On 05/02/2022 23:16, Alain Ducharme wrote:
> Another problem appears to be software like apt doing SRV queries,
> effectively resolving CNAMEs themselves. Can't see a fix for that...
>
> $ apt uddate
> Err:1 http://deb.debian.org/debian bullseye InRelease
>   Could not connect to debian.map.fastlydns.net:80 (151.101.126.132). - connect (111: Connection refused) Unable to connect to deb.debian.org:http:
> Err:2 http://deb.debian.org/debian bullseye-updates InRelease
>   Unable to connect to deb.debian.org:http:
>
> ...because query #3 is not in my nftset:
>
> Feb 5 17:29:07 dnsmasq[8068]: 1 127.0.0.1/41766 query[SRV] _http._tcp.security.debian.org from 127.0.0.1
> Feb 5 17:29:07 dnsmasq[8068]: 1 127.0.0.1/41766 forwarded _http._tcp.security.debian.org to 192.168.1.1
> Feb 5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 query[SRV] _http._tcp.deb.debian.org from 127.0.0.1
> Feb 5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 forwarded _http._tcp.deb.debian.org to 192.168.1.1
> Feb 5 17:29:07 dnsmasq[8068]: 1 127.0.0.1/41766 reply _http._tcp.security.debian.org is <SRV>
> Feb 5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 query[A] debian.map.fastlydns.net from 127.0.0.1
> Feb 5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 forwarded debian.map.fastlydns.net to 192.168.1.1
> Feb 5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 reply _http._tcp.deb.debian.org is <SRV>
> Feb 5 17:29:07 dnsmasq[8068]: 4 127.0.0.1/52591 query[A] debian.map.fastlydns.net from 127.0.0.1
> Feb 5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 reply debian.map.fastlydns.net is 151.101.126.132
> Feb 5 17:29:07 dnsmasq[8068]: 4 127.0.0.1/52591 reply query is duplicate
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 query[A] security.debian.org from 127.0.0.1
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 forwarded security.debian.org to 192.168.1.1
> Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 query[A] deb.debian.org from 127.0.0.1
> Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 forwarded deb.debian.org to 192.168.1.1
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter _apt_4 151.101.130.132 security.debian.org
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 151.101.130.132
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter _apt_4 151.101.194.132 security.debian.org
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 151.101.194.132
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter _apt_4 151.101.2.132 security.debian.org
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 151.101.2.132
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 nftset add 4 inet filter _apt_4 151.101.66.132 security.debian.org
> Feb 5 17:29:07 dnsmasq[8068]: 5 127.0.0.1/37265 reply security.debian.org is 151.101.66.132
> Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply deb.debian.org is <CNAME>
> Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 nftset add 4 inet filter _apt_4 151.101.126.132 deb.debian.org
> Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply debian.map.fastlydns.net is 151.101.126.132
Note that we cache SRV records, so they are detected and decoded in extract_addresses() which is the function that calls add_to_nftset(). I'm not sure that helps though: the result of the SRV query is debian.map.fastlydns.net and I can't see a mechanism to associate the debian.org SRV query with the subsequent A query.
Cheers, Simon.
> Thanks for your time, much appreciated!

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
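An added example, not part of the original messages and not dnsmasq code: a small audit of a dnsmasq query log in the format quoted above. It groups lines by query serial and client, then reports names whose address answers were returned without an `nftset add` under that same query. The function names are hypothetical, and the sample lines are excerpted from the log in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: lines for queries 2, 3 and 6, excerpted from the log in the post.
SAMPLE_LOG = """\
Feb 5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 query[SRV] _http._tcp.deb.debian.org from 127.0.0.1
Feb 5 17:29:07 dnsmasq[8068]: 2 127.0.0.1/60606 reply _http._tcp.deb.debian.org is <SRV>
Feb 5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 query[A] debian.map.fastlydns.net from 127.0.0.1
Feb 5 17:29:07 dnsmasq[8068]: 3 127.0.0.1/49100 reply debian.map.fastlydns.net is 151.101.126.132
Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 query[A] deb.debian.org from 127.0.0.1
Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply deb.debian.org is <CNAME>
Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 nftset add 4 inet filter _apt_4 151.101.126.132 deb.debian.org
Feb 5 17:29:07 dnsmasq[8068]: 6 127.0.0.1/58615 reply debian.map.fastlydns.net is 151.101.126.132
"""

# serial, client/port, action, remainder (other actions such as "forwarded" are skipped)
LINE = re.compile(r"dnsmasq\[\d+\]: (\d+) (\S+) (query\[\w+\]|reply|nftset add) (.+)")

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def unmatched_answers(log_text):
    """Return [(queried name, [addresses])] answered with no nftset add in that query."""
    qname, answered, added = {}, defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, action, rest = (m.group(1), m.group(2)), m.group(3), m.group(4).split()
        if action.startswith("query"):
            qname[key] = rest[0]                # name the client actually asked for
        elif action == "reply" and is_ip(rest[-1]):
            answered[key].add(rest[-1])         # "<name> is <address>"
        elif action == "nftset add" and len(rest) >= 2 and is_ip(rest[-2]):
            added[key].add(rest[-2])            # "... <set> <address> <name>"
    return [(qname.get(k, "?"), sorted(v - added[k]))
            for k, v in answered.items() if v - added[k]]

if __name__ == "__main__":
    for name, addrs in unmatched_answers(SAMPLE_LOG):
        print(f"{name}: answered {', '.join(addrs)} without an nftset add")
```

On the sample it reports only the query for debian.map.fastlydns.net, the name taken from the SRV reply rather than from the nftset configuration. The same address can still enter the set under another query, as it does here for deb.debian.org.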