[Dnsmasq-discuss] dnsmasq forwarding unknown ip addresses queries

Gene Czarcinski gene at czarc.net
Wed Sep 5 19:03:18 BST 2012


On 09/05/2012 10:49 AM, Simon Kelley wrote:
> On 04/09/12 19:41, Gene Czarcinski wrote:
>> On 09/04/2012 11:02 AM, Gene Czarcinski wrote:
>>> OK, this is similar to my previous questions/issues involving dnsmasq
>>> forwarding queries for unknown names for the "name domain" that it is
>>> managing (even if that domain name is null).
>>>
>>> Now the second part.  Whether an instance of dnsmasq is providing a
>>> dhcp service or not, is there a way to specify what IP addresses
>>> (e.g., 192.168.1.0/24) it should answer and, if dnsmasq does not find
>>> that queried ip address in the specified range, then the query should
>>> NOT be forwarded?
>>>
>>> In looking at documentation (but not the code) and not doing any
>>> testing yet, I wonder if the following would accomplish what I need:
>>>        domain=virt,192.168.100.0/24
>>>
>>> If that would do the trick, then is there a way to specify that IP
>>> address range when the domain name is null (local=//)?
>>>
>> OK, I believe that I have come up with the answer to my questions.
>>
>> Rather than using "--domain virt --local=/virt/", I need to use
>> something like:
>>        "--domain=virt,192.168.122.0/24,local" or
>>        "--domain virt --local=/virt/ --local=/122.168.192.in-addr.arpa/"
>>
>> For the case of no domain name, I am not sure that
>> "domain=,192.168.122.0/24,local" would work but
>>       "--local=// --local=/122.168.192.in-addr.arpa/" should work.
>>
>> Comments?
>>
> Spot on. Nothing to argue with there.
>
> Simon.
>
>
OK, I have been looking at the code.  As best as I can tell, the code 
which handles the local-only specification of a reverse lookup (PTR) query 
will only work reliably for class A (8 bit), class B (16 bit) and class 
C (24 bit) networks.

For example, if "--local=/0.168.192.in-addr.arpa/" is specified and the 
network is 192.168.0.0/20 then a query for ip addr "192.168.1.1" will 
not be NXDOMAINed because you do not have a netmask specified.

I do NOT consider "fixing" this to be a reasonable request.  What 
dnsmasq is doing will handle most cases and where it does not then it is 
reasonable to expect an upstream dnsmasq to be configured with "bogus-priv".

Gene
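The octet-boundary limitation described above (one `--local=/.../` entry covers a whole /8, /16 or /24 but not a /20) can be worked around by emitting one reverse zone per octet-aligned block. The script below is an added example for this thread, not code from dnsmasq or from the posters: it computes the in-addr.arpa zones covering an IPv4 prefix, turns them into `--local=` options, and checks whether a given PTR query name would be treated as local or forwarded upstream. The helper names (`reverse_zones`, `ptr_name`, `is_local`, `dnsmasq_local_options`) are hypothetical, and `is_local` assumes the suffix-matching behaviour of `--local` as the thread describes it (the zone and everything under it is answered locally).

```python
import ipaddress


def reverse_zones(cidr: str) -> list[str]:
    """Return the in-addr.arpa zones that together cover an IPv4 prefix.

    A single --local=/zone/ entry matches a whole octet-aligned block
    (/8, /16 or /24), so a prefix such as /20 needs one zone per /24 inside it.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 in-addr.arpa zones are handled here")
    # Round the prefix length up to the next octet boundary (8, 16, 24 or 32).
    boundary = -(-net.prefixlen // 8) * 8
    octets = boundary // 8
    zones = []
    for block in net.subnets(new_prefix=boundary):
        labels = str(block.network_address).split(".")[:octets]
        zones.append(".".join(labels[::-1] + ["in-addr", "arpa"]))
    return zones


def ptr_name(ip: str) -> str:
    """Reverse-lookup query name (PTR) for a single IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(str(addr).split(".")[::-1] + ["in-addr", "arpa"])


def is_local(qname: str, zones: list[str]) -> bool:
    """True if qname sits inside one of the zones configured as local-only.

    Assumption (hypothetical model of --local): a query matches when it equals
    the zone name or ends with '.' + zone, as the thread describes.
    """
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)


def dnsmasq_local_options(cidr: str) -> list[str]:
    """Command-line options that keep reverse lookups for cidr from going upstream."""
    return ["--local=/%s/" % zone for zone in reverse_zones(cidr)]


if __name__ == "__main__":
    # Constructed scenario from the thread: a /20 network, but only the first
    # /24 declared local. The PTR query for 192.168.1.1 falls outside it and
    # would be forwarded upstream instead of returning NXDOMAIN.
    partial = ["0.168.192.in-addr.arpa"]
    full = reverse_zones("192.168.0.0/20")
    query = ptr_name("192.168.1.1")
    print(query, "local with one zone:", is_local(query, partial))
    print(query, "local with full set:", is_local(query, full))
    for opt in dnsmasq_local_options("192.168.0.0/20"):
        print(opt)
```

For the /24 case in the thread, `dnsmasq_local_options("192.168.122.0/24")` yields exactly the `--local=/122.168.192.in-addr.arpa/` entry quoted above; for a /20 it yields sixteen entries, which is the cost of the octet-aligned matching the message describes. Anything not covered by the generated zones is still forwarded, which is where an upstream `bogus-priv` acts as the safety net.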
