[Dnsmasq-discuss] dnsmasq does not seem to randomize resolvers

Sjors Gielen sjors at sjorsgielen.nl
Sun Mar 3 04:31:24 GMT 2013


Hi all,

I've either got a case of some very very bad luck from my RNG, or a bug on my hands. (Or I'm just being an idiot.)

I noticed that one of my upstream DNS servers has an old entry in its cache:

131.174.78.16:        asterix 83904 [...] 2001:610:6d0:75:6c21:5fff:fea1:be1
131.174.78.17:        asterix 47314 [...] 2001:610:6d0::6c21:5fff:fea1:be1
2001:4860:4860::8888: asterix 19742 [...] 2001:610:6d0:75:6c21:5fff:fea1:be1
2001:4860:4860::8888: asterix 19687 [...] 2001:610:6d0:75:6c21:5fff:fea1:be1

The second one from 131.174.78.17 is wrong, and was cached by my local dnsmasq. So I decided to re-start dnsmasq a few times until it had cached the correct response from one of the right nameservers, so I didn't need to hack things together to connect to this server.

However, I restarted dnsmasq a few times, and it kept returning the wrong address. I got interested, and commented out that resolver. This made it return the right address immediately on every try. I started to re-order the four addresses in the dnsmasq configuration file. (The relevant parts are copy-pasted below, but most important is that these four servers are my resolvers, resolv.conf is not read, and strict-ordering is not enabled.) I tried moving .17 to the first, keeping it on the second, moving it to the third and moving it to the fourth position, and did five restarts for each try and two queries per restart. As expected, every second query gave the same results as the first. Only when server .17 was in the third position did dnsmasq provide the IPv6 address with :75: one out of five times.

If I'm correct, the chances of giving the answer without :75: should be 1/4th over a restart. However, it was only 1/20th. When removing the server with the old answer, the chances correctly increased to 1/1 as expected. Is this behaviour extremely bad luck, expected, or a bug? I can reliably reproduce as long as .17 provides the wrong answer; I can probably fabricate the same situation again by exposing some timing skills.

Some other information: servers 131.174.78.1{6,7} both do not respond to ping, but both provide an answer to AAAA asterix.sjorsgielen.nl in 1 msec according to `dig`. The two v6 servers are Google, they respond to ping in about 8 ms, and also respond to the DNS query in about 8 ms.

Thanks,
Sjors

$ cat /etc/dnsmasq.conf
conf-dir=/etc/dnsmasq.d
$ ls /etc/dnsmasq.d
01-basic.conf  02-resolvers.conf  03-dhcp.conf  04-dhcp-devices.conf  README
$ cat /etc/dnsmasq.d/02-resolvers.conf | grep -v '^#' | grep -v '^$'
no-resolv
server=131.174.78.16
server=131.174.78.17
server=2001:4860:4860::8888
server=2001:4860:4860::8844
$ grep strict-order /etc/dnsmasq.d/*
(no output)
$ ps ax | grep dnsmasq
 7700 ?        S      0:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
$ dnsmasq -v
Dnsmasq version 2.62  Copyright (c) 2000-2012 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
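
An added example (not part of the original post): an exact binomial check of how likely the tally described above would be if each restart picked one of the four configured upstream servers uniformly at random. The uniform, independent choice per restart is an assumed null hypothesis, and the tallies are reconstructed from the post's description of the experiment.

```python
from fractions import Fraction
from math import comb

# Tallies reconstructed from the post: server .17 was placed in each of the
# four list positions, with five restarts per position. Only position 3 ever
# produced the ":75:" answer, and only once.
# key = position of .17, value = (restarts, restarts that returned the stale answer)
OBSERVED = {1: (5, 5), 2: (5, 5), 3: (5, 4), 4: (5, 5)}


def upper_tail(n, k, p):
    """Exact P(X >= k) for X ~ Binomial(n, p), returned as a Fraction."""
    q = 1 - p
    return sum(comb(n, i) * p**i * q**(n - i) for i in range(k, n + 1))


def stale_answer_test(observed, servers=4):
    """Return (restarts, stale answers, tail probability under the null).

    Assumed null hypothesis (not taken from dnsmasq itself): after every
    restart one of `servers` upstreams is chosen uniformly and independently,
    so the stale answer appears with probability 1/servers.
    """
    n = sum(restarts for restarts, _ in observed.values())
    k = sum(stale for _, stale in observed.values())
    return n, k, upper_tail(n, k, Fraction(1, servers))


if __name__ == "__main__":
    n, k, tail = stale_answer_test(OBSERVED)
    print(f"{k} stale answers in {n} restarts")
    print(f"P(at least {k} of {n} | uniform choice) = {tail} ~ {float(tail):.2e}")
```
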


