[Dnsmasq-discuss] [PATCH] --dont-mirror-queries option

Simon Kelley simon at thekelleys.org.uk
Wed Feb 24 17:20:14 GMT 2016



On 13/02/16 14:21, Chris Novakovic wrote:
> On 13/02/2016 13:09, Simon Kelley wrote:
>> Will try and remember to reply to your other points, but on this
>> one, the way I'd do it (assuming you don't have problems with
>> slow or intermittent connectivity) is to have one (primary)
>> dnsmasq which is the DHCP server for all three networks. You
>> declare all the address ranges in the config of the primary, and
>> tell the secondaries to do dhcp-relay to the primary.
>> 
>> That keeps all the DHCP address information in the primary, so as
>> long as the secondaries forward to the primary, all names should
>> be resolvable.
> 
> Ideally this is what I would have done, but the three sites (which
> each use their own /26 subnet inside a common /24) are
> geographically distant, connected to each other via a layer-3 VPN
> over somewhat unreliable links --- this means that each site really
> has to have an authoritative DHCP server for its own /26 subnet,
> and the only thing suitable for splitting across all three sites is
> DNS service (that way, if area1 gets cut off from the rest of the
> /24, area1's dnsmasq can still assign DHCP leases for its own /26,
> and it doesn't matter that it can't resolve a name that's active on
> area2 because it wouldn't be able to communicate with that host
> anyway).


I can see that this sort of setup is a problem in search of a
solution, and I quite like the distributed flooding arrangement.

I wonder if a better solution to the loop-detection is to mark queries
with a UID of all the servers they've been forwarded by, in an EDNS0
option. That would avoid the false detection of queries coming from
master, but not from the dnsmasq instance on master. It would also
detect arbitrary loops. Dnsmasq has the relevant code to examine and
add EDNS0, so it wouldn't be too difficult to add.

That really would be a dynamic version of the loop detect mode, and
could be configured and documented as such.


Cheers,

Simon.



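The forwarding-trail idea from the message above, sketched as an added example (not part of the original email and not dnsmasq code). The option code 65001 (taken from the RFC 6891 local/experimental range), the 8-byte UID size, the hop cap and all function names are assumptions made for illustration.

```python
import struct

OPT_TRAIL = 65001   # assumed option code, RFC 6891 local/experimental range
UID_LEN = 8         # assumed fixed size of each server's UID
MAX_HOPS = 16       # assumed cap so the trail cannot grow without bound

def parse_options(rdata):
    """Split OPT RDATA into (code, data) pairs, rejecting truncated options."""
    opts, off = [], 0
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("option length exceeds RDATA")
        opts.append((code, rdata[off:off + length]))
        off += length
    return opts

def build_options(opts):
    """Serialise (code, data) pairs back into OPT RDATA."""
    return b"".join(struct.pack("!HH", c, len(d)) + d for c, d in opts)

def forward(rdata, my_uid):
    """Return RDATA with my_uid appended to the trail, or None on a loop.

    A query with no trail (for example from a stub resolver on the same
    host) is never treated as a loop; only a trail that already contains
    this server's UID, or one that has reached MAX_HOPS, is refused.
    """
    if len(my_uid) != UID_LEN:
        raise ValueError("UID must be %d bytes" % UID_LEN)
    opts = parse_options(rdata)
    trail = b"".join(d for c, d in opts if c == OPT_TRAIL)
    if len(trail) % UID_LEN:
        raise ValueError("malformed trail option")
    seen = [trail[i:i + UID_LEN] for i in range(0, len(trail), UID_LEN)]
    if my_uid in seen or len(seen) >= MAX_HOPS:
        return None
    others = [(c, d) for c, d in opts if c != OPT_TRAIL]
    return build_options(others + [(OPT_TRAIL, trail + my_uid)])
```

Because the check is keyed on the server's own UID rather than the source address, it separates a client on the same machine from the forwarder instance on that machine, and it catches loops of any length rather than only direct mirroring.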


