On 16/04/2022 18:13, Анна Тихомирова via Dnsmasq-discuss wrote:
Hello.
I'm using dnsmasq version 2.86.
I've found that address option works incorrectly if the target domain is
a cname.
Here is an example:
1) Add a domain to dnsmasq configuration:
address=/api.ott.kinopoisk.ru/::
2) Make a DNS query for this domain. Everything is fine now: dnsmasq
replies with an IPv4 address received from the upstream DNS server and
an IPv6 address from the configuration file
root@veronika:~# nslookup api.ott.kinopoisk.ru
Server: 127.0.0.1
Address: 127.0.0.1:53
Name: api.ott.kinopoisk.ru
Address: ::
Non-authoritative answer:
api.ott.kinopoisk.ru canonical name =
ott-api-production-balancer.ott.yandex.net
Name: ott-api-production-balancer.ott.yandex.net
Address: 93.158.134.102
Sat Apr 16 19:13:20 2022 daemon.info dnsmasq[1]: 419 127.0.0.1/58719
query[A] api.ott.kinopoisk.ru from 127.0.0.1
Sat Apr 16 19:13:20 2022 daemon.info dnsmasq[1]: 419 127.0.0.1/58719
forwarded api.ott.kinopoisk.ru to 213.234.192.7
Sat Apr 16 19:13:20 2022 daemon.info dnsmasq[1]: 420 127.0.0.1/58719
query[AAAA] api.ott.kinopoisk.ru from 127.0.0.1
Sat Apr 16 19:13:20 2022 daemon.info dnsmasq[1]: 420 127.0.0.1/58719
config api.ott.kinopoisk.ru is ::
Sat Apr 16 19:13:20 2022 daemon.info dnsmasq[1]: 419 127.0.0.1/58719
reply api.ott.kinopoisk.ru is <CNAME>
Sat Apr 16 19:13:20 2022 daemon.info dnsmasq[1]: 419 127.0.0.1/58719
reply ott-api-production-balancer.ott.yandex.net is 93.158.134.102
3) You may repeat a query and everything is still fine:
root@veronika:~# nslookup api.ott.kinopoisk.ru
Server: 127.0.0.1
Address: 127.0.0.1:53
Non-authoritative answer:
api.ott.kinopoisk.ru canonical name =
ott-api-production-balancer.ott.yandex.net
Name: ott-api-production-balancer.ott.yandex.net
Address: 93.158.134.102
Name: api.ott.kinopoisk.ru
Address: ::
Sat Apr 16 19:13:26 2022 daemon.info dnsmasq[1]: 431 127.0.0.1/34089
query[A] api.ott.kinopoisk.ru from 127.0.0.1
Sat Apr 16 19:13:26 2022 daemon.info dnsmasq[1]: 431 127.0.0.1/34089
cached api.ott.kinopoisk.ru is <CNAME>
Sat Apr 16 19:13:26 2022 daemon.info dnsmasq[1]: 431 127.0.0.1/34089
cached ott-api-production-balancer.ott.yandex.net is 93.158.134.102
Sat Apr 16 19:13:26 2022 daemon.info dnsmasq[1]: 432 127.0.0.1/34089
query[AAAA] api.ott.kinopoisk.ru from 127.0.0.1
Sat Apr 16 19:13:26 2022 daemon.info dnsmasq[1]: 432 127.0.0.1/34089
cached api.ott.kinopoisk.ru is <CNAME>
Sat Apr 16 19:13:26 2022 daemon.info dnsmasq[1]: 432 127.0.0.1/34089
config api.ott.kinopoisk.ru is ::
4) Now query the original domain to which our configured domain points to:
root@veronika:~# nslookup ott-api-production-balancer.ott.yandex.net
Server: 127.0.0.1
Address: 127.0.0.1:53
Non-authoritative answer:
Name: ott-api-production-balancer.ott.yandex.net
Address: 93.158.134.102
Non-authoritative answer:
Name: ott-api-production-balancer.ott.yandex.net
Address: 2a02:6b8::272
Sat Apr 16 19:13:33 2022 daemon.info dnsmasq[1]: 442 127.0.0.1/51782
query[A] ott-api-production-balancer.ott.yandex.net from 127.0.0.1
Sat Apr 16 19:13:33 2022 daemon.info dnsmasq[1]: 442 127.0.0.1/51782
