[Dnsmasq-discuss] Ignore certain returned DNS response?

[Simon Kelley]

On 08/10/14 13:13, Glen Huang wrote:
> Is it possible to ask dnsmasq to ignore DNS responses whose records
> match a certain list of ip, and keep waiting for another response?
> 
> The rational behind this is that in China, when querying a domain
> like youtube.com or twitter.com, a fake ip is quickly returned,
> fooling dnsmasq to discard the genuine response that comes after it.
> Luckily the returned fake ips are of a limited set. So it’s
> relatively easy to distinguish such bogus responses.

Sigh. Now if Twitter and Youtube did DNSSEC signatures, such silly games
would no longer be possible.
> 
> I can’t find an option which does this in the man page. So this might
> be a feature request. I guess it should work like the bogus-nxdomain
> option, but instead of treating the ip as nxdomain, dnsmasq would
> ignore it, and keep wait for another response.
> 
> I’m willing to take a stab at this feature (it could take some time
> though, since I’m not familiar with the internels of dnsmasq). But
> before doing so, I want to make sure that I didn’t missing any option
> that already does that and this feature does belong to dnsmasq.
> 

There's no way to do this in the current dnsmasq releases, but I'd
certainly consider a patch to implement it. You're right that the code
can be modelled on bogus-nxdomain.

You can use code like that in check_for_bogus_wildcard() to detect the
bad answer (the option-parsing code would be identical) the check needs
to be called from near the start of reply_query() and should just return
from that function if bogus answer is detected.


Cheers,

Simon.



> Thank you. _______________________________________________ 
> Dnsmasq-discuss mailing list Dnsmasq-discuss at lists.thekelleys.org.uk 
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>