On Sun 2022-02-06 18:25 Simon Kelley wrote:
> Note that we cache SRV records, so they are detected and decoded in
> extract_addresses() which is the function that calls add_to_nftset().
> I'm not sure that helps though: the result of the SRV query is
> debian.map.fastlydns.net and I can't see a mechanism to associate the
> debian.org SRV query with the subsequent A query.
So at least apt's behavior can be changed:

    man apt.conf   # searched: SRV
    # (as root) the line below will disable apt SRV lookups:
    echo 'Acquire::EnableSrvRecords "false";' > /etc/apt/apt.conf.d/00noSRVlookups

After that, allowlisting apt works fine.

...and so far, with lots more testing, it's becoming apparent that my "race condition" may be due to application caching issues. :-/

An example: systemd-timesyncd's allowlisted outbound connections would often fail because apparently systemd-timesyncd caches its IP addresses. So despite clearing/restarting nftables and dnsmasq, systemd-timesyncd would attempt its cached IP addresses and fail before trying the URL.

I resolve to reboot the system with all rules loaded and active (nftables and dnsmasq) before testing anything from now on.

It appears to be all working rather well now. :}

Closing issue. Sorry for the trouble. Thanks for all the pointers and dnsmasq!

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
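The setup the thread is debugging, written out as an added example (it is not code from the thread, from dnsmasq or from apt): a script that stages the three configuration fragments of a DNS-driven outbound allowlist, so they can be reviewed before being copied to / as root. The apt line is the one from the message above; the dnsmasq nftset= syntax and the nftables set semantics are those of dnsmasq 2.87+ and nftables. The table name (outbound), set names (allow4/allow6), upstream resolver, and the domain list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the dnsmasq-discuss thread. Stages config
# fragments for a dnsmasq + nftables outbound allowlist under a directory.
# Assumed: dnsmasq >= 2.87 (nftset= support), nftables, Debian-style
# /etc/apt/apt.conf.d. Table/set names and domains are hypothetical.
set -eu

stage_allowlist_config() {
    dest="${1:?destination directory}"
    mkdir -p "$dest/etc/apt/apt.conf.d" "$dest/etc/dnsmasq.d" "$dest/etc/nftables.d"

    # 1. apt: disable the SRV lookup (_http._tcp.deb.debian.org). The SRV
    #    target (e.g. debian.map.fastlydns.net) is a different name, so the
    #    A query for it never matches the /debian.org/ nftset entry and the
    #    mirror's address would never be added to the set.
    printf '%s\n' 'Acquire::EnableSrvRecords "false";' \
        > "$dest/etc/apt/apt.conf.d/00noSRVlookups"

    # 2. dnsmasq: every A/AAAA answer for a listed domain or subdomain is
    #    added to the named nftables set (format: [4#|6#]family#table#set).
    #    Clients must resolve through this dnsmasq; a cached or hard-coded
    #    address is never seen here and stays blocked (the timesyncd case).
    cat > "$dest/etc/dnsmasq.d/allowlist.conf" <<'EOF'
no-resolv
server=9.9.9.9
nftset=/debian.org/4#inet#outbound#allow4
nftset=/debian.org/6#inet#outbound#allow6
nftset=/ntp.org/4#inet#outbound#allow4
nftset=/ntp.org/6#inet#outbound#allow6
EOF

    # 3. nftables: default-drop egress; allow DNS so dnsmasq can populate
    #    the sets, then allow only destinations dnsmasq has added.
    cat > "$dest/etc/nftables.d/outbound.nft" <<'EOF'
table inet outbound {
    set allow4 { type ipv4_addr; }
    set allow6 { type ipv6_addr; }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        udp dport 53 accept
        tcp dport 53 accept
        ip daddr @allow4 accept
        ip6 daddr @allow6 accept
        log prefix "outbound-drop: " drop
    }
}
EOF
}

# Returns 0 if the staged apt fragment disables SRV lookups.
srv_lookups_disabled() {
    grep -q '^Acquire::EnableSrvRecords "false";$' "$1/etc/apt/apt.conf.d/00noSRVlookups"
}

# usage: sh stage-allowlist.sh /tmp/allowlist-stage
if [ $# -ge 1 ]; then
    stage_allowlist_config "$1"
fi
```

After copying the fragments into place, load the ruleset (nft -f), restart dnsmasq, and, as the message above recommends, reboot before testing so that no application is still using addresses it cached before the rules and resolver were active; the sets start empty and are only filled by DNS answers that pass through dnsmasq.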