[Dnsmasq-discuss] With --all-servers option enabled, query failed due to first answer with no answer section

Simon Kelley simon at thekelleys.org.uk
Thu Jul 31 20:14:56 BST 2014


On 24/07/14 08:20, 毕勤 wrote:
> Well, I just figured out that it might be due to the DNS hijacking of
> China's Great Firewall.
> 
> The GFW hijacks the DNS process and returns a fake response package, with
> the response code=0 (means no error) but no Answer RRs (Answer RRs=0). It's
> obviously illogical but legal for a resolver.
> 
> So maybe I should not require this problem to be solved by dnsmasq; I can
> use iptables to drop that kind of fake response.
> 

Be careful, that answer is perfectly sensible. It means that there's
some data in the DNS for that name, but not of the type you asked for.

For instance, if I asked for an IPv6 address (AAAA record) for a host
which didn't have an IPv6 address, but it did have an IPv4 address (A
record), then I'd get a reply with zero answer RRs and a zero error code.
This sort of reply is called NODATA.


In answer to your original question: Dnsmasq always believes answers it
gets if the answer is NXDOMAIN or NODATA, because they are common and
legitimate answers. It's not generally good to go slower by trying
another server when you have an answer already.

For your application, it would be quite easy to patch dnsmasq to change
the behaviour. I think the problem might be that the GFW could then start
returning a different valid but wrong answer, and you'd be no further
forward.


Cheers,

Simon.


> I'm sorry if any bother.
> 
> Bi Qin
> 
> 
> On Thu, Jul 24, 2014 at 10:01 AM, 毕勤 <leavic at gmail.com> wrote:
> 
>> Hi List,
>>
>>          I have configured multiple DNS servers in the config file with
>> the "--all-servers" option enabled. The reason why I did this is to get the
>> correct answer from a foreign DNS (due to the DNS poisoning of China's Great
>> Firewall) without losing the fast query speed from the local (China) DNS.
>>
>>         The problem is, when I queried certain domains (e.g.
>> scontent-a.cdninstagram.com), the first answer from the local DNS had no
>> answer section (still a DNS poisoning issue), then Dnsmasq accepted and took
>> this as the final answer, as it was the first answer. This made the queries
>> for that domain from the desktop fail.
>>
>>         In the meantime, forcing dig to query that domain via Google DNS
>> gives me the correct answer with an answer section. I understand that's
>> correct behavior as described in Dnsmasq's manpage for the "--all-servers"
>> option. And I can deal with it with the "server=/domain/DNS" option to use a
>> certain DNS for a certain domain as a temporary solution.
>>
>>        But could it be more intelligent? When the "--all-servers" option is
>> enabled, force Dnsmasq to query the other configured servers if the first
>> answer has no answer section.
>>        Which means Dnsmasq will take the first answer with an answer section
>> as the result, rather than the first answer returned.
>>
>> Thank you!
>>
>> Bi Qin
>>
> 
> 
> 
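As an added example (not code from this thread or from dnsmasq), a minimal wire-format classifier showing why a reply with rcode 0 and zero answer RRs is NODATA rather than an error, as Simon explains. It also applies a defender-side heuristic that is not from the thread: RFC 2308 says a genuine NODATA from an authoritative source normally carries the zone's SOA in the authority section, so a reply with no answer and no authority records at all (the shape the poster saw) is flagged separately. All names and records are constructed.

```python
import struct

HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QR, RCODE_MASK = 0x8000, 0x000F
A, AAAA, SOA = 1, 28, 6  # RR type codes


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_response(qname, qtype, rcode, answers=(), authority=()):
    """Constructed sample response: one question, then RRs given as
    (type, rdata) pairs; owner names use a pointer to the question name."""
    def rr(rtype, rdata):
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    body += b"".join(rr(t, d) for t, d in list(answers) + list(authority))
    hdr = HEADER.pack(0x1234, QR | rcode, 1, len(answers), len(authority), 0)
    return hdr + body


def classify_response(msg: bytes) -> str:
    """Resolver view of a response. rcode 0 with ANCOUNT 0 is NODATA, a valid
    answer. A genuine NODATA usually has the zone SOA in the authority section
    (RFC 2308); no authority records at all is flagged NODATA-EMPTY (heuristic)."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = HEADER.unpack_from(msg)
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & RCODE_MASK
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return "ERROR(rcode=%d)" % rcode
    if an == 0:
        return "NODATA" if ns > 0 else "NODATA-EMPTY"
    return "ANSWER"


# Constructed samples, not real captures. SOA rdata: mname, rname, 5 x 32-bit.
SOA_RDATA = (encode_name("ns.example.") + encode_name("hostmaster.example.")
             + struct.pack("!IIIII", 1, 7200, 900, 1209600, 300))
# AAAA asked for a host that only has an A record: the NODATA Simon describes.
GENUINE_NODATA = build_response("host.example.", AAAA, 0, authority=[(SOA, SOA_RDATA)])
# The shape the poster saw: rcode 0, zero answer RRs, nothing else at all.
EMPTY_REPLY = build_response("host.example.", A, 0)
REAL_ANSWER = build_response("host.example.", A, 0, answers=[(A, bytes([192, 0, 2, 1]))])
NXDOMAIN = build_response("nope.example.", A, 3, authority=[(SOA, SOA_RDATA)])
```

Treating NODATA-EMPTY as suspicious is only a heuristic: RFC 2308 also allows NODATA replies with an empty authority section, so log and compare against a second server rather than dropping outright.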
