[Dnsmasq-discuss] Nonexistent AAAA records return NXDOMAIN instead of NODATA
Sven Geuer
sge at debian.org
Fri Jun 28 15:17:20 UTC 2024
Hi Dimitry,
On Fri, 2024-06-28 at 15:38 +0200, Dimitry Andric wrote:
> On 28 Jun 2024, at 00:02, Buck Horn via Dnsmasq-discuss
> <dnsmasq-discuss at lists.thekelleys.org.uk> wrote:
> >
> > On 27.06.24 22:13, Dimitry Andric wrote:
> > > In particular, this happens when dnsmasq serves a --local domain, and
> > > 'fixed' hosts are defined with --address entries having _only_ an IPv4
> > > address.
> > >
> > > For example, if dnsmasq.conf contains:
> > >
> > > no-daemon
> > > log-queries
> > >
> > > domain=example.com
> > > interface=eth0
> > > server=1.1.1.1
> > > local=/example.com/
> > >
> > > address=/foo.example.com/10.1.2.3
> > > address=/bar.example.com/10.1.2.3
> >
> >
> > Your address literals are more specific than your 'local=' declarations.
> >
> > Did you try to actually '...match the specified address literal...' yet?
> >
> > local=/foo.example.com/
> > local=/bar.example.com/
> >
> > address=/foo.example.com/10.1.2.3
> > address=/bar.example.com/10.1.2.3
>
> Sure, that also appears to work. I just don't know what the preferred
> syntax is for declaring hosts that have fixed IP addresses, as opposed
> to hosts that get addresses dynamically via DHCP.
>
> I.e. the original dnsmasq config file was written by someone who was
> convinced that the way to serve up an internal company domain (which
> uses DHCP for most hosts, fixed addresses for some other hosts) was
> something like:
>
> dhcp-host=foo,10.1.2.3
> dhcp-host=bar,10.1.2.4
> dhcp-host=baz,10.1.2.5
> dhcp-option=eth0,3,10.1.2.1
> dhcp-range=eth0,10.1.2.50,10.1.2.254,255.255.255.0
> domain=internal.example.com
> interface=eth0
> local=/internal.example.com/
> server=1.1.1.1
> address=/foo.internal.example.com/10.1.2.3
> address=/bar.internal.example.com/10.1.2.4
> address=/baz.internal.example.com/10.1.2.5
>
> That used to work fine with dnsmasq 2.80, but with 2.90 it started
> returning NXDOMAINs.
>
> -Dimitry
Please (re-)read the manual page:
[...]
-A, --address=/<domain>[/<domain>...]/[<ipaddr>]
    Specify an IP address to return for any host in the given domains.
    A (or AAAA) queries in the domains are never forwarded and always
    replied to with the specified IP address which may be IPv4 or IPv6.
    To give multiple addresses or both IPv4 and IPv6 addresses for a
    domain, use repeated --address flags. Note that /etc/hosts and DHCP
    leases override this for individual names. A common use of this is
    to redirect the entire doubleclick.net domain to some friendly
    local web server to avoid banner ads. The domain specification
    works in the same way as for --server, with the additional facility
    that /#/ matches any domain. Thus --address=/#/1.2.3.4 will always
    return 1.2.3.4 for any query not answered from /etc/hosts or DHCP
    and not sent to an upstream nameserver by a more specific --server
    directive. As for --server, one or more domains with no address
    returns a no-such-domain answer, so --address=/example.com/ is
    equivalent to --server=/example.com/ and returns NXDOMAIN for
    example.com and all its subdomains. An address specified as '#'
    translates to the NULL address of 0.0.0.0 and its IPv6 equivalent
    of :: so --address=/example.com/# will return NULL addresses for
    example.com and its subdomains. This is partly syntactic sugar for
    --address=/example.com/0.0.0.0 and --address=/example.com/:: but is
    also more efficient than including both as separate configuration
    lines. Note that NULL addresses normally work in the same way as
    localhost, so beware that clients looking up these names are likely
    to end up talking to themselves.

    Note that the behaviour for queries which don't match the specified
    address literal changed in version 2.86. Previous versions,
    configured with (eg) --address=/example.com/1.2.3.4 and then
    queried for a RR type other than A would return a NoData answer.
    From 2.86, the query is sent upstream. To restore the pre-2.86
    behaviour, use the configuration --address=/example.com/1.2.3.4
    --local=/example.com/
[...]
Regards,
Sven
--
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585
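
The thread turns on telling NXDOMAIN apart from NODATA in a resolver's reply. The following is an added example, not code from this thread or from dnsmasq: a small Python classifier for raw DNS replies, where NODATA means RCODE 0 with no record of the queried type (RFC 2308). The function names and the `sample_reply` helper that fabricates replies are hypothetical, and the sample messages are constructed.

```python
import struct

TYPE_A, TYPE_AAAA = 1, 28

def build_query(name, qtype, txid=0x1234):
    """Encode a minimal DNS query: RD set, one question, class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:              # root label ends the name
            return off

def classify(msg):
    """Classify a raw reply as ANSWER, NODATA, NXDOMAIN or RCODE=<n>."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount = struct.unpack("!4H", msg[:8])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"            # the name does not exist for any type
    if rcode != 0:
        return f"RCODE={rcode}"
    off, qtype = 12, None
    for _ in range(qdcount):         # read the queried type from the question
        off = skip_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4
    for _ in range(ancount):         # look for a record of the queried type
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == qtype:
            return "ANSWER"
        off += 10 + rdlen
    return "NODATA"                  # NOERROR, but nothing of the queried type

def sample_reply(query, rcode, answers=b"", ancount=0):
    """Constructed test reply: echo the question, set QR/RD/RA and the rcode."""
    return query[:2] + struct.pack("!5H", 0x8180 | rcode, 1, ancount, 0, 0) + query[12:] + answers
```

To check a running resolver, send the bytes from `build_query("foo.example.com", TYPE_AAAA)` over UDP to port 53 and pass the reply to `classify`.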