> Simon Kelley (simon@...) wrote on 7 March 2011 21:44:<br>> >So, can somebody set down under exactly what circumstances being able to<br>> >set an NS record in dnsmasq would be useful? It's clearly pretty easy to<br>
> >add as a feature, but I'm not sure why the need.<br><br>Hello Simon,<br>(...resurrecting <a href="http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4721">http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4721</a>)<br>
i'm currently trying to make clients of a wireless community network have public resolvable addresses.<br>This wouldn't make much sense in ipv4 world where leases are in private ranges,<br>but it does make a lot of sense combined with dnsmasq nifty (and certainly unique) feature of ra-names, since SLAAC addresses are global :)<br>
<br>I have to overcome 3 difficulties:<br>1) My dnsmasq server is reachable on ipv6 only (ipv4 is not public)<br>2) <a href="http://nic.ar">nic.ar</a> (registrar) doesn't support setting ipv6 NS records at all.<br>3) dnsmasq doesn't offer NS records for a local=/domain/<br>
<br>To overcome (1) and (2), in the registrar I've pointed <a href="http://deltalibre.org.ar">deltalibre.org.ar</a> NS records to the public ipv4 of a dual-stack server, running bind9.<br>That bind9 has a zone defined <a href="http://esperita.deltalibre.org.ar">esperita.deltalibre.org.ar</a> as "forward-only" and forwarders clause pointing to the ipv6 of dnsmasq server.<br>
[So in effect, the bind9 acts as a "man in the middle" between my ipv4-only registrar, and my ipv6-only dnsmasq.]<br>So far so good.<br><br>Problem is, when i "dig -t NS @<a href="http://8.8.8.8">8.8.8.8</a> <a href="http://esperita.deltalibre.org.ar">esperita.deltalibre.org.ar</a>", i get a SERVFAIL :(<br>
<br>This prevents me from querying anything inside that subdomain; digging <a href="http://colmena.esperita.deltalibre.org.ar">colmena.esperita.deltalibre.org.ar</a> also gives back a SERVFAIL<br><br>(querying the dnsmasq server directly works)<br>
<br>$ dig -t AAAA @2a00:1508:1:f003::1 <a href="http://colmena.esperita.deltalibre.org.ar">colmena.esperita.deltalibre.org.ar</a> +nocmd +nocomments<br>;<a href="http://colmena.esperita.deltalibre.org.ar">colmena.esperita.deltalibre.org.ar</a>. IN AAAA<br>
<a href="http://colmena.esperita.deltalibre.org.ar">colmena.esperita.deltalibre.org.ar</a>. 600 IN AAAA 2a00:1508:1:f003:fad1:11ff:fe50:4757<br>;; Query time: 116 msec<br>;; SERVER: 2a00:1508:1:f003::1#53(2a00:1508:1:f003::1)<br>
;; WHEN: Thu Nov 1 18:42:33 2012<br>;; MSG SIZE rcvd: 80<br><br>If i could get the dnsmasq running at 2a00:1508:1:f003::1 to reply with an NS record pointing to itself, when queried about <a href="http://esperita.deltalibre.org.ar">esperita.deltalibre.org.ar</a>, all this scheme should work.<br>
<br>Which would in turn be a *very* elegant and simple way of handling DNS resolving for clients. A kind of "dyndns" service of the future :)<br><br>What do you think? would that be an argument for implementing this into dnsmasq?<br>
(or maybe there's another way to do this i'm overlooking)<br>(dnsmasq is running on a space-tight openwrt, so running bind9+dnsmasq is not an option)<br><br>Thanks and cheers!<br><br>Gui<br><br>ps. original thread and arguments follow:<br>
<br>> >(Being able to return NS records for arbitrary domains looks like a<br>> >really good way to confuse the unwary, but that's maybe a different point)<br>> <br>> It's not for arbitrary domains, it's only for the zone it's<br>
> authoritative. The one that has local=/my.zone/ in the config.<br>> <br>> I've made some tests and it seems that answering NS queries is not<br>> only a "good behavior", it's essential. They're shown bellow; the<br>
> domain is of a new university here.<br>> <br>> Objective: make dnsmasq the authoritative zone server, because it has<br>> all the info, both for static names and for dhcp-assigned ones.<br>> <br>> We're using (for now...) ISC named as the recursor, in a different<br>
> machine. Both would be listed as dns servers for the domain in the<br>> national registrar:<br>> <br>> named: 200.134.33.2<br>> dnsmasq: 200.134.33.10<br>> <br>> named is configured as cache-only but forwarding requests to dnsmasq<br>
> for the zone. This is named.conf.local:<br>> <br>> zone "<a href="http://unila.edu.br">unila.edu.br</a>" {<br>> type forward;<br>> forward only;<br>> forwarders { 200.134.33.10; }; <===== dnsmasq machine<br>
> };<br>> <br>> zone "33.134.200.in-addr.arpa" {<br>> type forward;<br>> forward only;<br>> forwarders { 200.134.33.10; };<br>> };<br>> <br>> dnsmasq is configured as (dns part only)<br>
