[Dnsmasq-discuss] Enhancement idea: localhost DNS

Bill C. Riemers briemers at redhat.com
Thu Jun 5 22:00:36 BST 2008


Simon Kelley wrote:
> Bill C. Riemers wrote:
>
> There's no really good way to do this, because there's no well 
> defined, portable way to have network configuration systems handle the
> information about nameservers which comes from the various sources
> which configure networking.
>
> Something that you need to think about is race conditions on
> modification of /etc/resolv.conf. The various scripts can change the
> file at any time, and leave it in inconsistent states. Really, they
> should create resolv.conf.new and then do an atomic "mv resolv.conf.new
> resolv.conf", but not all do. Dnsmasq already has some tricks to avoid
> problems with this: it will be much more difficult to get right if
> dnsmasq is re-writing the file.
Actually, the tricks explain why polling doesn't seem to work.   I had
to modify the various network scripts to send a HUP signal after the
files were written to dnsmasq.  That of course also involved new selinux
rules...

> You might be able to avoid changing the scripts if there's some way to
> configure the distros netconf system with a static nameserver which
> comes first in resolv.conf. Then you can end up with
>
> nameserver 127.0.0.1
> nameserver <dynamic nameserver from DHCP, vpnc, etc>
>
> dnsmasq will ignore 127.0.0.1 since it's clever enough to know that it
> is listening on that address, everything else will use it since it's
> first.

Hmmm.   I hadn't thought of that.   I know there is an option to have
dhcp prefix a name server. I'll have to see if  vpnc has a similar option.


>>
>> My questions are:
>>    1. Does anyone have better ideas on how I can accomplish the same
>> thing?
>
> Something I've thought about, but not investigated in detail, is to
> provide a new NSS module which does pretty much the same thing as the
> existing dns module, but doesn't use /etc/resolv.conf, instead using
> 127.0.0.1 for DNS lookups. Then you could just change one line in
> /etc/nsswitch.conf from
>
> hosts:          files dns
>
> to
>
> hosts:          files dnsmasq
>
> and have all name resolution go to dnsmasq via 127.0.0.1
> Dnsmasq would still use /etc/resolv.conf, so the standard network
> scripts would work.

Overall it seems messy.   Especially since the existing nss modules are
not really independent of libc.   For example /etc/resolv.conf is hard
coded in libc not in libnss_dns.so.

Another option I tried is:

iptables -t nat -A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner dnsmasq -j ACCEPT
iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -m owner --uid-owner dnsmasq -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 53

But since I had to modify the networking scripts to send a HUP signal to
dnsmasq, also changing the output name made sense.  (I was assuming I
would fix the polling if I implemented resolv.conf rewriting, but now I
know that is a non-trivial task.)

Bill
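An added example (not from either poster) of the two pieces discussed above: writing resolv.conf with 127.0.0.1 first and renaming it into place atomically, so a reader such as dnsmasq never sees a half-written file, plus the HUP Bill added to his network scripts. The file path is a parameter so the functions can be exercised against a scratch directory; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX shell, awk and
# pkill (procps); in production the target would be /etc/resolv.conf.

# write_resolv_conf FILE NAMESERVER... : write FILE with the local dnsmasq
# listener first, then the dynamic nameservers (DHCP, vpnc, ...), and
# rename the finished file into place in one step.
write_resolv_conf() {
    target="$1"; shift
    tmp="${target}.new"
    {
        printf 'nameserver 127.0.0.1\n'
        for ns in "$@"; do
            # a script may already have handed us 127.0.0.1; list it once
            if [ "$ns" = "127.0.0.1" ]; then continue; fi
            printf 'nameserver %s\n' "$ns"
        done
    } > "$tmp" || return 1
    # rename(2) on the same filesystem is atomic: a concurrent reader sees
    # either the complete old file or the complete new one, never a partial
    mv -f "$tmp" "$target"
}

# first_nameserver FILE : print the first nameserver entry (what libc uses)
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# notify_dnsmasq : ask a running dnsmasq to re-read resolv.conf; harmless
# when no dnsmasq process exists
notify_dnsmasq() {
    pkill -HUP -x dnsmasq 2>/dev/null || true
}
```

Because the temporary file lives next to the target, the rename never crosses a filesystem boundary, which is what keeps it atomic.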