[Dnsmasq-discuss] multiple upstream servers from behind NAT
Jeff
2017-09-28 16:35:56 UTC
I have a server my.natted.server NAT'ed behind a public firewall, with
config lines for both of my upstream ISP nameservers:
server=<ip address for ns01.my-isp.com>
server=<ip address for ns02.my-isp.com>

I chose to use both ISP nameservers for redundancy, but this is not a
requirement.

I see dnsmasq query either upstream server, without issue. Here are 2
successful examples:

successful example:
15:41:50.958340 IP my.natted.server.54406 > ns01.my-isp.com.domain:
21145+ A? www.apple.com. (31)
15:41:50.987324 IP ns01.my-isp.com.domain > my.natted.server.54406:
21145 4/0/0 CNAME www.apple.com.edgekey.net., CNAME
www.apple.com.edgekey.net.globalredir.akadns.net., CNAME
e6858.dsce9.akamaiedge.net., A 23.36.67.187 (182)

successful example:
15:44:04.098088 IP my.natted.server.41451 > ns02.my-isp.com.domain:
30158+ A? www.apple.com. (31)
15:44:04.125471 IP ns02.my-isp.com.domain > my.natted.server.41451:
30158 4/0/0 CNAME www.apple.com.edgekey.net., CNAME
www.apple.com.edgekey.net.globalredir.akadns.net., CNAME
e6858.dsce9.akamaiedge.net., A 23.222.204.41 (182)

Occasionally I see a failure where dnsmasq sends out queries to both
upstream ISP nameservers, instructing each to reply to the same port.
The first one to reply "wins" and the 2nd to reply elicits an ICMP
"port unreachable". Here are 2 failure examples:

failure example:
15:36:49.835378 IP my.natted.server.17990 > ns01.my-isp.com.domain:
65330+ A? ns01.my-isp.com. (35)
15:36:49.835391 IP my.natted.server.17990 > ns02.my-isp.com.domain:
65330+ A? ns01.my-isp.com. (35)
15:36:49.863241 IP ns02.my-isp.com.domain > my.natted.server.17990:
65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867784 IP ns01.my-isp.com.domain > my.natted.server.17990:
65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867804 IP my.natted.server > ns01.my-isp.com: ICMP
my.natted.server udp port 17990 unreachable, length 87

failure example:
15:37:32.910884 IP my.natted.server.48523 > ns01.my-isp.com.domain:
51470+ A? ns02.my-isp.com. (35)
15:37:32.910915 IP my.natted.server.48523 > ns02.my-isp.com.domain:
51470+ A? ns02.my-isp.com. (35)
15:37:32.938315 IP ns01.my-isp.com.domain > my.natted.server.48523:
51470 1/0/0 A 71.10.216.2 (51)
15:37:32.942897 IP ns02.my-isp.com.domain > my.natted.server.48523:
51470 1/0/0 A 71.10.216.2 (51)
15:37:32.942930 IP my.natted.server > ns02.my-isp.com: ICMP
my.natted.server udp port 48523 unreachable, length 87

Question:
Is this an issue with:
1) My dnsmasq configuration?
2) dnsmasq?
3) my NAT'ing firewall?

Question:
For the failure examples above, is the DNS client successfully
resolving the query?
(implies the ICMP responses can be safely ignored)

I am running dnsmasq-2.66 on CentOS-7 Linux.

TIA,
Jeff
Simon Kelley
2017-09-29 15:29:00 UTC
Post by Jeff
For the failure examples above, is the DNS client successfully
resolving the query?
(implies the ICMP responses can be safely ignored)
Yes. Every so often, dnsmasq sends the query to both servers, to see
which one is fastest (that server then becomes preferred until it's time
to run the race again). Once the first server replies, dnsmasq sends
the reply back to the original requestor, and closes the port it was
listening on. When the second, slow, server's reply arrives, it gets
ICMP port unreachable because the port is already closed.

It's nothing to do with NAT, and it's not a problem.


Cheers,

Simon.
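Simon's explanation gives a way to tell the harmless dnsmasq race apart from a real fault when these ICMP messages turn up in a capture. The following is an added example, not code from the thread or from dnsmasq: it parses tcpdump lines in the format shown above, groups them by source port, and reports a port as a benign race only when the same query ID went to two upstreams, both answered, and exactly one "port unreachable" followed. The sample capture is constructed from the thread's placeholder hosts, with one extra single-upstream flow (port 60001, 192.0.2.10) added as an assumption to show the other verdict.

```python
import re
from collections import defaultdict

# Constructed tcpdump lines modelled on the thread's captures; hostnames and
# addresses are the thread's placeholders, not real hosts. The last three
# lines are an added single-upstream case that is NOT the dnsmasq race.
SAMPLE = """\
15:36:49.835378 IP my.natted.server.17990 > ns01.my-isp.com.domain: 65330+ A? ns01.my-isp.com. (35)
15:36:49.835391 IP my.natted.server.17990 > ns02.my-isp.com.domain: 65330+ A? ns01.my-isp.com. (35)
15:36:49.863241 IP ns02.my-isp.com.domain > my.natted.server.17990: 65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867784 IP ns01.my-isp.com.domain > my.natted.server.17990: 65330 1/0/0 A 71.10.216.1 (51)
15:36:49.867804 IP my.natted.server > ns01.my-isp.com: ICMP my.natted.server udp port 17990 unreachable, length 87
15:41:50.958340 IP my.natted.server.54406 > ns01.my-isp.com.domain: 21145+ A? www.apple.com. (31)
15:41:50.987324 IP ns01.my-isp.com.domain > my.natted.server.54406: 21145 4/0/0 A 23.36.67.187 (182)
15:50:01.000000 IP my.natted.server.60001 > ns01.my-isp.com.domain: 40001+ A? example.com. (29)
15:50:01.020000 IP ns01.my-isp.com.domain > my.natted.server.60001: 40001 1/0/0 A 192.0.2.10 (45)
15:50:01.020100 IP my.natted.server > ns01.my-isp.com: ICMP my.natted.server udp port 60001 unreachable, length 73
"""

QUERY = re.compile(r"^\S+ IP (?P<src>\S+)\.(?P<port>\d+) > (?P<ns>\S+)\.domain: (?P<qid>\d+)\+ ")
REPLY = re.compile(r"^\S+ IP (?P<ns>\S+)\.domain > (?P<dst>\S+)\.(?P<port>\d+): (?P<qid>\d+) ")
ICMP = re.compile(r"ICMP \S+ udp port (?P<port>\d+) unreachable")

def classify(capture):
    """Return {source port: verdict} for every upstream query in the capture."""
    flows = defaultdict(lambda: {"qid": None, "sent_to": set(),
                                 "answered_by": set(), "icmp": 0})
    for line in capture.splitlines():
        if m := QUERY.match(line):
            f = flows[m["port"]]
            f["qid"] = m["qid"]            # same ID is reused for every upstream
            f["sent_to"].add(m["ns"])
        elif m := REPLY.match(line):
            f = flows[m["port"]]
            if m["qid"] == f["qid"]:       # ignore replies carrying a foreign ID
                f["answered_by"].add(m["ns"])
        elif m := ICMP.search(line):
            flows[m["port"]]["icmp"] += 1
    verdicts = {}
    for port, f in flows.items():
        if f["icmp"] == 0:
            verdicts[port] = "normal"
        elif (len(f["sent_to"]) > 1 and len(f["answered_by"]) > 1
              and f["icmp"] == len(f["answered_by"]) - 1):
            # the race Simon describes: one winner, each later reply bounces
            verdicts[port] = "benign dnsmasq upstream race"
        else:
            verdicts[port] = "unexplained port unreachable"
    return verdicts
```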
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss