Dnsmasq with auth-zone while using multiple dnsmasq-instances

Hey.

I have the following dnsmasq config:


#######################################################################
# Domain and Sub-Domains
# Presumably the /etc/dnsmasq.conf referred to further down in the post.
# Each (sub)domain is forwarded to the address of the dnsmasq instance that
# serves that VLAN, with one IPv4 and one IPv6 forwarder per zone.  dnsmasq
# applies the longest matching domain, so the two home.arpa lines catch
# everything that is not listed more specifically below them.
server=/home.arpa/192.168.0.1
server=/home.arpa/fde6:a09a:b373::1

server=/net.mgmt.home.arpa/192.168.16.1
server=/net.mgmt.home.arpa/fde6:a09a:b373:10::1

server=/srv.mgmt.home.arpa/192.168.17.1
server=/srv.mgmt.home.arpa/fde6:a09a:b373:11::1

server=/srv.home.arpa/192.168.24.1
server=/srv.home.arpa/fde6:a09a:b373:18::1

server=/printer.iot.home.arpa/192.168.49.1
server=/printer.iot.home.arpa/fde6:a09a:b373:31::1

server=/htpc.iot.home.arpa/192.168.56.1
server=/htpc.iot.home.arpa/fde6:a09a:b373:38::1

server=/admin.clients.home.arpa/192.168.64.1
server=/admin.clients.home.arpa/fde6:a09a:b373:40::1

server=/user.clients.home.arpa/192.168.65.1
server=/user.clients.home.arpa/fde6:a09a:b373:41::1

server=/guest.clients.home.arpa/192.168.71.1
server=/guest.clients.home.arpa/fde6:a09a:b373:47::1

# Reverse (PTR) delegations for the same networks, one per VLAN, pointing at
# the same per-VLAN instance as the forward zone above.
# NOTE(review): there is no reverse entry for 192.168.56.0/24 nor for
# fde6:a09a:b373:38::/64 (htpc.iot), although both are forwarded above --
# confirm whether that omission is intentional.
  server=/0.168.192.in-addr.arpa/192.168.0.1
 server=/16.168.192.in-addr.arpa/192.168.16.1
 server=/17.168.192.in-addr.arpa/192.168.17.1
 server=/24.168.192.in-addr.arpa/192.168.24.1
 server=/49.168.192.in-addr.arpa/192.168.49.1
 server=/64.168.192.in-addr.arpa/192.168.64.1
 server=/65.168.192.in-addr.arpa/192.168.65.1
 server=/71.168.192.in-addr.arpa/192.168.71.1


# IPv6 reverse zones (nibble format) for the fde6:a09a:b373::/48 prefix.
server=/0.0.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373::1
server=/0.1.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373:10::1
server=/1.1.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373:11::1
server=/8.1.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373:18::1
server=/1.3.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373:31::1
server=/0.4.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373:40::1
server=/1.4.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373:41::1
server=/7.4.0.0.3.7.3.b.a.9.0.a.6.e.d.f.ip6.arpa/fde6:a09a:b373:47::1
#######################################################################
# OpenWrt UCI dhcp config (presumably /etc/config/dhcp -- confirm): one
# dnsmasq instance per zone, each bound to its own interface.
# LOOPBACK
config dnsmasq 'loopback_dns'
    # Parent zone.  'local' means names under home.arpa are answered from
    # this instance's own data and never forwarded upstream.
    option  domain              'home.arpa'
    option  local               '/home.arpa/'
    option  addnmount           '/usr/local/var/run'
    # No DHCP is served from loopback, so no lease file is kept.
    option  leasefile           '/dev/null'
    option  resolvfile          '/usr/local/var/run/resolv.conf.d/resolv.conf.auto'
    list    interface           'loopback'
    # rebind_protection is a boolean that is normally declared with 'option',
    # not 'list'.  A value of 0 switches DNS rebinding protection off for this
    # instance; with it off the rebind_domain allow-list below has no effect
    # (I believe the init script only emits --rebind-domain-ok when protection
    # is enabled -- verify against dnsmasq.init).  Since home.arpa is already
    # allow-listed, leaving protection at '1' would be the safer choice.
    list    rebind_protection   '0'
    list    rebind_domain       '/home.arpa/'
    option  add_local_domain    '1'
    option  add_local_fqdn      '0'
    option  fqdn                '1'
    # 0 = do not restrict service to directly attached subnets
    # (--local-service not set); the instance relies on its interface
    # binding instead.
    option  localservice        '0'
    option  cachesize           '1000'
    option  dnsforwardmax       '1000'

# Static alias and SRV record served by the loopback instance.
config cname
    option  cname               'ntp.home.arpa.'
    option  target              'cpe.home.arpa.'

config srvhost
    option  srv                 '_ntp._udp.home.arpa.'
    option  target              'ntp.home.arpa.'
    option  port                '123'


