[Dnsmasq-discuss] [patch] don't cache NODATA when upstream doesn't support recursion

Ben Winslow rain at bluecherry.net
Fri Apr 6 07:35:30 BST 2012


Hello,

After a very confusing ordeal with dnsmasq, I've discovered that it will 
cache a negative result when it does not find an acceptable answer in 
the reply even if the upstream server does not support recursion.  This 
is particularly nasty if you're using --server to send some requests to 
a server which does not support recursion, since a CNAME response can 
then poison (well, somewhere between poison and delete) an arbitrary name.

For example:
# dnsmasq --server=/home/10.0.0.1
$ dig +nostats +nocmd +noquestion lichtenberg.example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46262
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
lichtenberg.example.com. 3278    IN      A      172.16.0.1


$ dig +nostats +nocmd +noquestion lichtenberg.home
;; The upstream server for .home does not offer recursion to this
;; client, so it does not include any data about the canonical name
;; lichtenberg.example.com. in the response.
;;
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9087
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
lichtenberg.home.        3600    IN      CNAME  lichtenberg.example.com.


$ dig +nostats +nocmd +noquestion lichtenberg.example.com
;; The good data we had cached for lichtenberg.example.com. has been
;; replaced with an empty response.
;;
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30135
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


The attached patch prevents dnsmasq from adding the negative cache entry 
unless the Recursion Available bit is set in the response, which 
prevents the cache damage for me.  Now I just need to figure out how to 
get the behavior I want, since dnsmasq doesn't support recursion...


Cheers,
-- 
Ben Winslow <rain at bluecherry.net>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq-neg-cache-fix.diff
Type: text/x-patch
Size: 525 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20120406/6b57b5aa/attachment.bin>
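The rule the post describes, modelled in stand-alone Python as an added example (this is not the scrubbed patch and not dnsmasq code): parse a reply, walk the CNAME chain from the question name, and treat a chain that ends without a record of the queried type as a NODATA candidate for the final name only when the upstream set the RA ("Recursion Available") bit. The `require_ra=False` path reproduces the unpatched behaviour the post complains about. All messages, names, TTLs and addresses are constructed to mirror the dig output above; the function names are this example's own.

```python
"""Decide whether a DNS reply may create a negative (NODATA) cache entry.

Added example modelling the behaviour described in the post, not dnsmasq's
own code. Sample replies below are constructed.
"""
import struct

QTYPE_A = 1
QTYPE_CNAME = 5
FLAG_RA = 0x0080  # "Recursion Available" bit in the header flags word


def encode_name(name):
    """Wire-encode a dotted name without compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # bound the walk so a pointer loop cannot spin forever
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels).lower() + ".", end if end is not None else off


def build_reply(qname, qtype, answers, ra):
    """Build a NOERROR reply; answers is [(owner, rtype, ttl, rdata_bytes)]."""
    flags = 0x8100 | (FLAG_RA if ra else 0)  # QR and RD set, RA optional
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, ttl, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_reply(msg):
    """Return (flags, qname, qtype, [(owner, rtype, ttl, rdata_or_cname_target)])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    rrs = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_CNAME:
            rdata, _ = decode_name(msg, off)  # target may itself be compressed
        else:
            rdata = msg[off:off + rdlen]
        off += rdlen
        rrs.append((owner, rtype, ttl, rdata))
    return flags, qname, qtype, rrs


def cache_decision(msg, require_ra=True):
    """Follow the CNAME chain from the question name and classify the reply.

    Returns ("positive", name) when a record of the queried type is found,
    ("negative", name) when a NODATA entry for the chain's final name would be
    cached, and ("skip", name) when the patched rule refuses to cache it
    because the upstream did not set RA.
    """
    flags, name, qtype, rrs = parse_reply(msg)
    for _ in range(16):  # bound the CNAME chain
        if any(o == name and t == qtype for o, t, _ttl, _r in rrs):
            return ("positive", name)
        targets = [r for o, t, _ttl, r in rrs if o == name and t == QTYPE_CNAME]
        if not targets:
            break
        name = targets[0]
    # Chain ended without an answer: this is a NODATA result for `name`.
    if require_ra and not flags & FLAG_RA:
        return ("skip", name)
    return ("negative", name)


# Constructed replies mirroring the post's scenario.
CNAME_RR = ("lichtenberg.home.", QTYPE_CNAME, 3600, encode_name("lichtenberg.example.com."))
NON_RECURSIVE_CNAME = build_reply("lichtenberg.home.", QTYPE_A, [CNAME_RR], ra=False)
RECURSIVE_CNAME = build_reply("lichtenberg.home.", QTYPE_A, [CNAME_RR], ra=True)
FULL_ANSWER = build_reply("lichtenberg.example.com.", QTYPE_A,
                          [("lichtenberg.example.com.", QTYPE_A, 3278, bytes([172, 16, 0, 1]))],
                          ra=True)

if __name__ == "__main__":
    for label, msg in [("no RA + CNAME", NON_RECURSIVE_CNAME),
                       ("RA + CNAME", RECURSIVE_CNAME),
                       ("A answer", FULL_ANSWER)]:
        print(label, "patched:", cache_decision(msg),
              "unpatched:", cache_decision(msg, require_ra=False))
```

With `require_ra=False` the first reply yields a negative entry for lichtenberg.example.com., which is the overwrite the post observed; with the RA check in place the same reply is simply not cached negatively, while a genuinely recursive upstream's NODATA still is.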
