Re: dns=dnsmasq, directing unqualified names to DHCP-provided-DNS-servers on a specific interface



On Thu, Jan 23, 2020 at 10:16:14AM +0000, Samuel Harmer wrote:
Dear List,

Thoroughly enjoying NetworkManager (NM)! Just one thing I could not find an
obvious method to achieve so thought I would double-check.

I am trying to work out how to define (in NM settings) that an interface should
be used for unqualified lookups. Specifically *unqualified*, I can't make
use of search->fully-qualified as there are private web servers that expect
the browser to be requesting an unqualified hostname. I can't alter this
bizarre (imo) design choice.

With pure dnsmasq I can use `[--]server=//192.168.n.n` and
`[--]server=/local/192.168.n.n` to specify a DNS server to send both
unqualified and private domain lookups to.

With NM I can specify `nmcli [...] set ipv4.dns-search ~local` to have
private zones looked up via NM's dnsmasq (assuming `dns=dnsmasq`), but I
can't see a way to direct (all) unqualified lookups to the interface (or
rather the DNS server(s) provided by the DHCP server on the interface).

The interface is not used as a default gateway, but I am guessing I could
fiddle around with adding back in `~.` and (misusing) ipv4.dns-priority so
all unqualified names go to a private DNS server(s) first, but this feels
like a kludge and would (I guess) still result in the unqualified names
being forwarded on to public DNS servers should one not exist in the
private DNS servers.
A less-kludgy inelegant alternative would be to `echo
"server-file=/etc/NetworkManager/unqualified.servers" >
/etc/NetworkManager/dnsmasq.d/unqualified`, then use a dispatcher to
populate unqualified.servers, followed by SIGHUP NetworkManager's dnsmasq
instance.

Neither option feels right.

Is this a missing feature or have I missed something?

Hi, unlike dnsmasq, NM doesn't have a way to specify that unqualified
domains should be handled differently.

Usually, in such cases a search domain is used, which gets appended by
the resolver to the unqualified name and then it is also used as a
routing domain to direct the query to a specific interface.

Does your private resolver also reply to queries for qualified names
with a specific local domain? If so, you can add 'mydomain' to
'ipv4.dns-search', and then if you type 'webserver' in the browser the
resolver will query 'webserver.mydomain' through that interface.

If that doesn't work for you, the only workarounds I can think of are
the ones you already described.

Beniamino
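
The dispatcher workaround mentioned in the thread could look like the sketch below. It is an added example, not code from either poster or from NetworkManager. It assumes a drop-in under /etc/NetworkManager/dnsmasq.d/ that points dnsmasq at the file (dnsmasq's option for this is `servers-file=`); the interface name `eth1`, the script name and the PID file path are assumptions.

```shell
#!/bin/sh
# Added example: a dispatcher script, e.g. saved as the hypothetical
# /etc/NetworkManager/dispatcher.d/50-unqualified. Assumed values:
IFACE_WANTED="${IFACE_WANTED:-eth1}"   # the private interface
SERVERS_FILE="${SERVERS_FILE:-/etc/NetworkManager/unqualified.servers}"
PID_FILE="${PID_FILE:-/run/NetworkManager/dnsmasq.pid}"

# Print one "server=//ADDR" line per valid IPv4 address in "$1".
# DHCP replies are untrusted input: anything that is not a dotted quad
# is dropped so it cannot add other directives to the root-owned file.
render_servers() (
    set -f                              # no globbing on untrusted words
    for ns in $1; do
        case "$ns" in
            *[!0-9.]*|.*|*.|*..*) continue ;;
        esac
        old_ifs=$IFS; IFS=.; set -- $ns; IFS=$old_ifs
        [ $# -eq 4 ] || continue
        ok=1
        for o in "$@"; do
            [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || ok=0
        done
        if [ "$ok" = 1 ]; then printf 'server=//%s\n' "$ns"; fi
    done
)

# NetworkManager calls dispatcher scripts with: $1=interface $2=action.
update_unqualified() {
    [ "$1" = "$IFACE_WANTED" ] || return 0
    case "$2" in
        up|dhcp4-change|down) ;;
        *) return 0 ;;
    esac
    tmp=$(mktemp "$SERVERS_FILE.XXXXXX") || return 1
    if [ "$2" != down ]; then
        render_servers "${DHCP4_DOMAIN_NAME_SERVERS:-}" > "$tmp"
    fi
    chmod 0644 "$tmp"
    mv "$tmp" "$SERVERS_FILE"           # atomic replace, never half-written
    # SIGHUP makes dnsmasq re-read the servers file.
    if [ -r "$PID_FILE" ]; then kill -HUP "$(cat "$PID_FILE")" || true; fi
    return 0
}

if [ $# -ge 2 ]; then update_unqualified "$1" "$2"; fi
```

On `down` the file is emptied, so unqualified names stop being sent to servers that are no longer reachable.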
