
LCE: Challenges for Linux networking

Posted Nov 8, 2012 9:57 UTC (Thu) by yaap (subscriber, #71398)
Parent article: LCE: Challenges for Linux networking

I'm not sure the needed support is fully there for DNS for a mobile device or even a desktop.

The current situation is that there is only a global list of DNS servers (/etc/resolv.conf). But this is for redundancy only: a next entry in the list is used if no previous entry replied (down), but not if they replied negatively. And this is a limitation with VPN.

Let's say you have a VPN to mycompany.com. Ideally, you would want requests for anything in the mycompany.com domain to go to your company DNS servers. But your personal / non-work related requests would go to your regular ISP. Today this is not possible easily as far as I can see (if you have a solution, please share). So what one does is to send all requests to your company DNS.

But now let's say you're on the road, and want a personal VPN to your home, while having your company VPN on and regular (local) Internet access.
Both your home network and company network will have internal hosts which are not known by any other DNS servers (myserver.home and internalonly.mycompany.com for example). I don't know a way to handle this with DNS only today (hacking your /etc/hosts is possible, but not nice). If it's possible I'd be glad to learn how.

The issue here is that DNS configuration is global, and multiple DNS servers are only for failure protection. You would want DNS local configuration per interface, with some policy configuration (sending requests in a domain advertised for an interface would be enough to address all scenarios above).

This handling is common to all Unix, and is sufficient for servers but not for fancier (but still possible) configurations.
Windows is different but not fully satisfying either IMHO. It has DNS configuration per interface, but will send DNS requests only on one highest priority interface at first. Then on all interfaces if no reply has been received after 1s. So in the scenarios above it would resolve the local/private names, but with a systematic delay of 1s. And it would send useless requests all over.


LCE: Challenges for Linux networking

Posted Nov 8, 2012 10:55 UTC (Thu) by Fowl (subscriber, #65667)

dnsmasq has a configuration to forward queries for certain domains to different dns servers. I use it on my OpenWRT router to forward AD related queries to the Windows box without suffering when it inevitably has a senior's moment.

I believe dnsmasq is now being used as a local dns cache on some distros with ::0/127.0.0.1 being the address in /etc/resolv.conf. By combining these features and with the correct configuration/integration it looks like the dns side could be solved entirely in userspace.

i.e. a local resolver could use the source of a query and current interface/vpn state to route queries properly. As an aside, DNS seems like a good place for "happy eyeballs"/sending requests on multiple interfaces and letting them race for least latency.

LCE: Challenges for Linux networking

Posted Nov 8, 2012 12:38 UTC (Thu) by erwbgy (subscriber, #4104)

The PowerDNS recursive resolver has similar functionality. For example I have:

$ cat /etc/pdns-recursor/recursor.conf
setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1
dont-query=127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, ::1/128
forward-zones-file=/etc/pdns-recursor/forward_zones
$ cat /etc/pdns-recursor/forward_zones
local=10.7.96.21
10.in-addr.arpa=10.7.96.21
$ cat /etc/resolv.conf
nameserver 127.0.0.1
search local
for my '.local' domain managed using the pdns puppet module.
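
Both dnsmasq's per-domain server= entries and the PowerDNS forward-zones file above apply the same rule: the most specific matching zone (longest suffix, on whole label boundaries) decides which upstream gets the query, and anything else goes to the default resolver. The Python below, added here and not taken from either project or from any commenter, reimplements that decision for the company/home/ISP scenario in the thread; the zone table, the home resolver 192.168.1.1 and the default resolver 203.0.113.53 are constructed values.

```python
"""Split-horizon forwarding decision in the style of dnsmasq server=/domain/
and PowerDNS forward-zones: longest matching zone wins, else the default."""

# Constructed forward_zones-style table (zone=server per line); 10.7.96.21 is
# the company resolver from the thread, the other addresses are made up.
ZONES_TEXT = """
# company VPN: internal names and reverse lookups for 10/8
mycompany.com=10.7.96.21
10.in-addr.arpa=10.7.96.21
# personal VPN to home
home=192.168.1.1
"""
DEFAULT_RESOLVER = "203.0.113.53"  # constructed: the ISP resolver


def parse_forward_zones(text):
    """Parse 'zone=server' lines; blank lines and '#' comments are skipped."""
    zones = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        zone, _, server = line.partition("=")
        zones[zone.strip().lower().rstrip(".")] = server.strip()
    return zones


ZONES = parse_forward_zones(ZONES_TEXT)


def reverse_name(ipv4):
    """Build the in-addr.arpa name used for a PTR lookup of an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def choose_resolver(qname, zones=ZONES, default=DEFAULT_RESOLVER):
    """Return the upstream for qname: the longest configured zone that is a
    suffix of the name on a label boundary, or the default resolver."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk from the full name towards the TLD so the longest zone wins first.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            return zones[suffix]
    return default


if __name__ == "__main__":
    for name in ("internalonly.mycompany.com", "myserver.home", "lwn.net"):
        print(name, "->", choose_resolver(name))
```

Matching on label boundaries is what keeps a constructed name such as notmycompany.com away from the company resolver; a plain substring test would leak it there.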

LCE: Challenges for Linux networking

Posted Nov 9, 2012 0:33 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)

I got tired of it and simply linked my AD domain subtree into the global DNS. I've been living happily ever after.

LCE: Challenges for Linux networking

Posted Nov 9, 2012 9:20 UTC (Fri) by yaap (subscriber, #71398)

Thanks a lot, I didn't know about that dnsmasq feature.

I looked a bit at dnsmasq and NetworkManager, and it seems there is already some integration supported. The following page for Ubuntu shows some integration is in the works where indeed dnsmasq is used to handle DNS request routing:
https://blueprints.launchpad.net/ubuntu/+spec/foundations...

With a bit of time (for upstreaming too as I use Debian) it looks as if this will be handled out of the box. Nice!

LCE: Challenges for Linux networking

Posted Nov 8, 2012 14:02 UTC (Thu) by foom (subscriber, #14868)

> You would want DNS local configuration per interface, with some policy configuration (sending requests in a domain advertised for an interface would be enough to address all scenarios above).

Yup, MacOSX does just that, out of the box.

LCE: Challenges for Linux networking

Posted Nov 8, 2012 18:33 UTC (Thu) by Russ.Dill@gmail.com (subscriber, #52805)

I usually use SOCKS5 to solve VPN issues. For some VPNs, that means using ssh to forward a connection, for others, it means running a VPN client in linux.uml and exporting that via SOCKS5. Then, applications can be directed to a specific connection by specifying a proxy, or more complex rules can be used for applications that support a proxy.pac file.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds