]>
Commit | Line | Data |
---|---|---|
9e4abcb5 SK |
1 | Q: Why does dnsmasq open UDP ports >1024 as well as port 53. |
2 | Is this a security problem/trojan/backdoor? | |
3 | ||
824af85b | 4 | A: The high ports that dnsmasq opens are for replies from the upstream |
9e4abcb5 SK |
5 | nameserver(s). Queries from dnsmasq to upstream nameservers are sent |
6 | from these ports and replies received to them. The reason for doing this is | |
7 | that most firewall setups block incoming packets _to_ port 53, in order | |
8 | to stop DNS queries from the outside world. If dnsmasq sent its queries | |
9 | from port 53 the replies would be _to_ port 53 and get blocked. | |
10 | ||
11 | This is not a security hole since dnsmasq will only accept replies to that | |
12 | port: queries are dropped. The replies must be to oustanding queries | |
13 | which dnsmasq has forwarded, otherwise they are dropped too. | |
14 | ||
15 | Addendum: dnsmasq now has the option "query-port" (-Q), which allows | |
16 | you to specify the UDP port to be used for this purpose. If not | |
17 | specified, the operating system will select an available port number | |
18 | just as it did before. | |
19 | ||
20 | Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify | |
21 | that? | |
22 | ||
feba5c1d | 23 | A: Update: from version 2.10, it does. There are a few limitations: |
0a852541 | 24 | data obtained via TCP is not cached, and source-address |
feba5c1d | 25 | or query-port specifications are ignored for TCP. |
9e4abcb5 SK |
26 | |
27 | Q: When I send SIGUSR1 to dump the contents of the cache, some entries have | |
28 | no IP address and are for names like mymachine.mydomain.com.mydomain.com. | |
29 | What are these? | |
30 | ||
31 | A: They are negative entries: that's what the N flag means. Dnsmasq asked | |
32 | an upstream nameserver to resolve that address and it replied "doesn't | |
33 | exist, and won't exist for <n> hours" so dnsmasq saved that information so | |
34 | that if _it_ gets asked the same question it can answer directly without | |
35 | having to go back to the upstream server again. The strange repeated domains | |
36 | result from the way resolvers search short names. See "man resolv.conf" for | |
37 | details. | |
38 | ||
39 | ||
40 | Q: Will dnsmasq compile/run on non-Linux systems? | |
41 | ||
824af85b SK |
42 | A: Yes, there is explicit support for *BSD and MacOS X and Solaris. |
43 | There are start-up scripts for MacOS X Tiger and Panther | |
44 | in /contrib. Dnsmasq will link with uclibc to provide small | |
3d8df260 SK |
45 | binaries suitable for use in embedded systems such as |
46 | routers. (There's special code to support machines with flash | |
47 | filesystems and no battery-backed RTC.) | |
208b65c5 SK |
48 | If you encounter make errors with *BSD, try installing gmake from |
49 | ports and building dnsmasq with "make MAKE=gmake" | |
9e4abcb5 | 50 | For other systems, try altering the settings in config.h. |
3d8df260 | 51 | |
824af85b | 52 | Q: My company's nameserver knows about some names which aren't in the |
9e4abcb5 SK |
53 | public DNS. Even though I put it first in /etc/resolv.conf, it |
54 | dosen't work: dnsmasq seems not to use the nameservers in the order | |
55 | given. What am I doing wrong? | |
56 | ||
57 | A: By default, dnsmasq treats all the nameservers it knows about as | |
58 | equal: it picks the one to use using an algorithm designed to avoid | |
59 | nameservers which aren't responding. To make dnsmasq use the | |
60 | servers in order, give it the -o flag. If you want some queries | |
61 | sent to a special server, think about using the -S flag to give the | |
62 | IP address of that server, and telling dnsmasq exactly which | |
63 | domains to use the server for. | |
64 | ||
65 | Q: OK, I've got queries to a private nameserver working, now how about | |
66 | reverse queries for a range of IP addresses? | |
67 | ||
68 | A: Use the standard DNS convention of <reversed address>.in-addr.arpa. | |
69 | For instance to send reverse queries on the range 192.168.0.0 to | |
70 | 192.168.0.255 to a nameserver at 10.0.0.1 do | |
71 | server=/0.168.192.in-addr.arpa/10.0.0.1 | |
feba5c1d SK |
72 | Note that the "bogus-priv" option take priority over this option, |
73 | so the above will not work when the bogus-priv option is set. | |
9e4abcb5 SK |
74 | |
