[Dnsmasq-discuss] Authorized DNS served by dnsmasq is not recognized by third-party resolvers

Nicholas Guriev guriev-ns at ya.ru
Wed Jul 15 08:00:58 BST 2020


Hello everyone!

I am trying to set up my own DNS server so that it returns an A record for a
specific domain. I chose dnsmasq for this purpose and configured it to
act as an authorized server for example.mymedia.su. Unfortunately, I found
that some DNS resolvers cannot retrieve the demo IP [1]. At the time of
writing, two of them return nothing. The third one, which cannot resolve the
domain, is hosted by my ISP.

Relevant part of config file on my server:

    #listen-address=0.0.0.0,::
    no-dhcp-interface=
    bind-interfaces
    hostsdir=/srv/dnsmasq
    auth-ttl=60
    clear-on-reload
    no-poll
    no-resolv
    log-queries
    log-async
    log-facility=/var/log/dnsmasq.log
    
    auth-server=dandelion.mymedia.su,venet0
    
    cname=*.comp2.mymedia.su,comp2.mymedia.su
    auth-zone=comp2.mymedia.su
    
    cname=*.example.mymedia.su,example.mymedia.su
    auth-zone=example.mymedia.su

Later, I configured a BIND server on port 5353 to host the same zones. I
happened to notice that, in contrast to dnsmasq, it returns an authority
section with an NS record. This solves the problem with the remaining three
resolvers, which do not wish to accept answers with no authority section.

While trying to debug the issue, I captured DNS datagrams from the server
with tcpdump. You can open the attached *.pcap files in Wireshark to see how
the problematic resolver talks to dnsmasq and to BIND.

Here are queries sent by hand:

    mymedia at barberry:~$ dig @dandelion.mymedia.su qq.tw-1.example.mymedia.su
    
    ; <<>> DiG 9.16.1-Ubuntu <<>> @dandelion.mymedia.su qq.tw-1.example.mymedia.su
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2791
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;qq.tw-1.example.mymedia.su.	IN	A
    
    ;; ANSWER SECTION:
    qq.tw-1.example.mymedia.su. 60	IN	CNAME	example.mymedia.su.
    example.mymedia.su.	60	IN	A	192.0.2.4
    
    ;; Query time: 120 msec
    ;; SERVER: 168.235.68.25#53(168.235.68.25)
    ;; WHEN: Wed Jul 15 09:16:29 MSK 2020
    ;; MSG SIZE  rcvd: 103
    
    mymedia at barberry:~$ dig @dandelion.mymedia.su qq.tw-1.example.mymedia.su -p5353
    
    ; <<>> DiG 9.16.1-Ubuntu <<>> @dandelion.mymedia.su qq.tw-1.example.mymedia.su -p5353
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61712
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;qq.tw-1.example.mymedia.su.	IN	A
    
    ;; ANSWER SECTION:
    qq.tw-1.example.mymedia.su. 60	IN	CNAME	example.mymedia.su.
    example.mymedia.su.	60	IN	A	192.0.2.4
    
    ;; AUTHORITY SECTION:
    example.mymedia.su.	60	IN	NS	dandelion.mymedia.su.
    
    ;; Query time: 128 msec
    ;; SERVER: 168.235.68.25#5353(168.235.68.25)
    ;; WHEN: Wed Jul 15 09:17:32 MSK 2020
    ;; MSG SIZE  rcvd: 109
    mymedia at barberry:~$ dig @31.7.37.37 qq.tw-1.example.mymedia.su
    
    ; <<>> DiG 9.16.1-Ubuntu <<>> @31.7.37.37 qq.tw-1.example.mymedia.su
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16021
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;qq.tw-1.example.mymedia.su.	IN	A
    
    ;; ANSWER SECTION:
    qq.tw-1.example.mymedia.su. 60	IN	CNAME	example.mymedia.su.
    
    ;; Query time: 724 msec
    ;; SERVER: 31.7.37.37#53(31.7.37.37)
    ;; WHEN: Wed Jul 15 09:36:57 MSK 2020
    ;; MSG SIZE  rcvd: 69

Is there a way to make dnsmasq reply with an authority section as well,
simulating BIND's behaviour?

 [1]: https://dnschecker.org/#A/qq.tw-1.example.mymedia.su

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-dnsmasq.pcap
Type: application/vnd.tcpdump.pcap
Size: 250 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200715/6a3ff990/attachment.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-bind9.pcap
Type: application/vnd.tcpdump.pcap
Size: 274 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200715/6a3ff990/attachment-0001.pcap>
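The two dig outputs above differ in more than the authority section: the answer on port 53 carries the flags qr rd ra and no aa, while the BIND answer on port 5353 carries aa together with an NS record in the authority section. A recursive resolver that queries a server it expects to be authoritative and receives an answer without the AA bit commonly treats that answer as lame and gives up on the server, so the AA bit is the first thing to check when a zone resolves through some resolvers but not others. The script below is an added example, not part of the original post and not code from dnsmasq or BIND: it parses a DNS wire-format response (including compressed names) and reports the AA bit, the RCODE and the contents of every section. The two main sample messages are constructed inline to mirror the dig outputs above (same names, TTLs and 192.0.2.4); they are not bytes from the real server, their message IDs are arbitrary, and the third sample (a.example, 10.0.0.1) is an invented message that only exercises name compression.

```python
"""Audit a DNS wire-format response: is the AA bit set, and what does each
section contain?  Added example for the dnsmasq-vs-BIND comparison above; the
sample messages are constructed here, not captured from the real server."""
import ipaddress
import struct

QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 28: "AAAA", 41: "OPT"}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (length-prefixed, zero-terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2                         # the pointer ends the name in the stream
            jumped = True
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def rr(name, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, flags, answers, authority):
    """Build a response with one A question and the given answer/authority RRs (no EDNS)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    return header + question + b"".join(rr(*r) for r in answers + authority)


def audit_response(msg):
    """Parse header, question and all RR sections; flag a missing AA bit."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                      # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype in (2, 5):                       # NS / CNAME: RDATA is a (compressible) name
                text = decode_name(msg, off)[0]
            elif rtype == 1:
                text = str(ipaddress.IPv4Address(msg[off:off + 4]))
            else:
                text = msg[off:off + rdlen].hex()
            off += rdlen
            sections[section].append((name, QTYPE.get(rtype, str(rtype)), ttl, text))
    aa = bool(flags & FLAG_AA)
    return {
        "aa": aa,
        "rcode": flags & 0xF,
        "ns_in_authority": any(t == "NS" for _, t, _, _ in sections["authority"]),
        "sections": sections,
        # A resolver that expected an authoritative server treats a non-AA answer as lame.
        "verdict": "authoritative answer" if aa else "no AA bit: likely treated as lame",
    }


# Constructed samples mirroring the two dig outputs above (same names, TTLs and address).
QNAME = "qq.tw-1.example.mymedia.su."
ANSWERS = [(QNAME, 5, 60, encode_name("example.mymedia.su.")),
           ("example.mymedia.su.", 1, 60, ipaddress.IPv4Address("192.0.2.4").packed)]
DNSMASQ_LIKE = build_response(QNAME, FLAG_QR | FLAG_RD | FLAG_RA, ANSWERS, [])
BIND_LIKE = build_response(QNAME, FLAG_QR | FLAG_AA | FLAG_RD, ANSWERS,
                           [("example.mymedia.su.", 2, 60, encode_name("dandelion.mymedia.su."))])
# Invented sample using a compression pointer (0xC00C -> offset 12, the question name).
COMPRESSED_SAMPLE = (struct.pack("!HHHHHH", 1, FLAG_QR | FLAG_AA, 1, 1, 0, 0)
                     + encode_name("a.example.") + struct.pack("!HH", 1, 1)
                     + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + b"\x0a\x00\x00\x01")

if __name__ == "__main__":
    for label, msg in (("port 53 (dnsmasq-like)", DNSMASQ_LIKE), ("port 5353 (BIND-like)", BIND_LIKE)):
        report = audit_response(msg)
        print(f"{label}: {report['verdict']}; NS in authority: {report['ns_in_authority']}")
        for section, records in report["sections"].items():
            for rec in records:
                print(f"  {section:10} {rec}")
```

To audit a real answer from one of the attached captures, select the DNS layer of the response packet in Wireshark, use Copy > ...as a Hex Stream, and pass bytes.fromhex(...) of that string to audit_response; the EDNS OPT record in the additional section is reported by type number 41 and does not affect the AA check.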