Alberto Cuesta-Canada wrote:
Hi guys,
I saw a weird scenario in one of our dnsmasq servers yesterday. As the
logs below show, the server was all happy doing its thing, until a set
of PTR queries came from normal servers in our network. The last of it
would ask for the hostname of the dns server giving the IP, and from
that point dnsmasq would route all traffic to the parents. Restarting
the dnsmasq service would restore the server to normal operations. This
has happened 4 times in the last 10 days, always with the same pattern.

Feb 17 01:35:51 dnsmasq[28538]: query[A] grdvpm3.dselgrid.local from 172.30.158.98
Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts grdvpm3.dselgrid.local is 172.30.158.93
Feb 17 01:35:51 dnsmasq[28538]: query[PTR] 93.158.30.172.in-addr.arpa from 172.30.158.98
Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts 172.30.158.93 is grdvpm3.dselgrid.local
Feb 17 01:35:51 dnsmasq[28538]: query[A] grdvpm3.dselgrid.local from 172.30.158.98
Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts grdvpm3.dselgrid.local is 172.30.158.93
Feb 17 01:37:16 dnsmasq[28538]: query[MX] smtpmail.daiwaeurope.local from 127.0.0.1
Feb 17 01:37:16 dnsmasq[28538]: forwarded smtpmail.daiwaeurope.local to 172.30.48.192
Feb 17 01:37:16 dnsmasq[28538]: query[MX] vsmtpmail.daiwaeurope.local from 127.0.0.1
Feb 17 01:37:16 dnsmasq[28538]: forwarded vsmtpmail.daiwaeurope.local to 172.30.48.192
Feb 17 01:37:16 dnsmasq[28538]: query[A] smtpmail.daiwaeurope.local from 127.0.0.1
Feb 17 01:37:16 dnsmasq[28538]: forwarded smtpmail.daiwaeurope.local to 172.30.48.192
Feb 17 01:37:16 dnsmasq[28538]: reply smtpmail.daiwaeurope.local is <CNAME>
Feb 17 01:37:16 dnsmasq[28538]: reply vsmtpmail.daiwaeurope.local is 172.30.19.221
Feb 17 01:37:52 dnsmasq[28538]: query[PTR] 250.158.30.172.in-addr.arpa from 172.30.158.94
Feb 17 01:37:52 dnsmasq[28538]: /etc/hosts 172.30.158.250 is grdxk-mgmt1.dselgrid.local
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192

Any idea what would be going on? Is that PTR query a signal that some
other service could be asking the DNS server to stop reading the hosts file?

It's not clear to me what is going on here. How does the pattern
continue? Do you just see "forwarded query to 172.30.48.192" from now
on until the server is restarted, or do you still see "query[A]...." and
"query[PTR]...." lines?

Do queries which get pushed upstream continue to work? How about queries
which should be answered locally?

What is 172.30.158.94? Is it running anything that may generate "odd"
DNS queries? The holy grail would be to be able to prod that machine to
reproduce this at will.

What sort of machine are you running dnsmasq on? Does it have a
reasonable amount of spare storage so that you could tcpdump all traffic
to/from port 53, UDP for offline analysis?

Simon.
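
Added example, not part of the original thread: a short Python script that answers the questions in the reply above from a dnsmasq query log, by locating the first "forwarded query to" line, reporting the last client query before it, and counting which kinds of lines appear afterwards. The sample is a subset of the log lines quoted in the post, rejoined onto single lines; the function names and category labels are this example's own.

```python
import re
from collections import Counter

# Sample input: a subset of the log lines quoted in the post, one event per line.
SAMPLE = """\
Feb 17 01:35:51 dnsmasq[28538]: query[A] grdvpm3.dselgrid.local from 172.30.158.98
Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts grdvpm3.dselgrid.local is 172.30.158.93
Feb 17 01:37:16 dnsmasq[28538]: query[MX] smtpmail.daiwaeurope.local from 127.0.0.1
Feb 17 01:37:16 dnsmasq[28538]: forwarded smtpmail.daiwaeurope.local to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: query[PTR] 250.158.30.172.in-addr.arpa from 172.30.158.94
Feb 17 01:37:52 dnsmasq[28538]: /etc/hosts 172.30.158.250 is grdxk-mgmt1.dselgrid.local
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) dnsmasq\[\d+\]: (.*)$")
QUERY = re.compile(r"^query\[(\w+)\] (\S+) from (\S+)$")

def classify(msg):
    """Map one dnsmasq log message to a category (labels are this example's own)."""
    if QUERY.match(msg):
        return "query"
    if msg.startswith("/etc/hosts "):
        return "hosts"            # answered locally from the hosts file
    if msg.startswith("forwarded query to "):
        return "unnamed_forward"  # sent upstream with no name logged
    if msg.startswith("forwarded "):
        return "forward"
    if msg.startswith("reply "):
        return "reply"
    return "other"

def analyse(text):
    """Find the first unnamed forward and summarise what is logged from there on."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((m.group(1), classify(m.group(2)), m.group(2)))
    idx = next((i for i, e in enumerate(events) if e[1] == "unnamed_forward"), None)
    if idx is None:
        return None
    # Last client query before the change: (type, name, source address).
    prior = next((e[2] for e in reversed(events[:idx]) if e[1] == "query"), None)
    return {
        "transition_time": events[idx][0],
        "last_query": QUERY.match(prior).groups() if prior else None,
        "after": dict(Counter(e[1] for e in events[idx:])),
    }
```

Run over the full log up to the restart, an "after" count with no "query" or "hosts" entries means only forwards were logged after the change, while non-zero counts mean local answers continued alongside them.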