[Dnsmasq-discuss] proper https/svcb configurations?

Buck Horn buckhorn at weibsvolk.org
Sun Jun 22 07:44:25 UTC 2025


On 22.06.25 06:18, WJ Park wrote:
> I found https/svcb response is missing answer. Is there anything I 
> could do to make this right?
>
> ```dnsmasq.conf
> domain-needed
> bogus-priv
> dnssec
> dnssec-check-unsigned
> filterwin2k
> strict-order
> no-resolv
> no-poll
> conf-file=/etc/dnsmasq.d/trust-anchors.conf
> server=127.0.0.1
> listen-address=127.0.0.1
> interface=lo
> bind-interfaces
> no-hosts
> dhcp-range=interface:lo,127.0.0.1,127.0.0.1,12h
> dhcp-leasefile=/var/lib/misc/dnsmasq.leases
> cache-size=1000
> cache-rr=ANY
> no-negcache
> conf-dir=/etc/dnsmasq.d/,*.conf
> strip-mac
> strip-subnet
> local-service
> dns-loop-detect
> log-queries
> log-dhcp
> ```

I'm going to assume that you've shared your configuration in full, i.e. 
there aren't any additional conf files under /etc/dnsmasq.d/.

Your configuration doesn't make sense, like using 'strict-order' when 
there's only one upstream server, or defining 'dhcp-range' for just the 
loopback address.

Your main fault is providing the loopback address as the only server, 
thus instructing dnsmasq to forward DNS requests to itself, closing a 
DNS loop:

 > server=127.0.0.1

Apart from DNS records you may have defined locally, this will prevent 
dnsmasq from resolving anything: Your current configuration will always 
result in REFUSED replies (not only for HTTPS or SVCB type requests).

You should point dnsmasq to at least one public DNS resolver, e.g.

server=1.1.1.1


Kind regards,

     Buck
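
The loop described in the message above can be caught before deployment by checking whether any `server=` line points at dnsmasq's own listener. This is an added example, not part of the original message or of dnsmasq: the function names are hypothetical, the sample is constructed from the quoted configuration, and treating loopback as dnsmasq's own address when no `listen-address` is set is a simplifying assumption.

```python
import ipaddress

# Constructed sample: relevant lines from the configuration quoted above.
SAMPLE_CONF = """\
no-resolv
server=127.0.0.1
listen-address=127.0.0.1
bind-interfaces
"""

def parse_server(value):
    """Split a server= value into (ip, port); None if it names no IP."""
    value = value.rsplit("/", 1)[-1]   # drop a /domain/ prefix
    value = value.split("@", 1)[0]     # drop an @interface suffix
    addr, _, port = value.partition("#")  # '#' separates an optional port
    try:
        return ipaddress.ip_address(addr), int(port or 53)
    except ValueError:
        return None

def find_self_forwarding(conf_text):
    """Return server= values that forward to dnsmasq's own listener."""
    own_port, listen, servers = 53, set(), []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "port":
            own_port = int(value)
        elif key == "listen-address":
            listen.update(ipaddress.ip_address(a.strip()) for a in value.split(","))
        elif key == "server":
            servers.append(value)
    loops = []
    for value in servers:
        parsed = parse_server(value)
        if parsed is None:
            continue
        ip, port = parsed
        # Assumption: with no listen-address, dnsmasq answers on loopback too.
        own = ip in listen if listen else ip.is_loopback
        if own and port == own_port:
            loops.append(value)
    return loops

if __name__ == "__main__":
    print(find_self_forwarding(SAMPLE_CONF))
```

A `server=127.0.0.1#5353` entry is not flagged while dnsmasq itself stays on port 53, since that form forwards to a separate local resolver rather than back to dnsmasq.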
