
Re: [libvirt-users] add external access to routed dnsmasq



On 04/04/2016 04:24 PM, Jeff wrote:
I have created a routed virtual network. From within the routed net,
DNS requests to the dnsmasq interface virbr2 work fine.

On the libvirt host, DNS requests to the dnsmasq interface virbr2 work fine.

I would like to allow external hosts, on the same network as the
libvirt host, to query the dnsmasq interface. However external DNS
queries to the virbr2 interface time out.

The iptables firewall for this interface and port looks clear.

This is purposefully disabled by the option "--bind-dynamic" that libvirt passes to dnsmasq when starting it, in response to CVE-2012-3411:

https://bugzilla.redhat.com/show_bug.cgi?id=833033
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3411


Question: How to enable external DNS queries to my routed virtual network?

The dnsmasq started by libvirtd can only be queried from the host or from a virtual guest that is attached to the same network as the dnsmasq, and libvirt doesn't have an option to change this. However, you can run a separate dnsmasq on the host that forwards queries for the domain named in the libvirt config to the IP address of the network (which ends up being the IP address of the bridge created for the network). You would then point the rest of your DNS infrastructure to the host's public IP address for that same domain.

Note that if you do this, you may need to set the "localOnly" attribute to no in the libvirt network config in order to prevent an infinite loop when trying to resolve an unknown name in the libvirt network's domain (search for "localOnly" in this page for an explanation: http://www.libvirt.org/formatnetwork.html )
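
The forwarding setup described in the reply above, as an added example that is not part of the original message or of libvirt: a Python helper that reads the libvirt network XML and emits the configuration for the separate host-side dnsmasq, bound to one LAN address and forwarding only the libvirt domain. The function name, the sample XML, the domain and all addresses are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of `virsh net-dumpxml` output; every value is a placeholder.
SAMPLE_NETWORK_XML = """
<network>
  <name>routed0</name>
  <forward mode='route'/>
  <bridge name='virbr2'/>
  <domain name='vms.example.test'/>
  <ip address='192.0.2.1' netmask='255.255.255.0'/>
</network>
"""


def forwarder_config(network_xml, host_lan_ip):
    """Return dnsmasq config lines for the separate forwarder (hypothetical helper)."""
    net = ET.fromstring(network_xml)
    domain = net.find("domain")
    name = domain.get("name", "") if domain is not None else ""
    # Reject anything that could break out of the server=/domain/ip syntax.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", name):
        raise ValueError("network has no usable <domain name=...>")
    # The IPv4 <ip> address is the bridge IP where libvirt's dnsmasq answers.
    bridge_ip = None
    for ip in net.findall("ip"):
        if ip.get("family", "ipv4") == "ipv4" and ip.get("address"):
            bridge_ip = ipaddress.ip_address(ip.get("address"))
            break
    if bridge_ip is None:
        raise ValueError("network has no IPv4 <ip address=...>")
    listen = ipaddress.ip_address(host_lan_ip)
    if listen.is_unspecified or listen == bridge_ip:
        raise ValueError("listen address must be one specific host LAN address")
    return [
        "bind-interfaces",                # bind only the address listed below
        f"listen-address={listen}",       # the host's LAN-facing address
        "no-resolv",                      # no default upstream from resolv.conf
        "no-hosts",                       # do not serve the host's /etc/hosts
        f"server=/{name}/{bridge_ip}",    # forward only the libvirt domain
    ]


if __name__ == "__main__":
    print("\n".join(forwarder_config(SAMPLE_NETWORK_XML, "198.51.100.10")))
```

Because the forwarder has no default upstream, it serves only names under the libvirt domain rather than acting as a general resolver for the external network.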


