[Dnsmasq-discuss] Problems with dnsmasq + authentication with AD

Erling Ringen Elvsrud erlingre.lists at gmail.com
Wed Mar 25 08:54:06 GMT 2015


Thanks for your reply. I have tested further, and
it certainly looks like dnsmasq does not handle multiple A records with the
same name, like domaindnszones.mydomain.foo (resolves to 36 IP addresses)
and forestdnszones.mydomain.foo (resolves to 36 IP addresses), that well.

We use dnsmasq 2.48 (RHEL 6.6).

I have tested like this (hostnames and IP addresses anonymized):

#!/usr/bin/env python

import socket

# Resolve the same name five times through the system resolver.
for n in range(5):
    print(socket.gethostbyname('DomainDnsZones.mydomain.foo'))

with dnsmasq disabled:

[root at myhost ~]# time ./dns-test.py
10.68.62.31
10.67.2.31
10.68.133.36
10.68.130.31
10.35.27.32

real 0m0.048s
user 0m0.009s
sys 0m0.009s

with dnsmasq enabled:

[root at b27wasl00148 ~]# time ./dns-test.py
10.68.62.31
10.67.2.31
10.68.133.36
10.68.130.31
10.35.27.32

real 0m1.105s
user 0m0.013s
sys 0m0.007s

48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq is a
very large difference. On ordinary DNS entries dnsmasq performs well, and
caching improves the speed of DNS queries.

My motivation for using dnsmasq is to improve robustness and performance by
running dnsmasq on every host ("Enterprise environment" with about 3000
hosts in total) as a workaround for missing functionality in the glibc
resolver, like max 3 DNS servers, 1 sec timeout if a DNS server is misbehaving
(rotate option + timeout 1 + attempts 1 improves this, but DNS issues are
still a large problem) and no caching.
Do you have experience with such use of dnsmasq?

Thanks,

Erling


On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley <simon at thekelleys.org.uk>
wrote:

> There's an option to dnsmasq called --filterwin2k which was an
> ill-conceived attempt to modify this sort of query. Check that you
> don't have that enabled. Apart from that, I'm not aware of anything in
> dnsmasq that could cause this.
>
> Cheers,
>
> Simon.
>
>
> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:
> > Hi,
> >
> > We use AD to authenticate users for our Linux-servers. Recently we
> > started to try out dnsmasq in order to get better dns-request
> > performance, better resilience (more dns-servers, avoid timeout:1,
> > etc with the standard glibc resolver).
> >
> > Today I noticed that about every fifth logon attempt is a lot
> > slower than normal (10x the time). If I stop dnsmasq the slowdowns
> > seem to disappear.
> >
> > I can see many AD-related DNS queries with Wireshark when
> > logon is slow, like ForestDnsZones.mydomain and
> > DomainDnsZones.mydomain. The replies are large (TCP-based); these
> > queries return 20-30 A records for many domain controllers.
> >
> > Are you aware of similar problems with the dnsmasq /
> > ad-integration combination?
> >
> > Thanks,
> >
> > Erling
> >
> >
> >
> > _______________________________________________ Dnsmasq-discuss
> > mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
>
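The thread notes that the replies for these names are large and arrive over TCP. As an added example (not code from either poster or from dnsmasq), this Python 3 sketch builds a constructed A-record response and checks it against the 512-byte limit of DNS over UDP without EDNS0, where a server sets the TC bit and the client retries over TCP. The addresses, TTL and function names are assumptions made for the illustration.

```python
import struct

UDP_LIMIT = 512   # DNS-over-UDP message limit without EDNS0 (RFC 1035)
TC_FLAG = 0x0200  # "truncated" bit in the header flags word

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def sample_addrs(n):
    """Constructed addresses, not the ones from the thread."""
    return ["10.0.%d.%d" % (i // 250, i % 250 + 1) for i in range(n)]

def build_response(name, addrs, txid=0x1234):
    """One question plus one A record per address, owner names compressed."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        # 0xC00C points back at the question name (offset 12): 16 bytes per record
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 600, 4)
        answers += bytes(int(octet) for octet in addr.split("."))
    return header + question + answers

def udp_reply(msg, limit=UDP_LIMIT):
    """Oversized answer over UDP: keep header and question, drop answers, set TC."""
    if len(msg) <= limit:
        return msg
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    end = 12
    while msg[end] != 0:   # walk the labels of the single question name
        end += msg[end] + 1
    end += 5               # root label + QTYPE + QCLASS
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, qdcount, 0, 0, 0) + msg[12:end]

def tc_set(msg):
    """True when the reply tells the client to retry over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)

def max_a_records_over_udp(name, limit=UDP_LIMIT):
    """Largest number of A records for this name that still fits in one UDP reply."""
    n = 0
    while len(build_response(name, sample_addrs(n + 1))) <= limit:
        n += 1
    return n

if __name__ == "__main__":
    name = "DomainDnsZones.mydomain.foo"
    full = build_response(name, sample_addrs(36))
    print(len(full), tc_set(udp_reply(full)), max_a_records_over_udp(name))
```

A resolver or forwarder that negotiates EDNS0 can carry larger answers over UDP, so whether a given setup falls back to TCP depends on what both ends advertise.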