Re: [Dnsmasq-discuss] Upstream servers by host tag (or MAC)
Hi Michael,

It works, I've created a docker-compose project with two dnsmasq instances, each one listening on one ethernet alias. I've disabled DHCP on the children instance.

Thanks for the advice!

Hubert.

On 23/09/2021 at 18:43, Michael wrote:
> On 9/23/21 04:35, Petr Menšík wrote:
>> Hi Hubert,
>>
>> it may work, if you would run two dnsmasq instances. One for children
>> with OpenDNS as upstream servers, another for everyone else.
>>
>> default instance:
>>
>> bind-interfaces
>> listen-address=10.1.0.1
>> server=8.8.8.8
>> domain=home.arpa
>> dhcp-option=option:dns-server,10.1.0.1,8.8.8.8
>> dhcp-option=tag:child,option:dns-server,10.1.0.2,208.67.222.123
>> ...
>>
>> children instance:
>>
>> bind-interfaces
>> listen-address=10.1.0.2
>> server=208.67.222.123
>> server=/home.arpa/10.1.0.1
>>
>> Because the second instance would forward local domain to main instance,
>> which also registers dhcp, they should be able to resolve any local
>> names. But other names would be served by different server.
>>
>> Children might have reserved different address range, but it might be
>> handy to be on shared broadcast link. Good for link-local address
>> resolution and easy local games setup. Not sure it is relevant anymore.
>>
>> Not sure if 10.1.0.2 can be on the same interface as 10.1.0.1. It would
>> work fine with just DNS, but I think dhcp requires interface=eth0 or
>> similar. Which would block the second instance from working correctly. I
>> think alternative address would have to be on different interface.
>>
> I do almost exactly this so I can confirm it works.
>
> I have one machine running docker. On that machine, I run two
> containers with their own IP addresses (macvlan). .1 for the primary
> including DHCP pointing to my main DNS. Then the .2 version that
> points to the safe DNS, but relays local name queries (and reverse) over
> to the .1.
>
> Then in config as you highlighted above, I point the child machines to
> the .2 and everything else to .1.
>
> It would be nice if you could use tags to point to different DNS
> servers, but until that is an option, this works.
>
> Michael

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Upstream servers by host tag (or MAC)
On 23/09/2021 17:43, Michael wrote:
> On 9/23/21 04:35, Petr Menšík wrote:
>> Hi Hubert,
>>
>> it may work, if you would run two dnsmasq instances. One for children
>> with OpenDNS as upstream servers, another for everyone else.
>>
>> default instance:
>>
>> bind-interfaces
>> listen-address=10.1.0.1
>> server=8.8.8.8
>> domain=home.arpa
>> dhcp-option=option:dns-server,10.1.0.1,8.8.8.8
>> dhcp-option=tag:child,option:dns-server,10.1.0.2,208.67.222.123
>> ...
>>
>> children instance:
>>
>> bind-interfaces
>> listen-address=10.1.0.2
>> server=208.67.222.123
>> server=/home.arpa/10.1.0.1
>>
>> Because the second instance would forward local domain to main instance,
>> which also registers dhcp, they should be able to resolve any local
>> names. But other names would be served by different server.
>>
>> Children might have reserved different address range, but it might be
>> handy to be on shared broadcast link. Good for link-local address
>> resolution and easy local games setup. Not sure it is relevant anymore.
>>
>> Not sure if 10.1.0.2 can be on the same interface as 10.1.0.1. It would
>> work fine with just DNS, but I think dhcp requires interface=eth0 or
>> similar. Which would block the second instance from working correctly. I
>> think alternative address would have to be on different interface.
>>
> I do almost exactly this so I can confirm it works.
>
> I have one machine running docker. On that machine, I run two
> containers with their own IP addresses (macvlan). .1 for the primary
> including DHCP pointing to my main DNS. Then the .2 version that
> points to the safe DNS, but relays local name queries (and reverse) over
> to the .1.
>
> Then in config as you highlighted above, I point the child machines to
> the .2 and everything else to .1.
>
> It would be nice if you could use tags to point to different DNS
> servers, but until that is an option, this works.
>
> Michael

I think using different upstream servers based on the requesting client would be a problem because that would mean the same query would get different results. That would appear to be what you would like to see (IIUC), but you then have all sorts of issues with the caches - there would need to be separate caches for separate tag-selected servers, with all the complexity involved in managing that.

Since running multiple copies of dnsmasq for DNS can be done on separate IPs (I suggest with only one of them serving DHCP) I would tend to go with that rather than adding multiple-cache complexity.

Regards,

Geoff.

--
Geoff Back
What if we're all just characters in someone's nightmares?
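Geoff's cache argument and Petr's two-instance split can both be checked in a small model. The Python below is an added example written for this page; it is not code from dnsmasq or from anyone in the thread. The upstream answers, the client tags, the local name and the addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed, and the two classes are a simplified model of forwarding and caching, not dnsmasq's actual implementation. It shows the failure mode Geoff describes (one shared cache lets a child client receive the unfiltered answer another client already cached), the per-upstream cache key that would be needed to avoid it, and the two-instance design where the child instance forwards only home.arpa to the main instance.

```python
"""Model of the designs discussed in this thread (constructed example).

Upstream answers, tags, names and addresses are all made up; this models
forwarding and caching only, not real dnsmasq behaviour.
"""

# What each upstream resolver would answer for the same name (constructed):
# the filtering resolver returns a block-page address, the other the real one.
UPSTREAM_ANSWERS = {
    "8.8.8.8":        {"example.test": "203.0.113.10"},
    "208.67.222.123": {"example.test": "198.51.100.1"},
}

# Names the main instance answers itself from DHCP leases / hosts (constructed).
LOCAL_NAMES = {"printer.home.arpa": "10.1.0.50"}
LOCAL_DOMAIN = ".home.arpa"


class TaggedForwarder:
    """One instance that picks the upstream from the client's tag (the feature
    Hubert asked for). cache_per_upstream=False models a single shared cache,
    the design Geoff objects to; True keys the cache by upstream as well."""

    def __init__(self, tag_to_upstream, default_upstream, cache_per_upstream):
        self.tag_to_upstream = tag_to_upstream
        self.default_upstream = default_upstream
        self.cache_per_upstream = cache_per_upstream
        self.cache = {}
        self.upstream_queries = []  # (upstream, qname) actually forwarded

    def resolve(self, qname, tag=None):
        if qname.endswith(LOCAL_DOMAIN):
            return LOCAL_NAMES.get(qname)  # answered locally, never forwarded
        upstream = self.tag_to_upstream.get(tag, self.default_upstream)
        key = (upstream, qname) if self.cache_per_upstream else qname
        if key in self.cache:
            return self.cache[key]
        answer = UPSTREAM_ANSWERS[upstream].get(qname)
        self.upstream_queries.append((upstream, qname))
        self.cache[key] = answer
        return answer


class Instance:
    """One dnsmasq-like process: a default upstream plus server=/domain/
    style rules that hand a suffix to another instance."""

    def __init__(self, listen, default_upstream, domain_servers=None, serves_local=False):
        self.listen = listen
        self.default_upstream = default_upstream
        self.domain_servers = domain_servers or {}  # suffix -> Instance
        self.serves_local = serves_local

    def resolve(self, qname):
        for suffix, target in self.domain_servers.items():
            if qname.endswith(suffix):
                return target.resolve(qname)
        if self.serves_local and qname.endswith(LOCAL_DOMAIN):
            return LOCAL_NAMES.get(qname)
        return UPSTREAM_ANSWERS[self.default_upstream].get(qname)


def shared_cache_leak():
    """An untagged client queries first; the child then gets the cached, unfiltered view."""
    fwd = TaggedForwarder({"child": "208.67.222.123"}, "8.8.8.8", cache_per_upstream=False)
    adult = fwd.resolve("example.test")            # default upstream, cached under bare name
    child = fwd.resolve("example.test", "child")   # cache hit: wrong answer for this client
    return adult, child


def per_upstream_cache():
    """Keying the cache by upstream keeps the two views apart, at the cost of two upstream queries."""
    fwd = TaggedForwarder({"child": "208.67.222.123"}, "8.8.8.8", cache_per_upstream=True)
    adult = fwd.resolve("example.test")
    child = fwd.resolve("example.test", "child")
    return adult, child, len(fwd.upstream_queries)


def two_instances():
    """Petr's layout: .2 forwards only home.arpa to .1 and everything else to the filter."""
    main = Instance("10.1.0.1", "8.8.8.8", serves_local=True)
    child = Instance("10.1.0.2", "208.67.222.123", {LOCAL_DOMAIN: main})
    return (child.resolve("printer.home.arpa"),  # local name via main instance
            child.resolve("example.test"),       # filtered upstream
            main.resolve("example.test"))        # unfiltered upstream


if __name__ == "__main__":
    print("shared cache      :", shared_cache_leak())
    print("per-upstream cache:", per_upstream_cache())
    print("two instances     :", two_instances())
```

The two-instance variant has no cross-view cache at all because each process has its own cache and its own upstream, which is why it needs no new dnsmasq feature; the price is that the child instance must also carry the reverse zone for the local range (Michael's "and reverse") if PTR lookups should work for children.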
Re: [Dnsmasq-discuss] Upstream servers by host tag (or MAC)
On 9/23/21 04:35, Petr Menšík wrote:
> Hi Hubert,
>
> it may work, if you would run two dnsmasq instances. One for children
> with OpenDNS as upstream servers, another for everyone else.
>
> default instance:
>
> bind-interfaces
> listen-address=10.1.0.1
> server=8.8.8.8
> domain=home.arpa
> dhcp-option=option:dns-server,10.1.0.1,8.8.8.8
> dhcp-option=tag:child,option:dns-server,10.1.0.2,208.67.222.123
> ...
>
> children instance:
>
> bind-interfaces
> listen-address=10.1.0.2
> server=208.67.222.123
> server=/home.arpa/10.1.0.1
>
> Because the second instance would forward local domain to main instance,
> which also registers dhcp, they should be able to resolve any local
> names. But other names would be served by different server.
>
> Children might have reserved different address range, but it might be
> handy to be on shared broadcast link. Good for link-local address
> resolution and easy local games setup. Not sure it is relevant anymore.
>
> Not sure if 10.1.0.2 can be on the same interface as 10.1.0.1. It would
> work fine with just DNS, but I think dhcp requires interface=eth0 or
> similar. Which would block the second instance from working correctly. I
> think alternative address would have to be on different interface.

I do almost exactly this so I can confirm it works.

I have one machine running docker. On that machine, I run two containers with their own IP addresses (macvlan). .1 for the primary including DHCP pointing to my main DNS. Then the .2 version that points to the safe DNS, but relays local name queries (and reverse) over to the .1.

Then in config as you highlighted above, I point the child machines to the .2 and everything else to .1.

It would be nice if you could use tags to point to different DNS servers, but until that is an option, this works.

Michael
Re: [Dnsmasq-discuss] Upstream servers by host tag (or MAC)
Hi Hubert,

it may work, if you would run two dnsmasq instances. One for children with OpenDNS as upstream servers, another for everyone else.

default instance:

bind-interfaces
listen-address=10.1.0.1
server=8.8.8.8
domain=home.arpa
dhcp-option=option:dns-server,10.1.0.1,8.8.8.8
dhcp-option=tag:child,option:dns-server,10.1.0.2,208.67.222.123
...

children instance:

bind-interfaces
listen-address=10.1.0.2
server=208.67.222.123
server=/home.arpa/10.1.0.1

Because the second instance would forward local domain to main instance, which also registers dhcp, they should be able to resolve any local names. But other names would be served by different server.

Children might have reserved different address range, but it might be handy to be on shared broadcast link. Good for link-local address resolution and easy local games setup. Not sure it is relevant anymore.

Not sure if 10.1.0.2 can be on the same interface as 10.1.0.1. It would work fine with just DNS, but I think dhcp requires interface=eth0 or similar. Which would block the second instance from working correctly. I think alternative address would have to be on different interface.

Cheers,
Petr

On 9/21/21 08:32, Hubert FONGARNAND via Dnsmasq-discuss wrote:
> Hi,
>
> Here's my use case:
>
> Some hosts in my home are for my children (smartphone, tablet...). I want
> 1) they access internet filtered by OpenDNS, 2) they could resolve internal
> host names (example home printer, nas).
>
> My idea was to add the possibility to use the "server" directive like that
>
> server=tag:child,208.67.222.123   // OpenDNS family shield for children
> server=8.8.8.8                    // default upstream for everyone else
>
> I know that I can use DHCP for doing
>
> dhcp-option=tag:child,option:dns-server,208.67.222.123
>
> But with this solution my children's devices would not be able to resolve
> internal hosts (private domain) which are handled by dnsmasq itself.
>
> Thanks for your ideas. We can try patches on github?
>
> Sincerely,
>
> Hubert

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB