9

I am setting up a small private network within my University network. I have a Centos 6 box (sun) sitting between my private network and the university WAN. eth0 on the sun is connected to the WAN and eth1 to my private network via a netgear smart switch. sun acts as a router for the private network, forwards traffic from eth1 to eth0 using NAT configured using iptables. The clients on the private network (of which there is just at the moment, mercury) are assigned an IP, gateway etc and hostname via dnsmasq running on the sun. dnsmasq is configured to send a specific IP and hostname to the MAC address(es) of the client(s).

I have hardcode the hostname/IPs in /etc/hosts on sun only:

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.42.1    sun sun.beowulf.iecs
192.168.42.2    mercury mercury.beowulf.iecs

At the moment, the IP address of eth0 (WAN facing) is assigned via DHCP (sun eth0 gets assigned the same IP all the time regardless; this is how the University does things but I'm in the process of getting this changed to allow me to assign a static IP). My /etc/resolv.conf on sun is:

; generated by /sbin/dhclient-script
search biol.uregina.ca
nameserver 142.3.102.202
nameserver 142.3.100.15

which seems to be being overwritten when I reboot so I have the following /etc/dnsmasq-resolv.conf

search beowulf.iecs biol.uregina.ca
nameserver 127.0.0.1
nameserver 8.8.8.8

and have instructed dnsmasq to use it instead of /etc/resolv.conf

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
resolv-file=/etc/dnsmasq-resolv.conf

# By  default,  dnsmasq  will  send queries to any of the upstream
# servers it knows about and tries to favour servers to are  known
# to  be  up.  Uncommenting this forces dnsmasq to try each query
# with  each  server  strictly  in  the  order  they   appear   in
# /etc/resolv.conf
strict-order

Mostly this setup is working. The problem I have (and I'm not sure it is a major one, but...) is that nslookup and dig both fail to resolve names for sun and mercury unless I inform these commands which DNS server to query:

# nslookup sun.beowulf.iecs sun.beowulf.iecs
Server:     sun.beowulf.iecs
Address:    192.168.42.1#53

Name:   sun.beowulf.iecs
Address: 192.168.42.1

# nslookup sun sun.beowulf.iecs
Server:     sun.beowulf.iecs
Address:    192.168.42.1#53

Name:   sun
Address: 192.168.42.1

# nslookup sun
Server:     142.3.102.202
Address:    142.3.102.202#53

** server can't find sun: NXDOMAIN

# nslookup sun.beowulf.iecs
Server:     142.3.102.202
Address:    142.3.102.202#53

** server can't find sun.beowulf.iecs: NXDOMAIN

The same output is given for mercury instead of **sun*. Representative dig output is:

# dig @192.168.42.1 mercury.beowulf.iecs

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @192.168.42.1 mercury.beowulf.iecs
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65090
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mercury.beowulf.iecs.      IN  A

;; ANSWER SECTION:
mercury.beowulf.iecs.   0   IN  A   192.168.42.2

;; Query time: 0 msec
;; SERVER: 192.168.42.1#53(192.168.42.1)
;; WHEN: Wed Jun 25 12:05:31 2014
;; MSG SIZE  rcvd: 54

and not working when I don't specify the nameserver to use: 

# dig mercury.beowulf.iecs

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> mercury.beowulf.iecs
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29153
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mercury.beowulf.iecs.      IN  A

;; AUTHORITY SECTION:
.           7988    IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2014062500 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 142.3.102.202#53(142.3.102.202)
;; WHEN: Wed Jun 25 12:05:37 2014
;; MSG SIZE  rcvd: 113

In the last example above (dig) the SERVER: 142.3.102.202#53(142.3.102.202) is the first DNS server in /etc/resolv.conf so by default sun seems to be using this nameserver instead of dnsmasq that I would have expected it to use because of the settings in /etc/dnsmasq.conf.

So, is this a problem? I can ping sun and mercury from sun, and connect to mercury from sun using SSH.

If this is a problem (or even if it isn't), is there a way to configure sun and dnsmasq running on it to resolve the private host names automatically?

