[Dnsmasq-discuss] A reason for setting NS records in dnsmasq

Gui Iribarren gui at altermundi.net
Thu Nov 1 21:58:18 GMT 2012


> Simon Kelley (simon at ...) wrote on 7 March 2011 21:44:
>  >So, can somebody set down under exactly what circumstances being able to
>  >set an NS record in dnsmasq would be useful? It's clearly pretty easy to
>  >add as a feature, but I'm not sure why the need.

Hello Simon,
(...resurrecting
http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4721)
I'm currently trying to make clients of a wireless community network have
public resolvable addresses.
This wouldn't make much sense in the IPv4 world, where leases are in private
ranges, but it does make a lot of sense combined with dnsmasq's nifty (and
certainly unique) feature of ra-names, since SLAAC addresses are global :)

I have to overcome 3 difficulties:
1) My dnsmasq server is reachable on ipv6 only (ipv4 is not public)
2) nic.ar (registrar) doesn't support setting ipv6 NS records at all.
3) dnsmasq doesn't offer NS records for a local=/domain/

To overcome (1) and (2), in the registrar I've pointed deltalibre.org.ar NS
records to the public ipv4 of a dual-stack server, running bind9.
That bind9 has a zone defined esperita.deltalibre.org.ar as "forward-only"
and forwarders clause pointing to the ipv6 of dnsmasq server.
[So in effect, the bind9 acts as a "man in the middle" between my ipv4-only
registrar, and my ipv6-only dnsmasq.]
So far so good.

Problem is, when I "dig -t NS @8.8.8.8 esperita.deltalibre.org.ar", I get a
SERVFAIL :(

This prevents me from querying anything inside that subdomain; digging
colmena.esperita.deltalibre.org.ar also gives back a SERVFAIL

(querying the dnsmasq server directly works)

$ dig -t AAAA @2a00:1508:1:f003::1 colmena.esperita.deltalibre.org.ar +nocmd +nocomments
;colmena.esperita.deltalibre.org.ar. IN    AAAA
colmena.esperita.deltalibre.org.ar. 600    IN AAAA 2a00:1508:1:f003:fad1:11ff:fe50:4757
;; Query time: 116 msec
;; SERVER: 2a00:1508:1:f003::1#53(2a00:1508:1:f003::1)
;; WHEN: Thu Nov  1 18:42:33 2012
;; MSG SIZE  rcvd: 80

If I could get the dnsmasq running at 2a00:1508:1:f003::1 to reply with an
NS record pointing to itself when queried about esperita.deltalibre.org.ar,
all this scheme should work.

Which would in turn be a *very* elegant and simple way of handling DNS
resolving for clients. A kind of "dyndns" service of the future :)

What do you think? Would that be an argument for implementing this in
dnsmasq?
(Or maybe there's another way to do this that I'm overlooking.)
(dnsmasq is running on a space-tight OpenWrt, so running bind9+dnsmasq is
not an option.)

Thanks and cheers!

Gui

ps. original thread and arguments follow:

>  >(Being able to return NS records for arbitrary domains looks like a
>  >really good way to confuse the unwary, but that's maybe a different point)
>
> It's not for arbitrary domains, it's only for the zone it's
> authoritative. The one that has local=/my.zone/ in the config.
>
> I've made some tests and it seems that answering NS queries is not
> only a "good behavior", it's essential. They're shown below; the
> domain is of a new university here.
>
> Objective: make dnsmasq the authoritative zone server, because it has
> all the info, both for static names and for dhcp-assigned ones.
>
> We're using (for now...) ISC named as the recursor, in a different
> machine. Both would be listed as dns servers for the domain in the
> national registrar:
>
> named: 200.134.33.2
> dnsmasq: 200.134.33.10
>
> named is configured as cache-only but forwarding requests to dnsmasq
> for the zone. This is named.conf.local:
>
> zone "unila.edu.br" {
>         type forward;
>         forward only;
>         forwarders { 200.134.33.10; };    <===== dnsmasq machine
> };
>
> zone "33.134.200.in-addr.arpa" {
>         type forward;
>         forward only;
>         forwarders { 200.134.33.10; };
> };
>
> dnsmasq is configured as (dns part only)
>
> addn-hosts=/etc/dnsmasq/hosts
> log-queries
> local=/unila.edu.br/
> local=/33.134.200.in-addr.arpa/
> server=200.134.33.2             <===== named machine
> bind-interfaces
> localise-queries
> bogus-priv
> filterwin2k
> no-resolv
> no-poll
> stop-dns-rebind
> mx-host=unila.edu.br,unila2.unila.edu.br
> cname=mx.unila.edu.br,unila2.unila.edu.br
> cname=correio.unila.edu.br,unila2.unila.edu.br
> domain-needed
>
> Summary: named is cache-only and sends all queries about unila.edu.br
> to dnsmasq, while dnsmasq answers all queries about unila.edu.br by
> itself and sends everything else to named.
>
> The setup works IFF you ask the servers directly:
>
> % host unila1.unila.edu.br 200.134.33.10
> unila1.unila.edu.br     A       200.134.33.254
>
> % host unila1.unila.edu.br 200.134.33.2
> unila1.unila.edu.br     A       200.134.33.254
>
> and the dnsmasq log shows the query from named:
>
> Mar  8 13:18:31 dnsmasq[27535]: query[A] unila1.unila.edu.br from 200.134.33.2
> Mar  8 13:18:31 dnsmasq[27535]: /etc/dnsmasq/hosts unila1.unila.edu.br is 200.134.33.254
>
> which shows the named forward works.
>
> However queries without the explicit nameserver don't work:
>
> % host parana.unila.edu.br
> ;; connection timed out; no servers could be reached
>
> % dig unila1.unila.edu.br +trace
>
> ; <<>> DiG 9.7.2-P3 <<>> unila1.unila.edu.br +trace
> ;; global options: +cmd
> .                       358303  IN      NS      c.root-servers.net.
> .                       358303  IN      NS      f.root-servers.net.
> .                       358303  IN      NS      e.root-servers.net.
> .                       358303  IN      NS      a.root-servers.net.
> .                       358303  IN      NS      m.root-servers.net.
> .                       358303  IN      NS      g.root-servers.net.
> .                       358303  IN      NS      i.root-servers.net.
> .                       358303  IN      NS      d.root-servers.net.
> .                       358303  IN      NS      h.root-servers.net.
> .                       358303  IN      NS      b.root-servers.net.
> .                       358303  IN      NS      l.root-servers.net.
> .                       358303  IN      NS      j.root-servers.net.
> .                       358303  IN      NS      k.root-servers.net.
> ;; Received 272 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
>
> br.                     172800  IN      NS      f.dns.br.
> br.                     172800  IN      NS      e.dns.br.
> br.                     172800  IN      NS      c.dns.br.
> br.                     172800  IN      NS      a.dns.br.
> br.                     172800  IN      NS      d.dns.br.
> br.                     172800  IN      NS      b.dns.br.
> ;; Received 289 bytes from 128.8.10.90#53(d.root-servers.net) in 156 ms
>
> unila.edu.br.           86400   IN      NS      ns.unila.edu.br.
> unila.edu.br.           86400   IN      NS      ns2.unila.edu.br.
> ;; Received 104 bytes from 200.219.159.10#53(f.dns.br) in 9 ms
>
> ;; connection timed out; no servers could be reached
>
> Note that the query doesn't reach dnsmasq. Is it because it doesn't
> have NS or something else is amiss?
>
> Of course, with named configured for answering the zone
> authoritatively it works.
>
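Both halves of this thread turn on the same question: what must the server a parent delegates to return for an NS query at the zone apex? The check below is an added example, not code from the post or from dnsmasq; it assumes a hypothetical host name ns.deltalibre.org.ar for the dual-stack machine listed at the parent, builds two constructed wire-format replies (one authoritative with an apex NS RRset, one the shape a plain forwarder returns) and judges which one a recursive resolver following the delegation would accept.

```python
import struct
QTYPE_NS, ZONE = 2, "esperita.deltalibre.org.ar."
PARENT_NS = ["ns.deltalibre.org.ar."]  # hypothetical: the dual-stack host the parent delegates to
def encode_name(name):  # dotted name -> uncompressed wire format
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
def decode_name(msg, off):  # wire name at `off` -> (dotted name, next offset)
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to a suffix earlier in the message
            tail, _ = decode_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def build_reply(qname, qtype, answers, aa):  # answers = [(name, type, ttl, rdata bytes)]
    flags = 0x8180 | (0x0400 if aa else 0)  # QR, RD, RA, rcode NOERROR; AA only if authoritative
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg

def parse_reply(msg):  # header flags plus answer section; NS rdata decoded to a dotted name
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off, answers = off + 4, []  # skip qtype/qclass
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = decode_name(msg, off)[0] if rtype == QTYPE_NS else msg[off:off + rdlen]
        answers.append((name, rtype, ttl, rdata))
        off += rdlen
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0xF, "qname": qname, "answers": answers}

def delegation_ok(parent_ns, reply):  # would a resolver following the parent's NS accept this reply?
    r = parse_reply(reply)
    if not r["aa"] or r["rcode"] != 0:
        return False, "AA unset or error rcode: resolver treats the server as lame"
    apex = {rd.lower() for n, t, _, rd in r["answers"] if t == QTYPE_NS and n.lower() == r["qname"].lower()}
    if not apex & {n.lower() for n in parent_ns}:
        return False, "no apex NS RRset matching the parent delegation"
    return True, "ok"
# Constructed samples: what the delegated server should answer vs. what a plain forwarder answers.
GOOD_REPLY = build_reply(ZONE, QTYPE_NS, [(ZONE, QTYPE_NS, 600, encode_name(PARENT_NS[0]))], aa=True)
LAME_REPLY = build_reply(ZONE, QTYPE_NS, [], aa=False)
```

Feed `delegation_ok` the raw bytes of a real reply captured from the delegated server to see which of the three conditions it fails.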