Disable DNS Recursion after AA Answer #31223

@js290

Description

Component

systemd-resolved

Is your feature request related to a problem? Please describe

Resolved (253 on Ubuntu Server 23.10) seems to continue DNS recursion after responding with an authoritative answer, i.e. a DNS blacklist is configured in /etc/hosts:

0.0.0.0 blocked.example.com

which resolved correctly uses, but then after its AA answer, it recurses for further answers:

# host -v blocked.example.com
Trying "blocked.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16257
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blocked.example.com.		IN	A

Received 35 bytes from 127.0.0.53#53 in 0 ms
Trying "blocked.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59254
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blocked.example.com.		IN	AAAA

Received 35 bytes from 127.0.0.53#53 in 0 ms
Trying "blocked.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42496
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;blocked.example.com.		IN	MX

;; ANSWER SECTION:
blocked.example.com.	3600	IN	CNAME	blocked.example.bogus.

;; AUTHORITY SECTION:
example.bogus.		30	IN	SOA	ns1.example.bogus. hostmaster.example.bogus. 2017052201 3600 600 604800 30

Received 130 bytes from 127.0.0.53#53 in 123 ms

Describe the solution you'd like

resolved should not perform DNS recursion after returning an authoritative answer, e.g.

Received 35 bytes from 127.0.0.53#53 in 0 ms
Trying "blocked.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42496
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;blocked.example.com.		IN	MX

;; ANSWER SECTION:
blocked.example.com.	3600	IN	CNAME	blocked.example.bogus.

;; AUTHORITY SECTION:
example.bogus.		30	IN	SOA	ns1.example.bogus. hostmaster.example.bogus. 2017052201 3600 600 604800 30

Received 130 bytes from 127.0.0.53#53 in 123 ms

Describe alternatives you've considered

dnsmasq does not behave this way. Once it returns an authoritative answer, recursion stops. Related to #18783?

The systemd version you checked that didn't have the feature you are asking for

253
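The transcript above shows the practical consequence of an /etc/hosts blocklist under this behaviour: the A and AAAA queries are answered locally (flags carry `aa`, zero answers), but the MX query for the same name is forwarded upstream and comes back non-authoritative with a CNAME, so the "blocked" name still reaches the upstream resolver. The following script is an added example (not part of the issue or of systemd) that parses `host -v` output of exactly this shape and flags any name that received an authoritative empty answer for one record type and a forwarded, non-authoritative answer for another. The embedded transcript is constructed from the output quoted in the issue; the function and class names are the example's own.

```python
# Added example: detect queries that leak past a hosts-file block in a
# `host -v` transcript. Not systemd code; names here are the example's own.
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the shape of the issue's output: A and AAAA
# are answered authoritatively and empty (the /etc/hosts 0.0.0.0 entry), then
# MX is forwarded upstream and returns a CNAME without the aa flag.
SAMPLE = """\
Trying "blocked.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16257
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blocked.example.com.\t\tIN\tA

Received 35 bytes from 127.0.0.53#53 in 0 ms
Trying "blocked.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59254
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;blocked.example.com.\t\tIN\tAAAA

Received 35 bytes from 127.0.0.53#53 in 0 ms
Trying "blocked.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42496
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;blocked.example.com.\t\tIN\tMX

;; ANSWER SECTION:
blocked.example.com.\t3600\tIN\tCNAME\tblocked.example.bogus.

;; AUTHORITY SECTION:
example.bogus.\t\t30\tIN\tSOA\tns1.example.bogus. hostmaster.example.bogus. 2017052201 3600 600 604800 30

Received 130 bytes from 127.0.0.53#53 in 123 ms
"""


@dataclass
class Response:
    """One query/response pair from the transcript."""
    qname: str
    qtype: str
    flags: set
    answers: list = field(default_factory=list)    # (owner, ttl, type, rdata)
    authority: list = field(default_factory=list)
    server: str = ""

    @property
    def authoritative(self) -> bool:
        return "aa" in self.flags


FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
RECV_RE = re.compile(r"^Received \d+ bytes from (\S+) in")


def parse_host_verbose(text: str) -> list:
    """Split a `host -v` transcript into one Response per 'Trying' block."""
    responses, cur, section = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Trying "):
            cur = Response(qname="", qtype="", flags=set())
            responses.append(cur)
            section = None
        elif cur is None:
            continue
        elif m := FLAGS_RE.match(line):
            cur.flags = set(m.group(1).split())
        elif line.startswith(";; QUESTION SECTION"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION"):
            section = "answer"
        elif line.startswith(";; AUTHORITY SECTION"):
            section = "authority"
        elif m := RECV_RE.match(line):
            cur.server = m.group(1)
        elif section == "question" and (m := QUESTION_RE.match(line)):
            cur.qname, cur.qtype = m.group(1), m.group(2)
        elif section in ("answer", "authority") and (m := RR_RE.match(line)):
            owner, ttl, rtype, rdata = m.groups()
            rr = (owner, int(ttl), rtype, rdata)
            (cur.answers if section == "answer" else cur.authority).append(rr)
    return responses


def find_leaks(responses: list) -> list:
    """Names answered authoritatively and empty (a hosts-file block) for one
    type, but non-authoritatively (forwarded upstream) for another type."""
    blocked = {r.qname for r in responses if r.authoritative and not r.answers}
    return [(r.qname, r.qtype, r.answers)
            for r in responses if r.qname in blocked and not r.authoritative]


if __name__ == "__main__":
    for name, qtype, answers in find_leaks(parse_host_verbose(SAMPLE)):
        print(f"LEAK: {name} {qtype} forwarded upstream; answers={answers}")
```

To check a live stub resolver, pipe real output in (`host -v blocked.example.com | python3 leakcheck.py`, reading `sys.stdin` instead of `SAMPLE`); any `LEAK:` line means the hosts entry shaped only some record types and the name was still sent to the upstream server.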

Labels: RFE (Request for Enhancement, i.e. a feature request), resolve