[Dnsmasq-discuss] Ability to delegate to one server but fall back to another after NXDOMAIN?
Jesse Glick
jglick at cloudbees.com
Mon Jan 13 13:59:53 GMT 2014
version 2.68 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth
Let us say I have two DNS servers I wish to delegate to:
A: Trusted to serve addresses (and other records) for the general
Internet, plus also a few private domains I care about.
B: Needed to serve addresses for a few machines in a particular subnet
(whose names and even domain are unknown to me); not trusted to serve
any other records.
So I tried
dnsmasq --strict-order --no-resolv --server=A --server=B --all-servers
hoping that this would ask A first, and if that failed to produce a
valid response, then ask B.
Instead, this seemed to _only_ ask A for anything. When it responded
with NXDOMAIN, dnsmasq did not consult B, even when B would have
responded with a valid address record.
I do not want to list --server=B first, or run without --strict-order,
since I do not want B serving falsified records for unrelated names. I
know how to use --server=/bcorp/B to restrict B to answering queries
about names in the *.bcorp domain, but I do not necessarily know what
this domain is.
Is this a bug? Or is there some other option I need to use to get this
behavior? Or would dnsmasq need to be patched to get such behavior
(and if so, would such a patch potentially be accepted upstream)? Or
is there some other DNS masquerader which is designed for that
purpose?
Analogously, I would like a version of --addn-hosts which is consulted
only if --server=A responds with NXDOMAIN. But this could be simulated
by running a second copy of dnsmasq on a different port on localhost.
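A small model of the three upstream policies the post contrasts, added here as an illustration and not dnsmasq code: the two servers are constructed dicts, an absent name stands for NXDOMAIN, and the ".bcorp" suffix plays the role of the --server=/bcorp/B restriction.

```python
"""Toy model of the upstream-selection policies discussed in the post.

Added example, not dnsmasq code. Two constructed upstreams answer from dicts;
a missing name is NXDOMAIN. Three policies are compared: what the post
observed (A only), what it asked for (fall back to B after A says NXDOMAIN),
and the server=/bcorp/B form (B consulted only under a known suffix).
"""
from typing import Optional, Tuple

Reply = Tuple[str, Optional[str]]  # (rcode, address)

# Constructed data: A is trusted, B is only meant to know the bcorp subnet.
SERVER_A = {"www.example.com": "192.0.2.10", "db.corp.internal": "10.0.0.5"}
SERVER_B = {
    "node1.bcorp": "10.9.0.11",            # the one name only B can serve
    "retired.corp.internal": "10.9.0.99",  # B claiming a name in A's private zone
    "login.examp1e.com": "10.9.0.66",      # B claiming a typo of a public name
}

def ask(server: dict, name: str) -> Reply:
    """Model a single upstream query; absent names return NXDOMAIN."""
    return ("NOERROR", server[name]) if name in server else ("NXDOMAIN", None)

def strict_order(name: str) -> Reply:
    """What the post observed: A's NXDOMAIN is final, B is never consulted."""
    return ask(SERVER_A, name)

def fallback_after_nxdomain(name: str) -> Reply:
    """What the post asked for: on NXDOMAIN from A, ask B for any name."""
    rcode, addr = ask(SERVER_A, name)
    return (rcode, addr) if rcode == "NOERROR" else ask(SERVER_B, name)

def scoped_to_suffix(name: str, suffix: str = ".bcorp") -> Reply:
    """The server=/bcorp/B form: B answers only under the suffix, A the rest."""
    return ask(SERVER_B, name) if name.endswith(suffix) else ask(SERVER_A, name)

def names_b_can_answer(policy) -> list:
    """Names in B's table for which the policy returns B's address, i.e. the
    exposure the post is worried about under each policy."""
    return [n for n, a in SERVER_B.items() if policy(n) == ("NOERROR", a)]
```

Running names_b_can_answer over the three policies shows the trade-off directly: the fallback policy lets B answer for every name A does not know, including names inside A's own private domain, while the suffix-scoped policy limits B to the bcorp names.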