[Dnsmasq-discuss] all-servers option not working for dnssec-query queries

Geert Stappers stappers at stappers.nl
Sun Aug 18 11:49:36 UTC 2024


On Wed, Aug 14, 2024 at 11:42:15AM +0200, Niels Hendriks wrote:
> Hello,
> 
> We are using dnsmasq with the all-servers option enabled in order
> to prevent issues with DNS resolution when a single resolver is not
> working properly.
> We have noticed that sometimes when a single resolver is unreachable
> we still have issues with DNS resolution. It appears this is related
> to dnssec-query[DS] performed by dnsmasq:
> 
> For example the following query gives us a timeout:
> 
> $ dig nu.nl DS @127.0.0.1
> 
> ; <<>> DiG 9.16.48-Debian <<>> nu.nl DS @127.0.0.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> In the dnsmasq logs, we see:
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1111
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2606:4700:4700::1001
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8888
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 2001:4860:4860::8844
> Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
> Aug 14 11:11:23 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
> Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
> Aug 14 11:11:28 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
> Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
> 
> And in a tcpdump we see the following (I have replaced source IPs with a dummy):
> 
> 11:11:18.223473 lo    In  IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
> 11:11:18.223595 eth0  Out IP 1.2.3.4.53036 > 1.1.1.1.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223618 eth0  Out IP 1.2.3.4.53036 > 1.0.0.1.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223634 eth0  Out IP 1.2.3.4.53036 > 8.8.8.8.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223650 eth0  Out IP 1.2.3.4.53036 > 8.8.4.4.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223690 eth0  Out IP6 2001::100.49508 > 2606:4700:4700::1111.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223710 eth0  Out IP6 2001::100.49508 > 2606:4700:4700::1001.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223733 eth0  Out IP6 2001::100.49508 > 2001:4860:4860::8888.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.223749 eth0  Out IP6 2001::100.49508 > 2001:4860:4860::8844.53: 49121+ [1au] DS? nu.nl. (46)
> 11:11:18.225023 eth0  In  IP 8.8.8.8.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.225122 eth0  Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)

I wonder where the 4797 comes from. Because I was expecting 49121.


> 11:11:18.226018 eth0  In  IP6 2606:4700:4700::1001.53 > 2001::100.49508: 49121$ 0/4/1 (375)
> 11:11:18.226051 eth0  In  IP 1.0.0.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.226070 eth0  In  IP6 2606:4700:4700::1111.53 > 2001::100.49508: 49121$ 0/4/1 (375)
> 11:11:18.226146 eth0  In  IP 1.1.1.1.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.228253 eth0  In  IP 8.8.4.4.53 > 1.2.3.4.53036: 49121$ 0/4/1 (375)
> 11:11:18.228416 eth0  In  IP6 2001:4860:4860::8844.53 > 2001::100.49508: 49121$ 0/4/1 (375)
> 11:11:23.221313 lo    In  IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)

`dig nu.nl DS @127.0.0.1` executed again or the original 11:11:18 dig
command doing a new attempt?


> 11:11:23.221463 eth0  Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
> 11:11:28.221184 lo    In  IP 127.0.0.1.37864 > 127.0.0.1.53: 12671+ [1au] DS? nu.nl. (46)
> 11:11:28.221347 eth0  Out IP6 2001::100.49142 > 2001:4860:4860::8844.53: 4797+ [1au] DS? nl. (31)
> 
> Now, it appears that initially the query is sent out to all configured
> DNS servers. 
> After that, there is a response and dnsmasq will then attempt to
> perform a `DS? nl.` query.

I doubt it is dnsmasq attempting the query. Both the dnsmasq logging and
the tcpdump tell that the request is coming from 127.0.0.1. (There is no
reason for dnsmasq to ask it of itself.)

> This query is however only sent out to a
> single server (2001:4860:4860::8844). A retry is sent out twice, both
> to the same IP.  Because this fails, our DNS lookup also gets a timeout.

I think we are seeing two things: a timeout and an as-yet unexplainable
query.
 
> We would like for this `DS? nl.` call caused by dnssec-query[DS] to
> also utilize all configured backend servers, so the query succeeds
> instead of fails like it does now.

For what it is worth: My gut feeling says the problem description is
incomplete.

 
> This is our dnsmasq.conf:
> 
> all-servers
> clear-on-reload
> bind-interfaces
> cache-size=1500
> dnssec
> interface=lo
> max-cache-ttl=3600
> neg-ttl=20
> resolv-file=/etc/resolv.dnsmasq
> log-queries

And what is the content of /etc/resolv.dnsmasq ?

 
> Can my desired behaviour be achieved?
>

[1]

 
> Thank you!

Oops

 
> Niels Hendriks


Groeten
Geert Stappers

Foot note [1]:  The yes-no-question is left unanswered
-- 
Silence is hard to parse
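To make the pattern discussed in this thread easy to spot in a larger log, here is a small analysis script. It is an added example, not code from the thread or from dnsmasq: it parses dnsmasq `log-queries` output, collects the upstreams that `forwarded` lines went to, and flags any `dnssec-query` whose attempts (including `dnssec retry` lines, which the script assumes belong to the most recent `dnssec-query` line, since dnsmasq does not name the query there) all went to a single server while several upstreams were in use. The sample log is constructed from the excerpt above.

```python
import re

# Constructed sample, modelled on the log excerpt in the thread (not the full log).
SAMPLE_LOG = """\
Aug 14 11:11:18 srv01 dnsmasq[1808159]: query[DS] nu.nl from 127.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.1.1.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 1.0.0.1
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.8.8
Aug 14 11:11:18 srv01 dnsmasq[1808159]: forwarded nu.nl to 8.8.4.4
Aug 14 11:11:18 srv01 dnsmasq[1808159]: dnssec-query[DS] nl to 2001:4860:4860::8844
Aug 14 11:11:23 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
Aug 14 11:11:28 srv01 dnsmasq[1808159]: dnssec retry to 2001:4860:4860::8844
"""

# Line shapes as they appear in dnsmasq's log-queries output.
FORWARDED = re.compile(r"dnsmasq\[\d+\]: forwarded (\S+) to (\S+)$")
DNSSEC_QUERY = re.compile(r"dnsmasq\[\d+\]: dnssec-query\[(\w+)\] (\S+) to (\S+)$")
DNSSEC_RETRY = re.compile(r"dnsmasq\[\d+\]: dnssec retry to (\S+)$")


def analyse(log_text):
    """Return (upstreams, subqueries): the set of servers 'forwarded' lines went to,
    and a map 'TYPE name' -> list of servers each DNSSEC sub-query attempt went to."""
    upstreams = set()
    subqueries = {}
    current = None  # assumption: a 'dnssec retry' belongs to the latest dnssec-query
    for line in log_text.splitlines():
        m = FORWARDED.search(line)
        if m:
            upstreams.add(m.group(2))
            continue
        m = DNSSEC_QUERY.search(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            subqueries.setdefault(current, []).append(m.group(3))
            continue
        m = DNSSEC_RETRY.search(line)
        if m and current is not None:
            subqueries[current].append(m.group(1))
    return upstreams, subqueries


def pinned_subqueries(log_text):
    """Sub-queries whose every attempt hit one server although several upstreams were in use."""
    upstreams, subqueries = analyse(log_text)
    return {k: v for k, v in subqueries.items()
            if len(upstreams) > 1 and len(set(v)) == 1}
```

Run against a real log with `pinned_subqueries(open("/var/log/dnsmasq.log").read())`; a non-empty result is the "all-servers fans out, but the DNSSEC sub-query and its retries do not" situation from the thread.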


