getdnsapi / stubby

Stubby is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS).
https://dnsprivacy.org/dns_privacy_daemon_-_stubby/
BSD 3-Clause "New" or "Revised" License

reducing DNS packet size for nameserver ::1 to 1280 #284

Open aershey-git opened 3 years ago

aershey-git commented 3 years ago

OpenWrt 19.07.6, stubby 0.3.0-1, dnsmasq-full 2.80-16.3

Dnsmasq is reducing the DNS packet size when forwarding requests to stubby, mostly with Microsoft domains. The upstream TLS DNS server is 9.9.9.11; EDNS0 is enabled with ECS. Changing edns_client_subnet_private from 1 to 0 does not change the behavior.


dnsmasq[3619]: query[A] login.live.com from 192.168.1.55
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: reply login.live.com is NODATA-IPv4
dnsmasq[3619]: query[A] displaycatalog.mp.microsoft.com from 192.168.1.55
dnsmasq[3619]: forwarded displaycatalog.mp.microsoft.com to ::1
dnsmasq[3619]: query[A] displaycatalog.mp.microsoft.com from 192.168.1.55
dnsmasq[3619]: forwarded displaycatalog.mp.microsoft.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: forwarded rum14.perf.linkedin.com to ::1
dnsmasq[3619]: reply rum14.perf.linkedin.com is <CNAME>
dnsmasq[3619]: reply www-linkedin-com.l-0005.l-msedge.net is <CNAME>
dnsmasq[3619]: reply l-0005.l-msedge.net is 2620:1ec:21::14
dnsmasq[3619]: query[A] fp-afd.azureedge.net from 192.168.1.90
dnsmasq[3619]: forwarded fp-afd.azureedge.net to ::1
dnsmasq[3619]: query[A] fp-afd.azureedge.net from 192.168.1.90
dnsmasq[3619]: forwarded fp-afd.azureedge.net to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: reply teams-events-data.trafficmanager.net is <CNAME>
dnsmasq[3619]: reply skypedataprdcoluks01.cloudapp.net is 52.114.88.20
dnsmasq[3619]: query[A] ctldl.windowsupdate.com from 192.168.1.55
dnsmasq[3619]: cached ctldl.windowsupdate.com is <CNAME>
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: query[A] ctldl.windowsupdate.com from 192.168.1.55
dnsmasq[3619]: cached ctldl.windowsupdate.com is <CNAME>
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: forwarded s-ring.msedge.net to ::1
dnsmasq[3619]: reply s-ring.msedge.net is <CNAME>
dnsmasq[3619]: reply s-ring.s-9999.s-msedge.net is <CNAME>
dnsmasq[3619]: reply s-9999.s-msedge.net is NODATA-IPv6
dnsmasq[3619]: query[A] fp-afd-nocache.azureedge.net from 192.168.1.90
dnsmasq[3619]: forwarded fp-afd-nocache.azureedge.net to ::1
dnsmasq[3619]: query[A] fp-afd-nocache.azureedge.net from 192.168.1.90
dnsmasq[3619]: forwarded fp-afd-nocache.azureedge.net to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: reply fp-afd.azureedge.net is <CNAME>
dnsmasq[3619]: reply fp-afd.afd.azureedge.net is <CNAME>
dnsmasq[3619]: reply star-azureedge-prod.trafficmanager.net is <CNAME>
dnsmasq[3619]: reply dual.t-0009.t-msedge.net is <CNAME>
dnsmasq[3619]: reply t-0009.t-msedge.net is <CNAME>
dnsmasq[3619]: reply Edge-Prod-BL2r3.ctrl.t-0009.t-msedge.net is <CNAME>
dnsmasq[3619]: reply standard.t-0009.t-msedge.net is 2620:1ec:bdf::19
dnsmasq[3619]: reply standard.t-0009.t-msedge.net is 2620:1ec:46::19
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: forwarded r4.res.office365.com to ::1
dnsmasq[3619]: reply r4.res.office365.com is <CNAME>
dnsmasq[3619]: reply r4.res.office365.com.edgekey.net is <CNAME>
dnsmasq[3619]: reply e1875.dscg.akamaiedge.net is 184.28.88.89
dnsmasq[3619]: query[A] fd6a9bc1c3f24664a11f1d7054d75de8.fp.measure.office.com from 192.168.1.55
dnsmasq[3619]: forwarded fd6a9bc1c3f24664a11f1d7054d75de8.fp.measure.office.com to ::1
dnsmasq[3619]: query[A] fd6a9bc1c3f24664a11f1d7054d75de8.fp.measure.office.com from 192.168.1.55
dnsmasq[3619]: forwarded fd6a9bc1c3f24664a11f1d7054d75de8.fp.measure.office.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: forwarded r4.res.office365.com to ::1
dnsmasq[3619]: reply r4.res.office365.com is <CNAME>
dnsmasq[3619]: reply r4.res.office365.com.edgekey.net is <CNAME>
dnsmasq[3619]: reply e1875.dscg.akamaiedge.net is 184.28.88.89
dnsmasq[3619]: query[A] 7023a5ec2b52462c875546e8f5aec477.fp.measure.office.com from 192.168.1.55
dnsmasq[3619]: forwarded 7023a5ec2b52462c875546e8f5aec477.fp.measure.office.com to ::1
dnsmasq[3619]: query[A] 7023a5ec2b52462c875546e8f5aec477.fp.measure.office.com from 192.168.1.55
dnsmasq[3619]: forwarded 7023a5ec2b52462c875546e8f5aec477.fp.measure.office.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: reply a1952.dscq.akamai.net is 2600:1403:2::174a:2f0
dnsmasq[3619]: query[A] ctldl.windowsupdate.com from 192.168.1.90
dnsmasq[3619]: cached ctldl.windowsupdate.com is <CNAME>
dnsmasq[3619]: cached au-bg-shim.trafficmanager.net is <CNAME>
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: query[A] ctldl.windowsupdate.com from 192.168.1.90
dnsmasq[3619]: cached ctldl.windowsupdate.com is <CNAME>
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: query[AAAA] aadcdn.msauth.net from 192.168.1.55
dnsmasq[3619]: forwarded aadcdn.msauth.net to ::1
dnsmasq[3619]: reply aadcdn.msauth.net is NODATA-IPv4
dnsmasq[3619]: query[A] aadcdn.msauth.net from 192.168.1.55
dnsmasq[3619]: forwarded aadcdn.msauth.net to ::1
dnsmasq[3619]: query[AAAA] aadcdn.msauth.net from 192.168.1.55
dnsmasq[3619]: forwarded aadcdn.msauth.net to ::1
dnsmasq[21862]: query[A] aadcdn.msauth.net from 192.168.1.55
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: query[AAAA] ctldl.windowsupdate.com from 192.168.1.138
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: reply ctldl.windowsupdate.com is NODATA-IPv4
dnsmasq[3619]: query[A] ctldl.windowsupdate.com from 192.168.1.138
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: query[AAAA] ctldl.windowsupdate.com from 192.168.1.138
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: query[AAAA] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[A] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[AAAA] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[A] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: query[A] ctldl.windowsupdate.com from 192.168.1.138
dnsmasq[3619]: forwarded ctldl.windowsupdate.com to ::1
dnsmasq[3619]: reply ctldl.windowsupdate.com is <CNAME>
dnsmasq[3619]: reply au-bg-shim.trafficmanager.net is <CNAME>
dnsmasq[3619]: reply audownload.windowsupdate.nsatc.net is <CNAME>
dnsmasq[3619]: reply au.download.windowsupdate.com.edgesuite.net is <CNAME>
dnsmasq[3619]: reply a767.dscg3.akamai.net is 2600:1408:8400::173f:f6aa
dnsmasq[3619]: reply a767.dscg3.akamai.net is 2600:1408:8400::173f:f6b3
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: query[A] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: query[AAAA] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: query[AAAA] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: query[A] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: query[A] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[AAAA] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[A] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[AAAA] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: query[A] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[AAAA] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[A] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: query[AAAA] bl6pap004.storage.live.com from 192.168.1.138
dnsmasq[3619]: forwarded bl6pap004.storage.live.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: query[A] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: query[AAAA] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: query[AAAA] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: query[A] login.live.com from 192.168.1.138
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
--
dnsmasq[3619]: reply ecs.office.trafficmanager.net is <CNAME>
dnsmasq[3619]: reply s-0005-office.config.skype.com is <CNAME>
dnsmasq[3619]: reply ecs-office.s-0005.s-msedge.net is <CNAME>
dnsmasq[3619]: reply s-0005.s-msedge.net is 52.113.194.132
dnsmasq[3619]: query[A] login.live.com from 192.168.1.55
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: query[A] login.live.com from 192.168.1.55
dnsmasq[3619]: forwarded login.live.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
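The log above repeats one pattern before every "reducing DNS packet size" line: the same name is forwarded to ::1 twice with no reply in between, then dnsmasq drops the advertised size. The following is an added example (not code from the stubby project or from the issue author) that parses dnsmasq query-log lines and, for each size reduction, lists the names that were forwarded more than once without an answer since the previous reduction, so the domains driving the fallback can be counted instead of eyeballed. The log lines inside it are constructed to match the shape of the log in this issue; the regexes assume dnsmasq's standard `query[TYPE] name from client` / `forwarded name to server` / `reply name is answer` format.

```python
"""Added example, not part of stubby or of this issue: correlate dnsmasq
"reducing DNS packet size" events with the queries retried just before them."""
import re
from collections import Counter

# Constructed sample with the same layout as the issue's log (trimmed).
SAMPLE_LOG = """\
dnsmasq[3619]: query[A] displaycatalog.mp.microsoft.com from 192.168.1.55
dnsmasq[3619]: forwarded displaycatalog.mp.microsoft.com to ::1
dnsmasq[3619]: query[A] displaycatalog.mp.microsoft.com from 192.168.1.55
dnsmasq[3619]: forwarded displaycatalog.mp.microsoft.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
dnsmasq[3619]: query[A] example.org from 192.168.1.55
dnsmasq[3619]: forwarded example.org to ::1
dnsmasq[3619]: reply example.org is 192.0.2.10
dnsmasq[3619]: query[A] fp-afd.azureedge.net from 192.168.1.90
dnsmasq[3619]: forwarded fp-afd.azureedge.net to ::1
dnsmasq[3619]: query[A] fp-afd.azureedge.net from 192.168.1.90
dnsmasq[3619]: forwarded fp-afd.azureedge.net to ::1
dnsmasq[3619]: query[A] displaycatalog.mp.microsoft.com from 192.168.1.55
dnsmasq[3619]: forwarded displaycatalog.mp.microsoft.com to ::1
dnsmasq[3619]: query[A] displaycatalog.mp.microsoft.com from 192.168.1.55
dnsmasq[3619]: forwarded displaycatalog.mp.microsoft.com to ::1
dnsmasq[3619]: reducing DNS packet size for nameserver ::1 to 1280
"""

FORWARD_RE = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<server>\S+)")
REPLY_RE = re.compile(r"dnsmasq\[\d+\]: reply (?P<name>\S+) is (?P<answer>.*)")
REDUCE_RE = re.compile(
    r"dnsmasq\[\d+\]: reducing DNS packet size for nameserver (?P<server>\S+) to (?P<size>\d+)"
)


def analyze(log_text):
    """Return one dict per size-reduction event: which server, what size, and
    which names were forwarded at least twice without a reply since the previous
    event (the retry-then-fallback pattern visible in the issue's log)."""
    forwarded = Counter()   # name -> how many times forwarded in the current window
    answered = set()        # names that got a 'reply' line in the current window
    events = []
    for line in log_text.splitlines():
        m = FORWARD_RE.search(line)
        if m:
            forwarded[m["name"]] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            answered.add(m["name"])
            continue
        m = REDUCE_RE.search(line)
        if m:
            suspects = sorted(n for n, c in forwarded.items() if c >= 2 and n not in answered)
            events.append({"server": m["server"], "size": int(m["size"]), "suspects": suspects})
            # Start a fresh window after each reduction.
            forwarded.clear()
            answered.clear()
    return events


def top_suspects(events):
    """Count how often each name preceded a size reduction across all events."""
    counts = Counter()
    for ev in events:
        counts.update(ev["suspects"])
    return counts


if __name__ == "__main__":
    evs = analyze(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['server']} -> {ev['size']} bytes, retried without reply: {ev['suspects']}")
    print("most frequent:", top_suspects(evs).most_common(3))
```

Run it against `logread` output (or the syslog file) on the OpenWrt box; names that keep appearing in the suspects list are the ones whose answers are too large, or too slow, for the current advertised size, which is where to look next (for example with `dig +bufsize=4096 +dnssec` directly against the stub).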
hanvinke commented 3 years ago

The strange thing is that the edns-packet-max setting has defaulted to 4096 in dnsmasq for a long time. But applying --edns-packet-max=4096 in the dnsmasq configuration apparently has no effect. I can still see the message "daemon.warn dnsmasq[]: reducing DNS packet size for nameserver 127.0.0.1 to 1280" in my syslog. Maybe there is a difference between activating DNSSEC in dnsmasq or in stubby. According to https://forum.openwrt.org/t/stubby-dns-over-tls-using-dnsmasq-full-for-dnssec-caching/19107 one should preferably enable DNSSEC in dnsmasq. However, https://github.com/openwrt/packages/blob/master/net/stubby/files/README.md states it should have the same outcome. I will check that later. BTW, there was a similar issue with DNS behavior in dnscrypt-proxy in the past; see https://github.com/DNSCrypt/dnscrypt-proxy/issues/956. I think this thread is, for instance, related to https://github.com/getdnsapi/getdns/issues/495

hanvinke commented 3 years ago

Did not see a change in the syslog when enabling DNSSEC in Stubby. According to RFC 6891, section 6.2.5, Payload Size Selection: "... A requestor SHOULD choose to use a fallback mechanism that begins with a large size, such as 4096. If that fails, a fallback around the range of 1280-1410 bytes SHOULD be tried, as it has a reasonable chance to fit within a single Ethernet frame. ..." Unfortunately I don't know whether there was a fallback with a larger size before. I suppose that would have shown in the syslog as well.
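The 1280 in dnsmasq's message is the UDP payload size a requestor advertises in the CLASS field of the EDNS0 OPT pseudo-record (RFC 6891 section 6.1.2), and the RFC text quoted above describes how a requestor is meant to step that value down. The following is an added example (not code from stubby, dnsmasq or the commenters) that builds a minimal DNS query carrying an OPT record with a chosen payload size, reads the advertised size back out of a packet, and walks the RFC's fallback sequence against a constructed in-memory upstream that only answers when the advertised size is small enough. It shows what the fallback looks like on the wire; it is not dnsmasq's own retry logic, and the `make_fake_upstream` helper, the `EDNS_FALLBACK_SIZES` tuple and the query names are assumptions for the demonstration.

```python
"""Added example, not part of stubby or dnsmasq: EDNS0 OPT records and the
RFC 6891 6.2.5 payload-size fallback, exercised against a constructed upstream."""
import struct

# RFC 6891 6.2.5: start large (4096), then try the 1280-1410 range. Assumed tuple.
EDNS_FALLBACK_SIZES = (4096, 1280)
OPT_TYPE = 41


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=1, udp_size=4096, txid=0x1234, do_bit=True):
    """Minimal recursive query for `name` with one OPT record in the additional section."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE (8) | version (8) | flags (16) with DO as the top flag bit,
    # RDLENGTH 0 (no options).
    ttl = (1 << 15) if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return header + question + opt


def skip_name(packet, pos):
    """Return the offset just past the name starting at `pos` (handles compression pointers)."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def advertised_udp_size(packet):
    """UDP payload size from the OPT RR, or None if the packet carries no EDNS0
    (a plain DNS message, which implies the classic 512-byte limit)."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(packet, pos) + 4          # QTYPE + QCLASS
    for _ in range(ancount + nscount):
        pos = skip_name(packet, pos)
        rdlen = struct.unpack("!H", packet[pos + 8:pos + 10])[0]
        pos += 10 + rdlen                          # TYPE, CLASS, TTL, RDLENGTH, RDATA
    for _ in range(arcount):
        pos = skip_name(packet, pos)
        rtype, rclass = struct.unpack("!HH", packet[pos:pos + 4])
        if rtype == OPT_TYPE:
            return rclass
        rdlen = struct.unpack("!H", packet[pos + 8:pos + 10])[0]
        pos += 10 + rdlen
    return None


def query_with_fallback(send, name, sizes=EDNS_FALLBACK_SIZES):
    """Try each advertised size in order until `send` returns a reply instead of None
    (None stands for a timeout). Returns (reply, size_that_worked) or (None, None)."""
    for size in sizes:
        reply = send(build_query(name, udp_size=size))
        if reply is not None:
            return reply, size
    return None, None


def make_fake_upstream(max_accepted):
    """Constructed stand-in for a resolver path that drops queries advertising
    more than `max_accepted` bytes; records every size it saw in `send.seen`."""
    seen = []

    def send(packet):
        size = advertised_udp_size(packet)
        seen.append(size)
        return b"reply" if size is not None and size <= max_accepted else None

    send.seen = seen
    return send


if __name__ == "__main__":
    upstream = make_fake_upstream(1280)
    reply, used = query_with_fallback(upstream, "login.live.com")
    print("sizes tried:", upstream.seen, "-> answered at", used)
```

The `seen` list is the observable signature of the fallback: a 4096 attempt that times out followed by a 1280 attempt that succeeds, which is exactly the state dnsmasq records when it logs the reduction. If the first attempt never appears in a capture on the loopback interface, the advertised size was already at the lower value before the log line, which answers the question raised above about whether a larger-size attempt preceded it.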