
Out of the box, my LXC containers connect to a running instance of dnsmasq, which is started with the lxc-net service.

In my case, I am running a local unbound DNS server that connects to a thing called ncdns which lets me browse .bit domains that are registered via Namecoin.

The two of these conflict. My lxc containers depend on dnsmasq for DNS, which runs on port 53. At the same time my unbound server must run on port 53 in order for me to reach .bit domains. (see the comments on this post for the unlikelihood of being able to include a nameserver in resolv.conf using a nonstandard port; I also asked on an IRC channel and basically learned that pointing resolv.conf to a DNS server on a nonstandard port is basically not possible).

So what I need to do is create a combined DNS server that supports LXC's stuff and can also resolve .bit domains, and run THAT on port 53.

It may be assumed that my unbound server recursively resolves .bit domains, and forwards all other domains to my router, so it can effectively resolve all domains.

Questions are as follows:

1: How do you tell lxc-net NOT to start dnsmasq?

2: I assume unbound won't just work as the DNS server for my LXC containers without further configuration. How do I configure unbound so that it does what dnsmasq does for my lxc containers? (An answer to this question could be either the location of the dnsmasq conf files that it uses when started by lxc-net (which I have not yet found) so that I can attempt to copy that configuration under unbound, or some other documentation that has the same information as the dnsmasq conf files used by lxc-net)

jcarpenter2
    Found some stuff, looked in `/etc/init.d/lxc-net`, that file simply loads `/usr/lib/x86_64-linux-gnu/lxc/lxc-net` and that is what starts dnsmasq. As far as I can tell there's no conf file used by dnsmasq, just command line arguments passed to it from the lxc-net script. Unfortunately I see no way to disable dnsmasq, other than modifying that script so that it doesn't start. – jcarpenter2 Nov 20 '17 at 04:53

1 Answer


Okay, I think I got it. I'll accept this answer, but mark my words I'll post another question if down the road this turns out not to have worked.

I'm still running 3 (!) DNS servers on this computer: dnsmasq as it came with LXC (not quite "as it came", see below), along with ncdns the Namecoin DNS server and unbound.

Again, I can only run 1 DNS server on port 53, so I have to choose one or the other for that port. I can either take my unbound setup and extend it to do what dnsmasq does, or vice versa. Because dnsmasq appears to already be intricately configured to work with LXC, and also serves as a DHCP server which unbound cannot do, I decided to take it as the starting point.

I created a /etc/dnsmasq.conf file with the following content:

```
listen-address=127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
server=/bit./127.0.0.1#5301
```

The first line enables dnsmasq to listen on my local address, resolving names not just for LXC containers but for my PC as well. The second line tells dnsmasq to use a special resolv file, which I copied and pasted from resolv.conf (and which, in case anyone cares, points to my router's IP). The third and last line adds a .bit stub domain for which requests are forwarded to my unbound server running on port 5301.

I also changed my resolv.conf file to simply

```
nameserver 127.0.0.1
```

so that all DNS lookups are fulfilled by dnsmasq.

jcarpenter2
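To make the forwarding behaviour of that three-line dnsmasq.conf concrete, here is an added example (not code from the post or from dnsmasq) that parses the same `listen-address`, `resolv-file` and `server=/domain/ip#port` lines, works out which upstream a given query name is sent to, and flags any `server=` entry that would point back at the port-53 address dnsmasq itself occupies, which is exactly the collision the question started from. The copy of `/etc/resolv.dnsmasq.conf` is constructed: the post only says it points at the router, so the router address `192.168.1.1` is an assumption, and the trailing-dot handling for `bit.` is this example's own normalisation, not a statement about dnsmasq internals.

```python
import re

# Constructed copies of the two files from the answer. The post only says
# resolv.dnsmasq.conf points at the router, so the router IP is assumed.
DNSMASQ_CONF = """\
listen-address=127.0.0.1
resolv-file=/etc/resolv.dnsmasq.conf
server=/bit./127.0.0.1#5301
"""
RESOLV_DNSMASQ_CONF = "nameserver 192.168.1.1\n"

# server=/<domain>/<host>[#<port>]
SERVER_RE = re.compile(r"^/([^/]+)/([^#\s]+)(?:#(\d+))?$")


def parse_dnsmasq(conf):
    """Pick out listen-address, resolv-file and server= lines.

    Returns (listen_addresses, resolv_file, servers), where servers is a
    list of (domain, host, port). Whole-line '#' comments are skipped; a
    '#' inside a server= value is the port separator, not a comment.
    """
    listen, resolv_file, servers = [], None, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "listen-address":
            listen.append(value)
        elif key == "resolv-file":
            resolv_file = value
        elif key == "server":
            m = SERVER_RE.match(value)
            if not m:
                raise ValueError(f"unsupported server= syntax: {value}")
            # The post writes the domain as 'bit.'; strip the trailing dot
            # here so the suffix matching below works on plain labels.
            domain = m.group(1).strip(".").lower()
            port = int(m.group(3)) if m.group(3) else 53
            servers.append((domain, m.group(2), port))
    return listen, resolv_file, servers


def parse_resolv(text):
    """Return the nameserver addresses from a resolv.conf-style file."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def upstream_for(name, servers, default_nameservers):
    """Decide where a query for `name` is forwarded.

    The longest matching server= domain wins; a name with no match goes to
    the first resolv-file nameserver on port 53.
    """
    name = name.rstrip(".").lower()
    best = None
    for domain, host, port in servers:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, host, port)
    if best is not None:
        return best[1], best[2]
    return default_nameservers[0], 53


def loop_risks(listen, servers):
    """Flag server= entries that target port 53 on one of dnsmasq's own
    listen addresses: two resolvers cannot share 127.0.0.1:53, and such an
    entry would forward queries back to dnsmasq itself."""
    return [(d, h, p) for d, h, p in servers if h in listen and p == 53]


if __name__ == "__main__":
    listen, resolv_file, servers = parse_dnsmasq(DNSMASQ_CONF)
    ns = parse_resolv(RESOLV_DNSMASQ_CONF)
    print("listen on:", listen, "resolv-file:", resolv_file)
    for q in ("example.bit", "bit", "example.com", "notbit.com"):
        print(f"{q:12} -> {upstream_for(q, servers, ns)}")
    print("loop risks:", loop_risks(listen, servers))
```

With the answer's configuration, `example.bit` goes to `127.0.0.1:5301` (unbound), everything else goes to the router on port 53, and `loop_risks` returns nothing because unbound was moved off port 53; change the stub port to 53 and the same function reports the entry, which is a quick sanity check to run on a config edit before restarting the resolver.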