[Dnsmasq-discuss] dig +trace failing

Simon Kelley simon at thekelleys.org.uk
Wed Sep 19 12:27:12 BST 2018


The change in question causes dnsmasq to always return SERVFAIL for
queries without the "use recursion" bit set.


The relevant quote in the reference

http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf

is this:

Recommendation 2: secondly, and most importantly, non-authoritative
requests to DNS caches should not be allowed. For instance dnscache, a
popular caching-only DNS implementation, tries to prevent cache
snooping by refusing to answer non-recursive queries [3]. Another option
is to never consult the cache when responding to non-RD queries.

So dnsmasq could adopt the alternative: when rd is not set, never answer
from the cache, but always forward the query. That would allow dig
+trace to work.

Does that seem sensible?


Cheers,

Simon.



On 19/09/18 11:16, Dominik DL6ER wrote:
> Dear list members,
> 
> I expect "dig +trace" to show a trace of the delegation path from the
> root name servers for the name being looked up. This behavior is broken
> since commit 087eb76140725f8f1892ba6f251ea052d3440966
> <http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=087eb76140725f8f1892ba6f251ea052d3440966>
> and is not fixed until now (I compiled and tested the most recent
> "master" branch of dnsmasq).
> 
> 
> 
> With dnsmasq v2.80test6, and v2.79, I see:
> 
> $ dig +trace www.example.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
> ;; global options: +cmd
> ;; Received 17 bytes from 192.168.2.11#53(pi.hole) in 76 ms
> 
> With dnsmasq v2.78 (and previously), I see:
> 
> $ dig +trace www.example.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
> ;; global options: +cmd
> .            42569    IN    NS    l.root-servers.net.
> .            42569    IN    NS    k.root-servers.net.
> .            42569    IN    NS    e.root-servers.net.
> .            42569    IN    NS    h.root-servers.net.
> .            42569    IN    NS    j.root-servers.net.
> .            42569    IN    NS    i.root-servers.net.
> .            42569    IN    NS    g.root-servers.net.
> .            42569    IN    NS    a.root-servers.net.
> .            42569    IN    NS    b.root-servers.net.
> .            42569    IN    NS    m.root-servers.net.
> .            42569    IN    NS    c.root-servers.net.
> .            42569    IN    NS    f.root-servers.net.
> .            42569    IN    NS    d.root-servers.net.
> ;; Received 241 bytes from 192.168.2.11#53(pi.hole) in 115 ms
> 
> 
> Best regards,
> Dominik
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
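An added illustration of the two non-RD policies discussed above, written for this thread and not taken from dnsmasq or from either poster: a toy caching forwarder reads the RD bit from a constructed query and shows that both refusing non-RD queries (SERVFAIL) and always forwarding them give answers that do not depend on cache contents, whereas a hypothetical cache-only answer does leak cache state (the snooping the cited paper describes). `fake_upstream` and the policy names are assumptions.

```python
import struct

NOERROR, SERVFAIL = 0, 2
RD_BIT = 0x0100  # "recursion desired" flag in the DNS header flags word

def build_query(qname, qtype=2, rd=True, qid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one question (constructed input)."""
    header = struct.pack("!HHHHHH", qid, RD_BIT if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".") if l)
    # For "." this is 17 bytes; a SERVFAIL reply echoing it is 17 bytes too,
    # which is the reply size Dominik's dig +trace reported.
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def rd_set(packet):
    """True if the client asked for recursion; dig +trace sends queries with RD clear."""
    return bool(struct.unpack("!H", packet[2:4])[0] & RD_BIT)

def fake_upstream(packet):
    """Stand-in for the upstream resolver (assumption): returns an opaque answer."""
    return b"answer-for:" + packet[12:]

def resolve(packet, cache, policy, upstream=fake_upstream):
    """Handle one query under a given non-RD policy; returns (rcode, source).

    "refuse":     non-RD -> SERVFAIL, as dnsmasq does since the cited commit.
    "forward":    non-RD -> always sent upstream, cache never consulted (the proposal).
    "cache-only": non-RD -> answered only if already cached; hypothetical policy
                  showing the snoopable behaviour the paper warns about.
    RD queries always use the cache.
    """
    key = packet[12:]  # the question section is the cache key
    if not rd_set(packet):
        if policy == "refuse":
            return SERVFAIL, None
        if policy == "forward":
            upstream(packet)  # answer relayed to the client, cache untouched
            return NOERROR, "upstream"
        return (NOERROR, "cache") if key in cache else (NOERROR, None)
    if key in cache:
        return NOERROR, "cache"
    cache[key] = upstream(packet)
    return NOERROR, "upstream"

def non_rd_reveals_cache(policy, name="www.example.com"):
    """Snooping check: does a non-RD query get a different answer on a warm cache?"""
    q = build_query(name, 1, rd=False)
    cold = resolve(q, {}, policy)
    warm = resolve(q, {q[12:]: fake_upstream(q)}, policy)
    return cold != warm
```

Under "refuse" dig +trace fails outright; under "forward" its initial root NS query is answered by the upstream rather than from the cache, and neither policy lets a non-RD query distinguish a cold cache from a warm one.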


