[Dnsmasq-discuss] Try next forward servers after NXDOMAIN
Petteri Heinonen
2009-04-19 07:29:07 UTC
Hello list users. I am currently experiencing a seemingly simple DNS
related problem, but I haven't been able to find a decent solution for
it. Here is the setup:

- Our organization has the primary master DNS, which does not serve
dynamic DNS updates however. Only static entries there.
- In one of our departments (the one I happen to be administrator of)
hosts would need to use dynamic DNS updates however.
- The domain (let's call that ourdomain.com) would need to be same
everywhere, so I cannot use for example subdomain.ourdomain.com.

Now I haven't found a way to create a zone in Bind9 which would first
try to resolve names locally, and if not found locally, would then
forward the query to primary master DNS server. If that would be
possible, I could configure that local Bind server to catch the DNS
update requests, and keep local repository of those. Then, when a query
for such a dynamically updated hostname arrives, Bind could find that
locally and give a proper response. And, still forward queries for which
the local entry is not found, to the primary server. But, that kind of
"hybrid" master+forward zone type does not exist in Bind.

When I found dnsmasq, I thought that it could be a help: I can define
several forwarding servers for a single domain there. But, it seems that
upon receiving a first NXDOMAIN from any of the forward servers, this
NXDOMAIN is immediately replied to the client. What I would need, is
that upon receiving a NXDOMAIN from a server, the next server in the
list would be tried. And if the last server in the list would also give
NXDOMAIN, only after that NXDOMAIN would be returned to client also.

For me it seems that there is no such functionality in dnsmasq
currently. I took a look at the source code, and it doesn't look overly
complex. However, my C skills are not that good, so I probably cannot
make this kind of change all by myself. That's where I'm asking help; is
there anyone on the list who would have examined the dnsmasq source and
could possibly give some advice what would need to be changed in order
to achieve the functionality described above? Any help would be greatly
appreciated.

Regards, Petteri Heinonen
r***@gmail.com
2009-04-20 18:21:50 UTC
On Sun, Apr 19, 2009 at 2:29 AM, Petteri Heinonen <
Post by Petteri Heinonen
Hello list users. I am currently experiencing a seemingly simple DNS
related problem, but I haven't been able to find a decent solution for it.
- Our organization has the primary master DNS, which does not serve dynamic
DNS updates however. Only static entries there.
- In one of our departments (the one I happen to be administrator of) hosts
would need to use dynamic DNS updates however.
- The domain (let's call that ourdomain.com) would need to be same
everywhere, so I cannot use for example subdomain.ourdomain.com.
Now I haven't found a way to create a zone in Bind9 which would first try
to resolve names locally, and if not found locally, would then forward the
query to primary master DNS server. If that would be possible, I could
configure that local Bind server to catch the DNS update requests, and keep
local repository of those. Then, when a query for such a dynamically updated
hostname arrives, Bind could find that locally and give a proper response.
And, still forward queries for which the local entry is not found, to the
primary server. But, that kind of "hybrid" master+forward zone type does not
exist in Bind.
When I found dnsmasq, I thought that it could be a help: I can define
several forwarding servers for a single domain there. But, it seems that
upon receiving a first NXDOMAIN from any of the forward servers, this
NXDOMAIN is immediately replied to the client. What I would need, is that
upon receiving a NXDOMAIN from a server, the next server in the list would
be tried. And if the last server in the list would also give NXDOMAIN, only
after that NXDOMAIN would be returned to client also.
This behavior should never be default, and probably should not even be
available on the default upstream server list (it would totally break any
sort of redundancy, to wait for the slowest server). But for individual
domains maybe it isn't so bad.

Simon, would you consider an overlay-server configuration option that treats
NXDOMAIN replies in this way, for explicitly listed domains only?
Post by Petteri Heinonen
For me it seems that there is no such functionality in dnsmasq currently. I
took a look at the source code, and it doesn't look overly complex. However,
my C skills are not that good, so I probably cannot make this kind of change
all by myself. That's where I'm asking help; is there anyone on the list who
would have examined the dnsmasq source and could possibly give some advice
what would need to be changed in order to achieve the functionality
described above? Any help would be greatly appreciated.
Regards, Petteri Heinonen
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Tom Metro
2009-04-21 05:56:38 UTC
Post by Petteri Heinonen
- The domain (let's call that ourdomain.com) would need to be same
everywhere, so I cannot use for example subdomain.ourdomain.com.
That's a key limitation, of course. If you were able to segregate your
local dynamic hosts into a subdomain, then you could just use a
--local=/subdomain.ourdomain.com/ to have those dynamic hosts served by
Dnsmasq's DHCP cache, or a similar --server= option to direct queries
for that subdomain to a local server, like the Bind setup you mentioned.

I thought I remembered an option to map domains matching a pattern to
another domain - something like
map=/(*)pattern.ourdomain.com/$1.subdomain.ourdomain.com/ - which would
have allowed you to map those dynamic hosts transparently to a local
subdomain, but I misremembered and such an option doesn't exist.
(Surprisingly :-) ) It only would have helped anyway if you could have
coerced all the dynamic host names to follow some unique pattern.

The other option I see that might work would require some scripting, but
avoids hacking the Dnsmasq source. You'd create a custom script called
via --dhcp-script= whenever a DHCP lease was added or removed (assuming
that's the source of your dynamic DNS entries), which would then use
DBus to update Dnsmasq's configuration by adding/removing an
--address=/dynamichost.ourdomain.com/1.2.3.4/ entry. If I'm interpreting
the man page correctly, that should short circuit the resolution of
dynamichost.ourdomain.com while permitting other ourdomain.com hosts to
be forwarded as usual.

-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
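The lease-hook idea from Tom's post, as an added example that is not code from the thread or from the dnsmasq project. dnsmasq runs a --dhcp-script program with the arguments `add|old|del <MAC> <IP> [<hostname>]`; this script keeps a hosts-format file of the leased names and asks dnsmasq to re-read it, instead of pushing --address entries over DBus as Tom suggests. It assumes the file is loaded with --addn-hosts (which dnsmasq re-reads on SIGHUP), and the domain suffix, file path and pid-file path are placeholders. Because the hostname comes from the DHCP client, the script refuses anything that is not a single plain label, so a client cannot smuggle extra records into the file.

```python
#!/usr/bin/env python3
"""Example --dhcp-script helper (added illustration, not dnsmasq code).

dnsmasq invokes it as:  <script> add|old|del <MAC> <IP> [<hostname>]
The script maintains a hosts-format file that dnsmasq loads through
--addn-hosts and re-reads on SIGHUP.  DOMAIN, HOSTS_FILE and PID_FILE
are assumptions for the example.
"""
import os
import re
import signal
import sys
import tempfile

DOMAIN = "ourdomain.com"                       # assumed suffix
HOSTS_FILE = "/etc/dnsmasq.d/dynamic.hosts"    # assumed path
PID_FILE = "/var/run/dnsmasq.pid"              # assumed path

# The hostname is chosen by the DHCP client: accept one valid label only.
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_hosts(text):
    """Return {fqdn: ip} from hosts-file text, ignoring comments/blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries[parts[1]] = parts[0]
    return entries


def apply_lease_event(entries, action, ip, hostname):
    """Update the {fqdn: ip} mapping for one dhcp-script call.

    Leases with no name, an unsafe name or a malformed address are
    ignored so that a hostile client cannot inject records.
    """
    if hostname is None or not LABEL_RE.fullmatch(hostname):
        return entries
    if not IPV4_RE.fullmatch(ip) or any(int(o) > 255 for o in ip.split(".")):
        return entries
    fqdn = f"{hostname.lower()}.{DOMAIN}"
    if action in ("add", "old"):
        entries[fqdn] = ip
    elif action == "del":
        entries.pop(fqdn, None)
    return entries


def render_hosts(entries):
    """Serialise the mapping back into hosts-file format."""
    lines = ["# generated by dhcp-script; do not edit"]
    for fqdn in sorted(entries):
        lines.append(f"{entries[fqdn]} {fqdn}")
    return "\n".join(lines) + "\n"


def write_atomically(path, text):
    """Write via a temp file and rename so dnsmasq never reads a torn file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".hosts.")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def main(argv):
    if len(argv) < 4:
        return 2
    action, _mac, ip = argv[1], argv[2], argv[3]
    hostname = argv[4] if len(argv) > 4 else None
    try:
        with open(HOSTS_FILE) as f:
            entries = parse_hosts(f.read())
    except FileNotFoundError:
        entries = {}
    write_atomically(HOSTS_FILE, render_hosts(
        apply_lease_event(entries, action, ip, hostname)))
    # Ask dnsmasq to re-read its addn-hosts file.
    with open(PID_FILE) as f:
        os.kill(int(f.read().strip()), signal.SIGHUP)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Names in the generated file are answered by dnsmasq before any forwarding happens, which is the short-circuit Tom describes, while every other ourdomain.com name still goes upstream.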
Petteri Heinonen
2009-04-21 07:06:19 UTC
Post by r***@gmail.com
On Sun, Apr 19, 2009 at 2:29 AM, Petteri Heinonen <
Post by Petteri Heinonen
Hello list users. I am currently experiencing a seemingly simple DNS
related problem, but I haven't been able to find a decent solution for it.
- Our organization has the primary master DNS, which does not serve dynamic
DNS updates however. Only static entries there.
- In one of our departments (the one I happen to be administrator of) hosts
would need to use dynamic DNS updates however.
- The domain (let's call that ourdomain.com) would need to be same
everywhere, so I cannot use for example subdomain.ourdomain.com.
Now I haven't found a way to create a zone in Bind9 which would first try
to resolve names locally, and if not found locally, would then forward the
query to primary master DNS server. If that would be possible, I could
configure that local Bind server to catch the DNS update requests, and keep
local repository of those. Then, when a query for such a dynamically updated
hostname arrives, Bind could find that locally and give a proper response.
And, still forward queries for which the local entry is not found, to the
primary server. But, that kind of "hybrid" master+forward zone type does not
exist in Bind.
When I found dnsmasq, I thought that it could be a help: I can define
several forwarding servers for a single domain there. But, it seems that
upon receiving a first NXDOMAIN from any of the forward servers, this
NXDOMAIN is immediately replied to the client. What I would need, is that
upon receiving a NXDOMAIN from a server, the next server in the list would
be tried. And if the last server in the list would also give NXDOMAIN, only
after that NXDOMAIN would be returned to client also.
This behavior should never be default, and probably should not even be
available on the default upstream server list (it would totally break any
sort of redundancy, to wait for the slowest server). But for individual
domains maybe it isn't so bad.
Simon, would you consider an overlay-server configuration option that treats
NXDOMAIN replies in this way, for explicitly listed domains only?
Post by Petteri Heinonen
For me it seems that there is no such functionality in dnsmasq currently. I
took a look at the source code, and it doesn't look overly complex. However,
my C skills are not that good, so I probably cannot make this kind of change
all by myself. That's where I'm asking help; is there anyone on the list who
would have examined the dnsmasq source and could possibly give some advice
what would need to be changed in order to achieve the functionality
described above? Any help would be greatly appreciated.
Regards, Petteri Heinonen
Hello again, I looked at this a little bit more, and it seems that there is something in the man pages vs. actual functionality that I don't exactly understand. These are on the current man page:

-o, --strict-order
By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up.
Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

--all-servers
By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces
dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original
requestor.

And let's assume I have the following config:

all-servers
strict-order
no-resolv
no-hosts
no-poll
log-queries
log-facility=/tmp/dnsmasq.log
server=/domain.com/10.0.80.200
server=/domain.com/10.41.0.200

Now I would understand this so, that if a query comes for some host at domain.com, and first server answers with for example REFUSED, then next server would be tried. This seems not to be true however. If first server responds with REFUSED, then that REFUSED will be forwarded to the client also. Same is probably true for SERVFAIL also, although I cannot verify that. Saying that "Setting this flag forces dnsmasq to try *each query with each server* strictly in the order they appear in /etc/resolv.conf" would somehow lead me to believe that other servers should be tried after REFUSED or SERVFAIL. Not sure if this is a bug or just me misunderstanding the documentation?

Regards, Petteri Heinonen

--
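A small Python model of the two policies the thread contrasts, added here as an example; it is not dnsmasq code and does not claim to reproduce dnsmasq's real behaviour. It implements the first-reply semantics Petteri observed (the first server's reply, NXDOMAIN or REFUSED included, goes straight to the client) and the per-domain overlay r*** proposed (try the next listed server while the reply's rcode is in a retry set), and leaves that retry set configurable so the REFUSED/SERVFAIL question from the strict-order post can be tried as well. Upstreams are plain functions over constructed records, and the names and addresses are made up; reply timing is not modelled, so the first server in a list always "answers first".

```python
"""Model of the forwarding policies discussed in the thread.

Added illustration, not dnsmasq code.  Upstream servers are fake
functions over constructed records so everything runs offline.
"""
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# DNS RCODEs (RFC 1035 numbering).
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5

Reply = Tuple[int, Optional[str]]        # (rcode, answer address or None)
Upstream = Callable[[str], Reply]


def make_upstream(records: Dict[str, str], miss_rcode: int = NXDOMAIN,
                  log: Optional[List[str]] = None, label: str = "") -> Upstream:
    """Fake upstream: answers from `records`, returns `miss_rcode` otherwise,
    and records every query it receives in `log`."""
    def query(name: str) -> Reply:
        if log is not None:
            log.append(f"{label}:{name}")
        if name in records:
            return (NOERROR, records[name])
        return (miss_rcode, None)
    return query


def first_reply(servers: Sequence[Upstream], name: str) -> Reply:
    """The behaviour Petteri observed: whatever arrives first, negative
    rcodes included, is returned to the client.  Without timing in the
    model, the first server in the list is the one that answers first."""
    return servers[0](name)


def overlay(servers: Sequence[Upstream], name: str,
            retry_on: Sequence[int] = (NXDOMAIN,)) -> Reply:
    """The per-domain overlay r*** proposes: walk the servers in order and
    move on only while the rcode is in `retry_on`; return the first other
    reply, or the last negative one if every server was negative."""
    last: Reply = (SERVFAIL, None)
    for srv in servers:
        last = srv(name)
        if last[0] not in retry_on:
            return last
    return last


class Resolver:
    """Default list: first-reply semantics.  Explicitly listed domains:
    overlay semantics with a configurable set of retry-able rcodes."""

    def __init__(self, default: Sequence[Upstream],
                 overlays: Dict[str, Sequence[Upstream]],
                 retry_on: Sequence[int] = (NXDOMAIN,)):
        self.default = list(default)
        self.overlays = dict(overlays)
        self.retry_on = tuple(retry_on)

    def resolve(self, name: str) -> Reply:
        name = name.lower().rstrip(".")
        for domain, servers in self.overlays.items():
            if name == domain or name.endswith("." + domain):
                return overlay(servers, name, self.retry_on)
        return first_reply(self.default, name)


def demo(retry_on: Sequence[int] = (NXDOMAIN,), local_miss: int = NXDOMAIN):
    """Resolve constructed names and return {name: (reply, queries sent)}.

    The query count shows the redundancy cost r*** warns about: a miss on
    an overlay domain costs one round trip per listed server.
    """
    log: List[str] = []
    local = make_upstream({"laptop7.ourdomain.com": "10.41.0.57"},
                          miss_rcode=local_miss, log=log, label="local")
    primary = make_upstream({"www.ourdomain.com": "10.0.80.10"},
                            log=log, label="primary")
    public = make_upstream({"example.net": "192.0.2.1"}, log=log, label="public")

    r = Resolver(default=[public],
                 overlays={"ourdomain.com": [local, primary]},
                 retry_on=retry_on)
    out = {}
    for name in ("laptop7.ourdomain.com", "www.ourdomain.com",
                 "nothere.ourdomain.com", "example.net"):
        before = len(log)
        out[name] = (r.resolve(name), len(log) - before)
    return out


if __name__ == "__main__":
    for name, (reply, cost) in demo().items():
        print(f"{name:24} rcode={reply[0]} answer={reply[1]} queries={cost}")
```

Running `demo(local_miss=REFUSED)` reproduces the symptom in the strict-order post (a REFUSED from the first server is returned as-is), and `demo(retry_on=(NXDOMAIN, REFUSED, SERVFAIL), local_miss=REFUSED)` shows what treating those rcodes as "try the next server" would change.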
Rune Kock
2009-04-21 15:32:22 UTC
On Sun, Apr 19, 2009 at 09:29, Petteri Heinonen
Post by Petteri Heinonen
- Our organization has the primary master DNS, which does not serve dynamic
DNS updates however. Only static entries there.
- In one of our departments (the one I happen to be administrator of) hosts
would need to use dynamic DNS updates however.
- The domain (let's call that ourdomain.com) would need to be same
everywhere, so I cannot use for example subdomain.ourdomain.com.
Why can't you just use dnsmasq as DHCP and DNS for your local
department? Then your local hosts will automatically be registered,
and their addresses can be resolved from any other machine in the
department. Dnsmasq should still query the upstream server for any
machine name that it doesn't know itself.

Of course, this will still not allow machines outside of your
department to resolve the addresses of your hosts, unless you can tell
them to use your dnsmasq for their queries. But then that can never
be fixed without the cooperation of the authoritative DNS-server for
the domain.

Or maybe I just don't fully understand the problem.


Rune
