[Dnsmasq-discuss] Iterative queries (Re: "NS" records)

clemens fischer ino-news at spotteswoode.dnsalias.org
Wed May 12 19:15:56 BST 2010


Simon Kelley wrote:

> Dewey Sasser wrote:
>
>> I've googled and searched the mailing list archives to no avail.
>>
>> I have a NAS device that queries the DNS server for its own domain
>> and appears to expect an "NS" record response for the domain. I've
>> demonstrated with BIND and a test zone file that this is the
>> expectation, but I'd much rather use dnsmasq for the simplicity of
>> administration.
>>
>> How can I cause dnsmasq to return an NS record?
>
> There's currently no facility to do that.
>
> Do you know exactly what query the NAS server is making? Both NS and
> SOA queries return information in the authority section.
>
> Doing something which simply allows straightforward "NS" queries to be
> answered would be simple, if that's enough.

When testing the recent testing version with the "rebind-domain-ok"
option (2.53test25) I noticed that dnsmasq doesn't do iterative queries,
"only" recursive ones.  This means dnsmasq forwards queries to an ISP's
resolver but it cannot be used with the "server"s set to the
*.root-servers.net.

Could it be that the NAS device tried an iterative query and thus needed
SOA and NS RRs?

On a related note, I'm reluctant to use dnsmasq as the only DNS resolver
because of this, because of the "recent" discoveries about cache
poisoning attacks.  I cannot be sure that my provider has its act
together and does everything to thwart them.  Moreover, my provider
(kabel-deutschland.de) takes part in censoring the 'net after IMO
misguided legislation against child pornography[1].  Please, I don't want
any big discussion on this list about this particular point, but so far
my life was peaceful and simple by using resolvers doing top down
iterative queries.  I used pdnsd[2] and lately bind-9.7 after it grew
support like dnsmasq's new "rebind-domain-ok".

Is it much work to fit dnsmasq with iterative query support, considering
that all the code is practically there?  If so, dnsmasq would surely be
the most compact program with all its features!


[1] (most of it in German, sorry)
http://www.google.com/search?q=ursula%20von%20der%20leien%20child%20porn%20dns&num=50
[2] http://www.phys.uu.nl/~rombouts/pdnsd.html


clemens
