[Dnsmasq-discuss] 2.85: .. cache refresh problems?

Thu Apr 22 21:26:28 UTC 2021

Hello.

Since a few weeks ago i sometimes see mail delivery from a few
domains (most often: mx2.freebsd.org, lesser so netbsd.org,
ietf.org, crux.nu) being blocked by a simple-minded postfix
log parser on my side (that i finally started using some months
ago).  Since i realized what was going on i (1) changed the
upstream DNS server=s of dnsmasq, (2) changed neg-ttl and
increased cache-size to lower impact, finally started verifying
postfix DNS reports which until now avoids blocking precious
upstream servers:

            # Could be local resolver error, try this first
            es = system("{ command -v host && \
                  host " j " 8.8.8.8 || \
                  nslookup " j " 8.8.8.8; } >/dev/null 2>&1")
            if(es == 0){
              # ok..

But the problem is new, i use dnsmasq and postfix on the server
since i have it (~6 years), and the script for several months.

What _is_ new on my side is that i have "dnssec" enabled now.

What seems to happen is that the dnsmasq cache entry expires, and
a following DNS lookup fails, so that negative cache entries are
delivered for a while.  For example

  Apr 22 20:15:47 postfix/smtpd[7035]: 6E86816059:
    client=mx2.freebsd.org[96.47.72.81]

All fine.

  Apr 22 20:20:46 postfix/smtpd[7044]: connect from
    unknown[96.47.72.81]

  Apr 22 20:20:47 postfix/smtpd[7044]: NOQUEUE: reject: RCPT from
    unknown[96.47.72.81]: 450 4.7.1 Client host rejected: cannot
    find your reverse hostname, [96.47.72.81];
    from=<owner-freebsd-hackers at freebsd.org> to=<steffen at sdaoden.eu>
    proto=ESMTP helo=<mx2.freebsd.org>
  Apr 22 20:20:48 postfix/smtpd[7044]: too many errors after RCPT
    from unknown[96.47.72.81]

Luckily the mail protocol is error resistant and they try again,
but my script would have caused blocking due to this error.

  Apr 22 20:27:01 postfix/anvil[6952]: statistics: max connection
    rate 2/60s for (smtp:96.47.72.81) at Apr 22 20:15:45

  Apr 22 20:30:45 postfix/smtpd[7127]: connect from
    mx2.freebsd.org[96.47.72.81]

All fine again.  Here is the used dnsmasq.conf:

  #@ hosts/sdaoden.eu/dnsmasq.conf
  #log-queries=extra
  #log-dhcp

  #conf-dir=/etc/dnsmasq.d/,*.conf
  no-poll
  bogus-priv
  selfmx

  addn-hosts=/etc/hosts.local

  dnssec
          conf-file=/usr/share/dnsmasq/trust-anchors.conf

  # no-resolv,server= <- this is cool and can kind of split-DNS
  no-resolv
  #server=217.144.128.34

I was using this server for six years as it is provided by the
hoster and sits very nearby.  Removed it for testing whether it
was the culprit.

  server=217.160.188.24

'Was searching for something nearby, non-Google.

  server=8.8.8.8

  cache-size=10000
  neg-ttl=30
  min-cache-ttl=30
  stop-dns-rebind

  interface=boxircp
          no-dhcp-interface=boxircp
  interface=lo
          no-dhcp-interface=lo
  interface=wgppp
          no-dhcp-interface=wgppp

I thought i report it, though i do not have logs enabled, after
finding

  cron-parse-mail.awk: 2 aliens; local DNS error: 96.47.72.81

in the log.  (Note 8.8.8.8 worked in the re-check.)
I also see

  Apr 22 22:30:57 dnsmasq[14328]: reducing DNS packet size for
    nameserver 217.160.188.24 to 1280
  Apr 22 22:31:10 dnsmasq[14328]: reducing DNS packet size for
    nameserver 8.8.8.8 to 1280
  ...
  Apr 22 22:41:27 dnsmasq[14328]: reducing DNS packet size for
    nameserver 217.160.188.24 to 1280
  ...
  Apr 22 22:46:42 dnsmasq[14328]: reducing DNS packet size for
    nameserver 8.8.8.8 to 1280

Ciao,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)