Hi Lucas, your answers are not exactly providing too many extra details, so I try to generalise a bit.
On 15.10.24 16:24, Roger Lucas wrote:
> For me, the question isn't whether DNSMASQ should be configured to be authoritative or not. I'm comfortable with the fact that Windows will only pass sub-domain queries to a DNS server that is authoritative.
Authoritative DNS servers are meant to be queried publicly by recursive DNS servers. The whole point of dnsmasq's auth-* options is to make local DNS records held by dnsmasq accessible to public DNS. Your Windows DNS server forcing authoritative behaviour seems very much like an artificial requirement. An authoritative nameserver would be expected to answer queries for its specified domain from its own data, i.e. without needing to reference any other source. dnsmasq's documentation says much the same, and this is why you see an NXDOMAIN for your requests.

So if your Windows DNS server really is rejecting dnsmasq's replies when it's not configured authoritatively, then it is likely working as a recursive resolver for that query. As a recursive resolver, it has to query SOA/NS/DS records to follow the recursion chain in order to fulfill a client's original DNS request (e.g. for an A record), and that would force dnsmasq's authoritative mode. However, recursion would not be necessary here, as conditional forwarding would allow the DNS server to retrieve the requested records directly, without having to walk the full recursion chain, in addition to the obvious benefit that you wouldn't have to configure dnsmasq as authoritative, and with a significantly lower count of DNS requests.

Yet at the same time, your Windows DNS server seems also to be acting as an authoritative DNS server for the requested domain, and it has not been configured correctly to conditionally forward rather than delegate your lab domains, probably because that's somehow conflicting with its authoritative behaviour. Since you don't intend to publish those DNS records, a conditional forward seems the correct and more secure way to access your dnsmasq DNS records. I am not familiar with Windows DNS, so I can't comment on whether or how that could be achieved. (On a side note, ISC Bind discourages combining authoritative and recursive DNS server functions in one instance.)
But if that Windows DNS can delegate zones, then the most obvious approach to tackle your issue seems to be to have it delegate each of your domains to each of your three respective dnsmasq instances directly, instead of introducing yet another indirection. That would save you from one additional unnecessary recursion step, and you would also be able to keep dnsmasq.

Either way, I still think the key to your issue lies with your Windows DNS configuration rather than dnsmasq.

Kind regards,
Buck

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
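To make the two setups contrasted in the message concrete, here is an added dnsmasq configuration sketch; it is not from the thread and not Buck's or Lucas's own config. The interface name, the domain lab.example, the addresses and the host names are all assumptions.

```conf
# Added example, not from the thread. Assumed: this dnsmasq instance listens
# on eth0 at 10.0.0.2 and holds the records for the lab domain "lab.example".

interface=eth0
domain=lab.example
expand-hosts                 # append lab.example to bare names from /etc/hosts and DHCP

# Option A: be the target of a conditional forward (what the message recommends).
# The Windows DNS server forwards everything under lab.example straight here.
# dnsmasq answers from its own data; names it does not hold in this domain get
# NXDOMAIN rather than being passed on to upstream resolvers, and nothing about
# the domain is published to public DNS. No auth-* options are required.
local=/lab.example/
host-record=build1.lab.example,10.0.0.21
host-record=build2.lab.example,10.0.0.22

# Option B: authoritative mode, needed only when lab.example is *delegated* to
# this host (NS records pointing at it) and the querier walks the SOA/NS chain.
# Keep these commented out unless delegation is really what you want; in this
# mode dnsmasq answers zone queries on eth0 purely from its own data, which is
# why an unknown name yields NXDOMAIN.
#auth-server=ns.lab.example,eth0
#auth-zone=lab.example,10.0.0.0/24
#host-record=ns.lab.example,10.0.0.2
```

On the Windows side the matching forwarder would be created with the DnsServer module's Add-DnsServerConditionalForwarderZone cmdlet (for example -Name lab.example -MasterServers 10.0.0.2); that cmdlet is my assumption about the Windows tooling, which the message itself does not cover.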