[Dnsmasq-discuss] Ability to delegate to one server but fall back to another after NXDOMAIN?

Simon Kelley simon at thekelleys.org.uk
Wed Jan 15 17:30:55 GMT 2014


On 13/01/14 13:59, Jesse Glick wrote:
> version 2.68 cachesize 150
> dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN
> DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
>
> Let us say I have two DNS servers I wish to delegate to:
>
> A: Trusted to serve addresses (and other records) for the general
> Internet, plus also a few private domains I care about.
>
> B: Needed to serve addresses for a few machines in a particular subnet
> (whose names and even domain are unknown to me); not trusted to serve
> any other records.
>
> So I tried
>
> dnsmasq --strict-order --no-resolv --server=A --server=B --all-servers
>
> hoping that this would ask A first, and if that failed to produce a
> valid response, then ask B.
>
> Instead, this seemed to _only_ ask A for anything. When it responded
> with NXDOMAIN, dnsmasq did not consult B, even when B would have
> responded with a valid address record.
>
> I do not want to list --server=B first, or run without --strict-order,
> since I do not want B serving falsified records for unrelated names. I
> know how to use --server=/bcorp/B to restrict B to answering queries
> about names in the *.bcorp domain, but I do not necessarily know what
> this domain is.
>
> Is this a bug? Or is there some other option I need to use to get this
> behavior? Or would dnsmasq need to be patched to get such behavior
> (and if so, would such a patch potentially be accepted upstream)? Or
> is there some other DNS masquerader which is designed for that
> purpose?

No, it's not a bug, it's a design decision, the intention is that you'll 
use server=/domain/<server-address> to send queries for a particular 
domain to a special server.

This question has been considered many time here over the years, it's 
worth searching the archives for more detail.

There's a (very old) patch in contrib/try-all-ns that would make a 
staring point, if you want to take that route.


Cheers,

Simon.

>
> Analogously, I would like a version of --addn-hosts which is consulted
> only if --server=A responds with NXDOMAIN. But this could be simulated
> by running a second copy of dnsmasq on a different port on localhost.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>




More information about the Dnsmasq-discuss mailing list