The behaviour of believing the first REFUSED answer has been changed for the forthcoming release.

There are a couple of long discussions about this on here.

Cheers,

Simon.

On 27/02/17 16:42, /dev/rob0 wrote:
> On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
>> On 27/02/17 13:31, Chris Novakovic wrote:
>>> On 27/02/17 10:04, Daniel Pocock wrote:
>>>>
>>>> I've observed the following problem:
>>>>
>>>> - dnsmasq is sending queries to 5 servers, one of them is not
>>>>   recursive and only answers for a private domain
>>>>
>>>> - if the first response dnsmasq receives comes from the
>>>>   non-recursive server (REFUSED), then dnsmasq is sending a
>>>>   REFUSED response to the client
>>>>
>>>> - dnsmasq subsequently receives a response from one of the
>>>>   recursive servers
>>>
>>> This is expected behaviour. One possibility is to configure
>>> dnsmasq to forward requests to the non-recursive server only
>>> for the private domain, e.g.:
>>>
>>> --server=/private.domain/non.recursive.server.ip
>>>
>>> and a matching --rev-server directive if appropriate.
>>
>> The router is running OpenWRT, I could make that change manually
>> but then I wouldn't be able to fully manage it with the GUI any
>> more.
>>
>> Can you confirm if this is the only way it can work according to
>> the DNS spec, or is it a dnsmasq design decision?
>
> --server without the domain specified MUST be a recursive server,
> willing to resolve your queries for any names.
>
> --server/domain.example/ip.add.re.ss will only send queries for
> domain.example (and *.domain.example) to ip.add.re.ss.
>
>> Could a software approach be taken by default, waiting to see if
>> any resolver provides a positive response before sending back
>> REFUSED to the client?
>
> I don't see a valid use case for this. You have a configuration
> error, by listing a non-recursive server among your upstream
> recursive servers.
>
> Perhaps the OpenWRT people didn't know enough about dnsmasq to
> support this situation, or perhaps they didn't care. But dnsmasq
> documentation of --server is clear enough about it.
>
> Another problem you will have is when one of the actual upstream
> recursive servers replies for "domain.example" with incorrect
> data.
>
> (Side note: simple is good; listing more recursive servers will
> generally not improve performance. If some of the servers you're
> listing are not reliable enough, try one of the Google Public DNS
> addresses, or run your own recursive resolver.)

Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
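The distinction drawn in the thread, between an unscoped `server=` entry (which must be a full recursive resolver) and a `/domain/`-scoped one, can be checked before clients ever see a spurious REFUSED. The Python below is an added example, not code from dnsmasq or from anyone on the list: it parses a constructed dnsmasq.conf fragment, builds the RD-set query a forwarder sends upstream, and reads the RA bit and RCODE from a response header so that each unscoped upstream can be verified to actually offer recursion. The config fragment, the two sample response headers and the addresses (documentation ranges) are all constructed, and the function names are this example's own.

```python
import socket, struct

# Constructed dnsmasq.conf fragment (not from the thread): two unscoped
# upstreams plus an authoritative-only server scoped to the private zone.
DNSMASQ_CONF = """
server=203.0.113.1
server=203.0.113.2
server=/private.domain/192.0.2.10
"""
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Constructed 12-byte response headers for the two cases in the thread: REFUSED from a
# non-recursive server (QR=1,RD=1,RA=0,RCODE=5) and NOERROR from a recursive one (RA=1).
REFUSED_FROM_AUTH_ONLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
NOERROR_FROM_RECURSIVE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)

def parse_upstreams(conf):
    """(domain, address) per server= line; domain is None when the entry is unscoped."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):  # single-domain form only: /domain/addr
            domain, addr = value.strip("/").split("/", 1)
            out.append((domain, addr))
        else:
            out.append((None, value))
    return out

def build_query(qname, txid=0x1234):
    """Minimal A query with RD set, i.e. what a forwarder sends upstream."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)

def parse_flags(resp):
    """RA bit and RCODE from a DNS response header."""
    _, flags = struct.unpack("!HH", resp[:4])
    return {"ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}

def usable_as_unscoped(flags):
    """An unscoped server= entry must be recursive: RA set and not REFUSED."""
    return flags["ra"] and flags["rcode"] != "REFUSED"

def probe(addr, qname="www.example.com", timeout=2.0):
    """Live check (needs network): query addr on UDP/53 and return its parsed flags."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (addr, 53))
        data, _ = s.recvfrom(512)
    return parse_flags(data)
```

Run `usable_as_unscoped(probe(addr))` for every `(None, addr)` pair from `parse_upstreams`; any that fails belongs behind a `/domain/` scope, as Chris suggested, not in the unscoped list.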