[Dnsmasq-discuss] DNS resolving local names with multiple DNS servers
I've got an Ubuntu 13.04 Linux PC connected to two networks:

* Internet connection
* Router providing a local network (Wi-Fi) with DNS serving local names (example.lan)

Via NetworkManager, dnsmasq is set up with the DNS server IP addresses for these two networks.

The PC is having trouble getting the local names in example.lan, because it seems dnsmasq is using the Internet connection DNS server for the example.lan query, and that is returning an NXDOMAIN response. Rather than waiting for a better response from the local DNS server (which is local but responding more slowly due to being over Wi-Fi), it is just passing the NXDOMAIN response to the client. At least, I think that's what is happening; please tell me if I'm wrong.

What I'd hope for is for dnsmasq to not just use the first response it gets, but use the first response that's not NXDOMAIN. I think the Linux resolver (/etc/resolv.conf) does this, and it would be great if dnsmasq could use the same algorithm. Could dnsmasq support this algorithm?

Note: I suppose one response might be to specify the example.lan domain in one 'server' parameter of the dnsmasq config. Two problems:

1) dnsmasq is being used from NetworkManager, and it seems NetworkManager is only telling dnsmasq the DNS IP addresses (via D-Bus), and not telling it any domain names (even if I enter example.lan in the NetworkManager extra search domain config).

2) The router providing the local network is a remote dial-up device which can optionally provide a (slow) dial-up connection to the Internet. In that case, it becomes a general Internet connection, so I don't want to restrict it to just example.lan.

Regards,
Craig McQueen

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] Fwd: mixing synth-domain and auth-domain does not appear to work for me.
On Thu, Apr 3, 2014 at 6:24 AM, Simon Kelley si...@thekelleys.org.uk wrote:
> On 02/04/14 11:46, David Beveridge wrote:
>> So I have a few static hosts defined in /etc/hosts and I want to serve authoritative records for them. I also have some machines which get addresses via DHCP and SLAAC which I want to publish using synth-domain.
>>
>> Each option works alone, but when I mix the options, e.g.
>>
>>   auth-zone=thekelleys.org.uk,192.168.0.0/24
>>   synth-domain=thekelleys.org.uk,192.168.0.0/24,internal-
>>
>> With synth-domain only:
>>
>>   # dig internal-192-168-0-56.thekelleys.org.uk @223.27.66.79
>>   ;; ANSWER SECTION:
>>   internal-192-168-0-56.thekelleys.org.uk. 0 IN A 192.168.0.56
>>
>> With both defined, no answer is returned. The behaviour is the same for IPv6.
>
> This is, I think, just an oversight. synth-domain certainly generates Locally defined DNS records, which is what the auth-zone is specified to contain.
>
>> So if the auth-domain exists and the lookup fails there, it does not try to do a lookup in synth-domain. I'm not sure how commonly people might want to do that.
>>
>> regards,
>> dave.
>>
>> PS: any reason why synth-domain is limited to /64 for IPv6?
>
> Prefix length has to be greater than or equal to 64, is that what you mean? It's about implementation convenience. C doesn't provide an integer data type larger than 64 bits for doing masking of the address-part.

Fair enough. So I have a copy of dnsmasq running on my BIND DNS server just to handle the synthetic reverse (which BIND can't do), so each /64 needs to be individually configured in dnsmasq. It's good to know why. I can't just get lazy and synth a whole /48 or /32. Probably out of scope for what dnsmasq is designed for anyway.

dave

> Cheers,
> Simon.
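The synth-domain mapping discussed in this thread (a name such as internal-192-168-0-56.thekelleys.org.uk standing for 192.168.0.56, and the /64 limit that comes from masking the address part in C), as an added Python model that is not dnsmasq's own code. The IPv4 label shape follows the dig output above; the IPv6 label shape (compressed address with ':' replaced by '-', a leading '0' added when the label would otherwise start with '-'), the example.test domain and the function names are assumptions of this example. host_bits() returns the address part that has to be masked, which for a /48 is wider than 64 bits.

```python
"""Simplified model of dnsmasq-style synth-domain name synthesis.

Added example, not dnsmasq's own code. The IPv4 label shape (dots become
hyphens, optional prefix in front) follows the dig output in the thread;
the IPv6 label shape (colons become hyphens, so '::' becomes '--') is an
assumption made for this example.
"""
import ipaddress
from typing import Optional


def synth_forward(address: str, domain: str, network: str, prefix: str = "") -> Optional[str]:
    """Return the synthetic name for `address` if it lies inside `network`, else None."""
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(network, strict=False)
    if addr.version != net.version or addr not in net:
        return None
    if addr.version == 4:
        label = prefix + str(addr).replace(".", "-")
    else:
        # Assumed IPv6 shape: compressed form with ':' -> '-', so '::' -> '--'.
        label = prefix + addr.compressed.replace(":", "-")
    if label.startswith("-"):
        # A DNS label may not start with '-', so pad with a leading zero.
        label = "0" + label
    return f"{label}.{domain}"


def synth_lookup(name: str, domain: str, network: str, prefix: str = "") -> Optional[str]:
    """Inverse of synth_forward: parse a synthetic name back to its address.

    Returns the address as a string, or None when the name is not under the
    synth domain, does not carry the prefix, or decodes to an address outside
    the configured range (so a stray name cannot map to an arbitrary address).
    """
    net = ipaddress.ip_network(network, strict=False)
    suffix = "." + domain.rstrip(".").lower()
    label = name.rstrip(".").lower()
    if not label.endswith(suffix):
        return None
    label = label[: -len(suffix)]
    if not label.startswith(prefix.lower()):
        return None
    body = label[len(prefix):]
    try:
        if net.version == 4:
            addr = ipaddress.ip_address(body.replace("-", "."))
        else:
            # "0--1" becomes "0::1", which parses to ::1, so the padding zero needs no special case.
            addr = ipaddress.ip_address(body.replace("-", ":"))
    except ValueError:
        return None
    if addr.version != net.version or addr not in net:
        return None
    return str(addr)


def host_bits(address: str, network: str) -> int:
    """Address part left after masking off the prefix: the value that has to be masked.

    For a prefix shorter than /64 this value does not fit in a 64-bit integer,
    which is the implementation constraint mentioned above.
    """
    addr = ipaddress.ip_address(address)
    net = ipaddress.ip_network(network, strict=False)
    return int(addr) & int(net.hostmask)
```

synth_lookup() rejects names that decode to an address outside the configured subnet, so the synthesized zone never answers for addresses it was not told to cover; host_bits() for 2001:db8:1234:5678::1 under 2001:db8::/48 is a 79-bit value, which is why per-/64 configuration is needed in C.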
[Dnsmasq-discuss] PTR records with auth-zone and auth-server
I'm using dnsmasq 2.68. It's mostly working, however I'm having a few troubles with PTR records when using auth-zone and auth-server. If I use these options, then:

* PTR look-up of IP addresses defined by interface-name=example.lan,br0 returns an answer, but the returned status is NXDOMAIN rather than NOERROR.
* No custom PTR records can be defined with ptr-record.

If I remove the auth-zone and auth-server options, then PTR records work as expected.

Is there a good reason that this isn't working when using the auth-zone and auth-server options?

Regards,
Craig McQueen
Re: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not appear to work for me.
On Thu, Apr 3, 2014 at 6:38 AM, Simon Kelley si...@thekelleys.org.uk wrote:
> On 02/04/14 21:24, Simon Kelley wrote:
>> This is, I think, just an oversight. synth-domain certainly generates Locally defined DNS records, which is what the auth-zone is specified to contain.
>
> Actually, there is a reason. It doesn't in general make sense to include the records created by synth-domain in a zone transfer, since there are likely to be a lot of them. They could be included in answers for the auth-zone, at the expense of the additional complication that the zone answered by dnsmasq becomes no longer exactly the zone that's transferred to a secondary (since the synth-domain answers can't be included in the transfer).

I agree, you definitely would not want to zone transfer the entire synth zone, just the records from the auth zone. Actually, once you introduce synth records to a zone, transferring it is not practical at all.

I think I have misunderstood what auth-zone does. It seems it is not required in this situation. I just tested and discovered that if I remove the auth-zone statement from the config file, the synth-zone will still serve records it finds in /etc/hosts. In this way I can still have a mixed zone with manually created records and synthesized records in the same zone. The synth-domain kind of implies that the zone is authoritative, so no need for the auth-zone statement as well.

dave
Re: [Dnsmasq-discuss] dnssec on android?
On 03/04/14 02:37, Dave Taht wrote:
> It looks like there will be some issues getting DNSSEC on Android by switching to dnsmasq:
>
> https://code.google.com/p/android/issues/detail?id=65510
>
> What is dnsmasq's behavior on how/when to switch to TCP?

If the client uses UDP to query dnsmasq, then dnsmasq will use UDP to query upstream. If the client uses TCP to query dnsmasq, then dnsmasq uses TCP to query upstream. The same applies to DNSKEY and DS queries: UDP if the original query came by UDP, TCP if TCP.

The normal situation is: client queries dnsmasq over UDP, dnsmasq queries upstream over UDP, response is truncated, truncated response returned to client. Client retries over TCP, dnsmasq queries upstream over TCP, all is good.

The same situation applies with DNSSEC, with one additional wrinkle: it's possible that the answer to the actual query comes back untruncated over UDP, but a subsequent query needed to do validation (i.e. getting DNSKEY or DS records) is truncated. In this case, dnsmasq marks the original answer as truncated itself and returns it, so that the client will retry using TCP.

Cheers,
Simon.
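The UDP/TCP and truncation behaviour Simon describes, as an added Python model that is not dnsmasq's code: a stub resolver retries over TCP only when a UDP response carries the TC bit, the forwarder reuses the client's transport upstream, and an untruncated answer is handed back with TC set when one of the DNSKEY/DS fetches needed for validation was truncated. The messages are constructed, header-only DNS responses and the function names are this example's own.

```python
"""DNS truncation (TC) handling as described in the thread above.

Added example, not dnsmasq code. Messages are constructed 12-byte DNS
headers with no question or record bodies, which is enough to carry the
ID, the TC bit and the RCODE that the logic below depends on.
"""
import struct

HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount
FLAG_QR = 0x8000      # message is a response
FLAG_TC = 0x0200      # response was truncated
RCODE_MASK = 0x000F


def build_response(ident: int, truncated: bool = False, rcode: int = 0, ancount: int = 0) -> bytes:
    """Construct a header-only DNS response (sample data for this example)."""
    flags = FLAG_QR | (FLAG_TC if truncated else 0) | (rcode & RCODE_MASK)
    return HEADER.pack(ident, flags, 1, ancount, 0, 0)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header; reject anything shorter than 12 bytes."""
    if len(msg) < HEADER.size:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def upstream_transport(client_transport: str) -> str:
    """The forwarder queries upstream with whatever transport the client used."""
    if client_transport not in ("udp", "tcp"):
        raise ValueError(f"unknown transport {client_transport!r}")
    return client_transport


def should_retry_over_tcp(response: bytes, transport: str) -> bool:
    """A stub resolver retries over TCP only when a UDP response carries TC."""
    return transport == "udp" and parse_header(response)["tc"]


def set_truncated(msg: bytes) -> bytes:
    """Return a copy of the message with the TC bit set, everything else unchanged."""
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return HEADER.pack(ident, flags | FLAG_TC, qd, an, ns, ar) + msg[HEADER.size:]


def answer_for_client(answer: bytes, validation_responses, transport: str) -> bytes:
    """The DNSSEC wrinkle: the answer itself arrived untruncated, but if any
    DNSKEY/DS fetch needed for validation was truncated over UDP, hand the
    client a copy of the answer marked TC so that it retries over TCP."""
    if transport == "udp" and any(parse_header(r)["tc"] for r in validation_responses):
        return set_truncated(answer)
    return answer
```

Over TCP nothing is ever marked truncated, since the validation queries themselves went over TCP and could not have been cut short; the ID of the answer is preserved so the client still matches it to its outstanding query.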
Re: [Dnsmasq-discuss] Per entry TTL override
On 02/04/14 22:32, Olivier Mauras wrote:
> On Mon, 2014-03-31 at 12:59 +0200, Olivier Mauras wrote:
>> Hello,
>>
>> Is it thinkable to allow a per-entry TTL override system? I have actually two different needs that I'd like to discuss.
>>
>> First, NXDOMAINs. I'd like to cache NXDOMAIN from some forwarded domains to a specific value. Cache time based on the default SOA TTL may be too long in some cases and requires a manual cache refresh :(
>>
>> Easy example: Infra team provisions a new server and pings the hostname asked for to see if it's not already taken (yes, they could act differently). It's not, so the result is cached and will stay for 1H, the default SOA TTL. Server provisioning takes 10mn, and the hostname is still cached as NX for 50mn :(
>>
>> Second is entry override. Some specific DNS entries could have a different TTL than the default one, but not globally; per entry gives much more flexibility :)
>>
>> Would that make sense to have a binding for request replies, like the DHCP Lua script support, or would this make more sense as specific hardcoded options? If this makes any sense at all indeed :)
>>
>> Thanks,
>> Olivier
>
> Seemed like I had a double neg-ttl declared in my config and my command line at the same time, which made it not be correctly handled...
> Also seems that no matter what neg-ttl is set to, the first NXDOMAIN on a cold cache always gets the SOA TTL, am I missing something?

neg-ttl does not override the SOA TTL, it provides a TTL for NXDOMAIN if the upstream server doesn't include an SOA. (Lots of ISP nameservers seem to strip that information for bandwidth saving.) If your upstream servers include SOA, as they should, then neg-ttl will have no effect.

> Any feedback on per-entry TTL override?

I'm not sure about that, it seems to me to be fiddly and prone to errors. Your first example could be fixed by using --no-negcache. It would be less efficient, but it would always work. If you're going to set a TTL in that case, what's the correct value that will always work? I don't think there is one. I'm interested in other opinions.

Cheers,
Simon.

> Thanks,
> Olivier
Re: [Dnsmasq-discuss] mixing synth-domain and auth-domain does not appear to work for me.
On 03/04/14 08:35, David Beveridge wrote:
> On Thu, Apr 3, 2014 at 6:38 AM, Simon Kelley si...@thekelleys.org.uk wrote:
>> On 02/04/14 21:24, Simon Kelley wrote:
>>> This is, I think, just an oversight. synth-domain certainly generates Locally defined DNS records, which is what the auth-zone is specified to contain.
>>
>> Actually, there is a reason. It doesn't in general make sense to include the records created by synth-domain in a zone transfer, since there are likely to be a lot of them. They could be included in answers for the auth-zone, at the expense of the additional complication that the zone answered by dnsmasq becomes no longer exactly the zone that's transferred to a secondary (since the synth-domain answers can't be included in the transfer).
>
> I agree, you definitely would not want to zone transfer the entire synth zone, just the records from the auth zone. Actually, once you introduce synth records to a zone, transferring it is not practical at all.
>
> I think I have misunderstood what auth-zone does. It seems it is not required in this situation. I just tested and discovered that if I remove the auth-zone statement from the config file, the synth-zone will still serve records it finds in /etc/hosts. In this way I can still have a mixed zone with manually created records and synthesized records in the same zone. The synth-domain kind of implies that the zone is authoritative, so no need for the auth-zone statement as well.

OK. Happy ending :)

Cheers,
Simon.

> dave
Re: [Dnsmasq-discuss] PTR records with auth-zone and auth-server
On 04/04/14 07:28, Simon Kelley wrote:
> On 03/04/14 08:22, Craig McQueen wrote:
>> * No custom PTR records can be defined with ptr-record.
>
> That's behaving as documented, --ptr-record doesn't appear in the list of data included in an authoritative zone given in the AUTHORITATIVE CONFIGURATION section of the man page.
>
> The reason is, I think, that PTR-records can have any name, not just w.x.y.z.in-addr.arpa. It's therefore difficult to use the subnet(s) associated with an auth-zone to filter them. It would be possible to filter on the name using the domain associated with an auth zone, and filter w.x.y.z.in-addr.arpa on the subnet. That's quite complex to understand/document/use.

DNS-SD (RFC 6763) makes use of PTR records that end in the domain name. E.g. ending in example.com.:

  _http._tcp.example.com.
  lb._dns-sd._udp.example.com.

DNS-SD also makes use of PTR records that end in the reverse mapping name of the network address of the subnet. E.g. for subnet 192.168.5.0/24, some PTR records ending in 0.5.168.192.in-addr.arpa.:

  b._dns-sd._udp.0.5.168.192.in-addr.arpa.
  lb._dns-sd._udp.0.5.168.192.in-addr.arpa.

It would be good to allow ptr-record options that match either of these cases. The first case (ending in example.com.) should be straightforward. The reverse case should also be okay, unless I'm overlooking some complication. I haven't looked into the IPv6 case.

DNS-SD also uses SRV and TXT records, ending in .example.com.

Thanks,
Craig McQueen
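The two filters Simon and Craig discuss (ptr-record names ending in the auth-zone's domain, or ending in the reverse-mapping name of one of its subnets), as an added Python example that is not dnsmasq's code. It handles octet-aligned IPv4 and nibble-aligned IPv6 prefixes only, the function names are its own, and the sample ptr-record entries are constructed. Because b._dns-sd._udp.0.5.168.192.in-addr.arpa ends in 5.168.192.in-addr.arpa, matching on the subnet's reverse zone covers both ordinary w.x.y.z.in-addr.arpa names and the DNS-SD browse names in Craig's message.

```python
"""Deciding which ptr-record names belong to an auth-zone.

Added example, not dnsmasq code. A name is treated as part of the zone when
it ends in the zone's domain or in the reverse-mapping zone of one of the
zone's subnets; anything else is left out, so records for other domains or
other subnets cannot leak into authoritative answers for this zone.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def reverse_zone(network: str) -> str:
    """Reverse-mapping zone covering a subnet, e.g. 5.168.192.in-addr.arpa for 192.168.5.0/24.

    Only octet-aligned IPv4 and nibble-aligned IPv6 prefixes map to a single
    reverse zone; anything else is rejected rather than approximated.
    """
    net = ipaddress.ip_network(network, strict=False)
    unit, total = (8, 4) if net.version == 4 else (4, 32)
    if net.prefixlen % unit:
        raise ValueError(f"{network}: prefix must be a multiple of {unit} bits")
    labels = net.network_address.reverse_pointer.split(".")
    return ".".join(labels[total - net.prefixlen // unit:])


def zone_membership(name: str, domain: str, subnets: Iterable[str]) -> Optional[str]:
    """Return 'domain' or the matching reverse zone when `name` is in the auth-zone, else None."""
    n = name.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    if n == d or n.endswith("." + d):
        return "domain"
    for subnet in subnets:
        rz = reverse_zone(subnet)
        if n == rz or n.endswith("." + rz):
            return rz
    return None


def zone_ptr_records(records: Iterable[Tuple[str, str]], domain: str,
                     subnets: Iterable[str]) -> List[Tuple[str, str]]:
    """Keep only the (name, target) ptr-record pairs that fall inside the zone."""
    subnets = list(subnets)
    return [(n, t) for n, t in records if zone_membership(n, domain, subnets) is not None]


# Constructed sample ptr-record entries, in dnsmasq's "name,target" shape.
SAMPLE_PTR_RECORDS = [
    ("_http._tcp.example.com.", "Printer._http._tcp.example.com."),
    ("lb._dns-sd._udp.example.com.", "example.com."),
    ("b._dns-sd._udp.0.5.168.192.in-addr.arpa.", "example.com."),
    ("7.5.168.192.in-addr.arpa.", "host7.example.com."),
    ("7.4.168.192.in-addr.arpa.", "other.example.com."),          # wrong subnet
    ("_http._tcp.example.org.", "Foreign._http._tcp.example.org."),  # wrong domain
]
```

Matching is done on the trailing labels after a dot, so example.com does not accidentally claim notexample.com, and subnets with prefixes that are not octet- or nibble-aligned raise rather than silently matching too much or too little.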