[Dnsmasq-discuss] Ignore certain returned DNS response?

Simon Kelley simon at thekelleys.org.uk
Wed Nov 19 18:25:59 GMT 2014


On 19/11/14 01:42, Glen Huang wrote:
> Hey Simon,
> 
> Is the patch good for merging?

Yes.

A general announcement: I've been kept away from dnsmasq work by Real
Life for the last couple of months. I'm planning to try and catch up on
this, and all the other outstanding patches and issues over the next
three weeks or so. Anyone who has something outstanding that's not dealt
with as part of that, PLEASE contact me and remind me.


Sorry for the delay and silence.


Cheers,

Simon.



> 
> I have been personally using the patch for over a month without problems. 
> 
>> On Oct 9, 2014, at 10:48 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>>
>> On 08/10/14 13:13, Glen Huang wrote:
>>> Is it possible to ask dnsmasq to ignore DNS responses whose records
>>> match a certain list of IPs, and keep waiting for another response?
>>>
>>> The rationale behind this is that in China, when querying a domain
>>> like youtube.com or twitter.com, a fake IP is quickly returned,
>>> fooling dnsmasq into discarding the genuine response that comes after it.
>>> Luckily the returned fake IPs are of a limited set. So it’s
>>> relatively easy to distinguish such bogus responses.
>>
>> Sigh. Now if Twitter and Youtube did DNSSEC signatures, such silly games
>> would no longer be possible.
>>>
>>> I can’t find an option which does this in the man page. So this might
>>> be a feature request. I guess it should work like the bogus-nxdomain
>>> option, but instead of treating the IP as nxdomain, dnsmasq would
>>> ignore it, and keep waiting for another response.
>>>
>>> I’m willing to take a stab at this feature (it could take some time
>>> though, since I’m not familiar with the internals of dnsmasq). But
>>> before doing so, I want to make sure that I didn’t miss any option
>>> that already does that and this feature does belong to dnsmasq.
>>>
>>
>> There's no way to do this in the current dnsmasq releases, but I'd
>> certainly consider a patch to implement it. You're right that the code
>> can be modelled on bogus-nxdomain.
>>
>> You can use code like that in check_for_bogus_wildcard() to detect the
>> bad answer (the option-parsing code would be identical). The check needs
>> to be called from near the start of reply_query() and should just return
>> from that function if a bogus answer is detected.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>>
>>> Thank you.
>>>
>>
>>
> 
> 
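
The check described in the thread (drop a reply whose A records match a configured list, and keep waiting for the next one), sketched as a standalone C function. This is an added example, not code from the thread, the patch, or the dnsmasq source: the function names, the ignore list and the sample packets are hypothetical, and the addresses are constructed RFC 5737 documentation addresses. A caller placed as Simon describes would return early when the function yields 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical ignore list: constructed RFC 5737 documentation addresses. */
static const uint8_t ignore_addrs[][4] = { {192, 0, 2, 10}, {203, 0, 113, 77} };
/* Constructed replies to "example.com A": header, question, one answer up to RDLENGTH. */
#define SAMPLE_PREFIX 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, \
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1, \
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4,
static const uint8_t spoofed_reply[] = { SAMPLE_PREFIX 192, 0, 2, 10 };
static const uint8_t genuine_reply[] = { SAMPLE_PREFIX 198, 51, 100, 7 };

/* Skip an encoded name at off; return the offset after it, or 0 if malformed. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = p[off];
        if (l == 0) return off + 1;              /* root label ends the name */
        if ((l & 0xC0) == 0xC0)                  /* 2-byte compression pointer ends it */
            return off + 2 <= len ? off + 2 : 0;
        if (l & 0xC0) return 0;                  /* reserved label types */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* 1 if any IN A answer matches the ignore list, 0 if none, -1 if malformed. */
int reply_has_ignored_addr(const uint8_t *p, size_t len)
{
    if (len < 12) return -1;                     /* fixed DNS header */
    unsigned qd = (p[4] << 8) | p[5], an = (p[6] << 8) | p[7];
    size_t off = 12;
    while (qd--) {                               /* skip the question section */
        if (!(off = skip_name(p, len, off)) || off + 4 > len) return -1;
        off += 4;                                /* QTYPE + QCLASS */
    }
    while (an--) {
        if (!(off = skip_name(p, len, off)) || off + 10 > len) return -1;
        unsigned type = (p[off] << 8) | p[off + 1], cls = (p[off + 2] << 8) | p[off + 3];
        size_t rdlen = ((size_t)p[off + 8] << 8) | p[off + 9];
        off += 10;                               /* TYPE, CLASS, TTL, RDLENGTH */
        if (off + rdlen > len) return -1;
        if (type == 1 && cls == 1 && rdlen == 4) /* A record, class IN */
            for (size_t i = 0; i < sizeof ignore_addrs / sizeof ignore_addrs[0]; i++)
                if (memcmp(p + off, ignore_addrs[i], 4) == 0) return 1;
        off += rdlen;
    }
    return 0;
}
int main(void) { return reply_has_ignored_addr(spoofed_reply, sizeof spoofed_reply) != 1; }
```

Only the answer section is inspected, and a malformed or truncated packet is reported separately (-1) so the caller can decide how to treat it.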



