[Dnsmasq-discuss] CNAME trouble with no AAAA

Simon Kelley simon at thekelleys.org.uk
Sat Oct 26 22:20:53 BST 2019


On 26/10/2019 03:47, Dominick C. Pastore wrote:
> On Fri, Oct 25, 2019, at 4:48 PM, Simon Kelley wrote:
>> On 20/10/2019 17:55, Dominick C. Pastore wrote:
>>> I apologize for continuing the discussion on this. The patch (applied on top of 2.80-1 provided by Debian Buster) completely solved the issues I was having, but I did notice a couple other things.
>>>
>>> First, locally configured CNAMEs and records other than A or AAAA do not seem to play well together. For example, MX and TXT requests still get forwarded upstream, even after the patch. I played around with this a bit and discovered:
>>>
>>> 1. Unlike "host-record", "txt-record" and "mx-host" on the target are not enough to keep Dnsmasq from ignoring a locally defined CNAME. (I did not try others, like "srv-host".)
>>
>> This is true, and difficult to fix for very obscure reasons. It should
>> be more explicitly documented, or better, fixed.
> 
> To be fair, the man page doesn't say that this should work. Although I suppose it also doesn't say that "host-record" should work and that one does. If it would be helpful, I don't mind contributing documentation updates, although I'm not sure what Dnsmasq's conventions are for external contributions.

We bite the hand of anyone who improves docs......


> 
>>> 2. In fact, Dnsmasq never follows a CNAME for MX or TXT requests, even when the CNAME does point to a host Dnsmasq knows locally. (I assume this is the reason for #1.)
>>>
>> Actually it's not, it's just that the CNAME code was never generalised to
>> handle stuff not in the cache. I've spent an enjoyable afternoon down
>> the rabbit-hole testing and rewriting, and this should be fixed now. The
>> prohibition on mixing local and upstream continues, but you can now
>> define a TXT/MX/SRV locally and a local CNAME pointing to it, and as
>> long as you define an A or AAAA record of the same name, all will be fine.
>>
>>> Second, it seems that when Dnsmasq caches a NXDOMAIN response from upstream, it starts giving a NODATA response for other request types on the same name. Strangely, log-queries indicates the requests are forwarded, but right after a SIGHUP to clear the cache, sending one of the NODATA queries results in NXDOMAIN.
>>
>> I can't reproduce this. Could you provide a simple example?
> 
> Here is how I am able to reproduce it:
> 
> 1. Query Dnsmasq for type A on a nonexistent domain (using dig). Get NXDOMAIN.
> 2. Query Dnsmasq for type AAAA on the same domain. Get NODATA.
> 3. Send SIGHUP to Dnsmasq to clear cache.
> 4. Query Dnsmasq for type AAAA on the same domain again. This time, get NXDOMAIN.
> 
> Here are the actual commands and output pasted from the shell:
> 
> dominickpastore at platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion vlvtdnpxed.com A
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46341
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; AUTHORITY SECTION:
> com.                    899     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1572043374 1800 900 604800 86400
> dominickpastore at platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion vlvtdnpxed.com AAAA
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40388
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> dominickpastore at platinum:~$ sudo killall -HUP dnsmasq
> [sudo] password for dominickpastore:
> dominickpastore at platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion vlvtdnpxed.com AAAA
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31058
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; AUTHORITY SECTION:
> com.                    899     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1572043429 1800 900 604800 86400
> 
> Querying the upstream server directly always results in NXDOMAIN.
> 
> The other thing I noticed is that only an A or AAAA request triggers this. SRV, TXT, and MX requests do not. But once an A or AAAA request is made for a nonexistent domain, all other request types for that domain result in NODATA until the cache is flushed. To demonstrate what I mean:
> 
> sudo killall -HUP dnsmasq
> dig @127.0.0.1 vlvtdnpxed.com TXT    # gives NXDOMAIN
> dig @127.0.0.1 vlvtdnpxed.com SRV    # gives NXDOMAIN
> dig @127.0.0.1 vlvtdnpxed.com AAAA   # gives NXDOMAIN
> dig @127.0.0.1 vlvtdnpxed.com TXT    # gives NODATA
> dig @127.0.0.1 vlvtdnpxed.com SRV    # gives NODATA
> dig @127.0.0.1 vlvtdnpxed.com A      # gives NODATA
> dig @127.0.0.1 vlvtdnpxed.com AAAA   # gives NXDOMAIN
> 

You're running 2.80, right? I think we (not me) nailed this one already.

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=162e5e0062ce923c494cc64282f293f0ed64fc10

Cheers,

Simon.



> Thanks,
> Nick
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
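A small regression check for the negative-caching inconsistency Nick describes (NXDOMAIN for one type, NODATA for another on the same name), added here as an example and not code from the thread or from dnsmasq itself. The response bytes are constructed from the dig headers quoted above; probe() assumes a resolver reachable on UDP port 53 and is only needed for live use.

```python
# Added example (not from the thread): detect the A/AAAA negative-cache
# inconsistency from the bug report. dns_query() builds the wire-format query
# dig sends; classify() turns a raw response into "NXDOMAIN", "NODATA" or
# "DATA"; check_consistency() flags NXDOMAIN and NODATA for the same name.
import socket
import struct

def dns_query(name, qtype, txid=0x1234):
    """Build a wire-format DNS query (RD set) for name/qtype, like dig does."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def classify(resp):
    """Return 'NXDOMAIN', 'NODATA' or 'DATA' from a raw DNS response."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0:
        return "DATA" if ancount > 0 else "NODATA"
    return "RCODE%d" % rcode

def check_consistency(results):
    """results: {qtype_name: classification}. A name cannot both not exist
    (NXDOMAIN) and exist without records of a type (NODATA), so a cache
    that returns both for one name is serving a wrong negative answer."""
    kinds = set(results.values())
    return not ({"NXDOMAIN", "NODATA"} <= kinds)

def probe(server, name, qtype, timeout=2.0):
    """Live query helper (assumes a resolver on UDP 53; unused in the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(dns_query(name, qtype), (server, 53))
        return classify(s.recv(4096))

# Constructed headers mirroring the dig output in the thread (a header alone
# is enough for classify()). NXDOMAIN: flags qr rd ra, rcode 3, 1 authority RR.
NXDOMAIN_RESP = struct.pack("!HHHHHH", 46341, 0x8183, 1, 0, 1, 1)
# NODATA: flags qr aa rd ra, rcode 0, no answer, no authority. Note the 'aa'
# bit: the answer came from dnsmasq's own data, not from upstream.
NODATA_RESP = struct.pack("!HHHHHH", 40388, 0x8580, 1, 0, 0, 1)

if __name__ == "__main__":
    seen = {"A": classify(NXDOMAIN_RESP), "AAAA": classify(NODATA_RESP)}
    print(seen, "consistent" if check_consistency(seen) else "INCONSISTENT")
```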