[Dnsmasq-discuss] Split-horizon

Petr Menšík pemensik at redhat.com
Fri Oct 30 11:39:52 GMT 2020


Hi Rubén,

it seems to me that support for tags on source clients would be more useful
and easier to understand. Also, dnsmasq already supports the concept of tag: and
set: in the DHCP world. It should be possible to adapt DNS queries to use it as well.

I think you would usually have a group of clients which should share the same
settings, right? Instead of repeating address ranges over and over
again, what if:

dns-client=set:filtered,192.168.2.0/24
address=/doublie-click.net/127.0.0.1,tag:filtered

dns-client=set:devs,!192.168.2.1
address=/dev-domain.com/192.168.2.1


But I am not sure whether such origin/source filtering is a good idea.
It shares a common cache, but would be a lot harder to analyse. Are
multiple instances harder to manage? Maybe just simplifying the running of
multiple instances would help sufficiently.

Note that dnsmasq does not even have access control lists for DNS. It allows
all queries coming from some interface. I think it does not make sense to
implement selective behaviour until we are able to specify which
clients can make queries.

On 10/17/20 8:42 PM, Rubén Justo wrote:
> Hi all,
> 
> I've updated a patch I did some time ago to the latest source code; it adds
> split-horizon functionality to the address options.
> 
> I use it to do some quick blocking just for some host/net, like:
> 
> address=/double-click.net/127.0.0.1;192.168.2.0/24    # block
> double-click.net to hosts in the net 192.168.2.0/24 but not others, like
> localhost 127.0.0.1
> 
> I use it also in development work or to do some man in the middle
> inspection:
> 
> address=/dev-domain.com/192.168.2.1;-192.168.2.1    # respond with
> 192.168.2.1 for dev-domain.com, except if the client is 192.168.2.1
> 
> It is also possible to do some split horizon to upstream servers:
> 
> server=/dns-domain.com/192.168.2.1;192.168.2.0/24    # forward queries for *
> dns-domain.com originating from 192.168.2.0/24 clients to the server at
> 192.168.2.1
> 
> I hope you find it useful. I use it to avoid having to set up multiple
> servers and/or doing some custom /etc/hosts.
> 
> Regards.
> Rubén.

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
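To make the semantics of the proposed `address=/domain/answer;selector...` syntax concrete, here is a small model of it in Python. This is an added example, not code from the patch or from dnsmasq; it assumes, from the examples in the thread, that a plain network selector restricts the answer to clients in that network, a `-` prefixed selector excludes those clients, and a rule with no include selector applies to every client not excluded.

```python
import ipaddress

def parse_address_rule(line):
    """Parse one split-horizon address= line (hypothetical model of the
    patch): address=/<domain>/<answer>[;<client-net>|-<client-ip>...]
    Returns (domain, answer, includes, excludes)."""
    key, _, value = line.partition("=")
    if key.strip() != "address":
        raise ValueError("not an address= option")
    parts = value.split(";")
    _, domain, answer = parts[0].split("/", 2)
    includes, excludes = [], []
    for sel in parts[1:]:
        sel = sel.strip()
        if sel.startswith("-"):   # "-192.168.2.1": never answer this client
            excludes.append(ipaddress.ip_network(sel[1:], strict=False))
        else:                     # "192.168.2.0/24": only answer this net
            includes.append(ipaddress.ip_network(sel, strict=False))
    return domain.lower(), answer, includes, excludes

def domain_matches(qname, domain):
    """dnsmasq address= covers the domain itself and every subdomain."""
    qname = qname.lower().rstrip(".")
    return qname == domain or qname.endswith("." + domain)

def rule_applies(rule, client_ip):
    _, _, includes, excludes = rule
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in excludes):
        return False
    # No include list means the rule applies to all clients (plain address=).
    return not includes or any(ip in net for net in includes)

def resolve(rules, client_ip, qname):
    """Return the local answer from the first matching rule, or None when
    the query should be forwarded upstream as usual."""
    for rule in rules:
        domain, answer, _, _ = rule
        if domain_matches(qname, domain) and rule_applies(rule, client_ip):
            return answer
    return None

# Constructed config lines copied from the examples in the thread.
RULES = [parse_address_rule(l) for l in (
    "address=/double-click.net/127.0.0.1;192.168.2.0/24",
    "address=/dev-domain.com/192.168.2.1;-192.168.2.1",
)]
```

As Petr notes, any decision made this way rests solely on the query's source address, since dnsmasq has no DNS access control lists of its own.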