This is the first in what will, hopefully, become a series. I would like to highlight projects that are widely used, even to the point of being part of critical infrastructure, but are nevertheless small projects with small (often unsponsored) development teams. We start the series talking to Simon Kelley.
dnsmasq is one of the unsung heroes of the Internet: a small piece of software used very widely, but with a very small development team, and no corporate backing. It is used as the DHCP and caching DNS server on a wide variety of home-market routers, as well as other devices, and is the default DHCP and DNS caching server for libvirt, and by extension, OpenStack. A couple years ago, I contacted Simon Kelley, the author of dnsmasq, and asked if he was up for an interview. He was, but my blog wasn’t in a maintainable position at that point, so it got pushed back. I contacted him again recently, and we managed to make it happen. This interview was conducted via e-mail on December 10, 2017.
So…here we go!
Simon, thank you for taking time out of your schedule (when you could be programming) to answer my questions. This is quite an honor, and I hope you enjoy the questions.
What itch were you scratching, that is, what was your original need and intention for dnsmasq?
Long ago, around the turn of the century, I had a PC, running Linux, and a net connection via a dial-up modem. If the PC was not connected to the net then Netscape navigator would return an error immediately, because the UDP packet doing a DNS query got a “no route to host” error. Then I got a second-hand 486 laptop, and discovered that I could connect that to my PC and give it a net connection too, using this amazing thing called ip-masquerading (what later became NAT.) But when the Netscape on the laptop would send the UDP DNS query to the ISP, it would get to the desktop, where it would evaporate, and Netscape would hang (it was single-threaded, at least in the DNS code) for a long time-out. I wanted to fix that annoying behaviour. The IP-masquerade use is where the DNSmasq name came from.
Did you intend to release it as open source from the beginning?
To the extent that I intended to release it, yes.
How much did you know about DNS and DHCP when you started?
Almost nothing, about the internals anyway. I started with RFC 1035 and went from there.
What is the most interesting bug you’ve run into?
Not one of mine - I found a Linux kernel bug once, in the API to control the ARP cache. The bug was long-ago fixed, but in a sense, the work-around still persists in dnsmasq. It was difficult to find because it was intermittent and hard to reproduce, and it took a long time to consider that the problem may not have been mine, but in the Kernel.
Related: when fixing a bug (found by you or reported), what has been your most “What was I thinking when I wrote that” moment?
Plenty of those. I once found a “&” versus “&&” confusion which nobody had spotted as a functional error, by code inspection.
Have you ever found bugs in other DHCP and DNS products/libraries as a result of your testing? What was the most interesting one? Feel free to share others, if you wish.
There are lots of DHCP clients in things like printers and scanners and general IoT devices which behave badly and need workarounds. Intel produced some awful bugs in PXE implementations which went into netboot ROMS and never got updated.
What was your most “you’ve got to be kidding me” moment when learning new corners of DHCP and DNS and/or your biggest “I wish I had known that when I started” moment?
It’s always amused me that the format of a DNS packet - which is very size constrained to fit into UDP packets, wastes 16 bits for a count of the number of questions in a query. This has been constrained to be exactly one for all of the life of DNS, so the 16 bits are completely wasted. DNS in general is an amazingly under-specified and obscure area. It’s been around forever, and is developed by people who have been around for a long time and grown up with it. They tend to vastly underestimate how much implied knowledge they are assuming when writing RFCs. As for what I wished I’d known: I wished I’d found the RFC which is an errata to the original three DNSSEC RFCs earlier; I found several of the bugs the hard way.
What was your reaction when you found out dnsmasq was used as the default forwarder/DHCP server for OpenStack? What is it like having your project used in one the most well known open source projects in the world?
That happened after dnsmasq was incorporated into Android, so it was sort of an anti-climax after getting into the majority of smart phones on the planet.
[ed. note: point taken]
Besides OpenStack, what are some of the most interesting use cases you’ve heard about for dnsmasq?
I took some patches from someone who was providing satellite Internet to trans-oceanic sailors. Bandwidth costs were high enough that it made sense to audit almost every byte sent and received, including for DNS resolution.
Have you ever gotten contributions (code or otherwise) back from router manufacturers that have used dnsmasq?
