[Dnsmasq-discuss] dns-loop-detect doesn't appear to be working

Jonathan Knoll jonathan.knoll at oracle.com
Fri Oct 18 13:57:01 BST 2019


In digging into the source, it looks like loop detect was purposefully 
coded to only detect loops on upstream servers and not any servers that 
are for a specific domain.  I'm curious why that is, and would it be 
acceptable to remove the SERV_HAS_DOMAIN in the relevant sections of 
src/loop.c?

Line 33:

        /* Loop through all upstream servers not for particular domains,
           and send a query to that server which is
           identifiable, via the uid. If we see that query back again,
           then the server is looping, and we should not use it. */
        for (serv = daemon->servers; serv; serv = serv->next)
          if (!(serv->flags &
                (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
                 SERV_NO_REBIND | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_LOOP)))

Line 106:

        for (serv = daemon->servers; serv; serv = serv->next)
          if (!(serv->flags &
                (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
                 SERV_NO_REBIND | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_LOOP)) &&
              uid == serv->uid)

Thanks,

Jon
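The following is an added simulation, not dnsmasq code and not from the thread's author, of the two-resolver setup described in the original report: two resolvers that each forward my.fun.domain to the other. It models the two places in src/loop.c quoted above (the probe loop and the "did our own uid come back" check) with a reduced flag set, and lets the SERV_HAS_DOMAIN exclusion be switched on or off to show the effect on a domain-only forwarding loop. Everything here is constructed: the flag values, the hop budget standing in for the concurrent-query limit, the fixed uid ranges (dnsmasq's real uids are not predictable), and the choice to place the probe name under the entry's domain so the peer routes the probe the same way it routes real queries.

```c
#include <stdio.h>
#include <string.h>

/* Flag bits are constructed for this simulation; they are not dnsmasq's real values. */
#define SERV_HAS_DOMAIN 0x01u
#define SERV_LOOP       0x02u

struct server {                /* stand-in for dnsmasq's server-list entry */
    struct resolver *target;   /* peer this entry forwards to (stands in for IP#port) */
    const char *domain;        /* non-NULL: entry only serves names under this domain */
    unsigned flags, uid;       /* uid = id carried by the probe sent to this entry, 0 = none */
    struct server *next;
};

struct resolver {
    struct server *servers;
    unsigned next_uid;         /* dnsmasq uses unpredictable uids; a fixed range per resolver here */
    int loops_found;           /* entries this resolver marked SERV_LOOP */
    int forwards;              /* queries this resolver sent upstream */
    int probe_domain_servers;  /* 1 = drop the SERV_HAS_DOMAIN exclusion the post asks about */
};
/* A query in flight: the name, plus the uid if it is a loop probe (0 otherwise). */
struct query { const char *name; unsigned probe_uid; };

/* The flag filter used at both places in src/loop.c, reduced to the two flags modelled here. */
static int probe_eligible(const struct server *s, int include_domain) {
    unsigned mask = include_domain ? SERV_LOOP : (SERV_LOOP | SERV_HAS_DOMAIN);
    return !(s->flags & mask);
}

static int name_in_domain(const char *name, const char *domain) {
    size_t n = strlen(name), d = strlen(domain);
    return n > d && name[n - d - 1] == '.' && strcmp(name + n - d, domain) == 0;
}

/* First matching domain entry wins, else the first default entry; looping entries are skipped. */
static struct server *pick_server(struct resolver *r, const char *name) {
    struct server *s, *fallback = NULL;
    for (s = r->servers; s; s = s->next) {
        if (s->flags & SERV_LOOP) continue;
        if (s->domain && name_in_domain(name, s->domain)) return s;
        if (!s->domain && !fallback) fallback = s;
    }
    return fallback;
}

/* Incoming query: first the line-106 check (did one of our own probes come back?), then
   ordinary forwarding. `hops` stands in for dnsmasq's concurrent-query limit. */
static void receive_query(struct resolver *r, struct query q, int hops) {
    struct server *s;
    if (q.probe_uid)
        for (s = r->servers; s; s = s->next)
            if (probe_eligible(s, r->probe_domain_servers) && s->uid == q.probe_uid) {
                s->flags |= SERV_LOOP;   /* our probe came back: this entry loops to us */
                r->loops_found++;
                return;
            }
    if (hops <= 0 || !(s = pick_server(r, q.name))) return;
    r->forwards++;
    receive_query(s->target, q, hops - 1);
}

/* The line-33 loop. The probe name is placed under the entry's domain so the peer routes it
   exactly like a real query for that domain (this example's design choice, not dnsmasq's). */
static void send_probes(struct resolver *r) {
    struct server *s;
    char name[128];
    for (s = r->servers; s; s = s->next) {
        if (!probe_eligible(s, r->probe_domain_servers)) continue;
        s->uid = ++r->next_uid;
        snprintf(name, sizeof name, "probe.%s", s->domain ? s->domain : "loop.test");
        struct query q = { name, s->uid };
        r->forwards++;
        receive_query(s->target, q, 8);
    }
}

/* Two resolvers forwarding my.fun.domain to each other, as in the post. Returns the number of
   entries marked SERV_LOOP; *client_forwards receives how often one client query was forwarded. */
static int run_scenario(int include_domain, int *client_forwards) {
    struct resolver a = { NULL, 0x1000, 0, 0, include_domain };
    struct resolver b = { NULL, 0x2000, 0, 0, include_domain };
    struct server sa = { &b, "my.fun.domain", SERV_HAS_DOMAIN, 0, NULL };
    struct server sb = { &a, "my.fun.domain", SERV_HAS_DOMAIN, 0, NULL };
    struct query q = { "some.my.fun.domain", 0 };
    a.servers = &sa; b.servers = &sb;
    send_probes(&a); send_probes(&b);
    int before = a.forwards + b.forwards;
    receive_query(&a, q, 8);
    *client_forwards = a.forwards + b.forwards - before;
    return a.loops_found + b.loops_found;
}

int loops_detected(int include_domain) { int fw; return run_scenario(include_domain, &fw); }
int client_query_forwards(int include_domain) { int fw; run_scenario(include_domain, &fw); return fw; }

int main(void) {
    printf("SERV_HAS_DOMAIN excluded: %d loop(s) found, client query forwarded %d times\n",
           loops_detected(0), client_query_forwards(0));
    printf("SERV_HAS_DOMAIN included: %d loop(s) found, client query forwarded %d times\n",
           loops_detected(1), client_query_forwards(1));
    return 0;
}
```

With the exclusion in place (the current behaviour), no domain entry is ever probed, so the client query ping-pongs between the two resolvers until the hop budget runs out, which is the analogue of the "Maximum number of concurrent DNS queries reached" log line in the report. With the exclusion dropped, the first resolver to probe sees its own uid return and marks its entry SERV_LOOP; the second resolver's probe then dies at the first one, which no longer has a usable route, so only one entry is marked but the loop is broken. Note that the detection only works because the probe name is routed through the same domain-specific entry as real queries; a probe for a name outside the domain would not exercise that route at all.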

On 10/16/2019 10:23 AM, Jonathan Knoll wrote:
>
> Hey all,
>
> Hopefully I am just misconfiguring something, but when I try to test 
> out the dns-loop-detect feature and configure two instances of dnsmasq 
> to forward to each other a loop is formed but is never stopped.
>
> Steps to reproduce:
> Prerequisites:
>    * Two VM based servers on the same network
>    * Both running dnsmasq as a container using the host network.
>    * Each has a configuration line to forward "my.fun.domain" to the other
> Procedure:
>    * Run the two containers with the described configuration WITHOUT the dns-loop-detect flag.
>      The following startup logs were observed:
>          dnsmasq[10]: started, version 2.80 cachesize 150
>          dnsmasq[10]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
>          dnsmasq[10]: using nameserver <other server IP>#53 for domain my.fun.domain
>          dnsmasq[10]: cleared cache
>    * From one of the servers, query using nslookup:
>      "nslookup some.my.fun.domain 127.0.0.1"
>    * Observe both servers forward to each other repeatedly and immediately reach the connection limit.
>      Truncated logs from one server:
>            dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
>            dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
>            parsed: ['query[A]', 'some.my.fun.domain', 'from', '10.19.166.12']
>            dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
>            dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
>            dnsmasq[9]: Maximum number of concurrent DNS queries reached (max: 150)
>      Logs from the other server are identical but instead have the opposite server's IP address.
>   -----
>    * Stop the two containers, and run again WITH the dns-loop-detect flag in the configuration
>      The same exact startup logs are observed as before.
>    * Perform the same nslookup query from one of the servers
>      "nslookup some.my.fun.domain 127.0.0.1"
>    * Observe both servers show the exact same behavior as before.
>    The configuration used:
>        ```
>        no-resolv
>        no-hosts
>        dns-loop-detect
>        server=/my.fun.domain/<IP of other server>#53
>        user=root
>        conf-dir=/etc/dnsmasq.d
>        ```
>
> Any suggestions?
>
> Thanks,
> Jon
>