Dave Ewart wrote:

I've now worked out exactly what DNS request 'poisons' the dnsmasq
cache.  (This appears to be completely reproducible, although it is
possible there are other, related queries which might have the same
effect.)

After doing a tcpdump, it became clear that the cache became poisoned
after dnsmasq received an 'ANY' request for the system with the
split-horizon setup.

i.e.

$ host apollo
apollo.ceu.ox.ac.uk has address 10.99.0.2
$ host -t any apollo
apollo.ceu.ox.ac.uk has address 163.1.168.2
$ host apollo
apollo.ceu.ox.ac.uk has address 10.99.0.2
apollo.ceu.ox.ac.uk has address 163.1.168.2

etc.

The tcpdump shows that during the 'any' request, the dnsmasq host cannot
serve it (presumably because it only has an 'A' record?) and the request
is forwarded to the upstream DNS server, which returns the public IP,
which then gets included in the cache.

Is this the expected behaviour of dnsmasq in these circumstances?
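
A toy model of the behaviour reported above (an added example, not dnsmasq's code or the session from the report): a hosts-backed forwarder that only answers locally when the exact record type is present, so an ANY query for the split-horizon name is forwarded upstream and the public address lands in the cache, alongside a hardened mode (the `local_wins` flag) where a locally known name is never forwarded. The name, addresses and the upstream stub are constructed for the example.

```python
# Constructed data: the internal (hosts-file) view and the public upstream view
LOCAL_HOSTS = {"apollo.ceu.ox.ac.uk": {"A": {"10.99.0.2"}}}
UPSTREAM = {"apollo.ceu.ox.ac.uk": {"A": {"163.1.168.2"}}}


def upstream_lookup(name, qtype):
    """Stub for the upstream server: returns {rrtype: {rdata, ...}} for name."""
    records = UPSTREAM.get(name, {})
    if qtype == "ANY":
        return {t: set(v) for t, v in records.items()}
    return {qtype: set(records.get(qtype, set()))}


class Forwarder:
    def __init__(self, local_wins=False):
        self.local_wins = local_wins  # hardened: local names never go upstream
        self.cache = {}               # name -> {rrtype: {rdata, ...}}

    def query(self, name, qtype):
        local = LOCAL_HOSTS.get(name, {})
        cached = self.cache.get(name, {})
        # Vulnerable rule: serve locally only if that exact type exists, so an
        # ANY query for a hosts-file name is not matched and falls through.
        # Hardened rule: any locally known name is answered locally for all types.
        if local and (self.local_wins or qtype in local):
            types = local if qtype == "ANY" else {qtype: local.get(qtype, set())}
            # Local data is merged with whatever upstream data is already cached
            return {r for t in types for r in local.get(t, set()) | cached.get(t, set())}
        # Forward upstream and cache the answer under the same name
        answer = upstream_lookup(name, qtype)
        entry = self.cache.setdefault(name, {})
        for t, rdata in answer.items():
            entry.setdefault(t, set()).update(rdata)
        return {r for rdata in answer.values() for r in rdata}


def reproduce(local_wins):
    """Run the A / ANY / A sequence from the report; return the three answer sets."""
    fwd = Forwarder(local_wins)
    name = "apollo.ceu.ox.ac.uk"
    return [fwd.query(name, "A"), fwd.query(name, "ANY"), fwd.query(name, "A")]


if __name__ == "__main__":
    print("vulnerable:", reproduce(False))
    print("hardened:  ", reproduce(True))
```

In the vulnerable mode the third answer contains both the internal and the public address, exactly as in the report; with `local_wins` the public address never enters the cache.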


Did we ever establish which version you are using? ISTR that you are using Debian "woody", and maybe therefore the very old 1.4 dnsmasq release. If that's the case, then yes, I would expect that behaviour, and the fix is to upgrade to dnsmasq 2.22 in "sarge". If you are using dnsmasq 2.22 then I'm very interested, since this problem was long ago thought to be fixed in the 2.x series.

If needs be the Debian dnsmasq-2.22_2 package will build from source and run quite successfully on a Woody system.

HTH

Simon.


