[Dnsmasq-discuss] Problems with dnsmasq + authentication with AD

Olivier Mauras olivier at core-hosting.net
Wed Mar 25 13:11:09 GMT 2015


 

Hello Erling,

2.48 is getting quite old, and I remember having encountered issues when
first deploying the EL6 version. I moved to newer versions a long time ago
and use dnsmasq in production in front of AD servers. I definitely can't
reproduce that behaviour on 2.70, see below:

# dig mydomain.domain

; <<>> DiG 9.5.0-P2 <<>> mydomain.domain
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.domain. IN A

;; ANSWER SECTION:
mydomain.domain. 455 IN A 10.0.0.16
mydomain.domain. 455 IN A 10.0.0.11
mydomain.domain. 455 IN A 10.0.0.14
mydomain.domain. 455 IN A 10.0.0.12
mydomain.domain. 455 IN A 10.0.0.13

;; Query time: 1 msec
;; SERVER: 10.0.0.180#53(10.0.0.180)
;; WHEN: Wed Mar 25 13:54:25 2015
;; MSG SIZE rcvd: 119

-O. 
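An added illustration, not code from anyone in this thread, of why the AD zone answers quoted below arrive over TCP: a DNS reply over UDP without EDNS0 is limited to 512 bytes, so an answer carrying 36 A records cannot fit and comes back truncated (TC bit set), after which a stub resolver retries over TCP. The names, record counts and the TTL 455 are taken from the thread; the response builder and size estimate assume the usual compression of each RR owner name to a pointer at the question name.

```python
"""Size and truncation check for DNS answers carrying many A records (added example)."""
import struct

UDP_PAYLOAD_LIMIT = 512  # classic DNS-over-UDP limit without EDNS0 (RFC 1035)

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_response(qname, addrs, ttl=455, tc=False):
    """Construct a minimal response with one A record per address (constructed data).
    Each RR owner is a compression pointer (0xC00C) back to the question name."""
    flags = 0x8180 | (0x0200 if tc else 0)  # QR, RD, RA, optionally TC
    header = struct.pack("!HHHHHH", 45, flags, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers

def parse_header(msg):
    """Decode the 12-byte header: id, QR/TC/RD/RA flags, RCODE and section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def fits_in_udp(qname, n_records):
    """Return (fits, size) for an answer of n_records A RRs: header + question +
    n * (2-byte owner pointer + 10 bytes fixed RR fields + 4 bytes IPv4 rdata)."""
    size = 12 + len(encode_name(qname)) + 4 + n_records * (2 + 10 + 4)
    return size <= UDP_PAYLOAD_LIMIT, size

if __name__ == "__main__":
    # Olivier's dig above returns 5 records; Erling's AD zone names return 36 each.
    for name, n in [("mydomain.domain", 5), ("DomainDnsZones.mydomain.foo", 36)]:
        fits, size = fits_in_udp(name, n)
        print(name, n, "A records ->", size, "bytes;", "fits UDP" if fits else "TC set, TCP retry")
    hdr = parse_header(build_a_response("mydomain.domain", ["10.0.0.16", "10.0.0.11"]))
    print("answers:", hdr["ancount"], "truncated:", hdr["tc"])
```

The same parser can be pointed at a capture of the slow logon queries to confirm whether TC is what drives them onto TCP.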

On 2015-03-25 10:54, Erling Ringen Elvsrud wrote: 

> Thanks for your reply, I have tested further and it certainly looks like
> dnsmasq does not handle multiple A records with the same name like
> domaindnszones.mydomain.foo (resolves to 36 IP addresses) and
> forestdnszones.mydomain.foo (resolves to 36 IP addresses) that well.
>
> We use dnsmasq 2.48 (RHEL 6.6).
> I have tested like this (hostnames and IP addresses anonymized):
>
> #!/usr/bin/env python
>
> import socket
>
> # Resolve the AD zone name five times and print each answer (run as: time ./dns-test.py)
> for n in range(5):
>     print(socket.gethostbyname('DomainDnsZones.mydomain.foo'))
>
> with dnsmasq disabled:
>
> [root at myhost ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
>
> real 0m0.048s user 0m0.009s sys 0m0.009s
>
> with dnsmasq enabled:
>
> [root at b27wasl00148 ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
>
> real 0m1.105s user 0m0.013s sys 0m0.007s
>
> 48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq is a very large
> difference. On ordinary dns-entries dnsmasq performs well and caching improves
> the speed of dns-queries.
>
> My motivation to use dnsmasq is to improve robustness and performance by
> running dnsmasq on every host ("Enterprise environment" with about 3000 hosts
> in total) as a workaround for missing functionality in the resolver in Glibc,
> like max 3 dns-servers, 1 sec timeout if a dns-server is misbehaving (rotate
> option + timeout 1 + attempts 1 improves this but DNS issues are still a large
> problem) and no caching.
> Do you have experience with such use of dnsmasq?
>
> Thanks,
>
> Erling
>
> 
> On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley
> <simon at thekelleys.org.uk> wrote:
>
>> There's an option to dnsmasq called --filterwin2k which was an
>> ill-conceived attempt to modify this sort of query. Check that you
>> don't have that enabled. Apart from that, I'm not aware of anything in
>> dnsmasq that could cause this.
>>
>> Cheers,
>>
>> Simon.
>>
>> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:
>> > Hi,
>> >
>> > We use AD to authenticate users for our Linux-servers. Recently we
>> > started to try out dnsmasq in order to get better dns-request
>> > performance, better resilience (more dns-servers, avoid timeout:1,
>> > etc with the standard glibc resolver).
>> >
>> > Today I noticed that about every fifth logon attempt is a lot
>> > slower than normal (10x the time). If I stop dnsmasq the slowdowns
>> > seem to disappear.
>> >
>> > I can see many AD-related dns-queries with wireshark when
>> > logon is slow, like ForestDnsZones.mydomain and
>> > DomainDnsZones.mydomain. The replies are large (tcp-based); these
>> > queries return 20-30 A-records for many domain-controllers.
>> >
>> > Are you aware of similar problems with the dnsmasq /
>> > ad-integration combination?
>> >
>> > Thanks,
>> >
>> > Erling
>> >
>> >
>> > _______________________________________________
>> > Dnsmasq-discuss mailing list
>> > Dnsmasq-discuss at lists.thekelleys.org.uk
>> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>



