Re: [Dnsmasq-discuss] With --all-servers option enabled, query failed due to first answer with no answer section
On 24/07/14 08:20, 毕勤 wrote:

> Well, I just figured out that it might be due to the DNS hijack of China's Great Firewall. The GFW hijacks the DNS process and returns a fake response package, with the response code=0 (means no error) but no Answer RRs (Answer RRs=0). It's obviously illogical but legal for a resolver.
>
> So, maybe I should not require this problem to be solved by dnsmasq; I can use iptables to drop that kind of fake response.

Be careful, that answer is perfectly sensible. It means that there's some data in the DNS for that name, but not of the type you asked for. For instance if I asked for an IPv6 address (AAAA record) for a host which didn't have an IPv6 address, but it did have an IPv4 address (A record) then I'd get a reply with zero answer RRs and zero error code. This sort of reply is called NODATA.

In answer to your original question: Dnsmasq always believes answers it gets if the answer is NXDOMAIN or NODATA because they are common and legitimate answers. It's not generally good to go slower by trying another server when you have an answer already. For your application, it would be quite easy to patch dnsmasq to change the behaviour. I think the problem might be that the GW could then start returning a different valid but wrong answer, and you'd be no further forward.

Cheers,

Simon.

> I'm sorry for any bother.
>
> Bi Qin
>
> On Thu, Jul 24, 2014 at 10:01 AM, 毕勤 lea...@gmail.com wrote:
>
>> Hi List,
>>
>> I have configured multiple DNS servers in the config file with the --all-servers option enabled. The reason I did this is to get the correct answer from foreign DNS (due to the DNS poisoning of China's Great Firewall) without losing the fast query speed of local (China) DNS.
>>
>> The problem is, when I queried certain domains (scontent-a.cdninstagram.com, e.g.), the first answer from the local DNS has no answer section (still a DNS poisoning issue), and then Dnsmasq accepts and takes this as the final answer, as it's the first answer. This makes the queries for that domain from the desktop fail.
>>
>> In the meantime, forcing dig to query that domain with Google DNS gives me the correct answer with an answer section.
>>
>> I understand that's correct behavior as described in Dnsmasq's manpage for the --all-servers option. And I can deal with it with the server=/domain/DNS option to use a certain DNS for a certain domain as a temporary solution.
>>
>> But could it be more intelligent? When the --all-servers option is enabled, force Dnsmasq to query the other configured servers if the first answer has no answer section. Which means Dnsmasq will take the first answer with an answer section as the result, rather than the first answer returned.
>>
>> Thank you!
>>
>> Bi Qin

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
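
An added example, not part of the thread and not dnsmasq code: it classifies replies from the DNS header as described in the reply above (RCODE 0 with zero answer RRs is NODATA) and compares "first reply wins" with the policy the original post asks for. The packets, server labels, `host.example`, the addresses and the `first_with_answers` policy are constructed or hypothetical.

```python
import socket
import struct

def build_reply(qname, rcode=0, addrs=()):
    """Build a constructed DNS reply to an A query (sample data, not captured traffic)."""
    flags = 0x8180 | rcode                      # QR=1, RD=1, RA=1, plus RCODE
    header = struct.pack("!6H", 0x1234, flags, 1, len(addrs), 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!2H", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + socket.inet_aton(a)
        for a in addrs)                         # owner name = pointer to offset 12
    return header + question + answers

def classify(packet):
    """Return 'NXDOMAIN', 'NODATA', 'ANSWER' or 'ERROR' using only the 12-byte header."""
    if len(packet) < 12:
        return "ERROR"
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"
    if rcode != 0:
        return "ERROR"
    return "ANSWER" if ancount > 0 else "NODATA"

def first_reply(replies):
    """Behaviour described in the thread: the first reply to arrive is believed."""
    return replies[0]

def first_with_answers(replies):
    """Hypothetical policy from the request: prefer the first reply carrying answer RRs."""
    for server, packet in replies:
        if classify(packet) == "ANSWER":
            return server, packet
    return replies[0]                           # every server said NODATA/NXDOMAIN

NAME = "host.example"
# Constructed arrival order: empty NOERROR reply first, reply with an A record second.
RACE = [("local", build_reply(NAME)),
        ("foreign", build_reply(NAME, addrs=["192.0.2.10"]))]
# The caveat from the reply: the first reply is well formed but carries a wrong address.
FORGED = [("local", build_reply(NAME, addrs=["203.0.113.66"])), RACE[1]]

if __name__ == "__main__":
    for label, order in (("RACE", RACE), ("FORGED", FORGED)):
        print(label, first_reply(order)[0], first_with_answers(order)[0])
```

With the `FORGED` order both policies return the first server's reply, because a header check cannot tell a wrong but well-formed answer from a correct one.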
Re: [Dnsmasq-discuss] With --all-servers option enabled, query failed due to first answer with no answer section
Well, I just figured out that it might be due to the DNS hijack of China's Great Firewall. The GFW hijacks the DNS process and returns a fake response package, with the response code=0 (means no error) but no Answer RRs (Answer RRs=0). It's obviously illogical but legal for a resolver.

So, maybe I should not require this problem to be solved by dnsmasq; I can use iptables to drop that kind of fake response.

I'm sorry for any bother.

Bi Qin

On Thu, Jul 24, 2014 at 10:01 AM, 毕勤 lea...@gmail.com wrote:

> Hi List,
>
> I have configured multiple DNS servers in the config file with the --all-servers option enabled. The reason I did this is to get the correct answer from foreign DNS (due to the DNS poisoning of China's Great Firewall) without losing the fast query speed of local (China) DNS.
>
> The problem is, when I queried certain domains (scontent-a.cdninstagram.com, e.g.), the first answer from the local DNS has no answer section (still a DNS poisoning issue), and then Dnsmasq accepts and takes this as the final answer, as it's the first answer. This makes the queries for that domain from the desktop fail.
>
> In the meantime, forcing dig to query that domain with Google DNS gives me the correct answer with an answer section.
>
> I understand that's correct behavior as described in Dnsmasq's manpage for the --all-servers option. And I can deal with it with the server=/domain/DNS option to use a certain DNS for a certain domain as a temporary solution.
>
> But could it be more intelligent? When the --all-servers option is enabled, force Dnsmasq to query the other configured servers if the first answer has no answer section. Which means Dnsmasq will take the first answer with an answer section as the result, rather than the first answer returned.
>
> Thank you!
>
> Bi Qin
[Dnsmasq-discuss] With --all-servers option enabled, query failed due to first answer with no answer section
Hi List,

I have configured multiple DNS servers in the config file with the --all-servers option enabled. The reason I did this is to get the correct answer from foreign DNS (due to the DNS poisoning of China's Great Firewall) without losing the fast query speed of local (China) DNS.

The problem is, when I queried certain domains (scontent-a.cdninstagram.com, e.g.), the first answer from the local DNS has no answer section (still a DNS poisoning issue), and then Dnsmasq accepts and takes this as the final answer, as it's the first answer. This makes the queries for that domain from the desktop fail.

In the meantime, forcing dig to query that domain with Google DNS gives me the correct answer with an answer section.

I understand that's correct behavior as described in Dnsmasq's manpage for the --all-servers option. And I can deal with it with the server=/domain/DNS option to use a certain DNS for a certain domain as a temporary solution.

But could it be more intelligent? When the --all-servers option is enabled, force Dnsmasq to query the other configured servers if the first answer has no answer section. Which means Dnsmasq will take the first answer with an answer section as the result, rather than the first answer returned.

Thank you!

Bi Qin