[Dnsmasq-discuss] Two questions about the cache and how dnsmasq forwards queries

/dev/rob0 rob0 at gmx.co.uk
Wed Feb 17 19:13:51 GMT 2010


On Tue, Feb 16, 2010 at 09:42:33AM +0100, SamLT wrote:
> Simon:
> > Maybe your ISPs DNS server is playing games?
> 
> I think my ISP also REDIRECTs DNS traffic to their nameservers, 
> since, I get the same result using google public dns service. (and 
> this doesn't happen @home with an other ISP).
> 
> Well, this is going to be... fun!

snip

> I'd like to collect as much information as I can before I contact 
> my ISP, even though I think they'll just ignore me anyway...

What I do (and whilst it seemed ugly at first, I grew to like and
appreciate it): I run ISC BIND named(8) on an alternate port, totally
ignoring ISP upstream resolvers.

True, a redirection would still be a problem, but this could be an
easy way to gather more facts.

BIND as recursion-only is quite simple. And the dnsmasq interface is
also simple:
    no-resolv
    server=127.0.0.1#1053
    # the following to prevent duplicate caching
    cache-size=0
And of course, "nameserver 127.0.0.1" in resolv.conf (and protect it
from your DHCP client, if applicable).

The named.conf(5) file:
options {
        directory "/var/named";
        // loopback only, on the alternate port that dnsmasq forwards to
        listen-on port 1053 { 127.0.0.1; };
};
controls {
        // rndc channel moved off the default 953 as well (see below)
        inet 127.0.0.1 port 1035 allow { localhost; };
};
zone "." IN {
        // root hints are all a recursion-only server needs
        type hint;
        file "named.root";
};

(using the root hints file which can be obtained at
ftp://ftp.internic.net/domain/named.root installed as
/var/named/named.root and readable by the named user.)

named can run entirely as a non-root process this way.  You might
want to use a shell alias for rndc(8) to use 1035 rather than 953;
but in this configuration I have little need for rndc. Note, since
only 127.0.0.1 is bound, there is no need for access controls; only
shell users on the same host could query named directly. If that
worries you, get rid of your untrusted shell users. :) In Linux you
could restrict to the dnsmasq user like this:
    iptables -vI OUTPUT -d 127.0.0.1 -p tcp --dport 1053 -j REJECT
    iptables -vI OUTPUT -d 127.0.0.1 -p udp --dport 1053 -j DROP
    iptables -vI OUTPUT -d 127.0.0.1 -p tcp --dport 1053 -m owner \
        --uid-owner dnsmasq -j ACCEPT
    iptables -vI OUTPUT -d 127.0.0.1 -p udp --dport 1053 -m owner \
        --uid-owner dnsmasq -j ACCEPT
(Note the use of -I, the order of these commands is important; they
yield rules at the top of filter/OUTPUT in reverse order. First
ACCEPT from dnsmasq user; then DROP or REJECT from any other.)

The ISC folks and DNS gurus I have met generally recommend keeping
recursion separate from authoritative DNS service, and this does the
job well.

I have not encountered an ISP doing DNS redirection. I'd be very
angry if I did!
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
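The ordering point in the post (the four -I commands land in the chain in reverse) is easy to get wrong when the rules are re-entered by hand or added with -A. The following POSIX sh script is an added example, not from the original post or from the dnsmasq/BIND projects: it prints the four commands in the required order for a given user and port, and checks an `iptables -S OUTPUT` listing to confirm that, for both udp and tcp, the owner-matched ACCEPT comes before the catch-all DROP/REJECT. It assumes the post's layout (named on 127.0.0.1 port 1053, dnsmasq running as user "dnsmasq"); the two sample listings are constructed, and uid 1001 in them is made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the resolver listens
# on 127.0.0.1 port 1053 and dnsmasq runs as user "dnsmasq", as in the post.

RESOLVER_PORT=1053

# emit_rules USER: print the insert commands in the order they must be run.
# Each -I goes to the top, so the last one printed ends up first in the chain:
# owner ACCEPTs above the catch-all DROP/REJECT. Apply (as root) with:
#   emit_rules dnsmasq | sh
emit_rules() {
    user=${1:-dnsmasq}
    cat <<EOF
iptables -vI OUTPUT -d 127.0.0.1 -p tcp --dport $RESOLVER_PORT -j REJECT
iptables -vI OUTPUT -d 127.0.0.1 -p udp --dport $RESOLVER_PORT -j DROP
iptables -vI OUTPUT -d 127.0.0.1 -p tcp --dport $RESOLVER_PORT -m owner --uid-owner $user -j ACCEPT
iptables -vI OUTPUT -d 127.0.0.1 -p udp --dport $RESOLVER_PORT -m owner --uid-owner $user -j ACCEPT
EOF
}

# check_order: read an `iptables -S OUTPUT` listing on stdin. Returns 0 only
# if, for both udp and tcp, an owner-matched ACCEPT to RESOLVER_PORT exists
# and precedes the first unqualified DROP/REJECT to that port, which must
# also exist. Anything else means other local users can still reach named,
# or the catch-all swallows dnsmasq's own queries. Real use:
#   iptables -S OUTPUT | check_order
check_order() {
    listing=$(cat)
    for proto in udp tcp; do
        rules=$(printf '%s\n' "$listing" \
            | grep -E -e "-p $proto( |$)" \
            | grep -E -e "--dport $RESOLVER_PORT( |$)") || true
        # line numbers are relative to the filtered rule set, so comparable
        accept=$(printf '%s\n' "$rules" | grep -n -e '--uid-owner' \
            | grep -e '-j ACCEPT' | head -n 1 | cut -d: -f1)
        deny=$(printf '%s\n' "$rules" | grep -n -v -e '--uid-owner' \
            | grep -E -e '-j (DROP|REJECT)' | head -n 1 | cut -d: -f1)
        if [ -z "$accept" ] || [ -z "$deny" ]; then
            echo "$proto: missing owner ACCEPT or catch-all DROP/REJECT" >&2
            return 1
        fi
        if [ "$accept" -ge "$deny" ]; then
            echo "$proto: catch-all rule precedes the dnsmasq ACCEPT" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample: what `iptables -S OUTPUT` shows after the four -I
# commands, with --uid-owner dnsmasq resolved to the made-up uid 1001.
GOOD_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 1053 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 1053 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 1053 -j DROP
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 1053 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: the same commands run with -A instead of -I. The
# catch-alls come first and would drop dnsmasq's own queries to named.
BAD_LISTING='-P OUTPUT ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 1053 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 1053 -j DROP
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 1053 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p udp -m udp --dport 1053 -m owner --uid-owner 1001 -j ACCEPT'

# Self-check on the constructed listings.
printf '%s\n' "$GOOD_LISTING" | check_order && echo "good listing: ordered correctly"
printf '%s\n' "$BAD_LISTING" | check_order 2>/dev/null || echo "bad listing: rejected as expected"
```

The check keys on `--uid-owner` rather than on a specific uid because `iptables -S` prints the numeric uid, not the name given on the command line; swap RESOLVER_PORT if named listens elsewhere.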
