[Dnsmasq-discuss] Minimal config: small # of A records, no upstream server

Johnny Utahh lists.thekelleys.org.uk at johnnyutahh.com
Fri Jul 3 16:59:36 BST 2020 

On 2020-07-03 12:39 AM, Geert Stappers wrote:
> On Thu, Jul 02, 2020 at 08:44:02PM -0700, Frank wrote:
>> On Jul 2, 2020, at 7:18 PM, Johnny Utahh <lists.thekelleys.org.uk at johnnyutahh.com> wrote:
>>> On 2020-07-02 12:57 PM, Geert Stappers wrote:
>>>> On Thu, Jul 02, 2020 at 06:16:49AM -0500, Johnny Utahh wrote:
>>>>> On 2020-07-02 2:18 AM, Geert Stappers wrote:
>>>>>> On Wed, Jul 01, 2020 at 10:06:36PM -0500, Johnny Utahh wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Do I need to make any edits/additions to the dnsmasq.conf below to support
>>>>>>> the following scenario?
>>>>>>>
>>>>>>> Ubuntu 20.04
>>>>>>> dnsmasq 2.80
>>>>>>>
>>>>>>> Details:
>>>>>>>
>>>>>>> I want to provide a _minimal_ DNS server. It *only* serves a few A records
>>>>>>> (from /etc/hosts).
>>>>>>>
>>>>>>> A key point: I want to make sure it does NOTHING else. No
>>>>>>> upstream-DNS-server/service connection. Any DNS requests sent to said server
>>>>>>> outside of the /etc/hosts A-record list will fail. Further: no DHCP, tftp,
>>>>>>> or any others. All of the other bells and whistles I do not know about: I
>>>>>>> want them disabled, too. Just plain old proper DNS records serving and
>>>>>>> associated error-condition handling.
>>>>>>>
>>>>>>> Additionally, the dnsmasq-based DNS server will bind/interface/respond-to
>>>>>>> only `eth8`.
>>>>>>>
>>>>>>>
>>>>>>>      /etc/dnsmasq.conf:
>>>>>>>      interface=eth8
>>>>>>>      no-dhcp-interface=eth8
>>>>>>>
>>>>>> That is indeed not enough for the desired use case.
>>>>>>
>>>>> Thanks, quite good to know. What edits or additions (to the following
>>>>> `/etc/dnsmasq.conf` or any other file) are needed to serve this use case?
>>>> Something that tells Dnsmasq to do non default things.
>>>>
>>>>    server=127.0.0.1#13131
>>>>
>>>> The idea is that dnsmasq does go searching for an upstream DNS. That it
>>>> uses localhost  port 13131.  With nothing at 13131 should result in
>>>> a "nothing here" and thus ending the DNS resolve attempt. If that truely
>>>> gets back to the DNS client as "hostname not found" is unknown to me.
>>>>
>>>> In other words: Default behaviour of dnsmasq is to use the DNS available
>>>> to the host.  Original Poster doesn't want that, so should do something
>>>> extra to prevent.  But be aware that I never have travelled that road.
>>>> Euh yes, I would like to hear how it went.
>>> I'm presuming the only issue here is preventing searches and potential
>>> "uplinks" with upstream DNS nameservers and that "disabling all
>>> other features" is addressed by the following settings:
>>>
>>>      /etc/dnsmasq.conf:
>>>      port=[myport]
>>>      no-resolv
>>>      no-poll
>>>      interface=eth8
>>>      no-dhcp-interface=eth8
>>>      no-hosts
>>>      addn-hosts=/etc/dnsmasq_a_records
>>>      domain=[mydomain.tld]
>>>
>>>> The idea is that dnsmasq does go searching for an upstream DNS.
>>> Okay, copy that, very helpful. It seems dnsmasq is currently
>>> determined to hunt for upstream namesevers and there's no elegant
>>> way to disable this... but I explore this point more-exhaustively
>>> with these points/comments:
>>>
>>> 1. I'm surprised there's no directive/setting to specifically prevent
>>> dnsmasq from searching for an upstream DNS. If so: why is my scenario
>>> (seemingly?) rare enough that such a feature (presumably?) was
>>> not needed?  While this use case is not predominate, this does not
>>> seem like an uncommon use case, namely for "isolated VPNs."
>>>
>>> 2. Does `no-resolv` + `no-poll` effectively implement the feature
>>> described in #1?
>>>
>>> 3. I'm happy to implement `server=127.0.0.1#[unused_port_number]`
>>> to effectively provide the feature described in #1. However, I'm
>>> concerned about a couple, potential, derivative behaviors:
>>>
>>> 3.a.  How certain are we that this "workaround" completely disables
>>> the upstream searching/connections?
>>>
>>> 3.b. Minor concern: does a continual attempt to connect with a
>>> non-served port (especially if it's a UDP request) effectively create
>>> some performance degradation over time (particularly if "reconnects"
>>> are attempted frequently)?
>>>
>>> 4. Are there truly, absolutely no other options to prevent
>>> upstream-nameserver searches?  Does someone besides Geert have any
>>> direct experience with or hear of others trying this?
>>>
>>> 5. If I restrict the interface bindings to a VPN-only ethernet device
>>> (that is itself isolated from the public internet), does this help
>>> with this "upstream searching restriction"?
>>>
>> no-resolv
>> no-poll
>>
>> Assuming the man page is correct, those are the two options you want
>> to prevent DNS from being forwarded. Don’t put a server statement
>> in your config as Geert is suggesting.
> Acknowledge on that.
>   
>
>>> In any case, I will test this approach and report back what I find.
> Looking forward to it.
>

Does this (the "no upstream servers configured" log output) provide 
sufficient evidence for test success (for the above-mentioned use case)?


syslog excerpt when running with the following .conf:
dnsmasq[xxxxx]: warning: no upstream servers configured

/etc/dnsmasq.conf:
port=[myport]
domain-needed
bogus-priv
no-resolv
no-poll
interface=[mydev]
no-dhcp-interface=[mydev]
bind-interfaces
no-hosts
addn-hosts=/etc/dnsmasq_records
domain=[mydomain]

Ubuntu 20.04
dnsmasq 2.80
-- 
//
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200703/32e7e441/attachment.html>

More information about the Dnsmasq-discuss mailing list