The change in question causes dnsmasq to always return SERVFAIL for queries without the "use recursion" bit set.
The relevant quote in the reference http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf is this:

Recommendation 2: secondly, and most importantly, non-authoritative requests to DNS caches should not be allowed. For instance dnscache, a popular caching-only DNS implementation, tries to prevent cache snooping by refusing to answer non-recursive queries [3]. Another option is to never consult the cache when responding to non-RD queries.

So dnsmasq could adopt the alternative: when rd is not set, never answer from the cache, but always forward the query. That would allow dig +trace to work.

Does that seem sensible?

Cheers,

Simon.

On 19/09/18 11:16, Dominik DL6ER wrote:
> Dear list members,
>
> I expect "dig +trace" to show a trace of the delegation path from the
> root name servers for the name being looked up. This behavior is broken
> since commit 087eb76140725f8f1892ba6f251ea052d3440966
> <http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=087eb76140725f8f1892ba6f251ea052d3440966>
> and is not fixed until now (I compiled and tested the most recent
> "master" branch of dnsmasq).
>
> With dnsmasq v2.80test6, and v2.79, I see:
>
> $ dig +trace www.example.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
> ;; global options: +cmd
> ;; Received 17 bytes from 192.168.2.11#53(pi.hole) in 76 ms
>
> With dnsmasq v2.78 (and previously), I see:
>
> $ dig +trace www.example.com
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.example.com
> ;; global options: +cmd
> . 42569 IN NS l.root-servers.net.
> . 42569 IN NS k.root-servers.net.
> . 42569 IN NS e.root-servers.net.
> . 42569 IN NS h.root-servers.net.
> . 42569 IN NS j.root-servers.net.
> . 42569 IN NS i.root-servers.net.
> . 42569 IN NS g.root-servers.net.
> . 42569 IN NS a.root-servers.net.
> . 42569 IN NS b.root-servers.net.
> . 42569 IN NS m.root-servers.net.
> . 42569 IN NS c.root-servers.net.
> . 42569 IN NS f.root-servers.net.
> . 42569 IN NS d.root-servers.net.
> ;; Received 241 bytes from 192.168.2.11#53(pi.hole) in 115 ms
>
> Best regards,
> Dominik
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
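
Added example, not part of the original messages and not dnsmasq code: a simplified C model of the three ways of handling queries with the RD bit clear that the thread mentions (answer from the cache, reject with SERVFAIL, always forward), checking which ones make the handling depend on cache contents and which still give a non-RD query an answer. All type, function and constant names are hypothetical, the header bytes are constructed, and only the chosen action is modelled, not response timing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names: a simplified model of the three options, not dnsmasq code. */
enum nonrd_policy { ANSWER_FROM_CACHE, REJECT_SERVFAIL, ALWAYS_FORWARD };
enum action { ACT_DROP, ACT_CACHE_REPLY, ACT_SERVFAIL, ACT_FORWARD };

#define DNS_HDR_LEN 12
#define FLAG_QR 0x80 /* header byte 2, bit 7: 1 = response */
#define FLAG_RD 0x01 /* header byte 2, bit 0: recursion desired */

/* Build a constructed 12-byte query header (QDCOUNT = 1) with RD set or clear. */
void make_query_header(uint8_t out[DNS_HDR_LEN], int rd)
{
    memset(out, 0, DNS_HDR_LEN);
    out[0] = 0x12; out[1] = 0x34;   /* constructed transaction ID */
    out[2] = rd ? FLAG_RD : 0;
    out[5] = 1;
}

/* Choose what to do with a query; `cached` = the name is already in the cache. */
enum action handle_query(const uint8_t *pkt, size_t len,
                         enum nonrd_policy policy, int cached)
{
    if (pkt == NULL || len < DNS_HDR_LEN || (pkt[2] & FLAG_QR))
        return ACT_DROP;                       /* truncated, or not a query */
    if (pkt[2] & FLAG_RD)                      /* ordinary client query */
        return cached ? ACT_CACHE_REPLY : ACT_FORWARD;
    switch (policy) {                          /* RD clear: the policy decides */
    case REJECT_SERVFAIL: return ACT_SERVFAIL;
    case ALWAYS_FORWARD:  return ACT_FORWARD;  /* cache is never consulted */
    default:              return cached ? ACT_CACHE_REPLY : ACT_FORWARD;
    }
}

/* Action taken for a constructed non-RD query under `policy`. */
static enum action nonrd(enum nonrd_policy policy, int cached)
{
    uint8_t q[DNS_HDR_LEN];
    make_query_header(q, 0);
    return handle_query(q, sizeof q, policy, cached);
}

/* 1 if a non-RD query is handled differently depending on cache contents. */
int reveals_cache_state(enum nonrd_policy p) { return nonrd(p, 1) != nonrd(p, 0); }

/* 1 if a non-RD query can still obtain an answer (what dig +trace relies on). */
int nonrd_gets_answer(enum nonrd_policy p) { return nonrd(p, 0) != ACT_SERVFAIL; }

int main(void) { return reveals_cache_state(ALWAYS_FORWARD); } /* exits 0 */
```

In this model only the always-forward option both hides cache contents from non-RD queries and still lets them be answered.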