[Dnsmasq-discuss] Conceptual patch to reject CNAME as NODATA
Simon Kelley
simon at thekelleys.org.uk
Tue Nov 7 22:28:51 GMT 2017
My feeling is that this is sensible. The patch does have flaws, as you
fear. From inspection:

1) You're not checking the value of header->ancount, but assuming that
it's one. It may be zero in the case of a NODATA reply, or it may be
more than one, if the answer isn't a CNAME, or if the target of the
CNAME is included.

2) So you need to iterate through all the RRs in the answer section,
looking for a CNAME whose name matches the question.

3) This is probably better done in rfc1035.c, which is where DNS packet
code tends to exist.

Did you hit a real-world problem which inspired this?

Cheers,

Simon.

On 07/11/17 04:08, Josh Soref wrote:
> This isn't tested [1], but I wanted to toss it out as an idea...
>
> The existing codepath says:
>> if we forwarded a query for a locally known name (because it was for
>> an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
>> since we know that the domain exists, even if upstream doesn't
>
> Just as NXDOMAIN should be mapped to NODATA, the same logic should be
> applied for CNAME, because CNAME is by definition incompatible with
> any other entries. So, the idea is to check if the answer is a CNAME
> and then map it as NODATA.
>
> I suspect I've made a number of errors in this patch, but the idea
> seems reasonable.
>
> [1] https://github.com/jsoref/dnsmasq/commit/7c55d91ce41255d83501d95ec03a97f82563e180.patch
>
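
The check described in points 1) and 2) of the reply above, written as a stand-alone C function. This is an added example, not code from the patch or from dnsmasq; `read_name`, `reply_has_cname_for_question` and the sample packet are hypothetical names and constructed data, and it assumes a single-question reply held in a raw buffer.

```c
#include <ctype.h>
#include <string.h>

/* Expand the (possibly compressed) name at *off to lowercase dotted text; -1 if malformed. */
static int read_name(const unsigned char *p, size_t len, size_t *off, char *out, size_t outsz)
{
    size_t pos = *off, end = 0, n = 0;     /* end: offset just past the name in place */
    for (int hops = 0;;) {
        if (pos >= len) return -1;
        unsigned l = p[pos++];
        if (l == 0) break;                 /* root label terminates the name */
        if ((l & 0xC0) == 0xC0) {          /* compression pointer, hop-limited */
            if (pos >= len || ++hops > 16) return -1;
            if (!end) end = pos + 1;
            pos = ((l & 0x3F) << 8) | p[pos];
            continue;
        }
        if ((l & 0xC0) || pos + l > len || n + l + 2 > outsz) return -1;
        while (l--) out[n++] = (char)tolower(p[pos++]);
        out[n++] = '.';
    }
    out[n] = '\0';
    *off = end ? end : pos;
    return 0;
}

/* 1: some answer RR is a CNAME owned by the question name; 0: none; -1: malformed. */
int reply_has_cname_for_question(const unsigned char *p, size_t len)
{
    char qname[256], owner[256];
    if (len < 12 || ((p[4] << 8) | p[5]) != 1) return -1;   /* expect one question */
    size_t off = 12, ancount = (p[6] << 8) | p[7];          /* 0 for NODATA, may be > 1 */
    if (read_name(p, len, &off, qname, sizeof qname) < 0 || (off += 4) > len) return -1;
    for (size_t i = 0; i < ancount; i++) {                  /* walk every answer RR */
        if (read_name(p, len, &off, owner, sizeof owner) < 0 || off + 10 > len) return -1;
        unsigned type = (p[off] << 8) | p[off + 1];
        size_t rdlen = (p[off + 8] << 8) | p[off + 9];
        if ((off += 10) + rdlen > len) return -1;
        if (type == 5 && strcmp(owner, qname) == 0) return 1;   /* 5 = CNAME */
        off += rdlen;
    }
    return 0;
}

/* Constructed sample: TXT query for host.lan answered with "host.lan CNAME x.lan". */
static const unsigned char sample_cname[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0, 4,'h','o','s','t', 3,'l','a','n', 0, 0,16, 0,1,
    0xC0,0x0C, 0,5, 0,1, 0,0,0,60, 0,4, 1,'x',0xC0,0x11 };
int main(void) { return reply_has_cname_for_question(sample_cname, sizeof sample_cname) == 1 ? 0 : 1; }
```

A reply whose record lengths run past the end of the buffer yields -1, so a caller can leave a malformed packet alone instead of rewriting it.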