> Simon Kelley (simon@...) wrote on 7 March 2011 21:44:
> >So, can somebody set down under exactly what circumstances being able to
> >set an NS record in dnsmasq would be useful? It's clearly pretty easy to
> >add as a feature, but I'm not sure why the need.
Hello Simon,

(...resurrecting http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4721)

I'm currently trying to make clients of a wireless community network have publicly resolvable addresses. This wouldn't make much sense in the IPv4 world, where leases are in private ranges, but it does make a lot of sense combined with dnsmasq's nifty (and certainly unique) ra-names feature, since SLAAC addresses are global :)

I have to overcome 3 difficulties:

1) My dnsmasq server is reachable on IPv6 only (IPv4 is not public)
2) nic.ar (registrar) doesn't support setting IPv6 NS records at all.
3) dnsmasq doesn't offer NS records for a local=/domain/

To overcome (1) and (2), in the registrar I've pointed the deltalibre.org.ar NS records to the public IPv4 of a dual-stack server running bind9. That bind9 has a zone esperita.deltalibre.org.ar defined as "forward-only", with a forwarders clause pointing to the IPv6 of the dnsmasq server. [So in effect, the bind9 acts as a "man in the middle" between my IPv4-only registrar and my IPv6-only dnsmasq.]

So far so good. Problem is, when I "dig -t NS @8.8.8.8 esperita.deltalibre.org.ar", I get a SERVFAIL :( This prevents me from querying anything inside that subdomain; digging colmena.esperita.deltalibre.org.ar also gives back a SERVFAIL (querying the dnsmasq server directly works):

$ dig -t AAAA @2a00:1508:1:f003::1 colmena.esperita.deltalibre.org.ar +nocmd +nocomments
;colmena.esperita.deltalibre.org.ar. IN AAAA
colmena.esperita.deltalibre.org.ar. 600 IN AAAA 2a00:1508:1:f003:fad1:11ff:fe50:4757
;; Query time: 116 msec
;; SERVER: 2a00:1508:1:f003::1#53(2a00:1508:1:f003::1)
;; WHEN: Thu Nov 1 18:42:33 2012
;; MSG SIZE rcvd: 80

If I could get the dnsmasq running at 2a00:1508:1:f003::1 to reply with an NS record pointing to itself when queried about esperita.deltalibre.org.ar, this whole scheme should work. Which would in turn be a *very* elegant and simple way of handling DNS resolving for clients.
A kind of "dyndns" service of the future :)

What do you think? Would that be an argument for implementing this into dnsmasq? (Or maybe there's another way to do this I'm overlooking.) (dnsmasq is running on a space-tight OpenWrt, so running bind9+dnsmasq is not an option.)

Thanks and cheers!
Gui

ps. original thread and arguments follow:

> >(Being able to return NS records for arbitrary domains looks like a
> >really good way to confuse the unwary, but that's maybe a different point)
>
> It's not for arbitrary domains, it's only for the zone it's
> authoritative for. The one that has local=/my.zone/ in the config.
>
> I've made some tests and it seems that answering NS queries is not
> only "good behavior", it's essential. They're shown below; the
> domain is of a new university here.
>
> Objective: make dnsmasq the authoritative zone server, because it has
> all the info, both for static names and for dhcp-assigned ones.
>
> We're using (for now...) ISC named as the recursor, in a different
> machine. Both would be listed as DNS servers for the domain in the
> national registrar:
>
> named: 200.134.33.2
> dnsmasq: 200.134.33.10
>
> named is configured as cache-only but forwarding requests to dnsmasq
> for the zone.
> This is named.conf.local:
>
> zone "unila.edu.br" {
>     type forward;
>     forward only;
>     forwarders { 200.134.33.10; };    <===== dnsmasq machine
> };
>
> zone "33.134.200.in-addr.arpa" {
>     type forward;
>     forward only;
>     forwarders { 200.134.33.10; };
> };
>
> dnsmasq is configured as (dns part only)
>
> addn-hosts=/etc/dnsmasq/hosts
> log-queries
> local=/unila.edu.br/
> local=/33.134.200.in-addr.arpa/
> server=200.134.33.2    <===== named machine
> bind-interfaces
> localise-queries
> bogus-priv
> filterwin2k
> no-resolv
> no-poll
> stop-dns-rebind
> mx-host=unila.edu.br,unila2.unila.edu.br
> cname=mx.unila.edu.br,unila2.unila.edu.br
> cname=correio.unila.edu.br,unila2.unila.edu.br
> domain-needed
>
> Summary: named is cache-only and sends all queries about unila.edu.br
> to dnsmasq, while dnsmasq answers all queries about unila.edu.br by
> itself and sends everything else to named.
>
> The setup works IFF you ask the servers directly:
>
> % host unila1.unila.edu.br 200.134.33.10
> unila1.unila.edu.br A 200.134.33.254
>
> % host unila1.unila.edu.br 200.134.33.2
> unila1.unila.edu.br A 200.134.33.254
>
> and the dnsmasq log shows the query from named:
>
> Mar 8 13:18:31 dnsmasq[27535]: query[A] unila1.unila.edu.br from 200.134.33.2
> Mar 8 13:18:31 dnsmasq[27535]: /etc/dnsmasq/hosts unila1.unila.edu.br is 200.134.33.254
>
> which shows the named forward works.
>
> However, queries without the explicit nameserver don't work:
>
> % host parana.unila.edu.br
> ;; connection timed out; no servers could be reached
>
> % dig unila1.unila.edu.br +trace
>
> ; <<>> DiG 9.7.2-P3 <<>> unila1.unila.edu.br +trace
> ;; global options: +cmd
> . 358303 IN NS c.root-servers.net.
> . 358303 IN NS f.root-servers.net.
> . 358303 IN NS e.root-servers.net.
> . 358303 IN NS a.root-servers.net.
> . 358303 IN NS m.root-servers.net.
> . 358303 IN NS g.root-servers.net.
> . 358303 IN NS i.root-servers.net.
> . 358303 IN NS d.root-servers.net.
> . 358303 IN NS h.root-servers.net.
> . 358303 IN NS b.root-servers.net.
> . 358303 IN NS l.root-servers.net.
> . 358303 IN NS j.root-servers.net.
> . 358303 IN NS k.root-servers.net.
> ;; Received 272 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
>
> br. 172800 IN NS f.dns.br.
> br. 172800 IN NS e.dns.br.
> br. 172800 IN NS c.dns.br.
> br. 172800 IN NS a.dns.br.
> br. 172800 IN NS d.dns.br.
> br. 172800 IN NS b.dns.br.
> ;; Received 289 bytes from 128.8.10.90#53(d.root-servers.net) in 156 ms
>
> unila.edu.br. 86400 IN NS ns.unila.edu.br.
> unila.edu.br. 86400 IN NS ns2.unila.edu.br.
> ;; Received 104 bytes from 200.219.159.10#53(f.dns.br) in 9 ms
>
> ;; connection timed out; no servers could be reached
>
> Note that the query doesn't reach dnsmasq. Is it because it doesn't
> have NS or something else is amiss?
>
> Of course, with named configured for answering the zone
> authoritatively it works.
>
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
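As an added illustration (not part of Gui's mail and not dnsmasq or bind9 code), the following pure-Python snippet builds and parses the wire-format answer to a `zone IN NS` query and checks the three things the recursor in both threads needs from the zone's listed nameserver: rcode NOERROR rather than SERVFAIL, the AA flag, and an NS RR at the zone apex. The zone name comes from the mail; the nameserver name `ns.esperita.deltalibre.org.ar.` and the query id are constructed assumptions, names are built uncompressed, and the parser follows RFC 1035 compression pointers so it also works on real responses.

```python
import struct
NS = 2                                                 # RR type code for NS

def encode_name(name):                                 # wire-format a dotted name (no compression)
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a name, following RFC 1035 compression pointers; return (name, end offset)."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length >= 0xC0:                             # 2-byte pointer into the message
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + length].decode())
            off += 1 + length
    return ".".join(labels) + ".", (end or off + 1)

def build_ns_response(qid, zone, rcode=0, aa=True, ns_name=None, ttl=600):
    """Constructed reply to 'zone IN NS'; with ns_name set, one NS RR goes in the answer section."""
    flags = 0x8100 | (0x0400 if aa else 0) | rcode     # QR, RD, optional AA, RCODE
    rdatas = [encode_name(ns_name)] if ns_name else []
    answer = b"".join(encode_name(zone) + struct.pack("!HHIH", NS, 1, ttl, len(r)) + r for r in rdatas)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(rdatas), 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", NS, 1) + answer

def parse_response(msg):
    """Return (rcode, aa_flag, [(owner, type, rdata_text)]) for every RR after the question."""
    _, flags, qd, an, au, ar = struct.unpack("!HHHHHH", msg[:12])
    off, rrs = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4             # skip QNAME, QTYPE, QCLASS
    for _ in range(an + au + ar):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        text = decode_name(msg, off)[0] if rtype == NS else msg[off:off + rdlen].hex()
        rrs.append((owner, rtype, text))
        off += rdlen
    return flags & 0xF, bool(flags & 0x0400), rrs

def apex_ns_problems(msg, zone):
    """Reasons a recursor following the delegation would not accept this as the zone's NS answer."""
    rcode, aa, rrs = parse_response(msg)
    problems = ["rcode %d (2 = SERVFAIL)" % rcode] if rcode else []
    if not aa:
        problems.append("AA flag not set")
    if not any(owner == zone and rtype == NS for owner, rtype, _ in rrs):
        problems.append("no NS RR at the zone apex")
    return problems
```

Feeding `build_ns_response(0x1234, "esperita.deltalibre.org.ar.", rcode=2, aa=False)` to `apex_ns_problems` reproduces all three failures of the SERVFAIL case, while the same call with `ns_name="ns.esperita.deltalibre.org.ar."` reports none.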