[Dnsmasq-discuss] Ignore certain returned DNS response?

Glen Huang curvedmark at gmail.com
Wed Oct 15 06:39:49 BST 2014


Hi Simon,

Your heads up was of tremendous help. Here is the patch I created. It implements an “ignore-address” option for the feature in question. Tested in China's network environment, should be working.

Let me know if it looks good to you. (Also, just out of curiosity, why leave those trailing spaces in the code? I did follow the coding style of dnsmasq though.)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ignore-address.patch
Type: application/octet-stream
Size: 4402 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20141015/82486186/attachment.obj>
-------------- next part --------------

On Oct 9, 2014, at 10:48 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:

> On 08/10/14 13:13, Glen Huang wrote:
>> Is it possible to ask dnsmasq to ignore DNS responses whose records
>> match a certain list of ip, and keep waiting for another response?
>> 
>> The rationale behind this is that in China, when querying a domain
>> like youtube.com or twitter.com, a fake ip is quickly returned,
>> fooling dnsmasq to discard the genuine response that comes after it.
>> Luckily the returned fake ips are of a limited set. So it’s
>> relatively easy to distinguish such bogus responses.
> 
> Sigh. Now if Twitter and Youtube did DNSSEC signatures, such silly games
> would no longer be possible.
>> 
>> I can’t find an option which does this in the man page. So this might
>> be a feature request. I guess it should work like the bogus-nxdomain
>> option, but instead of treating the ip as nxdomain, dnsmasq would
>> ignore it, and keep waiting for another response.
>> 
>> I’m willing to take a stab at this feature (it could take some time
>> though, since I’m not familiar with the internals of dnsmasq). But
>> before doing so, I want to make sure that I didn’t miss any option
>> that already does that and this feature does belong to dnsmasq.
>> 
> 
> There's no way to do this in the current dnsmasq releases, but I'd
> certainly consider a patch to implement it. You're right that the code
> can be modelled on bogus-nxdomain.
> 
> You can use code like that in check_for_bogus_wildcard() to detect the
> bad answer (the option-parsing code would be identical); the check needs
> to be called from near the start of reply_query() and should just return
> from that function if a bogus answer is detected.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> 
>> Thank you.
>> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


