[Dnsmasq-discuss] [patch] don't cache NODATA when upstream doesn't support recursion
Ben Winslow
rain at bluecherry.net
Fri Apr 6 07:35:30 BST 2012
Hello,
After a very confusing ordeal with dnsmasq, I've discovered that it will
cache a negative result when it does not find an acceptable answer in
the reply even if the upstream server does not support recursion. This
is particularly nasty if you're using --server to send some requests to
a server which does not support recursion, since a CNAME response can
then poison (well, somewhere between poison and delete) an arbitrary name.
For example:
# dnsmasq --server=/home/10.0.0.1
$ dig +nostats +nocmd +noquestion lichtenberg.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46262
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
lichtenberg.example.com. 3278 IN A 172.16.0.1
$ dig +nostats +nocmd +noquestion lichtenberg.home
;; The upstream server for .home does not offer recursion to this
;; client, so it does not include any data about the canonical name
;; lichtenberg.example.com. in the response.
;;
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9087
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
lichtenberg.home. 3600 IN CNAME lichtenberg.example.com.
$ dig +nostats +nocmd +noquestion lichtenberg.example.com
;; The good data we had cached for lichtenberg.example.com. has been
;; replaced with an empty response.
;;
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30135
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
The attached patch prevents dnsmasq from adding the negative cache entry
unless the Recursion Available bit is set in the response, which
prevents the cache damage for me. Now I just need to figure out how to
get the behavior I want, since dnsmasq doesn't support recursion...
Cheers,
--
Ben Winslow <rain at bluecherry.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq-neg-cache-fix.diff
Type: text/x-patch
Size: 525 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20120406/6b57b5aa/attachment.bin>
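The cache behaviour the report describes, modelled in Python as an added example (this is not dnsmasq's code and not the attached patch): a minimal builder and parser for DNS messages, a simplified cache that follows the CNAME chain and records NODATA for the final target, and the one check the patch is described as adding, skipping the negative entry when the upstream reply has Recursion Available clear. The message builder, the fixed negative TTL of 3600 and the `scenario()` replay of the three queries above are constructed for illustration; `require_ra=False` reproduces the damage, `require_ra=True` the patched behaviour.

```python
import struct

TYPE_A, TYPE_CNAME = 1, 5
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
NEG_TTL = 3600  # assumption for this model; a real cache derives it from the SOA minimum


def build_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, qtype, answers, ra):
    """Constructed upstream reply: NOERROR, one question, the given answer RRs,
    RA set or clear as requested. answers = [(owner, type, ttl, rdata), ...]"""
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0)
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += build_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in answers:
        msg += build_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers; returns (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier part of the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and answer section (authority/additional are ignored here)."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"qname": qname, "qtype": qtype, "ra": bool(flags & FLAG_RA), "answers": answers}


def update_cache(cache, resp, require_ra):
    """Simplified cache insert: walk the CNAME chain from the question name and, if the
    final target has no record of the queried type, store NODATA for it. With
    require_ra=True the negative entry is skipped when the reply has RA clear."""
    name, qtype = resp["qname"], resp["qtype"]
    for _ in range(8):  # bounded CNAME chasing so a looping chain cannot spin
        data = [rr for rr in resp["answers"] if rr[0] == name and rr[1] == qtype]
        if data:
            cache[(name, qtype)] = ("data", data[0][2], data[0][3])
            return "data"
        cname = next((rr for rr in resp["answers"] if rr[0] == name and rr[1] == TYPE_CNAME), None)
        if cname is None:
            break
        cache[(name, TYPE_CNAME)] = ("data", cname[2], cname[3])
        name, _ = read_name(cname[3], 0)  # the chain target lives in the CNAME rdata
    else:
        return "chain-too-long"
    # No record for the final name in this reply.
    if require_ra and not resp["ra"]:
        return "skip"  # upstream did not recurse, so absence proves nothing
    cache[(name, qtype)] = ("nodata", NEG_TTL, None)
    return "nodata"


def scenario(require_ra):
    """Replay the three queries from the report against an empty cache and return
    what the cache then holds for lichtenberg.example.com./A."""
    cache = {}
    # Query 1: the default (recursive) upstream answers the A query, RA set.
    ok = parse_response(build_response("lichtenberg.example.com.", TYPE_A,
        [("lichtenberg.example.com.", TYPE_A, 3278, bytes([172, 16, 0, 1]))], ra=True))
    update_cache(cache, ok, require_ra)
    # Query 2: the non-recursive .home upstream returns only the CNAME, RA clear.
    cn = parse_response(build_response("lichtenberg.home.", TYPE_A,
        [("lichtenberg.home.", TYPE_CNAME, 3600, build_name("lichtenberg.example.com."))], ra=False))
    update_cache(cache, cn, require_ra)
    # Query 3: what a client asking for lichtenberg.example.com. A now gets from the cache.
    return cache.get(("lichtenberg.example.com.", TYPE_A))
```

The RA bit that matters is the one in the upstream's reply, which is what the model inspects; the `ra` that dig prints in the exchanges above is in the reply dnsmasq sends to the client and says nothing about the upstream.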