[Dnsmasq-discuss] Deferring to external nameserver for certain local domain names

Simon Kelley simon at thekelleys.org.uk
Tue Jan 15 19:28:00 GMT 2008


Brandon Beck wrote:
> Hi Simon,
> 
> I looked into this some more.  I still feel like maybe something might 
> be wrong with either my configuration or maybe dnsmasq itself.  

Yes, you're still using 69.60.109.125 as the upstream server for 
mail.isomorphism.org and it's not giving the correct answers, probably 
because it's been configured to answer queries about some domains, but 
not answer general queries about any domains, and specifically not about 
google.com. Use your ISP's nameservers instead (or whatever you have in 
/etc/resolv.conf) and it will work.

> I just launched dnsmasq using the -d argument and executed "host
> mail.isomorphism.org".  The output was
> slightly different this time and pretty interesting.  Here's the output
> of the host command:
> 
> $ host mail.isomorphism.org
> mail.isomorphism.org is an alias for ghs.GOOGLE.COM.
> ghs.GOOGLE.COM is an alias for ghs.l.GOOGLE.COM.
> Host ghs.l.GOOGLE.COM.austin.rr.com not found: 5(REFUSED)
> Host ghs.l.GOOGLE.COM.austin.rr.com not found: 5(REFUSED)
> 
> And the output from "dnsmasq -d":
> 
> $ sudo dnsmasq -d
> dnsmasq: started, version 2.39 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt no-ISC-leasefile DBus I18N TFTP
> dnsmasq: DHCP, IP range 192.168.1.100 -- 192.168.1.200, lease time 12h
> dnsmasq: using local addresses only for domain isomorphism.org
> dnsmasq: using nameserver 69.60.109.125#53 for domain mail.isomorphism.org
> dnsmasq: reading /etc/resolv.conf
> dnsmasq: ignoring nameserver 127.0.0.1 - local interface
> dnsmasq: using local addresses only for domain isomorphism.org
> dnsmasq: using nameserver 69.60.109.125#53 for domain mail.isomorphism.org
> dnsmasq: read /etc/hosts - 8 addresses
> dnsmasq: query[A] mail.isomorphism.org from 127.0.0.1
> dnsmasq: forwarded mail.isomorphism.org to 69.60.109.125
> dnsmasq: reply mail.isomorphism.org is <CNAME>
> dnsmasq: reply ghs.GOOGLE.COM is <CNAME>
> dnsmasq: reply ghs.l.GOOGLE.COM is <NODATA>-IPv4
> dnsmasq: query[AAAA] ghs.l.GOOGLE.COM from 127.0.0.1
> dnsmasq: query[AAAA] ghs.l.GOOGLE.COM.austin.rr.com from 127.0.0.1
> dnsmasq: query[MX] ghs.l.GOOGLE.COM from 127.0.0.1
> dnsmasq: query[MX] ghs.l.GOOGLE.COM.austin.rr.com from 127.0.0.1
> 
> So it seems like dnsmasq is somehow appending my domain name
> (isomorphism.org) to full domain names.

Do "man resolv.conf" and look at the section on "search". All will 
become clear.

> 
> Here is what is effectively in my dnsmasq.conf file (I stripped comments 
> and blank lines):
> 
> $ cat dnsmasq.conf | grep -v "^#" | grep -v "^\s*$"
> domain-needed
> server=/mail.isomorphism.org/69.60.109.125
> local=/isomorphism.org/
> except-interface=eth1
> expand-hosts
> domain=isomorphism.org
> dhcp-range=192.168.1.100,192.168.1.200,12h
> 
> ... bunch of lines mapping MAC address to ip address and name removed ...
> 
> dhcp-authoritative
> log-queries
> log-dhcp
> 
> 
> Am I doing something wrong here?  Maybe the domain-needed parameter is 
> causing this?
> 
> Thanks,
> Brandon
> 
> 
> On Jan 11, 2008 6:03 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
>     Brandon Beck wrote:
>      > Hi Simon,
>      >
>      > I'm trying to implement your suggestion, but I'm having some troubles with
>      > it.  Here's what I've done/what I know:
>      >
>      > 1)  I've added the line "server=/mail.isomorphism.org/69.60.109.125" to my
>      > dnsmasq.conf.  The ip address corresponds to my primary name server for my
>      > domain (ns.dominia.org).
> 
>      > bbeck at server:~$ dig mail.isomorphism.org
>      >
>      > ; <<>> DiG 9.4.1-P1 <<>> mail.isomorphism.org
>      > ;; global options:  printcmd
>      > ;; Got answer:
>      > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18191
>      > ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
>      >
>      > ;; QUESTION SECTION:
>      > ;mail.isomorphism.org.          IN      A
>      >
>      > ;; ANSWER SECTION:
>      > mail.isomorphism.org.   41407   IN      CNAME   ghs.GOOGLE.COM.
>      > ghs.GOOGLE.COM.         464425  IN      CNAME   ghs.l.GOOGLE.COM.
>      >
>      > ;; Query time: 0 msec
>      > ;; SERVER: 127.0.0.1#53(127.0.0.1)
>      > ;; WHEN: Thu Jan 10 22:46:21 2008
>      > ;; MSG SIZE  rcvd: 96
>      >
> 
>     I think the problem is just that you're using the wrong server. I guess
>     that the primary name server for your domain is configured as just that:
>     an authoritative nameserver. If instead, you just use the same
>     nameserver that's in /etc/resolv.conf, probably the recursive nameserver
>     that's provided by your ISP, then it will just work.
> 
>     I did the same query as you to 69.60.109.125 and got the same answer. If
>     I send the query instead to my ISP's nameserver, via dnsmasq, I get the
>     correct answer
> 
>     srk at spike:~/dnsmasq-2.41/dnsmasq-2.41$ dig mail.isomorphism.org
> 
>     ; <<>> DiG 9.3.2-P1 <<>> mail.isomorphism.org
>     ;; global options:  printcmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64849
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
>     ;; QUESTION SECTION:
>     ;mail.isomorphism.org.          IN      A
> 
>     ;; ANSWER SECTION:
>     mail.isomorphism.org.   42503   IN      CNAME   ghs.google.com.
>     ghs.google.com.         593393  IN      CNAME   ghs.l.google.com.
>     ghs.l.google.com.       174     IN      A       72.14.207.121
> 
>     ;; Query time: 16 msec
>     ;; SERVER: 192.168.0.4#53(192.168.0.4)
>     ;; WHEN: Fri Jan 11 11:59:14 2008
>     ;; MSG SIZE  rcvd: 102
> 
> 
>     HTH
> 
> 
>     Simon.
> 
> 
>     I get exc
> 
> 

Cheers,

Simon.
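
Added example, not part of the original message: the resolv.conf(5) "search" expansion the reply points to, plus a scan of dnsmasq query logs for names that left the host with a search domain appended (each such query discloses the name to whoever serves that suffix). The function names are hypothetical, the log lines are constructed from the "dnsmasq -d" output quoted above, and austin.rr.com being on the poster's search line is an assumption drawn from the host output.

```python
import re

# Constructed sample: lines from the "dnsmasq -d" output quoted above,
# with the mail client's link residue removed.
SAMPLE_LOG = [
    "dnsmasq: query[A] mail.isomorphism.org from 127.0.0.1",
    "dnsmasq: forwarded mail.isomorphism.org to 69.60.109.125",
    "dnsmasq: reply ghs.l.GOOGLE.COM is <NODATA>-IPv4",
    "dnsmasq: query[AAAA] ghs.l.GOOGLE.COM from 127.0.0.1",
    "dnsmasq: query[AAAA] ghs.l.GOOGLE.COM.austin.rr.com from 127.0.0.1",
    "dnsmasq: query[MX] ghs.l.GOOGLE.COM from 127.0.0.1",
    "dnsmasq: query[MX] ghs.l.GOOGLE.COM.austin.rr.com from 127.0.0.1",
]
SEARCH = ["austin.rr.com"]  # assumption: search list in /etc/resolv.conf

QUERY_RE = re.compile(r"dnsmasq: query\[(\w+)\] (\S+) from \S+")


def search_candidates(name, search, ndots=1):
    """Names a stub resolver tries for `name`, in order, per resolv.conf(5)."""
    if name.endswith("."):  # trailing dot: absolute name, search list unused
        return [name]
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    # With at least `ndots` dots the name is tried as-is first; the search
    # list is only consulted after that lookup fails to produce an answer.
    if name.count(".") >= ndots:
        return [name + "."] + expanded
    return expanded + [name + "."]


def suffixed_queries(log_lines, search):
    """Return (qtype, name, base) for queries that are an earlier-seen name
    with one of the search domains appended."""
    seen, hits = set(), []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qtype, name = m.group(1), m.group(2).lower()
        for domain in search:
            suffix = "." + domain.lower()
            if name.endswith(suffix) and name[: -len(suffix)] in seen:
                hits.append((qtype, name, name[: -len(suffix)]))
        seen.add(name)
    return hits


if __name__ == "__main__":
    print(search_candidates("ghs.l.GOOGLE.COM", SEARCH))
    for hit in suffixed_queries(SAMPLE_LOG, SEARCH):
        print("search suffix appended:", hit)
```
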


