[Dnsmasq-discuss] A reason for setting NS records in dnsmasq

Simon Kelley simon at thekelleys.org.uk
Fri Nov 2 14:46:58 GMT 2012


On 02/11/12 12:43, Gui Iribarren wrote:
> 
> On Fri, Nov 2, 2012 at 8:58 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
>     That looks very interesting. It's out of comfort-zone for DNS-wrangling,
>     but I will cause it to be looked at by people who know more about this.
>     If they think it's a valid thing to do, I'll implement enough NS record
>     functionality to make it possible.
> 
> 
> When I first changed the NS at the registrar (from a proper,
> authoritative one) to point to my Frankenstein, there was a window of
> a couple of hours, until it propagated completely, where I could ask
> 8.8.8.8, and my dnsmasq would return a cached correct NS reply, thus it
> all worked for an afternoon. I was delighted. :)
> Since then I've been banging my head, trying different configs in bind9
> / dnsmasq, until accepting an NS record in dnsmasq would make it.
> 
> 
>     One thought: to make this work, you are going to have to make dnsmasq
>     open to queries from "outside". That's normally seen as a really bad
>     idea. It may be necessary to limit the domains and/or query types for
>     queries from outside.
> 
> 
> Definitely: as it stands right now, when asked for A records, it answers
> with 10.x.x.x to queries from the Internet, which is a *big* no-no...
> So that would need a "reverse" bogus-priv option or something
That's true, but more generally accepting queries from outside that then
get forwarded outside makes a DNS forwarder into a DoS amplifier. There
would have to be access control that only accepted queries that can be
answered internally.

> 
> But I'm really glad you liked the idea
> 
> it's a simple free-ride on the inspiringly elegant hack that is ra-names ;)
> 
Flattery will get you anywhere :)  I can only accept credit for the
implementation: I'm aware of at least two different inventors, neither
of them me.

Cheers,

Simon.
