Hi,

We use dnsmasq as a DNS filter in a chain of forwarders (multiple bind servers forward to dnsmasq which in turn forwards to a bind (cache) server which forwards to multiple TSIG enabled DNS servers on the internet).
The bind servers report 'bad cookies' and/or 'missing cookies' from time to time. This can happen due to an optimization in dnsmasq to reuse the same forwarder for multiple sources. These sources all have a unique client cookie, which is forwarded as-is by dnsmasq to the bind cache server, which responds with a server cookie that is passed back to the originating server. However, due to the reuse of the forwarder, the one-to-one relationship between client and (cache) server is lost, which may result in a cookie incorrectly passed to an origin server (the client cookie, as part of the DNS cookie, originated from another client server).

One (work-around) solution to this problem is to avoid the optimization in dnsmasq (reuse). We used 'add-subnet=1,1' as a workaround, so that queries are treated as "not cacheable", avoiding the above. A better solution to this problem is for dnsmasq to not forward the DNS client cookie altogether, so that the bind cache server never returns a DNS cookie and the problem disappears. We achieved this by patching dnsmasq in the 'add_edns0_config' function, removing the EDNS0_OPTION_COOKIE option, if any.

These solutions avoid the "bad cookie", but not yet the "missing cookies". For this we added support for DNS cookies in dnsmasq for local and forwarded queries for both UDP and TCP protocols, as described in RFC 7873 and RFC 9018 - see https://github.com/axsguard/dnsmasq/tree/support_dns_cookies. We are currently running this version in the described scenario without issues. There are still some things missing, for which we may need some input/advice:

* Bad cookie retry in TCP mode when UDP retry failed
* Regularly changing the server and/or client secrets (e.g. once a month/year)

We would like to request more reviews/comments/suggestions and some plan forward to have this included on master. If not, to at least consider the change to 'add_edns0_config' so as to remove any cookie from forwarded queries.
# dnsmasq --version
Dnsmasq version 2.91test1  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n IDN2 no-DHCP no-scripts no-TFTP no-conntrack ipset no-nftset no-auth no-cryptohash no-DNSSEC Cookie no-loop-detect inotify no-dumpfile

# dig thekelleys.org.uk
;; BADCOOKIE, retrying.

; <<>> DiG 9.18.15 <<>> thekelleys.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64892
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0298755806e389e70100000065f2f100a7431d9cc031584a (good)
;; QUESTION SECTION:
;thekelleys.org.uk.		IN	A

;; ANSWER SECTION:
thekelleys.org.uk.	900	IN	A	85.119.82.65

;; Query time: 39 msec
;; SERVER: 192.168.10.2#53(192.168.10.2) (UDP)
;; WHEN: Thu Mar 14 13:43:44 CET 2024
;; MSG SIZE rcvd: 90

# dig +cookie=0298755806e389e70100000065f2f100a7431d9cc031584a thekelleys.org.uk

; <<>> DiG 9.18.15 <<>> +cookie thekelleys.org.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36828
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0298755806e389e70100000065f2f100a7431d9cc031584a (good)
;; QUESTION SECTION:
;thekelleys.org.uk.		IN	A

;; ANSWER SECTION:
thekelleys.org.uk.	859	IN	A	85.119.82.65

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2) (UDP)
;; WHEN: Thu Mar 14 13:44:25 CET 2024
;; MSG SIZE rcvd: 90

# dig +cookie=0298755806e389e70100000065f2f100a7431d9cc031584a thekelleys.org.uk @127.0.0.2
;; BADCOOKIE, retrying.

; <<>> DiG 9.18.15 <<>> +cookie thekelleys.org.uk @127.0.0.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37824
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0298755806e389e70100000065f2f13eee4760ca63aa7570 (good)
;; QUESTION SECTION:
;thekelleys.org.uk.		IN	A

;; ANSWER SECTION:
thekelleys.org.uk.	838	IN	A	85.119.82.65

;; Query time: 0 msec
;; SERVER: 127.0.0.2#53(127.0.0.2) (UDP)
;; WHEN: Thu Mar 14 13:44:46 CET 2024
;; MSG SIZE rcvd: 90

Regards,
Tijs Van Buggenhout
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
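The following is an added example written for this page; it is not code from dnsmasq, BIND or the poster's support_dns_cookies branch. It implements the RFC 7873/9018 cookie arithmetic the thread relies on (SipHash-2-4, the version-1 server cookie layout, the timestamp window), decodes the cookie printed in the dig output above into its fields, replays the forwarder-reuse failure the poster describes (origin B ends up holding a cookie whose client half belongs to origin A), and strips the COOKIE option from OPT RDATA, which is the effect of the add_edns0_config change. The cache secret, the second client cookie and the forwarder address 192.168.10.2 are assumptions; the real secret behind the hash in the dig output is unknown, so that hash is only parsed, never recomputed. The SipHash routine is checked against the two reference test vectors (key 00..0f, empty and 15-byte messages).

```python
import struct
from datetime import datetime, timezone

MASK64 = (1 << 64) - 1
EDNS_OPT_COOKIE = 10  # EDNS0 option code assigned to COOKIE by RFC 7873


def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64


def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13); v1 ^= v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16); v3 ^= v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21); v3 ^= v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17); v1 ^= v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3


def siphash24(key, data):
    """SipHash-2-4, 16-byte key, 8-byte little-endian tag (the hash RFC 9018 mandates)."""
    k0, k1 = struct.unpack("<QQ", key)
    v0, v1, v2, v3 = (0x736F6D6570736575 ^ k0, 0x646F72616E646F6D ^ k1,
                      0x6C7967656E657261 ^ k0, 0x7465646279746573 ^ k1)
    full = len(data) - len(data) % 8
    for i in range(0, full, 8):
        m, = struct.unpack_from("<Q", data, i)
        v3 ^= m
        for _ in range(2):
            v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
        v0 ^= m
    last = (len(data) & 0xFF) << 56          # final word: length byte plus tail bytes
    for i, byte in enumerate(data[full:]):
        last |= byte << (8 * i)
    v3 ^= last
    for _ in range(2):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    v0 ^= last
    v2 ^= 0xFF
    for _ in range(4):
        v0, v1, v2, v3 = _sipround(v0, v1, v2, v3)
    return struct.pack("<Q", v0 ^ v1 ^ v2 ^ v3)


def make_server_cookie(secret, client_cookie, client_ip, now):
    """RFC 9018 version-1 server cookie: 01 | 000000 | timestamp | SipHash-2-4(...).
    The hash covers the client cookie, the fixed fields and the client's IP address,
    which binds the server cookie to exactly one client cookie and one source."""
    fixed = b"\x01\x00\x00\x00" + struct.pack(">I", now & 0xFFFFFFFF)
    return fixed + siphash24(secret, client_cookie + fixed + client_ip)


def check_cookie(secret, cookie, client_ip, now):
    """Classify a received COOKIE option value: 'missing' (client cookie only, the
    server must issue one), 'bad' (wrong length, version or hash), 'stale' (timestamp
    outside the 1 h past / 5 min future window of RFC 9018 Sec. 4.3) or 'good'."""
    if len(cookie) == 8:
        return "missing"
    if len(cookie) != 24 or cookie[8] != 1:
        return "bad"
    client_cookie, server_cookie = cookie[:8], cookie[8:]
    if siphash24(secret, client_cookie + server_cookie[:8] + client_ip) != server_cookie[8:]:
        return "bad"
    ts, = struct.unpack(">I", server_cookie[4:8])
    age = ((now - ts + (1 << 31)) % (1 << 32)) - (1 << 31)   # serial-number arithmetic
    return "good" if -300 <= age <= 3600 else "stale"


def decode_cookie(hex_cookie):
    """Split a 24-byte cookie as dig prints it into its RFC 9018 fields."""
    raw = bytes.fromhex(hex_cookie)
    ts, = struct.unpack(">I", raw[12:16])
    return {"client": raw[:8].hex(), "version": raw[8], "timestamp": ts,
            "utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "hash": raw[16:].hex()}


def forwarder_reuse_scenario():
    """Origins A and B ask the same question through one forwarder F. F sends one
    upstream query (carrying A's client cookie) and copies the single reply to both.
    The cache's server cookie is bound to A's client cookie and F's address, so B
    receives a cookie whose client half is not its own. Secret, B's cookie and the
    forwarder address are made up for this illustration."""
    secret = bytes(range(16))
    cookie_a, cookie_b = bytes.fromhex("0298755806e389e7"), b"\x11" * 8
    f_ip, now = bytes([192, 168, 10, 2]), 1710420224
    reply = cookie_a + make_server_cookie(secret, cookie_a, f_ip, now)
    # Each origin first compares the client half of the reply with the one it sent.
    return {"A": "good" if reply[:8] == cookie_a else "bad",
            "B": "good" if reply[:8] == cookie_b else "bad"}


def strip_cookie_option(opt_rdata):
    """Remove the COOKIE option from OPT RDATA (a sequence of code|length|data
    entries), keeping every other option, so an upstream cache is never asked for
    a server cookie. Illustrates the effect the poster describes, not dnsmasq's code."""
    kept, i = bytearray(), 0
    while i + 4 <= len(opt_rdata):
        code, length = struct.unpack_from(">HH", opt_rdata, i)
        if code != EDNS_OPT_COOKIE:
            kept += opt_rdata[i:i + 4 + length]
        i += 4 + length
    return bytes(kept)


if __name__ == "__main__":
    print(decode_cookie("0298755806e389e70100000065f2f100a7431d9cc031584a"))
    print(forwarder_reuse_scenario())
```

Decoding the cookie from the first dig run gives version 1 and timestamp 0x65f2f100, i.e. 2024-03-14 12:43:44 UTC, which matches the CET timestamp dig printed. The third dig run in the post is the other binding in action: the same cookie presented from 127.0.0.2 instead of 192.168.10.2 is rejected with BADCOOKIE and a fresh server cookie (timestamp 0x65f2f13e) is issued, which is what check_cookie returns "bad" for when the client address changes.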