Hello Martin, or anyone else affected, Accepted dnsmasq into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dnsmasq/2.76-5ubuntu0.2 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: dnsmasq (Ubuntu Zesty) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-zesty -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dnsmasq in Ubuntu. https://bugs.launchpad.net/bugs/1726017 Title: dnsmasq prematurely returns REFUSED, breaking resolver Status in dnsmasq package in Ubuntu: Fix Released Status in dnsmasq source package in Xenial: In Progress Status in dnsmasq source package in Zesty: Fix Committed Bug description: [Impact] * DNS name resolution fails in certain network configurations, where different DNS servers are responsible for different domains and one or more servers reply REFUSED to queries that regard other domains than their own. Without the patch, dnsmasq returns a negative reply to if only one such negative answer is received from a forwarder, even if other forwarders return valid responses. This breaks the resolver and practically all internet connectivity, including web browsing, email, and receiving updates. * This should be backported to stable to fix internet connectivity for users. * The patch fixes the problem by querying all servers and only returning a negative reply to the requestor only if *all* forwarders return negative responses. [Test Case] * It should be possible to test this in a virtual network. One DNS server should be responsible for queries to the outside world, and the other one could be a DHCP/DNS instance (perhaps dnsmasq, also) that handles internal IP addresses and names. It's important that at least one of these servers return REFUSED to queries that don't belong into its realm (assuming the domain name is "my.net", the server for "my.net" would reply REFUSED to "ubuntu.com" and every other domain. I am not sure if this is normally the case, all I can say is that my Linux-based ASUS router does it. Connect an Ubuntu VM to this network. To aggravate the problem, the DHCP server would put the internal DNS server first in the nameservers field. If that's the case, the problem would also occur if the client used "strict-order" in dnsmasq.conf. [Regression Potential] * I don't see any. Would there be networks where admins rely upon getting NXDOMAIN back if just one server fails for a DNS query? I don't know. * [racb] As the behaviour in the area of REFUSED and SERVFAIL is being changed, it's probably worth checking during SRU verification that dnsmasq correctly passes back successful, REFUSED, SERVFAIL, zero-answer and 1+ answer responses in the simple, single upstream DNS server case. If there is a regression introduced by these patches, it is likely to be in the area of handling SERVFAIL, REFUSED and successful replies. [Other Info] Original bug description follows. Seen with dnsmasq 2.75-1ubuntu0.16.04.3, after Trusty->Xenial update. In my local network, I have two DNS servers; 192.168.1.1 is the local DHCP/DNS server configured to reply to queries inside the local network, and 192.168.1.4 is the forwarder in my DSL Router, responsible to answer queries about the outside world. THe DHCP server returns these in the order 192.168.1.4,192.168.1.1. The internal server replies REFUSED to queries about external domains. This configuration has worked well with Ubuntu 14.04 and other Linux Distros (using Fedora and OpenSUSE internally here), as well as various other OSes. It does not work with Ubuntu 16.04. NetworkManager's dnsmasq instance pushes the REFUSED reply from 192.168.1.1 to applications and ignores the successful reply from 2.168.1.4. This causes all DNS queries to external servers to fail. I believe this is fixed in dnsmasq 2.76 and related to http://lists.thekelleys.org.uk/pipermail/dnsmasq- discuss/2016q1/010263.html http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=68f6312d4bae30b78daafcd6f51dc441b8685b1e http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=object;h=4ace25c5d6 According to these sources, the bug was introduced with http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=object;h=51967f9807665dae403f1497b827165c5fa1084b In my local setup at least, I can work around the problem by using the "strict-order" option to dnsmasq. echo strict-order >/etc/NetworkManager/dnsmasq.d/order.conf But that's not a general solution. If dnsmasq has several forwarders, and some return SERVFAIL or REFUSED and others return SUCCESS, the successful answer should be returned to clients, independent of the strict-order setting. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1726017/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
