<div dir="ltr"><div>Yes, the lxc scripts are starting dnsmasq to a) provide dhcp and name resolution for the vms, and b) proxy vms' DNS traffic to the host's dns servers. The full command (without config file) is below.</div><div><br></div>--log-queries has got me further. It appears that dnsmasq is caching the AAAA NXDOMAIN for the hostname past when the A record exists, such as when the machine booted after dnsmasq started.<div><br></div><div>Is this expected behaviour?<br><div><br></div><div>Example logs; annotations surrounded by "****":<br></div><div><br></div><div><div><div>ubuntu@wolf ~$ sudo dnsmasq -u lxc-dnsmasq --strict-order --bind-interfaces --pid-file=/run/lxc/dnsmasq.pid --conf-file= --listen-address 10.0.3.1 --dhcp-range 10.0.3.2,10.0.3.254 --dhcp-lease-m=253 --dhcp-no-override --except-interface=lo --interface=lxcbr0 --dhcp-leasefile=/var/lib/misc/dnsmasq.lxcbr0.leases --dhcp-authoritative --log-queries -k --log-facility=/dev/stdout<br></div></div><div><div><br></div><div>Sep 25 16:40:45 dnsmasq[24567]: started, version 2.72 cachesize 150</div><div>Sep 25 16:40:45 dnsmasq[24567]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect</div><div>Sep 25 16:40:45 dnsmasq-dhcp[24567]: DHCP, IP range 10.0.3.2 -- 10.0.3.254, lease time 1h</div><div>Sep 25 16:40:45 dnsmasq-dhcp[24567]: DHCP, sockets bound exclusively to interface lxcbr0</div><div>Sep 25 16:40:45 dnsmasq[24567]: reading /etc/resolv.conf</div><div>Sep 25 16:40:45 dnsmasq[24567]: ignoring nameserver 10.0.3.1 - local interface</div><div>Sep 25 16:40:45 dnsmasq[24567]: using nameserver 213.186.33.99#53</div><div>Sep 25 16:40:45 dnsmasq[24567]: read /etc/hosts - 9 addresses</div><div><br></div><div>**** poison the caches with some dig -t A test-foo; dig -t AAAA test-foo: ****</div><div><br></div><div>Sep 25 16:40:54 dnsmasq[24567]: query[A] test-foo from 10.0.3.1</div><div>Sep 25 16:40:54 dnsmasq[24567]: forwarded test-foo to 213.186.33.99</div><div>Sep 25 16:40:54 dnsmasq[24567]: reply test-foo is NXDOMAIN</div><div>Sep 25 16:41:00 dnsmasq[24567]: query[AAAA] test-foo from 10.0.3.1</div><div>Sep 25 16:41:00 dnsmasq[24567]: forwarded test-foo to 213.186.33.99</div><div>Sep 25 16:41:00 dnsmasq[24567]: reply test-foo is NXDOMAIN</div><div><br></div><div>**** here I start the machine test-foo, and it gets its dhcp lease: ****</div><div><br></div><div>Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPDISCOVER(lxcbr0) 10.0.3.123 9a:8b:50:fb:4c:a0 </div><div>Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPOFFER(lxcbr0) 10.0.3.123 9a:8b:50:fb:4c:a0 </div><div>Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPREQUEST(lxcbr0) 10.0.3.123 9a:8b:50:fb:4c:a0 </div><div>Sep 25 16:41:08 dnsmasq-dhcp[24567]: DHCPACK(lxcbr0) 10.0.3.123 9a:8b:50:fb:4c:a0 test-foo</div><div><br></div><div>**** and does some bootup nonsense: ****<br></div><div><br></div><div>Sep 25 16:41:08 dnsmasq[24567]: query[A] <a href="http://ntp.ubuntu.com">ntp.ubuntu.com</a> from 10.0.3.123</div><div>Sep 25 16:41:08 dnsmasq[24567]: forwarded <a href="http://ntp.ubuntu.com">ntp.ubuntu.com</a> to 213.186.33.99</div><div>Sep 25 16:41:08 dnsmasq[24567]: query[AAAA] <a href="http://ntp.ubuntu.com">ntp.ubuntu.com</a> from 10.0.3.123</div><div>Sep 25 16:41:08 dnsmasq[24567]: forwarded <a href="http://ntp.ubuntu.com">ntp.ubuntu.com</a> to 213.186.33.99</div><div>Sep 25 16:41:08 dnsmasq[24567]: reply <a href="http://ntp.ubuntu.com">ntp.ubuntu.com</a> is NODATA-IPv6</div><div>Sep 25 16:41:08 dnsmasq[24567]: reply <a href="http://ntp.ubuntu.com">ntp.ubuntu.com</a> is 91.189.89.199</div><div>Sep 25 16:41:08 dnsmasq[24567]: reply <a href="http://ntp.ubuntu.com">ntp.ubuntu.com</a> is 91.189.94.4</div><div><br></div><div>**** now I can re-run my dig -t A test-foo: ****<br></div><div><br></div><div>Sep 25 16:41:15 dnsmasq[24567]: query[A] test-foo from 10.0.3.1</div><div>Sep 25 16:41:15 dnsmasq[24567]: DHCP test-foo is 10.0.3.123</div><div><br></div><div>**** ... which works fine, and my dig -t AAAA test-foo: ****</div><div><br></div><div>Sep 25 16:41:18 dnsmasq[24567]: query[AAAA] test-foo from 10.0.3.1</div><div>Sep 25 16:41:18 dnsmasq[24567]: cached test-foo is NXDOMAIN</div><div><br></div></div><div>....and get the NXDOMAIN.