Thank you for this suggestion. I missed this note in the documentation.
Placing my domain in the Local Server section does prevent the DNS query[type=65] from resolving upstream. However, it responds with NODATA rather than an actual IP address. Unfortunately, I think this brings me to my initial problem where a NODATA response may return to the iOS device "first". Right now everything has been resolving properly so it is hard to test if this condition will ever be reached. Please correct me if I am wrong about this.
For reference, here are the dnsmasq logs I see now that I have added a Local Server entry.
Fri Jan 26 03:20:51 2024 daemon.info dnsmasq[1]: 1253 192.168.1.241/61654 query[A] sub.mydomain.com from 192.168.1.241
Fri Jan 26 03:20:51 2024 daemon.info dnsmasq[1]: 1253 192.168.1.241/61654 config sub.mydomain.com is 192.168.69.69
Fri Jan 26 03:20:51 2024 daemon.info dnsmasq[1]: 1254 192.168.1.241/59707 query[AAAA] sub.mydomain.com from 192.168.1.241
Fri Jan 26 03:20:51 2024 daemon.info dnsmasq[1]: 1254 192.168.1.241/59707 config sub.mydomain.com is fd17:b6b2:88cd::42b
Fri Jan 26 03:20:51 2024 daemon.info dnsmasq[1]: 1255 192.168.1.241/56265 query[type=65] sub.mydomain.com from 192.168.1.241
Fri Jan 26 03:20:51 2024 daemon.info dnsmasq[1]: 1255 192.168.1.241/56265 config sub.mydomain.com is NODATA
Yes, I know exactly what you mean. I had the same issue with Apple devices until I found this solution.
I'm not sure why Dnsmasq 2.86+ decided not to respect the address forward for all types of queries and not just for A and AAAA. Perhaps this wouldn't be an issue if Apple devices sent standard DNS queries and not type 65 randomly.
Anyway, this local server workaround seems to solve it and there doesn't seem to be any issues with failed queries. They revert to the A reply immediately.
Some good news and update regarding the TYPE=65 [HTTPS] DNS queries.
According to the latest changelog of Dnsmasq, in version 2.90 there is a new option added called --filter-rr
If it's implemented in a future release of OpenWrt, we might be able to add this line: filter-rr=ANY
in /etc/dnsmasq.conf (or preferably an option in luci if available) and it will filter out any DNS types from the replies except for A, AAAA, MX and CNAME.
This should finally solve the issue if it works properly.
There seems to be a pull request already, but it needs to be approved by 6 reviewers. You can check it here: Adding Dnsmasq 2.90 - #2 by egc
I would be happy to see this approved for the next release, or even as an update package that would be available in Luci > System > Software (opkg) if possible.
I'm happy to say that the Dnsmasq 2.90 update was approved and it's now available on OpenWrt 23.05.2 through Luci > System > Software > Updates as well!
Hello @GetVladimir - yes, 2.90 landed, and if I do say so, relatively quickly. Most of the devs know what dnsmasq is and generally understand it.
The PR I added for DNS-RR is still hanging out on github.
For those of you with a GH account, you can head over and approve it ( files changed -> review changes -> approve ), to show your support for the feature.
How long that will take - who knows. But once the feature is in, it will arrive relatively quickly in master, and maybe 23.
In the meantime, to make your instructions easier:
-7, --conf-dir=<directory>[,<file-extension>......],
Read all the files in the given directory as configuration files. If extension(s) are given, any files which end in those extensions are skipped. Any files whose names end in ~ or start with . or start and end with # are always skipped. If the extension starts with * then only files which have that extension are loaded. So --conf-dir=/path/to/dir,*.conf loads all files with the suffix .conf in /path/to/dir. This flag may be given on the command line or in a configuration file. If giving it on the command line, be sure to escape * characters. Files are loaded in alphabetical order of filename.
This option in openwrt is confdir. Which defaults to "/tmp/dnsmasq.d" - so what you can do is make a new file e.g. dnsrr.conf with the options you wrote above, and put that either in "/tmp/dnsmasq.d" (lost at reboot) or elsewhere on your file-system, so no matter what you do, that is always included in your config.
You might want to check what happens to your config file when you restart dnsmasq with /etc/init.d/dnsmasq restart.
I've used the one in /etc/dnsmasq.conf in the guide above because it's already there and seems to survive a reboot, but your suggestion to create a new directory specific for this, perhaps in /etc/config/dnsmasq-custom-config/ would be an even better solution.
Regarding the dns-rr, I thought that feature was already added in OpenWrt with the previous versions of Dnsmasq. Now it makes sense why it didn't work for the people that used it in the first comments of this post. I've reviewed the 2 files in the PR that you've linked and I've approved them.
If filter-rr=HTTPS fixes the iOS client issue, isn't that a much safer 'default' fix to recommend than filter-rr=ANY? Blocking everything other than A, AAAA, MX and CNAME records might have a lot of unforeseen consequences.
E.g. may break email security features SPF/DMARC/DKIM (relies on TXT records), certificate renewal (relies on CAA records), SIP/VoIP (relies on SRV records), autodiscover (relies on TXT records), etc.
Yes, for the HTTPS (TYPE65) DNS queries specifically, that would be the better default fix.
For the other amplification DNS vulnerability issues, it might need the ANY to be effective against.
Regarding the email clients, that's a good point. Does the email service provider usually check for the SPF/DMARC/DKIM or the end-user's client app? If it's the service provider, then it might not be an issue
If you use webbased email (Gmail, Outlook, etc) or simple POP3 with a local client (Outlook, Thunderbird) it's not an issue. But that's kinda the point... You don't know what you'll break because many of this DNS stuff happens below the surface.
@GetVladimirit's ready for testing. Grab the init file and replace your /etc/init.d/dnsmasq. See commit example config for your filters. Leave instance empty to apply to the default dnsmasq.
This is great, thank you so much for creating this!
Just to be clear that I'm making everything correctly:
Login to OpenWrt via SSH and replace the existing /etc/init.d/dnsmasq file with the dnsmasq.init raw file from the commit (I've compared the file with the existing one and see the changes, so it does seem like it would work as a replacement)
After replacing the init file, I should use this configuration for example:
uci set dhcp.@dnsmasq[0].rr_csv='AAAA,HTTPS,65'
uci commit dhcp
/etc/init.d/dnsmasq restart
That would be an extra few commits. Possible. But PR 'subjects' tend to be one thing only. But the absolutely glacial pace that things get merged at, it's a good idea to try.
I re-used the machinery for various other types of records for filter-rr, and didn't put the filters into the main dnsmasq[0] entry. The way I did it means it can apply globally, to all dnsmasq instances, but in a GUI it would probably fit better under each dnsmasq entry anyway (in which case this code and PR will change)...
I distinctly remember asking the RFC authors early in the spec creation about having HTTP in there. No was the answer (but not because they did not want to).
Edit: it's unclear whether you meant HTTP or HTTPS without TLS (in which case, yes, it should work?)