Re: [Dnsmasq-discuss] Authoritative and recursive service from the same interface

2018-09-28 Thread Marc Heckmann
Very nice, I will test this.

I am curious though: what will be used for the NS record if the auth-server
configuration is omitted?

-m


On Fri, Sep 28, 2018 at 4:42 PM Simon Kelley wrote:

> On 28/09/18 02:33, Marc Heckmann wrote:
> > Hello,
> >
> > I'm currently running dnsmasq in a Docker container and have set up a
> > domain for which dnsmasq is to be authoritative for. This is to do
> > subdomain delegation to the dnsmasq server. I am using the auth-server &
> > auth-zone configuration options for this. This works as expected and is
> > verifiable using dig with the "+norecurse" option to query for the NS
> > and SOA records. However, as it's a Docker container, I only have and
> > actually need a single interface (eth0) and when I specify eth0 in the
> > "auth-server" option, i.e. "auth-server=,eth0", I noticed
> > that it stops answering recursive queries for names that it is not
> > authoritative for.
> >
> > I worked around this by replacing "eth0" with an IP that is not present
> > in the container's network namespace and dnsmasq now does what I want
> > which is to answer to both non-recursive and recursive queries from the
> > same interface.
> >
> > My question is the following: Are there any side effects to this hack?
> > Is there any reason why dnsmasq should not be able to provide recursive
> > and authoritative service from the same interface? I can understand the
> > security reasons for wanting to prevent this on an Internet exposed
> > interface, but why not allow for an option to officially support
> > providing both kinds of service on the same interface?
> >
> > Thanks.
> >
> > -m
> >
> >
>
>
> This patch, in the pending 2.80 release, addresses this; it allows you
> to omit the auth-server configuration and get both recursive and
> authoritative answers on the interface(s) that dnsmasq is listening on.
>
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=397c0502e255ea0a470982666dea93e0b2f52043
>
>
>
> Cheers,
>
> Simon.
>
>
> >
> > ___
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >


[Dnsmasq-discuss] Authoritative and recursive service from the same interface

2018-09-27 Thread Marc Heckmann
Hello,

I'm currently running dnsmasq in a Docker container and have set up a domain
for which dnsmasq is to be authoritative for. This is to do subdomain
delegation to the dnsmasq server. I am using the auth-server & auth-zone
configuration options for this. This works as expected and is verifiable
using dig with the "+norecurse" option to query for the NS and SOA records.
However, as it's a Docker container, I only have and actually need a single
interface (eth0) and when I specify eth0 in the "auth-server" option, i.e.
"auth-server=,eth0", I noticed that it stops answering
recursive queries for names that it is not authoritative for.

I worked around this by replacing "eth0" with an IP that is not present in
the container's network namespace and dnsmasq now does what I want which is
to answer to both non-recursive and recursive queries from the same
interface.

My question is the following: Are there any side effects to this hack? Is
there any reason why dnsmasq should not be able to provide recursive and
authoritative service from the same interface? I can understand the
security reasons for wanting to prevent this on an Internet exposed
interface, but why not allow for an option to officially support
providing both kinds of service on the same interface?

Thanks.

-m
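
A client-side check for the two behaviours discussed in this thread, as an added example that is not part of the original posts or of dnsmasq: it builds queries with the RD bit set or cleared (what dig's "+norecurse" does) and reads the AA and RA flags from the reply header. The function names and the sample reply headers are constructed for illustration.

```python
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6}

def build_query(name, qtype="A", recurse=True, qid=0x1234):
    """One-question DNS query; recurse=False clears RD like dig +norecurse."""
    flags = 0x0100 if recurse else 0x0000
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1))

def parse_flags(response):
    """Header fields that separate authoritative from recursive answers."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {"id": qid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def classify(response):
    """Label a reply as authoritative, recursive, refused or other."""
    f = parse_flags(response)
    if f["rcode"] == 5:                      # REFUSED
        return "refused"
    if f["aa"]:                              # server owns the zone
        return "authoritative"
    if f["ra"] and f["rcode"] == 0 and f["answers"]:
        return "recursive"                   # resolved on the client's behalf
    return "other"

def probe(server, name, qtype="A", recurse=True, timeout=2.0):
    """Send one UDP query and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, recurse), (server, 53))
        return classify(s.recvfrom(4096)[0])

# Constructed 12-byte reply headers (not captured from a real server).
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)      # QR+AA
RECURSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR+RD+RA
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # QR+RD+REFUSED

if __name__ == "__main__":
    for label, raw in [("zone NS, +norecurse", AUTH_REPLY),
                       ("outside name, RD set", RECURSED_REPLY),
                       ("outside name, refused", REFUSED_REPLY)]:
        print(label, "->", classify(raw))
```

Calling probe() against each address the server listens on, once for a name inside the zone with recurse=False and once for a name outside it, shows which interfaces give authoritative answers and which also resolve recursively.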