Hi Salatiel,

The short answer is: because of the way dnsmasq is implemented.

The primary reason is not a security decision, but the lightweight
implementation of dnsmasq. It relies on recursive upstream servers to
deliver a complete recursed answer. If it contains a CNAME, it has to
contain its target as well. That might be an answer record or a negative
answer (NXDOMAIN).

But dnsmasq cannot process incomplete answers, which would require a
dependent query to be sent again. If there is a CNAME without anything
following it, dnsmasq would have to query the upstream server again with
its target. Because of the internal design it is not as easy as it
seems. Dnsmasq does not store the full names of pending queries, only
their hashes. The inability to finish incomplete responses and only then
deliver the final result to the original query is caused by missing
code. It is not usually required.

There is something similar implemented for DNSSEC validation, but it
requires a non-disabled cache, for example. Because it cannot finish
incomplete responses, it also needs to know the final answer for the
CNAME on the command line.

I think it would require multiple improvements in the internal code. For
example, current query retries are driven by clients. They retry only
when clients retry the query to dnsmasq. For well-working internal
retries it would have to stop storing just the hash of the original
query and store the full original query itself. While it should not be
very hard, it would mean non-trivial code and algorithm changes, with
possible regressions caused by such changes.

Cheers,
Petr

On 11/6/21 20:11, Salatiel Filho wrote:
> Hi, why does dnsmasq cname require an entry on /etc/hosts?
> I would like to override "somedomain.com" to "some-load-balancer.com"
> as a CNAME. If I start dnsmasq as:
> # dnsmasq -dq -r /etc/resolv.upstream --cname
> somedomain.com,some-load-balancer.com
> If I try to ping somedomain.com, I will get :
> ping: unknown host somedomain.com
> If I try to nslookup somedomain.com
> Server:        127.0.0.1
> Address:    127.0.0.1#53
> somedomain.com    canonical name = some-load-balancer.com.
If you query some-load-balancer.com, what does the response look like?
Unlike the HTTP protocol, it would not receive the name of the original
query somedomain.com. Would it always return a set of addresses not
known at configure time?
>
> So I would expect that to work. Is there a reason for that not being
> allowed by dnsmasq? Security reasons somehow?
> I have a scenario where I need to make a container for a legacy
> application point somedomain.com (hardcoded) to an external
> load balancer's CNAME whose IP is, of course, dynamic and I can not
> add it to /etc/hosts.
>
> Thanks!
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
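The completeness check Petr describes above (a recursed answer that contains a CNAME must also carry the target's records or a negative answer, otherwise the resolver would have to issue a dependent query for the target) can be illustrated with a small standalone script. This is an added example, not dnsmasq's code: it builds minimal DNS wire-format responses in memory (the names, the 192.0.2.10 address and the message id are constructed for the demonstration), parses the answer section, follows the CNAME chain from the queried name and reports whether the answer is complete, negative (NXDOMAIN), or "dangling", the case dnsmasq cannot finish on its own.

```python
import struct

# Constructed constants and helpers for the demonstration; not dnsmasq code.
TYPE_A, TYPE_CNAME = 1, 5
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, rcode=0):
    """Build a minimal DNS response to an A query for qname (test data only).

    answers: list of (owner, rtype, rdata); rdata is a target name for CNAME
    records and a dotted IPv4 string for A records.
    """
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, rdata in answers:
        if rtype == TYPE_CNAME:
            wire = encode_name(rdata)
        else:
            wire = bytes(int(octet) for octet in rdata.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 60, len(wire)) + wire
    return header + body


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def classify_response(msg):
    """Follow the CNAME chain from the question name through the answer section.

    Returns ("complete", [addresses]) when the chain ends in A records,
    ("negative", name) when it ends and the RCODE is NXDOMAIN, and
    ("dangling", name) when the chain ends at a name the answer says nothing
    about: the target a resolver would now have to query separately.
    """
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4  # qtype, qclass
    for _ in range(qdcount - 1):  # tolerate extra question entries
        _, off = decode_name(msg, off)
        off += 4
    cnames, addrs = {}, {}
    for _ in range(ancount):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_CNAME:
            cnames[owner], _ = decode_name(msg, off)
        elif rtype == TYPE_A and rdlen == 4:
            addrs.setdefault(owner, []).append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    name = qname
    for _ in range(len(cnames) + 1):  # bounded so a CNAME loop cannot spin forever
        if name in addrs:
            return ("complete", addrs[name])
        if name in cnames:
            name = cnames[name]
            continue
        break
    if flags & 0x000F == RCODE_NXDOMAIN:
        return ("negative", name)
    return ("dangling", name)


if __name__ == "__main__":
    # The situation from the thread: a CNAME answer with no record for its target.
    cname_only = build_response(
        "somedomain.com", [("somedomain.com", TYPE_CNAME, "some-load-balancer.com")])
    print(classify_response(cname_only))
```

A "dangling" result is exactly the point where a resolver must remember the original query and send a second, dependent query for the target before answering the client; the script only reports it, which mirrors where dnsmasq stops.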


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