cached ott-api-production-balancer.ott.yandex.net is 93.158.134.102
Sat Apr 16 19:13:33 2022 daemon.info dnsmasq[1]: 443 127.0.0.1/51782
query[AAAA] ott-api-production-balancer.ott.yandex.net from 127.0.0.1
Sat Apr 16 19:13:33 2022 daemon.info dnsmasq[1]: 443 127.0.0.1/51782
forwarded ott-api-production-balancer.ott.yandex.net to 213.234.192.7
Sat Apr 16 19:13:33 2022 daemon.info dnsmasq[1]: 443 127.0.0.1/51782
reply ott-api-production-balancer.ott.yandex.net is 2a02:6b8::272
5) Let's query our configured domain again. Now you can see that dnsmasq
starts to reply with IPv6 from upstream server instead of our configured
IPv6:
root@veronika:~# nslookup api.ott.kinopoisk.ru
Server: 127.0.0.1
Address: 127.0.0.1:53
Non-authoritative answer:
api.ott.kinopoisk.ru canonical name =
ott-api-production-balancer.ott.yandex.net
Name: ott-api-production-balancer.ott.yandex.net
Address: 93.158.134.102
Non-authoritative answer:
api.ott.kinopoisk.ru canonical name =
ott-api-production-balancer.ott.yandex.net
Name: ott-api-production-balancer.ott.yandex.net
Address: 2a02:6b8::272
Sat Apr 16 19:13:37 2022 daemon.info dnsmasq[1]: 458 127.0.0.1/35410
query[A] api.ott.kinopoisk.ru from 127.0.0.1
Sat Apr 16 19:13:37 2022 daemon.info dnsmasq[1]: 458 127.0.0.1/35410
cached api.ott.kinopoisk.ru is <CNAME>
Sat Apr 16 19:13:37 2022 daemon.info dnsmasq[1]: 458 127.0.0.1/35410
cached ott-api-production-balancer.ott.yandex.net is 93.158.134.102
Sat Apr 16 19:13:37 2022 daemon.info dnsmasq[1]: 459 127.0.0.1/35410
query[AAAA] api.ott.kinopoisk.ru from 127.0.0.1
Sat Apr 16 19:13:37 2022 daemon.info dnsmasq[1]: 459 127.0.0.1/35410
cached api.ott.kinopoisk.ru is <CNAME>
Sat Apr 16 19:13:37 2022 daemon.info dnsmasq[1]: 459 127.0.0.1/35410
cached ott-api-production-balancer.ott.yandex.net is 2a02:6b8::272
Thanks for the detailed description.
It's kind-off obvious what's going on here: the CNAME gets cached from
the IPv4 lookups and then the AAAA record that the CNAME points to gets
cached when it's looked up directly.
What's not obvious is what to do about it: In versions before 2.86, this
wouldn't be a problem, because
address=/api.ott.kinopoisk.ru/::
would stop any queries for api.ott.kinopoisk.ru, including the IPv4
query, being sent upstream. That means the an A query (or any other
query) would return NODATA, and an AAAA query would return ::, which is
all consistent.
2.86 changed this behaviour, half by accident. (I made assumptions about
what would be sensible, and didn't check exsiting behaviour well enough.
Never make assumptions.)
The 2.86 behaviour is not consistent. api.ott.kinopoisk.ru can't be both
a CNAME and an all-zeros AAAA record. It could be a CNAME pointing to an
all-zeros AAAA record, but then you'd still get a different answer if
you looked up that AAAA record stand-alone.
I'm sort-of persuaded that this is another good argument to return to
the pre-2.86 behaviour, despite the fact that is imposes a second
incompatible change: at least it's only incomptable if you're upgrading
from 2.86.
Opinions, list?
Simon.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
