Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as 


Start Dnsmasq and send it a TCP query:

$ src/dnsmasq -d -p 5333
dnsmasq: started, version 2.80-72-ge24abf2 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN 
DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify 
dnsmasq: using nameserver wlp2s0)
dnsmasq: cleared cache

$ dig @ -p 5333 A +vc | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 2916

Output from Dnsmasq following the above query:

dnsmasq: query[A] from
dnsmasq: config error is REFUSED

It makes no attempt to contact the upstream server.

If I remove «@wlp2s0» from the server config, it works fine.

A practical consequence of this bug is that I cannot resolve any domain names 
under *.org with DNSSEC enabled. The initial UDP query results in a truncated 
answer, so libc/dig retries in TCP mode and fails.

Note that NetworkManager automatically configures the upstream DNS servers with 
a specific interface via D-Bus; this behaviour appears hard-coded.


Dnsmasq-discuss mailing list
