Re: [Dnsmasq-discuss] Best way to handle dual-wans with dnsmasq (John Knight)
Hi John, we are using kind of hack for similar purpose in dnssec-trigger package. If udhcpc serves domain or search directives for resolv.conf, they can be used to redirect just those domains to management servers. It can work centrally managed. But requires special handling of search domains, that is not usually done. Do not know whether udhcpc is capable such configuration. You would have to ask administrator to add some domain name into DHCP offered. I doubt you can configure dnsmasq to query both servers. It usually picks one fastest and stick to it until it responds. If the management server does not provide full DNS resolver, it would not work. How would it respond to addresses it does not know? NXDomain means authoritative reply, no such domain exist. You should not ask other server to confirm or deny that information. Is that management DNS service dnsmasq based as well? Every other server requires some 'zone' concept, that organizes names into domains and subdomains. Just dnsmasq does not care and can serve whatever name it chooses. I think some rule to distinguish management names and normal traffic has to be made first. Regards, Petr On 8/26/19 7:28 PM, John Knight wrote: > Hi Petr, > > I think what you are suggesting is to use server entry to define the IP > Addresss corresponding to the domain name of the dns server on the management > interface. Unfortunately, in my case we use udhcpc to learn of the upstream > dns server;s IP address. There is no domain name for the management > server... only an IP address. The only thing I will know is that the > xx.xx.xx.xx IP address I learned via udhcpc is on the management wan > interface... I won't know its domain name. So for any given dns request > dnsmasq gets, dnsmasq will potentially need to query both wans (data and > management) to resolve the IP address. Is this possible to do? It will NOT > have a domain name to direct it to the right wan to query. > > Thanks, > > John > > > From: John Knight > Sent: Monday, August 26, 2019 10:07 AM > To: dnsmasq-discuss@lists.thekelleys.org.uk > Subject: Re: Best way to handle dual-wans with dnsmasq (John Knight) > > Hi Petr, > > In my situation with dual-wans, I am not too concerned about management > network being accessible to all users, so using a single dnsmasq is > acceptable. I am using dnsmasq to serve dhcp and dns requests on the data > network, but it only needs to support dns requests on the management network. > > What I have tried so far is to add the nameserver entries for both wans to > resolv.conf. However, I am seeing dns queries only go to the data wan... > they are not going to the management wan. How does dnsmasq know that > nameserver xx.xx.xx.xx is on management wan, and nameserver yy.yy.yy.yy is on > data wan... and how does dnsmasq know to query both wans for any given dns > request? I think what I had hoped is that dnsmasq would first query dns > server upstream on the data wan, then if it did not resolve the address, it > would then try to query the dns server on the management wan. > > I know there is a listen address which I presume is somehow used to in > essence route the request to a given wan, but I am not sure. I think what I > really need is an example on how to do this. > > Thanks for your help with this. > > John > __ > Confidential This e-mail and any files transmitted with it are the property > of Belkin International, Inc. and/or its affiliates, are confidential, and > are intended solely for the use of the individual or entity to whom this > e-mail is addressed. If you are not one of the named recipients or otherwise > have reason to believe that you have received this e-mail in error, please > notify the sender and delete this message immediately from your computer. Any > other use, retention, dissemination, forwarding, printing or copying of this > e-mail is strictly prohibited. Pour la version fran?aise: > http://www.belkin.com/email-notice/French.html F?r die deutsche ?bersetzung: > http://www.belkin.com/email-notice/German.html > __ > > > ___ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: 65C6C973 ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Best way to handle dual-wans with dnsmasq (John Knight)
Hi Petr, I think what you are suggesting is to use server entry to define the IP Addresss corresponding to the domain name of the dns server on the management interface. Unfortunately, in my case we use udhcpc to learn of the upstream dns server;s IP address. There is no domain name for the management server... only an IP address. The only thing I will know is that the xx.xx.xx.xx IP address I learned via udhcpc is on the management wan interface... I won't know its domain name. So for any given dns request dnsmasq gets, dnsmasq will potentially need to query both wans (data and management) to resolve the IP address. Is this possible to do? It will NOT have a domain name to direct it to the right wan to query. Thanks, John From: John Knight Sent: Monday, August 26, 2019 10:07 AM To: dnsmasq-discuss@lists.thekelleys.org.uk Subject: Re: Best way to handle dual-wans with dnsmasq (John Knight) Hi Petr, In my situation with dual-wans, I am not too concerned about management network being accessible to all users, so using a single dnsmasq is acceptable. I am using dnsmasq to serve dhcp and dns requests on the data network, but it only needs to support dns requests on the management network. What I have tried so far is to add the nameserver entries for both wans to resolv.conf. However, I am seeing dns queries only go to the data wan... they are not going to the management wan. How does dnsmasq know that nameserver xx.xx.xx.xx is on management wan, and nameserver yy.yy.yy.yy is on data wan... and how does dnsmasq know to query both wans for any given dns request? I think what I had hoped is that dnsmasq would first query dns server upstream on the data wan, then if it did not resolve the address, it would then try to query the dns server on the management wan. I know there is a listen address which I presume is somehow used to in essence route the request to a given wan, but I am not sure. I think what I really need is an example on how to do this. Thanks for your help with this. John __ Confidential This e-mail and any files transmitted with it are the property of Belkin International, Inc. and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipients or otherwise have reason to believe that you have received this e-mail in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. Pour la version fran?aise: http://www.belkin.com/email-notice/French.html F?r die deutsche ?bersetzung: http://www.belkin.com/email-notice/German.html __ ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Best way to handle dual-wans with dnsmasq (John Knight)
