Padající dnsmasq v Debianu

Padající dnsmasq v Debianu
« kdy: 03. 09. 2016, 10:59:25 »
Ahoj,
mam problem s padajicim dnsmasq na Debian 8.5 jessie. Dela mi DNS a DHCP pro asi 10 zarizeni v LAN.

Nekdy jede 2 dny v kuse, jindy 3x za den spadne.

Na hlidani pouzivam monit, takze mi vzdy prijde info mail o padu:
Kód: [Vybrat]
# cat /etc/monit/monitrc
check process dnsmasq with pidfile /var/run/dnsmasq.pid
       start program = "/usr/sbin/dnsmasq --conf-dir=/etc/dnsmasq.d"
       stop  program = "/usr/bin/killall dnsmasq"
       if failed
                host 127.0.0.1
                port 53 use type udp
                protocol dns
                with timeout 10 seconds
       then alert

Z monitu pak prijde mail a dnsmasq se znova nahodi:
Kód: [Vybrat]
Connection failed Service dnsmasq

        Date:        Sat, 03 Sep 2016 09:12:24
        Action:      alert
        Host:        localhost
        Description: failed protocol test [DNS] at INET[127.0.0.1:53] via UDP -- DNS: error receiving response -- Resource temporarily unavailable

Your faithful employee,
Monit

Otazka zni, proc se to deje. Zkousel jsem v dnsmasq zapnout co nejvice logovani:
Kód: [Vybrat]
log-dhcp
log-queries
log-facility=/var/log/dnsmasq
ale, v dobe padu jsou jen bezne DNS dotazy:
Kód: [Vybrat]
Sep  3 09:11:31 dnsmasq[19979]: forwarded play.googleapis.com to 8.8.8.8
Sep  3 09:11:31 dnsmasq[19979]: dnssec-query[DS] play.googleapis.com to 8.8.8.8
Sep  3 09:11:31 dnsmasq[19979]: dnssec-query[DS] googleapis.com to 8.8.8.8
Sep  3 09:11:31 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:11:31 dnsmasq[19979]: reply play.googleapis.com is <CNAME>
Sep  3 09:11:31 dnsmasq[19979]: reply googleapis.l.google.com is 216.58.214.202
Sep  3 09:11:31 dnsmasq[19979]: reply googleapis.l.google.com is 216.58.214.234
Sep  3 09:11:31 dnsmasq[19979]: reply googleapis.l.google.com is 216.58.209.170
Sep  3 09:11:32 dnsmasq[19979]: query[A] www.google.cz from 10.123.1.103
Sep  3 09:11:32 dnsmasq[19979]: forwarded www.google.cz to 8.8.8.8
Sep  3 09:11:32 dnsmasq[19979]: dnssec-query[DS] www.google.cz to 8.8.8.8
Sep  3 09:11:32 dnsmasq[19979]: dnssec-query[DS] google.cz to 8.8.8.8
Sep  3 09:11:32 dnsmasq[19979]: dnssec-query[DS] baidu.com to 8.8.8.8
Sep  3 09:11:32 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:11:32 dnsmasq[19979]: reply dxp.baidu.com is <CNAME>
Sep  3 09:11:32 dnsmasq[19979]: reply dxp.e.shifen.com is 202.108.23.24
Sep  3 09:11:32 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:11:32 dnsmasq[19979]: reply www.google.cz is 172.217.18.67
Sep  3 09:11:34 dnsmasq[19979]: query[A] android.googleapis.com from 10.123.1.103
Sep  3 09:11:34 dnsmasq[19979]: forwarded android.googleapis.com to 8.8.8.8
Sep  3 09:11:35 dnsmasq[19979]: dnssec-query[DS] android.googleapis.com to 8.8.8.8
Sep  3 09:11:35 dnsmasq[19979]: dnssec-query[DS] googleapis.com to 8.8.8.8
Sep  3 09:11:35 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:11:35 dnsmasq[19979]: reply android.googleapis.com is <CNAME>
Sep  3 09:11:35 dnsmasq[19979]: reply googleapis.l.google.com is 216.58.209.202
Sep  3 09:11:35 dnsmasq[19979]: reply googleapis.l.google.com is 216.58.214.202
Sep  3 09:11:35 dnsmasq[19979]: reply googleapis.l.google.com is 216.58.214.234
Sep  3 09:11:46 dnsmasq[19979]: query[A] portal.fb.com from 10.123.1.100
Sep  3 09:11:46 dnsmasq[19979]: cached portal.fb.com is <CNAME>
Sep  3 09:11:46 dnsmasq[19979]: forwarded portal.fb.com to 8.8.8.8
Sep  3 09:11:46 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:11:46 dnsmasq[19979]: reply portal.fb.com is <CNAME>
Sep  3 09:11:46 dnsmasq[19979]: reply star.c10r.facebook.com is 31.13.93.3
Sep  3 09:11:49 dnsmasq[19979]: query[A] data.flurry.com from 10.123.1.103
Sep  3 09:11:49 dnsmasq[19979]: cached data.flurry.com is <CNAME>
Sep  3 09:11:49 dnsmasq[19979]: forwarded data.flurry.com to 8.8.8.8
Sep  3 09:11:49 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:11:49 dnsmasq[19979]: reply data.flurry.com is <CNAME>
Sep  3 09:11:49 dnsmasq[19979]: reply flurry.agentportal.prod.g04.yahoodns.net is 74.6.34.30
Sep  3 09:11:52 dnsmasq[19979]: query[A] www.gstatic.com from 10.123.1.103
Sep  3 09:11:52 dnsmasq[19979]: forwarded www.gstatic.com to 8.8.8.8
Sep  3 09:11:52 dnsmasq[19979]: dnssec-query[DS] www.gstatic.com to 8.8.8.8
Sep  3 09:11:52 dnsmasq[19979]: dnssec-query[DS] gstatic.com to 8.8.8.8
Sep  3 09:11:52 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:11:52 dnsmasq[19979]: reply www.gstatic.com is 172.217.16.99
Sep  3 09:12:04 dnsmasq[19979]: query[A] openrcv.baidu.com from 10.123.1.103
Sep  3 09:12:04 dnsmasq[19979]: forwarded openrcv.baidu.com to 8.8.8.8
Sep  3 09:12:04 dnsmasq[19979]: dnssec-query[DS] openrcv.baidu.com to 8.8.8.8
Sep  3 09:12:05 dnsmasq[19979]: dnssec-query[DS] baidu.com to 8.8.8.8
Sep  3 09:12:05 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:05 dnsmasq[19979]: reply openrcv.baidu.com is <CNAME>
Sep  3 09:12:05 dnsmasq[19979]: reply openrcv.e.shifen.com is 111.202.114.38
Sep  3 09:12:21 dnsmasq[19979]: query[A] r4---sn-2gb7ln7e.gvt1.com from 10.123.1.103
Sep  3 09:12:21 dnsmasq[19979]: forwarded r4---sn-2gb7ln7e.gvt1.com to 8.8.8.8
Sep  3 09:12:21 dnsmasq[19979]: dnssec-query[DS] r4---sn-2gb7ln7e.gvt1.com to 8.8.8.8
Sep  3 09:12:21 dnsmasq[19979]: dnssec-query[DS] gvt1.com to 8.8.8.8
Sep  3 09:12:21 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:21 dnsmasq[19979]: reply r4---sn-2gb7ln7e.gvt1.com is <CNAME>
Sep  3 09:12:21 dnsmasq[19979]: reply r4.sn-2gb7ln7e.gvt1.com is 173.194.10.9
Sep  3 09:12:23 dnsmasq[19979]: query[NS] . from 127.0.0.1
Sep  3 09:12:23 dnsmasq[19979]: forwarded . to 8.8.8.8

