On 28/09/17 17:35, Jeff wrote:
> I have a server my.natted.server NAT'ed behind a public firewall, with
> config lines for both of my upstream ISP nameservers:
> server=<ip address for ns01.my-isp.com>
> server=<ip address for ns02.my-isp.com>
> 
> I chose to use both ISP nameservers for redundancy, but this is not a
> requirement.
> 
> I see dnsmasq query either upstream server, without issue. Here are 2
> successful examples:
> 
> successful example:
> 15:41:50.958340 IP my.natted.server.54406 > ns01.my-isp.com.domain:
> 21145+ A? www.apple.com. (31)
> 15:41:50.987324 IP ns01.my-isp.com.domain > my.natted.server.54406:
> 21145 4/0/0 CNAME www.apple.com.edgekey.net., CNAME
> www.apple.com.edgekey.net.globalredir.akadns.net., CNAME
> e6858.dsce9.akamaiedge.net., A 23.36.67.187 (182)
> 
> successful example:
> 15:44:04.098088 IP my.natted.server.41451 > ns02.my-isp.com.domain:
> 30158+ A? www.apple.com. (31)
> 15:44:04.125471 IP ns02.my-isp.com.domain > my.natted.server.41451:
> 30158 4/0/0 CNAME www.apple.com.edgekey.net., CNAME
> www.apple.com.edgekey.net.globalredir.akadns.net., CNAME
> e6858.dsce9.akamaiedge.net., A 23.222.204.41 (182)
> 
> Occasionally I see a failure where dnsmasq sends out queries to both
> upstream ISP nameservers, instructing each to reply to the same port.
> The first one to reply "wins" and the 2nd to reply elicits an ICMP
> "port unreachable". Here are 2 failure examples:
> 
> failure example:
> 15:36:49.835378 IP my.natted.server.17990 > ns01.my-isp.com.domain:
> 65330+ A? ns01.my-isp.com. (35)
> 15:36:49.835391 IP my.natted.server.17990 > ns02.my-isp.com.domain:
> 65330+ A? ns01.my-isp.com. (35)
> 15:36:49.863241 IP ns02.my-isp.com.domain > my.natted.server.17990:
> 65330 1/0/0 A 71.10.216.1 (51)
> 15:36:49.867784 IP ns01.my-isp.com.domain > my.natted.server.17990:
> 65330 1/0/0 A 71.10.216.1 (51)
> 15:36:49.867804 IP my.natted.server > ns01.my-isp.com: ICMP
> my.natted.server udp port 17990 unreachable, length 87
> 
> failure example:
> 15:37:32.910884 IP my.natted.server.48523 > ns01.my-isp.com.domain:
> 51470+ A? ns02.my-isp.com. (35)
> 15:37:32.910915 IP my.natted.server.48523 > ns02.my-isp.com.domain:
> 51470+ A? ns02.my-isp.com. (35)
> 15:37:32.938315 IP ns01.my-isp.com.domain > my.natted.server.48523:
> 51470 1/0/0 A 71.10.216.2 (51)
> 15:37:32.942897 IP ns02.my-isp.com.domain > my.natted.server.48523:
> 51470 1/0/0 A 71.10.216.2 (51)
> 15:37:32.942930 IP my.natted.server > ns02.my-isp.com: ICMP
> my.natted.server udp port 48523 unreachable, length 87
> 
> Question:
> Is this an issue with:
> 1) My dnsmasq configuration?
> 2) dnsmasq?
> 3) my NAT'ing firewall?
> 
> Question:
> For the failure examples above, is the DNS client successfully
> resolving the query?
> (implies the ICMP responses can be safely ignored)

Yes. Every so often, dnsmasq sends the query to both servers, to see
which one is fastest (that server then becomes preferred until it's time
to run the race again). Once the first server replies, dnsmasq sends
the reply back to the original requestor, and closes the port it was
listening on. When the second, slow, server's reply arrives, it gets
ICMP port unreachable because the port is already closed.

It's nothing to do with NAT, and it's not a problem.


Cheers,

Simon.

> 
> I am running dnsmasq-2.66 on CentOS-7 Linux.
> 
> TIA,
> Jeff
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 

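The race Simon describes leaves a recognisable fingerprint in a capture: one transaction ID sent from one source port to two upstreams, two answers, and an ICMP port unreachable aimed at whichever upstream answered second. The following script is an added example, not code from the thread or from dnsmasq, that parses tcpdump-style lines and classifies each ICMP port unreachable as either a benign race loser or an unexplained event worth a closer look. The hostnames, addresses and capture lines are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample capture in tcpdump's one-line DNS/ICMP format (not the
# list post's own lines). It holds one normal lookup, one raced lookup with
# its late-reply ICMP, and one ICMP that no raced query explains.
SAMPLE = """\
15:36:49.835378 IP resolver.example.17990 > ns01.example.domain: 65330+ A? ns01.example. (35)
15:36:49.835391 IP resolver.example.17990 > ns02.example.domain: 65330+ A? ns01.example. (35)
15:36:49.863241 IP ns02.example.domain > resolver.example.17990: 65330 1/0/0 A 192.0.2.1 (51)
15:36:49.867784 IP ns01.example.domain > resolver.example.17990: 65330 1/0/0 A 192.0.2.1 (51)
15:36:49.867804 IP resolver.example > ns01.example: ICMP resolver.example udp port 17990 unreachable, length 87
15:41:50.958340 IP resolver.example.54406 > ns01.example.domain: 21145+ A? www.example.com. (31)
15:41:50.987324 IP ns01.example.domain > resolver.example.54406: 21145 1/0/0 A 192.0.2.10 (47)
15:50:00.000000 IP resolver.example > 203.0.113.9: ICMP resolver.example udp port 40000 unreachable, length 87
"""

# Outbound query: "<ts> IP <src>.<sport> > <upstream>.domain: <txid>+ A? <name> (<len>)"
QUERY = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.domain: (\d+)\+? (\S+\?) (\S+) ")
# Inbound reply: "<ts> IP <upstream>.domain > <src>.<sport>: <txid> <an>/<ns>/<ar> ..."
REPLY = re.compile(r"^(\S+) IP (\S+)\.domain > (\S+)\.(\d+): (\d+) ")
# ICMP sent by the resolver host back to an upstream for a closed UDP port.
ICMP = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")

Key = Tuple[str, str]  # (source port, transaction id) identifies one lookup


def index_capture(capture: str):
    """Group queries and replies by (source port, txid); keep ICMP events in order."""
    asked: Dict[Key, Set[str]] = defaultdict(set)    # upstreams a lookup was sent to
    answered: Dict[Key, List[str]] = defaultdict(list)  # upstreams that replied, in order
    icmp: List[Tuple[str, str, str]] = []             # (timestamp, peer, port)
    for line in capture.splitlines():
        if m := QUERY.match(line):
            _, _, sport, upstream, txid, _, _ = m.groups()
            asked[(sport, txid)].add(upstream)
        elif m := REPLY.match(line):
            _, upstream, _, sport, txid = m.groups()
            answered[(sport, txid)].append(upstream)
        elif m := ICMP.match(line):
            ts, _, peer, port = m.groups()
            icmp.append((ts, peer, port))
    return asked, answered, icmp


def races(capture: str) -> Dict[str, str]:
    """Map each raced txid (sent to 2+ upstreams) to the upstream that answered first."""
    asked, answered, _ = index_capture(capture)
    return {txid: answered[key][0]
            for key, upstreams in asked.items()
            if len(upstreams) >= 2 and answered.get(key)
            for txid in [key[1]]}


def classify_icmp(capture: str) -> List[Dict[str, str]]:
    """Label each ICMP port unreachable as a benign race loser or as unexplained."""
    asked, answered, icmp = index_capture(capture)
    verdicts = []
    for ts, peer, port in icmp:
        verdict = "unexplained"
        for (sport, txid), upstreams in asked.items():
            if sport != port or len(upstreams) < 2:
                continue  # not this port, or the lookup was never raced
            replies = answered.get((sport, txid), [])
            # Benign only if the ICMP target is a *late* responder to a raced query.
            if len(replies) >= 2 and peer in replies[1:]:
                verdict = f"benign: late reply to raced txid {txid}, won by {replies[0]}"
                break
        verdicts.append({"time": ts, "peer": peer, "port": port, "verdict": verdict})
    return verdicts


if __name__ == "__main__":
    for event in classify_icmp(SAMPLE):
        print(f"{event['time']} port {event['port']} from {event['peer']}: {event['verdict']}")
    print("race winners:", races(SAMPLE))
```

Feeding real `tcpdump -n port 53 or icmp` output into `classify_icmp` turns a noisy stream of "port unreachable" firewall log entries into two buckets: the expected by-product of dnsmasq's fastest-server race, and the remainder that actually deserves investigation (an unexpected peer, or a port no raced query ever used). The ICMP itself carries no security signal either way, and a NAT in the path does not change the pattern.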