At Wed, 2 Dec 2009 21:13:19 +0100, Ingolf Steinbach
<ingolf.steinbach%googlemail.com@localhost> wrote:
Subject: Resolver problems
>
> which configuration settings are necessary to avoid AAAA look-ups in
> general? v6 support has already been removed from my kernel -- no
> interface has a v6 address, but still every application which wants to
> resolve a name first asks for a AAAA record and requests the A record
> only after 15 seconds.
You could recompile the whole system without INET6 support, i.e. with
the following in /etc/mk.conf:
MKINET6 = no
USE_INET6 = no
However as others have said something else must be wrong if the AAAA
lookup doesn't immediately fail.
Indeed your trace shows something quite wrong.
> This is a typical situation:
> 20:53:27.056921 IP 192.168.2.5.65266 > 192.168.2.1.53: 21446+ AAAA?
> ftp.fr.netbsd.org. (35)
> 20:53:27.423053 IP 192.168.2.1.3072 > 192.168.2.5.65266: UDP, length 117
What's in the packet above? It would appear to be an answer to the
AAAA query right above it, but your tcpdump didn't decode it.
> 20:53:27.423129 IP 192.168.2.5 > 192.168.2.1: ICMP 192.168.2.5 udp port 65266
> unreachable, length 36
Here it looks like your client rejecting the very same port it sent the
AAAA? query from as unreachable. It should allow an answer back to that
same port.
Do you have a firewall turned on that's not setting up a connection
state entry for the query and then when the reply arrives it's sending
the port unreachable in response instead of allowing it through?
Or maybe the reply to the AAAA query really is garbled and doesn't look
like a DNS packet just as tcpdump suggests (and it also doesn't come
back with a source port of 53), so the firewall rejects it as invalid.
> 20:53:32.064586 IP 192.168.2.5.65266 > 192.168.2.1.53: 21446+ AAAA?
> ftp.fr.netbsd.org. (35)
> 20:53:32.118456 IP 192.168.2.1.3072 > 192.168.2.5.65266: UDP, length 117
> 20:53:32.118509 IP 192.168.2.5 > 192.168.2.1: ICMP 192.168.2.5 udp port 65266
> unreachable, length 36
Maybe your firewall doesn't understand the AAAA query as being a valid
DNS query so it fails to set up a flow state entry which would allow the
reply packet through.
> 20:53:42.073605 IP 192.168.2.5.65265 > 192.168.2.1.53: 21447+ A?
> ftp.fr.netbsd.org. (35)
> 20:53:42.075143 IP 192.168.2.1.53 > 192.168.2.5.65265: 21447- 1/0/0 A
> 132.227.74.11 (51)
>
> What's also unclear: what is the reason for the "port ... unreachable"
> ICMP messages?
>
> 192.168.2.5 is a freshly installed 5.0.1/i386, 192.168.2.1 is a
> (non-NetBSD) router.
Yeah, it probably doesn't understand AAAA DNS queries as valid, and it
sends some garbage error message in reply, i.e. a reply that doesn't
look like a DNS reply, and so your firewall rejects it and forces the
resolver to try again.
Maybe you should run NetBSD on your router too? :-)
Note that when I do a AAAA query to my caching server (which happens to
be "unbound" running on NetBSD-4), I get an immediate reply (within .001
seconds, if you believe the timestamps) saying that there is no such
record:
# tcpdump -vvv -s 1500 host dns2
tcpdump: listening on bge0, link-type EN10MB (Ethernet), capture size 1500 bytes
03:05:27.470777 IP (tos 0x0, ttl 64, id 12738, offset 0, flags [none], length:
60, bad cksum 0 (->b410)!) once.weird.com.62934 > dns2.weird.com.domain: [udp
sum ok] 8766+ AAAA? mail.weird.com. (32)
03:05:27.471117 IP (tos 0x0, ttl 64, id 51103, offset 0, flags [none], length:
110) dns2.weird.com.domain > once.weird.com.62934: [udp sum ok] 8766 q: AAAA?
mail.weird.com. 0/1/0 ns: weird.com. SOA ns.weird.com. hostmaster.weird.com.
2009102616 14400 7200 604800 14400 (82)
--
Greg A. Woods
Planix, Inc.
<woods%planix.com@localhost> +1 416 218 0099 http://www.planix.com/
Attachment:
pgpvN38n2uK_W.pgp
Description: PGP signature