Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel

2024-03-18 Thread shamrock_sesame214--- via Dnsmasq-discuss
Re-sending previous email with HTML formatting disabled, my apologies. 

Control and standard test cases for issue reproduction listed below:

A 'control' test case for the issue would be to launch dnsmasq in a typical 
Docker container. The program should launch normally and begin parsing the 
config, etc. The `docker run` statement should contain --privileged and 
--cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this, 
please do not use --privileged in prod!).

A standard test case to reproduce this issue would be to launch the exact same 
Docker container, using the gVisor runtime. Then the crash is reproduced.

gVisor can be installed quickly using an apt repo & a modification of 
/etc/docker/daemon.json to permit use of the new runtime:
https://gvisor.dev/docs/user_guide/install/

gVisor can then be launched for any container using `docker run 
--runtime=runsc`, combined with any other necessary Docker args:

https://gvisor.dev/docs/user_guide/quick_start/docker/

Further information regarding this runtime:

Overview: https://gvisor.dev/docs/

Syscall compatibility docs: 
https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/




On Saturday, March 16th, 2024 at 5:49 AM, Geert Stappers - stappers at
stappers.nl wrote:

> 
> 
> On Sat, Mar 16, 2024 at 09:09:16AM +, shamrock_sesame214--- via 
> Dnsmasq-discuss wrote:
> 
> > Hello,
> > 
> > I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is
> > a hardened userspace kernel compatible with Kubernetes and Docker
> > containers. At the moment, gVisor does not seem to support some routing
> > features such as those found in linux/rtnetlink.h, including multicast
> > related netlink subscriptions.
> > 
> > When I run dnsmasq in gVisor, I get this crash on startup:
> > 
> > cannot create netlink socket: Permission denied
> > 
> > Checking strace debugger, this was the attempted call made:
> > 
> > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID: 
> > 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)
> > 
> > The next call writes an error message to the terminal and
> > begins exiting the program. I believe this to be caused by
> > multicast route subscription near this line 73 in src/netlink.c:
> > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
> > 
> > I noticed the comment in the code:
> > 
> > /* May not be able to have permission to set multicast groups don't die in 
> > that case */
> > 
> > I am unsure if line 79 will trigger this error anyway, and if this is
> > intended behavior, as the program seems to crash anyway.
> > 
> > I also found in the source code that Netlink multicast subscription
> > is added to prevent routing race conditions when routes update, and
> > of course for DHCP/RA support. If Dnsmasq is running as a stub DNS
> > resolver inside a network namespace with one default gateway, is a
> > feature considerable to disable multicast Netlink subscriptions? In
> > this condition I do not anticipate routing updates to be frequent.
> > 
> > For additional debugging notes, the dnsmasq container functions outside
> > of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN
> > did not resolve the issue, as it appears to be gVisor compatibility
> > limitation.
> 
> 
> Advice: Do a follow-up which aims for much more common interest. Like
> explaining how cool gVisor is and where to find more information about it.
> 
> 
> Groeten
> Geert Stappers
> --
> Silence is hard to parse
> 
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Multicast Netlink Crash on gVisor Kernel

2024-03-18 Thread shamrock_sesame214--- via Dnsmasq-discuss
Control and standard test cases for issue reproduction listed below:

A 'control' test case for the issue would be to launch dnsmasq in a typical 
Docker container. The program should launch normally and begin parsing the 
config, etc. The `docker run` statement should contain --privileged and 
--cap-add=NET_ADMIN for the sole purpose of testing. (Any non-dev reading this, 
please do not use --privileged in prod!).

A standard test case to reproduce this issue would be to launch the exact same 
Docker container, using the gVisor runtime. Then the crash is reproduced.

gVisor can be installed quickly using an apt repo & a modification of 
/etc/docker/daemon.json to permit use of the new runtime:
https://gvisor.dev/docs/user_guide/install/

gVisor can then be launched for any container using `docker run 
--runtime=runsc`, combined with any other necessary Docker args:

https://gvisor.dev/docs/user_guide/quick_start/docker/

Further information regarding this runtime:

Overview: https://gvisor.dev/docs/

Syscall compatibility docs: 
https://gvisor.dev/docs/user_guide/compatibility/linux/amd64/

gVisor is owned by Google and used in Google Cloud Platform's container-related 
services, so looking into this issue may improve GCP compatibility, although I 
have not personally tested this against Google's online container services at 
this time.
-------- Original Message --------
On Mar 16, 2024, 5:49 AM, Geert Stappers - stappers at stappers.nl wrote:

> On Sat, Mar 16, 2024 at 09:09:16AM +, shamrock_sesame214--- via
> Dnsmasq-discuss wrote:
> > Hello,
> >
> > I am attempting to run dnsmasq DNS resolver in gVisor. gVisor is
> > a hardened userspace kernel compatible with Kubernetes and Docker
> > containers. At the moment, gVisor does not seem to support some routing
> > features such as those found in linux/rtnetlink.h, including multicast
> > related netlink subscriptions.
> >
> > When I run dnsmasq in gVisor, I get this crash on startup:
> >
> > cannot create netlink socket: Permission denied
> >
> > Checking strace debugger, this was the attempted call made:
> >
> > dnsmasq X bind(0x3 socket:[1], 0x7ee5d298ca58 {Family: AF_NETLINK, PortID:
> > 0, Groups: 1360}, 0xc) = 0 (0x0) errno=13 (permission denied) (19.017µs)
> >
> > The next call writes an error message to the terminal and
> > begins exiting the program. I believe this to be caused by
> > multicast route subscription near this line 73 in src/netlink.c:
> > https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=src/netlink.c;h=ef4b5fec3197ec1a855fca3bcf8d86eaa29ca479;hb=HEAD#l73
> >
> > I noticed the comment in the code:
> >
> > /* May not be able to have permission to set multicast groups don't die in
> > that case */
> >
> > I am unsure if line 79 will trigger this error anyway, and if this is
> > intended behavior, as the program seems to crash anyway.
> >
> > I also found in the source code that Netlink multicast subscription
> > is added to prevent routing race conditions when routes update, and
> > of course for DHCP/RA support. If Dnsmasq is running as a stub DNS
> > resolver inside a network namespace with one default gateway, is a
> > feature considerable to disable multicast Netlink subscriptions? In
> > this condition I do not anticipate routing updates to be frequent.
> >
> > For additional debugging notes, the dnsmasq container functions outside
> > of gVisor. The Docker --user root, --privileged, and --cap-add=NET_ADMIN
> > did not resolve the issue, as it appears to be gVisor compatibility
> > limitation.
>
> Advice: Do a follow-up which aims for much more common interest. Like
> explaining how cool gVisor is and where to find more information about it.
>
> Groeten
> Geert Stappers
> --
> Silence is hard to parse
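
Added example (not dnsmasq's code): it decodes the `Groups: 1360` mask from the strace line above into its RTMGRP_* bits and shows a netlink open that falls back to an unsubscribed socket when the kernel refuses the multicast subscription, which is the "don't die in that case" behaviour the code comment describes. The sandbox socket class is a constructed stand-in for the refusing kernel; note that the strace line reports errno=13, which on Linux is EACCES rather than EPERM, so the fallback below treats both as a refusal.

```python
import errno
import socket

NETLINK_ROUTE = 0  # rtnetlink protocol number (linux/netlink.h)

# rtnetlink multicast group bits; these are the kernel's values from linux/rtnetlink.h.
RTMGRP = {
    "RTMGRP_LINK": 0x1,
    "RTMGRP_NOTIFY": 0x2,
    "RTMGRP_NEIGH": 0x4,
    "RTMGRP_TC": 0x8,
    "RTMGRP_IPV4_IFADDR": 0x10,
    "RTMGRP_IPV4_MROUTE": 0x20,
    "RTMGRP_IPV4_ROUTE": 0x40,
    "RTMGRP_IPV4_RULE": 0x80,
    "RTMGRP_IPV6_IFADDR": 0x100,
    "RTMGRP_IPV6_MROUTE": 0x200,
    "RTMGRP_IPV6_ROUTE": 0x400,
    "RTMGRP_IPV6_IFINFO": 0x800,
}

# Both "permission" errnos. The strace line in the thread reports errno=13, which on
# Linux is EACCES; EPERM is errno 1. A fallback that tests only one of them will not
# fire for the other.
PERMISSION_ERRNOS = frozenset({errno.EPERM, errno.EACCES})


def decode_groups(mask):
    """Name the RTMGRP_* bits set in an nl_groups mask, lowest bit first."""
    names = [name for name, bit in sorted(RTMGRP.items(), key=lambda kv: kv[1])
             if mask & bit]
    unknown = mask & ~sum(RTMGRP.values())
    if unknown:
        names.append(f"unknown:{unknown:#x}")
    return names


def open_rtnetlink(groups, sock_factory):
    """Bind a NETLINK_ROUTE socket subscribed to `groups`.

    If the kernel refuses the multicast subscription with a permission error, bind a
    fresh, unsubscribed socket (nl_groups = 0) instead of failing: it still serves
    explicit RTM_GETROUTE / RTM_GETADDR dumps, only the asynchronous change
    notifications are lost. Returns (sock, groups_bound). Any other error, or a
    failure of the groups=0 bind, is raised unchanged.
    """
    sock = sock_factory()
    try:
        sock.bind((0, groups))  # (nl_pid, nl_groups); pid 0 lets the kernel assign one
        return sock, groups
    except OSError as exc:
        sock.close()
        if exc.errno not in PERMISSION_ERRNOS or groups == 0:
            raise
    sock = sock_factory()
    sock.bind((0, 0))
    return sock, 0


class SandboxNetlinkSocket:
    """Constructed stand-in for a sandbox kernel that rejects any multicast
    subscription with errno 13, as the strace output in the thread shows."""

    def __init__(self, reject_errno=errno.EACCES):
        self.reject_errno = reject_errno
        self.bound = None

    def bind(self, addr):
        _pid, groups = addr
        if groups != 0:
            raise OSError(self.reject_errno, "Permission denied")
        self.bound = addr

    def close(self):
        pass


def linux_rtnetlink_socket():
    """Factory for a real rtnetlink socket (Linux only)."""
    return socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)


def probe(groups, sock_factory):
    """Summarise what a daemon ends up with: the groups it asked for, the groups
    it got, and whether it still has multicast notifications."""
    sock, got = open_rtnetlink(groups, sock_factory)
    sock.close()
    return {"asked": decode_groups(groups), "got": decode_groups(got),
            "multicast": got != 0}


if __name__ == "__main__":
    # 1360 is the nl_groups value shown in the thread's strace line.
    print("sandbox:", probe(1360, SandboxNetlinkSocket))
    if hasattr(socket, "AF_NETLINK"):
        try:
            print("this kernel:", probe(1360, linux_rtnetlink_socket))
        except OSError as exc:
            print("this kernel: netlink unavailable:", exc)
```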


Re: [Dnsmasq-discuss] [PATCH] Fix potential memory leak

2024-03-18 Thread Geert Stappers
On Sun, Mar 17, 2024 at 01:09:36PM -0400, Brian Haley wrote:
> Nak.

Acknowledge
-- 
Silence is hard to parse



Re: [Dnsmasq-discuss] [PATCH] Fix potential memory leak

2024-03-18 Thread Dan Schaper via Dnsmasq-discuss

-- Original Message --

From "Brian Haley" 
To "Geert Stappers" ; 
dnsmasq-discuss@lists.thekelleys.org.uk

Date 3/18/2024 6:59:21 AM
Subject Re: [Dnsmasq-discuss] [PATCH] Fix potential memory leak




As an attempt to express that proposed patches get human attention.

I'm not sure what that means...


It means Geert doesn't think Simon is running `dnsmasq` to his (Geert's) 
liking so Geert is doing yet another passive aggressive attack on the 
list. You'll notice how Geert likes to change the email address he sends 
from with what he thinks are witty and creative names, like his monthly 
rules to post reminders.


Would be nice to just blanket ban anything from @stappers.nl but until 
then it's easier to just set a rule to send anything from that address 
to spam.


Geert has no authority to do anything in the `dnsmasq` project and this 
latest game with him setting up a patch repository is just a game. Simon 
is the sole gateway to getting any code in, much to Geert's dismay.


Best,
Dan



Re: [Dnsmasq-discuss] Question about behaviour of '#' symbol

2024-03-18 Thread Matus UHLAR - fantomas

On 18.03.24 14:21, Elias LA via Dnsmasq-discuss wrote:
> Thanks. I see. So the rule `server=/firebaseio.com/#` is sent to local
> server 127.0.0.1 which then blocks it because it has the rule
> `address=/*.firebaseio.com/`

I don't think the request is sent anywhere, why would dnsmasq send it to
itself?

Since you used no-resolv, I guess the request is handled locally according
to docs:

  Also permitted is a -S flag which gives a domain but no IP address;
  this tells dnsmasq that a domain is local and it may answer queries from
  /etc/hosts or DHCP but should never forward queries on that domain to any
  upstream servers.  --local is a synonym for --server to make configuration
  files clearer in this case.

perhaps guys can correct me.

> A rephrase of my question is:
>
> How can I route `firebaseio.com` to resolve using default address (the
> standard server defined by `server=8.8.8.8`) without having to write
> `server=/firebaseio.com/8.8.8.8` (with keeping the second following rule
> `address=/*.firebaseio.com/`).

I have said it already: since you send everything to 8.8.8.8
why do you need to explicitly configure any domain to query 8.8.8.8 ?

Why did you specify that domain at all?

Why did you set server= and address= with firebaseio.com?


> > On 18.03.24 09:41, Elias LA via Dnsmasq-discuss wrote:
> >
> > > In my dnsmasq.conf file, I have either one of two sets of rules:
> > >
> > > # Set 1:
> > >
> > > no-resolv
> > > server=8.8.8.8
> > >
> > > server=/firebaseio.com/#
> > > address=/*.firebaseio.com/
> > >
> > > # Set 2:
> > >
> > > no-resolv
> > > server=8.8.8.8
> > >
> > > server=/firebaseio.com/8.8.8.8
> > > address=/*.firebaseio.com/
> > >
> > > Running `dig firebaseio.com` using Set 1 gives local address, but using
> > > `Set 2` gives a valid server IP address. Why does not the first set give a
> > > valid IP? Is not the rule `server=/firebaseio.com/#` supposed to fetch the
> > > IP address from the "the standard servers" defined by `server=8.8.8.8`?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.



Re: [Dnsmasq-discuss] Question about behaviour of '#' symbol

2024-03-18 Thread Elias LA via Dnsmasq-discuss
Thanks. I see. So the rule `server=/firebaseio.com/#` is sent to local server 
127.0.0.1 which then blocks it because it has the rule 
`address=/*.firebaseio.com/`

A rephrase of my question is:

How can I route `firebaseio.com` to resolve using default address (the standard 
server defined by `server=8.8.8.8`) without having to write 
`server=/firebaseio.com/8.8.8.8` (with keeping the second following rule 
`address=/*.firebaseio.com/`).

Apologies for the multiple enquiries and thanks very much.

Elias.




Sent with Proton Mail secure email.

On Monday, 18 March 2024 at 13:11, Matus UHLAR - fantomas  
wrote:

> On 18.03.24 12:29, Elias LA via Dnsmasq-discuss wrote:
>
> > Yes, I am aware about the documentation which you quoted (and which I 
> > quoted). But how do you explain that the domain `firebaseio.com` is being 
> > blocked by set 1 and NOT by set 2?
> >
> > As you mentioned, we should expect `server=/firebaseio.com/#` to lookup the 
> > domain from `8.8.8.8`.
>
>
> 1. since you already have "server=8.8.8.8", why do you explicitly set
> "server=/firebaseio.com/8.8.8.8" ?
>
> - What is the point of resolving specific domain through a server, when you
> already resolve everything through the same server?
>
> > But it is not happening, and the domain is being blocked!
>
>
> 2. You have not said anything about it being blocked, you said it's
> resolving to local address. That is different issue.
>
> And that is issue what server=/domain/# supposed to do -
>
> 3. you already set .firebaseio.com not to resolve:
> address=/.firebaseio.com/
>
>
> So why exactly you are complaining it's not resolving when you set it not to
> resolve?
>
> > On Monday, 18 March 2024 at 11:12, Matus UHLAR - fantomas uh...@fantomas.sk 
> > wrote:
> >
> > > On 18.03.24 09:41, Elias LA via Dnsmasq-discuss wrote:
> > >
> > > > In my dnsmasq.conf file, I have either one of two sets of rules:
> > > >
> > > > # Set 1:
> > > >
> > > > no-resolv
> > > > server=8.8.8.8
> > > >
> > > > server=/firebaseio.com/#
> > > > address=/*.firebaseio.com/
> > > >
> > > > # Set 2:
> > > >
> > > > no-resolv
> > > > server=8.8.8.8
> > > >
> > > > server=/firebaseio.com/8.8.8.8
> > > > address=/*.firebaseio.com/
> > > >
> > > > Running `dig firebaseio.com` using Set 1 gives local address, but using
> > > > `Set 2` gives a valid server IP address. Why does not the first set give
> > > > a valid IP? Is not the rule `server=/firebaseio.com/#` supposed to fetch
> > > > the IP address from the "the standard servers" defined by `server=8.8.8.8`?
> > >
> > > the dnsmasq documentation says in the "-S --local --server=" docs:
> > >
> > > The special server address '#' means, "use the standard servers", so
> > > --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries
> > > for google.com and its subdomains to 1.2.3.4, except www.google.com (and
> > > its subdomains) which will be forwarded as usual.
> > >
> > > which usually means, use servers mentioned in /etc/resolv.conf for that
> > > domain.
> > >
> > > note that when you already have:
> > >
> > > server=8.8.8.8
> > >
> > > it's useless to specify any domains to the same server
> > >
> > > > server=/firebaseio.com/8.8.8.8
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> "The box said 'Requires Windows 95 or better', so I bought a Macintosh".
>



Re: [Dnsmasq-discuss] [PATCH] Fix potential memory leak

2024-03-18 Thread Brian Haley

Hi,

On 3/16/24 6:07 AM, Geert Stappers wrote:

On Sat, Mar 02, 2024 at 05:03:01PM +0100, Geert Stappers wrote:

On Fri, Mar 01, 2024 at 04:43:20PM -0500, Brian Haley wrote:

When a new IPv6 address is being added to a dhcp_config
struct, if there is anything invalid regarding the prefix
it looks like there is a potential memory leak.
ret_err_free() should be used to free it.

Signed-off-by: Brian Haley 
---
  src/option.c | 6 +++---

}  1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/src/option.c b/src/option.c
index f4ff7c0..02be995 100644
--- a/src/option.c
+++ b/src/option.c

} @@ -4034,7 +4034,7 @@ static int one_opt(int option, char *arg, char *errstr, 
char *gen_err, int comma

u64)1<<(128-new_addr->prefixlen))-1) & 
addrpart) != 0)
  {
dhcp_config_free(new);
-   ret_err(_("bad IPv6 prefix"));
+   ret_err_free(_("bad IPv6 prefix"), new_addr);
  }

new_addr->flags |= ADDRLIST_PREFIX;
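
Review bot: the diffstat at the top of the patch does not match the hunk: `src/option.c | 6 +++---` implies three insertions and three deletions, while the summary line says `1 insertion(+), 1 deletion(-)` and the hunk changes exactly one line (`ret_err(_("bad IPv6 prefix"));` becoming `ret_err_free(_("bad IPv6 prefix"), new_addr);`), so the stat line looks stale and should be regenerated. On the change itself, freeing `new` with `dhcp_config_free(new)` and then `new_addr` via `ret_err_free(..., new_addr)` is only correct if `new_addr` has not yet been linked into `new` at this point; the trailing context `new_addr->flags |= ADDRLIST_PREFIX;` suggests the address is still being filled in and not yet attached, but the leading context is cut off, so the commit message should state that ordering explicitly.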


Looks good to me



New version of the patch is planned.


Again, just wanted to emphasize that I did not agree with the new 
version and want this one merged instead.



As an attempt to express that proposed patches get human attention.

I'm not sure what that means...

-Brian



Re: [Dnsmasq-discuss] Question about behaviour of '#' symbol

2024-03-18 Thread Matus UHLAR - fantomas

On 18.03.24 12:29, Elias LA via Dnsmasq-discuss wrote:
> Yes, I am aware about the documentation which you quoted (and which I quoted).
> But how do you explain that the domain `firebaseio.com` is being blocked by set
> 1 and NOT by set 2?
>
> As you mentioned, we should expect `server=/firebaseio.com/#` to lookup the
> domain from `8.8.8.8`.

1. since you already have "server=8.8.8.8", why do you explicitly set
"server=/firebaseio.com/8.8.8.8" ?

- What is the point of resolving specific domain through a server, when you
already resolve everything through the same server?

> But it is not happening, and the domain is being blocked!

2. You have not said anything about it being blocked, you said it's
resolving to local address. That is different issue.

And that is issue what server=/domain/# supposed to do -

3. you already set *.firebaseio.com not to resolve:
address=/*.firebaseio.com/

So why exactly you are complaining it's not resolving when you set it not to
resolve?

> On Monday, 18 March 2024 at 11:12, Matus UHLAR - fantomas wrote:
> > On 18.03.24 09:41, Elias LA via Dnsmasq-discuss wrote:
> > > In my dnsmasq.conf file, I have either one of two sets of rules:
> > >
> > > # Set 1:
> > >
> > > no-resolv
> > > server=8.8.8.8
> > >
> > > server=/firebaseio.com/#
> > > address=/*.firebaseio.com/
> > >
> > > # Set 2:
> > >
> > > no-resolv
> > > server=8.8.8.8
> > >
> > > server=/firebaseio.com/8.8.8.8
> > > address=/*.firebaseio.com/
> > >
> > > Running `dig firebaseio.com` using Set 1 gives local address, but using
> > > `Set 2` gives a valid server IP address. Why does not the first set give a
> > > valid IP? Is not the rule `server=/firebaseio.com/#` supposed to fetch the
> > > IP address from the "the standard servers" defined by `server=8.8.8.8`?
> >
> > the dnsmasq documentation says in the "-S --local --server=" docs:
> >
> > The special server address '#' means, "use the standard servers", so
> > --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries
> > for google.com and its subdomains to 1.2.3.4, except www.google.com (and
> > its subdomains) which will be forwarded as usual.
> >
> > which usually means, use servers mentioned in /etc/resolv.conf for that
> > domain.
> >
> > note that when you already have:
> >
> > server=8.8.8.8
> >
> > it's useless to specify any domains to the same server
> >
> > > server=/firebaseio.com/8.8.8.8


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".



Re: [Dnsmasq-discuss] Question about behaviour of '#' symbol

2024-03-18 Thread Elias LA via Dnsmasq-discuss
Thanks Matus.

Yes, I am aware about the documentation which you quoted (and which I quoted). 
But how do you explain that the domain `firebaseio.com` is being blocked by set 
1 and NOT by set 2?

As you mentioned, we should expect `server=/firebaseio.com/#` to lookup the 
domain from `8.8.8.8`. But it is not happening, and the domain is being blocked!


Sent with Proton Mail secure email.

On Monday, 18 March 2024 at 11:12, Matus UHLAR - fantomas  
wrote:

> On 18.03.24 09:41, Elias LA via Dnsmasq-discuss wrote:
> 
> > In my dnsmasq.conf file, I have either one of two sets of rules:
> > 
> > # Set 1:
> > 
> > no-resolv
> > server=8.8.8.8
> > 
> > server=/firebaseio.com/#
> > address=/*.firebaseio.com/
> > 
> > # Set 2:
> > 
> > no-resolv
> > server=8.8.8.8
> > 
> > server=/firebaseio.com/8.8.8.8
> > address=/*.firebaseio.com/
> > 
> > Running `dig firebaseio.com` using Set 1 gives local address, but using
> > `Set 2` gives a valid server IP address. Why does not the first set give a
> > valid IP? Is not the rule `server=/firebaseio.com/#` supposed to fetch the
> > IP address from the "the standard servers" defined by `server=8.8.8.8`?
> 
> 
> the dnsmasq documentation says in the "-S --local --server=" docs:
> 
> The special server address '#' means, "use the standard servers", so
> --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries
> for google.com and its subdomains to 1.2.3.4, except www.google.com (and
> its subdomains) which will be forwarded as usual.
> 
> which usually means, use servers mentioned in /etc/resolv.conf for that
> domain.
> 
> note that when you already have:
> 
> server=8.8.8.8
> 
> it's useless to specify any domains to the same server
> 
> > server=/firebaseio.com/8.8.8.8
> 
> 
> you can skip this line.
> 
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> On the other hand, you have different fingers.
> 



Re: [Dnsmasq-discuss] Question about behaviour of '#' symbol

2024-03-18 Thread Matus UHLAR - fantomas

On 18.03.24 09:41, Elias LA via Dnsmasq-discuss wrote:
> In my dnsmasq.conf file, I have either one of two sets of rules:
>
> # Set 1:
>
> no-resolv
> server=8.8.8.8
>
> server=/firebaseio.com/#
> address=/*.firebaseio.com/
>
> # Set 2:
>
> no-resolv
> server=8.8.8.8
>
> server=/firebaseio.com/8.8.8.8
> address=/*.firebaseio.com/
>
> Running `dig firebaseio.com` using Set 1 gives local address, but using
> `Set 2` gives a valid server IP address.  Why does not the first set give a
> valid IP?  Is not the rule `server=/firebaseio.com/#` supposed to fetch the
> IP address from the "the standard servers" defined by `server=8.8.8.8`?

the dnsmasq documentation says in the "-S --local --server=" docs:

  The special server address '#' means, "use the standard servers", so 
  --server=/google.com/1.2.3.4 --server=/www.google.com/# will send queries 
  for google.com and its subdomains to 1.2.3.4, except www.google.com (and 
  its subdomains) which will be forwarded as usual.

which usually means, use servers mentioned in /etc/resolv.conf for that 
domain.

note that when you already have:

server=8.8.8.8

it's useless to specify any domains to the same server

> server=/firebaseio.com/8.8.8.8

you can skip this line.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.

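
Added example (not dnsmasq's code) of the server= routing the man-page excerpt above describes: the most specific matching `server=/domain/` rule wins, `#` sends the query to the standard servers, and a domain-only rule marks the domain local and never forwarded. The config is constructed from the thread's `server=8.8.8.8` and the documentation's google.com example plus a placeholder local domain; `address=` lines are not modelled here.

```python
STANDARD = "#"  # dnsmasq's special server address: "use the standard servers"


def parse_conf(text):
    """Parse the subset of dnsmasq.conf used in the thread: comments, no-resolv,
    server=<ip> (a standard server) and server=/<domain>[/<domain>...]/[<ip>|#].
    A server= (or local=) line with domains but no address marks them local."""
    conf = {"no_resolv": False, "standard": [], "rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "no-resolv":
            conf["no_resolv"] = True
            continue
        key, _, value = line.partition("=")
        if key not in ("server", "local"):
            continue  # other options (address=, etc.) are outside this model
        if not value.startswith("/"):
            conf["standard"].append(value)
            continue
        # "/a.com/b.com/1.2.3.4" -> ['', 'a.com', 'b.com', '1.2.3.4']
        parts = value.split("/")
        target = parts[-1]  # '' means local, '#' means the standard servers
        for domain in parts[1:-1]:
            conf["rules"].append((domain.rstrip(".").lower(), target))
    return conf


def _matches(name, domain):
    """A server=/domain/ rule covers the domain and its subdomains, on label boundaries."""
    return name == domain or name.endswith("." + domain)


def route(conf, qname, resolv_conf=()):
    """Decide where a query for qname goes: ("forward", [servers]) or ("local", None)."""
    name = qname.rstrip(".").lower()
    best = None
    for domain, target in conf["rules"]:
        if _matches(name, domain) and (best is None or len(domain) > len(best[0])):
            best = (domain, target)  # the longest matching suffix is the most specific
    standard = list(conf["standard"])
    if not conf["no_resolv"]:
        standard += list(resolv_conf)  # without no-resolv, /etc/resolv.conf servers count too
    if best is None or best[1] == STANDARD:
        return ("forward", standard)
    if best[1] == "":
        return ("local", None)  # answered from /etc/hosts or DHCP, never forwarded
    return ("forward", [best[1]])


# Constructed config: the thread's standard server, the man page's '#' example,
# and one local-only domain (corp.example is a placeholder name).
EXAMPLE_CONF = """
# standard upstream
no-resolv
server=8.8.8.8

server=/google.com/1.2.3.4
server=/www.google.com/#
server=/corp.example/
"""

if __name__ == "__main__":
    conf = parse_conf(EXAMPLE_CONF)
    for q in ("google.com", "mail.google.com", "www.google.com", "notgoogle.com",
              "firebaseio.com", "host.corp.example"):
        print(f"{q:20} -> {route(conf, q)}")
```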


[Dnsmasq-discuss] Question about behaviour of '#' symbol

2024-03-18 Thread Elias LA via Dnsmasq-discuss
Dear Dnsmasq team,

I have a question which I hope someone can kindly clarify:

In my dnsmasq.conf file, I have either one of two sets of rules:

# Set 1:

no-resolv
server=8.8.8.8

server=/firebaseio.com/#
address=/*.firebaseio.com/

# Set 2:

no-resolv
server=8.8.8.8

server=/firebaseio.com/8.8.8.8
address=/*.firebaseio.com/

Running `dig firebaseio.com` using Set 1 gives local address, but using `Set 
2` gives a valid server IP address. Why does not the first set give a valid IP? 
Is not the rule `server=/firebaseio.com/#` supposed to fetch the IP address from 
the "the standard servers" defined by `server=8.8.8.8`?

Thank you very much.

Elias.


Re: [Dnsmasq-discuss] dnsmasq 2.90 reply truncated

2024-03-18 Thread Adam Pribyl

I think I found the change:

git diff eb92fb3 efbf80be src/config.h
diff --git a/src/config.h b/src/config.h
index 37b374e..1e7b30f 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
 #define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 
120s) */
 #define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP 
connection */

 #define TCP_BACKLOG 32  /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from 
/dnsflagday.net/2020 */

+#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
 #define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see 
https://dnsflagday.net/2020/ */
 #define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing 
DNSSEC keys */
 #define DNSSEC_WORK 50 /* Max number of queries to validate one question 
*/
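
Review bot: as printed, the hunk runs in the opposite direction to the chronology the surrounding text describes: the `-` line carries `#define EDNS_PKTSZ 1232` and the `+` line `#define EDNS_PKTSZ 4096`, so the diff reads as a change from 1232 to 4096, while the text says 2.90 moved from 4096 to 1232. That is consistent with `git diff eb92fb3 efbf80be` having the newer commit as its first argument; the argument order should be confirmed before conclusions are drawn from which side is `-` and which is `+`. Minor: the 1232 line's comment has a doubled "from from".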


EDNS packet size was set to 4096, now is set same as SAFE_PKTSZ.

I've also read the paper for http://www.dnsflagday.net/2020/
and I may understand the problem - after this "fragmentation" of UDP is 
more-or-less disabled by setting max EDNS UDP packet size to 1232, it is 
necessary for the DNS to be enabled over TCP, so the resolving client may 
switch to TCP DNS resolution. This was not the case for Windows clients.


@Petr Menšík: seem your first assumption may be correct. Thanks for this 
pointer...


Let's see if that helps.

Adam Pribyl


On Mon, 18 Mar 2024, Adam Pribyl wrote:



I tried to increase the --edns-packet-max=1450, did not work, set it to 2048 
now resolution seems to work. Interestingly only temporarily, because this 
appears in the dnsmasq log soon


 reducing DNS packet size for nameserver 10.101.255.253 to 1232

and the resolution is not working again.

So it seems this is related to that change in dnsmasq and Windows name 
resolution as with Linux clients there is no problem, but even using this 
option does not fix the problem as for some reason dnsmasq decides to 
override the override..


Still it is not obvious to me, what edns packet size was used in dnsmasq 
before 2.90 version.


Adam Pribyl



On Tue, 12 Mar 2024, Adam Pribyl wrote:

In this case the query is from Windows 10 machine->dnsmasq server on Fedora 
38 forwards to -> bind on debian.


The result on Windows nslookup

Server: UnKnown
Address: 192.168.34.1

*** UnKnown can't find login.microsoftonline.com: Unspecified error

In dnsmasq there is this "reply is truncated" for this forwarded query.

I do not think the problem is the Windows client, because from the time I 
downgraded the dnsmasq on Fedora to 2.89, I did not get any "reply is 
truncated" dnsmasq log message anymore.


I can not judge if client should do anything else in this case though..

Adam Pribyl


On Tue, 12 Mar 2024, Petr Menšík wrote:

The response seems correct and acceptable in size. It should not truncate, 
at least what I see. It should also retry with TCP when truncated reply 
arrives. I have verified even last release works with dig. Dnsmasq does 
not do tcp query by itself, it expects client to do TCP query. What client 
do you use?


$ dig login.microsoftonline.com a

; <<>> DiG 9.18.24 <<>> login.microsoftonline.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20188
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 3 (Stale Answer)
;; QUESTION SECTION:
;login.microsoftonline.com.    IN    A

;; ANSWER SECTION:
login.microsoftonline.com. 10360 IN    CNAME login.mso.msidentity.com.
login.mso.msidentity.com. 30    IN    CNAME ak.privatelink.msidentity.com.
ak.privatelink.msidentity.com. 30 IN    CNAME 
www.tm.ak.prd.aadg.trafficmanager.net.

www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    40.126.31.71
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.0
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.68
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.71
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.73
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.75
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    40.126.31.67
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    40.126.31.69

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Mar 12 10:07:36 CET 2024
;; MSG SIZE  rcvd: 303

I have tried dig +ignore +noedns -t txt on google.com or cisco.com. If 
client does not retry, it gets no response. If it does, it does. It seems 
to work as intended.


If might help querying your bind server by dig @10.101.255.253 txt ch 
version.bind. But I suspect the problem is in client incorrectly omitting 
TCP query retry. Is it glibc program? Can you tell us more about client 
program making those queries?


Cheers,
Petr

On 3/11/24 09:27, Adam Pribyl wrote:
After upgrade of dnsmasq 2.89 to dnsmasq-2.90-1.fc38.x86_64 I started to 
notice, that some queries won't resolve when asked 

Re: [Dnsmasq-discuss] dnsmasq 2.90 reply truncated

2024-03-18 Thread Adam Pribyl


I tried to increase the --edns-packet-max=1450, did not work, set it to 
2048 now resolution seems to work. Interestingly only temporarily, because 
this appears in the dnsmasq log soon


  reducing DNS packet size for nameserver 10.101.255.253 to 1232

and the resolution is not working again.

So it seems this is related to that change in dnsmasq and Windows name 
resolution as with Linux clients there is no problem, but even using this 
option does not fix the problem as for some reason dnsmasq decides to 
override the override..


Still it is not obvious to me, what edns packet size was used in dnsmasq 
before 2.90 version.


Adam Pribyl



On Tue, 12 Mar 2024, Adam Pribyl wrote:

In this case the query is from Windows 10 machine->dnsmasq server on Fedora 
38 forwards to -> bind on debian.


The result on Windows nslookup

Server: UnKnown
Address: 192.168.34.1

*** UnKnown can't find login.microsoftonline.com: Unspecified error

In dnsmasq there is this "reply is truncated" for this forwarded query.

I do not think the problem is the Windows client, because from the time I 
downgraded the dnsmasq on Fedora to 2.89, I did not get any "reply is 
truncated" dnsmasq log message anymore.


I can not judge if client should do anything else in this case though..

Adam Pribyl


On Tue, 12 Mar 2024, Petr Menšík wrote:

The response seems correct and acceptable in size. It should not truncate, 
at least what I see. It should also retry with TCP when truncated reply 
arrives. I have verified even last release works with dig. Dnsmasq does not 
do tcp query by itself, it expects client to do TCP query. What client do 
you use?


$ dig login.microsoftonline.com a

; <<>> DiG 9.18.24 <<>> login.microsoftonline.com a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20188
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 3 (Stale Answer)
;; QUESTION SECTION:
;login.microsoftonline.com.    IN    A

;; ANSWER SECTION:
login.microsoftonline.com. 10360 IN    CNAME login.mso.msidentity.com.
login.mso.msidentity.com. 30    IN    CNAME ak.privatelink.msidentity.com.
ak.privatelink.msidentity.com. 30 IN    CNAME 
www.tm.ak.prd.aadg.trafficmanager.net.

www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    40.126.31.71
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.0
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.68
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.71
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.73
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    20.190.159.75
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    40.126.31.67
www.tm.ak.prd.aadg.trafficmanager.net. 30 IN A    40.126.31.69

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Mar 12 10:07:36 CET 2024
;; MSG SIZE  rcvd: 303

I have tried dig +ignore +noedns -t txt on google.com or cisco.com. If 
client does not retry, it gets no response. If it does, it does. It seems 
to work as intended.


If might help querying your bind server by dig @10.101.255.253 txt ch 
version.bind. But I suspect the problem is in client incorrectly omitting 
TCP query retry. Is it glibc program? Can you tell us more about client 
program making those queries?


Cheers,
Petr

On 3/11/24 09:27, Adam Pribyl wrote:
After upgrade of dnsmasq 2.89 to dnsmasq-2.90-1.fc38.x86_64 I started to 
notice, that some queries won't resolve when asked thru dnsmasq, but work 
asked directly to upstream nameserver.


I found that certain queries forwarded to anycast bind nameservers return 
only a "reply is truncated" message and no record.


Mar 11 07:30:05 server dnsmasq[4054056]: query[A] 
login.microsoftonline.com from 192.168.34.194
Mar 11 07:30:05 server dnsmasq[4054056]: forwarded 
login.microsoftonline.com to 10.101.255.253

Mar 11 07:30:05 server dnsmasq[4054056]: reply is truncated

Downgrading to dnsmasq-2.89-1.fc38.x86_64 seems to solve the problem.

The response for login.microsoftonline.com is a long one.

In the dnsmasq changelog I found, there were some changes with edns max 
size, but I can not find the commit to find out what was there before, to 
set the --edns-packet-max.


The general question would be - what is the correct DNS setup then? I 
probably need to change the bind config, as I do not want to fix every 
dnsmasq "client" in the network.


Thanks

Adam Pribyl





--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB


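
Added example (not dnsmasq's code) of the mechanism this thread is about: a reply larger than the negotiated EDNS UDP buffer comes back with the TC bit set and no answers, and only a client that retries over TCP gets the records. The two buffer sizes are the 4096 and 1232 from the config.h diff quoted earlier in the thread; the response is constructed (30 A records for the trafficmanager.net name from the dig output, with documentation addresses) so that it exceeds 1232 bytes but fits in 4096.

```python
import struct

TC = 0x0200              # Truncation bit in the DNS header flags (RFC 1035)
RESPONSE_FLAGS = 0x8180  # QR=1, RD=1, RA=1

# The two sizes at issue in the thread: dnsmasq 2.90's default EDNS buffer and
# the value used before it, per the config.h diff quoted in the thread.
EDNS_PKTSZ_290 = 1232
EDNS_PKTSZ_OLD = 4096


def encode_name(name):
    """Wire-encode a domain name without label compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qid, qname, addresses, ttl=30):
    """Build an uncompressed A-record response for qname (constructed data)."""
    header = struct.pack("!HHHHHH", qid, RESPONSE_FLAGS, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # name, type A, class IN, TTL, RDLENGTH=4, then the address
        answers += encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def fit_to_udp(response, udp_max):
    """What a UDP responder does when a reply exceeds the negotiated buffer:
    keep header and question, drop the answers and set TC so the client knows
    to retry the query over TCP."""
    if len(response) <= udp_max:
        return response
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    qlen = response[12:].index(b"\x00") + 1 + 4  # name terminator + qtype + qclass
    header = struct.pack("!HHHHHH", qid, flags | TC, qdcount, 0, 0, 0)
    return header + response[12:12 + qlen]


def is_truncated(reply):
    """True when the TC bit is set in the reply header."""
    return bool(struct.unpack("!H", reply[2:4])[0] & TC)


def answer_count(reply):
    """ANCOUNT from the reply header."""
    return struct.unpack("!H", reply[6:8])[0]


def resolve(full_response, udp_max, client_retries_tcp):
    """Emulate the exchange: UDP first, TCP only if the client honours TC.
    Returns the reply the client ends up with, or None when it gives up."""
    udp_reply = fit_to_udp(full_response, udp_max)
    if not is_truncated(udp_reply):
        return udp_reply
    if client_retries_tcp:
        return full_response  # TCP carries the whole message, no UDP size limit
    return None


# Constructed large answer: 30 A records (203.0.113.0/24 is a documentation
# range) for the name from the thread's dig output; 1645 bytes uncompressed.
BIG_NAME = "www.tm.ak.prd.aadg.trafficmanager.net"
BIG_ADDRS = [f"203.0.113.{i}" for i in range(1, 31)]
BIG_RESPONSE = build_response(0x4EDC, BIG_NAME, BIG_ADDRS)

if __name__ == "__main__":
    print("response size:", len(BIG_RESPONSE))
    for udp_max in (EDNS_PKTSZ_OLD, EDNS_PKTSZ_290):
        for retries in (True, False):
            got = resolve(BIG_RESPONSE, udp_max, retries)
            outcome = "no answer" if got is None else f"{answer_count(got)} records"
            print(f"udp_max={udp_max} client_retries_tcp={retries}: {outcome}")
```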