On 26/10/2019 03:47, Dominick C. Pastore wrote:
> On Fri, Oct 25, 2019, at 4:48 PM, Simon Kelley wrote:
>> On 20/10/2019 17:55, Dominick C. Pastore wrote:
>>> I apologize for continuing the discussion on this. The patch (applied on
>>> top of 2.80-1 provided by Debian Buster) completely solved the issues I was
>>> having, but I did notice a couple of other things.
>>>
>>> First, locally configured CNAMEs and records other than A or AAAA do not
>>> seem to play well together. For example, MX and TXT requests still get
>>> forwarded upstream, even after the patch. I played around with this a bit
>>> and discovered:
>>>
>>> 1. Unlike "host-record", "txt-record" and "mx-host" on the target are not
>>> enough to keep Dnsmasq from ignoring a locally defined CNAME. (I did not
>>> try others, like "srv-host".)
>>
>> This is true, and difficult to fix for very obscure reasons. It should
>> be more explicitly documented, or better, fixed.
>
> To be fair, the man page doesn't say that this should work. Although I
> suppose it also doesn't say that "host-record" should work, and that one does.
> If it would be helpful, I don't mind contributing documentation updates,
> although I'm not sure what Dnsmasq's conventions are for external
> contributions.
We bite the hand of anyone who improves docs......

>
>>> 2. In fact, Dnsmasq never follows a CNAME for MX or TXT requests, even when
>>> the CNAME does point to a host Dnsmasq knows locally. (I assume this is the
>>> reason for #1.)
>>>
>> Actually it's not; it's just that the CNAME code was never generalised to
>> handle stuff not in the cache. I've spent an enjoyable afternoon down
>> the rabbit-hole testing and rewriting, and this should be fixed now. The
>> prohibition on mixing local and upstream continues, but you can now
>> define a TXT/MX/SRV locally and a local CNAME pointing to it, and as
>> long as you define an A or AAAA record of the same name, all will be fine.
>>
>>> Second, it seems that when Dnsmasq caches an NXDOMAIN response from
>>> upstream, it starts giving a NODATA response for other request types on the
>>> same name. Strangely, log-queries indicates the requests are forwarded, but
>>> right after a SIGHUP to clear the cache, sending one of the NODATA queries
>>> results in NXDOMAIN.
>>
>> I can't reproduce this. Could you provide a simple example?
>
> Here is how I am able to reproduce it:
>
> 1. Query Dnsmasq for type A on a nonexistent domain (using dig). Get NXDOMAIN.
> 2. Query Dnsmasq for type AAAA on the same domain. Get NODATA.
> 3. Send SIGHUP to Dnsmasq to clear the cache.
> 4. Query Dnsmasq for type AAAA on the same domain again. This time, get
> NXDOMAIN.
>
> Here are the actual commands and output pasted from the shell:
>
> dominickpastore@platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion vlvtdnpxed.com A
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46341
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; AUTHORITY SECTION:
> com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1572043374 1800 900 604800 86400
>
> dominickpastore@platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion vlvtdnpxed.com AAAA
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40388
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
>
> dominickpastore@platinum:~$ sudo killall -HUP dnsmasq
> [sudo] password for dominickpastore:
>
> dominickpastore@platinum:~$ dig @127.0.0.1 +nocmd +nostats +noquestion vlvtdnpxed.com AAAA
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31058
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; AUTHORITY SECTION:
> com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1572043429 1800 900 604800 86400
>
> Querying the upstream server directly always results in NXDOMAIN.
>
> The other thing I noticed is that only an A or AAAA request triggers this.
> SRV, TXT, and MX requests do not. But once an A or AAAA request is made for a
> nonexistent domain, all other request types for that domain result in NODATA
> until the cache is flushed. To demonstrate what I mean:
>
> sudo killall -HUP dnsmasq
> dig @127.0.0.1 vlvtdnpxed.com TXT  # gives NXDOMAIN
> dig @127.0.0.1 vlvtdnpxed.com SRV  # gives NXDOMAIN
> dig @127.0.0.1 vlvtdnpxed.com AAAA # gives NXDOMAIN
> dig @127.0.0.1 vlvtdnpxed.com TXT  # gives NODATA
> dig @127.0.0.1 vlvtdnpxed.com SRV  # gives NODATA
> dig @127.0.0.1 vlvtdnpxed.com A    # gives NODATA
> dig @127.0.0.1 vlvtdnpxed.com AAAA # gives NXDOMAIN
>

You're running 2.80, right? I think we (not me) nailed this one already:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=162e5e0062ce923c494cc64282f293f0ed64fc10

Cheers,

Simon.
> Thanks,
> Nick

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
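The sequence in Nick's report is worth pinning down as a rule, because it is the rule a negative cache is supposed to follow. RFC 2308 distinguishes two negative answers: NXDOMAIN says the owner name does not exist at all, so it covers every record type, whereas NODATA (NOERROR with an empty answer section) says the name exists but has no records of the queried type, so it is specific to one type. A resolver that answers NXDOMAIN for one type and then NODATA for another on the same name is therefore telling clients two incompatible things, and software that treats NODATA as "the name exists" (address-family fallback, mail routing, host-existence checks) will be misled. The following is an added example, not dnsmasq code and not a description of its cache internals: it is a small model of RFC 2308 negative caching, plus an audit function that flags exactly the mixed NXDOMAIN/NODATA pattern seen in the dig output above. The upstream zone, the hypothetical `example.com.` records and the replayed observation list are all constructed for the demonstration; TTL handling is left out, with `flush()` standing in for the SIGHUP.

```python
# Added example, not dnsmasq code: a model of RFC 2308 negative caching and an
# audit over observed resolver answers. Upstream data, the example.com. records
# and the observation list are constructed; TTLs are omitted.

NXDOMAIN = "NXDOMAIN"
NODATA = "NODATA"      # NOERROR with ANSWER: 0
NOERROR = "NOERROR"

# Constructed stand-in for the upstream zone: owner name -> {qtype: [rdata]}
UPSTREAM = {
    "example.com.": {"A": ["192.0.2.1"], "MX": ["10 mail.example.com."]},
}


def upstream_query(name, qtype):
    """Constructed forwarder: NXDOMAIN for unknown names, NODATA for a known
    name without the requested type, otherwise the records."""
    if name not in UPSTREAM:
        return NXDOMAIN, []
    rrs = UPSTREAM[name].get(qtype, [])
    return (NOERROR, rrs) if rrs else (NODATA, [])


def classify(rcode, answer_count):
    """Map a dig-style header (status, ANSWER count) onto the negative cases."""
    if rcode == NXDOMAIN:
        return NXDOMAIN
    if rcode == NOERROR and answer_count == 0:
        return NODATA
    return rcode


class NegativeCache:
    """RFC 2308 semantics: an NXDOMAIN entry is keyed on the owner name and
    answers every qtype; a NODATA entry is keyed on (name, qtype) only."""

    def __init__(self):
        self.flush()

    def flush(self):
        """Equivalent of the SIGHUP in the report: drop everything."""
        self.nxdomain = set()       # names known not to exist
        self.nodata = set()         # (name, qtype) pairs known to be empty
        self.positive = {}          # (name, qtype) -> rdata
        self.forwarded = 0          # queries that actually went upstream

    def resolve(self, name, qtype):
        if name in self.nxdomain:
            return NXDOMAIN, []     # no type can exist under a missing name
        if (name, qtype) in self.nodata:
            return NODATA, []
        if (name, qtype) in self.positive:
            return NOERROR, self.positive[(name, qtype)]
        self.forwarded += 1
        rcode, rrs = upstream_query(name, qtype)
        if rcode == NXDOMAIN:
            self.nxdomain.add(name)
        elif rcode == NODATA:
            self.nodata.add((name, qtype))
        else:
            self.positive[(name, qtype)] = rrs
        return rcode, rrs


def audit(observations):
    """Flag a name that got NXDOMAIN for one qtype and NODATA for another
    without an intervening flush. observations: (name, qtype, rcode, answers)
    tuples, or ("FLUSH",). Returns (name, first_qtype, first_outcome, qtype,
    outcome) for each inconsistent answer."""
    first = {}      # name -> (qtype, outcome) of its first negative answer
    findings = []
    for obs in observations:
        if obs[0] == "FLUSH":
            first.clear()
            continue
        name, qtype, rcode, answers = obs
        outcome = classify(rcode, answers)
        if outcome not in (NXDOMAIN, NODATA):
            continue
        if name not in first:
            first[name] = (qtype, outcome)
        elif first[name][1] != outcome:
            findings.append((name, first[name][0], first[name][1], qtype, outcome))
    return findings


# Constructed replay of the dig sequence in the report (NOERROR/0 == NODATA).
OBSERVED = [
    ("FLUSH",),
    ("vlvtdnpxed.com.", "TXT", NXDOMAIN, 0),
    ("vlvtdnpxed.com.", "SRV", NXDOMAIN, 0),
    ("vlvtdnpxed.com.", "AAAA", NXDOMAIN, 0),
    ("vlvtdnpxed.com.", "TXT", NOERROR, 0),
    ("vlvtdnpxed.com.", "SRV", NOERROR, 0),
    ("vlvtdnpxed.com.", "A", NOERROR, 0),
    ("vlvtdnpxed.com.", "AAAA", NXDOMAIN, 0),
]


def replay_through_model(sequence):
    """Run the same query sequence through the RFC 2308 model; returns the
    answers and how many queries had to be forwarded."""
    cache = NegativeCache()
    answers = []
    for obs in sequence:
        if obs[0] == "FLUSH":
            cache.flush()
            continue
        answers.append(cache.resolve(obs[0], obs[1])[0])
    return answers, cache.forwarded


if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print("inconsistent negative answers:", finding)
    print(replay_through_model(OBSERVED))
```

Run against the replayed sequence, `audit` reports the three NODATA answers that followed the NXDOMAIN, while the model answers NXDOMAIN to all seven queries after a single upstream lookup. The same `audit` can be fed real dig output (status and ANSWER count per query) to check any resolver for this class of inconsistency; note also that the NODATA responses in the report carry no SOA in the authority section, so a client cannot even derive a negative TTL from them.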