[Dnsmasq-discuss] dnsmasq cname limitations

Salatiel Filho salatiel.filho at gmail.com
Tue Nov 9 22:49:00 UTC 2021


Hi Petr, thanks for the explanation. I hope that someday that will be
possible. Do you know of any DNS server that would allow me to have
that?
Concerning your question, a query to some-load-balancer.com returns
another CNAME that has a dynamic IP. I have no control over
some-load-balancer.com, so that IP can be changed at any time (and
usually it is changed every month), and every time they change it I
face problems and I have to update /etc/hosts. That's the reason I
thought I could use dnsmasq CNAMEs for it, but in the current
implementation I would still need to update /etc/hosts every time.
In this case I will stick to a static entry "somedomain.com" in
/etc/hosts and update that IP when needed.

Query:
# nslookup some-load-balancer.com ( names/ips obfuscated )
Non-authoritative answer:
some-load-balancer.com    canonical name = another.cname.here.
Name:    another.cname.here
Address: 10.11.12.13

Atenciosamente/Kind regards,
Salatiel

On Mon, Nov 8, 2021 at 8:23 AM Petr Menšík <pemensik at redhat.com> wrote:
>
> Hi Salatiel,
>
> The short answer is: because of the way dnsmasq is implemented.
>
> The primary reason is not a security decision, but the lightweight
> implementation in dnsmasq. It relies on recursive upstream servers to
> deliver a complete recursed answer. If it contains a CNAME, it has to
> contain its target as well. That might be an answer record or a negative
> answer (NXDOMAIN).
>
> But dnsmasq cannot process incomplete answers, which would require a
> dependent query to be sent again. If there is a CNAME without anything
> following it, dnsmasq would have to query the upstream server again with
> its target. Because of the internal design it is not as easy as it seems.
> Dnsmasq does not store the full names of pending queries, only their hashes.
> The inability to finish incomplete responses and only then deliver the
> final result to the original query is caused by missing code. It is not
> usually required.
>
> There is something similar implemented for DNSSEC validation, but it
> requires a non-disabled cache, for example. Because it cannot finish
> incomplete responses, it also needs to know the final answer for the
> CNAME on the command line.
>
> I think it would require multiple improvements in the internal code. For
> example, current query retries are driven by clients. They retry only
> when clients retry the query to dnsmasq. For well-working internal retries
> it would have to stop storing just the hash of the original query and
> store the full original query itself. While that should not be very hard,
> it would mean non-trivial code and algorithm changes, with possible
> regressions caused by such changes.
>
> Cheers,
> Petr
>
> On 11/6/21 20:11, Salatiel Filho wrote:
> > Hi, why does dnsmasq cname require an entry in /etc/hosts?
> > I would like to override "somedomain.com" to "some-load-balancer.com"
> > as a CNAME. If I start dnsmasq as:
> > # dnsmasq -dq -r /etc/resolv.upstream --cname somedomain.com,some-load-balancer.com
> > If I try to ping somedomain.com, I will get:
> > ping: unknown host somedomain.com
> > If I try to nslookup somedomain.com:
> > Server:        127.0.0.1
> > Address:    127.0.0.1#53
> > somedomain.com    canonical name = some-load-balancer.com.
> If you query some-load-balancer.com, what does the response look like?
> Unlike the HTTP protocol, it would not receive the name of the original
> query, somedomain.com. Would it always return a set of addresses not known
> at configure time?
> >
> > So I would expect that to work. Is there a reason for that not being
> > allowed by dnsmasq? Security reasons somehow?
> > I have a scenario where I need to make a container for a legacy
> > application point somedomain.com (hardcoded) to an external
> > load balancer's CNAME whose IP is, of course, dynamic and I cannot
> > add it to /etc/hosts.
> >
> > Thanks!
> >
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
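An added example, not from this thread or the dnsmasq project, that automates the workaround discussed above: it resolves the CNAME target through the upstream resolver (bypassing dnsmasq), writes the result to a hosts file dnsmasq loads via --addn-hosts, and sends dnsmasq SIGHUP so the --cname target gains the local address dnsmasq needs. The file paths, the RUN_REFRESH switch and the nslookup output used in the comments are assumptions.

```sh
#!/bin/sh
# Keeps a dnsmasq --cname target resolvable by refreshing a local hosts file
# from the upstream answer and reloading dnsmasq. Assumed start command:
#   dnsmasq -r /etc/resolv.upstream --addn-hosts=/etc/dnsmasq.d/lb-hosts \
#           --cname=somedomain.com,some-load-balancer.com
# The --cname only answers once some-load-balancer.com has a local address,
# which is exactly what the hosts file written here provides.

TARGET="some-load-balancer.com"                       # name the CNAME points at
HOSTS_FILE="${HOSTS_FILE:-/etc/dnsmasq.d/lb-hosts}"   # hypothetical path
UPSTREAM_CONF="${UPSTREAM_CONF:-/etc/resolv.upstream}" # hypothetical path

# Extract the final IPv4 address from nslookup output on stdin: the last
# "Address:" line is the A record at the end of the CNAME chain. The grep
# rejects the "127.0.0.1#53" server line and IPv6 answers, so an answer with
# no A record makes the function fail instead of printing garbage.
parse_last_address() {
    awk '/^Address:/ { ip = $2 } END { if (ip != "") print ip }' \
        | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Resolve TARGET against the first upstream nameserver, not against dnsmasq,
# so the lookup never depends on the entry we are about to write.
resolve_target() {
    upstream=$(awk '/^nameserver/ { print $2; exit }' "$UPSTREAM_CONF")
    nslookup "$TARGET" "$upstream" | parse_last_address
}

# Build the hosts line dnsmasq will load for the CNAME target.
hosts_line() {
    printf '%s %s\n' "$1" "$TARGET"
}

# Rewrite the hosts file only when the address changed, then SIGHUP dnsmasq,
# which makes it clear its cache and re-read /etc/hosts and all --addn-hosts.
refresh_hosts() {
    ip=$(resolve_target) || return 1
    new=$(hosts_line "$ip")
    if [ "$new" != "$(cat "$HOSTS_FILE" 2>/dev/null)" ]; then
        printf '%s\n' "$new" > "$HOSTS_FILE"
        pkill -HUP -x dnsmasq
    fi
}

# Run from cron or a timer with RUN_REFRESH=1; sourcing the file only defines
# the functions.
if [ "${RUN_REFRESH:-0}" = 1 ]; then
    refresh_hosts
fi
```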