[Dnsmasq-discuss] Two dnsmasq servers connected by a VPN

Jan 'RedBully' Seiffert redbully at cc.fh-luh.de
Sun Feb 4 17:36:54 GMT 2007


Pedro Côrte-Real wrote:
> I have a VPN permanently connected between two sites. It's a routed
> one, so each network has its own subnet. There's a dnsmasq server on
> each side doing DNS and DHCP. The problem is that I want laptops to
> have the same network name independent of which side they're in. I
> have two main options:
> 
> - Make the VPN bridged and have both sides use the same subnet. I
> would then still run two dnsmasq servers (so that when the VPN is down
> both sides still get DNS/DHCP) but since the laptop IP's are the same
> on both sides it just works. I'd have to block DHCP packets on the
> firewalls so that on each side the remote server doesn't respond as
> well.
> 

I think this could work, but you need the same entries on both sides, so
on both sides the answer is right (so you need some kind of sync). But I
would share your performance concerns (from the traffic POV, not dnsmasq).
You need to put explicit entries for every wandering host into /etc/hosts
(or an addn-hosts file), because dnsmasq is clever enough to say "host
unknown" if it did not give out the lease. But then you would always get
an answer even if the host is not up in any net.

> - Maintain the current routed VPN and the laptops get different IP's
> on the two sides. Have dnsmasq somehow point DNS to the other side's
> IP when the laptop isn't registered using DHCP. Is there any way to do
> this?
> 

This would not work IMHO, because dnsmasq only has "one view" of
upstream (sure, you can configure special upstream servers for special
domains, but it would not fit your simplicity approach). But maybe I need
to sleep longer with the man-page of dnsmasq under my pillow, and it can
be solved by chaining the right options the right way.

After thinking two days about it, I would propose this
guerrilla approach (which would need some coding):
- hook up a script on the new "run-script-on-dhcp-action" facility
- this script maintains a db with the local leases (or uses dnsmasq's
lease-file)
- it then tries to sync the local entries with the remote dnsmasq, for
example into an addn-hosts=/etc/dnsmasq.d/remote-lease, transported with
ssh (take a look at private/public-key auth bound to a specific command)

just to sketch things...

> This is probably not possible and I'll have to use bridging. I was
> avoiding that because of performance concerns.
> 

Basically that's a request for some kind of
dnsmasq-failover-cluster-protocol (could this be done with some
rudimentary (zone)transfer support?).
As long as all nodes are up, they act as one, maintaining the ability to
still handle requests locally if interconnects fail. This is the second
time I hear a need for this, and a VPN was always involved (the
"distributed networks act as one, with fail over scheme"-problem).

Sigh, if it weren't so complicated (how to resync after reconnect,
what to do in case of collision, only two things which come to my mind
in seconds), and error prone (esp. security wise), additionally the code-bloat...
All in all an enterprisy feature. (And cool, but worth the hassle?)

I'm not that deep into "real" DNS servers, but I think this is best
solved with them. They can do most of what dnsmasq can do (they are only
bigger, need an external dhcpd and are harder to grasp IMHO), plus
things like zone transfers and such things, which may help you in this
situation. But I don't know for sure.

> Thanks,
> 
> Pedro.
> 
Greetings
	Jan

-- 
If it's relevant, you need it redundant
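The "guerrilla approach" sketched in the message above (dhcp-script hook, hosts-format file of the local leases, push over ssh with a key bound to one command) as a worked example. This is an added illustration, not code from the list post or from the dnsmasq project; the file paths, the remote account `leasesync@remote-site.example`, the key path and the `lan` domain are assumptions. dnsmasq invokes a `dhcp-script` as `<script> add|old|del <MAC> <IP> [<hostname>]`, and re-reads its `addn-hosts` files on SIGHUP; everything else is this example's own design.

```shell
#!/bin/sh
# Added example (not from the list post): a dnsmasq dhcp-script hook that
# keeps a hosts-format file of the local leases and pushes it to the other
# site's dnsmasq over ssh with a key restricted to one forced command.
# dnsmasq invokes the script as:  <script> add|old|del <MAC> <IP> [<hostname>]
# All paths, the remote account and the domain below are assumptions.

LEASE_HOSTS="${LEASE_HOSTS:-/etc/dnsmasq.d/local-leases}"   # file we maintain
REMOTE="${REMOTE:-leasesync@remote-site.example}"             # assumed remote account
REMOTE_KEY="${REMOTE_KEY:-/etc/dnsmasq.d/leasesync_key}"      # assumed private key
DOMAIN="${DOMAIN:-lan}"                                       # assumed local domain

# update_lease_hosts FILE ACTION IP HOSTNAME
# Rewrite FILE so it holds at most one line for IP and one for HOSTNAME:
# on add/old the line "<ip> <name>.<domain> <name>", on del no line at all.
# A lease without a hostname gets no entry (there is nothing to publish).
# The rewrite goes through a temp file plus rename, so a dnsmasq that
# re-reads the file concurrently never sees a half-written one.
update_lease_hosts() {
  file=$1; action=$2; ip=$3; name=$4
  tmp="$file.tmp.$$"
  [ -f "$file" ] || : > "$file"
  # keep every line that belongs neither to this IP nor to this hostname
  awk -v ip="$ip" -v name="$name" '$1 != ip && $3 != name' "$file" > "$tmp"
  case $action in
    add|old)
      if [ -n "$name" ]; then
        printf '%s %s.%s %s\n' "$ip" "$name" "$DOMAIN" "$name" >> "$tmp"
      fi ;;
    del) ;;                       # the filter above already dropped it
    *) rm -f "$tmp"; return 2 ;;  # unknown action: leave FILE untouched
  esac
  mv "$tmp" "$file"
}

# push_to_remote FILE
# Stream FILE to the remote side on stdin. The remote account's
# authorized_keys is assumed to bind this key to a single forced command:
#   command="cat > /etc/dnsmasq.d/remote-leases && kill -HUP $(cat /var/run/dnsmasq.pid)",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <pubkey>
# so a compromised local box can only replace that one file, and the
# remote dnsmasq re-reads its addn-hosts files on SIGHUP.
push_to_remote() {
  ssh -i "$REMOTE_KEY" -o BatchMode=yes -o ConnectTimeout=5 \
      -o StrictHostKeyChecking=yes "$REMOTE" < "$1"
}

# Entry point when dnsmasq runs us (3 or 4 arguments); $2 is the MAC,
# which the hosts file does not need. A failed push is logged, not fatal,
# so a VPN outage never blocks local lease handling.
if [ $# -ge 3 ]; then
  update_lease_hosts "$LEASE_HOSTS" "$1" "$3" "${4:-}" || exit 2
  push_to_remote "$LEASE_HOSTS" || logger -t lease-sync "push to $REMOTE failed"
fi
```

Each side would run this with `dhcp-script=/etc/dnsmasq.d/lease-sync.sh` and read the other side's file with `addn-hosts=/etc/dnsmasq.d/remote-leases`. Two of the problems named in the message stay visible here: the file is only pushed on lease events, so after a VPN reconnect nothing is resent until the next add/old/del (a periodic re-push from cron would close that gap), and a laptop that roams to the other site exists in both hosts files until its old lease expires, so the two dnsmasq instances can briefly disagree on its address.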
