[Dnsmasq-discuss] Reverse lookups not working in authoritative mode

Franco Broi franco.broi at iongeo.com
Fri Mar 14 02:42:19 UTC 2014


On Thu, 2014-03-13 at 20:38 +0000, Simon Kelley wrote: 
> On 13/03/14 01:01, Franco Broi wrote:
> > On Wed, 2014-03-12 at 17:29 +0000, Simon Kelley wrote: 
> >> On 12/03/14 11:09, Franco Broi wrote:
> >>>
> >>> Sorry about the top posting, useless MS webmail.
> >>>
> >>> The reason I need the authoritative dns is because I'm in a regional
> >>> office of a big company. It's a requirement that we provide an
> >>> authoritative server for our local machines so they can be accessed
> >>> from anywhere within the company WAN.
> >>>
> >>> When I run the host and dig commands I'm specifying a dns to use, so
> >>> there's no other dns involved, plus I've disabled resolve.conf and
> >>> there are no other dns's defined.
> >>>
> >>> Dig seems to work but host doesn't. When I strace the dnsmasq server
> >>> I can see it sending the hostname but it just doesn't register with
> >>> host as a successful lookup. host works fine in non-authoritative
> >>> mode and from my other dnsmasq servers - non-authoritative.
> >>>
> >>> Does the format of the return message from dnsmasq change with the
> >>> different modes? 
> >>
> >> It can differ, for instance a hostname can appear at different
> >> full-qualified domain names depending on "inside" or "outside" queries,
> >> but that's not relevant here.
> >>
> >> What does
> >>
> >> dig NS perth1.aus.abc.com
> >>
> >> return. 1) When sent to the dnsmasq server,
> > 
> > ;; AUTHORITY SECTION:
> > aus.abc.com.		600	IN	SOA	perth1.aus.abc.com. hostmaster.perth1.abc.gxt.com. 1394671494 1200 180 1209600 600
> > 
> > 
> >>  and 2) When sent to your
> >> main company DNS server.
> > 
> > Can't do this yet, setting the dnsmasq to authoritative was a
> > prerequisite to having our zone included in the global dns. I also had
> > to enable zone transfers which I did by setting a fictional secondary
> http://dnsreactions.tumblr.com/post/53919990746/debugging-with-nslookup-or-host

Funny!

> > server; without this, zone transfers were not allowed.
> 
> You shouldn't need to use fictional servers, just give the domain names
> of your company's authoritative nameserver(s) which will be doing the
> zone transfers.

I'm confused, I thought the auth-sec-servers option specified backup
servers for the local zone for which we are authoritative? Are you
saying I should put the global server names here instead?

You might be able to tell by now that I know nothing about DNS, that's
why I want to use dnsmasq...

> 
> I'm not clear there's actually a problem here: I think that when queried
> via the external interface specified by --auth-server, you'll get the
> correct answer to the in-addr.arpa queries.

You are right, it does work from perth1 but not from other machines. I
will take this to mean it's ok.

> 
> Note that "host" is a really bad debugging tool for this. "dig" is much
> better since you get to control exactly what query is sent and you get
> to see the exact answer received.
> 

I think corporate IT are now happy that it works although they did make
a fuss about dnsmasq not supporting reverse zone transfers - why do they
need those? Can't they be deduced from the forward zone?

BTW I'm also using dnsmasq for dhcp and tftp to boot diskless cluster
nodes, works a treat although I do miss the dhcp stanzas which are a bit
more intuitive than tags.

Cheers and thanks for the help.

> 
> Cheers,
> 
> Simon
> 
> 
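An added example (not from the thread or the dnsmasq project) of how the options discussed above fit together in dnsmasq.conf: auth-sec-servers names the company's real secondaries, and the subnet on auth-zone is what makes dnsmasq answer the in-addr.arpa (reverse) queries authoritatively. The zone names are the thread's; the interface, subnet, secondary names and addresses are constructed placeholders, and auth-peer comes from the dnsmasq manual rather than the thread.

```ini
# Added example dnsmasq.conf fragment; eth0, 192.0.2.0/24, ns1/ns2.abc.com
# and the 198.51.100.x addresses are constructed placeholders.

# Answer authoritatively (not from the cache) for queries arriving on this
# interface, and publish this name as the zone's primary nameserver.
auth-server=perth1.aus.abc.com,eth0

# The forward zone, plus the subnet(s) whose in-addr.arpa reverse records
# dnsmasq should also serve authoritatively. Reverse queries for addresses
# outside the listed subnets are not answered from the authoritative data.
auth-zone=aus.abc.com,192.0.2.0/24

# SOA serial and hostmaster mailbox (hostmaster@aus.abc.com in DNS form).
auth-soa=1394671494,hostmaster.aus.abc.com

# The company's real secondary nameservers, not fictional ones: they are
# published as NS records and are expected to pull the zone via AXFR.
auth-sec-servers=ns1.abc.com,ns2.abc.com

# Restrict zone transfers to the secondaries' addresses. Without this line
# any host that can reach the auth interface may request an AXFR of the zone.
auth-peer=198.51.100.53,198.51.100.54
```

Check the result with dig rather than host, as suggested above: a PTR query for an address inside the auth-zone subnet, sent to the auth-server address, should come back with the AA flag set.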