[Dnsmasq-discuss] exceptions for a subdomain

Paul Chambers bod at bod.org
Mon Dec 29 15:48:12 GMT 2008


Please excuse me if I've missed something obvious here...

I have some default DNS servers set up:

server=208.67.222.222       # OpenDNS
server=208.67.220.220       # OpenDNS

and then route my employer's domain to their internal DNS server, over a 
VPN:

server=/acmecorp.com/10.22.33.44

Which leads to a chicken-and-egg problem. The VPN client wants to 
resolve vpn.acmecorp.com in order to establish the VPN tunnel. Though 
vpn.acmecorp.com does resolve via the public servers, since it's a 
subdomain of acmecorp, dnsmasq tries to resolve via 10.22.33.44 - which 
is unreachable since the tunnel isn't established yet.

How do I make vpn.acmecorp.com an exception to the rule that 
acmecorp.com requests should go to 10.22.33.44? So far I've been working 
around it by adding an 'address=' line for vpn.acmecorp.com, but if it 
ever moves, or they add load balancing...

I guess I could do something as simple as:
server=/vpn.acmecorp.com/208.67.222.222       # OpenDNS
server=/vpn.acmecorp.com/208.67.220.220       # OpenDNS

...though that gets a little clumsy for more than two upstream DNS 
servers (I actually use four, OpenDNS plus my ISP) and more than one 
domain (currently three - VPN, OWA, and mail). Anyone have a better 
idea?  What would server=/vpn.acmecorp.com/127.0.0.1 do? endless loop, I 
assume...

If I add the interface to the acmecorp rule, something like:

server=/acmecorp.com/10.22.33.44@tun0

does dnsmasq ignore the rule and query the public servers if the 
interface isn't up? I haven't started digging through code yet, though it 
seemed to still try 10.22.33.44 even though tun0 was down. Though I 
guess that's not desirable behavior for everyone...

If that option were implemented, it would only be proper that cache 
entries obtained from a server via tun0 were treated specially if tun0 
went down, though what 'specially' means is a good question.

A second part of this is a bad practice our IT department has - they 
frequently use simple names in URLs, on the assumption that all the 
client devices on their network are set up to search 'acmecorp.com' in 
their resolvers.

I'd love to see a 'search=first.dom,second.dom,...' option added for 
simple names, so dnsmasq's cache could first be searched for a match, 
before firing off requests to upstream servers. I'd like to be able to 
write 'search=local.net,acmecorp.com,google.com' in my config file :)  
Yes, I know resolvers on desktop machines can already do this, but a) 
I'd like it done (and cached) centrally, and b) I have more 'appliance' 
type networking devices on my home network than I have desktops.

sorry for the long email...

-- Paul
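The selection rule the post is asking about, as an added example that is not part of the original message or of dnsmasq's own code: a small Python model of how dnsmasq chooses upstream servers from `server=` lines. The longest matching domain wins, so a more specific `server=/vpn.acmecorp.com/...` line overrides `server=/acmecorp.com/10.22.33.44` for that one host, and current dnsmasq accepts the special address `#` in a `server=` line to mean "use the standard upstream servers", which is exactly the exception wanted here without repeating every default server (whether the 2008 release already had `#` is not something this page states; the model assumes current behaviour). The `@tun0` suffix tells dnsmasq to bind the query socket to that interface; it does not make the rule conditional on the interface being up, which matches the observation in the post. The config text is the poster's lines plus constructed additions (the `#` exception and a `home.lan` local-only zone); the parser and helper names are this example's own.

```python
"""Model of dnsmasq's server= selection: longest matching domain wins.

Added example, not dnsmasq source. It mimics the documented rules
(most specific server=/domain/ suffix wins; '#' as the address means
"the standard servers"; an empty address means "never forward") so the
vpn.acmecorp.com exception can be checked without a running dnsmasq.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed config: the poster's lines plus the '#' exception and a
# local-only zone. Explanatory comments are kept on their own lines.
SAMPLE_CONF = """
server=208.67.222.222
server=208.67.220.220
# corporate zone goes over the tunnel; @tun0 only binds the query socket
# to tun0, it does not switch the rule off when tun0 is down
server=/acmecorp.com/10.22.33.44@tun0
# the VPN endpoint must resolve before the tunnel exists, so send it to
# the standard upstream servers instead of the 10.22.33.44 rule
server=/vpn.acmecorp.com/#
# never forward the home zone; answer only from /etc/hosts or DHCP leases
server=/home.lan/
"""


@dataclass(frozen=True)
class Upstream:
    address: str                 # IP address, or '#' for "the standard servers"
    port: int = 53               # optional '#port' suffix on the address
    interface: str | None = None  # optional '@iface' suffix: query-source interface


@dataclass
class ServerRules:
    defaults: list[Upstream] = field(default_factory=list)
    # domain -> upstreams; an empty list means "local only, never forwarded"
    by_domain: dict[str, list[Upstream]] = field(default_factory=dict)


def parse_upstream(spec: str) -> Upstream:
    """Parse 'ip', 'ip#port', 'ip@iface', 'ip#port@iface' or the special '#'."""
    if spec == "#":
        return Upstream("#")
    interface = None
    if "@" in spec:
        spec, interface = spec.split("@", 1)
    port = 53
    if "#" in spec:
        spec, port_text = spec.split("#", 1)
        port = int(port_text)
    return Upstream(spec, port, interface)


def parse_server_lines(text: str) -> ServerRules:
    """Collect server= lines from a dnsmasq.conf-style text."""
    rules = ServerRules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue  # blank lines, comments and unrelated options
        value = line[len("server="):]
        if not value.startswith("/"):
            rules.defaults.append(parse_upstream(value))
            continue
        parts = value.split("/")          # '/a/b/addr' -> ['', 'a', 'b', 'addr']
        address = parts[-1]
        for domain in parts[1:-1]:        # one line may list several domains
            servers = rules.by_domain.setdefault(domain.lower().rstrip("."), [])
            if address:                   # empty address keeps the list empty
                servers.append(parse_upstream(address))
    return rules


def matching_domain(name: str, rules: ServerRules) -> str | None:
    """Most specific server=/domain/ suffix that covers name, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest suffix first
        candidate = ".".join(labels[i:])
        if candidate in rules.by_domain:
            return candidate
    return None


def upstreams_for(name: str, rules: ServerRules) -> list[Upstream]:
    """Upstreams a query for name is forwarded to; [] means answered locally only."""
    domain = matching_domain(name, rules)
    if domain is None:
        return list(rules.defaults)
    chosen: list[Upstream] = []
    for server in rules.by_domain[domain]:
        chosen.extend(rules.defaults if server.address == "#" else [server])
    return chosen


RULES = parse_server_lines(SAMPLE_CONF)


def addresses_for(name: str, rules: ServerRules = RULES) -> list[str]:
    return [u.address for u in upstreams_for(name, rules)]


if __name__ == "__main__":
    for q in ("www.example.net", "intranet.acmecorp.com", "vpn.acmecorp.com",
              "portal.vpn.acmecorp.com", "acmecorp.com", "nas.home.lan"):
        print(f"{q:26} -> {addresses_for(q) or 'local only (not forwarded)'}")
```

To check the real daemon rather than the model, run dnsmasq with `log-queries` and `log-facility` pointing at a file, then query it for `vpn.acmecorp.com` and `intranet.acmecorp.com` with `dig @127.0.0.1`: the log records which upstream each query was forwarded to.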


