Hello, I’m having some trouble getting dnsmasq to respond to PTR queries without recursion desired, even when authoritative mode is enabled.
Given the following config:

    domain-needed
    bogus-priv
    no-resolv
    no-hosts
    port=10053
    server=/example.com/
    log-queries
    host-record=host1.example.com,10.2.3.4

Observed results:

    Query host1.example.com A (with recursion)           - NOERROR, returns answer
    Query host1.example.com A (without recursion)        - REFUSED
    Query 4.3.2.10.in-addr.arpa PTR (with recursion)     - NOERROR, returns answer
    Query 4.3.2.10.in-addr.arpa PTR (without recursion)  - REFUSED

Given the above config, plus the following two lines to enable authoritative mode:

    auth-server=ns1.example.com
    auth-zone=example.com,10.0.0.0/8

Observed results:

    Query host1.example.com A (with recursion)           - NOERROR, returns answer
    Query host1.example.com A (without recursion)        - NOERROR, returns answer
    Query 4.3.2.10.in-addr.arpa PTR (with recursion)     - NOERROR, returns answer
    Query 4.3.2.10.in-addr.arpa PTR (without recursion)  - REFUSED

Expected results: Enabling auth mode for the zone, and specifying the subnet, would result in the last PTR query being accepted instead of refused.

The log lines seen when the REFUSED occurs are:

    dnsmasq_1 | Jul 9 09:42:06 dnsmasq[1]: query[PTR] 4.3.2.10.in-addr.arpa from 172.19.0.1
    dnsmasq_1 | Jul 9 09:42:06 dnsmasq[1]: config error is REFUSED

Version info:

    Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
    Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile

I was looking through the source and I’m guessing that PTR queries don’t ever trigger the auth zone path, since the query ends in “in-addr.arpa” instead of the auth-zone domain like “example.com”. Once it reaches the regular answer_request path, it immediately returns since the RD flag is not set, without checking host-records, and proceeds to forward the query instead. Is this intended behaviour?

The 2.79 CHANGELOG states that this always-SERVFAIL (or forward, in 2.80) behaviour for queries without recursion desired should always happen “UNLESS acting as an authoritative DNS server”, without a caveat that it only works for non-reverse DNS queries.

Thanks,
Chiang Fong

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
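Added example (not part of the original post and not dnsmasq's own code): a small Python harness that builds an A or PTR query with the RD bit set or cleared, decodes the response header and reports AA/RA/RCODE, so the NOERROR-vs-REFUSED results above can be reproduced against a dnsmasq listening on port 10053. The 127.0.0.1 target is an assumption, and the sample REFUSED response used for the offline check is constructed here to mirror the log lines in the post.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "PTR": 12}

def reverse_name(ipv4: str) -> str:
    """10.2.3.4 -> 4.3.2.10.in-addr.arpa (the owner name of the PTR record)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name: str, qtype: str, rd: bool, txid: int = 0x1234) -> bytes:
    """One question, class IN; RD is bit 0x0100 of the flags word, everything else zero."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def parse_response(data: bytes) -> dict:
    """Decode only the 12-byte header: enough to see RCODE, AA/RA and the answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "aa": bool(flags & 0x0400), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "ancount": an,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}

def query_server(name, qtype, rd, host="127.0.0.1", port=10053, timeout=2.0):
    """Send the query over UDP and return the parsed header (host/port assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, rd), (host, port))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

# Constructed sample: what a "config error is REFUSED" reply looks like on the wire
# (QR=1, RA=1, RCODE=5, question echoed, no answers). Not captured from a real server.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8085, 1, 0, 0, 0)
                  + encode_name("4.3.2.10.in-addr.arpa") + struct.pack("!HH", 12, 1))

if __name__ == "__main__":
    ptr = reverse_name("10.2.3.4")
    for name, qtype in ((ptr, "PTR"), ("host1.example.com", "A")):
        for rd in (True, False):
            print(name, qtype, "RD" if rd else "no-RD", query_server(name, qtype, rd))
```

Compare the `rcode` and `aa` fields across the four runs: with auth-zone configured the A query without RD should come back NOERROR, while the PTR without RD is the case the post reports as REFUSED.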
