[Dnsmasq-discuss] Feature request: delay negative upstream answers
Basin Ilya
basinilya at gmail.com
Mon Jun 28 15:33:52 UTC 2021
Hi.
There's a number of internal DNS records in our corporate network and I also use a VPN connection through which the other set of internal DNS records is available.
From each network I dynamically receive a search suffix and a pair of DNS server addresses and add them to /etc/resolv.conf:
nameserver 127.0.0.1
search domain1.com domain2.com
nameserver 10.14.33.139
nameserver 10.14.33.140
nameserver 192.168.149.11
nameserver 192.168.110.11
There are three problems with that:
1. Not all possible internal search suffixes are received via DHCP. It means that I cannot configure dnsmasq to use a specific upstream server for certain unknown suffixes. And I have to enable in dnsmasq.conf:
   # To use all 4 servers
   all-servers
2. After receiving NXDOMAIN from one of the servers, Dnsmasq immediately returns this reply to the client without waiting for other servers to reply.
3. Even if I drop incoming NXDOMAIN packets with an iptables rule, there's a problem when a client program tries to resolve an unqualified domain name from the second network.
   Libc tries the first search suffix from the list and, due to the fact that for net2-host.domain1.com all four upstream servers return NXDOMAIN (that gets dropped), the library waits until it times out and never tries net1-host.domain1.com.
I found that delaying NXDOMAIN packets with iproute2 solves the 3 problems above: https://serverfault.com/a/1067189/149828
However, it seems to me that waiting a little bit more for a positive answer should be part of Dnsmasq.
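
The answer-selection policy requested above, sketched as an added example (it is not part of the original post and is not dnsmasq code). It compares "first reply wins" with holding negative replies for a grace period; the reply timings, the grace period and all function names are constructed for illustration, and only the server addresses come from the resolv.conf above.

```python
from dataclasses import dataclass

NOERROR, NXDOMAIN = 0, 3  # DNS RCODE values (RFC 1035)

@dataclass(frozen=True)
class Reply:
    server: str   # upstream address
    at_ms: int    # arrival time, measured from forwarding the query
    rcode: int

def first_reply_wins(replies):
    """Behaviour described in the post: the earliest reply is returned, even NXDOMAIN."""
    first = min(replies, key=lambda r: r.at_ms)
    return first, first.at_ms

def prefer_positive(replies, n_servers, grace_ms):
    """Hold non-NOERROR replies. Answer when a positive reply arrives, when every
    upstream has answered negatively, or when the grace period (started by the
    first negative reply) expires. Returns (reply, time the client is answered)."""
    held, deadline, seen = None, None, 0
    for r in sorted(replies, key=lambda r: r.at_ms):
        if deadline is not None and r.at_ms > deadline:
            return held, deadline      # grace ran out before this reply arrived
        seen += 1
        if r.rcode == NOERROR:
            return r, r.at_ms          # positive answer is released immediately
        if held is None:
            held, deadline = r, r.at_ms + grace_ms
        if seen == n_servers:
            return held, r.at_ms       # all said no: do not make libc wait for a timeout
    return held, deadline              # some upstreams never answered

# Constructed timings: two upstreams do not know the name, two do.
SPLIT = [Reply("10.14.33.139", 4, NXDOMAIN), Reply("10.14.33.140", 5, NXDOMAIN),
         Reply("192.168.149.11", 38, NOERROR), Reply("192.168.110.11", 41, NOERROR)]
# Constructed timings: wrong search suffix, nobody knows the name.
ALL_NEG = [Reply(r.server, r.at_ms, NXDOMAIN) for r in SPLIT]

if __name__ == "__main__":
    for label, replies in (("split", SPLIT), ("all negative", ALL_NEG)):
        print(label, first_reply_wins(replies), prefer_positive(replies, 4, 200))
```

With a 200 ms grace period the split case returns the positive answer at 38 ms, and the all-negative case returns NXDOMAIN at 41 ms, as soon as the last upstream has answered, so the resolver library moves on to the next search suffix instead of timing out.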