[Dnsmasq-discuss] How to declare dnsmasq as authoritative for the 10.x subnet?
Wojtek Swiatek
2018-09-06 14:36:12 UTC
Hello everyone,

Following the documentation for auth-zone, I tried to declare my dnsmasq
server as authoritative for the 10.0.0.0/8 zone (I serve several IP
sub-ranges in 10.x). Unfortunately, whatever I try I end up with

Sep 06 16:29:28 bind named[4677]: zone 10.in-addr.arpa/IN: refresh:
non-authoritative answer from master 10.100.10.254#53 (source 0.0.0.0#0)

on the secondary bind server (the direct zones are transferred OK).

How should I set this up? I tried

auth-zone=10.0.0.0/8
auth-zone=10.in-addr.arpa

but none of them worked (no errors in dnsmasq, just the bind message above).

Thanks for any pointers!
Simon Kelley
2018-09-08 14:53:50 UTC
Post by Wojtek Swiatek
Hello everyone,
Following the documentation for auth-zone, I tried to declare my dnsmasq
server as authoritative for the 10.0.0.0/8 zone (I
serve several IP sub-ranges in 10.x). Unfortunately, whatever I try I
end up with
non-authoritative answer from master 10.100.10.254#53 (source 0.0.0.0#0)
on the secondary bind server (the direct zones are transferred OK).
How should I set this up? I tried
auth-zone=10.0.0.0/8
auth-zone=10.in-addr.arpa
but none of them worked (no errors in dnsmasq, just the bind message above).
Thanks for any pointers!
auth-zone specifies the zone within the domain-name tree first, then
(optionally) the subnet range which gets served for reverse queries, so
something like

auth-zone=swtk.info/0.0.0.0/8

would do the trick.

The important thing to understand about dnsmasq is that it continues to
work as a normal DNS forwarder, and only acts as an authoritative server
when queries arrive at a particular interface or address. Typically,
it's acting as DNS forwarder on "internal" networks, and as
authoritative when queries arrive from the "internet" side of the router
it's running on. To tell it which queries to answer in authoritative
mode, you need to use the --auth-server configuration.


There's quite a long step-by-step guide to setting up auth mode as a
separate section of the man page. It's worth reading that.


Cheers

Simon.

Post by Wojtek Swiatek
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
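To make the ordering rule in the reply concrete (forward domain first, subnet(s) after it, reverse zones derived from the subnets, and auth-server needed alongside auth-zone), here is a small lint script for the relevant dnsmasq options. It is an added example written for this thread, not code from dnsmasq or from either poster; it assumes the comma-separated auth-zone form that the man page documents and that the follow-up message uses, and the sample config lines are constructed from the ones quoted in the thread.

```python
"""Lint dnsmasq auth-zone / auth-server lines.

Added example, not code from dnsmasq. Syntax assumed, from the thread and the
comma-separated form in the dnsmasq man page:
    auth-zone=<domain>[,<subnet>[/<prefix>]|exclude:<subnet>|<interface>]...
    auth-server=<domain>[,<interface>|<address>]...
"""
import ipaddress

# Constructed sample, modelled on the lines quoted in the thread (lines 3 and 4
# reproduce the original poster's two attempts).
SAMPLE_CONFIG = """\
auth-server=srv.swtk.info,lan0,br0
auth-zone=swtk.info,10.0.0.0/8,lan0,br0
auth-zone=10.0.0.0/8
auth-zone=10.in-addr.arpa
auth-sec-servers=rpi1,bind
"""


def as_network(field):
    """Return an ip_network if the field parses as an address or subnet, else None."""
    try:
        return ipaddress.ip_network(field, strict=False)
    except ValueError:
        return None


def reverse_zone(net):
    """Name of the octet- (or nibble-) aligned reverse zone enclosing net."""
    if net.version == 4:
        labels = str(net.network_address).split('.')[: net.prefixlen // 8]
        suffix = 'in-addr.arpa'
    else:
        digits = net.network_address.exploded.replace(':', '')
        labels = list(digits[: net.prefixlen // 4])
        suffix = 'ip6.arpa'
    return '.'.join(list(reversed(labels)) + [suffix])


def parse_auth_zone(value):
    """Split an auth-zone value into domain, subnets, excludes and interfaces."""
    fields = value.split(',')
    zone = {'domain': fields[0], 'subnets': [], 'excludes': [], 'interfaces': []}
    for field in fields[1:]:
        if field.startswith('exclude:'):
            zone['excludes'].append(ipaddress.ip_network(field[8:], strict=False))
        elif as_network(field) is not None:
            zone['subnets'].append(as_network(field))
        else:
            zone['interfaces'].append(field)  # anything non-numeric is an interface name
    return zone


def lint(config_text):
    """Return (line_number, message) findings for the auth-zone/auth-server lines."""
    findings = []
    have_auth_server = False
    have_auth_zone = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        if key == 'auth-server':
            have_auth_server = True
        elif key == 'auth-zone':
            have_auth_zone = True
            domain = parse_auth_zone(value)['domain']
            if as_network(domain) is not None:
                findings.append((lineno, 'first field must be the forward domain name, '
                                         'not a subnet; put the subnet after it'))
            elif domain.endswith(('.in-addr.arpa', '.ip6.arpa')):
                findings.append((lineno, 'reverse zones are derived from the subnet list; '
                                         'name the forward domain and add the subnet'))
    if have_auth_zone and not have_auth_server:
        findings.append((0, 'auth-zone present but no auth-server: nothing tells dnsmasq '
                            'which queries to answer authoritatively'))
    return findings


def derived_reverse_zones(config_text):
    """Reverse zones implied by the well-formed auth-zone lines."""
    zones = []
    for raw in config_text.splitlines():
        if raw.startswith('auth-zone='):
            zone = parse_auth_zone(raw[len('auth-zone='):])
            if as_network(zone['domain']) is None:
                zones.extend(reverse_zone(n) for n in zone['subnets'])
    return zones


if __name__ == '__main__':
    for lineno, msg in lint(SAMPLE_CONFIG):
        print(f'line {lineno}: {msg}')
    print('reverse zones served:', derived_reverse_zones(SAMPLE_CONFIG))
```

Run against the sample, the two single-field attempts from the first message are flagged and only the `swtk.info,10.0.0.0/8` line yields a derived reverse zone (`10.in-addr.arpa`). The script checks syntax only; whether the secondary can actually transfer that zone still depends on the auth-server and auth-sec-servers settings on the running dnsmasq.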
Wojtek Swiatek
2018-09-10 11:50:47 UTC
Hello Simon
Post by Simon Kelley
auth-zone specifies the zone within the domain-name tree first, then
(optionally) the subnet range which gets served for reverse queries, so
something like
auth-zone=swtk.info/0.0.0.0/8
would do the trick.
The important thing to understand about dnsmasq is that it continues to
work as a normal DNS forwarder, and only acts as an authoritative server
when queries arrive at a particular interface or address. Typically,
it's acting as DNS forwarder on "internal" networks, and as
authoritative when queries arrive from the "internet" side of the router
it's running on. To tell it which queries to answer in authoritative
mode, you need to use the --auth-server configuration.
I am a bit confused because the manpage mentions only commas in auth-zone
but I tried your version anyway and it does not work. The complete setup
for the authoritative part is now

auth-server=srv.swtk.info,lan0,br0
auth-zone=swtk.info,10.0.0.0/8,lan0,br0
auth-sec-servers=rpi1,bind

This is a result of several trial and errors and it is the one which goes
closest to the solution, as the bind server now states

Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: connected using 10.200.0.158#38535
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: failed while receiving responses: SERVFAIL
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: Transfer status: SERVFAIL
Sep 10 13:45:37 bind named[11209]: transfer of '10.in-addr.arpa/IN' from
10.100.10.254#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001
secs (0 bytes/sec)

I believe that dnsmasq is not authoritative but does not allow for the
transfer from the secondary.
What is particularly weird is that the direct resolution (for domain
swtk.info) is transferred correctly. It looks like this is specifically the
transfer of the 10.x zone which is problematic.
Post by Simon Kelley
There's quite a long step-by-step guide to setting up auth mode as a
separate section of the man page. It's worth reading that.
Yes, I did read it several times (if you mean the "AUTHORITATIVE
CONFIGURATION" section)

Cheers
Wojtek
