[Dnsmasq-discuss] --server=/example/8.8.8.8 --server=/example/9.9.9.9 behaviour

Matthias May matthias.may at westermo.com
Sat Apr 17 18:49:57 UTC 2021


On 16/04/2021 18:26, Petr Menšík wrote:
> Hi all,
> 
> I am trying to improve dnsmasq to handle better redirections of some
> given domains to multiple servers. Current implementation allows
> specifying multiple domains in a single --server= statement, but only one
> server. It can be specified by multiple --server statements.
> 
> But some people would like domain specific forwards to choose outgoing
> forwarders in similar way to common forwarders. By common forwarders I
> mean multiple --server=<ip> without any domain specification, the same
> way /etc/resolv.conf parsing with at least two nameservers works.
> Current implementation chooses the best responding server (last_server)
> and only sometimes also tries other servers.
> 
> I would like to implement similar logic not only for global forwarders,
> but also for any domain specific forwarders, where multiple forwarders
> are configured. Current behavior is to send queries to all
> domain-specific forwarders used for the domain. Even if three forwarders
> are configured and all are perfectly working, requests would be
> forwarded to all of them for every single query. It is bombarding all of
> them, but just the first reply would be forwarded back to client and be
> used. Is there a good reason for such behaviour? Are multiple servers
> for a domain considered exceptional?
> 
> --rev-server for example allows only single target IP specified, even if
> the syntax would easily allow more. In the DNS world a zone usually requires at
> least two servers handling it.
> 
> Current code walks multiple times daemon->servers list. First it finds
> longest domain match in search_servers() function.
> All servers are checked, when FORWARD_TEST queries were sent or
> FORWARD_TIME elapsed since last all servers check, whichever is sooner.
> Also on error responses. Then it walks the same list again, starting on
> daemon->last_server, sending forwarded queries. Unless
> forward->forwardall is set, only last_server is used. For domain
> specific forwarders, forwardall is always set.
> 
> It seems to me each domain should have at least a structure:
> struct server_domain {
>   char *domain;
>   struct server *last_server;
>   time_t forwardtime;
>   int forwardcount;
>   struct server_domain *next;
> };
> 
> Where it could store forwardcount, forwardtime and last_server for each
> different domain. I think it would make sense to add struct server
> *servers and int flags and iterate only servers for given domain on each
> forwarded query. But the required changes for that seem to be huge; I have
> failed to prepare a working patch yet. A minimal change would use the domain found by
> search_servers and just find the server_domain structure with the matching domain.
> 
> What do you think? Do you use multiple servers for custom domains?
> 
> Cheers,
> Petr
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> 


Hi Petr
The behaviour you describe is not how I experience it.
When I set multiple servers via server= entries
(e.g.
server=10.0.8.1
server=10.0.11.1
)
then the order/number of queries depends on the use of --strict-order and --all-servers.
The default behaviour is to query "any" server that is thought to be up.

Test-setup:
* My PC: 10.0.11.178
* Test-server: 10.0.11.8
* Actual server 1: 10.0.11.1
* Actual server 2: 10.0.8.1

tcpdumps of the behaviour:

* any (default):
20:36:07.156749 IP 10.0.11.179.58175 > 10.0.11.8.53: 41165+ A? may.nu. (24)
20:36:07.157293 IP 10.0.11.8.62864 > 10.0.11.1.53: 41689+ A? may.nu. (24)
20:36:07.157374 IP 10.0.11.8.62864 > 10.0.8.1.53: 41689+ A? may.nu. (24)
20:36:07.160694 IP 10.0.11.1.53 > 10.0.11.8.62864: 41689 1/0/0 A 82.220.39.200 (40)
20:36:07.160982 IP 10.0.11.8.53 > 10.0.11.179.58175: 41165 1/0/0 A 82.220.39.200 (40)
20:36:07.183031 IP 10.0.8.1.53 > 10.0.11.8.62864: 41689 1/0/0 A 82.220.39.200 (40)

20:36:21.821553 IP 10.0.11.179.38054 > 10.0.11.8.53: 32025+ A? google.ch. (27)
20:36:21.821959 IP 10.0.11.8.54983 > 10.0.11.1.53: 34734+ A? google.ch. (27)
20:36:21.925977 IP 10.0.11.1.53 > 10.0.11.8.54983: 34734 1/0/0 A 74.125.193.94 (43)
20:36:21.926285 IP 10.0.11.8.53 > 10.0.11.179.38054: 32025 1/0/0 A 74.125.193.94 (43)

The very first request is sent to all available servers (.11.1 and .8.1) because dnsmasq doesn't know which one is up.
The subsequent request is only sent to .11.1.

* --strict-order:
20:39:54.063637 IP 10.0.11.179.48636 > 10.0.11.8.53: 16176+ A? may.nu. (24)
20:39:54.064043 IP 10.0.11.8.14339 > 10.0.11.1.53: 59406+ A? may.nu. (24)
20:39:54.066800 IP 10.0.11.1.53 > 10.0.11.8.14339: 59406 1/0/0 A 82.220.39.200 (40)
20:39:54.067087 IP 10.0.11.8.53 > 10.0.11.179.48636: 16176 1/0/0 A 82.220.39.200 (40)

20:39:59.179804 IP 10.0.11.179.52047 > 10.0.11.8.53: 56006+ A? google.ch. (27)
20:39:59.180223 IP 10.0.11.8.1813 > 10.0.11.1.53: 59741+ A? google.ch. (27)
20:39:59.182909 IP 10.0.11.1.53 > 10.0.11.8.1813: 59741 1/0/0 A 74.125.193.94 (43)
20:39:59.183192 IP 10.0.11.8.53 > 10.0.11.179.52047: 56006 1/0/0 A 74.125.193.94 (43)

The first as well as subsequent requests are only sent to the first entry.
The second entry is only tried if the first one fails.
This happens when the requesting client retries because of a timeout (usually 5s).

* --all-servers:
20:41:21.072906 IP 10.0.11.179.55776 > 10.0.11.8.53: 5980+ A? may.nu. (24)
20:41:21.073328 IP 10.0.11.8.23993 > 10.0.11.1.53: 32664+ A? may.nu. (24)
20:41:21.073407 IP 10.0.11.8.23993 > 10.0.8.1.53: 32664+ A? may.nu. (24)
20:41:21.076703 IP 10.0.11.1.53 > 10.0.11.8.23993: 32664 1/0/0 A 82.220.39.200 (40)
20:41:21.077016 IP 10.0.11.8.53 > 10.0.11.179.55776: 5980 1/0/0 A 82.220.39.200 (40)
20:41:21.077594 IP 10.0.8.1.53 > 10.0.11.8.23993: 32664 1/0/0 A 82.220.39.200 (40)

20:41:25.416899 IP 10.0.11.179.33855 > 10.0.11.8.53: 22982+ A? google.ch. (27)
20:41:25.417295 IP 10.0.11.8.63863 > 10.0.11.1.53: 5183+ A? google.ch. (27)
20:41:25.417375 IP 10.0.11.8.63863 > 10.0.8.1.53: 5183+ A? google.ch. (27)
20:41:25.440520 IP 10.0.8.1.53 > 10.0.11.8.63863: 5183 1/0/0 A 172.217.168.3 (43)
20:41:25.440800 IP 10.0.11.8.53 > 10.0.11.179.33855: 22982 1/0/0 A 172.217.168.3 (43)

The first as well as subsequent requests are sent to both entries.
First response wins.

BR
Matthias
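The fan-out Matthias reads off the three captures by eye can be extracted mechanically. The script below is an added example, not code from the post or from dnsmasq: it replays the tcpdump lines above (copied from the post, wrapped lines joined) and, for each client query, correlates the forwarded copies by dnsmasq's source port and upstream transaction ID, records which upstreams were queried and which one answered first, and checks that the client got its reply. The only assumption is the resolver address, 10.0.11.8, taken from the test setup in the post.

```python
"""Correlate dnsmasq's upstream fan-out from tcpdump DNS summary lines.

Added example (not from the post or from dnsmasq). Assumes the resolver
under test is 10.0.11.8, as in Matthias's test setup.
"""
import re

RESOLVER = "10.0.11.8"  # dnsmasq test box from the post (assumption for this example)

# The three captures from the post, with tcpdump's wrapped lines rejoined.
DEFAULT_CAPTURE = """\
20:36:07.156749 IP 10.0.11.179.58175 > 10.0.11.8.53: 41165+ A? may.nu. (24)
20:36:07.157293 IP 10.0.11.8.62864 > 10.0.11.1.53: 41689+ A? may.nu. (24)
20:36:07.157374 IP 10.0.11.8.62864 > 10.0.8.1.53: 41689+ A? may.nu. (24)
20:36:07.160694 IP 10.0.11.1.53 > 10.0.11.8.62864: 41689 1/0/0 A 82.220.39.200 (40)
20:36:07.160982 IP 10.0.11.8.53 > 10.0.11.179.58175: 41165 1/0/0 A 82.220.39.200 (40)
20:36:07.183031 IP 10.0.8.1.53 > 10.0.11.8.62864: 41689 1/0/0 A 82.220.39.200 (40)
20:36:21.821553 IP 10.0.11.179.38054 > 10.0.11.8.53: 32025+ A? google.ch. (27)
20:36:21.821959 IP 10.0.11.8.54983 > 10.0.11.1.53: 34734+ A? google.ch. (27)
20:36:21.925977 IP 10.0.11.1.53 > 10.0.11.8.54983: 34734 1/0/0 A 74.125.193.94 (43)
20:36:21.926285 IP 10.0.11.8.53 > 10.0.11.179.38054: 32025 1/0/0 A 74.125.193.94 (43)
"""

STRICT_ORDER_CAPTURE = """\
20:39:54.063637 IP 10.0.11.179.48636 > 10.0.11.8.53: 16176+ A? may.nu. (24)
20:39:54.064043 IP 10.0.11.8.14339 > 10.0.11.1.53: 59406+ A? may.nu. (24)
20:39:54.066800 IP 10.0.11.1.53 > 10.0.11.8.14339: 59406 1/0/0 A 82.220.39.200 (40)
20:39:54.067087 IP 10.0.11.8.53 > 10.0.11.179.48636: 16176 1/0/0 A 82.220.39.200 (40)
20:39:59.179804 IP 10.0.11.179.52047 > 10.0.11.8.53: 56006+ A? google.ch. (27)
20:39:59.180223 IP 10.0.11.8.1813 > 10.0.11.1.53: 59741+ A? google.ch. (27)
20:39:59.182909 IP 10.0.11.1.53 > 10.0.11.8.1813: 59741 1/0/0 A 74.125.193.94 (43)
20:39:59.183192 IP 10.0.11.8.53 > 10.0.11.179.52047: 56006 1/0/0 A 74.125.193.94 (43)
"""

ALL_SERVERS_CAPTURE = """\
20:41:21.072906 IP 10.0.11.179.55776 > 10.0.11.8.53: 5980+ A? may.nu. (24)
20:41:21.073328 IP 10.0.11.8.23993 > 10.0.11.1.53: 32664+ A? may.nu. (24)
20:41:21.073407 IP 10.0.11.8.23993 > 10.0.8.1.53: 32664+ A? may.nu. (24)
20:41:21.076703 IP 10.0.11.1.53 > 10.0.11.8.23993: 32664 1/0/0 A 82.220.39.200 (40)
20:41:21.077016 IP 10.0.11.8.53 > 10.0.11.179.55776: 5980 1/0/0 A 82.220.39.200 (40)
20:41:21.077594 IP 10.0.8.1.53 > 10.0.11.8.23993: 32664 1/0/0 A 82.220.39.200 (40)
20:41:25.416899 IP 10.0.11.179.33855 > 10.0.11.8.53: 22982+ A? google.ch. (27)
20:41:25.417295 IP 10.0.11.8.63863 > 10.0.11.1.53: 5183+ A? google.ch. (27)
20:41:25.417375 IP 10.0.11.8.63863 > 10.0.8.1.53: 5183+ A? google.ch. (27)
20:41:25.440520 IP 10.0.8.1.53 > 10.0.11.8.63863: 5183 1/0/0 A 172.217.168.3 (43)
20:41:25.440800 IP 10.0.11.8.53 > 10.0.11.179.33855: 22982 1/0/0 A 172.217.168.3 (43)
"""

# tcpdump DNS summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>[+] <rest>"
# A trailing '+' on the txid marks a query (RD set); replies carry answer counts instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<plus>\+?) (?P<rest>.*)$"
)


def correlate(capture, resolver=RESOLVER):
    """One dict per client query: qname, upstreams it was forwarded to,
    the upstream whose reply arrived first, and whether the client was answered."""
    results, pending, forwards, current = [], {}, {}, None
    for line in capture.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        is_query = f["plus"] == "+"
        if is_query and f["dst"] == resolver and f["dport"] == "53":
            # client -> dnsmasq: opens a new transaction, keyed by the client's txid
            current = {"name": f["rest"].split()[1], "upstreams": [],
                       "first_reply_from": None, "answered": False}
            pending[f["txid"]] = current
            results.append(current)
        elif is_query and f["src"] == resolver and f["dport"] == "53" and current is not None:
            # dnsmasq -> upstream: a fresh source port and txid per transaction, both
            # reused for every upstream it fans out to, so they identify the transaction
            current["upstreams"].append(f["dst"])
            forwards[(f["sport"], f["txid"])] = current
        elif not is_query and f["dst"] == resolver:
            # upstream -> dnsmasq: match on dnsmasq's source port plus the upstream txid
            rec = forwards.get((f["dport"], f["txid"]))
            if rec is not None and rec["first_reply_from"] is None:
                rec["first_reply_from"] = f["src"]
        elif not is_query and f["src"] == resolver and f["sport"] == "53":
            # dnsmasq -> client: the client's original txid comes back
            rec = pending.pop(f["txid"], None)
            if rec is not None:
                rec["answered"] = True
    return results


def fanout(capture, resolver=RESOLVER):
    """Compact view: (qname, number of upstreams queried, upstream that answered first)."""
    return [(r["name"], len(r["upstreams"]), r["first_reply_from"])
            for r in correlate(capture, resolver)]
```

Calling fanout() on each capture reproduces the three observations in the post: the default mode fans the first query out to both upstreams and the second to one, --strict-order sends every query to the first entry only, and --all-servers sends every query to both, with the first reply (here 10.0.11.1 for may.nu. and 10.0.8.1 for google.ch.) winning. The same correlation works on a fresh `tcpdump -n -i any port 53` capture of any dnsmasq box once RESOLVER is set to its address.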
