[Dnsmasq-discuss] [PATCH] --dont-mirror-queries option

Kurt H Maier khm at sciops.net
Wed Feb 24 23:38:16 GMT 2016


On Wed, Feb 24, 2016 at 05:20:14PM +0000, Simon Kelley wrote:
> 
> I wonder if a better solution to the loop-detection is to mark queries
> with a UID of all the servers they've been forwarded by, in an EDNS0
> option. That would avoid the false detection of queries coming from
> master, but not from the dnsmasq instance on master. It would also
> detect arbitrary loops. Dnsmasq has the relevant code to examine and
> add EDNS0, so it wouldn't be too difficult to add.

What guarantees does dnsmasq have that other servers won't strip the
EDNS0 field or otherwise modify the query?  All it takes is one
misconfigured OPT RR and you risk losing the 'chain of custody' data.

I'm not against exploring this approach to loop-detection in general,
since I haven't had trouble working with EDNS0 for some years, but
it doesn't solve the immediate reflection problem we're facing now.

Thanks for giving this some thought, I'm interested to see what you
decide!


khm
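As an added illustration of the EDNS0 forwarder-chain idea discussed above and of the stripping concern raised against it (example code, not dnsmasq's own and not code from either author): it assumes a hypothetical private-use option code 65001 carrying fixed 8-byte server UIDs and works directly on raw OPT RDATA.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define CHAIN_OPT_CODE 65001u /* hypothetical; 65001-65534 are local/experimental EDNS codes */
#define UID_LEN 8             /* assumed fixed-size per-server identifier */
enum chain_result { CHAIN_LOOP, CHAIN_APPENDED, CHAIN_STARTED, CHAIN_ERROR };

static size_t rd16(const uint8_t *p) { return (size_t)p[0] << 8 | p[1]; }
static void wr16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Walk OPT RDATA (code, length, data triples) for the chain option. If my_uid
 * is already listed the query has been here before: a loop. Otherwise append
 * my_uid in place. A missing option cannot tell "first hop" from "stripped by
 * an upstream that rewrote the OPT RR", so the caller only learns a fresh
 * chain was started. rdata holds *rdlen bytes in a buffer of cap bytes. */
enum chain_result chain_mark(uint8_t *rdata, size_t *rdlen, size_t cap,
                             const uint8_t my_uid[UID_LEN])
{
    for (size_t pos = 0; pos + 4 <= *rdlen; ) {
        size_t code = rd16(rdata + pos), len = rd16(rdata + pos + 2);
        uint8_t *data = rdata + pos + 4;
        if (pos + 4 + len > *rdlen) return CHAIN_ERROR;            /* truncated option */
        if (code != CHAIN_OPT_CODE) { pos += 4 + len; continue; }
        for (size_t i = 0; i + UID_LEN <= len; i += UID_LEN)
            if (memcmp(data + i, my_uid, UID_LEN) == 0) return CHAIN_LOOP;
        if (*rdlen + UID_LEN > cap || len + UID_LEN > 0xffff) return CHAIN_ERROR;
        memmove(data + len + UID_LEN, data + len, *rdlen - (pos + 4 + len)); /* shift later options */
        memcpy(data + len, my_uid, UID_LEN);
        wr16(rdata + pos + 2, len + UID_LEN);
        *rdlen += UID_LEN;
        return CHAIN_APPENDED;
    }
    if (*rdlen + 4 + UID_LEN > cap) return CHAIN_ERROR;
    wr16(rdata + *rdlen, CHAIN_OPT_CODE);                           /* start a new chain */
    wr16(rdata + *rdlen + 2, UID_LEN);
    memcpy(rdata + *rdlen + 4, my_uid, UID_LEN);
    *rdlen += 4 + UID_LEN;
    return CHAIN_STARTED;
}

/* Constructed walk-through of a query forwarded A -> B -> A. With strip set,
 * the OPT RR is lost before A sees the query again (the failure mode raised in
 * the reply), so the loop goes undetected. Returns the third hop's result. */
enum chain_result chain_demo(int strip)
{
    uint8_t rdata[64] = {0, 3, 0, 0};   /* constructed: an empty NSID option comes first */
    size_t rdlen = 4;
    const uint8_t a[UID_LEN] = {1,1,1,1,1,1,1,1}, b[UID_LEN] = {2,2,2,2,2,2,2,2};
    if (chain_mark(rdata, &rdlen, sizeof rdata, a) != CHAIN_STARTED) return CHAIN_ERROR;
    if (chain_mark(rdata, &rdlen, sizeof rdata, b) != CHAIN_APPENDED) return CHAIN_ERROR;
    if (strip) rdlen = 0;               /* whole OPT RR dropped in transit */
    return chain_mark(rdata, &rdlen, sizeof rdata, a);
}
```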