Re: [Dnsmasq-discuss] Format Errors using add-subnet

Albert,

First let me be clear - I don't believe this is a DNSMasq issue since I can reproduce it with dig. I was just hoping with all the DNS experts on this forum that someone would have seen this issue with the Windows Server and give me some pointers on possible solutions.

Second, here is an example trace of the error.

No.  Time      Source         Destination    Protocol  Length  Info
1    0.00      172.19.9.210   65.153.116.46  DNS       97      Standard query 0x7613 A www.google.com OPT

Frame 1: 97 bytes on wire (776 bits), 97 bytes captured (776 bits)
Ethernet II, Src: Shuttle_97:5f:7c (80:ee:73:97:5f:7c), Dst: JuniperN_b1:4a:e0 (0c:86:10:b1:4a:e0)
Internet Protocol Version 4, Src: 172.19.9.210, Dst: 65.153.116.46
User Datagram Protocol, Src Port: 54012, Dst Port: 53
Domain Name System (query)
    [Response In: 2]
    Transaction ID: 0x7613
    Flags: 0x0120 Standard query
        0... = Response: Message is a query
        .000 0... = Opcode: Standard query (0)
        ..0. = Truncated: Message is not truncated
        ...1 = Recursion desired: Do query recursively
        .0.. = Z: reserved (0)
        ..1. = AD bit: Set
        ...0 = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.google.com: type A, class IN
            Name: www.google.com
            [Name Length: 14]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        : type OPT
            Name:
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x
                0... = DO bit: Cannot handle DNSSEC security RRs
                .000 = Reserved: 0x
            Data length: 12
            Option: CSUBNET - Client subnet
                Option Code: CSUBNET - Client subnet (8)
                Option Length: 8
                Option Data: 00012000ac1309d2
                Family: IPv4 (1)
                Source Netmask: 32
                Scope Netmask: 0
                Client Subnet: 172.19.9.210

No.  Time      Source         Destination    Protocol  Length  Info
2    0.025748  65.153.116.46  172.19.9.210   DNS       97      Standard query response 0x7613 Format error A www.google.com OPT

Frame 2: 97 bytes on wire (776 bits), 97 bytes captured (776 bits)
Ethernet II, Src: JuniperN_b1:4a:e0 (0c:86:10:b1:4a:e0), Dst: Shuttle_97:5f:7c (80:ee:73:97:5f:7c)
Internet Protocol Version 4, Src: 65.153.116.46, Dst: 172.19.9.210
User Datagram Protocol, Src Port: 53, Dst Port: 54012
Domain Name System (response)
    [Request In: 1]
    [Time: 0.025748000 seconds]
    Transaction ID: 0x7613
    Flags: 0x8101 Standard query response, Format error
        1... = Response: Message is a response
        .000 0... = Opcode: Standard query (0)
        .0.. = Authoritative: Server is not an authority for domain
        ..0. = Truncated: Message is not truncated
        ...1 = Recursion desired: Do query recursively
        0... = Recursion available: Server can't do recursive queries
        .0.. = Z: reserved (0)
        ..0. = Answer authenticated: Answer/authority portion was not authenticated by the server
        ...0 = Non-authenticated data: Unacceptable
        0001 = Reply code: Format error (1)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.google.com: type A, class IN
            Name: www.google.com
            [Name Length: 14]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        : type OPT
            Name:
            Type: OPT (41)
            UDP payload size: 4096
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x
                0... = DO bit: Cannot handle DNSSEC security RRs
                .000 = Reserved: 0x
            Data length: 12
            Option: CSUBNET - Client subnet
                Option Code: CSUBNET - Client subnet (8)
                Option Length: 8
                Option Data: 00012000ac1309d2
                Family: IPv4 (1)
                Source Netmask: 32
                Scope Netmask: 0
                Client Subnet: 172.19.9.210

From: Albert ARIBAUD
Sent: Wednesday, December 7, 2016 6:20:32 AM
To: Scott Bonar
Cc: dnsmasq-discuss@lists.thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Format Errors
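A decoder for the Client Subnet option in the capture above, added here as an example (it is not code from the thread or from dnsmasq): it reads the option the way Wireshark dissects it and applies the RFC 7871 length and prefix rules, which is the first thing to check before blaming an upstream for the FORMERR. The option bytes are reconstructed from the trace (Option Code 8, Option Length 8, Option Data 00012000ac1309d2).

```python
"""Decode and validate an EDNS Client Subnet option (RFC 7871)."""
import ipaddress
import struct

ECS_OPTION_CODE = 8          # CSUBNET in the Wireshark trace
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def parse_ecs_option(data: bytes) -> dict:
    """Decode one option (OPTION-CODE, OPTION-LENGTH, payload) from OPT RDATA.

    Raises ValueError for anything RFC 7871 does not allow, i.e. the kind of
    defect that would justify a FORMERR from a strict server.
    """
    if len(data) < 4:
        raise ValueError("option header truncated")
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    payload = data[4:4 + length]
    if len(payload) != length or length < 4:
        raise ValueError("bad OPTION-LENGTH")
    family, source, scope = struct.unpack("!HBB", payload[:4])
    addr_bytes = payload[4:]
    if family == FAMILY_IPV4:
        max_bits, addr_len, cls = 32, 4, ipaddress.IPv4Address
    elif family == FAMILY_IPV6:
        max_bits, addr_len, cls = 128, 16, ipaddress.IPv6Address
    else:
        raise ValueError(f"unknown address family {family}")
    if source > max_bits or scope > max_bits:
        raise ValueError("prefix length exceeds address size")
    # The ADDRESS field carries exactly ceil(SOURCE PREFIX-LENGTH / 8) octets
    if len(addr_bytes) != (source + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    value = int.from_bytes(addr_bytes.ljust(addr_len, b"\x00"), "big")
    # Bits beyond the prefix must be zero; a sender must not leak host bits
    if value & ((1 << (max_bits - source)) - 1):
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return {"family": family, "source": source, "scope": scope,
            "subnet": f"{cls(value)}/{source}"}


def ecs_is_well_formed(data: bytes) -> bool:
    """True when parse_ecs_option accepts the bytes, False on any ValueError."""
    try:
        parse_ecs_option(data)
        return True
    except ValueError:
        return False


# Option bytes as shown in the capture: Option Code 8, Option Length 8, then
# Option Data 00012000ac1309d2 (Family 1, Source /32, Scope /0, 172.19.9.210)
CAPTURED_ECS = bytes.fromhex("0008" "0008" "00012000ac1309d2")

if __name__ == "__main__":
    print(parse_ecs_option(CAPTURED_ECS))
```

The captured option passes every structural check here, so whatever the Windows servers object to, it is not a malformed ECS option by the RFC's own rules.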
Re: [Dnsmasq-discuss] listen-backlog option to override default (too small) value
Of course patch is tested ;-) Some output: % ./src/dnsmasq --port 1025 --listen-backlog 100 % ss -ntl sport = :1025 Recv-Q Send-Q Local Address:Port Peer Address:Port 0 100 :::1025 :::* 0 100 *:1025 On Wed, Dec 7, 2016 at 3:28 PM, Albert ARIBAUDwrote: > Hi Donatas, > > Le Wed, 7 Dec 2016 14:43:22 +0200 > Donatas Abraitis a écrit: > > > Hi folks, > > > > for our case at Hostinger, we have a problem while too much > > TcpListenOverflows: > > [root@us-imm-dns1 ~]# nstat -az | grep TcpExtListenOverflows > > TcpExtListenOverflows 2990.0 > > [root@us-imm-dns1 ~]# ss -ntl sport = :53 > > State Recv-Q Send-Q > > Local > > Address:Port > > Peer Address:Port LISTEN 0 > > 5 > > *:53 > > *:* > > LISTEN 0 > > 5 > > :::53 > > :::* > > > > probe kernel.function("tcp_check_req") > > { > > tcphdr = __get_skb_tcphdr($skb); > > dport = __tcp_skb_dport(tcphdr) > > if ($sk->sk_ack_backlog > $sk->sk_max_ack_backlog) > > printf("listen queue for port(%d): %d/%d\n", > > dport, > > $sk->sk_ack_backlog, > > $sk->sk_max_ack_backlog); > > } > > > > [root@us-imm-dns1 ~]# staprun overflow.ko > > listen queue for port(53): 13/5 > > listen queue for port(53): 13/5 > > listen queue for port(53): 14/5 > > > > here is the proposed patch: > > > > commit fa610cd424b905720832afc8636373bb132f49c1 > > Author: Donatas Abraitis > > Date: Sun Dec 9 09:58:51 2012 +0200 > > > > Add `listen-backlog` option to override default 5 (too small) > > > > diff --git a/src/dnsmasq.h b/src/dnsmasq.h > > index 4b55bb5..b717df3 100644 > > --- a/src/dnsmasq.h > > +++ b/src/dnsmasq.h > > @@ -980,6 +980,7 @@ extern struct daemon { > >struct dhcp_netid_list *force_broadcast, *bootp_dynamic; > >struct hostsfile *dhcp_hosts_file, *dhcp_opts_file, *dynamic_dirs; > >int dhcp_max, tftp_max, tftp_mtu; > > + int listen_backlog; > >int dhcp_server_port, dhcp_client_port; > >int start_tftp_port, end_tftp_port; > >unsigned int min_leasetime; > > diff --git a/src/network.c b/src/network.c > > index d87d08f..1e9d188 100644 
> > --- a/src/network.c > > +++ b/src/network.c > > @@ -746,7 +746,7 @@ static int make_sock(union mysockaddr *addr, int > > type, int dienow) > > > >if (type == SOCK_STREAM) > > { > > - if (listen(fd, 5) == -1) > > + if (listen(fd, daemon->listen_backlog) == -1) > > goto err; > > } > >else if (family == AF_INET) > > diff --git a/src/option.c b/src/option.c > > index d0d9509..220303e 100644 > > --- a/src/option.c > > +++ b/src/option.c > > @@ -159,6 +159,7 @@ struct myoption { > > #define LOPT_SCRIPT_ARP347 > > #define LOPT_DHCPTTL 348 > > #define LOPT_TFTP_MTU 349 > > +#define LOPT_BACKLOG 350 > > > > #ifdef HAVE_GETOPT_LONG > > static const struct option opts[] = > > @@ -190,6 +191,7 @@ static const struct myoption opts[] = > > { "domain-suffix", 1, 0, 's' }, > > { "interface", 1, 0, 'i' }, > > { "listen-address", 1, 0, 'a' }, > > +{ "listen-backlog", 1, 0, LOPT_BACKLOG }, > > { "local-service", 0, 0, LOPT_LOCAL_SERVICE }, > > { "bogus-priv", 0, 0, 'b' }, > > { "bogus-nxdomain", 1, 0, 'B' }, > > @@ -394,6 +396,7 @@ static struct { > >{ 't', ARG_ONE, "", gettext_noop("Specify default > > target in an MX record."), NULL }, > >{ 'T', ARG_ONE, "", gettext_noop("Specify time-to-live in > > seconds for replies from /etc/hosts."), NULL }, > >{ LOPT_NEGTTL, ARG_ONE, "", gettext_noop("Specify > > time-to-live in seconds for negative caching."), NULL }, > > + { LOPT_BACKLOG, ARG_ONE, "", gettext_noop("Set the backlog > > queue limit."), NULL }, > >{ LOPT_MAXTTL, ARG_ONE, "", gettext_noop("Specify > > time-to-live in seconds for maximum TTL to send to clients."), NULL }, > >{ LOPT_MAXCTTL, ARG_ONE, "", gettext_noop("Specify > > time-to-live ceiling for cache."), NULL }, > >{ LOPT_MINCTTL, ARG_ONE, "", gettext_noop("Specify > > time-to-live floor for cache."), NULL }, 
> > @@ -2286,7 +2289,11 @@ static int one_opt(int option, char *arg, char > > *errstr, char *gen_err, int comma > > ret_err(gen_err); /* error */ > > break; > >} > > - > > + > > +case LOPT_BACKLOG: /* --listen-backlog */ > > + if (!atoi_check(arg, >listen_backlog)) > > +ret_err(gen_err); > > + break; > > case 'a': /* --listen-address */ > > case LOPT_AUTHPEER: /* --auth-peer */ > >do { > > @@ -4517,6 +4524,7 @@ void read_opts(int argc, char **argv, char > > *compile_opts) > >daemon->cachesize = CACHESIZ; > >daemon->ftabsize = FTABSIZ; > >daemon->port = NAMESERVER_PORT; > > + daemon->listen_backlog = 5; > >daemon->dhcp_client_port = DHCP_CLIENT_PORT; > >daemon->dhcp_server_port = DHCP_SERVER_PORT; > >
Re: [Dnsmasq-discuss] listen-backlog option to override default (too small) value
Hi Donatas, Le Wed, 7 Dec 2016 14:43:22 +0200 Donatas Abraitisa écrit: > Hi folks, > > for our case at Hostinger, we have a problem while too much > TcpListenOverflows: > [root@us-imm-dns1 ~]# nstat -az | grep TcpExtListenOverflows > TcpExtListenOverflows 2990.0 > [root@us-imm-dns1 ~]# ss -ntl sport = :53 > State Recv-Q Send-Q > Local > Address:Port > Peer Address:Port LISTEN 0 > 5 > *:53 > *:* > LISTEN 0 > 5 > :::53 > :::* > > probe kernel.function("tcp_check_req") > { > tcphdr = __get_skb_tcphdr($skb); > dport = __tcp_skb_dport(tcphdr) > if ($sk->sk_ack_backlog > $sk->sk_max_ack_backlog) > printf("listen queue for port(%d): %d/%d\n", > dport, > $sk->sk_ack_backlog, > $sk->sk_max_ack_backlog); > } > > [root@us-imm-dns1 ~]# staprun overflow.ko > listen queue for port(53): 13/5 > listen queue for port(53): 13/5 > listen queue for port(53): 14/5 > > here is the proposed patch: > > commit fa610cd424b905720832afc8636373bb132f49c1 > Author: Donatas Abraitis > Date: Sun Dec 9 09:58:51 2012 +0200 > > Add `listen-backlog` option to override default 5 (too small) > > diff --git a/src/dnsmasq.h b/src/dnsmasq.h > index 4b55bb5..b717df3 100644 > --- a/src/dnsmasq.h > +++ b/src/dnsmasq.h > @@ -980,6 +980,7 @@ extern struct daemon { >struct dhcp_netid_list *force_broadcast, *bootp_dynamic; >struct hostsfile *dhcp_hosts_file, *dhcp_opts_file, *dynamic_dirs; >int dhcp_max, tftp_max, tftp_mtu; > + int listen_backlog; >int dhcp_server_port, dhcp_client_port; >int start_tftp_port, end_tftp_port; >unsigned int min_leasetime; > diff --git a/src/network.c b/src/network.c > index d87d08f..1e9d188 100644 > --- a/src/network.c > +++ b/src/network.c > @@ -746,7 +746,7 @@ static int make_sock(union mysockaddr *addr, int > type, int dienow) > >if (type == SOCK_STREAM) > { > - if (listen(fd, 5) == -1) > + if (listen(fd, daemon->listen_backlog) == -1) > goto err; > } >else if (family == AF_INET) > diff --git a/src/option.c b/src/option.c > index d0d9509..220303e 100644 > --- a/src/option.c 
> +++ b/src/option.c > @@ -159,6 +159,7 @@ struct myoption { > #define LOPT_SCRIPT_ARP347 > #define LOPT_DHCPTTL 348 > #define LOPT_TFTP_MTU 349 > +#define LOPT_BACKLOG 350 > > #ifdef HAVE_GETOPT_LONG > static const struct option opts[] = > @@ -190,6 +191,7 @@ static const struct myoption opts[] = > { "domain-suffix", 1, 0, 's' }, > { "interface", 1, 0, 'i' }, > { "listen-address", 1, 0, 'a' }, > +{ "listen-backlog", 1, 0, LOPT_BACKLOG }, > { "local-service", 0, 0, LOPT_LOCAL_SERVICE }, > { "bogus-priv", 0, 0, 'b' }, > { "bogus-nxdomain", 1, 0, 'B' }, > @@ -394,6 +396,7 @@ static struct { >{ 't', ARG_ONE, "", gettext_noop("Specify default > target in an MX record."), NULL }, >{ 'T', ARG_ONE, "", gettext_noop("Specify time-to-live in > seconds for replies from /etc/hosts."), NULL }, >{ LOPT_NEGTTL, ARG_ONE, "", gettext_noop("Specify > time-to-live in seconds for negative caching."), NULL }, > + { LOPT_BACKLOG, ARG_ONE, "", gettext_noop("Set the backlog > queue limit."), NULL }, >{ LOPT_MAXTTL, ARG_ONE, "", gettext_noop("Specify > time-to-live in seconds for maximum TTL to send to clients."), NULL }, >{ LOPT_MAXCTTL, ARG_ONE, "", gettext_noop("Specify > time-to-live ceiling for cache."), NULL }, >{ LOPT_MINCTTL, ARG_ONE, "", gettext_noop("Specify > time-to-live floor for cache."), NULL }, > @@ -2286,7 +2289,11 @@ static int one_opt(int option, char *arg, char > *errstr, char *gen_err, int comma > ret_err(gen_err); /* error */ > break; >} > - > + > +case LOPT_BACKLOG: /* --listen-backlog */ > + if (!atoi_check(arg, >listen_backlog)) > +ret_err(gen_err); > + break; > case 'a': /* --listen-address */ > case LOPT_AUTHPEER: /* --auth-peer */ >do { 
> @@ -4517,6 +4524,7 @@ void read_opts(int argc, char **argv, char > *compile_opts) >daemon->cachesize = CACHESIZ; >daemon->ftabsize = FTABSIZ; >daemon->port = NAMESERVER_PORT; > + daemon->listen_backlog = 5; >daemon->dhcp_client_port = DHCP_CLIENT_PORT; >daemon->dhcp_server_port = DHCP_SERVER_PORT; >daemon->default_resolv.is_default = 1; I am not qualified to determine if your patch is the right solution to your problem, but FWIW, I find this patch clear enough and I assume you have tested it :) and that it actually solves the issue for you. The only two remarks I have are: - it would be nice to also add a description for the option and its rationale to the manpage; - is there a way for dnsmasq to detect excessive backlog and emit a diagnostic message pointing the operator to the existence and use of the listen-backlog
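Albert's question about detecting an overflowing backlog can at least be answered from outside the daemon with the two tools already quoted in this thread. This is an added example, not dnsmasq code; the ss and nstat samples are constructed to mirror the output above (for a LISTEN socket, ss reports the current accept-queue length in Recv-Q and the limit given to listen() in Send-Q, and TcpExtListenOverflows counts connection attempts dropped because that queue was full).

```python
"""Spot TCP listen-backlog pressure from `ss -ntl` and `nstat -az` samples."""
import re

OVERFLOW_RE = re.compile(r"^TcpExtListenOverflows\s+(\d+)", re.MULTILINE)

# Constructed samples modelled on the output quoted in the thread
SS_SAMPLE = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     5      5      *:53                *:*
LISTEN     0      5      :::53               :::*
LISTEN     0      100    *:1025              *:*
"""
NSTAT_BEFORE = "#kernel\nTcpExtListenOverflows           2990               0.0\n"
NSTAT_AFTER = "#kernel\nTcpExtListenOverflows           3007               0.0\n"


def parse_ss_listen(text):
    """Return one dict per LISTEN row: local address, queue length, backlog limit."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "LISTEN":
            rows.append({"local": parts[3], "queued": int(parts[1]),
                         "backlog": int(parts[2])})
    return rows


def backlog_findings(rows, min_backlog=5, full_ratio=0.8):
    """Flag listeners whose backlog is at or below min_backlog, or whose
    accept queue has reached full_ratio of its limit (the same condition
    the systemtap probe above prints as sk_ack_backlog/sk_max_ack_backlog)."""
    findings = []
    for r in rows:
        if r["backlog"] <= min_backlog:
            findings.append((r["local"], "backlog-too-small"))
        if r["backlog"] and r["queued"] >= full_ratio * r["backlog"]:
            findings.append((r["local"], "accept-queue-full"))
    return findings


def overflow_delta(before, after):
    """Growth of TcpExtListenOverflows between two nstat snapshots; any
    positive value means the kernel dropped connections for a full queue."""
    b, a = OVERFLOW_RE.search(before), OVERFLOW_RE.search(after)
    if not (b and a):
        raise ValueError("TcpExtListenOverflows not found in sample")
    return int(a.group(1)) - int(b.group(1))


if __name__ == "__main__":
    for finding in backlog_findings(parse_ss_listen(SS_SAMPLE)):
        print(*finding)
    print("overflows since last sample:", overflow_delta(NSTAT_BEFORE, NSTAT_AFTER))
```

Run the two commands a minute apart and feed their output to these functions; a non-zero delta together with a Send-Q of 5 is exactly the picture the original post describes.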
Re: [Dnsmasq-discuss] Format Errors using add-subnet
Hi Scott,

On Mon, 5 Dec 2016 20:10:44 + Scott Bonar wrote:

> When using this option (which I really need to do) for DNS queries, I
> get Format Errors from the upstream DNS servers if they are Windows
> Servers 2008 through at least 2012. Has anyone seen this and is
> there a workaround either in DNSMasq or Windows?
>
> Your help is appreciated.

Maybe an actual example (ideally with a Wireshark or tcpdump capture) could help pinpoint the issue.

> Scott Bonar

Kind regards,
--
Albert.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
[Dnsmasq-discuss] listen-backlog option to override default (too small) value
Hi folks, for our case at Hostinger, we have a problem while too much TcpListenOverflows: [root@us-imm-dns1 ~]# nstat -az | grep TcpExtListenOverflows TcpExtListenOverflows 2990.0 [root@us-imm-dns1 ~]# ss -ntl sport = :53 State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 5 *:53 *:* LISTEN 0 5 :::53 :::* probe kernel.function("tcp_check_req") { tcphdr = __get_skb_tcphdr($skb); dport = __tcp_skb_dport(tcphdr) if ($sk->sk_ack_backlog > $sk->sk_max_ack_backlog) printf("listen queue for port(%d): %d/%d\n", dport, $sk->sk_ack_backlog, $sk->sk_max_ack_backlog); } [root@us-imm-dns1 ~]# staprun overflow.ko listen queue for port(53): 13/5 listen queue for port(53): 13/5 listen queue for port(53): 14/5 here is the proposed patch: commit fa610cd424b905720832afc8636373bb132f49c1 Author: Donatas AbraitisDate: Sun Dec 9 09:58:51 2012 +0200 Add `listen-backlog` option to override default 5 (too small) diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 4b55bb5..b717df3 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -980,6 +980,7 @@ extern struct daemon { struct dhcp_netid_list *force_broadcast, *bootp_dynamic; struct hostsfile *dhcp_hosts_file, *dhcp_opts_file, *dynamic_dirs; int dhcp_max, tftp_max, tftp_mtu; + int listen_backlog; int dhcp_server_port, dhcp_client_port; int start_tftp_port, end_tftp_port; unsigned int min_leasetime; diff --git a/src/network.c b/src/network.c index d87d08f..1e9d188 100644 --- a/src/network.c +++ b/src/network.c @@ -746,7 +746,7 @@ static int make_sock(union mysockaddr *addr, int type, int dienow) if (type == SOCK_STREAM) { - if (listen(fd, 5) == -1) + if (listen(fd, daemon->listen_backlog) == -1) goto err; } else if (family == AF_INET) diff --git a/src/option.c b/src/option.c index d0d9509..220303e 100644 --- a/src/option.c +++ b/src/option.c 
@@ -159,6 +159,7 @@ struct myoption { #define LOPT_SCRIPT_ARP347 #define LOPT_DHCPTTL 348 #define LOPT_TFTP_MTU 349 +#define LOPT_BACKLOG 350 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = @@ -190,6 +191,7 @@ static const struct myoption opts[] = { "domain-suffix", 1, 0, 's' }, { "interface", 1, 0, 'i' }, { "listen-address", 1, 0, 'a' }, +{ "listen-backlog", 1, 0, LOPT_BACKLOG }, { "local-service", 0, 0, LOPT_LOCAL_SERVICE }, { "bogus-priv", 0, 0, 'b' }, { "bogus-nxdomain", 1, 0, 'B' }, @@ -394,6 +396,7 @@ static struct { { 't', ARG_ONE, "", gettext_noop("Specify default target in an MX record."), NULL }, { 'T', ARG_ONE, "", gettext_noop("Specify time-to-live in seconds for replies from /etc/hosts."), NULL }, { LOPT_NEGTTL, ARG_ONE, "", gettext_noop("Specify time-to-live in seconds for negative caching."), NULL }, + { LOPT_BACKLOG, ARG_ONE, "", gettext_noop("Set the backlog queue limit."), NULL }, { LOPT_MAXTTL, ARG_ONE, "", gettext_noop("Specify time-to-live in seconds for maximum TTL to send to clients."), NULL }, { LOPT_MAXCTTL, ARG_ONE, "", gettext_noop("Specify time-to-live ceiling for cache."), NULL }, { LOPT_MINCTTL, ARG_ONE, "", gettext_noop("Specify time-to-live floor for cache."), NULL }, @@ -2286,7 +2289,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma ret_err(gen_err); /* error */ break; } - + +case LOPT_BACKLOG: /* --listen-backlog */ + if (!atoi_check(arg, >listen_backlog)) +ret_err(gen_err); + break; case 'a': /* --listen-address */ case LOPT_AUTHPEER: /* --auth-peer */ do { 
@@ -4517,6 +4524,7 @@ void read_opts(int argc, char **argv, char *compile_opts) daemon->cachesize = CACHESIZ; daemon->ftabsize = FTABSIZ; daemon->port = NAMESERVER_PORT; + daemon->listen_backlog = 5; daemon->dhcp_client_port = DHCP_CLIENT_PORT; daemon->dhcp_server_port = DHCP_SERVER_PORT; daemon->default_resolv.is_default = 1; -- Donatas ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
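Review bot: in the one_opt hunk the added line `if (!atoi_check(arg, >listen_backlog))` is not valid C as displayed: the left operand of `->` is missing, most likely lost on the way through the mail archive, so the patch should be resent as an attachment so the intended expression survives. Independently of that, atoi_check accepts any integer, so `--listen-backlog 0` or a negative value goes straight to listen(); add a range check that rejects values below 1 and returns gen_err, as the surrounding options do on bad input.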
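Review bot: in the make_sock hunk `listen(fd, daemon->listen_backlog)` passes the configured value through unchanged, but Linux silently caps the backlog at net.core.somaxconn, so `--listen-backlog 1000` on a host still at the default sysctl will not give the queue the operator expects and overflows will continue; consider logging the configured value at startup so the mismatch is visible, and documenting the sysctl dependency next to the option.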
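Review bot: in the read_opts hunk `daemon->listen_backlog = 5;` keeps the old hard-coded value as a bare literal while the neighbouring defaults (CACHESIZ, FTABSIZ, NAMESERVER_PORT) are named constants; define one alongside them so the code, the help string and the man page entry Albert asked for agree on the default, and have the help text "Set the backlog queue limit." state that default and that it applies to the TCP listeners only.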