DNS "SRV" records


I am trying to set up a Samba Active Directory Domain Controller for “MYLAN” domain. Therefore I want my Turris Omnia to serve the appropriate DNS entries.

Did I understand it right that dnsmasq is only used as DHCP server and hot resolving local domain names?
If that is correct, how can I add a SRV record for “_ldap._tcp.mylan” to resolve my domain controller's IP address?
Did I miss a howto which describes that scenario?

Commonly it would require an authoritative DNS server to serve records and not just a resolver. However, dnsmasq has apparently the option to serve/resolve records for private domains.

Suppose your router utilizes the vanilla resolver kresd (knot resolver) in which case you might want to look up the respective documentation - I am not familiar with it and thus cannot assist.

Else and alternatively there is unbound (my preference) as resolver which can either use dnsmasq (in tandem) for resolving private domains or it can serve (and resolve) records for private domain on its own.

There’s currently no nice way to do this in knot-resolver. (It has non-authoritative focus.) If dnsmasq is easy to configure serving SRV on Omnia (which I didn’t verify), I expect it will be most convenient for you to forward the mylan subtree to dnsmasq via this older guide.

please pretty please acknowledge already that the “most convenient” would have been to make knot optional and stick with dnsmasq(-full) for turris

I won’t. It depends what you want. For some use cases dnsmasq is better, for some it certainly isn’t (even on a router). Dnsmasq has an advantage here that it has always been designed specifically to run on routers whereas knot-resolver is not. Even so, I believe for most router users knot-resolver is better than dnsmasq (including my own Omnia), but… my opinion on this isn’t really relevant here (and perhaps not even “trust-worthy” as I develop knot-resolver) – it’s about the choice of each person (for their device) and of the Turris team (for the default).

It is possible to run with dnsmasq only on Omnia, though reportedly there were some problems with updates (I don’t really know, you can search this forum). To expand on other choices, some people on this forum prefer to ditch whole Turris OS for plain OpenWRT, or use a different HW.

i have seen videos of talks at RIPE et al. where turris folks share their frustration of making a dns resolver work with the professional community and earn sympathy.
i think most users (here) would sympathize as well.

the ratio of issues caused by vs. issues solved by knot for turris users further indicates that it might not be warranted to shove this onto unsuspecting con-/prosumers (as a default) when there is something with a better feature set (for the job) already available.

i really appreciate the work that went into knot, i just don't think the countless hours of turris users, each figuring out that knot may not be the right tool for their job, helped much.

thank you!

I’m not sure I get your meaning exactly, but can you share links?

I think for vast majority of Omnia users it just works, even if most users with problems don’t write anywhere about that (thousands of Omnias are in use), and some users actually want features missing on dnsmasq (e.g. TLS forwarding). I believe one “marketing problem” here is that Omnia wants to present itself as secure, which is why Unbound was used in Turris 1.x (Knot-resolver wasn’t really usable at that point).

If you are talking about having knot or dnsmasq be authoritative for the computers managed by samba, then no, this is not supported by samba. Only their own internal DNS server or Bind through the DLZ plugin is supported. knot can be the forwarder though for “external” addresses.

To edit myself, this is documented:

Hi, and thanks to all for your reply. I tried two different ways:

  1. Using Samba internal DNS by introducing an additional subdomain. This was not the way I was looking for because of the additional subdomain.

  2. I used dnsmasq resolver for resolving the SRV entries which worked also and is my preferred solution.

May I ask why, since precisely this is recommended: