[Dnsmasq-discuss] No caching unless recursion enabled?
bob tatus
2016-01-21 23:16:35 UTC
Hi there,

I've been using Dnsmasq for a few days now with no problems; it was caching well and helping a lot.

Yesterday I disabled recursive DNS queries on my DNS server (Bind 9), as this is not required within the environment. Since doing this, it appears that the caching is no longer working correctly.

To test, I enabled recursion once more and the cache hit rate started climbing again, and I saw significantly fewer queries being logged on the Bind server, confirming that this was the issue.

I've checked the man page but have not found anything about this. I need to have recursive DNS queries disabled on the DNS server and still have the clients that use this DNS server cache the queries received with Dnsmasq.

The DNS server in question is authoritative for the queries that I want to cache so there should not be any need for recursive DNS.

Thanks, Robert.
Matthias Andree
2016-01-23 02:03:21 UTC
On 22.01.2016 at 00:16, bob tatus wrote:
>
> Hi there,
>
> I've been using Dnsmasq for a few days now with no problems, it was
> caching well and helping a lot.
>
> Yesterday I disabled recursive DNS queries on my DNS server (Bind 9) as
> this is not required within the environment, since doing this it appears
> that the caching is no longer working correctly.

Which version of dnsmasq are you using?
bob tatus
2016-01-24 22:11:27 UTC
The current package installed lists as 2.66-14.el7_1, which I believe is latest for CentOS 7.

I'm using this via NetworkManager; that is, I've enabled dnsmasq via the /etc/NetworkManager/NetworkManager.conf file. I'm not sure if this matters much compared to using the standalone service.

> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-***@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Matthias Andree
2016-01-25 00:20:11 UTC
On 24.01.2016 at 23:11, bob tatus wrote:
> The current package installed lists as 2.66-14.el7_1, which I believe is
> latest for CentOS 7.
>
> I'm using this via NetworkManager, that is I've enabled dnsmasq via the
> /etc/NetworkManager/NetworkManager.conf file, not sure if this matters
> much compared to using the stand alone service.
>

Even if it's the "latest [package] for CentOS 7", it appears to be a
quite dated version. This isn't surprising for enterprise-like distros
with long-term "support", but see for yourself if the changelog (link
below) contains anything that might have to do with your problem. If it
does, you may want to try building the latest version from source and
give that a spin.

<http://thekelleys.org.uk/dnsmasq/CHANGELOG>
bob tatus
2016-01-25 01:39:58 UTC
Interesting, it looks like as of 2.61 this was added:

"Don't cache data from non-recursive nameservers, since it
may erroneously look like a valid CNAME to a non-existent
name."

So it seems like this may be intended behaviour? If this is the case, is there any possible option to allow caching from a non-recursive nameserver, as this is desirable behaviour in our environment?

Simon Kelley
2016-01-23 09:24:08 UTC
On 21/01/16 23:16, bob tatus wrote:
>
> Hi there,
>
> I've been using Dnsmasq for a few days now with no problems, it
> was caching well and helping a lot.
>
> Yesterday I disabled recursive DNS queries on my DNS server (Bind
> 9) as this is not required within the environment, since doing this
> it appears that the caching is no longer working correctly.
>
> To test I enabled recursion once more and the cache hit rate
> started climbing again and I saw significantly less queries being
> logged on the bind server, confirming that this was the issue.
>
> I've checked the man page but have not found anything about this?
> I need to have recursive DNS queries disabled on the DNS server
> and still have the clients that use this DNS server cache the
> queries received with Dnsmasq.
>
> The DNS server in question is authoritative for the queries that I
> want to cache so there should not be any need for recursive DNS.
>
> Thanks, Robert.

I just looked in the current code, and there's nothing obvious that
would account for this effect.

I would note that not having recursion available on _any_ server used
by dnsmasq as an upstream is unwise. It may work but it will be
fragile. The most obvious case is if you add a CNAME to the
authoritative zone which points outside it. Dnsmasq will not look up
the target of the CNAME, it relies on the upstream server to do that,
and if the upstream server doesn't (because recursion is disabled)
then you'll get a valid but wrong answer.

Cheers,

Simon.

bob tatus
2016-01-24 22:25:51 UTC
Hi Simon,

The records that I am looking up are all A records, no CNAMEs in use here; I've confirmed this by performing a dig against the Bind server for queries that were missing the cache with recursion disabled. Additionally, if I perform a tcpdump I can see the requests listed as "A?" and "AAAA?", while the named logs show "A +" and "AAAA +" in the query logs.

Technically the Bind server does have recursion enabled; however, it is only allowed from a single IP address, that is, the IP address of a Squid proxy server.

This allows clients in the network to browse the Internet via the Squid proxy, as the Squid proxy server will still be able to perform recursive DNS queries for random domains on the Internet. The point of this configuration is to prevent all other client systems in the network from otherwise resolving external DNS, which has been done as a security measure.

On the Bind server, as soon as I put in the "allow-recursion { Squid-IP; };" value, the query log on this Bind server gets absolutely smashed due to the amount of DNS queries coming in that are no longer being cached. These queries are all for A records of other internal systems on the local network, so prime candidates for caching.

As soon as I comment this out and restart the named service (thereby allowing recursion from any host), the DNS query logs drop off completely, as does the tcpdump port 53 traffic, and I can see the cache hits of dnsmasq rising quickly.

Thanks.

Simon Kelley
2016-01-25 22:02:43 UTC
The no-caching behaviour is provided by this code, at the end of
extract_addresses() in rfc1035.c


    /* Don't put stuff from a truncated packet into the cache.
       Don't cache replies from non-recursive nameservers, since we may get a
       reply containing a CNAME but not its target, even though the target
       does exist. */
    if (!(header->hb3 & HB3_TC) &&
        !(header->hb4 & HB4_CD) &&
        (header->hb4 & HB4_RA) &&
        !no_cache_dnssec)
      cache_end_insert();



Removing the

(header->hb4 & HB4_RA) &&

line will provide the behaviour you're seeking. I don't propose to
make this change in the distributed dnsmasq code.



Cheers,

Simon.


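To make the condition Simon quotes concrete, here is an added example (not dnsmasq's own code and not from the thread) that decodes the flag bytes of a DNS reply header and applies the same cacheability test: truncated (TC), checking-disabled (CD) and no-recursion-available (RA clear) replies are rejected, exactly as in extract_addresses(). The bit masks follow the RFC 1035 header layout and the names mirror dnsmasq's HB3_/HB4_ constants; the length and QR checks, the enum, the two 12-byte reply headers and the dig-style flag renderer are all my own additions, and both headers are constructed samples rather than captured traffic.

```c
/* Added example, not dnsmasq code: decide whether a DNS reply would be
 * cached under the rule at the end of dnsmasq's extract_addresses(). */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Third and fourth header bytes, RFC 1035 section 4.1.1 (same masks as
 * dnsmasq's dns-protocol.h). */
#define HB3_QR 0x80
#define HB3_AA 0x04
#define HB3_TC 0x02
#define HB3_RD 0x01
#define HB4_RA 0x80
#define HB4_AD 0x20
#define HB4_CD 0x10

#define DNS_HEADER_LEN 12

enum cache_decision {
    CACHE_OK = 0,        /* every condition met: dnsmasq would insert it   */
    NO_CACHE_SHORT,      /* shorter than a DNS header (my sanity check)    */
    NO_CACHE_NOT_REPLY,  /* QR clear: a query, not a reply (my check)      */
    NO_CACHE_TRUNCATED,  /* TC set                                         */
    NO_CACHE_CD,         /* CD set                                         */
    NO_CACHE_NO_RA,      /* RA clear: upstream did not offer recursion     */
    NO_CACHE_DNSSEC      /* caller's no_cache_dnssec flag                  */
};

/* Mirrors the quoted predicate; returns the first failing condition. */
enum cache_decision decide_cache(const uint8_t *pkt, size_t len, int no_cache_dnssec)
{
    if (len < DNS_HEADER_LEN)
        return NO_CACHE_SHORT;
    uint8_t hb3 = pkt[2], hb4 = pkt[3];
    if (!(hb3 & HB3_QR))
        return NO_CACHE_NOT_REPLY;
    if (hb3 & HB3_TC)
        return NO_CACHE_TRUNCATED;
    if (hb4 & HB4_CD)
        return NO_CACHE_CD;
    if (!(hb4 & HB4_RA))
        return NO_CACHE_NO_RA;
    if (no_cache_dnssec)
        return NO_CACHE_DNSSEC;
    return CACHE_OK;
}

const char *cache_decision_str(enum cache_decision d)
{
    switch (d) {
    case CACHE_OK:           return "cached";
    case NO_CACHE_SHORT:     return "not cached: shorter than a DNS header";
    case NO_CACHE_NOT_REPLY: return "not cached: QR clear, not a reply";
    case NO_CACHE_TRUNCATED: return "not cached: TC set (truncated)";
    case NO_CACHE_CD:        return "not cached: CD set";
    case NO_CACHE_NO_RA:     return "not cached: RA clear (upstream refused recursion)";
    case NO_CACHE_DNSSEC:    return "not cached: no_cache_dnssec set";
    }
    return "unknown";
}

/* Render the header flags the way dig's ";; flags:" line does, e.g.
 * "qr aa rd ra". Returns the string length, or -1 on error. */
int dns_flags_string(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    if (len < DNS_HEADER_LEN || outlen == 0)
        return -1;
    uint8_t hb3 = pkt[2], hb4 = pkt[3];
    const char *names[] = { "qr", "aa", "tc", "rd", "ra", "ad", "cd" };
    int set[] = { hb3 & HB3_QR, hb3 & HB3_AA, hb3 & HB3_TC, hb3 & HB3_RD,
                  hb4 & HB4_RA, hb4 & HB4_AD, hb4 & HB4_CD };
    size_t pos = 0;
    out[0] = '\0';
    for (int i = 0; i < 7; i++) {
        if (!set[i])
            continue;
        int n = snprintf(out + pos, outlen - pos, "%s%s", pos ? " " : "", names[i]);
        if (n < 0 || (size_t)n >= outlen - pos)
            return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Two constructed reply headers: ID 0x1234, 1 question, 1 answer, RCODE 0.
 * The first is what a recursive upstream returns; the second is the same
 * authoritative answer with RA clear, as seen from a client that the
 * upstream does not permit recursion for. */
static const uint8_t reply_from_recursive[DNS_HEADER_LEN] = {
    0x12, 0x34, HB3_QR | HB3_AA | HB3_RD, HB4_RA,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t reply_from_auth_only[DNS_HEADER_LEN] = {
    0x12, 0x34, HB3_QR | HB3_AA | HB3_RD, 0x00,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    const uint8_t *samples[] = { reply_from_recursive, reply_from_auth_only };
    const char *labels[] = { "recursive upstream", "authoritative-only upstream" };
    char flags[64];
    for (int i = 0; i < 2; i++) {
        dns_flags_string(samples[i], DNS_HEADER_LEN, flags, sizeof flags);
        printf("%-28s flags: %-12s -> %s\n", labels[i], flags,
               cache_decision_str(decide_cache(samples[i], DNS_HEADER_LEN, 0)));
    }
    return 0;
}
```

The same flags appear on the ";; flags:" line of dig output when you query the upstream directly from a dnsmasq host; if "ra" is missing there, which is what the thread's Bind setup produces for clients outside allow-recursion, dnsmasq 2.61 and later will forward every query and cache nothing, regardless of whether the answer involves a CNAME.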
Brad Morgan
2016-01-25 23:01:54 UTC
> /* Don't put stuff from a truncated packet into the cache.
> Don't cache replies from non-recursive nameservers, since we may get a
> reply containing a CNAME but not its target, even though the target
> does exist. */
> if (!(header->hb3 & HB3_TC) &&
> !(header->hb4 & HB4_CD) &&
> (header->hb4 & HB4_RA) &&
> !no_cache_dnssec)
> cache_end_insert();

> Removing the
> (header->hb4 & HB4_RA) &&
> line will provide the behaviour you're seeking. I don't propose to make
> this change in the distributed dnsmasq code.

I'd suggest adding a comment to the end of that line that reminds anyone
what removing it does (and then not removing the line but commenting it
out).

Brad
bob tatus
2016-01-27 03:49:32 UTC
Thanks for that. So essentially I need to download the source code, modify it and recompile? There is no simple way for me to otherwise do this with my current installation, as that isn't really an option in this environment. A configuration option to enable this would be great, but I understand that you don't want to add this.

In that case I may look at placing the top entries I need in /etc/hosts as it will cache these results and that will do what I need as a last resort.

Thanks for the help.

Simon Kelley
2016-02-03 20:09:06 UTC
On 27/01/16 03:49, bob tatus wrote:
> Thanks for that, so essentially I need to download the source code,
> modify and recompile? There is no simple way for me to otherwise do
> this with my current installation, as that isn't really an option in
> this environment. A configuration option to enable this would be
> great, but understand that you don't want to add this.

I don't want to add it, and even if I did that wouldn't help you if you
need to use the existing installation.
>
> In that case I may look at placing the top entries I need in
> /etc/hosts as it will cache these results and that will do what I
> need as a last resort.

Can't you arrange for your authoritative server to set the RA bit in its
answer?

Cheers,

Simon.


