Hi Jukka,

>> If domain_append is set and forward_dns_reply() processes the response
>> for query without the domain name earlier than the response for one
>> with the domain name set we need to make sure that the response is
>> not sent back to the client if rcode and ancount are zero until the
>> last nameserver response is processed.

>This use case is not handled properly:
>
>- there are multiple DNS servers defined, some of them from ISP, user
>has also set his own DNS server that responds to some internal data
>- user queries a host without domain name that is only found in his own
>network
>- all the ISP name servers return "not found"
>- user's own dns server does not respond for some reason or the dns
>reply is lost
>
>What now happens is that the request timeouts and the user is given an
>error instead of more proper "not found" result.

My initial analysis on this bug was a bit wrong. This patch does not change the current way connman dnsproxy times out if the user's own nameserver reply gets lost or the server does not respond and the other servers send an NXDomain reply.

However, my patch resolves an issue when the dnsproxy query is a valid domain tld, e.g. com, bz, net, org or any other valid tld.

Example: User wants to resolve the A/AAAA record for bz.domain.tld, therefore connman queries first for bz and then for bz.domain.tld, and it should prefer the bz.domain.tld answer over the bz one if domain.tld is set as a search path. However, currently with 99% certainty the reply for bz will come earlier than the one for bz.domain.tld, and as it has rcode=0 and most probably ancount=0 (tlds don't usually have an A or AAAA record), it will be sent to the client, which is probably not what the user wanted.

My patch makes sure that in those cases the reply will not be sent to the client, as it does not provide any valid records.

Br,
Pasi
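
The rule discussed in this thread, as an added example that is not connman's code and not part of either message: a reply with rcode=0 and ancount=0 is held while other replies are still outstanding. The names `should_hold`, `first_forwarded` and the sample headers are hypothetical and constructed, and the sketch assumes a reply that is not held is forwarded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DNS_HDR_LEN 12

/* 1: hold the reply, 0: the rule does not apply, -1: too short to parse.
 * outstanding = upstream replies still expected after this one. */
int should_hold(const uint8_t *msg, size_t len, int outstanding)
{
    if (len < DNS_HDR_LEN)
        return -1;
    unsigned rcode = msg[3] & 0x0f;                       /* RCODE: low nibble of byte 3 */
    unsigned ancount = ((unsigned)msg[6] << 8) | msg[7];  /* ANCOUNT: bytes 6-7 */
    return rcode == 0 && ancount == 0 && outstanding > 0;
}

/* Walk replies in arrival order; index of the first one not held, or -1. */
int first_forwarded(const uint8_t replies[][DNS_HDR_LEN], int n)
{
    for (int i = 0; i < n; i++)
        if (should_hold(replies[i], DNS_HDR_LEN, n - 1 - i) == 0)
            return i;
    return -1;
}

/* Constructed headers: id, flags 0x8180 (response, RCODE=0), qd, an, ns, ar. */
static const uint8_t bare_first[2][DNS_HDR_LEN] = {
    { 0x12, 0x34, 0x81, 0x80, 0, 1, 0, 0, 0, 1, 0, 0 },  /* "bz": ancount=0 */
    { 0x12, 0x35, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0 },  /* "bz.domain.tld": ancount=1 */
};
static const uint8_t both_empty[2][DNS_HDR_LEN] = {
    { 0x12, 0x36, 0x81, 0x80, 0, 1, 0, 0, 0, 1, 0, 0 },
    { 0x12, 0x37, 0x81, 0x80, 0, 1, 0, 0, 0, 1, 0, 0 },
};

int main(void)
{
    printf("bare name answers first: reply %d is forwarded\n",
           first_forwarded(bare_first, 2));
    printf("both replies empty: reply %d is forwarded\n",
           first_forwarded(both_empty, 2));
    return 0;
}
```

In the second data set the last reply is released even though it is empty, so the client still receives a response once nothing else is pending.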