[Dnsmasq-discuss] dnsmasq to return NODATA for an A query

Geert Stappers stappers at stappers.nl
Sun Mar 7 08:57:34 UTC 2021


On Sat, Mar 06, 2021 at 11:12:31PM +0000, Aaron Jones wrote:
> On 06/03/2021 19:22, Geert Stappers via Dnsmasq-discuss wrote:
> > On Thu, Mar 04, 2021 at 06:50:39AM +0000, Aaron Jones wrote,
> > with Subject: dnsmasq's behaviour with configured static hosts is unintuitive:
> > > Hello.
> > > 
> > > I'm trying to force queries for specific names to not be forwarded along
> > > to recursors, and be answered locally. The normal way to do this is to
> > > put such address/name pairs in hosts(5), or you can add a --host-record=
> > > option to the configuration file.
> > > 
> > > That works okay.
> > 
> > Acknowledge
> > 
> >  
> > > However, I'm trying to force a specific address family. Specifically,
> > > these records are for host names on a VPN, and the VPN is IPv6 only. So,
> > > for example, given the following configuration option:
> > > 
> > > --host-record=foo.example.org,fd00::1
> > > 
> > > Or given the following hosts(5) entry:
> > > 
> > > fd00::1 foo.example.org
> > > 
> > > ... will result in an AAAA query for the name returning fd00::1, but an
> > > A query is forwarded along to the configured recursors, instead of
> > > dnsmasq replying with NODATA.
> > > 
> > > This seems wrong.
> > 
> > I don't think so.
> > 
> > In fact it is what dnsmasq does
> >   - reply with what it knows
> >   - otherwise forward the request
> > 
> >  
> > > I tried to explicitly indicate that there is no IPv4 address, but this
> > > option has no effect:
> > > 
> > > --host-record=foo.example.org,,fd00::1
> > > 
> > > ... and this option returns the address exactly as given:
> > > 
> > > --host-record=foo.example.org,0.0.0.0,fd00::1
> > > 
> > > Any pointers?
> > 
> > Share the challenge you are facing with us.
> 
> Put simply, I need dnsmasq to return nothing for an A query, as the VPN
> has no IPv4 routing; I do not wish the query to be forwarded, because
> then it will be answered by the Internet, and applications may then end
> up trying to access the service without using the VPN.

Understood loud and clear

 
> This will not work due to firewalling. The hostname has IPv4 and IPv6
> addresses when queried over the Internet, but the particular service on
> that host that I wish to access is only available over the VPN,
> which is IPv6-only.

And more IPv6 only configurations to come.

 
> It would be nice if there were an explicit way to indicate in a
> --host-record option that it should not forward queries for this name if
> it has not been configured with the respective address, and instead
> reply with nothing (as though the name exists, but the record does not).
> 
> 0.0.0.0 and :: seem as valid a choice as any for a "no address"
> configuration entry. If it ends up being those, I think it should apply
> to hosts(5) entries too.
> 
> This is sort of what I'm achieving right now, with the undesirable side
> effect that dnsmasq returns those addresses literally. Unfortunately,
> this would result in the application attempting to connect to localhost,
> as that's what most operating systems treat 0.0.0.0 / :: as, when used
> as the argument to connect(2).



  --host-record=foo.example.org,NODATA,fd00::1


Says what is wanted.


In `hosts` file

  fd00::1  foo.example.org
  NO4DATA  foo.example.org

and allow

  192.168.0.1  foo.example.org
  NO6DATA      foo.example.org

plus also

  NO4DATA   foo.example.org
  NO6DATA   foo.example.org

to express "don't go to upstream resolvers for foo.example.org,
return NODATA to the request of the DNS client"


That "hosts file syntax" applied to `host record`
  --host-record=foo.example.org,NODATA,fd00::1
  --host-record=foo.example.org,192.168.0.1,NODATA
  --host-record=foo.example.org,NODATA,NODATA


Please keep dnsmasq's behaviour intuitive:
  --host-record=foo.example.org,,fd00::1
Replies AAAA with fd00::1 and forwards for A
  --host-record=foo.example.org,192.168.0.1
Replies A with 192.168.0.1 and forwards for AAAA



Groeten
Geert Stappers
-- 
Silence is hard to parse
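As an added illustration (not from this thread and not dnsmasq code), a small stdlib-only check that tells apart the response kinds the thread is arguing about: a NODATA reply (NOERROR with an empty answer section), NXDOMAIN, a real address answer, and the unwanted literal 0.0.0.0 / :: answer that most systems treat as localhost in connect(2). The wire-format builder and the sample responses are constructed here for the example.

```python
import ipaddress
import struct

# Classifies a DNS response into the cases the thread distinguishes: NODATA
# (name exists, no record of the queried type), NXDOMAIN, a real address
# answer, or the literal 0.0.0.0 / :: answer that clients treat as localhost.

def _skip_name(msg, off):
    """Return the offset just past a possibly compressed domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length

def classify_response(msg):
    """Return (kind, addresses) for a wire-format DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x0F
    if rcode != 0:
        return ("NXDOMAIN" if rcode == 3 else "ERROR rcode=%d" % rcode), []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A
            addrs.append(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:  # AAAA
            addrs.append(ipaddress.IPv6Address(rdata))
    if not addrs:
        return "NODATA", []  # NOERROR with an empty answer section
    if any(a.is_unspecified for a in addrs):
        return "UNSPECIFIED", addrs  # the undesirable literal 0.0.0.0 / ::
    return "ANSWER", addrs

def build_response(qname, qtype, rdatas, rcode=0):
    """Constructed helper: encode a minimal one-question response."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    header = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(rdatas), 0, 0)
    rrs = [b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(r)) + r for r in rdatas]
    return header + name + struct.pack("!HH", qtype, 1) + b"".join(rrs)
```

Point classify_response at a captured reply from the resolver under test: an "UNSPECIFIED" result is the 0.0.0.0 / :: workaround leaking through, "NODATA" is the behaviour the poster wants for A queries.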