Gavin Simpson
  • 285
  • 1
  • 5
  • 11
  • Do you have a nameserver running on your localhost? – jeffatrackaid Jun 25 '14 at 18:32
  • @jeffatrackaid Yes, dnsmasq running on the Centos box, **sun** in the above Q. – Gavin Simpson Jun 25 '14 at 18:33
  • 1
    Appears you are querying different nameservers. Appears 142.3.102.202 does not have any A records configured for the domain. So I am not sure where you are managing records? – jeffatrackaid Jun 25 '14 at 18:38
  • @jeffatrackaid Thanks again. Between your comment here and Iain's answer, I have realised my mistake. Whilst I may have instructed dnsmasq to not use `/etc/resolv.conf`, **sun** doesn't know about this and continues to use `/etc/resolv.conf`, which is being overwritten by `dhclient-script` when it asks for an IP address from the WAN DHCP server. FWIW, the private DNS information is being served from **sun** (192.168.42.1), but **sun** doesn't know this because of what is in `/etc/resolv.conf` – Gavin Simpson Jun 25 '14 at 19:03

2 Answers2

9

dig (domain information groper) and nslookup (query Internet name servers interactively) are tools that query name servers. Unless a specific name server is specified as a commandline argument they will query the name server(s) found in /etc/resolv.conf. They simply don't look at alternative sources of host information such as the /etc/hosts file or other sources specified in /etc/nsswitch.conf.

If you want to force all dns queries through dnsmasq on your sun host, the /etc/resolv.conf there should point to dnsmasq, i.e. it should look like:

#/etc/resolv.conf on sun
nameserver 127.0.0.1

To prevent that file from getting overwritten when you restart the network interface eth0 edit /etc/sysconfig/network-scripts/ifcfg-eth0 and add the option PEERDNS=no

Second in /etc/dnsmasq-resolv.conf you're trying to configure dnsmasq to use itself as the upstream name server nameserver 127.0.0.1... That file should look like:

#/etc/dnsmasq-resolv.conf
search beowulf.iecs biol.uregina.ca
nameserver 8.8.8.8

if you want to use Google's name server. It might be a good idea to use the University name servers 142.3.102.202 & 142.3.100.15 there instead as it is not uncommon to have certain resources only visible from the campus network.

If your mercury host is configured by DHCP it should get it's configuration from dnsmasq and the /etc/resolv.conf there points to the dnsmasq name server on 192.168.42.1

HBruijn
  • 77,029
  • 24
  • 135
  • 201
  • +1 Thanks for this. I had come to realisation too that **sun** itself will use whatever is in `/etc/resolv.conf` to resolve names. I was conflating the dnsmasq configuration with what **sun** was actually using. Note the `8.8.8.8` in `/etc/dnsmasq-resolv.conf` was there just temporarily as when I edited it I didn't have the IPs of the University domain servers immediately to hand. I will specify those nameservers when I finalise this. To fully solve my problem, until the University assigns me a properly static IP, I'll need to stop `dhclient-script` overwriting `/etc/resolv.conf`. Thanks again – Gavin Simpson Jun 25 '14 at 19:13
  • Accepting this answer because it is more specific to my actual problem and contains more detail. That said, I diagnosed the problem (my mistaken thinking) from Iain's answer and comments from @jeffatrackaid. – Gavin Simpson Jun 25 '14 at 20:28
4

The 142.3.102.202 and 142.3.100.15 do not know anything about your local private network so they correctly return NXDOMAIN. These are also the default name servers for the system so when you don't specify a name server they will be used.

You will need to overwrite the contents of /etc/resolv.conf and configure the nameserver directives to point to your local dnsmasq name server which in turn should be configured to forward queries it cannot answer upstream.

Philip Allgaier
  • 268
  • 1
  • 5
  • 18
user9517
  • 115,471
  • 20
  • 215
  • 297
  • Thanks for this. If I temporarily insert `nameserver 127.0.0.1` into `/etc/resolv.conf` and comment out the other entries, then `dig` and `nslookup` work correctly. I hadn't fully groked that even though dnsmasq wasn't using `/etc/resolv.conf`, the computer **sun** was still using the information therein. So it seems to fully sort this out I'll need to work out how to stop `dhclient` overwriting `/etc/resolv.conf` until I am assigned a static IP by the WAN admins. – Gavin Simpson Jun 25 '14 at 19:06
  • 1
    @GavinSimpson this may be a way to set the nameservers in /etc/resolv.conf http://unix.stackexchange.com/questions/3668/what-file-to-i-have-to-edit-to-make-static-dns-server-in-centos – user9517 Jun 25 '14 at 21:16
  • Thanks again Iain; I too had just discovered that `PEERDNS=no` solution via a different route. Adding that to `/etc/sysconfig/network-scripts/ifcfg-eth0` solved the overwriting of `/etc/resolv.conf` for me. – Gavin Simpson Jun 25 '14 at 21:35