Dnsmasq, DNSSEC and Caching

Hi everyone,

Does anyone know if dnsmasq caches all requests or does it only cache requests with DNSSEC enabled?

The reason I ask is that AdGuardHome made changes (https://github.com/AdguardTeam/dnsproxy/commit/cff45631257465c5e8fbd8753ab54c692f1fb3e0) (https://github.com/AdguardTeam/AdGuardHome/commit/5604e335748206e493332536682262a0f6465c4e) near the end of 2022 so that AdGuardHome would only cache requests that had DNSSEC enabled and where the web sites supported DNSSEC.

Quoted Link: https://github.com/AdguardTeam/AdGuardHome/issues/5241#issuecomment-1344126299

After a little investigation it turned out that we indeed changed some caching logic in v0.107.17. Particularly AdGuard Home stopped caching the queries with CD (DNSSEC Checking Disabled) bit set due to possible cache poisoning (#4942).

After that change, a large percentage of caching went down. Much fewer requests were being cached.

So that is the reason for my question here regarding dnsmasq.

Cheers!
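To make the CD-bit distinction from the quoted AdGuard Home comment concrete, here is an added example (my own illustration, not code from dnsmasq or AdGuard Home) that decodes the flag word of a wire-format DNS response header and applies the same policy: an answer fetched with CD (Checking Disabled) set skipped upstream validation, so it is not admitted to the shared cache. The sample headers are constructed inline.

```python
import struct
from dataclasses import dataclass

# Header flag word (RFC 1035, AD/CD bits from RFC 4035):
# QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0)
@dataclass(frozen=True)
class DnsFlags:
    qr: bool
    tc: bool
    ad: bool   # upstream validated the answer with DNSSEC
    cd: bool   # querier asked upstream NOT to validate (Checking Disabled)
    rcode: int

def parse_flags(message: bytes) -> DnsFlags:
    """Decode the flag word (bytes 2-3) of a wire-format DNS message."""
    if len(message) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    flags = struct.unpack("!H", message[2:4])[0]
    return DnsFlags(qr=bool(flags >> 15 & 1), tc=bool(flags >> 9 & 1),
                    ad=bool(flags >> 5 & 1), cd=bool(flags >> 4 & 1),
                    rcode=flags & 0xF)

def cache_decision(flags: DnsFlags) -> tuple[bool, str]:
    """Cache policy: a CD=1 answer was never validated upstream, so a forged
    reply would be stored and served to every later client; refuse it."""
    if not flags.qr:
        return False, "not a response"
    if flags.tc:
        return False, "truncated response"
    if flags.rcode not in (0, 3):          # only NOERROR / NXDOMAIN are cacheable
        return False, f"rcode {flags.rcode}"
    if flags.cd:
        return False, "CD bit set: answer was not validated upstream"
    return True, "validated (AD)" if flags.ad else "unvalidated but CD clear"

def build_header(ident: int, *, qr=True, ad=False, cd=False, rcode=0) -> bytes:
    """Constructed sample header (RD and RA set, no question section)."""
    flags = (qr << 15) | (1 << 8) | (1 << 7) | (ad << 5) | (cd << 4) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)

class ResponseCache:
    """Minimal positive cache keyed on (qname, qtype); stores only approved answers."""
    def __init__(self):
        self.entries = {}

    def store(self, qname: str, qtype: int, message: bytes) -> bool:
        ok, _why = cache_decision(parse_flags(message))
        if ok:
            self.entries[(qname.lower().rstrip("."), qtype)] = message
        return ok
```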

Dnsmasq should cache all. But OpenWrt does not use DNSSEC by default, last time I checked, because most embedded devices do not have a real-time clock, and if you configure NTP to use a domain name you will run into chicken-and-egg issues because you cannot validate the signed response when you have no proper time on the device after a reboot. I also have not checked yet whether the stripped-down default dnsmasq on OpenWrt even has DNSSEC compiled in, or if you would need dnsmasq-full anyway...

That is good information. Thank you for your response.

I have created functionally similar setups with both AdGuardHome and dnsmasq. So right now I am just weighing the pros and cons before I choose which setup to stick with.

I assume that having more caching with dnsmasq would be more performant, but with a slight trade-off in security against DNS poisoning. I am leaning toward performance though.
