Score:1

DNS proxy/cache that queries multiple DNS servers, ignoring NXDOMAIN


The question is as follows: how can I set up a DNS proxy/cache that queries a series of DNS servers in a strict order (some of which might be unavailable), and that does not stop on the first NXDOMAIN answer?

Context:

The place I work for has a main domain: company.com, and 2 VPNs: vpn1 and vpn2. They are not identical: vpn2 allows you to connect to more services than vpn1. vpn1 is not needed when connected to vpn2 basically.

  - Some sub-domains are available from the internet: open.company.com
  - Some are only available from vpn1 and vpn2: internal.company.com
  - Some are only available from vpn2: private.company.com

Now, vpn1 has a DNS server: dns1 and vpn2 has a different DNS server: dns2; each with its own configuration.

The issue is: some services that are accessible from VPN1 (and therefore VPN2) are configured in dns1, but not in dns2.

And the bigger problem is that when dns2 is asked, it answers with NXDOMAIN.

So I'm looking for a way to ask the DNS in this specific order: dns2, dns1, 8.8.8.8, but without stopping on the first NXDOMAIN answer.

I tried with dnsmasq and the "all-servers" parameter; it has 2 issues:

  1. I think (I haven't tested) that if the NXDOMAIN from dns2 arrives before the answer from dns1, the query will fail
  2. Some sub-domains are resolved by both dns1 and dns2, but when connected to vpn2, the IP configured in dns2 should be used.

I've looked at dnsmasq, bind, and other random DNS proxies, but without any luck so far.

Note: obviously, I can't update the configuration of dns1/dns2. I'm looking for a solution that would run on my laptop (Ubuntu).

Any idea? Thanks

Score:2

I don't think you can natively get this behaviour from any DNS proxy, as it goes against the spirit of DNS (a DNS server is not supposed to lie using an NXDOMAIN).

My advice would therefore be to actively filter out those false answers from DNS2 so that your proxy only sees the ones from DNS1 and has no ambiguity.

This can be done by adding a rule in the firewall, filtering only on DNS answer packets that contain the NXDOMAIN flag (and come from DNS1). Then keep your dnsmasq configuration with the all-servers parameter.

See "iptables drop negative DNS responses" for a way to filter the DNS answers.

Note that if you have the reverse issue (DNS1 answering first with NXDOMAIN for something that exists in DNS2), you can also filter out those answers. However, this would mean that in case of a real non-existent domain, you'll get no answer from any DNS and likely timeout. I'm guessing from your context it's not a big issue but, if so, you'd better only delay the NXDOMAIN answers, as was also done in the linked post, though it is a more complex setup.

Good luck.
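As an added illustration (not part of the question or the answer above), the following Python model shows the two pieces the thread is about: where the RCODE that such a firewall rule matches on lives inside a DNS reply, and a strict-order walk over dns2, dns1, 8.8.8.8 that skips unreachable servers and NXDOMAIN replies instead of stopping at them. The server addresses, names and replies are constructed sample data, and the reply builder is a minimal stand-in for real resolver traffic.

```python
import struct

NXDOMAIN = 3                                                # RCODE "name does not exist"
DNS2, DNS1, GOOGLE = "10.2.0.53", "10.1.0.53", "8.8.8.8"   # constructed sample addresses
ORDER = [DNS2, DNS1, GOOGLE]                                # strict order asked for in the question

def build_response(txid, qname, rcode, ip=None):
    """Constructed minimal DNS reply: header, one A question, optional A answer."""
    flags = 0x8180 | rcode                     # QR=1 RD=1 RA=1, RCODE in the low 4 bits
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if ip else 0, 0, 0)
    msg += b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    msg += struct.pack("!HH", 1, 1)                                 # QTYPE=A, QCLASS=IN
    if ip:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata  # name = pointer to offset 12
    return msg

def rcode_of(msg):
    """RCODE is the low nibble of the flags word (bytes 2-3), the byte a firewall u32 match would test."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def drop_negative_answer(src, msg, filtered_server):
    """Model of the answer's firewall rule: drop NXDOMAIN replies coming from one chosen server."""
    return src == filtered_server and rcode_of(msg) == NXDOMAIN

def skip_name(msg, off):
    while msg[off] != 0 and msg[off] & 0xC0 != 0xC0:   # walk labels until root or a pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def answer_ip(msg):
    """Address of the first A record, or None when the reply carries no answer."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QNAME, then QTYPE and QCLASS
    if ancount == 0:
        return None
    off = skip_name(msg, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    return ".".join(map(str, msg[off + 10:off + 10 + rdlen])) if rtype == 1 else None

def resolve(order, replies):
    """Strict-order pick: first reachable server not saying NXDOMAIN wins; None = no reply (VPN down)."""
    for server in order:
        msg = replies.get(server)
        if msg is None or rcode_of(msg) == NXDOMAIN:
            continue                           # keep asking instead of trusting the negative answer
        return server, answer_ip(msg)
    return None, None
```

With every server answering NXDOMAIN the model returns nothing, which is the timeout case the answer warns about when negative replies are dropped rather than merely delayed.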
