[Dnsmasq-discuss] Iterative queries (Re: "NS" records)
simon at thekelleys.org.uk
Wed May 12 22:06:25 BST 2010
clemens fischer wrote:
> Simon Kelley wrote:
>> Dewey Sasser wrote:
>>> I've googled and searched the mailing list archives to no avail.
>>> I have a NAS device that queries the DNS server for it's own domain
>>> and appears to expect an "NS" record response for the domain. I've
>>> demonstrated with BIND and a test zone file that this is the
>>> expectation, but I'd much rather use dnsmasq for the simplicity of
>>> How can I cause dnsmasq to return an NS record?
>> There's currently no facility to do that.
>> Do you know exactly what query the NAS server is making? Both NS and
>> SOA queries return information in the authority section.
>> Doing something which simply allows straightforward "NS" queries to be
>> answered would be simple, if that's enough.
> When testing the recent testing version with the "rebind-domain-ok"
> option (2.53test25) I noticed that dnsmasq doesn't do iterative queries,
> "only" recursive ones. This means dnsmasq forwards queries to an ISP's
> resolver but it cannot be used with the "server"s set to the
> Could it be that the NAS device tried an iterative query and thus needed
> SOA and NS RR's?
> On a related note, I'm reluctant to use dnsmasq as the only DNS resolver
> because of this, because of the "recent" discoveries about cache
> poisoning attacks. I cannot be sure that my provider has its act
> together and does everything to thwart them. Moreover, my provider
> (kabel-deutschland.de) takes part in censoring the 'net after IMO
> misguided legislation against child pornography. Please, I don't want
> any big discussion on this list about this particular point, but so far
> my life was peaceful and simple by using resolvers doing top down
> iterative queries. I used pdnsd and lately bind-9.7 after it grew
> support like dnsmasq's new "rebind-domain-ok".
> Is it much work to fit dnsmasq with iterative query support, considering
> that all the code is practically there? If so, dnsmasq would surely be
> the most compact program with all its features!
It would be a huge architectural change: at the moment dnsmasq gets a
query, and either answers it locally, or passes it upstream. If it
passes it upstream it retains only a small datastructure needed to pass
the answer back to the original requestor. The entire DNS codepath
doesn't normally allocate any memory, and uses a single packet buffer.
To add the ability to recurse would require much more heavyweight
machinery: in-progress queries would need dynamically allocated
workspace. I think you'd lose the unique selling point of dnsmasq for
small routers: it's starts very small for what it does, and it stays
small as it runs.
More information about the Dnsmasq-discuss