Re: [Dnsmasq-discuss] dig +trace failing

2018-09-19 Thread Simon Kelley
The change in question causes dnsmasq to always return SERVFAIL for
queries without the "use recursion" bit set.


The relevant quote in the reference

http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf

is this:

Recommendation 2: secondly, and most importantly, non-authoritative
requests to DNS caches should not be allowed. For instance dnscache, a
popular caching-only DNS implementation, tries to prevent cache
snooping by refusing to answer non-recursive queries [3]. Another option
is to never consult the cache when responding to non-RD queries.

So dnsmasq could adopt the alternative: when rd is not set, never answer
from the cache, but always forward the query. That would allow dig
+trace to work.

Does that seem sensible?


Cheers,

Simon.



On 19/09/18 11:16, Dominik DL6ER wrote:
> Dear list members,
> 
> I expect "dig +trace" to show a trace of the delegation path from the
> root name servers for the name being looked up. This behavior is broken
> since commit 087eb76140725f8f1892ba6f251ea052d3440966
> 
> and is not fixed until now (I compiled and tested the most recent
> "master" branch of dnsmasq).
> 
> 
> 
> With dnsmasq v2.80test6, and v2.79, I see:
> 
> $ dig +trace www.example.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
> ;; global options: +cmd
> ;; Received 17 bytes from 192.168.2.11#53(pi.hole) in 76 ms
> 
> With dnsmasq v2.78 (and previously), I see:
> 
> $ dig +trace www.example.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
> ;; global options: +cmd
> .            42569    IN    NS    l.root-servers.net.
> .            42569    IN    NS    k.root-servers.net.
> .            42569    IN    NS    e.root-servers.net.
> .            42569    IN    NS    h.root-servers.net.
> .            42569    IN    NS    j.root-servers.net.
> .            42569    IN    NS    i.root-servers.net.
> .            42569    IN    NS    g.root-servers.net.
> .            42569    IN    NS    a.root-servers.net.
> .            42569    IN    NS    b.root-servers.net.
> .            42569    IN    NS    m.root-servers.net.
> .            42569    IN    NS    c.root-servers.net.
> .            42569    IN    NS    f.root-servers.net.
> .            42569    IN    NS    d.root-servers.net.
> ;; Received 241 bytes from 192.168.2.11#53(pi.hole) in 115 ms
> 
> 
> Best regards,
> Dominik
> 
> 
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
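The two ways of handling non-RD queries discussed in the reply above, as an added example in C (not dnsmasq's code, and not part of either message). The policy names, function names and sample query are hypothetical and constructed for illustration; the sample is shaped like the root NS lookup with RD clear that the thread implies "dig +trace" sends. A header-plus-question SERVFAIL for that query is 17 bytes, the same size as the reply shown in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 12
#define F_QR 0x80   /* flags byte 2: message is a response */
#define F_RD 0x01   /* flags byte 2: recursion desired */
#define RCODE_SERVFAIL 2
enum policy { REFUSE_NON_RD, FORWARD_NON_RD };   /* hypothetical names */
enum action { ACT_DROP, ACT_USE_CACHE, ACT_SERVFAIL, ACT_FORWARD_NO_CACHE };

/* Constructed sample: query for ". IN NS" with RD clear (17 bytes). */
static const uint8_t sample_query[] = { 0x12, 0x34, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01 };

/* Length of the single question (name + type + class); 0 if malformed. */
size_t question_len(const uint8_t *q, size_t len) {
    size_t i = HDR_LEN;
    if (len < HDR_LEN || q[4] != 0 || q[5] != 1) return 0;
    while (i < len && q[i] != 0) {
        if (q[i] > 63) return 0;   /* compression pointer or bad label */
        i += (size_t)q[i] + 1;
    }
    return (i + 5 <= len) ? i + 5 - HDR_LEN : 0;
}

/* Only queries with RD set may be answered from the cache. */
enum action decide(const uint8_t *q, size_t len, enum policy p) {
    if (question_len(q, len) == 0 || (q[2] & F_QR)) return ACT_DROP;
    if (q[2] & F_RD) return ACT_USE_CACHE;
    return p == REFUSE_NON_RD ? ACT_SERVFAIL : ACT_FORWARD_NO_CACHE;
}

/* Header-plus-question SERVFAIL reply; returns its length, 0 on error. */
size_t build_servfail(const uint8_t *q, size_t len, uint8_t *out, size_t cap) {
    size_t n = HDR_LEN + question_len(q, len);
    if (n == HDR_LEN || n > cap) return 0;
    memcpy(out, q, n);
    out[2] = (uint8_t)(F_QR | (q[2] & 0x79));   /* keep opcode and RD */
    out[3] = RCODE_SERVFAIL;                    /* other flag bits left clear */
    memset(out + 6, 0, 6);   /* no answer, authority or additional records */
    return n;
}

int main(void) {
    uint8_t r[64];
    printf("%zu\n", build_servfail(sample_query, sizeof sample_query, r, sizeof r));
    return 0;
}
```

Under `FORWARD_NON_RD` the cache is never consulted for a non-RD query, so the reply cannot reveal what earlier clients looked up, while the iterative lookups of a trace still get an answer from upstream.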



[Dnsmasq-discuss] dig +trace failing

2018-09-19 Thread Dominik DL6ER
Dear list members,

I expect "dig +trace" to show a trace of the delegation path from the
root name servers for the name being looked up. This behavior is broken
since commit 087eb76140725f8f1892ba6f251ea052d3440966

and is not fixed until now (I compiled and tested the most recent
"master" branch of dnsmasq).



With dnsmasq v2.80test6, and v2.79, I see:

$ dig +trace www.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
;; global options: +cmd
;; Received 17 bytes from 192.168.2.11#53(pi.hole) in 76 ms

With dnsmasq v2.78 (and previously), I see:

$ dig +trace www.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
;; global options: +cmd
.            42569    IN    NS    l.root-servers.net.
.            42569    IN    NS    k.root-servers.net.
.            42569    IN    NS    e.root-servers.net.
.            42569    IN    NS    h.root-servers.net.
.            42569    IN    NS    j.root-servers.net.
.            42569    IN    NS    i.root-servers.net.
.            42569    IN    NS    g.root-servers.net.
.            42569    IN    NS    a.root-servers.net.
.            42569    IN    NS    b.root-servers.net.
.            42569    IN    NS    m.root-servers.net.
.            42569    IN    NS    c.root-servers.net.
.            42569    IN    NS    f.root-servers.net.
.            42569    IN    NS    d.root-servers.net.
;; Received 241 bytes from 192.168.2.11#53(pi.hole) in 115 ms


Best regards,
Dominik