Hi Petr, In my situation with dual-wans, I am not too concerned about management network being accessible to all users, so using a single dnsmasq is acceptable. I am using dnsmasq to serve dhcp and dns requests on the data network, but it only needs to support dns requests on the management network. What I have tried so far is to add the nameserver entries for both wans to resolv.conf. However, I am seeing dns queries only go to the data wan... they are not going to the management wan. How does dnsmasq know that nameserver xx.xx.xx.xx is on management wan, and nameserver yy.yy.yy.yy is on data wan... and how does dnsmasq know to query both wans for any given dns request? I think what I had hoped is that dnsmasq would first query dns server upstream on the data wan, then if it did not resolve the address, it would then try to query the dns server on the management wan. I know there is a listen address which I presume is somehow used to in essence route the request to a given wan, but I am not sure. I think what I really need is an example on how to do this. Thanks for your help with this. John __ Confidential This e-mail and any files transmitted with it are the property of Belkin International, Inc. and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipients or otherwise have reason to believe that you have received this e-mail in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. Pour la version fran?aise: http://www.belkin.com/email-notice/French.html F?r die deutsche ?bersetzung: http://www.belkin.com/email-notice/German.html __ ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Best way to handle dual-wans with dnsmasq
Hi John, unless you want too much work, I would suggest using separate domain for management names. If you are not afraid management network would be accessible to all users, just use --server=/mgmt.example.net/1.2.3.4 and --server=5.6.7.8 for normal names (or just read /etc/resolv.conf for them). If names are not in separate domain, I doubt there is good solution. using --server/host-mgmt-1.XY/1.2.3.4 may work, but I think you should ask administrators to create easier system in such case :) I think I have understood it right, your dnsmasq is just dns proxy for both networks and does not serve any DHCP or DNS to those networks, right? On 8/26/19 4:58 AM, John Knight wrote: > Hi, > > I have a system that has two WAN interfaces... one WAN is used for > management, and the other WAN is used for normal internet access. Each WAN > has its own DNS and DHCP Servers upstream. The DNS Server on the Management > WAN will serve out IP addresses for the management sites, while the other WAN > will use public DNS Servers to resolve IP addresses for DNS queries. > > I am interested in knowing best practice in how to configure dnsmasq for > these dual-wan situations? Do I need to run two dnsmasq processes or can a > single dnsmasq process handle multiple WANs? The management processes > running on the system will use eth0.10 (VLAN 10) to access the management > WAN, while normal user traffic will use eth0 (untagged) interface to get to > the internet. > > Does anyone have a sample configuration on how to configure this? > > Thanks in advance, > > John > > __ > Confidential This e-mail and any files transmitted with it are the property > of Belkin International, Inc. and/or its affiliates, are confidential, and > are intended solely for the use of the individual or entity to whom this > e-mail is addressed. If you are not one of the named recipients or otherwise > have reason to believe that you have received this e-mail in error, please > notify the sender and delete this message immediately from your computer. Any > other use, retention, dissemination, forwarding, printing or copying of this > e-mail is strictly prohibited. Pour la version française: > http://www.belkin.com/email-notice/French.html Für die deutsche Übersetzung: > http://www.belkin.com/email-notice/German.html > __ > > > ___ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: 65C6C973 ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] Best way to handle dual-wans with dnsmasq
Hi, I have a system that has two WAN interfaces... one WAN is used for management, and the other WAN is used for normal internet access. Each WAN has its own DNS and DHCP Servers upstream. The DNS Server on the Management WAN will serve out IP addresses for the management sites, while the other WAN will use public DNS Servers to resolve IP addresses for DNS queries. I am interested in knowing best practice in how to configure dnsmasq for these dual-wan situations? Do I need to run two dnsmasq processes or can a single dnsmasq process handle multiple WANs? The management processes running on the system will use eth0.10 (VLAN 10) to access the management WAN, while normal user traffic will use eth0 (untagged) interface to get to the internet. Does anyone have a sample configuration on how to configure this? Thanks in advance, John __ Confidential This e-mail and any files transmitted with it are the property of Belkin International, Inc. and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipients or otherwise have reason to believe that you have received this e-mail in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. Pour la version française: http://www.belkin.com/email-notice/French.html Für die deutsche Übersetzung: http://www.belkin.com/email-notice/German.html __ ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss