[Dnsmasq-discuss] AAAA requests: long delay or SERVFAIL

martin f krafft madduck at madduck.net
Tue Dec 23 19:59:15 GMT 2014


thus spoke Simon Kelley <simon at thekelleys.org.uk> [2014-12-23 18:14 +0100]:
> My guess is that the SERVFAIL is coming from a server upstream of
> dnsmasq. Unless told to, dnsmasq "overlays" the DNS information it
> has locally onto the global DNS a record-at-a-time, not
> a domain-name at a time.

Yeah, that could be. tcpdump seems to think you're right. Thank you!

> or even better, modify the domain definition to something like
> domain=virt,192.168.122.0/24, local

Unfortunately, I am seeing absolutely no difference with this
setting.

  % sudo grep domain /var/lib/libvirt/dnsmasq/default.conf
  domain=virt,192.168.122.0/24,local

  % dig @192.168.122.1 mx red.virt
  […]
  ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29678
  […]

And according to tcpdump, this SERVFAIL comes from upstream (see
below).

This (disabling any forwarding of *.virt) would be a really useful
setting for my case because I would also like to delegate the
resolution of *.virt to dnsmasq from my loopback resolver. At the
moment, this is the cause of the frequent timeouts: dnsmasq sends
a query upstream, which is configured to send queries for *.virt
downstream, which…

Am I doing something wrong still?

Btw, I managed to fix SERVFAIL upstream, using these instructions:

  http://utcc.utoronto.ca/~cks/space/blog/linux/UnboundDNSforVPN

tl;dr: DNSSEC is preventing me from using the zone *.virt unless
I declare it private and insecure.

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/
 
"to improve one's style means to improve one's thought."
                                                 - friedrich nietzsche
 
spamtraps: madduck.bogus at madduck.net
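
The upstream-side change summarised in the tl;dr above, as an added example that is not part of the original message or of the linked article. It assumes the upstream resolver is Unbound (as the linked article's title suggests) and that it hands *.virt to the libvirt dnsmasq at 192.168.122.1, the address used in the dig command above.

```conf
# unbound.conf fragment -- added example, not from the thread.
# Assumption: Unbound is the validating resolver that forwards *.virt downstream.
server:
    # Skip DNSSEC validation for virt. The signed root zone proves that no
    # such TLD exists, so a validating resolver otherwise treats the unsigned
    # answers from dnsmasq as bogus and returns SERVFAIL.
    domain-insecure: "virt"

    # Allow names under virt to resolve to private (RFC 1918) addresses even
    # when private-address rebinding protection is configured.
    private-domain: "virt"

# Send queries for *.virt to the libvirt dnsmasq instance.
forward-zone:
    name: "virt"
    forward-addr: 192.168.122.1
```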