[Dnsmasq-discuss] Re: Is there a way to "block" IPv6 address queries?

Eric P. Scott eps+dnsmasq@ana.com
Mon, 11 Apr 2005 19:51:46 -0700 (PDT)


I guess I should clarify; I'm not trying to "be kind to my DNS
server" (although that's a nice side effect) so much as improve
responsiveness for client machines.  Assume my connectivity to
the public DNS is slow, congested, lossy, etc.  I want to reduce
the several second delay on every address lookup due to misguided
client software hoping for IPv6 reachability that isn't actually
there.

>That's negative caching. The way it's done is specified in RFC 2308 and 
>dnsmasq supports it. The crucial thing is that there needs to be an SOA 
>record in the authority section of the reply in order for a negative 
>cache entry to be generated. I've noticed that recently my ISP's 
>nameservers have stopped including an NS section. They probably think 
>doing that will reduce the load on their nameservers. Poor fools.

RFC 2308 says:

   A negative answer that resulted from a no data error (NODATA) should
   be cached such that it can be retrieved and returned in response to
   another query for the same <QNAME, QTYPE, QCLASS> that resulted in
   the cached negative response.

I don't think this is working for me in 2.22.

>I suspect that your ISP has done the same thing. Try running a query 
>using "dig" for an unknown domain and see what you get: it should look 
>like this:

>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4694

>but if it looks like this instead, that's the source of the problem.

>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25755

Does this help?  [No, I don't see any NS records included.]

% dig www.nonxx.net in aaaa

; <<>> DiG 8.3 <<>> www.nonxx.net in aaaa 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31092
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;	www.nonxx.net, type = AAAA, class = IN

;; AUTHORITY SECTION:
net.			3H IN SOA	a.gtld-servers.net. nstld.verisign-grs.com. (
					1113256832	; serial
					30M		; refresh
					15M		; retry
					1W		; expiry
					15M )		; minimum


;; Total query time: 25 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:01:10 2005
;; MSG SIZE  sent: 31  rcvd: 104

% dig www.cnn.com in aaaa

; <<>> DiG 8.3 <<>> www.cnn.com in aaaa 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42213
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;	www.cnn.com, type = AAAA, class = IN

;; ANSWER SECTION:
www.cnn.com.		2m14s IN CNAME	cnn.com.

;; AUTHORITY SECTION:
cnn.com.		8m50s IN SOA	bender.turner.com. hostmaster.tbsnames.turner.com. (
					2005040700	; serial
					15M		; refresh
					5M		; retry
					1W		; expiry
					15M )		; minimum


;; Total query time: 16 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:01:53 2005
;; MSG SIZE  sent: 29  rcvd: 113

% dig cnn.com in aaaa

; <<>> DiG 8.3 <<>> cnn.com in aaaa 
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;;	cnn.com, type = AAAA, class = IN

;; AUTHORITY SECTION:
cnn.com.		3m56s IN SOA	bender.turner.com. hostmaster.tbsnames.turner.com. (
					2005040700	; serial
					15M		; refresh
					5M		; retry
					1W		; expiry
					15M )		; minimum


;; Total query time: 16 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:02:09 2005
;; MSG SIZE  sent: 25  rcvd: 95

It shouldn't be hard to duplicate my tests.

To recap, there are now three open issues:

1) Is negative caching functioning as expected?
[For AAAA queries when dnsmasq has been compiled with -DNO_IPV6]
2) Is cached NXDOMAIN information being used to its full extent?
3) Is it practical to--as an option--intercept IPv6 address
lookups as previously described?

					-=EPS=-
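[Editor's worked example, added to this archived message; it is not code from the thread or from dnsmasq.] The question above turns on what RFC 2308 actually requires before a NODATA or NXDOMAIN reply may be cached, so here is a small Python script that does the check a negative cache has to do: parse the reply, classify it as NXDOMAIN or NODATA, look for an SOA in the authority section that covers the (CNAME-chased) name, and take the negative TTL as min(SOA TTL, SOA MINIMUM). The replies it works on are constructed in-line to mirror the three dig outputs in the message (TTLs converted from dig's 3H / 8m50s notation to seconds); the query ID, the no-SOA control reply and the 192.0.2.1 address in the positive control are assumptions, not anything the thread shows.

```python
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080      # header flag bits used below
NOERROR, NXDOMAIN = 0, 3                   # RCODEs
A, CNAME, SOA, AAAA = 1, 5, 6, 28          # RR types

def encode_name(name):
    """Wire-encode a dotted name ("www.nonxx.net." -> length-prefixed labels + root)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer: remember where we were, then follow it
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, refresh, retry, expire, minimum)

def build_reply(qname, qtype, rcode, answers=(), authority=()):
    hdr = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | rcode, 1, len(answers), len(authority), 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answers) + b"".join(authority)

def parse_reply(msg):
    """Return rcode, question, and answer/authority RRs as (owner, type, ttl, rdata_offset)."""
    _, flags, _, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                        # QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        recs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            recs.append((owner, rtype, ttl, off))   # keep the rdata offset so names inside it can be decoded
            off += rdlen
        sections.append(recs)
    return {"rcode": flags & 0xF, "qname": qname, "qtype": qtype, "answer": sections[0], "authority": sections[1]}

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def negative_cache_entry(msg):
    """None if the reply is not negatively cacheable; else its kind, cache key and TTL.
    RFC 2308: NXDOMAIN covers the whole name, NODATA only <QNAME, QTYPE, QCLASS>; neither is
    cacheable without an SOA for the enclosing zone in the authority section; TTL = min(SOA TTL, MINIMUM)."""
    r = parse_reply(msg)
    if r["rcode"] == NXDOMAIN:
        kind = "NXDOMAIN"
    elif r["rcode"] == NOERROR and all(t == CNAME for _, t, _, _ in r["answer"]):
        kind = "NODATA"                             # NOERROR with no relevant answer; a bare CNAME chain counts
    else:
        return None                                 # positive answer or some other error
    name = r["qname"]
    for owner, _, _, rd_off in r["answer"]:         # follow the CNAME chain; the negative is for its target
        if owner == name:
            name, _ = decode_name(msg, rd_off)
    soas = [(ttl, rd_off) for owner, t, ttl, rd_off in r["authority"] if t == SOA and in_zone(name, owner)]
    if not soas:
        return None                                 # no SOA in the authority section: nothing to cache
    ttl, rd_off = soas[0]
    _, off = decode_name(msg, rd_off)               # skip MNAME
    _, off = decode_name(msg, off)                  # skip RNAME
    minimum = struct.unpack("!I", msg[off + 16:off + 20])[0]    # after serial, refresh, retry, expire
    key = name if kind == "NXDOMAIN" else (name, r["qtype"])
    return {"kind": kind, "key": key, "ttl": min(ttl, minimum)}

# Constructed replies shaped like the three dig outputs in the message, plus two assumed controls.
GTLD_SOA = rr("net.", SOA, 3 * 3600, soa_rdata("a.gtld-servers.net.", "nstld.verisign-grs.com.",
                                                1113256832, 1800, 900, 604800, 900))
def cnn_soa(ttl):
    return rr("cnn.com.", SOA, ttl, soa_rdata("bender.turner.com.", "hostmaster.tbsnames.turner.com.",
                                              2005040700, 900, 300, 604800, 900))

REPLIES = {
    "nonxx_nxdomain": build_reply("www.nonxx.net.", AAAA, NXDOMAIN, authority=[GTLD_SOA]),
    "cnn_cname_nodata": build_reply("www.cnn.com.", AAAA, NOERROR,
                                    answers=[rr("www.cnn.com.", CNAME, 134, encode_name("cnn.com."))],
                                    authority=[cnn_soa(530)]),
    "cnn_nodata": build_reply("cnn.com.", AAAA, NOERROR, authority=[cnn_soa(236)]),
    "nodata_no_soa": build_reply("cnn.com.", AAAA, NOERROR),            # assumed control: empty authority section
    "positive_a": build_reply("cnn.com.", A, NOERROR, answers=[rr("cnn.com.", A, 300, bytes([192, 0, 2, 1]))]),
}

if __name__ == "__main__":
    for label, msg in REPLIES.items():
        print(f"{label:17} {negative_cache_entry(msg)}")
```

The www.cnn.com case is the instructive one: the AAAA query comes back NOERROR with only a CNAME in the answer section, which RFC 2308 still treats as NODATA, and the SOA in the authority section belongs to the zone of the CNAME target, so that is the name the entry is keyed on. The fourth reply, with no SOA at all, is the shape that cannot be cached and sends every repeated AAAA lookup upstream again.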