Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
The behaviour of believing the first REFUSED answer has been changed for the forthcoming release. There's a couple of long discussions about this on here.

Cheers,

Simon.

On 27/02/17 16:42, /dev/rob0 wrote:
> On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
>> On 27/02/17 13:31, Chris Novakovic wrote:
>>> On 27/02/17 10:04, Daniel Pocock wrote:
>>>> I've observed the following problem:
>>>>
>>>> - dnsmasq is sending queries to 5 servers, one of them is not
>>>> recursive and only answers for a private domain
>>>>
>>>> - if the first response dnsmasq receives comes from the
>>>> non-recursive server (REFUSED), then dnsmasq is sending a
>>>> REFUSED response to the client
>>>>
>>>> - dnsmasq subsequently receives a response from one of the
>>>> recursive servers
>>>
>>> This is expected behaviour. One possibility is to configure
>>> dnsmasq to forward requests to the non-recursive server only
>>> for the private domain, e.g.:
>>>
>>> --server=/private.domain/non.recursive.server.ip
>>>
>>> and a matching --rev-server directive if appropriate.
>>
>> The router is running OpenWRT; I could make that change manually
>> but then I wouldn't be able to fully manage it with the GUI any
>> more.
>>
>> Can you confirm if this is the only way it can work according to
>> the DNS spec, or is it a dnsmasq design decision?
>
> --server without the domain specified MUST be a recursive server,
> willing to resolve your queries for any names.
>
> --server=/domain.example/ip.add.re.ss will only send queries for
> domain.example (and *.domain.example) to ip.add.re.ss.
>
>> Could a software approach be taken by default, waiting to see if
>> any resolver provides a positive response before sending back
>> REFUSED to the client?
>
> I don't see a valid use case for this. You have a configuration
> error, by listing a non-recursive server among your upstream
> recursive servers.
>
> Perhaps the OpenWRT people didn't know enough about dnsmasq to
> support this situation, or perhaps they didn't care. But dnsmasq
> documentation of --server is clear enough about it.
>
> Another problem you will have is when one of the actual upstream
> recursive servers replies for "domain.example" with incorrect
> data.
>
> (Side note: simple is good; listing more recursive servers will
> generally not improve performance. If some of the servers you're
> listing are not reliable enough, try one of the Google Public DNS
> addresses, or run your own recursive resolver.)

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote:
> On 27/02/17 13:31, Chris Novakovic wrote:
> > On 27/02/17 10:04, Daniel Pocock wrote:
> >>
> >> I've observed the following problem:
> >>
> >> - dnsmasq is sending queries to 5 servers, one of them is not
> >> recursive and only answers for a private domain
> >>
> >> - if the first response dnsmasq receives comes from the
> >> non-recursive server (REFUSED), then dnsmasq is sending a
> >> REFUSED response to the client
> >>
> >> - dnsmasq subsequently receives a response from one of the
> >> recursive servers
> >
> > This is expected behaviour. One possibility is to configure
> > dnsmasq to forward requests to the non-recursive server only
> > for the private domain, e.g.:
> >
> > --server=/private.domain/non.recursive.server.ip
> >
> > and a matching --rev-server directive if appropriate.
>
> The router is running OpenWRT; I could make that change manually
> but then I wouldn't be able to fully manage it with the GUI any
> more.
>
> Can you confirm if this is the only way it can work according to
> the DNS spec, or is it a dnsmasq design decision?

--server without the domain specified MUST be a recursive server,
willing to resolve your queries for any names.

--server=/domain.example/ip.add.re.ss will only send queries for
domain.example (and *.domain.example) to ip.add.re.ss.

> Could a software approach be taken by default, waiting to see
> if any resolver provides a positive response before sending
> back REFUSED to the client?

I don't see a valid use case for this. You have a configuration
error, by listing a non-recursive server among your upstream
recursive servers.

Perhaps the OpenWRT people didn't know enough about dnsmasq to
support this situation, or perhaps they didn't care. But dnsmasq
documentation of --server is clear enough about it.

Another problem you will have is when one of the actual upstream
recursive servers replies for "domain.example" with incorrect
data.

(Side note: simple is good; listing more recursive servers will
generally not improve performance. If some of the servers you're
listing are not reliable enough, try one of the Google Public DNS
addresses, or run your own recursive resolver.)
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
On 27/02/17 13:31, Chris Novakovic wrote:
> On 27/02/17 10:04, Daniel Pocock wrote:
>>
>> I've observed the following problem:
>>
>> - dnsmasq is sending queries to 5 servers, one of them is not recursive
>> and only answers for a private domain
>>
>> - if the first response dnsmasq receives comes from the non-recursive
>> server (REFUSED), then dnsmasq is sending a REFUSED response to the client
>>
>> - dnsmasq subsequently receives a response from one of the recursive servers
>
> This is expected behaviour. One possibility is to configure dnsmasq to
> forward requests to the non-recursive server only for the private
> domain, e.g.:
>
> --server=/private.domain/non.recursive.server.ip
>
> and a matching --rev-server directive if appropriate.
>

The router is running OpenWRT; I could make that change manually but then I wouldn't be able to fully manage it with the GUI any more.

Can you confirm if this is the only way it can work according to the DNS spec, or is it a dnsmasq design decision?

Could a software approach be taken by default, waiting to see if any resolver provides a positive response before sending back REFUSED to the client?

Regards,

Daniel
Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
On 27/02/17 10:04, Daniel Pocock wrote:
>
> I've observed the following problem:
>
> - dnsmasq is sending queries to 5 servers, one of them is not recursive
> and only answers for a private domain
>
> - if the first response dnsmasq receives comes from the non-recursive
> server (REFUSED), then dnsmasq is sending a REFUSED response to the client
>
> - dnsmasq subsequently receives a response from one of the recursive servers

This is expected behaviour. One possibility is to configure dnsmasq to forward requests to the non-recursive server only for the private domain, e.g.:

--server=/private.domain/non.recursive.server.ip

and a matching --rev-server directive if appropriate.
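Chris's suggestion written out as a dnsmasq configuration file, with the layout that reproduces the problem next to the corrected one. This is an added illustration, not a file from the thread, from OpenWRT or from the dnsmasq project; the resolver addresses, the 192.0.2.53 authoritative server, the corp.example domain and the 10.10.0.0/16 prefix are constructed placeholders, and the guess that the router's "send to all five servers" behaviour comes from dnsmasq's all-servers option is an assumption, since the thread does not say how OpenWRT configured it.

```conf
# Added example, not from the thread or from the dnsmasq project.
# All addresses, the domain and the prefix are constructed placeholders.

# ---- Layout that reproduces the problem reported in the thread ----
# Five plain "server=" entries. 192.0.2.53 is authoritative for corp.example
# only and answers REFUSED for every other name. With all-servers set (an
# assumption about the router's setup) dnsmasq forwards each query to every
# entry and relays whichever reply arrives first, so a REFUSED from
# 192.0.2.53 can reach the client before a real answer does.
#all-servers
#server=198.51.100.1
#server=198.51.100.2
#server=203.0.113.1
#server=203.0.113.2
#server=192.0.2.53

# ---- Corrected layout ----
# Plain "server=" entries must be recursive resolvers that answer for any name.
server=198.51.100.1
server=198.51.100.2

# Names under corp.example (and corp.example itself) go only to the
# authoritative server; it is never consulted for anything else, so its
# REFUSED answers can no longer be relayed for unrelated names.
server=/corp.example/192.0.2.53

# The matching reverse zone: PTR queries for 10.10.0.0/16 go to the same
# server (this is the --rev-server form Chris mentions).
rev-server=10.10.0.0/16,192.0.2.53

# Log each query together with the upstream it was forwarded to; useful to
# confirm that corp.example traffic now reaches 192.0.2.53 only.
log-queries
```

`dnsmasq --test -C <file>` checks the syntax of the file before it is deployed. On OpenWRT the same directive is carried in /etc/config/dhcp as `list server '/corp.example/192.0.2.53'` under the `config dnsmasq` section, which is what the router's generated configuration passes through to dnsmasq as --server.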
[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
I've observed the following problem:

- dnsmasq is sending queries to 5 servers, one of them is not recursive and only answers for a private domain

- if the first response dnsmasq receives comes from the non-recursive server (REFUSED), then dnsmasq is sending a REFUSED response to the client

- dnsmasq subsequently receives a response from one of the recursive servers