[Dnsmasq-discuss] A reason for setting NS records in dnsmasq

Simon Kelley simon at thekelleys.org.uk
Fri Nov 2 11:58:47 GMT 2012


On 01/11/12 21:58, Gui Iribarren wrote:
>> Simon Kelley (simon at ...) wrote on 7 March 2011 21:44:
>>  >So, can somebody set down under exactly what circumstances being able to
>>  >set an NS record in dnsmasq would be useful? It's clearly pretty easy to
>>  >add as a feature, but I'm not sure why the need.
> 
> Hello Simon,
> (...resurrecting
> http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4721)
> I'm currently trying to make clients of a wireless community network
> have public resolvable addresses.
> This wouldn't make much sense in the ipv4 world where leases are in private
> ranges,
> but it does make a lot of sense combined with dnsmasq's nifty (and
> certainly unique) feature of ra-names, since SLAAC addresses are global :)
> 
> I have to overcome 3 difficulties:
> 1) My dnsmasq server is reachable on ipv6 only (ipv4 is not public)
> 2) nic.ar (registrar) doesn't support setting ipv6 NS
> records at all.
> 3) dnsmasq doesn't offer NS records for a local=/domain/
> 
> To overcome (1) and (2), in the registrar I've pointed deltalibre.org.ar
> NS records to the public ipv4 of a dual-stack server, running bind9.
> That bind9 has a zone defined esperita.deltalibre.org.ar as "forward-only"
> and a forwarders clause pointing to the ipv6 of the dnsmasq server.
> [So in effect, the bind9 acts as a "man in the middle" between my
> ipv4-only registrar, and my ipv6-only dnsmasq.]
> So far so good.
> 
> Problem is, when I "dig -t NS @8.8.8.8 esperita.deltalibre.org.ar", I get a
> SERVFAIL :(
> 
> This prevents me from querying anything inside that subdomain; digging
> colmena.esperita.deltalibre.org.ar also gives back a SERVFAIL
> 
> (querying the dnsmasq server directly works)
> 
> $ dig -t AAAA @2a00:1508:1:f003::1 colmena.esperita.deltalibre.org.ar +nocmd +nocomments
> ;colmena.esperita.deltalibre.org.ar.    IN    AAAA
> colmena.esperita.deltalibre.org.ar. 600    IN AAAA 2a00:1508:1:f003:fad1:11ff:fe50:4757
> ;; Query time: 116 msec
> ;; SERVER: 2a00:1508:1:f003::1#53(2a00:1508:1:f003::1)
> ;; WHEN: Thu Nov  1 18:42:33 2012
> ;; MSG SIZE  rcvd: 80
> 
> If I could get the dnsmasq running at 2a00:1508:1:f003::1 to reply with
> an NS record pointing to itself, when queried about
> esperita.deltalibre.org.ar, all this scheme should work.
> 
> Which would in turn be a *very* elegant and simple way of handling DNS
> resolving for clients. A kind of "dyndns" service of the future :)
> 
> What do you think? Would that be an argument for implementing this into
> dnsmasq?

That looks very interesting. It's out of comfort-zone for DNS-wrangling,
but I will cause it to be looked at by people who know more about this.
If they think it's a valid thing to do, I'll implement enough NS record
functionality to make it possible.

One thought: to make this work, you are going to have to make dnsmasq
open to queries from "outside". That's normally seen as a really bad
idea. It may be necessary to limit the domains and/or query types for
queries from outside.

Cheers,

Simon.
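The thread turns on one observable difference: the public resolver answers the NS query for the subdomain with SERVFAIL because nothing in the chain hands out an NS RRset for it, whereas the desired behaviour is a NOERROR answer carrying an NS record (plus AAAA glue) that points the resolver at the dnsmasq host. The following is an added example, not code from the post or from dnsmasq or bind9: a small DNS wire-format encoder and parser that reproduces that check offline on two constructed responses, one mirroring the SERVFAIL the poster saw and one shaped like the delegation he is asking for. The zone name and the dnsmasq address 2a00:1508:1:f003::1 come from the post; the nameserver hostname `ns.esperita.deltalibre.org.ar` and both response packets are constructed here and are assumptions.

```python
"""Added example (not from the mailing-list post or the dnsmasq project):
build DNS query/response packets by hand and check whether a response to
an NS query is a SERVFAIL or a usable delegation (NS RRset + AAAA glue)."""
import ipaddress
import struct

QTYPE_NS = 2
QTYPE_AAAA = 28
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def fqdn(name):
    return name.rstrip(".") + "."


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:  # refuse pointer loops in malformed packets
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def build_query(name, qtype, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query, rcode, answer=(), authority=(), additional=()):
    """Constructed reply to `query`; records are (owner, type, ttl, rdata bytes).
    An owner equal to the question name is written as the pointer 0xC00C."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = 0x8180 | (rcode & 0xF)  # QR, RD, RA, rcode
    body = b""
    for rrs in (answer, authority, additional):
        for owner, rtype, ttl, rdata in rrs:
            owner_bytes = b"\xc0\x0c" if fqdn(owner) == qname else encode_name(owner)
            body += owner_bytes + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answer), len(authority), len(additional))
    return header + question + body


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    records = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_off, off = off, off + rdlen
            if rtype == QTYPE_NS:  # NS rdata is a name and may itself be compressed
                data, _ = decode_name(msg, rdata_off)
            elif rtype == QTYPE_AAAA and rdlen == 16:
                data = str(ipaddress.IPv6Address(msg[rdata_off:off]))
            else:
                data = msg[rdata_off:off].hex()
            records.append({"section": section, "owner": owner, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)), "records": records}


def delegation_check(msg):
    """The thread's test: (rcode name, nameservers found in answer/authority)."""
    parsed = parse_response(msg)
    nameservers = [r["data"] for r in parsed["records"]
                   if r["type"] == QTYPE_NS and r["section"] in ("answer", "authority")]
    return parsed["rcode"], nameservers


ZONE = "esperita.deltalibre.org.ar"          # zone from the post
DNSMASQ_V6 = "2a00:1508:1:f003::1"           # dnsmasq address from the post
NS_HOST = "ns.esperita.deltalibre.org.ar"     # hypothetical hostname for that box

query = build_query(ZONE, QTYPE_NS)
# Constructed: what the poster reports from 8.8.8.8, SERVFAIL and no records.
servfail_reply = build_response(query, rcode=2)
# Constructed: the delegation he wants dnsmasq to emit, NS plus AAAA glue.
delegated_reply = build_response(
    query, rcode=0,
    answer=[(ZONE, QTYPE_NS, 600, encode_name(NS_HOST))],
    additional=[(NS_HOST, QTYPE_AAAA, 600, ipaddress.IPv6Address(DNSMASQ_V6).packed)],
)

if __name__ == "__main__":
    print("8.8.8.8-style reply:", delegation_check(servfail_reply))
    print("delegated reply:    ", delegation_check(delegated_reply))
```

Pointing `delegation_check` at real traffic means sending `query` over UDP to the resolver under test and parsing what comes back; the parser already handles the compression pointers real resolvers use and bounds the pointer chain so a hostile reply cannot loop it. It also makes Simon's caveat concrete: a dnsmasq that answers this NS query from the Internet is reachable for every other query type too, so any deployment of the scheme needs a filter on which names and types the public side will answer.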
