On Mon, Sep 20, 2021 at 11:16:09PM +0100, Simon Kelley wrote: > On 20/09/2021 20:49, Johannes Stezenbach wrote: > > > > after recent update to 2.86 on Debian sid I'm seeing > > failures in name resolution. I think the issue is that > > my Wifi connection is currently flaky (another problem > > to solve...) and the DNS reply gets lost. After that > > dnsmasq reports REFUSED, e.g.: > > > > Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 query[A] m.heise.de from > > 127.0.0.1 > > Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 forwarded m.heise.de to > > 192.168.178.1 > > Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 query[AAAA] m.heise.de > > from 127.0.0.1 > > Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 forwarded m.heise.de to > > 192.168.178.1 > > Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 query[A] m.heise.de from > > 127.0.0.1 > > Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 config error is REFUSED > > Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 query[AAAA] m.heise.de > > from 127.0.0.1 > > Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 config error is REFUSED > > > > Some time later: > > > > Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 query[A] m.heise.de > > from 127.0.0.1 > > Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 forwarded m.heise.de to > > 192.168.178.1 > > Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 query[AAAA] m.heise.de > > from 127.0.0.1 > > Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 forwarded m.heise.de to > > 192.168.178.1 > > Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 reply m.heise.de is > > 193.99.144.88 > > Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 reply m.heise.de is > > 2a02:2e0:3fe:1001:7777:772e:0:88 > > > > > > Shouldn't dnsmasq retry the query? > > Dnsmasq relies on the client to do retries.
As you can see the client retried (numer 57 and 58), but dnsmasq REFUSED instead of forwarding. > Please could you post you configuration? I think the only way to get > > config error is REFUSED > > logged is to the new --connmark-allowlist feature. Are you using that? /etc/dnsmasq.conf is Debian's default (identical to dnsmasq.conf.example from git). There are small additions in /etc/dnsmasq.d: address=/double-click.net/127.0.0.1 address=/google-analyticts.com/127.0.0.1 strict-order ## this is needed for work VPN bogus-nxdomain=80.156.86.78 bogus-nxdomain=62.157.140.133 bogus-nxdomain=62.138.239.45 bogus-nxdomain=62.138.238.45 Also I'm using resolvconf. Thanks, Johannes _______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