75 | Q: Dnsmasq fails to start with an error like this: "dnsmasq: bind | |
76 | failed: Cannot assign requested address". What's the problem? | |
77 | ||
78 | A: This has been seen when a system is bringing up a PPP interface at | |
79 | boot time: by the time dnsmasq start the interface has been | |
80 | created, but not brought up and assigned an address. The easiest | |
81 | solution is to use --interface flags to specify which interfaces | |
82 | dnsmasq should listen on. Since you are unlikely to want dnsmasq to | |
83 | listen on a PPP interface and offer DNS service to the world, the | |
84 | problem is solved. | |
85 | ||
86 | Q: I'm running on BSD and dnsmasq won't accept long options on the | |
87 | command line. | |
88 | ||
3d8df260 | 89 | A: Dnsmasq when built on some BSD systems doesn't use GNU getopt by |
9e4abcb5 SK |
90 | default. You can either just use the single-letter options or |
91 | change config.h and the Makefile to use getopt-long. Note that | |
92 | options in /etc/dnsmasq.conf must always be the long form, | |
93 | on all platforms. | |
94 | ||
95 | Q: Names on the internet are working fine, but looking up local names | |
96 | from /etc/hosts or DHCP doesn't seem to work. | |
97 | ||
98 | A: Resolver code sometime does strange things when given names without | |
99 | any dots in. Win2k and WinXP may not use the DNS at all and just | |
100 | try and look up the name using WINS. On unix look at "options ndots:" | |
101 | in "man resolv.conf" for details on this topic. Testing lookups | |
102 | using "nslookup" or "dig" will work, but then attempting to run | |
103 | "ping" will get a lookup failure, appending a dot to the end of the | |
104 | hostname will fix things. (ie "ping myhost" fails, but "ping | |
105 | myhost." works. The solution is to make sure that all your hosts | |
3d8df260 SK |
106 | have a domain set ("domain" in resolv.conf, or set a domain in |
107 | your DHCP server, see below fr Windows XP and Mac OS X). | |
108 | Any domain will do, but "localnet" is traditional. Now when you | |
109 | resolve "myhost" the resolver will attempt to look up | |
110 | "myhost.localnet" so you need to have dnsmasq reply to that name. | |
111 | The way to do that is to include the domain in each name on | |
112 | /etc/hosts and/or to use the --expand-hosts and --domain options. | |
113 | ||
114 | Q: How do I set the DNS domain in Windows XP or MacOS X (ref: previous | |
115 | question)? | |
116 | ||
117 | A: for XP, Control Panel > Network Connections > { Connection to gateway / | |
118 | DNS } > Properties > { Highlight TCP/IP } > Properties > Advanced > | |
119 | DNS Tab > DNS suffix for this connection: | |
120 | ||
121 | A: for OS X, System Preferences > Network > {Connection to gateway / DNS } > | |
122 | Search domains: | |
9e4abcb5 SK |
123 | |
124 | Q: Can I get dnsmasq to save the contents of its cache to disk when | |
bb01cb96 | 125 | I shut my machine down and re-load when it starts again? |
9e4abcb5 SK |
126 | |
127 | A: No, that facility is not provided. Very few names in the DNS have | |
128 | their time-to-live set for longer than a few hours so most of the | |
129 | cache entries would have expired after a shutdown. For longer-lived | |
130 | names it's much cheaper to just reload them from the upstream | |
131 | server. Note that dnsmasq is not shut down between PPP sessions so | |
132 | go off-line and then on-line again will not lose the contents of | |
133 | the cache. | |
134 | ||
135 | Q: Who are Verisign, what do they have to do with the bogus-nxdomain | |
136 | option in dnsmasq and why should I wory about it? | |
137 | ||
138 | A: [note: this was written in September 2003, things may well change.] | |
139 | Versign run the .com and .net top-level-domains. They have just | |
140 | changed the configuration of their servers so that unknown .com and | |
141 | .net domains, instead of returning an error code NXDOMAIN, (no such | |
142 | domain) return the address of a host at Versign which runs a web | |
143 | server showing a search page. Most right-thinking people regard | |
144 | this new behaviour as broken :-). You can test to see if you are | |
145 | suffering Versign brokeness by run a command like | |
146 | ||
147 | host jlsdajkdalld.com | |
148 | ||
149 | If you get "jlsdajkdalld.com" does not exist, then all is fine, if | |
