[Dnsmasq-discuss] Reverse lookups not working in authoritative mode

Simon Kelley simon at thekelleys.org.uk
Thu Mar 13 20:38:55 UTC 2014


On 13/03/14 01:01, Franco Broi wrote:
> On Wed, 2014-03-12 at 17:29 +0000, Simon Kelley wrote: 
>> On 12/03/14 11:09, Franco Broi wrote:
>>>
>>> Sorry about the top posting, useless MS webmail.
>>>
>>> The reason I need the authoritative dns is because I'm in a regional
>>> office of a big company. It's a requirement that we provide an
>>> authoritative server for our local machines so they can be accessed
>>> from anywhere within the company WAN.
>>>
>>> When I run the host and dig commands I'm specifying a dns to use, so
>>> there's no other dns involved, plus I've disabled resolve.conf and
>>> there are no other dns's defined.
>>>
>>> Dig seems to work but host doesn't. When I strace the dnsmasq server
>>> I can see it sending the hostname but it just doesn't register with
>>> host as a successful lookup. host works fine in non-authoritative
>>> mode and from my other dnsmasq servers - non authoritative.
>>>
>>> Does the format of the return message from dnsmasq change with the
>>> different modes? 
>>
>> It can differ, for instance a hostname can appear at different
>> fully-qualified domain names depending on "inside" or "outside" queries,
>> but that's not relevant here.
>>
>> What does
>>
>> dig NS perth1.aus.abc.com
>>
>> return. 1) When sent to the dnsmasq server,
> 
> ;; AUTHORITY SECTION:
> aus.abc.com.		600	IN	SOA	perth1.aus.abc.com. hostmaster.perth1.abc.gxt.com. 1394671494 1200 180 1209600 600
> 
> 
>>  and 2) When sent to your
>> main company DNS server.
> 
> Can't do this yet, setting the dnsmasq to authoritative was a
> prerequisite to having our zone included in the global dns. I also had
> to enable zone transfers which I did by setting a fictional secondary
> server, without this zone transfers were not allowed.
> http://dnsreactions.tumblr.com/post/53919990746/debugging-with-nslookup-or-host

You shouldn't need to use fictional servers, just give the domain names
of your company's authoritative nameserver(s) which will be doing the
zone transfers.

I'm not clear there's actually a problem here: I think that when queried
via the external interface specified by --auth-server, you'll get the
correct answer to the in-addr.arpa queries.

Note that "host" is a really bad debugging tool for this. "dig" is much
better since you get to control exactly what query is sent and you get
to see the exact answer received.


Cheers,

Simon
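
An added illustration of the point about controlling exactly what query is sent and seeing exactly what comes back (this is not part of the original message and not dnsmasq code). It builds the non-recursive PTR query that a reverse lookup sends and decodes the reply header fields that dig prints; the address 192.0.2.10 and both sample headers are constructed, not taken from the thread.

```python
import ipaddress
import struct

PTR = 12  # DNS record type number for PTR

def ptr_name(ip: str) -> str:
    """Owner name queried for a reverse lookup of ip."""
    return ipaddress.ip_address(ip).reverse_pointer

def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """One-question query with the RD flag clear, like `dig +norecurse`."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def summarize(response: bytes) -> dict:
    """Decode the 12-byte header: AA flag, RCODE and section counts."""
    _txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        kind = "NXDOMAIN"
    elif rcode == 0 and an == 0:
        kind = "NODATA"   # NOERROR, but no record of the requested type
    elif rcode == 0:
        kind = "ANSWER"
    else:
        kind = f"RCODE {rcode}"
    return {"authoritative": bool(flags & 0x0400), "kind": kind,
            "answer": an, "authority": ns}

# Constructed sample headers (not captured traffic): QR and AA set, RD clear.
SAMPLE_PTR_ANSWER = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
SAMPLE_SOA_ONLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 0, 1, 0)

if __name__ == "__main__":
    name = ptr_name("192.0.2.10")
    print(len(build_query(name, PTR)), "byte query for", name)
    print("PTR answered:", summarize(SAMPLE_PTR_ANSWER))
    print("SOA in authority only:", summarize(SAMPLE_SOA_ONLY))
```

Both samples have the AA bit set, so only the answer count separates a served PTR record from a reply that carries nothing but an SOA in its authority section.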

