[Dnsmasq-discuss] functional difference between SERVFAIL and NXDOMAIN replies

Simon Kelley simon at thekelleys.org.uk
Mon Oct 10 19:53:46 BST 2005

Brandon Boles wrote:
> Hi folks,
> I have my local DNS (running dnsmasq) that is used for as a DNS cache as
> well as serving up names for my local, internal network.  I also connect
> with a vpn client to another network, which gives me another DNS server
> for internal names on the vpn network.  So here is what my resolv.conf
> ends up looking like once I connect via vpn:
> nameserver   localdns
> nameserver   vpndns
> What I want to happen is, all DNS queries to go through 'localdns' first
> (the machine running dnsmasq), and if the query fails for whatever reason,
> try 'vpndns'.  What is really happening is that if I query for a machine
> on my vpn ('nslookup vpnmachine'), I get a 'NXDOMAIN' response from
> dnsmasq and my query stops, not even trying the 'vpndns' nameserver.  Just
> for kicks, I reversed the order of the nameservers in resolv.conf.  This
> seems to work properly.  I'll query for 'localmachine' ('nslookup
> localmachine'), and I get a 'SERVFAIL' response from the 'vpndns' server,
> but then I get a correct response from 'localdns'.
> Is the proper response to 'NXDOMAIN' to stop any further queries?  If so,
> is there a way I can change this with dnsmasq so that I can get a
> 'SERVFAIL' response instead (without breaking everything)?  Or, should I
> be troubleshooting something else entirely?  Any help would be greatly
> appreciated!  Thanks!

NXDOMAIN means "we know the answer, and the answer is that the domain 
doesn't exist", SERVFAIL means "something is broken, we have no valid 
information on the answer". Clearly, the behaviour you are seeing (stop 
trying additional nameservers) is valid in the NXDOMAIN case.

The way I would go about solving your problem is to use dnsmasq's 
ability to direct queries in different domains to different servers. 
Setup your resolv.conf on all the client machines so that all queries 
are sent only to the machine running dnsmasq, and then in 
/etc/dnsmasq.conf, put

server=/vpndomain/<IP of VPN DNS server>
server=<IP of general server>

Now a query for machine.vpndomain will be forwarded down the VPN to a 
DNS server which can handle it. and other queries will be sent to the 
general DNS servers, as before.


More information about the Dnsmasq-discuss mailing list