Re: [Dnsmasq-discuss] uh, domain concats unwanted...

2008-05-01 Thread AJ Weber
I just found that it does have a blacklisting function, but not for 
advertisement sites (or there seems to be a user-promoted-list, where the 
community votes on hosts, but I can't seem to add it to my setup...it doesn't 
appear as a valid "category").

But like I said in a previous reply (probably passed yours in the ether!), it 
doesn't explain why it would try and resolve the host by upstream DNS in the 
first-place.  If it's in an addn-hosts file, it should never have proceeded to 
ask opendns for an address, right?

And I'm having MORE trouble when I add that file (as you can see in my previous 
reply), in that it doesn't even resolve the name of my dnsmasq server, much 
less anything else!  I'm starting to wonder if there's a limitation to the 
number of lines in the hosts-files that dnsmasq can handle???

Thanks for the reply and the useful info!

-AJ
  - Original Message - 
  From: Paul Chambers 
  To: dnsmasq-discuss@lists.thekelleys.org.uk 
  Sent: Thursday, May 01, 2008 1:53 PM
  Subject: Re: [Dnsmasq-discuss] uh, domain concats unwanted...


  As an aside, if you're using OpenDNS upstream, for lookups that fail it'll 
respond with the IP address of an OpenDNS server (rather than NXDOMAIN), which 
will redirect you to guide.opendns.com. You'll need to use 'bogus-nxdomain=' 
lines in your dnsmasq configuration for the IP addresses of those 'special' 
servers if you want lookups to fail if the domain is not found. Specifically, 
add 'bogus-nxdomain=208.67.219.132' to dnsmasq.conf and restart dnsmasq. Note 
that this IP address has changed at least once since I started using OpenDNS.

  Doesn't explain why your resolver is looking for view.atdmt.com.nn.com in 
the first place, but does explain why you're getting an answer. I think the 
resolver re-attempts a lookup that fails by appending the domain to the 
original lookup, IIRC. Try adding a 'domain something.bogus' line to your 
resolv.conf and see if you get 'view.atdmt.com.something.bogus' instead. 

  Paul

  p.s. By the way, you do know that OpenDNS offers domain blacklisting by 
category automatically? just have to create an account and turn it on.

  /dev/rob0 wrote:
  > On Thu May 1 2008 10:34:05 AJ Weber wrote:
  > > OK, I'm looking thru my dnsmasq.conf, but can't justify why this is
  > > happening...nor how it's eventually coming-up with a valid IP
  > > address.
  >
  > Valid?
  >
  > > However, it didn't block an advert site on my first test, and so I
  > > did a nslookup from my laptop...this was the output...
  >
  > Just Say No to nslookup. dig(1) is the preferred tool.
  >
  > > Server:   broh.nn.com
  > > Address:  192.168.1.128
  > >
  > > Non-authoritative answer:
  > > Name:view.atdmt.com.nn.com
  > > Address:  208.67.217.132
  >
  > 132.217.67.208.in-addr.arpa. 86400 IN   PTR hit-nxdomain.opendns.com.
  >
  > > The "nn.com" is set in my "domain=" option in my config.
  > > However, as I read it, it should only be used to decorate simple
  > > names from the hosts-file.  Why is it being appended to FQDNs?
  >
  > Maybe broken or misconfigured system resolver? See, dig(1) will only
  > use DNS, and only with the name it is given (exception, see +search.)
  >
  > > Furthermore, how the heck did that name then resolve from the
  > > upstream DNS server???
  >
  > Um, maybe a broken upstream nameserver? [1]



--


  ___
  Dnsmasq-discuss mailing list
  Dnsmasq-discuss@lists.thekelleys.org.uk
  http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] uh, domain concats unwanted...

2008-05-01 Thread Paul Chambers
As an aside, if you're using OpenDNS upstream, for lookups that fail 
it'll respond with the IP address of an OpenDNS server (rather than 
NXDOMAIN), which will redirect you to guide.opendns.com. You'll need to 
use 'bogus-nxdomain=' lines in your dnsmasq configuration for the IP 
addresses of those 'special' servers if you want lookups to fail if the 
domain is not found. Specifically, add 'bogus-nxdomain=208.67.219.132' 
to dnsmasq.conf and restart dnsmasq. Note that this IP address has 
changed at least once since I started using OpenDNS.


Doesn't explain why your resolver is looking for 
view.atdmt.com.nn.com in the first place, but does explain why 
you're getting an answer. I think the resolver re-attempts a lookup that 
fails by appending the domain to the original lookup, IIRC. Try adding a 
'domain something.bogus' line to your resolv.conf and see if you get 
'view.atdmt.com.something.bogus' instead.


Paul

p.s. By the way, you do know that OpenDNS offers domain blacklisting by 
category automatically? just have to create an account and turn it on.


/dev/rob0 wrote:
> On Thu May 1 2008 10:34:05 AJ Weber wrote:
> > OK, I'm looking thru my dnsmasq.conf, but can't justify why this is
> > happening...nor how it's eventually coming-up with a valid IP
> > address.
>
> Valid?
>
> > However, it didn't block an advert site on my first test, and so I
> > did a nslookup from my laptop...this was the output...
>
> Just Say No to nslookup. dig(1) is the preferred tool.
>
> > Server:   broh.nn.com
> > Address:  192.168.1.128
> >
> > Non-authoritative answer:
> > Name:view.atdmt.com.nn.com
> > Address:  208.67.217.132
>
> 132.217.67.208.in-addr.arpa. 86400 IN   PTR hit-nxdomain.opendns.com.
>
> > The "nn.com" is set in my "domain=" option in my config.
> > However, as I read it, it should only be used to decorate simple
> > names from the hosts-file.  Why is it being appended to FQDNs?
>
> Maybe broken or misconfigured system resolver? See, dig(1) will only
> use DNS, and only with the name it is given (exception, see +search.)
>
> > Furthermore, how the heck did that name then resolve from the
> > upstream DNS server???
>
> Um, maybe a broken upstream nameserver? [1]
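
Added example, not part of any poster's message and not dnsmasq code: a simplified Python model of the lookup chain this thread describes (client search suffix, dnsmasq hosts file, an upstream that answers failed lookups with an address, and `bogus-nxdomain`). It assumes the client tries the `nn.com`-suffixed name first, as the nslookup output in the thread suggests, and that the blacklist entry maps to 127.0.0.1; all function names are hypothetical.

```python
# Simplified model: stub-resolver search list + dnsmasq hosts file + bogus-nxdomain.
HOSTS = {"view.atdmt.com": "127.0.0.1"}  # constructed blacklist entry (addn-hosts file)
UPSTREAM_REAL = {}                        # constructed: upstream knows none of these names
HIJACK_IP = "208.67.217.132"             # address shown in the nslookup output in the thread

def upstream(name):
    """Upstream that answers unknown names with an address instead of NXDOMAIN."""
    return UPSTREAM_REAL.get(name, HIJACK_IP)

def dnsmasq(name, bogus=frozenset()):
    """Return (address, source); address is None when the client gets NXDOMAIN."""
    name = name.rstrip(".").lower()
    if name in HOSTS:                     # names in the hosts file are answered locally
        return HOSTS[name], "hosts"
    addr = upstream(name)                 # anything else is forwarded upstream
    if addr in bogus:                     # bogus-nxdomain: turn this reply into NXDOMAIN
        return None, "upstream"
    return addr, "upstream"

def candidates(name, search):
    """Names the client queries, in order (assumption: suffixed name first)."""
    if name.endswith("."):                # trailing dot: absolute name, no search list
        return [name]
    return [f"{name}.{suffix}" for suffix in search] + [name]

def resolve(name, search=("nn.com",), bogus=frozenset()):
    """First candidate that yields an address wins: (queried name, address, source)."""
    for cand in candidates(name, search):
        addr, source = dnsmasq(cand, bogus)
        if addr is not None:
            return cand.rstrip("."), addr, source
    return name.rstrip("."), None, "nxdomain"

if __name__ == "__main__":
    # No bogus-nxdomain: the suffixed name misses the hosts file and upstream "answers".
    print(resolve("view.atdmt.com"))
    # bogus-nxdomain with a different address than the one actually returned: no effect.
    print(resolve("view.atdmt.com", bogus={"208.67.219.132"}))
    # bogus-nxdomain matching the returned address: client falls through to the hosts entry.
    print(resolve("view.atdmt.com", bogus={"208.67.217.132"}))
    # Trailing dot skips the search list, so the hosts entry is hit directly.
    print(resolve("view.atdmt.com."))
```

In this model the blacklist entry is never consulted for the first query because the name that reaches dnsmasq is `view.atdmt.com.nn.com`, and a `bogus-nxdomain` line only helps when it lists the exact address the upstream returns.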




Re: [Dnsmasq-discuss] uh, domain concats unwanted...

2008-05-01 Thread AJ Weber
Yeah, it seems that opendns.com is messing with the resolution of that FQDN in 
the lookup, but that doesn't explain how it got to the upstream DNS server in 
the first-place.  With it explicitly listed in my addn-hosts file, it should 
never have been requested from them.

NOW, for whatever reason, my PC can't resolve anything when I add that 
addn-hosts file.  It doesn't even know the name of "broh" when it goes to 
lookup.  I've verified that nothing but "external" hosts/domains are in that 
file, etc.  Is there a limit to the size of a hosts file that dnsmasq can 
handle???  Are there any debugging params I should include in dig or nslookup 
to see where we're getting off-track?

Thanks again,
AJ

  - Original Message - 
  From: /dev/rob0 
  To: dnsmasq-discuss@lists.thekelleys.org.uk 
  Sent: Thursday, May 01, 2008 12:10 PM
  Subject: Re: [Dnsmasq-discuss] uh, domain concats unwanted...


  On Thu May 1 2008 10:34:05 AJ Weber wrote:
  > OK, I'm looking thru my dnsmasq.conf, but can't justify why this is
  > happening...nor how it's eventually coming-up with a valid IP
  > address.

  Valid?

  > However, it didn't block an advert site on my first test, and so I
  > did a nslookup from my laptop...this was the output...

  Just Say No to nslookup. dig(1) is the preferred tool.

  > Server:   broh.nn.com
  > Address:  192.168.1.128
  >
  > Non-authoritative answer:
  > Name:view.atdmt.com.nn.com
  > Address:  208.67.217.132

  132.217.67.208.in-addr.arpa. 86400 IN   PTR hit-nxdomain.opendns.com.

  > The "nn.com" is set in my "domain=" option in my config. 
  > However, as I read it, it should only be used to decorate simple
  > names from the hosts-file.  Why is it being appended to FQDNs? 

  Maybe broken or misconfigured system resolver? See, dig(1) will only
  use DNS, and only with the name it is given (exception, see +search.)

  > Furthermore, how the heck did that name then resolve from the
  > upstream DNS server???

  Um, maybe a broken upstream nameserver? [1]

  > view.atdmt.com IS in the black-hole-hosts file that I added using

  view.atdmt.com. 240 IN  A   206.16.21.31

  > addn-hosts, but again, it's a FQDN, so it shouldn't be getting the
  > domain appended.
  >
  > Can anyone help me explain where my config might be wrong?

  Munging makes DNS problems especially difficult to ... resolve.


  [1] I know this goes against the spirit of simplicity which is
  dnsmasq, but I always run my own named backend for recursion. It
  binds on port 35, which is used as such in dnsmasq.conf :
  server=127.0.0.1#35
  -- 
  Offlist mail to this address is discarded unless
  "/dev/rob0" or "not-spam" is in Subject: header



Re: [Dnsmasq-discuss] uh, domain concats unwanted...

2008-05-01 Thread /dev/rob0
On Thu May 1 2008 10:34:05 AJ Weber wrote:
> OK, I'm looking thru my dnsmasq.conf, but can't justify why this is
> happening...nor how it's eventually coming-up with a valid IP
> address.

Valid?

> However, it didn't block an advert site on my first test, and so I
> did a nslookup from my laptop...this was the output...

Just Say No to nslookup. dig(1) is the preferred tool.

> Server:   broh.nn.com
> Address:  192.168.1.128
>
> Non-authoritative answer:
> Name:view.atdmt.com.nn.com
> Address:  208.67.217.132

132.217.67.208.in-addr.arpa. 86400 IN   PTR hit-nxdomain.opendns.com.

> The "nn.com" is set in my "domain=" option in my config. 
> However, as I read it, it should only be used to decorate simple
> names from the hosts-file.  Why is it being appended to FQDNs? 

Maybe broken or misconfigured system resolver? See, dig(1) will only
use DNS, and only with the name it is given (exception, see +search.)

> Furthermore, how the heck did that name then resolve from the
> upstream DNS server???

Um, maybe a broken upstream nameserver? [1]

> view.atdmt.com IS in the black-hole-hosts file that I added using

view.atdmt.com. 240 IN  A   206.16.21.31

> addn-hosts, but again, it's a FQDN, so it shouldn't be getting the
> domain appended.
>
> Can anyone help me explain where my config might be wrong?

Munging makes DNS problems especially difficult to ... resolve.


[1] I know this goes against the spirit of simplicity which is
dnsmasq, but I always run my own named backend for recursion. It
binds on port 35, which is used as such in dnsmasq.conf :
server=127.0.0.1#35
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header



[Dnsmasq-discuss] uh, domain concats unwanted...

2008-05-01 Thread AJ Weber
OK, I'm looking thru my dnsmasq.conf, but can't justify why this is 
happening...nor how it's eventually coming-up with a valid IP address.

I think this has been happening for some-time now, but only recently started 
looking-into it, because I'm trying to add a "hosts blacklist" to the config.  
To do this, I added the hosts-formatted file to "addn-hosts=" in the config 
file.

However, it didn't block an advert site on my first test, and so I did a 
nslookup from my laptop...this was the output...
Server:  broh.nn.com
Address:  192.168.1.128

Non-authoritative answer:
Name:view.atdmt.com.nn.com
Address:  208.67.217.132

The "nn.com" is set in my "domain=" option in my config.  However, as I 
read it, it should only be used to decorate simple names from the hosts-file.  
Why is it being appended to FQDNs?  Furthermore, how the heck did that name 
then resolve from the upstream DNS server???

view.atdmt.com IS in the black-hole-hosts file that I added using addn-hosts, 
but again, it's a FQDN, so it shouldn't be getting the domain appended.

Can anyone help me explain where my config might be wrong?

Thanks!
-AJ