Re: Restrict DNS to given interface?
Ed W
Wed Aug 15 09:02:35 2012
Hi
On 14/08/2012 23:06, Ed W wrote:
>> Hi, DNSMasq has an option to restrict the use of a DNS server to a
>> specific interface. (format is server=1.2.3.4@eth1 )
> No, it means that queries to that DNS server 1.2.3.4 will be sent via
> eth1.
> AFAIK it has no relevance in DNSmasq selecting which DNS server to
> actually query.
You are correct, I phrased that badly. What I *meant* to write is as
your comment, we can enforce requests to that specific DNS server to be
sent down a specific interface.
>> On the surface this seems to be the preferred option for a number of
>> situations, including VPNs, captive portals and similar?
>> Would you consider such a feature request? Is there some existing
>> ability that I might have overlooked that can implement this?
> I'm not entirely sure what you're asking for.
> An application generally tells the host "I want to look up domain foo".
> At no point in this request is an interface specified - it's
> interface agnostic.
>> Additionally, I use some forced routing and iptables options to direct
>> traffic down specific outbound routes. For all intents and purposes
>> this drops traffic except that where it goes down the correct interface,
>> and as such I then only use either my global DNS servers, or the
>> additional servers for that one specific interface.
> What openresolv can do is prefer each interface by metric as such and
> force an ordering on the DNS servers listed.
> Generally DNS resolvers try the forwarders in order first and you can
> force DNSmasq to do this by using the strict-order option.
> Doing this, your 3G DNS servers will be last in the food chain and
> only used if all else fails.
Sure, but I think this causes some significant slowdowns in the event
that the primary DNS is unreachable?
My situation is that I don't have a clear preference metric; we use
source routing so that every client behind the firewall can be routed to
a specific outbound interface, i.e. machine 1 can be forced to use wifi 1,
machine 2 can be forced to use wired inet 1. We mark incoming data
coming into the firewall and then we can route related connections back
out in the correct way, i.e. dnsmasq/squid can mark related outbound
connections to match the incoming connection and we can route based on
those marks, so client traffic can be completely forced out of the
desired connection. I'm finding a few gotchas with this setup; I had
thought that forcing outbound interface might have helped...
Thanks
Ed W
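The per-client mark-based routing Ed describes, together with the dnsmasq server=@interface line as its semantics are clarified above, as an added example that is not part of this thread. All interface names, addresses, marks and table numbers are constructed assumptions; the script only prints the commands unless APPLY=1 is set, since applying them needs root.

```shell
#!/bin/sh
# Added example (not from the thread): route each LAN client out of a
# chosen interface by firewall mark, and bind dnsmasq's upstream query
# for a given server to that interface. All values are constructed.
# Commands are printed (dry run) unless APPLY=1; applying needs root.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# route_client CLIENT_IP MARK IFACE GATEWAY TABLE
# Packets from CLIENT_IP get MARK in mangle/PREROUTING; an ip rule sends
# marked packets to TABLE, whose only default route leaves via IFACE.
# This covers forwarded client traffic only: dnsmasq's own upstream
# queries originate on the router and are handled by dnsmasq_upstream.
route_client() {
    client=$1 mark=$2 iface=$3 gw=$4 table=$5
    run ip route replace default via "$gw" dev "$iface" table "$table"
    run ip rule add fwmark "$mark" lookup "$table"
    run iptables -t mangle -A PREROUTING -s "$client" -j MARK --set-mark "$mark"
}

# dnsmasq_upstream SERVER IFACE
# Emits the dnsmasq.conf line that sends queries for SERVER via IFACE
# (it does not influence which upstream dnsmasq picks; see strict-order).
dnsmasq_upstream() {
    printf 'server=%s@%s\n' "$1" "$2"
}

# Constructed mapping: machine 1 -> wifi 1 (wlan0), machine 2 -> wired inet 1 (eth1).
route_client 192.168.1.10 0x1 wlan0 10.0.0.1 101
route_client 192.168.1.11 0x2 eth1  10.1.0.1 102
dnsmasq_upstream 10.0.0.1 wlan0
dnsmasq_upstream 10.1.0.1 eth1
```

Reply traffic for the marked connections returns on the chosen interface because the per-table default route is the only route those marked packets see.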
Archive administrator: postmaster@marples.name