[Dnsmasq-discuss] [Feature Request?] Per-Domain resolv.conf

Thomas Stephens spiralman at gmail.com
Wed Sep 26 13:56:17 BST 2007


Aaron,

I have (and am using) resolvconf (I'm on Debian, so compatibility is
not an issue), but it does not fulfill my needs, as I explained in the
first email, for the following reason:

All resolvconf does is concatenate the nameservers together, so
resolv.conf looks like:

nameserver [internal nameserver]
nameserver [external nameserver]
search [work.com] [isp.com]

I can also adjust the order of the nameservers. The problem is that
the default resolving algorithm in libc only moves on to the next
nameserver if it cannot connect to the nameserver. Unfortunately, all
the nameservers always work (when I'm not connected, only the external
nameserver is in resolv.conf). So, what happens is, given the above
order, and a request for an external name:

1) resolv connects to the internal nameserver.
2) internal nameserver returns a failure (only internal names are matched)
3) resolv returns "host not found"

If you reverse the order (external first), you get the same problem
when trying to connect to the nameserver.

This is why I need something smarter (currently dnsmasq) which will
check the domain name requested, and route the request to the proper
nameserver. dnsmasq works, but since I cannot maintain a connection to
the VPN (it times out regularly, and connection cannot be automated), I
would like the deferring to the internal nameserver to be dynamic.

Thanks,
Thomas

On 9/25/07, Aaron D. Brooks <aaron.brooks at sicortex.com> wrote:
> Thomas,
>
>     You might be interested in looking at the solution used in Gentoo
> for what is an inherent problem with a multi-homed system with dynamic
> configuration.
>
>     Gentoo uses their own net-dns/resolvconf-gentoo which hooks into
> the init scripts (and dhcp clients) of each interface so that it can
> be notified when an interface's configuration changes. resolvconf
> stitches the resolution information for each interface into one
> resolv.conf file which can be used directly as /etc/resolv.conf.
>
>     resolvconf has further specific support for dnsmasq which
> generates an /etc/dnsmasq-resolv.conf file which you point dnsmasq to,
> allowing your system /etc/resolv.conf to point to localhost (dnsmasq).
>
>     Because of the nature of hooking into the init/rc scripts,
> resolvconf is very specific to Gentoo at this time but maybe it's
> worth a look to make something which is more amenable to a Debian
> environment.
>
> -Aaron
>
> --
> Aaron Brooks - Senior Software Engineer
> http://SiCortex.com - Teraflops from Milliwatts
>
>
> On Tue, Sep 25, 2007 at 05:39:03PM -0500, Thomas Stephens wrote:
> > Hello. I am using dnsmasq locally on my computer to solve a split-dns
> > problem with the vpnc VPN client. I've got it working, but it's very
> > hackish. The setup is:
> >
> > When I log into my company's VPN, I need to be able to resolve company
> > hostnames. This is done by querying the DNS servers which are sent to
> > vpnc. The problem is, they only resolve internal names. Normally,
> > using resolvconf, vpnc will concatenate my external and internal
> > nameservers. However, since they are all "up" the first one queried
> > will respond, but will respond with host-not-found if it's the public
> > DNS and an internal name, or vice-versa.
> >
> > I got around the problem by adding a server= line to dnsmasq.conf for
> > each of the nameservers. For the public nameserver, I did not specify
> > a domain, but for the VPN name servers, I had to specify the domain as
> > mycompany.com.
> >
> > This mostly works, but there are some problems:
> >
> > 1) If my company decides to change DNS server IP addresses, I've gotta
> > change the dnsmasq config file.
> >
> > 2) When I'm not logged into VPN, all accesses to my company's domain
> > (i.e. www.mycompany.com) fail, even if they are accessible outside the
> > VPN.
> >
> > 3) Corollary: I have to manually specify the address of the vpn
> > connection gateway with an address directive. If this IP changes I
> > must, again, change the dnsmasq.conf file.
> >
> > The solution I'd like to implement is this: point dnsmasq at a
> > resolv.conf for the default nameserver, as well as a resolv.conf for
> > the VPN. When I connect with vpnc, the vpn-resolv.conf gets written,
> > and when I disconnect it gets deleted or cleared (this part I've
> > already implemented).
> >
> > I would then tell dnsmasq that the vpn-resolv.conf file is only to be
> > used for mycompany.com domain names (either with syntax like
> > resolv-file=/mycompany.com/vpn-resolv.conf or by having dnsmasq read
> > the domain field of the resolv.conf file). This way, when the
> > vpn-resolv.conf file is filled in (I'm connected to the VPN), internal
> > names get resolved. When I'm not connected, all requests go to the
> > default DNS.
> >
> > If this is already possible through some other mechanism, please let
> > me know. I'm using dnsmasq 2.40 in Debian unstable.
> >
> > Thanks,
> > Thomas
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
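Added example, not code from this thread and not part of dnsmasq or vpnc: a hook in the style of vpnc-script that keeps a separate dnsmasq server file for the VPN's internal domain and empties it on disconnect, which is the dynamic "server=/mycompany.com/ip" behaviour the thread asks for. Everything it assumes is hypothetical: vpnc calls it with $reason set to connect/disconnect and with the gateway-pushed nameservers in $INTERNAL_IP4_DNS and the internal domain in $CISCO_DEF_DOMAIN (the names vpnc-script uses); dnsmasq.conf contains "conf-file=/etc/dnsmasq.d/vpn-servers.conf" (path chosen for the example); /etc/resolv.conf holds only "nameserver 127.0.0.1"; and the reload is a full restart, because dnsmasq does not re-read a conf-file on SIGHUP (later dnsmasq releases added --servers-file, which is re-read on SIGHUP and would make a plain kill -HUP enough). The validation is the part a practitioner should keep: the pushed values end up in a dnsmasq config file, so a value containing "/" or a newline could otherwise become a directive of its own.

```shell
#!/bin/sh
# Added example (not from the thread, dnsmasq or vpnc): maintain a
# dnsmasq "server=/<domain>/<ip>" file that follows the VPN connection.
#
# Assumptions (hypothetical): vpnc-script conventions for $reason,
# $INTERNAL_IP4_DNS (space-separated IPv4 nameservers) and
# $CISCO_DEF_DOMAIN; dnsmasq.conf includes the file below via conf-file=;
# dnsmasq needs a restart (not SIGHUP) to pick up a changed conf-file.

VPN_SERVERS_FILE="${VPN_SERVERS_FILE:-/etc/dnsmasq.d/vpn-servers.conf}"
DNSMASQ_RELOAD="${DNSMASQ_RELOAD:-/etc/init.d/dnsmasq restart}"

# Accept only a dotted-quad. The case check rejects any character outside
# [0-9.] (including "/" and newline) before grep looks at the structure.
valid_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Accept only hostname characters in the domain, for the same reason.
valid_domain() {
    case "$1" in *[!A-Za-z0-9.-]*|"") return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
}

# Print one "server=/<domain>/<ip>" line per valid nameserver.
# $1: internal domain, $2: space-separated nameserver list.
# Fails if the domain itself is not acceptable.
render_server_lines() {
    domain=$1
    valid_domain "$domain" || return 1
    for ns in $2; do
        if valid_ipv4 "$ns"; then
            printf 'server=/%s/%s\n' "$domain" "$ns"
        fi
    done
}

# Rewrite the server file for the given connection state, then reload.
# $1: vpnc reason, $2: internal domain, $3: nameserver list, $4: output path.
update_vpn_servers() {
    state=$1 domain=$2 servers=$3 outfile=$4
    tmpfile="$outfile.tmp.$$"
    case "$state" in
        connect|reconnect)
            render_server_lines "$domain" "$servers" > "$tmpfile" \
                || { rm -f "$tmpfile"; return 1; }
            ;;
        disconnect)
            # Empty file: every query falls through to the default
            # nameservers, so www.mycompany.com still resolves off-VPN.
            : > "$tmpfile"
            ;;
        *)
            return 0
            ;;
    esac
    # Atomic replace so dnsmasq never reads a half-written file.
    mv "$tmpfile" "$outfile"
    $DNSMASQ_RELOAD
}

# When invoked by vpnc, act on the pushed values; otherwise define only.
if [ -n "${reason:-}" ]; then
    update_vpn_servers "$reason" "${CISCO_DEF_DOMAIN:-}" \
        "${INTERNAL_IP4_DNS:-}" "$VPN_SERVERS_FILE"
fi
```

Point vpnc at this script (or call it from the site's vpnc-script) instead of letting vpnc-script overwrite /etc/resolv.conf; the public nameserver stays in dnsmasq's own resolv-file and is never touched by the hook, which also removes the hard-coded gateway and nameserver addresses from dnsmasq.conf.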