0

I use a public DNS provider (nextdns.io) that blocks some domains. These blocked domains return a response like this when dig-ed:

; <<>> DiG 9.16.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63541
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.               IN      A

;; Query time: 66 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jul 22 12:03:25 CDT 2020
;; MSG SIZE  rcvd: 33

I use dnsmasq on a DD-WRT router to handle all DNS queries from devices on the local network. Is there a way to configure dnsmasq to cache these NOERROR results with 0 ANSWER/AUTHORITY?

Viewing logs, I can tell that my upstream DNS provider continues to get hammered by a client on my network trying to access some blocked domains frequently.

I explored the dnsmasq manpage, but the cache/ttl flags I see do not seem to have an effect on these types of responses since they are not negative (e.g. NXDOMAIN) cacheable but are just no answer at all. I know that I could explicitly handle certain domains in my dnsmasq config by adding records like address=/.example.com/::, but I'd prefer to add a cache/ttl at my dnsmasq to cache no answers for something like 300 seconds before trying to query for an answer from upstream again.

Collin Barrett
  • 115
  • 1
  • 7

1 Answers1

3

The main problem in terms of caching is that this some form of a broken response (I would think broken NODATA based on the suggested intent).

DNS caching is done based on some TTL, for positive responses the RRSet TTL and for negative responses the cache TTL is based on the SOA record in the AUTHORITY section (specifically the TTL used is MIN(SOA TTL, SOA.MINIMUM)).

Whether a negative response is NXDOMAIN or NODATA (NOERROR with empty ANSWER), these response types always have the relevant SOA record in the AUTHORITY section.

It would of course be better if the filtering DNS provider would serve valid responses also for filtered domains (ie, a proper NXDOMAIN or NODATA response).

Working around the problem is not necessarily straightforward as this is not a type of response that is supposed to exist, and there is not necessarily an option to catch this case.

However, you are using dnsmasq, which according to the dnsmasq manual has a setting which would appear to deal with this situation:

--neg-ttl=<time>
Negative replies from upstream servers normally contain time-to-live information in SOA records which dnsmasq uses for caching. If the replies from upstream servers omit this information, dnsmasq does not cache the reply. This option gives a default value for time-to-live (in seconds) which dnsmasq uses to cache negative replies even in the absence of an SOA record.

Håkan Lindqvist
  • 35,011
  • 5
  • 69
  • 94
  • Thanks, that's helpful information. I had tried using `neg-ttl=300`, however, but it didn't seem to have an effect. I may need to open a ticket to the DNS provider (nextdns.io) to see about changing their response to blocked domains. I see that pi-hole, a similar service, [returns NXDOMAIN or NODATA](https://docs.pi-hole.net/ftldns/blockingmode/#pi-holes-nxdomain-blocking). – Collin Barrett Jul 22 '20 at 18:46
  • 1
    @CollinM.Barrett Ok, interesting. Maybe it doesn't recognize the "partial `NODATA`" as a case where it can apply `neg-ttl`, then. Maybe it works with "partial `NXDOMAIN`" only. – Håkan Lindqvist Jul 22 '20 at 20:04