Re: [Dnsmasq-discuss] Authoritative and recursive service from the same interface

2018-09-28 Thread Eric Luehrsen

On 09/28/2018 06:46 PM, Simon Kelley wrote:
> On 28/09/18 23:07, Marc Heckmann wrote:
> > Very nice, I will test this.
> >
> > I am curious though: what will be used for the NS record if the
> > auth-server configuration is omitted?
>
> It appears to return an NS record of "." i.e. the DNS root. Which is not
> particularly sensible. This may need some more thought.
>
> Simon.
>
> > -m
> >
> > On Fri, Sep 28, 2018 at 4:42 PM Simon Kelley <si...@thekelleys.org.uk> wrote:
> >
> > On 28/09/18 02:33, Marc Heckmann wrote:
> > > Hello,
> > >
> > > I'm currently running dnsmasq in a Docker container and have set up a
> > > domain for which dnsmasq is to be authoritative. This is to do
> > > subdomain delegation to the dnsmasq server. I am using the auth-server &
> > > auth-zone configuration options for this. This works as expected and is
> > > verifiable using dig with the "+norecurse" option to query for the NS
> > > and SOA records. However, as it's a Docker container, I only have and
> > > actually need a single interface (eth0) and when I specify eth0 in the
> > > "auth-server" option, i.e. "auth-server=,eth0", I noticed
> > > that it stops answering recursive queries for names that it is not
> > > authoritative for.
> > >
> > > I worked around this by replacing "eth0" with an IP that is not present
> > > in the container's network namespace and dnsmasq now does what I want
> > > which is to answer to both non-recursive and recursive queries from the
> > > same interface.
> > >
> > > My question is the following: Are there any side effects to this hack?
> > > Is there any reason why dnsmasq should not be able to provide recursive
> > > and authoritative service from the same interface? I can understand the
> > > security reasons for wanting to prevent this on an Internet exposed
> > > interface, but why not allow for an option to officially support
> > > providing both kinds of service on the same interface?
> > >
> > > Thanks.
> > >
> > > -m
> >
> > This patch, in the pending 2.80 release, addresses this, it allows you
> > to omit the auth-server configuration and get both recursive and
> > authoritative answers on the interface(s) that dnsmasq is listening on.
> >
> > http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=397c0502e255ea0a470982666dea93e0b2f52043


In other software something like the following makes a reasonable 
non-functioning default, when things go wrong. It terminates locally 
instead of whatever root-as-NS will cause.

7200 IN SOA localhost. nobody.invalid. 1 3600 1200 9600 300
7200 IN NS localhost.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
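
A check for the NS answer discussed in this thread, as an added example that is not part of the original messages or of dnsmasq: it parses a DNS response in wire format and reports the AA and RA flags and whether any NS target is the root ".". The function names, the zone name sub.example.com and the response bytes are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name in DNS wire format ('.' becomes a single zero byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:                              # end of name
            off += 1
            break
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    return ".".join(labels) + ".", (end if end is not None else off)

def audit_ns_response(msg):
    """Return the AA/RA flags and the NS targets found in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    targets = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                            # NS record
            targets.append(read_name(msg, off)[0])
        off += rdlen
    return {"aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "ns": targets, "root_ns": "." in targets}

def build_response(zone, ns_target):
    """Constructed sample (not captured traffic): authoritative '<zone> NS' answer."""
    question = encode_name(zone) + struct.pack("!HH", 2, 1)
    rdata = encode_name(ns_target)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 2, 1, 7200, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + question + rr
```
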


Re: [Dnsmasq-discuss] Authoritative and recursive service from the same interface

2018-09-28 Thread Simon Kelley
On 28/09/18 23:07, Marc Heckmann wrote:
> Very nice, I will test this.
> 
> I am curious though: what will be used for the NS record if the
> auth-server configuration is omitted?


It appears to return an NS record of "." i.e. the DNS root. Which is not
particularly sensible. This may need some more thought.

Simon.

> 
> -m
> 
> 
> On Fri, Sep 28, 2018 at 4:42 PM Simon Kelley wrote:
> 
> On 28/09/18 02:33, Marc Heckmann wrote:
> > Hello,
> >
> > I'm currently running dnsmasq in a Docker container and have set up a
> > domain for which dnsmasq is to be authoritative. This is to do
> > subdomain delegation to the dnsmasq server. I am using the auth-server &
> > auth-zone configuration options for this. This works as expected and is
> > verifiable using dig with the "+norecurse" option to query for the NS
> > and SOA records. However, as it's a Docker container, I only have and
> > actually need a single interface (eth0) and when I specify eth0 in the
> > "auth-server" option, i.e. "auth-server=,eth0", I noticed
> > that it stops answering recursive queries for names that it is not
> > authoritative for.
> >
> > I worked around this by replacing "eth0" with an IP that is not present
> > in the container's network namespace and dnsmasq now does what I want
> > which is to answer to both non-recursive and recursive queries from the
> > same interface.
> >
> > My question is the following: Are there any side effects to this hack?
> > Is there any reason why dnsmasq should not be able to provide recursive
> > and authoritative service from the same interface? I can understand the
> > security reasons for wanting to prevent this on an Internet exposed
> > interface, but why not allow for an option to officially support
> > providing both kinds of service on the same interface?
> >
> > Thanks.
> >
> > -m
> 
> This patch, in the pending 2.80 release, addresses this, it allows you
> to omit the auth-server configuration and get both recursive and
> authoritative answers on the interface(s) that dnsmasq is listening on.
> 
> 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=397c0502e255ea0a470982666dea93e0b2f52043
> 
> 
> 
> Cheers,
> 
> Simon.


Re: [Dnsmasq-discuss] Authoritative and recursive service from the same interface

2018-09-28 Thread Marc Heckmann
Very nice, I will test this.

I am curious though: what will be used for the NS record if the auth-server
configuration is omitted?

-m


On Fri, Sep 28, 2018 at 4:42 PM Simon Kelley wrote:

> On 28/09/18 02:33, Marc Heckmann wrote:
> > Hello,
> >
> > I'm currently running dnsmasq in a Docker container and have set up a
> > domain for which dnsmasq is to be authoritative. This is to do
> > subdomain delegation to the dnsmasq server. I am using the auth-server &
> > auth-zone configuration options for this. This works as expected and is
> > verifiable using dig with the "+norecurse" option to query for the NS
> > and SOA records. However, as it's a Docker container, I only have and
> > actually need a single interface (eth0) and when I specify eth0 in the
> > "auth-server" option, i.e. "auth-server=,eth0", I noticed
> > that it stops answering recursive queries for names that it is not
> > authoritative for.
> >
> > I worked around this by replacing "eth0" with an IP that is not present
> > in the container's network namespace and dnsmasq now does what I want
> > which is to answer to both non-recursive and recursive queries from the
> > same interface.
> >
> > My question is the following: Are there any side effects to this hack?
> > Is there any reason why dnsmasq should not be able to provide recursive
> > and authoritative service from the same interface? I can understand the
> > security reasons for wanting to prevent this on an Internet exposed
> > interface, but why not allow for an option to officially support
> > providing both kinds of service on the same interface?
> >
> > Thanks.
> >
> > -m
> >
> >
>
>
> This patch, in the pending 2.80 release, addresses this, it allows you
> to omit the auth-server configuration and get both recursive and
> authoritative answers on the interface(s) that dnsmasq is listening on.
>
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=397c0502e255ea0a470982666dea93e0b2f52043
>
>
>
> Cheers,
>
> Simon.


Re: [Dnsmasq-discuss] Authoritative and recursive service from the same interface

2018-09-28 Thread Simon Kelley
On 28/09/18 02:33, Marc Heckmann wrote:
> Hello,
> 
> I'm currently running dnsmasq in a Docker container and have set up a
> domain for which dnsmasq is to be authoritative. This is to do
> subdomain delegation to the dnsmasq server. I am using the auth-server &
> auth-zone configuration options for this. This works as expected and is
> verifiable using dig with the "+norecurse" option to query for the NS
> and SOA records. However, as it's a Docker container, I only have and
> actually need a single interface (eth0) and when I specify eth0 in the
> "auth-server" option, i.e. "auth-server=,eth0", I noticed
> that it stops answering recursive queries for names that it is not
> authoritative for.
> 
> I worked around this by replacing "eth0" with an IP that is not present
> in the container's network namespace and dnsmasq now does what I want
> which is to answer to both non-recursive and recursive queries from the
> same interface.
> 
> My question is the following: Are there any side effects to this hack?
> Is there any reason why dnsmasq should not be able to provide recursive
> and authoritative service from the same interface? I can understand the
> security reasons for wanting to prevent this on an Internet exposed
> interface, but why not allow for an option to officially support
> providing both kinds of service on the same interface?
> 
> Thanks.
> 
> -m
> 
> 


This patch, in the pending 2.80 release, addresses this, it allows you
to omit the auth-server configuration and get both recursive and
authoritative answers on the interface(s) that dnsmasq is listening on.

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=397c0502e255ea0a470982666dea93e0b2f52043



Cheers,

Simon.

