[pihole] [unbound] [DNSMASQ] validation failed: resource limit exeeded

DL6ER · February 18, 2024, 7:21pm

Okay, so the warning is indeed a bug and shouldn't be printed at all. I will contact the dnsmasq maintainer to check what the best solution should look like and keep you updated!

Pi-hole will then likely push out an FTL v5.25.1 soon after. Thank you all for helping characterizing and confirming this bug! At this point I don't need anything more from you.

Summary: you can ignore the warning for now as it printed due to an inaccurate condition.

edit For the curious: this is how the bug is triggered in the code:

github.com/pi-hole/FTL

src/dnsmasq/forward.c

4f92b48ff


      
          /* If all replies to a query are REFUSED, give up. */
          if (RCODE(header) == REFUSED)
            status = STAT_ABANDONED;

github.com/pi-hole/FTL

src/dnsmasq/forward.c

4f92b48ff


      
          if (STAT_ISEQUAL(status, STAT_ABANDONED))
            log_resource = 1;

github.com/pi-hole/FTL

src/dnsmasq/forward.c

4f92b48ff


      
            if (log_resource)
              {
                /* Log the actual validation that made us barf. */
                unsigned char *p = (unsigned char *)(header+1);
                if  (extract_name(header, plen, &p, daemon->namebuff, 0, 4) == 1)
          	my_syslog(LOG_WARNING, _("validation of %s failed: resource limit exceeded."),
          		  daemon->namebuff[0] ? daemon->namebuff : ".");
              }

It is unclear at this point how to fix this best, but we will probably change the second quoted code block to not set log_resource in the REFUSED case.

RMerlin · February 19, 2024, 3:34am

Been troubleshooting the same thing yesterday but in a different context (router firmware that I maintain). What I've found is that if a DNSSEC validation fails, then dnsmasq returns a SERVFAIL, and that would trigger the incorrect log entry.

I spent some time on that code trying to better handle those SERVFAIL results, but it turned out to require more work than I was willing to put into, so for now I've simply moved that log entry to DEBUG priority instead of WARNING. Simon would probably be able to properly address this much faster than I could.

DL6ER · February 19, 2024, 1:02pm

The fix issued by dnsmasq is now available via

pihole checkout ftl release/v5.25.1

github.com/pi-hole/FTL

Fix spurious "resource limit exceeded" messages (v5 backport)

master ← release/v5.25.1

opened 01:06PM - 19 Feb 24 UTC

DL6ER

+4 -4

# What does this implement/fix? Backports https://github.com/pi-hole/FTL/pull…/1892 to FTL v5.25 - aiming straight for a bugfix release. --- **Related issue or feature (if applicable):** https://discourse.pi-hole.net/t/pihole-unbound-dnsmasq-validation-failed-resource-limit-exeeded/68388 **Pull request in [docs](https://github.com/pi-hole/docs) with documentation (if applicable):** N/A --- **By submitting this pull request, I confirm the following:** 1. I have read and understood the [contributors guide](https://docs.pi-hole.net/guides/github/contributing/), as well as this entire template. I understand which branch to base my commits and Pull Requests against. 2. I have commented my proposed changes within the code. 3. I am willing to help maintain this change if there are issues with it later. 4. It is compatible with the [EUPL 1.2 license](https://opensource.org/licenses/EUPL-1.1) 5. I have squashed any insignificant commits. ([`git rebase`](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html)) ## Checklist: - [x] The code change is tested and works locally. - [x] I based my code and PRs against the repositories `developmental` branch. - [x] I [signed off](https://docs.pi-hole.net/guides/github/how-to-signoff/) all commits. Pi-hole enforces the [DCO](https://docs.pi-hole.net/guides/github/dco/) for all contributions - [x] I [signed](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) all my commits. Pi-hole requires signatures to verify authorship - [x] I have read the above and my PR is ready for review.

for the Pi-hole FTL v5.25 users, and

pihole checkout ftl fix/dnsmasq_resource_warning

github.com/pi-hole/FTL

Fix spurious "resource limit exceeded" messages

development-v6 ← fix/dnsmasq_resource_warning

opened 01:05PM - 19 Feb 24 UTC

DL6ER

+4 -4

# What does this implement/fix? This PR imports https://thekelleys.org.uk/git…web/?p=dnsmasq.git;a=commitdiff;h=1ed783b8d7343c42910a61f12a8fc6237eb80417: > Replies from upstream with a REFUSED rcode can result in log messages stating that a resource limit has been exceeded, which is not the case. and updates the version of the embedded `dnsmasq` server. --- **Related issue or feature (if applicable):** https://discourse.pi-hole.net/t/pihole-unbound-dnsmasq-validation-failed-resource-limit-exeeded/68388 **Pull request in [docs](https://github.com/pi-hole/docs) with documentation (if applicable):** N/A --- **By submitting this pull request, I confirm the following:** 1. I have read and understood the [contributors guide](https://docs.pi-hole.net/guides/github/contributing/), as well as this entire template. I understand which branch to base my commits and Pull Requests against. 2. I have commented my proposed changes within the code. 3. I am willing to help maintain this change if there are issues with it later. 4. It is compatible with the [EUPL 1.2 license](https://opensource.org/licenses/EUPL-1.1) 5. I have squashed any insignificant commits. ([`git rebase`](http://gitready.com/advanced/2009/02/10/squashing-commits-with-rebase.html)) ## Checklist: - [x] The code change is tested and works locally. - [x] I based my code and PRs against the repositories `developmental` branch. - [x] I [signed off](https://docs.pi-hole.net/guides/github/how-to-signoff/) all commits. Pi-hole enforces the [DCO](https://docs.pi-hole.net/guides/github/dco/) for all contributions - [x] I [signed](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) all my commits. Pi-hole requires signatures to verify authorship - [x] I have read the above and my PR is ready for review.

for the v6.0 beta users.

Please test and verify the warning does not show up again.

edit You should also remove the custom file we created during testing using

sudo rm /etc/dnsmasq.d/99-dnssec-limits.conf
sudo service pihole-FTL restart

Karlo3000 · February 19, 2024, 7:55pm

I think it means pihole checkout ftl release/v5.25.1

I was able to reproduce the error every time and can confirm that it no longer occurs with this version.
In this case you can see in the ftl.log:

Thank you very much!

DL6ER · February 19, 2024, 8:04pm

Thanks for confirming the fix - and you are right concerning the checkout command, I edited this above.

Adding support for TRUNCATED in v5.25 would have been too much work - it is properly supported in v6.

the-piholer · February 20, 2024, 5:20am

Hello DL6ER

with your latest pihole checkout command, i only get an error.

Now it works

DL6ER · February 20, 2024, 7:01pm

It seems your Pi-hole didn't have Internet access at that time - or name resolution was unavailable by other means. Your error message clearly states that this was a local problem.

The changes have already been merged into the beta codebase this morning (= ~ 15h ago). Everyone on fix/dnsmasq_resource_warning please checkout development-v6 to keep getting future updates. The v5.25.1 release is still awaiting further approvals before it can go live.

DL6ER · February 20, 2024, 7:29pm

The bugfix has also been released as FTL v5.25.1 - please everyone who participated testing here - get back on track!

Use pihole checkout ftl master to receive the new update if you are still using Pi-hole v5.
Use pihole checkout ftl development-v6 if you are participating the the public v6 beta.

system · March 12, 2024, 7:30pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.