[Dnsmasq-discuss] using dnsmasq with 4 upstream servers
Daniel Steglich
daniel at steglich.bz
Mon Sep 5 15:13:15 BST 2016
On 2016-09-02 18:39, /dev/rob0 wrote:
> On Fri, Sep 02, 2016 at 01:23:44PM +0200, Daniel Steglich wrote:
>> I've got 4 upstream DNS Servers from my ISP (2 IPv4, 2 IPv6) and
>> use all of them in /etc/resolv.conf.
>
> I think you'd be better off to simplify this. Furthermore I am
> always leery of trusting ISP nameservers. Sooner or later the ISP
> bosses get the idea to increase revenue with NXDOMAIN redirection.
> Really, I'd trust Google before an ISP (but my own solution is to
> point dnsmasq at my own local caching resolver.)
>
>> I start sending DNS SRV queries from a client to dnsmasq DNS relay
>> every 5 seconds.
>>
>> Each request is sent to four DNS upstream servers (primary DNS v4,
>> secondary DNS v4, primary DNS v6, secondary DNS v6). The answer
>> from the fastest server is used.
>> As the requests are DNS SRV records, the reply is not cached by
>> dnsmasq.
>
> What? Why not? Caching is done based on TTL, not based on the
> RRtype. If the upstream server gives you a zero TTL, then that
> record is not cached ... regardless of RRtype.
See a statement from the author:
http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg777379.html
>
>> During my tests the first IPv6 DNS server was always the fastest
>> replying server and for this reason the answer from this server
>> is passed to the client always,
>
> Do the answers from other upstream servers differ?
Yes they do. I know, they shouldn't, but it's not under my control.
>
>> After some time the dnsmasq relay is not forwarding the requests to
>> the four known DNS servers any more but only sends out the requests
>> to either the first IPv4 DNS server or the first IPv6 DNS server.
>> So only one server is used. After about 20 seconds (4 requests
>> later) the dnsmasq process falls back to the expected behaviour of
>> sending the request to all known DNS Servers.
>
> I guess there is an implied "but the server fails to answer" in this,
> and it presents yet another reason why you might want to consider
> these ISP nameservers unreliable.
No, there is no implied "but the server fails to answer". All servers
are answering all the time.
>
>> does anybody know the reason for this?
>
> See --all-servers and --server in the manual.
I know the "--all-servers" option and I tried with this option. But the
described behaviour stays the same.
One more thing:
* the described behaviour is gone if I add "-q" for debugging reasons
* also the described behaviour is gone if I attach strace to the dnsmasq
process
--
Kind regards
Daniel Steglich