Re: dnsmasq integration improvement suggestion



On 5/28/22 22:22, Thomas Haller wrote:
> As you say, NetworkManager can run dnsmasq as a DNS plugin by configuring
> `[main].dns=dnsmasq` in `man NetworkManager.conf`.
>
> In that mode, NetworkManager will spawn the dnsmasq process.
> Doing that is undesirable, for several reasons.
>
> I agree, it would be much better, if dnsmasq could run as a separate
> service. In the best case, dnsmasq could be D-Bus activated, then it
> doesn't even have to be a systemd service (although, on systemd systems,
> of course systemd would start the dnsmasq service).
>
> When would dnsmasq reload those files? Usually, we would prefer that
> everything can be configured via D-Bus. Of course, if dnsmasq by
> default runs without D-Bus, then that wouldn't work. What would those
> configuration snippets contain beside `enable-dbus`?
I thought it could contain dnssec for selected networks. However, that is
not possible to set via D-Bus (or alternatives). It requires a restart,
because some structures are initialized in a different way. Just pure
reconfiguration by re-reading the config file is not enough. It would
require no small changes in dnsmasq to allow enabling validation at runtime.
/etc/NetworkManager/dnsmasq.d is a semi-documented thing, where users
could hack the setup by dropping snippets. I wonder how bad it would be
to move away from the way we do it currently. Maybe we could
symlink all files there from /run. Or maybe we would need to add a
separate dns=dnsmasq2 plugin for the new way.


> I would prefer the notion that dnsmasq is just running as a stand-alone
> service, and NetworkManager can push interface-specific DNS
> configuration to it (basically, like with systemd-resolved) and also
> with the notion that there could be other services that configure their
> part. For example, WireGuard's wg-quick could configure the DNS server
> on the WireGuard interface (though, currently I think that would call
> /usr/sbin/resolvconf -- unless systemd-resolved is detected).

There is a problem that no generic interface good for reconfiguration of
running services exists. resolvconf can configure something, and the
openresolv package attempts to do such a thing. Is it possible to make a
generic query to D-Bus (or varlink?) about which services provide some
interface? Then a VPN could send the required configuration to all interested
providers. I am not working with D-Bus often. What would be the best way
for other services to provide a unified API?

I doubt we want each VPN provider to implement all possible DNS caches.
Can a generic API be used instead?

> best,
> Thomas

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik redhat com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
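The thread above turns on two pieces of configuration: the `[main].dns=dnsmasq` setting in NetworkManager.conf that makes NetworkManager spawn dnsmasq, and the semi-documented /etc/NetworkManager/dnsmasq.d drop-in directory where snippets such as `enable-dbus` or `dnssec` can be placed. The script below is an added example written for this page, not code from NetworkManager or dnsmasq: it parses both formats from constructed sample text and reports whether NetworkManager is in dnsmasq-spawning mode, whether any snippet enables D-Bus, and which snippets carry a directive that, as the thread states for `dnssec`, only takes effect after a restart rather than via D-Bus. The file names and contents of the sample snippets and the `RESTART_ONLY` set are assumptions for illustration.

```python
"""Audit NetworkManager's dnsmasq integration from configuration text.

Added example for this thread: parses NetworkManager.conf (INI style) and
dnsmasq drop-in snippets (one directive per line, optional =value, lines
starting with '#' are comments). All sample input below is constructed.
"""
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed NetworkManager.conf: NM spawns dnsmasq as its DNS plugin.
SAMPLE_NM_CONF = """\
[main]
plugins=keyfile
dns=dnsmasq
"""

# Constructed snippets as a user might drop them into
# /etc/NetworkManager/dnsmasq.d/ (hypothetical file name -> contents).
SAMPLE_SNIPPETS: Dict[str, str] = {
    "00-dbus.conf": "enable-dbus\n",
    "10-dnssec.conf": "# validation for selected networks\ndnssec\n",
}

# Directives that the thread says cannot be switched on at runtime through
# D-Bus: dnsmasq must be restarted because validation structures are built
# at startup. Assumption: the set is kept to what the thread mentions.
RESTART_ONLY = {"dnssec"}


def nm_dns_plugin(conf_text: str) -> Optional[str]:
    """Return the value of [main].dns from NetworkManager.conf, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("main", "dns", fallback=None)


def parse_dnsmasq_snippet(text: str) -> List[Tuple[str, Optional[str]]]:
    """Parse a dnsmasq-style config snippet into (directive, value) pairs.

    A bare directive such as 'dnssec' yields a value of None; 'key=value'
    yields the value string. Blank lines and '#' comment lines are skipped.
    """
    directives: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        directives.append((key.strip(), value.strip() if sep else None))
    return directives


def audit(conf_text: str, snippets: Dict[str, str]) -> dict:
    """Summarise how NetworkManager and the drop-in snippets drive dnsmasq."""
    report = {
        "nm_spawns_dnsmasq": nm_dns_plugin(conf_text) == "dnsmasq",
        "dbus_enabled": False,
        "restart_only_directives": {},   # file -> sorted directive names
        "directives": {},                # file -> parsed (key, value) list
    }
    for name, text in snippets.items():
        parsed = parse_dnsmasq_snippet(text)
        report["directives"][name] = parsed
        keys = {key for key, _ in parsed}
        if "enable-dbus" in keys:
            report["dbus_enabled"] = True
        hits = sorted(keys & RESTART_ONLY)
        if hits:
            report["restart_only_directives"][name] = hits
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_NM_CONF, SAMPLE_SNIPPETS)
    print("NetworkManager spawns dnsmasq:", result["nm_spawns_dnsmasq"])
    print("enable-dbus present in a snippet:", result["dbus_enabled"])
    for fname, names in result["restart_only_directives"].items():
        print(f"{fname}: {', '.join(names)} (restart required, not D-Bus)")
```

Pointing `audit` at the real files (read NetworkManager.conf and iterate over the snippet directory) gives a quick check of whether a host is relying on the spawned-dnsmasq mode and on drop-ins that a D-Bus reconfiguration would not pick up.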


