Simon,

I've now worked out exactly what DNS request 'poisons' the dnsmasq cache. (This appears to be completely reproducible, although it is possible there are other, related queries which might have the same effect.)

After doing a tcpdump, it became clear that the cache became poisoned after dnsmasq received an 'ANY' request for the system with the split-horizon setup, i.e.

    $ host apollo
    apollo.ceu.ox.ac.uk has address 10.99.0.2
    $ host -t any apollo
    apollo.ceu.ox.ac.uk has address 163.1.168.2
    $ host apollo
    apollo.ceu.ox.ac.uk has address 10.99.0.2
    apollo.ceu.ox.ac.uk has address 163.1.168.2

etc.

The tcpdump shows that during the 'any' request, the dnsmasq host cannot serve it (presumably because it only has an 'A' record?) and the request is forwarded to the upstream DNS server, which returns the public IP, which then gets included in the cache.

Is this the expected behaviour of dnsmasq in these circumstances?

Dave.

--
Dave Ewart
da...@ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
Cancer Research UK / Oxford University
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
N 51.7518, W 1.2016
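The sequence reported above, as an added model that is not dnsmasq's code nor part of the original post: a forwarding resolver holding a local A record for apollo.ceu.ox.ac.uk, a constructed upstream stub returning the public address, and a flag (my own, not a dnsmasq option) that makes locally defined names authoritative so an ANY query is never forwarded and the upstream answer cannot enter the cache.

```python
# Model of the split-horizon cache pollution path (constructed, not dnsmasq code).
LOCAL_RECORDS = {("apollo.ceu.ox.ac.uk", "A"): {"10.99.0.2"}}   # local hosts entry
UPSTREAM = {("apollo.ceu.ox.ac.uk", "A"): {"163.1.168.2"}}       # constructed upstream


def upstream_lookup(name, qtype):
    """Stub upstream resolver; answers ANY with every record it holds for the name."""
    if qtype == "ANY":
        return {k: set(v) for k, v in UPSTREAM.items() if k[0] == name}
    return {(name, qtype): set(UPSTREAM.get((name, qtype), ()))}


class ForwardingCache:
    """Minimal forwarding resolver with one merged answer cache.

    authoritative_local=False reproduces the behaviour in the post: a query the
    local data cannot satisfy (ANY) is forwarded upstream and the reply is merged
    into the cache next to the local entry, so later A queries return both.
    authoritative_local=True is the mitigation (hypothetical flag): names that
    exist in the local records are answered from local data only.
    """

    def __init__(self, authoritative_local):
        self.authoritative_local = authoritative_local
        self.cache = {k: set(v) for k, v in LOCAL_RECORDS.items()}

    def _local_defined(self, name):
        return any(k[0] == name for k in LOCAL_RECORDS)

    def _all_cached(self, name):
        return {a for k, v in self.cache.items() if k[0] == name for a in v}

    def query(self, name, qtype):
        # Only an exact-type cache hit counts as answerable without forwarding.
        if qtype != "ANY" and (name, qtype) in self.cache:
            return set(self.cache[(name, qtype)])
        if self.authoritative_local and self._local_defined(name):
            return self._all_cached(name)          # never consult upstream
        reply = upstream_lookup(name, qtype)
        for key, addrs in reply.items():
            self.cache.setdefault(key, set()).update(addrs)   # the pollution step
        return {a for v in reply.values() for a in v}        # what upstream said
```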
I've now worked out exactly what DNS request 'poisons' the dnsmasq cache. (This appears to be completely reproducible, although it is possible there are other, related queries which might have the same effect.) After doing a tcpdump, it became clear that the cache became poisoned after dnsmasq received an 'ANY' request for the system with the split-horizon setup. i.e. $ host apollo apollo.ceu.ox.ac.uk has address 10.99.0.2 $ host -t any apollo apollo.ceu.ox.ac.uk has address 163.1.168.2 $ host apollo apollo.ceu.ox.ac.uk has address 10.99.0.2 apollo.ceu.ox.ac.uk has address 163.1.168.2 etc. The tcpdump shows that during the 'any' request, the dnsmasq host cannot serve it (presumably because it only has an 'A' record?) and the request is forwarded to the upstream DNS server, which returns the public IP, which then gets included in the cache. Is this the expected behaviour of dnsmasq in these circumstances? Dave. - -- Dave Ewart da...@ceu.ox.ac.uk Computing Manager, Cancer Epidemiology Unit Cancer Research UK / Oxford University PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370 N 51.7518, W 1.2016 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFDAx0wbpQs/WlN43ARApNsAJ9rJFnmTX1fOFlrNdx0aKVpMiJoyACeJ4V6 o14T4LzzSq0Hma9gYPEwD1o= =+RR/ -----END PGP SIGNATURE-----