[libvirt-users] Specify DNS and gateway for dnsmasq

Gionatan Danti g.danti at assyoma.it
Wed Mar 14 07:21:50 UTC 2018


On 13-03-2018 20:48 Laine Stump wrote:
> On 03/13/2018 11:08 AM, Gionatan Danti wrote:
>> On 13/03/2018 15:30, Michal Privoznik wrote:
>>> The default GW depends on
>>> the IP address you assigned to your network:
>>> 
>>> <ip address='192.168.122.1' netmask='255.255.255.0'/>
>>> 
>>> This says the default GW is 192.168.122.1/24. However, you can insert
>>> other routes too:
>>> 
>>> <route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>
> 
> ...however this wouldn't be of use to you - the routes listed in a
> libvirt network are routes that are added on the *host*, not on the
> guest. (these are used when there is a network behind a guest that the
> host can only access via that guest).
> 
>>> 
>>> For handling DNS, you need to focus on the <dns/> element. For instance, to
>>> set a different forwarder than GW:
>>> 
>>> <dns>
>>>    <forwarder addr="8.8.8.8"/>
>>> </dns>
>> 
>> For NATed/routed networks, sure. However, I have an isolated network
>> like that (without the "forward" element):
> 
> We don't want DNS requests to be forwarded by dnsmasq from an isolated
> network - forwarded DNS requests and responses can be used as a
> clandestine medium for communicating outside the guest (we actually had
> a bug report about this).
> 
> libvirt's virtual networks are intended to be a simple way to set up the
> most common networking scenario. It sounds like you're beyond that, so
> you probably should do your own network setup on the host outside of
> libvirt. A libvirt virtual network is really just the combination of a
> bridge device, a dnsmasq instance + config, some iptables rules, and
> optionally some routes.
> 
>> 
>> <network>
>>   <name>net1</name>
>>   <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
>>   <bridge name='virbr1' stp='on' delay='0'/>
>>   <mac address='52:54:00:97:1b:15'/>
>>   <domain name='TEST'/>
>>   <ip address='192.168.10.1' netmask='255.255.255.0'>
>>     <dhcp>
>>       <range start='192.168.10.128' end='192.168.10.254'/>
>>     </dhcp>
>>   </ip>
>> </network>
>> 
>> When the client asks for an IP via DHCP, it obtains a valid IP address
>> but *no* gateway. Is it the expected behavior for an isolated network?
>> From my understanding, network isolation is accomplished by firewall
>> rules in the FORWARD table, rather than by not assigning the gateway IP
>> address to clients.
> 
> It does both of those things (no gateway combined with iptables rules to
> prevent traffic from being forwarded from the bridge). Why set a default
> gateway when 1) it can't be used and 2) it may conflict with the default
> gateway set on a 2nd interface in the guest that *can* be used to reach
> outside the host? (a common use of an isolated network is to contain
> inter-guest communication between guests that have 2nd interfaces used
> for communication with the outside).

Hi Laine,
thanks for the detailed answer!

One more question: what about setting a custom DNS? For example, 
consider the scenario where a specific guest acts as a DNS server (i.e. 
an Active Directory server) and other clients in the same isolated network 
should use its IP address as DNS.

If I understand it correctly, I can use the "dns forward" directive to, 
well, forward dnsmasq's requests to the specific IP address. But what 
about directly assigning the correct DNS server to the running guests?

Thanks.

-- 
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
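As an added example (not code from this thread or from libvirt), the following script audits libvirt `<network>` definitions for the points Laine raises above: whether a network is isolated (no `<forward/>`), whether DHCP clients will therefore receive no default gateway, whether DNS forwarders are configured on an isolated network (the covert-channel concern), and the fact that `<route>` entries apply on the host rather than in guests. It also checks that DHCP ranges fall inside the declared subnet. It uses only the Python standard library and takes the XML that `virsh net-dumpxml` prints. The two sample definitions are constructed for the example; the first copies the isolated `net1` network quoted in the thread, the second is an assumed NAT network built from the elements Michal showed.

```python
"""Audit libvirt <network> XML for isolation, DHCP gateway, DNS forwarders
and host-side routes.  Added example, not code from the thread or libvirt."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the isolated 'net1' network from the thread (no <forward/>).
ISOLATED_NET = """<network>
  <name>net1</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <domain name='TEST'/>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.10.128' end='192.168.10.254'/>
    </dhcp>
  </ip>
</network>"""

# Constructed sample: a NAT network with a DNS forwarder and a host-side route.
NAT_NET = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <dns>
    <forwarder addr='8.8.8.8'/>
  </dns>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.2' end='192.168.122.254'/>
    </dhcp>
  </ip>
  <route address='192.168.222.0' prefix='24' gateway='192.168.122.2'/>
</network>"""


def audit_network(xml_text):
    """Parse one <network> definition and return a summary with review findings."""
    root = ET.fromstring(xml_text)
    if root.tag != "network":
        raise ValueError("expected a <network> root element")

    # No <forward/> at all means an isolated network; a bare <forward/>
    # defaults to NAT in libvirt.
    forward = root.find("forward")
    mode = "isolated" if forward is None else forward.get("mode", "nat")
    isolated = mode == "isolated"

    findings, subnets, host_addrs, dhcp_ranges = [], [], [], []
    for ip in root.findall("ip"):
        addr = ip.get("address")
        if addr is None:
            continue
        # IPv4 uses netmask= or prefix=, IPv6 uses prefix=; the fallback
        # lengths are an assumption for definitions that give neither.
        default_len = "64" if ip.get("family") == "ipv6" else "24"
        mask = ip.get("netmask") or ip.get("prefix") or default_len
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        subnets.append(str(net))
        host_addrs.append(addr)
        for rng in ip.findall("dhcp/range"):
            start = ipaddress.ip_address(rng.get("start"))
            end = ipaddress.ip_address(rng.get("end"))
            dhcp_ranges.append((str(start), str(end)))
            if start > end or start not in net or end not in net:
                findings.append(f"DHCP range {start}-{end} is not inside {net}")

    forwarders = [f.get("addr") for f in root.findall("dns/forwarder") if f.get("addr")]
    routes = [(r.get("address"), r.get("prefix") or r.get("netmask"), r.get("gateway"))
              for r in root.findall("route")]

    if isolated:
        findings.append("isolated network: DHCP clients get an address but no default "
                        "gateway, and host iptables rules block forwarding off the bridge")
        if forwarders:
            # Forwarded DNS from an isolated network can carry data out of the
            # guest, which is why libvirt does not forward it (see the thread).
            findings.append(f"DNS forwarders {forwarders} on an isolated network: "
                            "review; forwarded DNS is a potential covert channel")
    for dest, plen, gw in routes:
        findings.append(f"route {dest}/{plen} via {gw} is installed on the host, "
                        "not handed to guests")

    return {
        "name": root.findtext("name"),
        "mode": mode,
        "subnets": subnets,
        # dnsmasq hands out the <ip address> as router only on non-isolated networks.
        "dhcp_default_gateway": [] if isolated else host_addrs,
        "dhcp_ranges": dhcp_ranges,
        "dns_forwarders": forwarders,
        "host_routes": routes,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in (ISOLATED_NET, NAT_NET):
        report = audit_network(sample)
        print(f"{report['name']}: mode={report['mode']} subnets={report['subnets']}")
        for line in report["findings"]:
            print("  -", line)
```

To run it against a live host, feed `audit_network` the output of `virsh net-dumpxml <name>` for each network listed by `virsh net-list --all`; the findings list is meant to be read alongside the definition, not acted on automatically.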