[Dnsmasq-discuss] NXDOMAIN/vpn/dnsmasq

Simon Kelley simon at thekelleys.org.uk
Wed Apr 22 21:08:56 BST 2009


Apologies for not responding to the threads floating round on dnsmasq's
response to NXDOMAIN. I'm trying to get on top of an email backlog after
going on holiday, and every time I make enough space to read through
the threads, I find they have become longer.

In desperation, I'll just throw in what I know here, and hope that it's
of some use.

The idea that it might be possible to get dnsmasq to query a nameserver,
and if it gets an NXDOMAIN reply, then go onto another nameserver, is a
dangerous one. There do exist patches to provide this behaviour in the
contrib/ area, but I've never added the feature to my releases.

The problem is that it makes things unreliable: there's no way in the
DNS protocol for dnsmasq to signal to its client "hold on, I'm just
working through a list of servers", so there's a danger that the client
will time-out whilst the extended check is done. Every server that gets
checked is another chance of a dropped packet and therefore an
erroneously lost query. Dnsmasq uses a strategy of querying all possible
servers in parallel to get round this. That strategy conflicts with
checking servers in order.

The openvpn approach is a good one: automatically configuring dnsmasq to
send different domains to different servers. I'd encourage contributions
to making that work better.

Cheers,

Simon.
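The split-DNS configuration Simon recommends, as an added illustration that is not part of his post or of the dnsmasq or openvpn projects: each domain is pinned to one upstream, so an NXDOMAIN from that upstream is final for that domain and no server-walking fallback is needed. All domain names and resolver addresses below are made-up placeholders.

```conf
# Added example of per-domain forwarding in dnsmasq.conf (not from the post).
# corp.example, 10.8.0.1 and 192.0.2.53 are placeholder values.

# Ignore /etc/resolv.conf; only the servers listed here are used.
no-resolv

# Default upstream for any name not matched by a more specific rule.
server=192.0.2.53

# Names under the VPN's internal domain go only to the resolver reachable
# through the tunnel. Because no other server is ever asked for this domain,
# an NXDOMAIN from 10.8.0.1 is authoritative and nothing has to be retried.
server=/corp.example/10.8.0.1

# Reverse lookups for the VPN subnet (10.8.0.0/16) use the same resolver.
server=/8.10.in-addr.arpa/10.8.0.1

# A purely local domain is never forwarded: dnsmasq answers NXDOMAIN itself
# for anything under .lan that it does not know from DHCP or /etc/hosts.
local=/lan/
```

Leaving `strict-order` and `all-servers` unset keeps the default server-selection behaviour the post describes; the per-domain `server=/.../` lines are what make the routing deterministic, not the order of the lines. When an OpenVPN session sets the internal domain and resolver, the client-side hook should add or remove only the `server=/corp.example/...` lines and reload dnsmasq, leaving the default upstream untouched.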