150 | host returns an IP address, then the DNS is broken. (Try a few | |
151 | different unlikely domains, just in case you picked a wierd one | |
152 | which really _is_ registered.) | |
153 | ||
154 | Assuming that your DNS is broken, and you want to fix it, simply | |
155 | note the IP address being returned and pass it to dnsmasq using the | |
156 | --bogus-nxdomain flag. Dnsmasq will check for results returning | |
157 | that address and substitute an NXDOMAIN instead. | |
158 | ||
159 | As of writing, the IP address in question for the .com and .net | |
160 | domains is is 64.94.110.11. Various other, less prominent, | |
161 | registries pull the same stunt; there is a list of them all, and | |
162 | the addresses to block, at http://winware.org/bogus-domains.txt | |
163 | ||
1ab84e2f SK |
164 | Q: This new DHCP server is well and good, but it doesn't work for me. |
165 | What's the problem? | |
166 | ||
167 | A: There are a couple of configuration gotchas which have been | |
168 | encountered by people moving from the ISC dhcpd to the dnsmasq | |
169 | integrated DHCP daemon. Both are related to differences in | |
170 | in the way the two daemons bypass the IP stack to do "ground up" | |
171 | IP configuration and can lead to the dnsmasq daemon failing | |
172 | whilst the ISC one works. | |
173 | ||
174 | The first thing to check is the broadcast address set for the | |
175 | ethernet interface. This is normally the adddress on the connected | |
176 | network with all ones in the host part. For instance if the | |
177 | address of the ethernet interface is 192.168.55.7 and the netmask | |
178 | is 255.255.255.0 then the broadcast address should be | |
179 | 192.168.55.255. Having a broadcast address which is not on the | |
180 | network to which the interface is connected kills things stone | |
181 | dead. | |
182 | ||
183 | The second potential problem relates to firewall rules: since the ISC | |
184 | daemon in some configurations bypasses the kernel firewall rules | |
185 | entirely, the ability to run the ISC daemon does not indicate | |
186 | that the current configuration is OK for the dnsmasq daemon. | |
187 | For the dnsmasq daemon to operate it's vital that UDP packets to | |
188 | and from ports 67 and 68 and broadcast packets with source | |
189 | address 0.0.0.0 and destination address 255.255.255.255 are not | |
190 | dropped by iptables/ipchains. | |
33820b7e SK |
191 | |
192 | Q: I'm running Debian, and my machines get an address fine with DHCP, | |
193 | but their names are not appearing in the DNS. | |
194 | ||
195 | A: By default, none of the DHCP clients send the host-name when asking | |
196 | for a lease. For most of the clients, you can set the host-name to | |
197 | send with the "hostname" keyword in /etc/network/interfaces. (See | |
198 | "man interfaces" for details.) That doesn't work for dhclient, were | |
199 | you have to add something like "send host-name daisy" to | |
3be34541 SK |
200 | /etc/dhclient.conf [Update: the lastest dhcpcd packages _do_ send |
201 | the hostname by default. | |
33820b7e SK |
202 | |
203 | Q: I'm network booting my machines, and trying to give them static | |
204 | DHCP-assigned addresses. The machine gets its correct address | |
205 | whilst booting, but then the OS starts and it seems to get | |
206 | allocated a different address. | |
207 | ||
208 | A: What is happening is this: The boot process sends a DHCP | |
209 | request and gets allocated the static address corresponding to its | |
210 | MAC address. The boot loader does not send a client-id. Then the OS | |
211 | starts and repeats the DHCP process, but it it does send a | |
212 | client-id. Dnsmasq cannot assume that the two requests are from the | |
213 | same machine (since the client ID's don't match) and even though | |
214 | the MAC address has a static allocation, that address is still in | |
215 | use by the first incarnation of the machine (the one from the boot, | |
216 | without a client ID.) dnsmasq therefore has to give the machine a | |
de37951c | 217 | dynamic address from its pool. There are three ways to solve this: |
33820b7e SK |
218 | (1) persuade your DHCP client not to send a client ID, or (2) set up |
219 | the static assignment to the client ID, not the MAC address. The | |
220 | default client-id will be 01:<MAC address>, so change the dhcp-host | |
