[Dnsmasq-discuss] MX forwarding

Simon Kelley simon at thekelleys.org.uk
Fri Aug 31 14:59:44 BST 2012


On 30/08/12 17:20, Gene Czarcinski wrote:
> On 08/30/2012 10:31 AM, Simon Kelley wrote:
>> On 30/08/12 13:11, Gene Czarcinski wrote:
>>> The patch below has been tested and returns NXDOMAIN for A and AAAA
>>> plain-name queries (which stops /usr/bin/host) from doing an MX query
>>> (domain-needed is specified).  But a "host -t DS com" and "host -t DS
>>> org" returns the expected info.
>>>
>>> A really simple patch:
>>> -----------------------------------------------------------------------------------------------------------
>>>
>>>
>>> diff -uNr dnsmasq-2.59.orig/src/forward.c dnsmasq-2.59/src/forward.c
>>> --- dnsmasq-2.59.orig/src/forward.c    2011-10-07 10:09:30.000000000
>>> -0400
>>> +++ dnsmasq-2.59/src/forward.c    2012-08-30 07:27:33.553302341 -0400
>>> @@ -210,7 +210,7 @@
>>>     if (flags == 0 && !(qtype & F_QUERY) &&
>>>         option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') &&
>>> namelen
>>> != 0)
>>>       /* don't forward A or AAAA queries for simple names, except the
>>> empty name */
>>> -    flags = F_NOERR;
>>> +    flags = F_NXDOMAIN;
>>>
>>>     if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
>>>       flags = F_NOERR;
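Review bot: Setting flags = F_NXDOMAIN at the changed line applies to every non-empty name without a dot (the `!strchr(qdomain, '.') && namelen != 0` test), so a single-label name that does exist upstream, such as a TLD, would be reported as nonexistent, and NXDOMAIN is a statement about the whole name rather than about one record type. The only fallback visible here is the following `if`, which turns F_NXDOMAIN back into F_NOERR when check_for_local_domain() matches. Consider keeping F_NOERR and narrowing which query types reach this branch instead; if the rcode change stays, the comment above it should say that NXDOMAIN is now returned and why.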
>>> --------------------------------------------------------------------------------------------------------------
>>>
>>>
>>>
>> But that change returns NXDOMAIN, which is a reversion of one of the
>> changes made to fix Debian bug 630637.
>>
>> I'm happy to add MX to A and AAAA records for special-casing, but not
>> the above patch.
>>
> Yes, you can add MX to the extract_request() so that for A, AAAA, ANY,
> and now MX the "flag" will be set.  However, it is important not
> to return a null response ... NXDOMAIN is the proper return ... or at
> least that is what I get when I enter a bad plain-name to a bind/named
> server ... sure, the query gets forwarded up the chain and rattles a lot
> of other servers, but that answer of an A query will stop host.  In
> addition, you will get NXDOMAIN [reply code 3 or "no such name" as
> wireshark puts it] if you specifically query MX such as "host -t MX
> badname."
> 
> However, from what you are saying, I am not sure how the code is supposed
> to work but with the patch above applied it seems to work just fine (at
> least it gave the keys for "host com.", "host org.", and "host net."). 
> At the same time, NXDOMAIN is returned for plain-name A, AAAA, and ANY. 
> Yes, if you specifically specify MX such as "host -t MX badname." then the
> query will be forwarded.  The main thing is to return a NXDOMAIN
> response rather than a "null" response which is what you get from
> "F_NOERR".  BTW, I am not certain what the purpose of the next "if"
> statement is.
> 

The problem with returning an NXDOMAIN response for (eg) com is that it
means that the .com domain doesn't exist. Something querying say an MX
record for com which gets an NXDOMAIN response is at liberty to cache
that, and assume that com doesn't exist, and that a query for
_any_query_type_ will also return NXDOMAIN. A sufficiently complete
recursive resolver will get the information that .com is NXDOMAIN, and
completely correctly deduce that google.com is also NXDOMAIN. A NODATA
reply doesn't have this property.

> Thanks for the patience,  Gene

No problem. To be honest, I can't remember all the details of which this
got changed, which 1) makes it difficult to reason about it, and 2)
makes me reluctant to make further changes without understanding them.

Cheers,

Simon.
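
The caching difference described in this message, as an added example that is not part of the original post and is not dnsmasq code: a toy negative cache in which NXDOMAIN is stored per name and covers everything beneath it, while NODATA is stored per (name, type). The class and function names are hypothetical, and TTL handling is left out as a simplifying assumption.

```python
# Added illustration: a toy client-side negative cache (hypothetical names).
# Assumption: entries never expire, so only the keying rules are modelled.
from dataclasses import dataclass, field

NXDOMAIN, NODATA = "NXDOMAIN", "NODATA"

def _norm(name):
    """Lower-case and strip the trailing dot so 'COM.' and 'com' match."""
    return name.rstrip(".").lower()

def _ancestors(name):
    """Yield the name and each parent: 'a.b.com' -> 'a.b.com', 'b.com', 'com'."""
    labels = _norm(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

@dataclass
class NegativeCache:
    nxdomain: set = field(default_factory=set)  # keyed by name only
    nodata: set = field(default_factory=set)    # keyed by (name, qtype)

    def store(self, qname, qtype, rcode):
        if rcode == NXDOMAIN:
            self.nxdomain.add(_norm(qname))      # the query type is irrelevant
        elif rcode == NODATA:
            self.nodata.add((_norm(qname), qtype))

    def lookup(self, qname, qtype):
        """Return the cached negative answer, or None if a query must be sent."""
        for name in _ancestors(qname):
            if name in self.nxdomain:            # nothing exists at or below it
                return NXDOMAIN
        if (_norm(qname), qtype) in self.nodata:
            return NODATA
        return None

def simulate(rcode_for_com_mx):
    """Cache the forwarder's reply to 'MX com', then try three later lookups."""
    cache = NegativeCache()
    cache.store("com", "MX", rcode_for_com_mx)   # constructed sample reply
    later = [("com", "MX"), ("com", "DS"), ("google.com", "A")]
    return {q: cache.lookup(*q) for q in later}
```

With an NXDOMAIN reply all three later lookups are answered negatively from the cache; with NODATA only the repeated MX query is, and the DS and google.com queries still go out.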

