[Dnsmasq-discuss] Solution: failed DNS queries succeed on retry
Grant
grant_nospam@dodo.com.au
Mon, 24 Jan 2005 11:04:03 +1100
Hi there,
Interaction of dnsmasq, linux 2.4 iptables and slow nameservers.
I'm running slackware-current with dnsmasq 2.20.
The problem: failed lookups while browsing the 'net succeed on
retry in the browser.
Solution the first: find a couple extra nameservers. Didn't
really fix anything, just confused the issue for some weeks. :)
Current solution: Use dnsmasq "query-port=<query_port>" option
to pin the port number, and add a rule to iptables to let 'NEW'
UDP packets into the firewall box on that port. I picked a >1024
port number that was not in '/etc/services'.
What was happening? Iptables' default settings remember a single
outgoing UDP event for only 30 seconds; the setting is here:
/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout
Therefore my old firewall settings saw DNS query replies delayed
by more than 30 seconds as unwanted 'NEW' connection attempts and
dropped them.
The DNS query succeeds on retry as the nameservers already hold the
cached response, thus responding much faster to the retry query.
Now I'm back to my ISP's two nameservers and the system is working
fine.
Thanks to Simon for being responsive to private email and for his
clear explanations on how the DNS process works.
Cheers,
Grant.
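The fix described in the post, as an added example that is not part of the original message: shell helpers that check a candidate query port against a services file, emit the dnsmasq `query-port` line and the matching iptables rules, and read the conntrack UDP timeout. Restricting the rules to the upstream nameservers' addresses and source port 53 is an added tightening not in the post; the nameserver addresses and file paths used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Prints configuration lines
# only; nothing is applied to the running system.

# A usable query port is > 1024 and not already listed for UDP in the
# services file (the post used /etc/services; the path is an argument so
# it can be checked against a constructed file offline).
check_query_port() {
    port="$1"; services="$2"
    [ "$port" -gt 1024 ] 2>/dev/null || return 1
    # /etc/services lines look like "domain   53/udp"
    if grep -Eq "[[:space:]]${port}/udp([[:space:]]|$)" "$services" 2>/dev/null; then
        return 1
    fi
    return 0
}

# dnsmasq option pinning the source port of upstream queries.
dnsmasq_line() {
    printf 'query-port=%s\n' "$1"
}

# iptables rules admitting late replies that conntrack has forgotten.
# Matching the upstream address and --sport 53 is an added restriction:
# only answers from the configured nameservers reach the pinned port.
iptables_rules() {
    port="$1"; shift
    for ns in "$@"; do
        printf 'iptables -A INPUT -p udp -s %s --sport 53 --dport %s -m state --state NEW -j ACCEPT\n' \
            "$ns" "$port"
    done
}

# The conntrack UDP timeout the post points at (30 seconds by default).
# An explicit path lets it be read from a constructed file in tests.
udp_conntrack_timeout() {
    f="${1:-/proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout}"
    [ -r "$f" ] && cat "$f"
}
```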