[Dnsmasq-discuss] Problems using 'split horizon' approach

Dave Ewart davee at ceu.ox.ac.uk
Mon Aug 22 09:46:54 BST 2005


I've now worked out exactly what DNS request 'poisons' the dnsmasq
cache.  (This appears to be completely reproducible, although it is
possible there are other, related queries which might have the same
effect.)

After doing a tcpdump, it became clear that the cache became poisoned
after dnsmasq received an 'ANY' request for the system with the
split-horizon setup.

i.e.

$ host apollo
apollo.ceu.ox.ac.uk has address 10.99.0.2
$ host -t any apollo
apollo.ceu.ox.ac.uk has address 163.1.168.2
$ host apollo
apollo.ceu.ox.ac.uk has address 10.99.0.2
apollo.ceu.ox.ac.uk has address 163.1.168.2

etc.

The tcpdump shows that during the 'any' request, the dnsmasq host cannot
serve it (presumably because it only has an 'A' record?) and the request
is forwarded to the upstream DNS server, which returns the public IP,
which then gets included in the cache.

Is this the expected behaviour of dnsmasq in these circumstances?

Dave.

-- 
Dave Ewart
davee at ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
Cancer Research UK / Oxford University
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
N 51.7518, W 1.2016
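
A check for the symptom shown in the transcript above, added here as an example and not part of the original message: it parses `host` output and flags plain lookups whose answers fall outside the internal view, noting which query ran just before. The 10.0.0.0/8 internal range and all function names are assumptions made for this illustration.

```python
import ipaddress
import re

# `host` output copied from the post, in the order the commands were run.
TRANSCRIPTS = [
    ("host apollo", "apollo.ceu.ox.ac.uk has address 10.99.0.2"),
    ("host -t any apollo", "apollo.ceu.ox.ac.uk has address 163.1.168.2"),
    ("host apollo", "apollo.ceu.ox.ac.uk has address 10.99.0.2\n"
                    "apollo.ceu.ox.ac.uk has address 163.1.168.2"),
]

# Assumption: the internal view is 10.0.0.0/8; replace with the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

ADDR_LINE = re.compile(r"^(\S+) has address (\S+)$")


def parse_host_output(text):
    """Return the (name, ip_address) pairs found in `host` output."""
    pairs = []
    for line in text.splitlines():
        m = ADDR_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return pairs


def leaked(pairs, internal_nets=INTERNAL_NETS):
    """Answers for a name that lie outside every internal network."""
    return [(name, str(ip)) for name, ip in pairs
            if not any(ip in net for net in internal_nets)]


def audit(transcripts, any_marker="-t any"):
    """Flag plain lookups that return non-internal addresses.

    ANY lookups are skipped: per the post they are answered by the upstream
    server, so only the ordinary lookups show whether the cache was affected.
    """
    findings = []
    previous = None
    for command, output in transcripts:
        bad = leaked(parse_host_output(output))
        if bad and any_marker not in command:
            findings.append({"command": command, "leaked": bad,
                             "preceded_by": previous})
        previous = command
    return findings


if __name__ == "__main__":
    for finding in audit(TRANSCRIPTS):
        print(finding)
```
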


