[Dnsmasq-discuss] filter-AAAA is breaking dnsmasq

E encoding at riseup.net
Mon Oct 11 09:53:40 UTC 2021

> Advice: Go for a good walk
> Then, at a healthy stress level,

I _am_ fine. I'm just getting tired of an unusable DNS service.

> answer to https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q4/015815.html

I did that already, didn't I? Please elaborate.

> Karma bonus points for using an email program that adds 'In-Reply-To: ' header.

This is webmail, not a client.
Many email clients such as Mozilla Thunderbird are spying nowadays.
Mozilla telemetry, Windows 10 spying, you name it.


> Your output included “which” not “where” (whereis?).

Sorry, I'm just not aware of the difference between "which" and "where".

# where dnsmasq
-bash: where: command not found

# whereis dnsmasq
dnsmasq: /usr/sbin/dnsmasq /etc/dnsmasq.d /etc/dnsmasq.conf
/usr/local/sbin/dnsmasq /usr/share/dnsmasq

> Where is the results of renaming /usr/sbin/dnsmasq and using the service script afterward?

I didn't rename anything.
I just ran git, make, make install and that's it. I did not modify any
system config or anything, except /etc/dnsmasq.conf.

> “dnssec-check-unsigned=no”.  Referring to dnsmasq.conf.example from the source repository, the option is just set not “=no” or yes

Interesting - because this handwritten config file of mine has been working for
many years now.
What is "not "=no"? Is it "yes" or yes?

> I also wonder if simply commenting out the offending line

# vi /etc/dnsmasq.conf
(change dnssec-check-unsigned=no and dnssec-no-timecheck to
#dnssec-check-unsigned=no and #dnssec-no-timecheck)

# dnsmasq

# ps aux|grep dnsmasq
nobody 0:00 dnsmasq

Yes, it worked, but I'd like to keep the above 2 options active, so this is
not an option for me. Also, the service still fails to start up:

# service dnsmasq restart
Job for dnsmasq.service failed because the control process exited with
error code

> “=path-to/“ entries that I suspect don’t exist in a directory called “path-to”

You mean these? Those are my personal blackhole.


> I do wonder why your --version output doesn’t show the compile time options

Here's full:

# dnsmasq --version
Dnsmasq version 2.87test4-1-g37a70d3  Copyright (c) 2000-2021 Simon
Compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth no-cryptohash
no-DNSSEC loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

If this is the problem of installing process, what _exactly_ is the

override git version(unstable latest which has AAAA option) onto the
Debian 11's stable channel version of dnsmasq?

(just my opinion: I just want to block some AAAA results
if the response-IPv6 is in CIDRv6 O, P, Q, R, S, T, U, V, W, X, Y or Z.
However, dnsmasq only supports IPv4-blocking-by-CIDRv4 and not v6)

