[Dnsmasq-discuss] Different behaviour with "interface=" on two almost identical systems
Chris Green
cl at isbd.net
Thu Mar 28 15:57:47 UTC 2024
On Thu, Mar 28, 2024 at 03:50:57PM +0100, Buck Horn via Dnsmasq-discuss wrote:
> On 28.03.24 14:28, Chris Green wrote:
> > ... and another system, also running dnsmasq version 2.90:-
> >
> > chris at t470$ nmap 192.168.1.128 | grep 53
> > 53/tcp open domain
> > chris at t470
> >
> >
> > So why are they acting differently and, possibly more to the point,
> > how do I make dnsmasq listen only on the loopback address?
>
>
> Hi Chris,
>
> you are just probing for port 53, without information about the process
> handling that port, so it could be another resolver on the same machine
> (e.g. systemd-resolved, or a dnsmasq instance controlled by
> NetworkManager) that hogs port 53.
>
>
> You may want to consider using something like sudo ss -tulpn sport = 53
> to see what is actually listening.
>
I did try stopping dnsmasq and then nothing was listening on port 53.
However, just to prove it:-
root at backup:~# ss -tulpn sport = 53
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*         users:(("dnsmasq",pid=1826,fd=4))
udp   UNCONN 0      0      [::]:53           [::]:*            users:(("dnsmasq",pid=1826,fd=6))
tcp   LISTEN 0      32     0.0.0.0:53        0.0.0.0:*         users:(("dnsmasq",pid=1826,fd=5))
tcp   LISTEN 0      32     [::]:53           [::]:*            users:(("dnsmasq",pid=1826,fd=7))
>
> For listening on 127.0.0.1 only, you probably should consider stating
> that explicitly as listen-address:
> (quoting https://dnsmasq.org/docs/dnsmasq-man.html)
>
> -a, --listen-address=<ipaddr>
>
> Listen on the given IP address(es). Both --interface and
> --listen-address options may be given, in which case the set of both
> interfaces and addresses is used. Note that if no --interface option is
> given, but --listen-address is, dnsmasq will not automatically listen on
> the loopback interface. To achieve this, its IP address, 127.0.0.1, must
> be explicitly given as a --listen-address option.
>
That doesn't work! /etc/dnsmasq.conf is now:-
#
#
# Default dnsmasq configuration file, with this configuration file dnsmasq
# provides only local DNS caching and no DHCP. This file is used on nearly
# all my systems which are ever on the home LAN.
#
#
# Set to listen only on the loopback address.
#
listen-address=127.0.0.1
#
#
# This sets the upstream server[s] to the one[s] set by Network Manager,
# usually automatically using DHCP from the ISP's (or my) DHCP/DNS server.
# If we're on the home LAN the resolv-file will set the nameserver to
# 192.168.1.1, if away from home it will be the ISP's nameserver[s].
#
resolv-file=/run/NetworkManager/no-stub-resolv.conf
... and, after restarting dnsmasq:-
chris$ nmap 192.168.1.4 | grep 53
53/tcp open domain
chris$
Plus, why does it work (as the dnsmasq man page entry for listen says it should)
on one system but not on another almost identical system?
--
Chris Green
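To turn the ss check suggested above into something repeatable, here is an added Python example (it is not from this thread and not part of dnsmasq) that parses the table printed by "ss -tulpn" and reports which port-53 sockets are bound to a wildcard or other non-loopback address. The sample input is the ss output quoted in this message plus a constructed loopback-only host for comparison. One caveat the output alone cannot settle: unless bind-interfaces is set, dnsmasq binds the wildcard address even when --interface or --listen-address restricts where it answers, and discards queries arriving on other interfaces, so a 0.0.0.0:53 socket in ss (or an "open" from nmap's TCP probe) does not by itself show that LAN queries are being answered. The script therefore labels such sockets as wildcard binds to confirm rather than as a definite exposure.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample input: the 'ss -tulpn sport = 53' table from the message
# above (wildcard binds) and a constructed loopback-only host for comparison.
SS_WILDCARD = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*         users:(("dnsmasq",pid=1826,fd=4))
udp   UNCONN 0      0      [::]:53           [::]:*            users:(("dnsmasq",pid=1826,fd=6))
tcp   LISTEN 0      32     0.0.0.0:53        0.0.0.0:*         users:(("dnsmasq",pid=1826,fd=5))
tcp   LISTEN 0      32     [::]:53           [::]:*            users:(("dnsmasq",pid=1826,fd=7))
"""

SS_LOOPBACK = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*         users:(("dnsmasq",pid=2201,fd=4))
tcp   LISTEN 0      32     127.0.0.1:53      0.0.0.0:*         users:(("dnsmasq",pid=2201,fd=5))
"""


class Listener(NamedTuple):
    proto: str          # "udp" or "tcp"
    addr: str           # local address with IPv6 brackets removed
    port: int
    process: str        # name from the Process column, "?" if ss ran unprivileged
    pid: Optional[int]


WILDCARD = {"0.0.0.0", "::", "*"}
LOOPBACK = {"127.0.0.1", "::1"}
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> List[Listener]:
    """Parse the table printed by 'ss -tulpn' into Listener records."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":
            continue  # header, blank or truncated row
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # rpartition keeps IPv6 colons in addr
        m = _PROC_RE.search(line)               # first process holding the socket
        out.append(Listener(
            proto=proto,
            addr=addr.strip("[]"),
            port=int(port),
            process=m.group(1) if m else "?",
            pid=int(m.group(2)) if m else None,
        ))
    return out


def exposed_listeners(text: str, port: int = 53) -> List[Listener]:
    """Sockets on 'port' bound to a wildcard or any non-loopback address."""
    return [s for s in parse_ss(text) if s.port == port and s.addr not in LOOPBACK]


def loopback_only(text: str, port: int = 53) -> bool:
    """True if at least one socket is on 'port' and all of them are on 127.0.0.1 or ::1."""
    listeners = [s for s in parse_ss(text) if s.port == port]
    return bool(listeners) and not exposed_listeners(text, port)


def report(text: str, port: int = 53) -> List[str]:
    """One line per socket that needs a look; an empty list means loopback-only."""
    lines = []
    for s in exposed_listeners(text, port):
        kind = "wildcard" if s.addr in WILDCARD else "non-loopback"
        lines.append(f"{s.proto} {s.addr}:{s.port} {kind} bind by {s.process} (pid {s.pid})")
    return lines


if __name__ == "__main__":
    # Real use: feed it the output of  sudo ss -tulpn sport = 53
    for name, sample in (("wildcard host", SS_WILDCARD), ("loopback host", SS_LOOPBACK)):
        print(f"{name}: loopback-only={loopback_only(sample)}")
        for line in report(sample):
            print("  " + line)
```

Run it against "sudo ss -tulpn sport = 53" captured on each of the two machines; a host whose dnsmasq really binds only loopback (for example with listen-address=127.0.0.1 plus bind-interfaces) produces an empty report, while wildcard binds are listed for follow-up.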