<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body>
<p>Hello Erling,<br /><br />2.48 is getting quite old, and i remember having encountered issues when first deploying the EL6 version.<br />I've moved to newer versions long time ago and use dnsmasq in production in front of AD servers. I definitely can't reproduce that behaviour on 2.70, see below:<br /><br /># dig mydomain.domain<br /><br />; <<>> DiG 9.5.0-P2 <<>> mydomain.domain<br />;; global options: printcmd<br />;; Got answer:<br />;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45<br />;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0<br /><br />;; QUESTION SECTION:<br />;mydomain.domain. IN A<br /><br />;; ANSWER SECTION:<br />mydomain.domain. 455 IN A 10.0.0.16<br />mydomain.domain. 455 IN A 10.0.0.11<br />mydomain.domain. 455 IN A 10.0.0.14<br />mydomain.domain. 455 IN A 10.0.0.12<br />mydomain.domain. 455 IN A 10.0.0.13<br /><br />;; Query time: 1 msec<br />;; SERVER: 10.0.0.180#53(10.0.0.180)<br />;; WHEN: Wed Mar 25 13:54:25 2015<br />;; MSG SIZE rcvd: 119<br /><br /></p>
<p> </p>
<p>-O.</p>
<p>On 2015-03-25 10:54, Erling Ringen Elvsrud wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%"><!-- html ignored --><!-- head ignored --><!-- meta ignored -->
<div dir="ltr">
<div>Thanks for your reply, I have tested further and</div>
it certainly looks like dnsmasq does not handle multiple A records with the same name like domaindnszones.mydomain.foo (resolves to 36 ip-adresses)<br />
<div>and forestdnszones.mydomain.foo (resolves to 36 ip-adresses) that good<br /><br /></div>
<div>We use dnsmasq 2.48 (RHEL 6.6).</div>
<div>I have tested like this (hostnames and ip-adresses anonymized):<br /><br /></div>
<div>
<div>
<div>#!/usr/bin/env python</div>
<div> </div>
<div>import socket</div>
<div> </div>
<div>for n in range(5):</div>
<div style="text-indent: 35pt;">print socket.gethostbyname('DomainDnsZones.mydomain.foo');</div>
<div> </div>
<div>with dnsmasq disabled:</div>
<div> </div>
<div>[root@myhost ~]# time ./dns-test.py</div>
<div>10.68.62.31</div>
<div>10.67.2.31</div>
<div>10.68.133.36</div>
<div>10.68.130.31</div>
<div>10.35.27.32</div>
<div> </div>
<div>real 0m0.048s user 0m0.009s sys 0m0.009s</div>
<div> </div>
<div>with dnsmasq enabled:</div>
<div> </div>
<div>[root@b27wasl00148 ~]# time ./dns-test.py</div>
<div>10.68.62.31</div>
<div>10.67.2.31</div>
<div>10.68.133.36</div>
<div>10.68.130.31</div>
<div>10.35.27.32</div>
<div> </div>
<div>real 0m1.105s user 0m0.013s sys 0m0.007s</div>
<div>48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq is a very large</div>
<div>difference. On ordinary dns-entries dnsmasq performs good and caching improves</div>
<div>the speed of dns-queries.<br /><br /></div>
<div>My motivation to use dnsmasq is to improve robustness and performance by running dnsmasq on every host ("Enterprise environment" with about 3000 hosts in total) as a workaround of missing functionality in the resolver in Glibc like max 3 dns-servers, 1 sec timeout if a dns-server is misbehaving (rotate option + timeout 1 + attempts 1 improves this but dns issues is still a large problem) and no caching.</div>
