[Dnsmasq-discuss] [Feature Request?] Per-Domain resolv.conf

Thomas Stephens spiralman at gmail.com
Sat Sep 29 21:41:02 BST 2007


Oops, forgot to "reply to all" for that last email.

Ok, I figured the problem out. I had been adding the nameservers
properly through DBus (the "for domain xxxxx" was present), but,
looking more closely at the log-queries output, I saw that dnsmasq had
cached the failed query for internal names, and thus was not
re-querying the nameservers. (well, it was, but only after appending
the "search" domain from my ISP first).

To solve the problem, I modified my script to clear the dnsmasq cache
each time the VPN client connects and disconnects. This is probably
not 100% efficient, but it works for me.

For anybody interested, I've attached the script I'm using to do this.
It could probably use some cleaning up, but it works for me. You can
use it by modifying your /etc/vpnc/connection.conf file, and add the
line: Script /path/to/dnsmasq-script. It will then be run every time
you connect and disconnect from that VPN.

Thanks for all the help

Thomas

On 9/29/07, Simon Kelley <simon at thekelleys.org.uk> wrote:
> Thomas Stephens wrote:
> > Thanks for the quick reply.
> >
> > I've been working on this, including looking at the gentoo resolvconf
> > code, and I've gotten a script written, which is adding the proper
> > nameserver IP addresses and domain names through DBus, according to
> > syslog.
> >
> > The problem is that, even for addresses at mywork.com, dnsmasq is
> > using my global (Internet) name server, not the mywork.com one. When I
> > add the nameservers via dbus, syslog shows messages along these lines:
> >
> > adding work nameserver #1
> > adding work nameserver #2
> > adding public nameserver
> >
> > (where the public nameserver is specified in dnsmasq.conf). This seems
> > like a simple ordering problem to me. Is there a simple way to fix it?
>
> Order is irrelevant: you need to tell dnsmasq to use the work
> nameservers for certain domains in the same way that
>
> address=/domain/1.2.3.4
>
> does in the configuration file.
>
> The following dbus-send invocation does that:
>
> dbus-send --system  --dest='uk.org.thekelleys.dnsmasq'
> /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetServers uint32:12345
> string:my.domain.com
>
> and results in this being logged:
>
> dnsmasq: setting upstream servers from DBus
> dnsmasq: using nameserver 0.0.48.57#53 for domain my.domain.com
> dnsmasq: using nameserver 192.168.0.4#53
>
> The 192.168.0.4#53 nameserver is from /etc/resolv.conf
>
> If you're not seeing the "for domain xxxx" stuff then your DBus-prodding
> is going wrong somewhere.
>
>
> >
> > Also, when I disconnect from the VPN, I am sending a dbus SetServers
> > command without any data. Is this sufficient to clear the DBus
> > specified servers and revert to the dnsmasq.conf ones?
>
> It is.
>
> Cheers,
>
> Simon.
>
> >
> > Thanks
> > Thomas
> >
> > On 9/26/07, Simon Kelley <simon at thekelleys.org.uk> wrote:
> >
> >>Thomas Stephens wrote:
> >>
> >>>Hello. I am using dnsmasq locally on my computer to solve a split-dns
> >>>problem with the vpnc VPN client. I've got it working, but it's very
> >>>hackish. The setup is:
> >>>
> >>>When I log into my company's VPN, I need to be able to resolve company
> >>>hostnames. This is done by querying the DNS servers which are sent to
> >>>vpnc. The problem is, they only resolve internal names. Normally,
> >>>using resolvconf, vpnc will concatenate my external and internal
> >>>nameservers. However, since they are all "up" the first one queried
> >>>will respond, but will respond with host-not-found if it's the public
> >>>DNS and an internal name, or vice-versa.
> >>>
> >>>I got around the problem by adding a server= line to dnsmasq.conf for
> >>>each of the nameservers. For the public nameserver, I did not specify
> >>>a domain, but for the VPN name servers, I had to specify the domain as
> >>>mycompany.com.
> >>>
> >>>This mostly works, but there are some problems:
> >>>
> >>>1) If my company decides to change DNS server IP addresses, I've gotta
> >>>change the dnsmasq config file.
> >>>
> >>>2) When I'm not logged into VPN, all accesses to my company's domain
> >>>(i.e. www.mycompany.com) fail, even if they are accessible outside the
> >>>VPN.
> >>>
> >>>3) corollary: I have to manually specify the address of the vpn
> >>>connection gateway with an address directive. If this IP changes I
> >>>must, again, change the dnsmasq.conf file.
> >>>
> >>>The solution I'd like to implement is this: point dnsmasq at a
> >>>resolv.conf for the default nameserver, as well as a resolv.conf for
> >>>the VPN. When I connect with vpnc, the vpn-resolv.conf gets written,
> >>>and when I disconnect it gets deleted or cleared (this part I've
> >>>already implemented).
> >>>
> >>>I would then tell dnsmasq that the vpn-resolv.conf file is only to be
> >>>used for mycompany.com domain names (either with syntax like
> >>>resolv-file=/mycompany.com/vpn-resolv.conf or by having dnsmasq read
> >>>the domain field of the resolv.conf file). This way, when the
> >>>vpn-resolv.conf file is filled in (I'm connected to the VPN), internal
> >>>names get resolved. When I'm not connected, all requests go to the
> >>>default DNS.
> >>>
> >>>If this is already possible through some other mechanism, please let
> >>>me know. I'm using dnsmasq 2.40 in Debian unstable.
> >>
> >>
> >>Two possible alternative solutions come to mind:
> >>
> >>1)
> >>It's possible to include configuration sub-file from dnsmasq.conf, so
> >>you could re-write that to contain the relevant address and server lines
> >>in the vpn setup scripts. You'd have to restart dnsmasq as well.
> >>
> >>2)
> >>Noting the resolvconf stuff later in the thread: I know that the Gentoo
> >>resolvconf maintainers did some work on this, and use the Dbus interface
> >>to dnsmasq to set the upstream servers for the VPN domain. You might be
> >>able to grab their code and/or ideas.
> >>
> >>Note that I'm open to arguments that neither of these is good enough and
> >>that your original idea is better; I just suggest these as alternatives.
> >>
> >>HTH.
> >>
> >>Simon.
> >>
> >>
> >>>Thanks,
> >>>Thomas
> >>>
> >>>_______________________________________________
> >>>Dnsmasq-discuss mailing list
> >>>Dnsmasq-discuss at lists.thekelleys.org.uk
> >>>http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>
> >>
> >>
> >
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq-script
Type: application/octet-stream
Size: 1178 bytes
Desc: not available
Url : http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20070929/048d3022/dnsmasq-script.obj
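The attached dnsmasq-script did not survive in the archive. What follows is an added example of a vpnc hook that does what Thomas's message and Simon's reply describe; it is not the script Thomas attached. It assumes vpnc's `reason`, `INTERNAL_IP4_DNS` and `CISCO_DEF_DOMAIN` environment variables and the default /var/run/dnsmasq.pid, and takes the uint32 address encoding from the thread's own log (uint32:12345 is read back as 0.0.48.57, i.e. the octets packed most-significant first).

```shell
#!/bin/sh
# vpnc "Script" hook: install the VPN resolvers for the VPN domain over DBus
# on connect, drop them on disconnect, and clear dnsmasq's cache both times.
# Example code, not the list poster's script. Variable names $reason,
# $INTERNAL_IP4_DNS and $CISCO_DEF_DOMAIN are assumed from vpnc's interface.
DNSMASQ_DEST='uk.org.thekelleys.dnsmasq'
DNSMASQ_PATH='/uk/org/thekelleys/dnsmasq'
DNSMASQ_PID='/var/run/dnsmasq.pid'   # assumed: dnsmasq's default pid file

# Dotted quad -> the uint32 SetServers expects (a.b.c.d packed high to low,
# which is what the thread's log of uint32:12345 -> 0.0.48.57 shows).
ip4_to_uint32() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    case "$1$2$3$4" in *[!0-9]*) return 1 ;; esac
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Build the SetServers argument list: each address followed by the domain
# it should serve, e.g. "uint32:A string:dom uint32:B string:dom".
setservers_args() {
    domain=$1; shift
    [ -n "$domain" ] || return 1
    out=""
    for ip in "$@"; do
        n=$(ip4_to_uint32 "$ip") || return 1
        out="$out uint32:$n string:$domain"
    done
    echo "${out# }"
}

# Push the list to dnsmasq on the system bus; with no arguments dnsmasq
# reverts to its dnsmasq.conf / resolv.conf servers, as Simon confirms.
dnsmasq_set_servers() {
    dbus-send --system --dest="$DNSMASQ_DEST" "$DNSMASQ_PATH" \
        uk.org.thekelleys.SetServers "$@"
}

# SIGHUP makes dnsmasq clear its cache, so a negative answer cached before
# the VPN came up (the failure Thomas hit) cannot mask the internal servers.
dnsmasq_clear_cache() {
    kill -HUP "$(cat "$DNSMASQ_PID")"
}

case "${reason:-}" in
    connect)
        args=$(setservers_args "$CISCO_DEF_DOMAIN" $INTERNAL_IP4_DNS) || exit 1
        dnsmasq_set_servers $args
        dnsmasq_clear_cache ;;
    disconnect)
        dnsmasq_set_servers
        dnsmasq_clear_cache ;;
esac
```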