I have created a routed virtual network. From within the routed net, DNS requests to the dnsmasq interface virbr2 work fine.

On the libvirt host, DNS requests to the dnsmasq interface virbr2 work fine.

I would like to allow external hosts, on the same network as the libvirt host, to query the dnsmasq interface. However, external DNS queries to the virbr2 interface time out.

The iptables firewall for this interface and port looks clear.

Question: how do I enable external DNS queries to my routed virtual network?

My config:
  dnsmasq-2.66-14.el7_1.x86_64
  libvirt-1.2.17-13.el7_2.3.x86_64

Thanks,
Jeff
Laine Stump
2016-Apr-11 18:05 UTC
Re: [libvirt-users] add external access to routed dnsmasq
On 04/04/2016 04:24 PM, Jeff wrote:
> I have created a routed virtual network. From within the routed net,
> DNS requests to the dnsmasq interface virbr2 work fine.
>
> On the libvirt host, DNS requests to the dnsmasq interface virbr2 work fine.
>
> I would like to allow external hosts, on the same network as the
> libvirt host, to query the dnsmasq interface. However external DNS
> queries to the virbr2 interface time out.
>
> The iptables firewall for this interface and port look clear.

This is purposefully disabled by the option "--bind-dynamic" that libvirt passes to dnsmasq when starting it, in response to CVE-2012-3411:

https://bugzilla.redhat.com/show_bug.cgi?id=833033
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3411

> question: How to enable external dns queries to my routed virtual network?

The dnsmasq started by libvirtd can only be queried from the host or from a virtual guest that is attached to the same network as the dnsmasq, and libvirt doesn't have an option to change this.

However, you can run a separate dnsmasq on the host that forwards queries for the domain named in the libvirt config to the IP address of the network (which ends up being the IP address of the bridge created for the network). You would then point the rest of your DNS infrastructure to the host's public IP address for that same domain.

Note that if you do this, you may need to set the "localOnly" attribute to no in the libvirt network config in order to prevent an infinite loop when trying to resolve an unknown name in the libvirt network's domain (search for "localOnly" in this page for an explanation: http://www.libvirt.org/formatnetwork.html ).
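The forwarding setup described in the reply above, written out as an added example (this is not code from the thread or from the libvirt project). It assumes a libvirt network whose <domain> is named vm.example with its bridge at 192.168.100.1, and a host LAN address of 10.0.0.5; all three values are placeholders to replace. The host-wide dnsmasq is bound only to the LAN address with bind-interfaces, so it does not contend with libvirt's own dnsmasq on virbr2 and is not exposed on every interface (the class of problem CVE-2012-3411 addressed); it forwards just the libvirt domain to the bridge IP and answers nothing else for that zone itself.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders, adjust to your setup:
LIBVIRT_DOMAIN="vm.example"      # <domain name='...'> in the libvirt network XML
BRIDGE_IP="192.168.100.1"         # IP of the bridge libvirt created for the network
HOST_LAN_IP="10.0.0.5"            # address on the host's LAN that external hosts use
CONF_FILE="/etc/dnsmasq.d/libvirt-forward.conf"   # assumed drop-in path

# Render the drop-in for the host-wide dnsmasq (the second instance Laine describes).
render_forwarder_conf() {
  domain="$1"; bridge_ip="$2"; lan_ip="$3"
  cat <<EOF
# Only listen on the host's LAN address; libvirt's dnsmasq owns the bridge.
listen-address=${lan_ip}
bind-interfaces
# Queries under ${domain} go to libvirt's dnsmasq on the bridge.
server=/${domain}/${bridge_ip}
# Never try to answer ${domain} from /etc/hosts on this instance.
no-hosts
EOF
}

# Write the drop-in and restart the host-wide service. Only run when asked.
install_forwarder() {
  render_forwarder_conf "$LIBVIRT_DOMAIN" "$BRIDGE_IP" "$HOST_LAN_IP" > "$CONF_FILE"
  dnsmasq --test -C /etc/dnsmasq.conf          # syntax check before restarting
  systemctl restart dnsmasq
}

# Resolve a guest name the way an external host would: via the host's LAN
# address, which must be what the rest of the DNS infrastructure points at.
check_forwarding() {
  dig +short @"$HOST_LAN_IP" "guest1.${LIBVIRT_DOMAIN}"
}

case "${1:-}" in
  apply)  install_forwarder ;;
  check)  check_forwarding ;;
  *)      render_forwarder_conf "$LIBVIRT_DOMAIN" "$BRIDGE_IP" "$HOST_LAN_IP" ;;
esac
```

Run it with no argument to print the generated drop-in for review, with apply to write it and restart dnsmasq, and with check to resolve a guest name through the host's LAN address from another machine's point of view. The host firewall still needs to allow UDP and TCP port 53 on the LAN interface only, not on virbr2. The reply also points at the localOnly attribute on the network's <domain> element; review that setting against the formatnetwork.html description so that a name neither dnsmasq instance can resolve is not bounced between them.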