[Dnsmasq-discuss] MX forwarding

Gene Czarcinski gene at czarc.net
Fri Aug 31 15:26:30 BST 2012


On 08/31/2012 09:59 AM, Simon Kelley wrote:
> On 30/08/12 17:20, Gene Czarcinski wrote:
>> On 08/30/2012 10:31 AM, Simon Kelley wrote:
>>> On 30/08/12 13:11, Gene Czarcinski wrote:
>>>> The patch below has been tested and returns NXDOMAIN for A and AAAA
>>>> plain-name queries (which stops /usr/bin/host) from doing an MX query
>>>> (domain-needed is specified).  But a "host -t DS com" and "host -t DS
>>>> org" returns the expected info.
>>>>
>>>> A really simple patch:
>>>> -----------------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>> diff -uNr dnsmasq-2.59.orig/src/forward.c dnsmasq-2.59/src/forward.c
>>>> --- dnsmasq-2.59.orig/src/forward.c    2011-10-07 10:09:30.000000000
>>>> -0400
>>>> +++ dnsmasq-2.59/src/forward.c    2012-08-30 07:27:33.553302341 -0400
>>>> @@ -210,7 +210,7 @@
>>>>      if (flags == 0 && !(qtype & F_QUERY) &&
>>>>          option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') &&
>>>> namelen
>>>> != 0)
>>>>        /* don't forward A or AAAA queries for simple names, except the
>>>> empty name */
>>>> -    flags = F_NOERR;
>>>> +    flags = F_NXDOMAIN;
>>>>
>>>>      if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
>>>>        flags = F_NOERR;
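Review bot: Setting flags = F_NXDOMAIN in the OPT_NODOTS_LOCAL branch turns the reply for every non-empty dotless name from an empty no-error answer into a statement that the name does not exist. The only way back is the following test, which resets to F_NOERR just for names where check_for_local_domain() succeeds. A single-label name that exists upstream but not locally would therefore be reported as nonexistent, and a client may cache that for all query types. Suggest keeping F_NOERR here, or, if NXDOMAIN is really wanted, justifying it in the comment, which currently says only "don't forward" and does not state which reply code is sent.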
>>>> --------------------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>> But that change returns NXDOMAIN, which is a reversion of one of the
>>> changes made to fix Debian bug 630637.
>>>
>>> I'm happy to add MX to A and AAAA records for special-casing, but not
>>> the above patch.
>>>
>> Yes, you can add MX to the extract_request() so that for A, AAAA, ANY,
>> and now MX the "flag" will be set.  However, it is important not
>> to return a null response ... NXDOMAIN is the proper return ... or at
>> least that is what I get when I enter a bad plain-name to a bind/named
>> server ... sure, the query gets forwarded up the chain and rattles a lot
>> of other servers, but that answer of an A query will stop host.  In
>> addition, you will get NXDOMAIN [reply code 3 or "no such name" as
>> wireshark puts it] if you specifically query MX such as "host -t MX
>> badname."
>>
>> However, from what you are saying, I am not sure how the code is supposed
>> to work but with the patch above applied it seems to work just fine (at
>> least it gave the keys for "host com.", "host org.", and "host net.").
>> At the same time, NXDOMAIN is returned for plain-name A, AAAA, and ANY.
>> Yes, if you specifically specify MX such as "host -t MX badname." then the
>> query will be forwarded.  The main thing is to return a NXDOMAIN
>> response rather than a "null" response which is what you get from
>> "F_NOERR".  BTW, I am not certain what the purpose of the next "if"
>> statement is.
>>
> The problem with returning an NXDOMAIN response for (eg) com is that it
> means that the .com domain doesn't exist. Something querying say an MX
> record for com which gets an NXDOMAIN response is at liberty to cache
> that, and assume that com doesn't exist, and that a query for
> _any_query_type_ will also return NXDOMAIN. A sufficiently complete
> recursive resolver will get the information that .com is NXDOMAIN, and
> completely correctly deduce that google.com is also NXDOMAIN. A NODATA
> reply doesn't have this property.
>
>> Thanks for the patience,  Gene
> No problem. To be honest, I can't remember all the details of which this
> got changed, which 1) makes it difficult to reason about it, and 2)
> makes me reluctant to make further changes without understanding them.
>
> Cheers,
>
> Simon.
>
Well, I believe that I just shot myself in the foot because I just
proved to myself that NXDOMAIN was wrong.  My reference to how things
should work (what the responses should be) is bind (named). Doing a
"host com." gives A, AAAA, MX queries, each with a "null" response such as you
get from using F_NOERR and not F_NXDOMAIN.

My only objective is to not do unintentional forwarding.  Thus, adding 
T_MX to extract_request() should duplicate the responses when 
"domain-needed" is specified.

Gene
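
The caching argument quoted above, as a toy negative cache (an added example, not dnsmasq code and not from anyone in the thread; neg_store, neg_lookup and at_or_below are hypothetical names, and names are assumed already lower-cased). A cached NXDOMAIN for com answers every query at or below com, while a cached NODATA covers only the exact name and record type.

```c
#include <stdio.h>
#include <string.h>

enum { T_A = 1, T_MX = 15 };                 /* DNS RR type numbers */
enum { NEG_NODATA, NEG_NXDOMAIN };           /* kind of cached negative answer */

struct neg_entry { const char *name; int qtype; int kind; };
static struct neg_entry neg_cache[16];
static int neg_count;

static void neg_reset(void) { neg_count = 0; }

/* Remember a negative answer; qtype is irrelevant for NXDOMAIN entries. */
static void neg_store(const char *name, int qtype, int kind)
{
  if (neg_count < 16)
    neg_cache[neg_count++] = (struct neg_entry){ name, qtype, kind };
}

/* 1 if qname is zone itself or a name below it (match on a label boundary). */
static int at_or_below(const char *qname, const char *zone)
{
  size_t ql = strlen(qname), zl = strlen(zone);
  if (ql < zl || strcmp(qname + ql - zl, zone) != 0)
    return 0;
  return ql == zl || qname[ql - zl - 1] == '.';
}

/* 1 if the cache alone answers the query negatively, so nothing goes upstream. */
static int neg_lookup(const char *qname, int qtype)
{
  for (int i = 0; i < neg_count; i++)
    {
      const struct neg_entry *e = &neg_cache[i];
      if (e->kind == NEG_NXDOMAIN && at_or_below(qname, e->name))
        return 1;   /* the name does not exist, so nothing beneath it does */
      if (e->kind == NEG_NODATA && e->qtype == qtype && !strcmp(qname, e->name))
        return 1;   /* only this exact name and record type is known empty */
    }
  return 0;
}

int main(void)
{
  neg_store("com", T_MX, NEG_NODATA);        /* reply built from F_NOERR */
  printf("NODATA:   google.com A blocked=%d\n", neg_lookup("google.com", T_A));
  neg_reset();
  neg_store("com", T_MX, NEG_NXDOMAIN);      /* reply built from F_NXDOMAIN */
  printf("NXDOMAIN: google.com A blocked=%d\n", neg_lookup("google.com", T_A));
  return 0;
}
```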


