[Dnsmasq-discuss] Enhancement idea: localhost DNS
Bill C. Riemers
briemers at redhat.com
Thu Jun 5 22:00:36 BST 2008
Simon Kelley wrote:
> Bill C. Riemers wrote:
>
> There's no really good way to do this, because there's no well
> defined, portable way to have network configuration systems handle the
> information about nameservers which comes from the various sources
> which configure networking.
>
> Something that you need to think about is race conditions on
> modification of /etc/resolv.conf. The various scripts can change the
> file at any time, and leave it in inconsistent states. Really, they
> should create resolv.conf.new and then do an atomic "mv resolv.conf.new
> resolv.conf", but not all do. Dnsmasq already has some tricks to avoid
> problems with this: it will be much more difficult to get right if
> dnsmasq is re-writing the file.
Actually, the tricks explain why polling doesn't seem to work. I had
to modify the various network scripts to send a HUP signal after the
files were written to dnsmasq. That of course also involved new selinux
rules...
> You might be able to avoid changing the scripts if there's some way to
> configure the distros netconf system with a static nameserver which
> comes first in resolv.conf. Then you can end up with
>
> nameserver 127.0.0.1
> nameserver <dynamic nameserver from DHCP, vpnc, etc>
>
> dnsmasq will ignore 127.0.0.1 since it's clever enough to know that it
> is listening on that address, everything else will use it since it's
> first.
Hmmm. I hadn't thought of that. I know there is an option to have
dhcp prefix a name server. I'll have to see if vpnc has a similar option.
>>
>> My questions are:
>> 1. Does anyone have better ideas on how I can accomplish the same
>> thing?
>
> Something I've thought about, but not investigated in detail, is to
> provide a new NSS module which does pretty much the same thing as the
> existing dns module, but doesn't use /etc/resolv.conf, instead using
> 127.0.0.1 for DNS lookups. Then you could just change one line in
> /etc/nsswitch.conf from
>
> hosts: files dns
>
> to
>
> hosts: files dnsmasq
>
> and have all name resolution go to dnsmasq via 127.0.0.1
> Dnsmasq would still use /etc/resolv.conf, so the standard network
> scripts would work.
Overall it seems messy. Especially since the existing nss modules are
not really independent of libc. For example /etc/resolv.conf is hard
coded in libc not in libnss_dns.so.
Another option I tried is:
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner dnsmasq -j ACCEPT
iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner dnsmasq -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
But since I had to modify the networking scripts to send a HUP signal to
dnsmasq, also changing the output name made sense. (I was assuming I
would fix the polling if I implemented resolv.conf rewriting, but now I
know that is a non-trivial task.)
Bill
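The two points Simon raises above, that resolv.conf must be replaced atomically (write a .new file, then rename it) and that 127.0.0.1 should come first so dnsmasq ignores itself and everything else prefers it, can be combined in a small script. The following is an added example, not code from the thread or from the dnsmasq project. The target path and the dnsmasq pidfile location (/var/run/dnsmasq.pid) are parameters and assumptions; the nameserver addresses in the demo are constructed documentation-range values, and the demo writes to a scratch directory rather than /etc.

```sh
#!/bin/sh
# Added example: atomic replacement of a resolv.conf-style file with
# 127.0.0.1 listed first, so a concurrently running resolver (or dnsmasq
# itself, which re-reads the file) never observes a half-written file.

# write_resolv_conf TARGET NAMESERVER...
# Builds TARGET.new completely, then renames it over TARGET in one step.
write_resolv_conf() {
    target=$1
    shift
    tmp="$target.new"
    {
        echo "# generated; dnsmasq on 127.0.0.1 is consulted first"
        echo "nameserver 127.0.0.1"
        for ns in "$@"; do
            # drop a loopback entry a network script may already have added
            if [ "$ns" = "127.0.0.1" ]; then
                continue
            fi
            echo "nameserver $ns"
        done
    } > "$tmp" || return 1
    # rename(2) is atomic on one filesystem: readers see the old file
    # or the new one, never a partially written one.
    mv -f "$tmp" "$target"
}

# first_nameserver FILE: prints the first nameserver entry in FILE.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# reload_dnsmasq [PIDFILE]: send SIGHUP so dnsmasq re-reads resolv.conf.
# The default pidfile path is an assumption; with no readable pidfile
# (e.g. a scratch run) it does nothing.
reload_dnsmasq() {
    pidfile=${1:-/var/run/dnsmasq.pid}
    [ -r "$pidfile" ] || return 0
    kill -HUP "$(cat "$pidfile")"
}

# Demo on a scratch file with constructed addresses (never touches /etc).
demo_dir=$(mktemp -d)
write_resolv_conf "$demo_dir/resolv.conf" 192.0.2.53 127.0.0.1 198.51.100.53
first_nameserver "$demo_dir/resolv.conf"
```

On a real host the call sequence from a network script would be write_resolv_conf /etc/resolv.conf "$dhcp_dns" followed by reload_dnsmasq; because the rename happens only after the .new file is fully written, a HUP arriving at any moment makes dnsmasq read either the previous or the complete new file.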