On Thu, Oct 10, 2024 at 10:13:05AM +0000, Roger Lucas via Dnsmasq-discuss wrote:
> 
> We have corporate Windows domain servers which delegate
> "labs.internal.company.com" to a DNSMASQ instance running on the
> lab gateway.
> 
> This DNSMASQ instance has to run in authoritative mode otherwise we have
> problems with Windows DNS refusing to use it.
> 
> The setup has worked well for years, until the lab network grew so
> big that we broke it up into sub-networks.

Acknowledged.


> Each sub-network has its own gateway running DNSMASQ.
> These sub-networks for the labs are lab1.labs.internal.company.com,
> lab2.labs.internal.company.com, lab3.labs.internal.company.com, etc.
> 
> On the main lab gateway, I have a DNSMASQ config as below:
> 
> resolv-file=/etc/resolv.conf.dnsmasq
> server=/lab1.labs.internal.company.com/10.64.241.1
> server=/lab2.labs.internal.company.com/10.64.242.1
> server=/lab3.labs.internal.company.com/10.64.243.1
> no-dhcp-interface=eno1,lo
> dhcp-range=10.64.0.50,10.64.0.199,12h
> log-queries
> log-facility=/var/log/dnsmasq.log
> log-dhcp
> auth-server=labs.internal.company.com
> auth-zone=labs.internal.company.com
> auth-soa=2,admin.labs.internal.company.com
> auth-ttl=600
> 
> The main lab gateway is running DNSMASQ v2.90.
> 
> The problem is that I don't get any delegated queries to the lab[123]
> DNSMASQ instances.
> When I send a DNS query to the lab gateway for a server in any of the
> lab[123] sub-domains, I get an immediate NXDOMAIN back.
> If I query the appropriate sub-domain server for the same FQDN, I get
> the expected reply.
> If I run tcpdump on the sub-domain server, I don't see any query
> coming in when I try to look up the FQDN on the main lab gateway,
> so the query isn't being passed on to the sub-domain server.
> 
> I'm sure this is related to the auth-server aspect and I've read the
> DNSMASQ man page and Googled, but I can't see how to get it to work.

As I see it, the extension of the chain is incomplete. [1]

By "chain" I mean the chain of DNS servers. By "extension" I mean
the insertion of a DNS in the chain.

 
> Thanks in advance for any suggestions!

Back to the drawing board, draw the chain on it.
Make a cut in the chain, insert the extra DNS.
Complete the chain, put in all the needed connections.

Please report back.


Regards
Geert Stappers

[1] And I think that parts of the extension are wrong,
    but it could be that I misread the provided information.
-- 
Silence is hard to parse

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
