Hi.
There's a number of internal DNS records in our corporate network and I also 
use a VPN connection through which the other set of internal DNS records is 
available.
From each network I dynamically receive a search suffix and a pair of DNS 
server addresses and add them to /etc/resolv.conf:

    nameserver 127.0.0.1
    search domain1.com domain2.com
    nameserver 10.14.33.139
    nameserver 10.14.33.140
    nameserver 192.168.149.11
    nameserver 192.168.110.11

There are three problems with that:

Not all possible internal search suffixes are received via DHCP. It means that 
I cannot configure dnsmasq to use a specific upstream server for certain 
unknown suffixes. And I have to enable in dnsmasq.conf:

    # To use all 4 servers
    all-servers

After receiving NXDOMAIN from one of the servers Dnsmasq immediately returns 
this reply to the client without waiting for other servers to reply.

Even if I drop incoming NXDOMAIN packets with an iptables rule there's a 
problem when a client program tries to resolve an unqualified domain name from 
the second network.
Libc tries the first search suffix from the list and, due to the fact that for 
net2-host.domain1.com all four upstream servers return NXDOMAIN (which gets 
dropped), the library waits until it times out and never tries 
net1-host.domain1.com.

I found that delaying NXDOMAIN packets with iproute2 solves the 3 problems 
above: https://serverfault.com/a/1067189/149828

However, it seems to me that waiting a little bit more for a positive answer 
should be part of Dnsmasq.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
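The following is an added model (not dnsmasq's code, not the poster's) of the three situations described in the post: a forwarder that passes on the first upstream reply, one where NXDOMAIN replies are dropped, and one that waits for a positive reply before relaying NXDOMAIN. The upstream answer table, latencies and host names are constructed; the server addresses and search suffixes are the ones from the post.

```python
"""Constructed model of how a forwarder's NXDOMAIN policy interacts with the
libc search list. Timings and answers are invented for illustration."""
from typing import Dict, List, Optional

# Constructed upstream view: which server knows which name (missing = NXDOMAIN).
UPSTREAMS: Dict[str, Dict[str, str]] = {
    "10.14.33.139":   {"net1-host.domain1.com": "10.14.1.5"},
    "10.14.33.140":   {"net1-host.domain1.com": "10.14.1.5"},
    "192.168.149.11": {"net2-host.domain2.com": "192.168.2.7"},
    "192.168.110.11": {"net2-host.domain2.com": "192.168.2.7"},
}
# Constructed reply latency in ms: the domain1 servers happen to answer fastest.
LATENCY = {"10.14.33.139": 5, "10.14.33.140": 6,
           "192.168.149.11": 20, "192.168.110.11": 25}
SEARCH: List[str] = ["domain1.com", "domain2.com"]

NXDOMAIN = "NXDOMAIN"
TIMEOUT = "TIMEOUT"


def forward(fqdn: str, policy: str) -> str:
    """Send fqdn to all upstreams; return an address, NXDOMAIN or TIMEOUT.
    policy: 'first-reply' (all-servers as described in the post),
            'drop-nxdomain' (the iptables workaround),
            'prefer-positive' (relay NXDOMAIN only when no server is positive)."""
    replies = sorted(((LATENCY[s], UPSTREAMS[s].get(fqdn)) for s in UPSTREAMS),
                     key=lambda r: r[0])
    positive = [addr for _, addr in replies if addr is not None]
    if policy == "first-reply":
        first = replies[0][1]          # whichever server answers first wins
        return first if first is not None else NXDOMAIN
    if policy == "prefer-positive":
        return positive[0] if positive else NXDOMAIN
    if policy == "drop-nxdomain":
        # NXDOMAIN never reaches the client, so without a positive reply it waits.
        return positive[0] if positive else TIMEOUT
    raise ValueError(f"unknown policy {policy!r}")


def resolve(name: str, policy: str) -> Optional[str]:
    """libc-style search-list walk for an unqualified name."""
    for suffix in SEARCH:
        answer = forward(f"{name}.{suffix}", policy)
        if answer == TIMEOUT:
            return None                # libc gives up; later suffixes are never tried
        if answer != NXDOMAIN:
            return answer
    return None                        # NXDOMAIN for every suffix
```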