Closed passibe15 closed 8 months ago
Thanks for the request. It's strange that they are responding with RCODE=Refused instead of RCODE=NotImplemented which would have got detected and the DNS server would follow up with AXFR request. I will get a check added for RCODE=Refused too and make it retry with AXFR. This should fix the issue you have without need for any configuration.
Perfect, thank you!
Sorry to reopen this, but I have investigated further and dnsmasq seems to simply forward the IXFR to the upstream server and that is the one that replies with RCODE=Refused (dnscrypt-proxy in my case).
I simply tested with dig ixfr=0 <zone> @<dnsmasq-ip>
and got this in the dnsmasq log:
forwarded <zone> to <upstream-ip>#53
reply error is REFUSED
Your solution is still valid, of course, I just wanted to let you know that dnsmasq itself isn't responsible for returning RCODE=Refused, but seems to simply forward any not-implemented query types.
Oh. That's really concerning considering that IXFR is like a 28-year-old standard. I would suggest that you use a proper DNS server since dnsmasq is really just a stub resolver.
Technitium DNS Server v12.1 is now available that fixes this issue. Do update and let me know your feedback.
Would it be possible to add an option to disable making IXFR requests for secondary zones?
For some zones, I am using dnsmasq as the primary server (not ideal, but that's life) and it doesn't support IXFR, thus the log sometimes reports "DNS Server received a zone transfer response (RCODE=Refused) for '<zone>' secondary zone from: <dnsmasq-ip>". It would be nice if I could simply set a toggle in this zone's options to disable IXFR/only use AXFR.

Thanks in advance!
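
The fallback discussed in this thread (treat RCODE=Refused like RCODE=NotImplemented on an IXFR and retry with AXFR), written out as an added example; it is not Technitium DNS Server's code, and the function names and returned action strings are hypothetical. The sample responses are constructed header-only messages.

```python
import struct

QTYPE_IXFR, QTYPE_AXFR = 251, 252
RCODE_NOERROR, RCODE_NOTIMP, RCODE_REFUSED = 0, 4, 5

# Assumed policy, taken from the thread: either of these answers to an
# IXFR means "primary cannot do incremental transfer, ask for a full one".
IXFR_FALLBACK_RCODES = {RCODE_NOTIMP, RCODE_REFUSED}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (ID, flags, four counts)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "rcode": flags & 0x000F,      # low 4 bits of the flags word
        "ancount": an,
    }


def next_transfer_step(query_id: int, qtype: int, response: bytes) -> str:
    """Decide what a secondary does with a zone transfer response."""
    hdr = parse_header(response)
    # Not a response, or not the answer to our query: ignore it.
    if not hdr["qr"] or hdr["id"] != query_id:
        return "discard"
    if hdr["rcode"] == RCODE_NOERROR:
        return "process"
    # Fall back only from IXFR. A refused AXFR is a real failure, which
    # also keeps the retry from looping.
    if qtype == QTYPE_IXFR and hdr["rcode"] in IXFR_FALLBACK_RCODES:
        return "retry-axfr"
    return "fail"


def build_response(txid: int, rcode: int) -> bytes:
    """Constructed sample: header-only response with the given RCODE."""
    return struct.pack("!6H", txid, 0x8000 | (rcode & 0xF), 0, 0, 0, 0)


if __name__ == "__main__":
    refused = build_response(0x1234, RCODE_REFUSED)
    print(next_transfer_step(0x1234, QTYPE_IXFR, refused))  # retry-axfr
    print(next_transfer_step(0x1234, QTYPE_AXFR, refused))  # fail
```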