[Dnsmasq-discuss] REFUSED after dropped packets

Simon Kelley simon at thekelleys.org.uk
Tue Sep 21 08:38:41 UTC 2021


The culprit is --strict-order.

Comment from the code to save my re-typing:

/* In strict order mode, there must be a server later in the list
   left to send to, otherwise without the forwardall mechanism,
   code further on will cycle around the list forever if they
   all return REFUSED. If at the last, give up. */

That's not new in 2.86, but it's possible that the implementation has
changed subtly. There are a couple of obvious improvements to this, but
the work-around for you may be to remove --strict-order and configure
the vpn DNS servers explicitly for the VPN-only domains, which is a much
better way to work.

Simon.


On 21/09/2021 06:50, Johannes Stezenbach wrote:
> On Mon, Sep 20, 2021 at 11:16:09PM +0100, Simon Kelley wrote:
>> On 20/09/2021 20:49, Johannes Stezenbach wrote:
>>>
>>> after recent update to 2.86 on Debian sid I'm seeing
>>> failures in name resolution. I think the issue is that
>>> my Wifi connection is currently flaky (another problem
>>> to solve...) and the DNS reply gets lost. After that
>>> dnsmasq reports REFUSED, e.g.:
>>>
>>> Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
>>> Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
>>> Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
>>> Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
>>> Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
>>> Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 config error is REFUSED
>>> Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
>>> Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 config error is REFUSED
>>>
>>> Some time later:
>>>
>>> Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 query[A] m.heise.de from 127.0.0.1
>>> Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 forwarded m.heise.de to 192.168.178.1
>>> Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 query[AAAA] m.heise.de from 127.0.0.1
>>> Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 forwarded m.heise.de to 192.168.178.1
>>> Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 reply m.heise.de is 193.99.144.88
>>> Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 reply m.heise.de is 2a02:2e0:3fe:1001:7777:772e:0:88
>>>
>>>
>>> Shouldn't dnsmasq retry the query?
>>
>> Dnsmasq relies on the client to do retries.
> 
> As you can see the client retried (number 57 and 58), but dnsmasq
> REFUSED instead of forwarding.
> 
>> Please could you post your configuration? I think the only way to get
>>
>> config error is REFUSED
>>
>> logged is to the new --connmark-allowlist feature. Are you using that?
> 
> /etc/dnsmasq.conf is Debian's default (identical to
> dnsmasq.conf.example from git). There are small additions
> in /etc/dnsmasq.d:
> 
> address=/double-click.net/127.0.0.1
> address=/google-analyticts.com/127.0.0.1
> 
> strict-order  ## this is needed for work VPN
> 
> bogus-nxdomain=80.156.86.78
> bogus-nxdomain=62.157.140.133
> bogus-nxdomain=62.138.239.45
> bogus-nxdomain=62.138.238.45
> 
> 
> Also I'm using resolvconf.
> 
> 
> Thanks,
> Johannes
> 
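One way to spot the pattern from this thread in a dnsmasq query log, as an added example that is not part of the original messages or of dnsmasq itself: it ties log lines together by their serial number and flags a REFUSED answer to a retry whose earlier forward for the same name and type never got a reply. The function name and result layout are assumptions; the sample lines are copied from the log quoted above.

```python
import re

# Sample input: lines copied from the log quoted in the thread above
# (each event is prefixed with a serial number and client address/port).
SAMPLE_LOG = """\
Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
Sep 20 21:06:38 dnsmasq[18805]: 55 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
Sep 20 21:06:38 dnsmasq[18805]: 56 127.0.0.1/33372 forwarded m.heise.de to 192.168.178.1
Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 query[A] m.heise.de from 127.0.0.1
Sep 20 21:06:43 dnsmasq[18805]: 57 127.0.0.1/33372 config error is REFUSED
Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 query[AAAA] m.heise.de from 127.0.0.1
Sep 20 21:06:43 dnsmasq[18805]: 58 127.0.0.1/33372 config error is REFUSED
Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 query[A] m.heise.de from 127.0.0.1
Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 forwarded m.heise.de to 192.168.178.1
Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 query[AAAA] m.heise.de from 127.0.0.1
Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 forwarded m.heise.de to 192.168.178.1
Sep 20 21:13:51 dnsmasq[18805]: 171 127.0.0.1/45279 reply m.heise.de is 193.99.144.88
Sep 20 21:13:51 dnsmasq[18805]: 172 127.0.0.1/45279 reply m.heise.de is 2a02:2e0:3fe:1001:7777:772e:0:88
"""

# Groups: serial, action, query type (query lines only), name, remainder.
LINE = re.compile(r"dnsmasq\[\d+\]: (\d+) \S+ "
                  r"(query\[(\w+)\]|forwarded|reply|config) (\S+) (.*)$")

def refused_after_lost_forward(log_text):
    """Return (name, qtype, lost_serial, refused_serial) for each such retry."""
    queries = {}   # serial -> (name, qtype)
    pending = {}   # (name, qtype) -> serial of a forward with no reply yet
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        serial, action, qtype, name, rest = m.groups()
        if action.startswith("query"):
            queries[serial] = (name, qtype)
        elif serial not in queries:
            continue  # event for a query we never saw (log starts mid-stream)
        elif action == "forwarded":
            pending[queries[serial]] = serial
        elif action == "reply" and pending.get(queries[serial]) == serial:
            del pending[queries[serial]]
        elif action == "config" and rest.endswith("REFUSED"):
            lost = pending.get(queries[serial])
            if lost is not None:
                findings.append((*queries[serial], lost, serial))
    return findings
```
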