</div><div><br></div><div><br></div><div><br></div><div>If I restart dnsmasq after all the machines are started:</div><div><br></div><div><div>Sep 25 16:46:08 dnsmasq[25559]: started, version 2.72 cachesize 150</div><div>Sep 25 16:46:08 dnsmasq[25559]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect</div><div>Sep 25 16:46:08 dnsmasq-dhcp[25559]: DHCP, IP range 10.0.3.2 -- 10.0.3.254, lease time 1h</div><div>Sep 25 16:46:08 dnsmasq-dhcp[25559]: DHCP, sockets bound exclusively to interface lxcbr0</div><div>Sep 25 16:46:08 dnsmasq[25559]: reading /etc/resolv.conf</div><div>Sep 25 16:46:08 dnsmasq[25559]: ignoring nameserver 10.0.3.1 - local interface</div><div>Sep 25 16:46:08 dnsmasq[25559]: using nameserver 213.186.33.99#53</div><div>Sep 25 16:46:08 dnsmasq[25559]: read /etc/hosts - 9 addresses</div><div><br></div><div>**** querying returns NODATA (NOERROR in dig terminology), as I would expect ****</div><div><br></div><div>Sep 25 16:46:19 dnsmasq[25559]: query[AAAA] test-foo from 10.0.3.1</div><div>Sep 25 16:46:19 dnsmasq[25559]: forwarded test-foo to 213.186.33.99</div><div>Sep 25 16:46:19 dnsmasq[25559]: reply test-foo is NODATA-IPv6</div><div>Sep 25 16:46:36 dnsmasq[25559]: query[A] test-foo from 10.0.3.1</div><div>Sep 25 16:46:36 dnsmasq[25559]: DHCP test-foo is 10.0.3.123</div></div><div><br></div></div></div><div>End.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 24 September 2014 20:38, Simon Kelley <span dir="ltr"><<a href="mailto:simon@thekelleys.org.uk" target="_blank">simon@thekelleys.org.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The problem for people on this list is that we don't (or, at least, I<br>
don't) have any knowledge about lxc. If you can give us information<br>
about the dnsmasq configuration that's being generated by lxc, then we<br>
stand a better chance of diagnosing the problem.<br>
<br>
I'm assuming that the VMs are getting addresses by DHCP, and therefore<br>
the names test-dove and test-harp are names that derive from DHCP leases.<br>
<br>
Can you enable the dnsmasq option --log-queries, and find the logs<br>
associated with your test DNS queries? That should give us some<br>
information about where dnsmasq is getting the information from.<br>
<br>
<br>
Cheers,<br>
<br>
<br>
Simon.<br>
<div><div class="h5"><br>
<br>
<br>
<br>
On 24/09/14 15:01, Chris West wrote:<br>
> I've re-tested this with the 2.72 release (I'm pretty sure!) and I'm still<br>
> seeing the same intermittent behaviour.<br>
><br>
> On 23 September 2014 10:37, Chris West <<a href="mailto:chris.west@logicalglue.com">chris.west@logicalglue.com</a>> wrote:<br>
><br>
>> dnsmasq is being run by the Debian (well, Ubuntu) lxc scripts. I am<br>
>> proxying to lxc vms (by name) with nginx (so using the nginx built-in<br>
>> resolver, which seems more sensitive than normal resolvers).<br>
>><br>
>> On an Ubuntu Trusty machine (dnsmasq 2.68), everything works fine.<br>
>><br>
>> On an Ubuntu Utopic machine (dnsmasq 2.71), proxying always fails with<br>
>> "..foo could not be resolved (3: Host not found)".<br>
>><br>
>> I thought for a while that this might have been:<br>
>> * 288df49 - Fix bug when resulted in NXDOMAIN answers instead of NODATA.<br>
>> (5 days ago) <Simon Kelley><br>
>><br>
>> ...so I rolled the Utopic machine back to the 2.68 package. (I'm not<br>
>> confident with building a replacement dnsmasq given how complex the debian<br>
>> LXC stuff is.) However, now this still fails intermittently, and I'm at a<br>
>> loss.<br>
>><br>
>> Currently I have two running machines, named "test-dove" and "test-harp".<br>
>> "harp" was started after "dove". Both resolve fine for A records:<br>
>> ubuntu@wolf ~$ dig -t A test-dove @<a href="http://10.0.3.1" target="_blank">10.0.3.1</a> | egrep 'status:|IN'<br>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65076<br>
>> ;test-dove. IN A<br>
>> test-dove. 0 IN A 10.0.3.168<br>
>> ubuntu@wolf ~$ dig -t A test-harp @<a href="http://10.0.3.1" target="_blank">10.0.3.1</a> | egrep 'status:|IN'<br>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35736<br>
>> test-harp. 0 IN A 10.0.3.34<br>
>><br>
>> However, only "dove" gets a correct answer for AAAA records:<br>
>> ubuntu@wolf ~$ dig -t AAAA test-dove @<a href="http://10.0.3.1" target="_blank">10.0.3.1</a> | egrep 'status:|IN'<br>
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57038<br>
>> ;test-dove. IN AAAA<br>
>> ubuntu@wolf ~$ dig -t AAAA test-harp @<a href="http://10.0.3.1" target="_blank">10.0.3.1</a> | egrep 'status:|IN'<br>
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14476<br>
>> ;test-harp. IN AAAA<br>
>><br>
>> Is this likely to be fixed by that patch, or can anyone else guess what's<br>
>> up with the system?<br>
>><br>
>><br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Dnsmasq-discuss mailing list<br>
> <a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
> <a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
><br>
<br>
<br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
</blockquote></div><br></div>