[Dnsmasq-discuss] NXDOMAIN is sent instead of NODATA when querying for non-existent AAAA records
Simon Kelley
simon at thekelleys.org.uk
Thu Aug 5 17:41:04 UTC 2021
OK. The problem is here: using local addresses only for domain swtk.info
That's an easy spot because I just fixed this particular combination.
I guess you have something like
local=/swtk.info/
and dnsmasq is using this to return NXDOMAIN without checking that it
has more specific data for the query in other types.
As a workaround, removing that configuration should make things work, at
the expense of extra trips to the upstream servers.
This should already be fixed in the development code: if it's possible
for you to run
https://thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.86test6.tar.gz
that should fix things, and doing so would be a useful test for me.
Cheers,
Simon.
On 05/08/2021 17:01, Wojtek Swiatek wrote:
> Thank you Simon for the follow-up.
>
> I use dnsmasq on a Ubiquiti Edge router (ER-4), the version is
>
> root at ubnt:~# dnsmasq --version
> Dnsmasq version 2.78-23-g9e09429 Copyright (c) 2000-2017 Simon Kelley
> Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua
> TFTP conntrack ipset auth DNSSEC loop-detect inotify
>
> I tried to query the A and AAAA record for a host which is part of my
> internal domain, defined through a wildcard:
> address=/swtk.info/192.168.10.2
>
> The requests are
>
> root at srv ~# dig -t A mqtt.swtk.info
>
> ; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t A mqtt.swtk.info
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56145
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mqtt.swtk.info. IN A
>
> ;; ANSWER SECTION:
> mqtt.swtk.info. 0 IN A 192.168.10.2
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.10.1#53(192.168.10.1)
> ;; WHEN: Thu Aug 05 17:53:12 CEST 2021
> ;; MSG SIZE rcvd: 48
>
> → this is a correct answer, A is present and status is NOERROR
>
> root at srv ~# dig -t AAAA mqtt.swtk.info
>
> ; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t AAAA mqtt.swtk.info
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15102
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;mqtt.swtk.info. IN AAAA
>
> ;; Query time: 0 msec
> ;; SERVER: 192.168.10.1#53(192.168.10.1)
> ;; WHEN: Thu Aug 05 17:53:17 CEST 2021
> ;; MSG SIZE rcvd: 32
>
> This is an incorrect answer: the AAAA record does not exist and the
> status is NXDOMAIN instead of NODATA
>
> The relevant logs are:
>
> Aug 5 17:52:24 dnsmasq[1007]: started, version 2.78-23-g9e09429 cachesize 150
> Aug 5 17:52:24 dnsmasq[1007]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> Aug 5 17:52:24 dnsmasq-dhcp[1007]: DHCP, IP range 192.168.2.30 -- 192.168.2.50, lease time 1d
> Aug 5 17:52:24 dnsmasq-dhcp[1007]: DHCP, IP range 192.168.10.50 -- 192.168.10.254, lease time 1d
> Aug 5 17:52:24 dnsmasq[1007]: using nameserver 1.1.1.1#53 for domain orange.fr
> Aug 5 17:52:24 dnsmasq[1007]: using nameserver 8.8.4.4#53
> Aug 5 17:52:24 dnsmasq[1007]: using nameserver 1.1.1.1#53
> Aug 5 17:52:24 dnsmasq[1007]: using nameserver 1.0.0.1#53
> Aug 5 17:52:24 dnsmasq[1007]: using local addresses only for domain swtk.info
> Aug 5 17:52:24 dnsmasq[1007]: using local addresses only for domain 10.168.192.in-addr.arpa
> Aug 5 17:52:24 dnsmasq[1007]: read /etc/hosts - 8 addresses
> Aug 5 17:52:32 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> Aug 5 17:52:32 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> Aug 5 17:52:32 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> Aug 5 17:52:32 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> Aug 5 17:52:33 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> Aug 5 17:52:33 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> Aug 5 17:52:33 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> Aug 5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
>
>
> Would anything else be of interest?
>
> Thank you!
>
> On Thu, 5 Aug 2021 at 17:09, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
> There's lots of code in dnsmasq which tries to get this right.
>
> eg.
>
> forward AAAA upstream
> upstream replies with NXDOMAIN
> dnsmasq checks if it knows data for other record types like A and if so
> rewrites NXDOMAIN to NODATA.
>
> TLDR; We thought of this, and we think it works correctly. If you've
> found a specific case where it isn't working, we'll need more
> information on exactly what that case is, and what version of dnsmasq
> you're running.
>
> Setting --log-queries, demonstrating the problem, then sending the logs,
> would be a good start.
>
>
> cheers,
>
> Simon.
>
>
> On 04/08/2021 20:42, Wojtek Swiatek wrote:
> > Hello everyone
> >
> > I noticed that my dnsmasq server is sending an NXDOMAIN instead of
> > a NODATA when I query it for AAAA records it does not have.
> >
> > This is, I believe, not the correct behaviour
> > (https://datatracker.ietf.org/doc/html/rfc2308 - see 1 Terminology →
> > NODATA) and that response breaks queries that otherwise would have tried
> > the A record. See for instance
> > https://kc.mcafee.com/corporate/index?page=content&id=KB73433&actp=LIST
> >
> > As a workaround: is there a way to automatically populate AAAA
> > records together with the A ones (from DHCP)?
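A log check for the condition diagnosed in this thread, as an added example that is not part of the original messages or of dnsmasq: it reads `--log-queries` output and reports names that were answered with NXDOMAIN for one query type while data was returned for another. The sample lines are constructed in the format of the logs quoted above; `nohost.example.test` and the function name are hypothetical, and treating results that begin with `NODATA` as empty answers is an assumption about how fixed versions log them.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the --log-queries output quoted above.
SAMPLE_LOG = """\
Aug 5 17:52:32 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
Aug 5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
Aug 5 17:52:32 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
Aug 5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
Aug 5 17:52:40 dnsmasq[1007]: query[A] nohost.example.test from 192.168.10.2
Aug 5 17:52:40 dnsmasq[1007]: config nohost.example.test is NXDOMAIN
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from \S+")
# "<source> <name> is <result>", e.g. "config mqtt.swtk.info is NXDOMAIN"
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: (\S+) (\S+) is (\S+)")


def find_nxdomain_conflicts(log_text):
    """Return names that got NXDOMAIN for one qtype and data for another.

    A name that has data for any type exists, so the empty type should have
    been answered NOERROR with no records (NODATA, RFC 2308), not NXDOMAIN.
    """
    last_qtype = {}              # name -> qtype of the most recent query seen
    nxdomain = defaultdict(set)  # name -> qtypes answered NXDOMAIN
    data = defaultdict(set)      # name -> qtypes answered with a record
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_qtype[m.group(2).lower()] = m.group(1)
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue
        name, result = m.group(2).lower(), m.group(3)
        qtype = last_qtype.get(name, "?")
        if result == "NXDOMAIN":
            nxdomain[name].add(qtype)
        elif not result.startswith("NODATA"):  # assumption: NODATA* = empty answer
            data[name].add(qtype)
    return {n: {"nxdomain": sorted(nxdomain[n]), "data": sorted(data[n])}
            for n in nxdomain if data.get(n)}


if __name__ == "__main__":
    for name, seen in find_nxdomain_conflicts(SAMPLE_LOG).items():
        print(f"{name}: NXDOMAIN for {seen['nxdomain']}, data for {seen['data']}")
```

A name that only ever receives NXDOMAIN, like the constructed `nohost.example.test`, is not reported, since nothing in the log shows that it exists.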