[Dnsmasq-discuss] NXDOMAIN is sent instead of NODATA when querying for non-existent AAAA records

Wojtek Swiatek w at swtk.info
Thu Aug 5 18:24:41 UTC 2021


On Thu, 5 Aug 2021 at 19:41, Simon Kelley <simon at thekelleys.org.uk> wrote:

> OK. The problem is here: using local addresses only for domain swtk.info
>
> That's an easy spot because I just fixed this particular combination.
>
> I guess you have something like
>
> local=/swtk.info/
>
> and dnsmasq is using this to return NXDOMAIN without checking that it
> has more specific data for the query in other types.
>
> As a workaround, removing that configuration should make things work, at
> the expense of extra trips to the upstream servers.
>

Thank you. The problem is that swtk.info is also declared on .info so (if I
understand local= correctly), it would attempt to resolve mqtt.swtk.info on
the Internet, which would fail.

The local=/swtk.info/ and address=/swtk.info/192.168.10.2 combo fixes this.


>
> This should already be fixed in the development code: if it's possible
> for you to run
> https://thekelleys.org.uk/dnsmasq/test-releases/dnsmasq-2.86test6.tar.gz
> that should fix things, and doing so would be a useful test for me.
>

Unfortunately, since the dnsmasq binary I use is part of a router, I have
no way to use another version. Which, as I realize now, will be a major
problem anyway since the issue is not a matter of configuration.


>
>
> Cheers,
>
>
> Simon.
>
>
> On 05/08/2021 17:01, Wojtek Swiatek wrote:
> > Thank you Simon for the follow-up.
> >
> > I use dnsmasq on a Ubiquiti Edge router (ER-4), the version is
> >
> > root@ubnt:~# dnsmasq --version
> > Dnsmasq version 2.78-23-g9e09429  Copyright (c) 2000-2017 Simon Kelley
> > Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> >
> > I tried to query the A and AAAA record for a host which is part of my
> > internal domain, defined through a wildcard:
> > address=/swtk.info/192.168.10.2
> >
> > The requests are
> >
> > root@srv ~# dig -t A mqtt.swtk.info
> >
> > ; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t A mqtt.swtk.info
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56145
> > ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;mqtt.swtk.info.                        IN      A
> >
> > ;; ANSWER SECTION:
> > mqtt.swtk.info.         0       IN      A       192.168.10.2
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 192.168.10.1#53(192.168.10.1)
> > ;; WHEN: Thu Aug 05 17:53:12 CEST 2021
> > ;; MSG SIZE  rcvd: 48
> >
> > → this is a correct answer, A is present and status is NOERROR
> >
> > root@srv ~# dig -t AAAA mqtt.swtk.info
> >
> > ; <<>> DiG 9.11.3-1ubuntu1.15-Ubuntu <<>> -t AAAA mqtt.swtk.info
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15102
> > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;mqtt.swtk.info.                        IN      AAAA
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 192.168.10.1#53(192.168.10.1)
> > ;; WHEN: Thu Aug 05 17:53:17 CEST 2021
> > ;; MSG SIZE  rcvd: 32
> >
> > This is an incorrect answer: the AAAA record does not exist and the
> > status is NXDOMAIN instead of NODATA
> >
> > The relevant logs are:
> >
> > Aug  5 17:52:24 dnsmasq[1007]: started, version 2.78-23-g9e09429 cachesize 150
> > Aug  5 17:52:24 dnsmasq[1007]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > Aug  5 17:52:24 dnsmasq-dhcp[1007]: DHCP, IP range 192.168.2.30 -- 192.168.2.50, lease time 1d
> > Aug  5 17:52:24 dnsmasq-dhcp[1007]: DHCP, IP range 192.168.10.50 -- 192.168.10.254, lease time 1d
> > Aug  5 17:52:24 dnsmasq[1007]: using nameserver 1.1.1.1#53 for domain orange.fr
> > Aug  5 17:52:24 dnsmasq[1007]: using nameserver 8.8.4.4#53
> > Aug  5 17:52:24 dnsmasq[1007]: using nameserver 1.1.1.1#53
> > Aug  5 17:52:24 dnsmasq[1007]: using nameserver 1.0.0.1#53
> > Aug  5 17:52:24 dnsmasq[1007]: using local addresses only for domain swtk.info
> > Aug  5 17:52:24 dnsmasq[1007]: using local addresses only for domain 10.168.192.in-addr.arpa
> > Aug  5 17:52:24 dnsmasq[1007]: read /etc/hosts - 8 addresses
> > Aug  5 17:52:32 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> > Aug  5 17:52:32 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> > Aug  5 17:52:32 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> > Aug  5 17:52:32 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> > Aug  5 17:52:33 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> > Aug  5 17:52:33 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
> > Aug  5 17:52:33 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
> > Aug  5 17:52:33 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
> >
> >
> > Would anything else be of interest?
> >
> > Thank you!
> >
> > On Thu, 5 Aug 2021 at 17:09, Simon Kelley <simon at thekelleys.org.uk> wrote:
> >
> >     There's lots of code in dnsmasq which tries to get this right.
> >
> >     eg.
> >
> >     forward AAAA upstream
> >     upstream replies with NXDOMAIN
> >     dnsmasq checks if it knows data for other record types like A and if so
> >     rewrites NXDOMAIN to NODATA.
> >
> >     TLDR; We thought of this, and we think it works correctly. If you've
> >     found a specific case where it isn't working, we'll need more
> >     information on exactly what that case is, and what version of dnsmasq
> >     you're running.
> >
> >     Setting --log-queries, demonstrating the problem, then sending the logs,
> >     would be a good start.
> >
> >
> >     cheers,
> >
> >     Simon.
> >
> >
> >     On 04/08/2021 20:42, Wojtek Swiatek wrote:
> >     > Hello everyone
> >     >
> >     > I noticed that my dnsmasq server is sending an NXDOMAIN instead of
> >     > a NODATA when I query it for AAAA records it does not have.
> >     >
> >     > This is, I believe, not the correct behaviour
> >     > (https://datatracker.ietf.org/doc/html/rfc2308 - see 1 Terminology →
> >     > NODATA) and that response breaks queries that otherwise would have
> >     > tried the A record. See for instance
> >     > https://kc.mcafee.com/corporate/index?page=content&id=KB73433&actp=LIST
> >     >
> >     > As a workaround: is there a way to automatically populate AAAA
> >     > records together with the A ones (from DHCP)?
>
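
An added example, not part of the original thread: a check over `--log-queries` output that flags names answered NXDOMAIN for one record type while another type returned data, which is the symptom reported above. The sample log is constructed in the format quoted in the thread; `gone.lan.example` and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the --log-queries format quoted in the thread.
# gone.lan.example is a made-up name that has no records of any type.
SAMPLE_LOG = """\
Aug  5 17:52:32 dnsmasq[1007]: query[AAAA] mqtt.swtk.info from 192.168.10.2
Aug  5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is NXDOMAIN
Aug  5 17:52:32 dnsmasq[1007]: query[A] mqtt.swtk.info from 192.168.10.2
Aug  5 17:52:32 dnsmasq[1007]: config mqtt.swtk.info is 192.168.10.2
Aug  5 17:52:40 dnsmasq[1007]: query[A] gone.lan.example from 192.168.10.2
Aug  5 17:52:40 dnsmasq[1007]: config gone.lan.example is NXDOMAIN
Aug  5 17:52:41 dnsmasq[1007]: query[AAAA] gone.lan.example from 192.168.10.2
Aug  5 17:52:41 dnsmasq[1007]: config gone.lan.example is NXDOMAIN
"""

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from \S+")
# Assumption: answer lines have the shape "<source> <name> is <value>".
ANSWER = re.compile(r"dnsmasq\[\d+\]: \S+ (\S+) is (\S+)$")

def classify(value):
    if value == "NXDOMAIN":
        return "nxdomain"
    return "nodata" if value.startswith("NODATA") else "data"

def find_false_nxdomain(log_text):
    """Return {name: [qtypes answered NXDOMAIN]} for names that exist."""
    last_qtype = {}  # name -> type of the most recent query for it
    outcomes = defaultdict(lambda: defaultdict(set))  # name -> qtype -> results
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            last_qtype[m.group(2).lower()] = m.group(1)
            continue
        m = ANSWER.search(line)
        if m and m.group(1).lower() in last_qtype:
            # Heuristic: an answer line carries no type, so it is paired
            # with the latest query logged for the same name.
            name = m.group(1).lower()
            outcomes[name][last_qtype[name]].add(classify(m.group(2)))
    findings = {}
    for name, by_type in outcomes.items():
        # NXDOMAIN denies the name for every type, so data or NODATA for
        # any type of the same name contradicts it.
        exists = any(o & {"data", "nodata"} for o in by_type.values())
        denied = sorted(t for t, o in by_type.items() if "nxdomain" in o)
        if exists and denied:
            findings[name] = denied
    return findings

if __name__ == "__main__":
    print(find_false_nxdomain(SAMPLE_LOG))
```

A name that is NXDOMAIN for every queried type is not reported, since that answer is consistent.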