[Dnsmasq-discuss] 2.85: .. cache refresh problems?

Matthias Andree matthias.andree at gmx.de
Sun Apr 25 08:02:34 UTC 2021


Am 25.04.21 um 00:29 schrieb Steffen Nurpmeso via Dnsmasq-discuss:
> Steffen Nurpmeso wrote in
>  <20210422212628.eSXGa%steffen at sdaoden.eu>:
>  |Since a few weeks ago i sometimes see mail delivery from a few
>  |domains (most often: mx2.freebsd.org, lesser so netbsd.org,
>  |ietf.org, crux.nu) being blocked by a simple-minded postfix
>  |log parser on my side (that i finally started using some months
>  |ago).  Since i realized what was going on i (1) changed the
>  |upstream DNS server=s of dnsmasq, (2) changed neg-ttl and
>  |increased cache-size to lower impact, finally started verifying
>  |postfix DNS reports which until now avoids blocking precious
>  |upstream servers:
>  ...
>  |What _is_ new on my side is that i have "dnssec" enabled now.
>
> So before changing back to dnssec-less (because i mysteriously
> even saw failures for wikipedia etc. coming up since yesterday)
> a USR1 dump:
>
>   cache size 10000, 0/13855 cache insertions re-used unexpired cache entries.
>   queries forwarded 11524, queries answered locally 4083
>   queries for authoritative zones 0
>   pool memory in use 36336, max 47808, allocated 480000
>   server 8.8.8.8#53: queries sent 8107, retried or failed 218
>   server 217.160.188.24#53: queries sent 10416, retried or failed 775
>
> Now
>
>   cache size 10000, 0/1188 cache insertions re-used unexpired cache entries.
>   queries forwarded 817, queries answered locally 888
>   queries for authoritative zones 0
>   pool memory in use 48, max 48, allocated 2400
>   server 8.8.8.8#53: queries sent 418, retried or failed 10
> [to be removed again, leftover]
>   server 217.160.188.24#53: queries sent 194, retried or failed 3
>   server 217.144.128.34#53: queries sent 569, retried or failed 8
>
>  |What seems to happen is that the dnsmasq cache entry expires, and
>  |a following DNS lookup fails, so that negative cache entries are
>  |delivered for a while.  For example
>
> Well, whatever.  A pity, EDNS sometimes, others want TCP, i do not
> know.  I suspend delivery again :), it was just a thought that
> this possibly is a regression, i have not used dnssec before,
> i just wonder why the picture is so bad ... and maybe other people
> would have found surprises in logs, too.  Whatever.

Steffen,

what do you use for your resolver, what is the interface between your
applications and dnsmasq - which library, which software, what is your
/etc/resolv.conf?
Do you by chance use systemd-resolved? Does resolv.conf show the
127.0.0.53 stub provided by systemd-resolved?
There is a long stream of DNSSEC issues with systemd...
https://github.com/systemd/systemd/issues?q=is%3Aissue+is%3Aopen+dnssec

Regards,
Matthias





More information about the Dnsmasq-discuss mailing list