[Dnsmasq-discuss] Ignore certain returned DNS response?
Simon Kelley
simon at thekelleys.org.uk
Sat Dec 27 15:38:43 GMT 2014
Patch tidied and tweaked a little bit, and merged into the git repo.
Many thanks for this, and sorry it took so long to get around to it.
Cheers,
Simon.
On 19/11/14 01:42, Glen Huang wrote:
> Hey Simon,
>
> Is the patch good for merging?
>
> I have been personally using the patch for over a month without
> problems.
>
>> On Oct 9, 2014, at 10:48 PM, Simon Kelley
>> <simon at thekelleys.org.uk> wrote:
>>
>> On 08/10/14 13:13, Glen Huang wrote:
>>> Is it possible to ask dnsmasq to ignore DNS responses whose
>>> records match a certain list of ip, and keep waiting for
>>> another response?
>>>
>>> The rationale behind this is that in China, when querying a
>>> domain like youtube.com or twitter.com, a fake ip is quickly
>>> returned, fooling dnsmasq into discarding the genuine response
>>> that comes after it. Luckily the returned fake ips are of a
>>> limited set. So it’s relatively easy to distinguish such bogus
>>> responses.
>>
>> Sigh. Now if Twitter and Youtube did DNSSEC signatures, such
>> silly games would no longer be possible.
>>>
>>> I can’t find an option which does this in the man page. So
>>> this might be a feature request. I guess it should work like
>>> the bogus-nxdomain option, but instead of treating the ip as
>>> nxdomain, dnsmasq would ignore it, and keep waiting for another
>>> response.
>>>
>>> I’m willing to take a stab at this feature (it could take some
>>> time though, since I’m not familiar with the internals of
>>> dnsmasq). But before doing so, I want to make sure that I
>>> didn’t miss any option that already does that and this
>>> feature does belong to dnsmasq.
>>>
>>
>> There's no way to do this in the current dnsmasq releases, but
>> I'd certainly consider a patch to implement it. You're right
>> that the code can be modelled on bogus-nxdomain.
>>
>> You can use code like that in check_for_bogus_wildcard() to
>> detect the bad answer (the option-parsing code would be
>> identical). The check needs to be called from near the start of
>> reply_query() and should just return from that function if a
>> bogus answer is detected.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>>
>>> Thank you.
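The check discussed in this thread, sketched as a stand-alone C function (an added example, not dnsmasq's code or the merged patch): it walks the answer section of a raw DNS reply and reports whether any A record matches an ignore list, so a caller can drop that reply and keep waiting for the next one. The names `has_ignored_addr`, `skip_name` and `be16` are hypothetical, and the sample packet and addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }
/* Skip one encoded name; returns a pointer past it, or NULL if malformed. */
static const uint8_t *skip_name(const uint8_t *p, const uint8_t *end) {
  while (p < end) {
    if ((*p & 0xc0) == 0xc0) return end - p >= 2 ? p + 2 : NULL; /* pointer ends name */
    if (*p & 0xc0) return NULL;                /* reserved label type */
    if (*p == 0) return p + 1;                 /* root label */
    if ((size_t)(end - p) < 1u + *p) return NULL;
    p += 1 + *p;
  }
  return NULL;
}

/* 1 if any IN A record in the answer section is in ignore[]; 0 otherwise,
   including for truncated or malformed packets. */
int has_ignored_addr(const uint8_t *pkt, size_t len, const uint8_t ignore[][4], size_t n) {
  if (len < 12) return 0;
  const uint8_t *p = pkt + 12, *end = pkt + len;
  unsigned qd = be16(pkt + 4), an = be16(pkt + 6);
  while (qd--) {                               /* skip the question section */
    if (!(p = skip_name(p, end)) || end - p < 4) return 0;
    p += 4;
  }
  while (an--) {
    if (!(p = skip_name(p, end)) || end - p < 10) return 0;
    unsigned type = be16(p), rclass = be16(p + 2), rdlen = be16(p + 8);
    p += 10;                                   /* type, class, TTL, rdlength */
    if ((size_t)(end - p) < rdlen) return 0;
    for (size_t i = 0; type == 1 && rclass == 1 && rdlen == 4 && i < n; i++)
      if (memcmp(p, ignore[i], 4) == 0) return 1;
    p += rdlen;
  }
  return 0;
}

/* Constructed sample: reply for example.test carrying A 192.0.2.1. */
static const uint8_t sample_reply[] = {
  0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
  7,'e','x','a','m','p','l','e', 4,'t','e','s','t',0, 0,1, 0,1,
  0xc0,0x0c, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
static const uint8_t sample_ignore[][4] = { {192,0,2,1}, {203,0,113,9} };
int main(void) {
  puts(has_ignored_addr(sample_reply, sizeof sample_reply, sample_ignore, 2)
       ? "drop reply, keep waiting" : "accept reply");
  return 0;
}
```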