[Dnsmasq-discuss] dnsmasq cname limitations
Petr Menšík
pemensik at redhat.com
Wed Nov 24 14:38:30 UTC 2021
Hi,
Any DNS server able to do recursive iteration itself. If it can
resolve without providing forwarders, it would work. Unbound is a good
example, ISC BIND9 (alias named) as well.
What kind of service is running on it? If you can run a server
somewhere, could it run a fully recursive server able to do also those
queries?
I guess you could make a cron.daily job to fetch the target using dig +short
and write a dnsmasq configuration snippet and restart. I am afraid dnsmasq
would not work in the near future.
Cheers,
Petr
On 11/9/21 23:49, Salatiel Filho wrote:
> Hi Petr, thanks for the explanation. I hope that someday that will be
> possible. Do you know of any DNS server that would allow me to have
> that?
> Concerning your question, a query to some-load-balancer.com returns
> another CNAME that has a dynamic IP. I have no control over
> some-load-balancer.com, so that IP can be changed at any time (and
> usually it is changed every month) and every time they change it I
> face problems and I have to update /etc/hosts. That's the reason I
> thought I could use dnsmasq CNAMEs for it, but in the current
> implementation I would still need to update /etc/hosts every time.
> In this case I will stick to a static entry "somedomain.com" in
> /etc/hosts and update that IP when needed.
>
> Query:
> # nslookup some-load-balancer.com ( names/ips obfuscated )
> Non-authoritative answer:
> some-load-balancer.com canonical name = another.cname.here.
> Name: another.cname.here
> Address: 10.11.12.13
>
> Atenciosamente/Kind regards,
> Salatiel
>
> On Mon, Nov 8, 2021 at 8:23 AM Petr Menšík <pemensik at redhat.com> wrote:
>> Hi Salatiel,
>>
>> The short answer is because of the way dnsmasq is implemented.
>>
>> The primary reason is not a security decision, but the lightweight
>> implementation in dnsmasq. It relies on recursive upstream servers to
>> deliver a complete recursed answer. If it contains a CNAME, it has to
>> also contain its target. It might be an answer record or a negative
>> answer (NXDOMAIN).
>>
>> But dnsmasq cannot process incomplete answers, which would require a
>> dependent query to be sent again. If there is a CNAME without anything
>> following, dnsmasq would have to query the upstream server again with its
>> target. Because of the internal design it is not as easy as it seems.
>> Dnsmasq does not store full names of pending queries, only their hashes.
>> The inability to finish incomplete responses and only then deliver the
>> final result to the original query is caused by missing code. It is not
>> usually required.
>>
>> There is something similar implemented for DNSSEC validation, but it
>> requires a non-disabled cache, for example. Because it cannot finish
>> incomplete responses, it also needs to know the final answer for the
>> CNAME on the command line.
>>
>> I think it would require multiple improvements in the internal code. For
>> example, current query retries are driven by clients. They retry only
>> when clients retry the query to dnsmasq. For well-working internal retries
>> it would have to stop storing just a hash of the original query and store
>> the full original query itself. While it should not be very hard, it would
>> mean non-trivial code and algorithm changes, with possible regressions
>> caused by such changes.
>>
>> Cheers,
>> Petr
>>
>> On 11/6/21 20:11, Salatiel Filho wrote:
>>> Hi, why does dnsmasq cname require an entry in /etc/hosts?
>>> I would like to override "somedomain.com" to "some-load-balancer.com"
>>> as a CNAME. If I start dnsmasq as:
>>> # dnsmasq -dq -r /etc/resolv.upstream --cname somedomain.com,some-load-balancer.com
>>> If I try to ping somedomain.com, I will get:
>>> ping: unknown host somedomain.com
>>> If I try to nslookup somedomain.com
>>> Server: 127.0.0.1
>>> Address: 127.0.0.1#53
>>> somedomain.com canonical name = some-load-balancer.com.
>> If you query some-load-balancer.com, what does the response look like?
>> Unlike the HTTP protocol, it would not receive the name of the original
>> query somedomain.com. Would it always return a set of addresses not known
>> at configure time?
>>> So I would expect that to work. Is there a reason for that not being
>>> allowed by dnsmasq? Security reasons somehow?
>>> I have a scenario where I need to make a container for a legacy
>>> application point somedomain.com (hardcoded) to an external
>>> load balancer's CNAME whose IP is, of course, dynamic and I cannot
>>> add it to /etc/hosts.
>>>
>>> Thanks!
>>>
>> --
>> Petr Menšík
>> Software Engineer
>> Red Hat, http://www.redhat.com/
>> email: pemensik at redhat.com
>> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
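The cron.daily workaround Petr sketches above (resolve the target with dig +short, write a dnsmasq configuration snippet, restart), as an added example that is not code from the thread or from dnsmasq itself. It assumes a snippet path under /etc/dnsmasq.d and systemd-managed dnsmasq, and it uses host-record= rather than address= so only the exact legacy name is overridden; the sample dig output is constructed from the obfuscated chain in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): daily job that resolves the external
# CNAME chain with 'dig +short', keeps only the final IPv4 records and writes
# them as a dnsmasq host-record= snippet, so the hard-coded legacy name stays
# current without hand-editing /etc/hosts. Names and paths are placeholders.

# Keep only dotted-quad lines from 'dig +short' output. CNAME lines end in a
# dot and are dropped; anything else (timeouts, error text) is rejected too,
# so a garbage answer can never be written into the dnsmasq configuration.
extract_ipv4() {
    printf '%s\n' "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Render one host-record line per final A record.
# Usage: render_snippet <local-name> "<dig +short output>"; fails (status 1)
# when no address survived, so the caller keeps the previous snippet.
render_snippet() {
    ips=$(extract_ipv4 "$2")
    [ -n "$ips" ] || return 1
    printf '%s\n' "$ips" | while read -r ip; do
        printf 'host-record=%s,%s\n' "$1" "$ip"
    done
}

# Cron entry point: rewrite the snippet and restart dnsmasq only when the
# resolved addresses changed (dnsmasq does not re-read its config on SIGHUP).
update_dnsmasq_alias() {
    snippet=${3:-/etc/dnsmasq.d/alias-$1.conf}
    answer=$(dig +short "$2") || return 1
    new=$(render_snippet "$1" "$answer") || return 1
    if [ -f "$snippet" ] && [ "$(cat "$snippet")" = "$new" ]; then
        return 0
    fi
    printf '%s\n' "$new" > "$snippet"
    systemctl restart dnsmasq
}

# Constructed sample of 'dig +short' output for the obfuscated chain from the
# thread; the real job calls update_dnsmasq_alias instead.
SAMPLE='another.cname.here.
10.11.12.13'

if [ "${1:-}" = "--run" ]; then
    update_dnsmasq_alias somedomain.com some-load-balancer.com
else
    render_snippet somedomain.com "$SAMPLE"
fi
```

Running the script without arguments only renders the constructed sample; `--run` performs the real lookup and restart, which is what the cron.daily entry would invoke.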