[Dnsmasq-discuss] Reverse lookups not working in authoritative mode
franco.broi at iongeo.com
Fri Mar 14 02:42:19 UTC 2014
On Thu, 2014-03-13 at 20:38 +0000, Simon Kelley wrote:
> On 13/03/14 01:01, Franco Broi wrote:
> > On Wed, 2014-03-12 at 17:29 +0000, Simon Kelley wrote:
> >> On 12/03/14 11:09, Franco Broi wrote:
> >>> Sorry about the top posting, useless MS webmail.
> >>> The reason I need the authoritative dns is because I'm in a regional
> >>> office of a big company. It's a requirement that we provide an
> >>> authoritative server for our local machines so they can be accessed
> >>> from anywhere within the company WAN.
> >>> When I run the host and dig commands I'm specifying a DNS server to use, so
> >>> there's no other DNS involved, plus I've disabled resolv.conf and
> >>> there are no other DNS servers defined.
> >>> Dig seems to work but host doesn't. When I strace the dnsmasq server
> >>> I can see it sending the hostname but it just doesn't register with
> >>> host as a successful lookup. host works fine in non-authoritative
> >>> mode and from my other dnsmasq servers - non authoritative.
> >>> Does the format of the return message from dnsmasq change with the
> >>> different modes?
> >> It can differ, for instance a hostname can appear at different
> >> fully-qualified domain names depending on "inside" or "outside" queries,
> >> but that's not relevant here.
> >> What does
> >> dig NS perth1.aus.abc.com
> >> return? 1) When sent to the dnsmasq server,
> > ;; AUTHORITY SECTION:
> > aus.abc.com. 600 IN SOA perth1.aus.abc.com. hostmaster.perth1.abc.gxt.com. 1394671494 1200 180 1209600 600
> >> and 2) When sent to your
> >> main company DNS server.
> > Can't do this yet, setting the dnsmasq to authoritative was a
> > prerequisite to having our zone included in the global DNS. I also had
> > to enable zone transfers which I did by setting a fictional secondary
> > server; without this, zone transfers were not allowed.
> You shouldn't need to use fictional servers, just give the domain names
> of your company's authoritative nameserver(s) which will be doing the
> zone transfers.
I'm confused, I thought the auth-sec-servers option specified backup
servers for the local zone for which we are authoritative? Are you
saying I should put the global server names here instead?
You might be able to tell by now that I know nothing about DNS, that's
why I want to use dnsmasq...
> I'm not clear there's actually a problem here: I think that when queried
> via the external interface specified by --auth-server, you'll get the
> correct answer to the in-addr.arpa queries.
You are right, it does work from perth1 but not from other machines. I
will take this to mean it's ok.
> Note that "host" is a really bad debugging tool for this. "dig" is much
> better since you get to control exactly what query is sent and you get
> to see the exact answer received.
I think corporate IT are now happy that it works although they did make
a fuss about dnsmasq not supporting reverse zone transfers - why do they
need those? Can't they be deduced from the forward zone?
BTW I'm also using dnsmasq for dhcp and tftp to boot diskless cluster
nodes, works a treat although I do miss the dhcp stanzas which are a bit
more intuitive than tags.
Cheers and thanks for the help.
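For reference, here is a dnsmasq.conf fragment that puts the advice in this thread together. It is an added example, not configuration posted by either participant: the zone name is taken from the thread, while the subnet, interface, addresses and the company nameserver names (ns1.abc.com, ns2.abc.com) are assumed for illustration.

```conf
# Added example, not from the original thread. Assumed values:
#   zone           aus.abc.com             (the regional office zone)
#   local subnet   10.20.30.0/24           (reverse zone 30.20.10.in-addr.arpa)
#   this host      perth1.aus.abc.com      on eth0, 10.20.30.1
#   company DNS    ns1.abc.com, ns2.abc.com (the servers that will pull the zone)

# Answer authoritatively for queries arriving on this interface. The name
# given here is what dnsmasq puts in the zone's NS and SOA records, which is
# why queries from other machines must reach this interface/address.
auth-server=perth1.aus.abc.com,eth0

# Serve aus.abc.com from /etc/hosts, DHCP leases and host-record entries.
# The subnet also defines the in-addr.arpa zone dnsmasq answers for, so
# reverse lookups only work for addresses inside it.
auth-zone=aus.abc.com,10.20.30.0/24

# Secondary servers: the company's real authoritative servers rather than a
# fictional name. They are published as NS records for the zone and are
# permitted to do zone transfers (AXFR).
auth-sec-servers=ns1.abc.com,ns2.abc.com

# Optionally allow AXFR from extra addresses that should not appear as NS
# records (e.g. a transfer-only host). Assumed address.
#auth-peer=10.1.1.5

# SOA values: serial, hostmaster, refresh, retry, expiry.
auth-soa=2014031401,hostmaster.aus.abc.com,1200,180,1209600

# Debug with dig, not host, sending each query explicitly to the
# authoritative address and reading the ANSWER/AUTHORITY sections:
#   dig @10.20.30.1 NS aus.abc.com
#   dig @10.20.30.1 -x 10.20.30.17
#   dig @10.20.30.1 AXFR aus.abc.com
```

Two checks worth doing once this is in place: the `dig NS` query should return NS records naming perth1 and the two company servers, and the `dig -x` query for an address inside the subnet listed on auth-zone should return a PTR; an address outside that subnet will not, because the subnet is what defines the reverse zone dnsmasq serves.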