[Dnsmasq-discuss] Problems with dnsmasq + authentication with AD

Simon Kelley simon at thekelleys.org.uk
Sun Mar 29 22:43:30 BST 2015



A reply with 36 addresses may well exceed the maximum UDP packet size,
and force the query to move to using TCP instead. It's worth checking
that you don't have any sort of firewall rule that could intercept DNS
queries happening over TCP.

Cheers,

Simon.



On 25/03/15 08:54, Erling Ringen Elvsrud wrote:
> Thanks for your reply, I have tested further and it certainly looks
> like dnsmasq does not handle multiple A records with the same name
> like domaindnszones.mydomain.foo (resolves to 36 IP addresses) and
> forestdnszones.mydomain.foo (resolves to 36 IP addresses) that well.
> 
> We use dnsmasq 2.48 (RHEL 6.6).
> 
> I have tested like this (hostnames and IP addresses anonymized):
> 
> #!/usr/bin/env python
> 
> import socket
> 
> # Resolve the same AD name five times in a row and print each answer.
> for n in range(5):
>     print(socket.gethostbyname('DomainDnsZones.mydomain.foo'))
> 
> with dnsmasq disabled:
> 
> [root at myhost ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
> 
> real    0m0.048s
> user    0m0.009s
> sys     0m0.009s
> 
> with dnsmasq enabled:
> 
> [root at b27wasl00148 ~]# time ./dns-test.py
> 10.68.62.31
> 10.67.2.31
> 10.68.133.36
> 10.68.130.31
> 10.35.27.32
> 
> real    0m1.105s
> user    0m0.013s
> sys     0m0.007s
> 
> 48 milliseconds without dnsmasq and 1105 milliseconds with dnsmasq
> is a very large difference. On ordinary DNS entries dnsmasq
> performs well and caching improves the speed of DNS queries.
> 
> My motivation to use dnsmasq is to improve robustness and
> performance by running dnsmasq on every host ("Enterprise
> environment" with about 3000 hosts in total) as a workaround for
> missing functionality in the resolver in Glibc like max 3
> DNS servers, 1 sec timeout if a DNS server is misbehaving (rotate
> option + timeout 1 + attempts 1 improves this but DNS issues are
> still a large problem) and no caching. Do you have experience with
> such use of dnsmasq?
> 
> Thanks,
> 
> Erling
> 
> 
> On Tue, Mar 17, 2015 at 10:57 PM, Simon Kelley
> <simon at thekelleys.org.uk> wrote:
> 
> There's an option to dnsmasq called --filterwin2k which was an
> ill-conceived attempt to modify this sort of query. Check that you
> don't have that enabled. Apart from that, I'm not aware of anything
> in dnsmasq that could cause this.
> 
> Cheers,
> 
> Simon.
> 
> 
> On 17/03/15 09:03, Erling Ringen Elvsrud wrote:
>>>> Hi,
>>>> 
>>>> We use AD to authenticate users for our Linux servers.
>>>> Recently we started to try out dnsmasq in order to get better
>>>> DNS request performance and better resilience (more DNS servers,
>>>> avoiding timeout:1, etc. with the standard glibc resolver).
>>>> 
>>>> Today I noticed that about every fifth logon attempt is a
>>>> lot slower than normal (10x the time). If I stop dnsmasq the
>>>> slowdowns seem to disappear.
>>>> 
>>>> I can see many AD-related DNS queries with Wireshark
>>>> when logon is slow, like ForestDnsZones.mydomain and
>>>> DomainDnsZones.mydomain. The replies are large (TCP-based);
>>>> these queries return 20-30 A records for many
>>>> domain controllers.
>>>> 
>>>> Are you aware of similar problems with the dnsmasq /
>>>> AD integration combination?
>>>> 
>>>> Thanks,
>>>> 
>>>> Erling
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk 
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>>
> 
> 
> 
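Simon's size argument, as an added example that is not part of the thread: it assembles the wire-format answer a server would produce for the DomainDnsZones query and checks it against the classic 512-byte DNS-over-UDP limit, then generalises to how many A records fit in one UDP reply for a given name. The query id, TTL and the 10.0.x.y addresses are constructed placeholders, not values from the thread.

```python
import struct

UDP_PAYLOAD_LIMIT = 512  # DNS-over-UDP limit without EDNS0 (RFC 1035)
A_RR_WIRE_SIZE = 16      # compressed name 2 + type 2 + class 2 + TTL 4 + rdlength 2 + IPv4 4

def encode_name(name):
    """Encode a dotted domain name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_a_response(qname, addresses, ttl=600):
    """Build a full DNS response (header, question, answers) for an A query.
    Each answer's owner name is a compression pointer (0xC00C) to the question
    name at offset 12, as real servers do; ttl and id are constructed values."""
    # id, flags (QR=1 RD=1 RA=1), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(bytearray(int(octet) for octet in addr.split(".")))
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers

def fits_in_udp(response):
    """True if the response can go out over plain UDP without setting TC and
    forcing the client to retry over TCP."""
    return len(response) <= UDP_PAYLOAD_LIMIT

def max_a_records_over_udp(qname):
    """Largest number of A records for qname that fit in one 512-byte reply."""
    fixed = 12 + len(encode_name(qname)) + 4  # header + question section
    return (UDP_PAYLOAD_LIMIT - fixed) // A_RR_WIRE_SIZE

def constructed_addresses(n):
    """n distinct placeholder IPv4 addresses in 10.0.0.0/16 (constructed)."""
    return ["10.0.%d.%d" % (i // 256, i % 256) for i in range(1, n + 1)]

if __name__ == "__main__":
    qname = "domaindnszones.mydomain.foo"  # anonymised name from the thread
    for n in (5, 29, 36):
        resp = build_a_response(qname, constructed_addresses(n))
        print("%2d A records -> %3d bytes, fits in UDP: %s"
              % (n, len(resp), fits_in_udp(resp)))
    print("max A records over UDP for %s: %d" % (qname, max_a_records_over_udp(qname)))
```

With 36 records the reply is 621 bytes, so without EDNS0 a server must truncate it and the resolver falls back to TCP; anything in the path that only permits UDP/53 then shows up exactly as the delay Erling measured.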



