[Dnsmasq-discuss] REFUSED after dropped packets
Johannes Stezenbach
js at sig21.net
Tue Sep 21 05:50:07 UTC 2021

On Mon, Sep 20, 2021 at 11:16:09PM +0100, Simon Kelley wrote:
> On 20/09/2021 20:49, Johannes Stezenbach wrote:
> >
> > after recent update to 2.86 on Debian sid I'm seeing
> > failures in name resolution. I think the issue is that
> > my Wifi connection is currently flaky (another problem
> > to solve...) and the DNS reply gets lost. After that
> > dnsmasq reports REFUSED, e.g.:
> >
> > Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
> > Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
> > Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
> > Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
> > Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
> > Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 config error is REFUSED
> > Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
> > Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 config error is REFUSED
> >
> > Some time later:
> >
> > Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 query[A] m.heise.de from 127.0.0.1
> > Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 forwarded m.heise.de to 192.168.178.1
> > Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 query[AAAA] m.heise.de from 127.0.0.1
> > Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 forwarded m.heise.de to 192.168.178.1
> > Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 reply m.heise.de is 193.99.144.88
> > Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 reply m.heise.de is 2a02:2e0:3fe:1001:7777:772e:0:88
> >
> >
> > Shouldn't dnsmasq retry the query?
>
> Dnsmasq relies on the client to do retries.

As you can see the client retried (number 57 and 58), but dnsmasq
REFUSED instead of forwarding.

> Please could you post your configuration? I think the only way to get
>
> config error is REFUSED
>
> logged is to the new --connmark-allowlist feature. Are you using that?

/etc/dnsmasq.conf is Debian's default (identical to
dnsmasq.conf.example from git). There are small additions
in /etc/dnsmasq.d:

address=/double-click.net/127.0.0.1
address=/google-analyticts.com/127.0.0.1
strict-order ## this is needed for work VPN
bogus-nxdomain=80.156.86.78
bogus-nxdomain=62.157.140.133
bogus-nxdomain=62.138.239.45
bogus-nxdomain=62.138.238.45

Also I'm using resolvconf.

Thanks,
Johannes
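
The pattern read off the log above (retries 57 and 58 refused while forwards 55 and 56 never got a reply) can be found mechanically by grouping lines on the per-query serial number. This is an added example, not part of the original message or of dnsmasq; the function names `correlate` and `refused_retries` are hypothetical, and it assumes the log comes from a single dnsmasq process so serial numbers are unique.

```python
import re

SAMPLE = """\
Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 config error is REFUSED
Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 config error is REFUSED
Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 query[A] m.heise.de from 127.0.0.1
Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 forwarded m.heise.de to 192.168.178.1
Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 reply m.heise.de is 193.99.144.88
""".splitlines()  # log lines copied from the message above

LINE = re.compile(r"dnsmasq\[\d+\]: (\d+) \S+ (.*)$")  # serial, client addr/port, rest
QUERY = re.compile(r"query\[(\w+)\] (\S+) from ")

def correlate(lines):
    """Group log lines by serial number; return {serial: {type, name, state}}."""
    queries = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        serial, rest = int(m.group(1)), m.group(2)
        q = QUERY.match(rest)
        if q:
            queries[serial] = {"type": q.group(1), "name": q.group(2), "state": "received"}
        elif serial in queries:
            if rest.startswith("forwarded "):
                queries[serial]["state"] = "forwarded"  # sent upstream, no answer yet
            elif rest.startswith("reply "):
                queries[serial]["state"] = "answered"
            elif rest.endswith("is REFUSED"):
                queries[serial]["state"] = "refused"    # answered locally, not forwarded
    return queries

def refused_retries(lines):
    """Pairs (refused_serial, lost_serial): a retry refused after an unanswered forward."""
    queries, lost, hits = correlate(lines), {}, []
    for serial, q in sorted(queries.items()):
        key = (q["name"], q["type"])
        if q["state"] == "forwarded":
            lost.setdefault(key, serial)  # first forward that never got a reply
        elif q["state"] == "refused" and key in lost:
            hits.append((serial, lost[key]))
    return hits
```

Calling `refused_retries(SAMPLE)` pairs each refused retry with the earlier forward of the same name and record type that was still unanswered.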