[Dnsmasq-discuss] using dnsmasq with 4 upstream servers
daniel at steglich.bz
Mon Sep 5 15:13:15 BST 2016
On 2016-09-02 18:39, /dev/rob0 wrote:
> On Fri, Sep 02, 2016 at 01:23:44PM +0200, Daniel Steglich wrote:
>> I've got 4 upstream DNS Servers from my ISP (2 IPv4, 2 IPv6) and
>> use all of them in /etc/resolv.conf.
> I think you'd be better off to simplify this. Furthermore I am
> always leery of trusting ISP nameservers. Sooner or later the ISP
> bosses get the idea to increase revenue with NXDOMAIN redirection.
> Really, I'd trust Google before an ISP (but my own solution is to
> point dnsmasq at my own local caching resolver.)
>> I start sending DNS SRV queries from a client to dnsmasq DNS relay
>> every 5 seconds.
>> Each request is sent to four DNS upstream servers (primary DNS v4,
>> secondary DNS v4, primary DNS v6, secondary DNS v6). The answer
>> from the fastest server is used.
>> As the requests are DNS SRV records, the reply is not cached by
> What? Why not? Caching is done based on TTL, not based on the
> RRtype. If the upstream server gives you a zero TTL, then that
> record is not cached ... regardless of RRtype.
See a statement from the author:
>> During my tests the first IPv6 DNS server was always the fastest
>> replying server and for this reason the answer from this server
>> is passed to the client always,
> Do the answers from other upstream servers differ?
Yes they do. I know, they shouldn't, but it's not under my control.
>> After some time the dnsmasq relay is not forwarding the requests to
>> the four known DNS servers any more but only sends out the requests
>> to either the first IPv4 DNS server or the first IPv6 DNS server.
>> So only one server is used. After about 20 seconds (4 requests
>> later) the dnsmasq process falls back to the expected behaviour of
>> sending the request to all known DNS Servers.
> I guess there is an implied "but the server fails to answer" in this,
> and it presents yet another reason why you might want to consider
> these ISP nameservers unreliable.
No, there is no implied "but the server fails to answer". All servers
are answering all the time.
>> does anybody know the reason for this?
> See --all-servers and --server in the manual.
I know the "--all-servers" option and I tried with this option. But the
described behaviour stays the same.
One more thing:
* the described behaviour is gone if I add "-q" for debugging reasons
* also the described behaviour is gone if I attach a strace to dnsmasq
Kind regards