Tady jsou me konfiguraky:
Kód: [Vybrat]
#___________________________________________________________
          # cat dnsmasq.conf
no-resolv
no-hosts
port=53
bind-interfaces
pid-file=/var/run/dnsmasq.pid
no-dhcp-interface=
listen-address=0.0.0.0
server=8.8.8.8

domain=lan
local=/lan/
local=/123.10.in-addr.arpa/
expand-hosts
domain-needed
bogus-priv

addn-hosts=/etc/dnsmasq.d/dnsmasq.hosts
conf-file=/etc/dnsmasq.d/dnsmasq.dns_zaznamy

dnssec
dnssec-check-unsigned
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
# https://blog.nic.cz/2014/05/15/validace-dnssec-pomoci-dnsmasq/


#___________________________________________________________
          # cat /etc/dnsmasq.d/dnsmasq.hosts
#redirect:
#10.123.1.1 server.lan

#___________________________________________________________
          # cat /etc/dnsmasq.d/dnsmasq.dns_zaznamy
#-----------
address=/moje.domena.cz/10.123.1.1

address=/server.lan/10.123.1.1
address=/pc.lan/10.123.1.10
#-----------
cname=*.server,server
cname=*.pc,pc
#-----------

ptr-record=1.1.123.10.in-addr.arpa.,server.lan
ptr-record=10.1.123.10.in-addr.arpa.,pc.lan
#-----------
#___________________________________________________________

Mate nekdo tuseni, co delam spatne? A hlavne jak to spravit. Zkousel jsem googlit, ale asi spatne.
« Poslední změna: 04. 09. 2016, 19:03:29 od Petr Krčmář »
"Kdo v zájmu bezpečí obětuje část své svobody, v konečném důsledku přijde o svobodu i svou bezpečnost."


