[libvirt-users] Specify DNS and gateway for dnsmasq
Gionatan Danti
2018-03-12 17:45:10 UTC
Hi all,
how can I set DHCP options such as DNS, gateway, etc. in libvirt's network
definitions?

From what I read here[1], I can use the <option> tag. However, I cannot
find anything in libvirt's official documentation.

Am I missing something?
Thanks.

[1] https://www.redhat.com/archives/libvir-list/2013-March/msg00166.html
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: ***@assyoma.it - ***@assyoma.it
GPG public key ID: FF5F32A8
Michal Privoznik
2018-03-13 14:30:18 UTC
Post by Gionatan Danti
Hi all,
how can I set DHCP options such as DNS, gateway, etc. in libvirt's network
definitions?
The default GW depends on the IP address you assigned to your network:

<ip address='192.168.122.1' netmask='255.255.255.0'/>

This says the default GW is 192.168.122.1/24. However, you can insert
other routes too:

<route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>

For handling DNS, you need to focus on <dns/> element. For instance, to
set a different forwarder than GW:

<dns>
<forwarder addr="8.8.8.8"/>
</dns>

It's all documented here:

https://libvirt.org/formatnetwork.html#elementsStaticroute

and in the subsequent section.
Post by Gionatan Danti
From what I read here[1], I can use the <option> tag. However, I cannot
find anything in libvirt's official documentation.
No, that was just a proposal: an RFC, a discussion of how we should
implement some special features of DHCP. Those are not patches, and in
fact the patches implementing that were never merged.

Michal
Gionatan Danti
2018-03-13 15:08:49 UTC
On 13/03/2018 15:30, Michal Privoznik wrote:> The default GW depends on
Post by Michal Privoznik
<ip address='192.168.122.1' netmask='255.255.255.0'/>
This says the default GW is 192.168.122.1/24. However, you can insert
<route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>
For handling DNS, you need to focus on <dns/> element. For instance, to
<dns>
<forwarder addr="8.8.8.8"/>
</dns>
For NATed/routed networks, sure. However, I have an isolated network
like that (without the "forward" element):

<network>
<name>net1</name>
<uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
<bridge name='virbr1' stp='on' delay='0'/>
<mac address='52:54:00:97:1b:15'/>
<domain name='TEST'/>
<ip address='192.168.10.1' netmask='255.255.255.0'>
<dhcp>
<range start='192.168.10.128' end='192.168.10.254'/>
</dhcp>
</ip>
</network>

When the client asks for an IP via DHCP, it obtains a valid IP address
but *no* gateway. Is it the expected behavior for an isolated network?
From my understanding, network isolation is accomplished by firewall
rules in the FORWARD table, rather than by not assigning the gateway IP
address to clients.
Post by Michal Privoznik
No, that was just a proposal: an RFC, a discussion of how we should
implement some special features of DHCP. Those are not patches, and in
fact the patches implementing that were never merged.
Michal
Ok, thank you Michal.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: ***@assyoma.it - ***@assyoma.it
GPG public key ID: FF5F32A8
Laine Stump
2018-03-13 19:48:59 UTC
Post by Gionatan Danti
On 13/03/2018 15:30, Michal Privoznik wrote:> The default GW depends on
Post by Michal Privoznik
<ip address='192.168.122.1' netmask='255.255.255.0'/>
This says the default GW is 192.168.122.1/24. However, you can insert
<route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>
...however this wouldn't be of use to you - the routes listed in a
libvirt network are routes that are added on the *host*, not on the
guest. (These are used when there is a network behind a guest that the
host can only access via that guest.)
Post by Gionatan Danti
Post by Michal Privoznik
For handling DNS, you need to focus on <dns/> element. For instance, to
<dns>
   <forwarder addr="8.8.8.8"/>
</dns>
For NATed/routed networks, sure. However, I have an isolated network
We don't want DNS requests to be forwarded by dnsmasq from an isolated
network - forwarded DNS requests and responses can be used as a
clandestine medium for communicating outside the guest (we actually had
a bug report about this).

libvirt's virtual networks are intended to be a simple way to set up the
most common networking scenarios. It sounds like you're beyond that, so
you probably should do your own network setup on the host outside of
libvirt. A libvirt virtual network is really just the combination of a
bridge device, a dnsmasq instance + config, some iptables rules, and
optionally some routes.
Post by Gionatan Danti
<network>
  <name>net1</name>
  <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:97:1b:15'/>
  <domain name='TEST'/>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.10.128' end='192.168.10.254'/>
    </dhcp>
  </ip>
</network>
When the client asks for an IP via DHCP, it obtains a valid IP address
but *no* gateway. Is it the expected behavior for an isolated network?
From my understanding, network isolation is accomplished by firewall
rules in the FORWARD table, rather than by not assigning the gateway IP
address to clients.
It does both of those things (no gateway combined with iptables rules to
prevent traffic from being forwarded from the bridge). Why set a default
gateway when 1) it can't be used and 2) it may conflict with the default
gateway set on a 2nd interface in the guest that *can* be used to reach
outside the host? (A common use of an isolated network is to contain
inter-guest communication between guests that have 2nd interfaces used
for communication with the outside.)
Gionatan Danti
2018-03-14 07:21:50 UTC
Post by Laine Stump
Post by Gionatan Danti
On 13/03/2018 15:30, Michal Privoznik wrote:> The default GW depends on
Post by Michal Privoznik
<ip address='192.168.122.1' netmask='255.255.255.0'/>
This says the default GW is 192.168.122.1/24. However, you can insert
<route address="192.168.222.0" prefix="24" gateway="192.168.122.2"/>
...however this wouldn't be of use to you - the routes listed in a
libvirt network are routes that are added on the *host*, not on the
guest. (These are used when there is a network behind a guest that the
host can only access via that guest.)
Post by Gionatan Danti
Post by Michal Privoznik
For handling DNS, you need to focus on <dns/> element. For instance, to
<dns>
   <forwarder addr="8.8.8.8"/>
</dns>
For NATed/routed networks, sure. However, I have an isolated network
We don't want DNS requests to be forwarded by dnsmasq from an isolated
network - forwarded DNS requests and responses can be used as a
clandestine medium for communicating outside the guest (we actually had
a bug report about this).
libvirt's virtual networks are intended to be a simple way to set up the
most common networking scenarios. It sounds like you're beyond that, so
you probably should do your own network setup on the host outside of
libvirt. A libvirt virtual network is really just the combination of a
bridge device, a dnsmasq instance + config, some iptables rules, and
optionally some routes.
Post by Gionatan Danti
<network>
  <name>net1</name>
  <uuid>dcf5c09b-dcb6-4fd3-86b8-6312a7b94bf6</uuid>
  <bridge name='virbr1' stp='on' delay='0'/>
  <mac address='52:54:00:97:1b:15'/>
  <domain name='TEST'/>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.10.128' end='192.168.10.254'/>
    </dhcp>
  </ip>
</network>
When the client asks for an IP via DHCP, it obtains a valid IP address
but *no* gateway. Is it the expected behavior for an isolated network?
From my understanding, network isolation is accomplished by firewall
rules in the FORWARD table, rather than by not assigning the gateway IP
address to clients.
It does both of those things (no gateway combined with iptables rules to
prevent traffic from being forwarded from the bridge). Why set a default
gateway when 1) it can't be used and 2) it may conflict with the default
gateway set on a 2nd interface in the guest that *can* be used to reach
outside the host? (A common use of an isolated network is to contain
inter-guest communication between guests that have 2nd interfaces used
for communication with the outside.)
Hi Laine,
thanks for the detailed answer!

One more question: what about setting a custom DNS? For example,
consider the scenario where a specific guest acts as a DNS server (i.e.
an Active Directory server) and other clients in the same isolated
network should use its IP address as DNS.

If I understand it correctly, I can use the "dns forward" directive to,
well, forward dnsmasq's requests to the specific IP address. But what
about directly assigning the correct DNS server to the running guests?

Thanks.
--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: ***@assyoma.it - ***@assyoma.it
GPG public key ID: FF5F32A8
Laine Stump
2018-03-16 14:34:44 UTC
Post by Gionatan Danti
One more question: what about setting a custom DNS? For example,
active directory server) and other clients in the same isolated network
should use its IP address as DNS.
If I understand it correctly, I can use the "dns forward" directive to,
well, forward dnsmasq's requests to the specific IP address.
This *should* work. When a network is isolated, we add "no-resolv" to
the dnsmasq conf file to prevent having unresolvable requests forwarded
to the hosts listed in /etc/resolv.conf on the host, but since
<forwarder> is handled by adding a server= option to dnsmasq.conf, that
should still work (I haven't tried it though).
Post by Gionatan Danti
But what
about directly assigning the correct DNS server to the running guests?
That would be nice, but there is no support for it.
TSHIMANGA Minkoka
2018-03-16 15:27:39 UTC
Dears,
This is my first post in this mailing list. I have browsed the archives, but I
have not found a solution to my concern, so I decided to open a new thread.
Please excuse me if it has already been addressed here or somewhere else, and
just provide me directions to the solutions.

I am using Fedora 27 with kernel 4.15.8-300.fc27.x86_64 and KVM libvirt
3.7.0-4.fc27.x86_64.

My need is to be able to have the DNS server initialized by the KVM default
network answer DNS MX queries for the domain. The idea is to have something
similar to the MX record lines below in the default network XML.
<network>
  <name>default</name>
  <uuid>11111111-2222-3333-4444-555555555555</uuid>
  <forward mode='nat'>
    <nat>
      <port start='1024' end='65535'/>
    </nat>
  </forward>
  <bridge name='virbr0' stp='on' delay='0'/>
  <mac address='52:54:00:00:00:01'/>
  <domain name='example.com' localOnly='yes'/>
  <dns enable='yes' forwardPlainNames='no'>
    <mx domain='example.com' target='mail' priority='10'/>
    <mx domain='example.com' target='mail_backup' priority='20'/>
  </dns>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.100' end='192.168.122.199'/>
      <host mac='52:54:00:00:00:10' name='mail.example.com' ip='192.168.122.10'/>
      <host mac='52:54:00:00:00:20' name='mail_backup.example.com' ip='192.168.122.20'/>
    </dhcp>
  </ip>
</network>
So that queries such as the one below:

dig @192.168.122.1 -t MX example.com

give answers such as the following:
; <<>> DiG 9.11.2-P1-RedHat-9.11.2-1.P1.fc27 <<>> -t MX example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61856
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;example.com.                   IN      MX

;; ANSWER SECTION:
example.com.            3600    IN      MX      10 mail.example.com.
example.com.            3600    IN      MX      20 mail_backup.example.com.

;; Query time: 558 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Fri Mar 16 16:21:00 WAT 2018
;; MSG SIZE  rcvd: 96

Best regards,
Tshimanga
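The thread makes two points that are easy to check by reading the network definition rather than the guest: Laine's remark that an isolated network (no <forward/> element) gets no gateway and a "no-resolv" dnsmasq configuration while a <forwarder> still becomes a server= line, and Tshimanga's question about <mx> records in <dns>. The script below is an added example written for this thread; it is not libvirt's code. It parses a <network> document with the standard library and reports what guests will receive (gateway, DNS server, forwarders, MX data) together with the dnsmasq options that imply it. The element-to-option mapping, the use of an empty dhcp-option=3 to suppress the router option, and the default path /var/lib/libvirt/dnsmasq/ are assumptions to compare against the file libvirt actually generates; the two sample networks (net1 with a forwarder at 192.168.10.10, and a NAT default network carrying the MX records) are constructed for the example.

```python
"""Predict what a libvirt <network> definition makes dnsmasq hand to guests.

Added example for this thread, not libvirt's own code. The element-to-option
mapping is an assumption about the per-network dnsmasq configuration libvirt
generates (by default under /var/lib/libvirt/dnsmasq/); compare the output with
the real file before depending on it.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: the isolated net1 from the thread plus a <forwarder>
# pointing at a guest (assumed address 192.168.10.10) that serves DNS itself.
ISOLATED_NET = """<network>
  <name>net1</name>
  <bridge name='virbr1' stp='on' delay='0'/>
  <domain name='TEST'/>
  <dns>
    <forwarder addr='192.168.10.10'/>
  </dns>
  <ip address='192.168.10.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.10.128' end='192.168.10.254'/>
    </dhcp>
  </ip>
</network>"""

# Constructed sample 2: a NAT network carrying the MX records from the last post.
NAT_NET = """<network>
  <name>default</name>
  <forward mode='nat'/>
  <bridge name='virbr0' stp='on' delay='0'/>
  <domain name='example.com' localOnly='yes'/>
  <dns enable='yes' forwardPlainNames='no'>
    <mx domain='example.com' target='mail' priority='10'/>
    <mx domain='example.com' target='mail_backup' priority='20'/>
  </dns>
  <ip address='192.168.122.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.122.100' end='192.168.122.199'/>
      <host mac='52:54:00:00:00:10' name='mail.example.com' ip='192.168.122.10'/>
    </dhcp>
  </ip>
</network>"""


def summarize(xml_text):
    """Return gateway, DNS and the dnsmasq options implied by one <network>."""
    net = ET.fromstring(xml_text)
    ip = net.find("ip")
    bridge_ip = ip.get("address") if ip is not None else None
    isolated = net.find("forward") is None  # no <forward/> at all => isolated
    opts = []

    # Gateway: dnsmasq advertises its own address as router unless told not to;
    # an empty dhcp-option=3 suppresses it (dnsmasq syntax). The thread states
    # that isolated networks hand out no gateway and never consult the host's
    # /etc/resolv.conf ("no-resolv"); the exact option libvirt uses is assumed.
    gateway = None if isolated else bridge_ip
    if isolated:
        opts += ["dhcp-option=3", "no-resolv"]

    dom = net.find("domain")
    if dom is not None and dom.get("localOnly") == "yes":
        opts.append(f"local=/{dom.get('name')}/")  # answer only from local data

    forwarders, mx = [], []
    dns = net.find("dns")
    if dns is not None:
        if dns.get("forwardPlainNames") == "no":
            opts.append("domain-needed")  # assumed mapping
        for f in dns.findall("forwarder"):
            forwarders.append(f.get("addr"))
            opts.append(f"server={f.get('addr')}")  # explicit server= survives no-resolv
        for m in dns.findall("mx"):
            mx.append((m.get("domain"), m.get("target"), int(m.get("priority"))))
            opts.append(f"mx-host={m.get('domain')},{m.get('target')},{m.get('priority')}")

    dhcp = ip.find("dhcp") if ip is not None else None
    if dhcp is not None:
        for r in dhcp.findall("range"):
            opts.append(f"dhcp-range={r.get('start')},{r.get('end')}")
        for h in dhcp.findall("host"):
            opts.append(f"dhcp-host={h.get('mac')},{h.get('name')},{h.get('ip')}")

    return {
        "name": net.findtext("name"),
        "isolated": isolated,
        "gateway": gateway,
        "dns_server": bridge_ip,  # guests are pointed at dnsmasq on the bridge IP
        "forwarders": forwarders,
        "mx": mx,
        "dnsmasq_options": opts,
    }


if __name__ == "__main__":
    for sample in (ISOLATED_NET, NAT_NET):
        s = summarize(sample)
        print(f"{s['name']}: isolated={s['isolated']} gateway={s['gateway']} "
              f"dns={s['dns_server']} forwarders={s['forwarders']}")
        for o in s["dnsmasq_options"]:
            print("   ", o)
```

Feed it the output of virsh net-dumpxml for a real network and compare the printed option list with the generated dnsmasq file: a forwarder that appears as server= on an isolated network is the case Laine expects to work, while a missing gateway on that same network is by design, not a DHCP fault.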
