[Dnsmasq-discuss] dns-loop-detect doesn't appear to be working
Jonathan Knoll
jonathan.knoll at oracle.com
Fri Oct 18 13:57:01 BST 2019
In digging into the source, it looks like loop detect was purposefully
coded to only detect loops on upstream servers and not any servers that
are for a specific domain. I'm curious why that is, and would it be
acceptable to remove the SERV_HAS_DOMAIN in the relevant sections of
src/loop.c?
Line 33:

```c
/* Loop through all upstream servers not for particular domains,
   and send a query to that server which is
   identifiable, via the uid. If we see that query back again,
   then the server is looping, and we should not use it. */
for (serv = daemon->servers; serv; serv = serv->next)
  if (!(serv->flags &
        (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
         SERV_NO_REBIND | SERV_HAS_DOMAIN /* flag in question */ |
         SERV_FOR_NODOTS | SERV_LOOP)))
```
Line 106:

```c
for (serv = daemon->servers; serv; serv = serv->next)
  if (!(serv->flags &
        (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV |
         SERV_NO_REBIND | SERV_HAS_DOMAIN /* flag in question */ |
         SERV_FOR_NODOTS | SERV_LOOP)) &&
      uid == serv->uid)
```
Thanks,
Jon
On 10/16/2019 10:23 AM, Jonathan Knoll wrote:
>
> Hey all,
>
> Hopefully I am just misconfiguring something, but when I try to test
> out the dns-loop-detect feature and configure two instances of dnsmasq
> to forward to each other a loop is formed but is never stopped.
>
> Steps to reproduce:
> Prerequisites:
> * Two VM based servers on the same network
> * Both running dnsmasq as a container using the host network.
> * Each has a configuration line to forward "my.fun.domain" to the other
> Procedure:
> * Run the two containers with the described configuration WITHOUT the dns-loop-detect flag.
> The following startup logs were observed:
> dnsmasq[10]: started, version 2.80 cachesize 150
> dnsmasq[10]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
> dnsmasq[10]: using nameserver <other server IP>#53 for domain my.fun.domain
> dnsmasq[10]: cleared cache
> * From one of the servers, query using nslookup:
> "nslookup some.my.fun.domain 127.0.0.1"
> * Observe both servers forward to each other repeatedly and immediately reach the connection limit.
> Truncated logs from one server:
> dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
> dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
> parsed: ['query[A]', 'some.my.fun.domain', 'from', '10.19.166.12']
> dnsmasq[9]: query[A] some.my.fun.domain from 10.19.166.12
> dnsmasq[9]: forwarded some.my.fun.domain to 10.19.166.12
> dnsmasq[9]: Maximum number of concurrent DNS queries reached (max: 150)
> Logs from the other server are identical but instead have the opposite server's IP address.
> -----
> * Stop the two containers, and run again WITH the dns-loop-detect flag in the configuration
> The same exact startup logs are observed as before.
> * Perform the same nslookup query from one of the servers
> "nslookup some.my.fun.domain 127.0.0.1"
> * Observe both servers show the exact same behavior as before.
> The configuration used:
> ```
> no-resolv
> no-hosts
> dns-loop-detect
> server=/my.fun.domain/<IP of other server>#53
> user=root
> conf-dir=/etc/dnsmasq.d
> ```
>
> Any suggestions?
>
> Thanks,
> Jon
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
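The probe-and-recognise mechanism that the quoted loop.c code is part of, as an added model written for this thread (not dnsmasq's own code): each server gets a uid, a probe query carrying that uid is sent to it, and if the probe comes back as an incoming query the server is marked SERV_LOOP. The flag values, the "<8 hex digits>.loop" probe-name layout and the function names are assumptions; the model shows why a server configured with `server=/my.fun.domain/<peer>` is never probed unless SERV_HAS_DOMAIN is dropped from the skip mask.

```c
#include <stdio.h>
#include <string.h>
/* Flag bits modelled on the mask quoted from src/loop.c (values illustrative). */
#define SERV_HAS_DOMAIN 0x01
#define SERV_NO_ADDR    0x02
#define SERV_LOOP       0x04

struct server { const char *addr; unsigned flags; unsigned uid; struct server *next; };

/* Servers matching this mask are never probed. probe_domain_servers == 1 models
 * the change the mail proposes: SERV_HAS_DOMAIN dropped from the mask. */
static unsigned probe_skip_mask(int probe_domain_servers)
{
  unsigned mask = SERV_NO_ADDR | SERV_LOOP;
  return probe_domain_servers ? mask : (mask | SERV_HAS_DOMAIN);
}

/* The probe is an ordinary query whose name carries the server's uid; the
 * "<8 hex digits>.loop" layout is an assumption made for this example. */
static void make_probe_name(unsigned uid, char out[16])
{
  snprintf(out, 16, "%08x.loop", uid);
}

/* Run on every incoming query: if it is one of our own probes and its uid
 * belongs to an eligible server, that server is looping. Returns 1 on a hit. */
int detect_loop(struct server *list, const char *qname, int probe_domain_servers)
{
  unsigned uid; char tail[8];
  if (strlen(qname) != 13 || sscanf(qname, "%8x.%4s", &uid, tail) != 2 || strcmp(tail, "loop"))
    return 0;                                  /* not a probe: an ordinary query */
  for (struct server *s = list; s; s = s->next)
    if (!(s->flags & probe_skip_mask(probe_domain_servers)) && s->uid == uid) {
      s->flags |= SERV_LOOP;                   /* stop forwarding to this server */
      return 1;
    }
  return 0;
}

/* The thread's setup: the only upstream is "server=/my.fun.domain/<peer>", so
 * it carries SERV_HAS_DOMAIN, and the peer forwards the probe straight back. */
int loop_detected_for_domain_server(int probe_domain_servers)
{
  struct server peer = { "10.19.166.12", SERV_HAS_DOMAIN, 0xdeadbeefu, NULL };
  char probe[16];
  if (peer.flags & probe_skip_mask(probe_domain_servers))
    return 0;                                  /* never probed, so never detected */
  make_probe_name(peer.uid, probe);
  return detect_loop(&peer, probe, probe_domain_servers);
}
```

With the mask as shipped the per-domain peer is skipped and the two instances forward to each other until the concurrent-query limit is hit, exactly as the logs in the quoted mail show; without SERV_HAS_DOMAIN in the mask the returning probe marks the peer SERV_LOOP.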