<html theme="lavender"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head><body text="#000000"><br>
<span>Jake Howard wrote on 4/5/2020 6:48 AM:</span><br>
<blockquote type="cite"
cite="mid:a52f18d4-f550-470a-97ed-2bf0737ad241@www.fastmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title></title>
<style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style>
<blockquote type="cite" id="qt"><div><div><br></div></div><div>Dnsmasq
uses the _destination_ address of the query. I'm not familiar<br></div><div>with
Docker. Is it using NAT?<br></div></blockquote>
<div><br></div>
<div>Can't say i'm especially familiar with Docker's networking stack,
but it definitely looks and feels like something NAT-ish to me!<br></div>
<div>Interestingly enough, the log entry for where the query came from
is correctly detected, but I guess it's not using that address to
localise?<br></div>
<div><br>Thanks,<br></div>
<div>- Jake Howard<br></div>
</blockquote>
Default Docker iptables chains (for containers running published
services on 80/443)<br>
<br>
# Generated by xtables-save v1.8.2 on Sun Apr 5 20:00:11 2020<br>
*nat<br>
:PREROUTING ACCEPT [0:0]<br>
:INPUT ACCEPT [0:0]<br>
:POSTROUTING ACCEPT [0:0]<br>
:OUTPUT ACCEPT [0:0]<br>
:DOCKER - [0:0]<br>
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER<br>
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE<br>
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport
443 -j MASQUERADE<br>
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport
80 -j MASQUERADE<br>
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER<br>
-A DOCKER -i docker0 -j RETURN<br>
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT
--to-destination 172.17.0.4:443<br>
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
172.17.0.4:80<br>
COMMIT<br>
# Completed on Sun Apr 5 20:00:11 2020<br>
# Generated by xtables-save v1.8.2 on Sun Apr 5 20:00:11 2020<br>
*filter<br>
:INPUT ACCEPT [0:0]<br>
:FORWARD DROP [0:0]<br>
:OUTPUT ACCEPT [0:0]<br>
:DOCKER - [0:0]<br>
:DOCKER-ISOLATION-STAGE-1 - [0:0]<br>
:DOCKER-ISOLATION-STAGE-2 - [0:0]<br>
:DOCKER-USER - [0:0]<br>
-A FORWARD -j DOCKER-USER<br>
-A FORWARD -j DOCKER-ISOLATION-STAGE-1<br>
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j
ACCEPT<br>
-A FORWARD -o docker0 -j DOCKER<br>
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT<br>
-A FORWARD -i docker0 -o docker0 -j ACCEPT<br>
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport
443 -j ACCEPT<br>
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport
80 -j ACCEPT<br>
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j
DOCKER-ISOLATION-STAGE-2<br>
-A DOCKER-ISOLATION-STAGE-1 -j RETURN<br>
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP<br>
-A DOCKER-ISOLATION-STAGE-2 -j RETURN<br>
-A DOCKER-USER -j RETURN<br>
COMMIT<br>
# Completed on Sun Apr 5 20:00:11 2020<br>
<br>
Dan
<blockquote type="cite"
cite="mid:a52f18d4-f550-470a-97ed-2bf0737ad241@www.fastmail.com">
<div><br></div>
<div>On Sat, 4 Apr 2020, at 19:01, Simon Kelley wrote:<br></div>
<blockquote type="cite" id="qt"><div>On 31/03/2020 13:51, Jake Howard
wrote:<br></div><div>> Hello!<br></div><div>> <br></div><div>>
Had a breakthrough on what's going on, and it's down to a caveat I<br></div><div>>
missed when reading the man page on localise-queries:<br></div><div>> <br></div><div>>>
Return answers to DNS queries from /etc/hosts and *--interface-name*<br></div><div>>
which depend on the interface over which the query was received.<br></div><div>> <br></div><div>>
And of course, this issue has to do with docker. With Docker, even<br></div><div>>
though the container is listening on 2 different interfaces, and 2<br></div><div>>
different IPs, the inner container, and thus dnsmasq, only sees 1<br></div><div>>
interface, with all addresses coming from it. Hence localisation isn't<br></div><div>>
quite working.<br></div><div>> <br></div><div>> If I run dnsmasq
with the exact same config but on the host, where it<br></div><div>>
can see the different interfaces, works perfectly!<br></div><div>> <br></div><div>>
Testing was done in 2.79 and 2.76, with a config file practically<br></div><div>>
identical to your CLI arguments.<br></div><div>> <br></div><div>>
Technically, there's not a bug here per-say, but it'd be really handy
if<br></div><div>> there was a way of looking at the source IP when
determining which<br></div><div>> record to return rather than just
the interface?<br></div><div><br></div><div>Dnsmasq uses the
_destination_ address of the query. I'm not familiar<br></div><div>with
Docker. Is it using NAT?<br></div><div><br></div><div><br></div><div>Simon.<br></div><div><br></div><div><br></div><div>> <br></div><div>>
