[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt-users] Specify DNS and gateway for dnsmasq

Il 13-03-2018 20:48 Laine Stump ha scritto:
On 03/13/2018 11:08 AM, Gionatan Danti wrote:
On 13/03/2018 15:30, Michal Privoznik wrote:> The default GW depends on
the IP address you assigned to your network:

<ip address='' netmask=''/>

This says the default GW is However, you can insert
other routes too:

<route address="" prefix="24" gateway=""/>

...however this wouldn't be of use to you - the routes listed in a
libvirt network are routes that are added on the *host*, not on the
guest. (these are used when there is a network behind a guest that the
host can only access via that guest).

For handling DNS, you need to focus on <dns/> element. For instance, to
set a different forwarder than GW:

   <forwarder addr=""/>

For NATed/routed networks, sure. However, I have an isolated network
like that (without the "forward" element):

We don't want DNS requests to be forwarded by dnsmasq from an isolated
network - forwarded DNS requests and responses can be used as a
clandestine medium for communicating outside the guest (we actually had
a bug report about this).

libvirt's virtual networks are intended to be a simple way to setup the
most common networking scenario. It sounds like you're beyond that, so
you probably should do your own network setup on the host outside of
libvirt. A libvirt virtual network is really just the combination of a
bridge device, a dnsmasq instance + config, some iptables rules, and
optionally some routes.

  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:97:1b:15'/>
  <domain name='TEST'/>
  <ip address='' netmask=''>
      <range start='' end=''/>

When the client asks for an IP via DHCP, it obtain a valid IP address
but *no* gateway. Is it the expected behavior for an isolated network?
From my understanding, network isolation is accomplished by firewall
rules in the FORWARD table, rather than by not assigning the gateway IP
address to clients.

It does both of those things (no gateway combined with iptables rules to prevent traffic from being forwarded from the bridge). Why set a default gateway when 1) it can't be used and 2) it may conflict with the default
gateway set on a 2nd interface in the guest that *can* be used to reach
outside the host? (a common use of an isolated network is to to contain
inter-guest communication between guests that have 2nd interfaces used
for communication with the outside).

Hi Laine,
thanks for the detailed answer!

One more question: what about setting a custom DNS? For example, consider the scenario where a specific guest acts as a DNS server (ie: active directory server) and other clients in the same isolated network should use its IP address as DNS.

If I understand it correctly, I can use the "dns forward" directive to, well, forward dnsmasq's requests to the specific IP address. But what about directly assigning the correct DNS server to the running guests?


Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g danti assyoma it - info assyoma it
GPG public key ID: FF5F32A8

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]