[Dnsmasq-discuss] DNS resolving local names with multiple DNS servers
I've got an Ubuntu 13.04 Linux PC connected to two networks:

* Internet connection
* Router providing a local network (Wi-Fi) with DNS serving local names (example.lan)

Via NetworkManager, dnsmasq is set up with the DNS server IP addresses for these two networks.

The PC is having trouble getting the local names in example.lan, because it seems dnsmasq is using the Internet connection DNS server for the example.lan query, and that is returning an NXDOMAIN response. Rather than waiting for a better response from the local DNS server (which is local but responding more slowly due to being over Wi-Fi), it is just passing the NXDOMAIN response to the client. At least, I think that's what is happening; please tell me if I'm wrong.

What I'd hope for is for dnsmasq to not just use the first response it gets, but use the first response that's not NXDOMAIN. I think the Linux resolver (/etc/resolv.conf) does this, and it would be great if dnsmasq could use the same algorithm. Could dnsmasq support this algorithm?

Note--I suppose one response might be to specify the example.lan domain in one 'server' parameter of the dnsmasq config. Two problems:

1) dnsmasq is being used from NetworkManager, and it seems NetworkManager is only telling dnsmasq the DNS IP addresses (via D-Bus), and not telling it any domain names (even if I enter the example.lan in the NetworkManager "extra search domain" config).
2) The router providing the local network is a remote dial-up device which can optionally provide a (slow) dial-up connection to the Internet. In that case, it becomes a general Internet connection, so I don't want to restrict it to just "example.lan".

Regards,
Craig McQueen

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] dnssec on android?
It looks like there will be some issues getting dnssec on android by switching to dnsmasq:

https://code.google.com/p/android/issues/detail?id=65510

What is dnsmasq's behavior on how/when to switch to tcp?

--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
Re: [Dnsmasq-discuss] Per entry TTL override
On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
> Hello,
>
> Is it thinkable to allow a per entry TTL override system ?
> I have actually two different needs that i'd like to discuss.
> First NXDOMAINS. I'd like to cache NXDOMAIN from some forwarded
> domains to a specific value. Cache time based on default SOA TTL may
> be too long in some cases and requires a manual cache refresh :(
> Easy example:
> Infra team provisions a new server and ping the hostname asked to see
> if it's not already taken - Yes they could act differently
> It's not, so result is cached and will stay for 1H - default SOA TTL.
> Server provisioning takes 10mn, and hostname is still cached as NX for
> 50mn :(
>
> Second is entry override. Some specific DNS entries could have a
> different TTL than the default one - But not globally per entry gives
> much more flexibility :)
>
>
> Would that make sense to have a binding for request replies - like the
> dhcp lua script support - or would this make more sense as specific
> hardcoded options? If this makes any sense at all indeed :)
>
>
> Thanks,
> Olivier

Seemed like I had a double neg-ttl declared in my config and my command line at the same time which make it to not be correctly handled...

Also seems that no matter what neg-ttl is set to, the first NXDOMAIN on a cold cache, always get the SOA TTL, am I missing something ?

Any feedback on per entry TTL override ?

Thanks,
Olivier
Re: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not appear to work for me.
On 02/04/14 21:24, Simon Kelley wrote:
>
> This is, I think, just an oversight. synth-domain certainly generates
> "Locally defined DNS records" which is what the auth-zone is specified
> to contain.
>

Actually, there is a reason. It doesn't in general make sense to include the records created by synth-domain in a zone transfer, since there are likely to be a lot of them. They could be included in answers for the auth-zone, at the expense of the additional complication that the zone answered by dnsmasq becomes no longer exactly the zone that's transferred to a secondary (since the synth-domain answers can't be included in the transfer).

Simon.
Re: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not appear to work for me.
On 02/04/14 11:46, David Beveridge wrote:
> So I have a few static hosts defined in /etc/hosts and I want to
> serve authoritative records for them.
> I also have some machines which get address via dhcp and slaac which I want
> to publish using synth-domain.
>
> Each option works alone, but when I mix the options
> eg
> auth-zone=thekelleys.org.uk,192.168.0.0/24
> synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-
>
> with synth-domain only
> # dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
> ;; ANSWER SECTION:
> internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56
>
> with both defined, no answer is returned.
> eg
> root@ns1 /etc/dnsmasq.d # dig internal-192-168-0-56.thekelleys.org.uk @
> 223.27.66.79
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>>
> internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 768
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;internal-192-168-0-56.thekelleys.org.uk. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 223.27.66.79#53(223.27.66.79)
> ;; WHEN: Wed Apr 2 21:30:13 2014
> ;; MSG SIZE rcvd: 57
>
>
> The behaviour is the same for Ipv6.

This is, I think, just an oversight. synth-domain certainly generates "Locally defined DNS records" which is what the auth-zone is specified to contain.

>
> regards,
> dave.
>
> PS: any reason why synth-domain is limited to /64 for IPv6?

Prefix length has to be greater than or equal to 64, is that what you mean? It's about implementation convenience. C doesn't provide an integer data type larger than 64 bits for doing masking of the address-part.

Cheers,

Simon.
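The 64-bit masking point in the reply above, as an added example. This is not dnsmasq's code; the function names and the 2001:db8:: sample addresses are constructed for illustration. With a prefix length of 64 or more, the upper half of the address is compared whole and the network/host split fits in one uint64_t mask.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Split a 128-bit address into two host-order 64-bit halves. */
static void split6(const struct in6_addr *a, uint64_t *hi, uint64_t *lo)
{
    *hi = *lo = 0;
    for (int i = 0; i < 8; i++) {
        *hi = (*hi << 8) | a->s6_addr[i];
        *lo = (*lo << 8) | a->s6_addr[i + 8];
    }
}

/* Mask selecting the network bits that fall in the low 64-bit half.
   Shifting a 64-bit value by 64 is undefined in C, so /64 is special-cased. */
static uint64_t low_net_mask(int prefixlen)
{
    return prefixlen == 64 ? 0 : ~UINT64_C(0) << (128 - prefixlen);
}

/* 1 if addr is inside net/prefixlen, 0 if outside, -1 if the text does not
   parse or the prefix is shorter than 64 (needs masking wider than 64 bits). */
int in_prefix6(const char *addr, const char *net, int prefixlen)
{
    struct in6_addr a, n;
    uint64_t ahi, alo, nhi, nlo;

    if (prefixlen < 64 || prefixlen > 128)
        return -1;
    if (inet_pton(AF_INET6, addr, &a) != 1 || inet_pton(AF_INET6, net, &n) != 1)
        return -1;
    split6(&a, &ahi, &alo);
    split6(&n, &nhi, &nlo);
    return ahi == nhi && ((alo ^ nlo) & low_net_mask(prefixlen)) == 0;
}

/* Host part of addr under the given prefix length (>= 64), as one integer. */
uint64_t host_part6(const char *addr, int prefixlen)
{
    struct in6_addr a;
    uint64_t hi, lo;

    if (prefixlen < 64 || prefixlen > 128 || inet_pton(AF_INET6, addr, &a) != 1)
        return 0;
    split6(&a, &hi, &lo);
    return lo & ~low_net_mask(prefixlen);
}

int main(void)
{
    /* Constructed sample addresses from the 2001:db8::/32 documentation range. */
    printf("%d\n", in_prefix6("2001:db8:0:1:1::2a", "2001:db8:0:1:1::", 80));
    printf("%d\n", in_prefix6("2001:db8:0:1:2::2a", "2001:db8:0:1:1::", 80));
    printf("%d\n", in_prefix6("2001:db8:0:1::2a", "2001:db8::", 48));
    printf("%#llx\n", (unsigned long long)host_part6("2001:db8:0:1:1::2a", 80));
    return 0;
}
```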
Re: [Dnsmasq-discuss] DHCPv6 hostname resolving
On 02/04/14 18:08, Quintus wrote:
> Hi Albert,
>
> On 02.04.2014 17:59, Albert ARIBAUD wrote:
>> "ra-names enables a mode which gives DNS names to
>> dual-stack hosts which do SLAAC for IPv6.
>
> I am aware of the ra-names option, but as far as I understand the
> manpage, it is specifically targeted at SLAAC network setups. In
> my network I'm not doing SLAAC, but stateful DHCPv6 so that this
> option won't work. SLAAC does not work at all with /80 subnets.
>

Yes, slaac is not relevant here.

Please could you do the following?

1) Check the dnsmasq leases file (normally /var/lib/misc/dnsmasq.leases) to see if the name "atlantis" appears in the relevant DHCPv6 lease?

2) See if the plain name (not FQDN) resolves

   dig atlantis

3) See if atlantis.internal.xxx.eu resolves.

   dig atlantis.internal.xxx.eu

It looks like maybe the domain=, option is possibly broken.

Cheers,

Simon.
Re: [Dnsmasq-discuss] DHCPv6 hostname resolving
Hi Albert,

On 02.04.2014 17:59, Albert ARIBAUD wrote:
> "ra-names enables a mode which gives DNS names to dual-stack
> hosts which do SLAAC for IPv6.

I am aware of the ra-names option, but as far as I understand the manpage, it is specifically targeted at SLAAC network setups. In my network I’m not doing SLAAC, but stateful DHCPv6 so that this option won’t work. SLAAC does not work at all with /80 subnets.

> Kind regards,

Farewell,
Quintus
Re: [Dnsmasq-discuss] DHCPv6 hostname resolving
On Wed, Apr 2, 2014 at 8:59 AM, Albert ARIBAUD wrote:
> On 02/04/2014 17:26, Quintus wrote:
>>
>> Hi there,
>
> Hi Quintus,
>
>> with DHCPv4, dnsmasq properly converts the hostnames sent to it to A
>> records we can query for. It seems however that this is not the case
>> with DHCPv6 and records; while I can perfectly query for the A
>> record of "atlantis.cable.internal.xxx.eu" (and even the one of
>> "atlantis" without any further qualification is found), querying for its
>> record just returns NXDOMAIN, i.e. it's not found.
>>
>> Is this a bug, or do I have to enable that feature somehow so it works
>> the same for DHCPv6 as it does for DHCPv4?
>
> As per the manpage for dnsmasq, you should set 'ra-names' in the IPv6
> dhcp-range? e.g., instead of
>
>> dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:::fffe,80,6h
>> dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:::fffe,80,6h
>
> Use
>
> dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:::fffe,80,6h,ra-names
> dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:::fffe,80,6h,ra-names
>
> From the manpage:
>
> "ra-names enables a mode which gives DNS names to dual-stack
> hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4
> lease to derive the name, network segment and MAC address and
> assumes that the host will also have an IPv6 address calculated
> using the SLAAC algorithm, on the same network segment. The
> address is pinged, and if a reply is received, an record is
> added to the DNS for this IPv6 address. Note that this is only
> happens for directly-connected networks, (not one doing DHCP via
> a relay) and it will not work if a host is using privacy
> extensions. ra-names can be combined with ra-stateless and slaac."

There is even an internet draft on this... not that it's found a home within any working groups:

http://tools.ietf.org/html/draft-taht-kelley-hunt-dhcpv4-to-slaac-naming-00

> Kind regards,
> --
> Albert.

--
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
Re: [Dnsmasq-discuss] DHCPv6 hostname resolving
On 02/04/2014 17:26, Quintus wrote:
> Hi there,

Hi Quintus,

> with DHCPv4, dnsmasq properly converts the hostnames sent to it to A
> records we can query for. It seems however that this is not the case
> with DHCPv6 and records; while I can perfectly query for the A
> record of "atlantis.cable.internal.xxx.eu" (and even the one of
> "atlantis" without any further qualification is found), querying for its
> record just returns NXDOMAIN, i.e. it’s not found.
>
> Is this a bug, or do I have to enable that feature somehow so it works
> the same for DHCPv6 as it does for DHCPv4?

As per the manpage for dnsmasq, you should set 'ra-names' in the IPv6 dhcp-range? e.g., instead of

> dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:::fffe,80,6h
> dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:::fffe,80,6h

Use

dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:::fffe,80,6h,ra-names
dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:::fffe,80,6h,ra-names

From the manpage:

"ra-names enables a mode which gives DNS names to dual-stack hosts which do SLAAC for IPv6. Dnsmasq uses the host's IPv4 lease to derive the name, network segment and MAC address and assumes that the host will also have an IPv6 address calculated using the SLAAC algorithm, on the same network segment. The address is pinged, and if a reply is received, an record is added to the DNS for this IPv6 address. Note that this is only happens for directly-connected networks, (not one doing DHCP via a relay) and it will not work if a host is using privacy extensions. ra-names can be combined with ra-stateless and slaac."

Kind regards,
--
Albert.
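The address derivation the quoted manpage passage relies on, as an added example. This is not dnsmasq's code; it assumes "the SLAAC algorithm" means the modified EUI-64 interface identifier built from the MAC address. The function names and the 2001:db8:0:1::/64 prefix are constructed; the MAC is the one in the DHCP log posted in this thread. The identifier is 64 bits, so a prefix length other than 64 is rejected, and an address using privacy extensions does not match the MAC-derived identifier.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill iid[8] with the modified EUI-64 interface identifier for a MAC
   written as xx:xx:xx:xx:xx:xx. Returns 0 on success, -1 on a parse error. */
static int mac_to_iid(const char *mac, uint8_t iid[8])
{
    unsigned int m[6];
    char extra;

    if (sscanf(mac, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &m[0], &m[1], &m[2], &m[3], &m[4], &m[5], &extra) != 6)
        return -1;
    iid[0] = (uint8_t)(m[0] ^ 0x02);        /* flip the universal/local bit */
    iid[1] = (uint8_t)m[1]; iid[2] = (uint8_t)m[2];
    iid[3] = 0xff; iid[4] = 0xfe;           /* ff:fe goes in the middle */
    iid[5] = (uint8_t)m[3]; iid[6] = (uint8_t)m[4]; iid[7] = (uint8_t)m[5];
    return 0;
}

/* Write the SLAAC address for mac on prefix/prefixlen into out.
   Only a /64 leaves room for the 64-bit identifier; anything else gives -1. */
int slaac_addr(const char *prefix, int prefixlen, const char *mac,
               char *out, size_t outlen)
{
    struct in6_addr a;

    if (prefixlen != 64 || inet_pton(AF_INET6, prefix, &a) != 1)
        return -1;
    if (mac_to_iid(mac, &a.s6_addr[8]) != 0)
        return -1;
    return inet_ntop(AF_INET6, &a, out, (socklen_t)outlen) ? 0 : -1;
}

/* 1 if addr carries the identifier derived from mac, 0 if it does not (for
   example a privacy-extension address), -1 if either input fails to parse. */
int iid_matches_mac(const char *addr, const char *mac)
{
    struct in6_addr a;
    uint8_t iid[8];

    if (inet_pton(AF_INET6, addr, &a) != 1 || mac_to_iid(mac, iid) != 0)
        return -1;
    return memcmp(&a.s6_addr[8], iid, 8) == 0;
}

int main(void)
{
    char buf[INET6_ADDRSTRLEN];
    /* MAC from the DHCP log in this thread; the prefix is a constructed example. */
    if (slaac_addr("2001:db8:0:1::", 64, "3c:97:0e:b6:c6:c3", buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```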
[Dnsmasq-discuss] DHCPv6 hostname resolving
Hi there,

with DHCPv4, dnsmasq properly converts the hostnames sent to it to A records we can query for. It seems however that this is not the case with DHCPv6 and records; while I can perfectly query for the A record of "atlantis.cable.internal.xxx.eu" (and even the one of "atlantis" without any further qualification is found), querying for its record just returns NXDOMAIN, i.e. it’s not found.

Is this a bug, or do I have to enable that feature somehow so it works the same for DHCPv6 as it does for DHCPv4?

My Configuration:

--
## General options ##
domain-needed
bogus-priv
expand-hosts

## DHCP DNS domains ##
# Main
domain=internal.xxx.eu
# IPv4
domain=cable.internal.xxx.eu,10.37.59.0/26
domain=wifi.internal.xxx.eu,10.37.59.64/26
# IPv6
domain=cable.internal6.xxx.eu,2001:4dd0:ff00:8918:1::/80
domain=wifi.internal6.xxx.eu,2001:4dd0:ff00:8918:2::/80

## DHCP ranges ##
# Main DHCP ranges.
dhcp-range=set:wired,10.37.59.3,10.37.59.62,6h
dhcp-range=set:wifi,10.37.59.66,10.37.59.126,6h
# Main IPv6 address range
dhcp-range=set:wired6,2001:4dd0:ff00:8918:1::2,2001:4dd0:ff00:8918:1:::fffe,80,6h
dhcp-range=set:wifi6,2001:4dd0:ff00:8918:2::2,2001:4dd0:ff00:8918:2:::fffe,80,6h
# Don’t forget to advertise router information to
# IPv6-capable clients
enable-ra
# We are not the IPv4 router (but the IPv6 one).
dhcp-option=tag:wired,3,10.37.59.1
dhcp-option=tag:wifi,3,10.37.59.65

## Misc ##
log-dhcp
log-queries
--

Queries:

--
% dig atlantis.cable.internal.xxx.eu A

; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63422
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.IN A

;; ANSWER SECTION:
atlantis.cable.internal.xxx.eu. 0 IN A 10.37.59.42

;; Query time: 1 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Wed Apr 2 16:46:33 2014
;; MSG SIZE rcvd: 80
--

and

--
% dig atlantis.cable.internal.xxx.eu

; <<>> DiG 9.9.2-P2 <<>> atlantis.cable.internal.xxx.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22012
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;atlantis.cable.internal.xxx.eu.IN

;; Query time: 79 msec
;; SERVER: 10.37.59.2#53(10.37.59.2)
;; WHEN: Wed Apr 2 16:46:36 2014
;; MSG SIZE rcvd: 64
--

Log shows this:

--
dnsmasq-dhcp[1513]: 2999666139 available DHCP range: 10.37.59.3 -- 10.37.59.62
dnsmasq-dhcp[1513]: 2999666139 vendor class: dhcpcd-6.3.2:Linux-3.13.7-1-ARCH:x86_64:GenuineIntel
dnsmasq-dhcp[1513]: 2999666139 client provides name: atlantis
dnsmasq-dhcp[1513]: 2999666139 DHCPREQUEST(eth0) 10.37.59.42 3c:97:0e:b6:c6:c3
dnsmasq-dhcp[1513]: 2999666139 tags: wired, eth0
dnsmasq-dhcp[1513]: 2999666139 DHCPACK(eth0) 10.37.59.42 3c:97:0e:b6:c6:c3 atlantis
dnsmasq-dhcp[1513]: 2999666139 requested options: 1:netmask, 121:classless-static-route, 33:static-route,
dnsmasq-dhcp[1513]: 2999666139 requested options: 3:router, 6:dns-server, 12:hostname, 15:domain-name,
dnsmasq-dhcp[1513]: 2999666139 requested options: 28:broadcast, 42:ntp-server, 51:lease-time,
dnsmasq-dhcp[1513]: 2999666139 requested options: 54:server-identifier, 58:T1, 59:T2, 119:domain-search
dnsmasq-dhcp[1513]: 2999666139 next server: 10.37.59.2
dnsmasq-dhcp[1513]: 2999666139 sent size: 1 option: 53 message-type 5
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 54 server-identifier 10.37.59.2
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 51 lease-time 6h
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 58 T1 3h
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 59 T2 5h15m
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 1 netmask 255.255.255.192
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 28 broadcast 10.37.59.63
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 6 dns-server 10.37.59.2
dnsmasq-dhcp[1513]: 2999666139 sent size: 37 option: 15 domain-name cable.internal.xxx.eu
dnsmasq-dhcp[1513]: 2999666139 sent size: 8 option: 12 hostname atlantis
dnsmasq-dhcp[1513]: 2999666139 sent size: 4 option: 3 router 10.37.59.1
dnsmasq-dhcp[1513]: 12187573 available DHCP range: 2001:4dd0:ff00:8918:1::2 -- 2001:4dd0:ff00:8918:1:::fff
dnsmasq-dhcp[1513]: 12187573 vendor class: 40712
dnsmasq-dhcp[1513]: 12187573 client MAC address: 3c:97:0e:b6:c6:c3
dnsmasq-dhcp[1513]: 12187573 client provides name: atlantis
dnsmasq-dhcp[1513]: 12187573 DHCPSOLICIT(eth0) 00:01:00:01:1a:93:42:fa:3c:97:0e:b6:c6:c3
dnsmasq-dhcp[1513]: 12187573 DHCPREPLY(eth0) 2001:4dd0:ff00:89
[Dnsmasq-discuss] mixing synth-domain and auth-domain does not appear to work for me.
So I have a few static hosts defined in /etc/hosts and I want to serve authoritative records for them.
I also have some machines which get address via dhcp and slaac which I want to publish using synth-domain.

Each option works alone, but when I mix the options
eg
auth-zone=thekelleys.org.uk,192.168.0.0/24
synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-

with synth-domain only
# dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
;; ANSWER SECTION:
internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56

with both defined, no answer is returned.
eg
root@ns1 /etc/dnsmasq.d # dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 768
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;internal-192-168-0-56.thekelleys.org.uk. IN A

;; Query time: 0 msec
;; SERVER: 223.27.66.79#53(223.27.66.79)
;; WHEN: Wed Apr 2 21:30:13 2014
;; MSG SIZE rcvd: 57

The behaviour is the same for Ipv6.

regards,
dave.

PS: any reason why synth-domain is limited to /64 for IPv6?