Re: [Dnsmasq-discuss] uh, domain concats unwanted...
I just found that it does have a blacklisting function, but not for advertisement sites (or there seems to be a user-promoted-list, where the community votes on hosts, but I can't seem to add it to my setup...it doesn't appear as a valid "category"). But like I said in a previous reply (probably passed yours in the ether!), it doesn't explain why it would try and resolve the host by upstream DNS in the first-place. If it's in an addn-hosts file, it should never have proceeded to ask opendns for an address, right? And I'm having MORE trouble when I add that file (as you can see in my previous reply), in that it doesn't even resolve the name of my dnsmasq server, much less anything else! I'm starting to wonder if there's a limitation to the number of lines in the hosts-files that dnsmasq can handle??? Thanks for the reply and the useful info! -AJ - Original Message - From: Paul Chambers To: dnsmasq-discuss@lists.thekelleys.org.uk Sent: Thursday, May 01, 2008 1:53 PM Subject: Re: [Dnsmasq-discuss] uh, domain concats unwanted... As an aside, if you're using OpenDNS upstream, for lookups that fail it'll respond with the IP address of an OpenDNS server (rather than NXDOMAIN), which will redirect you to guide.opendns.com. You'll need to use 'bogus-nxdomain=' lines in your dnsmasq configuration for the IP addresses of those 'special' servers if you want lookups to fail if the domain is not found. Specifically, add 'bogus-nxdomain=208.67.219.132' to dnsmasq.conf and restart dnsmasq. Note that this IP address has changed at least once since I started using OpenDNS. Doesn't explain why your resolver is looking for view.atdmt.com.nn.com in the first place, but does explain why you're getting an answer. I think the resolver re-attempts a lookup that fails by appending the domain to the original lookup, IIRC. Try adding a 'domain something.bogus' line to your resolv.conf and see if you get 'view.atdmt.com.something.bogus' instead. Paul p.s. By the way, you do know that OpenDNS offers domain blacklisting by category automatically? just have to create an account and turn it on. /dev/rob0 wrote: On Thu May 1 2008 10:34:05 AJ Weber wrote: OK, I'm looking thru my dnsmasq.conf, but can't justify why this is happening...nor how it's eventually coming-up with a valid IP address. ValidHowever, it didn't block an advert site on my first test, and so I did a nslookup from my laptop...this was the output... Just Say No to nslookup. dig(1) is the preferred toolServer: broh.nn.com Address: 192.168.1.128 Non-authoritative answer: Name:view.atdmt.com.nn.com Address: 208.67.217.132 132.217.67.208.in-addr.arpa. 86400 IN PTR hit-nxdomain.opendns.com. The "nn.com" is set in my "domain=" option in my config. However, as I read it, it should only be used to decorate simple names from the hosts-file. Why is it being appended to FQDNs? Maybe broken or misconfigured system resolver? See, dig(1) will only use DNS, and only with the name it is given (exception, see +search.) Furthermore, how the heck did that name then resolve from the upstream DNS server??? Um, maybe a broken upstream nameserver? [1 -- ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] uh, domain concats unwanted...
As an aside, if you're using OpenDNS upstream, for lookups that fail it'll respond with the IP address of an OpenDNS server (rather than NXDOMAIN), which will redirect you to guide.opendns.com. You'll need to use 'bogus-nxdomain=' lines in your dnsmasq configuration for the IP addresses of those 'special' servers if you want lookups to fail if the domain is not found. Specifically, add 'bogus-nxdomain=208.67.219.132' to dnsmasq.conf and restart dnsmasq. Note that this IP address has changed at least once since I started using OpenDNS. Doesn't explain why your resolver is looking for view.atdmt.com.nn.com in the first place, but does explain why you're getting an answer. I think the resolver re-attempts a lookup that fails by appending the domain to the original lookup, IIRC. Try adding a 'domain something.bogus' line to your resolv.conf and see if you get 'view.atdmt.com.something.bogus' instead. Paul p.s. By the way, you do know that OpenDNS offers domain blacklisting by category automatically? just have to create an account and turn it on. /dev/rob0 wrote: On Thu May 1 2008 10:34:05 AJ Weber wrote: OK, I'm looking thru my dnsmasq.conf, but can't justify why this is happening...nor how it's eventually coming-up with a valid IP address. Valid However, it didn't block an advert site on my first test, and so I did a nslookup from my laptop...this was the output... Just Say No to nslookup. dig(1) is the preferred tool Server: broh.nn.com Address: 192.168.1.128 Non-authoritative answer: Name:view.atdmt.com.nn.com Address: 208.67.217.132 132.217.67.208.in-addr.arpa. 86400 IN PTR hit-nxdomain.opendns.com. The "nn.com" is set in my "domain=" option in my config. However, as I read it, it should only be used to decorate simple names from the hosts-file. Why is it being appended to FQDNs? Maybe broken or misconfigured system resolver? See, dig(1) will only use DNS, and only with the name it is given (exception, see +search.) Furthermore, how the heck did that name then resolve from the upstream DNS server??? Um, maybe a broken upstream nameserver? [1
Re: [Dnsmasq-discuss] uh, domain concats unwanted...
