[Dnsmasq-discuss] 2.85: .. cache refresh problems?
Matthias Andree
matthias.andree at gmx.de
Sun Apr 25 08:02:34 UTC 2021
On 25.04.21 at 00:29, Steffen Nurpmeso via Dnsmasq-discuss wrote:
> Steffen Nurpmeso wrote in
> <20210422212628.eSXGa%steffen at sdaoden.eu>:
> |Since a few weeks ago i sometimes see mail delivery from a few
> |domains (most often: mx2.freebsd.org, less so netbsd.org,
> |ietf.org, crux.nu) being blocked by a simple-minded postfix
> |log parser on my side (that i finally started using some months
> |ago). Since i realized what was going on i (1) changed the
> |upstream DNS server=s of dnsmasq, (2) changed neg-ttl and
> |increased cache-size to lower impact, finally started verifying
> |postfix DNS reports which until now avoids blocking precious
> |upstream servers:
> ...
> |What _is_ new on my side is that i have "dnssec" enabled now.
>
> So before changing back to dnssec-less (because i mysteriously
> even saw failures for wikipedia etc. coming up since yesterday)
> a USR1 dump:
>
> cache size 10000, 0/13855 cache insertions re-used unexpired cache entries.
> queries forwarded 11524, queries answered locally 4083
> queries for authoritative zones 0
> pool memory in use 36336, max 47808, allocated 480000
> server 8.8.8.8#53: queries sent 8107, retried or failed 218
> server 217.160.188.24#53: queries sent 10416, retried or failed 775
>
> Now
>
> cache size 10000, 0/1188 cache insertions re-used unexpired cache entries.
> queries forwarded 817, queries answered locally 888
> queries for authoritative zones 0
> pool memory in use 48, max 48, allocated 2400
> server 8.8.8.8#53: queries sent 418, retried or failed 10
> [to be removed again, leftover]
> server 217.160.188.24#53: queries sent 194, retried or failed 3
> server 217.144.128.34#53: queries sent 569, retried or failed 8
>
> |What seems to happen is that the dnsmasq cache entry expires, and
> |a following DNS lookup fails, so that negative cache entries are
> |delivered for a while. For example
>
> Well, whatever. A pity, EDNS sometimes, others want TCP, i do not
> know. I suspend delivery again :), it was just a thought that
> this possibly is a regression, i have not used dnssec before,
> i just wonder why the picture is so bad ... and maybe other people
> would have found surprises in logs, too. Whatever.
Steffen,
what do you use for your resolver, what is the interface between your
applications and dnsmasq - which library, which software, what is your
/etc/resolv.conf?
Do you by chance use systemd-resolved? Does resolv.conf show the
127.0.0.53 stub provided by systemd-resolved?
There is a long stream of DNSSEC issues with systemd...
https://github.com/systemd/systemd/issues?q=is%3Aissue+is%3Aopen+dnssec
Regards,
Matthias
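A small parser for the USR1 statistics format quoted in the thread, added here as an example that is not part of the thread or of dnsmasq itself; it assumes the line layout shown in the dumps, and the 5% failure-ratio threshold is a hypothetical value chosen for illustration:

```python
import re

# Constructed sample input: the first USR1 dump quoted in the thread.
SAMPLE_DUMP = """\
cache size 10000, 0/13855 cache insertions re-used unexpired cache entries.
queries forwarded 11524, queries answered locally 4083
queries for authoritative zones 0
pool memory in use 36336, max 47808, allocated 480000
server 8.8.8.8#53: queries sent 8107, retried or failed 218
server 217.160.188.24#53: queries sent 10416, retried or failed 775
"""

# "N/M cache insertions re-used unexpired cache entries": N insertions had to
# evict a still-valid entry (cache too small), out of M insertions in total.
CACHE_RE = re.compile(r"cache size (\d+), (\d+)/(\d+) cache insertions re-used")
FWD_RE = re.compile(r"queries forwarded (\d+), queries answered locally (\d+)")
SERVER_RE = re.compile(r"server (\S+): queries sent (\d+), retried or failed (\d+)")


def parse_dump(text: str) -> dict:
    """Parse a dnsmasq SIGUSR1 statistics dump into a dict; unknown lines are skipped."""
    stats = {"servers": []}
    for line in text.splitlines():
        if m := CACHE_RE.search(line):
            stats["cache_size"] = int(m.group(1))
            stats["evicted_unexpired"] = int(m.group(2))
            stats["insertions"] = int(m.group(3))
        elif m := FWD_RE.search(line):
            stats["forwarded"] = int(m.group(1))
            stats["local"] = int(m.group(2))
        elif m := SERVER_RE.search(line):
            sent, failed = int(m.group(2)), int(m.group(3))
            stats["servers"].append({
                "server": m.group(1),
                "sent": sent,
                "failed": failed,
                # Share of forwarded queries this upstream retried or failed.
                "fail_ratio": failed / sent if sent else 0.0,
            })
    return stats


def flag_servers(stats: dict, threshold: float = 0.05) -> list:
    """Return upstreams whose retry/failure share exceeds the (hypothetical) threshold."""
    return [s["server"] for s in stats["servers"] if s["fail_ratio"] > threshold]


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for s in parsed["servers"]:
        print(f"{s['server']}: {s['fail_ratio']:.1%} retried or failed")
    print("above threshold:", flag_servers(parsed))
```

Run it against the output of `kill -USR1 <dnsmasq pid>` taken from the log to see which upstream is contributing most of the failed lookups behind the negative answers.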