[Dnsmasq-discuss] NXDOMAIN on AAAA with Debian LXC

Chris West chris.west at logicalglue.com
Thu Sep 25 16:49:13 BST 2014


Yes, the lxc scripts are starting dnsmasq to a) provide dhcp and name
resolution for the vms, and b) proxy vms' DNS traffic to the host's dns
servers.  The full command (without config file) is below.

--log-queries has got me further.  It appears that dnsmasq is caching the
AAAA NXDOMAIN for the hostname past when the A record exists, such as when
the machine booted after dnsmasq started.

Is this expected behaviour?

Example logs; annotations surrounded by "****":

ubuntu at wolf ~$ sudo dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces
--pid-file=/run/lxc/dnsmasq.pid --conf-file= --listen-address 10.0.3.1
--dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-m=253 --dhcp-no-override
--except-interface=lo --interface=lxcbr0
--dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative
--log-queries -k --log-facility=/dev/stdout

Sep 25 16:40:45 dnsmasq[24567]: started, version 2.72 cachesize 150
Sep 25 16:40:45 dnsmasq[24567]: compile time options: IPv6 GNU-getopt DBus
i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
Sep 25 16:40:45 dnsmasq-dhcp[24567]: DHCP, IP range 10.0.3.2 -- 10.0.3.254,
lease time 1h
Sep 25 16:40:45 dnsmasq-dhcp[24567]: DHCP, sockets bound exclusively to
interface lxcbr0
Sep 25 16:40:45 dnsmasq[24567]: reading /etc/resolv.conf
Sep 25 16:40:45 dnsmasq[24567]: ignoring nameserver 10.0.3.1 - local
interface
Sep 25 16:40:45 dnsmasq[24567]: using nameserver 213.186.33.99#53
Sep 25 16:40:45 dnsmasq[24567]: read /etc/hosts - 9 addresses

**** poison the caches with some dig -t A test-foo; dig -t AAAA test-foo:
****

Sep 25 16:40:54 dnsmasq[24567]: query[A] test-foo from 10.0.3.1
Sep 25 16:40:54 dnsmasq[24567]: forwarded test-foo to 213.186.33.99
Sep 25 16:40:54 dnsmasq[24567]: reply test-foo is NXDOMAIN
Sep 25 16:41:00 dnsmasq[24567]: query[AAAA] test-foo from 10.0.3.1
Sep 25 16:41:00 dnsmasq[24567]: forwarded test-foo to 213.186.33.99
Sep 25 16:41:00 dnsmasq[24567]: reply test-foo is NXDOMAIN

**** here I start the machine test-foo, and it gets its dhcp lease: ****

Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPDISCOVER(lxcbr0) 10.0.3.123
9a:8b:50:fb:4c:a0
Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPOFFER(lxcbr0) 10.0.3.123
9a:8b:50:fb:4c:a0
Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPREQUEST(lxcbr0) 10.0.3.123
9a:8b:50:fb:4c:a0
Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPACK(lxcbr0) 10.0.3.123
9a:8b:50:fb:4c:a0 test-foo

**** and does some bootup nonsense: ****

Sep 25 16:41:08 dnsmasq[24567]: query[A] ntp.ubuntu.com from 10.0.3.123
Sep 25 16:41:08 dnsmasq[24567]: forwarded ntp.ubuntu.com to 213.186.33.99
Sep 25 16:41:08 dnsmasq[24567]: query[AAAA] ntp.ubuntu.com from 10.0.3.123
Sep 25 16:41:08 dnsmasq[24567]: forwarded ntp.ubuntu.com to 213.186.33.99
Sep 25 16:41:08 dnsmasq[24567]: reply ntp.ubuntu.com is NODATA-IPv6
Sep 25 16:41:08 dnsmasq[24567]: reply ntp.ubuntu.com is 91.189.89.199
Sep 25 16:41:08 dnsmasq[24567]: reply ntp.ubuntu.com is 91.189.94.4

**** now I can re-run my dig -t A test-foo: ****

Sep 25 16:41:15 dnsmasq[24567]: query[A] test-foo from 10.0.3.1
Sep 25 16:41:15 dnsmasq[24567]: DHCP test-foo is 10.0.3.123

**** ... which works fine, and my dig -t AAAA test-foo: ****

Sep 25 16:41:18 dnsmasq[24567]: query[AAAA] test-foo from 10.0.3.1
Sep 25 16:41:18 dnsmasq[24567]: cached test-foo is NXDOMAIN

....and get the NXDOMAIN.



