[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
simon at thekelleys.org.uk
Mon Feb 27 21:52:27 GMT 2017
The behaviour of believing the first REFUSED answer has been changed
for the forthcoming release.
There's a couple of long discussions about this on here.
On 27/02/17 16:42, /dev/rob0 wrote:
> On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
>> On 27/02/17 13:31, Chris Novakovic wrote:
>>> On 27/02/17 10:04, Daniel Pocock wrote:
>>>> I've observed the following problem:
>>>> - dnsmasq is sending queries to 5 servers, one of them is not
>>>> recursive and only answers for a private domain
>>>> - if the first response dnsmasq receives comes from the
>>>> non-recursive server (REFUSED), then dnsmasq is sending a
>>>> REFUSED response to the client
>>>> - dnsmasq subsequently receives a response from one of the
>>>> recursive servers
>>> This is expected behaviour. One possibility is to configure
>>> dnsmasq to forward requests to the non-recursive server only
>>> for the private domain, e.g.:
>>> and a matching --rev-server directive if appropriate.
>> The router is running OpenWRT, I could make that change manually
>> but then I wouldn't be able to fully manage it with the GUI any
>> Can you confirm if this is the only way it can work according to
>> the DNS spec, or is it a dnsmasq design decision?
> --server without the domain specified MUST be a recursive server,
> willing to resolve your queries for any names.
> --server/domain.example/ip.add.re.ss will only send queries for
> domain.example (and *.domain.example) to ip.add.re.ss.
>> Could a software approach be taken by default, waiting to see if
>> any resolver provides a positive response before sending back
>> REFUSED to the client?
> I don't see a valid use case for this. You have a configuration
> error, by listing a non-recursive server among your upstream
> recursive servers.
> Perhaps the OpenWRT people didn't know enough about dnsmasq to
> support this situation, or perhaps they didn't care. But dnsmasq
> documentation of --server is clear enough about it.
> Another problem you will have is when one of the actual upstream
> recursive servers replies for "domain.example" with incorrect
> (Side note: simple is good; listing more recursive servers will
> generally not improve performance. If some of the servers you're
> listing are not reliable enough, try one of the Google Public DNS
> addresses, or run your own recursive resolver.)
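An added illustration, not code from the thread or from dnsmasq: a small Python check for the configuration problem discussed above. It parses `server=` lines, rewrites a global upstream into the domain-scoped `server=/domain/ip` form, and decodes a DNS reply header to show the REFUSED rcode and the RA bit that distinguish an authoritative-only server from a recursive one. The addresses, the domain `corp.example` and the config fragment are constructed sample values.

```python
import struct

# Constructed sample of the setup described in the thread: four recursive
# upstreams plus one authoritative-only server for a private zone, all
# listed as global upstreams (the misconfiguration under discussion).
SAMPLE_CONF = """\
server=192.0.2.1
server=192.0.2.2
server=192.0.2.3
server=192.0.2.4
# authoritative only for corp.example, not recursive
server=192.0.2.53
"""

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_server_lines(conf):
    """Split dnsmasq server= lines into global upstreams and domain-scoped ones.
    'server=10.0.0.53'               -> global: must be a recursive resolver
    'server=/corp.example/10.0.0.53' -> only corp.example and its subdomains"""
    global_servers, scoped = [], []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            parts = value.split("/")      # ['', 'corp.example', '10.0.0.53']
            scoped.append((parts[1:-1], parts[-1]))
        else:
            global_servers.append(value)
    return global_servers, scoped

def scope_to_domain(conf, addr, domain):
    """Rewrite 'server=ADDR' as 'server=/DOMAIN/ADDR' so dnsmasq only sends
    queries for DOMAIN (and subdomains) to ADDR; other lines are unchanged."""
    out = [f"server=/{domain}/{addr}" if raw.split("#", 1)[0].strip() == f"server={addr}"
           else raw for raw in conf.splitlines()]
    return "\n".join(out) + "\n"

def reply_summary(packet):
    """Decode a DNS reply header: rcode name and the RA (recursion available)
    flag. REFUSED with RA clear is the typical reply from an authoritative-only
    server asked for a name outside the zones it serves."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    return {"recursion_available": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}
```

Running `scope_to_domain(SAMPLE_CONF, "192.0.2.53", "corp.example")` yields the config the thread recommends; a matching `rev-server` line for the private address range is still a manual step.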