[Dnsmasq-discuss] AAAA requests: long delay or SERVFAIL

Simon Kelley simon at thekelleys.org.uk
Tue Dec 23 21:00:29 GMT 2014


Try

local=/virt/

The extended domain=.... syntax is broken in some recent dnsmasq releases.


Cheers,

Simon.


On 23/12/14 19:59, martin f krafft wrote:
> also sprach Simon Kelley <simon at thekelleys.org.uk> [2014-12-23
> 18:14 +0100]:
>> My guess is that the SERVFAIL is coming from a server upstream
>> of dnsmasq. Unless told to, dnsmasq "overlays" the DNS
>> information it has locally onto the global DNS a
>> record-at-a-time, not a domain-name at a time.
> 
> Yeah, that could be. tcpdump seems to think you're right. Thank
> you!
> 
>> or even better, modify the domain definition to something like 
>> domain=virt,192.168.122.0/24, local
> 
> Unfortunately, I am seeing absolutely no difference with this 
> setting.
> 
> % sudo grep domain /var/lib/libvirt/dnsmasq/default.conf 
> domain=virt,192.168.122.0/24,local
> 
> % dig @192.168.122.1 mx red.virt
> […]
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29678
> […]
> 
> And according to tcpdump, this SERVFAIL comes from upstream (see 
> below).
> 
> This (disabling any forwarding of *.virt) would be a really useful 
> setting for my case because I would also like to delegate the 
> resolution of *.virt to dnsmasq from my loopback resolver. At the 
> moment, this is the cause of the frequent timeouts: dnsmasq sends a
> query upstream, which is configured to send queries for *.virt 
> downstream, which…
> 
> Am I doing something wrong still?
> 
> Btw, I managed to fix SERVFAIL upstream, using these instructions:
> 
> http://utcc.utoronto.ca/~cks/space/blog/linux/UnboundDNSforVPN
> 
> tl;dr: DNSSEC is preventing me from using the zone *.virt unless I
> declare it private and insecure.
> 
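A check for the situation discussed in this message, as an added example that is not part of the original post or of dnsmasq: it reads a dnsmasq configuration and reports, for each `domain=` entry, whether an explicit `local=/name/` (or an address-less `server=/name/`) keeps queries for that domain from being forwarded upstream. The function names, status labels and sample configuration are constructed for illustration.

```python
import re

# Constructed sample, modelled on the libvirt-generated file quoted in the thread.
SAMPLE_CONF = """\
domain=virt,192.168.122.0/24,local
domain=lab
local=/lab/
"""

def parse(conf_text):
    """Return ({domain: has ',local' flag}, {suffixes answered locally only})."""
    domains, local_only = {}, set()
    for raw in conf_text.splitlines():
        # '#' is treated as a comment only at line start or after whitespace,
        # so 'server=/virt/#' (use the default upstreams) is left intact.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "domain":
            fields = [f.strip() for f in value.split(",")]
            name = fields[0].strip(".").lower()
            if name:
                domains[name] = "local" in fields[1:]
        elif key in ("local", "server") and value.startswith("/"):
            *names, target = value[1:].split("/")
            if target == "":  # no upstream address: never forwarded
                local_only.update(n.strip(".").lower() for n in names if n)
    return domains, local_only

def audit(conf_text):
    """Classify each domain= entry by how its unanswered queries are handled."""
    domains, local_only = parse(conf_text)
    report = {}
    for name, has_flag in domains.items():
        pinned = any(name == s or name.endswith("." + s) for s in local_only)
        if pinned:
            report[name] = "local-only"
        elif has_flag:
            report[name] = "relies-on-domain-flag"  # the syntax reported broken above
        else:
            report[name] = "forwarded-upstream"
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONF).items():
        print(f"{name}: {status}")
```

A domain reported as `relies-on-domain-flag` or `forwarded-upstream` can have its AAAA, MX and other locally unknown queries sent to the upstream resolver, which exposes internal names and can produce the SERVFAIL or forwarding loop described in the thread.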


