 
 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  DNS forwarder problem
 Date:  Thu, 01 Mar 2007 13:22:08 +0100
Hi,

I found out an interesting behaviour of the dnsmasq DNS forwarder: It
always resolves the local machine's name to an IP address, too. For
example: If you have configured your m0n0wall with the name mymono and
have enabled the DNS forwarder, your m0n0wall will answer to an nslookup
with the IP address of the LAN interface. Why is this problematic? I've
configured the captive portal with a redirect to mymono on the opt
interface (HTTPS server name). Since mymono is resolvable at the
outside, too, I've told the DNS forwarder to override mymono to the IP
on the opt interface. So far so good. Now my clients on the opt side are
resolving mymono to two IP addresses: the one of the inside interface
and the correct one of the opt interface. Windows seems to have little
problems with that configuration, but the Mac clients often get a
timeout in the browser (because the captive portal redirects are going
to the wrong IP).

, so I looked a little bit deeper into it, to understand why dnsmasq
resolves its own hostname. dnsmasq answers requests to every hostname
found in /etc/hosts. Normally those are localhost and the hostname of the
machine itself. If one has configured other hostnames to be overridden by
the resolver they are filled into /etc/hosts, too. To avoid resolving
the hostname of the firewall, I would define a second file called
hosts.dnsmasq and fill in localhost and every hostname to be overridden
by the resolver. Then I would call dnsmasq with -h and
-H /etc/hosts.dnsmasq:

-h, --no-hosts
        Don't read the hostnames in /etc/hosts.
-H, --addn-hosts=<file>
        Additional hosts file. Read the specified  file  as  well as
        /etc/hosts. If -h is given, read only the specified  file.  This
        option  may be repeated for more than one additional hosts file.

If we only want to resolve one host to one IP address, we could use -y
instead:

-y, --localise-queries
     Return answers to DNS queries from /etc/hosts  which  depend  on
     the  interface  over  which the query was received. If a name in
     /etc/hosts has more than one address associated with it, and  at
     least one of those addresses is on the same subnet as the inter-
     face  to  which  the  query  was  sent,  then  return  only  the
     address(es)  on  that  subnet. This allows for a server  to have
     multiple addresses in /etc/hosts corresponding to  each  of  its
     interfaces,  and  hosts  will  get  the correct address based on
     which network they are attached to. Currently this  facility  is
     limited to IPv4.

I would expect the firewall's DNS forwarder to forward requests only and
not to answer them on its own behalf (except for the ones it has an
explicit overwrite entry), so -h -H <filename> would be my preferred
way.

Comments on this would be appreciated.

BR, PIT


---------------------------------------------------------------------------
 copyleft(c) by |           (Never thought I'd be telling Malcolm and
 Peter Allgeyer |   _-_     Ilya the same thing... :-)   -- Larry Wall
                | 0(o_o)0   in <199711071819 dot KAA29909 at wall dot org>
---------------oOO--(_)--OOo-----------------------------------------------
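
The behaviour described in the message above, as an added example that is not part of the original post or of m0n0wall or dnsmasq: a small Python model of the hosts-file lookup that compares the default answer, the documented `-y` filtering, and a separate `-h -H` hosts file. The interface addresses, hosts entries and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions): firewall "mymono", LAN and OPT nets.
INTERFACES = {
    "lan": ipaddress.ip_interface("192.168.1.1/24"),
    "opt": ipaddress.ip_interface("10.0.0.1/24"),
}
# /etc/hosts as the post describes it: own name on LAN plus the OPT override.
ETC_HOSTS = """\
127.0.0.1   localhost
192.168.1.1 mymono
10.0.0.1    mymono    # DNS forwarder override
"""

def parse_hosts(text):
    """Parse hosts-file text into {name: [addresses]}, ignoring # comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr = ipaddress.ip_address(fields[0])
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table

def answer(table, name, iface, localise=False):
    """Addresses returned for `name` when the query arrives on `iface`.
    localise=True models the documented -y rule: if at least one address is
    on the receiving interface's subnet, return only those (IPv4 only).
    """
    addrs = table.get(name.lower(), [])
    if localise:
        net = INTERFACES[iface].network
        local = [a for a in addrs if a.version == 4 and a in net]
        if local:
            return local
    return addrs

def build_addn_hosts(overrides):
    """Text for a hosts.dnsmasq file (-h -H): localhost plus overrides only."""
    lines = ["127.0.0.1 localhost"] + [f"{ip} {name}" for name, ip in overrides]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    full = parse_hosts(ETC_HOSTS)
    only = parse_hosts(build_addn_hosts([("mymono", "10.0.0.1")]))
    for label, tbl, loc in (("default", full, False), ("-y", full, True), ("-h -H", only, False)):
        print(label, {i: [str(a) for a in answer(tbl, "mymono", i, loc)] for i in INTERFACES})
```

In this model the `-h -H` file hands the OPT address to LAN clients as well, while `-y` gives each side the address on its own subnet.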