221 | line from "dhcp-host=11:22:33:44:55:66,1.2.3.4" to | |
de37951c SK |
222 | "dhcp-host=id:01:11:22:33:44:55:66,1.2.3.4" or (3) tell dnsmasq to |
223 | ignore client IDs for a particular MAC address, like this: | |
224 | dhcp-host=11:22:33:44:55:66,id:* | |
33820b7e SK |
225 | |
226 | Q: What network types are supported by the DHCP server? | |
1ab84e2f | 227 | |
33820b7e | 228 | A: Ethernet (and 802.11 wireless) are supported on all platforms. On |
9e038946 | 229 | Linux all network types (including FireWire) are supported. |
9e4abcb5 | 230 | |
de37951c SK |
231 | Q: What is this strange "bind-interface" option? |
232 | ||
233 | A: The DNS spec says that the reply to a DNS query must come from the | |
234 | same address it was sent to. The traditional way to write an UDP | |
235 | server to do this is to find all of the addresses belonging to the | |
236 | machine (ie all the interfaces on the machine) and then create a | |
237 | socket for each interface which is bound to the address of the | |
238 | interface. Then when a packet is sent to address A, it is received | |
239 | on the socket bound to address A and when the reply is also sent | |
240 | via that socket, the source address is set to A by the kernel and | |
241 | everything works. This is the how dnsmasq works when | |
242 | "bind-interfaces" is set, with the obvious extension that is misses | |
243 | out creating sockets for some interfaces depending on the | |
244 | --interface, --address and --except-interface flags. The | |
245 | disadvantage of this approach is that it breaks if interfaces don't | |
246 | exist or are not configured when the daemon starts and does the | |
247 | socket creation step. In a hotplug-aware world this is a real | |
248 | problem. | |
249 | ||
250 | The alternative approach is to have only one socket, which is bound | |
251 | to the correct port and the wildcard IP address (0.0.0.0). That | |
252 | socket will receive _all_ packets sent to port 53, no matter what | |
253 | destination address they have. This solves the problem of | |
254 | interfaces which are created or reconfigured after daemon | |
255 | start-up. To make this work is more complicated because of the | |
256 | "reply source address" problem. When a UDP packet is sent by a | |
257 | socket bound to 0.0.0.0 its source address will be set to the | |
258 | address of one of the machine's interfaces, but which one is not | |
259 | determined and can vary depending on the OS being run. To get round | |
260 | this it is neccessary to use a scary advanced API to determine the | |
261 | address to which a query was sent, and force that to be the source | |
262 | address in the reply. For IPv4 this stuff in non-portable and quite | |
263 | often not even available (It's different between FreeBSD 5.x and | |
264 | Linux, for instance, and FreeBSD 4.x, Linux 2.0.x and OpenBSD don't | |
265 | have it at all.) Hence "bind-interfaces" has to always be available | |
266 | as a fall back. For IPv6 the API is standard and universally | |
267 | available. | |
268 | ||
269 | It could be argued that if the --interface or --address flags are | |
270 | used then binding interfaces is more appropriate, but using | |
271 | wildcard binding means that dnsmasq will quite happily start up | |
272 | after being told to use interfaces which don't exist, but which are | |
273 | created later. Wildcard binding breaks the scenario when dnsmasq is | |
274 | listening on one interface and another server (most probably BIND) | |
275 | is listening on another. It's not possible for BIND to bind to an | |
276 | (address,port) pair when dnsmasq has bound (wildcard,port), hence | |
277 | the ability to explicitly turn off wildcard binding. | |
9e4abcb5 | 278 | |
c1bb8504 SK |
279 | Q: Why doesn't Kerberos work/why can't I get sensible answers to |
280 | queries for SRV records. | |
9e4abcb5 | 281 | |
c1bb8504 SK |
282 | A: Probably because you have the "filterwin2k" option set. Note that |
283 | it was on by default in example configuration files included in | |
284 | versions before 2.12, so you might have it set on without | |
285 | realising. | |
286 | ||
3be34541 SK |
287 | Q: Can I get email notification when a new version of dnsmasq is |
288 | released? | |
289 | ||
290 | A: Yes, new releases of dnsmasq are always announced through | |
