Discussion:
[Dnsmasq-discuss] dig +trace failing
Dominik DL6ER
2018-09-19 10:16:17 UTC
Dear list members,

I expect "dig +trace" to show a trace of the delegation path from the
root name servers for the name being looked up. This behavior is broken
since commit 087eb76140725f8f1892ba6f251ea052d3440966
<http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=087eb76140725f8f1892ba6f251ea052d3440966>
and is not fixed until now (I compiled and tested the most recent
"master" branch of dnsmasq).
With dnsmasq v2.80test6, and v2.79, I see:

$ dig +trace www.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
;; global options: +cmd
;; Received 17 bytes from 192.168.2.11#53(pi.hole) in 76 ms

With dnsmasq v2.78 (and previously), I see:

$ dig +trace www.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
;; global options: +cmd
.            42569    IN    NS    l.root-servers.net.
.            42569    IN    NS    k.root-servers.net.
.            42569    IN    NS    e.root-servers.net.
.            42569    IN    NS    h.root-servers.net.
.            42569    IN    NS    j.root-servers.net.
.            42569    IN    NS    i.root-servers.net.
.            42569    IN    NS    g.root-servers.net.
.            42569    IN    NS    a.root-servers.net.
.            42569    IN    NS    b.root-servers.net.
.            42569    IN    NS    m.root-servers.net.
.            42569    IN    NS    c.root-servers.net.
.            42569    IN    NS    f.root-servers.net.
.            42569    IN    NS    d.root-servers.net.
;; Received 241 bytes from 192.168.2.11#53(pi.hole) in 115 ms
Best regards,
Dominik
Simon Kelley
2018-09-19 11:27:12 UTC
The change in question causes dnsmasq to always return SERVFAIL for
queries without the "use recursion" bit set.
The relevant quote in the reference

http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf

is this:

Recommendation 2: secondly, and most importantly, non-authoritative
requests to DNS caches should not be allowed. For instance dnscache, a
popular caching-only DNS implementation, tries to prevent cache
snooping by refusing to answer non-recursive queries [3]. Another option
is to never consult the cache when responding to non-RD queries.

So dnsmasq could adopt the alternative: when rd is not set, never answer
from the cache, but always forward the query. That would allow dig
+trace to work.

Does that seem sensible?

Cheers,

Simon.
Post by Dominik DL6ER
Dear list members,
I expect "dig +trace" to show a trace of the delegation path from the
root name servers for the name being looked up. This behavior is broken
since commit 087eb76140725f8f1892ba6f251ea052d3440966
<http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=087eb76140725f8f1892ba6f251ea052d3440966>
and is not fixed until now (I compiled and tested the most recent
"master" branch of dnsmasq).
$ dig +trace www.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
;; global options: +cmd
;; Received 17 bytes from 192.168.2.11#53(pi.hole) in 76 ms
$ dig +trace www.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
;; global options: +cmd
.            42569    IN    NS    l.root-servers.net.
.            42569    IN    NS    k.root-servers.net.
.            42569    IN    NS    e.root-servers.net.
.            42569    IN    NS    h.root-servers.net.
.            42569    IN    NS    j.root-servers.net.
.            42569    IN    NS    i.root-servers.net.
.            42569    IN    NS    g.root-servers.net.
.            42569    IN    NS    a.root-servers.net.
.            42569    IN    NS    b.root-servers.net.
.            42569    IN    NS    m.root-servers.net.
.            42569    IN    NS    c.root-servers.net.
.            42569    IN    NS    f.root-servers.net.
.            42569    IN    NS    d.root-servers.net.
;; Received 241 bytes from 192.168.2.11#53(pi.hole) in 115 ms
Best regards,
Dominik
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
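An added illustration, not dnsmasq's own code, of the three behaviours discussed above for a query without the RD ("recursion desired") bit: answer from cache (pre-2.79), SERVFAIL (the behaviour since commit 087eb76), and the proposed alternative of bypassing the cache and forwarding. The `Policy` names, the `decide` function and the sample cache contents are assumptions made for this example.

```python
import struct
from enum import Enum

# DNS header flag bits (RFC 1035, section 4.1.1).
QR, RD, RA = 0x8000, 0x0100, 0x0080
RCODE_SERVFAIL = 2

class Policy(Enum):  # hypothetical names for the three behaviours in the thread
    CACHE = "cache"        # pre-2.79: non-RD queries answered from cache (snoopable)
    SERVFAIL = "servfail"  # since commit 087eb76: non-RD queries always get SERVFAIL
    FORWARD = "forward"    # proposed: non-RD queries never consult the cache, always forwarded

def build_query(name: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Constructed sample: a minimal IN A query for `name`, with RD set or cleared."""
    header = struct.pack("!HHHHHH", qid, RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg: bytes):
    """Return (id, flags) from the 12-byte DNS header."""
    return struct.unpack("!HH", msg[:4])

def qname_of(msg: bytes) -> str:
    """Decode the (uncompressed) question name that follows the header."""
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def decide(msg: bytes, cache: dict, policy: Policy) -> tuple:
    """Return (action, payload) describing how a resolver under `policy` handles `msg`."""
    qid, flags = parse_header(msg)
    name = qname_of(msg)
    # Recursive queries (and the old policy for non-RD ones) may be served from cache.
    if flags & RD or policy is Policy.CACHE:
        if name in cache:
            return ("cache", cache[name])
        return ("forward", None)
    if policy is Policy.SERVFAIL:
        # Response header: QR set, RCODE=SERVFAIL; this is what breaks dig +trace.
        resp = struct.pack("!HHHHHH", qid, QR | RA | RCODE_SERVFAIL, 1, 0, 0, 0)
        return ("servfail", resp)
    # Policy.FORWARD: the cache is never consulted for non-RD queries, so a
    # non-RD probe cannot learn whether a name is cached, yet dig +trace works.
    return ("forward", None)
```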
Dominik DL6ER
2018-09-19 12:04:07 UTC
Hey Simon,
Post by Simon Kelley
when rd is not set, never answer
from the cache, but always forward the query. That would allow dig
+trace to work.
Does that seem sensible?
Yes, that seems useful.

Best,
Dominik
Simon Kelley
2018-09-19 21:29:36 UTC
Post by Dominik DL6ER
Hey Simon,
Post by Simon Kelley
when rd is not set, never answer
from the cache, but always forward the query. That would allow dig
+trace to work.
Does that seem sensible?
Yes, that seems useful.
Best,
Dominik
Change made in git repo.

Cheers,

Simon.