LXD dnsmasq how to route queries for specific domains to different nameserver?

Hi all,

TL;DR: What is the recommended way to do custom dnsmasq configuration under LXD 3.0.3 (host is Ubuntu 18.04)? Can I just add any dnsmasq directives to /etc/dnsmasq.d/lxd or is there another way?

Full story: I have an LXD container that is running a mail-server with rspamd, which is querying various DNSBL servers every time a new e-mail is received. However, those DNSBL queries get blocked, because the host (Ubuntu 18.04 with LXD 3.0.3) is forwarding all its DNS queries to Google DNS (8.8.8.8):

2020-08-19 04:20:09 #11338(controller) <imhkkk>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2020-08-19 04:20:09 #11338(controller) rspamd_log_reset_repeated: Last message repeated 7 times
2020-08-19 04:34:10 #11338(controller) <imhkkk>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume
2020-08-19 04:44:55 #11338(controller) <imhkkk>; monitored; rspamd_monitored_dns_cb: DNS query blocked on multi.uribl.com (127.0.0.1 returned), possibly due to high volume

The dnsmasq process on the host looks like this:

lxd 2613 0.0 0.0 53236 2268 ? S Aug07 1:04 dnsmasq --strict-order --bind-interfaces --pid-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.pid --except-interface=lo --interface=lxdbr0 --quiet-dhcp --quiet-dhcp6 --quiet-ra --listen-address=10.166.77.1 --dhcp-no-override --dhcp-authoritative --dhcp-leasefile=/var/lib/lxd/networks/lxdbr0/dnsmasq.leases --dhcp-hostsfile=/var/lib/lxd/networks/lxdbr0/dnsmasq.hosts --dhcp-range 10.166.77.2,10.166.77.254,192h --listen-address=fd42:xx:yy:zz::1 --enable-ra --dhcp-range ::,constructor:lxdbr0,ra-stateless,ra-names -s lxd -S /lxd/ --conf-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.raw -u lxd

As far as I understand, LXD’s dnsmasq is running on the lxdbr0 bridge and forwards all incoming DNS queries to the host’s systemd-resolved running on 127.0.0.53 as configured in /etc/resolv.conf, which in turn forwards them to Google DNS (8.8.8.8) as configured in /etc/systemd/resolved.conf.

I know that dnsmasq supports routing DNS queries for specific domains to specific DNS servers by using the server= directive e.g.

server=/ajax.googleapis.com/8.8.8.8
# would query the google public DNS server for the ajax.googleapis.com domain

so is it OK if I put server= directives in /etc/dnsmasq.d/lxd?

Thank you in advance for your insights,
KP

Use the raw.dnsmasq config option against your lxdbr0 network.

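An added example, not code from the thread, of the raw.dnsmasq route recommended above: it builds the server= block from DOMAIN=NAMESERVER pairs, rejects malformed entries before anything reaches dnsmasq, and applies the result with lxc network set. The function and script names are mine; the domains and nameserver IPs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: generate and apply "server=" overrides for LXD's dnsmasq via
# the raw.dnsmasq network key. LXD starts dnsmasq with
# --conf-file=/var/lib/lxd/networks/lxdbr0/dnsmasq.raw (see the ps output in
# the question), so that file, not /etc/dnsmasq.d, is what it reads.

# Accept only a plain dotted-quad IPv4 address. dnsmasq itself also accepts
# IPv6 and "ip#port" targets; this helper is deliberately stricter.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print one "server=/DOMAIN/IP" line per DOMAIN=IP argument; fail on bad input.
build_raw_dnsmasq() {
    for pair in "$@"; do
        domain=${pair%%=*}
        server=${pair#*=}
        if [ -z "$domain" ] || [ "$domain" = "$pair" ] || ! is_ipv4 "$server"; then
            echo "bad DOMAIN=IP pair: $pair" >&2
            return 1
        fi
        printf 'server=/%s/%s\n' "$domain" "$server"
    done
}

# Write the block into the named LXD network; LXD rewrites dnsmasq.raw and
# restarts its dnsmasq, replacing whatever raw.dnsmasq held before.
apply_raw_dnsmasq() {
    network=$1; shift
    conf=$(build_raw_dnsmasq "$@") || return 1
    lxc network set "$network" raw.dnsmasq "$conf"
}

# Usage: ./lxd-dnsmasq-servers.sh --apply (script name is assumed). Without
# --apply the functions are only defined, which keeps sourcing side-effect free.
if [ "${1:-}" = "--apply" ]; then
    apply_raw_dnsmasq lxdbr0 surbl.org=213.133.98.98 multi.uribl.com=213.133.99.99
fi
```

After applying, `lxc network get lxdbr0 raw.dnsmasq` shows the stored block and `cat /var/lib/lxd/networks/lxdbr0/dnsmasq.raw` on the host confirms what the running dnsmasq read.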

Thank you, I have used raw.dnsmasq to re-configure LXD’s dnsmasq to use Hetzner’s DNS (as provided over DHCP):

myuser@lxd-server:~$ cat /var/lib/lxd/networks/lxdbr0/dnsmasq.raw
server=/surbl.org/213.133.98.98
server=/multi.uribl.com/213.133.99.99

but apparently even Hetzner’s DNS servers are unacceptable to the DNSBL servers:

root@vm05:~# host -tTXT 2.0.0.127.multi.uribl.com
2.0.0.127.multi.uribl.com descriptive text "127.0.0.1 -> Query Refused. See http://uribl.com/refused.shtml for more information [Your DNS IP: 95.217.255.75]"

(I know this isn’t an LXD issue anymore, but I thought I might ask anyway.) AFAIK dnsmasq is a lightweight resolver which can’t act as a recursive resolver, but needs to forward queries to a “real” recursive DNS server. And it’s the same with systemd-resolved.

So, since I can use neither dnsmasq nor systemd-resolved to query the DNSBL servers, my only remaining option is to set up a full-blown Bind9 inside my container, right?