[Dnsmasq-discuss] VPN support - Flush Cache, specify multiple IP's for server=, and somehow supporting using addresses from resolv.conf in server lines.
Simon Kelley
simon at thekelleys.org.uk
Fri Feb 19 17:48:15 GMT 2010
Bill C Riemers wrote:
> Hi,
>
> I've been having problems with DNSMASQ when using VPN. The general
> problem is I only want DNS entries for work resolved across my VPN
> server. However, I have run across several challenges I'm hoping there
> are simple solutions.
> Right now the main problems I am trying to address are:
> - If I look up a domain prior to connecting to vpn, dnsmasq caches
> that answer for when I'm connected to vpn.
> - I cannot figure out a way to tell DNSMASQ to use either of my
> local name servers for domains not at work. So
> if I have to shut down one of the servers, I have to edit my dnsmasq
> configuration.
> - I have figured out a way to override all non-work domains to be
> looked up locally. For example, I do not want work
> to have a DNS query log from whenever I connect to facebook.
>
> Here is what I have so far:
>
> 1. My work uses dynamic addresses for the DNS servers. When I connect
> via openvpn, netmanager updates my resolv.conf. I have not found a
> good way to specify to put 127.0.0.1 into the list for DNSMASQ when
> using the
> dynamic DNS server address. However, I have found I can specify a
> manual list of addresses. This means occasionally
> I have to edit the addresses, but for the most part it works.
>
> When I'm connected via VPN I have the following /etc/resolv.conf:
>
> # Generated by NetworkManager
> search redhat.com engsupport.redhat.com local
> nameserver 127.0.0.1
> nameserver 172.16.52.28
> nameserver 10.11.255.47
> # NOTE: the libc resolver may not support more than 3 nameservers.
> # The nameservers listed below may not be recognized.
> nameserver 172.31.253.11
> nameserver 172.31.253.12
>
>
> When not connected to VPN I have the following:
>
> search local
> nameserver 127.0.0.1
> nameserver 172.31.253.11
> nameserver 172.31.253.12
>
> I find DNSMASQ picks up the change in resolv.conf correctly.
> However, it does not flush its cache. So if, for example, I mistakenly
> try to login to my work e-mail prior to connecting to VPN, or after a
> VPN drop, then the address will resolve to opendns. After I connect to
> VPN, it will still resolve to opendns, until I restart dnsmasq, or the
> DNS entry expires.
>
> 2. To avoid having non-work addresses resolving through the work dns, I
> have a huge list of server lines. e.g.
>
> server=/aero/172.31.253.11
> server=/asia/172.31.253.11
> server=/biz/172.31.253.11
> server=/cat/172.31.253.11
> server=/facebook.com/172.31.253.11
> server=/google.com/172.31.253.11
> server=/coop/172.31.253.11
> server=/edu/172.31.253.11
> ...
> Of course, what I really wanted to do is specify a
> /etc/resolv.conf.novpn file and then take care of vpn lookups with a
> line like:
>
> server=/redhat.com/10.11.255.47 if connected via VPN
>
> but I have no way of telling DNSMASQ to only use that line when I am
> connected via VPN.
>
> By listing the reverse list I have two problems. 1. My list will
> probably never be completely comprehensive. 2. I can only specify one
> server on the server line. So if I shutdown 172.31.253.11, DNSMASQ
> will not use 172.31.253.12 as a backup.
>
> This whole problem could be resolved if there is some way to specify
> multiple IP addresses. Then I could do something like:
> server=/redhat.com/10.32.255.47,172.31.253.11,172.31.253.12
>
> Meaning of course, try 10.32.255.47. If it is unreachable (because I'm
> not connected to VPN) then try the next one.
>
> Even better if something like:
>
> server=/redhat.com/{/etc/resolv.conf}
>
> Meaning to use the specified file for redhat.com.
>
> Then the remaining problems would be how to tell DNSMASQ to flush its
> cache whenever /etc/resolv.conf is updated, and how to use the dynamic
> IP address for DNS supplied via openvpn instead of hard coding a static
> address.
Dnsmasq has a flag, clear-on-reload, for the first part. For the second,
the normal scheme seems to be to configure dnsmasq via server lines in
the /etc/dnsmasq.conf to send specific domains to the vpn nameservers,
and default the rest to servers in /etc/resolv.conf.
If you want to dynamically update the VPN nameservers, you need to use
dnsmasq's DBus interface (which also has a "clear cache" function).
Have you looked at
http://roy.marples.name/projects/openresolv/
which may solve this problem for you?
Cheers,
Simon.
>
> Bill
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
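The scheme Simon describes, written out as a /etc/dnsmasq.conf. This is an added example, not a configuration from the thread or from the dnsmasq project; the addresses and domain are the ones Bill quoted above.

```ini
# Added example (not from the thread). Split-horizon setup so that only
# work names ever reach the VPN nameserver, and stale pre-VPN answers are
# dropped when the resolver configuration changes.

# Flush the whole cache whenever /etc/resolv.conf is rewritten by
# NetworkManager (dnsmasq polls the file). This is the fix for the
# "work e-mail host still resolves to the OpenDNS answer after the VPN
# comes up" problem.
clear-on-reload

# Forward only the work domain (and all its subdomains) to the VPN
# nameserver. Nothing else is ever sent there, so no reverse list of
# facebook.com, google.com, .edu, ... is required, and the work DNS
# never sees non-work lookups. Address taken from Bill's resolv.conf.
server=/redhat.com/10.11.255.47

# Every other name falls through to the nameservers currently listed in
# /etc/resolv.conf, whatever NetworkManager has written there. dnsmasq
# skips the 127.0.0.1 entry that points back at itself.
resolv-file=/etc/resolv.conf

# Try the resolv.conf servers in listed order instead of racing them,
# so 172.31.253.11 is primary and 172.31.253.12 is only used if the
# first one is down.
strict-order
```

When the VPN is down, lookups under redhat.com fail rather than leaking to the local servers, which is the behaviour Bill asks for.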