[Dnsmasq-discuss] dnsmasq: routing non /24 reverse in-addr.arpa requests
Alessandro Bottonelli
2016-08-28 09:33:02 UTC
Hi,

very new to dnsmasq, and also very impressed. I replaced bind last night
'cause I needed to route different subnets' reverses to different name
servers. Not a clean setup, I know. But that's what my Customer has been
doing over the last twenty years. Cannot do anything about it.

Here's the current /etc/dnsmasq.conf content (I added the line numbers):

-----
1. # routing PTR queries to nameservers:
2. server=/50.150.10.in-addr.arpa/10.150.50.17
3. server=/51.150.10.in-addr.arpa/10.150.50.17
4. server=/52.150.10.in-addr.arpa/10.150.50.17
5. server=/53.150.10.in-addr.arpa/10.150.50.17
6. server=/54.150.10.in-addr.arpa/10.150.50.17
7. server=/156.240.10.in-addr.arpa/10.150.50.17
8. server=/157.240.10.in-addr.arpa/10.150.50.17
9. server=/158.240.10.in-addr.arpa/10.150.50.17
10. server=/129.240.10.in-addr.arpa/10.240.129.113
11. # anything else not defined above (strict-order is set)
11. server=/10.in-addr.arpa/10.159.59.41
----

The issue is with line 7, actually 10.240.156.x IS NOT a /24 net. I
tried different syntax forms, I searched, but could not find a way to
tell dnsmasq about that.

Is it possible?

Or alternatively; is there a way to tell dnsmasq to ignore NXDOMAIN from
previous servers and keep asking? I KNOW, intellectually very wrong. But
real life is real life :-)

Thanks in advance for any help.
--
Alessandro
Albert ARIBAUD
2016-08-28 09:53:59 UTC
Hi Alessandro,

On Sun, 28 Aug 2016 11:33:02 +0200
Post by Alessandro Bottonelli
Hi,
very new to dnsmasq, and also very impressed. I replaced bind last
night 'cause I needed to route different subnets' reverses to
different name servers. Not a clean setup, I know. But that's what my
Customer has been doing over the last twenty years. Cannot do
anything about it.
Here's the current /etc/dnsmasq.conf content (I added the line
-----
2. server=/50.150.10.in-addr.arpa/10.150.50.17
3. server=/51.150.10.in-addr.arpa/10.150.50.17
4. server=/52.150.10.in-addr.arpa/10.150.50.17
5. server=/53.150.10.in-addr.arpa/10.150.50.17
6. server=/54.150.10.in-addr.arpa/10.150.50.17
7. server=/156.240.10.in-addr.arpa/10.150.50.17
8. server=/157.240.10.in-addr.arpa/10.150.50.17
9. server=/158.240.10.in-addr.arpa/10.150.50.17
10. server=/129.240.10.in-addr.arpa/10.240.129.113
11. # anything else not defined above (strict-order is set)
11. server=/10.in-addr.arpa/10.159.59.41
----
The issue is with line 7, actually 10.240.156.x IS NOT a /24 net. I
tried different syntax forms, I searched, but could not find a way to
tell dnsmasq about that.
[10.240.156.x looks like a /24 (sub)net to me, what with three bytes out
of four being constant. Do you mean the third byte may be something
other than 156? Or is x restricted to less than the whole 0..255
range?]
Post by Alessandro Bottonelli
Is it possible?
Can you use rev-server? The manpage gives an example with a subnet size
for rev-server (whereas it does not give any size for server). Maybe
other values than 24 work too -- I haven't checked the source code,
only the manpage.
Post by Alessandro Bottonelli
Or alternatively; is there a way to tell dnsmasq to ignore NXDOMAIN
from previous servers and keep asking? I KNOW, intellectually very
wrong. But real life is real life :-)
Thanks in advance for any help.
Kind regards,
--
Albert.
Alessandro Bottonelli
2016-08-28 12:56:35 UTC
Post by Albert ARIBAUD
Hi Alessandro,
On Sun, 28 Aug 2016 11:33:02 +0200
Here's the current /etc/dnsmasq.conf content (I added the line
-----
2. server=/50.150.10.in-addr.arpa/10.150.50.17
3. server=/51.150.10.in-addr.arpa/10.150.50.17
4. server=/52.150.10.in-addr.arpa/10.150.50.17
5. server=/53.150.10.in-addr.arpa/10.150.50.17
6. server=/54.150.10.in-addr.arpa/10.150.50.17
7. server=/156.240.10.in-addr.arpa/10.150.50.17
8. server=/157.240.10.in-addr.arpa/10.150.50.17
9. server=/158.240.10.in-addr.arpa/10.150.50.17
10. server=/129.240.10.in-addr.arpa/10.240.129.113
11. # anything else not defined above (strict-order is set)
11. server=/10.in-addr.arpa/10.159.59.41
----
The issue is with line 7, actually 10.240.156.x IS NOT a /24 net. I
tried different syntax forms, I searched, but could not find a way to
tell dnsmasq about that.
[10.240.156.x looks like a /24 (sub)net to me, what with three bytes out
of four being constant. Do you mean the third byte may be something
other than 156? Or is x restricted to less than the whole 0..255
range?]
The latter you wrote. My line 7 is wrong I know, but I don't know how to
write it differently.
I can rev 10.240.156.6 by asking 10.150.50.17. But 10.240.156.101 is
reversed only by 10.159.59.41 (tried with dig -x 10.240.156.101
@10.159.59.41 and works fine).

And that's my issue, what's the syntax (if available) to tell dnsmasq to
ask for reverse for less than the 0..255 range? Say ask 10.240.156.[0-63]
revs to 10.150.50.17 and ask 10.240.156.[64-255] revs to 10.159.59.41.

And/Or, as previously asked, is there a way to tell dnsmasq to ignore
NXDOMAIN coming from one server (say 10.150.50.17) and keep asking the
others (till the end of the server list)?

Thanks,
--
Alessandro
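The [0-63] / [64-255] split asked about above can be expressed with plain server= lines even on a dnsmasq that has no rev-server, because server= matches any query name ending in the given domain and the most specific (longest) match wins: a /26 is simply 64 single-address reverse names under the /24. The script below is an added example, not code from this thread or from dnsmasq itself; the config lines it emits are constructed from the prefixes and upstreams in the thread, and pick_upstream() only imitates dnsmasq's longest-suffix choice for illustration.

```python
import ipaddress

def reverse_server_lines(cidr, upstream):
    """Expand an IPv4 prefix into dnsmasq 'server=' lines for its reverse zone.

    dnsmasq matches server= domains as name suffixes, so a /8, /16 or /24
    is one in-addr.arpa suffix.  Any other length is rounded up to the next
    octet boundary and enumerated: a /26 becomes 64 single-address PTR
    names, which is how a sub-/24 split can be expressed without rev-server.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # reject prefixes with host bits set
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("need an IPv4 prefix between /1 and /32")
    step = -(-net.prefixlen // 8) * 8            # ceiling to 8, 16, 24 or 32
    subs = [net] if step == net.prefixlen else net.subnets(new_prefix=step)
    lines = []
    for sub in subs:
        octets = str(sub.network_address).split(".")[: step // 8]
        zone = ".".join(reversed(octets)) + ".in-addr.arpa"
        lines.append(f"server=/{zone}/{upstream}")
    return lines

def ptr_name(ip):
    """Reverse-lookup query name for an IPv4 address (what 'dig -x' sends)."""
    return ".".join(reversed(str(ipaddress.ip_address(ip)).split("."))) + ".in-addr.arpa"

def pick_upstream(ip, config_lines):
    """Imitate dnsmasq's selection (illustration only): among server= lines
    whose domain is a suffix of the PTR query name, the longest domain wins."""
    name = ptr_name(ip)
    best = None
    for line in config_lines:
        _, zone, upstream = line.split("/")
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, upstream)
    return best[1] if best else None

# Constructed config for the split asked about in the thread:
# 10.240.156.0-63 -> 10.150.50.17, everything else under 10/8 -> 10.159.59.41.
CONFIG = (reverse_server_lines("10.240.156.0/26", "10.150.50.17")
          + reverse_server_lines("10.0.0.0/8", "10.159.59.41"))

if __name__ == "__main__":
    print("\n".join(CONFIG))
    for ip in ("10.240.156.6", "10.240.156.101"):
        print(ip, "->", pick_upstream(ip, CONFIG))
```

Paste the emitted lines into dnsmasq.conf in place of the single /24 line; the 192 addresses not listed fall through to the 10.in-addr.arpa entry exactly as before.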
Albert ARIBAUD
2016-08-28 15:56:32 UTC
Hi again Alessandro,

On Sun, 28 Aug 2016 14:56:35 +0200
Post by Alessandro Bottonelli
Post by Albert ARIBAUD
Hi Alessandro,
On Sun, 28 Aug 2016 11:33:02 +0200
-----
2. server=/50.150.10.in-addr.arpa/10.150.50.17
3. server=/51.150.10.in-addr.arpa/10.150.50.17
4. server=/52.150.10.in-addr.arpa/10.150.50.17
5. server=/53.150.10.in-addr.arpa/10.150.50.17
6. server=/54.150.10.in-addr.arpa/10.150.50.17
7. server=/156.240.10.in-addr.arpa/10.150.50.17
8. server=/157.240.10.in-addr.arpa/10.150.50.17
9. server=/158.240.10.in-addr.arpa/10.150.50.17
10. server=/129.240.10.in-addr.arpa/10.240.129.113
11. # anything else not defined above (strict-order is set)
11. server=/10.in-addr.arpa/10.159.59.41
----
The issue is with line 7, actually 10.240.156.x IS NOT a /24 net. I
tried different syntax forms, I searched, but could not find a way
to tell dnsmasq about that.
[10.240.156.x looks like a /24 (sub)net to me, what with three bytes out
of four being constant. Do you mean the third byte may be something
other than 156? Or is x restricted to less than the whole 0..255
range?]
The latter you wrote. My line 7 is wrong I know, but I don't know how
to write it differently.
I can rev 10.240.156.6 by asking 10.150.50.17. But 10.240.156.101 is
reversed only by 10.159.59.41 (tried with dig -x 10.240.156.101
@10.159.59.41 and works fine).
And that's my issue, what's the syntax (if available) to tell dnsmasq
to ask for reverse for less than the 0..255 range? Say ask
10.240.156.[0-63] revs to 10.150.50.17 and ask 10.240.156.[64-255]
revs to 10.159.59.41.
And/Or, as previously asked, is there a way to tell dnsmasq to ignore
NXDOMAIN coming from one server (say 10.150.50.17) and keep asking
the others (till the end of the server list)?
Post by Albert ARIBAUD
Can you use rev-server? The manpage gives an example with a subnet
size for rev-server (whereas it does not give any size for server).
Maybe other values than 24 work too -- I haven't checked the source
code, only the manpage.
Did you try this?
Post by Alessandro Bottonelli
Thanks,
Kind regards,
--
Albert.
Alessandro Bottonelli
2016-08-28 17:03:48 UTC
Post by Albert ARIBAUD
Hi again Alessandro,
On Sun, 28 Aug 2016 14:56:35 +0200
------ 8< cut >8 ------
And that's my issue, what's the syntax (if available) to tell dnsmasq
to ask for reverse for less than the 0..255 range? Say ask
10.240.156.[0-63] revs to 10.150.50.17 and ask 10.240.156.[64-255]
revs to 10.159.59.41.
And/Or, as previously asked, is there a way to tell dnsmasq to ignore
NXDOMAIN coming from one server (say 10.150.50.17) and keep asking
the others (till the end of the server list)?
Post by Albert ARIBAUD
Can you use rev-server? The manpage gives an example with a subnet
size for rev-server (whereas it does not give any size for server).
Maybe other values than 24 work too -- I haven't checked the source
code, only the manpage.
Did you try this?
Ah! I didn't miss it, much worse! I dismissed it! Pardon :-/ that was
just because I didn't find such "rev-server" option in the man page. Now
I double-checked, and *yes* the dnsmasq version I actually installed
last night (from standard repositories) is quite old (Dnsmasq version
2.48).

So I downloaded the sources for v.2.76 and indeed found the rev-server
option in the man page!

Now I have to plan the make and install of a "/usr/local/sbin/dnsmasq"
and the replacement of the repository version. I've to do it directly on
a fully operational, 7x24, mission-critical server, 600 km away.
Therefore, I've to do it just like porcupines make love: VERY
CAUTIOUSLY! :-)))

Such rev-server option looks very promising.

Since you have been helping a lot, I will post the results to the list
in a few days, for your and anybody else's reference.

Thanks a million, Albert,
--
Alessandro

PS
And thank you very much to Simon (and to any other contributor) for the
good work!
Albert ARIBAUD
2016-08-29 05:06:40 UTC
Hi Alessandro,

On Sun, 28 Aug 2016 19:03:48 +0200
Post by Alessandro Bottonelli
Now I have to plan the make and install of a
"/usr/local/sbin/dnsmasq" and the replacement of the repository
version. I've to do it directly on a fully operational, 7x24,
mission-critical server, 600 km away. Therefore, I've to do it just
like porcupines make love: VERY CAUTIOUSLY! :-)))
There is an advantage to your situation over that of porcupine
reproduction: you can set up the newer dnsmasq to run on a non-standard
port, which allows you to run tests on it using dig et al. while at the
same time not disturbing the production setup (but be wary not to kill
the wrong dnsmasq, though! I suggest running the tested dnsmasq in the
foreground in its own terminal, killing it with ^C rather than 'kill').
Post by Alessandro Bottonelli
Such rev-server option looks very promising.
Since you have been helping a lot, I will post the results to the
list in a few days, for your and anybody else's reference.
Thanks a lot.
Post by Alessandro Bottonelli
Thanks a million, Albert,
NP!

Kind regards,
--
Albert.