[Dnsmasq-discuss] query rewriting

richardvoigt at gmail.com richardvoigt at gmail.com
Fri Dec 4 21:12:20 GMT 2009

On Fri, Dec 4, 2009 at 11:48 AM, Tom Metro <tmetro+dnsmasq at gmail.com> wrote:
> richardvoigt at gmail.com wrote:
>> Spoofing addresses in other people's domains doesn't solve any
>> problems, it only creates more (and is borderline illegal in many
>> areas).
> No more illegal than modifying your own hosts file. The scope of the
> modification is, of course, relevant. Doing this at an ISP would be bad.
> Doing this on your private LAN, not a problem.
>> What are you trying to accomplish?
> The use case is a web server that has both public and private IPs, where
> the private IPs are accessible through a VPN. If VPN connected
> developers wish to access the server via the private interface (which
> enables diagnostics), while using the public host name (to invoke the
> correct virtual host), mapping the private host name to the public host
> name is one way to do this. Avoiding the use of a static IP in that map
> makes sure things don't break if the IT guys change IP addresses.
> There are other, and probably better, ways to do this, such as adding a
> host name alias to the public virtual host that corresponds to a private
> IP address, but that would require both code (the host name is used by
> the application) and configuration changes in production.

Can the diagnostics be enabled conditionally based on the client IP
address, instead of the server IP address binding?  I guess that would
require clients to route traffic for your company's public IPs through
the VPN (and not just private IPs like I guess is done now).

> Simon Kelley wrote:
>> There's no way to do that, and it would be very difficult to provide one
>> for the following reason. Dnsmasq doesn't store a query when it forwards
>> it: it keeps the minimum amount of information needed to recognise the
>> reply and send it back to the original requestor.
> Yeah, I had a vague recollection of that from a prior discussion on CNAMEs.
>> If the domain was re-written before forwarding, there would be no-way
>> to restore the original question before returning the answer.
> If it was useful enough functionality, it should certainly be doable. It
> would just require a special case.
> One way is having a thread make the request and block until a reply or
> timeout happened. Though you'd probably need to limit the quantity of
> such requests you'd process to avoid being DoSed.
> Alternatively, could the memory structure you now keep on outstanding
> queries be modified to hold optional fields or a pointer to an optional
> extended data structure? Then you could add in the supplemental
> information for these special case queries without increasing the size
> of the query state information for typical queries.
> Theres always the hack approximation. A cron script that periodically
> looks up the target name, and sends a config change to dnsmasq via dbus
> to add an 'address' entry mapping the public host name to the private IP
> address.
>  -Tom
> --
> Tom Metro
> Venture Logic, Newton, MA, USA
> "Enterprise solutions through open source."
> Professional Profile: http://tmetro.venturelogic.com/
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

More information about the Dnsmasq-discuss mailing list