Maik Zumstrull wrote:
> Package: unbound
> Version: 1.4.10-1
> Severity: normal
> 
> I've noticed this on my home router, which has a fairly fresh dnsmasq.
> Apparently, unbound can't resolve through this and just SERVFAILs for
> everything. Obviously, this is primarily a problem in dnsmasq (I
> assume). But since dnsmasq is in tons of home routers and unbound uses
> forwarding by default in Debian, I think it's important to have a
> workaround in place.

it would be useful if you could get a packet trace of the failure.
run something like:

# tcpdump -s1518 -pni any -w dnsmasq-failure.pcap 'tcp port 53 or udp port 53'

and send the pcap file to this bug report.  (unfortunately that bpf
expression will miss non-initial UDP fragments but that's not all that
important for tracking this down.)

> I think a good solution would be for unbound to detect when it can't
> reliably resolve through one of the forwarding hosts and stop using
> it, falling back to normal recursion if they all end up being dropped.
> Ideally, this would happen before the user experiences lookup failures,
> for example by immediately resolving a bunch of well-known hosts after
> adding new forwarders, so that they will already be dropped with a high
> probability if they are broken.

this problem affects not only unbound, so unbound isn't really the right
place to implement a hack like that.  the reality is that just about
every public wifi access point intercepts and mangles DNS packets in
some fashion.

detecting whether an internet link is safe for full recursive and/or
forwarding-only DNS/DNSSEC operation is an interesting problem.  there
has been a little bit of work in this area -- e.g., windows 7's "network
awareness" feature does a simple DNS lookup and checks for an expected
answer, and there is an "ldns-test-edns" utility in the ldnsutils
package which checks if a recursive server is EDNS/DNSSEC transparent.
but a more comprehensive, stand-alone test utility/library would be a
useful thing to have, and it could hopefully be integrated into
resolvconf or the system's network interface manager.

-- 
Robert Edmonds
edmo...@debian.org

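As an added example (not part of this bug report, nor code from unbound or ldns), here is a minimal EDNS transparency probe in the spirit of the ldns-test-edns check mentioned above: it builds an A query carrying an EDNS0 OPT record with the DO bit and classifies the reply by whether the OPT record came back and by the rcode. `mock_reply` is a constructed stand-in for a resolver so the block runs offline; against a real forwarder you would send `build_edns_query(...)` over UDP port 53 and hand the received bytes to `classify_response`.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_edns_query(name, qid=0x1234, udp_size=4096):
    """A/IN query for `name` with an EDNS0 OPT RR carrying the DO bit, as ldns-test-edns sends."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = qname + struct.pack(">HH", 1, 1)  # qtype A, qclass IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode/version/flags (DO = 0x8000)
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0x8000, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def classify_response(msg):
    """Verdict on whether the EDNS0 OPT RR and DO bit survived the round trip."""
    flags, qd, an, ns, ar = struct.unpack(">HHHHH", msg[2:12])
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip qtype/qclass
    has_opt = do_bit = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 41:
            has_opt, do_bit = True, bool(ttl & 0x8000)
        off += 10 + rdlen
    if rcode in ("FORMERR", "NOTIMP"):  # resolver or middlebox rejects EDNS outright
        return "edns-not-supported"
    if rcode == "SERVFAIL":  # the symptom described in the bug report
        return "servfail"
    return "edns-stripped" if not has_opt else "edns-transparent" + ("-do" if do_bit else "")

def mock_reply(query, rcode=0, keep_opt=True):
    """Constructed reply for offline testing: echo the question, set QR/RA, optionally drop OPT."""
    qid, _flags, qd, an, ns, ar = struct.unpack(">HHHHHH", query[:12])
    body = query[12:]
    if not keep_opt:
        body, ar = body[:-11], 0  # the OPT RR built above is 11 bytes and last in the message
    return struct.pack(">HHHHHH", qid, 0x8180 | rcode, qd, an, ns, ar) + body
```

A forwarder that answers "edns-stripped" or "edns-not-supported" is one a DNSSEC-validating unbound cannot reliably resolve through, which is the kind of condition the proposed link test would flag before the user sees lookup failures.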