[Dnsmasq-discuss] how to set NS for a zone?
Carlos Carvalho
carlos at fisica.ufpr.br
Tue Mar 8 16:30:16 GMT 2011
Simon Kelley (simon at thekelleys.org.uk) wrote on 7 March 2011 21:44:
>Carlos Carvalho wrote:
>
>> For dnsmasq to be authoritative it has to answer queries about the
>> zone by itself, without querying anybody else; if an entry isn't known
>> to the authoritative server it means it doesn't exist. So dnsmasq must
>> have local=/the.zone/ in the config. Therefore it won't send queries
>> to other servers about it.
>>
>> Also, another server would reach the parent but might as well check
>> the indicated authoritative zone server for good measure, and would
>> get from it the answer that it doesn't exist(?!)...
>>
>
>So, can somebody set down under exactly what circumstances being able to
>set an NS record in dnsmasq would be useful? It's clearly pretty easy to
>add as a feature, but I'm not sure why the need.
Sorry, I think what I wrote above is the answer: if dnsmasq is to be
authoritative for a zone it has to answer all questions about it, and
be configured to not forward any questions; instead, other servers
must be configured to forward questions to dnsmasq. If dnsmasq itself
forwards questions about its own zone, a loop is created.
>(Being able to return NS records for arbitrary domains looks like a
>really good way to confuse the unwary, but that's maybe a different point)
It's not for arbitrary domains, it's only for the zone it's
authoritative for. The one that has local=/my.zone/ in the config.
I've made some tests and it seems that answering NS queries is not
only "good behavior", it's essential. They're shown below; the
domain is of a new university here.
Objective: make dnsmasq the authoritative zone server, because it has
all the info, both for static names and for dhcp-assigned ones.
We're using (for now...) ISC named as the recursor, in a different
machine. Both would be listed as dns servers for the domain in the
national registrar:
named: 200.134.33.2
dnsmasq: 200.134.33.10
named is configured as cache-only but forwarding requests to dnsmasq
for the zone. This is named.conf.local:
zone "unila.edu.br" {
type forward;
forward only;
forwarders { 200.134.33.10; }; <===== dnsmasq machine
};
zone "33.134.200.in-addr.arpa" {
type forward;
forward only;
forwarders { 200.134.33.10; };
};
dnsmasq is configured as (dns part only):
addn-hosts=/etc/dnsmasq/hosts
log-queries
local=/unila.edu.br/
local=/33.134.200.in-addr.arpa/
server=200.134.33.2 <===== named machine
bind-interfaces
localise-queries
bogus-priv
filterwin2k
no-resolv
no-poll
stop-dns-rebind
mx-host=unila.edu.br,unila2.unila.edu.br
cname=mx.unila.edu.br,unila2.unila.edu.br
cname=correio.unila.edu.br,unila2.unila.edu.br
domain-needed
Summary: named is cache-only and sends all queries about unila.edu.br
to dnsmasq, while dnsmasq answers all queries about unila.edu.br by
itself and sends everything else to named.
The setup works IFF you ask the servers directly:
% host unila1.unila.edu.br 200.134.33.10
unila1.unila.edu.br A 200.134.33.254
% host unila1.unila.edu.br 200.134.33.2
unila1.unila.edu.br A 200.134.33.254
and the dnsmasq log shows the query from named:
Mar 8 13:18:31 dnsmasq[27535]: query[A] unila1.unila.edu.br from 200.134.33.2
Mar 8 13:18:31 dnsmasq[27535]: /etc/dnsmasq/hosts unila1.unila.edu.br is 200.134.33.254
which shows the named forward works.
However queries without the explicit nameserver don't work:
% host parana.unila.edu.br
;; connection timed out; no servers could be reached
% dig unila1.unila.edu.br +trace
; <<>> DiG 9.7.2-P3 <<>> unila1.unila.edu.br +trace
;; global options: +cmd
. 358303 IN NS c.root-servers.net.
. 358303 IN NS f.root-servers.net.
. 358303 IN NS e.root-servers.net.
. 358303 IN NS a.root-servers.net.
. 358303 IN NS m.root-servers.net.
. 358303 IN NS g.root-servers.net.
. 358303 IN NS i.root-servers.net.
. 358303 IN NS d.root-servers.net.
. 358303 IN NS h.root-servers.net.
. 358303 IN NS b.root-servers.net.
. 358303 IN NS l.root-servers.net.
. 358303 IN NS j.root-servers.net.
. 358303 IN NS k.root-servers.net.
;; Received 272 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
br. 172800 IN NS f.dns.br.
br. 172800 IN NS e.dns.br.
br. 172800 IN NS c.dns.br.
br. 172800 IN NS a.dns.br.
br. 172800 IN NS d.dns.br.
br. 172800 IN NS b.dns.br.
;; Received 289 bytes from 128.8.10.90#53(d.root-servers.net) in 156 ms
unila.edu.br. 86400 IN NS ns.unila.edu.br.
unila.edu.br. 86400 IN NS ns2.unila.edu.br.
;; Received 104 bytes from 200.219.159.10#53(f.dns.br) in 9 ms
;; connection timed out; no servers could be reached
Note that the query doesn't reach dnsmasq. Is it because it doesn't
have NS or something else is amiss?
Of course, with named configured for answering the zone
authoritatively it works.
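The following script is an added example, not code from the post or from the dnsmasq project. It parses the `dig +trace` output quoted above (a trimmed copy is embedded so it runs offline) and reports which servers the parent delegates the zone to, whether those names sit inside the zone (so the parent must also publish glue), and, when the trace ends in a timeout, which addresses (taken from the post: 200.134.33.2 and 200.134.33.10) have to answer A, NS and SOA queries for the zone themselves. The regular expressions and the `EXPECTED_SERVERS` set are assumptions made for this example.

```python
"""Parse `dig +trace` output and report where a delegation stops answering.

Added example (not part of the mailing-list post): the trace text below is a
trimmed copy of the one in the message, embedded so the script runs offline.
"""
import re
from dataclasses import dataclass

# Trimmed copy of the `dig unila1.unila.edu.br +trace` output from the post.
SAMPLE_TRACE = """\
; <<>> DiG 9.7.2-P3 <<>> unila1.unila.edu.br +trace
;; global options: +cmd
.                       358303  IN      NS      c.root-servers.net.
.                       358303  IN      NS      d.root-servers.net.
;; Received 272 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
br.                     172800  IN      NS      f.dns.br.
br.                     172800  IN      NS      a.dns.br.
;; Received 289 bytes from 128.8.10.90#53(d.root-servers.net) in 156 ms
unila.edu.br.           86400   IN      NS      ns.unila.edu.br.
unila.edu.br.           86400   IN      NS      ns2.unila.edu.br.
;; Received 104 bytes from 200.219.159.10#53(f.dns.br) in 9 ms
;; connection timed out; no servers could be reached
"""

# Addresses the post says are meant to be authoritative for unila.edu.br
# (the named machine and the dnsmasq machine).
EXPECTED_SERVERS = {"200.134.33.2", "200.134.33.10"}

NS_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)$")
RECV_RE = re.compile(r"^;; Received \d+ bytes from (\S+)")
FAIL_RE = re.compile(r"connection timed out|no servers could be reached")


@dataclass
class Referral:
    zone: str          # zone whose NS set was returned, e.g. "unila.edu.br."
    nameservers: list  # NS names listed for that zone
    responder: str     # server that sent the referral, e.g. "200.219.159.10#53(f.dns.br)"


def parse_dig_trace(text):
    """Return (referrals, timed_out): one Referral per hop, plus whether the
    trace ended with dig unable to reach the delegated servers."""
    referrals, pending, timed_out = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = NS_RE.match(line)
        if m:
            pending.append(m.groups())  # (zone, ns name)
            continue
        m = RECV_RE.match(line)
        if m and pending:
            zone = pending[0][0]
            referrals.append(Referral(zone, [ns for _, ns in pending], m.group(1)))
            pending = []
            continue
        if FAIL_RE.search(line):
            timed_out = True
    return referrals, timed_out


def needs_glue(zone, ns_name):
    """True when the NS name lies inside the zone it serves, so the parent
    must carry a glue A record for it or resolvers cannot find the server."""
    return ns_name == zone or ns_name.endswith("." + zone)


def diagnose(text, expected_servers):
    """Explain where resolution stopped and what the delegated servers must provide."""
    referrals, timed_out = parse_dig_trace(text)
    if not referrals:
        return "no referrals found in trace"
    last = referrals[-1]
    lines = [f"{last.responder} delegates {last.zone} to {', '.join(last.nameservers)}"]
    for ns in last.nameservers:
        if needs_glue(last.zone, ns):
            lines.append(f"{ns} is inside {last.zone}: the parent must publish glue for it")
    if timed_out:
        lines.append(
            "no delegated server answered; each of "
            + ", ".join(sorted(expected_servers))
            + f" should answer A, NS and SOA queries for {last.zone} itself, "
            "without forwarding them to the other server"
        )
    else:
        lines.append("delegated servers answered")
    return "\n".join(lines)


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, EXPECTED_SERVERS))
```

Run it against a saved trace (`dig zone +trace > trace.txt`) by passing the file's contents to `diagnose`; the last referral it prints is the one whose servers a resolver on the public side actually contacts, which is where the missing NS answer in the post would show up.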