[Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency

yow1210 at riseup.net
Fri Feb 27 02:44:49 UTC 2026


I'm using the following configuration with dnsmasq to drop specific
types of DNS requests:

filter-rr=NS,MX,TXT,HTTPS,PTR

However, I have noticed that dnsmasq still sends these requests to the
upstream DNS server before filtering them out.
For example:

dnsmasq[830633]: query[TXT] nsa.gov from 127.0.0.1
dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353 <--
dnsmasq[830633]: config nsa.gov is NODATA
dnsmasq[830633]: config nsa.gov is NODATA
dnsmasq[830633]: query[HTTPS] nsa.gov from 127.0.0.1
dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353 <--
dnsmasq[830633]: reply nsa.gov is NODATA


The lines that state "forwarded" indicate that dnsmasq is querying the
upstream DNS server despite already knowing that the answer will
ultimately be dropped.
This behavior contradicts your documentation, which states: "Remove
records of the specified type(s) from answers."

Thus my proposal:

If the query type is already listed in `filter-rr`, I suggest that
dnsmasq should:
- Drop the request immediately without forwarding.
- Provide an immediate response such as "config nsa.gov is NODATA."

This change would enhance efficiency by eliminating unnecessary queries
to the upstream server, as well as preventing unnecessary leaks to an adversary.

Thank you for considering this suggestion.
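As an added example (not part of the original post and not dnsmasq's own code), the following Python script checks a dnsmasq log for exactly the behaviour reported above: queries whose type is listed in filter-rr but which still produce a "forwarded" line, i.e. the query reached the upstream resolver before being filtered. The configuration line and log lines embedded in it are constructed to match the format shown in the post. One assumption: because dnsmasq does not repeat the query type on its "forwarded" line, the script attributes each "forwarded <name>" line to the most recent "query[<type>] <name>" line for the same name.

```python
import re

# Query types the operator intends to filter, mirroring the post's
# filter-rr=NS,MX,TXT,HTTPS,PTR configuration line.
FILTERED_TYPES = {"NS", "MX", "TXT", "HTTPS", "PTR"}

# Patterns for the two dnsmasq log lines of interest, in the format
# shown in the post (pid prefix and timestamps are ignored).
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)
FORWARD_RE = re.compile(r"forwarded\s+(?P<name>\S+)\s+to\s+(?P<upstream>\S+)")


def parse_filter_rr(conf_text):
    """Collect the RR types named by filter-rr= lines of a dnsmasq config."""
    types = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("filter-rr="):
            value = line[len("filter-rr="):]
            types.update(t.strip().upper() for t in value.split(",") if t.strip())
    return types


def find_leaked_queries(log_lines, filtered_types):
    """Return filtered-type queries that were nevertheless forwarded upstream.

    Assumption: a 'forwarded <name>' line belongs to the most recent
    'query[<type>] <name>' line for the same name, since dnsmasq does not
    repeat the query type on the 'forwarded' line.
    """
    last_query = {}   # name -> (qtype, client) of the most recent query line
    leaks = []
    for line in log_lines:
        q = QUERY_RE.search(line)
        if q:
            last_query[q["name"]] = (q["qtype"], q["client"])
            continue
        f = FORWARD_RE.search(line)
        if f:
            qtype, client = last_query.get(f["name"], ("?", "?"))
            if qtype in filtered_types:
                leaks.append({
                    "qtype": qtype,
                    "name": f["name"],
                    "client": client,
                    "upstream": f["upstream"],
                })
    return leaks


# Constructed sample input: the lines quoted in the post, plus an A query
# that should legitimately be forwarded and must not be reported.
SAMPLE_CONF = "filter-rr=NS,MX,TXT,HTTPS,PTR\n"
SAMPLE_LOG = [
    "dnsmasq[830633]: query[TXT] nsa.gov from 127.0.0.1",
    "dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353",
    "dnsmasq[830633]: config nsa.gov is NODATA",
    "dnsmasq[830633]: config nsa.gov is NODATA",
    "dnsmasq[830633]: query[HTTPS] nsa.gov from 127.0.0.1",
    "dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353",
    "dnsmasq[830633]: reply nsa.gov is NODATA",
    "dnsmasq[830633]: query[A] example.com from 127.0.0.1",
    "dnsmasq[830633]: forwarded example.com to 127.0.0.1#5353",
    "dnsmasq[830633]: reply example.com is 192.0.2.1",
]


if __name__ == "__main__":
    for leak in find_leaked_queries(SAMPLE_LOG, parse_filter_rr(SAMPLE_CONF)):
        print(
            f"filtered {leak['qtype']} query for {leak['name']} from "
            f"{leak['client']} was still forwarded to {leak['upstream']}"
        )
```

Run against a real log (`journalctl -u dnsmasq` or the file named by `log-facility`, with `log-queries` enabled) by replacing SAMPLE_LOG with the log lines; any output line is a query type you configured to filter that still left the host.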


