[Dnsmasq-discuss] When HTTPS is added to rr-types of --cache-rr and --nonegcache is active non-HTTPS responses to HTTPS queries are not cached
Geert Stappers
stappers at stappers.nl
Wed Jul 9 08:24:27 UTC 2025
On Wed, Jul 09, 2025 at 12:19:35AM -0400, Jay Guerette wrote:
> Running dnsmasq 2.90 on Fedora 42.
>
> To reproduce:
> - verify caching is active and working
> - add cache-rr=HTTPS to your conf
> - verify no-negcache is NOT active in your conf
> - reload or restart dnsmasq
> - do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
> - verify the 2nd IN HTTPS response is served from cache
> - do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 www.example.com
> - verify the 2nd IN CNAME response is served from cache
> - enable no-negcache in your conf
> - reload or restart dnsmasq
> - do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
> - verify the 2nd IN HTTPS response is served from cache
> - do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 www.example.com
> - observe the 2nd IN CNAME response is *NOT* served from cache
Quoting the manual page of dnsmasq:
-N, --no-negcache
Disable negative caching. Negative caching
allows dnsmasq to remember "no such domain"
answers from upstream nameservers and answer
identical queries without forwarding them
again.
> Firefox is requesting an HTTPS record for every host name and almost all
> return IN CNAME instead of IN HTTPS so almost none are cached.
>
> I don't think that a CNAME response to an HTTPS request is a negative
> response and expect that it would be cached.
I think that dnsmasq works as designed.
Greetings
Geert Stappers
--
Silence is hard to parse
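A small shell helper, added here as an example and not part of this thread or of dnsmasq, that parses `dig` output to check the two things the reproduction steps above verify by eye: whether the second answer came back from the cache, and whether the ANSWER section carries an HTTPS or a CNAME record. It assumes the usual `dig` output layout and treats a reported query time of 0 msec as a cache hit, which is a heuristic and not something dnsmasq guarantees; the two sample responses embedded in the script are constructed, not captured from a running dnsmasq.

```shell
#!/bin/sh
# Added example, not code from the thread or from dnsmasq.
# Pipe real dig output into classify_dig, e.g.
#   dig -t HTTPS @127.0.0.1 www.example.com | classify_dig
# Assumption: a "Query time: 0 msec" line means the answer was served from
# dnsmasq's cache (heuristic: a forwarded query normally takes longer).

# Print the record types found in the ANSWER section, sorted and unique,
# space-separated on one line (empty if there is no ANSWER section).
answer_types() {
  awk '
    /^;; ANSWER SECTION:/ { inans = 1; next }
    /^;;/                 { inans = 0 }
    inans && $3 == "IN"   { print $4 }
  ' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# Print "hit" for a zero query time, "miss" otherwise, "unknown" if absent.
cache_state() {
  awk '
    /^;; Query time:/ { found = 1; s = ($4 + 0 == 0) ? "hit" : "miss"; print s }
    END               { if (!found) print "unknown" }
  '
}

# Summarise one dig run as "<hit|miss|unknown> <types>", e.g. "hit CNAME".
classify_dig() {
  _out=$(cat)
  _state=$(printf '%s\n' "$_out" | cache_state)
  _types=$(printf '%s\n' "$_out" | answer_types)
  printf '%s %s\n' "$_state" "${_types:-NONE}"
}

# Constructed sample responses (not captured from a real dnsmasq).
SAMPLE_HTTPS_HIT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; QUESTION SECTION:
;www.ietf.org.                  IN      HTTPS

;; ANSWER SECTION:
www.ietf.org.           1800    IN      HTTPS   1 . alpn="h2"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'

SAMPLE_CNAME_MISS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5678
;; QUESTION SECTION:
;www.example.com.               IN      HTTPS

;; ANSWER SECTION:
www.example.com.        300     IN      CNAME   example.com.

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)'

# Demo on the constructed samples when run directly.
printf 'sample 1: %s\n' "$(printf '%s\n' "$SAMPLE_HTTPS_HIT" | classify_dig)"
printf 'sample 2: %s\n' "$(printf '%s\n' "$SAMPLE_CNAME_MISS" | classify_dig)"
```

Running the two `dig` commands from the steps above and piping each into `classify_dig` gives a one-line verdict per query, so the difference between the cached HTTPS answer and the non-cached CNAME answer shows up without reading the full output by hand.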