[libvirt-users] add external access to routed dnsmasq

Laine Stump laine at laine.org
Mon Apr 11 18:05:12 UTC 2016


On 04/04/2016 04:24 PM, Jeff wrote:
> I have created a routed virtual network. From within the routed net,
> DNS requests to the dnsmasq interface virbr2 work fine.
>
> On the libvirt host, DNS requests to the dnsmasq interface virbr2 work fine.
>
> I would like to allow external hosts, on the same network as the
> libvirt host, to query the dnsmasq interface. However external DNS
> queries to the virbr2 interface time out.
>
> The iptables firewall for this interface and port look clear.

This is purposefully disabled by the option "--bind-dynamic" that 
libvirt passes to dnsmasq when starting it, in response to CVE-2012-3411:

https://bugzilla.redhat.com/show_bug.cgi?id=833033
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3411


> question: How to enable external dns queries to my routed virtual network?

The dnsmasq started by libvirtd can only be queried from the host or 
from a virtual guest that is attached to the same network as the 
dnsmasq, and libvirt doesn't have an option to change this. However, you 
can run a separate dnsmasq on the host that forwards queries for the 
domain named in the libvirt config to the IP address of the network 
(which ends up being the IP address of the bridge created for the 
network). You would then point the rest of your DNS infrastructure to 
the host's public IP address for that same domain.

Note that if you do this, you may need to set the "localOnly" attribute 
to no in the libvirt network config in order to prevent an infinite loop 
when trying to resolve an unknown name in the libvirt network's domain 
(search for "localOnly" in this page for an explanation: 
http://www.libvirt.org/formatnetwork.html )
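As an added illustration (not part of Laine's reply or of libvirt), here is a host-side dnsmasq forwarder configuration for the setup described above; the domain vm.example, the bridge address 192.168.100.1, the LAN interface eth0 and the file path are assumed placeholders.

```ini
# /etc/dnsmasq.d/libvirt-forward.conf  (assumed path; a second dnsmasq
# instance on the host, separate from the one libvirtd starts)

# Listen only on the host's LAN interface. libvirt's own dnsmasq already
# owns port 53 on virbr2 (via --bind-dynamic), so exclude that bridge and
# loopback to avoid a bind conflict and to keep this instance LAN-facing.
interface=eth0
bind-interfaces
except-interface=virbr2
except-interface=lo
port=53

# Forward everything under the libvirt network's domain to the network's
# IP address, i.e. the address of the bridge created for the network.
# The matching libvirt network XML carries <domain name='vm.example' .../>;
# see the localOnly discussion in formatnetwork.html linked above.
server=/vm.example/192.168.100.1

# Act as a pure forwarder for that zone: do not read /etc/resolv.conf or
# /etc/hosts, so unrelated names are not answered from this instance.
no-resolv
no-hosts
domain-needed
bogus-priv

# The rest of the DNS infrastructure then delegates vm.example to the
# host's LAN address, e.g. a conditional forwarder for vm.example
# pointing at the host's eth0 IP.
```

After restarting dnsmasq, a query from another LAN host such as `dig @<host-lan-ip> guest1.vm.example` should be answered from the libvirt network's dnsmasq via this forwarder.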
