
pdns_recursor should support explicitly configuring query source address
Closed, Resolved · Public

Description

In certain split DNS configurations, there is a need for more fine-grained control over the local address DNS forwarding uses to issue queries.

Consider a VyOS device with the following topology:

  • WAN eth0
  • LAN eth1 10.5.1.1/24
  • Site-to-Site VTI vti0 169.254.47.194/30
  • Remote site 10.10.1.1/24 behind VPN (routed via vti0)

There are some number of intermediate routers between the VyOS device and subnet 10.10.1.1/24. The point-to-point interface address (169.xxx) is not advertised to subsequent routers.

Suppose I want to split tunnel domains under remotesite1.mydomain.com to a DNS server at 10.10.1.5. The default pdns_recursor behavior will select the source address of the DNS query packet based on the outbound interface of the query (which is determined by the OS to be vti0). Thus the query gets issued with a source of 169.254.47.194, which is not routable on the DNS server's subnet. The query will be unroutable and the reply will never arrive.

dnsmasq supports a syntax in the server definition where the query source address can be explicitly defined. For example `server=/remotesite1.mydomain.com/10.10.1.5@10.5.1.1`.

The equivalent in pdns_recursor appears to be the query-local-address option in recursor.conf. We should expose this setting to the config. I have not located an obvious way to set the source address per-downstream resolver, but some control is better than no control.
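The recursor.conf fragment below is an added illustration for the topology above, not part of the task or of VyOS; it assumes that 10.5.1.1 (the LAN address) is advertised to, and therefore routable from, the remote site's 10.10.1.0/24 subnet, and that the recursor reads the standard `forward-zones` and `query-local-address` settings.

```ini
# Added example (not from the task): /etc/powerdns/recursor.conf for the split
# DNS case above. Assumes the LAN address 10.5.1.1 is reachable from the
# remote site, while the vti0 address 169.254.47.194 is not.

# Queries for the split-tunnel domain go to the resolver at the remote site.
forward-zones=remotesite1.mydomain.com=10.10.1.5

# Weak (default) setting: 0.0.0.0 means "let the kernel choose". For a
# destination reached via vti0 the kernel picks 169.254.47.194, and the
# remote resolver has no route back to it, so the query is silently lost.
# query-local-address=0.0.0.0

# Corrected setting: pin the source to the advertised LAN address so the
# reply can be routed back over the tunnel.
query-local-address=10.5.1.1
```

Two caveats a practitioner should keep in mind. First, `query-local-address` is global: every outgoing query, including those to WAN upstreams, is now sourced from 10.5.1.1, so that address must also be a valid source for the WAN path (typically it is, because egress NAT rewrites it). Second, the setting accepts a comma-separated list of addresses, but the recursor picks one at random per query rather than per zone, so it cannot emulate dnsmasq's per-server `@source` syntax; this is why the task settles for global control. To confirm the fix took effect, capture on the tunnel interface (for example `tcpdump -ni vti0 udp port 53`) and check that queries to 10.10.1.5 now carry the 10.5.1.1 source.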

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible