[Dnsmasq-discuss] Solution: failed DNS queries succeed on retry

Grant grant_nospam@dodo.com.au
Mon, 24 Jan 2005 11:04:03 +1100


Hi there,

Interaction of dnsmasq, linux 2.4 iptables and slow nameservers.

I'm running slackware-current with dnsmasq 2.20.

The problem: failed lookups while browsing the 'net succeed on 
retry in the browser.

Solution the first: find a couple extra nameservers.  Didn't 
really fix anything, just confused the issue for some weeks. :)

Current solution: Use dnsmasq "query-port=<query_port>" option 
to pin the port number, and add a rule to iptables to let 'NEW' 
UDP packets into the firewall box on that port.  I picked a >1024 
port number that was not in '/etc/services'.

What was happening?  Iptables default settings remember a single 
outgoing UDP event for only 30 seconds; the setting is here:

  /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout

Therefore my old firewall settings saw DNS query replies delayed 
by more than 30 seconds as unwanted 'NEW' connection attempts and 
dropped them.

The DNS query succeeds on retry as the nameservers already hold the 
cached response, thus responding much faster to the retry query.

Now I'm back to my ISP's two nameservers and the system is working 
fine.

Thanks to Simon for being responsive to private email and for his
clear explanations on how the DNS process works.  

Cheers,
Grant.
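The failure mode Grant describes, modelled as an added illustration (this is not code from the post or from dnsmasq): a simplified conntrack UDP table with the 30 s default timeout, the old ruleset that only accepts ESTABLISHED replies, and the fixed ruleset that also accepts NEW UDP to the pinned query port. The query port, nameserver address and timings are constructed sample values.

```python
"""Why a slow DNS reply is dropped by a stateful UDP firewall (added model)."""

UDP_TIMEOUT = 30      # default ip_conntrack_udp_timeout, in seconds
QUERY_PORT = 40053    # hypothetical value for dnsmasq's query-port= (>1024)
NAMESERVER = ("203.0.113.53", 53)   # constructed upstream nameserver


class Conntrack:
    """Minimal model of the kernel's UDP conntrack table."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.entries = {}   # (local_port, (remote_ip, remote_port)) -> last seen

    def outgoing(self, t, local_port, remote):
        # An outgoing datagram creates (or refreshes) an entry.
        self.entries[(local_port, remote)] = t

    def classify(self, t, local_port, remote):
        # A reply is ESTABLISHED only while the entry has not timed out;
        # otherwise the kernel sees it as a NEW connection attempt.
        last = self.entries.get((local_port, remote))
        if last is not None and t - last <= self.timeout:
            self.entries[(local_port, remote)] = t
            return "ESTABLISHED"
        return "NEW"


def firewall_verdict(state, dport, accept_new_on=None):
    """Old ruleset: ESTABLISHED only.  Fixed ruleset: also NEW udp --dport <query port>."""
    if state == "ESTABLISHED":
        return "ACCEPT"
    if accept_new_on is not None and dport == accept_new_on:
        return "ACCEPT"
    return "DROP"


def simulate(reply_delay, timeout=UDP_TIMEOUT, accept_new_on=None):
    """Send one query at t=0 and judge the reply arriving reply_delay seconds later."""
    ct = Conntrack(timeout)
    ct.outgoing(0, QUERY_PORT, NAMESERVER)
    state = ct.classify(reply_delay, QUERY_PORT, NAMESERVER)
    return firewall_verdict(state, QUERY_PORT, accept_new_on)


if __name__ == "__main__":
    print("fast reply, old rules:   ", simulate(5))                              # ACCEPT
    print("45 s reply, old rules:   ", simulate(45))                             # DROP
    print("45 s reply, port opened: ", simulate(45, accept_new_on=QUERY_PORT))   # ACCEPT
    print("45 s reply, longer timeout:", simulate(45, timeout=120))              # ACCEPT
```

The last case shows the alternative of raising ip_conntrack_udp_timeout instead of opening the port; pinning query-port makes the outgoing source port predictable, which dnsmasq's own documentation notes weakens resistance to spoofed replies, so a longer timeout is the more conservative fix.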