[Dnsmasq-discuss] dnsmasq dies after about 20 minutes
I am running dnsmasq on the latest stretch on a rpi. For some reason dnsmasq dies after about 20 minutes, I can restart it and it will last another 20 minutes. Any insight on how to fix this would be much appreciated. Here is the status after it dies, followed by the resolvconf.conf

*systemctl status dnsmasq*

    ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
       Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
       Active: failed (Result: signal) since Tue 2019-05-14 03:45:22 UTC; 1min 0s ago
      Process: 4488 ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf (code=exited, status=0/SUCCESS)
      Process: 2448 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
      Process: 2439 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
      Process: 2436 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
     Main PID: 2447 (code=killed, signal=SEGV)

    May 14 03:45:22 nifd.local systemd[1]: dnsmasq.service: Main process exited, code=killed, status=11/SEGV
    May 14 03:45:22 nifd.local dnsmasq[4488]: /sbin/resolvconf: 7: /etc/resolvconf.conf: 208.67.222.123: not found
    May 14 03:45:22 nifd.local dnsmasq[4488]: /sbin/resolvconf: 7: /etc/resolvconf.conf: 208.67.222.123: not found
    May 14 03:45:22 nifd.local dnsmasq[4488]: /sbin/resolvconf: 7: /etc/resolvconf.conf: 208.67.222.123: not found
    May 14 03:45:22 nifd.local dnsmasq[4488]: Too few arguments.
    May 14 03:45:22 nifd.local dnsmasq[4488]: /sbin/resolvconf: 7: /etc/resolvconf.conf: 208.67.222.123: not found
    May 14 03:45:22 nifd.local dnsmasq[4488]: /sbin/resolvconf: 7: /etc/resolvconf.conf: 208.67.222.123: not found
    May 14 03:45:22 nifd.local dnsmasq[4488]: /sbin/resolvconf: 7: /etc/resolvconf.conf: 208.67.222.123: not found
    May 14 03:45:22 nifd.local systemd[1]: dnsmasq.service: Unit entered failed state.
    May 14 03:45:22 nifd.local systemd[1]: dnsmasq.service: Failed with result 'signal'.
*HERE IS MY resolvconf.conf file*

    # Configuration for resolvconf(8)
    # See resolvconf.conf(5) for details

    resolv_conf=/etc/resolv.conf
    # If you run a local name server, you should uncomment the below line and
    # configure your subscribers configuration files below.
    name_servers=10.0.1.81 208.67.222.123 208.67.220.123 185.228.168.10 185.228.169.11

    # Mirror the Debian package defaults for the below resolvers
    # so that resolvconf integrates seemlessly.
    dnsmasq_resolv=/var/run/dnsmasq/resolv.conf
    pdnsd_conf=/etc/pdnsd.conf
    unbound_conf=/var/cache/unbound/resolvconf_resolvers.conf

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
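The "208.67.222.123: not found" lines in the status output have the form a POSIX shell prints when it tries to run a word as a command: /sbin/resolvconf reads /etc/resolvconf.conf as shell, and line 7 assigns a space-separated list without quotes. The following check is an added example, not part of the original post, and concerns those log lines only, not the SEGV. The blank third line of the sample is an assumption, made so that name_servers falls on line 7 as in the log, and the quoted variant is constructed here.

```python
import re
import shlex
from itertools import dropwhile

ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

SERVERS = "10.0.1.81 208.67.222.123 208.67.220.123 185.228.168.10 185.228.169.11"
# First six lines of the posted file (blank line 3 is assumed, see lead-in).
HEAD = """\
# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details

resolv_conf=/etc/resolv.conf
# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
"""
POSTED = HEAD + "name_servers=" + SERVERS + "\n"      # as in the post
QUOTED = HEAD + 'name_servers="' + SERVERS + '"\n'    # constructed: list quoted


def stray_commands(text):
    """Return (line_number, word) for each line where a shell would run `word`
    as a command after one or more VAR=value prefixes."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        try:
            words = shlex.split(line, comments=True)
        except ValueError:
            # Unbalanced quote: the shell would fail here too, report the line.
            hits.append((number, line.strip()))
            continue
        if not words or not ASSIGNMENT.match(words[0]):
            continue
        # Skip the leading assignments; whatever follows is run as a command.
        rest = list(dropwhile(ASSIGNMENT.match, words))
        if rest:
            hits.append((number, rest[0]))
    return hits


if __name__ == "__main__":
    print("posted:", stray_commands(POSTED))
    print("quoted:", stray_commands(QUOTED))
```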
Re: [Dnsmasq-discuss] Starting as non-root just works
On Mon, May 13, 2019 at 12:51:09PM +0200, Kristoffel Pirard wrote:
> On Mon, 13 May 2019, 12:36 Geert Stappers wrote:
> > On 13-05-2019 11:02, Roy Marples wrote:
> > > On 13/05/2019 09:31, Kristoffel Pirard wrote:
> > >> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> > >> _normally_ be started as root". We tested starting as non-root user,
> > >> but with capabilities cap_net_bind_service, cap_net_admin,
> > >> cap_net_raw. It currently seems to work, but I'm debating if we
> > >> should actually use this 'hack'.
> > >>
> > >> So should the ambiguous adverb 'normally' be removed from the
> > >> documentation? If not, what are the circumstances in which it is
> > >> allowed to not start as root?
> > >
> > > The whole world is not Linux. Most other OS's don't have these caps.
> > >
> >
> > In other words: The _normally_ in 'Dnsmasq must normally be started
> > as root' is correct.
> >
> So I should interpret it as 'unless you have a really good reason and you
> know what you're doing'? (Which I answer 'no' to twice)

] 'Dnsmasq must normally be started as root'

Read that as "Dnsmasq listens on ports 53, 67 and 69. That requires root privilege."
Running a process as root does get that privilege. Yes, we did that all the time in the days before the fear.

Avoiding running Dnsmasq as root can be done with "net capabilities".

> > >> We tested starting as non-root user, but with capabilities
> > >> cap_net_bind_service, cap_net_admin, cap_net_raw.

:-)

> > >> It currently seems to work,

I do read that as "Confirming that cap_net_*** works"

> > >> but I'm debating if we should actually use this 'hack'.

Regards
Geert Stappers
--
Live and let live
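One way to confirm what a non-root dnsmasq actually holds, as an added example that is not part of the original messages or of dnsmasq: it takes the text of /proc/<pid>/status and reports any deviation from "non-root with exactly cap_net_bind_service, cap_net_admin and cap_net_raw". The bit numbers are those of Linux's <linux/capability.h>; both status samples, including UID 109, are constructed.

```python
# Capability bit numbers from Linux <linux/capability.h>.
CAP_BITS = {"cap_net_bind_service": 10, "cap_net_admin": 12, "cap_net_raw": 13}
EXPECTED_MASK = sum(1 << bit for bit in CAP_BITS.values())  # 0x3400

# Constructed samples of /proc/<pid>/status (only the fields used here).
NONROOT_STATUS = """Name:\tdnsmasq
Uid:\t109\t109\t109\t109
CapPrm:\t0000000000003400
CapEff:\t0000000000003400
"""
ROOT_STATUS = """Name:\tdnsmasq
Uid:\t0\t0\t0\t0
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
"""


def parse_status(text):
    """Return the effective UID and the CapPrm/CapEff masks from status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "euid": int(fields["Uid"].split()[1]),  # Uid: real, effective, saved, fs
        "CapPrm": int(fields["CapPrm"], 16),
        "CapEff": int(fields["CapEff"], 16),
    }


def audit(status_text):
    """List deviations from 'non-root with exactly the three net capabilities'."""
    info = parse_status(status_text)
    findings = []
    if info["euid"] == 0:
        findings.append("effective uid is 0")
    for field in ("CapPrm", "CapEff"):
        extra = info[field] & ~EXPECTED_MASK
        if extra:
            findings.append(f"{field} holds extra capabilities, mask {extra:#x}")
    missing = [n for n, bit in CAP_BITS.items() if not info["CapEff"] >> bit & 1]
    if missing:
        findings.append("CapEff lacks " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for label, sample in (("non-root", NONROOT_STATUS), ("root", ROOT_STATUS)):
        print(label, audit(sample) or "ok")
```

On a live system the input would be the contents of /proc/<pid>/status for the dnsmasq process.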
Re: [Dnsmasq-discuss] Starting as non-root
So I should interpret it as 'unless you have a really good reason and you know what you're doing'? (Which I answer 'no' to twice)

On Mon, 13 May 2019, 12:36 Geert Stappers, wrote:

> On 13-05-2019 11:02, Roy Marples wrote:
> > On 13/05/2019 09:31, Kristoffel Pirard wrote:
> >> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> >> _normally_ be started as root". We tested starting as non-root user,
> >> but with capabilities cap_net_bind_service, cap_net_admin,
> >> cap_net_raw. It currently seems to work, but I'm debating if we
> >> should actually use this 'hack'.
> >>
> >> So should the ambiguous adverb 'normally' be removed from the
> >> documentation? If not, what are the circumstances in which it is
> >> allowed to not start as root?
> >
> > The whole world is not Linux. Most other OS's don't have these caps.
> >
> In other words: The _normally_ in 'Dnsmasq must normally be started
> as root' is correct.
>
> Cheers
>
> Geert Stappers
Re: [Dnsmasq-discuss] Starting as non-root
On 13-05-2019 11:02, Roy Marples wrote:
> On 13/05/2019 09:31, Kristoffel Pirard wrote:
>> The dnsmasq man page for the --user parameter says that "Dnsmasq must
>> _normally_ be started as root". We tested starting as non-root user,
>> but with capabilities cap_net_bind_service, cap_net_admin,
>> cap_net_raw. It currently seems to work, but I'm debating if we
>> should actually use this 'hack'.
>>
>> So should the ambiguous adverb 'normally' be removed from the
>> documentation? If not, what are the circumstances in which it is
>> allowed to not start as root?
>
> The whole world is not Linux. Most other OS's don't have these caps.
>

In other words: The _normally_ in 'Dnsmasq must normally be started as root' is correct.

Cheers
Geert Stappers
[Dnsmasq-discuss] Insecure DS reply warning - false positives?
Hi All,

Part of the reason for submitting http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2019q2/013026.html “[PATCH] dnssec: add hostname info to insecure DS warning” was to easily find out what domain was prompting the warning. Some of my mystery ‘Insecure DS reply’ turns out to be this:

    Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
    Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
    Mon May 13 09:57:27 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
    Mon May 13 09:58:57 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
    Mon May 13 09:58:57 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
    Mon May 13 09:58:57 2019 daemon.warn dnsmasq[20911]: Insecure DS reply received for 168.192.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support

Is this a genuine configuration error on my/upstream’s part or is it false positive log spam?

(I think) The relevant bits from dnsmasq config:

    dnssec
    dnssec-check-unsigned

Upstream servers are Google’s 8.8.8.8 & friends.

Trust anchors:

    trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
    trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

Cheers,

Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775 9123 B3A2 389B 9DE2 334A
Re: [Dnsmasq-discuss] Starting as non-root
On 13/05/2019 09:31, Kristoffel Pirard wrote:
> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> _normally_ be started as root". We tested starting as non-root user,
> but with capabilities cap_net_bind_service, cap_net_admin,
> cap_net_raw. It currently seems to work, but I'm debating if we
> should actually use this 'hack'.
>
> So should the ambiguous adverb 'normally' be removed from the
> documentation? If not, what are the circumstances in which it is
> allowed to not start as root?

The whole world is not Linux. Most other OS's don't have these caps.

Roy
[Dnsmasq-discuss] Starting as non-root
Hi there,

The dnsmasq man page for the --user parameter says that "Dnsmasq must _normally_ be started as root". We tested starting as non-root user, but with capabilities cap_net_bind_service, cap_net_admin, cap_net_raw. It currently seems to work, but I'm debating if we should actually use this 'hack'.

So should the ambiguous adverb 'normally' be removed from the documentation? If not, what are the circumstances in which it is allowed to not start as root?

Kind regards,
Kristoffel