[Dnsmasq-discuss] Minimal config: small # of A records, no upstream server

Geert Stappers stappers at stappers.nl
Fri Jul 3 06:39:27 BST 2020


On Thu, Jul 02, 2020 at 08:44:02PM -0700, Frank wrote:
> On Jul 2, 2020, at 7:18 PM, Johnny Utahh <lists.thekelleys.org.uk at johnnyutahh.com> wrote:
> > On 2020-07-02 12:57 PM, Geert Stappers wrote:
> >> On Thu, Jul 02, 2020 at 06:16:49AM -0500, Johnny Utahh wrote:
> >>> On 2020-07-02 2:18 AM, Geert Stappers wrote:
> >>>> On Wed, Jul 01, 2020 at 10:06:36PM -0500, Johnny Utahh wrote:
> >>>>> Hello,
> >>>>> 
> >>>>> Do I need to make any edits/additions to the dnsmasq.conf below to support
> >>>>> the following scenario?
> >>>>> 
> >>>>> Ubuntu 20.04
> >>>>> dnsmasq 2.80
> >>>>> 
> >>>>> Details:
> >>>>> 
> >>>>> I want to provide a _minimal_ DNS server. It *only* serves a few A records
> >>>>> (from /etc/hosts).
> >>>>> 
> >>>>> A key point: I want to make sure it does NOTHING else. No
> >>>>> upstream-DNS-server/service connection. Any DNS requests sent to said server
> >>>>> outside of the /etc/hosts A-record list will fail. Further: no DHCP, tftp,
> >>>>> or any others. All of the other bells and whistles I do not know about: I
> >>>>> want them disabled, too. Just plain old proper DNS records serving and
> >>>>> associated error-condition handling.
> >>>>> 
> >>>>> Additionally, the dnsmasq-based DNS server will bind/interface/respond-to
> >>>>> only `eth8`.
> >>>>> 
> >>>>> 
> >>>>>     /etc/dnsmasq.conf:
> >>>>>     interface=eth8
> >>>>>     no-dhcp-interface=eth8
> >>>>> 
> >>>> That is indeed not enough for the desired use case.
> >>>> 
> >>> Thanks, quite good to know. What edits or additions (to the following
> >>> `/etc/dnsmasq.conf` or any other file) are needed to serve this use case?
> >> Something that tells Dnsmasq to do non default things.
> >> 
> >>   server=127.0.0.1#13131
> >> 
> >> The idea is that dnsmasq does go searching for an upstream DNS. That it
> >> uses localhost  port 13131.  With nothing at 13131 should result in
> >> a "nothing here" and thus ending the DNS resolve attempt. If that truely
> >> gets back to the DNS client as "hostname not found" is unknown to me.
> >> 
> >> In other words: Default behaviour of dnsmasq is to use the DNS available
> >> to the host.  Original Poster doesn't want that, so should do something
> >> extra to prevent.  But be aware that I never have travelled that road.
> >> Euh yes, I would like to hear how it went.
> > 
> > I'm presuming the only issue here is preventing searches and potential
> > "uplinks" with upstream DNS nameservers and that "disabling all
> > other features" is addressed by the following settings:
> > 
> >     /etc/dnsmasq.conf:
> >     port=[myport]
> >     no-resolv
> >     no-poll
> >     interface=eth8
> >     no-dhcp-interface=eth8
> >     no-hosts
> >     addn-hosts=/etc/dnsmasq_a_records
> >     domain=[mydomain.tld]
> > 
> >> The idea is that dnsmasq does go searching for an upstream DNS.
> > 
> > Okay, copy that, very helpful. It seems dnsmasq is currently
> > determined to hunt for upstream namesevers and there's no elegant
> > way to disable this... but I explore this point more-exhaustively
> > with these points/comments:
> > 
> > 1. I'm surprised there's no directive/setting to specifically prevent
> > dnsmasq from searching for an upstream DNS. If so: why is my scenario
> > (seemingly?) rare enough that such a feature (presumably?) was
> > not needed?  While this use case is not predominate, this does not
> > seem like an uncommon use case, namely for "isolated VPNs."
> > 
> > 2. Does `no-resolv` + `no-poll` effectively implement the feature
> > described in #1?
> > 
> > 3. I'm happy to implement `server=127.0.0.1#[unused_port_number]`
> > to effectively provide the feature described in #1. However, I'm
> > concerned about a couple, potential, derivative behaviors:
> > 
> > 3.a.  How certain are we that this "workaround" completely disables
> > the upstream searching/connections?
> > 
> > 3.b. Minor concern: does a continual attempt to connect with a
> > non-served port (especially if it's a UDP request) effectively create
> > some performance degradation over time (particularly if "reconnects"
> > are attempted frequently)?
> > 
> > 4. Are there truly, absolutely no other options to prevent
> > upstream-nameserver searches?  Does someone besides Geert have any
> > direct experience with or hear of others trying this?
> > 
> > 5. If I restrict the interface bindings to a VPN-only ethernet device
> > (that is itself isolated from the public internet), does this help
> > with this "upstream searching restriction"?
> > 
> 
> no-resolv
> no-poll
> 
> Assuming the man page is correct, those are the two options you want
> to prevent DNS from being forwarded. Don’t put a server statement
> in your config as Geert is suggesting.

Acknowledge on that.
 

> > In any case, I will test this approach and report back what I find.

Looking forward to it.



Regards
Geert Stappers
-- 
Silence is hard to parse



More information about the Dnsmasq-discuss mailing list