Hi,
I've got some network devices (wifi extenders) that run dnsmasq. For some
specific URLs, AAAA records are returned as REFUSED from the GW's DNS proxy (I have no
info about the GW's internals).
I've realized that some of my curl commands hang for 15 secs and time out.
curl -6 --dns-servers 127.0.0.1 -v <refused-url> (HANGS)
curl --dns-servers 127.0.0.1 -v <refused-url> (HANGS)
curl -4 --dns-servers 127.0.0.1 -v <refused-url> (RESOLVES INSTANTLY)

curl -6 --dns-servers 192.168.1.1 -v <refused-url> (RESOLVES INSTANTLY)
curl --dns-servers 192.168.1.1 -v <refused-url> (RESOLVES INSTANTLY)
curl -4 --dns-servers 192.168.1.1 -v <refused-url> (RESOLVES INSTANTLY)

Packets from curl -6 --dns-servers 127.0.0.1 and curl -6 --dns-servers
192.168.1.1 look exactly the same
-------------------------
NOT HANG packets
-------------------------
12:55:28.120426 a0:2d:13:a9:03:44 (oui Unknown) > 10:50:72:a1:b9:40 (oui
Unknown), ethertype IPv4 (0x0800), length 122: AW2842301000274.40021 >
192.168.1.1.domain: 26821+ AAAA? xxxxxx.s3.amazonaws.com. (80)
        0x0000:  4500 006c 8c65 4000 4011 2ac8 c0a8 0102  E..l.e@.@.*.....
        0x0010:  c0a8 0101 9c55 0035 0058 83bd 68c5 0100  .....U.5.X..h...
        0x0020:  0001 0000 0000 0000 xxxx  xxxx  xxxx  xxxx ........-xxxx
        0x0030:    xxxx  xxxx  xxxx  xxxx  xxxx  xxxx  xxxx  xxxx   xxxx-
        0x0040:  3239 3130 3433 3732 3635 3537 2d65 752d  291043726557-eu-
        0x0050:  7765 7374 2d31 0273 3309 616d 617a 6f6e  west-1.s3.amazon
        0x0060:  6177 7303 636f 6d00 001c 0001            aws.com.....
12:55:28.127647 10:50:72:a1:b9:40 (oui Unknown) > a0:2d:13:a9:03:44 (oui
Unknown), ethertype IPv4 (0x0800), length 323: 192.168.1.1.domain >
AW2842301000274.40021: 26821 Refused 0/1/0 (281)
        0x0000:  4500 0135 f9bb 4000 4011 bca8 c0a8 0101  E..5..@.@.......
        0x0010:  c0a8 0102 0035 9c55 0121 6977 68c5 8185  .....5.U.!iwh...
        0x0020:  0001 0000 0001 0000 xxxx  xxxx  xxxx  xxxx ........-xxxx
        0x0030:    xxxx  xxxx  xxxx  xxxx  xxxx  xxxx  xxxx  xxxx   xxxx-
                                                  ....
                                                  ....
        0x00b0:  0000 1b44 0016 0673 332d 332d 7709 616d  ...D...s3-3-w.am
        0x00c0:  417a 6f6e 6177 7303 636f 6d00 0673 332d  Azonaws.com..s3-
        0x00d0:  332d 7709 616d 617a 6f6e 6177 7303 636f  3-w.amazonaws.co
        0x00e0:  6d00 0006 0001 0000 26c8 0049 076e 732d  m.......&..I.ns-
        0x00f0:  3134 3235 0961 7773 646e 732d 3530 036f  1425.awsdns-50.o
        0x0100:  7267 0011 6177 7364 6e73 2d68 6f73 746d  rg..awsdns-hostm
        0x0110:  6173 7465 7206 616d 617a 6f6e 0363 6f6d  aster.amazon.com
        0x0120:  0000 0000 0100 001c 2000 0003 8400 1275  ...............u
        0x0130:  0000 0001 25                             ....%
--------------------------
HANG packets
--------------------------
12:46:06.257257 a0:2d:13:a9:03:44 (oui Unknown) > 10:50:72:a1:b9:40 (oui
Unknown), ethertype IPv4 (0x0800), length 122: AW2842301000274.39664 >
192.168.1.1.domain: 35290+ AAAA? xxxxxx.s3.amazonaws.com. (80)
        0x0000:  4500 006c c5da 4000 4011 f152 c0a8 0102  E..l..@.@..R....
        0x0010:  c0a8 0101 9af0 0035 0058 83bd 89da 0100  .......5.X......
        0x0020:  0001 0000 0000 0000 2d61 xxxx xxxx xxxx  ........-xxxx
        0x0030:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx   xxxx-
                                                  ....

12:46:06.296674 10:50:72:a1:b9:40 (oui Unknown) > a0:2d:13:a9:03:44 (oui
Unknown), ethertype IPv4 (0x0800), length 261: 192.168.1.1.domain >
AW2842301000274.39664: 35290 Refused 0/1/0 (219)
        0x0000:  4500 00f7 978c 4000 4011 1f16 c0a8 0101  E.....@.@.......
        0x0010:  c0a8 0102 0035 9af0 00e3 c902 89da 8185  .....5..........
        0x0020:  0001 0000 0000 0000 2d61 xxxx xxxx xxxx  ........-xxxx
        0x0030:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx   xxxx-
                                                  ....
        0x0070:  0001 0000 a745 0016 0673 332d 332d 7709  .....E...s3-3-w.
        0x0080:  616d 415a 4f6e 6177 7303 636f 6d00 0673  amAZOnaws.com..s
        0x0090:  332d 332d 7709 616d 617a 6f6e 6177 7303  3-3-w.amazonaws.
        0x00a0:  636f 6d00 0006 0001 0000 144c 0049 076e  com........L.I.n
        0x00b0:  732d 3134 3235 0961 7773 646e 732d 3530  s-1425.awsdns-50
        0x00c0:  036f 7267 0011 6177 7364 6e73 2d68 6f73  .org..awsdns-hos
        0x00d0:  746d 6173 7465 7206 616d 617a 6f6e 0363  tmaster.amazon.c
        0x00e0:  6f6d 0000 0000 0100 001c 2000 0003 8400  om..............
        0x00f0:  1275 0000 0001 25                        .u....%
-----------------------

The packets are almost identical, but dnsmasq has problems processing these
replies with the resolv.conf below:
# cat /var/resolv.dnsmasq.conf
nameserver 192.168.1.1

nameserver 192.168.1.1

As you see, there are two recurring nameserver addresses. Both resolve to
REFUSED.

I've referred to the issue as a loop because it seems that dnsmasq keeps
resolving and does not forward the refused answer to the client (curl). It keeps
returning from
https://github.com/imp/dnsmasq/blob/master/src/forward.c#L1132 while
keeping forward->forwardall = 3 as its value.
I am not sure if this is a kind of bug, because when I removed the recurring
nameserver address from resolv.conf, my curl commands did not hang.
I'm very sorry that I need to xxxx out the packet info and URL; I am not
authorized to share that info. It is a standard S3 Amazon AWS bucket, but
I'm sure it can be reproduced with any server that refuses AAAA CNAME records.

# cat /var/dnsmasq.conf
# Never forward plain names (without a dot or domain part)
domain-needed

# Never forward addresses in the non-routed address spaces.
bogus-priv

# Don't store in cache the invalid resolutions
no-negcache

# resolv file to specify upstream servers
resolv-file=/var/resolv.dnsmasq.conf

# Set the cachesize here.
cache-size=200

# forces dnsmasq to try each query with each server strictly
# in the order they appear in resolv file
strict-order  # Note: I've tried removing strict-order, doesn't fix the issue

no-hosts

addn-hosts=/var/hosts

conf-dir=/var/dnsmasq.d/,*.cfg

local=/Home/

# dnsmasq -v
Dnsmasq version 2.89  Copyright (c) 2000-2022 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN
no-DHCP no-scripts no-TFTP no-conntrack no-ipset no-nftset auth
no-cryptohash no-DNSSEC loop-detect inote

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

dig output from another machine that returns no data for AAAA.

# dig xxxx.s3.amazonaws.com
; <<>> DiG 9.16.1-Ubuntu <<>> xxxx.s3.amazonaws.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4430
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;xxxx.s3.amazonaws.com. IN A

;; ANSWER SECTION:
xxxx.s3.amazonaws.com. 42821 IN CNAME s3-3-w.amazonaws.com.
s3-3-w.amazonaws.com. 4 IN A 52.92.0.169
s3-3-w.amazonaws.com. 4 IN A 52.218.25.170
s3-3-w.amazonaws.com. 4 IN A 52.92.32.169
s3-3-w.amazonaws.com. 4 IN A 52.92.36.249
s3-3-w.amazonaws.com. 4 IN A 52.218.118.9
s3-3-w.amazonaws.com. 4 IN A 52.218.45.161
s3-3-w.amazonaws.com. 4 IN A 52.92.4.33
s3-3-w.amazonaws.com. 4 IN A 52.92.17.121

;; Query time: 68 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sal Ara 12 11:07:21 +03 2023
;; MSG SIZE  rcvd: 240

Some other cases of resolv.conf

(DOES NOT HANG)
# cat /var/resolv.dnsmasq.conf
nameserver 192.168.1.1

(HANGS)
# cat /var/resolv.dnsmasq.conf
nameserver 192.168.1.1

nameserver 192.168.1.1

nameserver <any-invalid-address>

(DOES NOT HANG)
# cat /var/resolv.dnsmasq.conf
nameserver 192.168.1.1

nameserver 192.168.1.1

nameserver 8.8.8.8

Regards,
Berkan
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
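
A way to compare the two behaviours reported in this message without curl, added here as an example (it is not part of the original post or of dnsmasq): it sends one AAAA query over UDP and reports either the decoded reply header or the absence of any reply, so a relayed REFUSED can be told apart from a forwarder that stays silent. The header bytes are copied from the first dump above; the function names and the `example.com` query name are assumptions standing in for the redacted bucket.

```python
import random
import socket
import struct
import time

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_AAAA = 28

def build_query(name, txid, qtype=QTYPE_AAAA):
    """One-question query with RD set (flags 0x0100, as in the captured queries)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header into the fields tcpdump summarises."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "response": bool(flags & 0x8000),
            "rcode": RCODES.get(rcode, str(rcode)), "counts": (an, ns, ar)}

def probe(server, name, port=53, timeout=3.0):
    """Return (header, seconds) for the matching reply, or (None, timeout) if none."""
    txid = random.getrandbits(16)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, port))
        try:
            while True:
                data, _ = s.recvfrom(4096)
                if len(data) < 12:
                    continue  # ignore runt datagrams
                hdr = parse_header(data)
                if hdr["response"] and hdr["id"] == txid:
                    return hdr, time.monotonic() - start
        except socket.timeout:
            return None, timeout

# DNS header of the REFUSED reply: offset 0x1c of the first dump (after IP + UDP headers).
CAPTURED_REPLY_HEADER = bytes.fromhex("68c581850001000000010000")

if __name__ == "__main__":
    print(parse_header(CAPTURED_REPLY_HEADER))   # matches "Refused 0/1/0"
    for srv in ("127.0.0.1", "192.168.1.1"):     # the two servers given to curl above
        print(srv, probe(srv, "example.com"))    # placeholder name (assumption)
```

A `None` header from 127.0.0.1 alongside a REFUSED header from 192.168.1.1 corresponds to the hang described above.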
