Hi,

We recently upgraded a relatively old dnsmasq server from 2.80 to 2.90 (the versions available in Ubuntu 18.04 and 22.04, respectively), and ran into an issue where clients asking for nonexistent AAAA records now receive NXDOMAIN instead of NODATA.

Clients typically do both A and AAAA lookups, sometimes simultaneously, and when the AAAA query 'wins' the clients report DNS errors when NXDOMAIN is received, instead of ignoring the result. That could be fixed on all of the clients, but we have many random boxes in our network that are crufty and hard to configure. :)

In particular, this happens when dnsmasq serves a --local domain, and 'fixed' hosts are defined with --address entries having _only_ an IPv4 address. For example, if dnsmasq.conf contains:

    no-daemon
    log-queries
    domain=example.com
    interface=eth0
    server=1.1.1.1
    local=/example.com/
    address=/foo.example.com/10.1.2.3
    address=/bar.example.com/10.1.2.3

Then using the older dnsmasq, you could do:

    $ host foo.example.com
    foo.example.com has address 10.1.2.3

and dnsmasq 2.80 would output:

    dnsmasq: using only locally-known addresses for domain example.com
    dnsmasq: using nameserver 1.1.1.1#53
    dnsmasq: reading /etc/resolv.conf
    dnsmasq: using only locally-known addresses for domain example.com
    dnsmasq: using nameserver 1.1.1.1#53
    dnsmasq: using nameserver 127.0.0.53#53
    dnsmasq: read /etc/hosts - 5 addresses
    dnsmasq: query[A] foo.example.com from 127.0.0.1
    dnsmasq: config foo.example.com is 10.1.2.3
    dnsmasq: query[AAAA] foo.example.com from 127.0.0.1
    dnsmasq: config foo.example.com is NODATA-IPv6
    dnsmasq: query[MX] foo.example.com from 127.0.0.1
    dnsmasq: config foo.example.com is NODATA

while with dnsmasq 2.90, you would get:

    $ host foo.example.com
    foo.example.com has address 10.1.2.3
    Host foo.example.com not found: 3(NXDOMAIN)
    Host foo.example.com not found: 3(NXDOMAIN)

and it outputs:

    dnsmasq: using nameserver 1.1.1.1#53
    dnsmasq: using only locally-known addresses for example.com
    dnsmasq: reading /etc/resolv.conf
    dnsmasq: using nameserver 1.1.1.1#53
    dnsmasq: using nameserver 127.0.0.53#53
    dnsmasq: using only locally-known addresses for example.com
    dnsmasq: read /etc/hosts - 5 addresses
    dnsmasq: query[A] foo.example.com from 127.0.0.1
    dnsmasq: config foo.example.com is 10.1.2.3
    dnsmasq: query[AAAA] foo.example.com from 127.0.0.1
    dnsmasq: config foo.example.com is NXDOMAIN
    dnsmasq: query[MX] foo.example.com from 127.0.0.1
    dnsmasq: config foo.example.com is NXDOMAIN

This behavior changed with <https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=12a9aa7> ("Major rewrite of the DNS server and domain handling code"), so it may have been an unintended side effect, or maybe it is working as designed?

The most recent manpage does appear to have an entry on this, reading:

    Note that the behaviour for queries which don't match the specified
    address literal changed in version 2.86. Previous versions, configured
    with (eg) --address=/example.com/1.2.3.4 and then queried for a RR type
    other than A would return a NoData answer. From 2.86, the query is sent
    upstream. To restore the pre-2.86 behaviour, use the configuration
    --address=/example.com/1.2.3.4 --local=/example.com/

But as far as I can see, that does not work, in the sense that it still returns NXDOMAIN instead of NODATA?

The only syntax that does appear to work, is the following:

    no-daemon
    log-queries
    domain=example.com
    interface=eth0
    server=1.1.1.1
    local=/example.com/
    address=/foo.example.com/10.1.2.3
    address=/foo.example.com/
    address=/bar.example.com/10.1.2.3
    address=/bar.example.com/

However, it also requires a version after 12a9aa7. It might have been <https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=b6f926f>, but at least it is in 2.90.

In any case, is the syntax I am describing above the correct way to define hosts that do have an IPv4 address but not an IPv6 address? And to ensure these result in NODATA for any AAAA queries?

-Dimitry
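
Added example, not part of the original post and not dnsmasq code: a log check for the regression described above, flagging names that dnsmasq answers with data for one record type but with NXDOMAIN for another. The function name and regexes are assumptions; answers are paired to the preceding query by name, which holds for the plain log-queries format shown in the post.

```python
import re
from collections import defaultdict

# Plain --log-queries lines, e.g.
#   dnsmasq: query[AAAA] foo.example.com from 127.0.0.1
#   dnsmasq: config foo.example.com is NXDOMAIN
QUERY = re.compile(r"query\[(?P<qtype>[\w-]+)\] (?P<name>\S+) from ")
REPLY = re.compile(r"dnsmasq(?:\[\d+\])?: \S+ (?P<name>\S+) is (?P<answer>\S+)")

def inconsistent_nxdomain(log_text):
    """Return sorted (name, qtype) pairs answered NXDOMAIN although the
    same name returned data for another type (NODATA was expected)."""
    pending = {}                  # name -> qtype of the last unanswered query
    answers = defaultdict(dict)   # name -> {qtype: first logged answer}
    for line in log_text.splitlines():
        q = QUERY.search(line)
        if q:
            pending[q["name"]] = q["qtype"]
            continue
        r = REPLY.search(line)
        if r and r["name"] in pending:
            answers[r["name"]][pending.pop(r["name"])] = r["answer"]
    flagged = []
    for name, by_type in answers.items():
        # NXDOMAIN claims the name has no records of any type, so it
        # contradicts a positive answer for the same name.
        has_data = any(not a.startswith(("NXDOMAIN", "NODATA"))
                       for a in by_type.values())
        if has_data:
            flagged += [(name, t) for t, a in by_type.items() if a == "NXDOMAIN"]
    return sorted(flagged)

# Query/answer lines quoted from the two logs in the post.
LOG_280 = """\
dnsmasq: query[A] foo.example.com from 127.0.0.1
dnsmasq: config foo.example.com is 10.1.2.3
dnsmasq: query[AAAA] foo.example.com from 127.0.0.1
dnsmasq: config foo.example.com is NODATA-IPv6
dnsmasq: query[MX] foo.example.com from 127.0.0.1
dnsmasq: config foo.example.com is NODATA
"""
LOG_290 = LOG_280.replace("NODATA-IPv6", "NXDOMAIN").replace("NODATA", "NXDOMAIN")

if __name__ == "__main__":
    for label, log in (("2.80", LOG_280), ("2.90", LOG_290)):
        print(label, inconsistent_nxdomain(log))
```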