[Dnsmasq-discuss] Feature request: delay negative upstream answers

Basin Ilya basinilya at gmail.com
Mon Jun 28 15:33:52 UTC 2021


Hi.
There's a number of internal DNS records in our corporate network and I also use a VPN connection through wich the other set of internal DNS records is available.
>From each network I dynamically receive a search suffix and a pair of DNS server addresses and add them to /etc/resolv.conf:

    nameserver 127.0.0.1
    search domain1.com domain2.com
    nameserver 10.14.33.139
    nameserver 10.14.33.140
    nameserver 192.168.149.11
    nameserver 192.168.110.11

There are three problems with that:

Not all possible internal search suffixes are received via DHCP. It means that I cannot configure dnsmasq to use a specific upstream server for certain unknown suffixes. And I have to enable in dnsmasq.conf:

    # To use all 4 servers
    all-servers

After receiving NXDOMAIN from one of the servers Dnsmasq immediately returns this reply to the client without waiting for other servers to reply.

Even if I drop incoming NXDOMAIN packets with an iptables rule there's a problem when a client program tries to resolve an unqualified domain name from the second network.
Libc tries the first search suffix from the list and due to the fact that for net2-host.domain1.com all four upstream servers return NXDOMAIN (that gets dropped) the library waits until it times out and never tries net1-host.domain1.com

I found that delaying NXDOMAIN packets with iproute2 solves the 3 problems above: https://serverfault.com/a/1067189/149828

However, it seems to me that waiting a little bit more for a positive answer should be part of Dnsmasq.



More information about the Dnsmasq-discuss mailing list