[Dnsmasq-discuss] !strict-order and SERVFAIL

Simon Kelley simon at thekelleys.org.uk
Wed Jan 5 21:11:49 GMT 2011


Alexander Clouter wrote:
> Hi,
> 
> Being the holiday season and all, I got around to finding out why 
> ssh'ing into hosts on my LAN is slow.  Stepped through everything that 
> could be at fault and tracked it down to dnsmasq[1].
> 
> All the hosts in my LAN are v6 enabled and it is all linked to the fact 
> that I have not done anything to provide valid PTR records for my entire 
> allocation 2a01:348:45::/48; SERVFAIL is returned to all queries.
> 
> Turns out when strict-order is set, there are no problems, but if you 
> have more than one upstream resolver and strict-order is off, then when 
> SERVFAIL is returned from the upstream resolvers then the querier (the 
> host I am trying to SSH into) never gets a reply.
> 
> I am guessing the same applies in the v4 case (there does not seem to be 
> any special treatment given for v6 lookups and SERVFAILing), I just 
> cannot find an IP that returns SERVFAIL to test the hypothesis with.
> 
> If this is expected behaviour, any chance that a note be added to 
> 'strict-order' to refer to this?
> 
> Cheers
> 
> [1] at a glance it looks like the logic in src/forward.c:reply_query() 
> 	that works around broken servers does not recover properly.  A 
> 	packet capture shows[2] repeated queries and the same SERVFAIL 
> 	response
> [2] http://stuff.digriz.org.uk/dnsmasq.pcap
> 


What is supposed to happen in response to a SERVFAIL is that the query
gets sent, again, to all available servers. If all those servers in turn
return SERVFAIL then the error gets propagated back to the original
querier.

I'm not quite sure what's going on in your packet capture: there seem
to be four possible upstream servers, so the query gets sent to all four
after the first one returns SERVFAIL. Not all the servers are replying,
which explains why nothing goes back to the original requestor.

I have a suspicion that there may be a problem with the second round of
requests generating a third round, and so on, but I can't work out
exactly which server is which. Could you provide a list of IP addresses
for the various actors and some idea which upstream servers are configured?

Cheers,

Simon.
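
The forwarding behaviour described in the reply above, as a small added model in C (not dnsmasq's source and not code from either poster). The struct, the function names and the per-server states are illustrative assumptions; the four-server count follows the description of the capture.

```c
#include <stdio.h>

#define NSERVERS       4   /* four upstreams, as in the capture described above */
#define RCODE_SERVFAIL 2   /* DNS RCODE 2, "Server failure" (RFC 1035) */

enum srv_state { IDLE, PENDING, FAILED };
enum action    { WAIT, REPLY_ANSWER, REPLY_SERVFAIL };

struct forward {           /* hypothetical per-query record, not dnsmasq's struct */
    enum srv_state srv[NSERVERS];
    int fanned_out;        /* set once the query has been resent to all servers */
};

/* Without strict-order the query first goes to a single chosen upstream. */
void fwd_start(struct forward *f, int first)
{
    for (int i = 0; i < NSERVERS; i++) f->srv[i] = IDLE;
    f->fanned_out = 0;
    f->srv[first] = PENDING;
}

/* Number of upstreams a reply is still outstanding from. */
int fwd_pending(const struct forward *f)
{
    int n = 0;
    for (int i = 0; i < NSERVERS; i++) n += (f->srv[i] == PENDING);
    return n;
}

/* Handle a reply from upstream idx; returns what to do for the client. */
enum action fwd_reply(struct forward *f, int idx, int rcode)
{
    if (f->srv[idx] != PENDING) return WAIT;          /* duplicate or unsolicited */
    if (rcode != RCODE_SERVFAIL) return REPLY_ANSWER; /* any other reply is passed back */
    if (!f->fanned_out) {                             /* first SERVFAIL: resend to all */
        f->fanned_out = 1;
        for (int i = 0; i < NSERVERS; i++) f->srv[i] = PENDING;
        return WAIT;
    }
    f->srv[idx] = FAILED;                             /* second-round SERVFAIL */
    return fwd_pending(f) == 0 ? REPLY_SERVFAIL : WAIT;
}

int main(void)
{
    struct forward f;
    fwd_start(&f, 0);
    fwd_reply(&f, 0, RCODE_SERVFAIL);                 /* triggers the resend */
    for (int i = 0; i < 3; i++) fwd_reply(&f, i, RCODE_SERVFAIL);
    printf("pending=%d\n", fwd_pending(&f));          /* server 3 stayed silent */
    return 0;
}
```

In this model a single silent upstream keeps the query in the WAIT state, which is the situation where the original querier gets no reply.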



