[Dnsmasq-discuss] Odd DNS behaviour for www.freesat.co.uk

Simon Kelley simon at thekelleys.org.uk
Mon Feb 17 21:05:34 GMT 2020



On 17/02/2020 18:19, Paul Martin wrote:
> dnsmasq 2.80 (Debian).
> 
> Performing an "A" query against www.freesat.co.uk returns the expected
> response on the first query.
> 
> However, the target of the CNAME is cached as a negative response,
> even though it was never looked up.  This could be considered a form
> of cache poisoning.
> 
> The problem could be that both A and CNAME records are returned by the
> domain's authoritative server and this is confusing dnsmasq's cache.
> 
> The DNS zone configuration here is definitely incorrect, but dnsmasq's
> behaviour in this instance is a concern.
> 
> Setting "no-negcache" in dnsmasq.conf works around this problem.
> 
> 
> 
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: query[A] www.freesat.co.uk from 127.0.0.1
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: forwarded www.freesat.co.uk to 1.1.1.1
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: reply www.freesat.co.uk is <CNAME>
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: reply ghs.googlehosted.com is NODATA-IPv4
> 
> Feb 17 18:05:51 thinkpad dnsmasq[10582]: query[A] www.freesat.co.uk from 127.0.0.1
> Feb 17 18:05:51 thinkpad dnsmasq[10582]: cached www.freesat.co.uk is <CNAME>
> Feb 17 18:05:51 thinkpad dnsmasq[10582]: cached ghs.googlehosted.com is NODATA-IPv4
> 
> Feb 17 18:06:12 thinkpad dnsmasq[10582]: query[A] ghs.googlehosted.com from 127.0.0.1
> Feb 17 18:06:12 thinkpad dnsmasq[10582]: cached ghs.googlehosted.com is NODATA-IPv4
> 
> 
> 
> $ dig www.freesat.co.uk @ns1.peer1.net
> 
> ; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk @ns1.peer1.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22745
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;www.freesat.co.uk.             IN      A
> 
> ;; ANSWER SECTION:
> www.freesat.co.uk.      300     IN      CNAME   ghs.googlehosted.com.
> www.freesat.co.uk.      300     IN      A       216.239.34.21
> www.freesat.co.uk.      300     IN      A       216.239.32.21
> www.freesat.co.uk.      300     IN      A       216.239.36.21
> www.freesat.co.uk.      300     IN      A       216.239.38.21
> 
> ;; AUTHORITY SECTION:
> freesat.co.uk.          259200  IN      NS      ns1.peer1.net.
> freesat.co.uk.          259200  IN      NS      ns2.peer1.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.peer1.net.          21600   IN      A       69.90.13.5
> ns2.peer1.net.          21600   IN      A       69.90.13.6
> 
> ;; Query time: 12 msec
> ;; SERVER: 69.90.13.5#53(69.90.13.5)
> ;; WHEN: Mon Feb 17 17:42:57 GMT 2020
> ;; MSG SIZE  rcvd: 210
> 
> $ dig www.freesat.co.uk a
> 
> ; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51256
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.freesat.co.uk.             IN      A
> 
> ;; ANSWER SECTION:
> www.freesat.co.uk.      300     IN      CNAME   ghs.googlehosted.com.
> www.freesat.co.uk.      300     IN      A       216.239.36.21
> www.freesat.co.uk.      300     IN      A       216.239.34.21
> www.freesat.co.uk.      300     IN      A       216.239.38.21
> www.freesat.co.uk.      300     IN      A       216.239.32.21
> 
> ;; Query time: 14 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 17 18:03:15 GMT 2020
> ;; MSG SIZE  rcvd: 144
> 
> $ dig www.freesat.co.uk a
> 
> ; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24120
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.freesat.co.uk.             IN      A
> 
> ;; ANSWER SECTION:
> www.freesat.co.uk.      144     IN      CNAME   ghs.googlehosted.com.
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 17 18:05:51 GMT 2020
> ;; MSG SIZE  rcvd: 80
> 
> $ dig ghs.googlehosted.com a
> 
> ; <<>> DiG 9.11.14-3-Debian <<>> ghs.googlehosted.com a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9646
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ghs.googlehosted.com.          IN      A
> 
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 17 18:06:12 GMT 2020
> ;; MSG SIZE  rcvd: 49
> 
> 
> 
> (I have already sent an email trying to get freesat.co.uk to fix their
> zone but suspect that it will fall on deaf ears.)
> 


It's pretty difficult to see what dnsmasq can do here, other than give
up on caching such negative data.

A reply _from_a_recursive_server_ which includes a CNAME, but no data
for the target of the CNAME, contains the implication that the target
doesn't exist.

Apart from the zone admins, I think the other responsible parties here
may be the recursive server you are using (Cloudflare at 1.1.1.1). By
returning the data they are, they cause the problem.

Testing here, I see different answers to the query www.freesat.co.uk at
random,

1) SERVFAIL
2) The four A records
3) A complete CNAME, including the A record for ghs.googlehosted.com.
4) Both 2 and 3 combined.

I've not observed the incomplete CNAME that you saw, so maybe this has
been fixed by Cloudflare?

It's a nasty corner case.

Simon.
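
The inference described in the reply above, as an added example that is not part of the original message and is not dnsmasq source code: a simplified model that follows the CNAME chain in an answer section and reports which name a cache would mark as NODATA, and which owner names carry a CNAME alongside other data. The function names `parse_answer` and `analyse` are hypothetical; the sample records are the answer section from the dig output quoted in the message.

```python
# Added example: simplified model of the cache inference, not dnsmasq code.
# Sample records are the answer section quoted in the message above.
ANSWER = """\
www.freesat.co.uk.      300     IN      CNAME   ghs.googlehosted.com.
www.freesat.co.uk.      300     IN      A       216.239.34.21
www.freesat.co.uk.      300     IN      A       216.239.32.21
www.freesat.co.uk.      300     IN      A       216.239.36.21
www.freesat.co.uk.      300     IN      A       216.239.38.21
"""

def parse_answer(text):
    """Parse dig-style answer lines into (owner, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, dig comment lines and anything too short to be an RR.
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        owner, ttl, _cls, rtype = fields[:4]
        records.append((owner.lower(), int(ttl), rtype.upper(),
                        " ".join(fields[4:]).lower()))
    return records

def analyse(qname, qtype, records):
    """Follow the CNAME chain from qname and report what the reply implies."""
    by_owner = {}
    for owner, _ttl, rtype, rdata in records:
        by_owner.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    # A CNAME must be the only data at its owner name (RFC 1034, section 3.6.2).
    conflicts = sorted(o for o, sets in by_owner.items()
                       if "CNAME" in sets and len(sets) > 1)
    name, seen = qname.lower(), set()
    while "CNAME" in by_owner.get(name, {}) and name not in seen:
        seen.add(name)  # guard against CNAME loops
        name = by_owner[name]["CNAME"][0]
    has_data = qtype in by_owner.get(name, {})
    return {
        "conflicts": conflicts,
        "chain_end": name,
        # Names a cache trusting the chain would record as NODATA for qtype.
        "implied_nodata": [] if has_data else [name],
    }

if __name__ == "__main__":
    print(analyse("www.freesat.co.uk.", "A", parse_answer(ANSWER)))
```
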


