diff --git a/debian/systemd_howto b/debian/systemd_howto index 31908e5..52d707d 100644 --- a/debian/systemd_howto +++ b/debian/systemd_howto @@ -1,41 +1,41 @@ -HOWTO -===== -dnsmasq comes with the possibility to run multiple systemd service instances on the same machine. -There is the main service which is enabled by default via `systemctl enable dnsmasq.service` and uses the configuration from `/etc/default/dnsmasq`. - -Additional service instances can be enabled via `systemctl enable dnsmasq@.service` that use the configuration from `/etc/default/dnsmasq.`. -It is recommended to use a separate configuration file and directory for each instance. -Additionally make sure that all instances use either different ports and/or ip addresses to avoid binding collisions. - -Example setup for an instance called "alt" -#1 File `/etc/dnsmasq.alt.conf` copied from `/etc/dnsmasq.conf` -#2 Directory `/etc/dnsmasq.alt.d` -#3 File `/etc/default/dnsmasq.alt` copied from `/etc/default/dnsmasq` with following adaptions: - * The options DNSMASQ_OPTS and CONFIG_DIR point to the correct configuration file and directory. - DNSMASQ_OPTS="... --conf-file=/etc/dnsmasq.alt.conf ..." - CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new - * The option DNSMASQ_EXCEPT must contain "lo" to avoid that an instance becomes the machine's DNS resolver. - DNSMASQ_EXCEPT="lo" - * If the additional instance should bind to all IP addresses of a specific interface, e.g. "dnsalt01", then the following addition could be used: - DNSMASQ_OPTS="... --bind-dynamic --interface=dnsalt01 ..." - Additionally the main instance must be stopped from binding to interfaces that are used by other instances: - DNSMASQ_OPTS="... --bind-dynamic --except-interface=dnsalt* ..." - * If the additional instance should not use the machine's DNS resolver, normally that's the dnsmasq main instance, as upstream server, then the following addition could be used: - IGNORE_RESOLVCONF=yes -#4 Enable additional instance via `systemctl enable dnsmasq@alt.service` -#5 Start additional instance without reboot via `systemctl start dnsmasq@alt.service` - - - -TODO -==== -#1 - Found shortcoming on 2019-03-10 -Only the option DNSMASQ_EXCEPT="lo" avoids that an DNS instance will be set as the machine's DNS resolver. -This may interfere with the wish to run an additional instance on a different port on the localhost addresses. -My suggestion in the initial Debian report [1] was to specify a explicit variable for this. - -[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914305#5 - - -#2 - Preferred configuration way -Should the variables DNSMASQ_INTERFACE and DNSMASQ_EXCEPT be used instead of --interface and --except-interface? (while "lo" still has to be in DNSMASQ_EXCEPT as of now) +HOWTO +===== +dnsmasq comes with the possibility to run multiple systemd service instances on the same machine. +There is the main service which is enabled by default via `systemctl enable dnsmasq.service` and uses the configuration from `/etc/default/dnsmasq`. + +Additional service instances can be enabled via `systemctl enable dnsmasq@.service` that use the configuration from `/etc/default/dnsmasq.`. +It is recommended to use a separate configuration file and directory for each instance. +Additionally make sure that all instances use either different ports and/or ip addresses to avoid binding collisions. + +Example setup for an instance called "alt" +#1 File `/etc/dnsmasq.alt.conf` copied from `/etc/dnsmasq.conf` +#2 Directory `/etc/dnsmasq.alt.d` +#3 File `/etc/default/dnsmasq.alt` copied from `/etc/default/dnsmasq` with following adaptions: + * The options DNSMASQ_OPTS and CONFIG_DIR point to the correct configuration file and directory. + DNSMASQ_OPTS="... --conf-file=/etc/dnsmasq.alt.conf ..." + CONFIG_DIR=/etc/dnsmasq.alt.d,.dpkg-dist,.dpkg-old,.dpkg-new + * The option DNSMASQ_EXCEPT must contain "lo" to avoid that an instance becomes the machine's DNS resolver. + DNSMASQ_EXCEPT="lo" + * If the additional instance should bind to all IP addresses of a specific interface, e.g. "dnsalt01", then the following addition could be used: + DNSMASQ_OPTS="... --bind-dynamic --interface=dnsalt01 ..." + Additionally the main instance must be stopped from binding to interfaces that are used by other instances: + DNSMASQ_OPTS="... --bind-dynamic --except-interface=dnsalt* ..." + * If the additional instance should not use the machine's DNS resolver, normally that's the dnsmasq main instance, as upstream server, then the following addition could be used: + IGNORE_RESOLVCONF=yes +#4 Enable additional instance via `systemctl enable dnsmasq@alt.service` +#5 Start additional instance without reboot via `systemctl start dnsmasq@alt.service` + + + +TODO +==== +#1 - Found shortcoming on 2019-03-10 +Only the option DNSMASQ_EXCEPT="lo" avoids that an DNS instance will be set as the machine's DNS resolver. +This may interfere with the wish to run an additional instance on a different port on the localhost addresses. +My suggestion in the initial Debian report [1] was to specify an explicit variable for this. + +[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914305#5 + + +#2 - Preferred configuration way +Should the variables DNSMASQ_INTERFACE and DNSMASQ_EXCEPT be used instead of --interface and --except-interface? (while "lo" still has to be in DNSMASQ_EXCEPT as of now) diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index addc29c..8f0ffdb 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 @@ -515,7 +515,7 @@ address of 0.0.0.0 and its IPv6 equivalent of :: so \fB--address=/example.com/#\fP will return NULL addresses for example.com and its subdomains. This is partly syntactic sugar for \fB--address=/example.com/0.0.0.0\fP and \fB--address=/example.com/::\fP but is also more efficient than including both -as seperate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves. +as separate configuration lines. Note that NULL addresses normally work in the same way as localhost, so beware that clients looking up these names are likely to end up talking to themselves. .TP .B --ipset=/[/...]/[,...] Places the resolved IP addresses of queries for one or more domains in @@ -748,7 +748,7 @@ fast. Versions of dnsmasq prior to 2.80 defaulted to not checking unsigned replies, and used .B --dnssec-check-unsigned -to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occuring. +to switch this on. Such configurations will continue to work as before, but those which used the default of no checking will need to be altered to explicitly select no checking. The new default is because switching off checking for unsigned replies is inherently dangerous. Not only does it open the possiblity of forged replies, but it allows everything to appear to be working even when the upstream namesevers do not support DNSSEC, and in this case no DNSSEC validation at all is occurring. .TP .B --dnssec-no-timecheck DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an diff --git a/src/cache.c b/src/cache.c index 6168073..720508f 100644 --- a/src/cache.c +++ b/src/cache.c @@ -771,7 +771,7 @@ int cache_recv_insert(time_t now, int fd) else if (flags & F_CNAME) { struct crec *newc = really_insert(daemon->namebuff, NULL, C_IN, now, ttl, flags); - /* This relies on the fact the the target of a CNAME immediately preceeds + /* This relies on the fact that the target of a CNAME immediately precedes it because of the order of extraction in extract_addresses, and the order reversal on the new_chain. */ if (newc)