Bug 1331796

Summary: RFE: network: allow specifying domain forwarder (dnsmasq server= option)
Product: [Community] Virtualization Tools Reporter: Andreas Schneider <asn>
Component: libvirtAssignee: Laine Stump <laine>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: crobinso, dyuan, laine, libvirt-maint, rbalakri, yalzhang
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-20 01:46:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andreas Schneider 2016-04-29 14:18:19 UTC 
I'm using vagrant, libvirt and lxc to setup a Samba AD DC and FreeIPA DC. The domain controllers have fixed ip addresses and both provide a DNS server for their domains. So I need forwarders for their domain names.

What I need in the dnsmasq.conf that libvirt creates is the following:

server=/samba.site/192.168.122.10
server=/ipa.site/192.168.122.20

With these lines all queries for samba.site are redirected to the nameserver Samba is running. And the queries for ipa.site are going to the IPA name server.

However if I look at this network xml format for libvirt I only see it supports:

<dns>
  <forwarder addr="8.8.8.8"/>
</dns>

https://libvirt.org/formatnetwork.html

Please add support that I can specify a domain for the forwarder! Thanks.
Comment 1 Laine Stump 2016-05-02 13:43:05 UTC 
I've actually had that on my private todo list for quite awhile. Having somebody request it will hopefully move it higher on the list :-)
Comment 2 Laine Stump 2016-08-14 04:10:01 UTC 
Posted a patch upstream:

https://www.redhat.com/archives/libvir-list/2016-August/msg00642.html
Comment 3 Laine Stump 2016-08-20 01:46:04 UTC 
Pushed upstream, will be in libvirt-2.2.0:

commit 0b6336c2d98ff0e3545a0334f506ae90b664c85f
Author: Laine Stump <laine>
Date:   Thu Aug 11 22:28:27 2016 -0400

    network: allow limiting a <forwarder> element to certain domains
    
    For some unknown reason the original implementation of the <forwarder>
    element only took advantage of part of the functionality in the
    dnsmasq feature it exposes - it allowed specifying the ip address of a
    DNS server which *all* DNS requests would be forwarded to, like this:
    
       <forwarder addr='192.168.123.25'/>
    
    This is a frontend for dnsmasq's "server" option, which also allows
    you to specify a domain that must be matched in order for a request to
    be forwarded to a particular server. This patch adds support for
    specifying the domain. For example:
    
       <forwarder domain='example.com' addr='192.168.1.1'/>
       <forwarder domain='www.example.com'/>
       <forwarder domain='travesty.org' addr='10.0.0.1'/>
    
    would forward requests for bob.example.com, ftp.example.com and
    joe.corp.example.com all to the DNS server at 192.168.1.1, but would
    forward requests for travesty.org and www.travesty.org to
    10.0.0.1. And due to the second line, requests for www.example.com,
    and odd.www.example.com would be resolved by the libvirt network's own
    DNS server (i.e. thery wouldn't be immediately forwarded) even though
    they also match 'example.com' - the match is given to the entry with
    the longest matching domain. DNS requests not matching any of the
    entries would be resolved by the libvirt network's own DNS server.
Comment 4 yalzhang@redhat.com 2017-03-17 03:06:35 UTC 
Hi Laine,

"DNS requests not matching any of the entries would be resolved by the libvirt network's own DNS server."

If I set this in the network's xml:

  <dns>
    <forwarder domain='redhat.com'/>
    <forwarder domain='baidu.com' addr='8.8.8.8'/>
  </dns>

The conf file will be like this:

# cat /var/lib/libvirt/dnsmasq/net2.conf
......
strict-order
no-resolv   
server=/redhat.com/#
server=/baidu.com/8.8.8.8
....

The 'no-resolv' means "Don't read /etc/resolv.conf. Get upstream servers only from the command line or the dnsmasq configuration file." (As long as I set forwarder, there will be "no-resolv")

This will cause my guest can not get the dns service if I try to resolve any domain name other than "*.baidu.com".

If this is expected? Or we can reserve the host's name server as its upstream server?
Comment 5 Laine Stump 2017-03-17 16:34:31 UTC 
You are correct. We should only add no-resolv if there is at least one <forwarder> that specifies an IP address with no qualifying domain.

I just sent a patch to libvir-list to fix this:

  https://bugzilla.redhat.com/show_bug.cgi?id=1331796#c4
Comment 6 Laine Stump 2017-03-21 13:50:17 UTC 
Oops, I cut/pasted the wrong link and didn't even notice! Here is the patch I sent upstream:

https://www.redhat.com/archives/libvir-list/2017-March/msg00860.html
Comment 7 Laine Stump 2017-03-21 15:40:22 UTC 
The fix for the issue in Comment 4 has been pushed to upstream libvirt, and will be in release 3.2.0:

commit 15b5902db939f2fadd32c91bc2fd66774ff89662
Author: Laine Stump <laine>
Date:   Fri Mar 17 12:25:43 2017 -0400

    network: don't add "no-resolv" if we still need DNS servers from resolv.conf