[Dnsmasq-discuss] dnsmasq v2.87 --nftset and DNS reply race condition
Alain Ducharme
alain_ducharme at hotmail.com
Mon Feb 7 00:19:24 UTC 2022
On Sun 2022-02-06 18:25 Simon Kelley wrote:
> Note that we cache SRV records, so they are detected and decoded in
> extract_addresses() which is the function that calls add_to_nftset().
> I'm not sure that helps though: the result of the SRV query is
> debian.map.fastlydns.net and I can't see a mechanism to associate the
> debian.org SRV query with the subsequent A query.
So at least apt's behavior can be changed:
man apt.conf # searched: SRV
# (as root) line below will disable apt SRV lookups:
echo 'Acquire::EnableSrvRecords "false";' > /etc/apt/apt.conf.d/00noSRVlookups
After that, allowlisting apt works fine.
...and so far with lots more testing it's becoming apparent that my
"race condition" may be due to application caching issues. :-/
An example: allowlisting systemd-timesyncd's outbound connections would often fail
because apparently systemd-timesyncd caches its IP addresses.
So despite clearing/restarting nftables and dnsmasq, systemd-timesyncd
would attempt its cached IP addresses and fail before trying the URL.
I resolve to reboot the system with all rules loaded and active
(nftables and dnsmasq) before testing anything from now on.
It appears to be all working rather well now. :}
Closing issue. Sorry for the trouble.
Thanks for all the pointers and dnsmasq!
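Editorial addition, not part of the list message above and not dnsmasq's own code: a small Python model of how a `--nftset` allowlist gets populated, replaying the DNS exchange the thread describes. With SRV lookups enabled, apt asks for `_http._tcp.deb.debian.org SRV`, gets `debian.map.fastlydns.net` as the target, and then resolves that name with a plain A query; since the A query name is not under the allowlisted `deb.debian.org`, no address ever lands in the set and the mirror stays blocked. With `Acquire::EnableSrvRecords "false"` the A query is for `deb.debian.org` itself and the set is filled. The `nftset=` line follows the `[4|6]#<family>#<table>#<set>` layout of the dnsmasq man page as I read it; the set name `apt4` and the address `192.0.2.10` (TEST-NET-1) are constructed for the example.

```python
"""Model of how a dnsmasq-style --nftset allowlist fills up.

Constructed illustration for this page, not dnsmasq's own code.  It
replays the DNS exchange from the thread: apt first asks for an SRV
record, the SRV target is a different hostname, and the A record that
finally carries an address is answered under that other name, so the
suffix match on the allowlisted domain never fires.  The address used
is from a documentation range (TEST-NET-1) and is made up.
"""
import ipaddress


def parse_nftset(option):
    """Parse an 'nftset=/dom1/dom2/<family>#<table family>#<table>#<set>'
    line into (domains, set_spec).  Layout as in the dnsmasq man page;
    comma-separated multiple sets are not modelled here."""
    body = option.split("=", 1)[1]
    parts = body.split("/")          # leading '/' yields an empty first field
    domains = [d.lower() for d in parts[1:-1]]
    return domains, parts[-1]


def domain_matches(qname, domains):
    """dnsmasq-style match: the query name equals a listed domain or is a
    subdomain of it (so 'security.debian.org' matches 'debian.org')."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in domains)


class NftSetModel:
    """Tracks which addresses would be pushed into which nft set."""

    def __init__(self, options):
        self.rules = [parse_nftset(o) for o in options]
        self.sets = {}                  # set_spec -> set of ip_address

    def on_answer(self, qname, rtype, rdata):
        """Called once per resolved answer.  Only A/AAAA answers carry an
        address; an SRV answer only names another host, so nothing is
        added for it even when the SRV owner name is allowlisted."""
        if rtype not in ("A", "AAAA"):
            return None
        for domains, spec in self.rules:
            if domain_matches(qname, domains):
                self.sets.setdefault(spec, set()).add(ipaddress.ip_address(rdata))
                return spec
        return None

    def egress_allowed(self, spec, ip):
        """Stand-in for an nft rule of the form 'ip daddr @<set> accept'."""
        return ipaddress.ip_address(ip) in self.sets.get(spec, set())


# dnsmasq.conf option for the example; the set name 'apt4' is assumed.
OPTION = "nftset=/deb.debian.org/4#inet#filter#apt4"
SET_SPEC = "4#inet#filter#apt4"
MIRROR_IP = "192.0.2.10"   # constructed, TEST-NET-1


def replay_with_srv():
    """apt with Acquire::EnableSrvRecords left at its default (true)."""
    m = NftSetModel([OPTION])
    # 1. SRV lookup for the service; the answer names a CDN host.
    m.on_answer("_http._tcp.deb.debian.org", "SRV", "debian.map.fastlydns.net")
    # 2. apt then resolves the SRV target, which is outside the allowlist.
    m.on_answer("debian.map.fastlydns.net", "A", MIRROR_IP)
    return m.egress_allowed(SET_SPEC, MIRROR_IP)


def replay_without_srv():
    """apt with Acquire::EnableSrvRecords "false": plain A lookup."""
    m = NftSetModel([OPTION])
    m.on_answer("deb.debian.org", "A", MIRROR_IP)
    return m.egress_allowed(SET_SPEC, MIRROR_IP)


if __name__ == "__main__":
    print("SRV enabled,  mirror reachable:", replay_with_srv())
    print("SRV disabled, mirror reachable:", replay_without_srv())
```

The model matches on the query name only, which is enough to show why the SRV indirection defeats the allowlist: nothing ties the second A query back to the first SRV query, exactly the gap Simon describes above. When testing a setup like this, clear the nft set and restart the client process too; as the message notes, a client that caches resolved addresses will retry the stale address and fail before doing a fresh lookup.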