I'm using the following configuration with dnsmasq to drop specific types of DNS requests:
    filter-rr=NS,MX,TXT,HTTPS,PTR

However, I have noticed that dnsmasq still sends these requests to the upstream DNS server before filtering them out. For example:

    dnsmasq[830633]: query[TXT] nsa.gov from 127.0.0.1
    dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353   <--
    dnsmasq[830633]: config nsa.gov is NODATA
    dnsmasq[830633]: config nsa.gov is NODATA
    dnsmasq[830633]: query[HTTPS] nsa.gov from 127.0.0.1
    dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353   <--
    dnsmasq[830633]: reply nsa.gov is NODATA

The lines that state "forwarded" indicate that dnsmasq is querying the upstream DNS server despite already knowing that the answer will ultimately be dropped. This behavior contradicts your documentation, which states: "Remove records of the specified type(s) from answers."

Thus my proposal: if the query type is already listed in `filter-rr`, I suggest that dnsmasq should:

- Drop the request immediately without forwarding.
- Provide an immediate response, like "config nsa.gov is NODATA".

This change would enhance efficiency by eliminating unnecessary queries to the upstream server, as well as preventing unnecessary leaks to an adversary.

Thank you for considering this suggestion.

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
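An added example, not from the post or from the dnsmasq project: a small checker that reads a dnsmasq query log and flags queries whose type is listed in filter-rr but that were still forwarded upstream, so the behaviour described above can be confirmed (or, after a fix, shown to be gone) on one's own logs. It assumes the log-queries line format quoted in the post; the sample log lines are constructed, and matching a "forwarded" line to the most recent "query[...]" line for the same name is a heuristic that can misattribute under concurrent lookups.

```python
import re

# Constructed sample log, modelled on the lines quoted in the post
# (192.0.2.1 is a documentation address, not a real answer).
SAMPLE_LOG = """\
dnsmasq[830633]: query[TXT] nsa.gov from 127.0.0.1
dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353
dnsmasq[830633]: config nsa.gov is NODATA
dnsmasq[830633]: query[A] nsa.gov from 127.0.0.1
dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353
dnsmasq[830633]: reply nsa.gov is 192.0.2.1
dnsmasq[830633]: query[HTTPS] nsa.gov from 127.0.0.1
dnsmasq[830633]: forwarded nsa.gov to 127.0.0.1#5353
dnsmasq[830633]: reply nsa.gov is NODATA
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")


def parse_filter_rr(config_line):
    """Turn a 'filter-rr=NS,MX,...' config line into a set of record types."""
    key, _, value = config_line.partition("=")
    if key.strip() != "filter-rr":
        raise ValueError("not a filter-rr line: %r" % config_line)
    return frozenset(t.strip().upper() for t in value.split(",") if t.strip())


def find_leaked_queries(log_text, filtered_types):
    """Return (qtype, name, upstream) for every query of a filtered type
    that dnsmasq nevertheless forwarded to an upstream server.

    Heuristic: a 'forwarded' line is attributed to the most recent
    'query[...]' line seen for the same name (dnsmasq's default log
    format carries no query id), so interleaved lookups may mismatch."""
    leaks = []
    pending = {}  # name -> qtype of the most recent query for that name
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pending[m["name"]] = m["qtype"]
            continue
        m = FORWARD_RE.search(line)
        if m and m["name"] in pending:
            qtype = pending.pop(m["name"])
            if qtype in filtered_types:
                leaks.append((qtype, m["name"], m["upstream"]))
    return leaks


if __name__ == "__main__":
    types = parse_filter_rr("filter-rr=NS,MX,TXT,HTTPS,PTR")
    for qtype, name, upstream in find_leaked_queries(SAMPLE_LOG, types):
        print("filtered %s query for %s was still forwarded to %s" % (qtype, name, upstream))
```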
