[Dnsmasq-discuss] dnsmasq to provide public DNS service

/dev/rob0 rob0 at gmx.co.uk
Thu Jul 14 15:33:34 BST 2016


On Thu, Jul 14, 2016 at 03:35:58PM +0200, Albert ARIBAUD wrote:
> Le Thu, 14 Jul 2016 00:21:20 +0000 (UTC)
> T o n g <mlist4suntong at yahoo.com> a écrit:
> 
> > After struggling for a few days, I finally decided that I should 
> > reply, to bring some closure on this. Thank you for all these 
> > days of your tireless help. However, my conclusion is still the 
> > same as my first post -- dnsmasq is unable to provide public DNS 
> > service -- It can be used as DNS server for local host, or local 
> > network, but just not for the general public. We've ruled out 
> > everything possible, and the only thing left is dnsmasq.
> 
> Your conclusion is wrong; the only thing you can conclude from your 
> trials is that dnsmasq will not operate properly in an environment 
> which does not conform to Internet standards -- and *that* is 
> hardly a surprise.

Agreed.  One simple way to test (and to disprove) Tong's conclusion 
is to try it with other software, BIND or unbound or pdns-recursor,
for example, and to see how those work.

> > I.e., if there is any problem with my ISP or my hosting provider, I 
> > wouldn't have been able to start a working second SSH session
> > listening to port 53 (instead of 22). 
> 
> You are again not concluding properly. DNS requires *UDP* port 53 as
> well as *TCP* port 53. Your assumption that DNS somehow can do with
> *TCP* port 53 alone is unfounded and plain wrong.
> 
> > In other words, all else the same, swap in SSH to listen to port 53,
> > it works; swap in dnsmasq, and it fails. With all else the same,
> > dnsmasq is the only problem. 
> 
> This experiment only proves that *TCP* port 53 works between your 
> home and box, but that was already proven by previous tests I 
> suggested. However, dnsmasq requires *UDP* port 53 -- and due to a 
> crippled access, you cannot use that UDP port, contrary to a 
> considerable quantity of other persons who daily prove that dnsmasq 
> can be used way beyond a LAN.

I'll agree that dnsmasq as an authoritative server to the Internet 
might not be insane, but dnsmasq as resolver for an ISP or larger 
network is not a good idea.  It's only forwarding queries, not
actually doing the recursion itself.

> > Thanks anyway for all your help. 
> 
> You're welcome. :)

And a very good job on your part for trying to help.  Unfortunately 
this matter feels very much like an "XY" problem: "I want to do X, I 
think Y would do it for me, so I am asking how to do Y."  As is 
common in such cases, "Y" makes little sense.

If Tong should decide to bring this up again, I would strongly 
suggest asking about "X", the real goal.  
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
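The distinction Albert draws above (an SSH session on port 53 only proves TCP/53 reaches the box, while a resolver also needs UDP/53) can be checked directly by sending the same DNS query over both transports. The script below is an added example, not code from the thread or from dnsmasq; it uses only the Python standard library, and the server address and query name are placeholders you replace with your own box and a name it should answer for. A UDP timeout alongside a TCP answer is exactly the "crippled access" described in the reply, and is not a dnsmasq bug.

```python
"""Probe UDP/53 and TCP/53 separately with a real DNS query.

Added example for the thread above; not part of the original post.
Builds a minimal RFC 1035 query, sends it once as a UDP datagram and
once over TCP (with the 2-byte length prefix TCP DNS requires), and
decodes the response header of each.
"""
import random
import socket
import struct
from typing import Optional


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a DNS query for qname/qtype (default A), class IN, RD set."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),       # response bit
        "tc": bool(flags & 0x0200),       # truncated: client should retry over TCP
        "rcode": flags & 0x000F,          # 0 = NOERROR, 3 = NXDOMAIN, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def frame_tcp(query: bytes) -> bytes:
    """TCP DNS framing (RFC 1035 4.2.2): big-endian 16-bit length prefix."""
    return struct.pack("!H", len(query)) + query


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf


def query_udp(server: str, qname: str, timeout: float = 3.0) -> Optional[dict]:
    """Send the query as one UDP datagram to server:53; None on timeout."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    if hdr["id"] != parse_header(q)["id"]:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    return hdr


def query_tcp(server: str, qname: str, timeout: float = 3.0) -> Optional[dict]:
    """Send the same query over TCP to server:53; None if it cannot complete."""
    q = build_query(qname)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(frame_tcp(q))
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except (OSError, ValueError):
        return None
    return parse_header(data)


if __name__ == "__main__":
    import sys
    # Placeholders: 192.0.2.1 is TEST-NET-1, example.com is a reserved name.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print("UDP/53:", query_udp(server, name) or "no answer (UDP blocked or filtered?)")
    print("TCP/53:", query_tcp(server, name) or "no answer")
```

Run it from the client side against the public address of the dnsmasq box (`python3 probe53.py <server-ip> <name>`). If TCP returns a header with `qr` set and UDP returns nothing, the UDP path is what needs fixing, at the provider firewall or security group, not in dnsmasq; if the answer carries `tc`, a UDP-only client would have to retry over TCP anyway, which is why both ports must be open.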