[Dnsmasq-discuss] domain-needed is ignored
Spon Spon
2018-06-21 06:15:30 UTC
Hi,
I have following configuration of dnsmasq:
log-facility=/var/log/dnsmasq.log
interface=switch0
cache-size=1024
domain-needed
no-negcache
expand-hosts
domain=b
bogus-nxdomain=86.35.3.192
bogus-nxdomain=86.35.3.193
stop-dns-rebind
rebind-domain-ok=c
log-queries
localise-queries
bogus-priv
local=/b/
server=192.168.2.1

Because of the domain-needed option I expected that a host-only lookup, without a domain part, will not be forwarded to upstream servers (in my case 192.168.2.1), but this seems not to be the case. The dnsmasq runs on an EdgeRouter and has the following version:
***@bucuresti:/etc# /usr/sbin/dnsmasq --version
Dnsmasq version 2.78-20-geaeda96  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

If I look up a host with the local domain, then the request does not go to the upstream server. Please see below the logged queries:

Jun 21 09:13:31 dnsmasq[21398]: query[A] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv4
Jun 21 09:13:31 dnsmasq[21398]: query[AAAA] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv6
Jun 21 09:13:31 dnsmasq[21398]: query[MX] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: forwarded rrr to 192.168.2.1
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN

Is this a bug? Is there any configuration missing? I expected that the rrr lookup will not be forwarded to the upstream server (192.168.2.1).

Thanks,
Spon
Geert Stappers
2018-06-21 07:51:59 UTC
Post by Spon Spon
Hi,
...
Post by Spon Spon
domain-needed
...
Post by Spon Spon
Because of domain-needed option I expected that host only lookup,
without domain part will not forwarded to upstream servers (in my case
192.168.2.1, but this seems it is not the case.
Please elaborate "seems"
Is it being polite or only having "forwarded" in logging and no further proof?
Post by Spon Spon
Dnsmasq version 2.78-20-geaeda96  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
If I lookup a host with local domain, then the request is not going
Jun 21 09:13:31 dnsmasq[21398]: query[A] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv4
Jun 21 09:13:31 dnsmasq[21398]: query[AAAA] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv6
Jun 21 09:13:31 dnsmasq[21398]: query[MX] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: forwarded rrr to 192.168.2.1
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN
Is this a bug? Is there any configuration missing? I expected that
rrr lookup wil not be forwarded to upstream server (192.168.2.1)
The dnsmasq manual page says

-D, --domain-needed
Tells dnsmasq to never forward A or AAAA queries for plain names,
without dots or domain parts, to upstream nameservers. If
the name is not known from /etc/hosts or DHCP then a "not found"
answer is returned.

So it would prevent the cost of a dial-out connection.


..... local testing .....


Jun 21 09:41:14 weiss dnsmasq[24942]: query[MX] inertia from 172.24.0.36
Jun 21 09:41:14 weiss dnsmasq[24942]: forwarded inertia to 172.24.0.10

That forward, unexpected given 'domain-needed', is visible with tcpdump
at my upstream DNS :-(


Greetings
Geert Stappers
--
Live and let live
Spon Spon
2018-06-21 09:34:54 UTC
The lookup is forwarded to the upstream DNS server. This can be seen in the log and also through tcpdump. So even though domain-needed is used, the lookup leaks to the upstream server, and as per this setting it should not.


From: Geert Stappers <***@stappers.nl>
To: dnsmasq-***@lists.thekelleys.org.uk
Sent: Thursday, June 21, 2018 11:20 AM
Subject: Re: [Dnsmasq-discuss] domain-needed is ignored
Daryl Richards
2018-06-21 10:52:16 UTC
The manual states that A and AAAA records won't be forwarded. Both of
your examples were forwarding MX record requests.
Post by Spon Spon
The lookup is forwarded to upstream DNS server.  This can be seen in
log and also through tcpdump. So even domain-needed is used the lookup
leaks to upstream server, and as per this settings it should not.
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
--
Daryl Richards
Isle Technical Services Inc.
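An added check, not from the thread or the dnsmasq project, that walks dnsmasq --log-queries output and reports every dotless name that was forwarded upstream together with its record type; run over the thread's own log lines (embedded below as a constructed sample) it shows that only non-A/AAAA queries, here MX, leak past domain-needed. The pairing of a "forwarded" line with the most recent "query" line for the same name is an assumption about the log order, which the thread's excerpts support.

```python
import re

# dnsmasq --log-queries lines copied from the thread (constructed sample input)
SAMPLE_LOG = """\
Jun 21 09:13:31 dnsmasq[21398]: query[A] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv4
Jun 21 09:13:31 dnsmasq[21398]: query[AAAA] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: config rrr is NODATA-IPv6
Jun 21 09:13:31 dnsmasq[21398]: query[MX] rrr from 127.0.0.1
Jun 21 09:13:31 dnsmasq[21398]: forwarded rrr to 192.168.2.1
Jun 21 09:13:38 dnsmasq[21398]: query[A] rrr.b from 127.0.0.1
Jun 21 09:13:38 dnsmasq[21398]: config rrr.b is NXDOMAIN
Jun 21 09:41:14 weiss dnsmasq[24942]: query[MX] inertia from 172.24.0.36
Jun 21 09:41:14 weiss dnsmasq[24942]: forwarded inertia to 172.24.0.10
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)")


def plain_name_leaks(log_text):
    """Return (name, qtype, client, upstream) for each query of a dotless
    name that dnsmasq forwarded upstream.  Assumption: dnsmasq logs the
    query line first and the outcome line (config/cached/forwarded) after
    it, so a 'forwarded' line is matched to the latest query for that name."""
    last_query = {}  # name -> (qtype, client)
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qtype, name, client = m.groups()
            last_query[name] = (qtype, client)
            continue
        m = FORWARD_RE.search(line)
        if m:
            name, upstream = m.groups()
            # a plain name has no dot apart from a possible trailing root dot
            if "." not in name.rstrip(".") and name in last_query:
                qtype, client = last_query[name]
                leaks.append((name, qtype, client, upstream))
    return leaks


def types_outside_domain_needed(leaks):
    """Record types among the leaks that the manual page says
    --domain-needed does not cover (it only withholds A and AAAA)."""
    return sorted({qtype for _, qtype, _, _ in leaks if qtype not in ("A", "AAAA")})


if __name__ == "__main__":
    found = plain_name_leaks(SAMPLE_LOG)
    for name, qtype, client, upstream in found:
        print("plain-name %s query for %s from %s forwarded to %s" % (qtype, name, client, upstream))
    print("types not covered by domain-needed:", types_outside_domain_needed(found))
```

Point it at the real log-facility file to confirm, before reaching for tcpdump, which record types are leaving the resolver for unqualified names.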
Spon Spon
2018-06-21 10:54:10 UTC
Through testing I discovered the following: if I issue "host rrrr" then the request is forwarded to the upstream server, and it should not be.
If I issue "ping kkkk" then the request is NOT forwarded to the upstream server, as expected. (I put rrrr and kkkk just to be sure the cache is not involved.)

The tcpdump (first 2 packets, between the process and dnsmasq, and its reply) is below:
In case of host rrr we have:
13:40:19.858325 IP localhost.40987 > localhost.domain: 54601+ A? jjjj. (22)
13:40:19.860678 IP localhost.domain > localhost.40987: 54601 0/0/0 (22)

In case of ping kkkk we have:

13:41:17.232389 IP localhost.58411 > localhost.domain: 1381+ A? kkkk. (22)
13:41:17.416815 IP localhost.domain > localhost.58411: 1381 0/0/0 (22)
Thanks,
Spon