Wednesday, December 10, 2014

Oddities of dnsmasq when used with IPv6 resolvers

# dnsmasq --version
Dnsmasq version 2.68  Copyright (c) 2000-2013 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth

# md5sum dnsmasq*
8a704b6aa977df9485b3faf940cc5e35  dnsmasq_2.68-1_all.deb
60bafb9b863671bb02595505a447270c  dnsmasq-base_2.68-1_amd64.deb

There was an odd "[icmp6 sum ok] ICMP6, destination unreachable, unreachable port" packet going out from my server every time a DNS reply was received. It turns out this was because dnsmasq's IPv6 support is buggy.


I ended up adding the following to /etc/dnsmasq.d/10-custom to get the desired functionality.
no-resolv
domain-needed
bogus-priv
filterwin2k
neg-ttl=15
max-ttl=300
all-servers
server=8.8.8.8@eth0
server=2001:4860:4860::8844@eth0
server=74.82.42.42@eth0
server=2001:470:20::2@eth0
server=208.67.222.222@eth0
server=2620:0:ccc::2@eth0
bind-dynamic
except-interface=eth0

The important part is adding "@eth0" after each DNS resolver used. See below for quick tests of how the different options interact with each other.

No @eth0 suffix after server IP, no query-port.
FAILURE. Sends ICMPv6 destination unreachable reply to every IPv6 DNS reply.
22:46:59.224238 IP (tos 0x0, ttl 64, id 23258, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.11128 > 8.8.8.8.53: [bad udp cksum 0xbb54 -> 0xad15!] 7568+ A? www.sci.fi. (28)
22:46:59.224286 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.34717 > 2001:4860:4860::8844.53: [udp sum ok] 7568+ A? www.sci.fi. (28)
22:46:59.224296 IP (tos 0x0, ttl 64, id 47919, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.11128 > 74.82.42.42.53: [bad udp cksum 0x1fc1 -> 0x48a9!] 7568+ A? www.sci.fi. (28)
22:46:59.224308 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.34717 > 2001:470:20::2.53: [udp sum ok] 7568+ A? www.sci.fi. (28)
22:46:59.224316 IP (tos 0x0, ttl 64, id 20055, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.11128 > 208.67.222.222.53: [bad udp cksum 0x5a67 -> 0x0e03!] 7568+ A? www.sci.fi. (28)
22:46:59.224329 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.34717 > 2620:0:ccc::2.53: [udp sum ok] 7568+ A? www.sci.fi. (28)
22:46:59.229187 IP (tos 0x0, ttl 58, id 29374, offset 0, flags [DF], proto UDP (17), length 72)
    74.82.42.42.53 > 193.64.26.195.11128: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:46:59.229547 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2001:470:20::2.53 > 2a01:512:53f:ffa1::2.34717: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:46:59.229564 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 100) 2a01:512:53f:ffa1::2 > 2001:470:20::2: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2a01:512:53f:ffa1::2 udp port 34717
22:46:59.235430 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2620:0:ccc::2.53 > 2a01:512:53f:ffa1::2.34717: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:46:59.235465 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 100) 2a01:512:53f:ffa1::2 > 2620:0:ccc::2: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2a01:512:53f:ffa1::2 udp port 34717
22:46:59.239554 IP6 (hlim 54, next-header UDP (17) payload length: 52) 2001:4860:4860::8844.53 > 2a01:512:53f:ffa1::2.34717: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:46:59.239588 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 100) 2a01:512:53f:ffa1::2 > 2001:4860:4860::8844: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2a01:512:53f:ffa1::2 udp port 34717
22:46:59.243329 IP (tos 0x0, ttl 54, id 27121, offset 0, flags [none], proto UDP (17), length 72)
    8.8.8.8.53 > 193.64.26.195.11128: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:46:59.243366 IP (tos 0xc0, ttl 64, id 50773, offset 0, flags [none], proto ICMP (1), length 100)
    193.64.26.195 > 8.8.8.8: ICMP 193.64.26.195 udp port 11128 unreachable, length 80
        IP (tos 0x0, ttl 54, id 27121, offset 0, flags [none], proto UDP (17), length 72)
    8.8.8.8.53 > 193.64.26.195.11128: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:46:59.264768 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    208.67.222.222.53 > 193.64.26.195.11128: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:46:59.264802 IP (tos 0xc0, ttl 64, id 14363, offset 0, flags [none], proto ICMP (1), length 100)
    193.64.26.195 > 208.67.222.222: ICMP 193.64.26.195 udp port 11128 unreachable, length 80
        IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    208.67.222.222.53 > 193.64.26.195.11128: [udp sum ok] 7568 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)


No @eth0 suffix after server IP, query-port=5353.
FAILURE. Disables IPv6 completely.
22:47:23.764518 IP (tos 0x0, ttl 64, id 27498, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.5353 > 8.8.8.8.53: [bad udp cksum 0xbb54 -> 0xccde!] 5206+ A? www.sci.fi. (28)
22:47:23.764530 IP (tos 0x0, ttl 64, id 50557, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.5353 > 74.82.42.42.53: [bad udp cksum 0x1fc1 -> 0x6872!] 5206+ A? www.sci.fi. (28)
22:47:23.764534 IP (tos 0x0, ttl 64, id 23313, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.5353 > 208.67.222.222.53: [bad udp cksum 0x5a67 -> 0x2dcc!] 5206+ A? www.sci.fi. (28)
22:47:23.769570 IP (tos 0x0, ttl 58, id 29375, offset 0, flags [DF], proto UDP (17), length 72)
    74.82.42.42.53 > 193.64.26.195.5353: [udp sum ok] 5206 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:47:23.769932 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    208.67.222.222.53 > 193.64.26.195.5353: [udp sum ok] 5206 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:47:23.770630 IP (tos 0x0, ttl 54, id 6705, offset 0, flags [none], proto UDP (17), length 72)
    8.8.8.8.53 > 193.64.26.195.5353: [udp sum ok] 5206 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)


@eth0 suffix after server IP, query-port=5353 (but is ignored).
FAILURE. Ignores query-port parameter.
22:47:55.130396 IP (tos 0x0, ttl 64, id 30110, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.41960 > 8.8.8.8.53: [bad udp cksum 0xbb54 -> 0x75aa!] 56458+ A? www.sci.fi. (28)
22:47:55.130447 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.37393 > 2001:4860:4860::8844.53: [udp sum ok] 56458+ A? www.sci.fi. (28)
22:47:55.130453 IP (tos 0x0, ttl 64, id 55884, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.41960 > 74.82.42.42.53: [bad udp cksum 0x1fc1 -> 0x113e!] 56458+ A? www.sci.fi. (28)
22:47:55.130461 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.37393 > 2001:470:20::2.53: [udp sum ok] 56458+ A? www.sci.fi. (28)
22:47:55.130467 IP (tos 0x0, ttl 64, id 25341, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.41960 > 208.67.222.222.53: [bad udp cksum 0x5a67 -> 0xd697!] 56458+ A? www.sci.fi. (28)
22:47:55.130484 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.37393 > 2620:0:ccc::2.53: [udp sum ok] 56458+ A? www.sci.fi. (28)
22:47:55.135353 IP (tos 0x0, ttl 58, id 29376, offset 0, flags [DF], proto UDP (17), length 72)
    74.82.42.42.53 > 193.64.26.195.41960: [udp sum ok] 56458 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:47:55.135756 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2001:470:20::2.53 > 2a01:512:53f:ffa1::2.37393: [udp sum ok] 56458 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:47:55.136123 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    208.67.222.222.53 > 193.64.26.195.41960: [udp sum ok] 56458 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:47:55.141500 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2620:0:ccc::2.53 > 2a01:512:53f:ffa1::2.37393: [udp sum ok] 56458 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:47:55.145765 IP6 (hlim 54, next-header UDP (17) payload length: 52) 2001:4860:4860::8844.53 > 2a01:512:53f:ffa1::2.37393: [udp sum ok] 56458 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:47:55.149546 IP (tos 0x0, ttl 54, id 30669, offset 0, flags [none], proto UDP (17), length 72)
    8.8.8.8.53 > 193.64.26.195.41960: [udp sum ok] 56458 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)


@eth0 suffix after server IP, no query-port.
SUCCESS.
22:48:14.816804 IP (tos 0x0, ttl 64, id 33758, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.42019 > 8.8.8.8.53: [bad udp cksum 0xbb54 -> 0x7da2!] 54359+ A? www.sci.fi. (28)
22:48:14.816839 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.49149 > 2001:4860:4860::8844.53: [udp sum ok] 54359+ A? www.sci.fi. (28)
22:48:14.816848 IP (tos 0x0, ttl 64, id 60023, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.42019 > 74.82.42.42.53: [bad udp cksum 0x1fc1 -> 0x1936!] 54359+ A? www.sci.fi. (28)
22:48:14.816858 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.49149 > 2001:470:20::2.53: [udp sum ok] 54359+ A? www.sci.fi. (28)
22:48:14.816866 IP (tos 0x0, ttl 64, id 28309, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.42019 > 208.67.222.222.53: [bad udp cksum 0x5a67 -> 0xde8f!] 54359+ A? www.sci.fi. (28)
22:48:14.816875 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.49149 > 2620:0:ccc::2.53: [udp sum ok] 54359+ A? www.sci.fi. (28)
22:48:14.821837 IP (tos 0x0, ttl 58, id 29377, offset 0, flags [DF], proto UDP (17), length 72)
    74.82.42.42.53 > 193.64.26.195.42019: [udp sum ok] 54359 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:48:14.822242 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2001:470:20::2.53 > 2a01:512:53f:ffa1::2.49149: [udp sum ok] 54359 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:48:14.822480 IP (tos 0x0, ttl 58, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    208.67.222.222.53 > 193.64.26.195.42019: [udp sum ok] 54359 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:48:14.827779 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2620:0:ccc::2.53 > 2a01:512:53f:ffa1::2.49149: [udp sum ok] 54359 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:48:14.833073 IP6 (hlim 54, next-header UDP (17) payload length: 52) 2001:4860:4860::8844.53 > 2a01:512:53f:ffa1::2.49149: [udp sum ok] 54359 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:48:14.835383 IP (tos 0x0, ttl 54, id 47595, offset 0, flags [none], proto UDP (17), length 72)
    8.8.8.8.53 > 193.64.26.195.42019: [udp sum ok] 54359 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)


@eth0#5353 suffix after server IP, no query-port.
FAILURE. Disables IPv4 completely.
22:49:45.408290 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.5353 > 2001:4860:4860::8844.53: [udp sum ok] 51290+ A? www.sci.fi. (28)
22:49:45.408303 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.5353 > 2001:470:20::2.53: [udp sum ok] 51290+ A? www.sci.fi. (28)
22:49:45.408308 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.5353 > 2620:0:ccc::2.53: [udp sum ok] 51290+ A? www.sci.fi. (28)
22:49:45.413381 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2001:470:20::2.53 > 2a01:512:53f:ffa1::2.5353: [udp sum ok] 51290 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:49:45.419319 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2620:0:ccc::2.53 > 2a01:512:53f:ffa1::2.5353: [udp sum ok] 51290 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:49:45.423861 IP6 (hlim 54, next-header UDP (17) payload length: 52) 2001:4860:4860::8844.53 > 2a01:512:53f:ffa1::2.5353: [udp sum ok] 51290 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)


@eth0#53535 suffix after IPv4 servers, @eth0#5353 suffix after IPv6 servers, no query-port.
SUCCESS.
22:51:12.724621 IP (tos 0x0, ttl 64, id 449, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.53535 > 8.8.8.8.53: [bad udp cksum 0xbb54 -> 0xb36a!] 29075+ A? www.sci.fi. (28)
22:51:12.724662 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.5353 > 2001:4860:4860::8844.53: [udp sum ok] 29075+ A? www.sci.fi. (28)
22:51:12.724667 IP (tos 0x0, ttl 64, id 14070, offset 0, flags [DF], proto UDP (17), length 56)
    193.64.26.195.53535 > 74.82.42.42.53: [bad udp cksum 0x1fc1 -> 0x4efe!] 29075+ A? www.sci.fi. (28)
22:51:12.724675 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.5353 > 2001:470:20::2.53: [udp sum ok] 29075+ A? www.sci.fi. (28)
22:51:12.724682 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2a01:512:53f:ffa1::2.5353 > 2620:0:ccc::2.53: [udp sum ok] 29075+ A? www.sci.fi. (28)
22:51:12.729741 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2001:470:20::2.53 > 2a01:512:53f:ffa1::2.5353: [udp sum ok] 29075 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:51:12.729853 IP (tos 0x0, ttl 58, id 29378, offset 0, flags [DF], proto UDP (17), length 72)
    74.82.42.42.53 > 193.64.26.195.53535: [udp sum ok] 29075 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:51:12.736056 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2620:0:ccc::2.53 > 2a01:512:53f:ffa1::2.5353: [udp sum ok] 29075 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:51:12.740655 IP6 (hlim 54, next-header UDP (17) payload length: 52) 2001:4860:4860::8844.53 > 2a01:512:53f:ffa1::2.5353: [udp sum ok] 29075 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
22:51:12.742652 IP (tos 0x0, ttl 56, id 50993, offset 0, flags [none], proto UDP (17), length 72)
    8.8.8.8.53 > 193.64.26.195.53535: [udp sum ok] 29075 q: A? www.sci.fi. 1/0/0 www.sci.fi. A 62.142.11.7 (44)
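
The checks made by eye on the captures above can be scripted. This added example (not from the original post) parses tcpdump -n -v text and reports the query source ports per address family and which resolvers were sent a port-unreachable error. The function names and the sample capture, which uses documentation addresses, are constructed for illustration.

```python
import re

# Constructed sample in `tcpdump -n -v` text format (documentation addresses,
# not the post's capture): the IPv6 reply is rejected with ICMPv6 unreachable.
SAMPLE = """\
10:00:00.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 56)
    192.0.2.10.11128 > 198.51.100.53.53: [udp sum ok] 7568+ A? example.com. (28)
10:00:00.000002 IP6 (hlim 64, next-header UDP (17) payload length: 36) 2001:db8::10.34717 > 2001:db8:53::1.53: [udp sum ok] 7568+ A? example.com. (28)
10:00:00.005000 IP (tos 0x0, ttl 58, id 2, offset 0, flags [DF], proto UDP (17), length 72)
    198.51.100.53.53 > 192.0.2.10.11128: [udp sum ok] 7568 q: A? example.com. 1/0/0 example.com. A 203.0.113.7 (44)
10:00:00.006000 IP6 (hlim 58, next-header UDP (17) payload length: 52) 2001:db8:53::1.53 > 2001:db8::10.34717: [udp sum ok] 7568 q: A? example.com. 1/0/0 example.com. A 203.0.113.7 (44)
10:00:00.006100 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 100) 2001:db8::10 > 2001:db8:53::1: [icmp6 sum ok] ICMP6, destination unreachable, unreachable port, 2001:db8::10 udp port 34717
"""

# "<src>.<port> > <resolver>.53: " marks an outgoing query.
QUERY_RE = re.compile(r"(\S+)\.(\d+) > \S+\.53: ")
# "<src> > <dst>: ... ICMP[6] ... udp port <n>" marks a rejected reply.
ICMP_RE = re.compile(r"(\S+) > (\S+): .*?ICMP6?\b.*?udp port (\d+)")

def records(capture):
    """Join indented continuation lines so each packet is one string."""
    out = []
    for line in capture.splitlines():
        if line[:1].isspace() and out:
            out[-1] += " " + line.strip()
        elif line.strip():
            out.append(line.strip())
    return out

def summarize(capture):
    """Return (query source ports per family, [(resolver, port)] sent ICMP unreachable)."""
    ports, rejected = {"v4": set(), "v6": set()}, []
    for rec in records(capture):
        icmp = ICMP_RE.search(rec) if "unreachable" in rec else None
        if icmp:
            rejected.append((icmp.group(2), int(icmp.group(3))))
        elif (q := QUERY_RE.search(rec)):
            ports["v6" if ":" in q.group(1) else "v4"].add(int(q.group(2)))
    return ports, rejected

def verdict(capture):
    """Map a capture to the outcomes seen in the tests above."""
    ports, rejected = summarize(capture)
    missing = [fam for fam in ("v4", "v6") if not ports[fam]]
    if missing:
        return "no queries over " + ", ".join(missing)
    return "replies rejected" if rejected else "ok"

if __name__ == "__main__":
    print(summarize(SAMPLE), verdict(SAMPLE))
```

Comparing the reported source ports with a configured query-port value also exposes the case where that setting is ignored.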
