Hi Buck,

Thanks for your reply.  Comments inline.

> ________________________________________
> From: Dnsmasq-discuss <dnsmasq-discuss-boun...@lists.thekelleys.org.uk> on 
> behalf of Buck Horn via Dnsmasq-discuss 
> <dnsmasq-discuss@lists.thekelleys.org.uk>
> Sent: 15 October 2024 14:08
> To: dnsmasq-discuss@lists.thekelleys.org.uk 
> <dnsmasq-discuss@lists.thekelleys.org.uk>
> Cc: Buck Horn <buckh...@weibsvolk.org>
> Subject: Re: [Dnsmasq-discuss] Problem with auth and sub-domain servers
>  
> On 10.10.24 12:13, Roger Lucas via Dnsmasq-discuss wrote:
> > We have corporate Windows domain servers which delegate
> > "labs.internal.company.com" to a DNSMASQ
> > instance running on the lab gateway.
> >
> > This DNSMASQ instance has to run in authoritative mode otherwise we have
> > problems with Windows DNS refusing to use it.
> 
> 
> Can you elaborate that 'authoritative' requirement?

Our DNSMASQ instance is running internal to our company and doesn't 
resolve externally.  Our corporate DNS is Microsoft Windows, and the 
sysadmin has told me that DNSMASQ must be running in authoritative
mode for Windows to accept it.   I don't understand why this requirement
exists, but I trust him that it does.

Hence, we have added the "auth-*" fields as below:

auth-server=labs.internal.company.com
auth-zone=labs.internal.company.com
auth-soa=2,admin.labs.internal.company.com
auth-ttl=600

With these in place, dnsmasq interacts reliably with Windows.

> 
> dnsmasq would answer local definitions with the 'aa' bit set, so I have
> difficulties reasoning what else that Windows DNS would look for. As you
> write that you delegate DNS requests to your dnsmasq instance directly,
> you would by-pass the authoritative lookup via public DNS anyway, and
> the replies would be the same as if you wouldn't use authoritative modes?
> 
> As you state this is a lab environment, I wonder if you are indeed using
> dnsmasq in authoritative mode, making its records available via public
> DNS servers?

DNSMASQ is in authoritative mode, as per the config above, but nothing
is accessible publicly.

> 
> Also, it seems you are just catering for private range IPs, based on your
> private DHCP range definition.

Correct.

> 
> It would be highly unusual (and could be considered unwanted) to have a
> public DNS server return private IP addresses. Even if they would be
> served, routers are likely to intercept and disregard them, as private
> IP answers may be considered as DNS rebind attack attempts.

Agreed.  We aren't doing that.

> 
> I somehow suspect that your issue should better be addressed by
> configuring your Windows DNS server to accept answers directly from dnsmasq.

That's what we have done, but Windows won't allow the domain
to be resolved by DNSMASQ unless it is authoritative.

> 
> When you run your setup without the auth-* lines, would that work?
> If not, what do Windows DNS complaints look like?

From a client perspective, the DNS queries weren't resolved unless DNSMASQ
was in authoritative mode.

We went through this about 4 years ago, and since then it has worked 
completely reliably ... if DNSMASQ is authoritative.

> 
> Kind regards,
>       Buck
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

For me, the question isn't whether DNSMASQ should be configured to be
authoritative or not.  I'm comfortable with the fact that Windows will only
pass sub-domain queries to a DNS server that is authoritative.

The question is whether DNSMASQ can pass on sub-domain queries to
other servers when configured in authoritative mode for the domain.

If not, then the question is whether DNSMASQ should allow that behavior.

As I said in my reply to Geert, I'm OK if the answer to the above two questions
is "No" because I'm quite comfortable installing BIND on the main lab 
gateway.  I would *prefer* to use DNSMASQ because it's simpler and we use
it everywhere else through the labs, but I *can* use BIND if necessary.


Many thanks,

Roger
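An added check, not from this thread or from dnsmasq itself, for the point Buck raises about the 'aa' bit: send the server an SOA query for the zone apex and for a name under a sub-domain, and read back whether the reply is marked authoritative, what rcode it carries and whether anything sits in the authority section. The server address 192.0.2.53 and the sub-domain name are placeholders; the two sample headers are constructed so the parsing runs offline.

```python
"""Query a DNS server and report whether it answers a name authoritatively."""
import socket
import struct

SOA = 6  # query type used to probe a zone apex

def build_query(qname: str, qtype: int = SOA, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(response: bytes) -> dict:
    """Pull out the header fields that show how the server treated the name."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # this is a response
        "aa": bool(flags & 0x0400),     # server claims authority for the name
        "rcode": flags & 0x000F,        # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
        "authority": ns,                # delegation NS records land here
    }

def is_authoritative(response: bytes, expected_id: int = 0x1234) -> bool:
    """True only for a matching NOERROR response with the 'aa' bit set."""
    h = parse_header(response)
    return h["id"] == expected_id and h["qr"] and h["rcode"] == 0 and h["aa"]

def probe(server: str, qname: str, qtype: int = SOA, timeout: float = 2.0) -> dict:
    """Send one UDP query to server:53 and return the parsed header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qtype), (server, 53))
        return parse_header(sock.recv(4096))

# Constructed sample headers (no network needed): an authoritative NOERROR reply
# with one answer, and a recursive reply (RA set, AA clear) as a forwarder gives.
SAMPLE_AUTH = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
SAMPLE_NONAUTH = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    # Placeholder address and names: compare the zone apex with a sub-domain name.
    for name in ("labs.internal.company.com", "host.sub.labs.internal.company.com"):
        print(name, probe("192.0.2.53", name))
```

Run it against the lab gateway and compare the two lines: the apex should come back with aa set, and the sub-domain name shows whether the auth zone answers, refuses or hands the query on.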