Dnsmasq (DNS service) should respond on red interface

The following code is preventing NS from serving DNS requests on the red interface of a dual-homed server with both green and red interfaces configured:

# $ndb is the networks configuration database; every interface with the
# "red" role is collected into @interfaces, which the fragment later turns
# into except-interface= lines for dnsmasq.
foreach ($ndb->red()) {
    push(@interfaces, $_->key);
}

This code is located in the file /etc/e-smith/templates/etc/dnsmasq.conf/40bind and it prevents dnsmasq from responding to DNS requests made from clients on the red interface. For example, it adds an except-interface option to the /etc/dnsmasq.conf file for the red interface. This always seems to happen, even if you enable the dnsmasq network service on the red interface (through the web interface).

Could anyone confirm this issue, please, and discuss whether it is the way it should be or not?

This is happening in NethServer release 7.2.1511 (rc1).

Thanks.

The red interface is the untrusted one, so I can’t see a single valid reason to answer DNS requests on it.

That said, please explain your problem, thank you.

Consider one nethserver offering DHCP and DNS to clients connected through its green interface. Then one of these clients is another nethserver that doesn’t trust clients on the same level, except its parent nethserver of course.

The second nethserver considers the first nethserver’s green network untrusted, so it connects to it using its red interface. The second nethserver’s green interface is used to connect trusted users, from the second nethserver administrator’s perspective.

The second nethserver administrator wants to offer a DNS replica of the first nethserver’s DNS service so the entire network benefits from such redundancy. To do this, the administrator tried to enable DNS on the red interface.

I can confirm that NS doesn’t listen for DNS requests from the red interfaces and this is by design.

I tried to understand your needs but without success :frowning:

Just a shot in the dark: why not create a VPN between your servers?

Yes. That is the default design and probably the best choice in most cases. However, it is necessary to notice here that in the Network Services web UI it is possible to specify the network interfaces the service will be enabled on. One of those interfaces is the red one. But when you mark it, it doesn’t work. Shouldn’t such a default-design customization feature be working?

Be more specific please.

Yes. That would be an option if only communication between nethservers were necessary. However, the network between the nethservers connects clients that should access services on both nethserver 1 and nethserver 2, where nethserver 1 has one level of trust and nethserver 2 has another level of trust for those clients connected to that intermediate network.

Ouch! You’re right, this case should be handled.
But the “Network services” page only takes care of the firewall part, it doesn’t reconfigure the services.

In this scenario, I would go with a template-custom :confused:

Exactly what I did :slight_smile:
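As an added example (not from the thread or the NethServer project), this shell snippet builds the template-custom override the last replies mention: it copies the 40bind fragment and strips the red-interface loop quoted in the first post. It assumes the stock loop looks exactly like those three lines and uses a constructed stand-in fragment so it runs outside a NethServer.

```shell
# Build a templates-custom override of 40bind that no longer adds
# except-interface= lines for red interfaces (e-smith convention: a file with
# the same relative path under templates-custom/ replaces the stock fragment).
# Assumption: the red loop in the stock fragment is the three lines quoted above.
make_custom_fragment() {
    src="$1"; dst="$2"
    mkdir -p "$(dirname "$dst")"
    # Delete from the "foreach ($ndb->red())" line through that loop's closing
    # brace; every other line of the stock fragment is copied unchanged.
    sed '/foreach (\$ndb->red())/,/^[[:space:]]*}/d' "$src" > "$dst"
}

# Count how many lines of FILE still reference the red interfaces.
red_refs() { grep -c 'ndb->red()' "$1" || true; }

# Constructed stand-in for the stock fragment, so this runs off a NethServer.
# Only the three-line red loop is taken from the thread; the rest is made up.
work="$(mktemp -d)"
stock="$work/templates/etc/dnsmasq.conf/40bind"
custom="$work/templates-custom/etc/dnsmasq.conf/40bind"
mkdir -p "$(dirname "$stock")"
cat > "$stock" <<'EOF'
{
    my @interfaces = ();
    foreach ($ndb->red()) {
        push(@interfaces,$_->key);
    }
    join("\n", map { "except-interface=$_" } @interfaces);
}
EOF

make_custom_fragment "$stock" "$custom"
echo "--- custom fragment ---"; cat "$custom"
# On a real server, after placing the file under /etc/e-smith/templates-custom/:
#   expand-template /etc/dnsmasq.conf && systemctl restart dnsmasq
# The firewall rules from the "Network services" page still decide which
# networks may reach port 53; this override only changes which interfaces
# dnsmasq listens on.
```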
