[Dnsmasq-discuss] Authoritative and recursive service from the same interface

Simon Kelley simon at thekelleys.org.uk
Fri Sep 28 21:26:18 BST 2018


On 28/09/18 02:33, Marc Heckmann wrote:
> Hello,
> 
> I'm currently running dnsmasq in a Docker container and have set up a
> domain for which dnsmasq is to be authoritative. This is to do
> subdomain delegation to the dnsmasq server. I am using the auth-server &
> auth-zone configuration options for this. This works as expected and is
> verifiable using dig with the "+norecurse" option to query for the NS
> and SOA records. However, as it's a Docker container, I only have and
> actually need a single interface (eth0) and when I specify eth0 in the
> "auth-server" option, i.e. "auth-server=<glue_record>,eth0", I noticed
> that it stops answering recursive queries for names that it is not
> authoritative for.
> 
> I worked around this by replacing "eth0" with an IP that is not present
> in the container's network namespace and dnsmasq now does what I want
> which is to answer to both non-recursive and recursive queries from the
> same interface.
> 
> My question is the following: Are there any side effects to this hack?
> Is there any reason why dnsmasq should not be able to provide recursive
> and authoritative service from the same interface? I can understand the
> security reasons for wanting to prevent this on an Internet exposed
> interface, but why not allow for an option to officially support
> providing both kinds of service on the same interface?
> 
> Thanks.
> 
> -m
> 
> 


This patch, in the pending 2.80 release, addresses this; it allows you
to omit the auth-server configuration and get both recursive and
authoritative answers on the interface(s) that dnsmasq is listening on.

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=397c0502e255ea0a470982666dea93e0b2f52043



Cheers,

Simon.

