[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
Simon Kelley
simon at thekelleys.org.uk
Mon Feb 27 21:52:27 GMT 2017
The behaviour of believing the first REFUSED answer has been changed
for the forthcoming release.
There are a couple of long discussions about this on here.
Cheers,
Simon.
On 27/02/17 16:42, /dev/rob0 wrote:
> On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
>> On 27/02/17 13:31, Chris Novakovic wrote:
>>> On 27/02/17 10:04, Daniel Pocock wrote:
>>>>
>>>> I've observed the following problem:
>>>>
>>>> - dnsmasq is sending queries to 5 servers, one of them is not
>>>> recursive and only answers for a private domain
>>>>
>>>> - if the first response dnsmasq receives comes from the
>>>> non-recursive server (REFUSED), then dnsmasq is sending a
>>>> REFUSED response to the client
>>>>
>>>> - dnsmasq subsequently receives a response from one of the
>>>> recursive servers
>>>
>>> This is expected behaviour. One possibility is to configure
>>> dnsmasq to forward requests to the non-recursive server only
>>> for the private domain, e.g.:
>>>
>>> --server=/private.domain/non.recursive.server.ip
>>>
>>> and a matching --rev-server directive if appropriate.
>>
>> The router is running OpenWRT; I could make that change manually,
>> but then I wouldn't be able to fully manage it with the GUI any
>> more.
>>
>> Can you confirm if this is the only way it can work according to
>> the DNS spec, or is it a dnsmasq design decision?
>
> --server without the domain specified MUST be a recursive server,
> willing to resolve your queries for any names.
>
> --server/domain.example/ip.add.re.ss will only send queries for
> domain.example (and *.domain.example) to ip.add.re.ss.
>
>> Could a software approach be taken by default, waiting to see if
>> any resolver provides a positive response before sending back
>> REFUSED to the client?
>
> I don't see a valid use case for this. You have a configuration
> error, by listing a non-recursive server among your upstream
> recursive servers.
>
> Perhaps the OpenWRT people didn't know enough about dnsmasq to
> support this situation, or perhaps they didn't care. But dnsmasq
> documentation of --server is clear enough about it.
>
> Another problem you will have is when one of the actual upstream
> recursive servers replies for "domain.example" with incorrect
> data.
>
> (Side note: simple is good; listing more recursive servers will
> generally not improve performance. If some of the servers you're
> listing are not reliable enough, try one of the Google Public DNS
> addresses, or run your own recursive resolver.)
>
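The change Chris and rob0 describe, written out as a dnsmasq.conf fragment. This is an added example, not configuration from the thread or from OpenWRT; the addresses, the corp.example zone and the 10.10.0.0/16 reverse range are constructed placeholders.

```conf
# Added example (not from the thread). Addresses and zone names are constructed.

# --- Configuration that produces the problem described above ---
# Every bare server= entry is treated as a general-purpose recursive
# upstream, so dnsmasq may forward any query to any of them and hands the
# client the first reply it gets. If the private-zone-only server answers
# first, the client gets its REFUSED.
#server=203.0.113.1
#server=203.0.113.2
#server=198.51.100.1
#server=198.51.100.2
#server=192.0.2.53      # only authoritative for corp.example, not recursive

# --- Corrected configuration ---
# Bare server= entries must be recursive resolvers willing to answer for
# any name (rob0's point above). Two is plenty.
server=203.0.113.1
server=203.0.113.2

# Scope the non-recursive server to the zone it actually serves: only
# queries for corp.example and *.corp.example go to 192.0.2.53, so its
# REFUSED is never returned for unrelated names and the public resolvers
# never see (or answer) private names.
server=/corp.example/192.0.2.53

# Matching reverse lookups for the private address range go to the same
# server: rev-server=<subnet>/<prefix-length>,<server>
rev-server=10.10.0.0/16,192.0.2.53
```

Because the OpenWRT GUI in this thread writes only the bare server list, the scoped entries above would have to be added outside the GUI, which is the trade-off Daniel raises.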