[Dnsmasq-discuss] Problem with dynamic upstream nameservers in dnsmasq 2.87

Christopher J. Madsen cjm-dnsmasq at cjmweb.net
Sun Oct 9 23:21:53 UTC 2022


I have configured dnsmasq and openresolv as described in 
https://unix.stackexchange.com/a/575449/2421 so that the DNS servers 
provided by the VPN are only used for the domains on that network.

With dnsmasq 2.86 and openresolv 3.12.0 this was working great, but I 
was setting up a new computer the same way and discovered that DNS 
lookups broke when I disconnected from the VPN (causing resolvconf to 
remove the private DNS servers).  I soon realized that the new machine 
had gotten dnsmasq 2.87, which I hadn't yet upgraded to on the old 
machine (it had dnsmasq 2.86).

The symptom is that all DNS requests (except those for other machines on 
my LAN) are refused by dnsmasq:

     $ nslookup www.google.com
     Server:        ::1
     Address:    ::1#53

     ** server can't find www.google.com: REFUSED

Restarting dnsmasq fixes the problem until the next time I disconnect 
the VPN.

I installed dnsmasq 2.86 on the new machine and the problem went away.  
If I put 2.87 back, the problem also comes back.  It seems that 
something in 2.87 breaks with my setup.  BTW, openresolv 3.12.0 uses 
DBus to add/remove nameservers instead of editing the dnsmasq config files.

I turned on debug logging.  When I connect the VPN, I see this in the log:

Oct  9 16:40:15 dnsmasq[105349]: setting upstream servers from DBus
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53
Oct  9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.com
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.com
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.com
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.org
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.org
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.org
Oct  9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
Oct  9 16:40:15 dnsmasq[105349]: read /etc/hosts - 0 addresses

I have redacted the IPv6 address, but it is exactly the same in all log 
entries.  I have also redacted the domains.  The VPN provides 
example.com and example.org, and lan.example.net is my LAN.  This part 
of the log looks exactly the same in 2.86 and 2.87; only the timestamps 
change.

Here is what dnsmasq 2.86 reports when I disconnect the VPN:

Oct  9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
Oct  9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses

Here is what dnsmasq 2.87 reports when I disconnect the VPN:

Oct  9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
Oct  9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
Oct  9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
Oct  9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
Oct  9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)

Notice that 2.87 does not show any "using nameserver" lines that don't 
also say "for domain".  As a result, I can only look up hosts under the 
lan.example.net domain.  Everything else is refused.

I don't know how to see the DBus messages that openresolv is sending to 
dnsmasq, but I would assume they're the same in both cases.  The only 
thing that changed is the version of dnsmasq. But for whatever reason, 
dnsmasq 2.87 isn't setting up generic nameservers when the VPN 
disconnects, but 2.86 is.
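
The condition reported in this post can be checked mechanically from the debug log: a "setting upstream servers from DBus" reload that is followed by no "using nameserver" line lacking "for domain". The Python below is an added example, not part of the original post or of dnsmasq; the two sample logs are constructed from the excerpts quoted above (one entry per line), and the function names are hypothetical.

```python
import re

# Constructed samples modeled on the disconnect logs quoted in the post
# (wrapped lines rejoined; addresses and domains as redacted there).
LOG_286 = """\
Oct  9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
"""
LOG_287 = """\
Oct  9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
Oct  9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
Oct  9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
Oct  9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
"""

RELOAD = re.compile(r"dnsmasq\[\d+\]: setting upstream servers from DBus")
SERVER = re.compile(r"dnsmasq\[\d+\]: using nameserver (\S+?)(?: for domain (\S+))?$")
REFUSED = re.compile(r"dnsmasq\[\d+\]: config error is REFUSED")

def audit_reloads(log_text):
    """One record per DBus reload: default servers, per-domain servers, REFUSED count."""
    reloads = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if RELOAD.search(line):
            reloads.append({"when": line[:15], "default": [], "scoped": {}, "refused": 0})
        elif reloads:  # lines before the first reload cannot be attributed
            cur = reloads[-1]
            m = SERVER.search(line)
            if m and m.group(2):
                cur["scoped"].setdefault(m.group(2), []).append(m.group(1))
            elif m:
                cur["default"].append(m.group(1))
            elif REFUSED.search(line):
                cur["refused"] += 1
    return reloads

def broken_reloads(log_text):
    """Reloads that left dnsmasq without any unscoped (default) upstream server."""
    return [r for r in audit_reloads(log_text) if not r["default"]]

if __name__ == "__main__":
    for name, log in (("2.86", LOG_286), ("2.87", LOG_287)):
        for r in broken_reloads(log):
            print(f"{name}: reload at {r['when']} has no default upstream; "
                  f"scoped={sorted(r['scoped'])} refused={r['refused']}")
```

Run against a real log, it needs dnsmasq's query logging enabled, since the "using nameserver" and REFUSED lines only appear at that verbosity.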