Probably, but I don’t remember anything significant in terms of code. Comcast paid for a year of my time to implement DNSSEC, which was pretty good of them.
What kind of contributions have you turned down?
That’s people who make a patch to solve their particular problem and don’t give any thought to making it general, or generally useful.
Could you talk about one significant or difficult contribution you turned down and why? - From my co-worker Eric Duncan @eduncan911
The one that’s happened over and over again is to change the behaviour on receiving a “no-such-domain” reply from an upstream nameserver. People want to implement local DNS hacks by getting dnsmasq to keep trying another upstream server when the first returns NXDOMAIN, but that’s always seemed to me to be a really bad thing to do: NXDOMAIN is a valid answer, and not a failure return.
Do you have a group of steady contributors, or is it pretty much just you (and occasional contributions)?
There are steady contributors, but long-term, it’s just me.
You are pretty active on the mailing list. For the second quarter of 2017, nearly 80 messages of the 229 are from you. How much time do you spend on the project (code and helping users)?
Very variable, and less than I used to. I used to have a job with a very FOSS-friendly employer. I was sitting in front of computer most days, and my boss was happy for me to spend time on dnsmasq. Nowadays, I’m semi-retired, and I spend my days doing other stuff, so I have to make time to sit down and work on dnsmasq.
What is your motivation for self-hosting, vs. moving to something like Github or Bitbucket?
The self-hosting setup existed before Github etc, or at least before they were visible and known to be reliable. It works, so I’ve never had the activation energy to move it. I’m a sysadmin and I like having a host to do my stuff, my way.
Your FAQ says it will run on Linux, *BSD, and embedded systems. What is the most interesting platform you’ve heard of using dnsmasq?
Somebody ran it on QNX once, I believe.
Commit 1 in the dnsmasq git repository happened on January 22, 2004, and says it is an “import of dnsmasq-2.0.tar.gz.” When was your first public release (version 0.4)? How long had you been working on it before then?
Around 2000. There were quite a few releases in the 1.x series, which were before the DHCP server was added. It didn’t seem worth adding those when I moved into git.
What are your future plans, dreams, and hopes for dnsmasq?
Like all code that’s 15 years old, there are deep design decisions and trade-off that are hard to change but which don’t necessarily make sense any more. I’d like to do a version 3.0 which addresses those, but I’m not sure I have the commitment left in me to do it.
In relation to the recent security fixes contributed by Google did you know they were working on dnsmasq, or did the fixes come as a suprise?
They didn’t tell me they were working on dnsmasq before they started, but once they’d found holes, they let me know well before the public disclosure. There’s a whole raft of stuff which happens in case like this, and the Google security people were really good at helping to work through it. A lot is helping distributions to get patched packages ready in advance: I spend a lot of effort helping people backport the fixes to the older versions.
Have any steps been taken to do a full audit, or is that what Google did?
There have been quite a few audits over the years, before Google did its stuff. SUSE did one, and the Mozilla foundation sponsored one. The Google people used fuzzing to find the holes that had been missed by the audits - it’s very impressive.
Has the recent security news changed the development process any?
I plan to use Google’s service to do ongoing fuzzing of new releases.
Anything significant on the dnsmasq road map? Are there additions that could be done, or do you cover all of the DNS/DHCP spec now?
I don’t cover the whole spec - the USP [ed. note: Unique Selling Point] is to cover the bits that my users need, without carrying the bloat of everything else. I guess that new stuff is still likely in the area of IPv6 address/name management. IPv6 will take over the world one day, won’t it?
[ed. note: We hope.]
Do you have a Patreon, Flattr, or other funding source to which people could contribute?
I have a PayPal account at firstname.lastname@example.org. Contributions happily accepted.
Thanks again! I hope our paths will cross some day!
I hope that’s useful. Please feel free to come back with more questions, or for clarifications on the answers.
That wraps it up! I greatly appreciate Simon taking time to do this. If you have questions, ask them in the comments.
The official page for dnsmasq can be found on the Kelley’s page
Who should I interview next? Let me know!
Thank you to my wife for proof-reading and to my co-workers at New Context for ideas and feedback about the questions. We’re hiring! It’s a great place to work!