[Dnsmasq-discuss] How to declare dnsmasq as authoritative for the 10.x subnet?

Wojtek Swiatek w at swtk.info
Mon Sep 10 12:50:47 BST 2018


Hello Simon

On Sat, 8 Sept 2018 at 17:20, Simon Kelley <simon at thekelleys.org.uk>
wrote:

>
> auth-zone specifies the zone within the domain-name tree first, then
> (optionally) the subnet range which gets served for reverse queries, so
> something like
>
> auth-zone=swtk.info/0.0.0.0/8
>
> would do the trick.
>
> The important thing to understand about dnsmasq is that it continues to
> work as a normal DNS forwarder, and only acts as an authoritative server
> when queries arrive at a particular interface or address. Typically,
> it's acting as DNS forwarder on "internal" networks, and as
> authoritative when queries arrive from the "internet" side of the router
> it's running on. To tell it which queries to answer in authoritative
> mode, you need to use the --auth-server configuration.
>
>
I am a bit confused because the manpage mentions only commas in auth-zone
but I tried your version anyway and it does not work. The complete setup
for the authoritative part is now

auth-server=srv.swtk.info,lan0,br0
auth-zone=swtk.info,10.0.0.0/8,lan0,br0
auth-sec-servers=rpi1,bind

This is a result of several rounds of trial and error and it is the one which
comes closest to the solution, as the bind server now states

Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: connected using 10.200.0.158#38535
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: failed while receiving responses: SERVFAIL
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: Transfer status: SERVFAIL
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001
secs (0 bytes/sec)

I believe that dnsmasq is not authoritative but does not allow for the
transfer from the secondary.
What is particularly weird is that the direct resolution (for domain
swtk.info) is transferred correctly. It looks like this is specifically the
transfer of the 10.x zone which is problematic.



> There's quite a long step-by-step guide to setting up auth mode as a
> separate section of the man page. It's worth reading that.
>

Yes, I did read it several times (if you mean the "AUTHORITATIVE
CONFIGURATION" section)

Cheers
Wojtek
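
Added example, not part of the original message and not dnsmasq or BIND project code: a Python script that rejoins the mail-wrapped named log lines quoted above and reports the last transfer status per zone, so a failing reverse zone stands out next to a working forward zone. The two swtk.info lines in the sample are constructed, and the function names are hypothetical.

```python
import re
# Sample input: the wrapped log lines quoted in the message, followed by two
# constructed lines for the forward zone (their counts and sizes are made up).
SAMPLE_LOG = """\
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: connected using 10.200.0.158#38535
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: failed while receiving responses: SERVFAIL
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: Transfer status: SERVFAIL
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001
secs (0 bytes/sec)
Sep 10 13:45:38 bind named[11209]: transfer of 'swtk.info/IN' from 10.100.10.254#53: Transfer status: success
Sep 10 13:45:38 bind named[11209]: transfer of 'swtk.info/IN' from 10.100.10.254#53: Transfer completed: 1 messages, 12 records, 431 bytes, 0.001 secs (431000 bytes/sec)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
XFER = re.compile(r"transfer of '(?P<zone>[^'/]+)/\w+' from (?P<primary>[\w.:]+)#\d+: (?P<msg>.*)$")
STATUS = re.compile(r"Transfer status: (\S+)")
COMPLETED = re.compile(r"Transfer completed: \d+ messages, (\d+) records")

def unwrap(text):
    """Rejoin mail-wrapped lines: a new record starts with a syslog timestamp."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def transfer_summary(text):
    """Map each zone to its primary, last reported status and record count."""
    zones = {}
    for rec in unwrap(text):
        m = XFER.search(rec)
        if not m:
            continue
        entry = zones.setdefault(m["zone"], {"primary": m["primary"], "status": None, "records": None})
        if s := STATUS.search(m["msg"]):
            entry["status"] = s.group(1)
        if c := COMPLETED.search(m["msg"]):
            entry["records"] = int(c.group(1))
    return zones

def failed_zones(text):
    """Zones whose transfer reported a status other than success."""
    return sorted(z for z, e in transfer_summary(text).items() if e["status"] not in (None, "success"))
```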