
DNSMasq Wildcard Round-Robin DNS


Asad Ali

Very Senior Member
Hello everyone, I'm trying to achieve something here, but I'm not sure if what I'm trying to do is even possible with DNSMasq or not, so I need you guys' help.

I need to assign multiple static IP addresses to wildcard domains, for example:

*.google.com should point to:
x.x.x.x
x.x.x.x
x.x.x.x

Example 2:
example.google.com should point to the same addresses as above:
x.x.x.x
x.x.x.x
x.x.x.x

and so on....

I can achieve that by using the hosts file for a fixed domain like Google.com, but not with wildcard entries for it, and if I use:

address=/google.com/x.x.x.x

that works with wildcard domains, but with only a single IP.

So is there any way to combine them both together?

I really hope I made myself clear....... :/

Thanks!!!
 
While you can add multiple IPs for a domain in the hosts format, that is not possible with the address= format.
Here's Mr. Dnsmasq's reply to such a question: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q3/007465.html

I already saw that when I was researching it, and that post is from 2013, so does it still apply?

Also, I found something similar (I think) to what I need here, but I can't seem to make it work properly.

https://serverfault.com/questions/8...d-a-wildcard-cname-into-dnsmasq/853996#853996
 
I did try to make it work, but unfortunately I'm not yet able to; that's why I need you guys' help :(


 
Maybe later, could be useful. But as with multiple DNS server entries, the first one is used in (I'm guessing) 99% of the queries.
 
With the hosts file it's random and uses all the IPs in a round-robin way, and it's not just the first IP which gets priority (as far as I checked)
 
Unless you specify 'strict' order, it has an algorithm that periodically issues queries to all the servers and then prioritizes the server with the fastest response.
 
Yup, I know about that regarding multiple DNS servers, but here I'm talking about multiple IPs for a single or wildcard domain.


 
Can I ask what the point of this is? It appears to be similar to load-balancing a website except in reverse.

My ISP has a Google caching server and they have 8 IPs for that, so I need to balance them equally to avoid overloading them.
 
Ok, so I did some more tests with the code given here (https://serverfault.com/questions/853282/is-it-possible-to-add-a-wildcard-cname-into-dnsmasq) and as soon as I enter these lines (combined or one by one) the DNSMasq service fails to start and gives me this error in the log:
Code:
Feb  5 00:48:34 dnsmasq[15996]: unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support) at line 31 of /etc/dnsmasq.conf
Feb  5 00:48:34 dnsmasq[15996]: FAILED to start up

The code lines I tried (with the last three lines breaking it):
Code:
cname=*.google.com,default.google.com
auth-server=google.com,eth0
interface-name=google.com,eth0
auth-zone=google.com,127.0.0.0/24,eth0

So that means the current DNSMasq on the router is not supporting these options?
 
I did the same test yesterday and got the same results. Although I think you'd need to change eth0 to br0. So I came to the same conclusion.
 
unsupported option (check that dnsmasq was compiled with DHCP/TFTP/DNSSEC/DBus support)
DHCP - yes
TFTP - yes
DNSSEC - yes
DBus - no, requires a library not present in the build

Code:
Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth DNSSEC loop-detect no-inotify
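
The compile-time options line above includes `no-auth`, the build feature that `auth-server` and `auth-zone` depend on, although the generic error text does not name it. The following check is an added example, not part of the original thread: it compares config lines against that options string, and the option-to-flag table and all function names are assumptions made here that cover only a few options.

```shell
#!/bin/sh
# Added example (not from the thread). The option-to-flag table below is an
# assumption and covers only a handful of dnsmasq options.

# Constructed sample input: the options line and the config lines quoted above.
# On a live system: dnsmasq --version | sed -n 's/^Compile time options: //p'
SAMPLE_OPTS='IPv6 GNU-getopt no-RTC no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-auth DNSSEC loop-detect no-inotify'
SAMPLE_CONF='cname=*.google.com,default.google.com
auth-server=google.com,eth0
interface-name=google.com,eth0
auth-zone=google.com,127.0.0.0/24,eth0'

# required_flag OPTION: print the build flag OPTION depends on (empty if none listed)
required_flag() {
  case "$1" in
    auth-server|auth-zone) echo auth ;;
    dnssec)                echo DNSSEC ;;
    enable-dbus)           echo DBus ;;
    enable-tftp)           echo TFTP ;;
    *)                     echo "" ;;
  esac
}

# has_flag "OPTS" FLAG: succeed only if FLAG appears as its own word (no-FLAG does not count)
has_flag() {
  for word in $1; do
    if [ "$word" = "$2" ]; then return 0; fi
  done
  return 1
}

# check_conf "OPTS": read config lines on stdin, print one finding per unsupported option
check_conf() {
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}
    flag=$(required_flag "$key")
    if [ -n "$flag" ] && ! has_flag "$1" "$flag"; then
      echo "line $lineno: $key requires a build with '$flag'"
    fi
  done
  return 0
}

printf '%s\n' "$SAMPLE_CONF" | check_conf "$SAMPLE_OPTS"
```

Line numbers in the output count from the start of the text fed to `check_conf`, so feed it the whole config file to get numbers comparable to the ones dnsmasq logs.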
 

Ok and we can't add that?


 
Don't know....haven't tried. It's not always easy to add new libraries.
But I'm trying to figure out what I am missing and why you are worried about load balancing your ISP's servers? They will do that automatically across all users, not just your accesses.
 

To be honest, it's mostly for my own learning and satisfaction. It's not something I can't live without, but trying new stuff is fun lol

Also, my ISP is giving those caching server IPs for only google.com, but I'm using it for Youtube.com and Google Play Store by using DNSMasq static paths, so that's why I wanted to divide those 8 IPs between google.com, youtube.com and Google Play Store.
 
EDIT: for your purposes, you could change the iptables rule from REDIRECT to DNAT, to use the public DNS resolvers, since you aren't using dnscrypt-proxy.

This guy shows how to do basic round-robin using iptables. It requires the statistic module extension to iptables.
https://gist.github.com/apparentlymart/d8ebc6e96c42ce14f64b

Just for fun I ran 4 instances of dnscrypt-proxy and configured dnsmasq to use the round-robin configuration below. My example creates 4 round-robin pools, one for each DNS resolver that dnsmasq is aware of. You run the following script once to set up the iptables rules. It does not improve performance of DNS lookups. Maybe good for countersurveillance?

/jffs/scripts/dnsmasq-rr.sh
Code:
#!/bin/sh
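#--- tunables
src_port_start=65001      # first local port dnsmasq queries (one server= line per port)
dst_port_start=65051      # first port that packets are redirected to
num_dst_ports=4           # number of destination ports in each round-robin pool
num_packets_per_port=1    # packets sent to each destination port per round
#---
# Flushes every rule in the nat OUTPUT chain, not only the ones this script adds
iptables -t nat -F OUTPUT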
#---
num_src_ports=$num_dst_ports
src_port_end=$(($src_port_start + $num_src_ports - 1))
dst_port_end=$(($dst_port_start + $num_dst_ports - 1))
dstport_offset=0
srcport=$src_port_start
while [ $srcport -le $src_port_end ]; do
  dstport=$(($dst_port_start + $dstport_offset))
  nth_packet=$(($num_dst_ports * $num_packets_per_port))
  while [ $nth_packet -gt 0 ]; do
    nth_packet_per_port=$num_packets_per_port
    while [ $nth_packet_per_port -gt 0 ]; do
      if [ $nth_packet -gt 1 ]; then
        iptables -t nat -A OUTPUT -p udp -d 127.0.0.1 --dport ${srcport} -m statistic --mode nth --every ${nth_packet} --packet 0 -j REDIRECT --to-port ${dstport}
      else
        iptables -t nat -A OUTPUT -p udp -d 127.0.0.1 --dport ${srcport} -j REDIRECT --to-port ${dstport}
      fi
      let nth_packet_per_port--
      let nth_packet--
    done
    let dstport++
    [ $dstport -gt $dst_port_end ] && dstport=$dst_port_start
  done
  let dstport_offset++
  [ $dstport_offset -ge $num_dst_ports ] && dstport_offset=0
  let srcport++
done
#---
iptables -t nat -vnL OUTPUT
#---
echo
echo "add the following lines to /jffs/configs/dnsmasq.conf.add"
echo "then type: service restart_dnsmasq"
echo
echo "strict-order"
srcport=$src_port_start
while [ $srcport -le $src_port_end ]; do
  echo "server=127.0.0.1#${srcport}"
  let srcport++
done
echo
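
How the descending `--every` values in the script above spread packets evenly, as an added simulation that is not part of the original post. It assumes a rule with `--every K --packet 0` matches the first and then every Kth packet that reaches it; `simulate` and `tally` are names made up here, and the `fixed` mode shows what a constant `--every` would do instead.

```shell
#!/bin/sh
# Added example (not from the thread): model of the rule chain the script builds
# for ONE source port with num_packets_per_port=1.
# Assumption: "--every K --packet 0" matches the 1st, (K+1)th, (2K+1)th ...
# packet that reaches the rule; a matched packet is redirected and goes no further.

# simulate PORTS PACKETS [cascade|fixed]
#   cascade: rule r uses --every (PORTS - r), as in the script above
#   fixed:   every rule uses --every PORTS (shown only for comparison)
# Prints the destination index (0 .. PORTS-1) chosen for each packet.
simulate() {
  ports=$1 packets=$2 mode=${3:-cascade}
  r=0
  while [ "$r" -lt $((ports - 1)) ]; do eval "seen_$r=0"; r=$((r + 1)); done
  p=0 result=""
  while [ "$p" -lt "$packets" ]; do
    r=0
    while [ "$r" -lt $((ports - 1)) ]; do
      every=$((ports - r))
      if [ "$mode" = fixed ]; then every=$ports; fi
      eval "s=\$seen_$r; seen_$r=\$((s + 1))"   # per-rule packet counter
      if [ $((s % every)) -eq 0 ]; then break; fi
      r=$((r + 1))
    done
    # r == PORTS-1 here means no statistic rule fired: the last, unconditional rule
    result="$result$r "
    p=$((p + 1))
  done
  echo "${result% }"
}

# tally "SEQUENCE" PORTS: print how many packets each destination received
tally() {
  counts="" d=0
  while [ "$d" -lt "$2" ]; do
    c=0
    for x in $1; do
      if [ "$x" -eq "$d" ]; then c=$((c + 1)); fi
    done
    counts="$counts$c "
    d=$((d + 1))
  done
  echo "${counts% }"
}

echo "cascade: $(tally "$(simulate 4 16)" 4)"
echo "fixed:   $(tally "$(simulate 4 16 fixed)" 4)"
```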
 