[Dnsmasq-discuss] When HTTPS is added to rr-types of --cache-rr and --nonegcache is active non-HTTPS responses to HTTPS queries are not cached

Geert Stappers stappers at stappers.nl
Wed Jul 9 08:24:27 UTC 2025


On Wed, Jul 09, 2025 at 12:19:35AM -0400, Jay Guerette wrote:
> Running dnsmasq 2.90 on Fedora 42.
> 
> To reproduce:
> - verify caching is active and working
> - add cache-rr=HTTPS to your conf
> - verify no-negcache is NOT active in your conf
> - reload or restart dnsmasq
> - do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
> - verify the 2nd IN HTTPS response is served from cache
> - do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 www.example.com
> - verify the 2nd IN CNAME response is served from cache
> - enable no-negcache in your conf
> - reload or restart dnsmasq
> - do _two_ digs for ietf.org: dig -t HTTPS @127.0.0.1 www.ietf.org
> - verify the 2nd IN HTTPS response is served from cache
> - do _two_ digs to example.com: dig -t HTTPS @127.0.0.1 www.example.com
> - observe the 2nd IN CNAME response is *NOT* served from cache
 
Quoting manual page of dnsmasq

       -N, --no-negcache
              Disable negative caching.  Negative  caching
              allows  dnsmasq to remember "no such domain"
              answers from upstream nameservers and answer
              identical  queries  without  forwarding them
              again.

> Firefox is requesting an HTTPS record for every host name and almost all
> return IN CNAME instead of IN HTTPS so almost none are cached.
> 
> I don't think that a CNAME response to an HTTPS request is a negative
> response and expect that it would be cached.
 

I think that dnsmasq works as designed.



Groeten
Geert Stappers
-- 
Silence is hard to parse
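An added check, not part of the thread above: judging "served from cache" by dig's query time or a shrinking TTL is unreliable when the upstream is itself a caching resolver. With --log-queries, dnsmasq writes a "forwarded NAME to UPSTREAM" line when it sends a query upstream and a "cached NAME is ..." line when it answers from its own cache, so the log is the authoritative record. The script below classifies each name from such a log. The sample log is constructed to mirror the behaviour reported in the message (second HTTPS query for www.ietf.org answered from cache, second HTTPS query for www.example.com forwarded again); the exact rendering of the answer after "is" (shown here as <HTTPS> / <CNAME>) is an assumption and is not what the functions key on.

```shell
#!/bin/sh
# Added example: classify dnsmasq --log-queries output per name.
# Not code from the thread or from the dnsmasq project.
# Relies only on the "forwarded NAME to" and "cached NAME is" log tokens.
# Point DNSMASQ_LOG at a real log file to analyse a live capture;
# otherwise the constructed sample below is used.

SAMPLE_LOG='dnsmasq[1234]: query[HTTPS] www.ietf.org from 127.0.0.1
dnsmasq[1234]: forwarded www.ietf.org to 192.0.2.53
dnsmasq[1234]: reply www.ietf.org is <HTTPS>
dnsmasq[1234]: query[HTTPS] www.ietf.org from 127.0.0.1
dnsmasq[1234]: cached www.ietf.org is <HTTPS>
dnsmasq[1234]: query[HTTPS] www.example.com from 127.0.0.1
dnsmasq[1234]: forwarded www.example.com to 192.0.2.53
dnsmasq[1234]: reply www.example.com is <CNAME>
dnsmasq[1234]: query[HTTPS] www.example.com from 127.0.0.1
dnsmasq[1234]: forwarded www.example.com to 192.0.2.53
dnsmasq[1234]: reply www.example.com is <CNAME>'

# Emit the log text: a real file if DNSMASQ_LOG is set, else the sample.
log_lines() {
    if [ -n "${DNSMASQ_LOG:-}" ]; then
        cat -- "$DNSMASQ_LOG"
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi
}

# count_forwarded NAME -> how many queries for NAME went upstream
count_forwarded() {
    log_lines | grep -cF "forwarded $1 to " || true
}

# count_cached NAME -> how many queries for NAME were answered from cache
count_cached() {
    log_lines | grep -cF "cached $1 is " || true
}

# verdict NAME -> cached | forwarded | unknown, based on the most recent
# forwarded/cached line for NAME (tail exits 0 even on empty input, so
# this is safe under set -e)
verdict() {
    last=$(log_lines | grep -E "(forwarded|cached) $1 " | tail -n 1)
    case "$last" in
        *" forwarded $1 "*) echo forwarded ;;
        *" cached $1 "*)    echo cached ;;
        *)                  echo unknown ;;
    esac
}

# Summary for the names used in the reproduction steps.
for name in www.ietf.org www.example.com; do
    printf '%s: forwarded=%s cached=%s last=%s\n' "$name" \
        "$(count_forwarded "$name")" "$(count_cached "$name")" "$(verdict "$name")"
done
```

Run it against a live dnsmasq with `DNSMASQ_LOG=/path/to/log` (for journald, `journalctl -u dnsmasq > /tmp/dnsmasq.log` first). A name whose second query shows `forwarded=2 cached=0` was not served from cache, which is exactly the distinction the reproduction steps ask you to observe.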


