[Dnsmasq-discuss] VPN support - Flush Cache, specify multiple IP's for server=, and somehow supporting using addresses from resolv.conf in server lines.

Bill C Riemers briemers at redhat.com
Mon Mar 1 14:56:37 GMT 2010


Hi,

I just wanted to follow-up with the resolution to my problem.

First, someone off list forwarded me information that there is a:

clear-on-reload

option for dnsmasq.   This seems to completely resolve the
problem of needing to restart dnsmasq when connecting via
VPN.   Note: It seems to take a minute or two for dnsmasq
to poll the new /etc/resolv.conf.

Second, it occurred to me that when I'm connected via VPN the
connections to my work domain name servers is routed to a
separate network.   So a simple set of iptable mappings can
take care of routing connections when I'm not connected to
vpn:

-A PREROUTING -d 172.16.52.28/32 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.31.253.11
-A PREROUTING -d 172.16.52.28/32 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.31.253.11
-A PREROUTING -d 10.11.255.27/32 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.31.253.12
-A PREROUTING -d 10.11.255.27/32 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.31.253.12

With these rules in place I was able to simplify my dnsmasq.conf
server rules to simply:

server=/redhat.com/172.16.52.28
server=/redhat.com/10.11.255.27

I don't think the secondary server line actually does anything.   If
172.16.52.28 is down I probably still need to edit dnsmasq.conf to
switch to 10.11.255.27.

I also modified my vpn configuration, so when connected via vpn it still lists
my domain servers as 127.0.0.1, 172.31.253.11, and 172.31.253.12.

Voila.   Now when I'm connected via vpn only redhat.com addresses are
looked up via redhat.   When I'm not connected via vpn everything goes
to my normal domain name servers.

Bill


On 19/02/10 09:36 AM, Bill C Riemers wrote:
> Hi,
>
> I've been having problems with DNSMASQ when using VPN.   The general
> problem is I only want DNS entries for work resolved across my VPN
> server.   However, I have run across several challenges I'm hoping there
> are simple solutions.
> Right now the main problems I am trying to address are:
>    - If I lookup a domain prior to connecting to vpn, dnsmasq caches
> that answer for when I'm connected to vpn.
>    - I can not figure out a way to tell DNSMASQ to use either of my
> local name servers for domains not at work.   So
>      if I have to shutdown one of the servers, I have to edit my dnsmasq
> configuration.
>    - I have figured out a way to override all non-work domains to be
> looked up locally.   For example, I do not want
>      to have a DNS query log from whenever I connect to facebook.
>
> Here is what I have so far:
>
> 1. My work uses dynamic addresses for the DNS servers.   When I connect
> via openvpn, netmanager updates my resolv.conf.   I have not found a
> good way to specify to put 127.0.0.1 into the list for DNSMASQ when
> using the dynamic DNS server address.   However, I have found I can
> specify a manual list of addresses.   This means occasionally
> I have to edit the addresses, but for the most part it works.
>
> When I'm connected via VPN I have the following /etc/resolv.conf:
>
> # Generated by NetworkManager
> search redhat.com engsupport.redhat.com local
> nameserver 127.0.0.1
> nameserver 172.16.52.28
> nameserver 10.11.255.47
> # NOTE: the libc resolver may not support more than 3 nameservers.
> # The nameservers listed below may not be recognized.
> nameserver 172.31.253.11
> nameserver 172.31.253.12
>
>
> When not connected to VPN I have the following:
>
> search local
> nameserver 127.0.0.1
> nameserver 172.31.253.11
> nameserver 172.31.253.12
>
>    I find DNSMASQ picks up the change in resolv.conf correctly.
> However, it does not flush its cache.   So if for example, I mistakenly
> try to login to my work e-mail prior to connecting to VPN, or after a
> VPN drop then the address will resolve to opendns.   After I connect to
> VPN, it will still resolve to opendns, until I restart dnsmasq, or the
> DNS entry expires.
>
> 2.  To avoid having non-work addresses resolving through the work dns, I
> have a huge list of server lines.  e.g.
>
> server=/aero/172.31.253.11
> server=/asia/172.31.253.11
> server=/biz/172.31.253.11
> server=/cat/172.31.253.11
> server=/facebook.com/172.31.253.11
> server=/google.com/172.31.253.11
> server=/coop/172.31.253.11
> server=/edu/172.31.253.11
> ...
>         Of course what I really wanted to do is specify a
> /etc/resolv.conf.novpn file and then take care of vpn lookups with a
> line like:
>
> server=/redhat.com/10.11.255.47 if connected via VPN
>
> but I have no way of telling DNSMASQ to only use that line when I am
> connected via VPN.
>
> By listing the reverse list I have two problems.   1. My list will
> probably never be completely comprehensive.   2. I can only specify one
> server on the server line.   So if I shutdown 172.31.253.11, DNSMASQ
> will not use 172.31.253.12 as a backup.
>
> This whole problem could be resolved if there is some way to specify
> multiple IP addresses.    Then I could do something like:
> server=/redhat.com/10.32.255.47,172.31.253.11,172.31.253.12
>
> Meaning of course, try 10.32.255.47.   If it is unreachable (because I'm
> not connected to VPN) then try the next one.
>
> Even better if something like:
>
> server=/redhat.com/{/etc/resolv.conf}
>
> Meaning to use the specified file for redhat.com.
>
> Then the remaining problems would be how to tell DNSMASQ to flush its
> cache whenever /etc/resolv.conf is updated, and how to use the dynamic
> ip address for DNS supplied via openvpn instead of hard coding a static
> address.
>
> Bill
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
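The two configurations in this thread (the short `server=/redhat.com/...` list in the follow-up, and the long "reverse list" of per-TLD `server=` lines in the quoted original) both rely on dnsmasq choosing an upstream by the longest matching domain suffix, with anything unmatched going to the default servers taken from `/etc/resolv.conf`. The script below is an added example, not code from the post or from dnsmasq itself: it models that selection rule for a handful of `server=` lines and a `resolv.conf`, and then reports which query names would be forwarded to a given set of upstreams. That last function is the useful check for the original concern about non-work names reaching the work resolvers (a DNS leak from the defender's point of view). The config text and the host names are constructed from the addresses that appear in the thread; the handling of `server=/domain/` (never forward) and `server=/domain/#` (use the default servers) follows the dnsmasq manual, and dnsmasq's skipping of its own `127.0.0.1` entry in `resolv.conf` is assumed to apply here.

```python
"""Model dnsmasq's per-domain upstream selection and check for DNS leaks.

Added example (not from the mailing-list post or dnsmasq). Assumptions are
marked in comments; IP addresses are the ones quoted in the thread.
"""

Rules = dict[str, list[str]]  # domain suffix -> upstream IPs in config order; "" = default set


def parse_config(dnsmasq_conf: str, resolv_conf: str) -> Rules:
    """Build the forwarding table from dnsmasq.conf server= lines and resolv.conf."""
    rules: Rules = {"": []}
    for line in resolv_conf.splitlines():
        parts = line.split()
        # dnsmasq refuses to forward to itself, so 127.0.0.1 is dropped (assumption: it
        # behaves that way for the loopback address listed here).
        if len(parts) == 2 and parts[0] == "nameserver" and parts[1] != "127.0.0.1":
            rules[""].append(parts[1])
    for raw in dnsmasq_conf.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            _, domain, addr = value.split("/", 2)
            rules.setdefault(domain.lower(), [])
            if addr == "#":                      # "#" = use the standard servers
                rules[domain.lower()] = rules[""]
            elif addr:                           # empty address = never forward
                rules[domain.lower()].append(addr)
        else:
            rules[""].append(value)              # plain server=IP adds a default upstream
    return rules


def upstreams_for(name: str, rules: Rules) -> list[str]:
    """Return the upstream list for a query name: longest matching suffix wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return list(rules[suffix])
    return list(rules[""])


def names_sent_to(rules: Rules, names: list[str], upstreams: set[str]) -> list[str]:
    """Names whose query could reach any of the given upstream addresses."""
    return [n for n in names if any(u in upstreams for u in upstreams_for(n, rules))]


# Constructed inputs, using the addresses from the thread.
WORK_SERVERS = {"172.16.52.28", "10.11.255.27", "10.11.255.47"}

SIMPLE_CONF = "server=/redhat.com/172.16.52.28\nserver=/redhat.com/10.11.255.27\n"
RESOLV_NOVPN = "search local\nnameserver 127.0.0.1\nnameserver 172.31.253.11\nnameserver 172.31.253.12\n"

REVERSE_LIST_CONF = "\n".join(
    f"server=/{d}/172.31.253.11" for d in ("aero", "biz", "facebook.com", "google.com", "edu")
)
RESOLV_VPN = (
    "search redhat.com engsupport.redhat.com local\n"
    "nameserver 127.0.0.1\nnameserver 172.16.52.28\nnameserver 10.11.255.47\n"
    "nameserver 172.31.253.11\nnameserver 172.31.253.12\n"
)

SAMPLE_NAMES = ["mail.redhat.com", "www.facebook.com", "example.org", "news.biz"]


def simple_setup() -> Rules:
    return parse_config(SIMPLE_CONF, RESOLV_NOVPN)


def reverse_list_setup() -> Rules:
    return parse_config(REVERSE_LIST_CONF, RESOLV_VPN)


if __name__ == "__main__":
    for label, rules in (("simple", simple_setup()), ("reverse list", reverse_list_setup())):
        print(f"== {label} ==")
        for n in SAMPLE_NAMES:
            print(f"  {n:20} -> {upstreams_for(n, rules)}")
        print("  reaching work DNS:", names_sent_to(rules, SAMPLE_NAMES, WORK_SERVERS))
```

Running it shows the difference between the two approaches: with the short config only `redhat.com` names are offered to the work servers, whereas with the reverse list any name not explicitly listed (here `example.org`) falls through to the default set, which during the VPN session includes the work resolvers.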