[Dnsmasq-discuss] "random" problem with name resolution

Simon Kelley simon at thekelleys.org.uk
Fri Jul 24 12:12:45 BST 2009


Stefano Bridi wrote:
> Hi all, first of all thanks for the wonderful tool!
> I have a problem with the dns part of dnsmasq: sometimes does not
> resolve hostnames.
> The machine on which dnsmasq run is a Debian Lenny firewall between
> lan,dmz,internet and some other private network with some openVPN
> tunnel on board... version of dnsmasq is 2.45-1
> 
> The firewall itself is configured to resolve the name asking to
> dnsmasq. (127.0.0.1)
> 
> The dnsmasq.conf is:
> ###########################################
> no-resolv
> server=/ctn.mydomain.tld/CTN.MYDOMAIN.TLD DNS SERVER
> server=ISP DNS 1
> server=ISP DNS 2
> server=ISP DNS 3
> no-dhcp-interface=eth2
> no-dhcp-interface=eth3
> no-hosts
> addn-hosts=/etc/hosts.dnsmasq
> expand-hosts
> domain=mydomain.tld
> dhcp-range=..........
> dhcp-host=.............
> dhcp-host=.............
> dhcp-host=.............
> dhcp-host=.............
> dhcp-option=3,0.0.0.0
> dhcp-option=42,0.0.0.0
> dhcp-option=44,LAN WINS SERVER
> dhcp-authoritative
> cache-size=4096
> no-negcache
> log-queries
> log-async
> query-port=0
> ###########################################
> where "CTN.MYDOMAIN.TLD DNS SERVER" "ISP DNS *" "LAN WINS SERVER" are
> the correct value.
> Usually all works fine but sometimes the dnsmasq doesn't resolve some
> hostname and in the logs I find:
> ...
> Jul 20 13:33:14 fw00 dnsmasq[15606]: query[A] pmi.mydomain.tld from 10.x.x.249
> Jul 20 13:33:14 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to ISP DNS 1
> Jul 20 13:33:14 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to ISP DNS 2
> Jul 20 13:33:14 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to ISP DNS 3
> Jul 20 13:33:14 fw00 dnsmasq[15606]: reply pmi.mydomain.tld is <CNAME>
> ...
> while some seconds (in this case minutes) after It works.
> ...
> Jul 20 13:35:07 fw00 dnsmasq[15606]: query[A] pmi.mydomain.tld from 10.x.x.249
> Jul 20 13:35:07 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to ISP DNS 1
> Jul 20 13:35:07 fw00 dnsmasq[15606]: reply pmi.mydomain.tld is <CNAME>
> Jul 20 13:35:07 fw00 dnsmasq[15606]: reply web002.mydomain.tld is x.x.x.228
> ...
> 
> Obviously the network connection is always on and there are no other
> known problem.
> 
> The problem seems to manifest only with hostname with
> domain=mydomain.tld or other domain hosted on the same public dns
> server. Checking with dig the server that before had problems I see
> something like this:
> 
> # dig pmi.mydomain.tld
> 
> ; <<>> DiG 9.5.1-P2 <<>> pmi.mydomain.tld
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16903
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;pmi.mydomain.tld.              IN      A
> 
> ;; ANSWER SECTION:
> pmi.mydomain.tld.       3600    IN      CNAME   web002.mydomain.tld.
> web002.mydomain.tld.    86400   IN      A       x.x.x.228
> 
> ;; AUTHORITY SECTION:
> mydomain.tld.           8400    IN      NS      ns00.mydomain.tld.
> mydomain.tld.           8400    IN      NS      ns02.mydomain.tld.
> 
> ;; ADDITIONAL SECTION:
> ns00.mydomain.tld.      86400   IN      A       x.x.x.4
> ns02.mydomain.tld.      8400    IN      A       y.y.y.148
> 
> ;; Query time: 24 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri Jul 24 10:21:39 2009
> ;; MSG SIZE  rcvd: 141
> 
> Where SERVER: 127.0.0.1#53(127.0.0.1) is the dnsmasq
> 
> Could be a problem the different TTL ?
> 
> any idea?

My guess is that when it goes wrong, the upstream server is returning 
the CNAME record, but not the A record. That's the most likely 
explanation for the log messages you are seeing.

I've never found an actual standard that says what the semantics of this 
are, but practically, all resolvers, when they ask for the A record for 
<domain> and get back

<domain>  CNAME <target>

without the corresponding

<target>   A 1.2.3.4

treat this to mean that there is no A record for target, and don't try a 
query for A <target>.

Dnsmasq will just be passing this reply straight through, so the 
resolver which made the query will behave in this way.

This looks like an upstream server problem. Making the TTLs equal might 
be enough to solve it.




> P.S.:
> At the moment I'm trying to "patch" with dnsmasq that ask to a
> dedicated pdnsd that act as a recursive dns cache server. In the
> eventuality that this sandwich setup solve the problem... In your
> opinion can I gain other advantage/problem?

Given the above, that may well be a good solution.



Cheers,

Simon.
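The failure mode Simon describes (an A query answered with a CNAME but no address for the target, passed through unchanged by dnsmasq) is visible in the `log-queries` output quoted above. The script below is an added example, not code from the thread or from dnsmasq: it scans dnsmasq log lines and flags A/AAAA queries whose reply lines contain a `<CNAME>` but never an IP address. The log text is constructed to mirror the quoted excerpt (hostname, PID and RFC 5737 / RFC 1918 addresses are placeholders), and the line format is assumed to be the `query[A] ... from ...` / `reply ... is ...` form shown there. Replies are attributed to the most recent query line, which is a heuristic: with `log-async` or several clients in flight, lines from different queries can interleave, so treat a hit as a candidate to confirm with `dig` against the upstream server.

```python
import ipaddress
import re

# Constructed sample, modelled on the log excerpt quoted in the thread.
# Host name, PID and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Jul 20 13:33:14 fw00 dnsmasq[15606]: query[A] pmi.mydomain.tld from 10.0.0.249
Jul 20 13:33:14 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to 192.0.2.1
Jul 20 13:33:14 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to 192.0.2.2
Jul 20 13:33:14 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to 192.0.2.3
Jul 20 13:33:14 fw00 dnsmasq[15606]: reply pmi.mydomain.tld is <CNAME>
Jul 20 13:35:07 fw00 dnsmasq[15606]: query[A] pmi.mydomain.tld from 10.0.0.249
Jul 20 13:35:07 fw00 dnsmasq[15606]: forwarded pmi.mydomain.tld to 192.0.2.1
Jul 20 13:35:07 fw00 dnsmasq[15606]: reply pmi.mydomain.tld is <CNAME>
Jul 20 13:35:07 fw00 dnsmasq[15606]: reply web002.mydomain.tld is 198.51.100.228
"""

# syslog prefix: "Mon DD HH:MM:SS host dnsmasq[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: (?P<msg>.*)$"
)
QUERY_RE = re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<value>.+)$")


def _is_address(value: str) -> bool:
    """True if the logged reply value is an IPv4/IPv6 literal (an A/AAAA answer)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False  # e.g. "<CNAME>", "NXDOMAIN", "NODATA-IPv4"


def find_unresolved_cnames(log_text: str) -> list:
    """Return (timestamp, qtype, name, client) for every A/AAAA query whose
    reply lines include a <CNAME> but no address.  Reply lines are attributed
    to the most recent query line (heuristic; see lead-in)."""
    flagged = []
    current = None  # state of the A/AAAA query most recently seen

    def finish():
        if current and current["cname"] and not current["addr"]:
            flagged.append((current["ts"], current["qtype"], current["name"], current["client"]))

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a dnsmasq line
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            finish()            # close out the previous transaction
            current = None      # non-address query types are not tracked
            if q.group("qtype") in ("A", "AAAA"):
                current = {"ts": m.group("ts"), "qtype": q.group("qtype"),
                           "name": q.group("name"), "client": q.group("client"),
                           "cname": False, "addr": False}
            continue
        r = REPLY_RE.match(msg)
        if r and current is not None:
            value = r.group("value")
            if value == "<CNAME>":
                current["cname"] = True
            elif _is_address(value):
                current["addr"] = True
    finish()
    return flagged


if __name__ == "__main__":
    for ts, qtype, name, client in find_unresolved_cnames(SAMPLE_LOG):
        print(f"{ts}: {qtype} query for {name} from {client} got a CNAME but no address")
```

On the constructed sample only the 13:33:14 transaction is flagged; the 13:35:07 one ends with an address for the CNAME target and is treated as resolved. Running this over a real log with `log-queries` enabled shows whether the incomplete replies cluster by upstream server, which is the quickest way to confirm Simon's diagnosis before changing TTLs or adding a recursive cache in front of the authoritative server.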

