[Dnsmasq-discuss] REFUSED PTR queries without recursion desired

Petr Mensik pemensik at redhat.com
Wed Jul 10 10:15:49 BST 2019


Hi Chiang,

I discovered the same issue and even posted patch on 2019-04-12 [1].
Queries without RD flag are always forwarded to "upstream" server, not
answered locally. REFUSED is usually given by server dnsmasq points to,
dnsmasq is just passing it to you. It should be fixed, but no reply for
it yet.

But I think it should work on authoritative interface, but it has to be
different interface used for normal dns cache.

1.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q2/013013.html

On 7/9/19 12:24 PM, Chiang Fong Lee wrote:
> Hello,
> 
> I’m having some trouble getting dnsmasq to respond to PTR queries without recursion desired, even when authoritative mode is enabled.
> 
> Given the following config:
> domain-needed
> bogus-priv
> no-resolv
> no-hosts
> port=10053
> server=/example.com/
> log-queries
> host-record=host1.example.com,10.2.3.4
> 
> Observed results:
> Query host1.example.com A (with recursion) - NOERROR, returns answer
> Query host1.example.com A (without recursion) - REFUSED
> Query 4.3.2.10.in-addr.arpa PTR (with recursion) - NOERROR, returns answer
> Query 4.3.2.10.in-addr.arpa PTR (without recursion) - REFUSED
> 
> Given the above config, plus the following two lines to enable authoritative mode:
> auth-server=ns1.example.com
> auth-zone=example.com,10.0.0.0/8
> 
> Observed results:
> Query host1.example.com A (with recursion) - NOERROR, returns answer
> Query host1.example.com A (without recursion) - NOERROR, returns answer
> Query 4.3.2.10.in-addr.arpa PTR (with recursion) - NOERROR, returns answer
> Query 4.3.2.10.in-addr.arpa PTR (without recursion) - REFUSED
> 
> Expected results:
> Enabling auth mode for the zone, and specifying the subnet, would result in the last PTR query being accepted instead of refused.
> 
> The log lines seen when the REFUSED occurs are:
> dnsmasq_1  | Jul  9 09:42:06 dnsmasq[1]: query[PTR] 4.3.2.10.in-addr.arpa from 172.19.0.1
> dnsmasq_1  | Jul  9 09:42:06 dnsmasq[1]: config error is REFUSED
> 
> Version info:
> Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
> 
> I was looking through the source and I’m guessing that PTR queries don’t ever trigger the auth zone path, since the query ends in “in-addr.arpa” instead of the auth-zone domain like “example.com”. Once it reaches the regular answer_request path, it immediately returns since the RD flag is not set, without checking host-records, and proceeds to forward the query instead.
> 
> Is this intended behaviour? The 2.79 CHANGELOG states that this always-SERVFAIL (or forward, in 2.80) behaviour for queries without recursion desired should always happen “UNLESS acting as an authoritative DNS server”, without a caveat that it only works for non-reverse DNS queries.
> 
> Thanks,
> Chiang Fong
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973



More information about the Dnsmasq-discuss mailing list