From 366178eb52c78bef4bfefb9005af46d47fb0a9a9 Mon Sep 17 00:00:00 2001
Message-Id: <366178eb52c78bef4bfefb9005af46d47fb0a9a9.1391615407.git.jdenemar@redhat.com>
From: Laine Stump <laine@laine.org>
Date: Wed, 5 Feb 2014 03:09:10 -0700
Subject: [PATCH] network: only prevent forwarding of DNS requests for
unqualified names
https://bugzilla.redhat.com/show_bug.cgi?id=1061099
In commit f386825 we began adding the options
--domain-needed
--local=/$mydomain/
to all dnsmasq commandlines with the stated reason of preventing
forwarding of DNS queries for names that weren't fully qualified
domain names ("FQDN", i.e. a name that included some "."s and a domain
name). This was later changed to
domain-needed
local=/$mydomain/
when we moved the options from the dnsmasq commandline to a conf file.
The original patch on the list, and discussion about it, is here:
https://www.redhat.com/archives/libvir-list/2012-August/msg01594.html
When a domain name isn't specified (mydomain == ""), the addition of
"domain-needed local=//" will prevent forwarding of domain-less
requests to the virtualization host's DNS resolver, but if a domain
*is* specified, the addition of "local=/domain/" will prevent
forwarding of any requests for *qualified* names within that domain
that aren't resolvable by libvirt's dnsmasq itself.
An example of the problems this causes - let's say a network is
defined with:
<domain name='example.com'/>
<dhcp>
..
<host mac='52:54:00:11:22:33' ip='1.2.3.4' name='myguest'/>
</dhcp>
This results in "local=/example.com/" being added to the dnsmasq options.
If a guest requests "myguest" or "myguest.example.com", that will be
resolved by dnsmasq. If the guest asks for "www.example.com", dnsmasq
will not know the answer, but instead of forwarding it to the host, it
will return NOT FOUND to the guest. In most cases that isn't the
behavior an admin is looking for.
A later patch (commit 4f595ba) attempted to remedy this by adding a
"forwardPlainNames" attribute to the <dns> element. The idea was that
if forwardPlainNames='yes' (default is 'no'), we would allow
unresolved names to be forwarded. However, that patch was botched, in
that it only removed the "domain-needed" option when
forwardPlainNames='yes', and left the "local=/mydomain/".
Really we should have been just including the option "--domain-needed
--local=//" (note the lack of domain name) regardless of the
configured domain of the network, so that requests for names without a
domain would be treated as "local to dnsmasq" and not forwarded, but
all others (including those in the network's configured domain) would
be forwarded. We also shouldn't include *either* of those options if
forwardPlainNames='yes'. This patch makes those corrections.
This patch doesn't remedy the fact that default behavior was changed
by the addition of this feature. That will be handled in a subsequent
patch.
(cherry picked from commit f69a6b987d616cf2679ec551a8b905b6a2aace6d)
Conflicts:
src/network/bridge_driver.c - <forwarder> was added upstream
tests/networkxml2confdata/nat-network-dns-forwarders.conf - this
test was added upstream
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
---
src/network/bridge_driver.c | 16 ++++++----------
tests/networkxml2confdata/dhcp6-network.conf | 4 ++--
tests/networkxml2confdata/nat-network-dns-hosts.conf | 4 ++--
tests/networkxml2confdata/netboot-network.conf | 4 ++--
tests/networkxml2confdata/netboot-proxy-network.conf | 4 ++--
5 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 57c88ae..678ab6d 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -698,9 +698,6 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
"strict-order\n",
network->def->name);
- if (!network->def->dns.forwardPlainNames)
- virBufferAddLit(&configbuf, "domain-needed\n");
-
if (network->def->domain) {
virBufferAsprintf(&configbuf,
"domain=%s\n"
@@ -708,14 +705,13 @@ networkDnsmasqConfContents(virNetworkObjPtr network,
network->def->domain);
}
- if (network->def->domain || !network->def->dns.forwardPlainNames) {
- /* need to specify local even if no domain specified, unless
- * the config says we should forward "plain" names (i.e. not
- * fully qualified, no '.' characters)
+ if (!network->def->dns.forwardPlainNames) {
+ virBufferAddLit(&configbuf, "domain-needed\n");
+ /* need to specify local=// whether or not a domain is
+ * specified, unless the config says we should forward "plain"
+ * names (i.e. not fully qualified, no '.' characters)
*/
- virBufferAsprintf(&configbuf,
- "local=/%s/\n",
- network->def->domain ? network->def->domain : "");
+ virBufferAddLit(&configbuf, "local=//\n");
}
if (pidfile)
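Review bot: The explanatory comment in the new `if (!network->def->dns.forwardPlainNames)` block sits between the two `virBufferAddLit` calls, so it reads as justifying only `local=//` while the `domain-needed` line directly above it gets no explanation, although the two options only make sense together. Moving the comment above the `if` and covering both would make the intent clearer, e.g. `/* Unless forwardPlainNames is set, keep "plain" (unqualified, no '.') names local: domain-needed stops them being forwarded upstream and local=// answers them here, regardless of any configured domain. */`. That comment would also be the natural place to record why plain names are kept local by default (the commit message attributes this to commit f386825 keeping such queries away from the host's resolver), so the rationale survives the planned change to the default. networkDnsmasqConfContents starts and ends outside this hunk.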
diff --git a/tests/networkxml2confdata/dhcp6-network.conf b/tests/networkxml2confdata/dhcp6-network.conf
index 5fde07f..92ea2a4 100644
--- a/tests/networkxml2confdata/dhcp6-network.conf
+++ b/tests/networkxml2confdata/dhcp6-network.conf
@@ -5,10 +5,10 @@
##
## dnsmasq conf file created by libvirt
strict-order
-domain-needed
domain=mynet
expand-hosts
-local=/mynet/
+domain-needed
+local=//
except-interface=lo
bind-dynamic
interface=virbr0
diff --git a/tests/networkxml2confdata/nat-network-dns-hosts.conf b/tests/networkxml2confdata/nat-network-dns-hosts.conf
index 2577882..021316f 100644
--- a/tests/networkxml2confdata/nat-network-dns-hosts.conf
+++ b/tests/networkxml2confdata/nat-network-dns-hosts.conf
@@ -5,10 +5,10 @@
##
## dnsmasq conf file created by libvirt
strict-order
-domain-needed
domain=example.com
expand-hosts
-local=/example.com/
+domain-needed
+local=//
except-interface=lo
bind-dynamic
interface=virbr0
diff --git a/tests/networkxml2confdata/netboot-network.conf b/tests/networkxml2confdata/netboot-network.conf
index b6f3c23..ce33176 100644
--- a/tests/networkxml2confdata/netboot-network.conf
+++ b/tests/networkxml2confdata/netboot-network.conf
@@ -5,10 +5,10 @@
##
## dnsmasq conf file created by libvirt
strict-order
-domain-needed
domain=example.com
expand-hosts
-local=/example.com/
+domain-needed
+local=//
except-interface=lo
bind-interfaces
listen-address=192.168.122.1
diff --git a/tests/networkxml2confdata/netboot-proxy-network.conf b/tests/networkxml2confdata/netboot-proxy-network.conf
index 1e969fa..f4d3880 100644
--- a/tests/networkxml2confdata/netboot-proxy-network.conf
+++ b/tests/networkxml2confdata/netboot-proxy-network.conf
@@ -5,10 +5,10 @@
##
## dnsmasq conf file created by libvirt
strict-order
-domain-needed
domain=example.com
expand-hosts
-local=/example.com/
+domain-needed
+local=//
except-interface=lo
bind-interfaces
listen-address=192.168.122.1
--
1.8.5.3