Re: [Dnsmasq-discuss] Odd DNS behaviour for www.freesat.co.uk
On Mon, Feb 17, 2020 at 09:05:34PM +, Simon Kelley wrote:

> It's pretty difficult to see what dnsmasq can do here, other than give
> up on caching such negative data.

Agreed.

> A reply _from_a_recursive_server_ which includes a CNAME, but no data
> for the target of the CNAME, contains the implication that the target
> doesn't exist.

Agreed.

> Apart from the zone admins, I think the other responsible parties here
> may be the recursive server you are using, (cloudflare at 1.1.1.1) By
> returning the data they are, they cause the problem.
>
> Testing here, I see different answers to the query www.freesat.co.uk at
> random,
>
> 1) SERVEFAIL
> 2) The four A records
> 3) A complete CNAME, including the A record for ghs.googlehosted.com.
> 4) Both 2 and 3 combined.
>
> I've not observed the incomplete CNAME that you saw, so maybe this has
> been fixed by Cloudflare?

I was seeing this problem earlier (and last week) with several recursive DNS servers, not just Cloudflare, including Google and several ISP DNS servers.

A few hours later I can't reproduce it! It looks like something had been broken and may be in the process of being fixed.

Thanks for looking.

--
Paul Martin

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Odd DNS behaviour for www.freesat.co.uk
On 17/02/2020 18:19, Paul Martin wrote:

> dnsmasq 2.80 (Debian).
>
> Performing an "A" query against www.freesat.co.uk returns the expected
> response on the first query.
>
> However, the target of the CNAME is cached as a negative response,
> even though it was never looked up. This could be considered a form
> of cache poisoning.
>
> The problem could be that both A and CNAME records are returned by the
> domain's authoritative server and this is confusing dnsmasq's cache.
>
> The DNS zone configuration here is definitely incorrect, but dnsmasq's
> behaviour in this instance is a concern.
>
> Setting "no-negcache" in dnsmasq.conf works around this problem.
>
>
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: query[A] www.freesat.co.uk from
> 127.0.0.1
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: forwarded www.freesat.co.uk to
> 1.1.1.1
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: reply www.freesat.co.uk is
> Feb 17 18:03:15 thinkpad dnsmasq[10582]: reply ghs.googlehosted.com is
> NODATA-IPv4
>
> Feb 17 18:05:51 thinkpad dnsmasq[10582]: query[A] www.freesat.co.uk from
> 127.0.0.1
> Feb 17 18:05:51 thinkpad dnsmasq[10582]: cached www.freesat.co.uk is
> Feb 17 18:05:51 thinkpad dnsmasq[10582]: cached ghs.googlehosted.com is
> NODATA-IPv4
>
> Feb 17 18:06:12 thinkpad dnsmasq[10582]: query[A] ghs.googlehosted.com from
> 127.0.0.1
> Feb 17 18:06:12 thinkpad dnsmasq[10582]: cached ghs.googlehosted.com is
> NODATA-IPv4
>
>
> $ dig www.freesat.co.uk @ns1.peer1.net
>
> ; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk @ns1.peer1.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22745
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;www.freesat.co.uk. IN A
>
> h;; ANSWER SECTION:
> www.freesat.co.uk. 300 IN CNAME ghs.googlehosted.com.
> www.freesat.co.uk. 300 IN A 216.239.34.21
> www.freesat.co.uk. 300 IN A 216.239.32.21
> www.freesat.co.uk. 300 IN A 216.239.36.21
> www.freesat.co.uk. 300 IN A 216.239.38.21
>
> ;; AUTHORITY SECTION:
> freesat.co.uk. 259200 IN NS ns1.peer1.net.
> freesat.co.uk. 259200 IN NS ns2.peer1.net.
>
> ;; ADDITIONAL SECTION:
> ns1.peer1.net. 21600 IN A 69.90.13.5
> ns2.peer1.net. 21600 IN A 69.90.13.6
>
> ;; Query time: 12 msec
> ;; SERVER: 69.90.13.5#53(69.90.13.5)
> ;; WHEN: Mon Feb 17 17:42:57 GMT 2020
> ;; MSG SIZE rcvd: 210
>
> $ dig www.freesat.co.uk a
>
> ; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51256
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.freesat.co.uk. IN A
>
> ;; ANSWER SECTION:
> www.freesat.co.uk. 300 IN CNAME ghs.googlehosted.com.
> www.freesat.co.uk. 300 IN A 216.239.36.21
> www.freesat.co.uk. 300 IN A 216.239.34.21
> www.freesat.co.uk. 300 IN A 216.239.38.21
> www.freesat.co.uk. 300 IN A 216.239.32.21
>
> ;; Query time: 14 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 17 18:03:15 GMT 2020
> ;; MSG SIZE rcvd: 144
>
> $ dig www.freesat.co.uk a
>
> ; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24120
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.freesat.co.uk. IN A
>
> ;; ANSWER SECTION:
> www.freesat.co.uk. 144 IN CNAME ghs.googlehosted.com.
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 17 18:05:51 GMT 2020
> ;; MSG SIZE rcvd: 80
>
> $ dig ghs.googlehosted.com a
>
> ; <<>> DiG 9.11.14-3-Debian <<>> ghs.googlehosted.com a
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9646
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ghs.googlehosted.com. IN A
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Feb 17 18:06:12 GMT 2020
> ;; MSG SIZE rcvd: 49
>
>
> (I have already sent an email trying to get freesat.co.uk to fix their
> zone but suspect that it will fall on deaf ears.)
>

It's pretty difficult to see what dnsmasq can do here, other than give up on caching such negative data.

A reply _from_a_recursive_server_ which includes a CNAME, but

[Dnsmasq-discuss] Odd DNS behaviour for www.freesat.co.uk
dnsmasq 2.80 (Debian).

Performing an "A" query against www.freesat.co.uk returns the expected response on the first query.

However, the target of the CNAME is cached as a negative response, even though it was never looked up. This could be considered a form of cache poisoning.

The problem could be that both A and CNAME records are returned by the domain's authoritative server and this is confusing dnsmasq's cache.

The DNS zone configuration here is definitely incorrect, but dnsmasq's behaviour in this instance is a concern.

Setting "no-negcache" in dnsmasq.conf works around this problem.


Feb 17 18:03:15 thinkpad dnsmasq[10582]: query[A] www.freesat.co.uk from 127.0.0.1
Feb 17 18:03:15 thinkpad dnsmasq[10582]: forwarded www.freesat.co.uk to 1.1.1.1
Feb 17 18:03:15 thinkpad dnsmasq[10582]: reply www.freesat.co.uk is
Feb 17 18:03:15 thinkpad dnsmasq[10582]: reply ghs.googlehosted.com is NODATA-IPv4

Feb 17 18:05:51 thinkpad dnsmasq[10582]: query[A] www.freesat.co.uk from 127.0.0.1
Feb 17 18:05:51 thinkpad dnsmasq[10582]: cached www.freesat.co.uk is
Feb 17 18:05:51 thinkpad dnsmasq[10582]: cached ghs.googlehosted.com is NODATA-IPv4

Feb 17 18:06:12 thinkpad dnsmasq[10582]: query[A] ghs.googlehosted.com from 127.0.0.1
Feb 17 18:06:12 thinkpad dnsmasq[10582]: cached ghs.googlehosted.com is NODATA-IPv4


$ dig www.freesat.co.uk @ns1.peer1.net

; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk @ns1.peer1.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22745
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.freesat.co.uk. IN A

h;; ANSWER SECTION:
www.freesat.co.uk. 300 IN CNAME ghs.googlehosted.com.
www.freesat.co.uk. 300 IN A 216.239.34.21
www.freesat.co.uk. 300 IN A 216.239.32.21
www.freesat.co.uk. 300 IN A 216.239.36.21
www.freesat.co.uk. 300 IN A 216.239.38.21

;; AUTHORITY SECTION:
freesat.co.uk. 259200 IN NS ns1.peer1.net.
freesat.co.uk. 259200 IN NS ns2.peer1.net.

;; ADDITIONAL SECTION:
ns1.peer1.net. 21600 IN A 69.90.13.5
ns2.peer1.net. 21600 IN A 69.90.13.6

;; Query time: 12 msec
;; SERVER: 69.90.13.5#53(69.90.13.5)
;; WHEN: Mon Feb 17 17:42:57 GMT 2020
;; MSG SIZE rcvd: 210

$ dig www.freesat.co.uk a

; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51256
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.freesat.co.uk. IN A

;; ANSWER SECTION:
www.freesat.co.uk. 300 IN CNAME ghs.googlehosted.com.
www.freesat.co.uk. 300 IN A 216.239.36.21
www.freesat.co.uk. 300 IN A 216.239.34.21
www.freesat.co.uk. 300 IN A 216.239.38.21
www.freesat.co.uk. 300 IN A 216.239.32.21

;; Query time: 14 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 17 18:03:15 GMT 2020
;; MSG SIZE rcvd: 144

$ dig www.freesat.co.uk a

; <<>> DiG 9.11.14-3-Debian <<>> www.freesat.co.uk a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24120
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.freesat.co.uk. IN A

;; ANSWER SECTION:
www.freesat.co.uk. 144 IN CNAME ghs.googlehosted.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 17 18:05:51 GMT 2020
;; MSG SIZE rcvd: 80

$ dig ghs.googlehosted.com a

; <<>> DiG 9.11.14-3-Debian <<>> ghs.googlehosted.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9646
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ghs.googlehosted.com. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 17 18:06:12 GMT 2020
;; MSG SIZE rcvd: 49


(I have already sent an email trying to get freesat.co.uk to fix their zone but suspect that it will fall on deaf ears.)

--
Paul Martin
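
The two response shapes discussed in this thread (a CNAME published alongside other records at the same owner name, and a CNAME whose target has no record of the queried type in the same answer) can be checked mechanically before a response is trusted by a cache. The following is an added example, not part of the original posts or of dnsmasq: the function names are its own, the first two inputs are copied from the dig output above, and the third is constructed with a documentation address.

```python
# Added example (not from the thread): audit a dig-style ANSWER section for
# the two response shapes discussed above. All names here are illustrative.

AUTH_ANSWER = """
www.freesat.co.uk. 300 IN CNAME ghs.googlehosted.com.
www.freesat.co.uk. 300 IN A 216.239.34.21
www.freesat.co.uk. 300 IN A 216.239.32.21
www.freesat.co.uk. 300 IN A 216.239.36.21
www.freesat.co.uk. 300 IN A 216.239.38.21
"""
CACHED_ANSWER = "www.freesat.co.uk. 144 IN CNAME ghs.googlehosted.com.\n"
# Constructed: a complete chain, using a documentation address (192.0.2.0/24).
COMPLETE_ANSWER = CACHED_ANSWER + "ghs.googlehosted.com. 300 IN A 192.0.2.10\n"

def parse_answer(text):
    """Return (owner, rtype, rdata) tuples, skipping blanks and ';' comments."""
    rrs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and not parts[0].startswith(";"):
            owner, _ttl, _cls, rtype, rdata = parts
            rrs.append((owner.lower(), rtype.upper(), rdata.strip().lower()))
    return rrs

def audit(text, qname, qtype="A"):
    """Return a list of (finding, name, detail) tuples for one answer section."""
    types, cname, findings = {}, {}, []
    for owner, rtype, rdata in parse_answer(text):
        types.setdefault(owner, set()).add(rtype)
        if rtype == "CNAME":
            cname[owner] = rdata
    # A CNAME must be the only data at its owner name (RFC 1034 section 3.6.2).
    for owner in cname:
        others = sorted(types[owner] - {"CNAME"})
        if others:
            findings.append(("cname-with-other-data", owner, ",".join(others)))
    # Follow the chain from qname; a cache that follows the CNAME finds no
    # qtype record for the terminal target, as the thread's logs show.
    name, seen = qname.lower(), set()
    while name in cname and name not in seen:
        seen.add(name)
        name = cname[name]
    if seen and qtype not in types.get(name, set()):
        findings.append(("cname-target-without-data", name, qtype))
    return findings
```

Run against the authoritative answer it reports both conditions; against the cached answer only the missing target data; against the complete chain nothing.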