup.

Thank you for the assistance

Kind regards,

Guy


-Original Message-
From: Albert ARIBAUD [mailto:albert.arib...@free.fr] 
Sent: Wednesday 3 February 2016 12:51
To: Guy Wijnants
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

Hi again Guy,

On Wed, 3 Feb 2016 12:24:26 +0100,
"Guy Wijnants"  wrote:

> Hi Albert,
> 
> Thank you for the quick response.
> You can compare our DNS server to a kind of ISP DNS server, in the way 
> that it hosts public domains and acts as DNS resolver for our clients. 
> If I enable dnsmasq, all queries are passed to dnsmasq to check whether 
> the domain needs to be blocked; if it does not need to be blocked, 
> dnsmasq will pass the query through to the named service, which further 
> handles the query. But dnsmasq does not have something like the allow 
> option to limit the hosts that can query the server.
> 
> Situation now:
> Everyone can set our DNS server as their primary DNS server, as dnsmasq 
> does not filter who can query the DNS server. In the named service 
> you have the option to filter who can query the DNS server 
> (allow-recursion function). But because our dnsmasq speaks to the 
> named service using its own IP, the named service always allows the 
> query and no filtering is done whatsoever. Example: Our server is 
> master of the public domain www.iammaster.com. You at home set our DNS 
> server (we give it IP 193.0.0.1) as your primary DNS server. You query 
> www.google.com and our server WILL respond with the corresponding IP.
> You query www.iammaster.com and our server WILL respond with the 
> corresponding IP. Our clients (in network 192.168.0.0/24) set our 
> server as their primary DNS server and query www.google.com, and our 
> server WILL respond with the corresponding IP.
> 
> Situation I need:
> People from the internet cannot set our DNS server as their primary 
> DNS; our clients, with network for example 192.168.0.0/24, can query our 
> DNS server. Our DNS server of course still responds to queries for the 
> public domains for which it is master. Example: You at home set our 
> DNS server (we give it IP 193.0.0.1) as your primary DNS server.
> You query www.google.com and our server WILL NOT respond, as you are 
> not allowed to query our server. You set a different DNS server as 
> your primary DNS (8.8.8.8 for example) and you query www.iammaster.com, 
> and our server WILL respond with the corresponding IP for this domain. 
> Our clients (in network 192.168.0.0/24) set our server as their primary 
> DNS server and query www.google.com, and our server WILL respond with 
> the corresponding IP. Our clients query www.iammaster.com and our 
> server WILL respond with the corresponding IP for this domain.
> 
> Configuration now:
> Dnsmasq listens on IP 193.0.0.1 port 53; when the site is allowed to be 
> resolved, dnsmasq passes the request to 193.0.0.1:5353 (where our named 
> service listens). The 'allow-recursion { localhost; x.x.x.x/24; 
> y.y.y.y/24; };' is bypassed, as dnsmasq uses 193.0.0.1 (or
> localhost) as source address (and not the originating source IP of the 
> requestor) for the query.
> 
> Thanks in advance for your support!

IIUC, what you want is two different things:

- a general name server for your internal network users to use, either
  by hard-coding it in their /etc/resolv.conf or through a DHCP option.
  This server needs at least one recursive-able server as its upstream,
  and only needs to be accessed from inside your network;

- an authoritative name server for some domains, for external use
  through the NS entry in these domains' zone files. That server does
  not need any upstream, and only needs to be accessed from outside
  your network.

Ideally these two services should be run by two different dnsmasq instances, 
the general one inside your LAN and the authoritative one facing outside; this 
would ensure the authoritative instance could not act as an open DNS and 
possibly as a participant in a DNS amplification attack.

If you really need a single instance, then I suspect you run it on a machine 
which has two interfaces, one with a LAN IP, one with the public IP 
corresponding to the NS entries in the zone files
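
The two-instance split Albert describes above, and Simon's advice in the other thread (no upstream servers plus --no-resolv makes an instance answer only what it knows), written out as dnsmasq configuration. This is an added example, not configuration from the thread or from the dnsmasq project. Assumed: the LAN-facing instance binds 10.1.1.1, the firewall DNATs 193.0.0.1:53 to a second private address 10.1.1.2 for the public-facing instance, named listens on 127.0.0.1 port 5353, and the "site not accepted" web page is at 10.1.1.50; the recursive upstream 9.9.9.9 and the name blocked.example are placeholders.

```conf
# Added example (not from the thread). Two dnsmasq instances on one host,
# each bound to its own address so that the public-facing one can never recurse.
# Assumptions: 10.1.1.1 = LAN instance, 10.1.1.2 = address the firewall DNATs
# 193.0.0.1:53 to, named on 127.0.0.1#5353, block page at 10.1.1.50.

# ---- /etc/dnsmasq-lan.conf : recursive resolver for internal clients only ----
pid-file=/run/dnsmasq-lan.pid
# Bind only the LAN address. bind-interfaces makes dnsmasq bind that address
# specifically instead of the wildcard, so two instances can share port 53.
listen-address=10.1.1.1
bind-interfaces
# Never read or poll /etc/resolv.conf: the upstreams are exactly what is listed here.
no-resolv
no-poll
# The zones named is master for go to named; everything else goes to the
# recursive upstream (9.9.9.9 is an assumption, use your own).
server=/iammaster.com/127.0.0.1#5353
server=9.9.9.9
# Block list: answer the blocked name with the address of the "site not accepted" page.
address=/blocked.example/10.1.1.50
log-queries

# ---- /etc/dnsmasq-public.conf : answers only the zones named is master for ----
pid-file=/run/dnsmasq-public.pid
listen-address=10.1.1.2
bind-interfaces
no-resolv
no-poll
# Only our own zones have an upstream. With no default server configured,
# dnsmasq answers every other name with REFUSED instead of recursing,
# so this instance cannot be used as an open resolver or amplifier.
server=/iammaster.com/127.0.0.1#5353
log-queries
```

Start each instance with its own file (dnsmasq -C /etc/dnsmasq-lan.conf and dnsmasq -C /etc/dnsmasq-public.conf); the separate pid-file lines are what let the two coexist. Two caveats for the NAT setup described in this thread: DNAT keeps the original client's source address, so the split only works if the firewall steers publicly arriving queries to a different address (10.1.1.2 here) than the one LAN clients use; and the clients on 200.1.1.0/24 that must keep 193.0.0.1 as resolver can only be admitted by a firewall rule on their source range, because dnsmasq has no per-source-address allow list. The later --local-service option (added in dnsmasq 2.69, after the versions used in this thread) would not help those clients either, since it only accepts queries from subnets the server itself has an interface on.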

Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

2016-02-03 Thread Guy Wijnants
Hi Albert,

Thank you for the quick response.
You can compare our DNS server to a kind of ISP DNS server, in the way that it 
hosts public domains and acts as DNS resolver for our clients.
If I enable dnsmasq, all queries are passed to dnsmasq to check whether the 
domain needs to be blocked; if it does not need to be blocked, dnsmasq will pass 
the query through to the named service, which further handles the query.
But dnsmasq does not have something like the allow option to limit the hosts 
that can query the server.

Situation now:
Everyone can set our DNS server as their primary DNS server, as dnsmasq does not 
filter who can query the DNS server. In the named service you have the 
option to filter who can query the DNS server (allow-recursion function).
But because our dnsmasq speaks to the named service using its own IP, the named 
service always allows the query and no filtering is done whatsoever.
Example:
Our server is master of the public domain www.iammaster.com.
You at home set our DNS server (we give it IP 193.0.0.1) as your primary DNS 
server. You query www.google.com and our server WILL respond with the 
corresponding IP. You query www.iammaster.com and our server WILL respond with 
the corresponding IP.
Our clients (in network 192.168.0.0/24) set our server as their primary DNS 
server and query www.google.com, and our server WILL respond with the 
corresponding IP.

Situation I need:
People from the internet cannot set our DNS server as their primary DNS; our 
clients, with network for example 192.168.0.0/24, can query our DNS server.
Our DNS server of course still responds to queries for the public domains for 
which it is master.
Example
You at home set our DNS server (we give it IP 193.0.0.1) as your primary DNS 
server. You query www.google.com and our server WILL NOT respond, as you are not 
allowed to query our server.
You set a different DNS server as your primary DNS (8.8.8.8 for example) and 
you query www.iammaster.com, and our server WILL respond with the corresponding 
IP for this domain.
Our clients (in network 192.168.0.0/24) set our server as their primary DNS 
server and query www.google.com, and our server WILL respond with the 
corresponding IP. Our clients query www.iammaster.com and our server WILL 
respond with the corresponding IP for this domain.

Configuration now:
Dnsmasq listens on IP 193.0.0.1 port 53; when the site is allowed to be resolved, 
dnsmasq passes the request to 193.0.0.1:5353 (where our named service listens).
The 'allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; };' is bypassed, as 
dnsmasq uses 193.0.0.1 (or localhost) as source address (and not the originating 
source IP of the requestor) for the query.

Thanks in advance for your support!

Best regards,

Guy


-Original Message-
From: Albert ARIBAUD [mailto:albert.arib...@free.fr] 
Sent: Wednesday 3 February 2016 11:52
To: Guy Wijnants
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Restrict DNS reply to specific clients

Hi Guy,

On Wed, 3 Feb 2016 10:30:02 +0100,
"Guy Wijnants"  wrote:

> Hi all,
> 
> I have a DNS server that is master for some public domains. We also 
> have clients that use the DNS server as their lookup server.
> For security reasons we use dnsmasq to redirect some sites to a webpage 
> that indicates that the site is not accepted.
> I have set up dnsmasq before the named service. But this means 
> that all internet clients can use our DNS server to query requests, 
> which is not good. I want to restrict the possible query requests to 
> only our client networks.
> I had a filter set up under the named service:
>   allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; };
> Dnsmasq uses port 53 and if no match is made on the blocked list it 
> forwards it to itself on port 5353 where the named service runs.
> The named service sees the request as coming from localhost and does 
> the recursion.
> I am sorry if this is unclear, I am not so familiar with DNS or 
> dnsmasq. If it's not clear please say so and I will try to be more 
> detailed.
> Version of dnsmasq: dnsmasq-2.65-6.fc17.x86_64
> Thanks all in advance

I am not sure I understand either your need or the actual situation, but I 
gather the issue is "some requests are served which should not have been".

Can you provide detailed scenarios, both for use cases which work as you intend 
and for use cases which do not work as you intend? For each scenario, please 
describe where the request originates, which server it passes through, and (for 
failure scenarios) whether it should not have.

> Best Regards,
> 
> Guy Wijnants

Kind regards,
--
Albert.


[Dnsmasq-discuss] Restrict DNS reply to specific clients

2016-02-03 Thread Guy Wijnants
Hi all,

I have a DNS server that is master for some public domains. We also have
clients that use the DNS server as their lookup server.
For security reasons we use dnsmasq to redirect some sites to a webpage
that indicates that the site is not accepted.
I have set up dnsmasq before the named service. But this means that
all internet clients can use our DNS server to query requests, which is
not good. I want to restrict the possible query requests to only our
client networks.
I had a filter set up under the named service:
allow-recursion { localhost; x.x.x.x/24; y.y.y.y/24; };
Dnsmasq uses port 53 and if no match is made on the blocked list it
forwards it to itself on port 5353 where the named service runs. The
named service sees the request as coming from localhost and does the
recursion.
I am sorry if this is unclear, I am not so familiar with DNS or dnsmasq.
If it's not clear please say so and I will try to be more detailed.
Version of dnsmasq: dnsmasq-2.65-6.fc17.x86_64
Thanks all in advance

Best Regards,

Guy Wijnants

