[Dnsmasq-discuss] Problems using 'split horizon' approach

Simon Kelley simon at thekelleys.org.uk
Mon Aug 22 12:19:50 BST 2005


Dave Ewart wrote:
> I've now worked out exactly what DNS request 'poisons' the dnsmasq
> cache.  (This appears to be completely reproducible, although it is
> possible there are other, related queries which might have the same
> effect.)
> 
> After doing a tcpdump, it became clear that the cache became poisoned
> after dnsmasq received an 'ANY' request for the system with the
> split-horizon setup.
> 
> i.e.
> 
> $ host apollo
> apollo.ceu.ox.ac.uk has address 10.99.0.2
> $ host -t any apollo
> apollo.ceu.ox.ac.uk has address 163.1.168.2
> $ host apollo
> apollo.ceu.ox.ac.uk has address 10.99.0.2
> apollo.ceu.ox.ac.uk has address 163.1.168.2
> 
> etc.
> 
> The tcpdump shows that during the 'any' request, the dnsmasq host cannot
> serve it (presumably because it only has an 'A' record?) and the request
> is forwarded to the upstream DNS server, which returns the public IP,
> which then gets included in the cache.
> 
> Is this the expected behaviour of dnsmasq in these circumstances?
> 

Did we ever establish which version you are using? ISTR that you are 
using Debian "woody", and maybe therefore the very old 1.4 dnsmasq 
release. If that's the case, then yes, I would expect that behaviour, 
and the fix is to upgrade to dnsmasq 2.22 in "sarge". If you are using 
dnsmasq 2.22 then I'm very interested, since this problem was long ago 
thought to be fixed in the 2.x series.

If needs be the Debian dnsmasq-2.22_2 package will build from source and 
run quite successfully on a Woody system.

HTH

Simon.
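A check for the symptom Dave describes, added here as an example and not taken from the thread or from dnsmasq itself: it parses the "name has address X" lines that `host` prints and flags any name whose answers mix a private (RFC 1918) address with a public one, which is what a leaked split-horizon record looks like once the upstream answer has been merged into the local cache. It also accepts the "has IPv6 address" form, which goes beyond the thread's IPv4-only case; the sample lines are constructed from the ones quoted above plus one made-up name.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the A/AAAA lines that `host` prints, e.g.
#   "apollo.ceu.ox.ac.uk has address 10.99.0.2"
_ADDR_LINE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<addr>\S+)$")


def parse_host_output(text):
    """Group every address reported by `host` under its owner name."""
    answers = defaultdict(set)
    for line in text.splitlines():
        m = _ADDR_LINE.match(line.strip())
        if m:
            name = m.group("name").rstrip(".")
            answers[name].add(ipaddress.ip_address(m.group("addr")))
    return answers


def find_split_horizon_leaks(text):
    """Return {name: (private_addrs, public_addrs)} for names that show both.

    A split-horizon name should resolve to *either* the internal or the
    external address depending on who asks. Seeing both from one resolver
    means an upstream answer has been cached next to the local record,
    which is exactly the post-ANY state shown in the thread.
    """
    leaks = {}
    for name, addrs in parse_host_output(text).items():
        private = {a for a in addrs if a.is_private}
        public = addrs - private
        if private and public:
            leaks[name] = (sorted(map(str, private)), sorted(map(str, public)))
    return leaks


# Constructed sample: the cache state Dave observed after the ANY query,
# plus a purely internal name (made up) that must not be reported.
SAMPLE = """\
apollo.ceu.ox.ac.uk has address 10.99.0.2
apollo.ceu.ox.ac.uk has address 163.1.168.2
internal.example.net has address 10.0.0.5
"""

if __name__ == "__main__":
    for name, (priv, pub) in find_split_horizon_leaks(SAMPLE).items():
        print(f"{name}: internal {priv} and external {pub} both visible")
```

Feeding it live output (`host apollo | python3 leakcheck.py` style) would need the name to be queried before and after an ANY lookup, as in the thread, to catch the merge rather than a single answer.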
