-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DNS - wrong "No such name" answer #202
Comments
Thanks for the report! I think the high-level sequence is:
The detailed trace is: VM sends query
Host forwards query
Host receives response for earlier AAAA IPv6 query (packet 876)
The Host sends the query again, 1 time every second. It looks like the upstream server isn't responding.
The no such name response is sent after 5s of failure. At this point the VM's resolver would probably have given up
Since the upstream resolver has failed to respond it has now been marked offline. This is to fix the scenario where the priority 1 server is offline (e.g. the VPN is down) but the priority 2 server is online and every lookup takes 5s. The next query arrives and fails immediately. Note however we do send a request to the upstream server, and if it ever responds we will mark the server as online again.
The VM's resolver has now given up and is trying to use other search domains:
We start receiving responses from the upstream 1s later:
So I think in this case there was a period of time from 378.78s - 384.79s (6s) where the upstream server didn't respond. A Linux resolver will often timeout after about 5s anyway, and we see the queries for the I think this glitch was genuinely caused by the upstream DNS server failing. We normally try to suppress these errors by caching, but the TTLs on the records is only 45s so the caching isn't very effective. |
Shouldn't we behave like a timeouting dns server on this case ? Instead of failing to resolve ? |
Yeah I agree - it would probably be better to send no reply in this case. I'll take a look at the DNS forwarding code. |
This restores the previous behaviour of sending no response rather than NXDomain by default. Fixes moby#202 Signed-off-by: David Scott <dave.scott@docker.com>
dns.zip
Attached is a vpnkit capture/dns.pcap file when a dns request has failed.
By analyzing the logs, you'll se that query with 0x8f82 (message number 878) is answered with
No such name
on message 888 and 889 before the upstream dns server has had any chance to answer that (on message 913 - with correct records).The text was updated successfully, but these errors were encountered: