[Dnsmasq-discuss] Bug forward upstream SERVFAIL
Martin Wetterwald
martin.wetterwald at corp.ovh.com
Tue Nov 22 15:03:03 GMT 2016
Hello,
At OVH, we use dnsmasq in our product OverTheBox, an OpenWRT based
router.
We found what we think is a bug (at least a not wanted behaviour), but
it seems it's actually a feature, when looking at commits 4ace25c5 and
51967f980 (pasted at the end of this email).
If you have say 4 upstreams, and one of them has a problem: it will
always give SERVFAIL responses back to dnsmasq. The problem is that
dnsmasq will immediately forward the SERVFAIL response back to the
client, even if other upstreams are working (providing the SERVFAIL
answer is the first to arrive).
If dnsmasq has several upstreams, isn't it to make it more robust?
Shouldn't dnsmasq try as much as possible to be independent of upstream
errors?
You will find by Pull Request here:
https://github.com/MartinWetterwald/dnsmasq/pull/1/files
You could cherry-pick my commit if you agree with this behaviour.
Best Regards, Martin Wetterwald
commit 51967f9807665dae403f1497b827165c5fa1084b
Author: Simon Kelley <simon at thekelleys.org.uk>
Date: Tue Mar 25 21:07:00 2014 +0000
SERVFAIL is an expected error return, don't try all servers.
commit 4ace25c5d6c30949be9171ff1c524b2139b989d3
Author: Chris Novakovic <chris at chrisn.me.uk>
Date: Mon Jan 25 21:54:35 2016 +0000
Treat REFUSED (not SERVFAIL) as an unsuccessful upstream response
Commit 51967f9807665dae403f1497b827165c5fa1084b began treating SERVFAIL
as a successful response from an upstream server (thus ignoring future
responses to the query from other upstream servers), but a typo in that
commit means that REFUSED responses are accidentally being treated as
successful instead of SERVFAIL responses.
This commit corrects this typo and provides the behaviour intended by
commit 51967f9: SERVFAIL responses are considered successful (and will
be sent back to the requester), while REFUSED responses are considered
unsuccessful (and dnsmasq will wait for responses from other upstream
servers that haven't responded yet).
More information about the Dnsmasq-discuss
mailing list