[Dnsmasq-discuss] Dnsmasq responding with SOA instead of A
Aaron Germuth
2016-07-11 20:20:56 UTC
Hey guys,

I'm trying to run my own dnsmasq instance on a computer. I want it to be
authoritative for my domain (local.example.com). However I am getting
different results for the same query from different computers.

dig @100.108.108.176 b.local.example.com. A

When I run this from the DNS server itself (100.108.108.176) I get an IP as
a response and the following in the logs:

Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: query[A] b.local.example.com from 100.108.108.176
Jul 11 14:47:53 MY_DNS_SERVER.com dnsmasq[30817]: /etc/hosts 1.2.3.50 is b.local.example.com

When I run this from a different computer on a different network I do not
get an IP. Instead dig returns an SOA pointing to itself
(MY_DNS_SERVER.com). Furthermore, the logs show the following:

Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth[A] b.local.example.com from 172.27.88.26
Jul 11 14:49:29 MY_DNS_SERVER.com dnsmasq[30817]: auth b.local.example.com is NODATA-IPv4

I'm not sure what's happening. It seems it interprets one as a query[A] and
the other as an auth[A]. It seems in the 2nd response it thinks it doesn't know how to
handle that domain so it returns who it thinks is authoritative for that
domain, which is itself. This is what my dnsmasq.conf looks like:

auth-server=MY_DNS_SERVER.com,eth0
auth-zone=local.example.com,eth0

log-queries

#do not read resolv.conf to find servers where to lookup dns
no-resolv
#do not poll resolve.conf for changes
no-poll

#address to use when address not local
server=8.8.8.8
server=4.4.4.4

local=/local.example.com/
domain=local.example.com

If you need any more information, let me know.

Thanks,

Aaron
Albert ARIBAUD
2016-07-11 21:18:15 UTC
Hi Aaron,

First thing you should do is not to filter out or explain the dig
commands you use and their results, but instead to just copy-paste the
command and its output. Here, for instance, none of what you provide
allows checking how the request was sent exactly, and what principal
and additional info was returned.
Kind regards,
--
Albert.
Aaron Germuth
2016-07-11 21:53:21 UTC
Hey Albert,

Thanks for the reply and sorry about that. The dig command used is

dig @100.108.108.176 b.local.example.com A

100.108.108.176 is the IP of my DNS server. This DNS server has an entry in
/etc/hosts mapping
b.local.example.com -> 1.2.3.50.

My domain 'example.com' has an RR:
local.example.com NS 3600 MY_DNS_SERVER.com

I'm expecting the following dig response (which I get when running it
locally on my DNS server):

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176 b.local.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;b.local.example.com. IN A

;; ANSWER SECTION:
b.local.example.com. 600 IN A 1.2.3.50

;; Query time: 0 msec
;; SERVER: 100.108.108.176#53(100.108.108.176)
;; WHEN: Mon Jul 11 17:38:03 EDT 2016
;; MSG SIZE rcvd: 51

The response when run from the other computer is:

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @100.108.108.176 b.local.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25320
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;b.local.example.com. IN A

;; AUTHORITY SECTION:
local.example.com. 600 IN SOA MY_DNS_SERVER.com. hostmaster.MY_DNS_SERVER.com. 1468262852 1200 180 1209600 600

;; Query time: 60 msec
;; SERVER: 100.108.108.176#53(100.108.108.176)
;; WHEN: Mon Jul 11 14:32:23 PDT 2016
;; MSG SIZE rcvd: 1

The only filtering I've done is changing the domain to example.com and
replacing the MY_DNS_SERVER URL. Otherwise it's copy-paste. I don't think the
exact URL should matter?

Let me know if you need anything else.

Thanks,

Aaron
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Albert ARIBAUD
2016-07-11 22:43:37 UTC
Hi again Aaron,

On Mon, 11 Jul 2016 21:53:21 +0000, Aaron Germuth wrote:
The only filtering I've done is changing the domain to example.com and
replacing the MY_DNS_SERVER URL. Otherwise it's copy-paste. I don't think
the exact URL should matter?
I don't think it does, except of course that no one can reproduce your
tests, but I can understand that you don't want to disclose your
domain(s) or IP(s).
Post by Aaron Germuth
Let me know if you need anything else.
I've already got way more info than I can handle -- I'm not a DNS guru. :)
What I know is that auth-server should treat *all* requests on eth0 the
same way, so any difference in response is due to queries not being the
same.

The only difference I see is that the second query seems to have
requested recursion but not the first, so they are different somehow.
Maybe some of these differences can explain the different answers?

I suggest you capture DNS traffic on the dnsmasq host using tcpdump, run
both queries, and compare the corresponding captures field by field and
analyze each difference found. Of course, the captures will be full of
sensitive data, so you'll have to do the comparison yourself, but then
you could for instance report here which fields are different.
Post by Aaron Germuth
Thanks,
Aaron
Kind regards,
--
Albert.
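The field-by-field comparison Albert suggests, applied to the two dig responses Aaron posted earlier in the thread: this is an added example for this page, not code from the list or from dnsmasq. It parses the header, flags and sections of each response, reports which differ, and classifies each response; the two sample inputs are trimmed copies of Aaron's outputs.

```python
import re

# Constructed from the two dig outputs Aaron posted: header, flag and record lines only.
LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24172
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
b.local.example.com. 600 IN A 1.2.3.50
"""
REMOTE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25320
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
local.example.com. 600 IN SOA MY_DNS_SERVER.com. hostmaster.MY_DNS_SERVER.com. 1468262852 1200 180 1209600 600
"""

def parse_dig(text):
    """Extract opcode/status/id, the flag set, section counts and records from dig output."""
    r = {"flags": set(), "records": {}}
    section = None
    for line in text.splitlines():
        if m := re.match(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", line):
            r["opcode"], r["status"], r["id"] = m[1], m[2], int(m[3])
        elif m := re.match(r";; flags: ([a-z ]*); (.*)", line):
            r["flags"] = set(m[1].split())
            r.update({k.lower(): int(v) for k, v in re.findall(r"(\w+): (\d+)", m[2])})
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m[1].lower()
            r["records"][section] = []
        elif section and line and not line.startswith(";"):
            r["records"][section].append(line.split())  # name ttl class type rdata...
    return r

def diff_fields(a, b):
    """Header fields and flags that differ; the transaction id is skipped (always differs)."""
    keys = (set(a) | set(b)) - {"id", "flags", "records"}
    return sorted(k for k in keys if a.get(k) != b.get(k)), sorted(a["flags"] ^ b["flags"])

def classify(r):
    """Name the kind of response from its status, answer count and authority section."""
    auth_types = {rec[3] for rec in r["records"].get("authority", []) if len(rec) > 3}
    if r["status"] == "NOERROR" and r["answer"] > 0:
        return "answer, aa " + ("set" if "aa" in r["flags"] else "not set")
    if r["status"] == "NOERROR" and r["answer"] == 0 and "SOA" in auth_types:
        # NOERROR, empty ANSWER, SOA in AUTHORITY: the NODATA form of a negative
        # answer (RFC 2308), which is what dnsmasq's "NODATA-IPv4" log line reports.
        return "NODATA, aa " + ("set" if "aa" in r["flags"] else "not set")
    return r["status"]
```

Running `diff_fields(parse_dig(LOCAL), parse_dig(REMOTE))` reports only the ANSWER and AUTHORITY counts and the `aa`/`ra` flags as differences, and `classify` labels the local response as a non-authoritative answer and the remote one as an authoritative NODATA.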
Aaron Germuth
2016-07-11 23:59:54 UTC
Hello,

I've looked at the messages with Wireshark and found the DNS portions are
byte-identical (other than transaction id). Everything else looks similar
other than source IP. Not sure where to go from here.

Thanks,

Aaron