Discussion:
[Dnsmasq-discuss] returns REFUSED when first response comes from non-recursive server
Daniel Pocock
2017-02-27 10:04:38 UTC
I've observed the following problem:

- dnsmasq is sending queries to 5 servers, one of them is not recursive
and only answers for a private domain

- if the first response dnsmasq receives comes from the non-recursive
server (REFUSED), then dnsmasq is sending a REFUSED response to the client

- dnsmasq subsequently receives a response from one of the recursive servers
Chris Novakovic
2017-02-27 12:31:20 UTC
Post by Daniel Pocock
- dnsmasq is sending queries to 5 servers, one of them is not recursive
and only answers for a private domain
- if the first response dnsmasq receives comes from the non-recursive
server (REFUSED), then dnsmasq is sending a REFUSED response to the client
- dnsmasq subsequently receives a response from one of the recursive servers
This is expected behaviour. One possibility is to configure dnsmasq to
forward requests to the non-recursive server only for the private
domain, e.g.:

--server=/private.domain/non.recursive.server.ip

and a matching --rev-server directive if appropriate.
Daniel Pocock
2017-02-27 15:40:14 UTC
Post by Chris Novakovic
Post by Daniel Pocock
- dnsmasq is sending queries to 5 servers, one of them is not recursive
and only answers for a private domain
- if the first response dnsmasq receives comes from the non-recursive
server (REFUSED), then dnsmasq is sending a REFUSED response to the client
- dnsmasq subsequently receives a response from one of the recursive servers
This is expected behaviour. One possibility is to configure dnsmasq to
forward requests to the non-recursive server only for the private
--server=/private.domain/non.recursive.server.ip
and a matching --rev-server directive if appropriate.
The router is running OpenWRT, I could make that change manually but
then I wouldn't be able to fully manage it with the GUI any more.

Can you confirm if this is the only way it can work according to the DNS
spec, or is it a dnsmasq design decision?

Could a software approach be taken by default, waiting to see if any
resolver provides a positive response before sending back REFUSED to the
client?

Regards,

Daniel
/dev/rob0
2017-02-27 16:42:02 UTC
Post by Daniel Pocock
Post by Chris Novakovic
Post by Daniel Pocock
- dnsmasq is sending queries to 5 servers, one of them is not
recursive and only answers for a private domain
- if the first response dnsmasq receives comes from the
non-recursive server (REFUSED), then dnsmasq is sending a
REFUSED response to the client
- dnsmasq subsequently receives a response from one of the
recursive servers
This is expected behaviour. One possibility is to configure
dnsmasq to forward requests to the non-recursive server only
--server=/private.domain/non.recursive.server.ip
and a matching --rev-server directive if appropriate.
The router is running OpenWRT, I could make that change manually
but then I wouldn't be able to fully manage it with the GUI any
more.
Can you confirm if this is the only way it can work according to
the DNS spec, or is it a dnsmasq design decision?
--server without the domain specified MUST be a recursive server,
willing to resolve your queries for any names.

--server/domain.example/ip.add.re.ss will only send queries for
domain.example (and *.domain.example) to ip.add.re.ss.
Post by Daniel Pocock
Could a software approach be taken by default, waiting to see
if any resolver provides a positive response before sending
back REFUSED to the client?
I don't see a valid use case for this. You have a configuration
error, by listing a non-recursive server among your upstream
recursive servers.

Perhaps the OpenWRT people didn't know enough about dnsmasq to
support this situation, or perhaps they didn't care. But dnsmasq
documentation of --server is clear enough about it.

Another problem you will have is when one of the actual upstream
recursive servers replies for "domain.example" with incorrect data.

(Side note: simple is good; listing more recursive servers will
generally not improve performance. If some of the servers you're
listing are not reliable enough, try one of the Google Public DNS
addresses, or run your own recursive resolver.)
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
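An added illustration of the routing rule described in the two replies above (bare --server entries are general upstreams that must be recursive; --server=/domain/ip entries receive only that domain and its subdomains). This is not dnsmasq's own code; the addresses and the domain name private.domain are constructed placeholders, and the matching logic is a simplified model of the behaviour the replies describe.

```python
# Simplified model of dnsmasq's --server selection, as described in the thread.
# Not dnsmasq code; all addresses and names below are constructed placeholders.
from typing import List, Tuple

# Constructed config resembling the router setup in the question: three upstreams
# listed as bare servers, although 198.51.100.10 only answers for private.domain.
MISCONFIGURED = [
    "server=192.0.2.53",     # recursive resolver (constructed)
    "server=192.0.2.54",     # recursive resolver (constructed)
    "server=198.51.100.10",  # non-recursive: answers private.domain only, REFUSED otherwise
]

# Constructed corrected config: the non-recursive server is scoped to its domain.
CORRECTED = [
    "server=192.0.2.53",
    "server=192.0.2.54",
    "server=/private.domain/198.51.100.10",
]


def parse_server_directives(lines: List[str]) -> List[Tuple[str, str]]:
    """Turn server= lines into (domain, ip) pairs; a bare server has domain ''."""
    out = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        value = line.split("=", 1)[1]
        if value.startswith("/"):
            _, domain, ip = value.split("/", 2)
            out.append((domain.lower().rstrip("."), ip))
        else:
            out.append(("", value))
    return out


def matches_domain(qname: str, domain: str) -> bool:
    """'' matches everything; otherwise match the domain itself or a subdomain of it."""
    q = qname.lower().rstrip(".")
    return domain == "" or q == domain or q.endswith("." + domain)


def select_upstreams(qname: str, servers: List[Tuple[str, str]]) -> List[str]:
    """Return the servers a query is forwarded to: only the most specific matching
    domain entries are used, so bare servers are consulted only when no
    domain-specific entry matches the query name."""
    best, chosen = -1, []
    for domain, ip in servers:
        if not matches_domain(qname, domain):
            continue
        if len(domain) > best:
            best, chosen = len(domain), [ip]
        elif len(domain) == best:
            chosen.append(ip)
    return chosen
```

With MISCONFIGURED, a query for www.example.com is forwarded to all three servers, including the one that will answer REFUSED; with CORRECTED it reaches only the two recursive servers, while host.private.domain goes only to 198.51.100.10.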
Simon Kelley
2017-02-27 21:52:27 UTC
The behaviour of believing the first REFUSED answer has been changed
for the forthcoming release.

There are a couple of long discussions about this on here.

Cheers,

Simon.
Post by /dev/rob0
Post by Daniel Pocock
Post by Chris Novakovic
Post by Daniel Pocock
- dnsmasq is sending queries to 5 servers, one of them is not
recursive and only answers for a private domain
- if the first response dnsmasq receives comes from the
non-recursive server (REFUSED), then dnsmasq is sending a
REFUSED response to the client
- dnsmasq subsequently receives a response from one of the
recursive servers
This is expected behaviour. One possibility is to configure
dnsmasq to forward requests to the non-recursive server only
--server=/private.domain/non.recursive.server.ip
and a matching --rev-server directive if appropriate.
The router is running OpenWRT, I could make that change manually
but then I wouldn't be able to fully manage it with the GUI any
more.
Can you confirm if this is the only way it can work according to
the DNS spec, or is it a dnsmasq design decision?
--server without the domain specified MUST be a recursive server,
willing to resolve your queries for any names.
--server/domain.example/ip.add.re.ss will only send queries for
domain.example (and *.domain.example) to ip.add.re.ss.
Post by Daniel Pocock
Could a software approach be taken by default, waiting to see if
any resolver provides a positive response before sending back
REFUSED to the client?
I don't see a valid use case for this. You have a configuration
error, by listing a non-recursive server among your upstream
recursive servers.
Perhaps the OpenWRT people didn't know enough about dnsmasq to
support this situation, or perhaps they didn't care. But dnsmasq
documentation of --server is clear enough about it.
Another problem you will have is when one of the actual upstream
recursive servers replies for "domain.example" with incorrect
data.
(Side note: simple is good; listing more recursive servers will
generally not improve performance. If some of the servers you're
listing are not reliable enough, try one of the Google Public DNS
addresses, or run your own recursive resolver.)