[Dnsmasq-discuss] Authoritative DNS served by dnsmasq is not recognized by third-party resolvers
Nicholas Guriev
guriev-ns at ya.ru
Wed Jul 15 08:00:58 BST 2020
Hello everyone!
I am trying to set up my own DNS server so that it returns an A record for a
specific domain. I chose dnsmasq for this purpose and configured it to
act as an authoritative server for example.mymedia.su. Unfortunately, I found
that some DNS resolvers cannot retrieve the demo IP [1]. At the time of writing,
two of them return nothing. A third one, which cannot resolve the domain,
is hosted by my ISP.
Relevant part of config file on my server:
#listen-address=0.0.0.0,::
no-dhcp-interface=
bind-interfaces
hostsdir=/srv/dnsmasq
# TTL used for records served from the authoritative zones
auth-ttl=60
clear-on-reload
no-poll
no-resolv
log-queries
log-async
log-facility=/var/log/dnsmasq.log
# this host's name as authoritative server (the name used in the NS record),
# and the interface on which authoritative queries are expected
auth-server=dandelion.mymedia.su,venet0
# wildcard CNAMEs pointing every subdomain at its zone apex
cname=*.comp2.mymedia.su,comp2.mymedia.su
auth-zone=comp2.mymedia.su
cname=*.example.mymedia.su,example.mymedia.su
auth-zone=example.mymedia.su
Later, I configured a BIND server on port 5353 to host the same zones. I
happened to notice that it returns an authority section with an NS record, in
contrast to dnsmasq. This solves the problem with the remaining three
resolvers that do not wish to accept answers with no authority section.
While trying to debug the issue, I captured DNS datagrams from the server
with tcpdump. You can open the attached *.pcap files in Wireshark to see how
the problematic resolver talks to dnsmasq and to BIND.
Here are queries sent by hand:
mymedia@barberry:~$ dig @dandelion.mymedia.su qq.tw-1.example.mymedia.su
; <<>> DiG 9.16.1-Ubuntu <<>> @dandelion.mymedia.su qq.tw-1.example.mymedia.su
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2791
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.tw-1.example.mymedia.su. IN A
;; ANSWER SECTION:
qq.tw-1.example.mymedia.su. 60 IN CNAME example.mymedia.su.
example.mymedia.su. 60 IN A 192.0.2.4
;; Query time: 120 msec
;; SERVER: 168.235.68.25#53(168.235.68.25)
;; WHEN: Wed Jul 15 09:16:29 MSK 2020
;; MSG SIZE rcvd: 103
mymedia@barberry:~$ dig @dandelion.mymedia.su qq.tw-1.example.mymedia.su -p5353
; <<>> DiG 9.16.1-Ubuntu <<>> @dandelion.mymedia.su qq.tw-1.example.mymedia.su -p5353
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61712
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qq.tw-1.example.mymedia.su. IN A
;; ANSWER SECTION:
qq.tw-1.example.mymedia.su. 60 IN CNAME example.mymedia.su.
example.mymedia.su. 60 IN A 192.0.2.4
;; AUTHORITY SECTION:
example.mymedia.su. 60 IN NS dandelion.mymedia.su.
;; Query time: 128 msec
;; SERVER: 168.235.68.25#5353(168.235.68.25)
;; WHEN: Wed Jul 15 09:17:32 MSK 2020
;; MSG SIZE rcvd: 109
mymedia@barberry:~$ dig @31.7.37.37 qq.tw-1.example.mymedia.su
; <<>> DiG 9.16.1-Ubuntu <<>> @31.7.37.37 qq.tw-1.example.mymedia.su
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16021
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;qq.tw-1.example.mymedia.su. IN A
;; ANSWER SECTION:
qq.tw-1.example.mymedia.su. 60 IN CNAME example.mymedia.su.
;; Query time: 724 msec
;; SERVER: 31.7.37.37#53(31.7.37.37)
;; WHEN: Wed Jul 15 09:36:57 MSK 2020
;; MSG SIZE rcvd: 69
Is there a way to make dnsmasq reply with an authority section as well and
simulate BIND's behaviour?
[1]: https://dnschecker.org/#A/qq.tw-1.example.mymedia.su
Attachments:
- test-dnsmasq.pcap (application/vnd.tcpdump.pcap, 250 bytes):
  <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200715/6a3ff990/attachment.pcap>
- test-bind9.pcap (application/vnd.tcpdump.pcap, 274 bytes):
  <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20200715/6a3ff990/attachment-0001.pcap>
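The two dig outputs above differ in exactly the fields a strict recursive resolver inspects when it follows a CNAME into a zone it has just been referred to: the dnsmasq reply has flags "qr rd ra" (no aa) and AUTHORITY 0, while the BIND reply has "qr aa rd" and one NS record in AUTHORITY. The script below is an added example, not code from the original post, from dnsmasq or from BIND. It uses only the Python standard library to build two constructed wire-format responses modelled on those dig outputs (the OPT record in ADDITIONAL is omitted, and the CNAME target is emitted as a compression pointer the way a real server would), parses them back including compression pointers, and reports the properties a resolver may reject: the missing AA flag and the missing NS record in the authority section. Running it against a real capture (for example the bytes of the UDP payload exported from Wireshark) needs only passing those bytes to audit().

```python
"""Parse DNS wire-format responses and audit what a strict resolver expects
from an authoritative answer. Added example; all messages are constructed."""
import struct

RTYPE = {1: "A", 2: "NS", 5: "CNAME", 41: "OPT"}
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, flags, answers, authority):
    """Minimal response: one A question, then RRs given as (name, type, ttl, rdata)."""
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    for name, rtype, ttl, rdata in answers + authority:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # bound the walk so a pointer loop cannot hang us
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("compression pointer loop")
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, question = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        question.append((name, RTYPE.get(qtype, qtype)))
    parsed = {"rcode": flags & 0xF, "aa": bool(flags & FLAG_AA),
              "ra": bool(flags & FLAG_RA), "question": question}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata_off, off = off, off + rdlen
            if rtype in (2, 5):                     # NS / CNAME carry a name
                rdata, _ = read_name(msg, rdata_off)
            elif rtype == 1 and rdlen == 4:         # A carries an IPv4 address
                rdata = ".".join(str(b) for b in msg[rdata_off:off])
            else:
                rdata = msg[rdata_off:off].hex()
            rrs.append((name, RTYPE.get(rtype, rtype), ttl, rdata))
        parsed[section] = rrs
    return parsed


def audit(msg):
    """Return (parsed message, list of reasons a strict resolver may reject it)."""
    parsed, problems = parse_response(msg), []
    if not parsed["aa"]:
        problems.append("AA flag not set: the answer is not marked authoritative")
    if not any(rr[1] == "NS" for rr in parsed["authority"]):
        problems.append("no NS record in the AUTHORITY section")
    return parsed, problems


# Constructed messages modelled on the dig output in the post (no OPT record).
QNAME, ZONE = "qq.tw-1.example.mymedia.su.", "example.mymedia.su."
ANSWERS = [(QNAME, 5, 60, b"\xc0\x14"),          # CNAME -> pointer to offset 20, "example..."
           (ZONE, 1, 60, bytes([192, 0, 2, 4]))]  # A 192.0.2.4
DNSMASQ_STYLE = build_response(QNAME, FLAG_QR | FLAG_RD | FLAG_RA, ANSWERS, [])
BIND_STYLE = build_response(QNAME, FLAG_QR | FLAG_AA | FLAG_RD, ANSWERS,
                            [(ZONE, 2, 60, encode_name("dandelion.mymedia.su."))])

if __name__ == "__main__":
    for label, msg in (("dnsmasq-style", DNSMASQ_STYLE), ("BIND-style", BIND_STYLE)):
        parsed, problems = audit(msg)
        print(label, parsed["answer"], parsed["authority"], problems or "OK")
```

The compression pointer 0xC014 in the CNAME rdata points at byte 20 of the message, where the "example" label of the question name begins; a parser that does not follow pointers would misread the CNAME target, which is the usual first stumbling block when inspecting raw captures rather than dig output.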