[Dnsmasq-discuss] A reason for setting NS records in dnsmasq

Gui Iribarren gui at altermundi.net
Wed Jan 23 17:45:24 GMT 2013


On 01/11/2013 10:22 AM, Gui Iribarren wrote:
> Simon,
> sorry for not giving a single feedback on this until now,
> December wasn't my geekiest month :)
> but I'm getting back on this at the moment and hope to report results soon

Simon, I know I have praised you much already,
but you just keep giving me reasons to do so :)

### Previously... ###

    $ dig demo.deltalibre.org.ar @8.8.8.8 +all ns
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12711
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;demo.deltalibre.org.ar.		IN	NS
    
    ;; Query time: 951 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Wed Jan 23 07:27:11 2013
    ;; MSG SIZE  rcvd: 40
    
### Running dnsmasq version 2.66test4 ###
### with auth-server config           ###
    
    $ dig demo.deltalibre.org.ar @8.8.8.8 +all ns
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44364
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;demo.deltalibre.org.ar.		IN	NS
    
    ;; ANSWER SECTION:
    demo.deltalibre.org.ar.	600	IN	NS	gw-demo.deltalibre.org.ar.
    
    ;; Query time: 616 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Wed Jan 23 07:27:21 2013
    ;; MSG SIZE  rcvd: 62

This is marvellous, just as proposed and promised!

And the non-open-relay thing is perfect:

    $ dig altermundi.net @2a00:1508:1:feca::1 +all ns
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20143
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;altermundi.net.			IN	NS
    
    ;; Query time: 620 msec
    ;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
    ;; WHEN: Wed Jan 23 07:59:45 2013
    ;; MSG SIZE  rcvd: 32

What I find particularly interesting is that, contrary to what I supposed,
the decision to recurse depends on which interface the query arrives over,
and not on the destination IP!

    root@wdr3500:~# tail -n2 /etc/dnsmasq.conf
    auth-server=gw-demo.deltalibre.org.ar,librenet6
    auth-zone=demo.deltalibre.org.ar,2a00:1508:1:feca::/64

librenet6 is the tunnel-broker interface that connects to the v6 Internet:

    root@wdr3500:~# ip -6 a s dev librenet6
    15: librenet6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qlen 1000
        inet6 fe80::802d:fbff:fe7e:8892/64 scope link 
           valid_lft forever preferred_lft forever
    root@wdr3500:~# ip -6 a s dev br-lan
    8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 
        inet6 2a00:1508:1:feca::1/64 scope global 
           valid_lft forever preferred_lft forever
        inet6 fe80::6670:2ff:fe3d:90e7/64 scope link 
           valid_lft forever preferred_lft forever

If I query from a locally connected computer, which is connected to br-lan,
I find a beloved recursive DNS caching server:

    home:~$ dig @2a00:1508:1:feca::1 aaaa altermundi.net +all
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1521
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;altermundi.net.			IN	AAAA

    ;; ANSWER SECTION:
    altermundi.net.		28797	IN	AAAA	2a00:1508:1:f001::103

    ;; Query time: 1 msec
    ;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
    ;; WHEN: Wed Jan 23 14:20:04 2013
    ;; MSG SIZE  rcvd: 60

While if I query from any remote site, so that the query enters through librenet6,
voila! No recursion. And I'm contacting the same IP... I'm impressed.

    remotepc:~# dig @2a00:1508:1:feca::1 aaaa altermundi.net +all
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44811
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;altermundi.net.                        IN      AAAA

    ;; Query time: 266 msec
    ;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
    ;; WHEN: Wed Jan 23 14:22:27 2013
    ;; MSG SIZE  rcvd: 32

If I got native IPv6 and could drop the tunnel,
I'd simply put "eth1" in the auth-server= line.

(In my previous emails, I misunderstood how the auth-server line
would work)

Well... seems I got where I wanted, so I'll stop the flattery ;)

Sunshine!

Gui

PS. I spotted a trivial typo in the 2.66test6 man page:

diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1709,7 +1709,7 @@
 
 .nf
 .B auth-server=server.example.com,eth0
-.B auth=zone=our.zone.com,1.2.3.0/24
+.B auth-zone=our.zone.com,1.2.3.0/24
 .fi
 
 and two records in the external DNS
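Review bot: The corrected line `.B auth-zone=our.zone.com,1.2.3.0/24` now matches the `auth-zone=` option name used in the working config earlier in this message (`auth-zone=demo.deltalibre.org.ar,2a00:1508:1:feca::/64`); since the same `auth=zone` misspelling appears again in the second hunk, it is worth searching the whole man page for any further copy of it so the option text and all examples agree.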
@@ -1733,7 +1733,7 @@
 
 .nf
 .B auth-server=our.zone.com,eth0
-.B auth=zone=our.zone.com,1.2.3.0/24
+.B auth-zone=our.zone.com,1.2.3.0/24
 .fi
 
 .nf
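Review bot: Same `auth=zone` to `auth-zone` correction as in the first hunk, applied to the second example; because the two examples carry an identical zone line, a single search-and-replace across man/dnsmasq.8 is the safer way to make sure no third occurrence is missed.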


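The interface-dependent recursion shown in the transcripts above is easy to misconfigure, so here is a small checker, added here and not part of Gui's message or of dnsmasq itself, that pulls the RA bit out of dig output and flags any interface whose recursion behaviour contradicts the intended split; the sample outputs are constructed from the post, and the labels and policy dict are assumptions for illustration.

```python
import re

# Constructed samples modelled on the dig output in the post: a reply seen
# from the LAN side (br-lan) and one seen from the tunnel side (librenet6).
LAN_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1521
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
WAN_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44811
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""

STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*\bstatus: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)


def parse_dig_header(text):
    """Return (status, set of flags) taken from dig's header and flags lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("not a dig answer header")
    # split on whitespace so "ra" is matched as a whole token, not inside "rd"
    return status.group(1), set(flags.group(1).split())


def recursion_offered(text):
    """True when the server set RA, i.e. it will recurse for this querier."""
    return "ra" in parse_dig_header(text)[1]


def audit(observations):
    """observations: {label: (dig_output, recursion_expected)}.
    Returns the labels whose RA bit contradicts the policy; a non-empty
    result means the per-interface split is not what was configured."""
    return [label for label, (out, expected) in observations.items()
            if recursion_offered(out) != expected]


if __name__ == "__main__":
    # Hypothetical policy: recurse for the LAN, never for the tunnel side.
    policy = {"br-lan": (LAN_REPLY, True), "librenet6": (WAN_REPLY, False)}
    print("violations:", audit(policy))
```

Feed it real `dig ... +all` output captured from each side of the router to confirm the auth-server interface never answers with RA set.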