[Dnsmasq-discuss] Problem with dynamic upstream nameservers in dnsmasq 2.87
Christopher J. Madsen
cjm-dnsmasq at cjmweb.net
Mon Oct 10 21:13:35 UTC 2022
I'm not sure what more details about my setup would be useful.
https://unix.stackexchange.com/a/575449/2421 explains how dnsmasq and
openresolv are configured.
There are 2 interfaces involved here: the wired Ethernet connection
(eth0) and the VPN (tun0). (Ok, eth0 is really spelled enp3s0f4u1u1 but
let's keep it simple.) The wifi interface remains disabled throughout.
eth0 remains active at all times. tun0 comes and goes.
When connected to VPN, "resolvconf -l" prints:
# resolv.conf from tun0
# resolv.conf autogenerated by /etc/openvpn/client/client.up (tun0)
nameserver 10.3.10.24
nameserver 10.3.10.26
nameserver 10.3.10.25
search example.com example.org
# resolv.conf from NetworkManager
# Generated by NetworkManager
search lan.example.net
nameserver 192.168.1.1
nameserver fd...::1
The idea is that I only want to use the tun0 DNS servers for the domains
in the tun0 search line. Openresolv's private_interfaces=tun0 config
takes care of informing dnsmasq about this. dnsmasq is only providing DNS.
So /etc/resolv.conf contains only lines pointing at dnsmasq:
nameserver ::1
nameserver 127.0.0.1
And openresolv tells dnsmasq via DBus which nameservers to use for which
domains.
192.168.1.1 (aka fd...::1) is my home router, which provides caching
DNS. It also gives special responses for certain names, which is why
it's important that only the VPN domains get looked up on the tun0
nameservers.
When the VPN disconnects, openresolv is informing dnsmasq to stop using
the 10.3.10.xx nameservers. The eth0 interface remains up, and I can
ping arbitrary hosts by IP, but dnsmasq can't give DNS responses because
it doesn't think it has an upstream nameserver for anything except
lan.example.net. Clearly, the upstream nameserver is reachable, because
the global one is the exact same nameserver it's successfully using for
lan.example.net.
But for some reason, dnsmasq 2.86 has a global nameserver after tun0
goes away, and 2.87 doesn't. I don't see why the version of dnsmasq
would affect what messages openresolv is sending; dnsmasq 2.87 must just
be processing them differently.
On 10/10/22 14:58, Geert Stappers via Dnsmasq-discuss wrote:
> On Sun, Oct 09, 2022 at 06:21:53PM -0500, Christopher J. Madsen wrote:
>> I have configured dnsmasq and openresolv as described in
>> https://unix.stackexchange.com/a/575449/2421 so that the DNS servers
>> provided by the VPN are only used for the domains on that network.
>>
>> With dnsmasq 2.86 and openresolv 3.12.0 this was working great, but I was
>> setting up a new computer the same way and discovered that DNS lookups broke
>> when I disconnected from the VPN (causing resolvconf to remove the private
>> DNS servers). I soon realized that the new machine had gotten dnsmasq 2.87,
>> which I hadn't yet upgraded to on the old machine (it had dnsmasq 2.86).
>>
>> The symptom is that all DNS requests (except those for other machines on my
>> LAN) are refused by dnsmasq:
>>
>> $ nslookup www.google.com
>> Server: ::1
>> Address: ::1#53
>>
>> ** server can't find www.google.com: REFUSED
>>
>> Restarting dnsmasq fixes the problem until the next time I disconnect the
>> VPN.
>>
>> I installed dnsmasq 2.86 on the new machine and the problem went away. If I
>> put 2.87 back, the problem also comes back. It seems that something in 2.87
>> breaks with my setup.
> Interesting ...
>
>
>> BTW, openresolv 3.12.0 uses DBus to add/remove nameservers instead of
>> editing the dnsmasq config files.
>>
>> I turned on debug logging. When I connect the VPN, I see this in the log:
>>
>> Oct 9 16:40:15 dnsmasq[105349]: setting upstream servers from DBus
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.com
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.com
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.com
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.org
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.org
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.org
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
>> Oct 9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
>> Oct 9 16:40:15 dnsmasq[105349]: read /etc/hosts - 0 addresses
>>
>> I have redacted the IPv6 address, but it is exactly the same in all log
>> entries. I have also redacted the domains. The VPN provides example.com
>> and example.org, and lan.example.net is my LAN. This part of the log looks
>> exactly the same in 2.86 and 2.87; only the timestamps change.
>>
>> Here is what dnsmasq 2.86 reports when I disconnect the VPN:
>>
>> Oct 9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
>> Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
>> Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
>> Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
>> Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
>> Oct 9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
>>
>> Here is what dnsmasq 2.87 reports when I disconnect the VPN:
>>
>> Oct 9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
>> Oct 9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
>> Oct 9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
>> Oct 9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
>> Oct 9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
>> Oct 9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
>>
>> Notice that 2.87 does not show any "using nameserver" lines that don't also
>> say "for domain". As a result, I can only look up hosts under the
>> lan.example.net domain. Everything else is refused.
>>
>> I don't know how to see the DBus messages that openresolv is sending to
>> dnsmasq, but I would assume they're the same in both cases. The only thing
>> that changed is the version of dnsmasq. But for whatever reason, dnsmasq
>> 2.87 isn't setting up generic nameservers when the VPN disconnects, but 2.86
>> is.
> Possible direction for further hunting: interfaces.
>
>
> Yeah, that is somewhat vague; it is because of "gut feeling".
> The (wired?) idea is that upon shutdown of the VPN an interface is gone.
> And the gone I/F was the one with access to upstream DNS.
>
>
> Groeten
> Geert Stappers
>
> P.S.
> It will be a good thing if the follow-up message provides
> a more complete picture of the setup.
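As an added illustration (not code from this thread, nor from dnsmasq or openresolv), the Python script below audits the state the thread describes: it derives the upstream server set one would expect from `resolvconf -l` output given `private_interfaces=tun0`, parses the `using nameserver` lines of the two disconnect logs quoted above, and reports whether a global (non-domain-scoped) upstream survived. The expected-set rule (servers of a private interface are bound only to that interface's search domains; servers of other interfaces are global and also bound to their search domains) is inferred from the log lines in the thread, not taken from openresolv's source, and the IPv6 router address redacted as `fd...::1` is replaced by the constructed placeholder `fd00::1`.

```python
import re
from collections import defaultdict

# Constructed from the `resolvconf -l` output in the thread; fd00::1 is a
# placeholder for the redacted IPv6 router address.
RESOLVCONF_CONNECTED = """\
# resolv.conf from tun0
# resolv.conf autogenerated by /etc/openvpn/client/client.up (tun0)
nameserver 10.3.10.24
nameserver 10.3.10.26
nameserver 10.3.10.25
search example.com example.org
# resolv.conf from NetworkManager
# Generated by NetworkManager
search lan.example.net
nameserver 192.168.1.1
nameserver fd00::1
"""
# Once the VPN drops, only the NetworkManager block remains.
RESOLVCONF_DISCONNECTED = """\
# resolv.conf from NetworkManager
# Generated by NetworkManager
search lan.example.net
nameserver 192.168.1.1
nameserver fd00::1
"""
PRIVATE_INTERFACES = {"tun0"}  # openresolv's private_interfaces=tun0

# Disconnect logs from the thread (constructed copies, IPv6 placeholder).
LOG_286_DISCONNECT = """\
Oct 9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd00::1#53
Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd00::1#53 for domain lan.example.net
Oct 9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
"""
LOG_287_DISCONNECT = """\
Oct 9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
Oct 9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct 9 16:46:21 dnsmasq[105730]: using nameserver fd00::1#53 for domain lan.example.net
Oct 9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
Oct 9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
Oct 9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
"""


def parse_resolvconf_list(text):
    """Split `resolvconf -l` output into {interface: {"nameservers": [...], "search": [...]}}."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"#\s*resolv\.conf from (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = {"nameservers": [], "search": []}
            continue
        if current is None or line.startswith("#") or not line.strip():
            continue
        key, *values = line.split()
        if key in ("nameserver", "search"):
            blocks[current]["nameservers" if key == "nameserver" else "search"].extend(values)
    return blocks


def expected_upstreams(blocks, private):
    """(global_servers, {domain: servers}) dnsmasq should end up with.
    Rule inferred from the thread's logs: private-interface servers are bound
    only to that interface's search domains; all others are global too."""
    global_servers, per_domain = [], defaultdict(list)
    for iface, cfg in blocks.items():
        if iface not in private:
            global_servers.extend(cfg["nameservers"])
        for dom in cfg["search"]:
            per_domain[dom].extend(cfg["nameservers"])
    return global_servers, dict(per_domain)


def actual_upstreams(log_text):
    """Parse the last 'setting upstream servers' block of a dnsmasq log."""
    global_servers, per_domain = [], defaultdict(list)
    for line in log_text.splitlines():
        if "setting upstream servers" in line:  # a new set replaces the old
            global_servers, per_domain = [], defaultdict(list)
            continue
        m = re.search(r"using nameserver (\S+)#\d+(?: for domain (\S+))?", line)
        if m:
            server, domain = m.groups()
            (per_domain[domain] if domain else global_servers).append(server)
    return global_servers, dict(per_domain)


def audit(expected, actual):
    """List the discrepancies that would make queries outside the scoped domains fail."""
    (exp_g, exp_d), (act_g, act_d) = expected, actual
    problems = []
    if not act_g:
        problems.append("no global upstream nameserver: queries outside the scoped domains are REFUSED")
    problems += [f"global nameserver {s} missing" for s in exp_g if s not in act_g]
    for dom, servers in exp_d.items():
        problems += [f"{s} missing for domain {dom}" for s in servers if s not in act_d.get(dom, [])]
    return problems


if __name__ == "__main__":
    want = expected_upstreams(parse_resolvconf_list(RESOLVCONF_DISCONNECTED), PRIVATE_INTERFACES)
    for name, log in (("2.86", LOG_286_DISCONNECT), ("2.87", LOG_287_DISCONNECT)):
        print(name, audit(want, actual_upstreams(log)) or "OK")
```

Run as-is, the script reports the 2.86 log as consistent with the post-disconnect `resolvconf -l` output and flags the 2.87 log for having no global upstream, which is exactly the condition behind the REFUSED answers in the thread; pointing `actual_upstreams` at a live syslog excerpt turns it into a quick check after any VPN state change.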