[Dnsmasq-discuss] Problem with dynamic upstream nameservers in dnsmasq 2.87

Christopher J. Madsen cjm-dnsmasq at cjmweb.net
Tue Oct 18 01:06:51 UTC 2022


Thank you for dnsmasq.  I'm just happy I was able to come up with a 
fairly simple way to reproduce the bug.

I applied the change in commit 930428fb970 as a patch to dnsmasq 2.87, 
and that fixes the problem for me as well.

Thanks again for all your hard work.

On 10/17/22 15:26, Simon Kelley wrote:
> Thank you very much for the information below. Having that saved me a 
> load of time.
>
> The problem, as ever, is linked lists and
>
> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=930428fb970f4991e5c2933fd5a5d2504c18a551 
>
>
> fixes things for me.
>
> To preempt the next question, I intend to make a 2.88 release fairly 
> soon. I'm working through a backlog of patches from before 2.87, and 
> once they are done in a week or so, 2.88 will go into the release 
> sausage-grinder.
>
> Cheers,
>
> Simon.
>
>
> On 16/10/2022 22:25, Christopher J. Madsen wrote:
>> I tried building dnsmasq 2.87 with a patch that reverts commit 
>> 553c4c99, and that does seem to fix the problem.
>>
>> Using dbus-monitor (thanks, I hadn't been aware of that), I was able 
>> to create 2 dbus-send commands that reproduce the problem without 
>> having to set up a VPN or openresolv:
>>
>> dbus-send --system --dest=uk.org.thekelleys.dnsmasq \
>>   /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetDomainServers \
>>   array:string:"/example.com/10.3.10.24","/example.com/10.3.10.26","/example.com/10.3.10.25","/example.org/10.3.10.24","/example.org/10.3.10.26","/example.org/10.3.10.25","/lan.example.net/192.168.1.1","/lan.example.net/fd00::1"
>>
>> dbus-send --system --dest=uk.org.thekelleys.dnsmasq \
>>   /uk/org/thekelleys/dnsmasq uk.org.thekelleys.SetDomainServers \
>>   array:string:"/lan.example.net/192.168.1.1","/lan.example.net/fd00::1"
>>
>> (Yes, I did use example domains when running the commands.  It breaks 
>> lookups for those domains, since those nameservers don't exist, but 
>> other domains still work fine.)
>>
>> If I start dnsmasq 2.87 and watch the debug log, the first command 
>> just adds the domain-specific nameservers to the global ones, but the 
>> second command sets only domain-specific nameservers and removes the 
>> global ones.  The same commands on 2.86 (or the patched 2.87) work fine.
>>
>> However, if I remove ',"/lan.example.net/fd00::1"' from the end of 
>> each dbus-send command, then I don't see the problem.  I'm not sure 
>> if it's the IPv6 address or the number of nameservers, but the 
>> problem only happens when lan.example.net has both IPv4 and IPv6 
>> nameservers.
>>
>> Hopefully, this will help you track down the issue.  Thanks for your 
>> help.
>>
>> On 10/13/22 09:36, Simon Kelley wrote:
>>> On 10/10/2022 00:21, Christopher J. Madsen wrote:
>>>> I have configured dnsmasq and openresolv as described in 
>>>> https://unix.stackexchange.com/a/575449/2421 so that the DNS 
>>>> servers provided by the VPN are only used for the domains on that 
>>>> network.
>>>>
>>>> With dnsmasq 2.86 and openresolv 3.12.0 this was working great, but 
>>>> I was setting up a new computer the same way and discovered that 
>>>> DNS lookups broke when I disconnected from the VPN (causing 
>>>> resolvconf to remove the private DNS servers).  I soon realized 
>>>> that the new machine had gotten dnsmasq 2.87, which I hadn't yet 
>>>> upgraded to on the old machine (it had dnsmasq 2.86).
>>>>
>>>> The symptom is that all DNS requests (except those for other 
>>>> machines on my LAN) are refused by dnsmasq:
>>>>
>>>>      $ nslookup www.google.com
>>>>      Server:        ::1
>>>>      Address:    ::1#53
>>>>
>>>>      ** server can't find www.google.com: REFUSED
>>>>
>>>> Restarting dnsmasq fixes the problem until the next time I 
>>>> disconnect the VPN.
>>>>
>>>> I installed dnsmasq 2.86 on the new machine and the problem went 
>>>> away. If I put 2.87 back, the problem also comes back. It seems 
>>>> that something in 2.87 breaks with my setup.  BTW, openresolv 
>>>> 3.12.0 uses DBus to add/remove nameservers instead of editing the 
>>>> dnsmasq config files.
>>>>
>>>> I turned on debug logging.  When I connect the VPN, I see this in 
>>>> the log:
>>>>
>>>> Oct  9 16:40:15 dnsmasq[105349]: setting upstream servers from DBus
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.com
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.com
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.com
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain example.org
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain example.org
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain example.org
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
>>>> Oct  9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
>>>> Oct  9 16:40:15 dnsmasq[105349]: read /etc/hosts - 0 addresses
>>>>
>>>> I have redacted the IPv6 address, but it is exactly the same in all 
>>>> log entries.  I have also redacted the domains.  The VPN provides 
>>>> example.com and example.org, and lan.example.net is my LAN.  This 
>>>> part of the log looks exactly the same in 2.86 and 2.87; only the 
>>>> timestamps change.
>>>>
>>>> Here is what dnsmasq 2.86 reports when I disconnect the VPN:
>>>>
>>>> Oct  9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
>>>> Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
>>>> Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
>>>> Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
>>>> Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
>>>> Oct  9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
>>>>
>>>> Here is what dnsmasq 2.87 reports when I disconnect the VPN:
>>>>
>>>> Oct  9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
>>>> Oct  9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
>>>> Oct  9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
>>>> Oct  9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
>>>> Oct  9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
>>>> Oct  9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
>>>>
>>>> Notice that 2.87 does not show any "using nameserver" lines that 
>>>> don't also say "for domain".  As a result, I can only look up hosts 
>>>> under the lan.example.net domain.  Everything else is refused.
>>>>
>>>> I don't know how to see the DBus messages that openresolv is 
>>>> sending to dnsmasq, but I would assume they're the same in both 
>>>> cases.  The only thing that changed is the version of dnsmasq. But 
>>>> for whatever reason, dnsmasq 2.87 isn't setting up generic 
>>>> nameservers when the VPN disconnects, but 2.86 is.
>>>>
>>>>
>>>
>>> I've stared at this for a while, but not found an obvious problem 
>>> yet. An obvious commit on 2.87 that should be looked at is
>>>
>>> https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=553c4c99cca173e9964d0edbd0676ed96c30f62b 
>>>
>>>
>>> Maybe the massive confusion is not as resolved as we thought. If you 
>>> can build a test binary which reverts that change, and see if it 
>>> fixes things, that would be very useful.
>>>
>>> Another useful bit of data would be to see the DBUS messages being 
>>> sent by openresolv. dbus-monitor should enable you to get that.
>>>
>>>
>>> Cheers,
>>>
>>> Simon.
>>>
>>>
>>>> _______________________________________________
>>>> Dnsmasq-discuss mailing list
>>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss 
>>>>
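
An added example, not part of the original thread and not dnsmasq or openresolv code: a log check for the symptom reported above, where a DBus server update leaves dnsmasq with only "for domain" nameservers and every other query is refused. The function name `audit_reloads` and its result fields are assumptions; the sample log lines are the ones quoted in the thread, with the mail wrapping undone.

```python
import re
# Log excerpts from the thread (VPN disconnect on 2.86 and on 2.87), wrapped
# lines rejoined; the IPv6 address stays redacted as "fd...::1".
LOG_2_86 = """\
Oct  9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
Oct  9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
Oct  9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
"""
LOG_2_87 = """\
Oct  9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
Oct  9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct  9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
Oct  9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
Oct  9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
Oct  9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
"""

LINE = re.compile(r"^\w+\s+\d+ (?P<time>[\d:]+) dnsmasq\[\d+\]: (?P<msg>.*)$")
USING = re.compile(r"^using nameserver (?P<server>\S+?)#\d+(?: for domain (?P<domain>\S+))?$")

def audit_reloads(log_text):
    """One dict per DBus reload; no_global_upstream marks the 2.87 symptom."""
    reloads = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg == "setting upstream servers from DBus":
            reloads.append({"time": m["time"], "global": [], "scoped": {}, "refused": 0})
        elif reloads and (u := USING.match(msg)):
            cur = reloads[-1]
            if u["domain"]:   # "for domain X": only answers queries under X
                cur["scoped"].setdefault(u["domain"], []).append(u["server"])
            else:             # no "for domain": default upstream for everything else
                cur["global"].append(u["server"])
        elif reloads and "REFUSED" in msg:
            reloads[-1]["refused"] += 1
    for r in reloads:
        r["no_global_upstream"] = not r["global"]
    return reloads

if __name__ == "__main__":
    for name, log in (("2.86", LOG_2_86), ("2.87", LOG_2_87)):
        for r in audit_reloads(log):
            print(name, r["time"], "ALERT" if r["no_global_upstream"] else "ok", r)
```
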


