[Dnsmasq-discuss] Avoid conflicts between dnsmasq and systemd-resolved.

Hongyi Zhao hongyi.zhao at gmail.com
Tue Sep 15 01:03:09 BST 2020


On Mon, Sep 14, 2020 at 10:45 PM Dominick C. Pastore
<dominickpastore at dcpx.org> wrote:
>
> > > Personally, I am not a fan of Netplan for reasons like this. It's supposed to abstract away the details of NetworkManager or systemd-networkd, but it doesn't do a great job of it. You end up having to refer to the NetworkManager or systemd-networkd documentation anyway, and having Netplan on top muddies the water.
> > >
> > > Anyway: Those address lines in the Netplan yaml are used to tell systemd-resolved which upstream DNS server to use, so it is using your Dnsmasq server. Then, /etc/resolv.conf specifies what DNS server other programs on the system will use (not all programs use that mechanism, but many do), and by default, it points to 127.0.0.53 so everything else will go through systemd-resolved. This includes Dnsmasq unless you configure it to do otherwise!
> > >
> > > The net result is most likely that Dnsmasq and systemd-resolved are each trying to use the other as their upstream server, so neither can resolve anything.
> > >
> > > If you really want to keep using both systemd-resolved and Dnsmasq, you need to pick one to be "upstream" from the other, as Geert and Neal said.
> > >
> > > If you want Dnsmasq to query the upstream servers, systemd-resolved to query Dnsmasq, and everything else on the host to query systemd-resolved:
> > > Then you need to edit the Dnsmasq configuration to quit using /etc/resolv.conf. This probably means you want to manually specify DNS servers in /etc/dnsmasq.conf with the "server=W.X.Y.Z" and "no-resolv" options. That does assume you know what DNS server you want to use.
> >
> > Very strange; in my case, I've already set the following options in
> > my dnsmasq.conf:
> >
> > no-resolv
> > no-poll
> >
> > and keep /etc/resolv.conf as the symlink to
> > /run/systemd/resolve/stub-resolv.conf
>
> Did you specify a server for Dnsmasq some other way? E.g. the "server=W.X.Y.Z" option? Or, better yet, can you share your Dnsmasq config?

I run dnsmasq as follows:

$ /usr/local/sbin/dnsmasq --port=53 -c10240 --server=127.0.0.1#6053 \
    --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf \
    -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf

The 127.0.0.1#6053 is a DNS proxy based on dnsproxy, which has DoH,
DoT, DoQ and DNSCrypt support.
The conf files here,
/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf, are for
Chinese domains, which use China's mainland DNS servers.

And the main dnsmasq.conf file has the following options enabled:

$ egrep -v '^([[:blank:]]*#|$)' \
    /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
dns-forward-max=10000
no-negcache
min-cache-ttl=3600
all-servers
domain-needed
bogus-priv
filterwin2k
no-resolv
no-poll
interface=lo
bind-interfaces


>
> > >
> > > Alternatively, if you want systemd-resolved to query the upstream servers and Dnsmasq to query systemd-resolved:
> > > Then you need to remove the "use-dns: false" and "nameservers" directives from Netplan so systemd-resolved stops trying to query Dnsmasq and uses the proper upstream servers instead. Dnsmasq will continue to use systemd-resolved, since /etc/resolv.conf will point it there. Note that programs on the same host will still use systemd-resolved and not Dnsmasq at all.
> >
> > Why?
>
> Why what? Why won't other programs on the host use Dnsmasq? That's the way systems with systemd-resolved work by default. Generally, programs on the host will query /etc/resolv.conf to determine which DNS servers to use (though the manpage for systemd-resolved.service(8) suggests that some programs do not use /etc/resolv.conf and connect to systemd-resolved through other means. To be honest, that part is a little unclear to me). By default, it's a symlink to a file that directs clients to systemd-resolved (127.0.0.53).
>
> The trouble is, systemd-resolved also uses resolv.conf to determine its own behavior. The moment you delete the symlink and replace it with your own file pointing to Dnsmasq (127.0.0.1), two things will happen:

This is exactly my situation; see the following for more detailed info:

werner at X10DAi-01:~$ cat /etc/resolv.conf
nameserver 127.0.0.1
werner at X10DAi-01:~$ realpath -e /etc/resolv.conf
/etc/resolv.conf

> 1.) systemd-resolved will itself add Dnsmasq to its list of nameservers. This probably won't break systemd-resolved entirely, but it will potentially cause lots of retries and slowdowns.

This seems so complicated, and I still can't figure out a perfect
solution for the coexistence of dnsmasq and systemd-resolved.

> 2.) Unless you've manually configured a nameserver in /etc/dnsmasq.conf, Dnsmasq will not have anywhere to send queries. This *will* break some things. It's smart enough to know that it shouldn't use itself as the upstream server, but neither /etc/resolv.conf nor /etc/dnsmasq.conf gives it other options, so it fails.

As you can see, I've set upstream nameservers for my dnsmasq, so this
shouldn't be the culprit in my case.

>
> If you want other programs on the same host to go through Dnsmasq, you should use the first option I suggested.

Do you mean the following thing you said:

    If you want Dnsmasq to query the upstream servers,
    systemd-resolved to query Dnsmasq,
    and everything else on the host to query systemd-resolved:


>
> > > Only other hosts on the same network will be able to use Dnsmasq.
> >
> > Seems this is not my purpose.
> >
> > >
> > > Regards,
> > > Dominick
> > >
> > > _______________________________________________
> > > Dnsmasq-discuss mailing list
> > > Dnsmasq-discuss at lists.thekelleys.org.uk
> > > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >
> >
> >
> > --
> > Hongyi Zhao <hongyi.zhao at gmail.com>
> >
>



-- 
Hongyi Zhao <hongyi.zhao at gmail.com>
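As an added example (not part of this thread or of dnsmasq itself), the script below works out which way dnsmasq and systemd-resolved forward to each other from copies of the two configs, reproducing the three shapes discussed above: the mutual loop Dominick describes, his "first option" (systemd-resolved to dnsmasq) and his "second option" (dnsmasq to systemd-resolved). It assumes dnsmasq listens on 127.0.0.1:53, that resolved's stub is 127.0.0.53, and that resolved's DNS= list (from resolved.conf or Netplan) is passed in by hand; the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): work out which way dnsmasq and
# systemd-resolved forward to each other, from copies of the two configs.
# Assumes dnsmasq listens on 127.0.0.1:53 and resolved's stub is 127.0.0.53.

# dnsmasq upstreams: server= lines, plus resolv.conf unless no-resolv is set
dnsmasq_upstreams() {  # $1=dnsmasq.conf $2=resolv.conf
    sed -n 's/^[[:blank:]]*server=//p' "$1"
    grep -qE '^[[:blank:]]*no-resolv' "$1" || awk '$1=="nameserver"{print $2}' "$2"
}

# resolved upstreams: its DNS= list, plus resolv.conf when that file is not
# resolved's own stub (a hand-written file pointing at dnsmasq counts)
resolved_upstreams() { # $1=resolv.conf $2=space-separated DNS= list
    printf '%s\n' $2   # unquoted on purpose: one server per line
    awk '$1=="nameserver" && $2!="127.0.0.53"{print $2}' "$1"
}

# Verdict: LOOP, NO_UPSTREAM, RESOLVED_TO_DNSMASQ, DNSMASQ_TO_RESOLVED or INDEPENDENT
classify() {           # $1=resolv.conf $2=dnsmasq.conf $3=DNS= list
    dm=$(dnsmasq_upstreams "$2" "$1")
    rs=$(resolved_upstreams "$1" "$3")
    [ -n "$dm" ] || { echo NO_UPSTREAM; return 0; }   # Dominick's point 2
    d2r=0; r2d=0
    printf '%s\n' "$dm" | grep -qE '^127\.0\.0\.53(#53)?$' && d2r=1
    printf '%s\n' "$rs" | grep -qE '^127\.0\.0\.1(:53)?$' && r2d=1
    if   [ $d2r = 1 ] && [ $r2d = 1 ]; then echo LOOP   # each is the other's upstream
    elif [ $r2d = 1 ]; then echo RESOLVED_TO_DNSMASQ    # Dominick's first option
    elif [ $d2r = 1 ]; then echo DNSMASQ_TO_RESOLVED    # Dominick's second option
    else echo INDEPENDENT; fi
}

# Write constructed configs (modelled on the thread, not copied from a host) and classify
scenario() {           # $1=resolv.conf text $2=dnsmasq.conf text ("\n"-separated) $3=DNS= list
    d=$(mktemp -d)
    printf '%b\n' "$1" > "$d/resolv.conf"
    printf '%b\n' "$2" > "$d/dnsmasq.conf"
    classify "$d/resolv.conf" "$d/dnsmasq.conf" "$3"
    rm -rf "$d"
}

echo "stub + Netplan nameservers 127.0.0.1: $(scenario 'nameserver 127.0.0.53' 'port=53' '127.0.0.1')"
echo "thread poster setup (plain file):     $(scenario 'nameserver 127.0.0.1' 'no-resolv\nno-poll\nserver=127.0.0.1#6053' '')"
echo "no-resolv without server=:            $(scenario 'nameserver 127.0.0.1' 'no-resolv' '')"
```

The second scenario reports RESOLVED_TO_DNSMASQ even though no DNS= was configured, because the hand-written /etc/resolv.conf is what feeds 127.0.0.1 to systemd-resolved (Dominick's point 1).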