[Dnsmasq-discuss] A reason for setting NS records in dnsmasq
Simon Kelley
simon at thekelleys.org.uk
Sun Dec 9 21:48:30 GMT 2012
On 01/11/12 21:58, Gui Iribarren wrote:
> Hello Simon,
> (...resurrecting
> http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4721)
> i'm currently trying to make clients of a wireless community network have
> public resolvable addresses.
> This wouldn't make much sense in ipv4 world where leases are in private
> ranges,
> but it does make a lot of sense combined with dnsmasq nifty (and certainly
> unique) feature of ra-names, since SLAAC addresses are global :)
>
> I have to overcome 3 difficulties:
> 1) My dnsmasq server is reachable on ipv6 only (ipv4 is not public)
> 2) nic.ar (registrar) doesn't support setting ipv6 NS records at all.
> 3) dnsmasq doesn't offer NS records for a local=/domain/
>
> To overcome (1) and (2), in the registrar I've pointed deltalibre.org.ar NS
> records to the public ipv4 of a dual-stack server, running bind9.
> That bind9 has a zone defined esperita.deltalibre.org.ar as "forward-only"
> and forwarders clause pointing to the ipv6 of dnsmasq server.
> [So in effect, the bind9 acts as a "man in the middle" between my ipv4-only
> registrar, and my ipv6-only dnsmasq.]
> So far so good.
>
> Problem is, when i "dig -t NS @8.8.8.8 esperita.deltalibre.org.ar", i get a
> SERVFAIL :(
>
> This prevents me from querying anything inside that subdomain; digging
> colmena.esperita.deltalibre.org.ar also gives back a SERVFAIL
>
> (querying the dnsmasq server directly works)
>
> $ dig -t AAAA @2a00:1508:1:f003::1
> colmena.esperita.deltalibre.org.ar +nocmd +nocomments
> ;colmena.esperita.deltalibre.org.ar. IN AAAA
> colmena.esperita.deltalibre.org.ar. 600 IN AAAA
> 2a00:1508:1:f003:fad1:11ff:fe50:4757
> ;; Query time: 116 msec
> ;; SERVER: 2a00:1508:1:f003::1#53(2a00:1508:1:f003::1)
> ;; WHEN: Thu Nov 1 18:42:33 2012
> ;; MSG SIZE rcvd: 80
>
> If i could get the dnsmasq running at 2a00:1508:1:f003::1 to reply with an
> NS record pointing to itself, when queried about esperita.deltalibre.org.ar,
> all this scheme should work.
>
> Which would in turn be a *very* elegant and simple way of handling DNS
> resolving for clients. A kind of "dyndns" service of the future :)
>
> What do you think? would that be an argument for implementing this into
> dnsmasq?
> (or maybe there's another way to do this i'm overlooking)
> (dnsmasq is running on a space-tight openwrt, so running bind9+dnsmasq is
> not an option)
>
OK, I started with this and ended up with something that looks really
very useful, but I'm not sure it solves exactly your problem. This is
still very much work in progress, so the configuration and functions may
change.
Essentially, I've added a complete authoritative mode to dnsmasq, in
about 800 lines of code.
The documentation has not been done yet, but you need two lines minimum
in the config file to configure it.
First
auth-server=<nameserver>,<interface>
The nameserver is the DNS name that resolves (from the outside) to the
address of the dnsmasq server, and the interface is where those queries
will arrive, so that dnsmasq treats them as authoritative.
So I have
auth-server=thekelleys.org.uk,cable
where cable is the name of the interface to my cablemodem, and
thekelleys.org.uk is resolved, via dyndns, to the public IPv4 address of
my system.
Second
auth-zone=<domain>,<subnet>,.....
This is the domain that you want to appear in the global dns, and some
subnets which are used both as a filter and to make reverse DNS
automagically work.
So I have
auth-zone=lan.thekelleys.org.uk,2a01:348:29f::/48
Since I have publicly accessible IPv6 addresses.
The configuration outside of dnsmasq consists of the A record for
thekelleys.org.uk, and an NS record for lan.thekelleys.org.uk pointing
to thekelleys.org.uk and finally an NS record for
2.9.f.0.8.4.3.0.1.0.a.2.ip6.arpa which also points to thekelleys.org.uk
to do reverse DNS.
What appears in *.lan.thekelleys.org.uk is reasonably simple.
1) Anything in /etc/hosts and friends in *.lan.thekelleys.org.uk
2) Anything with domain *.lan.thekelleys.org.uk defined by --mx-host,
--srv-host, --txt-record, --dns-rr, --cname, and --interface-name.
3) The name of any DHCP lease, as <name>.lan.thekelleys.org.uk
With the caveat that for A and AAAA records, the address must lie in one
of the subnets given in the --auth-zone option. This means that, for
instance, the RFC1918 addresses of my internal machines don't escape,
since I've not specified those subnets.
You should be able to do
dig aaaa spike.lan.thekelleys.org.uk
and get the IPv6 address of the machine I'm typing this on. You should
then be able to do a reverse query on that address and get back to the
machine name.
Importantly, queries via the auth interface are _only_ answered with
internal data, they are never forwarded, so it's safe to make the
service available on the internet and doesn't set up an open DNS relay.
That's enough information to set up globally-accessible DNS for machines
inside a network, using dnsmasq. There's actually quite a lot more,
including zone-transfer support to allow secondary authoritative
servers. If you poke around lan.thekelleys.org.uk, you'll see that
working, using the secondary DNS service from Dyndns.org (who donated
the service for testing purposes - thanks guys!)
I'll write about the extra features soon, but in the meantime, I'd be
very interested to hear of experiences using the stuff above, as
available in
http://www.thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.65test3.tar.gz
Cheers,
Simon.
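An added example (not dnsmasq's own code, using constructed host data and hypothetical names) that models two of the checks described in the message: which A/AAAA records the --auth-zone subnet filter lets out of the zone, and the ip6.arpa / in-addr.arpa name a prefix needs delegated for reverse lookups to reach the server:

```python
import ipaddress

# Constructed configuration mirroring the message:
#   auth-zone=lan.thekelleys.org.uk,2a01:348:29f::/48
AUTH_ZONE = "lan.thekelleys.org.uk"
AUTH_SUBNETS = [ipaddress.ip_network("2a01:348:29f::/48")]

# Constructed hosts/leases (hypothetical names; the RFC1918 addresses
# stand in for the internal addresses that must not escape).
HOSTS = {
    "spike": ["2a01:348:29f:1::10", "192.168.1.10"],
    "printer": ["192.168.1.20"],
    "gateway": ["2a01:348:29f::1", "10.0.0.1"],
}


def exported_records(hosts, zone, subnets):
    """(fqdn, rrtype, address) tuples visible in the auth zone: an A/AAAA
    record is published only if its address lies in a listed subnet."""
    out = []
    for name, addrs in hosts.items():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if any(ip in net for net in subnets):
                rrtype = "AAAA" if ip.version == 6 else "A"
                out.append((f"{name}.{zone}", rrtype, str(ip)))
    return out


def reverse_zone(net):
    """Reverse zone the parent must delegate for `net` (nibble-aligned
    IPv6 / octet-aligned IPv4 prefixes only)."""
    labels = net.network_address.reverse_pointer.split(".")
    if net.version == 6:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zone needs a nibble-aligned prefix")
        return ".".join(labels[32 - net.prefixlen // 4:])
    if net.prefixlen % 8:
        raise ValueError("IPv4 reverse zone needs an octet-aligned prefix")
    return ".".join(labels[4 - net.prefixlen // 8:])


def ptr_delegated(addr, subnets):
    """True if the PTR name for addr lies under a reverse zone derived from
    one of the subnets, i.e. a reverse lookup can succeed via the delegation."""
    ptr = ipaddress.ip_address(addr).reverse_pointer
    return any(ptr.endswith("." + reverse_zone(net)) for net in subnets)


if __name__ == "__main__":
    for rec in exported_records(HOSTS, AUTH_ZONE, AUTH_SUBNETS):
        print(*rec)
    for net in AUTH_SUBNETS:
        print("delegate:", reverse_zone(net))
```

Compare the computed reverse zone name against what is actually typed into the parent zone; the nibble order is easy to get backwards by hand.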