> <br>> addn-hosts=/etc/dnsmasq/hosts<br>> log-queries<br>> local=/<a href="http://unila.edu.br/">unila.edu.br/</a><br>> local=/33.134.200.in-addr.arpa/<br>> server=200.134.33.2 <===== named machine<br>
> bind-interfaces<br>> localise-queries<br>> bogus-priv<br>> filterwin2k<br>> no-resolv<br>> no-poll<br>> stop-dns-rebind<br>> mx-host=<a href="http://unila.edu.br">unila.edu.br</a>,<a href="http://unila2.unila.edu.br">unila2.unila.edu.br</a><br>
> cname=<a href="http://mx.unila.edu.br">mx.unila.edu.br</a>,<a href="http://unila2.unila.edu.br">unila2.unila.edu.br</a><br>> cname=<a href="http://correio.unila.edu.br">correio.unila.edu.br</a>,<a href="http://unila2.unila.edu.br">unila2.unila.edu.br</a><br>
> domain-needed<br>> <br>> Summary: named is cache-only and send all queries about <a href="http://unila.edu.br">unila.edu.br</a><br>> to dnsmasq, while dnsmasq answers all queries about <a href="http://unila.edu.br">unila.edu.br</a> by<br>
> itself and send everything else to named.<br>> <br>> The setup works IFF you ask the servers directly:<br>> <br>> % host <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> 200.134.33.10<br>> <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> A 200.134.33.254<br>
> <br>> % host <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> 200.134.33.2<br>> <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> A 200.134.33.254<br>> <br>> and the dnsmasq log shows the query from named:<br>
> <br>> Mar 8 13:18:31 dnsmasq[27535]: query[A] <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> from 200.134.33.2<br>> Mar 8 13:18:31 dnsmasq[27535]: /etc/dnsmasq/hosts <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> is 200.134.33.254<br>
> <br>> which shows the named forward works.<br>> <br>> However queries without the explicit nameserver don't work:<br>> <br>> % host <a href="http://parana.unila.edu.br">parana.unila.edu.br</a> <br>
> ;; connection timed out; no servers could be reached<br>> <br>> % dig <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> +trace <br>> <br>> ; <<>> DiG 9.7.2-P3 <<>> <a href="http://unila1.unila.edu.br">unila1.unila.edu.br</a> +trace<br>
> ;; global options: +cmd<br>> . 358303 IN NS <a href="http://c.root-servers.net">c.root-servers.net</a>.<br>> . 358303 IN NS <a href="http://f.root-servers.net">f.root-servers.net</a>.<br>
> . 358303 IN NS <a href="http://e.root-servers.net">e.root-servers.net</a>.<br>> . 358303 IN NS <a href="http://a.root-servers.net">a.root-servers.net</a>.<br>
> . 358303 IN NS <a href="http://m.root-servers.net">m.root-servers.net</a>.<br>> . 358303 IN NS <a href="http://g.root-servers.net">g.root-servers.net</a>.<br>
> . 358303 IN NS <a href="http://i.root-servers.net">i.root-servers.net</a>.<br>> . 358303 IN NS <a href="http://d.root-servers.net">d.root-servers.net</a>.<br>
> . 358303 IN NS <a href="http://h.root-servers.net">h.root-servers.net</a>.<br>> . 358303 IN NS <a href="http://b.root-servers.net">b.root-servers.net</a>.<br>
> . 358303 IN NS <a href="http://l.root-servers.net">l.root-servers.net</a>.<br>> . 358303 IN NS <a href="http://j.root-servers.net">j.root-servers.net</a>.<br>
> . 358303 IN NS <a href="http://k.root-servers.net">k.root-servers.net</a>.<br>> ;; Received 272 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms<br>> <br>> br. 172800 IN NS <a href="http://f.dns.br">f.dns.br</a>.<br>
> br. 172800 IN NS <a href="http://e.dns.br">e.dns.br</a>.<br>> br. 172800 IN NS <a href="http://c.dns.br">c.dns.br</a>.<br>> br. 172800 IN NS <a href="http://a.dns.br">a.dns.br</a>.<br>
> br. 172800 IN NS <a href="http://d.dns.br">d.dns.br</a>.<br>> br. 172800 IN NS <a href="http://b.dns.br">b.dns.br</a>.<br>> ;; Received 289 bytes from 128.8.10.90#53(<a href="http://d.root-servers.net">d.root-servers.net</a>) in 156 ms<br>
> <br>> <a href="http://unila.edu.br">unila.edu.br</a>. 86400 IN NS <a href="http://ns.unila.edu.br">ns.unila.edu.br</a>.<br>> <a href="http://unila.edu.br">unila.edu.br</a>. 86400 IN NS <a href="http://ns2.unila.edu.br">ns2.unila.edu.br</a>.<br>
> ;; Received 104 bytes from 200.219.159.10#53(<a href="http://f.dns.br">f.dns.br</a>) in 9 ms<br>> <br>> ;; connection timed out; no servers could be reached<br>> <br>> Note that the query doesn't reach dnsmasq. Is it because it doesn't<br>
> have NS or something else is amiss?<br>> <br>> Of course, with named configured for answering the zone<br>> authoritatively it works.<br>> <br><br><br><br>