[Dnsmasq-discuss] Ignore certain returned DNS response?

Simon Kelley simon at thekelleys.org.uk
Sat Dec 27 15:38:43 GMT 2014


Patch tidied and tweaked a little bit, and merged into the git repo.
Many thanks for this, and sorry it took so long to get around to it.


Cheers,

Simon.


On 19/11/14 01:42, Glen Huang wrote:
> Hey Simon,
> 
> Is the patch good for merging?
> 
> I have been personally using the patch for over a month without 
> problems.
> 
>> On Oct 9, 2014, at 10:48 PM, Simon Kelley 
>> <simon at thekelleys.org.uk> wrote:
>> 
>> On 08/10/14 13:13, Glen Huang wrote:
>>> Is it possible to ask dnsmasq to ignore DNS responses whose 
>>> records match a certain list of ip, and keep waiting for 
>>> another response?
>>> 
>>> The rationale behind this is that in China, when querying a 
>>> domain like youtube.com or twitter.com, a fake ip is quickly 
>>> returned, fooling dnsmasq to discard the genuine response that 
>>> comes after it. Luckily the returned fake ips are of a limited 
>>> set. So it’s relatively easy to distinguish such bogus 
>>> responses.
>> 
>> Sigh. Now if Twitter and Youtube did DNSSEC signatures, such 
>> silly games would no longer be possible.
>>> 
>>> I can’t find an option which does this in the man page. So
>>> this might be a feature request. I guess it should work like
>>> the bogus-nxdomain option, but instead of treating the ip as 
>>> nxdomain, dnsmasq would ignore it, and keep waiting for another 
>>> response.
>>> 
>>> I’m willing to take a stab at this feature (it could take some 
>>> time though, since I’m not familiar with the internals of 
>>> dnsmasq). But before doing so, I want to make sure that I 
>>> didn’t miss any option that already does that and this 
>>> feature does belong to dnsmasq.
>>> 
>> 
>> There's no way to do this in the current dnsmasq releases, but 
>> I'd certainly consider a patch to implement it. You're right
>> that the code can be modelled on bogus-nxdomain.
>> 
>> You can use code like that in check_for_bogus_wildcard() to 
>> detect the bad answer (the option-parsing code would be 
>> identical); the check needs to be called from near the start of 
>> reply_query() and should just return from that function if a bogus 
>> answer is detected.
>> 
>> 
>> Cheers,
>> 
>> Simon.
>> 
>> 
>> 
>>> Thank you.
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
> 
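The check discussed in this thread, as an added example that is not part of the original messages and is not dnsmasq's own code: walk a DNS reply's answer section and report whether any A record carries an address on an ignore list, so a forwarder can drop that reply and keep waiting for the next one. The function names, the sample packet and the addresses (documentation ranges) are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: reply to "example.com A" carrying one answer, 203.0.113.7. */
const uint8_t SAMPLE[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,                  /* header   */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1, /* question */
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 203,0,113,7 };         /* answer   */
const uint8_t IGNORE_LIST[][4] = { {198,51,100,1}, {203,0,113,7} }; /* constructed */

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
/* Skip an encoded name (labels or a compression pointer); 0 if malformed. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = p[off];
        if ((l & 0xC0) == 0xC0)            /* pointer: 2 bytes, ends the name */
            return off + 2 <= len ? off + 2 : 0;
        if (l & 0xC0) return 0;            /* reserved label type */
        off += 1 + (size_t)l;
        if (l == 0) return off;            /* root label ends the name */
    }
    return 0;
}

/* 1: an A record matches the ignore list (caller drops this reply and keeps
   waiting); 0: no match; -1: malformed packet. */
int reply_has_ignored_addr(const uint8_t *pkt, size_t len,
                           const uint8_t (*ignore)[4], size_t n_ignore)
{
    if (len < 12) return -1;
    unsigned qd = rd16(pkt + 4), an = rd16(pkt + 6);
    size_t off = 12;
    while (qd--)                            /* question: name, type, class */
        if (!(off = skip_name(pkt, len, off)) || (off += 4) > len) return -1;
    while (an--) {                          /* answer: name, 10 fixed bytes, rdata */
        if (!(off = skip_name(pkt, len, off)) || off + 10 > len) return -1;
        unsigned type = rd16(pkt + off), cls = rd16(pkt + off + 2);
        size_t rdlen = rd16(pkt + off + 8);
        if ((off += 10) + rdlen > len) return -1;
        if (type == 1 && cls == 1 && rdlen == 4)   /* IN A record */
            for (size_t i = 0; i < n_ignore; i++)
                if (memcmp(pkt + off, ignore[i], 4) == 0) return 1;
        off += rdlen;
    }
    return 0;
}
int main(void) { return reply_has_ignored_addr(SAMPLE, sizeof SAMPLE, IGNORE_LIST, 2) == 1 ? 0 : 1; }
```

A malformed reply returns -1 rather than 0 so the caller can decide separately whether to discard it; only the answer section is inspected.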


