[Dnsmasq-discuss] [PATCH] --dont-mirror-queries option

Simon Kelley simon at thekelleys.org.uk
Tue Mar 1 18:50:14 GMT 2016


On 24/02/16 23:38, Kurt H Maier wrote:
> On Wed, Feb 24, 2016 at 05:20:14PM +0000, Simon Kelley wrote:
>>
>> I wonder if a better solution to the loop-detection is to mark queries
>> with a UID of all the servers they've been forwarded by, in an EDNS0
>> option. That would avoid the false detection of queries coming from
>> master, but not from the dnsmasq instance on master. It would also
>> detect arbitrary loops. Dnsmasq has the relevant code to examine and
>> add EDNS0, so it wouldn't be too difficult to add.
> 
> What guarantees does dnsmasq have that other servers won't strip the
> EDNS0 field or otherwise modify the query?  All it takes is one
> misconfigured OPT RR and you risk losing the 'chain of custody' data.
> 
> I'm not against exploring this approach to loop-detection in general,
> since I haven't had trouble working with EDNS0 for some years, but
> it doesn't solve the immediate reflection problem we're facing now.
> 
> Thanks for giving this some thought, I'm interested to see what you
> decide!
> 

This approach assumes that all the servers are dnsmasq, and running the
loop-detection code, which is a reasonable assumption. Once a query
escapes from the "cloud" of interconnected dnsmasq servers towards an
upstream server, the EDNS0 options are no longer required and can be
stripped without problem. (They will be stripped from replies.)


Cheers,

Simon.

> 
> khm
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
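As an added sketch (not dnsmasq code, and not from either poster), the following C shows what the "chain of custody" in an EDNS0 option could look like: each dnsmasq hop appends its own UID before forwarding, drops the query if its UID is already listed, and the option is stripped once the query leaves the dnsmasq cloud for a real upstream. The option code 65001 (from the local/experimental range) and 32-bit UIDs are assumptions; the code works on the OPT RDATA (the sequence of {code, len, data} options), not on a whole DNS message, and it rejects a malformed OPT RR from a peer rather than trusting it.

```c
/* Added illustration of the EDNS0 loop-trace idea; NOT dnsmasq code.
 * Assumptions: trace travels in EDNS0 option code 65001 (local-use range),
 * and each dnsmasq instance is identified by a 32-bit UID. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_LOOP_TRACE 65001u          /* assumed option code */
#define MAX_OPT_RDATA  512

typedef struct { uint8_t data[MAX_OPT_RDATA]; size_t len; } opt_rdata;

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Offset of the header of option `code`, -1 if absent, -2 if the RDATA is
 * malformed (an option claims more bytes than remain). */
static long find_option(const opt_rdata *o, uint16_t code) {
    size_t off = 0;
    while (off + 4 <= o->len) {
        uint16_t c = get16(o->data + off), l = get16(o->data + off + 2);
        if (off + 4 + l > o->len) return -2;
        if (c == code) return (long)off;
        off += 4 + l;
    }
    return -1;
}

/* Number of UIDs recorded in the trace option (0 if absent). */
int loop_trace_count(const opt_rdata *o) {
    long off = find_option(o, (uint16_t)OPT_LOOP_TRACE);
    return off < 0 ? 0 : get16(o->data + off + 2) / 4;
}

/* Run before forwarding to another dnsmasq.  -1: our UID is already in the
 * trace (loop, drop the query); -2: malformed or full RDATA; 0: our UID was
 * appended.  Options after the trace are shifted so the OPT RR stays intact. */
int loop_trace_forward(opt_rdata *o, uint32_t uid) {
    long off = find_option(o, (uint16_t)OPT_LOOP_TRACE);
    if (off == -2) return -2;
    if (off < 0) {                       /* first dnsmasq hop: create the option */
        if (o->len + 4 > MAX_OPT_RDATA) return -2;
        put16(o->data + o->len, (uint16_t)OPT_LOOP_TRACE);
        put16(o->data + o->len + 2, 0);
        off = (long)o->len;
        o->len += 4;
    }
    uint16_t l = get16(o->data + off + 2);
    const uint8_t *p = o->data + off + 4;
    for (size_t i = 0; i + 4 <= l; i += 4)
        if (get32(p + i) == uid) return -1;   /* we have handled this query before */
    if (o->len + 4 > MAX_OPT_RDATA || l > 0xffff - 4) return -2;
    size_t end = (size_t)off + 4 + l;
    memmove(o->data + end + 4, o->data + end, o->len - end);
    put32(o->data + end, uid);
    put16(o->data + off + 2, (uint16_t)(l + 4));
    o->len += 4;
    return 0;
}

/* Run when the query leaves the dnsmasq "cloud" for a real upstream: the
 * trace is no longer needed and is removed (0 = ok, -2 = malformed). */
int loop_trace_strip(opt_rdata *o) {
    long off = find_option(o, (uint16_t)OPT_LOOP_TRACE);
    if (off == -2) return -2;
    if (off == -1) return 0;
    size_t l = get16(o->data + off + 2), end = (size_t)off + 4 + l;
    memmove(o->data + off, o->data + end, o->len - end);
    o->len -= 4 + l;
    return 0;
}

/* Three dnsmasq instances forwarding in a ring A->B->C->A: returns the number
 * of hops taken before the loop is caught (3: A sees its own UID on hop 4). */
int simulate_ring(void) {
    uint32_t uids[3] = { 0x11111111u, 0x22222222u, 0x33333333u };
    opt_rdata o = { {0}, 0 };
    for (int hops = 0, i = 0; ; i = (i + 1) % 3, hops++) {
        int r = loop_trace_forward(&o, uids[i]);
        if (r == -1) return hops;
        if (r != 0) return -1;
    }
}

/* Constructed checks: an unrelated option (NSID, code 3, empty) survives the
 * trace being added and stripped, and a truncated option is rejected.
 * Returns 1 if every expectation holds. */
int demo_other_options_and_malformed(void) {
    opt_rdata o = { { 0x00, 0x03, 0x00, 0x00 }, 4 };          /* NSID, no data */
    if (loop_trace_forward(&o, 0xAAAA0001u) != 0) return 0;
    if (loop_trace_forward(&o, 0xAAAA0002u) != 0) return 0;
    if (loop_trace_count(&o) != 2 || o.len != 16) return 0;
    if (loop_trace_forward(&o, 0xAAAA0001u) != -1) return 0;  /* loop */
    if (loop_trace_strip(&o) != 0 || o.len != 4 || o.data[1] != 3) return 0;
    opt_rdata bad = { { 0xFD, 0xE9, 0x00, 0x08, 0, 0, 0, 1 }, 8 }; /* claims 8 bytes, has 4 */
    return loop_trace_forward(&bad, 0xAAAA0001u) == -2;
}

int main(void) {
    printf("ring loop detected after %d hops\n", simulate_ring());
    printf("other options kept, malformed rejected: %s\n",
           demo_other_options_and_malformed() ? "yes" : "no");
    return 0;
}
```

This also shows why an intermediate server that strips or rewrites the OPT RR only costs detection of loops passing through that server: a hop that sees no trace simply starts a new one, and a hop that sees a truncated option refuses to forward rather than misparse it.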
