[Dnsmasq-discuss] DNSSEC slow query / TCP/ truncated issue

Dominic Preston lzqhwo at gmail.com
Thu Aug 15 12:04:41 BST 2019


On Thu, 15 Aug 2019 at 08:29, Geert Stappers <stappers at hendrikx-itc.nl> wrote:
>
> On 14-08-2019 23:09, Dominic Preston wrote:
>
> > On Wed, 14 Aug 2019 at 21:32, Geert Stappers <stappers at stappers.nl> wrote:
> >> On Wed, Aug 14, 2019 at 06:51:52PM +0100, Dominic Preston wrote:
> >>> On Wed, 14 Aug 2019 at 18:43, Simon Kelley <simon at thekelleys.org.uk> wrote:
> >>>> On 11/08/2019 21:01, Dominic Preston wrote:
> >>>>
> >>>>
> >>>> I have a fresh installation of Ubuntu 18.04 on Google Cloud Platform.
> >>>>
>  ...
> >>>> It's likely that the MTU for the path from 8.8.8.8 to you is limited,
> >>>> and a reply for one of the queries needed to verify the query is
> >>>> getting dropped. Hence dnsmasq reduces the packet size to the more
> >>>> conservative 1280, and the query has to be done over TCP.
> >>>>
> >>>> It works fast the second time because the information you're asking for
> >>>> is cached by dnsmasq.
> >>>>
> >>>> Cheers,
> >>>>
> >>>> Simon.
> >>>>
> >>> Thanks Simon, that makes sense.
> >>>
> >>> Is there a straightforward (non dnsmasq) network command I can run so
> >>> I can demonstrate this MTU issue to the Google Cloud team?
> >>  https://duckduckgo.com/?q=test+MTU+size  does hint `ping`
> >>
> >> I don't know how well it goes in this situation.
> >>
> >>
> >> The road that I would explore is how to mimic the dnsmasq request to
> >> upstream DNS with `dig`.
> >>
> >> My attempt with `dig @8.8.8.8 pir.org ANY` returns "MSG SIZE  rcvd: 2509",
> >> but no sign of ";; Truncated, retrying in TCP mode."
> >>
> >> Interesting problem.
> >>
> >>
> > Just to check, are you testing on Google Cloud too, Geert?
> >
> > `dig @8.8.8.8 pir.org ANY` works fine for me too.
> >
>
> No, I'm not on Google Cloud.
>
>
> Regards
>
> Geert Stappers
>
> DevOps Engineer at Hendrikx-ITC

I can replicate the issue on Google Cloud simply by issuing (dig
@8.8.8.8 +dnssec org DNSKEY) and (dig @1.1.1.1 +dnssec org DNSKEY) so
it's actually nothing to do with Dnsmasq, it's just where I first
realised there's an issue.

Apparently Google Cloud's network breaks EDNS!

Thanks for all the help received,
Dom.
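
Added example, not part of the original thread: a shell sketch of the check discussed above. It repeats the `dig +dnssec org DNSKEY` query over UDP only at several EDNS buffer sizes, so that a large reply lost on the path shows up as a timeout instead of being hidden by the TCP retry. The function names and every size in the list other than 1280 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: find which EDNS UDP buffer sizes get an answer from a resolver.
# Usage: sh edns_probe.sh 8.8.8.8   (script name is hypothetical)

# classify_reply: read dig output on stdin and print one of
#   timeout | truncated | ok <bytes received> | other
classify_reply() {
  _out=$(cat)
  _size=$(printf '%s\n' "$_out" |
    sed -n 's/^;; MSG SIZE  *rcvd: \([0-9][0-9]*\).*/\1/p')
  if printf '%s\n' "$_out" | grep -Eq 'timed out|no servers could be reached'; then
    echo timeout          # nothing came back over UDP at this size
  elif printf '%s\n' "$_out" | grep -Eq '^;; flags:[^;]* tc[ ;]'; then
    echo truncated        # server answered but set the TC bit
  elif printf '%s\n' "$_out" | grep -q 'status: NOERROR'; then
    echo "ok $_size"      # full answer arrived over UDP
  else
    echo other
  fi
}

# probe SERVER NAME TYPE BUFSIZE
# +ignore keeps dig from retrying a truncated reply over TCP,
# +bufsize sets the advertised EDNS UDP payload size.
probe() {
  dig "@$1" "$2" "$3" +dnssec +notcp +ignore +bufsize="$4" \
      +tries=1 +time=3 2>&1 | classify_reply
}

# Only touch the network when a resolver address is given.
if [ "$#" -ge 1 ]; then
  for size in 512 1232 1280 1472 4096; do   # 1280 is dnsmasq's fallback size
    printf '%-5s %s\n' "$size" "$(probe "$1" org DNSKEY "$size")"
  done
fi
```

A row that reads `timeout` at the larger sizes while smaller sizes return `ok` or `truncated` is the pattern Simon describes: the big UDP reply is being dropped somewhere on the path.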