Yeah, it seems that opendns.com is messing with the resolution of that FQDN in the lookup, but that doesn't explain how it got to the upstream DNS server in the first-place. With it explicitly listed in my addn-hosts file, it should never have been requested from them. NOW, for whatever reason, my PC can't resolve anything when I add that addn-hosts file. It doesn't even know the name of "broh" when it goes to lookup. I've verified that nothing but "external" hosts/domains are in that file, etc. Is there a limit to the size of a hosts file that dnsmasq can handle??? Are there any debugging params I should include in dig or nslookup to see where we're getting off-track? Thanks again, AJ - Original Message - From: /dev/rob0 To: dnsmasq-discuss@lists.thekelleys.org.uk Sent: Thursday, May 01, 2008 12:10 PM Subject: Re: [Dnsmasq-discuss] uh, domain concats unwanted... On Thu May 1 2008 10:34:05 AJ Weber wrote: > OK, I'm looking thru my dnsmasq.conf, but can't justify why this is > happening...nor how it's eventually coming-up with a valid IP > address. Valid? > However, it didn't block an advert site on my first test, and so I > did a nslookup from my laptop...this was the output... Just Say No to nslookup. dig(1) is the preferred tool. > Server: broh.nn.com > Address: 192.168.1.128 > > Non-authoritative answer: > Name:view.atdmt.com.nn.com > Address: 208.67.217.132 132.217.67.208.in-addr.arpa. 86400 IN PTR hit-nxdomain.opendns.com. > The "nn.com" is set in my "domain=" option in my config. > However, as I read it, it should only be used to decorate simple > names from the hosts-file. Why is it being appended to FQDNs? Maybe broken or misconfigured system resolver? See, dig(1) will only use DNS, and only with the name it is given (exception, see +search.) > Furthermore, how the heck did that name then resolve from the > upstream DNS server??? Um, maybe a broken upstream nameserver? [1] > view.atdmt.com IS in the black-hole-hosts file that I added using view.atdmt.com. 240 IN A 206.16.21.31 > addn-hosts, but again, it's a FQDN, so it shouldn't be getting the > domain appended. > > Can anyone help me explain where my config might be wrong? Munging makes DNS problems especially difficult to ... resolve. [1] I know this goes against the spirit of simplicity which is dnsmasq, but I always run my own named backend for recursion. It binds on port 35, which is used as such in dnsmasq.conf : server=127.0.0.1#35 -- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] uh, domain concats unwanted...
On Thu May 1 2008 10:34:05 AJ Weber wrote: > OK, I'm looking thru my dnsmasq.conf, but can't justify why this is > happening...nor how it's eventually coming-up with a valid IP > address. Valid? > However, it didn't block an advert site on my first test, and so I > did a nslookup from my laptop...this was the output... Just Say No to nslookup. dig(1) is the preferred tool. > Server: broh.nn.com > Address: 192.168.1.128 > > Non-authoritative answer: > Name:view.atdmt.com.nn.com > Address: 208.67.217.132 132.217.67.208.in-addr.arpa. 86400 IN PTR hit-nxdomain.opendns.com. > The "nn.com" is set in my "domain=" option in my config. > However, as I read it, it should only be used to decorate simple > names from the hosts-file. Why is it being appended to FQDNs? Maybe broken or misconfigured system resolver? See, dig(1) will only use DNS, and only with the name it is given (exception, see +search.) > Furthermore, how the heck did that name then resolve from the > upstream DNS server??? Um, maybe a broken upstream nameserver? [1] > view.atdmt.com IS in the black-hole-hosts file that I added using view.atdmt.com. 240 IN A 206.16.21.31 > addn-hosts, but again, it's a FQDN, so it shouldn't be getting the > domain appended. > > Can anyone help me explain where my config might be wrong? Munging makes DNS problems especially difficult to ... resolve. [1] I know this goes against the spirit of simplicity which is dnsmasq, but I always run my own named backend for recursion. It binds on port 35, which is used as such in dnsmasq.conf : server=127.0.0.1#35 -- Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
[Dnsmasq-discuss] uh, domain concats unwanted...
OK, I'm looking thru my dnsmasq.conf, but can't justify why this is happening...nor how it's eventually coming-up with a valid IP address. I think this has been happening for some-time now, but only recently started looking-into it, because I'm trying to add a "hosts blacklist" to the config. To do this, I added the hosts-formatted file to "addn-hosts=" in the config file. However, it didn't block an advert site on my first test, and so I did a nslookup from my laptop...this was the output... Server: broh.nn.com Address: 192.168.1.128 Non-authoritative answer: Name:view.atdmt.com.nn.com Address: 208.67.217.132 The "nn.com" is set in my "domain=" option in my config. However, as I read it, it should only be used to decorate simple names from the hosts-file. Why is it being appended to FQDNs? Furthermore, how the heck did that name then resolve from the upstream DNS server??? view.atdmt.com IS in the black-hole-hosts file that I added using addn-hosts, but again, it's a FQDN, so it shouldn't be getting the domain appended. Can anyone help me explain where my config might be wrong? Thanks! -AJ