[Dnsmasq-discuss] Using resolv.conf search vs. dnsmasq --server

Simon Kelley simon at thekelleys.org.uk
Wed Jan 5 21:25:52 GMT 2011


Paul Smith wrote:
> Hi all.  Recently I've been banging my head against issues surrounding
> resolv.conf management when connecting to two (or more) VPNs with
> private DNS servers.  What a nightmare!!  I'm thinking about some kind
> of solution/proposal but in the meantime I have a question.
> 
> One way to go about this is to combine all the various contents of the
> private resolv.conf files into one and add in all the different search
> domains and nameservers.  For example, if I have a standard nameserver
> of 1.1.1.1 with domain localnet, and one VPN with nameserver 2.2.2.2 and
> domain vpn2.com and another VPN with nameserver 3.3.3.3 and domain
> vpn3.com, then you'd get a resolv.conf file like:
> 
> 	search vpn3.com vpn2.com localnet
> 	nameserver 1.1.1.1
> 	nameserver 2.2.2.2
> 	nameserver 3.3.3.3
> 
> Of course the order depends on which interface came up first.  However,
> when I do this sometimes I can't resolve hosts in the latter VPNs (but
> sometimes it works).  Is it because some DNS servers are returning some
> kind of authoritative "no" and dnsmasq is quitting?  I'm not intimately
> familiar with all the details of DNS.  If I configured this via dnsmasq
> (so the above would be dnsmasq's resolv-file and /etc/resolv.conf used
> nameserver 127.0.0.1) and added the "--all-servers" flag, would it work
> better?

Yes, and no. It doesn't work well to try and iteratively query DNS
servers until one gives an answer; with the above configuration, if
the first server tried (the order is indeterminate) says "no such
domain" then that's the answer.
> 
> My other option would be to add just the searchpaths to resolv.conf and
> use dnsmasq as a proxy DNS server, with --server options (or config
> file), so that resolv.conf contained:
> 
> 	search vpn3.com vpn2.com localnet
> 	nameserver 127.0.0.1
> 
> and the dnsmasq config said:
> 
> 	server=/vpn2.com/2.2.2.2
> 	server=/vpn3.com/3.3.3.3
> 	resolv-file=/var/run/dnsmasq/resolv.conf
> 
> and /var/run/dnsmasq/resolv.conf would contain:
> 
> 	nameserver 1.1.1.1
> 
> to catch all the default resolutions.
> 

Much, much better.

> I can see why this works well for FQDNs since it can match and go
> directly to the correct nameserver.  But it even works better for
> unqualified hostnames: can you explain dnsmasq's behavior here?  Given
> the above setup, how does dnsmasq go about trying to resolve a hostname
> "foobar"?

Largely, it doesn't: the resolver adds the search strings to the end of
"foobar" before the query even gets to dnsmasq. It's worth reading `man
resolv.conf` for details of the process, and turning on log-queries in
dnsmasq to see what's actually happening.


Cheers,

Simon.
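The two mechanisms discussed in this thread can be seen side by side in a small model. This is an added example, not code from the thread or from dnsmasq: it parses the constructed resolv.conf and dnsmasq fragments from the messages above, expands an unqualified name with the search list the way the stub resolver does (simplified ndots handling, default 1), routes each candidate through dnsmasq-style longest-suffix `server=/domain/address` matching with the resolv-file servers as the fallback, and models the first setup's failure mode, where whichever server is asked first returns "no such domain" for a name outside its own zone and the stub resolver takes that as the answer. The zone each server is assumed to know is an assumption of the model.

```python
"""Model of stub-resolver search expansion and dnsmasq upstream selection.

Constructed example; the configuration fragments mirror the thread's two
setups and the per-server zone knowledge is an assumption of the model.
"""

# Constructed sample files (second setup from the thread).
RESOLV_CONF = """\
search vpn3.com vpn2.com localnet
nameserver 127.0.0.1
"""

DNSMASQ_CONF = """\
server=/vpn2.com/2.2.2.2
server=/vpn3.com/3.3.3.3
resolv-file=/var/run/dnsmasq/resolv.conf
"""

DNSMASQ_RESOLV_FILE = "nameserver 1.1.1.1\n"

# Assumed zone each upstream is authoritative for (model assumption).
SERVER_ZONE = {"1.1.1.1": "localnet", "2.2.2.2": "vpn2.com", "3.3.3.3": "vpn3.com"}


def parse_resolv_conf(text):
    """Extract search list, nameservers and ndots (glibc default: 1)."""
    search, nameservers, ndots = [], [], 1
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        if parts[0] in ("search", "domain"):
            search = parts[1:]          # a later line replaces an earlier one
        elif parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return {"search": search, "nameservers": nameservers, "ndots": ndots}


def stub_candidates(name, rconf):
    """Names the stub resolver tries, in order, before dnsmasq sees anything."""
    if name.endswith("."):                       # trailing dot: no search applied
        return [name.rstrip(".")]
    expanded = [f"{name}.{d}" for d in rconf["search"]]
    if name.count(".") >= rconf["ndots"]:
        return [name] + expanded                 # absolute attempt first
    return expanded + [name]                     # search list first


def parse_dnsmasq(conf_text, resolv_file_text):
    """Collect server=/domain/address rules plus the resolv-file fallback servers."""
    rules = {}
    for line in conf_text.splitlines():
        if line.startswith("server=/"):
            _, domain, addr = line[len("server="):].split("/")
            rules[domain.lower()] = addr
    default = parse_resolv_conf(resolv_file_text)["nameservers"]
    return {"rules": rules, "default": default}


def dnsmasq_upstream(qname, dconf):
    """Longest matching server=/domain/ rule wins; otherwise a resolv-file server."""
    labels = qname.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in dconf["rules"]:
            return dconf["rules"][suffix]
    return dconf["default"][0] if dconf["default"] else None


def resolution_plan(name):
    """(query name, upstream chosen by dnsmasq) for each candidate the stub tries."""
    rconf = parse_resolv_conf(RESOLV_CONF)
    dconf = parse_dnsmasq(DNSMASQ_CONF, DNSMASQ_RESOLV_FILE)
    return [(q, dnsmasq_upstream(q, dconf)) for q in stub_candidates(name, rconf)]


def flat_resolv_outcome(qname, server_order):
    """First setup: the stub asks the first listed server and believes its
    'no such domain'; it only reaches later servers on timeout, not on NXDOMAIN."""
    first = server_order[0]
    zone = SERVER_ZONE[first]
    if qname == zone or qname.endswith("." + zone):
        return f"answered by {first}"
    return f"NXDOMAIN from {first}"


if __name__ == "__main__":
    for q, up in resolution_plan("foobar"):
        print(f"{q:24} -> {up}")
    print(flat_resolv_outcome("foobar.vpn3.com", ["1.1.1.1", "2.2.2.2", "3.3.3.3"]))
    print(flat_resolv_outcome("foobar.vpn3.com", ["3.3.3.3", "1.1.1.1", "2.2.2.2"]))
```

Running it shows `foobar` becoming `foobar.vpn3.com`, `foobar.vpn2.com`, `foobar.localnet` and finally bare `foobar`, with dnsmasq sending the first two to the matching VPN servers and the rest to 1.1.1.1; the flat resolv.conf model shows the same `foobar.vpn3.com` query succeeding or failing purely on which nameserver line came first.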
