Baby step beyond DNS Masq

Philippe23 · Posted: Tue Oct 05, 2021 2:12 pm Post subject: Baby step beyond DNS Masq

I run a small server with a handful of vanity domains with it's own mail and webserver. I let my registration provider do DNS for me, so I don't have to worry about DNS redundancy, etc. (And I have no dynamic records.)

I've started running into issues with the mail part of it that a log of spam filtering software uses DNS as a querying mechanism. However, a lot of these services get cranky when large numbers of DNS requests come from the same DNS servers (meaning when those big upstream servers make the queries to the spam service's DNS servers on my behalf, like they do for a million other users of their DNS servers), so they start returning failure codes. Being in a large virtual hosting environment, all the DNS servers available to me fall into this pitfall. (As do 8.8.8.8, 1.1.1.1, 4.2.2.1, etc)

So, it's starting to feel like I can no longer run DNS Masq, since it will only query a handful of DNS servers (from what I can tell) -- ie, it won't query directly.

BIND feels like overkill, especially since I don't want to server and DNS zones authoritatively. But I imaging BIND is the most well documented DNS server ever.

1.) Am I wrong, is there a way to configure DNS Masq to query authoritative servers? (Or am I missing another setup?)
2.) Is there any software better suited to this poser configuration, I'm heading towards where I ask questions of authoritative servers, but don't have any zones of my own?

cboldt · Veteran Joined: 24 Aug 2005 Posts: 1046

dnsmasq will read resolv.conf (or a different file or files, if you prefer) for nameservers, I don't know of any limit to the number of nameservers listed there.

You can also reduce the load on external nameservers by caching the data a little longer ... --min-cache-ttl=<time> can be up to one hour.

pingtoo · Posted: Tue Oct 05, 2021 2:32 pm Post subject:

You can try pdnsd. I used in few production environments it work just fine. it use a simple /etc/hosts file a like syntax to serve authoritative records.

alamahant · Advocate Joined: 23 Mar 2019 Posts: 3878

Bind can also be used as a cache and forward-only server.
It comes down to
named.conf
config.
You dont need your own zones to run named.
Also with bind you can config external(ie internet) and internal (ie lan) views.
_________________

Philippe23 · Posted: Tue Oct 05, 2021 2:55 pm Post subject:

cboldt · Veteran Joined: 24 Aug 2005 Posts: 1046

Direct the output of your query of root servers for nameserver IPs to a file of your choice, /etc/resolv.conf is the prototypical location, and dnsmasq will rotate through that list of nameservers. If there are particular nameservers that you want dnsmasq to ignore (but your external nameserver list building tool may access), just exclude those IPs from the list the dnsmasq will use.

dnsmasq will re-read this list if/when it changes. Search for "resolv.conf" in the dnsmasq man page for the various related config settings.

If you are roughly familiar with dnsmasq, might as well stick with it. Took me quite a few hours to get a handle on much of the power, but baked into that was also learning about DNS (and DHCP) in general.

Use of DHCP on the LAN is instrumental too, as it keeps the client machines "in line," asking dnsmasq machine for DNS and keeping those clients from hitting the nameservers you want to avoid.

pingtoo · Posted: Tue Oct 05, 2021 3:46 pm Post subject:

pa4wdh · l33t Joined: 16 Dec 2005 Posts: 811

I'm a BIND fan, so i'll recommend that.
Function wise it might be a bit overkill for you, but you don't have to use it all. If you want it to be just a resolver, it will just be a resolver.

Extra benefits will be:
1) You'll learn new stuff, and since BIND is very common that might be useful
2) If your needs grow and you need more functionality there is a good chance BIND will be able to provide that
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com

Philippe23 · Posted: Tue Oct 05, 2021 7:47 pm Post subject:

pingtoo · Posted: Tue Oct 05, 2021 9:19 pm Post subject:

szatox · Advocate Joined: 27 Aug 2013 Posts: 3129

cboldt · Veteran Joined: 24 Aug 2005 Posts: 1046

Depends on the setting and what is meant by not changing somebody else's. dnsmasq enables settling TTL on material locally cached, so even though an original TTL is set (and not changed by originator), the TTL locally propagated can differ from TTL set by originator.

pingtoo · Posted: Wed Oct 06, 2021 6:47 pm Post subject:

szatox · Advocate Joined: 27 Aug 2013 Posts: 3129

pingtoo · Posted: Thu Oct 07, 2021 8:41 pm Post subject:

szatox · Advocate Joined: 27 Aug 2013 Posts: 3129

Google's DNS doesn't overextend TTL, it flushes every few seconds (at most). Read: heavy traffic.
And why didn't dnsmasq work? I think it's because it's just a cache and not a recursor. Recursor hits root servers, then TLD, then second level and so on until the question is answered. AFAIK dnsmasq simply uses whatever dns you have configured as your upstream. So the dnsmasq's upsteam (and the actual recursor DNS) was hammering the RBL's DNS with total volume of traffic combined from multiple users, and got rejected for nagging.

pingtoo · Posted: Fri Oct 08, 2021 2:55 pm Post subject:

Anon-E-moose · Posted: Fri Oct 08, 2021 6:45 pm Post subject:

I used bind for many years, but a year ago I swapped to unbound (in portage), and I don't miss bind at all.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

toralf · Posted: Fri Oct 08, 2021 9:24 pm Post subject:

I switched from dnsmasq to unbound 2 yrs ago both at my desktop and at my server - and never took a look back.
Just emerge unbound and add it to the default runlevel - that's all.