[Dnsmasq-discuss] Re: can't resolve irc.freenode.org

Simon Kelley simon at thekelleys.org.uk
Sun Apr 19 13:46:22 BST 2009


Jon Nelson wrote:
> On Thu, Apr 16, 2009 at 10:55 AM, Chris G <cl at isbd.net> wrote:
> 
>> On Thu, Apr 16, 2009 at 09:42:00AM -0500, Jon Nelson wrote:
>>> I ran into a wacky problem today, and it *seems* to be dnsmasq's fault.
>>>
>>> Assume (at least) 2 machines:  a firewall (running dnsmasq) and any other
>>> machine in the network (pointed at the firewall for name resolution).
>>>
>>> On the firewall, 'host -v irc.freenode.org' results thusly:
>>>
>> [snip result data from two machines]
>>
>> I just tried the same here on the machine that runs dnsmasq and then
>> on another machine that uses the first machine as its DNS server.
>> Both machines gave the same (correct) result.
> 
> 
> Some more details:
> 
> a tcpdump on the inside shows the following (from wireshark's text output):
> 
> Domain Name System (response)
>     [Request In: 18]
>     [Time: 0.065557000 seconds]
>     Length: 34
>     Transaction ID: 0xda14
>     Flags: 0x8185 (Standard query response, Refused)
>         1... .... .... .... = Response: Message is a response
>         .000 0... .... .... = Opcode: Standard query (0)
>         .... .0.. .... .... = Authoritative: Server is not an authority for domain
>         .... ..0. .... .... = Truncated: Message is not truncated
>         .... ...1 .... .... = Recursion desired: Do query recursively
>         .... .... 1... .... = Recursion available: Server can do recursive queries
>         .... .... .0.. .... = Z: reserved (0)
>         .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
>         .... .... .... 0101 = Reply code: Refused (5)
>     Questions: 1
>     Answer RRs: 0
>     Authority RRs: 0
>     Additional RRs: 0
>     Queries
>         irc.freenode.org: type A, class IN
>             Name: irc.freenode.org
>             Type: A (Host address)
>             Class: IN (0x0001)
> 
> 
> 
> Why was it refused?
> I have not generally had trouble resolving irc.freenode.org in the past,
> except for yesterday and today.
> 

Looks like freenode.org ended up with too many hosts in the reply, which
forced the DNS system to use TCP. They probably fixed it when the load
on their DNS servers doubled :-(.

Is it possible that your firewall is blocking TCP on port 53, but
allowing UDP? That would account for the symptoms. You can use "host -T"
to force TCP mode for testing.


Cheers,

Simon.
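
The check suggested above, as an added example that is not part of the original thread: a Python script that sends the same A query over UDP and over TCP to port 53 and reports whether TCP fails where UDP works. The function names are illustrative, the server address and hostname are supplied on the command line, and replies are not matched against the query ID.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Build an A/IN query with the RD (recursion desired) flag set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header; tc=True means 'retry over TCP'."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(rcode, str(rcode)), "answers": an}

def ask(server, name, tcp, timeout=3.0):
    """Send one query; return the parsed header, or None if the transport failed."""
    query = build_query(name)
    try:
        if not tcp:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                return parse_header(s.recvfrom(4096)[0])
        with socket.create_connection((server, 53), timeout=timeout) as s:
            # DNS over TCP prefixes each message with a 2-byte length.
            s.sendall(struct.pack("!H", len(query)) + query)
            reply = s.makefile("rb")
            size = struct.unpack("!H", reply.read(2))[0]
            return parse_header(reply.read(size))
    except (OSError, struct.error):
        return None

def diagnose(udp, tcp):
    """Classify the pair of results (each a header dict or None)."""
    if udp is None:
        return "no UDP/53 reply: server unreachable or UDP filtered"
    if tcp is None:
        if udp["tc"]:
            return "UDP reply truncated and TCP/53 failed: TCP port 53 is probably blocked"
        return "UDP works but TCP/53 failed: large replies will not resolve"
    return "UDP rcode=%s, TCP rcode=%s, answers=%d" % (udp["rcode"], tcp["rcode"], tcp["answers"])

if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]
    print(diagnose(ask(server, name, tcp=False), ask(server, name, tcp=True)))
```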
