[Dnsmasq-discuss] dns-loop-detect doesn't appear to be working

Simon Kelley simon at thekelleys.org.uk
Tue Oct 22 18:09:44 BST 2019


Good question. This code happened five years ago, and has not been
touched since. Looking back at the changelog and through my old email
doesn't provide any inspiration. My feeling is that the reason is that
you can't necessarily expect to get back sensible answers from such
servers to queries which are not to the configured domain (and the loop
probes are not - they use the .test domain.)

To extend this, you'd probably want to use the configured domain, rather
than .test for such servers.


Simon.
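As an added illustration, not dnsmasq's own code and not part of this thread, here is a small Python model of the probe logic discussed above. Flag values, the probe-label format and the simulate() scenario are constructed assumptions; it shows why server=/my.fun.domain/ entries are never probed under the current rule and how probing under the configured domain, as suggested, would catch the loop in Jon's setup.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed flag values; dnsmasq's real SERV_* bits live in dnsmasq.h.
SERV_HAS_DOMAIN = 1 << 0   # entry came from server=/domain/addr
SERV_LOOP = 1 << 1         # probe came back: server is looping, skip it

@dataclass
class Server:
    name: str
    uid: int                       # per-server id embedded in the probe name
    flags: int = 0
    domain: Optional[str] = None   # configured domain for SERV_HAS_DOMAIN

def probe_name(serv: Server, use_domain: bool) -> str:
    """Name of the loop probe sent to this server. dnsmasq's probe sits
    under .test; the suggestion is to use the configured domain for
    domain-specific servers. The exact label format here is an assumption."""
    zone = serv.domain if use_domain and serv.domain else "test"
    return f"{serv.uid:08x}.{zone}"

def probe_servers(servers, use_domain=False):
    """Mimic the loop.c selection: today SERV_HAS_DOMAIN servers are skipped."""
    probes = {}
    for serv in servers:
        if serv.flags & SERV_LOOP:
            continue
        if serv.flags & SERV_HAS_DOMAIN and not use_domain:
            continue
        probes[probe_name(serv, use_domain)] = serv
    return probes

def query_seen(probes, qname):
    """For each query received: our own probe coming back means the server
    we sent it to forwarded it back to us, so flag it with SERV_LOOP."""
    serv = probes.get(qname)
    if serv is not None:
        serv.flags |= SERV_LOOP
    return serv is not None

def simulate(use_domain):
    """Constructed scenario: the peer forwards my.fun.domain straight back
    to us but has no route for .test. Returns (loop detected, probes sent)."""
    peer = Server("peer", uid=0x1234ABCD, flags=SERV_HAS_DOMAIN,
                  domain="my.fun.domain")
    probes = probe_servers([peer], use_domain)
    for qname in list(probes):
        if qname.endswith(".my.fun.domain"):   # the peer's forwarding rule
            query_seen(probes, qname)
    return bool(peer.flags & SERV_LOOP), sorted(probes)
```

With the current rule no probe is sent to the domain-specific peer, so the loop is only noticed when the concurrent-query limit is hit; with the extension the probe returns and the peer is flagged before real queries are forwarded.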



On 18/10/2019 13:57, Jonathan Knoll wrote:
> In digging into the source, it looks like loop detect was purposefully
> coded to only detect loops on upstream servers and not any servers that
> are for a specific domain.  I'm curious why that is, and would it be
> acceptable to remove the SERV_HAS_DOMAIN in the relevant sections of
> *src/loop.c*?
> 
> Line 33:
> 
>        /* Loop through all upstream servers not for particular domains,
>           and send a query to that server which is identifiable, via the
>           uid. If we see that query back again, then the server is
>           looping, and we should not use it. */
>        for (serv = daemon->servers; serv; serv = serv->next)
>          if (!(serv->flags &
>                (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
>                 SERV_NO_REBIND | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_LOOP)))
> 
> Line 106:
> 
>        for (serv = daemon->servers; serv; serv = serv->next)
>          if (!(serv->flags &
>                (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
>                 SERV_NO_REBIND | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_LOOP)) &&
>              uid == serv->uid)
> 
> Thanks,
> 
> Jon
> 
> On 10/16/2019 10:23 AM, Jonathan Knoll wrote:
>>
>> Hey all,
>>
>> Hopefully I am just misconfiguring something, but when I try to test
>> out the dns-loop-detect feature and configure two instances of dnsmasq
>> to forward to each other a loop is formed but is never stopped.
>>
>> Steps to reproduce:
>> Prerequisites:
>>   * Two VM based servers on the same network
>>   * Both running dnsmasq as a container using the host network.
>>   * Each has a configuration line to forward "my.fun.domain" to the other
>> Procedure:
>>   * Run the two containers with the described configuration WITHOUT the dns-loop-detect flag.
>>     The following startup logs were observed:
>>         dnsmasq[10]: started, version 2.80 cachesize 150
>>         dnsmasq[10]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
>>         dnsmasq[10]: using nameserver <other server IP>#53 for domain my.fun.domain
>>         dnsmasq[10]: cleared cache
>>   * From one of the servers, query using nslookup:
>>     "nslookup some.my.fun.domain 127.0.0.1"
>>   * Observe both servers forward to each other repeatedly and immediately reach the connection limit.
>>     Truncated logs from one server:
>>           dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
>>           dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
>>           parsed: ['query[A]', 'some.my.fun.domain', 'from', '10.19.166.12']
>>           dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
>>           dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
>>           dnsmasq[9]: Maximum number of concurrent DNS queries reached (max: 150)
>>     Logs from the other server are identical but instead have the opposite server's IP address.
>>  -----
>>   * Stop the two containers, and run again WITH the dns-loop-detect flag in the configuration
>>     The same exact startup logs are observed as before.
>>   * Perform the same nslookup query from one of the servers
>>     "nslookup some.my.fun.domain 127.0.0.1"
>>   * Observe both servers show the exact same behavior as before.
>>   The configuration used:
>>       ```
>>       no-resolv
>>       no-hosts
>>       dns-loop-detect
>>       server=/my.fun.domain/<IP of other server>#53
>>       user=root
>>       conf-dir=/etc/dnsmasq.d
>>       ```
>>
>> Any suggestions?
>>
>> Thanks,
>> Jon
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.thekelleys.org.uk_mailman_listinfo_dnsmasq-2Ddiscuss&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=p0-OZ-Makpysak8_95uldC4NnpiabeIz_6fATzQwXi8&m=OMQ4X-iUReOJ_tBBMvbO6bq15DXB4IjyZ45RIEVigt4&s=Rur3NBhXRlZUdF5pLkTrUf2G3izQsaCnIO67kKfLPhU&e= 
> 
> 
