[Dnsmasq-discuss] can an authoritative dnsmasq forward queries as well?

Simon Kelley simon at thekelleys.org.uk
Fri Mar 20 20:38:12 GMT 2015



The trick here is to understand that dnsmasq works in two different
modes, depending on where queries come from (or actually where they're
sent to).

auth-server=hosting.example.com,10.10.111.11

means that queries sent to 10.10.111.11 will be regarded as
authoritative queries, and only answers for *.example.com will be
answered, and not recursive queries. (hence the warning you see.)

Normally, this address would be a globally-routable address and not an
RFC-1918 address like 10.*.*.*, because there needs to be a delegation
to tell any DNS server out there on the network to send queries for
*.example.com to that address. I'm therefore a bit confused as to how
you have things set up.

The basic principle is that dnsmasq listens on at least two
addresses/interfaces and does different things on each. The
externally-facing interface (with non-RFC1918 address) is for
authoritative queries, and the internally-facing interface (which may
have an RFC1918 address) is for queries which may need to be forwarded.


Cheers,

Simon.




On 20/03/15 13:17, Harald Dunkel wrote:
> Hi folks,
> 
> Question: Can I use the same dnsmasq as an authoritative DNS server
> as well as a forwarder for external queries? No DHCP, but static
> tables in /etc/hosts and /etc/ethers. dnsmasq is version 2.72.
> 
> Here is my configuration:
> 
> domain-needed
> bogus-priv
> no-resolv
> server=8.8.4.4
> all-servers
> auth-server=hosting.example.com,10.10.111.11
> auth-zone=hosting.example.com,10.10.111.0/24
> auth-sec-servers=172.19.88.123,172.19.88.124
> domain=hosting.example.com,10.10.111.0/24,local
> expand-hosts
> read-ethers
> cache-size=1024
> log-queries
> log-dhcp
> log-facility=/var/log/dnsmasq.log
> 
> 
> 
> hosting.example.com can use itself to resolve queries for
> foo.hosting.example.com and for "external" hostnames. Other hosts
> in 10.10.111.0/24 can use this server to resolve
> foo.hosting.example.com as well, but if they query for external
> hostnames, then they get "WARNING: recursion requested but not
> available". Sample:
> 
> # dig @10.10.111.11 www.heise.de A
> 
> ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @10.10.111.11 www.heise.de A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49662
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;www.heise.de.                  IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 10.10.111.11#53(10.10.111.11)
> ;; WHEN: Thu Mar 19 15:51:35 2015
> ;; MSG SIZE  rcvd: 30
> 
> 
> 
> I spent (way too) many hours to figure out why dnsmasq doesn't act
> as a forwarder for all hosts in the local subnet in this case.
> AFAICS the configuration should work, but maybe I missed something.
> Every helpful comment is highly appreciated.
> 
> 
> Harri
> 

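
The header flags behind dig's warning in the thread above, decoded in an added example that is not part of either message: the 30-byte reply is rebuilt from the id, flags and size shown in the dig output, and the contrasting reply with RA set is constructed. The function names and the mode labels are assumptions made for illustration, following the two modes described in the reply.

```python
import socket
import struct

def build_query(name, qid, qtype=1):
    """DNS query with RD set (0x0100), which is what dig sends by default."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + qname + struct.pack("!HH", qtype, 1))

def with_flags(msg, flags):
    """Return msg with its 16-bit header flags field replaced."""
    return msg[:2] + struct.pack("!H", flags) + msg[4:]

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def classify(reply):
    """Which of the two modes answered, judged from the RA bit of a reply."""
    h = parse_header(reply)
    if not h["qr"]:
        raise ValueError("not a DNS response")
    if h["ra"]:
        return "forwarding"
    # RD set but RA clear is what dig reports as
    # "recursion requested but not available".
    return "authoritative-only" if h["rd"] else "no-recursion-requested"

def probe(server, name="www.heise.de", timeout=2.0):
    """Send one query over UDP to a listening address and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, 0x1234), (server, 53))
        return classify(s.recvfrom(512)[0])

# Constructed from the dig output in the thread: id 49662, flags "qr rd",
# one question, no answers, 30 bytes.
THREAD_REPLY = with_flags(build_query("www.heise.de", 49662), 0x8100)
# Constructed contrast: the same header with RA set (flags "qr rd ra").
FORWARDED_REPLY = with_flags(THREAD_REPLY, 0x8180)

if __name__ == "__main__":
    print(classify(THREAD_REPLY), classify(FORWARDED_REPLY))
```

Calling probe() against each address dnsmasq listens on shows which of the two modes serves that address.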


