[Dnsmasq-discuss] Becoming authoritative DNS for additional netblock

A C agcme at hotmail.com
Wed Dec 2 08:00:06 GMT 2015


On 2015-12-01 23:43, Albert ARIBAUD wrote:
> Hi "A C",
>
> On Tue, 1 Dec 2015 22:46:40 -0800
> A C <agcme at hotmail.com> wrote:
>
>> On 2015-12-01 22:22, Albert ARIBAUD wrote:
>>> Hi "A C",
>>>
>>> Cc:ing Simon in case the problem is indeed a weird dependency of
>>> "server=" on "local=" -- or to ascertain it doesn't.
>>>
>>> On Tue, 1 Dec 2015 19:53:37 -0800
>>> A C <agcme at hotmail.com> wrote:
>>>
>>>> I just got it working.  Your statement "but if the first line wins"
>>>> gave me an idea.  I cleaned up the config file and put these two
>>>> lines in with this specific order:
> ------------------------------------------------------
>>>> server=/vpn.example.com/10.0.0.140
>>>> local=/vpn.example.com/
> ------------------------------------------------------
>>>> This is exactly the reverse of the order I was using (I had local
>>>> first, then server).  It works now, any machine on the main
>>>> network can send a DNS query to the router for any of the VPN
>>>> machines and the query is forwarded over to the VPN server (I am
>>>> able to see the packet arrive on the VPN server).
>>>>
>>>> So perhaps the documents should add that the server/local lines are
>>>> order specific when handling subdomains of the base local domain
>>>> otherwise it attempts to be authoritative for all of the domain
>>>> even if there are other server lines.  The server line works fine
>>>> for external domains because they don't conflict with the local
>>>> domain (in fact I've used them before for that purpose, to fix
>>>> broken outside DNS servers by routing specific domains to
>>>> alternate DNS servers).  I just had never tried a subdomain of my
>>>> own domain and I simply duplicated an old server line all of which
>>>> came after the local directive at the top of the file.
>>> I am not sure that two lines are needed for one subdomain -- the
>>> documentation implies that "server=" does not need a "companion" line
>>> with "local=", and logically, no local= line should be needed for a
>>> server= line to work.
>>>
>>> Did you try just removing the "local=/vpn..." line from the (now)
>>> working config?
>>>
>>> If it still works with just the "server=" line, then your problem
>>> was elsewhere and some other change of yours has fixed it.
>>>
>>> If it needs the "local=" line along with the "server=" line to work,
>>> then there is a weird problem indeed, which IMO justifies my cc:ing
>>> Simon.
>>>
>>
>> The local=/vpn.../ line is already gone, only my base domain is local.
> This does not match the extract you gave above (which I marked with
> lines in this reply) where you have two lines where the domain part of
> the local= directive starts with "vpn."
>
> I infer that what you have in your working config is not
>
> 	server=/vpn.example.com/10.0.0.140
> 	local=/vpn.example.com/
>
> as indicated above, but actually
>
> 	server=/vpn.example.com/10.0.0.140 
> 	local=/example.com/
>
> and what you witness is that it works in this order, but will not work
> in that order:
>
> 	local=/example.com/
> 	server=/vpn.example.com/10.0.0.140
>
> Am I correct?
>


Yes, that was a typo on my part.  The actual config file has
local=/example.com/; I just typed the vpn into the email by accident.
The config file has no other local directives.

Also, your final observation is correct.  If local appears before
server, the queries to the subdomain fail.  If local appears after
server it works.  Just for fun I tried out a couple extra server lines
that point to entirely different domains outside of mine (e.g.
server=/example.org/1.2.3.4 where local=/example.com/).  In that case
the position of server and local doesn't matter; the query is forwarded
as I remembered from previous usage.  So there appears to be an
interaction between local and server when both contain the same domain
and the order must be from most specific to least specific.
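
An added example, not part of the original message and not dnsmasq's own code: a small Python lint that flags the ordering reported in this thread, where a broader local=/server= rule precedes a rule for one of its subdomains. The function names and sample configs are constructed for illustration, and the check encodes the behaviour as observed in this thread, not documented dnsmasq semantics.

```python
# Lint a dnsmasq config for the ordering reported in this thread (assumed behaviour).

# Constructed sample: the order reported as failing.
SAMPLE_FAILING = """\
# base domain answered locally
local=/example.com/
server=/vpn.example.com/10.0.0.140
server=/example.org/1.2.3.4
"""

# Constructed sample: the order reported as working.
SAMPLE_WORKING = """\
server=/vpn.example.com/10.0.0.140
local=/example.com/
server=/example.org/1.2.3.4
"""


def parse_domain_rules(text):
    """Return (line_no, domain, upstream) per domain in each server=/local= line."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        key, sep, value = raw.strip().partition("=")
        value = value.strip()
        if not sep or key.strip() not in ("server", "local") or not value.startswith("/"):
            continue
        # Syntax: /domain1/domain2/.../upstream ; an empty upstream means "local only".
        parts = value.split("/")
        for domain in parts[1:-1]:
            if domain:
                rules.append((line_no, domain.lower().rstrip("."), parts[-1]))
    return rules


def find_shadowed_subdomains(text):
    """Return (early_line, parent, late_line, child) where a subdomain rule follows
    a broader rule that sends queries somewhere else."""
    rules = parse_domain_rules(text)
    findings = []
    for i, (early_line, parent, parent_up) in enumerate(rules):
        for late_line, child, child_up in rules[i + 1:]:
            if child.endswith("." + parent) and child_up != parent_up:
                findings.append((early_line, parent, late_line, child))
    return findings


if __name__ == "__main__":
    for early, parent, late, child in find_shadowed_subdomains(SAMPLE_FAILING):
        print(f"line {late} ({child}) is shadowed by line {early} ({parent})")
```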


