[Dnsmasq-discuss] multiple upstream servers from behind NAT

Jeff jwamsc at gmail.com
Thu Sep 28 17:35:56 BST 2017


I have a server my.natted.server NAT'ed behind a public firewall, with
config lines for both of my upstream ISP nameservers:
server=<ip address for ns01.my-isp.com>
server=<ip address for ns02.my-isp.com>

I chose to use both ISP nameservers for redundancy, but this is not a
requirement.

I see dnsmasq query either upstream server, without issue. Here are 2
successful examples:

successful example:
15:41:50.958340 IP my.natted.server.54406 > ns01.my-isp.com.domain:
21145+ A? www.apple.com. (31)
15:41:50.987324 IP ns01.my-isp.com.domain > my.natted.server.54406:
21145 4/0/0 CNAME www.apple.com.edgekey.net., CNAME
www.apple.com.edgekey.net.globalredir.akadns.net., CNAME
e6858.dsce9.akamaiedge.net., A 23.36.67.187 (182)

successful example:
15:44:04.098088 IP my.natted.server.41451 > ns02.my-isp.com.domain:
30158+ A? www.apple.com. (31)
15:44:04.125471 IP ns02.my-isp.com.domain > my.natted.server.41451:
30158 4/0/0 CNAME www.apple.com.edgekey.net., CNAME
www.apple.com.edgekey.net.globalredir.akadns.net., CNAME
e6858.dsce9.akamaiedge.net., A 23.222.204.41 (182)

Occasionally I see a failure where dnsmasq sends out queries to both
upstream ISP nameservers, instructing each to reply to the same port.
The first one to reply "wins" and the 2nd to reply elicits an ICMP
"port unreachable". Here are 2 failure examples:

failure example:
15:36:49.835378 IP my.natted.server.17990 > ns01.my-isp.com.domain:
65330+ A? ns01.my-isp.com. (35)
15:36:49.835391 IP my.natted.server.17990 > ns02.my-isp.com.domain:
65330+ A? ns01.my-isp.com. (35)
15:36:49.863241 IP ns02.my-isp.com.domain > my.natted.server.17990:
65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867784 IP ns01.my-isp.com.domain > my.natted.server.17990:
65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867804 IP my.natted.server > ns01.my-isp.com: ICMP
my.natted.server udp port 17990 unreachable, length 87

failure example:
15:37:32.910884 IP my.natted.server.48523 > ns01.my-isp.com.domain:
51470+ A? ns02.my-isp.com. (35)
15:37:32.910915 IP my.natted.server.48523 > ns02.my-isp.com.domain:
51470+ A? ns02.my-isp.com. (35)
15:37:32.938315 IP ns01.my-isp.com.domain > my.natted.server.48523:
51470 1/0/0 A 71.10.216.2 (51)
15:37:32.942897 IP ns02.my-isp.com.domain > my.natted.server.48523:
51470 1/0/0 A 71.10.216.2 (51)
15:37:32.942930 IP my.natted.server > ns02.my-isp.com: ICMP
my.natted.server udp port 48523 unreachable, length 87

Question:
Is this an issue with:
1) My dnsmasq configuration?
2) dnsmasq?
3) my NAT'ing firewall?

Question:
For the failure examples above, is the DNS client successfully
resolving the query?
(implies the ICMP responses can be safely ignored)

I am running dnsmasq-2.66 on CentOS-7 Linux.

TIA,
Jeff
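The pattern described in the post (one query ID and one source port sent to two upstreams, one answer accepted, the late answer bounced with ICMP port unreachable) can be picked out of a tcpdump capture mechanically. The following is an added example, not code from the post or from dnsmasq: it groups tcpdump lines into transactions keyed by (local UDP port, DNS query ID) and reports, per transaction, which upstreams were asked, which answered first, which answered late, and which received an ICMP. The sample capture is the post's own four exchanges with tcpdump's wrapped lines joined back together; the line formats it parses are the tcpdump shapes shown above, and the regexes assume that shape. Timestamps are compared as HH:MM:SS.ffffff strings, which is valid within a single day.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Capture lines copied from the post above, re-joined from tcpdump's wrapping.
SAMPLE_CAPTURE = """
15:41:50.958340 IP my.natted.server.54406 > ns01.my-isp.com.domain: 21145+ A? www.apple.com. (31)
15:41:50.987324 IP ns01.my-isp.com.domain > my.natted.server.54406: 21145 4/0/0 CNAME www.apple.com.edgekey.net., CNAME www.apple.com.edgekey.net.globalredir.akadns.net., CNAME e6858.dsce9.akamaiedge.net., A 23.36.67.187 (182)
15:44:04.098088 IP my.natted.server.41451 > ns02.my-isp.com.domain: 30158+ A? www.apple.com. (31)
15:44:04.125471 IP ns02.my-isp.com.domain > my.natted.server.41451: 30158 4/0/0 CNAME www.apple.com.edgekey.net., CNAME www.apple.com.edgekey.net.globalredir.akadns.net., CNAME e6858.dsce9.akamaiedge.net., A 23.222.204.41 (182)
15:36:49.835378 IP my.natted.server.17990 > ns01.my-isp.com.domain: 65330+ A? ns01.my-isp.com. (35)
15:36:49.835391 IP my.natted.server.17990 > ns02.my-isp.com.domain: 65330+ A? ns01.my-isp.com. (35)
15:36:49.863241 IP ns02.my-isp.com.domain > my.natted.server.17990: 65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867784 IP ns01.my-isp.com.domain > my.natted.server.17990: 65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867804 IP my.natted.server > ns01.my-isp.com: ICMP my.natted.server udp port 17990 unreachable, length 87
15:37:32.910884 IP my.natted.server.48523 > ns01.my-isp.com.domain: 51470+ A? ns02.my-isp.com. (35)
15:37:32.910915 IP my.natted.server.48523 > ns02.my-isp.com.domain: 51470+ A? ns02.my-isp.com. (35)
15:37:32.938315 IP ns01.my-isp.com.domain > my.natted.server.48523: 51470 1/0/0 A 71.10.216.2 (51)
15:37:32.942897 IP ns02.my-isp.com.domain > my.natted.server.48523: 51470 1/0/0 A 71.10.216.2 (51)
15:37:32.942930 IP my.natted.server > ns02.my-isp.com: ICMP my.natted.server udp port 48523 unreachable, length 87
""".strip().splitlines()

# The three tcpdump line shapes in the capture: outgoing query, incoming answer, outgoing ICMP.
# tcpdump prints "<host>.<port>" for UDP endpoints and ".domain" for port 53.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.domain: "
    r"(?P<qid>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")
ANSWER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.domain > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<qid>\d+) (?P<ancount>\d+)/\d+/\d+ (?P<rrs>.*?) \(\d+\)$")
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP \S+ udp port (?P<port>\d+) "
    r"unreachable, length \d+$")


@dataclass
class Transaction:
    qname: str = ""
    queries: list = field(default_factory=list)   # (ts, upstream asked)
    answers: list = field(default_factory=list)   # (ts, upstream answering, rrs)
    icmp: list = field(default_factory=list)      # (ts, upstream the ICMP went to)


def parse_capture(lines):
    """Group tcpdump lines into transactions keyed by (local UDP port, DNS query ID)."""
    txs = OrderedDict()
    port_to_key = {}   # ICMP lines carry only the port, so map port -> last key seen on it
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if m := QUERY_RE.match(line):
            key = (m["sport"], m["qid"])
            tx = txs.setdefault(key, Transaction(qname=m["qname"]))
            tx.queries.append((m["ts"], m["dst"]))
            port_to_key[m["sport"]] = key
        elif m := ANSWER_RE.match(line):
            key = (m["dport"], m["qid"])
            txs.setdefault(key, Transaction()).answers.append((m["ts"], m["src"], m["rrs"]))
        elif m := ICMP_RE.match(line):
            key = port_to_key.get(m["port"])
            if key is not None:
                txs[key].icmp.append((m["ts"], m["dst"]))
    return txs


def summarize(tx):
    """Describe one transaction: who was asked, who answered first, whose answer was bounced."""
    asked = [u for _, u in tx.queries]
    answers = sorted(tx.answers)          # tuples sort on the timestamp first
    first = answers[0][1] if answers else None
    if len(asked) > 1 and len(set(asked)) == len(asked):
        status = "duplicate-query"        # same port and ID fanned out to several upstreams
    elif len(asked) == 1 and len(answers) == 1 and not tx.icmp:
        status = "ok"
    else:
        status = "anomalous"
    return {
        "qname": tx.qname,
        "status": status,
        "asked": asked,
        "first_answer_from": first,
        "late_answers_from": [u for _, u, _ in answers[1:]],
        "icmp_sent_to": [u for _, u in tx.icmp],
        # True when an answer was accepted before the socket started bouncing packets.
        "first_answer_before_icmp": bool(answers) and (not tx.icmp or answers[0][0] < tx.icmp[0][0]),
    }


def report(lines):
    """Map (port, query ID) -> summary for every transaction in the capture."""
    return {key: summarize(tx) for key, tx in parse_capture(lines).items()}


if __name__ == "__main__":
    for key, s in report(SAMPLE_CAPTURE).items():
        print(key, s["status"], s["qname"], "first:", s["first_answer_from"],
              "late:", s["late_answers_from"], "icmp:", s["icmp_sent_to"])
```

Feed it `tcpdump -n -l udp port 53 or icmp` output (after joining any wrapped lines) to see how often the duplicate-query pattern occurs and whether the accepted answer always precedes the ICMP.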


