Hi,

We have our own DNS proxy implemented, and we are trying to integrate it
into our existing network stack that currently contains NetworkManager +
dnsmasq. The plan is for our network stack to contain NetworkManager +
dnsmasq + our DNS proxy.

There is a problem I can’t solve, and I was wondering if you may point me
in the right direction.

Our DNS proxy runs locally, listens on a local address (e.g. 127.8.8.8),
and proxies all incoming DNS queries to a DNS server via DNS-over-HTTPS. It
has to do some other things too, which is the reason we had to implement our
own DNS proxy in the first place.

1) We would like dnsmasq to send DNS queries to our proxy first; and if the
proxy misbehaves and does not respond to a DNS query within a period of
time, we would like dnsmasq to send the same query to the network-provided
DNS server. To implement this behavior, we are dropping a config file into
/etc/NetworkManager/dnsmasq.d, and the config has a line like
“server=127.8.8.8”

If I read the dnsmasq source code correctly, in the presence of this config
file dnsmasq will always keep 127.8.8.8 as the primary resolver, and the
network-provided DNS server will be used as the secondary resolver. The
information about the network-provided DNS server is provided by
NetworkManager via dbus; after the machine gets connected to a new network,
NetworkManager will send an update to dnsmasq (using
SetServers/SetServersEx or a similar message), and dnsmasq will only update
the secondary resolver, but it will keep 127.8.8.8 as the primary one. Is
my understanding correct?

2) Now we get to the problem I am trying to solve. Our proxy needs to
detect whether we are behind a captive portal. A common way to detect
captive portals is to open a specific URL and check the result. (Our proxy
is using http://connectivitycheck.gstatic.com/generate_204.) The problem is
that this method works only if the network-provided DNS server is used for
resolving connectivitycheck.gstatic.com. Unfortunately, with the config
described in (1), dnsmasq will send the DNS query for
connectivitycheck.gstatic.com to our proxy rather than the network-provided
DNS server, and the detection method does not work in this case.

I’ve been looking at potential solutions, and I could see a few options.

2.a) Find another way to detect captive portals. Some way that does not
attempt to reach any URLs.

2.b) Could dnsmasq be configured to send DNS queries for a specific domain
name straight to the secondary resolver? Then we would configure dnsmasq to
ignore the primary resolver 127.8.8.8 and use the network-provided DNS
server when resolving connectivitycheck.gstatic.com.

I have found options in the configs that allow sending a specific domain to
a specific DNS server address, but that is not exactly what we need as we
do not know the address of the network-provided DNS server in advance.

2.c) If our proxy could know the address of the network-provided DNS
server, it could use that specific DNS address when reaching
http://connectivitycheck.gstatic.com/generate_204

The problem is that only dnsmasq holds the information about the current
network-provided DNS server. And I could not find any way to get this
information from dnsmasq via dbus. dnsmasq supports messages like
“SetServers” but nothing like “GetServers”.

Is getting the network-provided DNS server (or, alternatively, the full
list of DNS servers) something that is or could be supported by dnsmasq?

Thanks,

Evgeny
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
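As an added illustration of option 2.c (not code from Evgeny's message, from dnsmasq or from NetworkManager), the Python below resolves connectivitycheck.gstatic.com by sending the A query straight to a given resolver address over UDP/53, bypassing dnsmasq and the local proxy, then fetches /generate_204 from the returned address with the right Host header and classifies the reply. The resolver address is an assumed input (however the stack ends up exposing the network-provided server), and the fixed transaction id is a demo simplification.

```python
import http.client
import socket
import struct

CHECK_HOST = "connectivitycheck.gstatic.com"  # probe host named in the post
TXID = 0x1234  # fixed id for this demo; production code should randomise it

def build_a_query(name, txid=TXID):  # header (RD set) + QNAME + QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_a_answers(resp):  # -> (txid, rcode, [IPv4 strings]); A records only
    txid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    def skip_name(off):  # advance past a label sequence or a compression pointer
        while resp[off] and resp[off] & 0xC0 != 0xC0:
            off += 1 + resp[off]
        return off + (2 if resp[off] else 1)
    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off + 10:off + 14]))
        off += 10 + rdlen
    return txid, flags & 0x0F, ips

def resolve_via(server, name=CHECK_HOST, timeout=2.0):
    # Ask `server` directly on UDP/53, bypassing dnsmasq and the local proxy.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        txid, rcode, ips = parse_a_answers(sock.recvfrom(4096)[0])
    if txid != TXID or rcode != 0 or not ips:
        raise RuntimeError(f"no usable A answer from {server} (rcode={rcode})")
    return ips[0]

def classify_probe(status, body=b""):
    # 204 with empty body = open Internet; redirect or 200 with body = intercepted
    if status == 204 and not body:
        return "online"
    return "captive-portal" if status in (200, 301, 302, 303, 307, 308) else "unknown"

def check_captive_portal(dns_server):  # assumed caller supplies the resolver address
    conn = http.client.HTTPConnection(resolve_via(dns_server), 80, timeout=5)
    conn.request("GET", "/generate_204", headers={"Host": CHECK_HOST})
    resp = conn.getresponse()
    return classify_probe(resp.status, resp.read())
```

`check_captive_portal("192.0.2.53")` (an example resolver address) returns "online", "captive-portal" or "unknown"; a resolver that answers NXDOMAIN or times out raises instead of being mistaken for a portal.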