DNSMasq Config Help - Conditional Forwarding

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

djtech2k

Regular Contributor
I had threads on here years ago on this subject but could not come to a full solution for the last problem so I'd like to try again.

I have a DNS server that runs inside of my router that does DNS resolution for a specific domain that only runs in my house. Currently, I have those DNS servers being issued via DHCP and they just resolve my internal domain traffic and forward the rest to the internet. It is configured this way because the way it used to work stopped working suddenly.

The wany I want it to work is that my router would forward all traffic for my internal domain to my internal DNS servers, and then send all other DNS traffic to my ISP DNS servers (or anywhere else on the internet). To me, this sounds like a conditional forwarder. Years ago, I had this working with some entries in the dnsmasq.conf.add and a dnsmasq.postconf script. As I reported in my thread on this a long time ago, that suddenly stopped working, so I had to revert to my current config.

So I am hoping that I can make this work and keep it simple. All internal domain traffic forward to internal DNS server(s), and everything else go to ISP DNS.

Any thoughts?
 

ColinTaylor

Part of the Furniture
Can you show us the previous config you were using that stopped working.

On the face of it you just need to use the sever command.
-S, --local, --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>]][@<interface>][@<source-ip>[#<port>]]
Specify IP address of upstream servers directly. Setting this flag does not suppress reading of /etc/resolv.conf, use --no-resolv to do that. If one or more optional domains are given, that server is used only for those domains and they are queried only using the specified server. This is intended for private nameservers: if you have a nameserver on your network which deals with names of the form xxx.internal.thekelleys.org.uk at 192.168.1.1 then giving the flag --server=/internal.thekelleys.org.uk/192.168.1.1 will send all queries for internal machines to that nameserver, everything else will go to the servers in /etc/resolv.conf. DNSSEC validation is turned off for such private nameservers, UNLESS a --trust-anchor is specified for the domain in question. An empty domain specification, // has the special meaning of "unqualified names only" ie names without any dots in them. A non-standard port may be specified as part of the IP address using a # character. More than one --server flag is allowed, with repeated domain or ipaddr parts as required.

More specific domains take precedence over less specific domains, so: --server=/google.com/1.2.3.4 --server=/www.google.com/2.3.4.5 will send queries for *.google.com to 1.2.3.4, except *www.google.com, which will go to 2.3.4.5

The special server address '#' means, "use the standard servers", so --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries for *.google.com to 1.2.3.4, except *www.google.com which will be forwarded as usual.

Also permitted is a -S flag which gives a domain but no IP address; this tells dnsmasq that a domain is local and it may answer queries from /etc /hosts or DHCP but should never forward queries on that domain to any upstream servers. --local is a synonym for --server to make configuration files clearer in this case.

IPv6 addresses may include an %interface scope-id, eg fe80::202:a412:4512:7bbf%eth0.

The optional string after the @ character tells dnsmasq how to set the source of the queries to this nameserver. It can either be an ip-address, an interface name or both. The ip-address should belong to the machine on which dnsmasq is running, otherwise this server line will be logged and then ignored. If an interface name is given, then queries to the server will be forced via that interface; if an ip-address is given then the source address of the queries will be set to that address; and if both are given then a combination of ip-address and interface name will be used to steer requests to the server. The query-port flag is ignored for any servers which have a source address specified but the port may be specified directly as part of the source address. Forcing queries to an interface is not implemented on all platforms supported by dnsmasq.
 
Last edited:

djtech2k

Regular Contributor
I do not know exactly what it looked like, but I am confident that it is virtually the same as it is now. The main difference is the DNS servers specified in the DHCP scope now points to my internal DNS servers instead of just using the router IP.

dnsmasq.postconf
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh

pc_replace "local=/my.domain/" "" $CONFIG

dnsmasq.conf.add
dhcp-option=lan,6,<<internal DNS IP>>,<<internal DNS IP>>,<<Public DNS>>,<<Public DNS>>
server=/my.domain/<<internal IP>>
dhcp-option=altdns,6,<<Public DNS>>,<<Public DNS>>
dhcp-host=<<MAC Address>>,net:altdns


Now I cannot remember exactly why I set some of these, like the "dhcp-host", but this is my current config that runs all DNS queries to my internal DNS servers, which I would rather not do. I would rather only send name resolution queries for my internal domain to those DNS servers and send all other queries to the public/internet DNS servers.
 

dave14305

Part of the Furniture
Reference to old thread:
 

ColinTaylor

Part of the Furniture
Now I cannot remember exactly why I set some of these, like the "dhcp-host", but this is my current config that runs all DNS queries to my internal DNS servers, which I would rather not do. I would rather only send name resolution queries for my internal domain to those DNS servers and send all other queries to the public/internet DNS servers.
I can understand why you would need to remove the local= line and add the server= line. I'd guess that you are forced to add the dhcp-option=lan,6 line otherwise DHCP clients will not register their names with the DNS server. I don't really see any alternative other than running both DHCP and DNS on the LAN server.

Side note: You could set the clients DNS servers in the GUI instead of using dhcp-option=lan,6 but I guess you wanted to add more than two server addresses.
 
Last edited:

djtech2k

Regular Contributor
Yeah when the problem started, I was finding that DNS responses for my internal domain were coming back as old entries. In other words, I would get IP resolution to old IP's for the name. The config should just forward that traffic and not try to resolve it from what I could see, but it stopped doing that for some reason. Again, this was long ago so I thought I would check to see if there was a new way of it that was fixed.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top