[Dnsmasq-discuss] dnsmasq to provide public DNS service
T o n g
2016-06-29 03:28:02 UTC
If I'm to provide DNS service to the public (outside my local network)
using dnsmasq, how to do it, e.g., how to set the listen-address? It
didn't work out of the box after I installed it in my Ubuntu (16.04 LTS
xenial) so I changed to the following, but it stops working:

$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0

$ dig +short docs.google.com
;; connection timed out; no servers could be reached

$ netstat -ulnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp6       0      0 :::53                   :::*


Please help.
Thanks.
T o n g
2016-06-30 12:03:07 UTC
Does no reply mean it is impossible, or has nobody looked into it yet?
Post by T o n g
If I'm to provide DNS service to the public (outside my local network)
using dnsmasq, how to do it, e.g., how to set the listen-address? It
didn't work out of the box after I installed it in my Ubuntu (16.04 LTS
$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
$ dig +short docs.google.com
;; connection timed out; no servers could be reached
$ netstat -ulnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp6       0      0 :::53                   :::*
Please help.
Thanks.
Albert ARIBAUD
2016-06-30 12:37:17 UTC
Hi Tong,

On Thu, 30 Jun 2016 12:03:07 +0000 (UTC)
Post by T o n g
Does no reply means impossible, or just nobody has look into it yet?
It is perfectly possible to run dnsmasq as a "public" DNS, if by this
you mean "make it serve requests from other hosts than the one it is
running on", or even, "make it serve requests from any host" --
although the latter is risky, as you'd basically create an open DNS
server.

Now, for the reason why your tests fail, there is not enough info in
your post to allow diagnosing what is wrong. Notably, you do not
indicate how the machine from which you run dig gets its DNS servers:
the issue could just as well be there.
Post by T o n g
Post by T o n g
If I'm to provide DNS service to the public (outside my local
network) using dnsmasq, how to do it, e.g., how to set the
listen-address? It didn't work out of the box after I installed it
in my Ubuntu (16.04 LTS xenial) so I changed to the following, but
$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
$ dig +short docs.google.com
;; connection timed out; no servers could be reached
$ netstat -ulnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp6       0      0 :::53                   :::*
Please help.
Thanks.
Kind regards,
--
Albert.
T o n g
2016-07-02 17:07:50 UTC
Oh, sorry for responding late.

The machine from which I run dig, and which gets its DNS servers, is the
one on which I tweaked the /etc/dnsmasq.d/public.conf file, which is what
breaks my DNS. And on removing the file, my DNS service (served by the
local dnsmasq) works again.

And, yes, basically I'm creating an open DNS server, and since nobody is
doing that, I can't find any information on how to set it up properly.

Please help. Thanks
Post by Albert ARIBAUD
Hi Tong,
On Thu, 30 Jun 2016 12:03:07 +0000 (UTC)
Post by T o n g
Does no reply means impossible, or just nobody has look into it yet?
It is perfectly possible to run dnsmasq as a "public" DNS, if by this
you mean "make it serve requests from other hosts than the one it is
running on", or even, "make it serve requests from any host" -- although
the latter is risky, as you'd basically create an open DNS server.
Now, for the reason why your tests fail, there is not enough info in your
post to allow diagnosing what is wrong. Notably, you do not indicate how
the issue could just as well be there.
Post by T o n g
Post by T o n g
If I'm to provide DNS service to the public (outside my local
network) using dnsmasq, how to do it, e.g., how to set the
listen-address? It didn't work out of the box after I installed it in
my Ubuntu (16.04 LTS xenial) so I changed to the following, but it
$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
$ dig +short docs.google.com
;; connection timed out; no servers could be reached
$ netstat -ulnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp6       0      0 :::53                   :::*
Albert ARIBAUD
2016-07-02 19:27:11 UTC
Hi Tong,

On Sat, 2 Jul 2016 17:07:50 +0000 (UTC)
Post by T o n g
Oh, sorry for responding late.
The machine from which I run dig, and which gets its DNS servers, is the
one on which I tweaked the /etc/dnsmasq.d/public.conf file, which is what
breaks my DNS. And on removing the file, my DNS service (served by the
local dnsmasq) works again.
And, yes, basically I'm creating an open DNS server, and since nobody
is doing that, I can't find any information on how to set it up
properly.
Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.

Still, the configuration -- as far as dnsmasq is concerned -- is the
same for an open DNS and a LAN DNS.

Could you please describe your setup from a network perspective?
Post by T o n g
Please help. Thanks
Post by Albert ARIBAUD
Hi Tong,
On Thu, 30 Jun 2016 12:03:07 +0000 (UTC)
Post by T o n g
Does no reply means impossible, or just nobody has look into it yet?
It is perfectly possible to run dnsmasq as a "public" DNS, if by
this you mean "make it serve requests from other hosts than the one
it is running on", or even, "make it serve requests from any host"
-- although the latter is risky, as you'd basically create an open
DNS server.
Now, for the reason why your tests fail, there is not enough info in
your post to allow diagnosing what is wrong. Notably, you do not
indicate how the machine from which you run dig gets its DNS
servers: the issue could just as well be there.
Post by T o n g
Post by T o n g
If I'm to provide DNS service to the public (outside my local
network) using dnsmasq, how to do it, e.g., how to set the
listen-address? It didn't work out of the box after I installed
it in my Ubuntu (16.04 LTS xenial) so I changed to the
$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
$ dig +short docs.google.com
;; connection timed out; no servers could be reached
$ netstat -ulnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp6       0      0 :::53                   :::*
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Kind regards,
--
Albert.
T o n g
2016-07-03 22:40:05 UTC
Post by Albert ARIBAUD
Post by T o n g
The machine from which I run dig, and which gets its DNS servers, is the
one on which I tweaked the /etc/dnsmasq.d/public.conf file, which is what
breaks my DNS. And on removing the file, my DNS service (served by the
local dnsmasq) works again.
And, yes, basically I'm creating an open DNS server, and since nobody
is doing that, I can't find any information on how to set it up
properly.
Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.
I'm more interested in knowing how to do that than in actually providing
the DNS service. BTW, on that thought, how are the ISP's or Google's DNS
servers able to avoid being an amplifier for DDoS attacks?
Post by Albert ARIBAUD
Still, the configuration -- as far as dnsmasq is concerned -- is the
same for an open DNS and a LAN DNS.
Could you please describe your setup from a network perspective?
I don't quite understand what you are asking. Consider it to be my own
box behind my ISP. How does this network setup have anything to do with
the question?

Ideally, I just want to use a file, say /etc/dnsmasq.d/public.conf, to
turn it on. Then, I can easily turn it off by removing the file. It's not
as if I'm broadcasting to the world that I have this. It's for my own
personal usage. Had I been able to do it myself, there wouldn't have been
a public discussion/announcement of it. I.e., nobody would have known.
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Hi Tong,
On Thu, 30 Jun 2016 12:03:07 +0000 (UTC)
Post by T o n g
Does no reply means impossible, or just nobody has look into it yet?
It is perfectly possible to run dnsmasq as a "public" DNS, if by this
you mean "make it serve requests from other hosts than the one it is
running on", or even, "make it serve requests from any host" --
although the latter is risky, as you'd basically create an open DNS
server.
Now, for the reason why your tests fail, there is not enough info in
your post to allow diagnosing what is wrong. Notably, you do not
the issue could just as well be there.
Post by T o n g
Post by T o n g
If I'm to provide DNS service to the public (outside my local
network) using dnsmasq, how to do it, e.g., how to set the
listen-address? It didn't work out of the box after I installed it
in my Ubuntu (16.04 LTS xenial) so I changed to the following, but
$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
$ dig +short docs.google.com
;; connection timed out; no servers could be reached
$ netstat -ulnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:53              0.0.0.0:*                           -
udp6       0      0 :::53                   :::*
Kind regards,
Albert ARIBAUD
2016-07-04 08:56:05 UTC
Hi Tong,

On Sun, 3 Jul 2016 22:40:05 +0000 (UTC)
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
The machine from which I run dig, and which gets its DNS servers, is the
one on which I tweaked the /etc/dnsmasq.d/public.conf file, which is
what breaks my DNS. And on removing the file, my DNS service (served
by the local dnsmasq) works again.
And, yes, basically I'm creating an open DNS server, and since
nobody is doing that, I can't find any information on how to set
it up properly.
Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.
I'm more interested in knowing how to do that than in actually providing
the DNS service. BTW, on that thought, how are the ISP's or Google's DNS
servers able to avoid being an amplifier for DDoS attacks?
They have DDoS mitigation machines between their DNS servers and the
rest of the world, which watch traffic and curb / cut it when they
detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
destination(s).
Post by T o n g
Post by Albert ARIBAUD
Still, the configuration -- as far as dnsmasq is concerned -- is the
same for an open DNS and a LAN DNS.
Could you please describe your setup from a network perspective?
I don't quite understand what you are asking. Consider it to be my own
box behind my ISP. How does this network setup have anything to do with
the question?
Basically, my question boils down to two questions: is dnsmasq using
external DNS servers as upstreams, or does it use a local recursive
server such as bind or unbound? Also, do you test your dnsmasq with
another host on the LAN, or from the same machine that hosts dnsmasq?
Post by T o n g
Ideally, I just want to use a file, say /etc/dnsmasq.d/public.conf,
to turn it on. Then, I can easily turn it off by removing the file.
It's not as if I'm broadcasting to the world that I have this. It's
for my own personal usage.
Lots of people use dnsmasq for serving their LAN, myself included, so
that works pretty much out-of-the-box if you just make dnsmasq listen
to the LAN interface of the host running it.

Providing worldwide access is then not a dnsmasq question, but a
LAN-to-Internet routing question.

As I'm still not sure how much open you want your dnsmasq to be, I'm
asking explicitly: do you want your dnsmasq to serve DNS queries from
your LAN only, or from anywhere in the world?
Post by T o n g
Had I been able to do it myself, there
wouldn't have been a public discussion/announcement of it. I.e., nobody
would have known.
As an aside: never rely on "people not knowing". Security by obscurity
is arguably worse than no security at all, as you /believe/ you have
some security which you actually don't have. Take my word for it: if
you "secretly" leave your dnsmasq open to the world, it /will/ be used,
and by people who are interested in taking advantage of the resource.

Kind regards,
--
Albert.
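The traffic watching Albert describes for large resolvers can also be done on the resolver host itself. The following is an added example (not code from the thread or from dnsmasq): it parses lines in the format dnsmasq writes to syslog when started with `log-queries` and flags clients outside the networks the resolver is meant to serve, ANY queries (the record type favoured for amplification), and per-client bursts. The log lines are constructed; the 192.168.1.0/24 LAN and the 10-queries-per-second threshold are assumptions.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of a line dnsmasq writes to syslog when started with log-queries:
#   Mon DD HH:MM:SS host dnsmasq[pid]: query[TYPE] name from CLIENT
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample log (not captured traffic): a normal LAN client, one stray
# outside client, and an outside client firing ANY queries within one second.
SAMPLE_LOG = [
    "Jul  4 13:05:35 box dnsmasq[1234]: query[A] docs.google.com from 192.168.1.50",
    "Jul  4 13:05:36 box dnsmasq[1234]: query[AAAA] docs.google.com from 192.168.1.50",
    "Jul  4 13:05:38 box dnsmasq[1234]: query[A] example.com from 203.0.113.9",
] + ["Jul  4 13:05:40 box dnsmasq[1234]: query[ANY] isc.org from 198.51.100.7"] * 12

FOREIGN = "client outside served networks"
ANY_QUERY = "ANY queries (the record type used for amplification)"
BURST = "query burst above rate limit"


def parse_queries(lines):
    """Return (timestamp, qtype, name, client) tuples; non-query lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # dnsmasq also logs 'forwarded', 'reply' and 'cached' lines
        # syslog timestamps carry no year; the default year is fine for deltas
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["qtype"], m["name"], ipaddress.ip_address(m["client"])))
    return events


def peak_rate(timestamps, window):
    """Largest number of events falling inside any interval of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:  # slide the left edge of the window forward
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_clients(events, served_nets, window=timedelta(seconds=1), max_per_window=10):
    """Map each client to the sorted reasons it looks abusive (empty list = clean)."""
    nets = [ipaddress.ip_network(n) for n in served_nets]
    per_client = defaultdict(list)
    for ts, qtype, _name, client in events:
        per_client[client].append((ts, qtype))

    report = {}
    for client, queries in per_client.items():
        reasons = set()
        if not any(client in n for n in nets):
            reasons.add(FOREIGN)
        if any(qtype == "ANY" for _, qtype in queries):
            reasons.add(ANY_QUERY)
        if peak_rate([t for t, _ in queries], window) > max_per_window:
            reasons.add(BURST)
        report[str(client)] = sorted(reasons)
    return report


def analyse_sample():
    """Run the detector over the constructed log; the served LAN is assumed to be 192.168.1.0/24."""
    return flag_clients(parse_queries(SAMPLE_LOG), ["192.168.1.0/24", "127.0.0.0/8"])


if __name__ == "__main__":
    for client, reasons in analyse_sample().items():
        print(client, "->", "; ".join(reasons) or "clean")
```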
T o n g
2016-07-04 13:05:35 UTC
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
The machine from which I run dig, and which gets its DNS servers, is the
one on which I tweaked the /etc/dnsmasq.d/public.conf file, which is
what breaks my DNS. And on removing the file, my DNS service (served by
the local dnsmasq) works again.
And, yes, basically I'm creating an open DNS server, and since
nobody is doing that, I can't find any information on how to set it
up properly.
Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.
I'm more interested in knowing how to do that than in actually providing
the DNS service. BTW, on that thought, how are the ISP's or Google's DNS
servers able to avoid being an amplifier for DDoS attacks?
They have DDoS mitigation machines between their DNS servers and the
rest of the world, which watch traffic and curb / cut it when they
detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
destination(s).
Thanks,
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Still, the configuration -- as far as dnsmasq is concerned -- is the
same for an open DNS and a LAN DNS.
Could you please describe your setup from a network perspective?
I don't quite understand what you are asking. Consider it to be my own box
behind my ISP. How does this network setup have anything to do with the
question?
Basically, my question boils down to two questions: is dnsmasq using
external DNS servers as upstreams, or does it use a local recursive
server such as bind or unbound? Also, do you test your dnsmasq with
another host on the LAN, or from the same machine that hosts dnsmasq?
Post by T o n g
Ideally, I just want to use a file, say /etc/dnsmasq.d/public.conf, to
turn it on. Then, I can easily turn it off by removing the file. It's
not as if I'm broadcasting to the world that I have this. It's for my
own personal usage.
Lots of people use dnsmasq for serving their LAN, myself included, so
that works pretty much out-of-the-box if you just make dnsmasq listen to
the LAN interface of the host running it.
Providing worldwide access is then not a dnsmasq question, but a
LAN-to-Internet routing question.
OK. That explains why, when I changed mine from 192.168.1.1 in the
following to 0.0.0.0, it stopped working:

$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0

So, it confirms that dnsmasq only works for LAN, but not for the public.
Post by Albert ARIBAUD
As I'm still not sure how much open you want your dnsmasq to be, I'm
asking explicitly: do you want your dnsmasq to serve DNS queries from
your LAN only, or from anywhere in the world?
Yep, beyond the LAN, for anywhere in the world, as I said in my OP,
"I'm to provide DNS service to the public (outside my local network)".
Post by Albert ARIBAUD
Post by T o n g
Had I been able to do it myself, there wouldn't have been a public
discussion/announcement of it. I.e., nobody would have known.
As an aside: never rely on "people not knowing". Security by obscurity
is arguably worse than no security at all, as you /believe/ you have
some security which you actually don't have. Take my word for it: if you
"secretly" leave your dnsmasq open to the world, it /will/ be used,
and by people who are interested in taking advantage of the resource.
OK. Noted. I'll turn it off as soon as I'm done then.
Albert ARIBAUD
2016-07-04 14:15:51 UTC
Hi Tong,

On Mon, 4 Jul 2016 13:05:35 +0000 (UTC)
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
The machine from which I run dig, and which gets its DNS servers, is the
one on which I tweaked the /etc/dnsmasq.d/public.conf file, which is
what breaks my DNS. And on removing the file, my DNS service
(served by the local dnsmasq) works again.
And, yes, basically I'm creating an open DNS server, and since
nobody is doing that, I can't find any information on how to
set it up properly.
Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.
I'm more interested in knowing how to do that than in actually providing
the DNS service. BTW, on that thought, how are the ISP's or Google's
DNS servers able to avoid being an amplifier for DDoS attacks?
They have DDoS mitigation machines between their DNS servers and the
rest of the world, which watch traffic and curb / cut it when they
detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
destination(s).
Thanks,
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Still, the configuration -- as far as dnsmasq is concerned -- is
the same for an open DNS and a LAN DNS.
Could you please describe your setup from a network
perspective?
I don't quite understand what you are asking. Consider it to be my
own box behind my ISP. How does this network setup have anything to do
with the question?
Basically, my question boils down to two questions: is dnsmasq using
external DNS servers as upstreams, or does it use a local recursive
server such as bind or unbound? Also, do you test your dnsmasq with
another host on the LAN, or from the same machine that hosts
dnsmasq?
Post by T o n g
Ideally, I just want to use a file,
say /etc/dnsmasq.d/public.conf, to turn it on. Then, I can easily
turn it off by removing the file. It's not as if I'm broadcasting
to the world that I have this. It's for my own personal usage.
Lots of people use dnsmasq for serving their LAN, myself included,
so that works pretty much out-of-the-box if you just make dnsmasq
listen to the LAN interface of the host running it.
Providing worldwide access is then not a dnsmasq question, but a
LAN-to-Internet routing question.
OK. That explains why when I changed mine from 192.168.1.1 of the
Actually no, that does not explain it.
Post by T o n g
$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
So, it confirms that dnsmasq only works for LAN, but not for the public.
Actually, it can perfectly work for open access, as long as 1) the host
it is running on can access the Internet, and 2) outside hosts can send
DNS requests to your dnsmasq host. So,

1) Does your dnsmasq host have access to the Internet?

2) Have you configured your Internet access so that DNS requests
incoming from the outside are routed to your dnsmasq host?

Kind regards,
--
Albert.
T o n g
2016-07-05 00:42:25 UTC
Post by Albert ARIBAUD
Hi Tong,
On Mon, 4 Jul 2016 13:05:35 +0000 (UTC)
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
The machine from which I run dig, and which gets its DNS servers, is the
one on which I tweaked the /etc/dnsmasq.d/public.conf file, which is
what breaks my DNS. And on removing the file, my DNS service
(served by the local dnsmasq) works again.
And, yes, basically I'm creating an open DNS server, and since
nobody is doing that, I can't find any information on how to set
it up properly.
Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.
I'm more interested in knowing how to do that than in actually providing
the DNS service. BTW, on that thought, how are the ISP's or Google's DNS
servers able to avoid being an amplifier for DDoS attacks?
They have DDoS mitigation machines between their DNS servers and the
rest of the world, which watch traffic and curb / cut it when they
detect abnormal traffic, e.g. sudden heavy traffic to one (set of)
destination(s).
Thanks,
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Still, the configuration -- as far as dnsmasq is concerned -- is
the same for an open DNS and a LAN DNS.
Could you please describe your setup from a network perspective?
I don't quite understand what you are asking. Consider it to be my own
box behind my ISP. How does this network setup have anything to do with
the question?
Basically, my question boils down to two questions: is dnsmasq using
external DNS servers as upstreams, or does it use a local recursive
server such as bind or unbound? Also, do you test your dnsmasq with
another host on the LAN, or from the same machine that hosts dnsmasq?
Post by T o n g
Ideally, I just want to use a file,
say /etc/dnsmasq.d/public.conf, to turn it on. Then, I can easily
turn it off by removing the file. It's not as if I'm broadcasting to
the world that I have this. It's for my own personal usage.
Lots of people use dnsmasq for serving their LAN, myself included, so
that works pretty much out-of-the-box if you just make dnsmasq listen
to the LAN interface of the host running it.
Providing worldwide access is then not a dnsmasq question, but a
LAN-to-Internet routing question.
OK. That explains why when I changed mine from 192.168.1.1 of the
Actually no, that does not explain it.
Post by T o n g
$ cat /etc/dnsmasq.d/public.conf
# listen to public
listen-address=0.0.0.0
# provide only DNS service and disable DHCP and TFTP on it
no-dhcp-interface=eth0
So, it confirms that dnsmasq only works for LAN, but not for the public.
Actually, it can perfectly work for open access, as long as 1) the host
it is running on can access the Internet, and 2) outside hosts can send
DNS requests to your dnsmasq host. So,
Oh, good. I thought it was the end.
Post by Albert ARIBAUD
1) Does your dnsmasq host have access to the Internet?
2) Have you configured your Internet access so that DNS requests
incoming from the outside are routed to your dnsmasq host?
Yeah, those "outside" factors I know how to control, and they are
working fine. For example, I have used `listen-address=192.168.1.1` before
to provide DNS service for my own home network, and it works fine.

This box I'm configuring has its own public IP, not one on 192.168.x.x.
The SSH, DNS, etc. ports are open to the world as well.

Oh, should I listen to its Gateway IP instead of 0.0.0.0?

So far I can't get it working on itself. I.e., all of this is the box
using its own server within itself:

$ dig +short docs.google.com
;; connection timed out; no servers could be reached

The outside world is not involved yet -- I haven't been able to make
itself work first.
Albert ARIBAUD
2016-07-05 16:55:59 UTC
Hi Tong,

On Tue, 5 Jul 2016 00:42:25 +0000 (UTC)
Post by T o n g
Post by Albert ARIBAUD
1) Does your dnsmasq host have access to the Internet?
2) Have you configured your Internet access so that DNS requests
incoming from the outside are routed to your dnsmasq host?
Yeah, those "outside" factors I know how to control, and they are
working fine. For example, I have used `listen-address=192.168.1.1`
before to provide DNS service for my own home network, and it works
fine.
Yes, listening to a LAN address allows serving clients on the LAN. But
this does absolutely not mean that conditions 1 and 2 above are met
and that clients from the Net can be served.
Post by T o n g
This box I'm configuring has its own public IP, not one on
192.168.x.x. The SSH, DNS, etc. ports are open to the world as well.
This piece of information raises a lot of questions. Could you please
answer by 'yes' or 'no' to the following?

1. Does the "box" you are referring to run the dnsmasq you are trying
to configure?

2. Is this box also the gateway from your LAN to the Internet?

3. Does it have two network interfaces, one facing the Internet and one
facing the LAN?
Post by T o n g
Oh, should I listen to its Gateway IP instead of 0.0.0.0?
You should not specify listen-address *at all* unless you want
your dnsmasq to serve *only* your LAN or to serve *only* the Net.

You should not even specify any interface= option.
Post by T o n g
The outside world is not involved yet -- I haven't been able to make
itself work first.
Before making dnsmasq work with clients from outside your LAN, you need
to verify that your "box" meets conditions 1 and 2 above.

Let's start with condition 1. You can check it by running a traceroute
from your "box" to some known internet host (e.g. google.com). What
does such a traceroute print out?

Kind regards,
--
Albert.
T o n g
2016-07-07 02:41:15 UTC
Post by Albert ARIBAUD
Hi Tong,
On Tue, 5 Jul 2016 00:42:25 +0000 (UTC)
Post by T o n g
Post by Albert ARIBAUD
1) Does your dnsmasq host have access to the Internet?
2) Have you configured your Internet access so that DNS requests
incoming from the outside are routed to your dnsmasq host?
Yeah, those "outside" factors I know how to control, and they are
working fine. For example, I have used `listen-address=192.168.1.1`
before to provide DNS service for my own home network, and it works
fine.
Yes, listening to a LAN address allows serving clients on the LAN. But
this does absolutely not mean that conditions 1 and 2 above are met and
that clients from the Net can be served.
Post by T o n g
This box I'm configuring has its own public IP, not one on 192.168.x.x.
The SSH, DNS, etc. ports are open to the world as well.
This piece of information raises a lot of questions. Could you please
answer by 'yes' or 'no' to the following?
1. Does the "box" you are referring to run the dnsmasq you are trying to
configure?
Yes, the "box" is what I referred to as the machine on which I run dnsmasq
and which I'm trying to configure. This is the only thing I'm talking about
so far. Nothing else.
Post by Albert ARIBAUD
2. Is this box also the gateway from your LAN to the Internet?
No.
Post by Albert ARIBAUD
3. Does it have two network interfaces, one facing the Internet and one
facing the LAN?
No.

Once again, the box I'm configuring is a dedicated server from the
hosting company, and I have full (remote) control of it and have
installed the latest Ubuntu on it. It has its own real public IP. The
SSH, DNS, etc. ports are open to the world as well.
Post by Albert ARIBAUD
Post by T o n g
Oh, should I listen to its Gateway IP instead of 0.0.0.0?
You should not specify listen-address *at all* unless you want your
dnsmasq to serve *only* your LAN or to serve *only* the Net.
You should not even specify any interface= option.
OK. So how does dnsmasq decide whether to serve the local host, the local
network (LAN) or the general public (WAN)? If it is not listen-address,
then what is it?
Post by Albert ARIBAUD
Post by T o n g
The outside world is not involved yet -- I haven't been able to make
itself work first.
Before making dnsmasq work with clients from outside your LAN, you need
to verify that your "box" meets conditions 1 and 2 above.
Let's start with condition 1. You can check it by running a traceroute
from your "box" to some known internet host (e.g. google.com). What does
such a traceroute print out?
What do you need the traceroute print out for?

Can dnsmasq be used as a DNS server not only for the local host or local
network, but also for the general public, or not? If yes, what would
the configuration be?

Does dnsmasq come with that feature (serving the local network or the
general public) out of the box? Otherwise, what kind of alteration needs
to be made to the configuration file?
Albert ARIBAUD
2016-07-07 10:33:53 UTC
Hi Tong,

On Thu, 7 Jul 2016 02:41:15 +0000 (UTC)
Post by T o n g
Yes, the "box" is what I referred to as the machine on which I run
dnsmasq and which I'm trying to configure. This is the only thing I'm
talking about so far. Nothing else.
Once again, the box I'm configuring is a dedicated server from the
hosting company, and I have full (remote) control of it and have
installed the latest Ubuntu on it. It has its own real public IP.
The SSH, DNS, etc. ports are open to the world as well.
OK, sorry for the misunderstanding. So I will assume this box has only
one network interface, which is facing the Internet, and is reachable
through a public IP (which we do not need).
Post by T o n g
Post by Albert ARIBAUD
You should not even specify any interface= option.
OK. So how dnsmasq decides whether to serve local host, or local
network (LAN) or the general public (WAN)? If is it not
listen-address, then what it is?
You don't tell dnsmasq about "LAN" vs "WAN"; dnsmasq does not accept or
ignore/reject DNS requests based on their coming "from LAN" or "from
WAN"; it accepts or ignores/rejects them based on the interface on
which it has received them and the IP address they were sent to. Since
your box has a single interface which has a single IPv4 address, all
requests will be received on the same interface and have the same IPv4
destination.
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
The outside world is not involved yet -- I haven't been able to
make itself work first.
Before making dnsmasq work with clients from outside your LAN, you
need to verify that your "box" meets conditions 1 and 2 above.
Let's start with condition 1. You can check it by running a
traceroute from your "box" to some known internet host (e.g.
google.com). What does such a traceroute print out?
What do you need the traceroute print out for?
To make sure the machine running dnsmasq can access the Internet on
its own. Obviously you can access it, but some networking rules may
prevent it from reaching out freely.
Post by T o n g
Can the dnsmasq be used as DNS server not only to local host, or
local network, but also the general public as well or not? If yes,
what would the configuration be?
Does dnsmasq comes with that feature (serving the local network or
the general public) out of box? Else what kind of alternation need to
be made to the configuration file?
Yes, dnsmasq can serve the whole world if you want it to, and as I
already told you, it should work out of the box.

Therefore, if it does not work in your case, it is because either
its configuration is improper, or the networking setup of the box it
runs on is improper (or both).

Which is why I am asking you questions and suggesting tests in order to
diagnose the situation and fix it.

But for that, I need precise, exact and complete answers to the
question I am asking.

So let's start with a few basics, by checking that you can actually
communicate from your own machine to the dedicated server over the
standard DNS ports.
For this I suggest that we use the 'netcat' command both on your
dedicated server and on the machine from which you access this server.

To determine which variant of netcat is present on these machines, if
any, could you run the following command, once on the dedicated server,
and once on the machine you are using to access the server:

netcat -h

... and copy-paste both outputs in your reply?

Once we have netcat available on both ends, we will be able to mimic
DNS exchanges between the machines but without dnsmasq being involved;
either this mimicking will work, meaning that the networking is set up
properly, or it won't, meaning the networking has to be fixed before
even considering running dnsmasq.

Once we're sure the networking is OK, then we can introduce dnsmasq in
the picture.

Amicalement,
--
Albert.
T o n g
2016-07-07 13:06:42 UTC
Permalink
Post by Albert ARIBAUD
To determine which variant of netcat is present on these machines, if
any, could you run the following command, once on the dedicated server,
netcat -h
... and copy-paste both outputs in your reply?
Both machines are running the latest Ubuntu. I.e., the outputs are the
same for both of them.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

$ apt-cache policy netcat-openbsd
netcat-openbsd:
Installed: 1.105-7ubuntu1
Candidate: 1.105-7ubuntu1
Version table:
*** 1.105-7ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status

$ netcat -h
OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
...
Post by Albert ARIBAUD
Once we have netcat available on both ends, we will be able to mimic DNS
exchanges between the machines but without dnsmasq being involved;
The connection is not the problem. I've stopped dnsmasq temporarily and
started SSH listening on port 53 and I was able to connect from home.
Albert ARIBAUD
2016-07-08 16:49:53 UTC
Permalink
Hi Tong,

Le Thu, 7 Jul 2016 13:06:42 +0000 (UTC)
Post by T o n g
Post by Albert ARIBAUD
To determine which variant of netcat is present on these machines,
if any, could you run the following command, once on the dedicated
netcat -h
... and copy-paste both outputs in your reply?
Both machines are running the latest Ubuntu. I.e., the outputs are the
same for both of them.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
$ apt-cache policy netcat-openbsd
Installed: 1.105-7ubuntu1
Candidate: 1.105-7ubuntu1
*** 1.105-7ubuntu1 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
$ netcat -h
OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
...
Post by Albert ARIBAUD
Once we have netcat available on both ends, we will be able to
mimic DNS exchanges between the machines but without dnsmasq being
involved;
The connection is not the problem. I've stopped dnsmasq temporarily and
started SSH listening on port 53 and I was able to connect from home.
The SSH test only proves you can access the box on TCP port 22
(assuming you're using the defaults) from your home; this does not prove
anything regarding TCP port 53 or UDP port 53, which are what DNS uses.

So:

1. Open a terminal and start an SSH session to your box. In this
session, disable dnsmasq then run

netcat -u -l -p 53

2. On your home machine open one terminal and run

netcat -u xyz 53

where xyz should be replaced with the public IP of your box.

3. Type some text then hit the Enter key on your home machine.
Does your box display the text?

4. Type some other text then hit the Enter key in the shell to your box.
Does the netcat running locally display the text?

Amicalement,
--
Albert.
T o n g
2016-07-09 02:08:36 UTC
Permalink
Post by T o n g
Post by Albert ARIBAUD
Once we have netcat available on both ends, we will be able to mimic
DNS exchanges between the machines but without dnsmasq being involved;
The connection is not the problem. I've stopped dnsmasq temporarily and
started SSH listening on port 53 and I was able to connect from home.
The SSH test only proves you can access the box on TCP port 22 (assuming
you're using the defaults) from your home; this does not prove anything
regarding TCP port 53 or UDP port 53, which are what DNS uses.
1. Open a terminal and start an SSH session to your box. In this
session, disable dnsmasq then run
netcat -u -l -p 53
2. On your home machine open one terminal and run
netcat -u xyz 53
where xyz should be replaced with the public IP of your box.
3. Type some text then hit the Enter key on your home machine.
Does your box display the text?
4. Type some other text then hit the Enter key in the shell to your box.
Does the netcat running locally display the text?
Sorry for responding late, because I didn't get anything from the server,
my box. However, I did start a second SSH session before, to listen to
port 53 instead of 22, and it worked before. Then I looked up... Long
story short,

If I start `netcat -t` then it works; if I start `netcat -u` then it
doesn't work. I.e., the hosting company is blocking the UDP accesses.

But my dnsmasq does listen on the TCP port as well though:

$ netstat -lnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
udp 0 0 0.0.0.0:53 0.0.0.0:* -
udp6 0 0 :::53 :::* -

Will TCP only, without UDP, not be OK?

I tried

dig +tcp +short cnn.com @mybox

and I get:

;; communications error to mybox_ip#53: connection reset

from my home or,

;; communications error to mybox_ip#53: end of file

if trying from within my box.

Why is that?
Albert ARIBAUD
2016-07-09 10:30:26 UTC
Permalink
Hi Tong,

Le Sat, 9 Jul 2016 02:08:36 +0000 (UTC)
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Once we have netcat available on both ends, we will be able to
mimic DNS exchanges between the machines but without dnsmasq
being involved;
The connection is not the problem. I've stopped dnsmasq temporarily
and started SSH listening on port 53 and I was able to connect from
home.
The SSH test only proves you can access the box on TCP port 22
(assuming you're using the defaults) from your home; this does not
prove anything regarding TCP port 53 or UDP port 53, which are what
DNS uses.
1. Open a terminal and start an SSH session to your box. In this
session, disable dnsmasq then run
netcat -u -l -p 53
2. On your home machine open one terminal and run
netcat -u xyz 53
where xyz should be replaced with the public IP of your box.
3. Type some text then hit the Enter key on your home machine.
Does your box display the text?
4. Type some other text then hit the Enter key in the shell to your
box. Does the netcat running locally display the text?
Sorry for responding late, because I didn't get anything from the
server, my box. However, I did start a second SSH session before,
to listen to port 53 instead of 22, and it worked before. Then I
looked up... Long story short,
If I start `netcat -t` then it works; if I start `netcat -u` then it
doesn't work.
... and this shows why it is important to run the tests exactly as
requested, rather than assume result from other tests...
Post by T o n g
I.e., the hosting company is blocking the UDP accesses.
... but again, do not jump to conclusions, at least not without further
testing: yes, it could be your hosting company dropping any UDP traffic
incoming on your box, *but* it could also be your own box settings, or
your ISP dropping UDP port 53 going out of your access except for a
given set of source addresses, or your home machine dropping it
silently...

The proven point is: right now, your box does not seem to receive UDP
port 53 traffic from your home machine. What you can look into now is
whether your box and home machine have any network filtering in place
(iptables-save should show that). This, at least, will take the machines
out of the suspect list and that will narrow it down to your ISP and
your hosting provider.
Post by T o n g
$ netstat -lnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
udp 0 0 0.0.0.0:53 0.0.0.0:* -
udp6 0 0 :::53 :::* -
Will TCP only, without UDP, not be OK?
(someone correct me if I'm inexact here) DNS uses UDP port 53 as long
as the request and response can fit in a single UDP datagram (packet),
and will switch to TCP if a single UDP datagram is not big enough. I do
not know, and do not think, that you can run a DNS server over a TCP
port alone.
Post by T o n g
I tried,
;; communications error to mybox_ip#53: connection reset
from my home or,
;; communications error to mybox_ip#53: end of file
if trying from within my box.
Why is that?
Let's first tackle the second one (box to box), as it does not involve
your ISP and hosting provider networks, and therefore points at a
purely local (configuration?) problem on your box.

1. Preamble: make sure dnsmasq is running.

2. Run a default (UDP) dig request. What does it output? Please do not
describe it, copy-paste it.

3. What does iptables-save display? Again, please do not describe it,
copy-paste it.

Amicalement,
--
Albert.
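The UDP-first, TCP-on-truncation behaviour Albert describes above, and the port-53 reachability test from his earlier post, as an added example that is not part of this thread and not dnsmasq's code: a small Python client that builds a DNS query by hand, checks the TC bit on a UDP reply, and applies the 2-byte length framing DNS uses over TCP. The cnn.com answer used for the offline check is constructed to match the dig output Tong pasted; `query()` is the only function that touches the network, and the server address handed to it is an assumption of whoever runs it.

```python
"""DNS wire format: build a UDP query, detect truncation, frame for TCP.
Added example, not code from this thread. Layout follows RFC 1035; the cnn.com
reply below is constructed inline to match the thread's dig output."""
import socket, struct

QTYPE_A, QCLASS_IN = 1, 1
TC_FLAG = 0x0200  # TrunCation bit: the reply did not fit in one UDP datagram

def encode_name(name):
    """Dotted hostname -> DNS labels, e.g. b'\\x03cnn\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txn_id=0x1234, qtype=QTYPE_A):
    """Standard query with only the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_from_tcp(stream):
    """Split a TCP byte stream into complete messages; returns (msgs, leftover)."""
    msgs = []
    while len(stream) >= 2:
        (n,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + n:
            break
        msgs.append(stream[2:2 + n])
        stream = stream[2 + n:]
    return msgs, stream

def decode_name(msg, off):
    """Decode a possibly compressed name at off; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if not jumped else end
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Parse header, question and A answers; returns id, truncated, rcode, answers."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": txn_id, "truncated": bool(flags & TC_FLAG),
            "rcode": flags & 0xF, "answers": answers}

def needs_tcp_retry(udp_reply):
    """Resolver rule from the thread: TC set on a UDP reply -> repeat it over TCP."""
    return parse_response(udp_reply)["truncated"]

def build_sample_response(txn_id=0x1234, truncated=False):
    """Constructed reply with the two cnn.com A records shown in the thread."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)  # QR, RD, RA (+TC)
    msg = struct.pack("!HHHHHH", txn_id, flags, 1, 2, 0, 0)
    msg += encode_name("cnn.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for ip in ("157.166.226.26", "157.166.226.25"):  # b"\xc0\x0c" -> question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 65, 4) + socket.inet_aton(ip)
    return msg

def query(server, name, port=53, timeout=3.0):
    """Live lookup (needs network): UDP first, TCP only when the reply is truncated."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    if not needs_tcp_retry(data):
        return parse_response(data)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(frame_for_tcp(q))
        buf, msgs = b"", []
        while not msgs:
            chunk = s.recv(4096)
            if not chunk:
                raise RuntimeError("TCP stream closed before a complete DNS message")
            buf += chunk
            msgs, _ = unframe_from_tcp(buf)
    return parse_response(msgs[0])
```

Pointing `query()` at the box draws the same distinction as the netcat test, but with real DNS messages: a UDP leg that times out while `frame_for_tcp(q)` sent over a TCP socket gets an answer is the signature of a path that passes TCP/53 and drops UDP/53. The TC branch is what Albert's "switch to TCP" means in practice; a resolver that never sees TC on a small answer never opens the TCP connection.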
T o n g
2016-07-09 16:17:45 UTC
Permalink
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Post by T o n g
Post by Albert ARIBAUD
Once we have netcat available on both ends, we will be able to
mimic DNS exchanges between the machines but without dnsmasq being
involved;
The connection is not the problem. I've stopped dnsmasq temporarily and
started SSH listening on port 53 and I was able to connect from home.
The SSH test only proves you can access the box on TCP port 22
(assuming you're using the defaults) from your home; this does not
prove anything regarding TCP port 53 or UDP port 53, which are what
DNS uses.
1. Open a terminal and start an SSH session to your box. In this
session, disable dnsmasq then run
netcat -u -l -p 53
2. On your home machine open one terminal and run
netcat -u xyz 53
where xyz should be replaced with the public IP of your box.
3. Type some text then hit the Enter key on your home machine.
Does your box display the text?
4. Type some other text then hit the Enter key in the shell to your
box. Does the netcat running locally display the text?
Sorry for responding late, because I didn't get anything from the
server, my box. However, I did start a second SSH session before, to
listen to port 53 instead of 22, and it worked before. Then I looked
up... Long story short,
If I start `netcat -t` then it works; if I start `netcat -u` then it
doesn't work.
... and this shows why it is important to run the tests exactly as
requested, rather than assume result from other tests...
Yeah, agree.
Post by Albert ARIBAUD
Post by T o n g
I.e., the hosting company is blocking the UDP accesses.
... but again, do not jump to conclusions, at least not without further
testing: ...
I'm quite positive it's my hosting company, but agree, will use more
testing to prove that.
Post by Albert ARIBAUD
Post by T o n g
$ netstat -lnp | grep :53
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
udp 0 0 0.0.0.0:53 0.0.0.0:* -
udp6 0 0 :::53 :::* -
Will TCP only, without UDP, not be OK?
(someone correct me if I'm inexact here) DNS uses UDP port 53 as long as
the request and response can fit in a single UDP datagram (packet), and
will switch to TCP if a single UDP datagram is not big enough. I do not
know, and do not think, that you can run a DNS server over a TCP port
alone.
That's actually even better. I mean, I don't care whether it is UDP or TCP,
as long as it can resolve names, I'm happy. If the general public can't
use it except me, then it is even better.

So, let's forget about UDP, and focus on TCP instead. As long as I can
achieve the following, I'm happy:

$ dig +tcp +short cnn.com @8.8.8.8
157.166.226.26
157.166.226.25
Post by Albert ARIBAUD
Post by T o n g
I tried,
;; communications error to mybox_ip#53: connection reset
from my home or,
;; communications error to mybox_ip#53: end of file
if trying from within my box.
Why is that?
Let's first tackle the second one (box to box), as it does not involve
your ISP and hosting provider networks, and therefore points at a purely
local (configuration?) problem on your box.
1. Preamble: make sure dnsmasq is running.
2. Run a default (UDP) dig request. What does it output?
$ dig +short cnn.com @localhost
157.166.226.26
157.166.226.25

$ dig +tcp +short cnn.com @localhost
157.166.226.26
157.166.226.25

$ dig cnn.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56353
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com. 65 IN A 157.166.226.26
cnn.com. 65 IN A 157.166.226.25

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 09 16:14:34 UTC 2016
;; MSG SIZE rcvd: 68
Post by Albert ARIBAUD
3. What does iptables-save display?
$ sudo iptables-save
# Generated by iptables-save v1.6.0 on Sat Jul 9 16:08:46 2016
*filter
:INPUT ACCEPT [990:208464]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1019:100580]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
# Completed on Sat Jul 9 16:08:46 2016

I believe this is the standard setting from fail2ban because I have
fail2ban_0.9.3-1 installed (and nothing else related).
Albert ARIBAUD
2016-07-10 19:50:03 UTC
Permalink
Hi Tong,

Le Sat, 9 Jul 2016 16:17:45 +0000 (UTC)
Post by T o n g
$ dig cnn.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> cnn.com
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56353
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1280
;cnn.com. IN A
cnn.com. 65 IN A 157.166.226.26
cnn.com. 65 IN A 157.166.226.25
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 09 16:14:34 UTC 2016
;; MSG SIZE rcvd: 68
OK, so dnsmasq is running locally on UDP
Post by T o n g
Post by Albert ARIBAUD
3. What does iptables-save display?
$ sudo iptables-save
# Generated by iptables-save v1.6.0 on Sat Jul 9 16:08:46 2016
*filter
:INPUT ACCEPT [990:208464]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1019:100580]
:f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A f2b-sshd -j RETURN
COMMIT
# Completed on Sat Jul 9 16:08:46 2016
I believe this is the standard setting from fail2ban because I have
fail2ban_0.9.3-1 installed (and nothing else related).
OK, so no blocking at your box level except for what fail2ban may
decide to block. Now we're fairly sure your problem is with either your
ISP or your hosting provider.

Regarding running the DNS on TCP alone: problem is, you might force the
dig command to use TCP, but that's a specific case; all DNS resolutions
happening on your machine in any other process than dig will keep on
trying UDP first when the request size warrants it, because that's the
standard.

Amicalement,
--
Albert.
T o n g
2016-07-14 00:21:20 UTC
Permalink
Post by Albert ARIBAUD
Regarding running the DNS on TCP alone: problem is, you might force the
dig command to use TCP, but that's a specific case; all DNS resolutions
happening on your machine in any other process than dig will keep on
trying UDP first when the request size warrants it, because that's the
standard.
That's not a problem for me. If I have to use TCP, then I'll always use
`dig +tcp`, so UDP will never be in the way.
Post by Albert ARIBAUD
OK, so no blocking at your box level except for what fail2ban may decide
to block. Now we're fairly sure your problem is with either your ISP or
your hosting provider.
After struggling for a few days, I finally decided that I should reply, to
bring some closure on this. Thank you for all these days of your tireless
help. However, my conclusion is still the same as my first post -- dnsmasq
is unable to provide public DNS service -- It can be used as DNS server
for local host, or local network, but just not for the general public.
We've ruled out everything possible, and the only thing left is dnsmasq.

I.e., if there is any problem with my ISP or my hosting provider, I
wouldn't have been able to start a working second SSH session listening
to port 53 (instead of 22).

In other words, all else the same, swap in SSH to listen to port 53, it
works; swap in dnsmasq, and it fails. With all else the same, dnsmasq is
the only problem.

Thanks anyway for all your help.
Mark Steward
2016-07-14 01:32:00 UTC
Permalink
I'm not sure about that conclusion. The overwhelming likelihood is that
your ISP is blocking UDP on port 53. This is very common on domestic ISPs,
precisely to stop people shooting themselves in the foot by running open
resolvers.

I've only skim-read this thread. Did you properly test listening on UDP 53
with nc -u -l53 or equivalent? Could you reach it from another machine on
the internet? If not, that's your problem, not dnsmasq.

If you do convince your ISP to open up access, can I recommend you at least
use port knocking to reduce the likelihood of being used by botnets?
Honeypots demonstrate that an open service on IPv4 will often be picked up
in hours.

Mark
Post by T o n g
Post by Albert ARIBAUD
Regarding running the DNS on TCP alone: problem is, you might force the
dig command to use TCP, but that's a specific case; all DNS resolutions
happening on your machine in any other process than dig will keep on
trying UDP first when the request size warrants it, because that's the
standard.
That's not a problem for me. If I have to use TCP, then I'll always use
`dig +tcp`, so UDP will never be in the way.
Post by Albert ARIBAUD
OK, so no blocking at your box level except for what fail2ban may decide
to block. Now we're fairly sure your problem is with either your ISP or
your hosting provider.
After struggling for a few days, I finally decided that I should reply, to
bring some closure on this. Thank you for all these days of your tireless
help. However, my conclusion is still the same as my first post -- dnsmasq
is unable to provide public DNS service -- It can be used as DNS server
for local host, or local network, but just not for the general public.
We've ruled out everything possible, and the only thing left is dnsmasq.
I.e., if there is any problem with my ISP or my hosting provider, I
wouldn't have been able to start a working second SSH session listening
to port 53 (instead of 22).
In other words, all else the same, swap in SSH to listen to port 53, it
works; swap in dnsmasq, and it fails. With all else the same, dnsmasq is
the only problem.
Thanks anyway for all your help.
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Mark Steward
2016-07-14 01:56:50 UTC
Permalink
Just read the last few emails again. Your ISP may well be doing deeper
inspection and blocking TCP-based DNS too.

I've just tried the following on one of my boxes:

sudo dnsmasq -d -i* -p7821

and on another:

dig -p7821 @myhost.tld google.com

and it worked fine.

If this works for you, please remember to set up port knocking. Or set up
something sensible, like a VPN or tunneling over SSH.

Mark
Post by Mark Steward
I'm not sure about that conclusion. The overwhelming likelihood is that
your ISP is blocking UDP on port 53. This is very common on domestic ISPs,
precisely to stop people shooting themselves in the foot by running open
resolvers.
I've only skim-read this thread. Did you properly test listening on UDP 53
with nc -u -l53 or equivalent? Could you reach it from another machine on
the internet? If not, that's your problem, not dnsmasq.
If you do convince your ISP to open up access, can I recommend you at
least use port knocking to reduce the likelihood of being used by botnets?
Honeypots demonstrate that an open service on IPv4 will often be picked up
in hours.
Mark
Post by T o n g
Post by Albert ARIBAUD
Regarding running the DNS on TCP alone: problem is, you might force the
dig command to use TCP, but that's a specific case; all DNS resolutions
happening on your machine in any other process than dig will keep on
trying UDP first when the request size warrants it, because that's the
standard.
That's not a problem for me. If I have to use TCP, then I'll always use
`dig +tcp`, so UDP will never be in the way.
Post by Albert ARIBAUD
OK, so no blocking at your box level except for what fail2ban may decide
to block. Now we're fairly sure your problem is with either your ISP or
your hosting provider.
After struggling for a few days, I finally decided that I should reply, to
bring some closure on this. Thank you for all these days of your tireless
help. However, my conclusion is still the same as my first post -- dnsmasq
is unable to provide public DNS service -- It can be used as DNS server
for local host, or local network, but just not for the general public.
We've ruled out everything possible, and the only thing left is dnsmasq.
I.e., if there is any problem with my ISP or my hosting provider, I
wouldn't have been able to start a working second SSH session listening
to port 53 (instead of 22).
In other words, all else the same, swap in SSH to listen to port 53, it
works; swap in dnsmasq, and it fails. With all else the same, dnsmasq is
the only problem.
Thanks anyway for all your help.
Albert ARIBAUD
2016-07-14 13:35:58 UTC
Permalink
Hi Tong,

Le Thu, 14 Jul 2016 00:21:20 +0000 (UTC)
Post by T o n g
After struggling for a few days, I finally decided that I should
reply, to bring some closure on this. Thank you for all these days of
your tireless help. However, my conclusion is still the same as my
first post -- dnsmasq is unable to provide public DNS service -- It
can be used as DNS server for local host, or local network, but just
not for the general public. We've ruled out everything possible, and
the only thing left is dnsmasq.
Your conclusion is wrong; the only thing you can conclude from your
trials is that dnsmasq will not operate properly in an environment
which does not conform to Internet standards -- and *that* is hardly a
surprise.
Post by T o n g
I.e., if there is any problem with my ISP or my hosting provider, I
wouldn't have been able to start a working second SSH session
listening to port 53 (instead of 22).
You are again not concluding properly. DNS requires *UDP* port 53 as
well as *TCP* port 53. Your assumption that DNS somehow can do with
*TCP* port 53 alone is unfounded and plain wrong.
Post by T o n g
In other words, all else the same, swap in SSH to listen to port 53,
it works; swap in dnsmasq, and it fails. With all else the same,
dnsmasq is the only problem.
This experiment only proves that *TCP* port 53 works between your home
and box, but that was already proven by previous tests I suggested.
However, dnsmasq requires *UDP* port 53 -- and due to a crippled
access, you cannot use that UDP port, contrary to a considerable
quantity of other persons who daily prove that dnsmasq can be used way
beyond a LAN.
Post by T o n g
Thanks anyway for all your help.
You're welcome. :)

Amicalement,
--
Albert.
/dev/rob0
2016-07-14 14:33:34 UTC
Permalink
Post by Albert ARIBAUD
Le Thu, 14 Jul 2016 00:21:20 +0000 (UTC)
Post by T o n g
After struggling for a few days, I finally decided that I should
reply, to bring some closure on this. Thank you for all these
days of your tireless help. However, my conclusion is still the
same as my first post -- dnsmasq is unable to provide public DNS
service -- It can be used as DNS server for local host, or local
network, but just not for the general public. We've ruled out
everything possible, and the only thing left is dnsmasq.
Your conclusion is wrong; the only thing you can conclude from your
trials is that dnsmasq will not operate properly in an environment
which does not conform to Internet standards -- and *that* is
hardly a surprise.
Agreed. One simple way to test (and to disprove) Tong's conclusion
is to try it with other software, BIND or unbound or pdns-recursor,
for example, and to see how those work.
Post by Albert ARIBAUD
Post by T o n g
I.e., if there is any problem with my ISP or my hosting provider, I
wouldn't have been able to start a working second SSH session
listening to port 53 (instead of 22).
You are again not concluding properly. DNS requires *UDP* port 53 as
well as *TCP* port 53. Your assumption that DNS somehow can do with
*TCP* port 53 alone is unfounded and plain wrong.
Post by T o n g
In other words, all else the same, swap in SSH to listen to port 53,
it works; swap in dnsmasq, and it fails. With all else the same,
dnsmasq is the only problem.
This experiment only proves that *TCP* port 53 works between your
home and box, but that was already proven by previous tests I
suggested. However, dnsmasq requires *UDP* port 53 -- and due to a
crippled access, you cannot use that UDP port, contrary to a
considerable quantity of other persons who daily prove that dnsmasq
can be used way beyond a LAN.
I'll agree that dnsmasq as an authoritative server to the Internet
might not be insane, but dnsmasq as resolver for an ISP or larger
network is not a good idea. It's only forwarding queries, not
actually doing the recursion itself.
Post by Albert ARIBAUD
Post by T o n g
Thanks anyway for all your help.
You're welcome. :)
And a very good job on your part for trying to help. Unfortunately
this matter feels very much like an "XY" problem: "I want to do X, I
think Y would do it for me, so I am asking how to do Y." As is
common in such cases, "Y" makes little sense.

If Tong should decide to bring this up again, I would strongly
suggest asking about "X", the real goal.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
w***@gmail.com
2016-07-15 14:07:24 UTC
Permalink
also replied off-list...
Post by T o n g
After struggling for a few days, I finally decided that I should reply, to
bring some closure on this. Thank you for all these days of your tireless
help. However, my conclusion is still the same as my first post -- dnsmasq is
unable to provide public DNS service -- It can be used as DNS server for
local host, or local network, but just not for the general public. We've
ruled out everything possible, and the only thing left is dnsmasq.
I.e., if there is any problem with my ISP or my hosting provider, I wouldn't
have been able to start a working second SSH session listening to port 53
(instead of 22).
you have missed the point... SSH is TCP... DNS is UDP... DNS switches to TCP
/ONLY/ if the reply is too large... these other services you're switching in to
test with are not UDP and that's the flaw in your testing... it is UDP on port
53 that your ISP is apparently blocking... if you want to test properly, then
you need to set up a UDP service on port 53 and see if it works from outside
your ISP...
Post by T o n g
In other words, all else the same, swap in SSH to listen to port 53, it
works; swap in dnsmasq, and it fails. With all else the same, dnsmasq is the
only problem.
see above... you must compare apples and apples... you cannot compare TCP
software against UDP software... that's apples and oranges and you will/have
come to the wrong conclusion via improper testing and invalid results data...
--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
T o n g
2016-07-07 13:13:37 UTC
Permalink
Post by Albert ARIBAUD
Yes dnsmasq can server the whole world if you want it to, and as I
already told you, it should work out of the box.
Therefore, if it does not work in your case, it is because either its
configuration is improper, or the networking setup of the box it runs on
is improper (or both).
As explained, the networking is not the problem. So maybe Ubuntu did
some of its own config tweaking apart from the standard?

I've posted the dnsmasq config (same for both systems) to
http://pastebin.ca/3655920

thanks
T o n g
2016-07-07 13:16:22 UTC
Permalink
Disregard my previous /etc/dnsmasq.conf post, just noticed that it is all
comments, no settings at all.
/dev/rob0
2016-07-06 13:43:56 UTC
Permalink
Post by T o n g
Post by T o n g
And, yes, basically I'm creating an open DNS server, and since
nobody is doing that, I can't find any information on how to
set it up properly.
your machine may then serve as an amplifier for DDoS attacks.
I'm more interested to know how to do that than actually provide
the DNS service. BTW, on to that thought, how are the ISP's or Google's
DNS servers able to avoid being an amplifier for DDoS attacks?
Having some familiarity with this, I can address this question, while
staying out of Albert's way as he valiantly tried to address the Big
Picture. :)

First off, Google is an entirely different thing, having little in
common with ISP recursive servers. Well, not quite, as the attacks
are the same, but the potential defenses are more limited.

See: https://en.wikipedia.org/wiki/Ingress_filtering

BCP 38 (and BCP 84 for upstream providers) can help quite a lot.
Basically if you know you're receiving a certain source IP address
from the wrong place, you know it's a spoof, and drop it.

Unfortunately most ISPs and backbones have not implemented this, so
the spammers & scammers spoof away. An ISP has another tool,
however: the firewall. They maintain strict separation between
recursive service for their own users and authoritative service for
their own zones.

The latter are open to the world, and refuse recursion from
everywhere. The former are only open to their own networks, and
those are the networks that would be allowed recursion.

Still, this is not enough, because an ISP of any size will be hosting
botnets galore within their own address space.

Note that an internal botnet host spoofing an external IP address
will be able to reach the recursive servers, but recursion would be
refused. That's good, but that still sends a REFUSED "reply" to the
spoofed IP address. So the recursive servers need a second layer of
defense: a firewall which drops anything from outside their networks.
(It's also useful in large ISPs to subdivide networks into different
parts, and to provide resolver farms which are limited to one part
only, rather than open to the ISP's entire network.)

Now the ISP recursive servers are not participating in external
amplification attacks, but what if the spoofed IP address was
internal to that ISP? So far there's no protection. And here's
where common ground exists between ISP resolvers and Google Public
DNS.

https://kb.isc.org/article/AA-01304/
https://kb.isc.org/article/AA-01316/

Recursive client rate limiting is a relatively new feature in ISC
BIND. It's currently the best that can be done. I strongly suspect
that Google also implements a feature like this.

Running recursive nameservers for an ISP is a specialised job. One
should not take on that responsibility without adequate preparation
and resources.

Running a "responsible" open resolver is even more specialised.
Google surely devotes quite a lot of expert manpower to the task. I
suspect they also are continually monitoring the service for spikes
and other attack indicators.

Dnsmasq is a wonderful piece of software which does a very nice job
at meeting the needs of most small, simple sites. I do not think
it's well suited for ISP use, and especially not for use as an open
resolver.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
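The layered defence /dev/rob0 lays out above (ingress filtering per BCP 38, recursion only for the ISP's own networks with outsiders dropped at the firewall rather than answered REFUSED, and recursive client rate limiting as the last layer) as an added Python example that is not part of this thread and not the code of dnsmasq, BIND or any ISP: a policy object that runs each incoming query through the three checks in that order, over a constructed traffic mix. Interface names, prefixes, addresses and the rate/burst values are made up for the illustration.

```python
"""Front-door policy of a recursive resolver, as described in the thread:
BCP 38 ingress filtering, an allow-list of client networks whose misses are
dropped (not REFUSED), and per-client rate limiting. Added example, not code
from the thread, dnsmasq or BIND; all prefixes, interfaces and queries are
constructed."""
import ipaddress
from collections import defaultdict

SERVE, DROP, RATE_LIMITED = "serve", "drop", "rate-limited"

class TokenBucket:
    """`rate` tokens per second, bursting up to `capacity`; one token per query."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class ResolverPolicy:
    def __init__(self, client_nets, ingress_map, rate=5.0, burst=10):
        self.client_nets = [ipaddress.ip_network(n) for n in client_nets]
        # interface -> source prefixes that can legitimately arrive on it (BCP 38 table)
        self.ingress_map = {i: [ipaddress.ip_network(p) for p in ps]
                            for i, ps in ingress_map.items()}
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.counts = defaultdict(int)

    def decide(self, src, iface, now):
        ip = ipaddress.ip_address(src)
        # 1. Ingress filter: a source that cannot arrive on this interface is spoofed.
        if not any(ip in p for p in self.ingress_map.get(iface, [])):
            return self._record(DROP)
        # 2. Recursion is for our own networks only. Outsiders are dropped at the
        #    firewall rather than answered REFUSED, so no packet goes to a spoofed victim.
        if not any(ip in n for n in self.client_nets):
            return self._record(DROP)
        # 3. Per-client rate limit: the remaining gap is an internal bot spoofing an
        #    internal victim, which the first two checks cannot tell apart.
        if not self.buckets[ip].allow(now):
            return self._record(RATE_LIMITED)
        return self._record(SERVE)

    def _record(self, decision):
        self.counts[decision] += 1
        return decision

def run_sample():
    """Constructed traffic mix; returns (per-query decisions, decision counts)."""
    policy = ResolverPolicy(client_nets=["10.0.0.0/8"],
                            ingress_map={"customer0": ["10.0.0.0/8"],
                                         "transit0": ["0.0.0.0/0"]},
                            rate=5.0, burst=10)
    traffic = [("10.1.2.3", "customer0", 0.0),        # ordinary customer query
               ("192.0.2.7", "customer0", 0.1),       # external source on the customer side: spoof
               ("198.51.100.9", "transit0", 0.2)]     # outsider asking for recursion
    traffic += [("10.9.9.9", "customer0", 1.0)] * 30  # burst from one internal host
    traffic += [("10.9.9.9", "customer0", 10.0)]      # same host after the bucket refills
    decisions = [policy.decide(*q) for q in traffic]
    return decisions, dict(policy.counts)

if __name__ == "__main__":
    decisions, counts = run_sample()
    print(counts)
```

The counts show why the order matters: the spoofed external source and the outside recursion request produce no packet at all, whereas a REFUSED reply would still have gone to the forged address. For a single dnsmasq host the counterpart of step 2 is not a listen-address of 0.0.0.0 but one restricted to the networks that should be served, backed by a host firewall rule that drops port 53 from everywhere else.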
T o n g
2016-07-07 03:19:53 UTC
Permalink
Running recursive nameservers for an ISP is a specialised job...
Running a "responsible" open resolver is even more specialised.
Just figured out what Authoritative and/or Recursive DNS Nameservers
mean.

No, no, I'm not in any position doing any of those. I'm just using dnsmasq
as the *caching only* DNS, and am trying to extend that service outside
my local network.
T o n g
2016-07-07 02:55:17 UTC
Permalink
Post by /dev/rob0
Post by T o n g
Post by Albert ARIBAUD
Nobody should do that indeed, because it is a very bad idea: your
machine may then serve as an amplifier for DDoS attacks.
I'm more interested to know how to do that than actually provide the
DNS service. BTW, on to that thought, how are the ISP's or Google's DNS
servers able to avoid being an amplifier for DDoS attacks?
Having some familiarity with this, I can address this question, while
staying out of Albert's way as he valiantly tried to address the Big
Picture. :)
Oh, thanks a lot for your detailed explanation.

That's exactly the kind of info I need. We all know that "anything could
happen". Once I asked how to use sendmail as the mail server so people
can send emails to me, to my account on my own domain, and the
response was overwhelmingly: DON'T, then followed by "anything could
happen", without explaining what actually could happen ---

Your detailed explanation really helped me understand the situation and
complexity of the issue.
Post by /dev/rob0
Dnsmasq is a wonderful piece of software which does a very nice job at
meeting the needs of most small, simple sites. I do not think it's well
suited for ISP use, and especially not for use as an open resolver.
This is only for my personal use, and I'll turn it off once I'm done.
I.e., I care more about *can* it be done part, not much on the part of
"*should* it be done".

thanks again