Thanks!<br></div><div>> <br></div><div>> On Mon, 30 Mar 2020, at
20:42, Simon Kelley wrote:<br></div><div>>> On 28/03/2020 20:38,
Jake Howard wrote:<br></div><div>>> > Hi,<br></div><div>>>
> <br></div><div>>> > My intention is to have 1 dnsmasq
instance, accessible over 2 interfaces<br></div><div>>> >
(listening on all), and have the response to a query differ based on the<br></div><div>>>
> interface, and therefore its incoming IP. From what i've read,
that's<br></div><div>>> > exactly what localise-queries is
meant to do, but it doesn't appear to<br></div><div>>> > be
unless I put the entries into /etc/hosts directly.<br></div><div>>><br></div><div>>><br></div><div>>>
OK, what you're expecting to happen and what I'm expecting to happen
are<br></div><div>>> the same. That's good.<br></div><div>>><br></div><div>>>
I just did a quick test, and it seems to work fine for me. The<br></div><div>>>
example.com addresses are in /tmp/hosts.<br></div><div>>><br></div><div>>><br></div><div>>>
srk@holly:~/dnsmasq/dnsmasq$ src/dnsmasq -d --log-queries<br></div><div>>>
--localise-queries -p 10000 --addn-hosts=/tmp/hosts<br></div><div>>>
dnsmasq: started, version 2.81rc4-5-gd162bee cachesize 150<br></div><div>>>
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n<br></div><div>>>
no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC<br></div><div>>>
loop-detect inotify dumpfile<br></div><div>>> dnsmasq: reading
/etc/resolv.conf<br></div><div>>> dnsmasq: using nameserver
127.0.1.1#53<br></div><div>>> dnsmasq: read /etc/hosts - 9
addresses<br></div><div>>> dnsmasq: read /tmp/hosts - 2 addresses<br></div><div>>>
dnsmasq: query[A] example.com from 127.0.0.1<br></div><div>>>
dnsmasq: /tmp/hosts example.com is 192.168.151.43<br></div><div>>>
dnsmasq: /tmp/hosts example.com is 192.168.150.43<br></div><div>>>
dnsmasq: query[A] example.com from 192.168.150.49<br></div><div>>>
dnsmasq: /tmp/hosts example.com is 192.168.150.43<br></div><div>>><br></div><div>>><br></div><div>>>
If it's not working for you, that's a bug, but we need to find what it<br></div><div>>>
is about your setup that tickles the bug.<br></div><div>>><br></div><div>>>
Can you boil it down to the simplest configuration that displays the<br></div><div>>>
problem, and also specify which version of dnsmasq you're using?<br></div><div>>><br></div><div>>><br></div><div>>>
cheers,<br></div><div>>><br></div><div>>> Simon.<br></div><div>>><br></div><div>>><br></div><div>>>
> <br></div><div>>> > Thanks,<br></div><div>>> > -
Jake Howard<br></div><div>>> > <br></div><div>>> > On
Sat, 28 Mar 2020, at 17:59, Simon Kelley wrote:<br></div><div>>>
>> On 19/03/2020 21:47, Jake Howard wrote:<br></div><div>>>
>> > Hello!<br></div><div>>> >> > <br></div><div>>>
>> > Is `localise-queries` meant to work against entries added
via <br></div><div>>> >> > `addn-hosts`? Querying a
record returns both IPs, but always in the<br></div><div>>>
>> same <br></div><div>>> >> > order. The order is
correctly fixed when the records are put in <br></div><div>>>
>> > `/etc/hosts` directly.<br></div><div>>> >><br></div><div>>>
>><br></div><div>>> >> Yes, localise-queries works
with entries added via addn-hosts, but it<br></div><div>>>
>> doesn't have anything to do with the order that records appear,
so that<br></div><div>>> >> doesn't address your problem.
What are you trying to achieve?<br></div><div>>> >><br></div><div>>>
>><br></div><div>>> >> Simon.<br></div><div>>>
>><br></div><div>>> >><br></div><div>>> >>
> <br></div><div>>> >> > Config:<br></div><div>>>
>> > <br></div><div>>> >> > ```<br></div><div>>>
>> > localise-queries<br></div><div>>> >> >
no-resolv<br></div><div>>> >> > cache-size=10000<br></div><div>>>
>> > log-queries<br></div><div>>> >> >
log-facility=/var/log/pihole.log<br></div><div>>> >> >
local-ttl=2<br></div><div>>> >> > log-async<br></div><div>>>
>> > server=8.8.8.8<br></div><div>>> >> >
server=8.8.4.4<br></div><div>>> >> > server=1.1.1.1<br></div><div>>>
>> > server=1.0.0.1<br></div><div>>> >> >
interface=eth0<br></div><div>>> >> >
server=/use-application-dns.net/<br></div><div>>> >> > <br></div><div>>>
>> > addn-hosts=/etc/vpn-hosts.conf<br></div><div>>>
>> > localise-queries<br></div><div>>> >> > <br></div><div>>>
>> > ```<br></div><div>>> >> > <br></div><div>>>
>> > This is from pihole, but AFAIK that shouldn't make a
difference<br></div><div>>> if I'm <br></div><div>>>
>> > modifying the config directly.<br></div><div>>>
>> > <br></div><div>>> >> > Would appreciate
some input, or being told i'm wrong!<br></div><div>>> >>
> <br></div><div>>> >> > Thanks,<br></div><div>>>
>> > <br></div><div>>> >> > - Jake Howard<br></div></blockquote>
</blockquote>
<br>
</body></html>