How should unbound listen on lo0 if dnsmasq is already listening there? I do not know BSD. Linux would not permit dnsmasq listening on a wildcard socket and unbound listening on the same port.

I think listen-address would listen just on 127.0.0.1. interface=lo0 should not be necessary. At least on the Linux kernel, it means listening on ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs a different port to listen on or a different interface. I think that is not what you want.

What are the contents of /usr/local/etc/dnsmasq-resolv.conf? I think no-resolv should be used as well to prevent reading /etc/resolv.conf.

On 7/21/20 3:18 PM, László Károlyi wrote:
> I've already added listen-address=127.0.0.1 to it, as it's the host
> env's IP address.
>
> bind-interfaces has to be commented out, otherwise the jails will have
> problems resolving (it's a FreeBSD host-jail resolution specific thing)

Is there a good explanation of how this should work? How exactly are addresses configured on the loopback device? Is unbound listening on lo1?

>
> Why would you want me to use except-interface=lo0? I _want_ it to listen
> on lo0.

How does ifconfig lo0 look? Do you want to listen on all its addresses?

>
> For the sake of clarity, here's my cleaned dnsmasq.conf:
>
> domain-needed
> conf-file=/usr/local/share/dnsmasq/trust-anchors.conf
> dnssec
> dnssec-check-unsigned
> resolv-file=/usr/local/etc/dnsmasq-resolv.conf
> interface=lo0
> listen-address=127.0.0.1
> no-dhcp-interface=lo0
> local-ttl=5
> dhcp-name-match=set:wpad-ignore,wpad
> dhcp-ignore-names=tag:wpad-ignore
> rebind-domain-ok=/rfc-ignorant.org/sorbs.net/uribl.com/surbl.org/dnswl.org/njabl.org/spamhaus.org/spamcop.net/barracudacentral.org/
>
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
>
> On 2020-07-21 14:42, Petr Menšík wrote:
>> I would check what addresses it is listening on. I think it considers
>> all loopback addresses its own. Probably because it would accept queries
>> to that address if you stop unbound.
>>
>> It might help, if you configured it with this:
>> bind-interfaces
>> except-interface=lo0
>> listen-address=127.0.0.21
>>
>> It would listen only on 127.0.0.21 and consider all other addresses not
>> its own. I think it should send queries there. It should then accept:
>> server=127.0.0.20
>> without ignoring it this way.
>>
>> On 7/20/20 4:35 PM, László Károlyi wrote:
>>> Hi Petr,
>>>
>>> as you have seen in the original email, it is dnsmasq that refuses to
>>> use the lo0 interface to communicate with the IP 127.0.0.20:
>>>
>>> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
>>> local interface
>>>
>>> When querying manually from the host env to the jailed unbound, I get
>>> proper DNS responses. This was something I did pay extra attention to
>>> get it working from the get-go. See:
>>>
>>> Citing my configs here makes no sense as you can see it's working already.
>>>
>>> Cheers,
>>> --
>>> László Károlyi
>>> http://linkedin.com/in/karolyi
>>>
>>> On 2020-07-20 16:12, Petr Menšík wrote:
>>>> Hi László,
>>>>
>>>> are you sure it is dnsmasq, who is rejecting the communication?
>>>> Unbound has by default disabled communication on localhost. If you have
>>>> any other servers running along it, you have to use:
>>>>
>>>> do-not-query-localhost: no
>>>>
>>>> to override defaults. But that has to be done on unbound side. AFAIK
>>>> dnsmasq does not have any such limitation. It does limit only
>>>> per-interface, all that is required is to configure interface=lo, which is
>>>> enabled by default.
>>>>
>>>> How many interface= statements do you have in the configuration? Is
>>>> localhost included?
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss@lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>
>

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
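An added example, not code from this thread, from dnsmasq or from unbound: a small POSIX shell lint that reads a dnsmasq.conf and reports any server= upstream that dnsmasq is likely to reject as "local interface", which is the log line the thread is about. The rules it applies are an assumption taken from Petr's reading of the problem above (a listen-address is always dnsmasq's own; interface=lo0 without except-interface=lo0 claims every address on lo0; without bind-interfaces the wildcard bind claims all loopback addresses), not dnsmasq's real source logic. Both input files are constructed inline: the first is a trimmed copy of the cleaned dnsmasq.conf posted above with server=127.0.0.20 standing in for the nameserver line that lived in dnsmasq-resolv.conf (the lint does not follow resolv-file=), the second is the variant Petr suggested.

```shell
#!/bin/sh
# Added example, not from the thread, dnsmasq or unbound.
# Lint a dnsmasq.conf for server= upstreams that dnsmasq is likely to reject
# with "ignoring nameserver X - local interface". The rules encode the reading
# of the problem given in the thread and are an ASSUMPTION about dnsmasq's
# behaviour, not its actual source logic:
#   1. a listen-address= value is always dnsmasq's own address
#   2. interface=IF without except-interface=IF claims every address on IF
#   3. without bind-interfaces, dnsmasq binds the wildcard and claims all
#      local (here: loopback) addresses

# Print every value of KEY=value lines in FILE (leading whitespace allowed).
conf_values() {
    sed -n -E "s/^[[:space:]]*$2=//p" "$1"
}

# Succeed when the bare option KEY (no value) is set in FILE.
conf_flag() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*$" "$1"
}

# Succeed when VALUE is one of the values given for KEY in FILE.
conf_has_value() {
    conf_values "$1" "$2" | grep -qxF -- "$3"
}

# Succeed when ADDR is a loopback address (IPv4 127/8 or IPv6 ::1).
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# lint_upstreams CONF LOOPBACK_IF
# Print "ADDR REASON" for each server= address dnsmasq would likely treat as
# its own. Returns 0 when nothing is flagged, 1 otherwise.
lint_upstreams() {
    conf=$1; loif=$2; flagged=0
    for spec in $(conf_values "$conf" server); do
        addr=${spec##*/}    # server=/example.org/10.0.0.1 -> 10.0.0.1
        addr=${addr%%#*}    # drop an optional #port
        addr=${addr%%@*}    # drop an optional @source-interface
        if conf_has_value "$conf" listen-address "$addr"; then
            echo "$addr listen-address"; flagged=1
        elif is_loopback "$addr"; then
            if conf_has_value "$conf" interface "$loif" &&
               ! conf_has_value "$conf" except-interface "$loif"; then
                echo "$addr interface=$loif"; flagged=1
            elif ! conf_flag "$conf" bind-interfaces; then
                echo "$addr wildcard-bind"; flagged=1
            fi
        fi
    done
    return $flagged
}

# Number of flagged upstreams in CONF, as a plain integer.
flag_count() {
    lint_upstreams "$1" "$2" | wc -l | tr -d ' '
}

# Constructed input: the cleaned dnsmasq.conf from the thread, trimmed, with
# server=127.0.0.20 standing in for the nameserver line in dnsmasq-resolv.conf.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
domain-needed
interface=lo0
listen-address=127.0.0.1
no-dhcp-interface=lo0
server=127.0.0.20
EOF

# Constructed input: the variant suggested in the thread.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
domain-needed
bind-interfaces
except-interface=lo0
listen-address=127.0.0.21
no-resolv
server=127.0.0.20
EOF
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

for c in "$WEAK_CONF" "$FIXED_CONF"; do
    if lint_upstreams "$c" lo0; then
        echo "$c: no upstream looks local to dnsmasq"
    else
        echo "$c: upstream(s) above would likely be ignored"
    fi
done
```

The first file is flagged with the reason interface=lo0, the second is clean: after except-interface=lo0 plus bind-interfaces, only 127.0.0.21 is dnsmasq's own, so 127.0.0.20 is an ordinary upstream. The unbound side still needs do-not-query-localhost: no as noted earlier in the thread; that is outside what this lint checks.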