[Dnsmasq-discuss] Large AXFR through dnsmasq causes dig to hang with partial results

Simon Kelley simon at thekelleys.org.uk
Wed Oct 10 21:48:55 BST 2018



On 10/10/18 11:02, Connor Bell wrote:
> Hi everyone,
> 
>  
> 
> I’ve had a strange issue I’ve been trying to resolve over the past few
> days where dnsmasq seems to only be allowing part of a zone transfer
> through, causing dig to hang.
> 
>  
> 
> I opened a Stackoverflow post to track it with most of the information
> I’ve found.
> 
> https://serverfault.com/questions/933956/large-axfr-through-dnsmasq-causes-dig-to-hang-with-partial-results
> 
> 
>  
> 
> With a tcpdump comparing a request with dnsmasq acting as forwarder and
> without, I can see in both cases that the upstream bind server replies
> with two packets, 2521 bytes and 189 bytes. When digging dnsmasq, the
> first packet is read out correctly and dig sits and waits for the second
> packet, which for some reason it never seems to receive.
> 
>  

A single packet of 2521 bytes doesn't seem to correspond with the
transfer hanging after 700 lines - it's pretty difficult to get 700
lines of output from one 2500 bytes packet, I think.

I suspect that what's happening is that the zone transfer exceeds 65536
bytes,
which is the limit for a single message over TCP. AXFR has special-case
continuation methods to push the transfer into multiple messages. (if
the message doesn't end with a repeat of the SOA record at the start of
the transfer, then expect further messages)

Dnsmasq, forwarding replies in TCP mode, was never really designed with
AXFR in mind, and doesn't implement this function.

Does it really make sense to do AXFR through dnsmasq: surely you'd talk
directly to the authoritative server for the domain of interest?


Cheers,

Simon.

> When digging bind directly, dig receives both packets and reads out the
> answer correctly. I’m guessing I’m hitting a packet size limit causing
> it to split the response, but why does dig not receive the second packet
> from dnsmasq?
> 
>  
> 
> Kind regards,
> 
> Connor Bell
> 
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
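To make the mechanism in Simon's reply concrete: DNS over TCP frames every message with a 2-byte length prefix (so one message is at most 65535 bytes), and an AXFR response (RFC 5936) may consist of several such messages, ending only when the SOA that opened the transfer is repeated as the last record. The Python below is an added example, not code from dnsmasq, BIND or the thread; the zone name, records and serial are constructed test data. It builds a two-message transfer, then reads it both as a direct client would see it and as a client behind a forwarder that relays only the first TCP message, which is the incomplete state the original poster saw dig waiting in.

```python
"""Added example: reading a multi-message AXFR from a TCP byte stream.

Each DNS-over-TCP message is prefixed with a 2-byte big-endian length.  An
AXFR is complete only when the SOA that started it appears again as the
final record (RFC 5936); until then the client keeps waiting for more
messages.  The zone data below is constructed for this example only.
"""
import struct

TYPE_A, TYPE_SOA, QTYPE_AXFR = 1, 6, 252


def encode_name(name):
    """Wire-format a dotted name without compression."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_message(qname, records, msg_id=0x1234):
    """Build an authoritative AXFR response carrying the given (name, type, rdata) records."""
    hdr = struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(records), 0, 0)  # QR=1, AA=1
    body = encode_name(qname) + struct.pack("!HH", QTYPE_AXFR, 1)  # question: zone IN AXFR
    for name, rtype, rdata in records:
        body += encode_name(name) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return hdr + body


def frame(msg):
    """Apply the 2-byte TCP length prefix (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def decode_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_records(msg):
    """Return every resource record in a DNS message as (name, type, rdata)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    recs = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        recs.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return recs


def soa_serial(rdata):
    """The serial is the first of the five 32-bit fields at the end of SOA rdata."""
    return struct.unpack("!I", rdata[-20:-16])[0]


def read_axfr(stream):
    """Consume length-prefixed messages; return (records, complete).

    complete is False when the stream ends before the closing SOA, which is
    exactly what a client sees if a forwarder relays only the first message.
    """
    records, off = [], 0
    while off + 2 <= len(stream):
        (ln,) = struct.unpack("!H", stream[off:off + 2])
        msg = stream[off + 2:off + 2 + ln]
        if len(msg) < ln:
            break  # truncated frame
        off += 2 + ln
        records.extend(parse_records(msg))
        first, last = records[0], records[-1]
        if (len(records) >= 2 and first[1] == last[1] == TYPE_SOA
                and first[0] == last[0] and soa_serial(first[2]) == soa_serial(last[2])):
            return records, True
    return records, False


# Constructed zone for the example (not a real transfer).
ZONE = "example.test."
SOA_RDATA = (encode_name("ns1.example.test.") + encode_name("hostmaster.example.test.")
             + struct.pack("!IIIII", 2018101001, 3600, 900, 604800, 300))
MSG1 = build_message(ZONE, [(ZONE, TYPE_SOA, SOA_RDATA),
                            ("www.example.test.", TYPE_A, bytes([192, 0, 2, 10]))])
MSG2 = build_message(ZONE, [("mail.example.test.", TYPE_A, bytes([192, 0, 2, 25])),
                            (ZONE, TYPE_SOA, SOA_RDATA)])
FULL_STREAM = frame(MSG1) + frame(MSG2)   # what the authoritative server sends
FORWARDER_STREAM = frame(MSG1)             # a forwarder that relays one message only

if __name__ == "__main__":
    for label, stream in (("direct", FULL_STREAM), ("via single-message forwarder", FORWARDER_STREAM)):
        recs, done = read_axfr(stream)
        print(f"{label}: {len(recs)} records, transfer complete: {done}")
```

The check that matters is the last one in `read_axfr`: a client that sees the opening SOA but never its repeat has no way to know the zone ended, so it keeps the TCP connection open and waits, which is the hang described in the thread. A forwarder that wants to relay AXFR correctly has to keep reading and relaying messages until that closing SOA has passed through.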


