[Dnsmasq-discuss] Iterative queries (Re: "NS" records)

Jan 'RedBully' Seiffert redbully at cc.hs-owl.de
Wed May 12 22:05:27 BST 2010


clemens fischer schrieb:
[snip]
> When testing the recent testing version with the "rebind-domain-ok"
> option (2.53test25) I noticed that dnsmasq doesn't do iterative queries,
> "only" recursive ones.

Yes, and that is the way it is intended.

> This means dnsmasq forwards queries to an ISP's resolver

Or another fully recursing resolver.

[snip]
> On a related note, I'm reluctant to use dnsmasq as the only DNS resolver
> because of this, because of the "recent" discoveries about cache
> poisoning attacks.

dnsmasq has measures against this.

> I cannot be sure that my provider has its act together

Sure, the upstream server also has to be "clean".

> and does everything to thwart them.  Moreover, my provider
> (kabel-deutschland.de) takes part in censoring the 'net after IMO
> misguided legislation against child pornography[1].  Please, I don't want
> any big discussion on this list about this particular point

No big discussion?
Forward your dnsmasq to a local _standalone_ recursor. Can run on the same machine.
Examples of standalone recursors are the powerdns recursor, or the recursor part
from djbdns.
They ONLY recurse (ok, plus cache), and that is what they do well.
Set their listen address to 127.0.0.1:2525, only allowed from 127.0.0.1, set
dnsmasq's upstream server to 127.0.0.1:2525, you can then also switch off
dnsmasq's port randomization.

> but so far my life was peaceful and simple by using resolvers doing 
> top down iterative queries.
> 
> Is it much work to fit dnsmasq with iterative query support, considering
> that all the code is practically there?

Yes, because dnsmasq has all the code to "handle DNS" (and dhcp, and tftp), but
its structure and control flow is quite simple (which makes the whole program
lean and mean), it only has minimal transient state for a query (and anything else).
For full recursion, you have to "keep on working" on a query, till it is fully
resolved (Send query here, answer or timeout, send query there...). This makes
full recursor "complicated". dnsmasq is more a simple pipeline: Receive query,
do we have it in cache? No -> dump it upstream (kind of fire and forget).

What makes dnsmasq often so sexy is the swiss army knife you additionally get in
the collector's box edition. Unfortunately the knife starts to outgrow the box... ;)

>  If so, dnsmasq would surely be the most compact program with all its features!
> 

Simply pair it with a standalone recursor.

> 
> clemens
> 

Greetings
	Jan


-- 
Miksch's Law:
	If a string has one end, then it has another end.
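The split setup Jan describes (dnsmasq as the client-facing cache, forwarding misses to a loopback-only standalone recursor on port 2525), written out as configuration. This is an added example, not part of the original mail; the dnsmasq `server=`/`query-port=` syntax and the PowerDNS Recursor setting names are those projects' documented options, while the file paths and the LAN address are assumptions.

```ini
# /etc/dnsmasq.conf (path assumed) -- dnsmasq stays the LAN-facing forwarder/cache
listen-address=127.0.0.1,192.168.1.1   # constructed LAN address; never expose this to the Internet
no-resolv                               # ignore /etc/resolv.conf, use only the server= line below
server=127.0.0.1#2525                   # forward every cache miss to the local recursor (dnsmasq writes host#port)
query-port=0                            # optional: single fixed source port instead of random ports;
                                        # acceptable only because the upstream path is loopback

# /etc/powerdns/recursor.conf (path assumed) -- standalone iterative recursor, loopback only
local-address=127.0.0.1
local-port=2525
allow-from=127.0.0.1/32                 # refuse queries from anything but this host, so it is not an open resolver
```

The recursor performs the iterative resolution from the root itself, so the ISP resolver is no longer in the path; only the recursor's own anti-spoofing matters for the Internet-facing queries.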


