[Dnsmasq-discuss] Problem with dynamic upstream nameservers in dnsmasq 2.87

Simon Kelley simon at thekelleys.org.uk
Thu Oct 13 14:36:17 UTC 2022



On 10/10/2022 00:21, Christopher J. Madsen wrote:
> I have configured dnsmasq and openresolv as described in 
> https://unix.stackexchange.com/a/575449/2421 so that the DNS servers 
> provided by the VPN are only used for the domains on that network.
> 
> With dnsmasq 2.86 and openresolv 3.12.0 this was working great, but I 
> was setting up a new computer the same way and discovered that DNS 
> lookups broke when I disconnected from the VPN (causing resolvconf to 
> remove the private DNS servers).  I soon realized that the new machine 
> had gotten dnsmasq 2.87, which I hadn't yet upgraded to on the old 
> machine (it had dnsmasq 2.86).
> 
> The symptom is that all DNS requests (except those for other machines on 
> my LAN) are refused by dnsmasq:
> 
>      $ nslookup www.google.com
>      Server:        ::1
>      Address:    ::1#53
> 
>      ** server can't find www.google.com: REFUSED
> 
> Restarting dnsmasq fixes the problem until the next time I disconnect 
> the VPN.
> 
> I installed dnsmasq 2.86 on the new machine and the problem went away. 
> If I put 2.87 back, the problem also comes back.  It seems that 
> something in 2.87 breaks with my setup.  BTW, openresolv 3.12.0 uses 
> DBus to add/remove nameservers instead of editing the dnsmasq config files.
> 
> I turned on debug logging.  When I connect the VPN, I see this in the log:
> 
> Oct  9 16:40:15 dnsmasq[105349]: setting upstream servers from DBus
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.com
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.com
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.com
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.org
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.org
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.org
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
> Oct  9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
> Oct  9 16:40:15 dnsmasq[105349]: read /etc/hosts - 0 addresses
> 
> I have redacted the IPv6 address, but it is exactly the same in all log 
> entries.  I have also redacted the domains.  The VPN provides 
> example.com and example.org, and lan.example.net is my LAN.  This part 
> of the log looks exactly the same in 2.86 and 2.87; only the timestamps 
> change.
> 
> Here is what dnsmasq 2.86 reports when I disconnect the VPN:
> 
> Oct  9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
> Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
> Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
> Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
> Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
> Oct  9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
> 
> Here is what dnsmasq 2.87 reports when I disconnect the VPN:
> 
> Oct  9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
> Oct  9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
> Oct  9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
> Oct  9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
> Oct  9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
> Oct  9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
> 
> Notice that 2.87 does not show any "using nameserver" lines that don't 
> also say "for domain".  As a result, I can only look up hosts under the 
> lan.example.net domain.  Everything else is refused.
> 
> I don't know how to see the DBus messages that openresolv is sending to 
> dnsmasq, but I would assume they're the same in both cases.  The only 
> thing that changed is the version of dnsmasq. But for whatever reason, 
> dnsmasq 2.87 isn't setting up generic nameservers when the VPN 
> disconnects, but 2.86 is.
> 
> 

I've stared at this for a while, but not found an obvious problem yet. 
An obvious commit on 2.87 that should be looked at is

https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=553c4c99cca173e9964d0edbd0676ed96c30f62b

Maybe the massive confusion is not as resolved as we thought. If you can 
build a test binary which reverts that change, and see if it fixes 
things, that would be very useful.

Another useful bit of data would be to see the DBUS messages being sent 
by openresolv. dbus-monitor should enable you to get that.


Cheers,

Simon.
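
The symptom reported in this thread (a DBus reload that leaves only "for domain" servers, followed by REFUSED replies) can be checked for mechanically in a dnsmasq log. The following is an added example, not code from the thread or from the dnsmasq project; the function names are hypothetical and the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the 2.87 disconnect log quoted in the thread.
SAMPLE_LOG = """\
Oct  9 16:46:00 dnsmasq[105730]: setting upstream servers from DBus
Oct  9 16:46:00 dnsmasq[105730]: using nameserver 192.168.1.1#53
Oct  9 16:46:00 dnsmasq[105730]: using nameserver 10.3.10.24#53 for domain example.com
Oct  9 16:46:00 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
Oct  9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
Oct  9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
Oct  9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
"""

# Timestamp, optional syslog hostname, then the dnsmasq message.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?:\S+ )?dnsmasq\[\d+\]: (?P<msg>.*)$")
SERVER = re.compile(r"^using nameserver (?P<addr>\S+)(?: for domain (?P<dom>\S+))?")

def reloads(log_text):
    """Split a dnsmasq log into one record per upstream-server reload."""
    out, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("setting upstream servers from"):
            cur = {"ts": m["ts"], "default": [], "scoped": {}, "refused": 0}
            out.append(cur)
        elif cur is None:
            continue  # lines before the first reload are ignored
        elif (s := SERVER.match(msg)):
            if s["dom"]:
                cur["scoped"].setdefault(s["dom"], []).append(s["addr"])
            else:
                cur["default"].append(s["addr"])
        elif "REFUSED" in msg:
            cur["refused"] += 1
    return out

def missing_default(log_text):
    """Return reloads that left dnsmasq with no general-purpose upstream."""
    return [r for r in reloads(log_text) if not r["default"]]

if __name__ == "__main__":
    for r in missing_default(SAMPLE_LOG):
        print(f"{r['ts']}: no default upstream; scoped={sorted(r['scoped'])}; "
              f"REFUSED replies={r['refused']}")
```
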

