
Can dnsmasq be configured to search a secondary domain?


hcgonzalezpr

New Around Here
I have 2 Asus routers, an AC-3100 (Router1) and an AC-66U (Router2), connected via an IPsec VPN (other device).

Router1 = 192.168.1.1/24
local domain : router1net

Router2 = 192.168.0.1/24
local domain : router2net

If I add "server=/router2net/192.168.0.1" to my Router1 dnsmasq config, then from a Windows computer on the router1net network I can type "ping router2.router2net" and it resolves the name. What I want to be able to do is just type "ping router2" and have it look in both router1net and router2net for that host name.

EDIT:
In order for this to work the server needs to be added without the domain but with the slashes. Ex: "server=//192.168.0.1"

EDIT 2 :
Using server=// can create a loop between the 2 dnsmasq servers. I tried using --dns-loop-detect but it's currently not compiled in: dnsmasq: loop detection not available: set HAVE_LOOP in src/config.h
 
I don't know whether this would work on an Asus router, but in the Unix world you would normally achieve this by adding a "search" option to /etc/resolv.conf.
 
I don't know whether this would work on an Asus router, but in the Unix world you would normally achieve this by adding a "search" option to /etc/resolv.conf.

On a normal Linux install that's what I would do, but on the Asus routers /etc/resolv.conf points to /rom/etc/resolv.conf.

I did try adding the search option in /tmp/resolv.conf but it looks like dnsmasq is not using it at all even though the configuration is set to resolv-file=/tmp/resolv.conf
 
I did try adding the search option in /tmp/resolv.conf but it looks like dnsmasq is not using it at all even though the configuration is set to resolv-file=/tmp/resolv.conf
How did you test it?
1) Edit /tmp/resolv.conf
2) killall dnsmasq
3) dnsmasq --log-async
4) nslookup on your client machine.
 
I did try adding the search option in /tmp/resolv.conf but it looks like dnsmasq is not using it at all even though the configuration is set to resolv-file=/tmp/resolv.conf
/tmp/resolv.conf is rebuilt whenever dnsmasq starts or there is a change in the nameservers, for example when starting an openvpn client. Also, resolv and hosts files for dnsmasq are NOT dynamic. If you are experimenting, you can send a SIGHUP to read those changes without restarting dnsmasq.

killall -SIGHUP dnsmasq
 
/tmp/resolv.conf is rebuilt whenever dnsmasq starts or there is a change in the nameservers, for example when starting an openvpn client. Also, resolv and hosts files for dnsmasq are NOT dynamic. If you are experimenting, you can send a SIGHUP to read those changes without restarting dnsmasq.

killall -SIGHUP dnsmasq
Oh... I didn't know it rebuilt the resolv.conf file every time nameservers change... you learn something every day here! I was looking at how dnsmasq can work with ipset... I understand how resolved IP addresses for a domain can be added to a set, but I don't get how it works the other way around. For example, if you specify an address, then dnsmasq will return that address every time it is queried with a matching host name... what happens if you specify ipset instead of address and then a hostname is contained in the set... what is returned?
 
Oh... I didn't know it rebuilt the resolv.conf file every time nameservers change.
Maybe I need to clarify a bit... it's rebuilt on a start or nameserver change when done under control of the firmware in normal operation. If you are starting/stopping via the command line, not so. So the @ColinTaylor method of testing above is also valid.

What happens if you specify ipset instead of address and then a hostname is contained in the set... what is returned?
Not sure I understand your question here. Linking dnsmasq to an ipset tells dnsmasq to update the ipset with its lookup result. So if you have an ipset statement with a domain name and ipset name, and access that domain, dnsmasq adds the returned IP address to that ipset. An example where this is useful is where a domain can have multiple IPs, such as a CDN for a streaming service. This way, you don't need to worry about all the individual IPs. Then, for example, you can test against that set in an iptables rule to do traffic redirection.
 
How did you test it?
1) Edit /tmp/resolv.conf
2) killall dnsmasq
3) dnsmasq --log-async
4) nslookup on your client machine.

I created an init-start script that adds the entries:
echo "search router1 router2" >> /tmp/resolv.conf
echo "nameserver 192.168.0.254" >> /tmp/resolv.conf
(192.168.0.254 is the other network device that has the IPsec tunnel and does the NAT to the internet.)

When the router boots, I see that /tmp/resolv.conf still has my changes. I do have the WAN port disabled, as I'm using 192.168.0.254 as the gateway.

What happens if you specify ipset instead of address and then a hostname is contained in the set... what is returned?

Tomsk, let me see if I understand, you mean what happens if I do ping -a 192.168.0.1 ? It does not resolve the name.


killall -SIGHUP dnsmasq
John9527, thanks for suggesting the kill flag, I'll give it a try so I can test without having to wait for the router to reboot.
 
Maybe I need to clarify a bit... it's rebuilt on a start or nameserver change when done under control of the firmware in normal operation. If you are starting/stopping via the command line, not so. So the @ColinTaylor method of testing above is also valid.


Not sure I understand your question here. Linking dnsmasq to an ipset tells dnsmasq to update the ipset with its lookup result. So if you have an ipset statement with a domain name and ipset name, and access that domain, dnsmasq adds the returned IP address to that ipset. An example where this is useful is where a domain can have multiple IPs, such as a CDN for a streaming service. This way, you don't need to worry about all the individual IPs. Then, for example, you can test against that set in an iptables rule to do traffic redirection.
Thanks John... that part I get... but is dnsmasq itself able to make any use of the ipset, or is it just a one-way street and the ipset is only useful in a firewall rule?
 
Tomsk, let me see if I understand, you mean what happens if I do ping -a 192.168.0.1 ? It does not resolve the name.

It is just curiosity really... I see the below writeup from the dnsmasq man page, and the part about domains and subdomains being matched in the same way as --address got me thinking.

Code:
--ipset=/<domain>/[domain/]<ipset>[,<ipset>]
Places the resolved IP addresses of queries for the specified domains in the specified netfilter ip sets. Domains and subdomains are matched in the same way as --address. These ip sets must already exist. See ipset(8) for more details.
 
Tomsk, let me see if I understand, you mean what happens if I do ping -a 192.168.0.1 ? It does not resolve the name.
Actually, this was a really good question... and when I searched I couldn't find the answer. So... test it. I have some ipsets set up on streaming services.
If the ping reverse DNS matches exactly, it is indeed added to the ipset (hulu.com). If the RDNS resolves to a CDN, no (I used an IP that I know was a result of a Netflix lookup, but resolves to an amazonaws domain, then no).
 
Thanks John... that part I get... but is dnsmasq itself able to make any use of the ipset, or is it just a one-way street and the ipset is only useful in a firewall rule?
I don't know of any way that dnsmasq itself can leverage ipsets.....but I am open to being proved wrong.
 
init-start might not be a reliable place to put your changes. Try creating a dnsmasq.postconf file as described here.
I'm using dnsmasq.postconf for the items that affect the dnsmasq.conf file, but for resolv.conf it has to be done using one of the service scripts, as there is no config file for it in the wiki. In one of the other posts in this forum RMerlin mentions using wan-start as an example, but I'm not using the WAN interface on this router, hence using init-start, which comes before wan-start.

I do see my changes in the file so it's not getting overwritten.
 
I do see my changes in the file so it's not getting overwritten.
OK, that's fair enough :).

I wasn't sure if making changes that affected dnsmasq in the web interface (rather than at boot time) might cause resolv.conf to be regenerated. If it did, then a dnsmasq.postconf script could be written that greps resolv.conf for "search" and, if absent, adds it.

* dnsmasq.postconf can modify any file, not just dnsmasq.conf
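A script of the kind described above, added here as an example and not something posted in the thread: it greps the file for a search line and appends one only when it is absent, so running it repeatedly (for instance from dnsmasq.postconf on every dnsmasq restart) does not pile up duplicate lines. The file path and domain names are assumptions, and the demo writes to a temporary copy rather than to /tmp/resolv.conf. Keep in mind that dnsmasq itself only reads the nameserver lines of its resolv-file, so a search line there only helps programs that read the file directly.

```shell
#!/bin/sh
# Added example (not from the thread): an idempotent "add a search line if it
# is absent" helper in the style of a dnsmasq.postconf script. The file path
# and domain names are assumptions; pass your own.

# ensure_search_line FILE DOMAIN... : append "search DOMAIN..." to FILE unless
# a search line is already present. Prints "added" or "present" so a caller
# (or a log line) can tell which happened.
ensure_search_line() {
    file="$1"; shift
    if grep -q '^search ' "$file" 2>/dev/null; then
        echo present
    else
        echo "search $*" >> "$file"
        echo added
    fi
}

# Demo on a constructed stand-in for /tmp/resolv.conf (a temp file, so the
# real resolver file is never touched). Second call must report "present".
demo_file=$(mktemp)
printf 'nameserver 192.168.0.254\n' > "$demo_file"
ensure_search_line "$demo_file" router1net router2net
ensure_search_line "$demo_file" router1net router2net
cat "$demo_file"
rm -f "$demo_file"
```

The grep anchors on a line starting with `search ` rather than on the word alone, so a nameserver or comment line containing "search" elsewhere does not count as a hit.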
 
I figured it out, I re-read the documentation for the 999th time.

For the "server=" flag it says: An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them.

So by adding "server=//192.168.0.1" it first looks in the DHCP list, then if it does not find it, it forwards the request to any of the servers specified with //.

Also found out the hard way that --resolv-file just reads the nameserver lines; it ignores everything else in the file. The documentation says: Read the IP addresses of the upstream nameservers from <file>, instead of /etc/resolv.conf. For the format of this file see resolv.conf(5). The only lines relevant to dnsmasq are nameserver ones.


@john9527 / @ColinTaylor thanks for the tips on manually running dnsmasq; this helped me figure out how to make it show the logs in debug mode.
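To make the server= matching rules quoted in this thread concrete, here is an added example (my own, not code from the thread or from dnsmasq) that models in shell which upstream dnsmasq would forward a name to, given the three kinds of server= lines discussed here, plus a second check that flags the mutual server=// configuration that produced the loop. The config text is constructed for the demo using the thread's addresses; dnsmasq's local answers (DHCP leases, /etc/hosts) come before any forwarding and are not modeled.

```shell
#!/bin/sh
# Added example, not part of the thread: a small shell model of how dnsmasq
# chooses an upstream from its server= lines, following the documented rules:
#   server=/domain/ip  matches the domain and its subdomains
#   server=//ip        matches only unqualified names (no dots)
#   server=ip          default upstream for everything else
# DEMO_CONF is constructed for the demo; the addresses are the ones in the thread.
DEMO_CONF='server=/router2net/192.168.0.1
server=//192.168.0.1
server=192.168.0.254'

# upstream_for NAME CONF : print the upstream(s) dnsmasq would forward NAME to.
# A matching domain-specific server wins, then the // servers for dot-less
# names, otherwise the default servers.
upstream_for() {
    name="$1"; conf="$2"
    # 1. server=/domain/ip : NAME equals domain or ends in ".domain"
    hit=$(printf '%s\n' "$conf" | awk -v n="$name" -F/ '
        $0 ~ "^server=/[^/]+/" {
            d = $2
            if (n == d || substr(n, length(n) - length(d)) == "." d) print $3
        }')
    [ -n "$hit" ] && { printf '%s\n' "$hit"; return 0; }
    # 2. server=//ip : only consulted for names without a dot
    case "$name" in
        *.*) ;;
        *)
            hit=$(printf '%s\n' "$conf" | sed -n 's#^server=//##p')
            [ -n "$hit" ] && { printf '%s\n' "$hit"; return 0; }
            ;;
    esac
    # 3. server=ip with no slash at all : the default upstreams
    printf '%s\n' "$conf" | sed -n '/^server=[^/]*$/s/^server=//p'
}

# loop_between CONF_A ADDR_A CONF_B ADDR_B : "loop" when A forwards
# unqualified names to B and B forwards them straight back to A (the
# situation the thread hit with server=// on both routers), else "ok".
# ADDR_A / ADDR_B are the routers' LAN addresses as the peer sees them.
loop_between() {
    if printf '%s\n' "$1" | grep -qxF "server=//$4" &&
       printf '%s\n' "$3" | grep -qxF "server=//$2"; then
        echo loop
    else
        echo ok
    fi
}

# Demo: Router1's config from the thread, and a constructed Router2 config
# that mirrors it (server=// pointing back at Router1).
for q in router2.router2net router2net router2 www.example.com; do
    printf '%-20s -> %s\n' "$q" "$(upstream_for "$q" "$DEMO_CONF")"
done
ROUTER2_CONF='server=//192.168.1.1'
echo "router1 <-> router2: $(loop_between "$DEMO_CONF" 192.168.1.1 "$ROUTER2_CONF" 192.168.0.1)"
```

Running the demo shows why "ping router2" worked once server=//192.168.0.1 was added (a dot-less name is sent to the // server) and why two routers configured this way toward each other can bounce an unknown unqualified name between them; a name that Router2 does answer from its own leases never comes back, so the loop only bites for names neither side knows.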
 
I reverted my configuration in the meantime, I don't want the looping behaviour I was creating with the server=// setting.
 