[Dnsmasq-discuss] A reason for setting NS records in dnsmasq

Gui Iribarren gui at altermundi.net
Tue Nov 6 06:28:56 GMT 2012


On Fri, Nov 2, 2012 at 9:46 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 02/11/12 12:43, Gui Iribarren wrote:
>>
>> On Fri, Nov 2, 2012 at 8:58 AM, Simon Kelley <simon at thekelleys.org.uk
>> <mailto:simon at thekelleys.org.uk>> wrote:
>>
>>     That looks very interesting. It's out of comfort-zone for DNS-wrangling,
>>     but I will cause it to be looked at by people who know more about this.
>>     If they think it's a valid thing to do, I'll implement enough NS record
>>     functionality to make it possible.
>>
>>
>> When I first changed the NS at the registrar (from a proper,
>> authoritative one) to pointing to my frankenstein, there was a window of
>> a couple of hours, until it propagated completely, where I could ask
>> 8.8.8.8, and my dnsmasq would return a cached correct NS reply, thus it
>> all worked for an afternoon. I was delighted. :)
>> Since then I've been banging my head, trying different configs in bind9
>> / dnsmasq, until accepting an NS record in dnsmasq would make it.

I learned today that I still don't fully understand the DNS protocol :P
The scheme is actually partially working after all, I can't believe it!
(Resolving hostnames is the partially working side.)

$ dig roberlandia.esperita.deltalibre.org.ar -taaaa +all @8.8.8.8
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8568
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;roberlandia.esperita.deltalibre.org.ar.    IN AAAA

;; ANSWER SECTION:
roberlandia.esperita.deltalibre.org.ar.    600 IN AAAA 2a00:1508:1:f003:56e6:fcff:feb9:b645

;; Query time: 1428 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov  6 00:58:47 2012
;; MSG SIZE  rcvd: 84

That answer comes from a dnsmasq buried deep under NATs but happily
reachable through an IPv6 tunnel.

Still, NS records fail as described, and that's the non-working part
of the scheme.

AAAA records resolve fine because the authoritative bind9 provides
"glue" when asked for esperita.deltalibre.org.ar NS, and then dnsmasq
can be queried directly for the AAAA, avoiding the NS query to dnsmasq
which would fail.

After all, currently any "DNS Report" warns that
esperita.deltalibre.org.ar is broken, because of the SERVFAILs when
querying the nameserver about the NS records, which should reply
pointing to itself.

>>
>> Definitely: as it stands right now, when asked for A records, it answers
>> with 10.x.x.x to queries from the Internet, which is a *big* no-no...
>> So that would need a "reverse" bogus-priv option or something
> That's true, but more generally accepting queries from outside that then
> get forwarded outside makes a DNS forwarder into a DoS amplifier. There
> would have to be access control that only accepted queries that can be
> answered internally.
Nice point, I hadn't thought about it. Seems publishing the real
domains/IPs wasn't such a good idea after all - now the genie is out of
the bottle :(


>
>>
>> But I'm really glad you liked the idea
>>
>> it's a simple free-ride on the inspiringly elegant hack that is ra-names ;)
>>
> Flattery will get you anywhere :)  I can only accept credit for the
> implementation: I'm aware of at least two different inventors, neither
> of them me.

Granted. But if OpenWrt (to mention just one) chose to ship dnsmasq by
default, it's probably because of code efficiency/size/features and
not developer humbleness :P

Thanks!

Gui

>
> Cheers,
>
> Simon.
>
>
>
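The two behaviours discussed in this message, delegation working through the parent's glue while an NS query to the delegated server SERVFAILs, and Simon's point that an Internet-facing forwarder must only accept queries it can answer from its own data, as an added worked example that is not part of the thread and not dnsmasq or bind9 code. It is a toy in-memory model: the parent (bind9-like) zone hands out a referral plus a glue AAAA, the child (dnsmasq-like, no NS support) answers from a host table but SERVFAILs on NS, and a minimal iterative resolver walks the referral. The nameserver name ns.esperita.deltalibre.org.ar is an assumed placeholder; the AAAA address is the one from the dig output above.

```python
"""Toy model of the delegation discussed in the thread (added example).

Not dnsmasq or bind9 code. A parent zone (the bind9 host for deltalibre.org.ar)
delegates esperita.deltalibre.org.ar to a child server modelled on dnsmasq
without NS support: it answers AAAA for names it knows but returns SERVFAIL
when asked for the NS records of its own zone.
"""

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

CHILD_ZONE = "esperita.deltalibre.org.ar."
CHILD_NS = "ns.esperita.deltalibre.org.ar."           # assumed placeholder name
CHILD_ADDR = "2a00:1508:1:f003:56e6:fcff:feb9:b645"  # address from the thread's dig output


def in_zone(name, zone):
    """True if name is the zone apex itself or a name below it."""
    return name == zone or name.endswith("." + zone)


def response(status, answer=(), authority=(), additional=()):
    return {"status": status, "answer": list(answer),
            "authority": list(authority), "additional": list(additional)}


class ParentServer:
    """bind9-like server for deltalibre.org.ar.: returns a referral plus glue
    for anything at or below the delegated child zone."""

    def __init__(self):
        self.delegations = {CHILD_ZONE: (CHILD_NS, CHILD_ADDR)}

    def query(self, qname, qtype):
        for zone, (ns, addr) in self.delegations.items():
            if in_zone(qname, zone):
                # Referral: the NS record goes in AUTHORITY, the glue AAAA in ADDITIONAL.
                return response(NOERROR, authority=[(zone, "NS", ns)],
                                additional=[(ns, "AAAA", addr)])
        return response(NXDOMAIN)


class ChildServer:
    """dnsmasq-like server: answers from a host table, has no NS records at all."""

    def __init__(self, hosts):
        self.hosts = hosts  # {owner name: {rrtype: rdata}}

    def query(self, qname, qtype):
        if qtype == "NS":
            return response(SERVFAIL)  # the failure that "DNS report" tools flag
        rr = self.hosts.get(qname, {})
        if qtype in rr:
            return response(NOERROR, answer=[(qname, qtype, rr[qtype])])
        return response(NXDOMAIN)


class Resolver:
    """Minimal iterative resolver: ask the parent, follow one referral using its glue."""

    def __init__(self, parent, servers_by_addr):
        self.parent = parent
        self.servers = servers_by_addr

    def resolve(self, qname, qtype):
        resp = self.parent.query(qname, qtype)
        if resp["status"] != NOERROR:
            return resp["status"], []
        if resp["answer"]:
            return NOERROR, resp["answer"]
        glue = {name: addr for name, _, addr in resp["additional"]}
        for _zone, _, ns in resp["authority"]:
            addr = glue.get(ns)
            if addr is None or addr not in self.servers:
                # Without glue the NS name could only be resolved through the
                # very server it names; treat that as a dead end here.
                return SERVFAIL, []
            child = self.servers[addr].query(qname, qtype)
            return child["status"], child["answer"]
        return SERVFAIL, []


def accept_external_query(qname, local_zones):
    """Access-control rule from the thread: a forwarder reachable from the
    Internet only accepts queries it can answer from its own zones; anything
    it would have to forward upstream is refused, so it cannot be used as a
    reflection/amplification vector."""
    return any(in_zone(qname, z) for z in local_zones)


def build_resolver():
    """Wire up the constructed parent and child servers from this example."""
    child = ChildServer({"roberlandia." + CHILD_ZONE: {"AAAA": CHILD_ADDR}})
    return Resolver(ParentServer(), {CHILD_ADDR: child})


if __name__ == "__main__":
    r = build_resolver()
    print(r.resolve("roberlandia." + CHILD_ZONE, "AAAA"))  # answered via the glue
    print(r.resolve(CHILD_ZONE, "NS"))                     # SERVFAIL from the child
    print(accept_external_query("roberlandia." + CHILD_ZONE, [CHILD_ZONE]),
          accept_external_query("example.com.", [CHILD_ZONE]))
```

The AAAA lookup succeeds only because the parent's referral carries the glue address, so the resolver never needs to ask the child who its nameservers are; the moment something asks the child for the NS set of its own zone, the SERVFAIL surfaces.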
