[Dnsmasq-discuss] Connection: REFUSED when attempting lookup.
Simon Kelley
simon at thekelleys.org.uk
Sun Oct 16 09:30:15 BST 2005
Paul Randle wrote:
> Hi,
>
> I’m new to dnsmasq and am in the initial stages of trying to set up
> the following scenario:
>
> RH 9 with 2xNIC, 1st IP 10.x.y.212 (eth0), 2nd IP 10.x.y.213 (eth1)
>
> BIND is set up as a caching-only NS bound to 127.0.0.1 only
> (named.conf has listen-on {127.0.0.1;}; in the options section) all
> recursive look-ups are made through 10.x.y.213
>
> Dnsmasq.conf:
>
> points to dnsmasq.resolv (containing nameserver 127.0.0.1),
> except-interface=lo,
> listen-address=10.x.y.212,
> no-dhcp-interface=eth0
> bind-interfaces (uncommented).
>
> Lookups performed locally on the machine resolve names fine, when I
> attempt the same look-ups from a second machine set with the NS to be
> 10.x.y.212, I receive the message ‘connection: REFUSED’
>
> Ps shows both named and dnsmasq started (confirmed in
> /var/log/messages)
>
> Netstat -a shows:
>
> Proto recv-Q send-Q local Address       foreign Address  State
> tcp   0      0      10.x.y.212:domain   *:*              LISTEN
> tcp   0      0      localhost:domain    *:*              LISTEN
> udp   0      0      10.x.y.212:domain   *:*
> udp   0      0      localhost:domain    *:*
>
> Would anyone be able to tell me why in this scenario, when it would
> appear that dnsmasq is listening correctly, that the connection would
> be refused?
>
The first thing to realise is that there are two different REFUSED error
conditions that might be happening here, there's ICMP connection
refused, which normally happens when trying to connect to a port which
has nothing listening on it or is firewalled. You seem to be working on
the principle that's the problem, but I think it might not be. There's
also a return code in the DNS protocol of REFUSED, meaning the DNS
server has got the query, and is refusing to answer it. I think that's
what you are seeing.

The only circumstance in which dnsmasq will generate a REFUSED reply is
when it has no upstream server available to forward a query to, but it's
worth bearing in mind that if dnsmasq _does_ forward a query, then
the upstream nameserver could also return a REFUSED reply, and dnsmasq
would send that back to the original requester.

The next thing to do is to look in your log files, dnsmasq logs stuff
about its configuration at startup, and if you add "log-queries" to
/etc/dnsmasq.conf it will also log information about queries as it
forwards them. That information should have some clues about what's
going on.

(Also try running "netstat -ap" as root, that will tell you which of
dnsmasq and bind is listening on those ports.)

HTH
Simon.
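
The distinction drawn in the reply above, as an added example that is not part of the original message or of dnsmasq: a small Python probe that separates a transport-level refusal (surfaced on a connected UDP socket as ECONNREFUSED) from a DNS reply whose header carries RCODE 5 (REFUSED). The function names, the query ID and the sample response bytes are constructed for illustration, and the server address in the final comment is a placeholder.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a minimal recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def rcode_of(response, qid):
    """Return the RCODE name from a DNS response, checking the ID and the QR bit."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    code = flags & 0x000F  # RCODE is the low 4 bits of the flags word
    return RCODES.get(code, "RCODE%d" % code)

def classify(server, name, port=53, timeout=3.0):
    """Tell a transport-level refusal apart from a DNS REFUSED answer."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, port))  # connected UDP: ICMP errors surface as exceptions
        try:
            s.send(build_query(name, qid))
            data = s.recv(512)
        except ConnectionRefusedError:
            return "transport: nothing listening on the port, or a firewall rejected it"
        except socket.timeout:
            return "transport: no reply (dropped or filtered)"
    rc = rcode_of(data, qid)
    if rc == "REFUSED":
        return "dns: server received the query and answered REFUSED"
    return "dns: " + rc

# Constructed sample: header of a response to query 0x1234 with QR=1, RD=1, RA=1, RCODE=5.
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)

if __name__ == "__main__":
    print(rcode_of(SAMPLE_REFUSED, 0x1234))
    # classify("192.0.2.53", "example.com")  # placeholder server address
```

A "dns:" result means the packet reached a listening server, so the place to look next is the forwarder's upstream configuration and query log rather than the firewall.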