Re:Padajici dnsmasq
« Odpověď #1 kdy: 03. 09. 2016, 11:15:24 »
Monit vás neinformuje o pád dnsmasq, ale o tom, že od něj nedostal odpověď. Je divné, že dnsmasq zaznamená požadavek v 9:12:23, a Monit už v 9:12:24 hlásí nedostupnost, když je tam limit 10 sekund. Důležité je pokračování v tom logu, zda dnsmasq odpověď od Google dostal a přeposlal jí dál. Pokud ano, je problém jen v monitoringu a ne v dnsmasq.

Re:Padajici dnsmasq
« Odpověď #2 kdy: 03. 09. 2016, 11:56:49 »
Tady je zbyvajici log:
Kód: [Vybrat]
Sep  3 09:12:21 dnsmasq[19979]: dnssec-query[DS] gvt1.com to 8.8.8.8
Sep  3 09:12:21 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:21 dnsmasq[19979]: reply r4---sn-2gb7ln7e.gvt1.com is <CNAME>
Sep  3 09:12:21 dnsmasq[19979]: reply r4.sn-2gb7ln7e.gvt1.com is 173.194.10.9
Sep  3 09:12:23 dnsmasq[19979]: query[NS] . from 127.0.0.1
Sep  3 09:12:23 dnsmasq[19979]: forwarded . to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: query[MX] gmail.com from 127.0.0.1
Sep  3 09:12:24 dnsmasq[19979]: forwarded gmail.com to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: dnssec-query[DS] gmail.com to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:24 dnsmasq[19979]: query[A] gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:24 dnsmasq[19979]: forwarded gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: dnssec-query[DS] gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:24 dnsmasq[19979]: reply gmail-smtp-in.l.google.com is 74.125.136.26
Sep  3 09:12:24 dnsmasq[19979]: query[AAAA] gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:24 dnsmasq[19979]: forwarded gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:24 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:29 dnsmasq[19979]: query[A] alt1.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:29 dnsmasq[19979]: forwarded alt1.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:29 dnsmasq[19979]: dnssec-query[DS] alt1.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:29 dnsmasq[19979]: dnssec-query[DS] gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:29 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:30 dnsmasq[19979]: reply alt1.gmail-smtp-in.l.google.com is 74.125.68.27
Sep  3 09:12:30 dnsmasq[19979]: query[AAAA] alt1.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:30 dnsmasq[19979]: forwarded alt1.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:30 dnsmasq[19979]: reply alt1.gmail-smtp-in.l.google.com is 2404:6800:4003:c02::1a
Sep  3 09:12:30 dnsmasq[19979]: query[A] alt2.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:30 dnsmasq[19979]: forwarded alt2.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] alt2.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:30 dnsmasq[19979]: reply alt2.gmail-smtp-in.l.google.com is 64.233.189.26
Sep  3 09:12:30 dnsmasq[19979]: query[AAAA] alt2.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:30 dnsmasq[19979]: forwarded alt2.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:30 dnsmasq[19979]: reply alt2.gmail-smtp-in.l.google.com is 2404:6800:4008:c07::1a
Sep  3 09:12:30 dnsmasq[19979]: query[A] alt3.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:30 dnsmasq[19979]: forwarded alt3.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] alt3.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:30 dnsmasq[19979]: reply alt3.gmail-smtp-in.l.google.com is 173.194.72.26
Sep  3 09:12:30 dnsmasq[19979]: query[AAAA] alt3.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:30 dnsmasq[19979]: forwarded alt3.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:30 dnsmasq[19979]: reply alt3.gmail-smtp-in.l.google.com is 2404:6800:4008:c07::1a
Sep  3 09:12:30 dnsmasq[19979]: query[A] alt4.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:30 dnsmasq[19979]: forwarded alt4.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] alt4.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: validation result is INSECURE
Sep  3 09:12:30 dnsmasq[19979]: reply alt4.gmail-smtp-in.l.google.com is 74.125.25.26
Sep  3 09:12:30 dnsmasq[19979]: query[AAAA] alt4.gmail-smtp-in.l.google.com from 127.0.0.1
Sep  3 09:12:30 dnsmasq[19979]: forwarded alt4.gmail-smtp-in.l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] l.google.com to 8.8.8.8
Sep  3 09:12:30 dnsmasq[19979]: dnssec-query[DS] google.com to 8.8.8.8
Sep  3 09:12:31 dnsmasq[19979]: validation result is INSECURE

Zkusil jsem prenastavit monit. Treba to bude tim. I kdyz mi prijde divne, ze by se na localhostu nedokazal s 10s timeoutem pripojit.
"Kdo v zájmu bezpečí obětuje část své svobody, v konečném důsledku přijde o svobodu i svou bezpečnost."

Re:Padajici dnsmasq
« Odpověď #3 kdy: 03. 09. 2016, 12:18:15 »
V tom logu nikde nevidím odpověď na dotaz na kořenové servery, který předpokládám pochází od Monitu. Otázka je, kde je problém - zda dnsmasq odpověď opravdu nedostane, nebo zda ji nepošle dál. To zjistíte asi jedině tcpdumpem.