[Dnsmasq-discuss] 2.85: .. cache refresh problems?
Steffen Nurpmeso
steffen at sdaoden.eu
Thu Apr 22 21:26:28 UTC 2021
Hello.
Since a few weeks ago i sometimes see mail delivery from a few
domains (most often: mx2.freebsd.org, lesser so netbsd.org,
ietf.org, crux.nu) being blocked by a simple-minded postfix
log parser on my side (that i finally started using some months
ago). Since i realized what was going on i (1) changed the
upstream DNS server=s of dnsmasq, (2) changed neg-ttl and
increased cache-size to lower impact, finally started verifying
postfix DNS reports which until now avoids blocking precious
upstream servers:
    # Could be local resolver error, try this first: re-check the
    # client address (in j) against a public resolver before trusting
    # the local failure.  Portable awk: adjacent string literals are
    # concatenated, backslash-newline continues the statement.
    function dns_recheck(j,   es) {
        es = system("{ command -v host && " \
            "host " j " 8.8.8.8 || " \
            "nslookup " j " 8.8.8.8; } >/dev/null 2>&1")
        if(es == 0){
            # ok.. the address resolves elsewhere, so do not block it
            return 1
        }
        return 0
    }
But the problem is new, i use dnsmasq and postfix on the server
since i have it (~6 years), and the script for several months.
What _is_ new on my side is that i have "dnssec" enabled now.
What seems to happen is that the dnsmasq cache entry expires, and
a following DNS lookup fails, so that negative cache entries are
delivered for a while. For example
Apr 22 20:15:47 postfix/smtpd[7035]: 6E86816059:
client=mx2.freebsd.org[96.47.72.81]
All fine.
Apr 22 20:20:46 postfix/smtpd[7044]: connect from
unknown[96.47.72.81]
Apr 22 20:20:47 postfix/smtpd[7044]: NOQUEUE: reject: RCPT from
unknown[96.47.72.81]: 450 4.7.1 Client host rejected: cannot
find your reverse hostname, [96.47.72.81];
from=<owner-freebsd-hackers at freebsd.org> to=<steffen at sdaoden.eu>
proto=ESMTP helo=<mx2.freebsd.org>
Apr 22 20:20:48 postfix/smtpd[7044]: too many errors after RCPT
from unknown[96.47.72.81]
Luckily the mail protocol is error resistant and they try again,
but my script would have caused blocking due to this error.
Apr 22 20:27:01 postfix/anvil[6952]: statistics: max connection
rate 2/60s for (smtp:96.47.72.81) at Apr 22 20:15:45
Apr 22 20:30:45 postfix/smtpd[7127]: connect from
mx2.freebsd.org[96.47.72.81]
All fine again. Here is the used dnsmasq.conf:
#@ hosts/sdaoden.eu/dnsmasq.conf
#log-queries=extra
#log-dhcp
#conf-dir=/etc/dnsmasq.d/,*.conf
no-poll
bogus-priv
selfmx
addn-hosts=/etc/hosts.local
dnssec
conf-file=/usr/share/dnsmasq/trust-anchors.conf
# no-resolv,server= <- this is cool and can kind of split-DNS
no-resolv
#server=217.144.128.34
I was using this server for six years as it is provided by the
hoster and sits very nearby. Removed it for testing whether it
was the culprit.
server=217.160.188.24
'Was searching for something nearby, non-Google.
server=8.8.8.8
cache-size=10000
neg-ttl=30
min-cache-ttl=30
stop-dns-rebind
interface=boxircp
no-dhcp-interface=boxircp
interface=lo
no-dhcp-interface=lo
interface=wgppp
no-dhcp-interface=wgppp
I thought i'd report it, though i do not have logs enabled, after
finding
cron-parse-mail.awk: 2 aliens; local DNS error: 96.47.72.81
in the log. (Note 8.8.8.8 worked in the re-check.)
I also see
Apr 22 22:30:57 dnsmasq[14328]: reducing DNS packet size for
nameserver 217.160.188.24 to 1280
Apr 22 22:31:10 dnsmasq[14328]: reducing DNS packet size for
nameserver 8.8.8.8 to 1280
...
Apr 22 22:41:27 dnsmasq[14328]: reducing DNS packet size for
nameserver 217.160.188.24 to 1280
...
Apr 22 22:46:42 dnsmasq[14328]: reducing DNS packet size for
nameserver 8.8.8.8 to 1280
Ciao,
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
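The check the post's awk script performs (a postfix "cannot find your reverse hostname" rejection is re-verified against a second resolver before the client address is treated as blockable) as an added Python example; this is not the author's cron-parse-mail.awk and not dnsmasq or postfix code. The log lines are constructed after the ones quoted in the post (198.51.100.7 is an invented second client), and the two PTR lookup functions are stand-ins passed as parameters so the block runs offline; a real script would plug in socket.gethostbyaddr() for the local resolver and a dnspython query for the remote one.

```python
"""Triage postfix rDNS rejections: local resolver error vs. genuinely missing PTR.

Added example, not code from the original post.  Mirrors the post's awk
idea (local PTR failure is re-checked against a second resolver) with the
lookup functions injected so the logic can be exercised without network.
"""
import re
from typing import Callable, Optional

# Constructed sample lines, modelled on the postfix log quoted in the post.
SAMPLE_LOG = """\
Apr 22 20:15:47 postfix/smtpd[7035]: 6E86816059: client=mx2.freebsd.org[96.47.72.81]
Apr 22 20:20:46 postfix/smtpd[7044]: connect from unknown[96.47.72.81]
Apr 22 20:20:47 postfix/smtpd[7044]: NOQUEUE: reject: RCPT from unknown[96.47.72.81]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [96.47.72.81]; from=<owner-freebsd-hackers@freebsd.org> to=<steffen@sdaoden.eu> proto=ESMTP helo=<mx2.freebsd.org>
Apr 22 20:20:48 postfix/smtpd[7044]: too many errors after RCPT from unknown[96.47.72.81]
Apr 22 20:31:02 postfix/smtpd[7130]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<x@example.com> to=<steffen@sdaoden.eu> proto=ESMTP helo=<mail.example.com>
"""

# Matches the reject line postfix emits for reject_unknown_reverse_client_hostname.
RDNS_REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: 450 4\.7\.1 "
    r"Client host rejected: cannot find your reverse hostname"
)

def rdns_rejects(log_text: str) -> list[str]:
    """Client IPs postfix rejected for a missing PTR, in first-seen order, deduplicated."""
    seen: list[str] = []
    for line in log_text.splitlines():
        m = RDNS_REJECT.search(line)
        if m and m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen

# A lookup takes an IP and returns its PTR name, or None when the lookup
# failed or answered NXDOMAIN.  Two are injected: the local resolver (dnsmasq
# in the post) and an independent remote one (8.8.8.8 in the post).
Lookup = Callable[[str], Optional[str]]

def classify(ip: str, local_ptr: Lookup, remote_ptr: Lookup) -> str:
    """Decide what one rDNS rejection means.

    'ok'                   : the local resolver answers now (transient glitch)
    'local-resolver-error' : local lookup fails but the second resolver has a
                             PTR; the situation in the post (expired/negative
                             cache entry), the client must not be blocked
    'no-rdns'              : both resolvers agree there is no PTR
    """
    if local_ptr(ip) is not None:
        return "ok"
    if remote_ptr(ip) is not None:
        return "local-resolver-error"
    return "no-rdns"

def triage(log_text: str, local_ptr: Lookup, remote_ptr: Lookup) -> dict[str, str]:
    """Map every rejected client IP in the log to its verdict."""
    return {ip: classify(ip, local_ptr, remote_ptr) for ip in rdns_rejects(log_text)}

# Constructed resolver answers standing in for live lookups (assumption:
# the local resolver is failing every PTR query, as described in the post).
def fake_local(ip: str) -> Optional[str]:
    return None

def fake_remote(ip: str) -> Optional[str]:
    return {"96.47.72.81": "mx2.freebsd.org"}.get(ip)

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, fake_local, fake_remote).items():
        print(ip, verdict)
```

The three-way verdict is the point: a log-driven blocker that only sees the postfix 450 would have blocked mx2.freebsd.org during the resolver outage, whereas only the 'no-rdns' outcome (both resolvers agree) is evidence about the client rather than about the local DNS cache.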