[Dnsmasq-discuss] Make dnsmasq distinguish local IPs

László Károlyi laszlo at karolyi.hu
Tue Jul 21 14:18:12 BST 2020


I've already added listen-address=127.0.0.1 to it, as it's the host
env's IP address.

bind-interfaces has to be commented out, otherwise the jails will have
problems resolving (it's a FreeBSD host-jail resolution specific thing).

Why would you want me to use except-interface=lo0? I _want_ it to listen
on lo0.

For the sake of clarity, here's my cleaned dnsmasq.conf:

domain-needed
conf-file=/usr/local/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
resolv-file=/usr/local/etc/dnsmasq-resolv.conf
interface=lo0
listen-address=127.0.0.1
no-dhcp-interface=lo0
local-ttl=5
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
rebind-domain-ok=/rfc-ignorant.org/sorbs.net/uribl.com/surbl.org/dnswl.org/njabl.org/spamhaus.org/spamcop.net/barracudacentral.org/

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-21 14:42, Petr Menšík wrote:
> I would check what addresses it is listening on. I think it considers
> all loopback addresses its own. Probably because it would accept queries
> to that address if you stop unbound.
>
> It might help, if you configured it with this:
> bind-interfaces
> except-interface=lo0
> listen-address=127.0.0.21
>
> It would listen only on 127.0.0.21 and consider all other addresses not
> its own. I think it should send queries there. It should then accept:
> server=127.0.0.20
> without ignoring it this way.
>
> On 7/20/20 4:35 PM, László Károlyi wrote:
>> Hi Petr,
>>
>> as you have seen in the original email, it is dnsmasq that refuses to
>> use the lo0 interface to communicate with the IP 127.0.0.20:
>>
>> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
>> local interface
>>
>> When querying manually from the host env to the jailed unbound, I get
>> proper DNS responses. This was something I did pay extra attention to
>> get it working from the get-go. See:
>>
>> Citing my configs here makes no sense as you can see it's working already.
>>
>> Cheers,
>> --
>> László Károlyi
>> http://linkedin.com/in/karolyi
>>
>> On 2020-07-20 16:12, Petr Menšík wrote:
>>> Hi László,
>>>
>>> are you sure it is dnsmasq, who is rejecting the communication?
>>> Unbound has by default disabled communication on localhost. If you have
>>> any other servers running along it, you have to use:
>>>
>>> do-not-query-localhost: no
>>>
>>> to override defaults. But that has to be done on unbound side. AFAIK
>>> dnsmasq does not have any such limitation. It does limit only
>>> per-interface, all required is to configure interface=lo, which is
>>> enabled by default.
>>>
>>> How many interface= statements do you have in configuration? Is
>>> localhost included?
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss