On 15/11/12 20:08, Andrew Elwell wrote:
Hi Folks
(warning, this is behaviour noticed with the version of dnsmasq on my router -
version.bind. 0 CH TXT dnsmasq-2.61
apologies if fixed in a newer version)
I've been using OpenDNS with nxdomain to filter out their annoying
brain-dead NXDOMAIN mangling. However, if I do this, it breaks on IPv6
addresses
i.e. an expected result
$ host indicodev2.ipv6.cern.ch 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
indicodev2.ipv6.cern.ch has IPv6 address 2001:1458:201:b5b9::100:10
-- there's an IPv6 record, but no A record for this machine
However, if I use OpenDNS I get
$ host indicodev2.ipv6.cern.ch 208.67.222.222
Using domain server:
Name: 208.67.222.222
Address: 208.67.222.222#53
Aliases:
indicodev2.ipv6.cern.ch has address 67.215.65.132 BOGUS
indicodev2.ipv6.cern.ch has IPv6 address 2001:1458:201:b5b9::100:10
and with bogus-nxdomain 67.215.65.132 it bails after the A record and
doesn't try unless specifically asked
$ host indicodev2.ipv6.cern.ch
Host indicodev2.ipv6.cern.ch not found: 3(NXDOMAIN)
$ host -t AAAA indicodev2.ipv6.cern.ch
indicodev2.ipv6.cern.ch has IPv6 address 2001:1458:201:b5b9::100:10
Any ideas if I can work around this via configuration or do I have to
give up with OpenDNS?
Many thanks
Andrew
And the nasty hacks will come back and bite you. It might take 10 years,
but they will bite you.
What's happening is that dnsmasq is re-writing the reply
indicodev2.ipv6.cern.ch has address 67.215.65.132 BOGUS
as indicodev2.ipv6.cern.ch is no-such-domain. Note that it's _not_
asserting indicodev2.ipv6.cern.ch has no IPv4 address, it's asserting
indicodev2.ipv6.cern.ch does not exist. So the host command is quite
right not to even try and find the IPv6 address for that domain, since
it's already been told that it doesn't exist.
This might not bite you in real life, if whatever is looking up that
domain does the A and AAAA lookups separately, and isn't bright enough
to make the inference that host does.
This could be fixed in dnsmasq by re-writing to a NODATA reply instead
of NXDOMAIN, but I'm worried about doing that in case it finds a
different set of problems: now you're starting to assert that lots of
domains which DON'T exist do.
Cheers,
Simon.
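Added example, not part of the original thread and not dnsmasq code: a toy model of the exchange discussed above, comparing an NXDOMAIN rewrite with a NODATA rewrite as seen by a client that stops on NXDOMAIN. The function names, the upstream's AAAA behaviour for unknown names, and the name no-such-host.example are constructed assumptions.

```python
# Toy model only; does not send DNS traffic. Sample data is constructed.
BOGUS = {"67.215.65.132"}  # address passed to bogus-nxdomain in the thread

# Assumption: upstream answers every A query with its wildcard address and
# passes real AAAA records through; unknown names get an empty AAAA answer.
REAL_AAAA = {"indicodev2.ipv6.cern.ch": ["2001:1458:201:b5b9::100:10"]}


def upstream(name, qtype):
    """Mangling upstream resolver: returns (rcode, answers)."""
    if qtype == "A":
        return "NOERROR", ["67.215.65.132"]
    return "NOERROR", list(REAL_AAAA.get(name, []))


def forwarder(name, qtype, rewrite_to):
    """Forwarder that replaces any reply containing a bogus address.

    rewrite_to="NXDOMAIN": the name is declared non-existent (thread behaviour).
    rewrite_to="NODATA":   NOERROR with an empty answer (alternative discussed).
    """
    rcode, answers = upstream(name, qtype)
    if BOGUS.intersection(answers):
        return ("NXDOMAIN", []) if rewrite_to == "NXDOMAIN" else ("NOERROR", [])
    return rcode, answers


def lookup_like_host(name, rewrite_to):
    """Client that asks A then AAAA and treats NXDOMAIN as 'no such name'."""
    found = []
    for qtype in ("A", "AAAA"):
        rcode, answers = forwarder(name, qtype, rewrite_to)
        if rcode == "NXDOMAIN":
            return "NXDOMAIN", []  # no point asking for other record types
        found.extend(answers)
    return "NOERROR", found


if __name__ == "__main__":
    for mode in ("NXDOMAIN", "NODATA"):
        for host in ("indicodev2.ipv6.cern.ch", "no-such-host.example"):
            print(mode, host, lookup_like_host(host, mode))
```

In the NODATA case the IPv6-only host resolves, but no-such-host.example comes back as NOERROR with no records, which is the "domains which DON'T exist do" problem described in the reply.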