[Dnsmasq-discuss] TCP DNS requests fail with "communications error" / "end of file"

Jinn Ko dnsmasq-discuss at mx.ixido.net
Thu Jul 23 12:29:12 BST 2020


On 22/07/2020 12:46, Simon Kelley wrote:
> On 20/07/2020 14:11, Jinn Ko wrote:
>> Hi,
>>
>> While using dnsmasq as embedded in the pi-hole project I came across an issue with how TCP
>> DNS requests are handled over Wireguard interfaces.
>>
>> A ticket was raised in the FTL project (https://github.com/pi-hole/FTL/issues/824) and the
>> conclusion was that the issue is in dnsmasq.  It seems the logic of determining the incoming
>> interface fails and the connection is closed and reset before FTL can handle it, which seems
>> to put the issue in the dnsmasq codebase.
>>
>> A key detail is that the Wireguard interface is configured with the same IP as the default
>> interface, but with a more specific subnet mask.  For example where eth0 has the default
>> route it may be configured with 10.3.2.1/24, while the Wireguard interface would have the
>> address 10.3.2.1/32.  Having a different IP on the two interfaces does not cause any issues.
> 
> Is this something as simple as needing to have dnsmasq listening on both
> eth0 and the wireguard interface?

The process is listening on all interfaces:

# ss -plntu | grep -E ':53\W'
udp  UNCONN   0  0   0.0.0.0:53  0.0.0.0:*   users:(("pihole-FTL",pid=770,fd=4))
udp  UNCONN   0  0   *:53        *:*         users:(("pihole-FTL",pid=770,fd=6))
tcp  LISTEN   0  32  0.0.0.0:53  0.0.0.0:*   users:(("pihole-FTL",pid=770,fd=5))
tcp  LISTEN   0  32  [::]:53     [::]:*      users:(("pihole-FTL",pid=770,fd=7))

So I don't think it's as simple as adjusting the listening interfaces :/

> 
> Can you describe exactly what's going on around dnsmasq.c line 1815 and
> in the loopback_exception() function, to cause client_ok to be set to
> zero? 

Line 1815 on the branch that created the log output is here:
https://github.com/pi-hole/FTL/blob/fix/jjnnko/src/dnsmasq/dnsmasq.c#L1815

.. on this branch I suspect you're referring to line 1850, but I'm afraid I'm not sure what
the logic is exactly about there.  @DL6ER mentioned he'd try to chime in about this,
hopefully by early next week.

> I can't easily access your logging patches, and I don't have a
> pihole installation, so I can't easily reproduce this or understand
> exactly what the logging means.

These were the changes to introduce the logging:
https://github.com/pi-hole/FTL/commit/df647e81df860ac2a6247817fbaab16cea776817

> I'm interested in what interface_index
> is returned from  tcp_interface(), what interface name that translates
> to, what interface indexes are in the daemon->interfaces linked list
> that gets tested against, and if that test fails, what happens in
> loopback_exception()

Seems like we can introduce some more logging and I'd be happy to test again.

Thanks,
Jinn
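The configuration at the heart of this report (the same IPv4 address on eth0 with a /24 and on the Wireguard interface with a /32) is easy to check for, and it is also the reason an address-only mapping from an accepted connection to an interface cannot be unique. The script below is an added example and is not dnsmasq or pi-hole code: it parses `ip -o -4 addr show` output (the sample lines are constructed to mirror the setup in the thread), flags addresses configured on more than one interface, and puts an address-based lookup next to an interface-index lookup so the ambiguity is visible side by side. The function names are this example's own, and the interface indexes are assumed values.

```python
"""Added example, not dnsmasq or pi-hole code.

Parses the one-line-per-address output of `ip -o -4 addr show` (sample lines
below are constructed: eth0 and wg0 both carry 10.3.2.1), flags addresses
configured on more than one interface, and shows why resolving an accepted
connection to an interface by its local address alone is ambiguous in that
situation while resolving by the kernel's interface index is not."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ip -o -4 addr show` output (ifindexes are assumed).
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.3.2.1/24 brd 10.3.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: wg0    inet 10.3.2.1/32 scope global wg0\\       valid_lft forever preferred_lft forever
"""

# "<ifindex>: <ifname>    inet <addr>/<prefix> ..."
LINE_RE = re.compile(r"^(\d+):\s+(\S+)\s+inet\s+(\S+)")


def parse_ip_addr(text):
    """Return a list of (ifindex, ifname, IPv4Interface) from `ip -o -4 addr` output."""
    table = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an inet line
        table.append((int(m.group(1)), m.group(2), ipaddress.IPv4Interface(m.group(3))))
    return table


def shared_addresses(table):
    """Map each address configured on more than one interface to those interface names."""
    owners = defaultdict(list)
    for _, name, iface in table:
        owners[iface.ip].append(name)
    return {str(ip): names for ip, names in owners.items() if len(names) > 1}


def ifaces_by_local_address(table, local_addr):
    """Address-only lookup: every interface whose address equals the connection's local address."""
    addr = ipaddress.IPv4Address(local_addr)
    return [name for _, name, iface in table if iface.ip == addr]


def iface_by_index(table, ifindex):
    """Index lookup: the interface the kernel reports the packet arrived on, or None."""
    for idx, name, _ in table:
        if idx == ifindex:
            return name
    return None


def classify_connection(table, local_addr, ifindex):
    """Resolve one connection both ways so the ambiguity is visible side by side."""
    by_addr = ifaces_by_local_address(table, local_addr)
    return {
        "address_candidates": by_addr,
        "address_ambiguous": len(by_addr) > 1,
        "index_match": iface_by_index(table, ifindex),
    }


if __name__ == "__main__":
    table = parse_ip_addr(SAMPLE_IP_ADDR)
    print("addresses on more than one interface:", shared_addresses(table))
    print(classify_connection(table, "10.3.2.1", 3))  # arrived on wg0: two address candidates, one index match
    print(classify_connection(table, "10.3.2.1", 9))  # index the daemon does not know: no index match
```

On a real host, replace the constructed sample with the live output (`ip -o -4 addr show`) to see whether any address is shared between interfaces; a non-empty result from the shared-address check is the precondition this thread describes, and the side-by-side classification shows why only an index-based test can tell the two interfaces apart.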