291 | freshmeat.net, and they allow you to subcribe to email alerts when | |
3d8df260 SK |
292 | new versions of particular projects are released. New releases are |
293 | also announced in the dnsmasq-discuss mailing list, subscribe at | |
294 | http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss | |
3be34541 | 295 | |
fd9fa481 SK |
296 | Q: What does the dhcp-authoritative option do? |
297 | ||
298 | A: See http://www.isc.org/index.pl?/sw/dhcp/authoritative.php - that's | |
299 | for the ISC daemon, but the same applies to dnsmasq. | |
300 | ||
301 | Q: Why does my Gentoo box pause for a minute before getting a new | |
302 | lease? | |
303 | ||
304 | A: Because when a Gentoo box shuts down, it releases its lease with | |
305 | the server but remembers it on the client; this seems to be a | |
306 | Gentoo-specific patch to dhcpcd. On restart it tries to renew | |
307 | a lease which is long gone, as far as dnsmasq is concerned, and | |
308 | dnsmasq ignores it until is times out and restarts the process. | |
309 | To fix this, set the dhcp-authoritative flag in dnsmasq. | |
310 | ||
bb01cb96 SK |
311 | Q: My laptop has two network interfaces, a wired one and a wireless |
312 | one. I never use both interfaces at the same time, and I'd like the | |
832af0ba | 313 | same IP and configuration to be used irrespective of which |
3d8df260 | 314 | interface is in use. How can I do that? |
bb01cb96 SK |
315 | |
316 | A: By default, the identity of a machine is determined by using the | |
317 | MAC address, which is associated with interface hardware. Once an | |
318 | IP is bound to the MAC address of one interface, it cannot be | |
319 | associated with another MAC address until after the DHCP lease | |
320 | expires. The solution to this is to use a client-id as the machine | |
321 | identity rather than the MAC address. If you arrange for the same | |
322 | client-id to sent when either interface is in use, the DHCP server | |
323 | will recognise the same machine, and use the same address. The | |
324 | method for setting the client-id varies with DHCP client software, | |
325 | dhcpcd uses the "-I" flag. Windows uses a registry setting, | |
326 | see http://www.jsiinc.com/SUBF/TIP2800/rh2845.htm | |
3be34541 | 327 | |
0a852541 SK |
328 | Q: Can dnsmasq do DHCP on IP-alias interfaces? |
329 | ||
330 | A: Yes, from version-2.21. The support is only available running under | |
331 | Linux, on a kernel which provides the RT-netlink facility. All 2.4 | |
332 | and 2.6 kernels provide RT-netlink and it's an option in 2.2 | |
3d8df260 | 333 | kernels. |
0a852541 SK |
334 | |
335 | If a physical interface has more than one IP address or aliases | |
336 | with extra IP addresses, then any dhcp-ranges corresponding to | |
3d8df260 | 337 | these addresses can be used for address allocation. So if an |
0a852541 SK |
338 | interface has addresses 192.168.1.0/24 and 192.68.2.0/24 and there |
339 | are DHCP ranges 192.168.1.100-192.168.1.200 and | |
340 | 192.168.2.100-192.168.2.200 then both ranges would be used for host | |
341 | connected to the physical interface. A more typical use might be to | |
342 | have one of the address-ranges as static-only, and have known | |
343 | hosts allocated addresses on that subnet using dhcp-host options, | |
344 | while anonymous hosts go on the other. | |
345 | ||
3d8df260 SK |
346 | |
347 | Q: Dnsmasq sometimes logs "nameserver xxx.xxx.xxx.xxx refused | |
348 | to do a recursive query" and DNS stops working. What's going on? | |
349 | ||
350 | A: Probably the nameserver is an authoritative nameserver for a | |
351 | particular domain, but is not configured to answer general DNS | |
352 | queries for an arbitrary domain. It is not suitable for use by | |
353 | dnsmasq as an upstream server and should be removed from the | |
354 | configuration. Note that if you have more than one upstream | |
355 | nameserver configured dnsmasq will load-balance across them and | |
356 | it may be some time before dnsmasq gets around to using a | |
357 | particular nameserver. This means that a particular configuration | |
358 | may work for sometime with a broken upstream nameserver | |
359 | configuration. | |
360 | ||
e17fb629 SK |
361 | |
362 | Q: Does the dnsmasq DHCP server probe addresses before allocating | |
363 | them, as recommended in RFC2131? | |
