[Dnsmasq-discuss] Forward subdomain or TXT requests to upstream

A C dnsmasq6pJH at acarver.net
Sat Apr 16 19:58:45 UTC 2022


I already have a local=/domain/ setting but I suppose I can try an 
additional server line; however, I don't think it is quite the same.

The question I have then is about the expected behavior because what is 
described in the configuration examples isn't exactly what I have.  In 
the example it shows forwarding hostnames of the form 
host.internal.example.com to the internal server.  The problem is I 
don't use that structure.  My internal hostnames all use FQDNs that are 
the same as my external domain.  So if my domain was example.com then 
all my internal hosts are simply host.example.com not 
host.internal.example.com.

What I then want specifically is to be able to specify that any host 
with a subdomain of _domainkey.example.com goes outbound.

Basically I seem to want the opposite of what it's describing, all 
generics stay inside and only specifics go outbound.


On 2022-04-16 12:21, Donald Muller wrote:
> 
> 
>> -----Original Message-----
>> From: Dnsmasq-discuss <dnsmasq-discuss-bounces at lists.thekelleys.org.uk>
>> On Behalf Of A C
>> Sent: Saturday, April 16, 2022 3:21 AM
>> To: dnsmasq-discuss at lists.thekelleys.org.uk
>> Subject: [Dnsmasq-discuss] Forward subdomain or TXT requests to upstream
>>
>> I have dnsmasq on my router set to use my own domain name internally
>> (let's just call it example.com)
>>
>> I do have that same domain in a domain provider outside with DNS records.
>>
>> What I'd like to do is forward outbound queries (meaning from inside my
>> home network and destined for dnsmasq normally) for certain subdomains
>> of my main domain to pass through and arrive at the external provider.
>>
>> E.g. if I perform a dig on a normal host:
>>
>> dig host.example.com
>>
>> dnsmasq is going to respond like it normally does, looking through what
>> was loaded in the configuration files (I'm using a dhcp-hostsfile) and
>> return that info (which would end up being an internal record)
>>
>> However, if I dig on a subdomain:
>> dig subdomain.example.com
>>
>> I want to send that along to an upstream server.
>>
>> To be more specific what I'm actually trying to do is reach TXT records
>> of my domain that are hosted at my domain provider's DNS while leaving A
>> queries local so I get my local IP addresses when I'm on an internal
>> machine.  I would prefer not to copy the external TXT records internally
>> because they are SPF, DMARC and DKIM records so I'd rather just use the
>> existing ones.
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> 
> Have you tried the --server option? From the manpage.
> 
> -S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<interface>][@<source-ip>[#<port>]]
> Specify IP address of upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use --no-resolv to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. DNSSEC validation is turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one --server flag is allowed, with repeated domain or ipaddr parts as required.
> More specific domains take precedence over less specific domains, so: --server=/google.com/1.2.3.4 --server=/www.google.com/2.3.4.5 will send queries for google.com and gmail.google.com to 1.2.3.4, but www.google.com will go to 2.3.4.5
> 
> Matching of domains is normally done on complete labels, so /google.com/ matches google.com and www.google.com but NOT supergoogle.com. This can be overridden with a * at the start of a pattern only: /*google.com/ will match google.com and www.google.com AND supergoogle.com. The non-wildcard form has priority, so if /google.com/ and /*google.com/ are both specified then google.com and www.google.com will match /google.com/ and /*google.com/ will only match supergoogle.com.
> 
> For historical reasons, the pattern /.google.com/ is equivalent to /google.com/ if you wish to match any subdomain of google.com but NOT google.com itself, use /*.google.com/
> 
> The special server address '#' means, "use the standard servers", so --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries for google.com and its subdomains to 1.2.3.4, except www.google.com (and its subdomains) which will be forwarded as usual.
> 
> Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers. --local is a synonym for --server to make configuration files clearer in this case.
> 
> IPv6 addresses may include an %interface scope-id, eg fe80::202:a412:4512:7bbf%eth0.
> 
> The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface; if an ip-address is given then the source address of the queries will be set to that address; and if both are given then a combination of ip-address and interface name will be used to steer requests to the server. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq.

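The manpage rules quoted above (whole-label matching, most-specific domain wins, `*` wildcards, `#` meaning the standard upstreams, a domain with no address meaning local-only) decide where each name goes purely by the query name, never by record type. The following is an added illustration, not code from the thread or from dnsmasq itself: a small model of that selection logic, driven by a constructed dnsmasq.conf fragment for the situation in this thread (assumed zone example.com, provider DNS reachable through the normal upstreams, DKIM at selector._domainkey.example.com and DMARC at _dmarc.example.com). It also shows the consequence a practitioner should check: `_dmarc` and `_domainkey` names can be pushed back upstream with `server=/.../#`, but the apex TXT (SPF at example.com) lands in the same bucket as the apex A record and stays local.

```python
"""Model of dnsmasq --local/--server domain selection (added example, not
dnsmasq's own code), applied to a constructed config for this thread."""

# Constructed config fragment; assumes the internal zone is example.com and
# that the provider's authoritative DNS is reached via the normal upstreams.
CONFIG = """\
# Answer example.com from /etc/hosts and DHCP leases only; never forward it.
local=/example.com/
# ...but send the mail-policy subdomains back to the normal upstreams so the
# DMARC and DKIM TXT records published at the provider are what clients see.
server=/_dmarc.example.com/#
server=/_domainkey.example.com/#
"""

LOCAL = "local-only (hosts/DHCP, never forwarded)"
DEFAULT = "default upstreams (resolv.conf)"


def parse_config(text):
    """Extract (domain_pattern, target) pairs from local=/server= lines.

    The value looks like /dom1/dom2/.../target; an empty target means
    "local only" and '#' means "the standard upstream servers".  server=
    lines with no leading '/' name a plain upstream and are ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key not in ("server", "local") or not value.startswith("/"):
            continue
        parts = value.split("/")          # '', dom1, ..., target
        for dom in parts[1:-1]:
            rules.append((dom, parts[-1]))
    return rules


def _labels(name):
    return name.lower().rstrip(".").split(".")


def _match(pattern, name):
    """Return a precedence key (specificity, non_wildcard) if `pattern`
    matches `name`, else None.  Rules mirrored from the quoted manpage:
    whole-label matching; a leading '.' is ignored; a leading '*' turns the
    pattern into a plain suffix match (so *google.com also hits
    supergoogle.com and *.google.com hits subdomains but not the apex);
    '//' (empty pattern) matches unqualified single-label names only."""
    name = name.lower().rstrip(".")
    if pattern == "":
        return (0, 1) if "." not in name else None
    wildcard = pattern.startswith("*")
    pat = (pattern[1:] if wildcard else pattern).lower()
    if not wildcard and pat.startswith("."):
        pat = pat[1:]
    if wildcard:
        if not name.endswith(pat):
            return None
        return (len([l for l in pat.strip(".").split(".") if l]), 0)
    pl, nl = pat.split("."), _labels(name)
    if len(nl) >= len(pl) and nl[-len(pl):] == pl:
        return (len(pl), 1)
    return None


def route(name, rules):
    """Pick the target dnsmasq would use for `name`: the most specific
    matching pattern wins, non-wildcard beating wildcard on a tie."""
    best = None
    for pattern, target in rules:
        key = _match(pattern, name)
        if key is not None and (best is None or key > best[0]):
            best = (key, target)
    if best is None or best[1] == "#":
        return DEFAULT
    return LOCAL if best[1] == "" else best[1]


def plan(config, names):
    rules = parse_config(config)
    return {n: route(n, rules) for n in names}


if __name__ == "__main__":
    for name, where in plan(CONFIG, [
        "host.example.com",                 # internal A record: stays local
        "selector._domainkey.example.com",  # DKIM TXT: goes to the provider
        "_dmarc.example.com",               # DMARC TXT: goes to the provider
        "example.com",                      # apex (SPF TXT lives here): local
    ]).items():
        print(f"{name:35} -> {where}")
```

The model is name-based only, exactly like dnsmasq: if the SPF TXT at the apex must come from the provider while `example.com` A answers stay local, a `server=` line cannot express that, and the apex TXT would have to be duplicated locally or the A record moved under a name that is not the apex.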

