<div dir="ltr"><div>Ok, got the output of log-queries=extra. It is indeed the bind at program start:</div><div><br></div><div>reading /run/dnsmasq/resolv.conf</div><div>ignoring nameserver 8.8.8.8 - cannot make/bind socket: Address already in use</div><div>ignoring nameserver 8.8.4.4 - cannot make/bind socket: Address already in use</div><div><br></div><div>That's query-port!=0. With =0 or unset, you get</div><div>reading /run/dnsmasq/resolv.conf</div><div>using nameserver 8.8.8.8#53</div><div>using nameserver 8.8.4.4#53</div><div><br></div><div>"ignoring nameserver - cannot make/bind" is printed when the allocate_sfd function fails to allocate a socket set. allocate_sfd returns null early when !daemon->osport, which I guess is why query-port=0 sees the same good behavior as query-port unset. So, I would guess the problem is in allocate_sfd.</div><div><br></div>dnsmasq does not exit after that error happens, and I assume sees itself as not having access to any resolvers, causing the REFUSEDs.<br><br><div class="gmail_quote"><div dir="ltr">On Sat, Apr 7, 2018 at 6:45 PM Simon Kelley <<a href="mailto:simon@thekelleys.org.uk">simon@thekelleys.org.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 07/04/18 14:47, Fred Douglas wrote:<br>
> Thanks for the explanation of REFUSED's meaning! I bet it's that the UDP sends are outright failing; I suspect that something is going wrong with the bind at program start. I'll take a look at the logs and report back on Monday.<br>
<br>
When using port-randomisation, dnsmasq has to create and bind sockets<br>
for each upstream interaction. Once you nail the port number using<br>
query-port, it doesn't need to do that and will create and bind a<br>
single socket at startup which it uses thereafter. A failure of that<br>
process should cause a fatal error and abort at start-up.<br>
<br>
><br>
><br>
> For now, though, I can pretty confidently say I'm not accidentally blocking the packets. All of my iptables rules are either for TCP, not for the interface that goes to the internet (eth0), or are matching UDP ports that these experiments aren't using.<br>
><br>
><br>
> I used query-port=0, observed the unchanging source port of the (successful) resolutions, restarted dnsmasq with query-port=that_port - and got the error. Even if I was getting unlucky, and that attempt and my other attempts in the ephemeral range were failing because the port happened to be in use when dnsmasq tried to bind it, that shouldn't be the case for the lower numbered ports I was trying. (I'm not making any other changes in between these experiments, either, just changing query-port in dnsmasq.conf to commented, 0, or non-0, and then `service dnsmasq restart`.)<br>
<br>
<br>
Running dnsmasq under strace (run dnsmasq with the -d option) would be<br>
useful, to see exactly what system calls it's making.<br>
<br>
You have used --log-queries to make sure this REFUSED return code isn't<br>
coming from upstream, haven't you?<br>
<br>
<br>
Cheers,<br>
<br>
Simon.<br>
<br>
<br>
><br>
>> Just tried a simple test, and didn't see the same behaviour.<br>
>><br>
>> Use log-queries to check that the process is really failing in dnsmasq,<br>
>> ie the problem is not REFUSED answers from upstream. A REFUSED answer<br>
>> from dnsmasq only occurs if either there are no possible upstream server<br>
>> to forward to, or if attempts to send UDP packets to all upstream<br>
>> servers fail immediately, at kernel level. You're not accidentally<br>
>> blocking packets from your special port, are you?<br>
>><br>
>><br>
>> Cheers,<br>
>><br>
>> Simon.<br>
>><br>
>> On 06/04/18 21:08, Fred Douglas wrote:<br>
>>> I would like dnsmasq to stick to a single source port for its requests,<br>
>>> so that I can differentiate them from other DNS requests going out the<br>
>>> same interface.<br>
>>><br>
>>> The query-port option works as advertised when set to 0 (i.e. picks a<br>
>>> single random port and sticks to it). Any other value, however - below<br>
>>> 1024, a little above 1024, way up in the 50000s - causes dnsmasq to<br>
>>> respond to all queries with a "REFUSED" (DNS error code 5).<br>
>>><br>
>>> My dnsmasq.conf is empty other than query-port, and I haven't made any<br>
>>> other weird changes to the system that should be relevant. This is<br>
>>> Debian's current [2.76+whatever security patches] version of dnsmasq.<br>
>>><br>
>>> Does anyone else get this behavior?<br>
>>><br>
>>> Fred<br>
>>><br>
>>> _______________________________________________<br>
>>> Dnsmasq-discuss mailing list<br>
>>> Dnsmasq-discuss at <a href="http://lists.thekelleys.org.uk" rel="noreferrer" target="_blank">lists.thekelleys.org.uk</a><br>
>>> <a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" rel="noreferrer" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
>><br>
><br>
<br>
<br>
</blockquote></div></div>
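An added example, not dnsmasq's own code, that turns the two checks discussed in the thread into a script: it classifies the log-queries=extra startup lines to see whether any upstream was actually bound (if none was, a REFUSED from dnsmasq itself is expected), and reproduces with plain UDP sockets why a fixed port can fail with "Address already in use" while port 0 cannot. The sample log lines are constructed from the ones quoted above; the names classify_upstreams and bind_udp are the example's own.

```python
# Added example, not dnsmasq code: classify dnsmasq log-queries=extra startup
# lines and reproduce the EADDRINUSE difference behind the thread's symptom.
import errno
import re
import socket

# Constructed sample of the startup output quoted in the thread.
SAMPLE_LOG = """\
reading /run/dnsmasq/resolv.conf
ignoring nameserver 8.8.8.8 - cannot make/bind socket: Address already in use
ignoring nameserver 8.8.4.4 - cannot make/bind socket: Address already in use
"""
USING = re.compile(r"using nameserver (\S+)#(\d+)")
IGNORING = re.compile(r"ignoring nameserver (\S+) - cannot make/bind socket: (.*)")

def classify_upstreams(log_text):
    """Return (usable, failed): [(server, port)] and [(server, reason)]; empty usable -> REFUSED."""
    usable, failed = [], []
    for line in log_text.splitlines():
        m = USING.search(line)
        if m:
            usable.append((m.group(1), int(m.group(2))))
            continue
        m = IGNORING.search(line)
        if m:
            failed.append((m.group(1), m.group(2)))
    return usable, failed

def bind_udp(port):
    """Bind a UDP socket like a fixed query-port does; (sock, None) or (None, errno)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("127.0.0.1", port))
        return s, None
    except OSError as e:
        s.close()
        return None, e.errno

if __name__ == "__main__":
    usable, failed = classify_upstreams(SAMPLE_LOG)
    print("usable:", usable, "failed:", failed)
    print("no upstream bound -> every query gets REFUSED" if not usable else "forwarding possible")
    # A fixed port collides with whatever already holds it (EADDRINUSE, the
    # 'cannot make/bind socket' above); port 0 lets the kernel pick a free one.
    held, _ = bind_udp(0)
    taken = held.getsockname()[1]
    _, err = bind_udp(taken)
    print("rebind of", taken, "->", errno.errorcode.get(err, err))
    fresh, err = bind_udp(0)
    print("bind of port 0 ->", "ok" if fresh else errno.errorcode.get(err, err))
```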