[Dnsmasq-discuss] Fwd: dnsmasq localise-queries + addn-hosts

Dan Schaper dan.schaper at pi-hole.net
Sun Apr 5 21:05:21 BST 2020


Jake Howard wrote on 4/5/2020 6:48 AM:
>>
>> Dnsmasq uses the _destination_ address of the query. I'm not familiar
>> with Docker. Is it using NAT?
>
> Can't say I'm especially familiar with Docker's networking stack, but
> it definitely looks and feels like something NAT-ish to me!
> Interestingly enough, the log entry for where the query came from is
> correctly detected, but I guess it's not using that address to localise?
>
> Thanks,
> - Jake Howard
Default Docker iptables chains (for containers running published
services on 80/443)

# Generated by xtables-save v1.8.2 on Sun Apr  5 20:00:11 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.4/32 -d 172.17.0.4/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.4:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.4:80
COMMIT
# Completed on Sun Apr  5 20:00:11 2020
# Generated by xtables-save v1.8.2 on Sun Apr  5 20:00:11 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Sun Apr  5 20:00:11 2020

Dan
>
> On Sat, 4 Apr 2020, at 19:01, Simon Kelley wrote:
>> On 31/03/2020 13:51, Jake Howard wrote:
>> > Hello!
>> >
>> > Had a breakthrough on what's going on, and it's down to a caveat I
>> > missed when reading the man page on localise-queries:
>> >
>> >> Return answers to DNS queries from /etc/hosts and *--interface-name*
>> >> which depend on the interface over which the query was received.
>> >
>> > And of course, this issue has to do with docker. With Docker, even
>> > though the container is listening on 2 different interfaces, and 2
>> > different IPs, the inner container, and thus dnsmasq, only sees 1
>> > interface, with all addresses coming from it. Hence localisation isn't
>> > quite working.
>> >
>> > If I run dnsmasq with the exact same config but on the host, where it
>> > can see the different interfaces, works perfectly!
>> >
>> > Testing was done in 2.79 and 2.76, with a config file practically
>> > identical to your CLI arguments.
>> >
>> > Technically, there's not a bug here per se, but it'd be really handy if
>> > there was a way of looking at the source IP when determining which
>> > record to return rather than just the interface?
>>
>> Dnsmasq uses the _destination_ address of the query. I'm not familiar
>> with Docker. Is it using NAT?
>>
>>
>> Simon.
>>
>>
>> >
>> > Thanks!
>> >
>> > On Mon, 30 Mar 2020, at 20:42, Simon Kelley wrote:
>> >> On 28/03/2020 20:38, Jake Howard wrote:
>> >> > Hi,
>> >> >
>> >> > My intention is to have 1 dnsmasq instance, accessible over 2 interfaces
>> >> > (listening on all), and have the response to a query differ based on the
>> >> > interface, and therefore its incoming IP. From what I've read, that's
>> >> > exactly what localise-queries is meant to do, but it doesn't appear to
>> >> > be unless I put the entries into /etc/hosts directly.
>> >>
>> >>
>> >> OK, what you're expecting to happen and what I'm expecting to happen are
>> >> the same. That's good.
>> >>
>> >> I just did a quick test, and it seems to work fine for me. The
>> >> example.com addresses are in /tmp/hosts.
>> >>
>> >>
>> >> srk at holly:~/dnsmasq/dnsmasq$ src/dnsmasq -d --log-queries
>> >> --localise-queries -p 10000 --addn-hosts=/tmp/hosts
>> >> dnsmasq: started, version 2.81rc4-5-gd162bee cachesize 150
>> >> dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n
>> >> no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC
>> >> loop-detect inotify dumpfile
>> >> dnsmasq: reading /etc/resolv.conf
>> >> dnsmasq: using nameserver 127.0.1.1#53
>> >> dnsmasq: read /etc/hosts - 9 addresses
>> >> dnsmasq: read /tmp/hosts - 2 addresses
>> >> dnsmasq: query[A] example.com from 127.0.0.1
>> >> dnsmasq: /tmp/hosts example.com is 192.168.151.43
>> >> dnsmasq: /tmp/hosts example.com is 192.168.150.43
>> >> dnsmasq: query[A] example.com from 192.168.150.49
>> >> dnsmasq: /tmp/hosts example.com is 192.168.150.43
>> >>
>> >>
>> >> If it's not working for you, that's a bug, but we need to find what it
>> >> is about your setup that tickles the bug.
>> >>
>> >> Can you boil it down to the simplest configuration that displays the
>> >> problem, and also specify which version of dnsmasq you're using?
>> >>
>> >>
>> >> cheers,
>> >>
>> >> Simon.
>> >>
>> >>
>> >> > 
>> >> > Thanks,
>> >> > - Jake Howard
>> >> > 
>> >> > On Sat, 28 Mar 2020, at 17:59, Simon Kelley wrote:
>> >> >> On 19/03/2020 21:47, Jake Howard wrote:
>> >> >> > Hello!
>> >> >> > 
>> >> >> > Is `localise-queries` meant to work against entries added via
>> >> >> > `addn-hosts`? Querying a record returns both IPs, but always in the same
>> >> >> > order. The order is correctly fixed when the records are put in
>> >> >> > `/etc/hosts` directly.
>> >> >>
>> >> >>
>> >> >> Yes, localise-queries works with entries added via addn-hosts, but it
>> >> >> doesn't have anything to do with the order that records appear, so that
>> >> >> doesn't address your problem. What are you trying to achieve?
>> >> >>
>> >> >>
>> >> >> Simon.
>> >> >>
>> >> >>
>> >> >> > 
>> >> >> > Config:
>> >> >> > 
>> >> >> > ```
>> >> >> > localise-queries
>> >> >> > no-resolv
>> >> >> > cache-size=10000
>> >> >> > log-queries
>> >> >> > log-facility=/var/log/pihole.log
>> >> >> > local-ttl=2
>> >> >> > log-async
>> >> >> > server=8.8.8.8
>> >> >> > server=8.8.4.4
>> >> >> > server=1.1.1.1
>> >> >> > server=1.0.0.1
>> >> >> > interface=eth0
>> >> >> > server=/use-application-dns.net/
>> >> >> > 
>> >> >> > addn-hosts=/etc/vpn-hosts.conf
>> >> >> > localise-queries
>> >> >> > 
>> >> >> > ```
>> >> >> > 
>> >> >> > This is from pihole, but AFAIK that shouldn't make a difference if I'm
>> >> >> > modifying the config directly.
>> >> >> >
>> >> >> > Would appreciate some input, or being told I'm wrong!
>> >> >> > 
>> >> >> > Thanks,
>> >> >> > 
>> >> >> > - Jake Howard
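Added example (not code from the thread, dnsmasq or Docker): a small Python model of why localise-queries stops discriminating once Docker's DNAT has rewritten the query's destination. The addn-hosts entries, interface subnets and the 53/udp DNAT rule are constructed; the rule is modelled on the 80/443 DOCKER-chain rules in the dump above.

```python
import ipaddress
import re

# Constructed iptables-save nat rule, modelled on the DOCKER chain rules in the
# dump above (which publish 80/443). Here the assumed published port is 53/udp.
DOCKER_NAT_RULES = [
    "-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53",
]

# Constructed addn-hosts entries: one name with one address per network.
ADDN_HOSTS = {"vpn.example.internal": ["192.168.150.43", "10.8.0.43"]}

# Constructed interface subnets: what dnsmasq sees on the host vs. inside the
# container (a single docker0 interface on 172.17.0.0/16).
HOST_NETS = [ipaddress.ip_network("192.168.150.0/24"), ipaddress.ip_network("10.8.0.0/24")]
CONTAINER_NETS = [ipaddress.ip_network("172.17.0.0/16")]

DNAT_RE = re.compile(r"--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)")


def apply_dnat(dst_ip, dst_port, rules):
    """Return the destination (ip, port) after Docker's DNAT rules, i.e. as the container sees it."""
    for rule in rules:
        m = DNAT_RE.search(rule)
        if m and int(m.group(1)) == dst_port:
            return m.group(2), int(m.group(3))
    return dst_ip, dst_port


def localise(addresses, dst_ip, iface_nets):
    """Model of --localise-queries: keep only the addresses on the subnet of the
    interface the query was sent to; if none match, return all of them unchanged."""
    dst = ipaddress.ip_address(dst_ip)
    local_net = next((n for n in iface_nets if dst in n), None)
    if local_net is None:
        return list(addresses)
    matched = [a for a in addresses if ipaddress.ip_address(a) in local_net]
    return matched or list(addresses)


def answer(name, dst_ip, iface_nets, nat_rules=()):
    """Resolve `name` for a query sent to `dst_ip`, optionally behind Docker's NAT."""
    seen_ip, _ = apply_dnat(dst_ip, 53, nat_rules)
    return localise(ADDN_HOSTS[name], seen_ip, iface_nets)
```

On the host a query sent to 192.168.150.1 yields only the 192.168.150.43 record, while inside the container every query arrives with destination 172.17.0.4, matches neither subnet, and returns both records in file order, which is the symptom described in the thread.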
