[Dnsmasq-discuss] server forwarding all traffic to parents after a successful PTR query of itself

Simon Kelley simon at thekelleys.org.uk
Wed Feb 17 10:04:26 GMT 2010


Alberto Cuesta-Canada wrote:
> Hi guys,
>  
> I saw a weird scenario in one of our dnsmasq servers yesterday. As the 
> logs below show, the server was all happy doing its thing, until a set 
> of PTR queries came from normal servers in our network. The last of it 
> would ask for the hostname of the dns server giving the IP, and from 
> that point dnsmasq would route all traffic to the parents. Restarting 
> the dnsmasq service would restore the server to normal operations. This 
> has happened 4 times in the last 10 days, always with the same pattern.
>  
> 
> Feb 17 01:35:51 dnsmasq[28538]: query[A] grdvpm3.dselgrid.local from 
> 172.30.158.98
> 
> Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts grdvpm3.dselgrid.local is 
> 172.30.158.93
> 
> Feb 17 01:35:51 dnsmasq[28538]: query[PTR] 93.158.30.172.in-addr.arpa 
> from 172.30.158.98
> 
> Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts 172.30.158.93 is 
> grdvpm3.dselgrid.local
> 
> Feb 17 01:35:51 dnsmasq[28538]: query[A] grdvpm3.dselgrid.local from 
> 172.30.158.98
> 
> Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts grdvpm3.dselgrid.local is 
> 172.30.158.93
> 
> Feb 17 01:37:16 dnsmasq[28538]: query[MX] smtpmail.daiwaeurope.local 
> from 127.0.0.1
> 
> Feb 17 01:37:16 dnsmasq[28538]: forwarded smtpmail.daiwaeurope.local to 
> 172.30.48.192
> 
> Feb 17 01:37:16 dnsmasq[28538]: query[MX] vsmtpmail.daiwaeurope.local 
> from 127.0.0.1
> 
> Feb 17 01:37:16 dnsmasq[28538]: forwarded vsmtpmail.daiwaeurope.local to 
> 172.30.48.192
> 
> Feb 17 01:37:16 dnsmasq[28538]: query[A] smtpmail.daiwaeurope.local from 
> 127.0.0.1
> 
> Feb 17 01:37:16 dnsmasq[28538]: forwarded smtpmail.daiwaeurope.local to 
> 172.30.48.192
> 
> Feb 17 01:37:16 dnsmasq[28538]: reply smtpmail.daiwaeurope.local is <CNAME>
> 
> Feb 17 01:37:16 dnsmasq[28538]: reply vsmtpmail.daiwaeurope.local is 
> 172.30.19.221
> 
> Feb 17 01:37:52 dnsmasq[28538]: query[PTR] 250.158.30.172.in-addr.arpa 
> from 172.30.158.94
> 
> Feb 17 01:37:52 dnsmasq[28538]: /etc/hosts 172.30.158.250 is 
> grdxk-mgmt1.dselgrid.local
> 
> Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
> 
> Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
> 
> Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
> 
> Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
> 
> Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
> 
> Any idea what would be going on? Is that PTR query a signal that some 
> other service could be asking the DNS server to stop reading the hosts file?
>  
>

It's not clear to me what is going on here. How does the pattern 
continue? Do you just see "forwarded query to 172.30.48.192" from now 
on until the server is restarted, or do you still see "query[A]...." and 
"query[PTR]...." lines?

Do queries which get pushed upstream continue to work? How about queries 
which should be answered locally?

What is 172.30.158.94? Is it running anything that may generate "odd" 
DNS queries? The holy grail would be to be able to prod that machine to 
reproduce this at will.

What sort of machine are you running dnsmasq on? Does it have a 
reasonable amount of spare storage so that you could tcpdump all traffic 
to/from port 53, UDP for offline analysis?


Simon.
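
One way to answer the questions above from the query log itself, as an added example that is not part of either message and is not dnsmasq code: it classifies each log line, finds where the bare "forwarded query to" lines begin, records the last query seen before that point, and counts which line types still appear afterwards. It assumes the wrapped log lines have been re-joined onto single lines; the sample is constructed from lines quoted in the post, and the kind labels (such as `nameless_forward`) are names chosen for this example.

```python
import re
from collections import Counter

# Constructed sample: log lines quoted in the post, re-joined onto single lines.
SAMPLE = """\
Feb 17 01:35:51 dnsmasq[28538]: query[A] grdvpm3.dselgrid.local from 172.30.158.98
Feb 17 01:35:51 dnsmasq[28538]: /etc/hosts grdvpm3.dselgrid.local is 172.30.158.93
Feb 17 01:37:16 dnsmasq[28538]: query[MX] smtpmail.daiwaeurope.local from 127.0.0.1
Feb 17 01:37:16 dnsmasq[28538]: forwarded smtpmail.daiwaeurope.local to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: query[PTR] 250.158.30.172.in-addr.arpa from 172.30.158.94
Feb 17 01:37:52 dnsmasq[28538]: /etc/hosts 172.30.158.250 is grdxk-mgmt1.dselgrid.local
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
Feb 17 01:37:52 dnsmasq[28538]: forwarded query to 172.30.48.192
""".splitlines()

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: (.*)$")
KINDS = [  # order matters: the nameless forward is tried before the named one
    ("query", re.compile(r"^query\[(\w+)\] (\S+) from (\S+)$")),
    ("local", re.compile(r"^/etc/hosts (\S+) is (\S+)$")),
    ("nameless_forward", re.compile(r"^forwarded query to (\S+)$")),
    ("forward", re.compile(r"^forwarded (\S+) to (\S+)$")),
    ("reply", re.compile(r"^reply (\S+) is (\S+)$")),
]

def classify(line):
    """Return (timestamp, kind, fields), or None for a non-dnsmasq line."""
    m = LINE.match(line)
    if not m:
        return None
    ts, msg = m.groups()
    hits = ((kind, rx.match(msg)) for kind, rx in KINDS)
    return next(((ts, k, h.groups()) for k, h in hits if h), (ts, "other", ()))

def summarize(lines):
    """Count line kinds, locate the first nameless forward, count what follows."""
    counts, after = Counter(), Counter()
    onset = last_query = None
    for rec in filter(None, map(classify, lines)):
        ts, kind, fields = rec
        counts[kind] += 1
        if kind == "query":
            last_query = (ts,) + fields  # (time, qtype, name, client)
        if kind == "nameless_forward" and onset is None:
            onset = {"time": ts, "upstream": fields[0], "last_query": last_query}
        elif onset is not None:
            after[kind] += 1  # do query/local lines still appear after onset?
    return {"counts": dict(counts), "onset": onset, "after_onset": dict(after)}
```

If `after_onset` contains only `nameless_forward`, the log has stopped recording `query[...]` and `/etc/hosts` lines after the onset; `onset["last_query"]` names the client and record to look for in a packet capture.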


