[Dnsmasq-discuss] domain-needed is ignored
Hi,

I have the following configuration of dnsmasq:

log-facility=/var/log/dnsmasq.log
interface=switch0
cache-size=1024
domain-needed
no-negcache
expand-hosts
domain=b
bogus-nxdomain=86.35.3.192
bogus-nxdomain=86.35.3.193
stop-dns-rebind
rebind-domain-ok=c
log-queries
localise-queries
bogus-priv
local=/b/
server=192.168.2.1

Because of the domain-needed option I expected that a host-only lookup, without a domain part, will not be forwarded to upstream servers (in my case 192.168.2.1), but it seems this is not the case.

The dnsmasq runs on an EdgeRouter and has the following version:

root@bucuresti:/etc# /usr/sbin/dnsmasq --version
Dnsmasq version 2.78-20-geaeda96 Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

If I look up a host with the local domain, then the request is not going to the upstream server. Please see below the logged queries:

Jun 21 09:13:31 dnsmasq[21398]: query[A] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv4
Jun 21 09:13:31 dnsmasq[21398]: query[] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv6
Jun 21 09:13:31 dnsmasq[21398]: query[MX] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: forwarded rrr to 192.168.2.1
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN

Is this a bug? Is there any configuration missing? I expected that the rrr lookup will not be forwarded to the upstream server (192.168.2.1).

Thanks,
Spon

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
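The following is an added example, not part of the original post or of dnsmasq: a Python script that scans log-queries output such as the lines quoted above and reports every plain (dotless) name that was forwarded upstream, together with the query type that preceded the forward. The function names are hypothetical, and pairing a "forwarded" line with the most recent "query" line for the same name is an assumption that holds for a quiet log like this one.

```python
import re

# Log lines copied from the post above (dnsmasq log-queries output).
SAMPLE_LOG = """\
Jun 21 09:13:31 dnsmasq[21398]: query[A] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv4
Jun 21 09:13:31 dnsmasq[21398]: query[] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv6
Jun 21 09:13:31 dnsmasq[21398]: query[MX] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: forwarded rrr to 192.168.2.1
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]*)\] (?P<name>\S+) from \S+")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<server>\S+)")


def is_plain_name(name):
    """True for a name with no domain part (a trailing root dot is ignored)."""
    return "." not in name.rstrip(".")


def forwarded_plain_names(log_text):
    """Return (qtype, name, upstream) for every plain name sent upstream."""
    last_qtype = {}  # name -> type of the most recent query seen for it
    leaks = []
    for line in log_text.splitlines():
        query = QUERY_RE.search(line)
        if query:
            # An empty type (as in "query[]" above) is recorded as "?".
            last_qtype[query["name"].lower()] = query["qtype"] or "?"
            continue
        fwd = FORWARD_RE.search(line)
        if fwd and is_plain_name(fwd["name"]):
            name = fwd["name"].lower()
            # Assumption: the forward belongs to the latest query for this name.
            leaks.append((last_qtype.get(name, "?"), name, fwd["server"]))
    return leaks


if __name__ == "__main__":
    for qtype, name, server in forwarded_plain_names(SAMPLE_LOG):
        print(f"plain name {name!r} ({qtype} query) forwarded to {server}")
```

On the quoted log this reports only the MX query for rrr; the A query and the untyped query for the same name were answered from config and never reached 192.168.2.1.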
Re: [Dnsmasq-discuss] Implementation of DOH in dnsmasq
On Wed, Jun 20, 2018 at 10:11:53AM +0200, Nicolas Cavallari wrote:
> On 14/06/2018 22:32, Kurt H Maier wrote:
> > On Thu, Jun 14, 2018 at 09:38:42PM +0200, Mateusz Jończyk wrote:
> >>
> >> How difficult would it be to add support to DNS over HTTP/2.0 in dnsmasq, for
> >> example in constrained environments like home routers?
> >>
> >
> > This should be handled with a wrapper program. HTTP/2.0 is an enormous
> > and ill-defined specification and it would not be appropriate to bolt it
> > directly into dnsmasq. A dedicated HTTP/2.0 daemon can talk to dnsmasq
> > on the backend to provide this service. Home routers are not
> > particularly constrained in this regard, since they generally have web
> > services running to begin with.
>
> It's much more than that. To be secure, TLS requires time, entropy and a CA
> list. Many home routers fail at having all three, or require the DNS to get
> time and CAs...
>
> >> Please send any replies to the DoH mailing list at .
> >
> > Why?
>
> Because by doing so you will be subjected to the various IETF policies that
> apply to anyone participating on the IETF mailing list, which includes
> copyright grants, patents disclosure and other things that should be read by a
> lawyer.
>

No new text, just doing the
} Please send any replies to the DoH mailing list at .

Regards
Geert Stappers

Subscriber of mailinglist dnsmasq-discuss@lists.thekelleys.org.uk
--
Live and let live
Re: [Dnsmasq-discuss] Implementation of DOH in dnsmasq
On 14/06/2018 22:32, Kurt H Maier wrote:
> On Thu, Jun 14, 2018 at 09:38:42PM +0200, Mateusz Jończyk wrote:
>>
>> How difficult would it be to add support to DNS over HTTP/2.0 in dnsmasq, for
>> example in constrained environments like home routers?
>>
>
> This should be handled with a wrapper program. HTTP/2.0 is an enormous
> and ill-defined specification and it would not be appropriate to bolt it
> directly into dnsmasq. A dedicated HTTP/2.0 daemon can talk to dnsmasq
> on the backend to provide this service. Home routers are not
> particularly constrained in this regard, since they generally have web
> services running to begin with.

It's much more than that. To be secure, TLS requires time, entropy and a CA list. Many home routers fail at having all three, or require the DNS to get time and CAs...

>> Please send any replies to the DoH mailing list at .
>
> Why?

Because by doing so you will be subjected to the various IETF policies that apply to anyone participating on the IETF mailing list, which includes copyright grants, patents disclosure and other things that should be read by a lawyer.