[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server

Simon Kelley simon at thekelleys.org.uk
Mon Feb 27 21:52:27 GMT 2017



The behaviour of believing the first REFUSED answer has been changed
for the forthcoming release.


There's a couple of long discussions about this on here.

Cheers,

Simon.

On 27/02/17 16:42, /dev/rob0 wrote:
> On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
>> On 27/02/17 13:31, Chris Novakovic wrote:
>>> On 27/02/17 10:04, Daniel Pocock wrote:
>>>> 
>>>> I've observed the following problem:
>>>> 
>>>> - dnsmasq is sending queries to 5 servers, one of them is not
>>>> recursive and only answers for a private domain
>>>> 
>>>> - if the first response dnsmasq receives comes from the 
>>>> non-recursive server (REFUSED), then dnsmasq is sending a 
>>>> REFUSED response to the client
>>>> 
>>>> - dnsmasq subsequently receives a response from one of the 
>>>> recursive servers
>>> 
>>> This is expected behaviour. One possibility is to configure 
>>> dnsmasq to forward requests to the non-recursive server only 
>>> for the private domain, e.g.:
>>> 
>>> --server=/private.domain/non.recursive.server.ip
>>> 
>>> and a matching --rev-server directive if appropriate.
>> 
>> The router is running OpenWRT, I could make that change manually
>> but then I wouldn't be able to fully manage it with the GUI any
>> more.
>> 
>> Can you confirm if this is the only way it can work according to
>> the DNS spec, or is it a dnsmasq design decision?
> 
> --server without the domain specified MUST be a recursive server, 
> willing to resolve your queries for any names.
> 
> --server/domain.example/ip.add.re.ss will only send queries for 
> domain.example (and *.domain.example) to ip.add.re.ss.
> 
>> Could a software approach be taken by default, waiting to see if
>> any resolver provides a positive response before sending back
>> REFUSED to the client?
> 
> I don't see a valid use case for this.  You have a configuration 
> error, by listing a non-recursive server among your upstream 
> recursive servers.
> 
> Perhaps the OpenWRT people didn't know enough about dnsmasq to 
> support this situation, or perhaps they didn't care.  But dnsmasq 
> documentation of --server is clear enough about it.
> 
> Another problem you will have is when one of the actual upstream 
> recursive servers replies for "domain.example" with incorrect
> data.
> 
> (Side note: simple is good; listing more recursive servers will 
> generally not improve performance.  If some of the servers you're 
> listing are not reliable enough, try one of the Google Public DNS 
> addresses, or run your own recursive resolver.)
> 



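An added configuration example (not from the thread, and not OpenWRT's generated config) showing the misconfiguration Daniel describes beside the scoped form Chris suggests; the addresses are RFC 5737/1918 placeholders and `private.domain` is the thread's own placeholder name.

```ini
# --- Misconfigured: every server= without a domain is treated as a
# general-purpose recursive upstream, so a REFUSED from the
# private-domain server races the real resolvers for every query.
server=192.0.2.1          # placeholder: public recursive resolver
server=192.0.2.2          # placeholder: second public recursive resolver
server=10.0.0.53          # placeholder: non-recursive, only knows private.domain

# --- Corrected: scope the non-recursive server to the zone it serves.
# Only names under private.domain (and its subdomains) go to 10.0.0.53;
# everything else goes to the recursive upstreams, so a REFUSED from
# 10.0.0.53 can no longer be forwarded to clients for public names.
server=192.0.2.1
server=192.0.2.2
server=/private.domain/10.0.0.53

# Matching reverse lookups: send PTR queries for 10.20.30.0/24 (placeholder
# for the private subnet) to the same server.
rev-server=10.20.30.0/24,10.0.0.53

# Validate syntax after editing (dnsmasq --test -C /etc/dnsmasq.conf).
```

Keep the upstream list short, as the thread notes: more general recursive servers do not make resolution faster, and any one of them answering for the private zone would still be believed.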