
I am trying to understand how dnsmasq's forwarding works. What I read from the manual is this:

"[...]Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server.[...]"

So as far as I understand, if I do a DNS request, my machine asks dnsmasq for the IP address of a given domain. If dnsmasq cannot answer this, dnsmasq will forward this request "to a real, recursive, DNS server."

How does this forwarding work? I tried to answer this question by myself by way of googling but this did not really answer my question.

When I look at it via Wireshark I see this kind of pattern:

127.0.0.1   ->  127.0.1.1   (standard query)
192.168.1.2 ->  192.168.1.1 (standard query)
192.168.1.1 ->  192.168.1.2 (standard query response)
127.0.1.1   ->  127.0.0.1   (standard query response)

Can someone explain what is going on there?

Edit:

What I am asking is how dnsmasq knows what the answer of 192.168.1.1 is. In fact, 192.168.1.1 tells only 192.168.1.2 the IP address. How does 127.0.1.1 get to know the IP address? How is the information transferred?

I would expect something like this:

192.168.1.1 -> 127.0.1.1 OR
192.168.1.2 -> 127.0.1.1

I would expect that there is some routing going on to transfer the information, but there is not.

  • It's conditional forwarding: if the host isn't a match in dnsmasq, it queries a DNS server you specify to resolve it, which then passes it back to dnsmasq, which then gives it to your client. It seems like you know that, so I am not sure what you're asking. –  Nov 03 '16 at 15:02
  • I edited the original post. I hope you understand what I am asking for. – user3542317 Nov 03 '16 at 15:29

1 Answer


Wireshark works somewhere between Network and Transport on the TCP/IP model, so you're not seeing what data is being exchanged at the Application level. That is why your Wireshark output doesn't make much sense when you're trying to watch DNS. You're simply seeing the packets' flow and direction after the application has determined what is to occur. You would have to watch dnsmasq for the information you're looking for. If you add -q to your script that starts dnsmasq, it will send the log to syslog.

Here is an example output I was able to find.

Jan 17 23:33:15 server001 dnsmasq[10708]: query[A] sgi.com from 192.168.0.20
Jan 17 23:33:15 server001 dnsmasq[10708]: forwarded sgi.com to 127.0.0.2
Jan 17 23:33:15 server001 dnsmasq[10708]: query[AAAA] sgi.com from 192.168.0.20
Jan 17 23:33:15 server001 dnsmasq[10708]: forwarded sgi.com to 127.0.0.2
Jan 17 23:33:15 server001 dnsmasq[10708]: dnssec-query[DS] sgi.com to 127.0.0.2
Jan 17 23:33:15 server001 dnsmasq[10708]: dnssec-query[DS] sgi.com to 127.0.0.2
Jan 17 23:33:15 server001 dnsmasq[10708]: validation result is INSECURE
Jan 17 23:33:15 server001 dnsmasq[10708]: reply sgi.com is 192.48.138.174
Jan 17 23:33:15 server001 dnsmasq[10708]: validation result is INSECURE
Jan 17 23:33:15 server001 dnsmasq[10708]: reply sgi.com is NODATA-IPv6
  • Can you tell me how, or better, where to add the -q? As far as I know I have only the dnsmasq-base package and it starts automatically. This is Ubuntu 16.04. – user3542317 Nov 03 '16 at 16:36
  • Are you using Network Manager? That's probably what is starting it. I'd poke around with NM to find the command that's starting dnsmasq. I don't know the specific path. –  Nov 03 '16 at 16:51
  • Yes I am using Network Manager. Thank you for your effort by the way. – user3542317 Nov 03 '16 at 16:58
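
The four-line pattern in the question's capture can be reproduced with a toy UDP forwarder (an added example, not part of the original posts and not dnsmasq's code): the query arrives on one socket, goes upstream from a second socket of the same process, and the reply is copied back in memory, so no packet travels between the two exchanges. Assumptions: everything runs on loopback, and the stub upstream, the name example.test, the address 192.0.2.10 and all function names are constructed for illustration.

```python
import socket, struct, threading

def udp_socket(bind=False):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(2)
    if bind:
        s.bind(("127.0.0.1", 0))  # loopback, kernel-chosen port
    return s

def build_query(name, txid=0x1234):
    # Constructed sample input: a minimal DNS query for an A record.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def stub_upstream(sock, ip="192.0.2.10"):
    # Stand-in for the recursive server: answers one query with a fixed A record.
    query, peer = sock.recvfrom(512)
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    sock.sendto(header + query[12:] + rr, peer)

def forward_once(listener, upstream_addr, trace):
    query, client = listener.recvfrom(512)   # exchange 1: client -> forwarder
    trace.append(("query", client, listener.getsockname()))
    out = udp_socket()                       # second socket owned by the forwarder
    out.connect(upstream_addr)               # kernel picks the source address by route
    out.send(query)                          # exchange 2: forwarder -> upstream
    trace.append(("query", out.getsockname(), upstream_addr))
    reply = out.recv(512)                    # the answer is now in process memory
    trace.append(("response", upstream_addr, out.getsockname()))
    out.close()
    listener.sendto(reply, client)           # copied back over exchange 1
    trace.append(("response", listener.getsockname(), client))

def demo(name="example.test"):
    upstream, listener, client = udp_socket(True), udp_socket(True), udp_socket()
    trace = []
    workers = [threading.Thread(target=stub_upstream, args=(upstream,)),
               threading.Thread(target=forward_once,
                                args=(listener, upstream.getsockname(), trace))]
    for w in workers:
        w.start()
    client.sendto(build_query(name), listener.getsockname())
    reply = client.recv(512)
    for w in workers:
        w.join()
    for s in (upstream, listener, client):
        s.close()
    return trace, socket.inet_ntoa(reply[-4:])
```

Calling demo() returns the four recorded hops and the resolved address. The two middle hops use a different local port than the listener, which is why a capture shows two independent conversations.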