[Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface
Tore Anderson
tore at fud.no
Fri Sep 13 12:00:40 BST 2019
Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as appropriate:
log-queries
no-hosts
no-resolv
server=1.1.1.1@wlp2s0
Start Dnsmasq and send it a TCP query:
$ src/dnsmasq -d -p 5333
dnsmasq: started, version 2.80-72-ge24abf2 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq: using nameserver 1.1.1.1#53(via wlp2s0)
dnsmasq: cleared cache
$ dig @127.0.0.1 -p 5333 fud.no A +vc | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2916
Output from Dnsmasq following the above query:
dnsmasq: query[A] fud.no from 127.0.0.1
dnsmasq: config error is REFUSED
It makes no attempt to contact the upstream server.
If I remove «@wlp2s0» from the server config, it works fine.
A practical consequence of this bug is that I cannot resolve any domain names under *.org with DNSSEC enabled. The initial UDP query results in a truncated answer, so libc/dig retries in TCP mode and fails.
Note that NetworkManager automatically configures the upstream DNS servers with a specific interface via D-Bus; this behaviour appears hard-coded.
Tore
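
An added example, not part of the original post and not dnsmasq code: a Python check that sends one query over UDP and again over TCP (the transport `dig +vc` uses) and reports when only the TCP path comes back REFUSED, the symptom described above. The address 127.0.0.1, port 5333 and name fud.no are taken from the post; the function names are made up for this illustration.

```python
import socket
import struct

REFUSED = 5  # DNS RCODE "REFUSED" (RFC 1035)

def build_query(name, qtype=1, qid=0x1234):
    """Encode a one-question DNS query (RD set, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_flags(msg):
    """Return (rcode, truncated) from a DNS response header."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x000F, bool(flags & 0x0200)

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver a message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf

def ask_udp(server, port, query, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        return s.recvfrom(4096)[0]

def ask_tcp(server, port, query, timeout=3.0):
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)

def tcp_only_refusal(udp_reply, tcp_reply):
    """True when UDP was not refused but the same query over TCP was."""
    return (parse_flags(udp_reply)[0] != REFUSED
            and parse_flags(tcp_reply)[0] == REFUSED)

if __name__ == "__main__":
    q = build_query("fud.no")
    hit = tcp_only_refusal(ask_udp("127.0.0.1", 5333, q),
                           ask_tcp("127.0.0.1", 5333, q))
    print("TCP-only REFUSED" if hit else "UDP and TCP agree")
```

A truncated UDP answer (TC bit set, RCODE 0) followed by a TCP REFUSED is the combination that breaks DNSSEC-sized responses, so `parse_flags` returns the TC bit alongside the RCODE.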