Start using dnsmasq as the initial dns server #1196

Status: Open (wants to merge 1 commit into base: main)

@furkansahin (Contributor) commented Feb 6, 2024

So far we have not been using dnsmasq for DNS queries; we just used it
to configure public DNS server addresses in the VM. Therefore, all the
DNS queries hit a public DNS server after the VM, for sure. Now, we
configure dnsmasq to also run as a DNS server. This way, if the address
is cached locally in dnsmasq, we skip going to a public server and
respond locally from the host. To be able to do that, we assign a
private IPv6 address to the dnsmasq server, make it listen there, and as
part of the DHCP requests, we send dnsmasq's address to the client
as the DNS server.

@furkansahin furkansahin requested a review from fdr February 6, 2024 14:12
@byucesoy (Member) commented Feb 6, 2024

Aren't we already using systemd-resolved (not saying that is a good option), which comes by default, for caching the responses from public DNS servers? Why do we want to use dnsmasq here?

@furkansahin (Contributor, Author) commented Feb 6, 2024

We use it locally in the VM. This is when the cache is missed and we go out of the VM. So we catch it in the host before going to the public internet. This will be especially useful for private networking + service endpoints. Customers will be able to assign whatever name they want to an internal service (such as postgres) and connect to it. For that, we will resolve the hostname to a private IP in dnsmasq.

@@ -347,17 +347,26 @@ def cloudinit(unix_user, public_key, nics)
end.join("\n")

raparams = nics.map { "ra-param=#{_1.tap}" }.join("\n")

interfaces = nics.map { "interface=#{_1.tap}" }.join("\n")
dnsmasq_address_ip6 = NetAddr::IPv6Net.parse(nics.first.net6).nth(3)
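
Review bot: on the `dnsmasq_address_ip6` line, `nics.first.net6` ties the resolver address to the first NIC's prefix only, while the `interface=` and `ra-param=` lines above are generated for every NIC, and `.nth(3)` is an unexplained index. Consider a named constant with a comment saying why that offset is reserved and cannot end up assigned to the guest, and either derive an address per NIC or document that only the first prefix carries the DNS listener. `nics.first` is also nil for an empty `nics`, so `.net6` would raise; a guard or a stated precondition would make that explicit.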
Review comment (Collaborator):

Is it more customary to put this at the customary gateway address as well, e.g. ::1? To avoid too many "odd" addresses in the customer's prefix.

@fdr (Collaborator) commented Feb 6, 2024

Differently, is another viable option to pick a ULA prefix of some sort (or even get a public one from RIPE/ARIN) and put the DNS server in there? Since we control the route tables anyway, all we really would like is an address that does not conflict, right? Or does it need to be in-prefix for some reason?

There are some ramifications on how the user experiences split horizon DNS with multiple interfaces, so this isn't a prescription, more like, do we have to think about that or is it foreclosed by other restrictions?
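
The three address choices weighed in this thread (in-prefix `nth(3)`, the gateway-style `::1`, and a ULA prefix), worked through as an added example that is not part of the PR or the project's code. It uses Ruby's stdlib `ipaddr` instead of NetAddr; the helper names, sample prefixes, seed, and the choice of `listen-address` / `bind-interfaces` / `dhcp-option` lines are assumptions.

```ruby
require "ipaddr"
require "socket"
require "digest/sha2"

# n-th address inside an IPv6 prefix (index 0 is the network address itself).
def nth_address(cidr, n)
  net = IPAddr.new(cidr)
  size = 2**(128 - net.prefix)
  raise ArgumentError, "index #{n} is outside #{cidr}" unless (0...size).cover?(n)
  IPAddr.new(net.to_i + n, Socket::AF_INET6)
end

# ULA /64 in the RFC 4193 layout: fd00::/8, 40-bit global ID, 16-bit subnet ID.
# Assumption: the global ID is hashed from a seed so the output is reproducible;
# RFC 4193 only asks that it be pseudo-random.
def ula_subnet(seed, subnet_id = 0)
  global_id = Digest::SHA256.digest(seed).unpack1("H10").to_i(16) # 40 bits
  value = (0xfd << 120) | (global_id << 80) | (subnet_id << 64)
  IPAddr.new(value, Socket::AF_INET6).mask(64)
end

# True when addr falls inside any prefix that is handed to the guest.
def in_customer_prefix?(addr, customer_cidrs)
  customer_cidrs.any? { |cidr| IPAddr.new(cidr).include?(addr) }
end

# dnsmasq lines that bind the resolver to one address and advertise it over DHCPv6.
def dnsmasq_dns_lines(addr)
  ["listen-address=#{addr}", "bind-interfaces",
   "dhcp-option=option6:dns-server,[#{addr}]"].join("\n")
end

# Constructed sample prefixes (documentation range), one per NIC.
CUSTOMER_PREFIXES = ["2001:db8:0:1::/64", "2001:db8:0:2::/64"].freeze

# Each candidate resolver address and whether it consumes customer address space.
def candidates(prefixes = CUSTOMER_PREFIXES, seed = "constructed-seed")
  {
    "in-prefix nth(3)" => nth_address(prefixes.first, 3),
    "in-prefix ::1" => nth_address(prefixes.first, 1),
    "ULA ::1" => nth_address("#{ula_subnet(seed)}/64", 1)
  }.transform_values { |a| { address: a.to_s, in_customer_prefix: in_customer_prefix?(a, prefixes) } }
end

if __FILE__ == $PROGRAM_NAME
  candidates.each { |name, c| puts "#{name}: #{c[:address]} in customer prefix? #{c[:in_customer_prefix]}" }
  puts dnsmasq_dns_lines(candidates["ULA ::1"][:address])
end
```

Only the ULA candidate stays out of every customer prefix, which is the non-conflict property the thread asks about; it does require a host route for that prefix on each tap.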
