I'm using vagrant, libvirt and lxc to set up a Samba AD DC and a FreeIPA DC. The domain controllers have fixed IP addresses and both provide a DNS server for their domains. So I need forwarders for their domain names. What I need in the dnsmasq.conf that libvirt creates is the following:

server=/samba.site/192.168.122.10
server=/ipa.site/192.168.122.20

With these lines all queries for samba.site are redirected to the nameserver Samba is running. And the queries for ipa.site go to the IPA name server. However, if I look at the network XML format for libvirt I only see it supports:

<dns>
  <forwarder addr="8.8.8.8"/>
</dns>

https://libvirt.org/formatnetwork.html

Please add support so that I can specify a domain for the forwarder! Thanks.
I've actually had that on my private todo list for quite a while. Having somebody request it will hopefully move it higher on the list :-)
Posted a patch upstream: https://www.redhat.com/archives/libvir-list/2016-August/msg00642.html
Pushed upstream, will be in libvirt-2.2.0:

commit 0b6336c2d98ff0e3545a0334f506ae90b664c85f
Author: Laine Stump <laine>
Date:   Thu Aug 11 22:28:27 2016 -0400

    network: allow limiting a <forwarder> element to certain domains

    For some unknown reason the original implementation of the <forwarder>
    element only took advantage of part of the functionality in the dnsmasq
    feature it exposes - it allowed specifying the ip address of a DNS server
    which *all* DNS requests would be forwarded to, like this:

        <forwarder addr='192.168.123.25'/>

    This is a frontend for dnsmasq's "server" option, which also allows you to
    specify a domain that must be matched in order for a request to be
    forwarded to a particular server. This patch adds support for specifying
    the domain. For example:

        <forwarder domain='example.com' addr='192.168.1.1'/>
        <forwarder domain='www.example.com'/>
        <forwarder domain='travesty.org' addr='10.0.0.1'/>

    would forward requests for bob.example.com, ftp.example.com and
    joe.corp.example.com all to the DNS server at 192.168.1.1, but would
    forward requests for travesty.org and www.travesty.org to 10.0.0.1. And
    due to the second line, requests for www.example.com, and
    odd.www.example.com would be resolved by the libvirt network's own DNS
    server (i.e. they wouldn't be immediately forwarded) even though they
    also match 'example.com' - the match is given to the entry with the
    longest matching domain. DNS requests not matching any of the entries
    would be resolved by the libvirt network's own DNS server.
Hi Laine,

"DNS requests not matching any of the entries would be resolved by the libvirt network's own DNS server."

If I set this in the network's xml:

<dns>
  <forwarder domain='redhat.com'/>
  <forwarder domain='baidu.com' addr='8.8.8.8'/>
</dns>

The conf file will be like this:

# cat /var/lib/libvirt/dnsmasq/net2.conf
......
strict-order
no-resolv
server=/redhat.com/#
server=/baidu.com/8.8.8.8
....

The 'no-resolv' means "Don't read /etc/resolv.conf. Get upstream servers only from the command line or the dnsmasq configuration file." (As long as I set a forwarder, there will be "no-resolv".)

This will cause my guest to not get DNS service if I try to resolve any domain name other than "*.baidu.com". Is this expected? Or can we keep the host's name server as its upstream server?
You are correct. We should only add no-resolv if there is at least one <forwarder> that specifies an IP address with no qualifying domain. I just sent a patch to libvir-list to fix this: https://bugzilla.redhat.com/show_bug.cgi?id=1331796#c4
Oops, I cut/pasted the wrong link and didn't even notice! Here is the patch I sent upstream: https://www.redhat.com/archives/libvir-list/2017-March/msg00860.html
The fix for the issue in Comment 4 has been pushed to upstream libvirt, and will be in release 3.2.0:

commit 15b5902db939f2fadd32c91bc2fd66774ff89662
Author: Laine Stump <laine>
Date:   Fri Mar 17 12:25:43 2017 -0400

    network: don't add "no-resolv" if we still need DNS servers from resolv.conf
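As an added example (my own Python model, not libvirt's or dnsmasq's code), the following puts together the two rules this thread establishes: the longest-matching-domain dispatch from the 2.2.0 commit message, and the 3.2.0 rule that "no-resolv" is only emitted when some forwarder has an address but no domain. The mapping of a domain-only forwarder to "server=/domain/#" is taken from the config dump in Comment 4; the function names and the sample XML are assumptions constructed for the example.

```python
# Added example, not libvirt's own code: models how libvirt turns <dns><forwarder>
# elements into dnsmasq "server=" lines, and which forwarder a query ends up on.
import xml.etree.ElementTree as ET

# Constructed sample: the three <forwarder> lines from the 2.2.0 commit message.
EXAMPLE_NETWORK_XML = """<network><name>example</name><dns>
  <forwarder domain='example.com' addr='192.168.1.1'/>
  <forwarder domain='www.example.com'/>
  <forwarder domain='travesty.org' addr='10.0.0.1'/>
</dns></network>"""

def parse_forwarders(network_xml):
    """Return [(domain, addr)] pairs; either attribute may be absent (None)."""
    root = ET.fromstring(network_xml)
    return [(f.get("domain"), f.get("addr")) for f in root.iter("forwarder")]

def dnsmasq_lines(forwarders, fixed=True):
    """The server=/no-resolv lines for these forwarders (other options libvirt
    also writes, such as strict-order, are left out of this model).
    fixed=False: pre-3.2.0 behaviour, no-resolv whenever any forwarder exists.
    fixed=True:  the 3.2.0 rule, no-resolv only when some forwarder has an
    address but no domain, so non-matching queries still have an upstream."""
    lines = []
    for domain, addr in forwarders:
        target = addr or "#"          # '#' = resolve this domain by the normal path
        lines.append(f"server=/{domain}/{target}" if domain else f"server={target}")
    if forwarders and (not fixed or any(a and not d for d, a in forwarders)):
        lines.append("no-resolv")
    return lines

def pick_forwarder(forwarders, name):
    """dnsmasq's longest-matching-domain rule. Returns the winning addr, '#' when
    the best match has no addr (the network's own DNS answers it), or None when
    nothing matches (the query follows the default upstream path)."""
    labels = name.lower().rstrip(".").split(".")
    best, best_len = None, -1
    for domain, addr in forwarders:
        if domain is None:
            depth = 0                 # a domain-less forwarder is a catch-all
        else:
            dl = domain.lower().split(".")
            if labels[-len(dl):] != dl:
                continue
            depth = len(dl)
        if depth > best_len:
            best, best_len = addr or "#", depth
    return best

if __name__ == "__main__":
    fwds = parse_forwarders(EXAMPLE_NETWORK_XML)
    print("\n".join(dnsmasq_lines(fwds)))
    for q in ("bob.example.com", "www.example.com", "www.travesty.org", "example.org"):
        print(q, "->", pick_forwarder(fwds, q))
```

Running it with the Comment 4 pair (redhat.com with no address, baidu.com with 8.8.8.8) and fixed=False reproduces the "no-resolv" line that broke the guest's resolution; with fixed=True the line is gone.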