Dns result rotation

When I request a DNS name from dnsmasq and the result has more than one answer, the answer gets rotated every time I request it.
Because the result is cached, I know that dnsmasq is doing this.
Is this a standard DNS feature, maybe for load balancing, or is it just dnsmasq, and can I disable it?
Btw, is there something like a DNS client that does the whole DNS chain (I am not a pro, so sorry if I use the wrong words here) to get the result from the main (dns.example.com) source?
Some program that doesn't rotate the results and gets the raw unmodified data?

That's right.

You mean to recursively query the root NS and then the secondary level NS. As long as you don't use forwarders, bind can do that, for example. I am not sure about dnsmasq though.
However, this rotation is coming from the authoritative NS, so there is no guarantee that you'll get the desired result.

2 Likes
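The "raw, unmodified" lookup asked about above, as an added example that is not from this thread: a minimal DNS client that sends one A query straight to a chosen server (no dnsmasq cache in between) and reports the addresses in exactly the order the server put them in the answer section. Only A records are parsed, and the sample response is constructed, not captured.

```python
import socket
import struct

# Added example (not from the thread): raw DNS A lookup that preserves answer order.
def build_query(name, txid=0x1234):
    """Standard query with RD=1 and one A/IN question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
        elif ln == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_a_records(msg):
    """Return A-record addresses in answer-section order (no reordering)."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, addrs = 12, []
    for _ in range(qd):                  # skip the echoed question(s)
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def query_a(name, server, timeout=3.0):
    """Send one query directly to `server` on UDP/53, bypassing the local cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(4096)[0])

# Constructed response (not captured traffic): two A records for example.com,
# owner names compressed via a pointer to the question name at offset 12.
_RR = lambda ip: b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04" + bytes(int(x) for x in ip.split("."))
_Q = build_query("example.com")
SAMPLE_RESPONSE = _Q[:2] + b"\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00" + _Q[12:] + _RR("192.0.2.1") + _RR("192.0.2.2")
```

Calling `query_a("example.com", "<authoritative server IP>")` a few times shows whether the order changes at the source or only in the caching resolver.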

It's best to disable DNS providers whose results you don't want to see, such as peer DNS:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#upstream_dns_provider

However if you use DNS encryption, it's better to utilize split-DNS approach based on DNS forwarding:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dns_forwarding

2 Likes

Thanks for the answer.
But I see that dnsmasq cached answers get rotated too. Is there a way to disable that?

The issue is not with the DNS provider, I think.
But I will try to use dnscrypt with one provider to see if I can find a "good" one.

Btw, I have this question about the issue here:

When I want to connect to greasyfork, one of the IPs won't connect on HTTPS (the 96.. one). Could this not be my government censoring, but an issue on the other side of the internet? As in, maybe that IP blocked Iranian IPs, or the network is configured to only answer requests from another region and blocks other regions (like mine).
Is the second possibility a practice that anyone has seen (a server only answering requests from a specified range and not others)?
So basically a whitelist instead of a country blacklist?

The resource seems to work.
Your problem is likely the result of L3-filtering by the ISP.
I'm afraid Dnsmasq is not designed to solve this sort of issue.
Your best option is VPN or Tor, optionally with PBR.

1 Like

I understand.
Could it be the destination is blocking me instead of my ISP?
Usually this is shown by an error (HTTP 403), so I don't think it is, but I ask to see if anyone has seen IP blocking on a server for HTTP/S, or maybe even a geo whitelist instead of a blacklist, for load balancing maybe?

Btw, what is PBR?
Because my country filters a lot of websites, I use a way that sets DNS for blocked domains to a LAN address, and then on that LAN client I have a proxy that circumvents the block. I used to have ipset for proxy use, but because of CDN use I would be using the proxy for a lot of unintended websites, and decided to use this instead.

Policy-based routing, a way to route packets based on parameters other than the destination address, like source address, uplink balancing, service distribution, etc.

1 Like

So PBR is a concept, not a program?

Btw, I tested with dnscrypt on my laptop and I see that it doesn't rotate the answers, but dnsmasq on the OpenWrt router does.
Even though they both cache the answers.

Can I disable the DNS result rotation in dnsmasq?
Again, this is even with cached results.
Or do I have to use dnscrypt directly and remove dnsmasq for DNS on OpenWrt?

Btw, are there more DNS servers (dnsmasq is a server??) that can replace dnsmasq and that I can play with on OpenWrt?

Yes, although there is a package with a similar name.

I don't know, better read the manual.

You can do that if you think it works better for you.

Dnsmasq is a nameserver and DHCP server. So before you disable it, make sure you understand what you are doing. There is also the bind name server available in the packages.

1 Like