Hello, We are using dnsmasq with the all-servers option enabled in order to prevent issues with DNS resolution when a single resolver is not working properly. We have noticed that sometimes when a single resolver is unreachable we still have issues with DNS resolution. It appears this is related to dnssec-query[DS] performed by dnsmasq:
For example, the following query gives us a timeout:

```
dig nu.nl DS @127.0.0.1

; <<>> DiG 9.16.48-Debian <<>> nu.nl DS @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached
```

In the dnsmasq logs, we see:

```
Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1111
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1001
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8888
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8844
Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
Aug 14 11:11:23 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
Aug 14 11:11:28 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
```

And in a tcpdump we see the following (I have replaced source IPs with a dummy):

```
11:11:18.223473 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
11:11:18.223595 eth0 Out IP 1.2.3.4.53036 > 1.1.1.1.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223618 eth0 Out IP 1.2.3.4.53036 > 1.0.0.1.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223634 eth0 Out IP 1.2.3.4.53036 > 8.8.8.8.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223650 eth0 Out IP 1.2.3.4.53036 > 8.8.4.4.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223690 eth0 Out IP6 2001::100.49508 > 2606:4700:4700::1111.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223710 eth0 Out IP6 2001::100.49508 > 2606:4700:4700::1001.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223733 eth0 Out IP6 2001::100.49508 > 2001:4860:4860::8888.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223749 eth0 Out IP6 2001::100.49508 > 2001:4860:4860::8844.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.225023 eth0 In IP 8.8.8.8.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.225122 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
11:11:18.226018 eth0 In IP6 2606:4700:4700::1001.53 > 2001::100.49508: 49121$ 0/4/1 (375)
11:11:18.226051 eth0 In IP 1.0.0.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.226070 eth0 In IP6 2606:4700:4700::1111.53 > 2001::100.49508: 49121$ 0/4/1 (375)
11:11:18.226146 eth0 In IP 1.1.1.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.228253 eth0 In IP 8.8.4.4.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.228416 eth0 In IP6 2001:4860:4860::8844.53 > 2001::100.49508: 49121$ 0/4/1 (375)
11:11:23.221313 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
11:11:23.221463 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
11:11:28.221184 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
11:11:28.221347 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
```

Now, it appears that initially the query is sent out to all configured DNS servers. After that, there is a response and dnsmasq will then attempt to perform a `DS? nl.` query. This query, however, is only sent out to a single server (2001:4860:4860::8844). A retry is sent out twice, both to the same IP. Because this fails, our DNS lookup also gets a timeout.

We would like for this `DS? nl.` call caused by dnssec-query[DS] to also utilize all configured backend servers, so the query succeeds instead of failing as it does now.

This is our dnsmasq.conf:

```
all-servers
clear-on-reload
bind-interfaces
cache-size=1500
dnssec
interface=lo
max-cache-ttl=3600
neg-ttl=20
resolv-file=/etc/resolv.dnsmasq
log-queries
```

Can my desired behaviour be achieved?
Thank you! Niels Hendriks
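As an added example (not part of Niels's post and not dnsmasq's own code), a small Python check that scans dnsmasq `log-queries` output of the kind quoted above and reports DNSSEC validation queries that were retried yet only ever reached one upstream, which is the pattern the post describes. It assumes the log line formats shown in the post and attributes each `dnssec retry` line to the most recent `dnssec-query` line, a heuristic, since the retry line itself does not name the query.

```python
import re

# Log lines copied from the post above (hostname and PID as they appear there).
SAMPLE_LOG = """\
Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1111
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1001
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8888
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8844
Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
Aug 14 11:11:23 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
Aug 14 11:11:28 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
"""

FORWARDED = re.compile(r"\]: forwarded (\S+) to (\S+)$")
DNSSEC_QUERY = re.compile(r"\]: dnssec-query\[(\w+)\] (\S+) to (\S+)$")
DNSSEC_RETRY = re.compile(r"\]: dnssec retry to (\S+)$")

def analyse(log_text):
    """Map (kind, name) -> {"upstreams": set of servers tried, "retries": count}."""
    records = {}
    last_dnssec = None  # key of the latest dnssec-query; retries are attributed to it (heuristic)
    for line in log_text.splitlines():
        if m := FORWARDED.search(line):
            key = ("forwarded", m.group(1))
            records.setdefault(key, {"upstreams": set(), "retries": 0})["upstreams"].add(m.group(2))
        elif m := DNSSEC_QUERY.search(line):
            key = last_dnssec = (f"dnssec-query[{m.group(1)}]", m.group(2))
            records.setdefault(key, {"upstreams": set(), "retries": 0})["upstreams"].add(m.group(3))
        elif (m := DNSSEC_RETRY.search(line)) and last_dnssec:
            records[last_dnssec]["upstreams"].add(m.group(1))
            records[last_dnssec]["retries"] += 1
    return records

def single_upstream_retries(records):
    """Names of validation queries that were retried but only ever reached one upstream."""
    return sorted(name for (kind, name), r in records.items()
                  if kind.startswith("dnssec-query") and r["retries"] and len(r["upstreams"]) == 1)

if __name__ == "__main__":
    for name in single_upstream_retries(analyse(SAMPLE_LOG)):
        print(f"DS lookup for {name!r} was retried against a single upstream only")
```

On the post's log the user query for nu.nl is seen going to all eight upstreams while the validation query for nl is flagged, which matches the tcpdump.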
_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
