Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
On Mon, Feb 27, 2017 at 04:40:14PM +0100, Daniel Pocock wrote: > On 27/02/17 13:31, Chris Novakovic wrote: > > On 27/02/17 10:04, Daniel Pocock wrote: > >> > >> I've observed the following problem: > >> > >> - dnsmasq is sending queries to 5 servers, one of them is not > >> recursive and only answers for a private domain > >> > >> - if the first response dnsmasq receives comes from the > >> non-recursive server (REFUSED), then dnsmasq is sending a > >> REFUSED response to the client > >> > >> - dnsmasq subsequently receives a response from one of the > >> recursive servers > > > > This is expected behaviour. One possibility is to configure > > dnsmasq to forward requests to the non-recursive server only > > for the private domain, e.g.: > > > > --server=/private.domain/non.recursive.server.ip > > > > and a matching --rev-server directive if appropriate. > > The router is running OpenWRT, I could make that change manually > but then I wouldn't be able to fully manage it with the GUI any > more. > > Can you confirm if this is the only way it can work according to > the DNS spec, or is it a dnsmasq design decision? --server without the domain specified MUST be a recursive server, willing to resolve your queries for any names. --server/domain.example/ip.add.re.ss will only send queries for domain.example (and *.domain.example) to ip.add.re.ss. > Could a software approach be taken by default, waiting to see > if any resolver provides a positive response before sending > back REFUSED to the client? I don't see a valid use case for this. You have a configuration error, by listing a non-recursive server among your upstream recursive servers. Perhaps the OpenWRT people didn't know enough about dnsmasq to support this situation, or perhaps they didn't care. But dnsmasq documentation of --server is clear enough about it. Another problem you will have is when one of the actual upstream recursive servers replies for "domain.example" with incorrect data. (Side note: simple is good; listing more recursive servers will generally not improve performance. If some of the servers you're listing are not reliable enough, try one of the Google Public DNS addresses, or run your own recursive resolver.) -- http://rob0.nodns4.us/ Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
On 27/02/17 13:31, Chris Novakovic wrote: > On 27/02/17 10:04, Daniel Pocock wrote: >> >> I've observed the following problem: >> >> - dnsmasq is sending queries to 5 servers, one of them is not recursive >> and only answers for a private domain >> >> - if the first response dnsmasq receives comes from the non-recursive >> server (REFUSED), then dnsmasq is sending a REFUSED response to the client >> >> - dnsmasq subsequently receives a response from one of the recursive servers > > This is expected behaviour. One possibility is to configure dnsmasq to > forward requests to the non-recursive server only for the private > domain, e.g.: > > --server=/private.domain/non.recursive.server.ip > > and a matching --rev-server directive if appropriate. > The router is running OpenWRT, I could make that change manually but then I wouldn't be able to fully manage it with the GUI any more. Can you confirm if this is the only way it can work according to the DNS spec, or is it a dnsmasq design decision? Could a software approach be taken by default, waiting to see if any resolver provides a positive response before sending back REFUSED to the client? Regards, Daniel ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
On 27/02/17 10:04, Daniel Pocock wrote: > > I've observed the following problem: > > - dnsmasq is sending queries to 5 servers, one of them is not recursive > and only answers for a private domain > > - if the first response dnsmasq receives comes from the non-recursive > server (REFUSED), then dnsmasq is sending a REFUSED response to the client > > - dnsmasq subsequently receives a response from one of the recursive servers This is expected behaviour. One possibility is to configure dnsmasq to forward requests to the non-recursive server only for the private domain, e.g.: --server=/private.domain/non.recursive.server.ip and a matching --rev-server directive if appropriate. ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
I've observed the following problem: - dnsmasq is sending queries to 5 servers, one of them is not recursive and only answers for a private domain - if the first response dnsmasq receives comes from the non-recursive server (REFUSED), then dnsmasq is sending a REFUSED response to the client - dnsmasq subsequently receives a response from one of the recursive servers ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss