[dnsdist] dnsdist using loopback address as source address for queries
Remi Gacogne
remi.gacogne at powerdns.com
Mon Sep 13 12:31:25 UTC 2021
Hi Adam,
On 9/10/21 00:50, Adam Bishop via dnsdist wrote:
> After running for some amount of time (seems to be days), our dnsdist
> instances suddenly start trying to talk to the backends using the
> loopback address as the source:
>
> # tcpdump -i ens192 -nn port 53 dropped privs to tcpdump tcpdump:
> verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens192, link-type EN10MB (Ethernet), capture size 262144
> bytes 22:39:07.014963 IP6 <snip>:ac10:0:ac10:2e.64975 >
> <snip>::197.53: 35980+ [1au] SOA? lbdn.domain. (45) 22:39:07.015390
> IP6 ::1.38717 > <snip>::195.53: 43034 [1au] SOA? lbdn.domain. (69)
>
> Note this is not the loopback interface - packets are being placed on
> the wire and fired off into the network with ::1 as the source
> address. This is affecting all our instances, but they don't fail
> simultaneously.
>
> Bizarrely, this only affects queries made by clients - the backend
> health check still uses the correct source address while this is
> going on. Restarting dnsdist brings them back into service.
>
> I think I can work around this by setting an explicit source IP for
> each backend - I'm suspecting that trying to talk to backends with
> the return address set to ::1 is probably a bug though!
That's very weird, I don't have any clue to what might be happening.
Would you mind sharing the whole configuration? In particular, do you
set the source interface? I would also be very interested in seeing a
strace of the process while the issue is happening.
I was initially thinking we might be getting some sort of error (perhaps
ENODEV, but that would require the network configuration being updated
under our feet) and reconnecting our sockets without updating the source
interface ID, but at a glance the health check code uses the same
interface ID.
Best regards,
--
Remi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.powerdns.com/pipermail/dnsdist/attachments/20210913/0ba76ebd/attachment.sig>
More information about the dnsdist
mailing list