Hello,

I’m having some trouble getting dnsmasq to respond to PTR queries without 
recursion desired, even when authoritative mode is enabled.

Given the following config:
domain-needed
bogus-priv
no-resolv
no-hosts
port=10053
server=/example.com/
log-queries
host-record=host1.example.com,10.2.3.4

Observed results:
Query host1.example.com A (with recursion) - NOERROR, returns answer
Query host1.example.com A (without recursion) - REFUSED
Query 4.3.2.10.in-addr.arpa PTR (with recursion) - NOERROR, returns answer
Query 4.3.2.10.in-addr.arpa PTR (without recursion) - REFUSED

Given the above config, plus the following two lines to enable authoritative 
mode:
auth-server=ns1.example.com
auth-zone=example.com,10.0.0.0/8

Observed results:
Query host1.example.com A (with recursion) - NOERROR, returns answer
Query host1.example.com A (without recursion) - NOERROR, returns answer
Query 4.3.2.10.in-addr.arpa PTR (with recursion) - NOERROR, returns answer
Query 4.3.2.10.in-addr.arpa PTR (without recursion) - REFUSED

Expected results:
Enabling auth mode for the zone, and specifying the subnet, would result in the 
last PTR query being accepted instead of refused.

The log lines seen when the REFUSED occurs are:
dnsmasq_1  | Jul  9 09:42:06 dnsmasq[1]: query[PTR] 4.3.2.10.in-addr.arpa from 
172.19.0.1
dnsmasq_1  | Jul  9 09:42:06 dnsmasq[1]: config error is REFUSED

Version info:
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua 
TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile

I was looking through the source and I’m guessing that PTR queries don’t ever 
trigger the auth zone path, since the query ends in “in-addr.arpa” instead of 
the auth-zone domain like “example.com”. Once it reaches the regular 
answer_request path, it immediately returns since the RD flag is not set, 
without checking host-records, and proceeds to forward the query instead.

Is this intended behaviour? The 2.79 CHANGELOG states that this always-SERVFAIL 
(or forward, in 2.80) behaviour for queries without recursion desired should 
always happen “UNLESS acting as an authoritative DNS server”, without a caveat 
that it only works for non-reverse DNS queries.

Thanks,
Chiang Fong


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to