[Dnsmasq-discuss] Restrict DNS reply to specific clients

Albert ARIBAUD albert.aribaud at free.fr
Wed Feb 3 11:50:47 GMT 2016


Hi again Guy,

Le Wed, 3 Feb 2016 12:24:26 +0100
"Guy Wijnants" <Guy.Wijnants at Imtech-Telecom.Be> wrote:

> Hi Albert,
> 
> Thank you for the quick response.
> You can compare our DNS server as kind of an ISP DNS server in the
> way that it hosts public domains and acts as DNS resolver for our
> clients. If I enable dnsmasq all queries are passed to dnsmasq to
> check whether the domain needs to be blocked, if it does not need to
> be blocked dnsmasq will pass the query through to the named service
> which further handles the query. But dnsmasq does not have something
> like the allow option to limit the hosts that can query the server.
> 
> Situation now:
> Everyone can set our DNS server as their primary DNS server as
> dnsmasq does not filter to who can query the DNS server. In the named
> service you have the option to filter who can query the DNS server
> (allow-recursion function). But because our dnsmasq speaks to the
> named service using its own IP, the named service always allows the
> query and no filtering is done whatsoever. Example: Our server is
> master of the public domain www.iammaster.com. You at home set our DNS
> server (we give it IP 193.0.0.1) as your primary DNS server. You query
> www.google.com and our server WILL respond with the corresponding IP.
> You query www.iammaster.com and our server WILL respond with the
> corresponding IP. Our clients (in network 192.168.0.0/24) set our
> server as their primary DNS server and query www.google.com and our
> server WILL respond with the corresponding IP.
> 
> Situation I need:
> People from the internet cannot set our DNS server as their primary
> DNS; our clients, with network for example 192.168.0.0/24, can query
> our DNS server. Our DNS server of course still responds to queries
> for the public domains it is master of. Example: You at home set
> our DNS server (we give it IP 193.0.0.1) as your primary DNS server.
> You query www.google.com and our server WILL NOT respond, as you are
> not allowed to query our server. You set a different DNS server as
> your primary DNS (8.8.8.8 for example) and you query
> www.iammaster.com and our server WILL respond with the corresponding
> IP for this domain. Our clients (in network 192.168.0.0/24) set our
> server as their primary DNS server and query www.google.com and our
> server WILL respond with the corresponding IP. Our clients query
> www.iammaster.com and our server WILL respond with the corresponding
> IP for this domain.
> 
> Configuration now:
> Dnsmasq listens on IP 193.0.0.1 port 53; when the site is allowed to be
> resolved, dnsmasq passes the request to 193.0.0.1:5353 (where our
> named service listens). The 'allow-recursion { localhost;
> x.x.x.x/24; y.y.y.y/24; };' is bypassed, as dnsmasq uses 193.0.0.1 (or
> localhost) as source address (and not the originating source IP of
> the requestor) for the query.
> 
> Thanks in advance for your support!

IIUC, what you want is two different things:

- a general name server for your internal network users to use, either
  by hard-coding it in their /etc/resolv.conf or through a DHCP option.
  This server needs at least one recursive-able server as its upstream,
  and only needs to be accessed from inside your network;

- an authoritative name server for some domains, for external use
  through the NS entry in these domains' zone files. That server does
  not need any upstream, and only needs to be accessed from outside
  your network.

Ideally these two services should be run by two different dnsmasq
instances, the general one inside your LAN and the authoritative one
facing outside; this would ensure the authoritative instance could not
act as an open DNS and possibly as a participant in a DNS amplification
attack.

If you really need a single instance, then I suspect you run it on a
machine which has two interfaces, one with a LAN IP, one with the
public IP corresponding to the NS entries in the zone files of your
domains. In that case, --auth-server may be the option you need.

That way, outside users would be unable to reach the server through
the 'LAN' interface, and would therefore only be able to access the
authoritative [part of the] server, which would not answer queries
other than for the domains you have set it up with.

> Best regards,
> 
> Guy

Kind regards,
-- 
Albert.
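As an added illustration (not from Albert's or Guy's mail, and not taken from dnsmasq's own documentation), the two-instance layout Albert describes, written as two dnsmasq configuration files run side by side. The interface names eth0/eth1 and the ns1 host name are assumptions; Guy's example values 193.0.0.1, 192.168.0.0/24 and iammaster.com are reused as placeholders.

```ini
# --- /etc/dnsmasq-lan.conf : general resolver, reachable only from the LAN ---
# Constructed example: eth1 is assumed to carry a 192.168.0.0/24 address.
pid-file=/run/dnsmasq-lan.pid
interface=eth1          # listen on the LAN-side interface only
bind-interfaces         # really bind to that interface, never to 193.0.0.1
local-service           # additionally drop queries from off-subnet sources
no-resolv               # ignore /etc/resolv.conf, use only the server= line
server=193.0.0.1#5353   # forward non-blocked names to named (Guy's setup)
# hypothetical blocklist entry: sink a domain so named never sees it
address=/blocked.example/0.0.0.0

# --- /etc/dnsmasq-auth.conf : authoritative only, facing the internet ---
# Constructed example: eth0 is assumed to hold the public 193.0.0.1.
pid-file=/run/dnsmasq-auth.pid
interface=eth0
bind-interfaces
no-resolv               # no upstream at all: this instance never recurses
no-hosts                # do not leak /etc/hosts entries into the zone
auth-server=ns1.iammaster.com,eth0   # authoritative mode on the public side
auth-zone=iammaster.com
host-record=ns1.iammaster.com,193.0.0.1
host-record=www.iammaster.com,193.0.0.1

# Start each file as its own instance:
#   dnsmasq -C /etc/dnsmasq-lan.conf
#   dnsmasq -C /etc/dnsmasq-auth.conf
```

With this split, a query for www.google.com sent to 193.0.0.1 from the internet is refused rather than resolved, while www.iammaster.com is still answered authoritatively; LAN hosts on eth1 get full resolution through named.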