[Dnsmasq-discuss] Re: Is there a way to "block" IPv6 address queries?
Eric P. Scott
eps+dnsmasq@ana.com
Mon, 11 Apr 2005 19:51:46 -0700 (PDT)
I guess I should clarify; I'm not trying to "be kind to my DNS
server" (although that's a nice side effect) so much as improve
responsiveness for client machines. Assume my connectivity to
the public DNS is slow, congested, lossy, etc. I want to reduce
the several second delay on every address lookup due to misguided
client software hoping for IPv6 reachability that isn't actually
there.
>That's negative caching. The way it's done is specified in RFC 2308 and
>dnsmasq supports it. The crucial thing is that there needs to be an SOA
>record in the authority section of the reply in order for a negative
>cache entry to be generated. I've noticed that recently my ISP's
>nameservers have stopped including an NS section. They probably think
>doing that will reduce the load on their nameservers. Poor fools.
RFC 2308 says:
A negative answer that resulted from a no data error (NODATA) should
be cached such that it can be retrieved and returned in response to
another query for the same <QNAME, QTYPE, QCLASS> that resulted in
the cached negative response.
I don't think this is working for me in 2.22.
>I suspect that your ISP has done the same thing. Try running a query
>using "dig" for an unknown domain and see what you get: it should look
>like this:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4694
>but if it looks like this instead, that's the source of the problem.
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25755
Does this help? [No, I don't see any NS records included.]
% dig www.nonxx.net in aaaa
; <<>> DiG 8.3 <<>> www.nonxx.net in aaaa
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31092
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; www.nonxx.net, type = AAAA, class = IN
;; AUTHORITY SECTION:
net. 3H IN SOA a.gtld-servers.net. nstld.verisign-grs.com. (
1113256832 ; serial
30M ; refresh
15M ; retry
1W ; expiry
15M ) ; minimum
;; Total query time: 25 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:01:10 2005
;; MSG SIZE sent: 31 rcvd: 104
% dig www.cnn.com in aaaa
; <<>> DiG 8.3 <<>> www.cnn.com in aaaa
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42213
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; www.cnn.com, type = AAAA, class = IN
;; ANSWER SECTION:
www.cnn.com. 2m14s IN CNAME cnn.com.
;; AUTHORITY SECTION:
cnn.com. 8m50s IN SOA bender.turner.com. hostmaster.tbsnames.turner.com. (
2005040700 ; serial
15M ; refresh
5M ; retry
1W ; expiry
15M ) ; minimum
;; Total query time: 16 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:01:53 2005
;; MSG SIZE sent: 29 rcvd: 113
% dig cnn.com in aaaa
; <<>> DiG 8.3 <<>> cnn.com in aaaa
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; cnn.com, type = AAAA, class = IN
;; AUTHORITY SECTION:
cnn.com. 3m56s IN SOA bender.turner.com. hostmaster.tbsnames.turner.com. (
2005040700 ; serial
15M ; refresh
5M ; retry
1W ; expiry
15M ) ; minimum
;; Total query time: 16 msec
;; FROM: me to SERVER: 206.13.28.12
;; WHEN: Mon Apr 11 15:02:09 2005
;; MSG SIZE sent: 25 rcvd: 95
It shouldn't be hard to duplicate my tests.
To recap, there are now three open issues:
1) Is negative caching functioning as expected?
[For AAAA queries when dnsmasq has been compiled with -DNO_IPV6]
2) Is cached NXDOMAIN information being used to its full extent?
3) Is it practical to--as an option--intercept IPv6 address
lookups as previously described?
-=EPS=-
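The RFC 2308 rule under discussion, as an added example that is not part of this post or of dnsmasq: a small parser that classifies a raw DNS reply the way a negative cache would. A NODATA (NOERROR with no answers) or NXDOMAIN reply is only cacheable when an SOA sits in the AUTHORITY section, and the negative TTL is the lesser of the SOA record's TTL and its MINIMUM field. The packets are constructed inline to mirror the "cnn.com AAAA" reply quoted above (3m56s = 236 s, MINIMUM 15M = 900 s), plus the same reply with the AUTHORITY section stripped; the function names are this example's own.

```python
import struct
def enc_name(name):
    """Encode a dotted name in uncompressed wire format."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def negative_cache_ttl(pkt):
    """Classify a reply as an RFC 2308 cache would: returns (kind, negative_ttl)."""
    _, flags, qd, an, ns, _ = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                                # skip question section
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):                                # skip answer RRs
        off = read_name(pkt, off)[1]
        off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    if (flags & 0xF) == 0 and an:
        return "positive", 0
    kind = "NXDOMAIN" if (flags & 0xF) == 3 else "NODATA"
    for _ in range(ns):                                # look for SOA in AUTHORITY
        off = read_name(pkt, off)[1]
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10
        if rtype == 6:                                 # SOA: MNAME, RNAME, then 5 x 32-bit
            p = read_name(pkt, read_name(pkt, off)[1])[1]
            return kind, min(ttl, struct.unpack("!I", pkt[p + 16:p + 20])[0])
        off += rdlen
    return "uncacheable", 0                            # no SOA: nothing to cache

# Constructed packets (not captured traffic) modelled on the cnn.com AAAA reply above.
SOA_RDATA = (enc_name("bender.turner.com") + enc_name("hostmaster.tbsnames.turner.com")
             + struct.pack("!5I", 2005040700, 900, 300, 604800, 900))
QUESTION = enc_name("cnn.com") + struct.pack("!HH", 28, 1)   # QTYPE AAAA, QCLASS IN
AUTHORITY = b"\xc0\x0c" + struct.pack("!HHIH", 6, 1, 236, len(SOA_RDATA)) + SOA_RDATA
NODATA_WITH_SOA = struct.pack("!6H", 51456, 0x8180, 1, 0, 1, 0) + QUESTION + AUTHORITY
NODATA_NO_SOA = struct.pack("!6H", 51456, 0x8180, 1, 0, 0, 0) + QUESTION
NXDOMAIN_WITH_SOA = struct.pack("!6H", 31092, 0x8183, 1, 0, 1, 0) + QUESTION + AUTHORITY
```

Feeding a resolver's reply into negative_cache_ttl shows at a glance whether it can produce a negative cache entry at all, which is the first thing to check before blaming the cache.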