[Dnsmasq-discuss] Two questions about authoritative mode

Raphaël Halimi raphael.halimi at gmail.com
Thu May 31 11:50:55 BST 2018 

Hi,

I have two questions about authoritative mode.

I have a home LAN, with a classic Bind / ISC DHCP / HPA TFTP setup
(started long before dnsmasq ever existed).

Recently I decided to rent a server to externalize some public services
(web, mail and DNS servers). This server is a libvirt/KVM hypervisor and
all virtual machines are connected through a purely virtual bridge, and
dnsmasq handles the DNS/DHCP/TFTP part of this LAN (the private part
only, no relation to the the public DNS mentioned above). So I'm quite
new to dnsmasq and so far I'm quite impressed by the vast possibilities
it allows with such a small footprint. Note that for practical reasons,
I don't use libvirt's builtin iptables/dnsmasq configurations, I made my
own.

So, I interconnected both LANs through a VPN (OpenVPN) and all machines
can happily communicate. Now I'm trying to ease the DNS administration
part, and that's where I'm stuck on a couple of minor problems (really
minor, since my setup works quite well, I'm just trying to perfect it a
bit).

What I'm trying to do is to allow my home LAN's DNS system (Bind) to
know about the remote LAN's zone, and fetch the zone data from the
remote LAN's dnsmasq (through AXFR). It was quite easy to define a slave
type zone, in Bind, and then allow zone transfers in dnsmasq with two
configuration lines:

auth-sec-servers=<Bind server's IP>
auth-peer=<Bind server's IP>

Now, the problem is that I'd like the remote LAN to be completely
unaware (DNS-wise, at least) of the home LAN's DNS system; in other
words, I don't want the Bind server's IP to be listed as a secondary
server in the remote LAN's zone data. So I tried to remove the
"auth-sec-servers=..." line, but unfortunately this prevented the zone
transfer to work.

I know it works with Bind: I can define slave zones on some server,
while the actual zone file on the master has no mention of any slave
server (of course, it's still allowed in the server's configuration by
an "allow-transfer" directive, though), making the slave server
completely stealth. So this is my first question: is there a way to
achieve this with dnsmasq ? If not, is this planned, or could it be
considered for a future release ?

My second question is more of a feature... inquiry (I was about to write
"request" but that would be not only rude, but also not totally faithful
to my state of mind).

As stated in dnsmasq's manual page (version 2.76, Debian stretch): "at
present, reverse (in-addr.arpa and ip6.arpa) zones are not available in
zone transfers, so there is no point arranging secondary servers for
reverse lookups". So my second question is quite simple: is it planned
for a future release ? By searching the mailing list, I saw that a lot
of features were considered by the developer(s ?) kind of "outside of
scope for such a tiny tool" a decade ago, yet they were finally
implemented and are nowadays supported (the power of popular demand, I
guess). Since the code for managing AXFR requests is already there,
would this feature be hard to implement ?

(note that as much as I'd like to, I couldn't help with this, since I'm
a pure admin, my development skills are limited to shell and, to some
extent, Perl).

Thanks a lot in advance for answering those two questions.

Regards,

-- 
Raphaël Halimi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1000 bytes
Desc: OpenPGP digital signature
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20180531/449178ec/attachment.sig>

More information about the Dnsmasq-discuss mailing list