364 | ||
365 | A: Yes, dynmaically allocated IP addresses are checked by sending an | |
366 | ICMP echo request (ping). If a reply is received, then dnsmasq | |
367 | assumes that the address is in use, and attempts to allocate an | |
368 | different address. The wait for a reply is between two and three | |
369 | seconds. Because the DHCP server is not re-entrant, it cannot serve | |
370 | other DHCP requests during this time. To avoid dropping requests, | |
371 | the address probe may be skipped when dnsmasq is under heavy load. | |
372 | ||
309331f5 | 373 | |
5e9e0efb SK |
374 | Q: I'm using dnsmasq on a machine with the Firestarter firewall, and |
375 | DHCP doesn't work. What's the problem? | |
376 | ||
377 | A: This a variant on the iptables problem. Explicit details on how to | |
378 | proceed can be found at | |
379 | http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2005q3/000431.html | |
e17fb629 | 380 | |
309331f5 | 381 | |
824af85b SK |
382 | Q: I'm using dnsmasq on a machine with the shorewall firewall, and |
383 | DHCP doesn't work. What's the problem? | |
384 | ||
385 | A: This a variant on the iptables problem. Explicit details on how to | |
386 | proceed can be found at | |
387 | http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2007q4/001764.html | |
388 | ||
389 | ||
309331f5 SK |
390 | Q: Dnsmasq logs "running as root because setting capabilities failed" |
391 | when it starts up. Why did that happen and what can do to fix it? | |
392 | ||
393 | A: Change your kernel configuration: either deselect CONFIG_SECURITY | |
394 | _or_ select CONFIG_SECURITY_CAPABILITIES. | |
208b65c5 SK |
395 | |
396 | ||
397 | Q: Where can I get .rpms Suitable for Suse? | |
398 | ||
399 | A: Dnsmasq is in Suse itself, and the latest releases are also | |
400 | available at ftp://ftp.suse.com/pub/people/ug/ | |
401 | ||
402 | ||
832af0ba SK |
403 | Q: Can I run dnsmasq in a Linux vserver? |
404 | ||
405 | A: Yes, as a DNS server, dnsmasq will just work in a vserver. | |
406 | To use dnsmasq's DHCP function you need to give the vserver | |
407 | extra system capabilities. Please note that doing so will lesser | |
408 | the overall security of your system. The capabilities | |
409 | required are NET_ADMIN and NET_RAW. NET_ADMIN is essential, NET_RAW | |
410 | is required to do an ICMP "ping" check on newly allocated | |
411 | addresses. If you don't need this check, you can disable it with | |
412 | --no-ping and omit the NET_RAW capability. | |
413 | Adding the capabilities is done by adding them, one per line, to | |
414 | either /etc/vservers/<vservername>/ccapabilities for a 2.4 kernel or | |
415 | /etc/vservers/<vservername>/bcapabilities for a 2.6 kernel (please | |
416 | refer to the vserver documentation for more information). | |
417 | ||
418 | ||
f2621c7f SK |
419 | Q: What's the problem with syslog and dnsmasq? |
420 | ||
421 | A: In almost all cases: none. If you have the normal arrangement with | |
422 | local daemons logging to a local syslog, which then writes to disk, | |
423 | then there's never a problem. If you use network logging, then | |
424 | there's a potential problem with deadlock: the syslog daemon will | |
425 | do DNS lookups so that it can log the source of log messages, | |
426 | these lookups will (depending on exact configuration) go through | |
427 | dnsmasq, which also sends log messages. With bad timing, you can | |
428 | arrive at a situation where syslog is waiting for dnsmasq, and | |
429 | dnsmasq is waiting for syslog; they will both wait forever. This | |
430 | problem is fixed from dnsmasq-2.39, which introduces asynchronous | |
431 | logging: dnsmasq no longer waits for syslog and the deadlock is | |
432 | broken. There is a remaining problem in 2.39, where "log-queries" | |
433 | is in use. In this case most DNS queries generate two log lines, if | |
434 | these go to a syslog which is doing a DNS lookup for each log line, | |
435 | then those queries will in turn generate two more log lines, and a | |
436 | chain reaction runaway will occur. To avoid this, use syslog-ng | |
437 | and turn on syslog-ng's dns-cache function. | |
438 | ||
832af0ba SK |
439 | |
440 | ||
441 | ||
442 | ||
208b65c5 SK |
443 | |
444 | ||
309331f5 | 445 | |
0a852541 SK |
446 | |
447 | ||
448 | ||
449 | ||
450 | ||
c1bb8504 SK |
451 | |
452 |