Hi. There's a number of internal DNS records in our corporate network and I also use a VPN connection through which the other set of internal DNS records is available. From each network I dynamically receive a search suffix and a pair of DNS server addresses and add them to /etc/resolv.conf:

    nameserver 127.0.0.1
    search domain1.com domain2.com
    nameserver 10.14.33.139
    nameserver 10.14.33.140
    nameserver 192.168.149.11
    nameserver 192.168.110.11

There are three problems with that:

1. Not all possible internal search suffixes are received via DHCP. It means that I cannot configure dnsmasq to use a specific upstream server for certain unknown suffixes. And I have to enable in dnsmasq.conf:

    # To use all 4 servers
    all-servers

2. After receiving NXDOMAIN from one of the servers Dnsmasq immediately returns this reply to the client without waiting for other servers to reply.

3. Even if I drop incoming NXDOMAIN packets with an iptables rule there's a problem when a client program tries to resolve an unqualified domain name from the second network. Libc tries the first search suffix from the list and, due to the fact that for net2-host.domain1.com all four upstream servers return NXDOMAIN (that gets dropped), the library waits until it times out and never tries net1-host.domain1.com.

I found that delaying NXDOMAIN packets with iproute2 solves the 3 problems above: https://serverfault.com/a/1067189/149828

However, it seems to me that waiting a little bit more for a positive answer should be part of Dnsmasq.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
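The race described in the post, as an added model that is not part of the original message and not dnsmasq code: four upstreams with constructed names, addresses and latencies, a forwarder in "first reply wins", "NXDOMAIN dropped" and "wait for a positive answer" modes, and a libc-style stub walking the search list. It shows why an unqualified VPN-side name fails in the first two modes and resolves in the third.

```python
"""Model of the search-suffix race from the post. Constructed example, not dnsmasq code.
Upstream addresses, host names and latencies are assumptions made up for illustration."""
from typing import Dict, List, Tuple

NXDOMAIN = "NXDOMAIN"
TIMEOUT = "TIMEOUT"
SEARCH = ["domain1.com", "domain2.com"]  # search list from resolv.conf

# upstream address -> (reply latency in ms, names it can answer); unknown names get NXDOMAIN
UPSTREAMS: Dict[str, Tuple[int, Dict[str, str]]] = {
    "10.14.33.139": (5, {"net1-host.domain1.com": "10.14.1.1"}),           # corporate, fast
    "10.14.33.140": (5, {"net1-host.domain1.com": "10.14.1.1"}),
    "192.168.149.11": (40, {"net2-host.domain2.com": "192.168.149.50"}),  # VPN, slower
    "192.168.110.11": (40, {"net2-host.domain2.com": "192.168.149.50"}),
}


def replies_in_arrival_order(fqdn: str) -> List[Tuple[int, str]]:
    """Every upstream answers; sorted by latency so index 0 is the reply the forwarder sees first."""
    return sorted((lat, table.get(fqdn, NXDOMAIN)) for lat, table in UPSTREAMS.values())


def forward(fqdn: str, mode: str) -> str:
    """all-servers forwarder.
    'first': hand the client whatever reply arrives first (problem 2 in the post).
    'drop' : NXDOMAIN replies are dropped by a firewall rule, so the client sees a timeout (problem 3).
    'wait' : hold NXDOMAIN until a positive answer arrives or every upstream has said NXDOMAIN."""
    replies = replies_in_arrival_order(fqdn)
    if mode == "first":
        return replies[0][1]
    positive = [reply for _, reply in replies if reply != NXDOMAIN]
    if positive:
        return positive[0]
    return TIMEOUT if mode == "drop" else NXDOMAIN


def resolve(name: str, mode: str) -> str:
    """libc-style stub: walk the search list and stop at the first non-NXDOMAIN reply.
    A timeout ends the lookup without trying the next suffix, as the post describes."""
    for suffix in SEARCH:
        reply = forward(f"{name}.{suffix}", mode)
        if reply != NXDOMAIN:
            return reply
    return NXDOMAIN


if __name__ == "__main__":
    for mode in ("first", "drop", "wait"):
        print(mode, resolve("net1-host", mode), resolve("net2-host", mode))
```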