Comment 52 for bug 1003842

Sergio Callegari (callegar) wrote: Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

On 04/02/2013 17:07, Simon Kelley wrote:
> On 04/02/13 15:36, Sergio Callegari wrote:
>> On 04/02/2013 15:40, Simon Kelley wrote:
>>> On 03/02/13 07:48, Thomas Hood wrote:
>>>>> there's still the unresolved question
>>>>> of whether re-enabling --strict-order
>>>>> will suffice as a workaround, since
>>>>> 12.10 relies on DBus to populate the
>>>>> nameservers. Is there any extra
>>>>> information on this?
>>>> Please try it and report back. :-)
>>>>
>>>> (Put "strict-order" in a file in /etc/NetworkManager/dnsmasq.d/; stop
>>>> network-manager; make sure all dnsmasq processes are dead; start
>>>> network-manager.)
>>>>
>>> It doesn't work: it will always use the same server first, but the order
>>> of servers given to the DBus interface isn't preserved internally, and
>>> actually changes each time the DBus interface is used.
>>>
>>>
>>> Cheers,
>>>
>>> Simon.
>> Isn't it possible to change dnsmasq behavior to query the servers in any order
>> or in parallel and in the case the first server to reply says "I don't know"
>> avoid relying on that information, rather wait and see if in a reasonable time
>> some other server answers "I do"?
> You're far from the first person to ask that question. The answer is
> that there is no possible response in the DNS protocol which means "I
> don't know". NXDOMAIN or NODATA answers _don't_ mean that; they mean "I
> know that this domain doesn't exist". They also make up quite a large
> proportion of the DNS results returned to the average host, so that all
> of those queries would suddenly take much longer.

Yes, I realize that the problem is with the setup of the intranet, which should
not add names to a domain that is known on the internet or invent a subdomain of
something that is on the internet.

But as a workaround, having a switch to activate "wait for further answers if
you get an 'it does not exist'" would be nice for those willing to pay the price
of a longer wait (or possibly even auto-activate it if a dns is detected to be
on an intranet).

Best regards,

Sergio
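The exchange above contrasts two answer-selection policies for a forwarder that knows several non-equivalent nameservers: "first reply wins" (what dnsmasq does, which returns the public server's NXDOMAIN for an intranet-only name) and the proposed "treat NXDOMAIN as 'keep waiting' until a positive answer arrives or a deadline passes". The following script is an added example, not code from the bug thread or from dnsmasq; it models both policies against two constructed in-process fake nameservers (a fast public one and a slow intranet one, with made-up zone data and latencies) so that the latency cost Simon describes can be measured directly.

```python
"""
Added example (not code from the bug thread or from dnsmasq): race the
configured nameservers and compare two ways of picking an answer.

  * first_answer    -- what a forwarder does by default: the first reply
                       wins, even when it is NXDOMAIN.
  * prefer_positive -- the proposal from the thread: treat NXDOMAIN as
                       "keep waiting" until every server has replied or a
                       deadline passes, and only then accept the negative.

The nameservers are constructed in-process fakes with fixed latencies so
the script runs offline; the names and addresses are made up.
"""
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from concurrent.futures import TimeoutError as FuturesTimeout

NOERROR, NXDOMAIN, TIMEOUT = "NOERROR", "NXDOMAIN", "TIMEOUT"


class FakeServer:
    """Stand-in for a nameserver: a tiny zone table plus a round-trip delay."""

    def __init__(self, name, zone, latency):
        self.name, self.zone, self.latency = name, zone, latency

    def query(self, qname):
        time.sleep(self.latency)                 # simulated network round trip
        if qname in self.zone:
            return (NOERROR, self.zone[qname], self.name)
        return (NXDOMAIN, None, self.name)       # "this name does not exist"


# Constructed split-horizon setup: the (slow) intranet server knows names
# under corp.example.com that the (fast) public server has never heard of.
PUBLIC = FakeServer("public", {"www.example.com": "192.0.2.10"}, latency=0.01)
INTRANET = FakeServer("intranet", {"www.example.com": "192.0.2.10",
                                   "wiki.corp.example.com": "10.1.2.3"},
                      latency=0.2)
SERVERS = [PUBLIC, INTRANET]


def resolve_first_answer(qname, servers, timeout=1.0):
    """First reply wins, whatever its rcode (the default forwarder behaviour)."""
    pool = ThreadPoolExecutor(max_workers=len(servers))
    futs = [pool.submit(s.query, qname) for s in servers]
    try:
        for fut in as_completed(futs, timeout=timeout):
            return fut.result()
    except FuturesTimeout:
        return (TIMEOUT, None, None)
    finally:
        pool.shutdown(wait=False)                # do not block on slow servers


def resolve_prefer_positive(qname, servers, timeout=1.0):
    """Return the first NOERROR reply; an NXDOMAIN only wins once every
    server has replied negatively or the deadline has passed."""
    pool = ThreadPoolExecutor(max_workers=len(servers))
    futs = [pool.submit(s.query, qname) for s in servers]
    negative = None
    try:
        for fut in as_completed(futs, timeout=timeout):
            reply = fut.result()
            if reply[0] == NOERROR:
                return reply
            negative = reply                     # remember it, but keep waiting
    except FuturesTimeout:
        pass
    finally:
        pool.shutdown(wait=False)
    return negative or (TIMEOUT, None, None)


def timed(resolver, qname, servers):
    """Run a resolver and report (reply, wall-clock seconds)."""
    start = time.monotonic()
    reply = resolver(qname, servers)
    return reply, time.monotonic() - start


def demo():
    """Resolve three names under both policies -> {(policy, name): (reply, secs)}."""
    results = {}
    for policy in (resolve_first_answer, resolve_prefer_positive):
        for qname in ("www.example.com", "wiki.corp.example.com", "nope.example.com"):
            results[(policy.__name__, qname)] = timed(policy, qname, SERVERS)
    return results


if __name__ == "__main__":
    for (policy, qname), (reply, secs) in demo().items():
        print(f"{policy:24} {qname:24} -> {reply[0]:8} from {reply[2]} in {secs:.2f}s")
```

Running it shows the trade-off from the thread in numbers: under first_answer the intranet-only name gets the public server's NXDOMAIN after one fast round trip, while prefer_positive returns the intranet address but makes every genuinely non-existent name wait for the slowest server (or the deadline), which is exactly the cost Simon points out given how common negative answers are. Shortening the deadline below the intranet server's latency brings the wrong NXDOMAIN back. The usual way to avoid guessing at all in dnsmasq is to route the intranet domain to its own server explicitly with the `server=/domain/address` form (for example `server=/corp.example.com/10.0.0.1`), so that the public servers are never asked about it; that setting is dnsmasq's own, but is not discussed on this page.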