[Dnsmasq-discuss] MX forwarding
Gene Czarcinski
gene at czarc.net
Fri Aug 31 15:26:30 BST 2012
On 08/31/2012 09:59 AM, Simon Kelley wrote:
> On 30/08/12 17:20, Gene Czarcinski wrote:
>> On 08/30/2012 10:31 AM, Simon Kelley wrote:
>>> On 30/08/12 13:11, Gene Czarcinski wrote:
>>>> The patch below has been tested and returns NXDOMAIN for A and AAAA
>>>> plain-name queries (which stops /usr/bin/host) from doing an MX query
>>>> (domain-needed is specified). But a "host -t DS com" and "host -t DS
>>>> org" returns the expected info.
>>>>
>>>> A really simple patch:
>>>> -----------------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>> diff -uNr dnsmasq-2.59.orig/src/forward.c dnsmasq-2.59/src/forward.c
>>>> --- dnsmasq-2.59.orig/src/forward.c 2011-10-07 10:09:30.000000000
>>>> -0400
>>>> +++ dnsmasq-2.59/src/forward.c 2012-08-30 07:27:33.553302341 -0400
>>>> @@ -210,7 +210,7 @@
>>>> if (flags == 0 && !(qtype & F_QUERY) &&
>>>> option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') &&
>>>> namelen
>>>> != 0)
>>>> /* don't forward A or AAAA queries for simple names, except the
>>>> empty name */
>>>> - flags = F_NOERR;
>>>> + flags = F_NXDOMAIN;
>>>>
>>>> if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
>>>> flags = F_NOERR;
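Review bot: The new "flags = F_NXDOMAIN;" falls straight into the following "if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))" test, so a dotless name is only reset to F_NOERR when check_for_local_domain() recognises it. Every other single-label name, a TLD such as com included, is now answered NXDOMAIN, which denies the name itself rather than one record type, while the comment above still describes the branch as covering only A or AAAA queries. Suggest keeping F_NOERR here and stopping the unwanted MX lookup by extending the query-type special-casing instead.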
>>>> --------------------------------------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>> But that change returns NXDOMAIN, which is a reversion of one of the
>>> changes made to fix Debian bug 630637.
>>>
>>> I'm happy to add MX to A and AAAA records for special-casing, but not
>>> the above patch.
>>>
>> Yes, you can add MX to the extract_request() so that for A, AAAA, ANY,
>> and now MX the "flag" will be set. However, it is important not
>> to return a null response ... NXDOMAIN is the proper return ... or at
>> least that is what I get when I enter a bad plain-name to a bind/named
>> server ... sure, the query gets forwarded up the chain and rattles a lot
>> of other servers, but that answer of an A query will stop host. In
>> addition, you will get NXDOMAIN [reply code 3 or "no such name" as
>> wireshark puts it] if you specifically query MX such as "host -t MX
>> badname."
>>
>> However, from what you are saying, I am not sure how the code is supposed
>> to work but with the patch above applied it seems to work just fine (at
>> least it gave the keys for "host com.", "host org.", and "host net.").
>> At the same time, NXDOMAIN is returned for plain-name A, AAAA, and ANY.
>> Yes, if you specifically specify MX such as "host -t MX badname." then the
>> query will be forwarded. The main thing is to return a NXDOMAIN
>> response rather than a "null" response which is what you get from
>> "F_NOERR". BTW, I am not certain what the purpose of the next "if"
>> statement is.
>>
> The problem with returning an NXDOMAIN response for (eg) com is that it
> means that the .com domain doesn't exist. Something querying say an MX
> record for com which gets an NXDOMAIN response is at liberty to cache
> that, and assume that com doesn't exist, and that a query for
> _any_query_type_ will also return NXDOMAIN. A sufficiently complete
> recursive resolver will get the information that .com is NXDOMAIN, and
> completely correctly deduce that google.com is also NXDOMAIN. A NODATA
> reply doesn't have this property.
>
>> Thanks for the patience, Gene
> No problem. To be honest, I can't remember all the details of which this
> got changed, which 1) makes it difficult to reason about it, and 2)
> makes me reluctant to make further changes without understanding them.
>
> Cheers,
>
> Simon.
>
Well, I believe that I just shot myself in the foot because I just
proved to myself that NXDOMAIN was wrong. My reference to how things
should work (what the responses should be) is bind (named). Doing a
"host com." gives A, AAAA, MX queries each with a "null" response such as you
get from using F_NOERR and not F_NXDOMAIN.

My only objective is to not do unintentional forwarding. Thus, adding
T_MX to extract_request() should duplicate the responses when
"domain-needed" is specified.

Gene
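
The difference between the two replies discussed in this thread, as an added example (not dnsmasq code and not written by either poster): a toy negative cache in which an NXDOMAIN entry denies a name and everything beneath it for every type, while a NODATA entry covers one name and type only. The struct, the function names and the QT_ constants are hypothetical, names are assumed lower-case without a trailing dot, and treating MX like A and AAAA is the change proposed above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model for illustration; none of these names exist in dnsmasq. */
enum neg_kind { NEG_NODATA, NEG_NXDOMAIN };
enum { QT_A = 1, QT_MX = 15, QT_AAAA = 28 };   /* standard RR type numbers */

struct neg_entry { const char *name; unsigned short qtype; enum neg_kind kind; };

/* 1 if name equals zone or is a subdomain of it (label boundary checked). */
static int at_or_below(const char *name, const char *zone)
{
  size_t n = strlen(name), z = strlen(zone);
  if (z > n || strcmp(name + n - z, zone) != 0)
    return 0;
  return n == z || name[n - z - 1] == '.';
}

/* 1 if the cached negative entry settles (name, qtype) without going upstream. */
int neg_cache_hit(const struct neg_entry *e, const char *name, unsigned short qtype)
{
  if (e->kind == NEG_NXDOMAIN)   /* the name does not exist: any type, whole subtree */
    return at_or_below(name, e->name);
  return strcmp(name, e->name) == 0 && qtype == e->qtype;   /* NODATA: this pair only */
}

/* Assumption: domain-needed with MX special-cased like A and AAAA, as proposed.
   Plain (dotless, non-empty) names are answered locally instead of forwarded. */
int answer_locally(const char *qdomain, unsigned short qtype)
{
  int special = qtype == QT_A || qtype == QT_AAAA || qtype == QT_MX;
  return special && qdomain[0] != '\0' && strchr(qdomain, '.') == NULL;
}

int main(void)
{
  struct neg_entry nx = { "com", QT_MX, NEG_NXDOMAIN };   /* constructed entries */
  struct neg_entry nd = { "com", QT_MX, NEG_NODATA };
  printf("NXDOMAIN(com) blocks google.com A: %d\n", neg_cache_hit(&nx, "google.com", QT_A));
  printf("NODATA(com MX) blocks google.com A: %d\n", neg_cache_hit(&nd, "google.com", QT_A));
  printf("plain-name MX answered locally: %d\n", answer_locally("badname", QT_MX));
  return 0;
}
```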