Node-local DNS resolver often responds extremely slowly

[RalfJung]

Bug report

What is the problem?

DNS queries to the DNS resolver on the node are often taking a long while to be answered.

I am repeatedly executing the following on a client connected to the node:

dig @fd4e:f2d7:88d2:ffff::1 ralfj.de

where fd4e:f2d7:88d2:ffff::1 is the "next node" anycast IP. This command sometimes comes back immediately, sometimes it comes back after several seconds, and sometimes it times out after several seconds (all of these cases seem very roughly equally likely).
After the initial query, even when the answer takes several seconds, there is no DNS traffic on the tunnel between the node and the gateway. The link between the client and the node is a Linux bridge; both of these are just VMs on the same host and hence there should be 0 packet loss. I see the same behavior when talking to a real node over a WiFi link.

When I do nslookup ralfj.de on the node locally, the answer always comes back immediately. Also when I do dig @fd4e:f2d7:88d2:ffff::101 ralfj.de, which sends the query to one of our gateways, the answer comes back immediately -- so the network connection(s) all seem fine.

What is the expected behaviour?

The DNS reply should come back with decent latency (<50ms, say).

Gluon Version:

v2018.2

Site Configuration:

https://git.hacksaar.de/FreifunkSaar/gluon-site/blob/e2a66b1a461f95a80ee9483c9dfca96fe6fb2b36/site.conf

Custom patches:

None.

[mweinelt]

I don't seem to be able to reproduce this, but I'm testing against a TL-WR4900v1, so my milage may vary. What devices have you been experiencing this on?

[RalfJung]

I have experienced this on a TL-WDR4300 v1, as well as an x86 VM running on my laptop.

[RalfJung]

It might be reproducible for you with this VM image? https://mgmt.saar.freifunk.net/firmware/stable/factory/gluon-ffsaar-1.7.2-x86-64.img.gz

[RalfJung]

FWIW, I installed tcpdump on my virtual node, and I can see the DNS packets arriving locally -- and no answer being sent.

Is it possible that there is some kind of rate limiting in effect? The first query pretty much always works, so it feels a bit like very aggressive rate limiting.

[mweinelt]

Just tried and I can reproduce the issue with your image. This is something I don't see on our routers running Gluon master or next. The upstream nameservers do reply consistently. The dnsmasq config does not differ between your image and ours.

[rubo77]

@RalfJung on which gluonSource your firmware is built? can you build an ffsaar firmware on master and reproduce it there?

[RalfJung]

That firmware is built with Gluon v2018.2. I tried master, but the problem remains.

[rubo77]

So it must be related to some packages you use in ffsaar. Which is the exact site Configuration you used?

[neocturne]

@RalfJung Do all 4 upstream servers work fine? In the description you only mention the first one.

[mweinelt]

@RalfJung Do all 4 upstream servers work fine? In the description you only mention the first one.

I checked all upstream nameservers multiple times and they looked fine.

[RalfJung]

Also from what I see in the Wireshark log, the node will actually send out queries to all 4 upstream name servers in parallel and then use whatever answer comes back first.

[RalfJung]

I tried disabling a bunch of packages, down to:

GLUON_FEATURES := \
	autoupdater \
	mesh-batman-adv-15 \
	mesh-vpn-tunneldigger \
	radvd

That does not fix the problem. I feel the rate of successful queries increased a bit, but there's certainly still tons of failing queries.

[csamsel]

Also from what I see in the Wireshark log, the node will actually send out queries to all 4 upstream name servers in parallel and then use whatever answer comes back first.

this behavior is activated by --all-servers (or all-servers in dnsmasq.conf) which isnt present on my v2018.2 node.

[RalfJung]

this behavior is activated by --all-servers (or all-servers in dnsmasq.conf) which isnt present on my v2018.2 node.

Where would I check this?