3

When I query the ISP's DNS server for foo.example.com, it comes back with something like this:

;; ANSWER SECTION:
foo.example.com. 159 IN A       192.168.40.20

(note that the IP address is a local one)

When I do the same over DNSMasq, the response is empty; the A record is missing. It works fine for every other address I've tried.

What is this, a mis-configuration of DNSMasq, a bug, or expected behaviour?

RomanSt

2 Answers

4

You probably have dnsmasq's rebind protection enabled with this option:

   --stop-dns-rebind
          Reject (and log) addresses from upstream nameservers  which  are
          in  the private IP ranges. This blocks an attack where a browser
          behind a firewall  is  used  to  probe  machines  on  the  local
          network.

You can disable this entirely by removing this option, or you can whitelist certain domains using this option:

--rebind-domain-ok=example.com
mgorven
Thanks. Same problem as OP, using public DNS to store internal IPs. Couldn't understand why `dig -t ANY` would give me a proper `A` record, but plain `dig` (e.g. `dig -t A`) would give me nothing. Also couldn't understand why it was only an issue intermittently: it was only when I was connected to a network using dnsmasq. – Jesse Buchanan Apr 04 '14 at 16:03
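To make the behaviour in the answer above concrete, here is a small simulation of dnsmasq's rebind check (added example, not dnsmasq's code and not from the original post). It models what the man page excerpt describes: with stop-dns-rebind on, an upstream reply whose A record points into a private range is dropped entirely, so the client sees an empty answer section, unless the queried name falls under a domain listed in rebind-domain-ok. The set of "private" ranges, the RR type coverage (A only, IPv6 not modelled) and the log wording are assumptions of this simulation; the upstream reply for foo.example.com is constructed from the question's dig output.

```python
import ipaddress
from dataclasses import dataclass

# Ranges treated as "private" by this simulation (assumption: RFC 1918 plus
# loopback, link-local and 0.0.0.0/8). dnsmasq's real list lives in its source.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


@dataclass(frozen=True)
class RR:
    """One resource record from an upstream answer section."""
    name: str
    ttl: int
    rtype: str
    rdata: str


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def domain_ok(qname: str, ok_domains) -> bool:
    """True if qname equals, or is a subdomain of, a rebind-domain-ok entry.

    Suffix matching is done on whole labels, so 'example.com.evil.test' is
    NOT whitelisted by 'example.com'.
    """
    q = qname.rstrip(".").lower()
    for d in ok_domains:
        d = d.strip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


def filter_reply(qname, answers, stop_dns_rebind=True, rebind_domain_ok=()):
    """Apply the rebind check to an upstream reply.

    Returns (answers_forwarded_to_client, log_lines). When an attack is
    suspected the whole answer section is discarded, which is why the
    client sees an empty response rather than just a missing record.
    """
    log = []
    if not stop_dns_rebind or domain_ok(qname, rebind_domain_ok):
        return list(answers), log
    if any(rr.rtype == "A" and is_private(rr.rdata) for rr in answers):
        # Log wording modelled on dnsmasq's warning (assumption).
        log.append(f"possible DNS-rebind attack detected: {qname.rstrip('.')}")
        return [], log
    return list(answers), log


def demo():
    # Constructed from the question: the ISP resolver hands back a private IP.
    upstream = [RR("foo.example.com.", 159, "A", "192.168.40.20")]

    # Default with stop-dns-rebind: answer section is emptied and a warning logged.
    blocked, log_blocked = filter_reply("foo.example.com.", upstream)

    # Same reply with --rebind-domain-ok=example.com: the record passes through.
    allowed, _ = filter_reply("foo.example.com.", upstream,
                              rebind_domain_ok=["example.com"])

    # A public address (constructed, TEST-NET-3) is never affected by the check.
    public = [RR("www.example.net.", 300, "A", "203.0.113.10")]
    passthru, _ = filter_reply("www.example.net.", public)

    return blocked, allowed, passthru, log_blocked


if __name__ == "__main__":
    for label, value in zip(("blocked", "allowed", "passthru", "log"), demo()):
        print(label, value)
```

In dnsmasq terms, `demo()` compares a configuration containing `stop-dns-rebind` alone with one that also carries `rebind-domain-ok=example.com`; the whitelist matches the domain and everything beneath it, so a single entry covers all internal hostnames under that zone.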
0

I think it could be the BIND9 view feature, especially if your DNSMasq is not in the same IP range as your PC.

The view statement is a powerful new feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking (...)

klocek