Hi Buck,

> Hi Lucas,
> 
> your answers are not exactly providing too many extra details, so I try
> to generalise a bit.
> 

Apologies, and thank you. 

> 
> On 15.10.24 16:24, Roger Lucas wrote:
> > For me, the question isn't whether DNSMASQ should be configured to be
> > authoritative or not.  I'm comfortable with the fact that Windows will only
> > pass sub-domain queries to a DNS server that is authoritative.
> 
> Authoritative DNS servers are meant to be queried publicly by
> recursive DNS servers.
> The whole point of dnsmasq's auth-* options is to make local DNS records
> held by dnsmasq accessible to public DNS.
> 
> Your Windows DNS server forcing authoritative behaviour seems very much
> like an artificial requirement.

I don't know much about the Windows infrastructure.  My guess is that it is 
running a resolver, and only accepts authoritative responses.

> 
> An authoritative nameserver would be expected to answer queries for its
> specified domain from its own data, i.e. without needing to reference
> any other source. dnsmasq's documentation says much the same, and this
> is why you see an NXDOMAIN for your requests.
> 
> So if your Windows DNS server really is rejecting dnsmasq's replies when
> it's not configured authoritatively, then it is likely working as a
> recursive resolver for that query. As a recursive resolver, it has to
> query SOA/NS/DS records to follow the recursion chain in order to
> fulfill a client's original DNS request (e.g. for an A record), and that
> would force dnsmasq's authoritative mode.

Agreed.

> 
> However, recursion would not be necessary here, as conditional
> forwarding would allow the DNS server to retrieve the requested records
> directly, without having to walk the full recursion chain, in addition
> to the obvious benefit that you wouldn't have to configure dnsmasq as
> authoritative, and with a significantly lower count of DNS requests.
> 
> Yet at the same time, your Windows DNS server seems also to be acting as
> an authoritative DNS server for the requested domain, and it has not
> been configured correctly to conditionally forward rather than to delegate
> your lab domains, probably because that's somehow conflicting with its
> authoritative behaviour.

I'm not sure.  I know that the sysadmin configured the Windows servers to
use the main lab gateway for DNS queries for the lab domain, but I don't
know the specifics of how that was done.

> 
> Since you don't intend to publish those DNS records, a conditional
> forward seems the correct and more secure way to access your dnsmasq DNS
> records.
> 
> I am not familiar with Windows DNS, so I can't comment on whether or how
> that could be achieved.
> (On a side note, ISC Bind discourages combining authoritative and
> recursive DNS server functions in one instance).
> 
> But if that Windows DNS can delegate zones, then the most obvious
> approach to tackle your issue seems to be to have it delegate each of
> your domains to each of your three respective dnsmasq instances
> directly, instead of introducing yet another indirection.
> 
> That would save you from one additional unnecessary recursion step, and
> you would also be able to keep dnsmasq.
> 
> Either way, I still think the key to your issue lies with your Windows
> DNS configuration rather than dnsmasq.

If I have understood correctly, I need the equivalent of the below DNS
entries to be _somewhere_:

lab1.labs.internal.company.com NS lab1-gw.labs.internal.company.com
lab2.labs.internal.company.com NS lab2-gw.labs.internal.company.com
lab3.labs.internal.company.com NS lab3-gw.labs.internal.company.com

lab1-gw.labs.internal.company.com A 10.64.241.1
lab2-gw.labs.internal.company.com A 10.64.242.1
lab3-gw.labs.internal.company.com A 10.64.243.1


If I can put those (or their equivalent) on the Windows system, then it
will immediately know to go directly to the appropriate lab gateway 
for those subdomains.  I don't need to change my main lab gateway.

If I can put those (or equivalent) on the main lab gateway, with it still 
running as an authoritative server, then it can tell the requester where
the next "hop" in the DNS query chain is.


I would prefer _not_ to put them on the Windows servers, because I then
have to keep those updated as/when we rework the lab topology, and 
that means more tickets with our IT team.

I can't see how to put the NS records into DNSMASQ, however.  A deep
Google turned up this very old thread:
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q1/004768.html

That suggests that DNSMASQ doesn't support NS records, nor are they 
documented.

Is there a way to add NS records with DNSMASQ?

If not, because I'd rather not have the additional domain entries on the 
Windows servers, I suspect that the only other choice is to run BIND9 on
the main lab gateway, and configure DNSMASQ as authoritative on
the sub-labs?  That way, a resolver can query against the main lab gateway,
then follow the NS response onward to the individual lab resolvers?

> 
> Kind regards,
>       Buck
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Many thanks,

Roger
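As an added illustration of the delegation Roger sketches (this is not code from the thread, from dnsmasq or from Windows DNS), the following Python script models a recursive resolver walking the chain: it asks the parent zone, receives a referral (NS plus glue A record) and then asks the delegated lab server. The NS and glue records are the six lines from the message, assumed to live in a parent zone labs.internal.company.com; the lab host records (pc7, plc) and their addresses are constructed. Two variants of the parent zone show the failure modes discussed above: NS records without glue (the gateway's name lies inside the zone it serves, so the resolver has nowhere to send the next query) and no delegation at all, which is the NXDOMAIN an authoritative server returns when it has no record of the sub-lab names.

```python
"""Toy model of a recursive resolver following NS delegations.

Added example, not code from the dnsmasq-discuss thread or from dnsmasq.
The parent zone holds the NS and glue A records listed in the message
(assumed to live in labs.internal.company.com); the lab zones' host
records and the hostnames in them are constructed for the example.
"""

PARENT_ZONE = "labs.internal.company.com"

# Parent zone content: owner name -> list of (rrtype, rdata).
PARENT_RECORDS = {
    "lab1.labs.internal.company.com": [("NS", "lab1-gw.labs.internal.company.com")],
    "lab2.labs.internal.company.com": [("NS", "lab2-gw.labs.internal.company.com")],
    "lab3.labs.internal.company.com": [("NS", "lab3-gw.labs.internal.company.com")],
    # Glue: the nameservers' names sit inside the parent zone, so the parent
    # must carry their addresses or a resolver has nowhere to send the query.
    "lab1-gw.labs.internal.company.com": [("A", "10.64.241.1")],
    "lab2-gw.labs.internal.company.com": [("A", "10.64.242.1")],
    "lab3-gw.labs.internal.company.com": [("A", "10.64.243.1")],
}

# Variant with NS records but no glue A records.
PARENT_NO_GLUE = {k: v for k, v in PARENT_RECORDS.items() if v[0][0] == "NS"}
# Variant with no delegations at all: an authoritative server that knows
# nothing about the sub-labs answers NXDOMAIN, the symptom in the thread.
PARENT_NO_DELEGATION = {k: v for k, v in PARENT_RECORDS.items() if v[0][0] == "A"}

# The three lab servers, keyed by the address a resolver contacts.
# Host records are constructed; only the zone names come from the thread.
LAB_SERVERS = {
    "10.64.241.1": ("lab1.labs.internal.company.com",
                    {"pc7.lab1.labs.internal.company.com": [("A", "10.64.241.57")]}),
    "10.64.242.1": ("lab2.labs.internal.company.com",
                    {"plc.lab2.labs.internal.company.com": [("A", "10.64.242.20")]}),
    "10.64.243.1": ("lab3.labs.internal.company.com", {}),
}


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def parent_lookup(records, qname, qtype):
    """Answer as the parent zone's authoritative server would.

    Returns ("answer", rdata_list), ("referral", ns_name, glue_ip_or_None),
    ("nxdomain",) or ("refused",).
    """
    if not in_zone(qname, PARENT_ZONE):
        return ("refused",)
    labels = qname.split(".")
    # Look for a delegation point at the query name or any ancestor below the apex.
    for i in range(len(labels)):
        cut = ".".join(labels[i:])
        if cut == PARENT_ZONE:
            break
        for rtype, rdata in records.get(cut, []):
            if rtype == "NS":
                glue = [r for t, r in records.get(rdata, []) if t == "A"]
                return ("referral", rdata, glue[0] if glue else None)
    rrs = [r for t, r in records.get(qname, []) if t == qtype]
    return ("answer", rrs) if rrs else ("nxdomain",)


def lab_lookup(server_ip, qname, qtype):
    """Answer as the lab server at server_ip (authoritative for its lab) would."""
    zone, records = LAB_SERVERS[server_ip]
    if not in_zone(qname, zone):
        return ("refused",)
    rrs = [r for t, r in records.get(qname, []) if t == qtype]
    return ("answer", rrs) if rrs else ("nxdomain",)


def resolve(qname, qtype="A", parent=PARENT_RECORDS):
    """Walk the delegation chain like a recursive resolver.

    Returns (rdata_list, trace); an empty list means resolution failed.
    """
    trace = []
    reply = parent_lookup(parent, qname, qtype)
    trace.append(f"parent {qname}/{qtype}: {reply[0]}")
    if reply[0] == "answer":
        return reply[1], trace
    if reply[0] != "referral":
        return [], trace
    ns_name, glue_ip = reply[1], reply[2]
    if glue_ip is None:
        # Resolving ns_name would mean asking ns_name itself: a dead end.
        trace.append(f"referral to {ns_name} carries no glue, cannot continue")
        return [], trace
    trace.append(f"referral to {ns_name} at {glue_ip}")
    reply = lab_lookup(glue_ip, qname, qtype)
    trace.append(f"{glue_ip} {qname}/{qtype}: {reply[0]}")
    return (reply[1] if reply[0] == "answer" else []), trace


if __name__ == "__main__":
    for zone in (PARENT_RECORDS, PARENT_NO_GLUE, PARENT_NO_DELEGATION):
        answer, trace = resolve("pc7.lab1.labs.internal.company.com", parent=zone)
        print(answer or "FAILED", "|", " -> ".join(trace))
```

Running it prints one line per parent-zone variant: the full zone resolves the constructed host through the referral to 10.64.241.1, the glue-less zone stops at the referral, and the zone without NS records ends in NXDOMAIN at the parent. Whichever server ends up holding the parent zone (Windows DNS, BIND9 on the main gateway, or something else), it is the NS and glue pairs together that let a resolver reach the lab instances without any further configuration on the resolver side.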