On Thu, Aug 25, 2011 at 04:37:26PM +0200, Thomas Moschny wrote:
> 2011/8/25 Paul Wouters <p...@xelerance.com>:
> > Again, this is based on f14, not f15/f16. I am not sure how much this has
> > been addressed. But if we want DNSSEC validation on the endnode, at the very
> > least 127.0.0.1:53 needs to be left free.
> 
> Are you sure the dnsmasq instance started by libvirt is really
> grabbing 127.0.0.1:53?

libvirt's dnsmasq will never be grabbing any 127.0.0.1 address. It is
configured to only bind to the IP addresses directly associated with
the bridge of the virtual network.

# netstat  -a -n -p | grep dnsmasq
tcp        0      0 192.168.123.1:53            0.0.0.0:*                   LISTEN      14230/dnsmasq
tcp        0      0 192.168.124.1:53            0.0.0.0:*                   LISTEN      14208/dnsmasq
tcp        0      0 192.168.122.1:53            0.0.0.0:*                   LISTEN      14007/dnsmasq
udp        0      0 192.168.123.1:53            0.0.0.0:*                               14230/dnsmasq
udp        0      0 192.168.124.1:53            0.0.0.0:*                               14208/dnsmasq
udp        0      0 192.168.122.1:53            0.0.0.0:*                               14007/dnsmasq
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               14230/dnsmasq
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               14208/dnsmasq
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               14007/dnsmasq

# ip addr  | grep 192
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
    inet 192.168.124.1/24 brd 192.168.124.255 scope global virbr2
    inet 192.168.123.1/24 brd 192.168.123.255 scope global virbr1

The wildcard bind on the UDP port number 67 there is not a problem
because dnsmasq will only reply to requests coming in on the interface
that it is configured to use.

> In my experiments it did not, and the issue instead was that the other
> DNS server [1] wanted to grab port 53 on *all* interfaces.

Yeah, that is the normal problem people see. The default dnsmasq
configuration is to bind to all interfaces, which obviously blocks
libvirt. Other local DNS servers may also exhibit the same problem
of binding to all interfaces, and need to be configured to only
bind to specific ones.

> [1] In my case that was a second instance of dnsmasq, and I had to set
> --interface=lo and --bind-interfaces.

For interoperability with libvirt, any dnsmasq instance *must* use the
--bind-interfaces argument, in combination with either '--interface=XXX'
or '--listen-address=XX.XX.XX.XX'.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
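The two checks the thread boils down to, as an added example that is not part of the original mail or of libvirt/dnsmasq: first, reading `netstat -a -n -p` style output to find any socket on port 53 bound to the wildcard address (the thing that collides with libvirt's per-bridge dnsmasq and occupies 127.0.0.1:53), and second, confirming that a dnsmasq.conf restricts its scope with `bind-interfaces` plus `interface=` or `listen-address=`. The netstat sample is constructed, modelled on the listing above with one made-up wildcard-bound process (pid 999, program name "resolver"); the two config fragments are constructed too.

```shell
#!/bin/sh
# Added example, not from the thread. Checks for the port-53 conflict the
# thread describes, using netstat "-a -n -p" column layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
# ($4 is the local address; $NF is PID/Program for both tcp and udp lines).

# Constructed sample netstat output. 14007/dnsmasq is libvirt's instance on
# virbr0; 999/resolver is a hypothetical resolver bound to all interfaces.
SAMPLE_NETSTAT='tcp        0      0 192.168.122.1:53            0.0.0.0:*                   LISTEN      14007/dnsmasq
udp        0      0 192.168.122.1:53            0.0.0.0:*                               14007/dnsmasq
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               14007/dnsmasq
tcp        0      0 0.0.0.0:53                  0.0.0.0:*                   LISTEN      999/resolver
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               999/resolver
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      1234/cupsd'

# Print "proto pid/program" for every socket bound to the IPv4 or IPv6
# wildcard on port 53. Reads netstat text on stdin.
wildcard_port53_listeners() {
    awk '$4 == "0.0.0.0:53" || $4 == ":::53" { print $1, $NF }'
}

# Succeed (exit 0) when nothing listens on <addr>:53, directly or via a
# wildcard bind; fail (exit 1) otherwise. Reads netstat text on stdin.
# Usage: printf '%s\n' "$netstat_text" | port53_free_on 127.0.0.1
port53_free_on() {
    ! awk -v a="$1:53" \
        '$4 == a || $4 == "0.0.0.0:53" || $4 == ":::53" { found = 1 }
         END { exit !found }'
}

# Constructed dnsmasq.conf fragments: the default-style one binds everywhere,
# the fixed one follows the thread's rule (bind-interfaces + a scope option).
WEAK_CONF='domain-needed
bogus-priv
# no bind-interfaces, no interface= / listen-address='
FIXED_CONF='domain-needed
bogus-priv
bind-interfaces
interface=lo'

# Succeed only when the config on stdin sets bind-interfaces AND at least one
# interface= or listen-address= line, i.e. what libvirt interoperability needs.
dnsmasq_conf_scoped() {
    awk '/^[[:space:]]*bind-interfaces[[:space:]]*$/ { b = 1 }
         /^[[:space:]]*(interface|listen-address)=/  { s = 1 }
         END { exit !(b && s) }'
}

# Demo against the constructed data (a real run would pipe netstat/dnsmasq.conf).
echo "wildcard port-53 listeners:"
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_port53_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | port53_free_on 127.0.0.1 \
    && echo "127.0.0.1:53 is free" || echo "127.0.0.1:53 is NOT free"
printf '%s\n' "$FIXED_CONF" | dnsmasq_conf_scoped \
    && echo "fixed config is scoped" || echo "fixed config is NOT scoped"
```

On a live host replace the constructed `SAMPLE_NETSTAT` with the real output (`netstat -a -n -p | port53_free_on 127.0.0.1`) and point `dnsmasq_conf_scoped` at the second instance's dnsmasq.conf; the `interface=lo` / `listen-address=127.0.0.1` choice is the one the thread arrives at for a loopback-only validating resolver beside libvirt.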
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel