<div dir="ltr"><span id="gmail-docs-internal-guid-dbe70189-7fff-45cb-3bf6-e9c8f8104402"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Hi,</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">We have our own DNS proxy implemented, and we are trying to integrate it into our existing network stack that currently contains NetworkManager + dnsmasq. The plan is for our network stack to contain NetworkManager + dnsmasq + our DNS proxy.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">There is a problem I can’t solve, and I was wondering if you could point me in the right direction.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Our DNS proxy runs locally, listens on a local address (e.g. 127.8.8.8), and proxies all incoming DNS queries to a DNS server via DNS-over-HTTPS. It has to do some other things too; that’s the reason we had to implement our own DNS proxy in the first place.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">1) We would like dnsmasq to send DNS queries to our proxy first; and if the proxy misbehaves and does not respond to a DNS query within a period of time, we would like dnsmasq to send the same query to the network-provided DNS server. To implement this behavior, we are dropping a config file into /etc/NetworkManager/dnsmasq.d, and the config has a line like “server=127.8.8.8”.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">If I read the dnsmasq source code correctly, in the presence of this config file dnsmasq will always keep 127.8.8.8 as the primary resolver, and the network-provided DNS server will be used as the secondary resolver. The information about the network-provided DNS server is provided by NetworkManager via dbus; after the machine gets connected to a new network, NetworkManager will send an update to dnsmasq (using SetServers/SetServersEx or a similar message), and dnsmasq will only update the secondary resolver, but it will keep 127.8.8.8 as the primary one.
Is my understanding correct?</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">2) Now we get to the problem I am trying to solve. Our proxy needs to detect whether we are behind a captive portal. A common way to detect captive portals is to open a specific URL and check the result. (Our proxy is using </span><a href="http://connectivitycheck.gstatic.com/generate_204" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">http://connectivitycheck.gstatic.com/generate_204</span></a><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">.) The problem is that this method works only if the network-provided DNS server is used for resolving <a href="http://connectivitycheck.gstatic.com">connectivitycheck.gstatic.com</a>. 
Unfortunately, with the config described in (1), dnsmasq will send the DNS query for <a href="http://connectivitycheck.gstatic.com">connectivitycheck.gstatic.com</a> to our proxy rather than the network-provided DNS server, and the detection method does not work in this case.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">I’ve been looking at potential solutions, and I could see a few options.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">2.a) Find another way to detect captive portals. Some way that does not attempt to reach any URLs.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">2.b) Could dnsmasq be configured to send DNS queries for a specific domain name straight to the secondary resolver? 
Then we would configure dnsmasq to ignore the primary resolver 127.8.8.8 and use the network-provided DNS server when resolving </span><span style="font-size:11pt;font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline"><a href="http://connectivitycheck.gstatic.com">connectivitycheck.gstatic.com</a></span><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">I have found options in the configs that allow sending a specific domain to a specific DNS server address, but that is not exactly what we need, as we do not know the address of the network-provided DNS server in advance.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">2.c) If our proxy could know the address of the network-provided DNS server, it could use that specific DNS address when reaching </span><a href="http://connectivitycheck.gstatic.com/generate_204" style="text-decoration-line:none"><span style="font-size:11pt;font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">http://connectivitycheck.gstatic.com/generate_204</span></a>.</p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">The problem is that only dnsmasq holds the information about the current network-provided DNS server, and I could not find any way to get this information from dnsmasq via dbus. dnsmasq supports messages like “SetServers” but nothing like “GetServers”.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Is getting the network-provided DNS server (or, alternatively, the full list of DNS servers) something that is or could be supported by dnsmasq?</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Thanks,</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11pt;font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Evgeny</span></p></span></div>
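Options 2.b and 2.c above both need the address of the network-provided resolver, which dnsmasq does not expose but NetworkManager does. The following is an added example, not code from the mail, from dnsmasq or from NetworkManager: it turns NetworkManager's DnsManager D-Bus `Configuration` property into a dnsmasq.d fragment in which everything goes to the proxy at 127.8.8.8 and only the captive-portal probe name is pinned, via `server=/domain/address`, to the link-provided resolver, so that single name is the only one that bypasses the DoH proxy. The property layout assumed here (a list of dicts with `nameservers`, `interface`, `priority`, `vpn`, lower priority winning) and the D-Bus object path are assumptions; the sample configuration is constructed.

```python
"""Derive a dnsmasq.d fragment from NetworkManager's DNS configuration.

Added example. It assumes the D-Bus object /org/freedesktop/NetworkManager/DnsManager
(interface org.freedesktop.NetworkManager.DnsManager) has a "Configuration" property
that is a list of dicts with keys "nameservers", "interface", "priority" and "vpn",
and that a lower "priority" value is preferred. SAMPLE_CONFIG is constructed data.
"""

PROBE_DOMAIN = "connectivitycheck.gstatic.com"   # captive-portal probe name from the mail
PROXY_ADDR = "127.8.8.8"                         # local DoH proxy address from the mail


def pick_network_nameservers(config):
    """Return the nameservers of the preferred non-VPN link entry, or [] if none.
    VPN entries are skipped on purpose: a captive portal sits on the physical link."""
    candidates = [e for e in config if e.get("nameservers") and not e.get("vpn")]
    if not candidates:
        return []
    best = min(candidates, key=lambda e: e.get("priority", 0))
    return [str(ns) for ns in best["nameservers"]]


def dnsmasq_lines(config, probe_domain=PROBE_DOMAIN, proxy=PROXY_ADDR):
    """Build the fragment: default upstream is the proxy; only probe_domain is sent
    to the network-provided resolver(s). With no known link resolver, only the proxy
    line is emitted, so the probe name never quietly goes to an unknown upstream."""
    lines = [f"server={proxy}"]
    for ns in pick_network_nameservers(config):
        lines.append(f"server=/{probe_domain}/{ns}")
    return lines


def fetch_nm_dns_configuration():
    """Read the live property over D-Bus (needs python3-dbus and a running NM)."""
    import dbus  # imported lazily so the pure functions above work offline
    bus = dbus.SystemBus()
    obj = bus.get_object("org.freedesktop.NetworkManager",
                         "/org/freedesktop/NetworkManager/DnsManager")
    props = dbus.Interface(obj, "org.freedesktop.DBus.Properties")
    return props.Get("org.freedesktop.NetworkManager.DnsManager", "Configuration")


# Constructed sample: a VPN entry to ignore and two links, Wi-Fi preferred (lower priority).
SAMPLE_CONFIG = [
    {"nameservers": ["10.8.0.1"], "interface": "tun0", "priority": 50, "vpn": True},
    {"nameservers": ["192.0.2.53", "192.0.2.54"], "interface": "wlan0", "priority": 100, "vpn": False},
    {"nameservers": ["198.51.100.53"], "interface": "eth0", "priority": 110, "vpn": False},
]

if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(SAMPLE_CONFIG)))
```

Because the fragment is static, it has to be regenerated whenever the link's resolver changes and the dnsmasq instance reloaded; a stale pin would send the probe to a resolver from a previous network.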