On 04/04/2016 04:24 PM, Jeff wrote:
> I have created a routed virtual network. From within the routed net,
> DNS requests to the dnsmasq interface virbr2 work fine.
> On the libvirt host, DNS requests to the dnsmasq interface virbr2 work fine.
> I would like to allow external hosts, on the same network as the
> libvirt host, to query the dnsmasq interface. However external DNS
> queries to the virbr2 interface time out.
> The iptables firewall for this interface and port look clear.

This is purposefully disabled by the option "--bind-dynamic" that
libvirt passes to dnsmasq when starting it, in response to CVE-2012-3411:
https://bugzilla.redhat.com/show_bug.cgi?id=833033
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3411

> question: How to enable external dns queries to my routed virtual
> network?
The dnsmasq started by libvirtd can only be queried from the host or
from a virtual guest that is attached to the same network as the
dnsmasq, and libvirt doesn't have an option to change this. However, you
can run a separate dnsmasq on the host that forwards queries for the
domain named in the libvirt config to the IP address of the network
(which ends up being the IP address of the bridge created for the
network). You would then point the rest of your DNS infrastructure to
the host's public IP address for that same domain.
Note that if you do this, you may need to set the "localOnly" attribute
to no in the libvirt network config in order to prevent an infinite loop
when trying to resolve an unknown name in the libvirt network's domain
(search for "localOnly" in this page for an explanation:
http://www.libvirt.org/formatnetwork.html )
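A host-side forwarder of the kind the reply describes, written here as an added example and not taken from the thread or from libvirt itself. The external interface name eth0, the domain vnet.example, the bridge address 192.168.100.1, the subnet and the file path are all assumptions; substitute the values from your own libvirt network definition.

```conf
# /etc/dnsmasq.d/libvirt-forward.conf  (assumed path; a second dnsmasq on the host)
#
# Listen only on the host's external NIC (dnsmasq adds loopback by itself).
# bind-interfaces makes this instance bind specific addresses, so it does
# not clash with the libvirt-managed dnsmasq, which uses --bind-dynamic on virbr2.
interface=eth0
bind-interfaces
except-interface=virbr2

# Forward queries for the libvirt network's domain to the libvirt dnsmasq,
# which listens on the bridge address of that network.
server=/vnet.example/192.168.100.1

# Reverse lookups for the routed subnet go to the same place.
rev-server=192.168.100.0/24,192.168.100.1

# Do not read /etc/resolv.conf: this instance only serves the libvirt
# domain to the LAN and refuses everything else, so it cannot become an
# open forwarder for the outside.
no-resolv

# Answer only clients on directly attached subnets (dnsmasq's default
# --local-service behaviour when no explicit upstream listing applies).
local-service

# Caveat: if the libvirt dnsmasq forwards names it does not know back to the
# host resolver, and that resolver points at this instance, a lookup of an
# unknown name under vnet.example loops between the two. Set the domain's
# localOnly attribute in the libvirt network XML as the reply above and the
# libvirt formatnetwork documentation describe.
```

Point the rest of the DNS infrastructure at the host's LAN address for vnet.example, and after restarting dnsmasq check with `dig @<host-LAN-ip> guest.vnet.example` from an external machine that the answer comes back instead of timing out.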