In digging into the source, it looks like loop detect was purposefully coded to only detect loops on upstream servers and not any servers that are for a specific domain.  I'm curious why that is, and would it be acceptable to remove the SERV_HAS_DOMAIN in the relevant sections of *src/loop.c*?

Line 33:

    /* Loop through all upstream servers not for particular domains,
       and send a query to that server which is
       identifiable, via the uid. If we see that query back again,
       then the server is looping, and we should not use it. */
    for (serv = daemon->servers; serv; serv = serv->next)
      if (!(serv->flags &
            (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
             SERV_NO_REBIND | *SERV_HAS_DOMAIN* | SERV_FOR_NODOTS | SERV_LOOP)))

Line 106:

    for (serv = daemon->servers; serv; serv = serv->next)
      if (!(serv->flags &
            (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
             SERV_NO_REBIND | *SERV_HAS_DOMAIN* | SERV_FOR_NODOTS | SERV_LOOP)) &&
          uid == serv->uid)

Thanks,

Jon

On 10/16/2019 10:23 AM, Jonathan Knoll wrote:

Hey all,

Hopefully I am just misconfiguring something, but when I try to test out the dns-loop-detect feature and configure two instances of dnsmasq to forward to each other, a loop is formed but is never stopped.

Steps to reproduce:
Prerequisites:
   * Two VM based servers on the same network
   * Both running dnsmasq as a container using the host network.
   * Each has a configuration line to forward "my.fun.domain" to the other
Procedure:
   * Run the two containers with the described configuration WITHOUT the dns-loop-detect flag.
     The following startup logs were observed:
         dnsmasq[10]: started, version 2.80 cachesize 150
         dnsmasq[10]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
         dnsmasq[10]: using nameserver <other server IP>#53 for domain my.fun.domain
         dnsmasq[10]: cleared cache
   * From one of the servers, query using nslookup:
     "nslookup some.my.fun.domain 127.0.0.1"
   * Observe both servers forward to each other repeatedly and immediately reach the connection limit.
     Truncated logs from one server:
           dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
           dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
           parsed: ['query[A]', 'some.my.fun.domain', 'from', '10.19.166.12']
           dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
           dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
           dnsmasq[9]: Maximum number of concurrent DNS queries reached (max: 150)
     Logs from the other server are identical but instead have the opposite server's IP address.
  -----
   * Stop the two containers, and run again WITH the dns-loop-detect flag in the configuration
     The same exact startup logs are observed as before.
   * Perform the same nslookup query from one of the servers
     "nslookup some.my.fun.domain 127.0.0.1"
   * Observe both servers show the exact same behavior as before.
   The configuration used:
       ```
       no-resolv
       no-hosts
       dns-loop-detect
       server=/my.fun.domain/<IP of other server>#53
       user=root
       conf-dir=/etc/dnsmasq.d
       ```

Any suggestions?

Thanks,
Jon
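The symptom in the report above, two dnsmasq instances bouncing the same domain-specific query back and forth until the concurrent-query limit is hit, is visible in the logs before any resolver-side loop detection fires. As an added example (not dnsmasq's own code, and not the uid-probe mechanism from src/loop.c that Jon describes), the script below reads dnsmasq `log-queries` output and flags a name for which a query arrives from a peer that the server itself forwarded that name to. The log lines are constructed to match the shape of the ones quoted in the report; the `127.0.0.1` originating client, the `192.0.2.53` upstream and the `www.example.com` name are assumptions for contrast.

```python
"""Flag a DNS forwarding loop from dnsmasq log-queries output.

Added example, not part of dnsmasq. It detects the pattern from the
mailing-list report: the server forwards NAME to peer P, then receives a
fresh query for NAME *from* P, over and over, until the "Maximum number of
concurrent DNS queries reached" line appears.
"""
import re
from collections import defaultdict

# Line shapes as dnsmasq logs them with log-queries enabled (see the report).
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")
FORWARD_RE = re.compile(r"forwarded\s+(?P<name>\S+)\s+to\s+(?P<dst>\S+)")
LIMIT_RE = re.compile(r"Maximum number of concurrent DNS queries reached")


def parse_line(line):
    """Return ("query", name, source_ip), ("forwarded", name, dest_ip),
    ("limit", None, None) or None for lines we do not care about."""
    m = QUERY_RE.search(line)
    if m:
        return ("query", m.group("name"), m.group("src"))
    m = FORWARD_RE.search(line)
    if m:
        return ("forwarded", m.group("name"), m.group("dst"))
    if LIMIT_RE.search(line):
        return ("limit", None, None)
    return None


def detect_loops(lines, threshold=2):
    """Return (loops, limit_hit).

    loops maps NAME -> {peer_ip: bounce_count} for every name that came back
    as a query from a peer we had already forwarded that name to, at least
    `threshold` times. limit_hit is True if the concurrent-query limit line
    was seen, which is the end state described in the report."""
    forwarded_to = defaultdict(set)                 # name -> peers we forwarded it to
    bounces = defaultdict(lambda: defaultdict(int))  # name -> peer -> count
    limit_hit = False
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind, name, peer = ev
        if kind == "forwarded":
            forwarded_to[name].add(peer)
        elif kind == "query" and peer in forwarded_to[name]:
            # A query for NAME arriving from the very server we sent NAME to.
            bounces[name][peer] += 1
        elif kind == "limit":
            limit_hit = True
    loops = {}
    for name, peers in bounces.items():
        hot = {p: c for p, c in peers.items() if c >= threshold}
        if hot:
            loops[name] = hot
    return loops, limit_hit


# Constructed sample, modelled on the truncated logs in the report: the
# first query comes from the local nslookup, every later one from the peer.
SAMPLE_LOG = [
    "dnsmasq[9]: query[A] some.my.fun.domain from 127.0.0.1",
    "dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12",
    "dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12",
    "dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12",
    "dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12",
    "dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12",
    "dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12",
    "dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12",
    "dnsmasq[9]: query[A] www.example.com from 127.0.0.1",   # assumed, no loop
    "dnsmasq[9]: forwarded www.example.com to 192.0.2.53",   # assumed upstream
    "dnsmasq[9]: Maximum number of concurrent DNS queries reached (max: 150)",
]

if __name__ == "__main__":
    found, limit = detect_loops(SAMPLE_LOG)
    for name, peers in found.items():
        for peer, count in peers.items():
            print(f"forwarding loop: {name} bounced {count}x via {peer}")
    if limit:
        print("concurrent query limit reached while looping")
```

Run it against a real log by feeding `open(path)` to `detect_loops` instead of `SAMPLE_LOG`. The check keys on the pair (name, peer) rather than on raw query volume, so a busy but healthy forwarder does not trip it; only a query returning from its own forwarding target does. Since, on Jon's reading of src/loop.c, the built-in probe skips servers carrying SERV_HAS_DOMAIN, a per-domain `server=/my.fun.domain/...` pair like the one in the report is exactly the case where an external check of this kind earns its keep.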


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.thekelleys.org.uk_mailman_listinfo_dnsmasq-2Ddiscuss&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=p0-OZ-Makpysak8_95uldC4NnpiabeIz_6fATzQwXi8&m=OMQ4X-iUReOJ_tBBMvbO6bq15DXB4IjyZ45RIEVigt4&s=Rur3NBhXRlZUdF5pLkTrUf2G3izQsaCnIO67kKfLPhU&e=