[Dnsmasq-discuss] all-servers option not working for dnssec-query queries
Niels Hendriks
niels at rootnet.nl
Wed Aug 14 09:42:15 UTC 2024
Hello,
We are using dnsmasq with the all-servers option enabled in order to prevent issues with DNS resolution when a single resolver is not working properly.
We have noticed that sometimes, when a single resolver is unreachable, we still have issues with DNS resolution. It appears this is related to the dnssec-query[DS] lookups performed by dnsmasq:
For example the following query gives us a timeout:
```
dig nu.nl DS @127.0.0.1
; <<>> DiG 9.16.48-Debian <<>> nu.nl DS @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached
```
In the dnsmasq logs, we see:
```
Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1111
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1001
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8888
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8844
Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
Aug 14 11:11:23 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
Aug 14 11:11:28 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
```
And in a tcpdump we see the following (I have replaced source IPs with a dummy):
```
11:11:18.223473 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
11:11:18.223595 eth0 Out IP 1.2.3.4.53036 > 1.1.1.1.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223618 eth0 Out IP 1.2.3.4.53036 > 1.0.0.1.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223634 eth0 Out IP 1.2.3.4.53036 > 8.8.8.8.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223650 eth0 Out IP 1.2.3.4.53036 > 8.8.4.4.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223690 eth0 Out IP6 2001::100.49508 > 2606:4700:4700::1111.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223710 eth0 Out IP6 2001::100.49508 > 2606:4700:4700::1001.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223733 eth0 Out IP6 2001::100.49508 > 2001:4860:4860::8888.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.223749 eth0 Out IP6 2001::100.49508 > 2001:4860:4860::8844.53: 49121+ [1au] DS? nu.nl. (46)
11:11:18.225023 eth0 In IP 8.8.8.8.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.225122 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
11:11:18.226018 eth0 In IP6 2606:4700:4700::1001.53 > 2001::100.49508: 49121$ 0/4/1 (375)
11:11:18.226051 eth0 In IP 1.0.0.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.226070 eth0 In IP6 2606:4700:4700::1111.53 > 2001::100.49508: 49121$ 0/4/1 (375)
11:11:18.226146 eth0 In IP 1.1.1.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.228253 eth0 In IP 8.8.4.4.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
11:11:18.228416 eth0 In IP6 2001:4860:4860::8844.53 > 2001::100.49508: 49121$ 0/4/1 (375)
11:11:23.221313 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
11:11:23.221463 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
11:11:28.221184 lo In IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
11:11:28.221347 eth0 Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
```
Now, it appears that initially the query is sent out to all configured DNS servers.
After that, there is a response and dnsmasq will then attempt to perform a `DS? nl.` query. This query, however, is only sent to a single server (2001:4860:4860::8844). A retry is sent twice, both times to the same IP.
Because this fails, our DNS lookup also gets a timeout.
We would like the `DS? nl.` query caused by dnssec-query[DS] to also use all configured backend servers, so that the query succeeds instead of failing as it does now.
This is our dnsmasq.conf:
```
all-servers
clear-on-reload
bind-interfaces
cache-size=1500
dnssec
interface=lo
max-cache-ttl=3600
neg-ttl=20
resolv-file=/etc/resolv.dnsmasq
log-queries
```
Can my desired behaviour be achieved?
Thank you!
Niels Hendriks
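The pattern Niels describes (the client query fanned out to every upstream, the DNSSEC validation sub-query pinned to one upstream and retried there) can be spotted mechanically in `log-queries` output. The following is an added example, not code from the post or from the dnsmasq project: a small Python analyser that groups `forwarded`, `dnssec-query` and `dnssec retry` lines by name and reports validation sub-queries that were retried against a single upstream. The sample log is a constructed copy of the lines quoted above; the regular expressions assume the log format shown there and Python 3.8 or later.

```python
"""Find dnsmasq DNSSEC sub-queries that are retried against a single upstream.

Added example (not dnsmasq code). Assumes the `log-queries` line formats
visible in the post: "forwarded NAME to SERVER", "dnssec-query[TYPE] NAME to
SERVER" and "dnssec retry to SERVER".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, copied from the dnsmasq log excerpt in the post.
SAMPLE_LOG = """\
Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1111
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1001
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8888
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8844
Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
Aug 14 11:11:23 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
Aug 14 11:11:28 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
"""

MSG_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.+)$")
FORWARDED_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
DNSSEC_QUERY_RE = re.compile(
    r"^dnssec-query\[(?P<rtype>[A-Z0-9]+)\] (?P<name>\S+) to (?P<server>\S+)$"
)
DNSSEC_RETRY_RE = re.compile(r"^dnssec retry to (?P<server>\S+)$")


@dataclass
class Upstreams:
    """Which upstream servers a query touched, and how often it was retried."""
    servers: set = field(default_factory=set)
    retries: int = 0


def parse_message(line):
    """Return the text after 'dnsmasq[pid]: ', or None for other syslog lines."""
    m = MSG_RE.search(line)
    return m.group("msg") if m else None


def summarize(lines):
    """Group upstream traffic by query.

    Returns (forwarded, dnssec): client queries fanned out by all-servers, and
    DNSSEC validation sub-queries keyed as 'NAME/TYPE'. A 'dnssec retry' line
    carries no name, so it is attributed to the most recent dnssec-query.
    """
    forwarded = defaultdict(Upstreams)
    dnssec = defaultdict(Upstreams)
    last_dnssec = None
    for line in lines:
        msg = parse_message(line)
        if msg is None:
            continue
        if (m := FORWARDED_RE.match(msg)):
            forwarded[m["name"]].servers.add(m["server"])
        elif (m := DNSSEC_QUERY_RE.match(msg)):
            last_dnssec = f"{m['name']}/{m['rtype']}"
            dnssec[last_dnssec].servers.add(m["server"])
        elif (m := DNSSEC_RETRY_RE.match(msg)) and last_dnssec is not None:
            dnssec[last_dnssec].servers.add(m["server"])
            dnssec[last_dnssec].retries += 1
    return forwarded, dnssec


def single_upstream_retries(dnssec):
    """Validation sub-queries retried only ever against one upstream.

    This is the failure mode from the post: if that one upstream is down, the
    client lookup times out even though other upstreams answered the original
    query. Returns sorted (key, server, retries) tuples.
    """
    return sorted(
        (key, next(iter(u.servers)), u.retries)
        for key, u in dnssec.items()
        if len(u.servers) == 1 and u.retries > 0
    )


if __name__ == "__main__":
    fwd, ds = summarize(SAMPLE_LOG.splitlines())
    for name, u in fwd.items():
        print(f"forwarded {name}: {len(u.servers)} upstream(s)")
    for key, server, retries in single_upstream_retries(ds):
        print(f"dnssec-query {key}: pinned to {server}, {retries} retry(ies)")
```

Run it against a real journal with `journalctl -u dnsmasq | python3 analyse.py` after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`; any `dnssec-query` reported with a single upstream and retries is a lookup whose success depends on that one resolver regardless of `all-servers`.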