# Baby step beyond DNS Masq

## Philippe23

I run a small server with a handful of vanity domains with its own mail and web server.  I let my registration provider do DNS for me, so I don't have to worry about DNS redundancy, etc.  (And I have no dynamic records.)

I've started running into issues with the mail part of it: a lot of spam filtering software uses DNS as a querying mechanism.  However, a lot of these services get cranky when large numbers of DNS requests come from the same DNS servers (meaning when those big upstream servers make the queries to the spam service's DNS servers on my behalf, like they do for a million other users of their DNS servers), so they start returning failure codes.  Being in a large virtual hosting environment, all the DNS servers available to me fall into this pitfall.  (As do 8.8.8.8, 1.1.1.1, 4.2.2.1, etc.)

So, it's starting to feel like I can no longer run DNS Masq, since it will only query a handful of DNS servers (from what I can tell) -- ie, it won't query directly.

BIND feels like overkill, especially since I don't want to serve any DNS zones authoritatively.  But I imagine BIND is the most well documented DNS server ever.

1.)  Am I wrong, is there a way to configure DNS Masq to query authoritative servers?  (Or am I missing another setup?)

2.)  Is there any software better suited to this poser configuration I'm heading towards, where I ask questions of authoritative servers but don't have any zones of my own?

Last edited by Philippe23 on Tue Oct 05, 2021 2:58 pm; edited 2 times in total

----------

## cboldt

dnsmasq will read resolv.conf (or a different file or files, if you prefer) for nameservers, I don't know of any limit to the number of nameservers listed there.

You can also reduce the load on external nameservers by caching the data a little longer ... --min-cache-ttl=<time> can be up to one hour.

----------

## pingtoo

You can try pdnsd. I used it in a few production environments; it works just fine. It uses a simple /etc/hosts-like file syntax to serve authoritative records.

----------

## alamahant

Bind can also be used as a cache and forward-only server.

It comes down to named.conf config.

You don't need your own zones to run named.

Also, with bind you can configure external (i.e. internet) and internal (i.e. LAN) views.

----------

## Philippe23

 *pingtoo wrote:*   

> You can try pdnsd. I used it in a few production environments; it works just fine. It uses a simple /etc/hosts-like file syntax to serve authoritative records.

 

"pdnsd needs to know the address of at least one DNS server to collect DNS information from [...]" (from the Arch Linux Wiki).

That sounds like it'll have the same issue as DNS Masq -- I need to ask root servers for name servers for domains and go ask those name servers directly -- not ask my upstream ISP's DNS servers (nor 8.8.8.8, etc.) for the answers and just cache them.  If I ask the upstream DNS servers, they're the IPs the DNS-hosted spam blacklists will see, and I'll be denied with everyone else that uses those big DNS servers.

----------

## cboldt

Direct the output of your query of root servers for nameserver IPs to a file of your choice, /etc/resolv.conf is the prototypical location, and dnsmasq will rotate through that list of nameservers.  If there are particular nameservers that you want dnsmasq to ignore (but your external nameserver list building tool may access), just exclude those IPs from the list that dnsmasq will use.

dnsmasq will re-read this list if/when it changes.  Search for "resolv.conf" in the dnsmasq man page for the various related config settings.

If you are roughly familiar with dnsmasq, might as well stick with it.  Took me quite a few hours to get a handle on much of the power, but baked into that was also learning about DNS (and DHCP) in general.

Use of DHCP on the LAN is instrumental too, as it keeps the client machines "in line," asking the dnsmasq machine for DNS and keeping those clients from hitting the nameservers you want to avoid.

----------

## pingtoo

 *Philippe23 wrote:*   

>  *pingtoo wrote:*
> > You can try pdnsd. I used it in a few production environments; it works just fine. It uses a simple /etc/hosts-like file syntax to serve authoritative records.
> 
> "pdnsd needs to know the address of at least one DNS server to collect DNS information from [...]" (from the Arch Linux Wiki).
> 
> That sounds like it'll have the same issue as DNS Masq -- I need to ask root servers for name servers for domains and go ask those name servers directly -- not ask my upstream ISP's DNS servers (nor 8.8.8.8, etc.) for the answers and just cache them.  If I ask the upstream DNS servers, they're the IPs the DNS-hosted spam blacklists will see, and I'll be denied with everyone else that uses those big DNS servers.

 

pdnsd is both a cache DNS server and recursive. You can turn on paranoid to make it go to the authoritative server for the answer. You can also make pdnsd cache a large number of records for a long time so it will not go out to query as frequently.

I never researched in detail whether Google DNS or OpenDNS will answer a query with the authoritative flag. I assume they don't, because that would make them responsible for a lot of Internet hacking. So I think pdnsd will go to authoritative servers for the answer.

I am not sure how your current setup leads to a denied DNS service call. I have done a mail server for a financial company with pdnsd, which does some filtering by DNS, and have not seen DNS query denial before. Will your current setting send a very, very large amount of DNS queries in a very short time?

----------

## pa4wdh

I'm a BIND fan, so I'll recommend that.

Function wise it might be a bit overkill for you, but you don't have to use it all. If you want it to be just a resolver, it will just be a resolver.

Extra benefits will be:

1) You'll learn new stuff, and since BIND is very common that might be useful

2) If your needs grow and you need more functionality there is a good chance BIND will be able to provide that

----------

## Philippe23

 *pingtoo wrote:*   

> pdnsd is both a cache DNS server and recursive. You can turn on paranoid to make it go to the authoritative server for the answer. You can also make pdnsd cache a large number of records for a long time so it will not go out to query as frequently.

 

Reading some more, and it sounds like pdns-recursor does not require an upstream provider, but it makes requests of the authoritative servers directly.  So that sounds like exactly what I need.  (I don't even need pdnsd, actually, since I don't have any zones to serve.)

I'm going to try pdns-recursor out.  So far it just seems like emerge and start it.

If I run into trouble, I'll probably bite the bullet and switch to BIND.

 *pingtoo wrote:*   

> I am not sure how your current setup leads to a denied DNS service call. I have done a mail server for a financial company with pdnsd, which does some filtering by DNS, and have not seen DNS query denial before. Will your current setting send a very, very large amount of DNS queries in a very short time?

 

What's happening is, say ... I request a DNS-based spam check against some-rbl.com.  In my pre-existing setup, that would go to my local DNS Masq process, which would then go and ask Google's 8.8.8.8 (for example).  8.8.8.8 would then figure out who is authoritative for the query some-rbl.com, and make its request to that DNS server.  Meanwhile, 20 thousand other people are doing the same thing (times all the spam those other people are processing) around the same time -- they're also asking 8.8.8.8 to ask some-rbl.com similar questions.  some-rbl.com has decided that it wants to rate limit queries per IP to 5k/minute.  8.8.8.8 blows past that limit, and some-rbl.com basically either (A) temp blacklists 8.8.8.8 or (B) starts returning an error that indicates "you're a high query user, you should pay us for the resources you're consuming -- we're good guys, but we don't want to be suckers."

It doesn't matter if I switch to 1.1.1.1 or my [large] data center's provided DNS server -- the same issue is going to happen at each of them.

So making my own queries will make the requests to some-rbl.com come from my assigned IP, and not get thrown in with those other 20 thousand people making queries via 8.8.8.8 (or whatever).
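The shared-forwarder versus own-recursor situation described in this post, as an added example that is not part of the thread: a toy recursor walks a constructed delegation tree (root, TLD, zone) and the RBL nameserver counts queries per source IP against the 5k/minute figure above. Server names, client addresses and the load are constructed and nothing touches the network.

```python
from collections import Counter, defaultdict

# Constructed delegation tree: authoritative server -> {zone cut: (rtype, data)}.
# The toy RBL zone answers every name under it as "listed" (127.0.0.2).
AUTH = {
    "root": {"com.": ("NS", "a.gtld")},
    "a.gtld": {"some-rbl.com.": ("NS", "ns1.some-rbl.com.")},
    "ns1.some-rbl.com.": {"some-rbl.com.": ("A", "127.0.0.2")},
}
RBL_LIMIT_PER_MINUTE = 5000  # per-source-IP limit used as an example in the thread

def resolve_iteratively(qname, source_ip, seen):
    """Follow NS referrals from the root as a recursor does, recording which source
    IP each authoritative server saw. Returns the A data, or None if unresolvable."""
    server = "root"
    for _ in range(8):  # guard against referral loops in the constructed tree
        seen[server][source_ip] += 1
        table = AUTH[server]
        cut = max((z for z in table if qname.endswith(z)), key=len, default=None)
        if cut is None:
            return None
        rtype, rdata = table[cut]
        if rtype != "NS":
            return rdata
        server = rdata  # referral: ask the delegated nameserver next
    return None

def sources_seen_by_rbl(queries, forwarder_ip=None):
    """queries: list of (client_ip, qname). With forwarder_ip set, every lookup reaches
    the authoritative servers from that address (the shared 8.8.8.8 case); without
    it, from each client's own address (the own-recursor case)."""
    seen = defaultdict(Counter)
    for client_ip, qname in queries:
        resolve_iteratively(qname, forwarder_ip or client_ip, seen)
    return seen["ns1.some-rbl.com."]

def over_limit(counts):
    """Source IPs the RBL nameserver would rate-limit within this one-minute window."""
    return sorted(ip for ip, n in counts.items() if n > RBL_LIMIT_PER_MINUTE)

def rbl_name(ip):
    """DNSBL query name: the sender's IPv4 octets reversed under the list's zone."""
    return ".".join(reversed(ip.split("."))) + ".some-rbl.com."

# Constructed load for one minute: my mail server checks 10 senders; 20,000 other
# users each check a different sender, so a forwarder's cache cannot absorb it.
MY_QUERIES = [("198.51.100.7", rbl_name(f"203.0.113.{n}")) for n in range(10)]
OTHERS = [(f"10.{i >> 8}.{i & 255}.1", rbl_name(f"100.64.{i >> 8}.{i & 255}"))
          for i in range(20000)]
```

`over_limit(sources_seen_by_rbl(MY_QUERIES + OTHERS, "8.8.8.8"))` names the forwarder, while the same load through per-client recursors leaves my address at 10 queries and nobody over the limit.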

----------

## pingtoo

 *Philippe23 wrote:*   

> What's happening is, say ... I request a DNS-based spam check against some-rbl.com.  In my pre-existing setup, that would go to my local DNS Masq process, which would then go and ask Google's 8.8.8.8 (for example).  8.8.8.8 would then figure out who is authoritative for the query some-rbl.com, and make its request to that DNS server.  Meanwhile, 20 thousand other people are doing the same thing (times all the spam those other people are processing) around the same time -- they're also asking 8.8.8.8 to ask some-rbl.com similar questions.  some-rbl.com has decided that it wants to rate limit queries per IP to 5k/minute.  8.8.8.8 blows past that limit, and some-rbl.com basically either (A) temp blacklists 8.8.8.8 or (B) starts returning an error that indicates "you're a high query user, you should pay us for the resources you're consuming -- we're good guys, but we don't want to be suckers."
> 
> It doesn't matter if I switch to 1.1.1.1 or my [large] data center's provided DNS server -- the same issue is going to happen at each of them.
> 
> So making my own queries will make the requests to some-rbl.com come from my assigned IP, and not get thrown in with those other 20 thousand people making queries via 8.8.8.8 (or whatever).

 

Thanks for clarification.

Just my simple logical mind thinking: if some-rbl.com starts DNS RBL, maybe it is a mistake in some-rbl.com's DNS service defining a TTL too short for its DNS records. If a popular service from some-rbl.com has its DNS record expire, causing many around the world to want to get it at the same time, it should have a longer TTL to allow downstream to cache longer, so not everyone will want to ask for it in a very short time span; after all, any one of the downstream cache DNS servers (for example 8.8.8.8), once it got an answer, will not query some-rbl.com's DNS server again until the TTL expires again.

Anyway, powerdns-recursor may be a better choice for you, since it is maintained up to date, whereas pdnsd is no longer being maintained. I just thought for a simple internal DNS server pdnsd would be quicker to set up.

----------

## szatox

 *Quote:*   

> after all, any one of the downstream cache DNS servers (for example 8.8.8.8), once it got an answer, will not query some-rbl.com's DNS server again until the TTL expires again.

The practical difference between theory and practice is that they are only the same in theory.

Google's DNS for example, 8.8.8.8, along with a few other big players, ignore upstream's TTL.

Not to mention that the OP is not in a position to change someone else's settings.

----------

## cboldt

Depends on the setting and what is meant by not changing somebody else's.  dnsmasq enables setting the TTL on material locally cached, so even though an original TTL is set (and not changed by the originator), the TTL locally propagated can differ from the TTL set by the originator.

----------

## pingtoo

 *szatox wrote:*   

> The practical difference between theory and practice is that they are only the same in theory.

Agree totally.

 *szatox wrote:*   

> Google's DNS for example, 8.8.8.8, along with a few other big players, ignore upstream's TTL.

I am not sure I understand how this "ignore" works, care to explain?

I would imagine Google got a DNS record with a 5 minute TTL; between the moment it got it and 300 seconds later it will continue to reply with the record in cache. Only at 301 seconds and afterward, if a new query comes in, will it query upstream again for an update. During that time it will reply with a record with a 5 minute TTL, so if you got the record at second 299 and you have another layer that caches the record for another 5 minutes, you could get a stale record. In this case I think Google did not ignore the TTL.

 *szatox wrote:*   

> Not to mention that the OP is not in a position to change someone else's settings.

I reviewed my post a few more times, and I don't think I suggested that the OP expect a change from the other party. I merely stated that if the source is making a mistake, there is little chance one can change it on one's own and expect that it can be corrected.

----------

## szatox

 *pingtoo wrote:*   

>  *szatox wrote:*
> > The practical difference between theory and practice is that they are only the same in theory.
> 
> Agree totally.
> 
>  *szatox wrote:*
> > Google's DNS for example, 8.8.8.8, along with a few other big players, ignore upstream's TTL.
> 
> I am not sure I understand how this "ignore" works, care to explain?
> 
> I would imagine Google got a DNS record with a 5 minute TTL; between the moment it got it and 300 seconds later it will continue to reply with the record in cache. Only at 301 seconds and afterward, if a new query comes in, will it query upstream again for an update.
> ...

Yup. That's the theory.

They don't wait this long though. I can't tell how often exactly they update, but they don't wait for TTL to expire. Unless I've been getting really lucky anycast rolls, hitting another server every time I checked.

I've seen caches with retention times as long as a week too. These would store the origin's TTL and forward it to the requester, but never update themselves until that local retention was exceeded (or the cache was manually dropped - e.g. by restarting the server).

 *Quote:*   

>  *szatox wrote:*
> > Not to mention that the OP is not in a position to change someone else's settings.
> 
> I reviewed my post a few more times, and I don't think I suggested that the OP expect a change from the other party. I merely stated that if the source is making a mistake, there is little chance one can change it on one's own and expect that it can be corrected.

 

 *Quote:*   

> maybe it is a mistake in some-rbl.com's DNS service defining a TTL too short for its DNS records.

 

Dude, relax.

Maybe you're right about their TTL, maybe google doesn't care, or maybe there are so many addresses to check that caching simply doesn't cut it.

Either way it is out of scope, and having one's own DNS recursor should actually do the trick.
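The two TTL behaviours debated above (a cache that honours the TTL it received and hands downstream the remaining time, and the fixed-retention caches szatox describes), together with pingtoo's second-299 layered-cache scenario, as an added simulation that is not part of the thread: the record, its change at t=100, the addresses and all timings are constructed.

```python
ORIGIN_TTL = 300  # the five-minute TTL used in the discussion above

def origin(qname, now):
    """Constructed authoritative server: the record changes at t=100, TTL 300s."""
    return ("192.0.2.10" if now < 100 else "192.0.2.20"), ORIGIN_TTL

class TtlCache:
    """One caching layer. retention=None: honour the TTL received and hand out the
    remaining TTL. retention=N: keep entries N seconds and pass the TTL on as-is."""

    def __init__(self, upstream, retention=None):
        self.upstream = upstream    # callable(qname, now) -> (rdata, ttl)
        self.retention = retention
        self.entries = {}           # qname -> (rdata, fetched_at, ttl)
        self.upstream_queries = 0

    def lookup(self, qname, now):
        entry = self.entries.get(qname)
        if entry is not None:
            rdata, fetched_at, ttl = entry
            hold = self.retention if self.retention is not None else ttl
            if now - fetched_at >= hold:
                entry = None                    # expired locally: refresh upstream
        if entry is None:
            rdata, ttl = self.upstream(qname, now)
            self.upstream_queries += 1
            fetched_at = now
            self.entries[qname] = (rdata, fetched_at, ttl)
        if self.retention is not None:
            return rdata, ttl                   # TTL forwarded unchanged
        return rdata, ttl - (now - fetched_at)  # remaining TTL, as a correct cache does

def scenario():
    """Drive the caches across the record change; the second-layer caches are
    first asked at t=299, one second before the back cache's entry expires."""
    back = TtlCache(origin)                           # honours TTL, asked from t=0
    front_ok = TtlCache(back.lookup)                  # honours the remaining TTL it gets
    front_min = TtlCache(back.lookup, retention=300)  # re-holds any answer 5 minutes
    week = TtlCache(origin, retention=7 * 86400)      # week-long retention, as observed
    served = {}
    for t in (0, 299, 300, 301):
        served["back", t] = back.lookup("example.test.", t)
        served["week", t] = week.lookup("example.test.", t)
        if t >= 299:
            served["front_ok", t] = front_ok.lookup("example.test.", t)
            served["front_min", t] = front_min.lookup("example.test.", t)
    served["upstream_queries"] = (back.upstream_queries, week.upstream_queries)
    return served
```

Running `scenario()` shows the honouring layers switching to the new record at t=300, while the 5-minute re-holding front layer and the week-long cache keep serving the old one after it changed.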

----------

## pingtoo

 *szatox wrote:*   

> I've seen caches with retention times as long as a week too. These would store the origin's TTL and forward it to the requester, but never update themselves until that local retention was exceeded (or the cache was manually dropped - e.g. by restarting the server).

Now I understand what you mean by ignore: the local retention times are longer than the origin TTL and therefore overextend the origin's TTL. Learn something new every day. Thanks.

I am not familiar with dnsmasq, but I assume it should function like a DNS recursor; I wonder why it did not work in the first place.

----------

## szatox

Google's DNS doesn't overextend TTL, it flushes every few seconds (at most). Read: heavy traffic.

And why didn't dnsmasq work? I think it's because it's just a cache and not a recursor. A recursor hits root servers, then TLD, then second level and so on until the question is answered. AFAIK dnsmasq simply uses whatever DNS you have configured as your upstream. So dnsmasq's upstream (and the actual recursor DNS) was hammering the RBL's DNS with the total volume of traffic combined from multiple users, and got rejected for nagging.

----------

## pingtoo

 *szatox wrote:*   

> Google's DNS doesn't overextend TTL, it flushes every few seconds (at most). Read: heavy traffic.
> 
> And why didn't dnsmasq work? I think it's because it's just a cache and not a recursor. A recursor hits root servers, then TLD, then second level and so on until the question is answered. AFAIK dnsmasq simply uses whatever DNS you have configured as your upstream. So dnsmasq's upstream (and the actual recursor DNS) was hammering the RBL's DNS with the total volume of traffic combined from multiple users, and got rejected for nagging.

 

@szatox, thank you very much for the explanation.

----------

## Anon-E-moose

I used bind for many years, but a year ago I swapped to unbound (in portage), and I don't miss bind at all.

----------

## toralf

I switched from dnsmasq to unbound 2 yrs ago both at my desktop and at my server - and never took a look back.

Just emerge unbound and add it to the default runlevel - that's all.

----------

