On Wed, Aug 14, 2024 at 11:42:15AM +0200, Niels Hendriks wrote:
> Hello,
>
> We are using dnsmasq with the all-servers option enabled in order
> to prevent issues with DNS resolution when a single resolver is not
> working properly.
> We have noticed that sometimes when a single resolver is unreachable
> we still have issues with DNS resolution. It appears this is related
> to dnssec-query[DS] performed by dnsmasq:
>
> For example the following query gives us a timeout:
>
> $ dig nu.nl DS @127.0.0.1
>
> ; <<>> DiG 9.16.48-Debian <<>> nu.nl DS @127.0.0.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> In the dnsmasq logs, we see:
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1111
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1001
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8888
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8844
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
> Aug 14 11:11:23 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
> Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
> Aug 14 11:11:28 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
> Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
>
> And in a tcpdump we see the following (I have replaced source IPs with a
> dummy):
>
> 11:11:18.223473 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
> 11:11:18.223595 eth0 Out IP 1.2.3.4.53036 > 1.1.1.1.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223618 eth0 Out IP 1.2.3.4.53036 > 1.0.0.1.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223634 eth0 Out IP 1.2.3.4.53036 > 8.8.8.8.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223650 eth0 Out IP 1.2.3.4.53036 > 8.8.4.4.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223690 eth0 Out IP6 2001::100.49508 > 2606:4700:4700::1111.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223710 eth0 Out IP6 2001::100.49508 > 2606:4700:4700::1001.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223733 eth0 Out IP6 2001::100.49508 > 2001:4860:4860::8888.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223749 eth0 Out IP6 2001::100.49508 > 2001:4860:4860::8844.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.225023 eth0 In IP 8.8.8.8.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.225122 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)

I wonder where the 4797 comes from. Because I was expecting 49121.

> 11:11:18.226018 eth0 In IP6 2606:4700:4700::1001.53 > 2001::100.49508: 49121$ 0/4/1 (375)
> 11:11:18.226051 eth0 In IP 1.0.0.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.226070 eth0 In IP6 2606:4700:4700::1111.53 > 2001::100.49508: 49121$ 0/4/1 (375)
> 11:11:18.226146 eth0 In IP 1.1.1.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.228253 eth0 In IP 8.8.4.4.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.228416 eth0 In IP6 2001:4860:4860::8844.53 > 2001::100.49508: 49121$ 0/4/1 (375)
> 11:11:23.221313 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)

`dig nu.nl DS @127.0.0.1` executed again, or the original 11:11:18 dig command doing a new attempt?

> 11:11:23.221463 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
> 11:11:28.221184 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
> 11:11:28.221347 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
>
> Now, it appears that initially the query is sent out to all configured
> DNS servers.
> After that, there is a response and dnsmasq will then attempt to
> perform a `DS? nl.` query.

I doubt it is dnsmasq attempting the query.
Both the dnsmasq logging and the tcpdump tell that the request is coming from 127.0.0.1.
( There is no reason for dnsmasq to ask it to itself )

> This query is however only sent out to a
> single server (2001:4860:4860::8844). A retry is sent out twice, both
> to the same IP. Because this fails, our DNS lookup also gets a timeout.

I think we are seeing two things: a timeout and a yet unexplainable query.

> We would like for this `DS? nl.` call caused by dnssec-query[DS] to
> also utilize all configured backend servers, so the query succeeds
> instead of fails like it does now.

For what it is worth: my gut feeling says the problem description is incomplete.

> This is our dnsmasq.conf:
>
> all-servers
> clear-on-reload
> bind-interfaces
> cache-size=1500
> dnssec
> interface=lo
> max-cache-ttl=3600
> neg-ttl=20
> resolv-file=/etc/resolv.dnsmasq
> log-queries

And what is the content of /etc/resolv.dnsmasq ?

> Can my desired behaviour be achieved?
> [1]
> Thank you!

Oops

> Niels Hendriks

Groeten
Geert Stappers

Footnote [1]: The yes-no-question is left unanswered

--
Silence is hard to parse
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
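Added example, not part of the thread and not dnsmasq's own code: a small Python script that reads `log-queries` output of the shape quoted above and reports, per name, how many upstreams the client query was forwarded to, which upstream each `dnssec-query` went to, and how many `dnssec retry` lines followed it. The sample log is constructed from the excerpt in the thread. Two assumptions are labelled in the code: a `dnssec retry` line carries no name, so it is attributed to the most recent `dnssec-query` seen, and the set of "configured" upstreams is inferred from the servers that `forwarded` lines mention rather than read from `resolv-file`.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the dnsmasq log excerpt quoted in the thread.
SAMPLE_LOG = """\
Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1111
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1001
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8888
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8844
Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
Aug 14 11:11:23 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
Aug 14 11:11:28 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
"""

# syslog prefix: "Mon DD HH:MM:SS host dnsmasq[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dnsmasq\[\d+\]:\s+(?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)$")
FORWARD_RE = re.compile(r"^forwarded\s+(?P<name>\S+)\s+to\s+(?P<server>\S+)$")
DNSSEC_RE = re.compile(r"^dnssec-query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+to\s+(?P<server>\S+)$")
RETRY_RE = re.compile(r"^dnssec retry to\s+(?P<server>\S+)$")


def parse_line(line):
    """Return (timestamp, kind, fields) for a dnsmasq log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for kind, rx in (("query", QUERY_RE), ("forwarded", FORWARD_RE),
                     ("dnssec-query", DNSSEC_RE), ("dnssec-retry", RETRY_RE)):
        mm = rx.match(msg)
        if mm:
            return m.group("ts"), kind, mm.groupdict()
    return m.group("ts"), "other", {"msg": msg}


def summarize(lines):
    """Aggregate, per name, the upstreams each query was sent to and the DNSSEC retry count."""
    summary = {
        "client_queries": defaultdict(int),  # (qtype, name) -> number of client queries seen
        "forwarded": defaultdict(set),       # name -> upstream servers the query was forwarded to
        "dnssec": {},                        # (qtype, name) -> {"upstreams": set, "retries": int}
        "unparsed": 0,
    }
    last_dnssec = None  # key of the most recent dnssec-query line
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            summary["unparsed"] += 1
            continue
        _, kind, f = parsed
        if kind == "query":
            summary["client_queries"][(f["qtype"], f["name"])] += 1
        elif kind == "forwarded":
            summary["forwarded"][f["name"]].add(f["server"])
        elif kind == "dnssec-query":
            key = (f["qtype"], f["name"])
            entry = summary["dnssec"].setdefault(key, {"upstreams": set(), "retries": 0})
            entry["upstreams"].add(f["server"])
            last_dnssec = key
        elif kind == "dnssec-retry" and last_dnssec is not None:
            # Assumption: a "dnssec retry" line names no query, so it is credited
            # to the most recent dnssec-query in the log.
            entry = summary["dnssec"][last_dnssec]
            entry["retries"] += 1
            entry["upstreams"].add(f["server"])
    return summary


def findings(summary, max_retries=1):
    """Flag DNSSEC sub-queries that reached fewer upstreams than client queries were
    fanned out to, or that were retried more than max_retries times."""
    # Assumption: the upstream set is inferred from "forwarded" lines, not from resolv-file.
    configured = set().union(*summary["forwarded"].values()) if summary["forwarded"] else set()
    out = []
    for (qtype, name), entry in sorted(summary["dnssec"].items()):
        used = entry["upstreams"]
        if configured and used < configured:
            out.append(f"dnssec-query[{qtype}] {name}: sent to {len(used)} of {len(configured)} "
                       f"upstreams ({', '.join(sorted(used))})")
        if entry["retries"] > max_retries:
            out.append(f"dnssec-query[{qtype}] {name}: {entry['retries']} retries")
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for (qtype, name), n in sorted(s["client_queries"].items()):
        print(f"client query[{qtype}] {name}: seen {n} times")
    for f in findings(s):
        print(f)
```

Run against a real log with `summarize(open("/var/log/dnsmasq.log").readlines())`; the client-query counter is kept separate from the upstream view so that repeats of the same client query can be compared against the client's own retry behaviour rather than being mistaken for dnsmasq activity.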