[Dnsmasq-discuss] No caching unless recursion enabled?

Simon Kelley simon at thekelleys.org.uk
Mon Jan 25 22:02:43 GMT 2016


The no-caching behaviour is provided by this code, at the end of
extract_addresses() in rfc1035.c


  /* Don't put stuff from a truncated packet into the cache.
     Don't cache replies from non-recursive nameservers, since we may get a
     reply containing a CNAME but not its target, even though the target
     does exist. */
  if (!(header->hb3 & HB3_TC) &&
      !(header->hb4 & HB4_CD) &&
      (header->hb4 & HB4_RA) &&
      !no_cache_dnssec)
    cache_end_insert();



Removing the

(header->hb4 & HB4_RA) &&

line will provide the behaviour you're seeking. I don't propose to
make this change in the distributed dnsmasq code.



Cheers,

Simon.

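To make that decision concrete, here is an added example (not dnsmasq's own code) that applies the same four header tests to a constructed 12-byte reply header and reports which test rejects it. The HB3_*/HB4_* names and values are assumed to mirror dnsmasq's definitions of the standard RFC 1035 flag bits; the first case is the authoritative reply with RA clear that the thread describes.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Flag bits of the third and fourth header bytes (RFC 1035 section 4.1.1).
   Names follow the dnsmasq snippet; values are the standard bit positions
   and are assumed to match dnsmasq's own definitions. */
#define HB3_QR 0x80
#define HB3_AA 0x04
#define HB3_TC 0x02
#define HB4_RA 0x80
#define HB4_CD 0x10

enum cache_verdict { CACHE_OK, SKIP_TRUNCATED, SKIP_CD, SKIP_NO_RA, SKIP_DNSSEC };

static const char *verdict_name[] = {
    "cached", "skipped: truncated", "skipped: CD set",
    "skipped: RA clear (non-recursive upstream)", "skipped: DNSSEC"
};

/* Same four tests as the end of extract_addresses(), in the same order,
   applied to the raw header of an upstream reply. */
enum cache_verdict cache_decision(const uint8_t hdr[12], int no_cache_dnssec)
{
    uint8_t hb3 = hdr[2], hb4 = hdr[3];
    if (hb3 & HB3_TC)    return SKIP_TRUNCATED;
    if (hb4 & HB4_CD)    return SKIP_CD;
    if (!(hb4 & HB4_RA)) return SKIP_NO_RA;   /* the test the thread is about */
    if (no_cache_dnssec) return SKIP_DNSSEC;
    return CACHE_OK;
}

/* Constructed reply header: id 0x1234, flags as given, 1 question, 1 answer. */
void make_reply_header(uint8_t hdr[12], uint8_t hb3, uint8_t hb4)
{
    static const uint8_t tmpl[12] = {0x12, 0x34, 0, 0, 0, 1, 0, 1, 0, 0, 0, 0};
    memcpy(hdr, tmpl, 12);
    hdr[2] = hb3;
    hdr[3] = hb4;
}

int main(void)
{
    uint8_t hdr[12];
    /* BIND answering from its own zone with recursion refused: AA set, RA clear. */
    make_reply_header(hdr, HB3_QR | HB3_AA, 0);
    printf("authoritative, RA clear: %s\n", verdict_name[cache_decision(hdr, 0)]);
    /* Same answer once allow-recursion includes the dnsmasq host: RA set. */
    make_reply_header(hdr, HB3_QR | HB3_AA, HB4_RA);
    printf("authoritative, RA set:   %s\n", verdict_name[cache_decision(hdr, 0)]);
    return 0;
}
```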

On 24/01/16 22:25, bob tatus wrote:
> Hi Simon,
> 
> The records that I am looking up are all A records, no CNAMEs in
> use here, I've confirmed this by performing a dig against the Bind
> server for queries that were missing the cache with recursion
> disabled. Additionally if I perform a tcpdump I can see the
> requests listing as "A?" and "AAAA?", while on the named logs show
> "A +" and "AAAA +" in the query logs.
> 
> Technically the Bind server does have recursion enabled, however
> it is only allowed from a single IP address, that is the IP address
> of a Squid proxy server.
> 
> This allows clients in the network to browse the Internet via the 
> Squid proxy, as the Squid proxy server will still be able to
> perform recursive DNS queries for random domains on the Internet.
> The point of this configuration is to prevent all other client
> systems in the network from otherwise resolving external DNS, which
> has been done as a security measure.
> 
> On the Bind server as soon as I put in the "allow-recursion { 
> Squid-IP; };" value, the query log on this Bind server gets 
> absolutely smashed due to the amount of DNS queries coming in that 
> are no longer being cached. These queries are all for A records of 
> other internal systems on the local network, so prime candidates
> for caching.
> 
> As soon as I comment this out and restart the named service
> (thereby allowing recursion from any host), the DNS query logs drop
> off completely, as does the tcpdump port 53 traffic, and I can see
> the cache hits of dnsmasq rising quickly.
> 
> Thanks.
> 
>> To: dnsmasq-discuss at lists.thekelleys.org.uk
>> From: simon at thekelleys.org.uk
>> Date: Sat, 23 Jan 2016 09:24:08 +0000
>> Subject: Re: [Dnsmasq-discuss] No caching unless recursion enabled?
>> 
> 
> 
> On 21/01/16 23:16, bob tatus wrote:
>>>> 
>>>> Hi there,
>>>> 
>>>> I've been using Dnsmasq for a few days now with no problems, 
>>>> it was caching well and helping a lot.
>>>> 
>>>> Yesterday I disabled recursive DNS queries on my DNS server 
>>>> (Bind 9) as this is not required within the environment,
>>>> since doing this it appears that the caching is no longer
>>>> working correctly.
>>>> 
>>>> To test I enabled recursion once more and the cache hit rate
>>>> started climbing again and I saw significantly less queries
>>>> being logged on the bind server, confirming that this was
>>>> the issue.
>>>> 
>>>> I've checked the man page but have not found anything about 
>>>> this? I need to have recursive DNS queries disabled on the
>>>> DNS server and still have the clients that use this DNS
>>>> server cache the queries received with Dnsmasq.
>>>> 
>>>> The DNS server in question is authoritative for the queries 
>>>> that I want to cache so there should not be any need for 
>>>> recursive DNS.
>>>> 
>>>> Thanks, Robert.
> 
> I just looked in the current code, and there's nothing obvious that
> would account for this effect.
> 
> I would note that not having recursion available on _any_ server 
> used by dnsmasq as an upstream is unwise. It may work but it will
> be fragile. The most obvious case is if you add a CNAME to the 
> authoritative zone which points outside it. Dnsmasq will not look
> up the target of the CNAME, it relies on the upstream server to do 
> that, and if the upstream server doesn't (because recursion is 
> disabled) then you'll get a valid but wrong answer.
> 
> Cheers,
> 
> Simon.
> 
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss