[Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface

Tore Anderson tore at fud.no
Sun Sep 15 08:00:18 BST 2019


* Simon Kelley

> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=90d7c6b97dbae2c913e7bb7af9c6c0f874493092
> 
> should fix this, if I've understood it right.

Hi Simon,

Not quite. With this patch, Dnsmasq does refuse to start as non-root:

$ src/dnsmasq 
dnsmasq: process is missing required capability NET_ADMIN

However, when started as root, it still answers REFUSED:

$ sudo src/dnsmasq & sleep 1; dig @127.0.0.1 -p 5353 fud.no A +vc +short
[1] 14179
dnsmasq[14181]: started, version 2.80-73-g90d7c6b cachesize 150
dnsmasq[14181]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
dnsmasq[14181]: using nameserver 1.1.1.1#53(via wlp2s0)
dnsmasq[14181]: cleared cache
dnsmasq[14186]: query[A] fud.no from 127.0.0.1
dnsmasq[14186]: config error is REFUSED

It is clearly related to privileges, because if I add «-d» to the Dnsmasq command line, it works:

$ sudo src/dnsmasq -d & sleep 1; dig @127.0.0.1 -p 5353 fud.no A +vc +short
[1] 15333
dnsmasq[15335]: started, version 2.80-73-g90d7c6b cachesize 150
dnsmasq[15335]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify dumpfile
dnsmasq[15335]: using nameserver 1.1.1.1#53(via wlp2s0)
dnsmasq[15335]: cleared cache
dnsmasq[15335]: query[A] fud.no from 127.0.0.1
dnsmasq[15335]: forwarded fud.no to 1.1.1.1
dnsmasq[15335]: reply fud.no is 87.238.59.19
87.238.59.19

/etc/dnsmasq.conf contains:

keep-in-foreground
log-facility=-
log-queries
no-hosts
no-resolv
port=5353
server=1.1.1.1@wlp2s0

Tore
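The reproduction above distinguishes the failing case from the working one only by the `+vc` (TCP) flag on `dig`. The following is an added example, not part of Tore's post or of the dnsmasq code base: a small dependency-free Python check that sends the same question to a resolver over UDP and over TCP and compares the RCODEs, so that a "TCP REFUSED while UDP works" condition like the one reported here can be flagged in a smoke test. The server address, port and query name are parameters supplied by the caller; the `127.0.0.1:5353` defaults and the `fud.no` name are taken from the post. The wire-format handling is minimal (one question, header RCODE only) and assumes a plain IPv4 resolver.

```python
import random
import socket
import struct
from typing import Optional

# Standard DNS RCODE names (RFC 1035 section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a single-question DNS query (RD set) for `name`; qtype 1 is A."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_rcode(response: bytes, expected_id: Optional[int] = None) -> str:
    """Return the RCODE name from a DNS response header, checking ID and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message arrived")
        buf += chunk
    return buf


def query_udp(server: str, port: int, name: str, timeout: float = 3.0) -> str:
    txid = random.randrange(0, 0x10000)
    q = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_rcode(data, txid)


def query_tcp(server: str, port: int, name: str, timeout: float = 3.0) -> str:
    """Same question over TCP; RFC 1035 prefixes each message with a 2-byte length."""
    txid = random.randrange(0, 0x10000)
    q = build_query(name, txid=txid)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_rcode(data, txid)


def compare_transports(server: str = "127.0.0.1", port: int = 5353,
                       name: str = "fud.no") -> dict:
    """Query over both transports; `consistent` is False in the reported failure mode."""
    udp = query_udp(server, port, name)
    tcp = query_tcp(server, port, name)
    return {"udp": udp, "tcp": tcp, "consistent": udp == tcp}


if __name__ == "__main__":
    result = compare_transports()
    print("UDP=%s TCP=%s consistent=%s" % (result["udp"], result["tcp"], result["consistent"]))
```

Run it against the resolver under test; against the configuration in the post it would report `UDP=NOERROR TCP=REFUSED consistent=False` for the failing build and `consistent=True` once TCP forwarding works.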