Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-06 Thread Simon Kelley
On 06/02/13 09:18, Thomas Hood wrote:
> [...cont'd after "in order to fix"...] bug #1072899, dnsmasq will
> have to be enhanced such that proposition #1 is true. But we can
> discuss the details of that in bug #1072899.
> 
>  There is a close analogy between the problem here (bug
> #1003842) and a problem we have with avahi. Avahi resolves names in
> the domain ".local". Networks should not use this TLD, but many do
> and at least in the past Microsoft actually recommended doing so.
> When users connect to such networks with avahi enabled the result is
> malfunction. Upstream puristically says[*] "If you come across a
> network where .local is a unicast DNS domain, please contact the
> local administrator and ask him to move his DNS zone to a different
> domain. If this is not possible, we recommend not to use Avahi in
> such a network at all." In practice avahi attempts to detect "bad"
> networks and disables itself if it thinks it is on a bad network,
> subject unfortunately both to false positives (bug #327362) and false
> negatives (bug #80900).
> 
> We aren't yet doing even that well. We say that networks ought to
> have equivalent nameservers and we make no attempt to detect networks
> that have non-equivalent nameservers, of which there are very many.
> 
> [*]http://avahi.org/wiki/AvahiAndUnicastDotLocal 
> 


Detecting non-equivalent servers is hard. I'm very much in favour of doing
it, if a way can be found.


Simon.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1003842

Title:
  dnsmasq sometimes fails to resolve private names in networks with non-
  equivalent nameservers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1003842/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-06 Thread Simon Kelley
On 06/02/13 08:59, Thomas Hood wrote:
> Hi Simon.
> 
> Before I forget to ask: can you please update dnsmasq(8) to include
> under "--strict-order" a description of what happens when nameserver
> addresses are passed in via D-Bus instead of via a file?
> 
> You wrote,
>> you can very easily provide the same behaviour - only pass the first 
>> nameserver to dnsmasq
> 
> Because NM doesn't use dnsmasq to cache, if NM were to give dnsmasq only
> one address then I guess the only service that dnsmasq would still
> provide is that of name-to-server mapping.
> 
> And it turns out that the way NM currently uses dnsmasq to do this is
> seriously flawed. So I conclude that it's better for NM not to use
> dnsmasq at all until these problems are solved.
> 
>> [That NM only supplies one nameserver address per domain name]
>> is a different problem, and could be solved.
> 
> From the man page it's not completely clear how to solve it.  Can you
> confirm (1) that it's possible to give multiple server options as
> follows
> 
> server=/google.com/1.2.3.4
> server=/google.com/5.6.7.8
> 
> and that the result will be that 1.2.3.4 and 5.6.7.8 will be treated
> equally for the purpose of resolving names in domain google.com? (2) And
> likewise via D-Bus?
> 
> (3) What effect does strict-order have on this?
> 
>> Ironically, I think the
>> problem arises because for nameservers associated with particular
>> domains, the equivalent of --strict-order is always in play.
> 
> What you say here suggests that my proposition #1 above is false. If #1
> is false then it seems that in order to fix
> 

proposition #1 is true, as is #2: you can configure the same thing via
DBus.

Consider

server=1.1.1.1
server=2.2.2.2
server=/google.com/3.3.3.3
server=/google.com/4.4.4.4


Queries not sent to *.google.com will behave in the normal dnsmasq
manner, sent non-deterministically to 1.1.1.1 and/or 2.2.2.2 in a way
which tries to favour the fastest/most up server.


Queries sent to *google.com will be sent to 3.3.3.3 or 4.4.4.4 in the same
way as if strict order was set, ie, to 3.3.3.3 first, and only to
4.4.4.4 if 3.3.3.3 returns a SERVFAIL or REFUSED error, or doesn't reply
at all.

This should be changed, but the code which implements it is gnarly and
old, and won't stand more tinkering; it needs rewriting. I've not found
the time, as of yet.


Cheers,

Simon.



Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-05 Thread Simon Kelley
Belay my previous comment about 1072899, it looks like network manager 
is losing the second server before it ever gets to dnsmasq. Not a 
dnsmasq problem.


Simon.



Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-05 Thread Simon Kelley
On 04/02/13 22:05, Thomas Hood wrote:
> Simon in #49:
>> It doesn't work [...] the order of servers given to the DBus
>> interface isn't preserved internally
>
> Aha, so the answer to my question
>
>> Will switching on strict-order have the same effect
>> now that nameserver addresses are sent over D-Bus?
>
> (in comment #42) is "No". So switching strict-order back on is no
> solution. And solutions depending on strict-order including mine in #28
> also won't work. Unless dnsmasq is somehow changed such that it
> remembers the order in which nameserver addresses come in over D-Bus so
> that strict-order is useful in the D-Bus case, if we want to avoid
> breaking name service on machines connected to NNNs then we have to
> disable dnsmasq by default; or disable it initially and only enable it
> when we know that we aren't on a NNN.

Note that setting --strict-order is pretty much equivalent to telling 
dnsmasq to use only the first nameserver, so you can very easily provide 
the same behaviour - only pass the first nameserver to dnsmasq. Maybe 
provide a button in NM that does this - "press here if you're in a 
captive portal".

>
> (NNN = nonequivalent-nameserver network. As discussed in comment #5,
> such networks are not properly configured. But as observed several
> times, there are many NNNs out there. Which is why *many* people have
> been commenting out "dns=dnsmasq".)
>
> There is another problem with NM-dnsmasq (bug #1072899). Some VPNs have
> multiple nameservers. NM uses dnsmasq to direct VPN domain name queries
> to the *first* one. But then, if the first one goes down, the second one
> is not tried. Once again, for the sake of speed enhancement in the
> favorable case, users suffer radical name service failure in the
> unfavorable case. This is not a good deal, IMHO. NM-dnsmasq should be
> disabled by default until these problems are solved.

That's a different problem, and could be solved. Ironically, I think the 
problem arises because for nameservers associated with particular 
domains, the equivalent of --strict-order is always in play.


Cheers,

Simon.

>



Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-04 Thread Sergio Callegari
On 04/02/2013 17:07, Simon Kelley wrote:
> On 04/02/13 15:36, Sergio Callegari wrote:
>> On 04/02/2013 15:40, Simon Kelley wrote:
>>> On 03/02/13 07:48, Thomas Hood wrote:
>>>>> there's still the unresolved question
>>>>> of whether re-enabling --strict-order
>>>>> will suffice as a workaround, since
>>>>> 12.10 relies on DBus to populate the
>>>>> nameservers. Is there any extra
>>>>> information on this?
>>>> Please try it and report back.  :-)
>>>>
>>>> (Put "strict-order"  in a file in /etc/NetworkManager/dnsmasq.d/; stop
>>>> network-manager; make sure all dnsmasq processes are dead; start
>>>> network-manager.)
>>>>
>>> It doesn't work: It will always use the same server first, but the order
>>> of servers given to the DBus interface isn't preserved internally, and
>>> actually changes each time the DBus interface is used.
>>>
>>>
>>> Cheers,
>>>
>>> Simon.
>> Isn't it possible to change dnsmasq behavior to query the servers in any
>> order or in parallel and in the case the first server to reply says "I
>> don't know" avoid relying on that information, rather wait and see if in a
>> reasonable time some other server answers "I do"?
> You're far from the first person to ask that question. The answer is
> that there is no possible response in the DNS protocol which means "I
> don't know". NXDOMAIN or NODATA answers _don't_ mean that; they mean "I
> know that this domain doesn't exist". They also make up quite a large
> proportion of the DNS results returned to the average host, so that all
> of those queries would suddenly take much longer.

Yes, I realize that the problem is with the setup of the intranet, which should
not add names to a domain that is known on the internet or invent a subdomain
of something that is on the internet.

But as a workaround, having a switch to activate "wait for further answers if
you get an 'it does not exist'" would be nice for those willing to pay the
price of a longer wait (or possibly even auto-activate it if a dns is detected
to be on an intranet).

Best regards,

Sergio



Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-04 Thread Simon Kelley
On 04/02/13 15:36, Sergio Callegari wrote:
> On 04/02/2013 15:40, Simon Kelley wrote:
>> On 03/02/13 07:48, Thomas Hood wrote:
>>>> there's still the unresolved question
>>>> of whether re-enabling --strict-order
>>>> will suffice as a workaround, since
>>>> 12.10 relies on DBus to populate the
>>>> nameservers. Is there any extra
>>>> information on this?
>>> Please try it and report back.  :-)
>>>
>>> (Put "strict-order"  in a file in /etc/NetworkManager/dnsmasq.d/; stop
>>> network-manager; make sure all dnsmasq processes are dead; start
>>> network-manager.)
>>>
>> It doesn't work: It will always use the same server first, but the order
>> of servers given to the DBus interface isn't preserved internally, and
>> actually changes each time the DBus interface is used.
>>
>>
>> Cheers,
>>
>> Simon.
> Isn't it possible to change dnsmasq behavior to query the servers in any
> order or in parallel and in the case the first server to reply says "I don't
> know" avoid relying on that information, rather wait and see if in a
> reasonable time some other server answers "I do"?

You're far from the first person to ask that question. The answer is
that there is no possible response in the DNS protocol which means "I
don't know". NXDOMAIN or NODATA answers _don't_ mean that; they mean "I
know that this domain doesn't exist". They also make up quite a large
proportion of the DNS results returned to the average host, so that all
of those queries would suddenly take much longer.

> 
> With the current behavior, whenever I need to access a captive portal, I
> basically have to press the "reload page" button 50 times until for some
> reason the order in which the nameservers reply becomes the good one.

The fundamental problem lies with the captive portal, and no good
solution which can be implemented by dnsmasq has so far been devised.


Cheers,

Simon.
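
The forwarding rule discussed in this thread (servers tried in order, moving on only after SERVFAIL, REFUSED or no reply) and the point in the message above that NXDOMAIN is a definitive answer can be seen together in a small model. This is an added example, not part of the original messages and not dnsmasq code; the server names, zones and the `Server` class are constructed for illustration.

```python
# Added illustration: a toy model of the forwarding rule described in this
# thread, not dnsmasq source code. Server names and zones are constructed.
NOERROR, NXDOMAIN, SERVFAIL, REFUSED, TIMEOUT = (
    "NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED", None)

# Only these outcomes make the forwarder move on to the next server.
RETRY_ON = {SERVFAIL, REFUSED, TIMEOUT}


class Server:
    """A constructed upstream: knows some zones, may be down or refusing."""

    def __init__(self, name, zones, up=True, refuses=False):
        self.name, self.zones, self.up, self.refuses = name, zones, up, refuses

    def query(self, qname):
        if not self.up:
            return TIMEOUT
        if self.refuses:
            return REFUSED
        known = any(qname == z or qname.endswith("." + z) for z in self.zones)
        # A server that lacks the zone still answers definitively.
        return NOERROR if known else NXDOMAIN


def forward_in_order(servers, qname):
    """Try servers in list order; stop at the first definitive answer."""
    asked = []
    for s in servers:
        rcode = s.query(qname)
        asked.append(s.name)
        if rcode not in RETRY_ON:
            return rcode, asked
    return SERVFAIL, asked  # modelling choice: nobody gave a usable answer


def outcomes_by_first_server(servers, qname):
    """Result for each possible choice of first server (order not fixed)."""
    result = {}
    for i, first in enumerate(servers):
        order = [first] + servers[:i] + servers[i + 1:]
        result[first.name] = forward_in_order(order, qname)[0]
    return result


# Constructed non-equivalent pair: only "internal" knows corp.example.
internal = Server("internal", ["corp.example", "example.org"])
public = Server("public", ["example.org"])

if __name__ == "__main__":
    print(outcomes_by_first_server([internal, public], "wiki.corp.example"))
    print(forward_in_order([Server("vpn1", ["corp.example"], up=False),
                            Server("vpn2", ["corp.example"])],
                           "wiki.corp.example"))
```

With equivalent servers every choice of first server gives the same result; with the non-equivalent pair the private name resolves or fails depending purely on which server is asked first, which is the intermittent failure reported in this bug.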



Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-04 Thread Sergio Callegari
On 04/02/2013 15:40, Simon Kelley wrote:
> On 03/02/13 07:48, Thomas Hood wrote:
>>> there's still the unresolved question
>>> of whether re-enabling --strict-order
>>> will suffice as a workaround, since
>>> 12.10 relies on DBus to populate the
>>> nameservers. Is there any extra
>>> information on this?
>> Please try it and report back.  :-)
>>
>> (Put "strict-order"  in a file in /etc/NetworkManager/dnsmasq.d/; stop
>> network-manager; make sure all dnsmasq processes are dead; start
>> network-manager.)
>>
> It doesn't work: It will always use the same server first, but the order
> of servers given to the DBus interface isn't preserved internally, and
> actually changes each time the DBus interface is used.
>
>
> Cheers,
>
> Simon.
Isn't it possible to change dnsmasq behavior to query the servers in any order 
or in parallel and in the case the first server to reply says "I don't know" 
avoid relying on that information, rather wait and see if in a reasonable time 
some other server answers "I do"?

With the current behavior, whenever I need to access a captive portal, I
basically have to press the "reload page" button 50 times until for some
reason the order in which the nameservers reply becomes the good one.

Cheers,

Sergio



Re: [Bug 1003842] Re: dnsmasq sometimes fails to resolve private names in networks with non-equivalent nameservers

2013-02-04 Thread Simon Kelley
On 03/02/13 07:48, Thomas Hood wrote:
>> there's still the unresolved question
>> of whether re-enabling --strict-order
>> will suffice as a workaround, since
>> 12.10 relies on DBus to populate the
>> nameservers. Is there any extra
>> information on this?
> 
> Please try it and report back.  :-)
> 
> (Put "strict-order"  in a file in /etc/NetworkManager/dnsmasq.d/; stop
> network-manager; make sure all dnsmasq processes are dead; start
> network-manager.)
> 

It doesn't work: It will always use the same server first, but the order
of servers given to the DBus interface isn't preserved internally, and
actually changes each time the DBus interface is used.


Cheers,

Simon.
