Score:1

Wildcard CNAME record specified by libvirt's dnsmasq:options namespace doesn't work, only specific subdomains work


Since v5.6.0, libvirt has added a dnsmasq namespace with the element, which allows options to be passed directly to the underlying dnsmasq server. I'd like to create a wildcard DNS entry for my applications with that option. So I used virsh net-edit, changed <network> to <network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0'> and added the following options:

  <dnsmasq:options>
    <dnsmasq:option value='cname=boards.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal'/>
    <dnsmasq:option value='cname=*.app.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal'/>
  </dnsmasq:options>

After that, the network was restarted (virsh net-destroy && virsh net-start) and the target VM too (virsh destroy && virsh start).

The cname=boards.cnx65-k8s.hobel.internal works perfectly:

$ dig +short boards.cnx65-k8s.hobel.internal @192.168.10.1
cnx65-k8s.hobel.internal.
192.168.10.136

But dig +short x.app.cnx65-k8s.hobel.internal @192.168.10.1 doesn't resolve to any ip address. The generated configuration file /var/lib/libvirt/dnsmasq/hobel.internal.conf contains both cname entries at the end:

strict-order
user=libvirt-dnsmasq
local=/hobel.internal/
domain=hobel.internal
expand-hosts
pid-file=/run/libvirt/network/hobel.internal.pid
except-interface=lo
bind-dynamic
interface=virbr1
dhcp-range=192.168.10.10,192.168.10.254,255.255.255.0
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=245
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/hobel.internal.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/hobel.internal.addnhosts
cname=boards.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal
cname=*.app.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal

According to this answer, I added auth-server and interface-name to the options:

  <dnsmasq:options>
    <dnsmasq:option value='cname=boards.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal'/>
    <dnsmasq:option value='cname=*.app.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal'/>
    <dnsmasq:option value='auth-server=cnx65-k8s.hobel.internal,virbr1'/>
    <dnsmasq:option value='interface-name=cnx65-k8s.hobel.internal,virbr1'/>
  </dnsmasq:options>

But x.app.cnx65-k8s.hobel.internal is still not resolved:

$ dig x.app.cnx65-k8s.hobel.internal @192.168.10.1

; <<>> DiG 9.16.1-Ubuntu <<>> x.app.cnx65-k8s.hobel.internal @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43624
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;x.app.cnx65-k8s.hobel.internal.        IN      A

;; Query time: 0 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: Sat Jul 03 12:14:05 CEST 2021
;; MSG SIZE  rcvd: 59

Why is this not working? Even the official libvirt documentation lists a cname wildcard entry as an example:

<dnsmasq:option value="cname=*.foo.example.com,master.example.com"/>
Why did I get a downvote for this question? Just downvoting without any answer or at least a comment is very poor and not constructive!
Have you looked at the generated configuration file for the network? Are the options in there as expected? If they are, you have a dnsmasq question, not a libvirt question.
Score:0

I think you have a dnsmasq configuration problem; maybe the interface name? It looks like you can use a wildcard. Given the following configuration for my default network:

<network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0' connections='1'>
  <name>default</name>
  <uuid>34eaa498-ba0f-4762-a0f9-27f53dd07687</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:5d:a7:ff'/>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
  <dnsmasq:options>
    <dnsmasq:option value='cname=foo.example.com,master.example.com'/>
    <dnsmasq:option value='cname=*.foo.example.com,master.example.com'/>
    <dnsmasq:option value='auth-zone=example.com'/>
    <dnsmasq:option value='auth-server=example.com,*'/>
  </dnsmasq:options>
</network>

I end up with /var/lib/libvirt/dnsmasq/default.conf that looks like:

strict-order
pid-file=/run/libvirt/network/default.pid
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254,255.255.255.0
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
cname=foo.example.com,master.example.com
cname=*.foo.example.com,master.example.com
auth-zone=example.com
auth-server=example.com,*

The following queries work from a vm attached to that network:

[root@example-vm ~]# dig +short foo.example.com
master.example.com.
[root@example-vm ~]# dig +short a.foo.example.com
master.example.com.
[root@example-vm ~]# dig +short b.foo.example.com
master.example.com.

And as expected this fails to return anything:

[root@example-vm ~]# dig +short bar.example.com

(Tests were run on Fedora 34, using libvirt-7.0.0-4.fc34.x86_64 and dnsmasq-2.85-1.fc34.x86_64)
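The visible difference between the two generated files on this page is that the working one declares auth-zone=example.com over its wildcard cname, while the asker's declares no auth-zone at all. The check below is an added example (not code from either poster, libvirt or dnsmasq) that parses a generated dnsmasq file and flags wildcard cname aliases that fall outside every declared auth-zone; it assumes, as the two configurations suggest and as I read the dnsmasq documentation, that wildcard cname entries are only served for names inside an auth-zone. The two config excerpts are trimmed copies of the files shown above.

```python
# Trimmed copies of the two generated dnsmasq files shown on this page.
ASKER_CONF = """\
local=/hobel.internal/
domain=hobel.internal
interface=virbr1
cname=boards.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal
cname=*.app.cnx65-k8s.hobel.internal,cnx65-k8s.hobel.internal
auth-server=cnx65-k8s.hobel.internal,virbr1
"""

ANSWER_CONF = """\
interface=virbr0
cname=foo.example.com,master.example.com
cname=*.foo.example.com,master.example.com
auth-zone=example.com
auth-server=example.com,*
"""


def parse_options(text):
    """Map each dnsmasq option keyword to the list of values it was given."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts.setdefault(key, []).append(value)
    return opts


def in_zone(name, zone):
    """True if name equals zone or is a subdomain of it."""
    return name == zone or name.endswith("." + zone)


def wildcard_cnames_outside_auth_zones(text):
    """Return wildcard cname aliases not covered by any auth-zone=<domain>[,...] line.

    Assumption (this example's, based on the dnsmasq docs): such aliases are never
    answered, which is the asker's symptom for *.app.cnx65-k8s.hobel.internal.
    """
    opts = parse_options(text)
    # auth-zone=<domain>[,<subnet>...]: only the leading domain matters here.
    zones = [v.split(",")[0] for v in opts.get("auth-zone", [])]
    uncovered = []
    for spec in opts.get("cname", []):
        fields = spec.split(",")
        if fields[-1].isdigit():        # optional trailing TTL
            fields = fields[:-1]
        *aliases, _target = fields      # cname=<alias>[,<alias>...],<target>
        for alias in aliases:
            if alias.startswith("*.") and not any(in_zone(alias[2:], z) for z in zones):
                uncovered.append(alias)
    return uncovered
```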
