Re: [Dnsmasq-discuss] Query on "strict-order"

[Simon Kelley]

On 23/02/2023 13:58, Gomathi Shankar P S wrote:

Hi Simon,
Thanks for the response.

We have updated resolv.dnsmasq file with couple of false nameservers 
(just to experiment) at the top. With pinging /google.com 
/, we could observe that the dnsmasq (with 
*strict-order*) is reaching out to first nameserver and then to next 
nameserver and it gives up as both nameservers failed to respond.
With the immediate ping again, dnsmasq reached to third nameserver this 
time which resolved /google.com /.
We have tested the same with *dnsmasq* *v2.86* and we could see the same 
behavior.


Could you please confirm that dnsmasq (with *strict-order*) reaches out 
only to the top two nameservers one by one and gives up if both fail to 
respond? We are expecting dnsmasq to reach all the nameservers one by 
one until it gets the response.


Unfortunately, exactly what happens depends on how the client behaves. 
The first attempt at the query by the client gets sent to the first 
server, the second attempt goes to the second server, and so on. Most 
clients give up after one retry, so only the first two servers get 
queries. If you configure your clients to make more retries you'll see 
more upstream servers get hit.


There's a fundamental limitation of the DNS UDP protocol: there's 
nothing that dnsmasq can send to the client which means "I'm still 
working, please wait". If the client doesn't see an answer during its 
timeout period, it will give up and it makes no difference if dnsmasq is 
still working down a long list of servers.


This is why strict-order is generally a bad idea: without strict order 
dnsmasq can send the query to all available servers in parallel, and it 
does much better at finding one which works.


Cheers,

Simon.



I agree that having unreliable upstream servers are not recommended but 
sometimes our nameservers fail to respond due to other issues.


Thanks
Gomathi Shankar P S


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query on "strict-order"

[Gomathi Shankar P S]

Hi Simon,
Thanks for the response.

We have updated resolv.dnsmasq file with couple of false nameservers (just
to experiment) at the top. With pinging *google.com *,
we could observe that the dnsmasq (with *strict-order*) is reaching out to
first nameserver and then to next nameserver and it gives up as both
nameservers failed to respond.
With the immediate ping again, dnsmasq reached to third nameserver this
time which resolved *google.com *.
We have tested the same with *dnsmasq* *v2.86* and we could see the same
behavior.

Could you please confirm that dnsmasq (with *strict-order*) reaches out
only to the top two nameservers one by one and gives up if both fail to
respond? We are expecting dnsmasq to reach all the nameservers one by one
until it gets the response.

I agree that having unreliable upstream servers are not recommended but
sometimes our nameservers fail to respond due to other issues.

Thanks
Gomathi Shankar P S
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query on "strict-order"

[Simon Kelley]

OK, I can belive that behaves in the way you've seen, and there's not 
way to alter that.


You should try the latest release, and also configure fast-retry, that 
might give your better behaviour. It's still the case that 
"strict-order" is not really compatible with dealing with unreliable 
upstream servers. Dnsmasq does much better at that when it can try for 
an answer from any server.


Simon.


On 22/02/2023 03:38, Gomathi Shankar P S wrote:

Hi Simon,

We are using Dnsmasq v2.83

Thanks
Gomathi Shankar P S


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query on "strict-order"

[Gomathi Shankar P S]

Hi Simon,

We are using Dnsmasq v2.83

Thanks
Gomathi Shankar P S
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] Query on "strict-order"

[Simon Kelley]

What release of dnsmasq are you using? The behaviour around SERVFAIL has 
changed several times over the years.


Simon.



On 21/02/2023 10:39, Gomathi Shankar P S wrote:

Hello,

Sorry for asking a basic question.

I was experimenting with "strict-order" and I could see that dnsmasq 
reaches out only top two nameservers in resolv.dnsmasq in the order. 
When both nameservers at top order fails with SERVFAIL , dnsmasq is 
giving up. Do we have any options to configure the number of nameservers 
it should try with "strict-order" enabled?


Appreciate your help.

Regards,
Gomathi Shankar P S

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] Query on "strict-order"

[Gomathi Shankar P S]

Hello,

Sorry for asking a basic question.

I was experimenting with "strict-order" and I could see that dnsmasq
reaches out only top two nameservers in resolv.dnsmasq in the order. When
both nameservers at top order fails with SERVFAIL , dnsmasq is giving up.
Do we have any options to configure the number of nameservers it should try
with "strict-order" enabled?

Appreciate your help.

Regards,
Gomathi Shankar P S
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss