[Dnsmasq-discuss] 2.85: .. cache refresh problems?

Steffen Nurpmeso steffen at sdaoden.eu
Sat Apr 24 22:29:10 UTC 2021


Steffen Nurpmeso wrote in
 <20210422212628.eSXGa%steffen at sdaoden.eu>:
 |Since a few weeks ago i sometimes see mail delivery from a few
 |domains (most often: mx2.freebsd.org, lesser so netbsd.org,
 |ietf.org, crux.nu) being blocked by a simple-minded postfix
 |log parser on my side (that i finally started using some months
 |ago).  Since i realized what was going on i (1) changed the
 |upstream DNS server=s of dnsmasq, (2) changed neg-ttl and
 |increased cache-size to lower impact, finally started verifying
 |postfix DNS reports which until now avoids blocking precious
 |upstream servers:
 ...
 |What _is_ new on my side is that i have "dnssec" enabled now.

So before changing back to dnssec-less (because i mysteriously
even saw failures for wikipedia etc. coming up since yesterday)
a USR1 dump:

  cache size 10000, 0/13855 cache insertions re-used unexpired cache entries.
  queries forwarded 11524, queries answered locally 4083
  queries for authoritative zones 0
  pool memory in use 36336, max 47808, allocated 480000
  server 8.8.8.8#53: queries sent 8107, retried or failed 218
  server 217.160.188.24#53: queries sent 10416, retried or failed 775

Now

  cache size 10000, 0/1188 cache insertions re-used unexpired cache entries.
  queries forwarded 817, queries answered locally 888
  queries for authoritative zones 0
  pool memory in use 48, max 48, allocated 2400
  server 8.8.8.8#53: queries sent 418, retried or failed 10
[to be removed again, leftover]
  server 217.160.188.24#53: queries sent 194, retried or failed 3
  server 217.144.128.34#53: queries sent 569, retried or failed 8

 |What seems to happen is that the dnsmasq cache entry expires, and
 |a following DNS lookup fails, so that negative cache entries are
 |delivered for a while.  For example

Well, whatever.  A pity, EDNS sometimes, others want TCP, i do not
know.  I suspend delivery again :), it was just a thought that
this possibly is a regression, i have not used dnssec before,
i just wonder why the picture is so bad ... and maybe other people
would have found surprises in logs, too.  Whatever.

Ciao and a nice Sunday i wish from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
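
An added example, not part of the original message and not dnsmasq code: a small parser that turns the two USR1 dumps quoted above into per-upstream "retried or failed" rates and a locally-answered ratio, so dumps taken under different settings can be compared. The function names and the 5% threshold are assumptions made for illustration.

```python
import re

# Both dumps are copied from the message above (counter lines only).
DUMP_FIRST = """\
queries forwarded 11524, queries answered locally 4083
server 8.8.8.8#53: queries sent 8107, retried or failed 218
server 217.160.188.24#53: queries sent 10416, retried or failed 775
"""
DUMP_NOW = """\
queries forwarded 817, queries answered locally 888
server 8.8.8.8#53: queries sent 418, retried or failed 10
[to be removed again, leftover]
server 217.160.188.24#53: queries sent 194, retried or failed 3
server 217.144.128.34#53: queries sent 569, retried or failed 8
"""

TOTALS_RE = re.compile(r"queries forwarded (\d+), queries answered locally (\d+)")
SERVER_RE = re.compile(r"server (\S+#\d+): queries sent (\d+), retried or failed (\d+)")

def parse_dump(text):
    """Parse one statistics dump; search() tolerates a syslog prefix per line."""
    stats = {"forwarded": 0, "local": 0, "servers": {}}
    for line in text.splitlines():
        m = TOTALS_RE.search(line)
        if m:
            stats["forwarded"], stats["local"] = int(m.group(1)), int(m.group(2))
            continue
        m = SERVER_RE.search(line)
        if m:  # lines that match neither pattern (notes, cache lines) are skipped
            stats["servers"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats

def failure_rates(stats):
    """Fraction of queries per upstream that were retried or failed."""
    return {s: (bad / sent if sent else 0.0) for s, (sent, bad) in stats["servers"].items()}

def noisy_servers(stats, threshold=0.05):  # threshold is an assumed cut-off
    return sorted(s for s, r in failure_rates(stats).items() if r > threshold)

def local_ratio(stats):
    """Share of all queries answered without forwarding (cache and local data)."""
    total = stats["forwarded"] + stats["local"]
    return stats["local"] / total if total else 0.0

if __name__ == "__main__":
    for name, dump in (("first", DUMP_FIRST), ("now", DUMP_NOW)):
        st = parse_dump(dump)
        print(name, {s: f"{r:.1%}" for s, r in failure_rates(st).items()},
              f"local={local_ratio(st):.1%}", "noisy:", noisy_servers(st))
```
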


