Getting dnsmasq to create and report cname records

Hello, another not-so-easy and not-so-important question.

I have several hosts in my LAN that have multiple aliases, mostly set in the router /etc/hosts file. The /etc/ethers file is also used to assign the canonical name to hosts that I keep on DHCP without a static IP address, then aliases are found in /etc/hosts.

Excerpt from /etc/ethers (made-up MAC-addr):

## /etc/ethers
00:01:02:03:05:05 mybox-canonical

Let us assume dnsmasq is configured to serve 192.168.1.10 to the above host.

Excerpt from /etc/hosts:

## /etc/hosts
192.168.1.10        mybox-canonical mybox ftp www

Is it possible to configure dnsmasq so that it will use all locally known aliases to create and report cname records? Ideally, I would like nslookup on Windows to do the right thing too, and reply along the lines of:

win:c> nslookup mybox.lan
Server:  router.lan
Address:  192.168.1.254

Name:    mybox.lan
Address:  192.168.1.10

Also known as:
mybox-canonical.lan
ftp.lan
www.lan

win:c>

Or something like that. Not sure nslookup on Windows is able to do that, but at least the stock nslookup on linux should?

I do have a working dig on my ubuntu box, so I can check if my new config is working. Well, if I knew how to use dig, that is. What would be an appropriate query to check all aliases for mybox.lan on DNS server router.lan?

The first query would be dig -h

The output from that indicates the next query would be dig @router.lan lan cname mybox

1 Like

Hello, it's you again! :slight_smile:

Ehm, I did try dig -h | grep -i cname

Thanks, I tried but no cname record is reported. I think I have to tweak dnsmasq config on the router. Must cnames be enabled explicitly?

Try just dig -h on its own, without filtering for "cname".

Yes. They're DNS records just like any other. If your DNS server doesn't know about any CNAMEs, it won't be able to tell any clients about them.

I have very little knowledge about the workings of the DNS, and specifically about dnsmasq. That's why I was expecting cname records to have some special status and deserve a specific dig option to be grepped. My ignorance is slowly being eroded by your help. Thank you.

So the appropriate question would be:

How do I tell dnsmasq to create (and serve) cname records automatically from the available information in /etc/hosts and /etc/ethers? Or if dnsmasq isn't able to do that on its own, how do I configure the records manually?

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html contains everything you might ever want to know about dnsmasq, including how to create CNAME records.

Personally, I'd leave /etc/hosts and /etc/ethers out of your DNS so that they can continue to provide local overrides to DNS, or to provide information that only that specific host should know.

There really isn't anything in DNS that will answer "Give me all the names that this host is also known by". Seeing CNAME data is a side effect of some resolution. All a CNAME does is say that "If you're asking me for the IP address of www.example.com, then I know that you should ask somebody about host1423.some-cloud-provider.net for the answer." Note that the CNAME doesn't even have to be resolved by the same resolver, or even the same upper-level domain. A CNAME lets you have one host name be an "alias" of another, so that, among other things, you don't need to maintain the IP address in all the records, some of which you might not even have rights to edit.

Further, the various "names" for a host might not come from CNAME records at all. It's totally valid to have records like (unbound style - "A" record is IPv4 address from name, "AAAA" record is IPv6 address from name):

mac.example.com               A          10.11.12.13
mymac.example.com             A          10.11.12.13
files.example.com             A          10.11.12.13

In this case, you'll never "see" the others in a query for one of them.

Even with CNAME records, you'll only see those that are in the resolution path taken, not those on parallel paths, if you even see them at all. If you ask a resolver about the address for a given host name, if it can give you an answer it doesn't have to "tell" you how it got it.

nslookup is pretty simplistic. dig and drill generally can be used to provide more information.

DNS does a great job with giving information about a specific host. I think it's a terrible tool for trying to reliably capture or query network topology.

2 Likes

I see, thanks @jeff.

My use case wasn't exactly about network topology; rather, I wanted to be able to locate equipment - for example, ask for switch00.lan and get an answer that would point me to switch00-basement.lan; or be reminded of service/open port assignments - for example, ask about ftp.lan and get an answer pointing me to computer-20.lan.

EDIT: I do remember some resolver client that returned known aliases for a cname. Only, I can't remember what system it was. I thought it could be a nifty feature.

I have added a couple cname lines at the end of /etc/dnsmasq.conf, such as

cname=mybox,ftp,www,mybox-canonical

and sent a sighup to dnsmasq with

/etc/init.d/dnsmasq restart

but the dig command on ubuntu didn't notice.

If it's hard to setup I'll probably forget about this at least for the time being, but not being able to set it up in the first place is a bit niggling :slight_smile:

You might need to edit /etc/config/dhcp, and put your CNAME record in UCI syntax.

You might take a look as using TXT records, for example, as one way to store "human-readable" data. SRV records for "services" as well ...

... but do you really want all of that "public" for anyone on your network to be able to query? If you do decide to go that way, perhaps run a "private" instance of unbound or the like that you know how to get to (either or both by host name, or by isolation in a restricted VLAN), but "everyone else" can't.

Yes, many resolvers will return CNAME records that they use in getting to their "answer", but they're not required to do so.

1 Like

If all you're trying to do is have nicknames for your own systems, then CNAME records can do this.

As an example, this is a quick and dirty test from my DNS box at home (called, imaginatively, dns.lan):

/etc/hosts

192.168.69.1    lan-router
/etc/dnsmasq.d/dnsmasq.conf

cname=fred,lan-router
@dig dns.lan lan cname fred

[...]

;; ANSWER SECTION:
fred.                   2       IN      CNAME   lan-router.
lan-router.             2       IN      A       192.168.69.1

My DNS box isn't OpenWRT, so my configuration is straight from the kelleys.org.uk man page. If I was going to do the same on OpenWRT, I'd have to put it into UCI syntax in /etc/dhcp.

@jeff's point about privacy on your network is a valid one. Consider who'll be using your network and how much you want them to know. Then design your network management accordingly.

1 Like

Adding

cname=alias[,alias],cname

entries to /etc/dnsmasq.conf actually works.
It was operator error, though it seems unlikely, or simply a dns caching glitch.

I will leave SRV and TXT records untouched - it's only a small LAN anyway, and the security issues raised by @jeff and reinforced by @iplaywithtoys are real, even if it's only friends and family (none of which are too aware of technical issues; some barely know what an IP address is because I told them).

Thanks as usual. This forum is a real resource.. I might have a few more dnsmasq questions in the future, but still on the futile side :slight_smile:

2 Likes