DNS Forwarder refuses valid retries from clients in certain cases
Since upgrading to 22.02 I noticed that some Windows clients are sometimes refusing to load websites. Looking at the traffic with Wireshark shows that there is a duplicate DNS request sent (with the exact same transaction ID) which then immediately gets a "Refused" answer back, while the original request gets answered later. So the correct response arrives later on, but Windows already took the "Refused" (there is no way to distinguish those because they have the same Transaction ID) and so assumes there is no IP associated with that domain. I think a better way would be to silently drop the request so the correct answer later on is picked up as the response. I am not sure if dnsmasq was updated or why this suddenly started to become a problem.
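The pattern described in the report (a retried query with the same transaction ID, a REFUSED response arriving first, then the real answer) can be spotted in a capture by tracking responses per transaction ID. The following script is an added example and is not part of this ticket, pfSense or dnsmasq; it builds a small constructed capture of raw DNS messages (the name `example.com`, the address and the transaction IDs are made up) and flags any ID for which a REFUSED response precedes a NOERROR response.

```python
import struct

RCODE_NOERROR = 0
RCODE_REFUSED = 5


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Standard query with RD set: header (12 bytes) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid, name, rcode, addrs=()):
    """Response with QR/RD/RA set, RCODE in the low nibble, optional A records."""
    flags = 0x8180 | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)
    for addr in addrs:
        # 0xC00C is a compression pointer to the name in the question section
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
        msg += bytes(int(octet) for octet in addr.split("."))
    return msg


def parse_header(msg):
    """Return transaction ID, QR bit and RCODE from a raw DNS message."""
    txid, flags = struct.unpack("!HH", msg[:4])
    return {"id": txid, "qr": flags >> 15, "rcode": flags & 0x0F}


def find_refused_before_answer(packets):
    """
    packets: list of (direction, raw_message); direction is 'C' for
    client -> resolver and 'S' for resolver -> client, in capture order.
    Returns the sorted transaction IDs for which the client saw a REFUSED
    response before a NOERROR response, i.e. the case a client matching
    only on transaction ID will misinterpret as "no such address".
    """
    state = {}
    for direction, msg in packets:
        h = parse_header(msg)
        s = state.setdefault(h["id"], {"queries": 0, "refused": False, "flagged": False})
        if direction == "C" and h["qr"] == 0:
            s["queries"] += 1
        elif direction == "S" and h["qr"] == 1:
            if h["rcode"] == RCODE_REFUSED:
                s["refused"] = True
            elif h["rcode"] == RCODE_NOERROR and s["refused"]:
                s["flagged"] = True
    return sorted(t for t, s in state.items() if s["flagged"])


# Constructed capture: ID 0x1234 is the failure mode from the report
# (duplicate query, REFUSED first, real answer later); ID 0x5678 is a
# normal exchange and must not be flagged.
SAMPLE_CAPTURE = [
    ("C", build_query(0x1234, "example.com")),
    ("C", build_query(0x1234, "example.com")),            # client retry, same ID
    ("S", build_response(0x1234, "example.com", RCODE_REFUSED)),
    ("C", build_query(0x5678, "example.com")),
    ("S", build_response(0x5678, "example.com", RCODE_NOERROR, ["192.0.2.10"])),
    ("S", build_response(0x1234, "example.com", RCODE_NOERROR, ["192.0.2.10"])),
]

if __name__ == "__main__":
    for txid in find_refused_before_answer(SAMPLE_CAPTURE):
        print(f"transaction 0x{txid:04x}: REFUSED delivered before the real answer")
```

Run against a real capture, the same logic applies to the decoded UDP payloads in capture order; a non-empty result is the signature of the behaviour this ticket describes, and it disappears once the resolver drops rather than refuses the retried query.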
Updated by Flole Systems 9 months ago
I believe the fix for this could be this patch which seems to be already merged upstream: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2
Is there any chance we can pull that one in somehow?
Updated by Jim Pingle 9 months ago
- Status changed from New to Needs Patch
That does sound like a problem inside dnsmasq itself. When they put that into a release and that release gets into ports, we'll get that fix naturally. It doesn't look like they have put out a release with that particular patch in it yet, since the commit was after they put out v2.86.
Updated by Flole Systems 2 months ago
The upstream patch has landed in the latest release 2.87 from a few days ago. Does pfSense need to manually pull in the port for it or does that all happen automatically? Aka is this resolved or does it need another manual step to update dnsmasq?
Updated by Jim Pingle 2 months ago
- Status changed from Needs Patch to New
- Target version set to 2.7.0
- Plus Target Version set to 22.11
We'll pick it up the next time we sync our ports tree with main on the dev snapshot branches. It's a manual process but we do it periodically. We can pick back changes one by one if need be closer to a release, but we'll likely do a couple more synchronizations before the next Plus release.
Updated by Jim Pingle 16 days ago
- Subject changed from DNS Forwarder is refusing duplicate packets like Windows is sometimes sending them to DNS Forwarder refuses valid retries from clients in certain cases
- Status changed from New to Resolved
Current dev snapshots have dnsmasq-2.87,1 so this should be resolved.