Re: [Dnsmasq-discuss] uh, domain concats unwanted...
On Thu May 1 2008 10:34:05 AJ Weber wrote: OK, I'm looking thru my dnsmasq.conf, but can't justify why this is happening...nor how it's eventually coming-up with a valid IP address. Valid? However, it didn't block an advert site on my first test, and so I did a nslookup from my laptop...this was the output... Just Say No to nslookup. dig(1) is the preferred tool. Server: broh.nn.com Address: 192.168.1.128 Non-authoritative answer: Name:view.atdmt.com.nn.com Address: 208.67.217.132 132.217.67.208.in-addr.arpa. 86400 IN PTR hit-nxdomain.opendns.com. The nn.com is set in my domain= option in my config. However, as I read it, it should only be used to decorate simple names from the hosts-file. Why is it being appended to FQDNs? Maybe broken or misconfigured system resolver? See, dig(1) will only use DNS, and only with the name it is given (exception, see +search.) Furthermore, how the heck did that name then resolve from the upstream DNS server??? Um, maybe a broken upstream nameserver? [1] view.atdmt.com IS in the black-hole-hosts file that I added using view.atdmt.com. 240 IN A 206.16.21.31 addn-hosts, but again, it's a FQDN, so it shouldn't be getting the domain appended. Can anyone help me explain where my config might be wrong? Munging makes DNS problems especially difficult to ... resolve. [1] I know this goes against the spirit of simplicity which is dnsmasq, but I always run my own named backend for recursion. It binds on port 35, which is used as such in dnsmasq.conf : server=127.0.0.1#35 -- Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header
Re: [Dnsmasq-discuss] uh, domain concats unwanted...
As an aside, if you're using OpenDNS upstream, for lookups that fail it'll respond with the IP address of an OpenDNS server (rather than NXDOMAIN), which will redirect you to guide.opendns.com. You'll need to use 'bogus-nxdomain=' lines in your dnsmasq configuration for the IP addresses of those 'special' servers if you want lookups to fail if the domain is not found. Specifically, add 'bogus-nxdomain=208.67.219.132' to dnsmasq.conf and restart dnsmasq. Note that this IP address has changed at least once since I started using OpenDNS. Doesn't explain why your resolver is looking for view.atdmt.com.nn.com in the first place, but does explain why you're getting an answer. I think the resolver re-attempts a lookup that fails by appending the domain to the original lookup, IIRC. Try adding a 'domain something.bogus' line to your resolv.conf and see if you get 'view.atdmt.com.something.bogus' instead. Paul p.s. By the way, you do know that OpenDNS offers domain blacklisting by category automatically? just have to create an account and turn it on. /dev/rob0 wrote: On Thu May 1 2008 10:34:05 AJ Weber wrote: OK, I'm looking thru my dnsmasq.conf, but can't justify why this is happening...nor how it's eventually coming-up with a valid IP address. Valid However, it didn't block an advert site on my first test, and so I did a nslookup from my laptop...this was the output... Just Say No to nslookup. dig(1) is the preferred tool Server: broh.nn.com Address: 192.168.1.128 Non-authoritative answer: Name:view.atdmt.com.nn.com Address: 208.67.217.132 132.217.67.208.in-addr.arpa. 86400 IN PTR hit-nxdomain.opendns.com. The nn.com is set in my domain= option in my config. However, as I read it, it should only be used to decorate simple names from the hosts-file. Why is it being appended to FQDNs? Maybe broken or misconfigured system resolver? See, dig(1) will only use DNS, and only with the name it is given (exception, see +search.) Furthermore, how the heck did that name then resolve from the upstream DNS server??? Um, maybe a broken upstream nameserver? [1 snip
Re: [Dnsmasq-discuss] uh, domain concats unwanted...
I just found that it does have a blacklisting function, but not for advertisement sites (or there seems to be a user-promoted-list, where the community votes on hosts, but I can't seem to add it to my setup...it doesn't appear as a valid category). But like I said in a previous reply (probably passed yours in the ether!), it doesn't explain why it would try and resolve the host by upstream DNS in the first-place. If it's in an addn-hosts file, it should never have proceeded to ask opendns for an address, right? And I'm having MORE trouble when I add that file (as you can see in my previous reply), in that it doesn't even resolve the name of my dnsmasq server, much less anything else! I'm starting to wonder if there's a limitation to the number of lines in the hosts-files that dnsmasq can handle??? Thanks for the reply and the useful info! -AJ - Original Message - From: Paul Chambers To: dnsmasq-discuss@lists.thekelleys.org.uk Sent: Thursday, May 01, 2008 1:53 PM Subject: Re: [Dnsmasq-discuss] uh, domain concats unwanted... As an aside, if you're using OpenDNS upstream, for lookups that fail it'll respond with the IP address of an OpenDNS server (rather than NXDOMAIN), which will redirect you to guide.opendns.com. You'll need to use 'bogus-nxdomain=' lines in your dnsmasq configuration for the IP addresses of those 'special' servers if you want lookups to fail if the domain is not found. Specifically, add 'bogus-nxdomain=208.67.219.132' to dnsmasq.conf and restart dnsmasq. Note that this IP address has changed at least once since I started using OpenDNS. Doesn't explain why your resolver is looking for view.atdmt.com.nn.com in the first place, but does explain why you're getting an answer. I think the resolver re-attempts a lookup that fails by appending the domain to the original lookup, IIRC. Try adding a 'domain something.bogus' line to your resolv.conf and see if you get 'view.atdmt.com.something.bogus' instead. Paul p.s. By the way, you do know that OpenDNS offers domain blacklisting by category automatically? just have to create an account and turn it on. /dev/rob0 wrote: On Thu May 1 2008 10:34:05 AJ Weber wrote: OK, I'm looking thru my dnsmasq.conf, but can't justify why this is happening...nor how it's eventually coming-up with a valid IP address. ValidHowever, it didn't block an advert site on my first test, and so I did a nslookup from my laptop...this was the output... Just Say No to nslookup. dig(1) is the preferred toolServer: broh.nn.com Address: 192.168.1.128 Non-authoritative answer: Name:view.atdmt.com.nn.com Address: 208.67.217.132 132.217.67.208.in-addr.arpa. 86400 IN PTR hit-nxdomain.opendns.com. The nn.com is set in my domain= option in my config. However, as I read it, it should only be used to decorate simple names from the hosts-file. Why is it being appended to FQDNs? Maybe broken or misconfigured system resolver? See, dig(1) will only use DNS, and only with the name it is given (exception, see +search.) Furthermore, how the heck did that name then resolve from the upstream DNS server??? Um, maybe a broken upstream nameserver? [1snip -- ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
