[Dnsmasq-discuss] When HTTPS is added to rr-types of --cache-rr and --nonegcache is active non-HTTPS responses to HTTPS queries are not cached

Jay Guerette jayguerette at gmail.com
Wed Jul 9 04:19:35 UTC 2025


Running dnsmasq 2.90 on Fedora 42.

To reproduce:
- verify caching is active and working
- add cache-rr=HTTPS to your conf
- verify no-negcache is NOT active in your conf
- reload or restart dnsmasq
- do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
- verify the 2nd IN HTTPS response is served from cache
- do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 www.example.com
- verify the 2nd IN CNAME response is served from cache
- enable no-negcache in your conf
- reload or restart dnsmasq
- do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
- verify the 2nd IN HTTPS response is served from cache
- do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 www.example.com
- observe the 2nd IN CNAME response is *NOT* served from cache

Firefox is requesting an HTTPS record for every host name and almost all 
return IN CNAME instead of IN HTTPS so almost none are cached.

I don't think that a CNAME response to an HTTPS request is a negative 
response and expect that it would be cached.
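
Added example, not part of the original post or of dnsmasq: one way to carry out the "served from cache" checks in the steps above, by classifying each query in a dnsmasq query log as answered from cache or forwarded upstream. It assumes query logging (log-queries) is enabled and that log lines have the shape shown in the constructed sample; the function names are hypothetical.

```python
import re

# Constructed sample of a dnsmasq query log taken with no-negcache enabled.
# The line shapes are an assumption; compare them with your own log first.
SAMPLE_LOG = """\
dnsmasq[812]: query[HTTPS] www.ietf.org from 127.0.0.1
dnsmasq[812]: forwarded www.ietf.org to 192.0.2.53
dnsmasq[812]: reply www.ietf.org is <HTTPS>
dnsmasq[812]: query[HTTPS] www.ietf.org from 127.0.0.1
dnsmasq[812]: cached www.ietf.org is <HTTPS>
dnsmasq[812]: query[HTTPS] www.example.com from 127.0.0.1
dnsmasq[812]: forwarded www.example.com to 192.0.2.53
dnsmasq[812]: reply www.example.com is <CNAME>
dnsmasq[812]: query[HTTPS] www.example.com from 127.0.0.1
dnsmasq[812]: forwarded www.example.com to 192.0.2.53
dnsmasq[812]: reply www.example.com is <CNAME>
"""

QUERY = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from ")
EVENT = re.compile(r": (?P<kind>forwarded|cached) (?P<name>\S+) ")


def classify_queries(log_text):
    """Return (qtype, name, source) per query; source is upstream, cache or unknown."""
    results, latest = [], {}  # latest: name -> newest query entry for that name
    for line in log_text.splitlines():
        q = QUERY.search(line)
        if q:
            entry = [q["qtype"], q["name"].lower(), "unknown"]
            results.append(entry)
            latest[entry[1]] = entry
            continue
        e = EVENT.search(line)
        entry = latest.get(e["name"].lower()) if e else None
        if entry is None:
            continue
        if e["kind"] == "forwarded":
            entry[2] = "upstream"  # sent to an upstream server: not a cache hit
        elif entry[2] == "unknown":
            entry[2] = "cache"  # answered locally without forwarding
    return [tuple(r) for r in results]


def repeat_served_from_cache(log_text, qtype, name):
    """True if the second query for (qtype, name) was answered without forwarding."""
    hits = [s for t, n, s in classify_queries(log_text) if (t, n) == (qtype, name)]
    if len(hits) < 2:
        raise ValueError("need two queries for %s %s in the log" % (qtype, name))
    return hits[1] == "cache"
```

On the constructed sample, the repeated www.ietf.org query is classified as a cache hit and the repeated www.example.com query as forwarded again, which is the outcome the last four steps describe.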