If I restart dnsmasq after all the machines are started:

Sep 25 16:46:08 dnsmasq[25559]: started, version 2.72 cachesize 150
Sep 25 16:46:08 dnsmasq[25559]: compile time options: IPv6 GNU-getopt DBus
i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect
Sep 25 16:46:08 dnsmasq-dhcp[25559]: DHCP, IP range 10.0.3.2 -- 10.0.3.254,
lease time 1h
Sep 25 16:46:08 dnsmasq-dhcp[25559]: DHCP, sockets bound exclusively to
interface lxcbr0
Sep 25 16:46:08 dnsmasq[25559]: reading /etc/resolv.conf
Sep 25 16:46:08 dnsmasq[25559]: ignoring nameserver 10.0.3.1 - local
interface
Sep 25 16:46:08 dnsmasq[25559]: using nameserver 213.186.33.99#53
Sep 25 16:46:08 dnsmasq[25559]: read /etc/hosts - 9 addresses

**** querying returns NODATA (NOERROR in dig terminology), as I would
expect ****

Sep 25 16:46:19 dnsmasq[25559]: query[AAAA] test-foo from 10.0.3.1
Sep 25 16:46:19 dnsmasq[25559]: forwarded test-foo to 213.186.33.99
Sep 25 16:46:19 dnsmasq[25559]: reply test-foo is NODATA-IPv6
Sep 25 16:46:36 dnsmasq[25559]: query[A] test-foo from 10.0.3.1
Sep 25 16:46:36 dnsmasq[25559]: DHCP test-foo is 10.0.3.123

End.

On 24 September 2014 20:38, Simon Kelley <simon at thekelleys.org.uk> wrote:

> The problem for people on this list is that we don't (or, at least, I
> don't) have any knowledge about lxc. If you can give us information
> about the dnsmasq configuration that's being generated by lxc, then we
> stand a better chance of diagnosing the problem.
>
> I'm assuming that the VMs are getting addresses by DHCP, and therefore
> the names test-dove and test-harp are names that derive from DHCP leases.
>
> Can you enable the dnsmasq option --log-queries, and find the logs
> associated with your test DNS queries? That should give us some
> information about where dnsmasq is getting the information from.
>
>
> Cheers,
>
>
> Simon.
>
>
>
>
> On 24/09/14 15:01, Chris West wrote:
> > I've re-tested this with the 2.72 release (I'm pretty sure!) and I'm
> still
> > seeing the same intermittent behaviour.
> >
> > On 23 September 2014 10:37, Chris West <chris.west at logicalglue.com>
> wrote:
> >
> >> dnsmasq is being run by the Debian (well, Ubuntu) lxc scripts.  I am
> >> proxying to lxc vms (by name) with nginx (so using the nginx built-in
> >> resolver, which seems more sensitive than normal resolvers).
> >>
> >> On an Ubuntu Trusty machine (dnsmasq 2.68), everything works fine.
> >>
> >> On an Ubuntu Utopic machine (dnsmasq 2.71), proxying always fails with
> >> "..foo could not be resolved (3: Host not found)".
> >>
> >> I thought for a while that this might have been:
> >> * 288df49 - Fix bug when resulted in NXDOMAIN answers instead of NODATA.
> >> (5 days ago) <Simon Kelley>
> >>
> >> ...so I rolled the Utopic machine back to the 2.68 package.  (I'm not
> >> confident with building a replacement dnsmasq given how complex the
> debian
> >> LXC stuff is.)  However, now this still fails intermittently, and I'm
> at a
> >> loss.
> >>
> >> Currently I have two running machines, named "test-dove" and
> "test-harp".
> >>  "harp" was started after "dove".  Both resolve fine for A records:
> >> ubuntu at wolf ~$ dig -t A test-dove @10.0.3.1 | egrep 'status:|IN'
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65076
> >> ;test-dove. IN A
> >> test-dove. 0 IN A 10.0.3.168
> >> ubuntu at wolf ~$ dig -t A test-harp @10.0.3.1 | egrep 'status:|IN'
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35736
> >> test-harp. 0 IN A 10.0.3.34
> >>
> >> However, only "dove" gets a correct answer for AAAA records:
> >> ubuntu at wolf ~$ dig -t AAAA test-dove @10.0.3.1 | egrep 'status:|IN'
> >> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57038
> >> ;test-dove. IN AAAA
> >> ubuntu at wolf ~$ dig -t AAAA test-harp @10.0.3.1 | egrep 'status:|IN'
> >> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14476
> >> ;test-harp. IN AAAA
> >>
> >> Is this likely to be fixed by that patch, or can anyone else guess
> what's
> >> up with the system?
> >>
> >>
> >
> >
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140925/c9b21bea/attachment.html>


More information about the Dnsmasq-discuss mailing list