[Dnsmasq-discuss] dnsmasq to provide public DNS service

Albert ARIBAUD albert.aribaud at free.fr
Thu Jul 7 11:33:53 BST 2016

Hi Tong,

On Thu, 7 Jul 2016 02:41:15 +0000 (UTC)
T o n g <mlist4suntong at yahoo.com> wrote:

> Yes, the "box" is what I referred to as the machine on which I run
> dnsmasq and which I am trying to configure. This is the only thing I'm
> talking about so far. Nothing else.

> Once again, the box I'm configuring is a dedicated server from the
> hosting company, and I have full (remote) control of it and have
> installed the latest Ubuntu on it. It has its own really public IP.
> The SSH, DNS, etc. ports are open to the world as well.

OK, sorry for the misunderstanding. So I will assume this box has only
one network interface, which is facing the Internet, and is reachable
through a public IP (which we do not need).

> > You should not even specify any interface= option.  
> OK. So how does dnsmasq decide whether to serve the local host, the
> local network (LAN) or the general public (WAN)? If it is not
> listen-address, then what is it?

You don't tell dnsmasq about "LAN" vs "WAN"; dnsmasq does not accept or
ignore/reject DNS requests based on their coming "from LAN" or "from
WAN"; it accepts or ignores/rejects them based on the interface on
which it has received them and the IP address they were sent to. Since
your box has a single interface which has a single IPv4 address, all
requests will be received on the same interface and have the same IPv4
> >> The outside world is not involved yet -- I haven't been able to
> >> make itself work first.  
> > 
> > Before making dnsmasq work with clients from outside your LAN, you
> > need to verify that your "box" meets conditions 1 and 2 above.
> > 
> > Let's start with condition 1. You can check it by running a
> > traceroute from your "box" to some known internet host (e.g.
> > google.com). What does such a traceroute print out?  
> What do you need the traceroute print out for? 

To make sure the machine running dnsmasq can access the Internet on
its own. Obviously you can access it, but some networking rules may
prevent it from reaching out freely.

> Can dnsmasq be used as a DNS server not only for the local host or
> local network, but also for the general public as well, or not? If yes,
> what would the configuration be?
> Does dnsmasq come with that feature (serving the local network or
> the general public) out of the box? Else what kind of alteration needs
> to be made to the configuration file?

Yes, dnsmasq can serve the whole world if you want it to, and as I
already told you, it should work out of the box.

Therefore, if it does not work in your case, it is because either
its configuration is improper, or the networking setup of the box it
runs on is improper (or both).

Which is why I am asking you questions and suggesting tests in order to
diagnose the situation and fix it.

But for that, I need precise, exact and complete answers to the
questions I am asking.

So let's start with a few basics, by checking that you can actually
communicate from your own machine to the dedicated server over the
standard DNS ports.
For this I suggest that we use the 'netcat' command both on your
dedicated server and on the machine from which you access this server.

To determine which variant of netcat is present on these machines, if
any, could you run the following command, once on the dedicated server,
and once on the machine you are using to access the server:

	netcat -h

... and copy-paste both outputs in your reply?

Once we have netcat available on both ends, we will be able to mimic
DNS exchanges between the machines but without dnsmasq being involved;
either this mimicking will work, meaning that the networking is set up
properly, or it won't, meaning the networking has to be fixed before
even considering running dnsmasq.

Once we're sure the networking is OK, then we can introduce dnsmasq in
the picture.
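The probe Albert describes (mimicking a DNS exchange between the two machines with netcat, so that the network path to the DNS port is tested before dnsmasq is involved) can also be scripted. The following is an added example, not code from the original message or from the dnsmasq project. It builds a minimal, well-formed DNS query, sends it over UDP, and classifies the outcome as "ok", "no answer" (nothing came back within the timeout, or ICMP port unreachable: the networking has to be fixed first) or "bad reply". So that it runs offline, a toy responder on 127.0.0.1 with an ephemeral port stands in for `netcat -l` on the server side; against the real dedicated server you would point `probe_status()` at its public IP and port 53 (constants such as `DNS_PORT`, the query ID and the `example.com` question name are assumptions made for the example).

```python
import socket
import struct
import threading

DNS_PORT = 53  # standard DNS port; the offline demo below uses an ephemeral loopback port instead


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header with RD set, one A/IN question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header; raises ValueError on anything shorter."""
    if len(packet) < 12:
        raise ValueError("packet shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def udp_probe(host: str, port: int, name: str = "example.com",
              timeout: float = 2.0, qid: int = 0x2A2A) -> dict:
    """Send one query over UDP and return the parsed reply header.

    Raises OSError (socket.timeout or ConnectionRefusedError) when nothing
    answers, and ValueError when the reply is malformed or carries the wrong ID."""
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (host, port))
        data, _ = s.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != qid:
        raise ValueError("reply ID %#x does not match query ID %#x" % (hdr["id"], qid))
    return hdr


def probe_status(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify the path to host:port the way the netcat test would."""
    try:
        hdr = udp_probe(host, port, timeout=timeout)
    except OSError:
        return "no answer"   # timeout or ICMP port unreachable: fix networking first
    except ValueError:
        return "bad reply"   # something answered, but not with a matching DNS response
    return "ok" if hdr["is_response"] else "bad reply"


def start_toy_responder() -> tuple:
    """Stand-in for 'netcat -l' on the server side (assumed for the demo; NOT dnsmasq).

    Answers exactly one UDP query with a NOERROR response that echoes the
    query ID and question section, then exits. Returns (host, port, thread)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    host, port = s.getsockname()

    def serve():
        data, peer = s.recvfrom(512)
        (qid,) = struct.unpack("!H", data[:2])
        # flags 0x8180 = QR, RD, RA, RCODE 0; copy the question back unchanged
        resp = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + data[12:]
        s.sendto(resp, peer)
        s.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return host, port, t


def find_unused_udp_port() -> int:
    """Bind and immediately release an ephemeral UDP port so a probe against it gets no answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host, port, _ = start_toy_responder()
    print("responder on %s:%d ->" % (host, port), probe_status(host, port))
    print("closed port ->", probe_status("127.0.0.1", find_unused_udp_port(), timeout=0.5))
```

Run it once against the loopback responder to see the "ok" path, then replace the host and port with the dedicated server's public IP and `DNS_PORT` while `netcat -l -u -p 53` is listening there; "no answer" at that point means a firewall or routing problem that dnsmasq cannot fix. Checking that the reply's ID matches the query's is deliberate: it is the minimum a real resolver does to reject stray or spoofed answers, and it is what distinguishes "something on that port talked back" from "a DNS exchange worked".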

