[Dnsmasq-discuss] SERVFAIL and all-servers

Matus UHLAR - fantomas uhlar at fantomas.sk
Sun Mar 6 15:16:01 UTC 2022


On 02.03.22 19:24, Simon Kelley wrote:
>The behaviour on this alternated between what you observed and what 
>you advocate a few times before settling.
>
>The problem with waiting for all replies is that a common source of 
>SERVFAIL returns is domains with broken DNSSEC. In that case all the 
>servers will return SERVFAIL, which is a bit of a pain if you have to 
>wait for the slowest one, but a disaster if one server is not 
>responding: in that case all you can do is wait for the timeout.
>
>Defining SERVFAIL as the response to DNSSEC validation failure has 
>always seemed odd to me.
>
>all-servers is not necessarily more reliable: the default dnsmasq 
>behaviour does a reasonably good job in most circumstances.

I would expect a bit more reliability in this case, just as the OP does.

How does dnsmasq reply if all-servers is not set and the first server returns 
SERVFAIL?

Could retrying with another server with a timeout shorter than standard 
increase reliability?

>On 28/02/2022 22:38, Tobias via Dnsmasq-discuss wrote:
>>when using multiple upstream servers with "all-servers", and one
>>upstream is sending SERVFAIL very fast (e.g. because the upstream has a
>>dead upstream itself), dnsmasq uses this SERVFAIL as answer, probably
>>because it's the fastest one. This breaks the intended redundancy, but
>>is even worse, as other working upstreams are effectively not used
>>anymore. (Tested with v2.85 and v2.86.)
>>
>>I'm not sure if that behavior has a valid use case, but at least for my
>>case it seems much better to only give a SERVFAIL if all upstream
>>servers answer with SERVFAIL.
>>
>>Together with the other "all-servers" issue I reported ("DNSSEC and
>>all-servers"), the "all-servers" setup unfortunately is much less
>>reliable than I was hoping.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Honk if you love peace and quiet.
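
Added example, not part of the original message and not dnsmasq code: a deterministic model of the two reply-selection policies debated in this thread, plus a hypothetical bounded-wait variant (`grace_ms`, which is not a dnsmasq option). Upstream names, latencies and the 5000 ms timeout are constructed for illustration.

```python
# Added illustration: a deterministic model, not dnsmasq code.
# Each upstream is (name, latency_ms, rcode); latency_ms=None means no reply.
TIMEOUT_MS = 5000  # assumed query timeout for the model, not a dnsmasq default

# Constructed scenarios taken from the two cases described in the thread.
FAST_FAILING = [("dead-upstream", 10, "SERVFAIL"), ("working", 80, "NOERROR")]
BROKEN_DNSSEC = [("validating-a", 10, "SERVFAIL"),
                 ("validating-b", 300, "SERVFAIL"),
                 ("silent", None, None)]


def _replies(upstreams, deadline_ms):
    """Replies that arrive by the deadline, ordered by arrival time."""
    return sorted((lat, rcode) for _, lat, rcode in upstreams
                  if lat is not None and lat <= deadline_ms)


def first_reply_wins(upstreams, timeout_ms=TIMEOUT_MS):
    """Behaviour reported in the thread: fastest reply is used, SERVFAIL included."""
    got = _replies(upstreams, timeout_ms)
    return (got[0][1], got[0][0]) if got else ("TIMEOUT", timeout_ms)


def servfail_only_if_all(upstreams, timeout_ms=TIMEOUT_MS, grace_ms=None):
    """SERVFAIL is returned only when no upstream gave a better answer.

    grace_ms=None waits for every upstream (or the full timeout).
    grace_ms=N is a hypothetical bound: stop N ms after the first SERVFAIL.
    """
    got = _replies(upstreams, timeout_ms)
    if not got:
        return ("TIMEOUT", timeout_ms)
    deadline = timeout_ms
    first_fail = next((lat for lat, rc in got if rc == "SERVFAIL"), None)
    if grace_ms is not None and first_fail is not None:
        deadline = min(timeout_ms, first_fail + grace_ms)
    for lat, rcode in got:
        if rcode != "SERVFAIL" and lat <= deadline:
            return (rcode, lat)
    # Only SERVFAIL seen: answer once every upstream failed, else at the deadline.
    if len(got) == len(upstreams):
        return ("SERVFAIL", min(got[-1][0], deadline))
    return ("SERVFAIL", deadline)


if __name__ == "__main__":
    for name, ups in (("fast-failing", FAST_FAILING), ("broken-dnssec", BROKEN_DNSSEC)):
        print(name, first_reply_wins(ups), servfail_only_if_all(ups),
              servfail_only_if_all(ups, grace_ms=500))
```

Each result is `(rcode, ms until the client gets an answer)`, so the cost of waiting on a silent upstream shows up directly in the second field.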