#######################################################################
# VLAN 16/0x10: net.mgmt
config dnsmasq 'vlan16_dns'
    option  domain              'net.mgmt.home.arpa'
    option  local               '/net.mgmt.home.arpa/'
    option  addnmount           '/usr/local/var/run'
    # Per-instance lease file, separate from the other VLAN instances.
    option  leasefile           '/usr/local/var/run/dhcp.leases.vlan16'
    option  resolvfile          '/usr/local/var/run/resolv.conf.d/resolv.conf.auto'
    list    interface           'vlan16'
    list    notinterface        'loopback'
    # Anything under home.arpa that this instance does not own is handed to
    # the loopback instance (same address as in the dnsmasq.conf server=
    # lines above).
    list    server              '/home.arpa/192.168.0.1'
    # Same remark as for loopback_dns: protection disabled, so the
    # allow-list below is moot.
    list    rebind_protection   '0'
    list    rebind_domain       '/home.arpa/'
    option  add_local_domain    '0'
    option  add_local_fqdn      '0'
    option  fqdn                '1'
    option  localservice        '0'
    option  cachesize           '1000'
    option  dnsforwardmax       '1000'

config dhcp                     'vlan16'
    option  interface           'vlan16'
    # Binds this pool to the vlan16_dns instance above.
    option  instance            'vlan16_dns'
    option  dhcpv4              'server'
    option  start               '32'
    option  limit               '215'
    # Clients are pointed at this VLAN's own resolver; NTP comes from the
    # loopback/cpe address.
    list    dhcp_option         'option:dns-server, 192.168.16.1'
    list    dhcp_option         'option:domain-name, net.mgmt.home.arpa.'
    list    dhcp_option         'option:ntp-server, 192.168.0.1'
    # NOTE(review): the two lines below carry trailing '# PCode' / '# TCode'
    # after the value -- confirm UCI tolerates inline comments here; if it
    # does not, the whole file may fail to parse.
    list    dhcp_option         '100,UTC'  # PCode
    list    dhcp_option         '101,UTC'  # TCode
    list    dhcp_option         'option:domain-search, net.mgmt.home.arpa.'
    option  dhcpv6              'server'
    list    dhcp_option         'option6:dns-server, [fde6:a09a:b373:10::1]'
    list    dhcp_option         'option6:domain-search, net.mgmt.home.arpa.'
    list    dhcp_option         'option6:ntp-server, ntp.home.arpa.'
    option  leasetime           '1h'
    option  logdhcp             '1'
    # Router advertisements with the M and O flags set; ra_slaac additionally
    # lets clients autoconfigure addresses.
    option  ra                  'server'
    option  ra_slaac            '1'
    option  ra_useleasetime     '1'
    list    ra_flags            'managed-config'
    list    ra_flags            'other-config'
    # Serve DHCP on vlan16 even if another DHCP server is detected there.
    option  force               '1'

# and so on...

I can happily dig in the backyard with dig -type [A|AAAA|ANY] and dig -x ${IP} and get fine results.

Then I wanted to enable and use auth-server and auth-zone.
The funny thing is, I can query pc:~# dig AXFR home.arpa. and get a bunch of records; but I no longer get results for -t ANY. Also strange: A seems to work all the time, but AAAA no longer works at all. So this rather feels unsafe and broken.
I assume it comes from the multiple-instance setup with dedicated listening interfaces and zone delegations (see the explicit configuration in /etc/dnsmasq.conf), .... but as auth-server seems to be a global setting, ${things} now hit the fan from here on.
I had to cheat and use a dummy interface, because I could not assign and use a new address on loopback, since loopback was already exclusively tied to an instance... So I disabled auth-* for now and am back to my previous config.

TL;DR: Does anyone have a working multiple-dnsmasq-instance setup with dedicated/specific domains per instance, where dnsmasq fakes/emulates a more or less functional authoritative server?

(The dnsmasq mailing list has some posts on how to use it, but it is rather quiet on that topic in the light of multiple zones and their domains.
It's also just so hacky and wrong right from the start to use dnsmasq at all for such a task; but I still struggle with whether I really want to take the hit of running kea and bind9 at home...)

What I've tried, which resulted in total or partial broken setups:

# Using loopback resulted in complaints that the (address) socket is already in use and can not be used at all
#auth-server=cpe.home.arpa,lo
# Using a dummy interface got me at least a listening socket
#auth-server=cpe.home.arpa,dummy0

# Then for each zone we set an auth-zone, so far so good.
# NOTE(review): all of these zones nest inside home.arpa; how dnsmasq
# separates the child zones from the parent for AXFR and for ANY/AAAA
# answers is worth confirming before relying on this layout.
#auth-zone=home.arpa
#auth-zone=net.mgmt.home.arpa
#auth-zone=srv.mgmt.home.arpa
#auth-zone=printer.iot.home.arpa
#auth-zone=htpc.iot.home.arpa
#auth-zone=admin.clients.home.arpa
#auth-zone=user.clients.home.arpa
#auth-zone=guest.clients.home.arpa
#
# Grant access to localhost and my pc
# Keep auth-peer set whenever auth-server is active: per the dnsmasq manual,
# without it zone transfers (AXFR) are accepted from any client that can
# reach the auth-server address.
#auth-peer=127.0.0.1,::1,192.168.64.173,fde6:a09a:b373:40::xxxx

Yeah, I've played with auth-zone a few times and never got it working either.

Is this one of the threads you poked through? None of it seemed to work for me. https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2023q4/017337.html

Bump.

@efahl I wondered how much of a hassle it would be to port the default OpenWrt setup to kea and bind to get a fully featured, standards-conformant software setup.... Have you gained any experience with that?

Sure, this would not be fit for 32 MB devices, but many folks have x86 nowadays with plenty of disk space.... and CPU cores, too. I'm more thinking about it than being serious, of course... But in the end it could be a net positive to use fully featured "bloated" software instead of minimal, stripped-down implementations IF we have the space and resources....

I'd think it's a lot of work converting over to anything from dnsmasq.

I'd be more inclined to switch over to unbound; I think it has a much more modern architecture than bind, and I played with it a bunch a few years back, along with its sibling, nsd, on an alma box I set up as a dns playground. Multiple zones, multiple instances doing zone transfers, that sort of stuff... It's pretty nice and seemed extremely robust (which isn't surprising given its pedigree).

https://nlnetlabs.nl/projects/unbound/about/
https://nlnetlabs.nl/projects/nsd/about/