[Dnsmasq-discuss] Make dnsmasq distinguish local IPs

Petr Menšík pemensik at redhat.com
Tue Jul 21 16:00:30 BST 2020


How should unbound listen on lo0 if dnsmasq is already listening there?
I do not know BSD. Linux would not permit dnsmasq listening on a wildcard
socket and unbound listening on the same port.

I think listen-address would listen just on 127.0.0.1; interface=lo0
should not be necessary. At least on the Linux kernel, it means listening on
ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs a
different port to listen on or a different interface. I think that is not
what you want.

What are the contents of /usr/local/etc/dnsmasq-resolv.conf?
I think no-resolv should be used as well to prevent reading
/etc/resolv.conf.

On 7/21/20 3:18 PM, László Károlyi wrote:
> I've already added listen-address=127.0.0.1 to it, as it's the host
> env's IP address.
> 
> bind-interfaces has to be commented out, otherwise the jails will have
> problems resolving (it's a FreeBSD host-jail resolution specific thing)
Is there a good explanation of how this should work? How exactly are the
addresses on the loopback device configured? Is unbound listening on lo1?
> 
> Why would you want me to use except-interface=lo0? I _want_ it to listen
> on lo0.
What does ifconfig lo0 look like? Do you want to listen on all its addresses?

> 
> For the sake of clarity, here's my cleaned dnsmasq.conf:
> 
> domain-needed
> conf-file=/usr/local/share/dnsmasq/trust-anchors.conf
> dnssec
> dnssec-check-unsigned
> resolv-file=/usr/local/etc/dnsmasq-resolv.conf
> interface=lo0
> listen-address=127.0.0.1
> no-dhcp-interface=lo0
> local-ttl=5
> dhcp-name-match=set:wpad-ignore,wpad
> dhcp-ignore-names=tag:wpad-ignore
> rebind-domain-ok=/rfc-ignorant.org/sorbs.net/uribl.com/surbl.org/dnswl.org/njabl.org/spamhaus.org/spamcop.net/barracudacentral.org/
> 
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
> 
> On 2020-07-21 14:42, Petr Menšík wrote:
>> I would check what addresses it is listening on. I think it considers
>> all loopback addresses its own. Probably because it would accept queries
>> to that address if you stop unbound.
>>
>> It might help if you configured it with this:
>> bind-interfaces
>> except-interface=lo0
>> listen-address=127.0.0.21
>>
>> It would listen only on 127.0.0.21 and consider all other addresses not
>> its own. I think it should send queries there. It should then accept:
>> server=127.0.0.20
>> without ignoring it this way.
>>
>> On 7/20/20 4:35 PM, László Károlyi wrote:
>>> Hi Petr,
>>>
>>> as you have seen in the original email, it is dnsmasq that refuses to
>>> use the lo0 interface to communicate with the IP 127.0.0.20:
>>>
>>> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
>>> local interface
>>>
>>> When querying manually from the host env to the jailed unbound, I get
>>> proper DNS responses. This was something I did pay extra attention to
>>> get it working from the get-go. See:
>>>
>>> Citing my configs here makes no sense as you can see it's working already.
>>>
>>> Cheers,
>>> --
>>> László Károlyi
>>> http://linkedin.com/in/karolyi
>>>
>>> On 2020-07-20 16:12, Petr Menšík wrote:
>>>> Hi László,
>>>>
>>>> are you sure it is dnsmasq that is rejecting the communication?
>>>> Unbound has communication on localhost disabled by default. If you have
>>>> any other servers running alongside it, you have to use:
>>>>
>>>> do-not-query-localhost: no
>>>>
>>>> to override the defaults. But that has to be done on the unbound side. AFAIK
>>>> dnsmasq does not have any such limitation. It only limits
>>>> per-interface; all that is required is to configure interface=lo, which is
>>>> enabled by default.
>>>>
>>>> How many interface= statements do you have in configuration? Is
>>>> localhost included?
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>
>>
> 
> 
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
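As an added illustration (not code from dnsmasq or from either poster), the following shell script models the "ignoring nameserver - local interface" check the thread is troubleshooting and compares László's posted config against Petr's suggested one. It assumes a simplified rule: dnsmasq treats every address of each interface= it listens on as its own unless bind-interfaces restricts it to the listen-address entries; the lo0 addresses and both config fragments are constructed samples.

```shell
#!/bin/sh
# Model of dnsmasq's local-interface check (added example, not dnsmasq code).

# Constructed sample: addresses assumed to be assigned to lo0 on the jail host.
LO0_ADDRS="127.0.0.1 127.0.0.20 127.0.0.21"

# addrs_of IFACE: addresses of an interface from the constructed table above
# (a real check would parse 'ifconfig IFACE' or 'ip -o addr show IFACE').
addrs_of() {
    case "$1" in
        lo0) printf '%s\n' $LO0_ADDRS ;;
    esac
}

# local_addrs CONFIG: addresses dnsmasq is assumed to treat as its own.
# listen-address entries always count; without bind-interfaces every address
# of each interface= that is not also in except-interface counts as well.
local_addrs() {
    cfg="$1"
    printf '%s\n' "$cfg" | sed -n 's/^listen-address=//p'
    if ! printf '%s\n' "$cfg" | grep -qx 'bind-interfaces'; then
        for ifc in $(printf '%s\n' "$cfg" | sed -n 's/^interface=//p'); do
            printf '%s\n' "$cfg" | grep -qx "except-interface=$ifc" && continue
            addrs_of "$ifc"
        done
    fi
}

# ignored_upstreams CONFIG: server= addresses the model would ignore,
# space separated (empty string when every upstream is accepted).
ignored_upstreams() {
    cfg="$1"
    locals=" $(local_addrs "$cfg" | tr '\n' ' ')"
    result=""
    for srv in $(printf '%s\n' "$cfg" | sed -n 's/^server=//p'); do
        case "$locals" in
            *" $srv "*) result="$result $srv" ;;
        esac
    done
    printf '%s' "${result# }"
}

# Constructed configs: the posted one, and Petr's suggested variant.
CFG_POSTED='interface=lo0
listen-address=127.0.0.1
server=127.0.0.20'
CFG_SUGGESTED='bind-interfaces
except-interface=lo0
listen-address=127.0.0.21
server=127.0.0.20'
```

Running `ignored_upstreams "$CFG_POSTED"` reports 127.0.0.20 as ignored, while `ignored_upstreams "$CFG_SUGGESTED"` reports nothing, matching the behaviour Petr expects from his suggested settings.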


