[Dnsmasq-discuss] Authoritative and recursive service from the same interface

[Marc Heckmann]

Hello,

I'm currently running dnsmasq in a Docker container and have setup a domain
for which dnsmasq is to be authoritative for. This is to do subdomain
delegation to the dnsmasq server. I am using the auth-server & auth-zone
configuration options for this. This works as expected and is verifiable
using dig with the "+norecurse" option to query for the NS and SOA records.
However, as it's a Docker container, I only have and actually need a single
interface (eth0) and when I specify eth0 in the "auth-server" option, i.e
"auth-server=<glue_record>,eth0", I noticed that it stops answering
recursive queries for names that it is not authoritative for.

I worked around this by replacing "eth0" with an IP that is not present in
the container's network namespace and dnsmasq now does what I want which is
to answer to both non-recursive and recursive queries from the same
interface.

My question is the following: Are there any side effects to this hack? Is
there any reason why dnsmasq should not be able to provide recursive and
authoritative service from the same interface? I can understand the
security reasons for wanting to prevent this on an Internet exposed
interface, but why not at allow for an option to officially support
providing both kinds of service on the same interface?

Thanks.

-m
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20180927/9d724d4e/attachment.html>