Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Oct 2017 19:18:10 +0530
From: Srinivasa Raghavan <raghav135@...il.com>
To: musl@...ts.openwall.com, dalias@...c.org
Subject: Re: DNS resolution happenning only after timeout

Hi Rich,

Thanks for the reply.

Some updates:
1. Our DNS server is "Infoblox appliance".
2. When we had a delay, we found that there was a "AAAA" query along with
"A" query.

I did further debugging with "tcpdump" and able to narrow down on the
difference in behavior between "debian" and "alpine" images.

In debian:
If ipv6 is disabled (net.ipv6.conf.default.disable_ipv6 = 1)
Then the "nslookup" (or name resolution) does *not* do a "AAAA" query

In alpine:
If ipv6 is disabled (net.ipv6.conf.default.disable_ipv6 = 1)
Then the "nslookup" (or name resolution) does an "AAAA" query along with
"A" query

Is this intentional?

Also, I was wondering if there was any way to disable AAAA query in name
resolution?

Kind Regards,
Srinivasa Raghavan.

On Thu, Sep 28, 2017 at 10:25 PM, Rich Felker <dalias@...c.org> wrote:

> On Thu, Sep 28, 2017 at 12:28:55PM +0200, Szabolcs Nagy wrote:
> > * Srinivasa Raghavan <raghav135@...il.com> [2017-09-28 15:45:28 +0530]:
> > > When using "Alpine" docker image which uses musl-libc, we are facing
> delay
> > > when we do operations like below in our production environment,
> > > 1. ping <name>
> > > 2. nslookup <name>
> > > 3. traceroute <name>
> > > 4. http request from node.js
> > >
> >
> > this bug may be related:
> > https://github.com/rancher/rancher/issues/9961
>
> Yes, I just filed it after reading the discussion on IRC and this bug
> report that was linked as describing similar behavior:
>
> https://github.com/rancher/rancher/issues/4177#issuecomment-332571951
>
> This really requires a fix on the rancher-dns side. I'm not sure
> exactly what glibc is doing, but it couldn't be giving the behavior
> you want without doing something wrong: it's falling back and trying
> different search domains when it hasn't been told that the first one
> doesn't exist, only that the nameserver is experiencing a problem.
>
> Rich
>

Content of type "text/html" skipped

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