Yes, basically this is what's happening.

The number of addresses on the lo0 interface varies, depending on how many
jails are fired up with a respective IP address, so I can't tell. Right
now I have around 30 of them, but since I manage them with the
aforementioned ansible scripts, they can be more or less, depending on
the current situation. Adjusting the config with every jail redeployment
seems overkill to me, to be honest.

I'd be glad if an option that tells dnsmasq it's allowed to use a
specific IP existed, against the wildcard listening socket.

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-22 14:01, Simon Kelley wrote:
> I think this is the crux.
>
> dnsmasq is listening on the wildcard address and accepting packets which
>  arrive from lo. lo has address 127.0.0.20 (amongst others) and
> therefore dnsmasq is deciding that queries it sends to 127.0.0.20 will
> end up back at itself, and refusing to do that because it's a bad thing
> to do. It doesn't know that you are gaming obscure kernel behaviour to
> send 127.0.0.20 somewhere else.
>
> How many addresses are on lo? If it's a reasonable number, can you just
> enumerate all of them _apart_ from 127.0.0.20 as listen_address configs,
> and miss out the interface=lo from the config. That should do what you
> want. Failing that, an except-address config, analogous to
> except-interface would do the trick, but doesn't exist. :(
>
> Cheers,
>
> Simon.
>
>
>
>
> On 21/07/2020 18:15, László Károlyi wrote:
>> dnsmasq needs to listen on all IPs on the lo0 interface _except_ for the
>> one unbound also listens on (in this case, 127.0.0.20), so that the
>> jailed processes have dnsmasq to communicate with, and then dnsmasq can
>> query unbound for 'outside' DNS resolution on its own jail IP. The
>> latter happens via IPv6 only now, as dnsmasq refuses to use 127.0.0.20
>> with its current config, however according to sockstat, it listens on
>> the wildcard interface despite its log message:
>>
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>> nobody   dnsmasq    99396 4  udp4   *:53                  *:*
>> nobody   dnsmasq    99396 5  tcp4   *:53                  *:*
>> nobody   dnsmasq    99396 6  udp6   *:53                  *:*
>> nobody   dnsmasq    99396 7  tcp6   *:53                  *:*
>> nobody   dnsmasq    99396 10 dgram  (not connected)
>>
>> Unbound listens on 127.0.0.20:
>>
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>> unbound  unbound    29892 3  udp6   2a01:4f8:241:15df::32:53 *:*
>> unbound  unbound    29892 4  tcp6   2a01:4f8:241:15df::32:53 *:*
>> unbound  unbound    29892 5  udp4   127.0.0.20:53         *:*
>> unbound  unbound    29892 6  tcp4   127.0.0.20:53         *:*
>>
>> When testing, dnsmasq responds to all internal hostname queries on
>> 127.0.0.x except for 127.0.0.20, so it seems to listen on all
>> interfaces. FreeBSD kernel gives preference to the IP-bound
>> (non-wildcard) socket when connecting to that socket for querying, see
>> querying an inner jail name, jail-mariadb:
>>
>> # host jail-mariadb 127.0.0.1
>> Using domain server:
>> Name: 127.0.0.1
>> Address: 127.0.0.1#53
>> Aliases:
>>
>> jail-mariadb has address 127.0.0.24
>> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>>
>> # host jail-mariadb 127.0.0.5
>> Using domain server:
>> Name: 127.0.0.5
>> Address: 127.0.0.5#53
>> Aliases:
>>
>> jail-mariadb has address 127.0.0.24
>> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>>
>> # host jail-mariadb 127.0.0.20
>> Using domain server:
>> Name: 127.0.0.20
>> Address: 127.0.0.20#53
>> Aliases:
>>
>> Host jail-mariadb not found: 3(NXDOMAIN)
>>
>> Both 127.0.0.1 and 127.0.0.5 are responses from dnsmasq, but 127.0.0.20
>> is a response from unbound. This is desired, in order for the jailed
>> processes to be able to use DNS resolution from within.
>>
>> What I'm trying to achieve is to make dnsmasq query 127.0.0.20 knowing
>> the facts above, as specified in the /usr/local/etc/dnsmasq-resolv.conf:
>>
>> nameserver 127.0.0.20
>> nameserver 2a01:4f8:241:15df::32
>>
>> Basically, the jails talk to their own assigned internal IPs when
>> querying (not 127.0.0.1, that won't work because the DNS response gets
>> dropped as the response comes from the jail's internal IP and not
>> 127.0.0.1), which is why dnsmasq has to listen on them. Then dnsmasq will
>> talk to the unbound jail's IP address (127.0.0.20), when querying for
>> outside DNS.
>>
>> Sounds complicated, but this is what I'd like to get done, so it would
>> work with both IPv6 AND IPv4.
>>
>> Cheers,
>> --
>> László Károlyi
>> http://linkedin.com/in/karolyi
>>
>> On 2020-07-21 17:00, Petr Menšík wrote:
>>> How should unbound listen on lo0 if dnsmasq is already listening there?
>>> I do not know BSD. Linux would not permit dnsmasq listening on a wildcard
>>> socket and unbound listening on the same port.
>>>
>>> I think listen-address would listen just on 127.0.0.1. interface=lo0
>>> should not be necessary. At least on the Linux kernel, it means listening on
>>> ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs a
>>> different port to listen on or different interface. I think that is not
>>> what you want.
>>>
>>> What are the contents of /usr/local/etc/dnsmasq-resolv.conf?
>>> I think no-resolv should be used as well to prevent reading
>>> /etc/resolv.conf.
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss@lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>
>

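Simon's suggestion in the thread above (enumerate every lo0 address except the resolver's own as listen-address entries and drop interface=lo0) and László's objection that redoing that by hand on every jail redeployment is overkill can be reconciled by generating the list from the interface itself. The script below is an added example, not code from the thread, from dnsmasq or from the poster's ansible setup; the ifconfig output it parses is constructed, and the snippet path used in the usage note is an assumption.

```shell
#!/bin/sh
# Generate dnsmasq listen-address lines from FreeBSD `ifconfig lo0` output,
# leaving out the address(es) another resolver (here unbound) is bound to.

# Constructed sample of `ifconfig lo0` output; not taken from the thread.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.5 netmask 0xff000000
        inet 127.0.0.20 netmask 0xff000000
        inet 127.0.0.24 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# gen_listen_addresses EXCLUDED_ADDR... < ifconfig-output
# Reads ifconfig output on stdin and prints a dnsmasq config fragment:
#   bind-interfaces          so dnsmasq binds only the listed addresses,
#                            not the wildcard socket
#   listen-address=ADDR      one line per inet/inet6 address on the interface
# Every address passed as an argument is skipped; link-local IPv6 addresses
# (fe80::/10) are skipped too, because they are unusable without a scope id.
gen_listen_addresses() {
    awk -v excl="$*" '
        BEGIN {
            n = split(excl, ex, " ")
            for (i = 1; i <= n; i++) skip[ex[i]] = 1
            print "bind-interfaces"
        }
        $1 == "inet" || $1 == "inet6" {
            addr = $2
            if (addr ~ /^fe80:/) next          # link-local, needs %scope
            if (addr in skip) next             # belongs to the other resolver
            print "listen-address=" addr
        }'
}

# Count the listen-address lines a fragment contains (used by the self-check).
count_listen_lines() {
    grep -c '^listen-address=' || true
}

# Stand-alone demonstration on the constructed sample, excluding 127.0.0.20.
printf '%s\n' "$SAMPLE_IFCONFIG" | gen_listen_addresses 127.0.0.20
```

In production the input would come from the live interface, e.g. `ifconfig lo0 | gen_listen_addresses 127.0.0.20 > /usr/local/etc/dnsmasq.d/lo0-listen.conf` (path assumed; dnsmasq picks such fragments up through a conf-dir setting), followed by a dnsmasq reload; rerunning that step from the same jail-deployment playbook keeps the address list in step with the jails. With interface=lo0 removed and bind-interfaces present, dnsmasq no longer claims the wildcard socket, so the coexistence with unbound on port 53 no longer depends on the kernel preferring the more specific socket.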
