On Fri, Oct 25, 2019, at 4:48 PM, Simon Kelley wrote:
> On 20/10/2019 17:55, Dominick C. Pastore wrote:
> > I apologize for continuing the discussion on this. The patch (applied on 
> > top of 2.80-1 provided by Debian Buster) completely solved the issues I was 
> > having, but I did notice a couple other things.
> > 
> > First, locally configured CNAMEs and records other than A or AAAA do not 
> > seem to play well together. For example, MX and TXT requests still get 
> > forwarded upstream, even after the patch. I played around with this a bit 
> > and discovered:
> > 
> > 1. Unlike "host-record", "txt-record" and "mx-host" on the target are not 
> > enough to keep Dnsmasq from ignoring a locally defined CNAME. (I did not 
> > try others, like "srv-host".)
> 
> This is true, and difficult to fix for very obscure reasons. It should
> be more explicitly documented, or better, fixed.

To be fair, the man page doesn't say that this should work. Although I suppose 
it also doesn't say that "host-record" should work and that one does. If it 
would be helpful, I don't mind contributing documentation updates, although I'm 
not sure what Dnsmasq's conventions are for external contributions.

> > 2. In fact, Dnsmasq never follows a CNAME for MX or TXT requests, even when 
> > the CNAME does point to a host Dnsmasq knows locally. (I assume this is the 
> > reason for #1.)
> > 
> Actually it's not, it just that the CNAME code was never generalised to
> handle stuff not in the cache. I've spent an enjoyable afternoon down
> the rabbit-hole testing and rewriting, and this should be fixed now. The
> prohibition on mixing local and upstream continues, but you can now
> define a TXT/MX/SRV locally and a local CNAME pointing to it, and as
> long as you define an A or AAAA record of the same name, all will be fine.
> 
> > Second, it seems that when Dnsmasq caches a NXDOMAIN response from 
> > upstream, it starts giving a NODATA response for other request types on the 
> > same name. Strangely, log-queries indicates the requests are forwarded, but 
> > right after a SIGHUP to clear the cache, sending one of the NODATA queries 
> > results in NXDOMAIN.
> 
> I can't reproduce this. Could you provide a simple example?

Here is how I am able to reproduce it:

1. Query Dnsmasq for type A on a nonexistent domain (using dig). Get NXDOMAIN.
2. Query Dnsmasq for type AAAA on the same domain. Get NODATA.
3. Send SIGHUP to Dnsmasq to clear cache.
4. Query Dnsmasq for type AAAA on the same domain again. This time, get 
NXDOMAIN.

Here are the actual commands and output pasted from the shell:

dominickpastore@platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion 
vlvtdnpxed.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46341
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; AUTHORITY SECTION:
com.                    899     IN      SOA     a.gtld-servers.net. 
nstld.verisign-grs.com. 1572043374 1800 900 604800 86400
dominickpastore@platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion 
vlvtdnpxed.com AAAA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40388
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
dominickpastore@platinum:~$ sudo killall -HUP dnsmasq
[sudo] password for dominickpastore:
dominickpastore@platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion 
vlvtdnpxed.com AAAA
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31058
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; AUTHORITY SECTION:
com.                    899     IN      SOA     a.gtld-servers.net. 
nstld.verisign-grs.com. 1572043429 1800 900 604800 86400

Querying the upstream server directly always results in NXDOMAIN.

The other thing I noticed is that only an A or AAAA request triggers this. SRV, 
TXT, and MX requests do not. But once an A or AAAA request is made for a 
nonexistent domain, all other request types for that domain result in NODATA 
until the cache is flushed. To demonstrate what I mean:

sudo killall -HUP dnsmasq
dig @127.0.0.1 vlvtdnpxed.com TXT    # gives NXDOMAIN
dig @127.0.0.1 vlvtdnpxed.com SRV    # gives NXDOMAIN
dig @127.0.0.1 vlvtdnpxed.com AAAA   # gives NXDOMAIN
dig @127.0.0.1 vlvtdnpxed.com TXT    # gives NODATA
dig @127.0.0.1 vlvtdnpxed.com SRV    # gives NODATA
dig @127.0.0.1 vlvtdnpxed.com A      # gives NODATA
dig @127.0.0.1 vlvtdnpxed.com AAAA   # gives NXDOMAIN

Thanks,
Nick

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to