[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server

/dev/rob0 rob0 at gmx.co.uk
Mon Feb 27 16:42:02 GMT 2017


On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
> On 27/02/17 13:31, Chris Novakovic wrote:
> > On 27/02/17 10:04, Daniel Pocock wrote:
> >>
> >> I've observed the following problem:
> >>
> >> - dnsmasq is sending queries to 5 servers, one of them is not 
> >> recursive and only answers for a private domain
> >>
> >> - if the first response dnsmasq receives comes from the 
> >> non-recursive server (REFUSED), then dnsmasq is sending a 
> >> REFUSED response to the client
> >>
> >> - dnsmasq subsequently receives a response from one of the 
> >> recursive servers
> > 
> > This is expected behaviour. One possibility is to configure 
> > dnsmasq to forward requests to the non-recursive server only
> > for the private domain, e.g.:
> > 
> > --server=/private.domain/non.recursive.server.ip
> > 
> > and a matching --rev-server directive if appropriate.
> 
> The router is running OpenWRT, I could make that change manually 
> but then I wouldn't be able to fully manage it with the GUI any 
> more.
> 
> Can you confirm if this is the only way it can work according to 
> the DNS spec, or is it a dnsmasq design decision?

--server without the domain specified MUST be a recursive server, 
willing to resolve your queries for any names.

--server=/domain.example/ip.add.re.ss will only send queries for 
domain.example (and *.domain.example) to ip.add.re.ss.

> Could a software approach be taken by default, waiting to see
> if any resolver provides a positive response before sending
> back REFUSED to the client?

I don't see a valid use case for this.  You have a configuration 
error, by listing a non-recursive server among your upstream 
recursive servers.

Perhaps the OpenWRT people didn't know enough about dnsmasq to 
support this situation, or perhaps they didn't care.  But dnsmasq 
documentation of --server is clear enough about it.

Another problem you will have is when one of the actual upstream 
recursive servers replies for "domain.example" with incorrect data.

(Side note: simple is good; listing more recursive servers will 
generally not improve performance.  If some of the servers you're 
listing are not reliable enough, try one of the Google Public DNS 
addresses, or run your own recursive resolver.)
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
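For readers following the thread, here is the configuration pattern the reply describes, written as an added example and not taken from the original post, dnsmasq documentation, or OpenWRT. The addresses (192.0.2.x, 198.51.100.x), the domain private.domain and the 192.168.10.0/24 subnet are placeholders; the first block reproduces the mistaken setup, the second the fix.

```conf
# --- Setup that reproduces the problem (placeholder addresses) ---
# All five are treated as general recursive upstreams. If the
# non-recursive server answers first with REFUSED, that is the
# answer the client gets.
server=198.51.100.1
server=198.51.100.2
server=198.51.100.3
server=198.51.100.4
server=192.0.2.53      # authoritative only for private.domain, not recursive

# --- Corrected setup ---
# Only genuinely recursive servers remain in the general upstream list.
server=198.51.100.1
server=198.51.100.2

# Queries for private.domain and *.private.domain go exclusively to the
# non-recursive server; it is never asked about other names, so its
# REFUSED replies no longer reach clients.
server=/private.domain/192.0.2.53

# Optional: reverse lookups for the private subnet go to the same
# server (assumes 192.168.10.0/24 is the private range).
rev-server=192.168.10.0/24,192.0.2.53
```

On OpenWRT the same directive can be expressed in /etc/config/dhcp as a `list server '/private.domain/192.0.2.53'` entry under the `config dnsmasq` section, which is what a `uci add_list dhcp.@dnsmasq[0].server=...` command writes; whether the web GUI exposes that field depends on the LuCI version in use, which this example does not assume.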