Bug #12901
closed
DNS Forwarder refuses valid retries from clients in certain cases
Added by Flole Systems over 2 years ago.
Updated about 2 years ago.
Plus Target Version:
23.01
Description
Since upgrading to 22.02 I noticed that some Windows clients are sometimes refusing to load websites. Looking at the traffic with Wireshark shows that there is a duplicate DNS request sent (with the exact same transaction ID) which then immediately gets a "Refused" answer back, while the original request gets answered later. So the correct response arrives later on, but Windows already took the "Refused" (there is no way to distinguish those because they have the same transaction ID) and so assumes there is no IP associated with that domain. I think a better way would be to silently drop the request so the correct answer later on is picked up as the response. I am not sure if dnsmasq was updated or why this suddenly started to become a problem.
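To confirm this pattern in a capture, the following added example (not part of the ticket and not pfSense or dnsmasq code) flags any client query that received a REFUSED response and later a NOERROR response with the same transaction ID and question. It assumes the DNS responses have already been extracted from a capture as `(time, client_ip, client_port, raw_message)` tuples; the function names and the sample packets are constructed for illustration.

```python
import struct

REFUSED, NOERROR = 5, 0  # DNS RCODE values

def parse_response(msg):
    """Return (txid, rcode, qname, qtype), or None if msg is not a one-question response."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if not flags & 0x8000 or qdcount != 1:  # QR bit clear means it is a query
        return None
    labels, pos = [], 12  # question section starts after the 12-byte header
    while msg[pos]:  # assumes an uncompressed question name, as in normal responses
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    return txid, flags & 0x000F, ".".join(labels).lower(), qtype

def find_refused_races(capture):
    """capture: (time, client_ip, client_port, raw_response) tuples in time order."""
    refused, hits = {}, []
    for ts, ip, port, raw in capture:
        parsed = parse_response(raw)
        if parsed is None:
            continue
        txid, rcode, qname, qtype = parsed
        key = (ip, port, txid, qname, qtype)
        if rcode == REFUSED:
            refused.setdefault(key, ts)  # remember the first REFUSED for this query
        elif rcode == NOERROR and key in refused:
            hits.append({"client": ip, "txid": txid, "qname": qname,
                         "delay": round(ts - refused[key], 3)})
    return hits

def build_response(txid, rcode, qname, qtype=1):
    """Constructed test data: header and question only, answer records omitted."""
    q = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)

# Constructed sample: one client gets REFUSED, then the real answer 42 ms later.
SAMPLE = [
    (0.000, "192.0.2.10", 53001, build_response(0x1A2B, REFUSED, "example.com")),
    (0.042, "192.0.2.10", 53001, build_response(0x1A2B, NOERROR, "example.com")),
    (0.100, "192.0.2.11", 53002, build_response(0x3C4D, NOERROR, "example.org")),
]

if __name__ == "__main__":
    for hit in find_refused_races(SAMPLE):
        print(hit)
```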
- Status changed from New to Needs Patch
That does sound like a problem inside dnsmasq itself. When they put that into a release and that release gets into ports, we'll get that fix naturally. It doesn't look like they have put out a release with that particular patch in it yet, since the commit was after they put out v2.86.
The upstream patch has landed in the latest release 2.87 from a few days ago. Does pfSense need to manually pull in the port for it or does that all happen automatically? Aka is this resolved or does it need another manual step to update dnsmasq?
- Status changed from Needs Patch to New
- Target version set to 2.7.0
- Plus Target Version set to 22.11
We'll pick it up the next time we sync our ports tree with main on the dev snapshot branches. It's a manual process but we do it periodically. We can pick back changes one by one if need be closer to a release but we'll likely do a couple more synchronizations before the next Plus release.
- Plus Target Version changed from 22.11 to 23.01
- Subject changed from DNS Forwarder is refusing duplicate packets like Windows is sometimes sending them to DNS Forwarder refuses valid retries from clients in certain cases
- Status changed from New to Resolved
Current dev snapshots have dnsmasq-2.87,1 so this should be resolved.