[Dnsmasq-discuss] DNS refused when internet is down

Duncan Webb duncan-lists at uniqfeed.com
Sat Dec 5 10:21:19 GMT 2020


On 02/12/2020 15:03, Geert Stappers wrote:
> On Wed, Dec 02, 2020 at 02:45:04PM +0100, Matus UHLAR - fantomas wrote:
>>>>>>> On 11/25/2020 9:31 AM, Duncan Webb wrote:
>>>>>>>> When the internet is down for some external reason
>>>>>>>> nslookup is returning
>>>>>>>> "Connection to DNS 10.0.0.1 was refused" when
>>>>>>>> looking up a host on the
>>>>>>>> LAN that has its IP from DHCP. Both DHCP and DNS are
>>>>>>>> provided by dnsmasq.
>>>>>>>>
>>>>>>>> Is this the expected behaviour or a misconfiguration?
>>>>>> On Wed, Nov 25, 2020 at 10:44:34AM +0100, john doe wrote:
>>>>>>> No, this is not the expected behavior.
>>>>> On 26/11/2020 08:31, Geert Stappers wrote:
>>>>>> Also my first impression, on second thought: "It could be" ...
>>>>>>> We can not say
>>>>>>> where the issue lies with the little information you have provided.
>>>>>> So please make your problem an interesting challenge for the ML ;-)
>>>> On 01.12.20 09:32, Duncan Webb wrote:
>>>>> The problem can be reproduced by disconnecting the cable to the
>>>>> ADSL router. As soon as the cable is removed then a nslookup
>>>>> will return a "Connection to DNS 10.0.0.1 was refused" reply for
>>>>> every query.
>>> On 01/12/2020 10:24, Matus UHLAR - fantomas wrote:
>>>> which server does 10.0.0.1 belong to?  apparently not to your router, as
>>>> I don't see this address as argument to --listen-address.
>> On 01.12.20 10:52, Duncan Webb wrote:
>>> Sorry, this was a typo, should have been 10.99.0.1 (can't pull that cable
>>> out at the moment to get the exact message)
>> is 10.99.0.1 your external IP address?
>>
>> I guess you'll need the exact error message.
>>
>> Also you should use "host" instead of "nslookup", because there are
>> different nslookup implementations, and some provide nonsensical error
>> messages (might be your case).
>>
>>>>> I would expect that hosts on the LAN that have been provided an
>>>>> IP address from the dnsmasq DHCP server to resolve.
>>>> hosts on the lan should be resolved by dnsmasq, but unreachable address
>>>> can't resolve them.
>>>>
>>>>> The configuration is all on the command line and this is
>>>>>
>>>>> /usr/local/sbin/dnsmasq --all-servers -H /var/etc/dnsmasq-hosts
>>>>> --listen-address=192.168.0.254 --listen-address=10.99.2.1
>>>>> --listen-address=10.99.0.1 --listen-address=10.99.128.1
>>>>> --listen-address=127.0.0.1 --listen-address=::1 --bind-interfaces
>>>>> --server=/example.net/10.99.0.1 --server=/opcase.private/10.99.130.1
>>>>> --server=/130.99.10.in-addr.arpa/10.99.130.1
>>>>> --server=/opcase1.private/10.99.144.1
>>>>> --server=/144.99.10.in-addr.arpa/10.99.144.1 --dns-forward-max=5000
>>>>> --cache-size=10000 --local-ttl=1
>>>>> --conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf
>>>>>
>>>>> I don't think that the options
>>>>> --server=/opcase.private/10.99.130.1 where the server is offline
>>>>> could be causing this but for completeness both the servers
>>>>> 10.99.130.1 and 10.99.144.1 are offline.
>>>>>
>>>>> The --conf-dir directory has no .conf files.
>>>>>
>>>>> The firewall is OPNsense, which is based on BSD, and I don't think
>>>>> this is relevant to this specific problem.
>> btw,
>> the firewall may cause different behaviour when the external link is down.
>> but for now get proper message from proper command.
>
> And add information at which network component it is.
What do you mean?
>>>>> example.net is not the real domain. The contents of
>>>>> /var/etc/dnsmasq-hosts contains lines like this:
>>>>>
>>>>> 10.99.0.201 w1.example.net w1
>>>>> 10.99.0.202 w2.example.net w2
>>>>> 10.99.0.203 w3.example.net w3
>>>>>
>>>>> It is these addresses that I would expect to be resolved.
> "Works for me"

Here too today. Next is to add some .conf files and see if an option
causes the refused message. I suspect that it is no-negcache that got
removed after an upgrade of the firewall software. First is to check the
syntax of the conf files.

Thanks and kind regards,
Duncan
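
The checks discussed in this thread (is the queried resolver one of the `--listen-address` values, and is the name in the hosts file or covered by a `--server=/domain/` rule), as an added example that is not part of the original message. The function names are hypothetical, and it assumes dnsmasq answers hosts-file names locally and picks the most specific `--server` domain.

```python
import ipaddress
import shlex

# Command line and hosts entries as posted in the thread.
CMDLINE = """/usr/local/sbin/dnsmasq --all-servers -H /var/etc/dnsmasq-hosts
--listen-address=192.168.0.254 --listen-address=10.99.2.1
--listen-address=10.99.0.1 --listen-address=10.99.128.1
--listen-address=127.0.0.1 --listen-address=::1 --bind-interfaces
--server=/example.net/10.99.0.1 --server=/opcase.private/10.99.130.1
--server=/130.99.10.in-addr.arpa/10.99.130.1
--server=/opcase1.private/10.99.144.1
--server=/144.99.10.in-addr.arpa/10.99.144.1 --dns-forward-max=5000
--cache-size=10000 --local-ttl=1
--conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf"""
HOSTS = """10.99.0.201 w1.example.net w1
10.99.0.202 w2.example.net w2
10.99.0.203 w3.example.net w3"""

def listen_addresses(cmdline):
    """Addresses dnsmasq was told to listen on."""
    return {ipaddress.ip_address(a.partition("=")[2])
            for a in shlex.split(cmdline) if a.startswith("--listen-address=")}

def domain_servers(cmdline):
    """Map domain -> upstream taken from --server=/domain/ip options."""
    out = {}
    for a in shlex.split(cmdline):
        if a.startswith("--server=/"):
            domain, ip = a[len("--server=/"):].rsplit("/", 1)
            out[domain.lower()] = ip
    return out

def hosts_names(text):
    """All names (full and short) listed in the hosts file text."""
    names = set()
    for line in text.splitlines():
        names.update(n.lower() for n in line.split("#", 1)[0].split()[1:])
    return names

def diagnose(resolver, name, cmdline=CMDLINE, hosts=HOSTS):
    """Say where a query for `name` sent to `resolver` would be handled."""
    if ipaddress.ip_address(resolver) not in listen_addresses(cmdline):
        return "resolver-not-a-listen-address"
    name = name.lower().rstrip(".")
    if name in hosts_names(hosts):
        return "answered-from-hosts-file"
    rules = domain_servers(cmdline)
    for domain in sorted(rules, key=len, reverse=True):  # most specific first
        if name == domain or name.endswith("." + domain):
            return "forwarded-to-" + rules[domain]
    return "forwarded-to-default-upstream"
```
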
