[Dnsmasq-discuss] [PATCH] Fix local host records being overridden by upstream NXDOMAIN
Dominik Derigs
dl6er at dl6er.de
Sat May 16 07:50:57 UTC 2026
Hi Simon,
we've found a bug where locally-configured hostnames (from /etc/hosts,
DHCP leases, or host-record) can return NXDOMAIN to clients instead of
the expected local answer. The attached patch fixes this.
The problem has two parts:
1) When a client queries a local hostname for a record type that has no
local answer (e.g. AAAA when only an A record exists in /etc/hosts),
answer_request() returns 0 and the query is forwarded upstream. Since
the domain only exists locally, upstream returns NXDOMAIN. The correct
response would be NODATA -- the domain exists, it just doesn't have a
record of the requested type.
This is particularly visible with modern Linux resolvers like
systemd-resolved as they routinely send AAAA and A queries independently
at the same time. Most often, modern versions also issue HTTPS queries.
The NXDOMAIN response to the AAAA/HTTPS query can cause the client to
treat the entire domain as non-existent, even though the A answer comes
back correctly.
2) There is already a safety net in process_reply() that converts
upstream NXDOMAIN to NODATA for locally-known domains. However, this
conversion is inside the !bogusanswer gate (line 793 on current master),
so it is skipped when DNSSEC validation fails. For local hostnames under
publicly-signed domains, the upstream NXDOMAIN proof can fail
validation, bypassing the safety net.
The fix:
- In answer_request(): before the final `return 0`, check whether the
domain has any local record with F_HOSTS/F_DHCP/F_CONFIG. If so, return
NODATA instead of forwarding. This prevents the upstream query entirely.
- In process_reply(): move the NXDOMAIN-to-NODATA conversion for
locally-known domains before the bogusanswer check, so it applies
regardless of DNSSEC validation status. Local host records are
authoritative for domain existence.
Originally reported and investigated by me in
https://github.com/pi-hole/FTL/issues/2841
Cheers,
Dominik
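To make the two decision points in the report concrete, here is a small Python model of them. It is an added example, not dnsmasq's code and not part of the original message: the functions answer_request() and process_reply() below only share their names with dnsmasq's, the local records, the upstream resolver and the resolve()/parallel_client_queries() helpers are constructed for the demonstration, and the fixed= flag switches between the pre-patch and post-patch ordering the report describes. What dnsmasq does with a bogus (DNSSEC-failed) reply after the NXDOMAIN-to-NODATA conversion is deliberately not modelled.

```python
"""Added example, not dnsmasq code: a toy model of the two decision points
the report describes, answer_request() and process_reply(), used to show
why a name that exists locally must yield NODATA rather than NXDOMAIN.
All names, records and helper functions below are constructed for the
demonstration; dnsmasq's real functions have different signatures."""

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"

# Constructed local data of the kind dnsmasq loads from /etc/hosts, DHCP
# leases or host-record lines. 'printer.lan' has only an A record, which is
# exactly the case the report describes (A present, AAAA/HTTPS absent).
LOCAL_RECORDS = {
    "printer.lan": {"A": ["192.168.1.50"]},
    "nas.lan": {"A": ["192.168.1.60"], "AAAA": ["fd00::60"]},
}


def _key(qname):
    return qname.lower().rstrip(".")


def answer_request(qname, qtype, local=LOCAL_RECORDS, fixed=True):
    """Model of dnsmasq's answer_request().

    Returns (rcode, rrset) for a local answer, or None when the query must be
    forwarded upstream. With fixed=False the pre-patch behaviour is modelled:
    a locally-known name with no record of the requested type is forwarded."""
    rrsets = local.get(_key(qname))
    if rrsets is None:
        return None                          # unknown locally: forward
    if qtype in rrsets:
        return (NOERROR, rrsets[qtype])      # positive local answer
    if fixed:
        # Name exists locally (F_HOSTS/F_DHCP/F_CONFIG in dnsmasq's terms)
        # but has no record of this type: NODATA, and no upstream query.
        return (NOERROR, [])
    return None                              # old behaviour: forward anyway


def process_reply(qname, rcode, bogus, local=LOCAL_RECORDS, fixed=True):
    """Model of the NXDOMAIN->NODATA safety net in process_reply().

    'bogus' stands for a failed DNSSEC validation of the upstream reply.
    Pre-patch (fixed=False) the conversion sits inside the !bogusanswer gate
    and is skipped for bogus replies; post-patch it runs first. What dnsmasq
    does with the bogus reply afterwards is not modelled here."""
    known_locally = _key(qname) in local
    if fixed and rcode == NXDOMAIN and known_locally:
        return NOERROR                       # local records are authoritative
    if not bogus and rcode == NXDOMAIN and known_locally:
        return NOERROR                       # old safety net, gated on !bogus
    return rcode


def upstream_lookup(qname, qtype):
    """Constructed upstream resolver: knows nothing about *.lan names."""
    if _key(qname).endswith(".lan"):
        return (NXDOMAIN, [])
    return (NOERROR, ["203.0.113.7"] if qtype == "A" else [])


def resolve(qname, qtype, bogus=False, fixed=True):
    """Full path a client query takes: local answer, or forward plus the
    reply fix-up. Returns the rcode the client finally sees."""
    local_answer = answer_request(qname, qtype, fixed=fixed)
    if local_answer is not None:
        return local_answer[0]
    rcode, _ = upstream_lookup(qname, qtype)
    return process_reply(qname, rcode, bogus, fixed=fixed)


def parallel_client_queries(qname, fixed=True, bogus=False):
    """What a systemd-resolved style client sees when it sends A, AAAA and
    HTTPS queries for the same name at the same time."""
    return {qtype: resolve(qname, qtype, bogus=bogus, fixed=fixed)
            for qtype in ("A", "AAAA", "HTTPS")}


if __name__ == "__main__":
    for fixed in (False, True):
        label = "post-patch" if fixed else "pre-patch "
        print(label, parallel_client_queries("printer.lan", fixed=fixed, bogus=True))
```

Running the block prints the pre-patch result, where the A query is answered locally but the parallel AAAA and HTTPS queries come back NXDOMAIN once the upstream proof fails validation, and the post-patch result, where all three return NOERROR (the AAAA/HTTPS ones as NODATA) without an upstream query being sent at all.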
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-local-host-records-being-overridden-by-upstream-.patch
Type: text/x-patch
Size: 3865 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20260516/c7fab45d/attachment.bin>