Re: Restrict DNS to given interface?
Roy Marples
Wed Aug 15 10:31:46 2012
On 15/08/2012 10:02, Ed W wrote:
>>> Hi, DNSMasq has an option to restrict the use of a DNS server to a
>>> specific interface. (format is server=1.2.3.4@eth1 )
>>
>> No, it means that queries to that DNS server 1.2.3.4 will be sent via
>> eth1.
>> AFAIK it has no relevance in DNSmasq selecting which DNS server to
>> actually query.
>
> You are correct, I phrased that badly. What I *meant* to write is as
> your comment, we can enforce requests to that specific DNS server to be
> sent down a specific interface.
>
> On the surface this seems to be the preferred option for a number of
> situations, including VPNs, captive portals and similar?
No, this option is for when you want to query a DNS server over an
interface that conflicts with your normal routing table. No more, no less.
>>> Would you consider such a feature request? Is there some existing
>>> ability that I might have overlooked that can implement this?
>>
>> I'm not entirely sure what you're asking for.
>> An application generally tells the host "I want to look up domain foo".
>> At no point in this request is an interface specified - it's
>> interface agnostic.
>
> Additionally, I use some forced routing and iptables options to direct
> traffic down specific outbound routes. For all intents and purposes
> this drops traffic except that where it goes down the correct interface,
> and as such I then only use either my global DNS servers, or the
> additional servers for that one specific interface.
>
>
>> What openresolv can do is prefer each interface by metric as such and
>> force an ordering on the DNS servers listed.
>> Generally DNS resolvers try the forwarders in order first and you can
>> force DNSmasq to do this by using the strict-order option.
>> Doing this, your 3G DNS servers will be last in the food chain and
>> only used if all else fails.
>
> Sure, but I think this causes some significant slowdowns in the event
> that the primary DNS is unreachable?
>
> My situation is that I don't have a clear preference metric, we use
> source routing so that every client behind the firewall can be routed to
> a specific outbound interface, ie machine 1 can be forced to use wifi 1,
> machine 2 can be forced to use wired inet 1. We mark incoming data
> coming into the firewall and then we can route related connections back
> out in the correct way, ie dnsmasq/squid can mark related outbound
> connections to match the incoming connection and we can route based on
> those marks, so client traffic can be completely forced out of the
> desired connection. I'm finding a few gotchas with this setup, I had
> thought that forcing outbound interface might have helped...
I understand how you route to specific machines.
However, I don't understand how you can possibly do this for DNS lookups.
Given a DNS server on wired with domain foo, another on wireless with
domain bar and another on 3G without a domain, openresolv allows this
when using DNSmasq, unbound, bind, etc.
If I lookup aaa.foo, it will query wired DNS first, then wireless, then 3G.
If I lookup aaa.bar, it will query wireless DNS first, then wired, then 3G.
If I lookup xxx.com it will query wired DNS, then wireless then 3G.
We just don't know at the point of lookup which interface a request for
xxx.com is actually for, hence I think the above is your only real solution.
Thanks
Roy
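A small model, added here and not part of the thread, openresolv or dnsmasq, of the two orderings discussed above: the metric-ranked strict-order forwarder list Roy quotes, and the domain-first lookup order he describes for the wired (foo), wireless (bar) and 3G (no domain) servers. Interface names, metrics and addresses are constructed; the ranking rule is an assumption, not openresolv's source.

```python
# Constructed model of per-interface resolver ordering (not openresolv code).
from dataclasses import dataclass
from typing import List

@dataclass
class Iface:
    name: str
    metric: int              # lower metric = preferred interface (assumed)
    nameservers: List[str]
    domain: str = ""         # "" = no domain, e.g. the 3G link in the thread

# Constructed sample: wired serves foo, wireless serves bar, 3G has no domain.
IFACES = [
    Iface("ppp0", 300, ["10.3.0.1"]),
    Iface("wlan0", 200, ["192.168.2.1"], "bar"),
    Iface("eth0", 100, ["192.168.1.1"], "foo"),
]

def dnsmasq_lines(ifaces):
    """strict-order approach from the thread: forwarders by metric, 3G last."""
    lines = ["strict-order"]
    for i in sorted(ifaces, key=lambda x: x.metric):
        lines.extend(f"server={ns}" for ns in i.nameservers)
    return lines

def query_order(name, ifaces):
    """Domain-aware order: an interface whose domain is a suffix of `name`
    goes first, the rest follow by metric (aaa.foo -> wired, wireless, 3G)."""
    labels = name.lower().rstrip(".").split(".")
    def matches(i):
        dom = i.domain.lower().split(".") if i.domain else []
        return bool(dom) and labels[-len(dom):] == dom
    ranked = sorted(ifaces, key=lambda i: (0 if matches(i) else 1, i.metric))
    return [ns for i in ranked for ns in i.nameservers]

if __name__ == "__main__":
    print("\n".join(dnsmasq_lines(IFACES)))
    for n in ("aaa.foo", "aaa.bar", "xxx.com"):
        print(n, "->", query_order(n, IFACES))
```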