[Dnsmasq-discuss] dnsmasq to provide public DNS service
albert.aribaud at free.fr
Sat Jul 9 11:30:26 BST 2016
On Sat, 9 Jul 2016 02:08:36 +0000 (UTC),
T o n g <mlist4suntong at yahoo.com> wrote:
> On Fri, 08 Jul 2016 18:49:53 +0200, Albert ARIBAUD wrote:
> >> > Once we have netcat available on both ends, we will be able to
> >> > mimic DNS exchanges between the machines but without dnsmasq
> >> > being involved;
> >> The connect is not the problem. I've stopped dnsmasq temporarily
> >> and started SSH listening on port 53 and I was able to connect from
> >> home.
> > The SSH test only proves you can access the box on TCP port 22
> > (assuming you're using the defaults) from your home; this does not
> > prove anything regarding TCP port 53 or UDP port 53, which are what
> > DNS uses.
> > So:
> > 1. Open a terminal and start an SSH session to your box. In this
> > session, disable dnsmasq then run
> > netcat -u -l -p 53
> > 3. On your home machine open one terminal and run
> > netcat -u xyz 53
> > where xyz should be replaced with the public IP of your box.
> > 4. Type some text then hit the Enter key on your home machine.
> > Does your box display the text?
> > 5. Type some other text then hit the Enter key in the shell to your
> > box. Does the netcat running locally display the text?
> Sorry for responding late, because I didn't get anything from the
> server, my box. However, I did start a second SSH session before,
> to listen on port 53 instead of 22, and it worked before. Then I
> looked up... Long story short,
> If I start `netcat -t` then it works; if I start `netcat -u` then it
> doesn't work.
... and this shows why it is important to run the tests exactly as
requested, rather than assume results from other tests...
> I.e., the hosting company is blocking the UDP accesses.
... but again, do not jump to conclusions, at least not without further
testing: yes, it could be your hosting company dropping any UDP traffic
incoming on your box, *but* it could also be your own box settings, or
your ISP dropping UDP port 53 going out of your access except for a
given set of source addresses, or your home machine dropping it.
The proven point is: right now, your box does not seem to receive UDP
port 53 traffic from your home machine. What you can look into now is
whether your box and home machine have any network filtering in place
(iptables-save should show that). This, at least, will take the machines
out of the suspect list and that will narrow it down to your ISP and
your hosting provider.
> But my dnsmasq does listen on the TCP port as well though:
> $ netstat -lnp | grep :53
> (Not all processes could be identified, non-owned process info
>  will not be shown, you would have to be root to see it all.)
> tcp        0      0 0.0.0.0:53      0.0.0.0:*       LISTEN      -
> tcp6       0      0 :::53           :::*            LISTEN      -
> udp        0      0 0.0.0.0:53      0.0.0.0:*                   -
> udp6       0      0 :::53           :::*                        -
> Will TCP only, without UDP, not be OK?
(someone correct me if I'm inexact here) DNS uses UDP port 53 as long
as the request and response can fit in a single UDP datagram (packet),
and will switch to TCP if a single UDP datagram is not big enough. I do
not know, and do not think, that you can run a DNS server over a TCP
> I tried,
> dig +tcp +short cnn.com @mybox, and will get:
> ;; communications error to mybox_ip#53: connection reset
> from my home or,
> ;; communications error to mybox_ip#53: end of file
> if trying from within my box.
> Why is that?
Let's first tackle the second one (box to box), as it does not involve
your ISP and hosting provider networks, and therefore points at a
purely local (configuration?) problem on your box.
1. Preamble: make sure dnsmasq is running.
2. Run a default (UDP) dig request. What does it output? Please do not
describe it, copy-paste it.
3. What does iptables-save display? Again, please do not describe it,
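As an added example, not part of this thread and not dnsmasq's own code: the UDP-then-TCP exchange the reply above describes (query over UDP, TC bit in the answer, same query repeated over TCP with the 2-byte length prefix), shown end to end against a toy loopback server that always sets TC over UDP and answers fully over TCP. The toy server, the loopback port it picks and the answer address 192.0.2.1 are assumptions for this example.

```python
import socket
import struct
import threading

# Toy resolver for this example only (not dnsmasq): over UDP it always replies
# TC=1 ("too big, retry over TCP"); over TCP it returns one A record (assumed value).
TOY_ANSWER_IP = "192.0.2.1"   # RFC 5737 documentation address, an assumption

def build_query(name, qid=0x1234, qtype=1):
    """DNS query per RFC 1035 4.1: header with RD=1, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(msg):
    """The header fields that drive the UDP/TCP decision: TC, RCODE, ANCOUNT (plus the ID)."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0x000F, "ancount": an}

def _skip_name(msg, pos):
    """Advance past a NAME: a run of labels ending in 0x00, or a 2-byte compression pointer."""
    while (msg[pos] & 0xC0) != 0xC0:
        if msg[pos] == 0:
            return pos + 1
        pos += msg[pos] + 1
    return pos + 2

def first_a_record(msg):
    """IPv4 text of the first A record in the answer section, or None."""
    if parse_header(msg)["ancount"] == 0:
        return None
    pos = _skip_name(msg, 12) + 4          # question: QNAME, then QTYPE and QCLASS
    pos = _skip_name(msg, pos)             # first RR's NAME
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
    if rtype == 1 and rdlen == 4:
        return socket.inet_ntoa(msg[pos + 10:pos + 14])
    return None

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:                      # peer closed early; dig reports this as "end of file"
            raise ConnectionError("connection closed before a full DNS message arrived")
        buf += chunk
    return buf

def resolve(name, server, port, timeout=2.0):
    """UDP first; if the reply has TC set, repeat over TCP with the 2-byte length prefix (RFC 1035 4.2.2)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, port))
        data, _ = u.recvfrom(512)          # socket.timeout here: UDP filtered on the path, or no UDP listener
    if not parse_header(data)["tc"]:
        return "udp", first_a_record(data)
    with socket.create_connection((server, port), timeout=timeout) as t:
        t.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", recv_exact(t, 2))
        data = recv_exact(t, length)
    return "tcp", first_a_record(data)

def toy_response(query, truncated):
    """Echo the question with QR/RD/RA set; TC=1 and no answer if truncated, else one A record."""
    qid = struct.unpack(">H", query[:2])[0]
    if truncated:
        return struct.pack(">HHHHHH", qid, 0x8380, 1, 0, 0, 0) + query[12:]
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(TOY_ANSWER_IP)
    return struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0) + query[12:] + rr

def start_toy_server(host="127.0.0.1"):
    """Bind UDP and TCP on one loopback port, as a real DNS server does, and serve in daemon threads."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp.bind((host, 0))
    tcp.bind((host, udp.getsockname()[1]))  # assumes the ephemeral port is also free on TCP
    tcp.listen(5)

    def serve_udp():
        while True:
            query, peer = udp.recvfrom(512)
            udp.sendto(toy_response(query, truncated=True), peer)

    def serve_tcp():
        while True:
            conn, _ = tcp.accept()
            with conn:
                (n,) = struct.unpack(">H", recv_exact(conn, 2))
                answer = toy_response(recv_exact(conn, n), truncated=False)
                conn.sendall(struct.pack(">H", len(answer)) + answer)

    threading.Thread(target=serve_udp, daemon=True).start()
    threading.Thread(target=serve_tcp, daemon=True).start()
    return udp.getsockname()[1]

if __name__ == "__main__":
    print(resolve("cnn.com", "127.0.0.1", start_toy_server()))
```

Run stand-alone it prints `('tcp', '192.0.2.1')`: the UDP leg came back with TC set, so the same query was re-sent over TCP. Pointed at a real server instead (`resolve("cnn.com", "<public IP of the box>", 53)`), the two legs separate the cases discussed above: a socket timeout on the UDP leg means the datagram or its reply is dropped somewhere on the path (or nothing listens on UDP 53), whereas a `ConnectionRefusedError`/reset or a `ConnectionError` on the TCP leg is what `dig +tcp` reports as "connection reset" or "end of file".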