Need way to tell aardvark DNS to refer to a particular DNS, and not host's configured DNS about aardvark-dns HOT 13 CLOSED

Is it possible to confirm that this is accepted as an enhancement?

Yes that is something we want to fix for sure. I don't think there is a workaround.

from aardvark-dns.

Hi @dshenai , Thanks for creating the issue.

As of now users don't directly configure aardvark-dns and not sure if there is a plan to provide any direct configuration. But I think a config via containers.conf can be opened up and podman can thus convey aardvark which resolver to use and by default it can keep using host's resolver.

Tagging other maintainers for their opinion on this @Luap99 @mheon @baude WDYT ?

from aardvark-dns.

We do not use the host's DNS, but the container's DNS, which defaults to the same nameservers as the host. Setting container default DNS servers in containers.conf ought to do what you want.

from aardvark-dns.

Okay its already there, see field dns_servers here: https://github.com/containers/common/blob/main/docs/containers.conf.5.md

from aardvark-dns.

We do not use the host's DNS, but the container's DNS, which defaults to the same nameservers as the host. Setting container default DNS servers in containers.conf ought to do what you want.

I don't think this is true, aardvark-dns has no access to the containers dns servers so it just uses the host /etc/resolv.conf as upstream servers:

from aardvark-dns.

...Did we not implement that yet? Because that was definitely in the original design doc.

from aardvark-dns.

Well, we have a session later today about new functionality, we can add this to it.

from aardvark-dns.

Thank you for your quick responses.
Is it possible to confirm that this is accepted as an enhancement?

Secondly, is there a way for now, to work around this so that the aardvark DNS talks to configured resolver inside the container? From the snippet that @Luap99 posted above, looks like this is not possible. Still being hopeful and asking the question.

Thank you

from aardvark-dns.

It'd also be great if we could completely disable using any DNS servers at all. Most of my containers don't have internet accesses (nftables firewall). Having aardvark forward requests to a DNS server in the internet allows for DNS tunneling attacks.

To make this useful this should be configurable per container though - either by having podman run multiple aardvark instances or by making aardvark aware where the request is coming from.
EDIT: I don't think that's necessary because podman adds the hosts DNS to the containers resolv.conf anyway so I can filter that via nftables.

from aardvark-dns.

This was fixed a while back in #240 AFAIK, so closing this.

from aardvark-dns.

Hi
There is slight mismatch here.
On a host how DNS resolution works: contents of resolve.conf are referred. If I update resolve.conf, I do not have to restart the host. It is plug and play.
On container with Netavark how the resolution will work as per #240: Every time I have to change the DNS, I need to restart the container. Could we not have plug and play here also?
Thank you

from aardvark-dns.

@dshenai Now podman allows to add custom resolvers at network level and they can be updated without restarting the container. Check https://docs.podman.io/en/latest/markdown/podman-network-update.1.html I think this should help you if i understood your problem correctly.

from aardvark-dns.

Thanks @flouthoc. That link proved helpful.

from aardvark-dns.