[Dnsmasq-discuss] Potential privacy issue: filter-rr inefficiency
Simon Kelley
simon at thekelleys.org.uk
Tue Mar 17 21:42:16 UTC 2026
There's a reason it's done this way.
Unless you do the upstream query, you can't, in general, know if the
answer should be NODATA or NXDOMAIN.
Guessing wrong NXDOMAIN is really bad; you'll lose answers for other
RRtypes.
Guessing wrong NODATA isn't so bad, you might make unnecessary queries
for other RRtypes. It's also lying to downstream, and that might come
back to bite you in unexpected ways.
Cheers,
Simon.
On 27.02.2026 02:44, yow1210 at riseup.net wrote:
> I'm using the following configuration with dnsmasq to drop specific
> types of DNS requests:
>
> filter-rr=NS,MX,TXT,HTTPS,PTR
>
> However, I have noticed that dnsmasq still sends these requests to the
> upstream DNS server before filtering them out.
> For example:
>
> dnsmasq[830633]: query[TXT] nsa.gov from 127.0.0.1
> dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353 <--
> dnsmasq[830633]: config nsa.gov is NODATA
> dnsmasq[830633]: config nsa.gov is NODATA
> dnsmasq[830633]: query[HTTPS] nsa.gov from 127.0.0.1
> dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353 <--
> dnsmasq[830633]: reply nsa.gov is NODATA
>
>
> The lines that state "forwarded" indicate that dnsmasq is querying the
> upstream DNS server despite already knowing that the answer will
> ultimately be dropped.
> This behavior contradicts your documentation, which states: "Remove
> records of the specified type(s) from answers."
>
> Thus my Proposal:
>
> If the query type is already listed in `filter-rr`, I suggest that
> dnsmasq should do:
> - Drop the request immediately without forwarding.
> - Provide an immediate response stating something like "config nsa.gov is NODATA".
>
> This change would enhance efficiency by eliminating unnecessary queries
> to the upstream server, as well as preventing unnecessary leaks to an
> adversary.
>
> Thank you for considering this suggestion.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
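The NODATA-versus-NXDOMAIN distinction in Simon's reply, worked through as an added illustration (this is not dnsmasq code and does not model its cache; the zone data, names and the three resolver variants are constructed for the example). It contrasts forwarding-then-filtering with the proposed local short-circuit, and shows what a downstream negative cache does when the local guess is NXDOMAIN instead of NODATA:

```python
"""
Why a resolver that filters RRtypes still needs the upstream answer before
it can reply correctly. Constructed example, not dnsmasq source.

Three behaviours for a query whose type is listed in filter-rr:
  forward_then_filter: ask upstream, then strip the filtered records
                       (what the reply above says dnsmasq does)
  short_circuit:       answer NODATA locally without asking upstream
                       (the proposal in the quoted message)
  guess_nxdomain:      answer NXDOMAIN locally without asking upstream
                       (the "really bad" guess in the reply)
"""

FILTER_RR = {"NS", "MX", "TXT", "HTTPS", "PTR"}

# Constructed upstream zone data: name -> {rrtype: [rdata, ...]}.
# A name absent from the dict does not exist at all (NXDOMAIN).
UPSTREAM = {
    "example.com.": {"A": ["192.0.2.1"], "TXT": ["v=spf1 -all"],
                     "MX": ["10 mail.example.com."]},
    "nodata.example.com.": {"A": ["192.0.2.2"]},   # exists, but has no TXT
}
MISSING = "missing.example.com."                   # no such name upstream


def upstream_query(name, rrtype):
    """Return ('NXDOMAIN', []), ('NODATA', []) or ('NOERROR', rdata list)."""
    if name not in UPSTREAM:
        return "NXDOMAIN", []
    rrs = UPSTREAM[name].get(rrtype, [])
    return ("NOERROR", rrs) if rrs else ("NODATA", [])


def forward_then_filter(name, rrtype):
    status, rrs = upstream_query(name, rrtype)
    if status == "NXDOMAIN":
        return "NXDOMAIN", []      # upstream says the name does not exist
    if rrtype in FILTER_RR:
        return "NODATA", []        # name exists; hide the filtered records
    return status, rrs


def short_circuit(name, rrtype):
    if rrtype in FILTER_RR:
        return "NODATA", []        # no upstream query, but a guess
    return upstream_query(name, rrtype)


def guess_nxdomain(name, rrtype):
    if rrtype in FILTER_RR:
        return "NXDOMAIN", []      # no upstream query, and a worse guess
    return upstream_query(name, rrtype)


class DownstreamCache:
    """Minimal negative cache in the RFC 2308 spirit (simplified, no TTLs):
    a cached NXDOMAIN covers every RRtype at that name, a cached NODATA
    covers only that one <name, type> pair."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.nxdomain = set()
        self.nodata = set()

    def query(self, name, rrtype):
        if name in self.nxdomain:
            return "NXDOMAIN", []
        if (name, rrtype) in self.nodata:
            return "NODATA", []
        status, rrs = self.resolver(name, rrtype)
        if status == "NXDOMAIN":
            self.nxdomain.add(name)
        elif status == "NODATA":
            self.nodata.add((name, rrtype))
        return status, rrs


def disagreements():
    """(name, type) pairs where the local NODATA guess differs from the
    forward-then-filter answer: the 'lying to downstream' case."""
    names = list(UPSTREAM) + [MISSING]
    return [(n, t) for n in names for t in ("A", "TXT")
            if forward_then_filter(n, t) != short_circuit(n, t)]


def lost_answers(resolver):
    """Ask TXT, then A, for every existing name through a fresh downstream
    cache; return the names whose A answer is lost after the TXT reply."""
    cache = DownstreamCache(resolver)
    lost = []
    for name in UPSTREAM:
        cache.query(name, "TXT")
        status, _ = cache.query(name, "A")
        if status != "NOERROR":
            lost.append(name)
    return lost


if __name__ == "__main__":
    print("NODATA guess disagrees with upstream for:", disagreements())
    for r in (forward_then_filter, short_circuit, guess_nxdomain):
        print(f"{r.__name__}: A records lost downstream = {lost_answers(r)}")
```

Only the nonexistent name separates the two NODATA behaviours: upstream would have said NXDOMAIN, the short-circuit says NODATA, and a downstream resolver that trusts the NODATA will keep asking about other types at a name that does not exist. Guessing NXDOMAIN instead avoids that extra traffic but, once cached downstream, takes the A records of every existing name with it.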