Hi Chiang, I discovered the same issue and even posted patch on 2019-04-12 . Queries without RD flag are always forwarded to "upstream" server, not answered locally. REFUSED is usually given by server dnsmasq points to, dnsmasq is just passing it to you. It should be fixed, but no reply for it yet.
But I think it should work on authoritative interface, but it has to be different interface used for normal dns cache. 1. http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q2/013013.html On 7/9/19 12:24 PM, Chiang Fong Lee wrote: > Hello, > > I’m having some trouble getting dnsmasq to respond to PTR queries without > recursion desired, even when authoritative mode is enabled. > > Given the following config: > domain-needed > bogus-priv > no-resolv > no-hosts > port=10053 > server=/example.com/ > log-queries > host-record=host1.example.com,10.2.3.4 > > Observed results: > Query host1.example.com A (with recursion) - NOERROR, returns answer > Query host1.example.com A (without recursion) - REFUSED > Query 188.8.131.52.in-addr.arpa PTR (with recursion) - NOERROR, returns answer > Query 184.108.40.206.in-addr.arpa PTR (without recursion) - REFUSED > > Given the above config, plus the following two lines to enable authoritative > mode: > auth-server=ns1.example.com > auth-zone=example.com,10.0.0.0/8 > > Observed results: > Query host1.example.com A (with recursion) - NOERROR, returns answer > Query host1.example.com A (without recursion) - NOERROR, returns answer > Query 220.127.116.11.in-addr.arpa PTR (with recursion) - NOERROR, returns answer > Query 18.104.22.168.in-addr.arpa PTR (without recursion) - REFUSED > > Expected results: > Enabling auth mode for the zone, and specifying the subnet, would result in > the last PTR query being accepted instead of refused. > > The log lines seen when the REFUSED occurs are: > dnsmasq_1 | Jul 9 09:42:06 dnsmasq: query[PTR] 22.214.171.124.in-addr.arpa > from 172.19.0.1 > dnsmasq_1 | Jul 9 09:42:06 dnsmasq: config error is REFUSED > > Version info: > Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley > Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 > no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile > > I was looking through the source and I’m guessing that PTR queries don’t ever > trigger the auth zone path, since the query ends in “in-addr.arpa” instead of > the auth-zone domain like “example.com”. Once it reaches the regular > answer_request path, it immediately returns since the RD flag is not set, > without checking host-records, and proceeds to forward the query instead. > > Is this intended behaviour? The 2.79 CHANGELOG states that this > always-SERVFAIL (or forward, in 2.80) behaviour for queries without recursion > desired should always happen “UNLESS acting as an authoritative DNS server”, > without a caveat that it only works for non-reverse DNS queries. > > Thanks, > Chiang Fong > > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasqfirstname.lastname@example.org > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss > -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: 65C6C973 _______________________________________________ Dnsmasq-discuss mailing list Dnsmasqemail@example.com http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss