[Dnsmasq-discuss] Using resolv.conf search vs. dnsmasq --server
Simon Kelley
simon at thekelleys.org.uk
Wed Jan 5 21:25:52 GMT 2011
Paul Smith wrote:
> Hi all. Recently I've been banging my head against issues surrounding
> resolv.conf management when connecting to two (or more) VPNs with
> private DNS servers. What a nightmare!! I'm thinking about some kind
> of solution/proposal but in the meantime I have a question.
>
> One way to go about this is to combine all the various contents of the
> private resolv.conf files into one and add in all the different search
> domains and nameservers. For example, if I have a standard nameserver
> of 1.1.1.1 with domain localnet, and one VPN with nameserver 2.2.2.2 and
> domain vpn2.com and another VPN with nameserver 3.3.3.3 and domain
> vpn3.com, then you'd get a resolv.conf file like:
>
> search vpn3.com vpn2.com localnet
> nameserver 1.1.1.1
> nameserver 2.2.2.2
> nameserver 3.3.3.3
>
> Of course the order depends on which interface came up first. However,
> when I do this sometimes I can't resolve hosts in the latter VPNs (but
> sometimes it works). Is it because some DNS servers are returning some
> kind of authoritative "no" and dnsmasq is quitting? I'm not intimately
> familiar with all the details of DNS. If I configured this via dnsmasq
> (so the above would be dnsmasq's resolv-file and /etc/resolv.conf used
> nameserver 127.0.0.1) and added the "--all-servers" flag, would it work
> better?
Yes, and no. It doesn't work well to try and iteratively query DNS
servers until one gives an answer; with the above configuration, if
the first server tried (the order is indeterminate) says "no such
domain" then that's the answer.
>
> My other option would be to add just the searchpaths to resolv.conf and
> use dnsmasq as a proxy DNS server, with --server options (or config
> file), so that resolv.conf contained:
>
> search vpn3.com vpn2.com localnet
> nameserver 127.0.0.1
>
> and the dnsmasq config said:
>
> server=/vpn2.com/2.2.2.2
> server=/vpn3.com/3.3.3.3
> resolv-file=/var/run/dnsmasq/resolv.conf
>
> and /var/run/dnsmasq/resolv.conf would contain:
>
> nameserver 1.1.1.1
>
> to catch all the default resolutions.
>
Much, much better.
> I can see why this works well for FQDNs since it can match and go
> directly to the correct nameserver. But it even works better for
> unqualified hostnames: can you explain dnsmasq's behavior here? Given
> the above setup, how does dnsmasq go about trying to resolve a hostname
> "foobar"?
Largely, it doesn't: the resolver adds the search strings to the end of
"foobar" before the query even gets to dnsmasq. It's worth reading `man
resolv.conf` for details of the process, and turning on log-queries in
dnsmasq to see what's actually happening.
Cheers,
Simon.
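The following is an added illustration, not code from the thread or from dnsmasq: a small offline Python model of the two strategies Paul describes, using the exact resolv.conf and dnsmasq fragments from his message. The upstream "servers" are dicts with constructed records (the 10.x addresses and the names printer, foobar, db are invented), each answering NXDOMAIN for any domain it does not serve. It assumes glibc's default `ndots:1` search behaviour from `man resolv.conf` and the point Simon makes: the stub resolver takes the first server's NXDOMAIN as the answer, while dnsmasq routes each candidate name to the `server=/domain/` entry with the longest matching suffix (falling back to the resolv-file servers).

```python
# Added offline model of the two resolv.conf strategies from the thread.
# Constructed for illustration: the "upstream servers" are dicts, not DNS.
import re

# Constructed zone data: each private server knows only its own domain and
# answers NXDOMAIN (a definitive "no") for anything else.
UPSTREAMS = {
    "1.1.1.1": {"printer.localnet": "10.0.0.5"},
    "2.2.2.2": {"foobar.vpn2.com": "10.2.0.7"},
    "3.3.3.3": {"db.vpn3.com": "10.3.0.9"},
}

# The file contents from the post, verbatim.
RESOLV_CONF_ALL_SERVERS = ("search vpn3.com vpn2.com localnet\nnameserver 1.1.1.1\n"
                           "nameserver 2.2.2.2\nnameserver 3.3.3.3\n")
RESOLV_CONF_LOCALHOST = "search vpn3.com vpn2.com localnet\nnameserver 127.0.0.1\n"
DNSMASQ_CONF = ("server=/vpn2.com/2.2.2.2\nserver=/vpn3.com/3.3.3.3\n"
                "resolv-file=/var/run/dnsmasq/resolv.conf\n")
DNSMASQ_RESOLV_FILE = "nameserver 1.1.1.1\n"


def upstream_query(server, fqdn):
    """Fake authoritative answer: ('A', address) or ('NXDOMAIN', None)."""
    addr = UPSTREAMS[server].get(fqdn)
    return ("A", addr) if addr else ("NXDOMAIN", None)


def parse_resolv_conf(text):
    """Return (search list, nameservers, ndots) from resolv.conf text."""
    search, nameservers, ndots = [], [], 1
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "search":
            search = fields[1:]
        elif fields[0] == "nameserver":
            nameservers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt[len("ndots:"):])
    return search, nameservers, ndots


def search_candidates(name, search, ndots=1):
    """Order in which the libc stub resolver tries a name (man resolv.conf):
    a trailing dot disables the search list; a name with at least ndots dots
    is tried as-is first, otherwise the search suffixes are tried first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    expanded = [f"{name}.{suffix}" for suffix in search]
    return [name] + expanded if name.count(".") >= ndots else expanded + [name]


def stub_resolve(name, resolv_conf, upstream=upstream_query):
    """Strategy 1: all nameservers in /etc/resolv.conf. The stub only moves
    to the next server on timeout/error, so the first server's NXDOMAIN is
    the answer for that candidate. Returns (address or None, query trace)."""
    search, nameservers, ndots = parse_resolv_conf(resolv_conf)
    trace = []
    for cand in search_candidates(name, search, ndots):
        rcode, addr = upstream(nameservers[0], cand)
        trace.append(f"{cand} -> {nameservers[0]}: {rcode}")
        if rcode == "A":
            return addr, trace
    return None, trace


def parse_dnsmasq_conf(text):
    """Collect server=/domain/ip routes from a dnsmasq config fragment."""
    routes = {}
    for line in text.splitlines():
        m = re.fullmatch(r"server=/([^/]+)/(\S+)", line.strip())
        if m:
            routes[m.group(1).lower()] = m.group(2)
    return routes


def dnsmasq_pick_server(fqdn, routes, default_servers):
    """Longest matching server=/domain/ suffix wins; else a resolv-file server."""
    labels = fqdn.lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in routes:
            return routes[suffix]
    return default_servers[0]


def dnsmasq_resolve(name, client_resolv_conf, dnsmasq_conf, resolv_file,
                    upstream=upstream_query):
    """Strategy 2: the client stub still does the search expansion; dnsmasq
    sends each candidate to the one server that is responsible for it.
    Returns (address or None, a trace in the spirit of log-queries)."""
    search, _, ndots = parse_resolv_conf(client_resolv_conf)
    routes = parse_dnsmasq_conf(dnsmasq_conf)
    _, default_servers, _ = parse_resolv_conf(resolv_file)
    trace = []
    for cand in search_candidates(name, search, ndots):
        server = dnsmasq_pick_server(cand, routes, default_servers)
        rcode, addr = upstream(server, cand)
        trace.append(f"{cand} -> {server}: {rcode}")
        if rcode == "A":
            return addr, trace
    return None, trace


if __name__ == "__main__":
    for host in ("foobar", "db", "printer"):
        print("strategy 1:", host, stub_resolve(host, RESOLV_CONF_ALL_SERVERS))
        print("strategy 2:", host, dnsmasq_resolve(host, RESOLV_CONF_LOCALHOST,
                                                   DNSMASQ_CONF, DNSMASQ_RESOLV_FILE))
```

Running it shows the "sometimes it works" symptom directly: with 1.1.1.1 listed first, `foobar` fails under strategy 1 because every search expansion gets NXDOMAIN from a server that has never heard of vpn2.com, and the same name resolves as soon as the nameserver order puts 2.2.2.2 first. Under strategy 2 the same candidates are generated by the stub resolver, but `foobar.vpn3.com` goes to 3.3.3.3 and `foobar.vpn2.com` to 2.2.2.2, so the second candidate succeeds regardless of ordering. The trace lines are a rough stand-in for what `log-queries` prints; on a real host, confirm the behaviour there rather than trusting the model.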