[Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface

Tore Anderson tore at fud.no
Fri Sep 13 12:00:40 BST 2019


Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as appropriate:

log-queries
no-hosts
no-resolv
server=1.1.1.1@wlp2s0

Start Dnsmasq and send it a TCP query:

$ src/dnsmasq -d -p 5333
dnsmasq: started, version 2.80-72-ge24abf2 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq: using nameserver 1.1.1.1#53(via wlp2s0)
dnsmasq: cleared cache

$ dig @127.0.0.1 -p 5333 fud.no A +vc | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2916

Output from Dnsmasq following the above query:

dnsmasq: query[A] fud.no from 127.0.0.1
dnsmasq: config error is REFUSED

It makes no attempt to contact the upstream server.

If I remove «@wlp2s0» from the server config, it works fine.

A practical consequence of this bug is that I cannot resolve any domain names under *.org with DNSSEC enabled. The initial UDP query results in a truncated answer, so libc/dig retries in TCP mode and fails.

Note that NetworkManager automatically configures the upstream DNS servers with a specific interface via D-Bus; this behaviour appears hard-coded.

Tore
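As an added example (not part of Tore's post and not dnsmasq code), the following Python script reproduces the comparison in the report at the wire level: it sends the same A query over UDP and over TCP (TCP frames each message with a 2-byte big-endian length prefix) to a resolver such as the dnsmasq instance on 127.0.0.1:5333 above, and returns each transport's RCODE plus whether the UDP answer carried the TC (truncated) bit that makes clients retry over TCP. All function and variable names here are my own choices, not an existing API.

```python
import socket
import struct

# RCODE names for the low 4 bits of the DNS header flags word.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query: RD set, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return (id, rcode name, truncated) from the 12-byte DNS header."""
    qid, flags = struct.unpack("!HH", resp[:4])
    rcode = flags & 0x000F
    return qid, RCODES.get(rcode, str(rcode)), bool(flags & 0x0200)

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def udp_query(server, port, name, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        resp, _ = s.recvfrom(4096)
    return parse_header(resp)

def tcp_query(server, port, name, timeout=3.0):
    """Same query over TCP: length-prefixed request, length-prefixed reply."""
    q = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return parse_header(recv_exact(s, length))

def check_transport_parity(server, port, name):
    """Return (udp_rcode, tcp_rcode, udp_truncated); a mismatch means the
    TCP fallback that follows a truncated UDP answer will not work."""
    _, udp_rcode, udp_tc = udp_query(server, port, name)
    _, tcp_rcode, _ = tcp_query(server, port, name)
    return udp_rcode, tcp_rcode, udp_tc
```

Against the configuration in the report, `check_transport_parity("127.0.0.1", 5333, "fud.no")` is expected to return `NOERROR` for UDP and `REFUSED` for TCP; a healthy resolver returns the same RCODE on both transports.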