[Dnsmasq-discuss] Problem with dynamic upstream nameservers in dnsmasq 2.87
Geert Stappers
stappers at stappers.nl
Mon Oct 10 19:58:36 UTC 2022
On Sun, Oct 09, 2022 at 06:21:53PM -0500, Christopher J. Madsen wrote:
> I have configured dnsmasq and openresolv as described in
> https://unix.stackexchange.com/a/575449/2421 so that the DNS servers
> provided by the VPN are only used for the domains on that network.
>
> With dnsmasq 2.86 and openresolv 3.12.0 this was working great, but I was
> setting up a new computer the same way and discovered that DNS lookups broke
> when I disconnected from the VPN (causing resolvconf to remove the private
> DNS servers). I soon realized that the new machine had gotten dnsmasq 2.87,
> which I hadn't yet upgraded to on the old machine (it had dnsmasq 2.86).
>
> The symptom is that all DNS requests (except those for other machines on my
> LAN) are refused by dnsmasq:
>
> $ nslookup www.google.com
> Server: ::1
> Address: ::1#53
>
> ** server can't find www.google.com: REFUSED
>
> Restarting dnsmasq fixes the problem until the next time I disconnect the
> VPN.
>
> I installed dnsmasq 2.86 on the new machine and the problem went away. If I
> put 2.87 back, the problem also comes back. It seems that something in 2.87
> breaks with my setup.
Interesting ...
> BTW, openresolv 3.12.0 uses DBus to add/remove nameservers instead of
> editing the dnsmasq config files.
>
> I turned on debug logging. When I connect the VPN, I see this in the log:
>
> Oct 9 16:40:15 dnsmasq[105349]: setting upstream servers from DBus
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.com
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.com
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.com
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.org
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.org
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.org
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
> Oct 9 16:40:15 dnsmasq[105349]: read /etc/hosts - 0 addresses
>
> I have redacted the IPv6 address, but it is exactly the same in all log
> entries. I have also redacted the domains. The VPN provides example.com
> and example.org, and lan.example.net is my LAN. This part of the log looks
> exactly the same in 2.86 and 2.87; only the timestamps change.
>
> Here is what dnsmasq 2.86 reports when I disconnect the VPN:
>
> Oct 9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
> Oct 9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
>
> Here is what dnsmasq 2.87 reports when I disconnect the VPN:
>
> Oct 9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
> Oct 9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
> Oct 9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
> Oct 9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
> Oct 9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
> Oct 9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
>
> Notice that 2.87 does not show any "using nameserver" lines that don't also
> say "for domain". As a result, I can only look up hosts under the
> lan.example.net domain. Everything else is refused.
>
> I don't know how to see the DBus messages that openresolv is sending to
> dnsmasq, but I would assume they're the same in both cases. The only thing
> that changed is the version of dnsmasq. But for whatever reason, dnsmasq
> 2.87 isn't setting up generic nameservers when the VPN disconnects, but 2.86
> is.
Possible direction for further hunting: interfaces.
Yeah, that is somewhat vague, it is because "gut feeling".
The (wired?) idea is upon shutdown of the VPN is an interface gone.
And the gone I/F was the one with access to upstream DNS.
Regards
Geert Stappers
P.S.
It will be a good thing that follow-up message provides
a completer picture of the setup.
--
Silence is hard to parse
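
The failure quoted in this message can be detected from the debug log alone. The following is an added example, not part of the original thread and not dnsmasq or openresolv code: it groups the log lines that follow each "setting upstream servers from DBus" event and flags any reload that leaves only "for domain" nameservers. The sample logs are constructed from the excerpts quoted above (addresses as redacted there), and the function names are hypothetical.

```python
import re

# Constructed samples: the two VPN-disconnect excerpts quoted in the message.
SAMPLE_286 = """\
Oct 9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
"""
SAMPLE_287 = """\
Oct 9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
Oct 9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct 9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
Oct 9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
Oct 9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
"""

LINE = re.compile(r"dnsmasq\[(\d+)\]: (.*)$")
SERVER = re.compile(r"using nameserver (\S+?)(?: for domain (\S+))?$")

def audit_reloads(log_text):
    """Return one record per DBus server reload seen in the log."""
    reloads, current = [], None
    for raw in log_text.splitlines():
        m = LINE.search(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if msg.startswith("setting upstream servers from DBus"):
            current = {"pid": int(m.group(1)), "default": [],
                       "scoped": {}, "refused": 0}
            reloads.append(current)
        elif current is None:
            continue  # lines before the first reload are not attributed
        elif (s := SERVER.match(msg)):
            addr, domain = s.groups()
            if domain:
                current["scoped"].setdefault(domain, []).append(addr)
            else:
                current["default"].append(addr)  # generic upstream
        elif "REFUSED" in msg:
            current["refused"] += 1
    return reloads

def broken_reloads(log_text):
    """Reloads that left no generic upstream: non-scoped names get REFUSED."""
    return [r for r in audit_reloads(log_text) if not r["default"]]
```
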