I Confirm it is broken, even in v2.87test4 release. The wrong use case is special domain, which provides internal VPN only name for kerberos.
It seems it forwards correctly to domain-specific forwarder. But during that the case of original query is lowered, according to log-queries. Then response is truncated from domain-specific forwarder. Interesting enough query is then forwarded to resolvers without a domain. This time response is accepted. But because it was a VPN forwarding site-specific domain to internal-only servers, it only responds with NXDOMAIN. This bug was reported in our bugzilla too [1]. Found it happens because our VPN has quite long list of SRV records for kerberos. So much it makes truncated reply and re-requests it via TCP. However TCP is for some reason a bit different. There is one important issue: a) query search does not end on domain-specific resolvers, but continues to general resolvers without domain. One less important issue too: b) response does not keep original case of the query Found simple way to reproduce it: dnsmasq -d --conf-file=/dev/null --port 2053 --server=127.0.0.1 --no-resolv --server='/test/::1' --log-queries & dig +tcp @localhost -p 2053 srv _tcp.TEST dig @localhost -p 2053 srv _udp.TEST Results in log: dnsmasq: started, version 2.87test4-11-g80fae3c cachesize 150 dnsmasq: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile dnsmasq: using nameserver 127.0.0.1#53 dnsmasq: using nameserver ::1#53 for domain test dnsmasq: read /etc/hosts - 16 addresses dnsmasq: query[SRV] _udp.TEST from ::1 dnsmasq: forwarded _udp.test to ::1 dnsmasq: reply _udp.TEST is NXDOMAIN dnsmasq: query[SRV] _tcp.TEST from ::1 dnsmasq: forwarded _tcp.TEST to ::1 dnsmasq: reply _tcp.TEST is NXDOMAIN Note forwarded name differs in case, UDP is forwarded lowercase. But TCP query is forwarded as received without modified case. It then requires case insensitive comparison strcasecmp in order() function in domain-match.c, where strcmp is used now. Without a patch, previous version would forward it to 127.0.0.1. It seems strange to lowercase forwarded UDP queries. I think they should remain as received on client. If there is a good reason for it, it should be applied to TCP queries similar way. Proposed change attached. Though I remember code in dnsmasq mentions it does not like changes in locale and does case comparison custom way in few places. Would it make issues here? I guess it would be safe for all encodings containing ASCII subset. Are other encodings still in use? Cheers, Petr 1. https://bugzilla.redhat.com/show_bug.cgi?id=2014019 On 10/13/21 21:58, Aleksandar Kostadinov wrote: > Hi, > > I observe a very strange occasion in a split dns setup. It seems like > between 2.85 and 2.86 the match for domain name became case sensitive > or something. After upgrade to 2.86 I still see in log: > >> using nameserver 10.8.5.26#53 for domain example.com > then this DNS query returns no results: > >> dig srv _kerberos._tcp.EXAMPLE.COM > But these two queries return proper results: > >> dig srv _kerberos._tcp.example.com >> dig srv _kerberos._tcp.EXAMPLE.COM @10.8.5.26 > With 2.85 all queries are returning the records. > > Any idea what's going on? -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
From 70fb3063051bfbe3b5d2e3dbd2e2ab22c71809ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemen...@redhat.com> Date: Thu, 14 Oct 2021 20:56:17 +0200 Subject: [PATCH] Compare order case insensitive MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit DNS labels are defined case insensitive. When queried over TCP, query name is not put to lower case. Make it match even when domain differs only by used case. Signed-off-by: Petr Menšík <pemen...@redhat.com> --- src/domain-match.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/domain-match.c b/src/domain-match.c index 98a5493..548496f 100644 --- a/src/domain-match.c +++ b/src/domain-match.c @@ -496,7 +496,7 @@ static int order(char *qdomain, size_t qlen, struct serv_local *serv) if (qlen > dlen) return -1; - return strcmp(qdomain, serv->domain); + return strcasecmp(qdomain, serv->domain); } static int order_servers(struct serv_local *s1, struct serv_local *s2) -- 2.31.1
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss