Dns cache working in haproxy 22.2.20-6e457a2?

f1outsourcing · February 2, 2022, 8:00pm

I was getting some quota exceeded from the dns server, and noticed that this was probably the haproxy. It looks like that the server from the backend is queried around 4 times per second. I would expect only to see this once every 20 seconds.

I grab traffic like this

tcpdump -A -qq -nn -i eth1 port 53 and net x.x.x.x | grep servername

I have a backend configured with

default-server check resolvers dnssvrs1

and a resolvers configured as

78
79 resolvers dnssvrs1
80 parse-resolv-conf
81 #nameserver dns1
82 #nameserver dns2
83 #nameserver dns3
84 #nameserver dns4
85 timeout resolve 1s
86 timeout retry 1s
87 hold valid 20s

f1outsourcing · February 2, 2022, 9:47pm

Even adding to the server config inter 30s does not change anything

f1outsourcing · February 2, 2022, 10:06pm

these two suggestions also do not have any effect.

adding
timeout resolve 10s

or changing

init-addr last,libc,none
to

init-addr last,none

f1outsourcing · February 2, 2022, 10:10pm

Also what is annoying that there are AAAA lookups while ipv6 is disabled on the host. So at least half the requests are useless any way.

f1outsourcing · February 2, 2022, 10:17pm

github.com/haproxy/haproxy

resolver defaults to ipv6 even if local ipv6 not available in network stack

opened 02:42AM - 18 Feb 20 UTC

alexf101

type: bug status: needs-triage

## Output of `haproxy -vv` and `uname -a` ``` $ haproxy -vv HA-Proxy version 1.8.12-8a200c7 2018/06/27 Copyright 2000-2018 Willy Tarreau <willy@haproxy.org> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -fno-strict-overflow -Wno-format-truncation -Wno-null-dereference -Wno-unused-label OPTIONS = USE_OPENSSL=1 USE_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200 Built with OpenSSL version : OpenSSL 1.1.1c FIPS 28 May 2019 Running on OpenSSL version : OpenSSL 1.1.1c FIPS 28 May 2019 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Encrypted password support via crypt(3): yes Built with multi-threading support. Built with PCRE version : 8.42 2018-03-20 Running on PCRE version : 8.42 2018-03-20 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built without compression support (neither USE_ZLIB nor USE_SLZ are set). Compression algorithms supported : identity("identity") Built with network namespace support. Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll. Available filters : [SPOE] spoe [COMP] compression [TRACE] trace $ uname -a Linux 9f9febb8f3d7 4.15.0-1058-aws #60-Ubuntu SMP Wed Jan 15 22:35:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux ``` ## What's the configuration? ``` resolvers dns nameserver public-0 8.8.8.8:53 nameserver public-1 8.8.4.4:53 backend public_uploads_cloudfront server uploads d724jat9k2oaz.cloudfront.net:80 resolvers dns check inter 60s ``` ## Steps to reproduce the behavior 1. Configure a DNS resolver (as shown above) for any backend that supports IPv6, e.g. AWS CloudFront, from an AWS EC2 instance. ## Actual behavior Observe the following log line indicating that on server boot, an IPv4 record is used for the backend, but it changes to an IPv6 record on first DNS query: `public_uploads_cloudfront/uploads changed its IP from 13.224.180.141 to 2600:9000:2083:7a00:1d:8223:e2c0:21 by DNS cache.` From this point, all subsequent queries to this backend fail with the following error: `Connect() failed for backend public_uploads_cloudfront: no free ports.` Remember that AWS data centers don't provide an IPv6 stack, and slap your forehead in disgust. ## Expected behavior 1. Haproxy should not default to using IPv6 if such a record is found, i.e. change the default on the 'resolve-prefer' flag. As web services migrate from IPv4 to IPv6, they will begin to offer both addresses. This causes a dangerous and unpredictable change of behaviour as haproxy will pick up the new IPv6 record and immediately start using it. 2. At the least, haproxy should check once at start-up whether it is capable of making an IPv6 connection before choosing to use an IPv6 address. ## Do you have any idea what may have caused this? Yes, haproxy defaults to using IPv6 addresses if it can find them - this can be changed using the 'resolve-prefer' option. This happens even if the host it's running on isn't capable of making IPv6 connections. ## Do you have an idea how to solve the issue? Either: 1. Check whether the host has an IPv6 address, and if so use IPv6 for backend connections. 2. Change the default for 'resolve-prefer' to be 'ipv4'.

resolve-prefer ipv4

does not change anything

f1outsourcing · February 2, 2022, 10:27pm

same

https://www.mail-archive.com/haproxy@formilux.org/msg36373.html

f1outsourcing · February 3, 2022, 11:27am

Hmmmm, checking again, and totally different request pattern. Maybe these caches are not being used during x minutes after reload?

Topic		Replies	Views
DNS Resolution Sigh v1.7.1 Help!	6	2269	January 31, 2017
DNS reslving inetrval Help!	0	443	August 8, 2017
Haproxy1.8.3 dynamic dns resolvers problem Help!	16	8127	February 13, 2018
Server is going DOWN for maintenance (DNS timeout status) Help!	3	3385	October 23, 2018
Strange timeout behavior during load testing Help!	7	1317	October 5, 2017

Dns cache working in haproxy 22.2.20-6e457a2?

Related Topics