<div>Do you have experience with such use of dnsmasq?<br /><br /></div>
<div>Thanks,<br /><br /></div>
<div>Erling</div>
</div>
</div>
</div>
<div class="gmail_extra"><br />
<div class="gmail_quote">On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley <span><<a href="mailto:simon@thekelleys.org.uk">simon@thekelleys.org.uk</a>></span> wrote:<br />
<blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;">-----BEGIN PGP SIGNED MESSAGE-----<br /> Hash: SHA256<br /><br /> There's an option to dnsmasq called --filterwin2k which was an<br /> ill-concieved attempt to modify this sort of query. Check that you<br /> don't have that enabled. Apart from that, I'm not aware of anything in<br /> dnsmasq that could cause this.<br /><br /> Cheers,<br /><br /> Simon.<br />
<div>
<div class="h5"><br /><br /> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:<br /> > Hi,<br /> ><br /> > We use AD to authenticate users for our Linux-servers. Recently we<br /> > started to try out dnsmasq in order to get better dns-request<br /> > performance, better resiliance (more dns-servers, avoid timeout:1,<br /> > etc with the standard glibc resolver).<br /> ><br /> > Today I noticed that about every fifth logon attempt is a lot<br /> > slower than normal (10x the time). If I stop dnsmasq the slowdowns<br /> > seems to dissapear.<br /> ><br /> > I can see with many ad-related dns-queries with wireshark when<br /> > logon is slow like ForestDnsZones.mydomain and<br /> > DomainDnsZones.mydomain. The replies are large (tcp-based) these<br /> > queries returns 20-30 A-records for many domain-controllers.<br /> ><br /> > Are you aware of similar problems with the dnsmasq /<br /> > ad-integration combination?<br /> ><br /> > Thanks,<br /> ><br /> > Erling<br /> ><br /> ><br /> ></div>
</div>
> _______________________________________________ Dnsmasq-discuss<br /> > mailing list <a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br /> > <a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br /> ><br /> -----BEGIN PGP SIGNATURE-----<br /> Version: GnuPG v1<br /><br /> iQIcBAEBCAAGBQJVCKNEAAoJEBXN2mrhkTWiTksP/0czuFYsKvU9oCz6FBMFQivW<br /> tbgATUXAMxDT4PwMZVPVdhcNQiNkspO0fYf7eoLSRpdwLjw0Qcm2uHpoPREFZPVE<br /> LXI+KSTc1qv2/Z3spAHiOLM1cF/8ERKlYwn3dlFbFTTW63XV53IRKsK1150uDqgH<br /> WvAwdLAvXuaXrZt9HDt6Aqef+r6KnqGAkcfNIwwyLv7qTWDeT+xFcJ5qhfO+hFm9<br /> LnZtEDs/r7rbTG8L3E2oyRl2eunWeyE9iYHqo2PEVLDur5QaAqxUbFmu1rYFPRIV<br /> wCuMXz/n69Fwj6LMPlSQ2h/vl6SMYF2IXS0OnBeMVucuejWafJEguQFXMTCgPUuV<br /> AjJXq8gl6NAtxW7JjvvxWJkDeSvUTHoZpHPHFa8Ioxvuzaoj1+OBaatwWyg4HtQf<br /> V3KQSfduC1L+h3Xr7F3vHuGKr3kXT977QSdwb/VMXlay4ekQtpywNJga+vGhS/G1<br /> 2VWl0NxsIa2RxC+58m5qCBRP73Yz6JWYoDNr3sE6SRP5M0442SP518/SzMz//d8f<br /> Fb6RzMdgqnWXHG1BbPYz7KfmnVdb15LJP7k6KsxWCDmHSpNSKlUwNxe0s5N+C9bv<br /> 5a0PlsbjnMn9iA6hGS125cbGsCU8h496BCFdKcbT4BQES9BcgYsPMwXiPAZ7h8lg<br /> uwiUd71aUaOz0wPV9V46<br /> =E5QU<br /> -----END PGP SIGNATURE-----<br /><br /> _______________________________________________<br /> Dnsmasq-discuss mailing list<br /><a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br /><a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a></blockquote>
</div>
</div>
</blockquote>
<p> </p>
<div> </div>
</body></html>