[Dnsmasq-discuss] A reason for setting NS records in dnsmasq
Gui Iribarren
gui at altermundi.net
Wed Jan 23 17:45:24 GMT 2013
On 01/11/2013 10:22 AM, Gui Iribarren wrote:
> Simon,
> sorry for not giving any feedback on this until now,
> December wasn't my geekiest month :)
> but I'm getting back on this at the moment and hope to report results soon
Simon, I know I have praised you much already,
but you just keep giving me reasons to do so :)
### Previously... ###
$ dig demo.deltalibre.org.ar @8.8.8.8 +all ns
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;demo.deltalibre.org.ar. IN NS
;; Query time: 951 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 23 07:27:11 2013
;; MSG SIZE rcvd: 40
### Running dnsmasq version 2.66test4 ###
### with auth-server config ###
$ dig demo.deltalibre.org.ar @8.8.8.8 +all ns
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44364
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;demo.deltalibre.org.ar. IN NS
;; ANSWER SECTION:
demo.deltalibre.org.ar. 600 IN NS gw-demo.deltalibre.org.ar.
;; Query time: 616 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 23 07:27:21 2013
;; MSG SIZE rcvd: 62
This is marvellous, just as proposed and promised!
And the non-open-relay thing is perfect:
$ dig altermundi.net @2a00:1508:1:feca::1 +all ns
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20143
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;altermundi.net. IN NS
;; Query time: 620 msec
;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
;; WHEN: Wed Jan 23 07:59:45 2013
;; MSG SIZE rcvd: 32
What I find particularly interesting is that, contrary to what I supposed,
the decision to recurse depends on which interface the query arrives over,
and not on the destination IP!
root at wdr3500:~# tail -n2 /etc/dnsmasq.conf
auth-server=gw-demo.deltalibre.org.ar,librenet6
auth-zone=demo.deltalibre.org.ar,2a00:1508:1:feca::/64
That librenet6 is the tunnel broker interface that connects to the v6 Internet:
root at wdr3500:~# ip -6 a s dev librenet6
15: librenet6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qlen 1000
inet6 fe80::802d:fbff:fe7e:8892/64 scope link
valid_lft forever preferred_lft forever
root at wdr3500:~# ip -6 a s dev br-lan
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
inet6 2a00:1508:1:feca::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6670:2ff:fe3d:90e7/64 scope link
valid_lft forever preferred_lft forever
If I query from a locally connected computer, which is connected to br-lan,
I find a beloved recursive DNS caching server:
home:~$ dig @2a00:1508:1:feca::1 aaaa altermundi.net +all
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1521
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;altermundi.net. IN AAAA
;; ANSWER SECTION:
altermundi.net. 28797 IN AAAA 2a00:1508:1:f001::103
;; Query time: 1 msec
;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
;; WHEN: Wed Jan 23 14:20:04 2013
;; MSG SIZE rcvd: 60
While if I query from any remote site, so that the query enters through librenet6,
voilà! No recursion. And I'm contacting the same IP... I'm impressed.
remotepc:~# dig @2a00:1508:1:feca::1 aaaa altermundi.net +all
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44811
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;altermundi.net. IN AAAA
;; Query time: 266 msec
;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
;; WHEN: Wed Jan 23 14:22:27 2013
;; MSG SIZE rcvd: 32
If I got native IPv6 and could drop the tunnel,
I'd simply put "eth1" in the auth-server= line.
(In my previous emails, I misunderstood how the auth-server line
would work.)
Well... seems I got where I wanted, so I'll stop the flattery ;)
Sunshine!
Gui
PS. I spotted a trivial typo in the 2.66test6 man page:
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1709,7 +1709,7 @@
.nf
.B auth-server=server.example.com,eth0
-.B auth=zone=our.zone.com,1.2.3.0/24
+.B auth-zone=our.zone.com,1.2.3.0/24
.fi
and two records in the external DNS
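Review bot: The fix in this hunk is correct: `auth=zone=our.zone.com,1.2.3.0/24` cannot be parsed as a dnsmasq option, since option names use a hyphen, and the corrected `.B auth-zone=our.zone.com,1.2.3.0/24` matches the spelling of the auth-zone= line in the working config quoted earlier in this mail. The same `auth=zone` typo recurs in the second hunk at line 1733 of the same file; grepping dnsmasq.8 for `auth=` before merging would confirm there is no third occurrence.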
@@ -1733,7 +1733,7 @@
.nf
.B auth-server=our.zone.com,eth0
-.B auth=zone=our.zone.com,1.2.3.0/24
+.B auth-zone=our.zone.com,1.2.3.0/24
.fi
.nf
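As an added example (not part of the original post, and not dnsmasq's own code), a small POSIX shell helper that makes the inside/outside check above repeatable: it reads a dig transcript and reports whether the server offered recursion (the "ra" flag is present on the ";; flags:" line, as in the br-lan query) or refused it (no "ra", as in the librenet6 query). The function names classify_dig and probe_resolver are my own; the sample flag lines used below are copied from the dig output quoted earlier in this mail.

```shell
#!/bin/sh
# Added example, not from the post or from dnsmasq.
# classify_dig reads one dig transcript on stdin and prints
#   recursive  - the ";; flags:" line carries "ra" (recursion available)
#   auth-only  - flags present but no "ra" (authoritative-only behaviour,
#                what dnsmasq shows on the auth-server interface)
#   unknown    - no ";; flags:" line found (timeout, garbage, etc.)
classify_dig() {
    # Pull the flag list between ";; flags: " and the first ";".
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    if [ -z "$flags" ]; then
        echo unknown
        return 0
    fi
    case " $flags " in
        *" ra "*) echo recursive ;;
        *)        echo auth-only ;;
    esac
}

# probe_resolver SERVER [NAME]
# Live check: ask SERVER for a name it is not authoritative for and
# classify the reply. Run it once from the LAN and once from a host that
# reaches the server over the interface named in auth-server=; the
# outside run should print auth-only, otherwise the box is an open resolver.
# (The default probe name is an assumption; any out-of-zone name works.)
probe_resolver() {
    server=$1
    name=${2:-altermundi.net}
    dig "@$server" "$name" AAAA +all +tries=1 +time=3 | classify_dig
}

# Example invocation (needs network access, so it is not part of the test):
#   probe_resolver 2a00:1508:1:feca::1
```

The parser only looks at the flags line, so it works on the same output whether dig prints "WARNING: recursion requested but not available" or not; the "ra" flag is the authoritative signal for whether recursion was offered.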