[Dnsmasq-discuss] VPN support - Flush Cache, specify multiple IP's for server=, and somehow supporting using addresses from resolv.conf in server lines.

Bill C Riemers briemers at redhat.com
Fri Feb 19 14:36:01 GMT 2010


Hi,

I've been having problems with DNSMASQ when using VPN. The general
problem is I only want DNS entries for work resolved across my VPN
server. However, I have run across several challenges I'm hoping there
are simple solutions for.
Right now the main problems I am trying to address are:
   - If I look up a domain prior to connecting to vpn, dnsmasq caches
     that answer for when I'm connected to vpn.
   - I cannot figure out a way to tell DNSMASQ to use either of my
     local name servers for domains not at work. So if I have to shut
     down one of the servers, I have to edit my dnsmasq configuration.
   - I have figured out a way to override all non-work domains to be
     looked up locally. For example, I do not want to have a DNS query
     log from whenever I connect to facebook.

Here is what I have so far:

1. My work uses dynamic addresses for the DNS servers. When I connect
via openvpn, netmanager updates my resolv.conf. I have not found a
good way to specify to put 127.0.0.1 into the list for DNSMASQ when
using the dynamic DNS server address. However, I have found I can
specify a manual list of addresses. This means occasionally I have to
edit the addresses, but for the most part it works.

When I'm connected via VPN I have the following /etc/resolv.conf:

# Generated by NetworkManager
search redhat.com engsupport.redhat.com local
nameserver 127.0.0.1
nameserver 172.16.52.28
nameserver 10.11.255.47
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 172.31.253.11
nameserver 172.31.253.12


When not connected to VPN I have the following:

search local
nameserver 127.0.0.1
nameserver 172.31.253.11
nameserver 172.31.253.12

I find DNSMASQ picks up the change in resolv.conf correctly.
However, it does not flush its cache. So if, for example, I mistakenly
try to log in to my work e-mail prior to connecting to VPN, or after a
VPN drop, then the address will resolve to opendns. After I connect to
VPN, it will still resolve to opendns, until I restart dnsmasq, or the
DNS entry expires.

2. To avoid having non-work addresses resolving through the work DNS, I
have a huge list of server lines, e.g.

server=/aero/172.31.253.11
server=/asia/172.31.253.11
server=/biz/172.31.253.11
server=/cat/172.31.253.11
server=/facebook.com/172.31.253.11
server=/google.com/172.31.253.11
server=/coop/172.31.253.11
server=/edu/172.31.253.11
...
Of course what I really wanted to do is specify a
/etc/resolv.conf.novpn file and then take care of vpn lookups with a
line like:

server=/redhat.com/10.11.255.47 if connected via VPN

but I have no way of telling DNSMASQ to only use that line when I am
connected via VPN.

By listing the reverse list I have two problems. 1. My list will
probably never be completely comprehensive. 2. I can only specify one
server on the server line. So if I shut down 172.31.253.11, DNSMASQ
will not use 172.31.253.12 as a backup.

This whole problem could be resolved if there is some way to specify
multiple IP addresses.    Then I could do something like:
server=/redhat.com/10.32.255.47,172.31.253.11,172.31.253.12

Meaning of course, try 10.32.255.47.   If it is unreachable (because I'm
not connected to VPN) then try the next one.

Even better if something like:

server=/redhat.com/{/etc/resolv.conf}

Meaning to use the specified file for redhat.com.

Then the remaining problems would be how to tell DNSMASQ to flush its
cache whenever /etc/resolv.conf is updated, and how to use the dynamic
IP address for DNS supplied via openvpn instead of hard coding a static
address.

Bill
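An added example, not part of Bill's post or of dnsmasq itself: a small generator that reads the NetworkManager-written resolv.conf quoted above and turns the VPN-supplied resolvers into per-domain server= lines, so the work zone is only ever forwarded over the VPN and the two home resolvers form the fallback pool. It assumes the standard dnsmasq syntax (server=/domain/ip, repeated lines for one domain, no-resolv, and local=/domain/ to refuse forwarding a zone) and uses the resolv.conf text from the post as constructed sample input; 127.0.0.1 is deliberately dropped because that address is dnsmasq itself.

```python
# Constructed sample input: the VPN-connected resolv.conf from the post.
RESOLV_CONF_VPN = """\
# Generated by NetworkManager
search redhat.com engsupport.redhat.com local
nameserver 127.0.0.1
nameserver 172.16.52.28
nameserver 10.11.255.47
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 172.31.253.11
nameserver 172.31.253.12
"""

LOCAL_SERVERS = ["172.31.253.11", "172.31.253.12"]  # always-present home resolvers
WORK_DOMAINS = ["redhat.com"]                        # zones that must only go over VPN


def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop trailing/whole-line comments
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def build_dnsmasq_conf(resolv_text, work_domains, local_servers):
    """Build dnsmasq server= lines from a resolv.conf snapshot.

    VPN resolvers are whatever NetworkManager added that is not one of the
    home resolvers and not dnsmasq's own loopback address.  With no VPN
    resolvers present the work zones are marked local=/zone/, so dnsmasq
    refuses to forward them instead of leaking them to (and caching them
    from) the home resolvers.
    """
    seen = parse_nameservers(resolv_text)
    vpn_servers = [s for s in seen if s not in local_servers and not s.startswith("127.")]
    lines = ["no-resolv"]  # upstreams come only from the server= lines below
    for domain in work_domains:
        if vpn_servers:
            lines.extend(f"server=/{domain}/{s}" for s in vpn_servers)
        else:
            lines.append(f"local=/{domain}/")   # assumption: refuse to forward this zone
    lines.extend(f"server={s}" for s in local_servers)  # default pool, tried in turn
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_dnsmasq_conf(RESOLV_CONF_VPN, WORK_DOMAINS, LOCAL_SERVERS))
```

dnsmasq reads server= lines only at startup, so the generated file has to be installed and dnsmasq restarted after each resolv.conf change, which also empties the cache that the post complains about.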
