[Dnsmasq-discuss] A reason for setting NS records in dnsmasq
Simon Kelley
simon at thekelleys.org.uk
Wed Jan 23 19:38:05 GMT 2013
On 23/01/13 17:45, Gui Iribarren wrote:
> On 01/11/2013 10:22 AM, Gui Iribarren wrote:
>> Simon,
>> sorry for not giving a single feedback on this until now,
>> December wasn't my geekiest month :)
>> but I'm getting back on this at the moment and hope to report results soon
>
> Simon, I know I have praised you much already,
> but you just keep giving me reasons to do so :)
>
> ### Previously... ###
>
> $ dig demo.deltalibre.org.ar @8.8.8.8 +all ns
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12711
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;demo.deltalibre.org.ar. IN NS
>
> ;; Query time: 951 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jan 23 07:27:11 2013
> ;; MSG SIZE rcvd: 40
>
> ### Running dnsmasq version 2.66test4 ###
> ### with auth-server config ###
>
> $ dig demo.deltalibre.org.ar @8.8.8.8 +all ns
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44364
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;demo.deltalibre.org.ar. IN NS
>
> ;; ANSWER SECTION:
> demo.deltalibre.org.ar. 600 IN NS gw-demo.deltalibre.org.ar.
>
> ;; Query time: 616 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Jan 23 07:27:21 2013
> ;; MSG SIZE rcvd: 62
>
> This is marvellous, just as proposed and promised!
>
> And the non-open-relay thing is perfect:
>
> $ dig altermundi.net @2a00:1508:1:feca::1 +all ns
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20143
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;altermundi.net. IN NS
>
> ;; Query time: 620 msec
> ;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
> ;; WHEN: Wed Jan 23 07:59:45 2013
> ;; MSG SIZE rcvd: 32
>
> What I find particularly interesting is that, contrary to what I supposed,
> the decision to recurse depends on over which interface the query is arriving,
> and not on the destination IP!
>
> root at wdr3500:~# tail -n2 /etc/dnsmasq.conf
> auth-server=gw-demo.deltalibre.org.ar,librenet6
> auth-zone=demo.deltalibre.org.ar,2a00:1508:1:feca::/64
>
> that librenet6 is the tunnel broker interface that connects to the v6 Internet
>
> root at wdr3500:~# ip -6 a s dev librenet6
> 15: librenet6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qlen 1000
> inet6 fe80::802d:fbff:fe7e:8892/64 scope link
> valid_lft forever preferred_lft forever
> root at wdr3500:~# ip -6 a s dev br-lan
> 8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
> inet6 2a00:1508:1:feca::1/64 scope global
> valid_lft forever preferred_lft forever
> inet6 fe80::6670:2ff:fe3d:90e7/64 scope link
> valid_lft forever preferred_lft forever
>
> If I query from a locally connected computer, which is connected to br-lan,
> I find a beloved recursive DNS caching server
>
> home:~$ dig @2a00:1508:1:feca::1 aaaa altermundi.net +all
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1521
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;altermundi.net. IN AAAA
>
> ;; ANSWER SECTION:
> altermundi.net. 28797 IN AAAA 2a00:1508:1:f001::103
>
> ;; Query time: 1 msec
> ;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
> ;; WHEN: Wed Jan 23 14:20:04 2013
> ;; MSG SIZE rcvd: 60
>
> While if I query from any remote site, so that the query enters through librenet6,
> voilà! No recursion. And I'm contacting the same IP... I'm impressed
>
> remotepc:~# dig @2a00:1508:1:feca::1 aaaa altermundi.net +all
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44811
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;altermundi.net. IN AAAA
>
> ;; Query time: 266 msec
> ;; SERVER: 2a00:1508:1:feca::1#53(2a00:1508:1:feca::1)
> ;; WHEN: Wed Jan 23 14:22:27 2013
> ;; MSG SIZE rcvd: 32
>
Sadly, that feature isn't quite as good as you think. Probably if you do
the same query over TCP (dig +vc) you'll get a different result, and it
may also change if you set --bind-interfaces.
Making it behave in the way you observed isn't even possible in all
cases, as some OSes can't provide the required information. (I just
learned how to determine the arrival interface for a TCP connection on
Linux, which involves the use of obsolete APIs; I don't know how or even
if it's possible on *BSD.)
To be sure of consistent results, it's necessary to send queries to
an address of the interface they arrive at, not an address on another
interface on the server. If you always do that, there will never be any
surprises. You can relax that rule a bit if you have two interfaces with
the same class of service, i.e. recursive DNS or auth DNS; in that case
swapping addresses around is OK.
> In case I would get native IPv6 and could drop the tunnel,
> I'd simply put "eth1" in the auth-server= line
>
> (In my previous emails, I misunderstood how the auth-server line
> would work)
>
> Well... seems I got where I wanted, so I'll stop the flattery ;)
I'm glad you like it.
>
> Sunshine!
>
> Gui
>
> ps. I spotted a trivial typo in the 2.66test6 man page,
>
> diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
> --- a/man/dnsmasq.8
> +++ b/man/dnsmasq.8
> @@ -1709,7 +1709,7 @@
>
> .nf
> .B auth-server=server.example.com,eth0
> -.B auth=zone=our.zone.com,1.2.3.0/24
> +.B auth-zone=our.zone.com,1.2.3.0/24
> .fi
>
> and two records in the external DNS
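Review bot: the corrected line now matches the option name used on the `.B auth-server=` line directly above it (the `-` between words, not `=`), which is the whole point of the fix; since the broken `auth=zone=` form was evidently pasted into more than one example, suggest a `grep -n 'auth=zone' man/dnsmasq.8` before committing to make sure no third copy remains. One style point on the surrounding context: `1.2.3.0/24` is not a reserved documentation range, so a reader who pastes the example verbatim configures an authoritative zone for someone else's prefix; the RFC 5737 documentation networks (for example `192.0.2.0/24`) would be safer here, though that is outside the scope of this typo fix.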
> @@ -1733,7 +1733,7 @@
>
> .nf
> .B auth-server=our.zone.com,eth0
> -.B auth=zone=our.zone.com,1.2.3.0/24
> +.B auth-zone=our.zone.com,1.2.3.0/24
> .fi
>
> .nf
>
>
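Review bot: same one-character `auth=zone` to `auth-zone` correction as the first hunk, applied to the second worked example, and correct for the same reason (it must match the `auth-server=` spelling above it and the real option name). The trailing `.fi` and the following `.nf` in the context lines are untouched, so the roff bold/no-fill structure of the rendered man page is unchanged by this patch; nothing further needed beyond confirming no other occurrences remain.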
OK, will fix.
Thanks for the testing.
Cheers,
Simon.
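Simon's advice above amounts to a concrete check: send the same query to the address of the interface it arrives on, once over UDP and once over TCP, and confirm the server gives the same recursion decision (the `ra` flag in the dig header) both times. The script below is an added example for this thread, not code from dnsmasq or from either poster. It builds a minimal DNS query by hand with only the Python standard library, decodes the response header into the same fields dig prints (`status`, `qr`/`rd`/`ra` flags, section counts), and compares the UDP and TCP results. The server address and the hostnames are whatever you pass on the command line; `127.0.0.1` is only a placeholder default, and the hard-coded header bytes in the parser examples are constructed from the responses quoted in the thread.

```python
"""Check that a DNS server gives the same recursion decision over UDP and TCP.

Added example for the dnsmasq auth-server discussion; not dnsmasq code.
Standard library only: the query is built by hand and the 12-byte header of
the reply is decoded directly. parse_header() and build_query() work offline;
probe() needs a reachable server.
"""
import socket
import struct
import sys

# id, flags, qdcount, ancount, nscount, arcount (all big-endian 16-bit)
DNS_HEADER = struct.Struct("!HHHHHH")

QTYPE_NS = 2
QTYPE_AAAA = 28

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname, qtype, qid=0x1234, rd=True):
    """Return wire-format bytes for a single IN-class question."""
    flags = 0x0100 if rd else 0x0000          # RD bit: ask for recursion
    header = DNS_HEADER.pack(qid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"                               # root label terminates the name
    return header + labels + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode a DNS message header into the fields dig shows in its HEADER line."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("message shorter than a DNS header")
    qid, flags, _qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),           # response, not query
        "aa": bool(flags & 0x0400),           # authoritative answer
        "rd": bool(flags & 0x0100),           # recursion desired (echoed)
        "ra": bool(flags & 0x0080),           # recursion available
        "status": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answer": an,
        "authority": ns,
        "additional": ar,
    }


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(server, qname, qtype=QTYPE_AAAA, tcp=False, timeout=3.0):
    """Send one query over UDP (default) or TCP and return the parsed reply header."""
    query = build_query(qname, qtype)
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return parse_header(recv_exact(s, length))
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
        return parse_header(data)


def transports_agree(udp_hdr, tcp_hdr):
    """True when UDP and TCP replies agree on recursion availability and status."""
    return (udp_hdr["ra"] == tcp_hdr["ra"]
            and udp_hdr["status"] == tcp_hdr["status"])


if __name__ == "__main__":
    # Usage: python probe.py <server-address> [qname]; the address should be the
    # one on the interface the query arrives through, as the thread recommends.
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder
    qname = sys.argv[2] if len(sys.argv) > 2 else "example.com"   # placeholder
    udp = probe(server, qname)
    tcp = probe(server, qname, tcp=True)
    print("UDP:", udp)
    print("TCP:", tcp)
    print("consistent" if transports_agree(udp, tcp)
          else "INCONSISTENT: recursion decision differs by transport")
```

Run it once from a host on the LAN side and once from a host whose traffic enters over the tunnel interface; with `auth-server` tied to one interface you expect `ra` true from the LAN and false from outside, and on each side the UDP and TCP lines should match. A mismatch between the two transports is exactly the inconsistency Simon warns about, and the cure he gives is to query only an address belonging to the arriving interface.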