Todo #8411

dnsmasq configuration needs changes for 2.79

Added by Jim Pingle almost 2 years ago. Updated over 1 year ago.

DNS Forwarder
Looks like host overrides might need some adjustments with dnsmasq 2.79. It is not in builds yet but once master switches to the new quarterly branch it will be there.

From the Change Log

Always return a SERVFAIL answer to DNS queries without the
recursion desired bit set, UNLESS acting as an authoritative
DNS server. This avoids a potential route to cache snooping.

And from FreeBSD-ports UPDATING:

AFFECTS: users of dns/dnsmasq

Note that with dnsmasq 2.79, some parts of the interface have changed in an
incompatible way versus previous versions. This comprises changed recursion
behaviour, signature support, a change for SIGINT (vs. SIGHUP) behaviour.

Note especially that dnsmasq will no longer answer non-recursive queries
unless it is marked authoritative! Be sure to see the manual page for the
various --auth-* options, such as --auth-zone.

Please see the CHANGELOG that ships with dnsmasq for details.
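
The changelog rule quoted above can be checked mechanically. The following is an added example, not part of the original ticket or of pfSense or dnsmasq code: it builds a DNS query with the recursion desired (RD) bit clear and classifies a reply against the 2.79 rule. The function names, the name `host.example.test`, and the replies are constructed for illustration, and nothing is sent on the network.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, rd, qid=0x1234, qtype=1):
    """Encode a one-question DNS query; rd sets or clears the RD flag."""
    flags = 0x0100 if rd else 0x0000  # RD is bit 8 of the header flags word
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "rcode": flags & 0x000F, "ancount": an}

def classify(query, response):
    """Compare a reply with the 2.79 changelog rule for RD=0 queries."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "not a matching response"
    if q["rd"]:
        return "recursive query: rule does not apply"
    if r["aa"]:
        return "authoritative answer: allowed"
    if r["rcode"] == 2:
        return "SERVFAIL: matches 2.79 behaviour"
    name = RCODES.get(r["rcode"], str(r["rcode"]))
    return "answered RD=0 query (%s): pre-2.79 behaviour" % name

def fake_response(query, flags):
    """Constructed header-only reply: echoes id and question, sets flags."""
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("host.example.test", rd=False)
    # Constructed flag words: QR+RA+SERVFAIL, QR+RA+NOERROR, QR+AA+NOERROR
    for flags in (0x8082, 0x8080, 0x8400):
        print(hex(flags), "->", classify(q, fake_response(q, flags)))
```

To run the same check live, send the bytes from `build_query(..., rd=False)` to your own forwarder over UDP port 53 and pass the reply to `classify`.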


#1 Updated by Jim Pingle over 1 year ago

  • Status changed from New to Feedback

Existing behavior in the DNS Forwarder all appears to function as expected. Could use some additional confirmation but I don't think there is anything that needs adjusting based on how this is used in pfSense in a recursive resolver mode, even with host overrides.

#2 Updated by James Dekker over 1 year ago

On 2.4.4.a.20180705.0032 the host override resolves successfully, but the domain override does not.

#3 Updated by Jim Pingle over 1 year ago

I can't replicate any problem here. Domain overrides work on the latest snapshot, no changes made. Queries are forwarded to the specified upstream server and the client receives the response.

#4 Updated by Jim Pingle over 1 year ago

  • Status changed from Feedback to Resolved

Confirmed working now.
