Re: [Dnsmasq-discuss] dnsmasq not responding to DNS queries for local addresses when WAN down

2015-07-19 Thread Vladislav Grishenko
Hi Justin,

There's nothing wrong with dnsmasq.
Instead, when your WAN is down, all DNS queries from the LAN get faked by
answering with a fake 10.0.0.1 address, which is used for showing the router's WAN
state and the reason.
You could turn it off with "Enable WAN down browser redirect notice" under the
Administration / System web UI page.

Best Regards, Vladislav Grishenko

 -Original Message-
 From: Dnsmasq-discuss [mailto:dnsmasq-discuss-
 boun...@lists.thekelleys.org.uk] On Behalf Of Justin Smith
 Sent: Sunday, July 19, 2015 2:20 PM
 To: dnsmasq-discuss@lists.thekelleys.org.uk
 Subject: [Dnsmasq-discuss] dnsmasq not responding to DNS queries for local
 addresses when WAN down
 
 Hi,
 
 My home network uses an Asus RT-N66U running Merlin's firmware (ver
 378.55). I have dnsmasq running on the router. My problem is that when the
 WAN interface goes down (as it does occasionally), dnsmasq no longer
 returns the correct IP address for DNS queries for local hosts.
 
 For example (fake domain name):
 
 WAN UP
 ===
 justin@juka:~$ nslookup myhost1
 Server: 127.0.1.1
 Address: 127.0.1.1#53
 
 Name: myhost1
 Address: 192.168.30.3
 
 WAN DOWN
 ==
 justin@juka:~$ nslookup myhost1
 Server: 127.0.1.1
 Address: 127.0.1.1#53
 
 Name: myhost1.mydomain.com
 Address: 10.0.0.1
 
 
 My dnsmasq.conf looks something like this (personal data
 suppressed/changed):
 
 bind-dynamic
 interface=br0
 no-negcache
 cache-size=1500
 domain-needed
 bogus-priv
 no-resolv
 no-poll
 server=aaa.bbb.ccc.ddd   # ISP DNS server IP address
 local=/mydomain.com/
 domain=mydomain.com
 dhcp-range=192.168.30.200,192.168.30.250,24h
 dhcp-host=f4:6d:04:da:3e:c4,myhost1,192.168.30.3
 dhcp-host=38:2c:4a:af:e4:53,myhost2,192.168.30.4
 ...
 dhcp-authoritative
 
 
 My resolv.conf on the router looks like:
 # cat /tmp/etc/resolv.conf
 nameserver 127.0.0.1
 
 
 Does anyone offer advice on how to correctly set up dnsmasq?
 
 
 Thanks,
 Justin.
 
 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


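The behaviour described in the reply can be checked from the LAN side without touching the router. The Python script below is an added example, not code from this thread, from dnsmasq or from the Asus/Merlin firmware: it reads the dhcp-host reservations and the domain from a dnsmasq.conf fragment, parses the answer section of nslookup output, and classifies each answer for a locally defined name as "ok", "redirected" (the 10.0.0.1 address the reply says the firmware substitutes while the WAN is down), "mismatch" or "not-local". The config fragment and the two nslookup transcripts are constructed to mirror the ones in Justin's message; that the redirect address is always 10.0.0.1 is an assumption taken from the reply.

```python
"""Detect the WAN-down DNS redirect by comparing nslookup answers for local
hosts with the dhcp-host reservations in dnsmasq.conf (added example)."""
import re

# Constructed dnsmasq.conf fragment modelled on the one in the post.
DNSMASQ_CONF = """\
domain=mydomain.com
local=/mydomain.com/
dhcp-range=192.168.30.200,192.168.30.250,24h
dhcp-host=f4:6d:04:da:3e:c4,myhost1,192.168.30.3
dhcp-host=38:2c:4a:af:e4:53,myhost2,192.168.30.4   # trailing comment, as dnsmasq allows
"""

# Constructed nslookup transcripts, one per WAN state, as shown in the post.
WAN_UP = """\
Server: 127.0.1.1
Address: 127.0.1.1#53

Name: myhost1
Address: 192.168.30.3
"""
WAN_DOWN = """\
Server: 127.0.1.1
Address: 127.0.1.1#53

Name: myhost1.mydomain.com
Address: 10.0.0.1
"""

# Address the firmware answers with while the WAN is down (assumption: fixed value).
REDIRECT_ADDR = "10.0.0.1"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
IPV4_RE = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")
LEASE_RE = re.compile(r"^(\d+[smhdw]?|infinite)$")


def parse_dnsmasq_conf(text):
    """Return ({hostname: reserved_ip}, domain) from dhcp-host= and domain= lines.
    '#' starts a comment anywhere on a line; dhcp-host fields are comma separated
    and positional, so the hostname is whatever is not a MAC, IP, lease or tag."""
    expected, domain = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "domain":
            domain = value.split(",")[0]          # domain=<name>[,<range>]
        elif key == "dhcp-host":
            ip = name = None
            for field in (f.strip() for f in value.split(",")):
                if IPV4_RE.match(field):
                    ip = field
                elif (MAC_RE.match(field) or LEASE_RE.match(field) or field == "ignore"
                      or field.startswith(("id:", "set:", "tag:"))):
                    continue
                else:
                    name = field
            if ip and name:
                expected[name.lower()] = ip
    return expected, domain


def parse_nslookup(output):
    """Return (name, address) from the answer section of nslookup output.
    The first Address: line belongs to the server and is skipped; the answer
    is the Address: line that follows Name:."""
    name = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Address:") and name is not None:
            return name, line.split(":", 1)[1].strip().split("#")[0]
    return name, None


def classify_answer(expected, domain, name, address):
    """Compare one answer with the reservation for that host (domain suffix stripped)."""
    host = name.lower()
    if domain and host.endswith("." + domain.lower()):
        host = host[: -(len(domain) + 1)]
    if host not in expected:
        return "not-local"
    if address == expected[host]:
        return "ok"
    if address == REDIRECT_ADDR:
        return "redirected"
    return "mismatch"


def check(conf_text, nslookup_output):
    """Parse both inputs and classify the single answer in the transcript."""
    expected, domain = parse_dnsmasq_conf(conf_text)
    name, address = parse_nslookup(nslookup_output)
    return classify_answer(expected, domain, name, address)


if __name__ == "__main__":
    for label, transcript in (("WAN up", WAN_UP), ("WAN down", WAN_DOWN)):
        print(f"{label}: {check(DNSMASQ_CONF, transcript)}")
```

Feeding the script real output (`nslookup myhost1 | python3 check.py` style plumbing is left to the reader) gives "ok" while the WAN is up and "redirected" once the firmware starts answering with 10.0.0.1, which is the symptom in the post; a "mismatch" result would point at something other than the redirect notice.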


Re: [Dnsmasq-discuss] dnssec-check-unsigned failure with v2.73rc9

2015-07-19 Thread Stéphane Guedon
On Sunday, 14 June 2015 19:44:14, you wrote:
 Hi,
 
 On Sun, Jun 14, 2015 at 9:06 AM, Stéphane Guedon steph...@22decembre.eu
 wrote:
  On Friday, 12 June 2015, 13:16:09 Maciej Soltysiak wrote:
   A user on my service, who has dnssec-check-unsigned enabled, gets an
   unsigned response from a signed zone and the intended reaction of
   dnsmasq kicks in.
   
   Not a bug then. Is my understanding correct?
  
  As far as I understand, I have the same issue (except that dnsmasq itself
  is serving the non-signed zone and unbound the signed)!
  
  To solve that, I propose to make the unsigned zone on another domain or
  zone than the signed one.
  
  server.domain.org is signed and the public face of your server.
  
  server.intern.domain.org is unsigned. Your users can then use this
  address, and the DNS can still have different answers depending on where
  they are.
  
  Do you understand me?
  
  Do you think it is a good idea? (I am thinking of using it for my case.)
 
 Yes, I understand, I think it would work and it's a clever workaround for
 the issue, however in my case it does not help to maintain the end goal
 which was to provide authenticated response to that domain so that it is
 always trustworthy.
 
 That actually is becoming a DNSSEC question. Is there a way to provide
 split-horizon answers on signed zones? Can one name have 2 different valid
 answers and RRSIGs? perhaps if the signature could be for a name/ttl pair,
 not just the name and have different ttls on those names? Dunno.
 
 Perhaps me trying to use dns records to test whether the responses are
 coming over dnscrypt or not is flawed in nature.
 
 Thanks anyway,
 Maciej

Actually, it works at first glance (basic resolution and connectivity work),
but it fails fast: when you have to work on your website that is hosted on
your home server, nothing works anymore!

So I am returning to my previous setup before wondering what I should do.

I am going to write an article about this and all the workarounds that have 
been tried. Maybe it will then give me an idea on the solution.

-- 
The file signature.asc is not attached to be read by you. It's a digital 
signature by GPG.  
If you want to know why I use it, and why you should as well, you can read my 
article there:

http://www.22decembre.eu/2015/03/21/introduction-en/
