[Dnsmasq-discuss] possible bug in dnsmasq 2.22

Simon Kelley simon@thekelleys.org.uk
Sat, 14 May 2005 13:22:56 +0100


Jim Faulkner wrote:
> Hello,
> 
> I think I may have found a problem with dnsmasq 2.22.  I am using the
> Gentoo ebuild.
> 
> I am always on the lookout for DNS servers that are a small number of hops
> away from me.  Currently I have this in my /etc/resolv.conf:
> nameserver 204.60.0.2
> nameserver 204.60.203.179
> nameserver 204.60.0.3
> nameserver 66.73.20.40
> nameserver 204.60.203.190
> 
> Last weekend I found another, and added this to /etc/resolv.conf:
> nameserver 66.10.48.206
> 
> After adding that nameserver, dnsmasq would stop resolving hostnames after
> being up for a few hours.  Restarting the daemon seemed to be the only way
> to get dnsmasq to resolve hostnames again.  This happened at least 4 or 5
> times over the course of the weekend, so it was not a rarity.
> 
> The problem disappeared after removing 66.10.48.206 from
> /etc/resolv.conf.
> 
> The only error message I saw from dnsmasq was this in my
> /var/log/messages:
> May  8 06:34:20 gateway dnsmasq[5202]: nameserver 66.10.48.206 refused to
> do a recursive query
> 
> So it looks like dnsmasq will stop resolving hostnames when one of the DNS
> servers is bad.


Did DNS queries time out, or just return empty answers?

I think what happened each time you saw a problem is that dnsmasq had 
selected the new nameserver (which nameserver is currently in use 
changes slowly over time). The new nameserver is not replying correctly 
to arbitrary queries, since it's not configured to "recurse" (delegate 
queries for which it doesn't know the answer to other servers). Instead 
it returns empty answers for domains it doesn't directly know about. 
Such answers are perfectly legitimate, so dnsmasq sends them back to the 
original requestor, and the effect is that domains no longer resolve 
correctly.

This is as designed: if you point dnsmasq at a dodgy nameserver, you'll 
get dodgy results. Dnsmasq is kind enough to warn you that this might be 
the case. The only possible change might be for dnsmasq to avoid using 
servers which refuse to do recursion, but that breaks valid use cases 
where you want dnsmasq to talk to non-recursive servers (think directing 
queries for a local private domain to a local private server).

HTH

Simon.
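
Added example, not part of the original message and not dnsmasq's own code: a header-only check that tells a real answer apart from the "empty answer from a non-recursive server" case described above, so an upstream can be vetted before it goes into /etc/resolv.conf. The classification rule (NOERROR, zero answers, RA bit clear) and the function names are assumptions made for illustration; the sample packets are constructed.

```python
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired (copied from the query)
RA = 0x0080  # recursion available (set by the answering server)


def build_header(txid, flags, ancount=0, nscount=0):
    """Constructed sample data: a 12-byte DNS header counting one question."""
    return struct.pack("!6H", txid, flags, 1, ancount, nscount, 0)


def classify_response(packet):
    """Classify an upstream reply from its header alone (hypothetical helper)."""
    if len(packet) < 12:
        return "malformed"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & QR:
        return "not-a-response"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if rcode == 0 and ancount == 0 and not flags & RA:
        # Legitimate on the wire, but useless as a general-purpose upstream:
        # the server only knows its own zones and hands back no answer.
        return "no-recursion-empty"
    if rcode == 0 and ancount > 0:
        return "answer"
    return "other"


def audit_upstreams(replies):
    """Return the servers whose reply shows they will not recurse for us."""
    bad = ("no-recursion-empty", "refused")
    return sorted(ip for ip, pkt in replies.items()
                  if classify_response(pkt) in bad)


# Constructed replies keyed by two addresses from the post; not captured traffic.
SAMPLE = {
    "204.60.0.2": build_header(0x1A2B, QR | RD | RA, ancount=1),
    "66.10.48.206": build_header(0x1A2C, QR | RD, nscount=13),
}

if __name__ == "__main__":
    for ip in audit_upstreams(SAMPLE):
        print(f"{ip}: no recursion offered, unsuitable as a general upstream")
```

A server flagged here can still be the right target for a local private domain, as the reply notes; the check only says it should not sit in the general upstream list.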