Server Fault Asked by Collin Barrett on November 29, 2021
I use a public DNS provider (nextdns.io) that blocks some domains. These blocked domains return a response like this when dig-ed:
; <<>> DiG 9.16.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63541
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN A
;; Query time: 66 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jul 22 12:03:25 CDT 2020
;; MSG SIZE rcvd: 33
I use dnsmasq on a DD-WRT router to handle all DNS queries from devices on the local network. Is there a way to configure dnsmasq to cache these NOERROR results with 0 ANSWER/AUTHORITY?
Viewing logs, I can tell that my upstream DNS provider continues to get hammered by a client on my network trying to access some blocked domains frequently.
I explored the dnsmasq manpage, but the cache/ttl flags I see do not seem to have an effect on these types of responses since they are not negative (e.g. NXDOMAIN) cacheable but are just no answer at all. I know that I could explicitly handle certain domains in my dnsmasq config by adding records like address=/.example.com/::, but I’d prefer to add a cache/ttl at my dnsmasq to cache no answers for something like 300 seconds before trying to query for an answer from upstream again.
The main problem in terms of caching is that this is some form of a broken response (I would think a broken NODATA based on the suggested intent).
DNS caching is done based on some TTL: for positive responses the RRSet TTL, and for negative responses the cache TTL is based on the SOA record in the AUTHORITY section (specifically the TTL used is MIN(SOA TTL, SOA.MINIMUM)).
Whether a negative response is NXDOMAIN or NODATA (NOERROR with empty ANSWER), these response types always have the relevant SOA record in the AUTHORITY section.
It would of course be better if the filtering DNS provider would serve valid responses also for filtered domains (i.e. a proper NXDOMAIN or NODATA response).
Working around the problem is not necessarily straightforward as this is not a type of response that is supposed to exist, and there is not necessarily an option to catch this case.
However, you are using dnsmasq, which according to the dnsmasq manual has a setting which would appear to deal with this situation:
--neg-ttl=<time>
Negative replies from upstream servers normally contain time-to-live information in SOA records which dnsmasq uses for caching. If the replies from upstream servers omit this information, dnsmasq does not cache the reply. This option gives a default value for time-to-live (in seconds) which dnsmasq uses to cache negative replies even in the absence of an SOA record.
Answered by Håkan Lindqvist on November 29, 2021
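The rule the answer describes (negative TTL = MIN(SOA TTL, SOA.MINIMUM) for NXDOMAIN and NODATA, nothing cacheable when the AUTHORITY section carries no SOA, and a configured default TTL as the fallback, which is what dnsmasq's --neg-ttl supplies) can be seen end to end in the following script. This is an added example written for this page, not code from the question, the answer, dnsmasq or NextDNS. It contains a minimal DNS wire-format parser and four constructed replies: a reconstruction of the filtered reply shown in the question (NOERROR, ANSWER 0, AUTHORITY 0), a proper NODATA reply, a proper NXDOMAIN reply and a positive reply. The SOA field values, the nameserver and hostmaster names and the A record address are made up for the example.

```python
"""Negative-cache TTL selection for DNS replies (RFC 2308 rule as described in the answer).

Added example, not from the Server Fault post. All sample replies below are constructed
in code, not captured traffic; the SOA values and names in them are invented.
"""
import struct

NOERROR, NXDOMAIN = 0, 3
TYPE_A, TYPE_SOA, TYPE_AAAA = 1, 6, 28


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a name (compression pointers allowed); return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_message(msg):
    """Return (rcode, ANSWER RRs, AUTHORITY RRs); each RR is (type, ttl, rdata offset)."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the QUESTION section
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            _, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((rtype, ttl, off))
            off += rdlen
        sections.append(rrs)
    return flags & 0xF, sections[0], sections[1]


def soa_minimum(msg, rdata_off):
    """MINIMUM field of an SOA RDATA: skip MNAME and RNAME, then the fifth 32-bit value."""
    _, off = decode_name(msg, rdata_off)
    _, off = decode_name(msg, off)
    return struct.unpack("!IIIII", msg[off:off + 20])[4]


def negative_cache_ttl(msg, neg_ttl=None):
    """Classify a reply and return (kind, ttl).

    kind is "nxdomain", "nodata" or "other" (positive or error replies, which negative
    caching does not cover). ttl is MIN(SOA TTL, SOA.MINIMUM) when an SOA is present in
    AUTHORITY; otherwise the configured neg_ttl default, or None meaning "do not cache".
    neg_ttl is only a fallback, mirroring how dnsmasq's --neg-ttl is described.
    """
    rcode, answers, authority = parse_message(msg)
    if rcode == NXDOMAIN:
        kind = "nxdomain"
    elif rcode == NOERROR and not answers:
        kind = "nodata"
    else:
        return "other", None
    for rtype, ttl, rdata_off in authority:
        if rtype == TYPE_SOA:
            return kind, min(ttl, soa_minimum(msg, rdata_off))
    return kind, neg_ttl


# ---- constructed sample replies (flags qr rd ra, as in the dig output in the question) ----
def _header(msg_id, rcode, qd, an, ns):
    return struct.pack("!HHHHHH", msg_id, 0x8180 | rcode, qd, an, ns, 0)

def _question(name, qtype):
    return encode_name(name) + struct.pack("!HH", qtype, 1)

def _rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def _soa_rdata(minimum):                               # invented serial/refresh/retry/expire
    return (encode_name("ns1.example.com") + encode_name("hostmaster.example.com")
            + struct.pack("!IIIII", 2020072201, 7200, 3600, 1209600, minimum))

# The filtered reply from the question: NOERROR, ANSWER 0, AUTHORITY 0, hence no SOA.
BROKEN_FILTERED = _header(63541, NOERROR, 1, 0, 0) + _question("example.com", TYPE_A)
# Proper NODATA: SOA TTL 3600, SOA.MINIMUM 300 -> negative TTL 300.
PROPER_NODATA = (_header(1, NOERROR, 1, 0, 1) + _question("example.com", TYPE_AAAA)
                 + _rr("example.com", TYPE_SOA, 3600, _soa_rdata(300)))
# Proper NXDOMAIN: SOA TTL 60, SOA.MINIMUM 86400 -> negative TTL 60.
PROPER_NXDOMAIN = (_header(2, NXDOMAIN, 1, 0, 1) + _question("nope.example.com", TYPE_A)
                   + _rr("example.com", TYPE_SOA, 60, _soa_rdata(86400)))
# Positive reply with one A record (address invented): negative caching does not apply.
POSITIVE = (_header(3, NOERROR, 1, 1, 0) + _question("example.com", TYPE_A)
            + _rr("example.com", TYPE_A, 300, bytes([192, 0, 2, 10])))

if __name__ == "__main__":
    for label, reply in [("filtered, no SOA", BROKEN_FILTERED), ("NODATA + SOA", PROPER_NODATA),
                         ("NXDOMAIN + SOA", PROPER_NXDOMAIN), ("positive", POSITIVE)]:
        print(f"{label:18} default: {negative_cache_ttl(reply)}   neg-ttl=300: {negative_cache_ttl(reply, 300)}")
```

Running it shows the asymmetry the answer points at: the two proper negative replies get a TTL from their SOA whether or not a fallback is configured, the positive reply is never a candidate, and the filtered reply is uncacheable by default and only becomes cacheable once a fallback (here 300 seconds) is supplied. In dnsmasq that fallback is the --neg-ttl option quoted in the answer; in dnsmasq.conf the same option is written without the leading dashes, i.e. neg-ttl=300.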