[Dnsmasq-discuss] Ignore certain returned DNS response?

Simon Kelley simon at thekelleys.org.uk
Thu Oct 9 15:48:35 BST 2014

On 08/10/14 13:13, Glen Huang wrote:
> Is it possible to ask dnsmasq to ignore DNS responses whose records
> match a certain list of ip, and keep waiting for another response?
> The rationale behind this is that in China, when querying a domain
> like youtube.com or twitter.com, a fake ip is quickly returned,
> fooling dnsmasq into discarding the genuine response that comes after it.
> Luckily the returned fake ips are of a limited set. So it’s
> relatively easy to distinguish such bogus responses.

Sigh. Now if Twitter and Youtube did DNSSEC signatures, such silly games
would no longer be possible.

> I can’t find an option which does this in the man page. So this might
> be a feature request. I guess it should work like the bogus-nxdomain
> option, but instead of treating the ip as nxdomain, dnsmasq would
> ignore it, and keep waiting for another response.
> I’m willing to take a stab at this feature (it could take some time
> though, since I’m not familiar with the internals of dnsmasq). But
> before doing so, I want to make sure that I didn’t miss any option
> that already does that and that this feature does belong in dnsmasq.

There's no way to do this in the current dnsmasq releases, but I'd
certainly consider a patch to implement it. You're right that the code
can be modelled on bogus-nxdomain.

You can use code like that in check_for_bogus_wildcard() to detect the
bad answer (the option-parsing code would be identical). The check needs
to be called from near the start of reply_query() and should just return
from that function if a bogus answer is detected.
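To make the proposed behaviour concrete, here is an added example (not dnsmasq code, and not from either poster) that does in Python what the suggested check in reply_query() would do in C: parse the answer section of a DNS response, compare the A records against a list of known-forged addresses, and drop the response so that a later, genuine one can be accepted instead. The bogus address list and the responses are constructed test data; the helper names (build_response, answer_ips, is_bogus_answer, first_accepted) are assumptions for this example only.

```python
import struct
import ipaddress

# Constructed placeholder set of addresses seen in injected answers.
# A real deployment would load this from a maintained list, the way
# bogus-nxdomain takes its addresses from the config file.
BOGUS_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.5", "198.51.100.77")}


def _encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, ips, txid=0x1234):
    """Build a minimal DNS response (constructed test input): one A question
    and one A answer per address, each answer name a pointer to offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answers += ipaddress.ip_address(ip).packed
    return header + question + answers


def _skip_name(packet, offset):
    """Return the offset just past the name at offset (handles compression pointers)."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def answer_ips(packet):
    """Extract the IPv4 addresses carried by A records in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(packet, offset) + 4   # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        offset = _skip_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            ips.append(ipaddress.ip_address(rdata))
    return ips


def is_bogus_answer(packet, bogus=BOGUS_IPS):
    """True if any A record in the response matches the forged-address list.
    This is the equivalent of the early check proposed for reply_query()."""
    return any(ip in bogus for ip in answer_ips(packet))


def first_accepted(responses, bogus=BOGUS_IPS):
    """Walk responses in arrival order and return the first one that is not
    flagged; a flagged response is simply dropped and we keep waiting.
    Returns None if every response was forged (the query then times out)."""
    for packet in responses:
        if not is_bogus_answer(packet, bogus):
            return packet
    return None


if __name__ == "__main__":
    forged = build_response("example.com", ["203.0.113.5"])
    genuine = build_response("example.com", ["192.0.2.10"])
    chosen = first_accepted([forged, genuine])
    print("accepted answer:", [str(ip) for ip in answer_ips(chosen)])
```

Note that dropping the forged reply only helps if the resolver keeps the outstanding query open; in dnsmasq that is exactly what returning early from reply_query() achieves, since the query stays in its pending list until either a later reply arrives or the normal retry/timeout path gives up.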