Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
Yes, basically this is what's happening. The number of addresses on the
lo0 interface varies, depending on how many jails are fired up with a
respective IP address, so I can't tell. Right now I have around 30 of
them, but since I manage them with the aforementioned ansible scripts,
there can be more or less, depending on the current situation. Adjusting
the config with every jail redeployment seems overkill to me, to be
honest. I'd be glad if an option existed that tells dnsmasq it's allowed
to use a specific IP, against the wildcard listening socket.

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-22 14:01, Simon Kelley wrote:
> I think this is the crux.
>
> dnsmasq is listening on the wildcard address and accepting packets which
> arrive from lo. lo has address 127.0.0.20 (amongst others) and
> therefore dnsmasq is deciding that queries it sends to 127.0.0.20 will
> end up back at itself, and refusing to do that because it's a bad thing
> to do. It doesn't know that you are gaming obscure kernel behaviour to
> send 127.0.0.20 somewhere else.
>
> How many addresses are on lo? If it's a reasonable number, can you just
> enumerate all of them _apart_ from 127.0.0.20 as listen_address configs,
> and miss out the interface=lo from the config. That should do what you
> want. Failing that, an except-address config, analogous to
> except-interface would do the trick, but doesn't exist. :(
>
> Cheers,
>
> Simon.
>
> On 21/07/2020 18:15, László Károlyi wrote:
>> dnsmasq needs to listen on all IPs on the lo0 interface _except_ for the
>> one unbound also listens on (in this case, 127.0.0.20), so that the
>> jailed processes have dnsmasq to communicate with, and then dnsmasq can
>> query unbound for 'outside' DNS resolution on its own jail IP. The
>> latter happens via IPv6 only now, as dnsmasq refuses to use 127.0.0.20
>> with its current config, however according to sockstat, it listens on
>> the wildcard interface despite its log message:
>>
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
>> nobody   dnsmasq    99396 4  udp4   *:53                       *:*
>> nobody   dnsmasq    99396 5  tcp4   *:53                       *:*
>> nobody   dnsmasq    99396 6  udp6   *:53                       *:*
>> nobody   dnsmasq    99396 7  tcp6   *:53                       *:*
>> nobody   dnsmasq    99396 10 dgram  (not connected)
>>
>> Unbound listens on 127.0.0.20:
>>
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
>> unbound  unbound    29892 3  udp6   2a01:4f8:241:15df::32:53   *:*
>> unbound  unbound    29892 4  tcp6   2a01:4f8:241:15df::32:53   *:*
>> unbound  unbound    29892 5  udp4   127.0.0.20:53              *:*
>> unbound  unbound    29892 6  tcp4   127.0.0.20:53              *:*
>>
>> When testing, dnsmasq responds to all internal hostname queries on
>> 127.0.0.x except for 127.0.0.20, so it seems to listen on all
>> interfaces. The FreeBSD kernel gives preference to the IP-bound
>> (non-wildcard) socket when connecting to that socket for querying; see
>> querying an inner jail name, jail-mariadb:
>>
>> # host jail-mariadb 127.0.0.1
>> Using domain server:
>> Name: 127.0.0.1
>> Address: 127.0.0.1#53
>> Aliases:
>>
>> jail-mariadb has address 127.0.0.24
>> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>>
>> # host jail-mariadb 127.0.0.5
>> Using domain server:
>> Name: 127.0.0.5
>> Address: 127.0.0.5#53
>> Aliases:
>>
>> jail-mariadb has address 127.0.0.24
>> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>>
>> # host jail-mariadb 127.0.0.20
>> Using domain server:
>> Name: 127.0.0.20
>> Address: 127.0.0.20#53
>> Aliases:
>>
>> Host jail-mariadb not found: 3(NXDOMAIN)
>>
>> Both 127.0.0.1 and 127.0.0.5 are responses from dnsmasq, but 127.0.0.20
>> is a response from unbound. This is desired, in order for the jailed
>> processes to be able to use DNS resolution from within.
>>
>> What I'm trying to achieve is to make dnsmasq query 127.0.0.20 knowing
>> the facts above, as specified in /usr/local/etc/dnsmasq-resolv.conf:
>>
>> nameserver 127.0.0.20
>> nameserver 2a01:4f8:241:15df::32
>>
>> Basically, the jails talk to their own assigned internal IPs when
>> querying (not 127.0.0.1; that won't work because the DNS response gets
>> dropped, as the response comes from the jail's internal IP and not
>> 127.0.0.1), which is why dnsmasq has to listen on them. Then dnsmasq will
>> talk to the unbound jail's IP address (127.0.0.20) when querying for
>> outside DNS.
>>
>> Sounds complicated, but this is what I'd like to get done, so it would
>> work with both IPv6 AND IPv4.
>>
>> Cheers,
>> --
>> László Károlyi
>> http://linkedin.com/in/karolyi
>>
>> On 2020-07-21 17:00, Petr Menšík wrote:
>>> How should unbound listen on lo0 if dnsmasq is already listening there?
>>> I do not know BSD. Linux would not permit dnsmasq listening on wildcard
>>> socket and unbound listening on the same port.
>>>
>>> I think listen-address would listen just on 127.0.0.1. interface=lo0
>>>
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
I think this is the crux.

dnsmasq is listening on the wildcard address and accepting packets which
arrive from lo. lo has address 127.0.0.20 (amongst others) and
therefore dnsmasq is deciding that queries it sends to 127.0.0.20 will
end up back at itself, and refusing to do that because it's a bad thing
to do. It doesn't know that you are gaming obscure kernel behaviour to
send 127.0.0.20 somewhere else.

How many addresses are on lo? If it's a reasonable number, can you just
enumerate all of them _apart_ from 127.0.0.20 as listen_address configs,
and miss out the interface=lo from the config. That should do what you
want. Failing that, an except-address config, analogous to
except-interface would do the trick, but doesn't exist. :(

Cheers,

Simon.

On 21/07/2020 18:15, László Károlyi wrote:
> dnsmasq needs to listen on all IPs on the lo0 interface _except_ for the
> one unbound also listens on (in this case, 127.0.0.20), so that the
> jailed processes have dnsmasq to communicate with, and then dnsmasq can
> query unbound for 'outside' DNS resolution on its own jail IP. The
> latter happens via IPv6 only now, as dnsmasq refuses to use 127.0.0.20
> with its current config, however according to sockstat, it listens on
> the wildcard interface despite its log message:
>
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
> nobody   dnsmasq    99396 4  udp4   *:53                       *:*
> nobody   dnsmasq    99396 5  tcp4   *:53                       *:*
> nobody   dnsmasq    99396 6  udp6   *:53                       *:*
> nobody   dnsmasq    99396 7  tcp6   *:53                       *:*
> nobody   dnsmasq    99396 10 dgram  (not connected)
>
> Unbound listens on 127.0.0.20:
>
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
> unbound  unbound    29892 3  udp6   2a01:4f8:241:15df::32:53   *:*
> unbound  unbound    29892 4  tcp6   2a01:4f8:241:15df::32:53   *:*
> unbound  unbound    29892 5  udp4   127.0.0.20:53              *:*
> unbound  unbound    29892 6  tcp4   127.0.0.20:53              *:*
>
> When testing, dnsmasq responds to all internal hostname queries on
> 127.0.0.x except for 127.0.0.20, so it seems to listen on all
> interfaces. The FreeBSD kernel gives preference to the IP-bound
> (non-wildcard) socket when connecting to that socket for querying; see
> querying an inner jail name, jail-mariadb:
>
> # host jail-mariadb 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases:
>
> jail-mariadb has address 127.0.0.24
> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>
> # host jail-mariadb 127.0.0.5
> Using domain server:
> Name: 127.0.0.5
> Address: 127.0.0.5#53
> Aliases:
>
> jail-mariadb has address 127.0.0.24
> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>
> # host jail-mariadb 127.0.0.20
> Using domain server:
> Name: 127.0.0.20
> Address: 127.0.0.20#53
> Aliases:
>
> Host jail-mariadb not found: 3(NXDOMAIN)
>
> Both 127.0.0.1 and 127.0.0.5 are responses from dnsmasq, but 127.0.0.20
> is a response from unbound. This is desired, in order for the jailed
> processes to be able to use DNS resolution from within.
>
> What I'm trying to achieve is to make dnsmasq query 127.0.0.20 knowing
> the facts above, as specified in /usr/local/etc/dnsmasq-resolv.conf:
>
> nameserver 127.0.0.20
> nameserver 2a01:4f8:241:15df::32
>
> Basically, the jails talk to their own assigned internal IPs when
> querying (not 127.0.0.1; that won't work because the DNS response gets
> dropped, as the response comes from the jail's internal IP and not
> 127.0.0.1), which is why dnsmasq has to listen on them. Then dnsmasq will
> talk to the unbound jail's IP address (127.0.0.20) when querying for
> outside DNS.
>
> Sounds complicated, but this is what I'd like to get done, so it would
> work with both IPv6 AND IPv4.
>
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
>
> On 2020-07-21 17:00, Petr Menšík wrote:
>> How should unbound listen on lo0 if dnsmasq is already listening there?
>> I do not know BSD. Linux would not permit dnsmasq listening on wildcard
>> socket and unbound listening on the same port.
>>
>> I think listen-address would listen just on 127.0.0.1. interface=lo0
>> should not be necessary. At least on Linux kernel, it means listening on
>> ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs
>> different port to listen on or different interface. I think that is not
>> what you want.
>>
>> What is contents of /usr/local/etc/dnsmasq-resolv.conf?
>> I think no-resolv should be used as well to prevent reading
>> /etc/resolv.conf.

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
I think the easiest solution would be dnsmasq listening on all addresses
and putting unbound on a different port. Forward to it by
server=127.0.0.20#1053. It would require dnsmasq to proxy all requests to
unbound, but that should not hurt. IPv6 still can be used to reach
unbound; a custom port would be also available. Most tools can specify
also DNS port; stub resolvers should work fine on dnsmasq.

You would need an except-listen-address statement, but it is not
supported. Or list all jail addresses except 127.0.0.20 in
listen-address explicitly.

On 7/21/20 7:15 PM, László Károlyi wrote:
> dnsmasq needs to listen on all IPs on the lo0 interface _except_ for the
> one unbound also listens on (in this case, 127.0.0.20), so that the
> jailed processes have dnsmasq to communicate with, and then dnsmasq can
> query unbound for 'outside' DNS resolution on its own jail IP. The
> latter happens via IPv6 only now, as dnsmasq refuses to use 127.0.0.20
> with its current config, however according to sockstat, it listens on
> the wildcard interface despite its log message:
>
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
> nobody   dnsmasq    99396 4  udp4   *:53                       *:*
> nobody   dnsmasq    99396 5  tcp4   *:53                       *:*
> nobody   dnsmasq    99396 6  udp6   *:53                       *:*
> nobody   dnsmasq    99396 7  tcp6   *:53                       *:*
> nobody   dnsmasq    99396 10 dgram  (not connected)
>
> Unbound listens on 127.0.0.20:
>
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
> unbound  unbound    29892 3  udp6   2a01:4f8:241:15df::32:53   *:*
> unbound  unbound    29892 4  tcp6   2a01:4f8:241:15df::32:53   *:*
> unbound  unbound    29892 5  udp4   127.0.0.20:53              *:*
> unbound  unbound    29892 6  tcp4   127.0.0.20:53              *:*
>
> When testing, dnsmasq responds to all internal hostname queries on
> 127.0.0.x except for 127.0.0.20, so it seems to listen on all
> interfaces. The FreeBSD kernel gives preference to the IP-bound
> (non-wildcard) socket when connecting to that socket for querying; see
> querying an inner jail name, jail-mariadb:
>
> # host jail-mariadb 127.0.0.1
> Using domain server:
> Name: 127.0.0.1
> Address: 127.0.0.1#53
> Aliases:
>
> jail-mariadb has address 127.0.0.24
> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>
> # host jail-mariadb 127.0.0.5
> Using domain server:
> Name: 127.0.0.5
> Address: 127.0.0.5#53
> Aliases:
>
> jail-mariadb has address 127.0.0.24
> jail-mariadb has IPv6 address 2a01:4f8:241:15df::21
>
> # host jail-mariadb 127.0.0.20
> Using domain server:
> Name: 127.0.0.20
> Address: 127.0.0.20#53
> Aliases:
>
> Host jail-mariadb not found: 3(NXDOMAIN)
>
> Both 127.0.0.1 and 127.0.0.5 are responses from dnsmasq, but 127.0.0.20
> is a response from unbound. This is desired, in order for the jailed
> processes to be able to use DNS resolution from within.
>
> What I'm trying to achieve is to make dnsmasq query 127.0.0.20 knowing
> the facts above, as specified in /usr/local/etc/dnsmasq-resolv.conf:
>
> nameserver 127.0.0.20
> nameserver 2a01:4f8:241:15df::32

Because you have probably specified it manually in unbound
configuration, I think you may specify it manually also for dnsmasq. If
you choose to use:

server=127.0.0.20
server=2a01:4f8:241:15df::32

It should work the same. But it allows you to specify also a custom port
of unbound, so they do not have to clash for port 53 on the same
interface. It would be easier to manage

server=127.0.0.20#1053

>
> Basically, the jails talk to their own assigned internal IPs when
> querying (not 127.0.0.1; that won't work because the DNS response gets
> dropped, as the response comes from the jail's internal IP and not
> 127.0.0.1), which is why dnsmasq has to listen on them. Then dnsmasq will
> talk to the unbound jail's IP address (127.0.0.20) when querying for
> outside DNS.

On linux, I can "dig @127.0.0.1 -b 127.0.0.153 localhost" without any
issues. What is dropping responses? Would a firewall tweak allow it
without extra configuration?

>
> Sounds complicated, but this is what I'd like to get done, so it would
> work with both IPv6 AND IPv4.
>
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
>
> On 2020-07-21 17:00, Petr Menšík wrote:
>> How should unbound listen on lo0 if dnsmasq is already listening there?
>> I do not know BSD. Linux would not permit dnsmasq listening on wildcard
>> socket and unbound listening on the same port.
>>
>> I think listen-address would listen just on 127.0.0.1. interface=lo0
>> should not be necessary. At least on Linux kernel, it means listening on
>> ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs
>> different port to listen on or different interface. I think that is not
>> what you want.
>>
>> What is contents of /usr/local/etc/dnsmasq-resolv.conf?
>> I think no-resolv should be used as well to prevent reading
>> /etc/resolv.conf.
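Both workarounds offered in this thread, Simon's (enumerate every lo0 address except 127.0.0.20 as listen-address and drop interface=lo0) and Petr's (server= lines with an explicit unbound port, plus no-resolv), are static config edits, which is what László objects to when the jail set changes on every redeploy. The script below is an added example, not code from the thread or from the dnsmasq project: it derives those lines from ifconfig output so the same ansible run that creates the jails can regenerate the fragment. The ifconfig text embedded in it is constructed to resemble a FreeBSD lo0 with jail aliases, port 1053 is Petr's hypothetical choice, and the function names are mine. Whether dnsmasq then accepts 127.0.0.20 as a forwarder is exactly what the thread is still testing, so check for the "ignoring nameserver" log line after reloading.

```shell
#!/bin/sh
# Added example, not from the thread or the dnsmasq project. Generates the
# dnsmasq listen-address= and server= lines for a FreeBSD host whose jails
# live on lo0 aliases, excluding the address(es) reserved for the jailed
# unbound. Meant to be called from a deploy script with real `ifconfig lo0`
# output; the sample below is constructed.

SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    inet 127.0.0.5 netmask 0xffffffff
    inet 127.0.0.20 netmask 0xffffffff
    inet 127.0.0.24 netmask 0xffffffff
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# gen_listen_addresses IFCONFIG_TEXT [EXCLUDED_ADDR ...]
# One listen-address= line per inet/inet6 address, minus the excluded ones.
# Link-local IPv6 is skipped: its %lo0 scope suffix is not a usable
# listen-address value and the jails do not use it.
gen_listen_addresses() {
    input=$1
    shift
    printf '%s\n' "$input" | awk -v excl="$*" '
        BEGIN { n = split(excl, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        $1 == "inet" || $1 == "inet6" {
            addr = $2
            sub(/%.*$/, "", addr)           # drop the scope id, if any
            if (addr ~ /^fe80:/) next
            if (!(addr in skip)) print "listen-address=" addr
        }'
}

# gen_forwarders PORT UPSTREAM_ADDR ...
# no-resolv (so /etc/resolv.conf is never consulted) plus one server= line
# per upstream with an explicit port. dnsmasq takes IPv6 addresses here
# without brackets; the port follows a "#".
gen_forwarders() {
    port=$1
    shift
    printf 'no-resolv\n'
    for up in "$@"; do
        printf 'server=%s#%s\n' "$up" "$port"
    done
}

# gen_fragment IFCONFIG_TEXT PORT UPSTREAM_ADDR ...
# Complete fragment. The listeners exclude every upstream address, so the
# host-side dnsmasq never claims the unbound jail's own IPs as its own.
gen_fragment() {
    input=$1
    port=$2
    shift 2
    gen_listen_addresses "$input" "$@"
    gen_forwarders "$port" "$@"
}

gen_fragment "$SAMPLE_IFCONFIG" 1053 127.0.0.20 2a01:4f8:241:15df::32
```

Run it as `gen_fragment "$(ifconfig lo0)" 1053 127.0.0.20 2a01:4f8:241:15df::32 > /usr/local/etc/dnsmasq.d/jails.conf` (or whatever conf-dir the deploy uses) and reload dnsmasq; keep the rest of dnsmasq.conf free of interface=lo0 and resolv-file= so the generated lines are the only source of listeners and upstreams.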
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
dnsmasq needs to listen on all IPs on the lo0 interface _except_ for the
one unbound also listens on (in this case, 127.0.0.20), so that the
jailed processes have dnsmasq to communicate with, and then dnsmasq can
query unbound for 'outside' DNS resolution on its own jail IP. The
latter happens via IPv6 only now, as dnsmasq refuses to use 127.0.0.20
with its current config, however according to sockstat, it listens on
the wildcard interface despite its log message:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
nobody   dnsmasq    99396 4  udp4   *:53                       *:*
nobody   dnsmasq    99396 5  tcp4   *:53                       *:*
nobody   dnsmasq    99396 6  udp6   *:53                       *:*
nobody   dnsmasq    99396 7  tcp6   *:53                       *:*
nobody   dnsmasq    99396 10 dgram  (not connected)

Unbound listens on 127.0.0.20:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
unbound  unbound    29892 3  udp6   2a01:4f8:241:15df::32:53   *:*
unbound  unbound    29892 4  tcp6   2a01:4f8:241:15df::32:53   *:*
unbound  unbound    29892 5  udp4   127.0.0.20:53              *:*
unbound  unbound    29892 6  tcp4   127.0.0.20:53              *:*

When testing, dnsmasq responds to all internal hostname queries on
127.0.0.x except for 127.0.0.20, so it seems to listen on all
interfaces. The FreeBSD kernel gives preference to the IP-bound
(non-wildcard) socket when connecting to that socket for querying; see
querying an inner jail name, jail-mariadb:

# host jail-mariadb 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

jail-mariadb has address 127.0.0.24
jail-mariadb has IPv6 address 2a01:4f8:241:15df::21

# host jail-mariadb 127.0.0.5
Using domain server:
Name: 127.0.0.5
Address: 127.0.0.5#53
Aliases:

jail-mariadb has address 127.0.0.24
jail-mariadb has IPv6 address 2a01:4f8:241:15df::21

# host jail-mariadb 127.0.0.20
Using domain server:
Name: 127.0.0.20
Address: 127.0.0.20#53
Aliases:

Host jail-mariadb not found: 3(NXDOMAIN)

Both 127.0.0.1 and 127.0.0.5 are responses from dnsmasq, but 127.0.0.20
is a response from unbound. This is desired, in order for the jailed
processes to be able to use DNS resolution from within.

What I'm trying to achieve is to make dnsmasq query 127.0.0.20 knowing
the facts above, as specified in /usr/local/etc/dnsmasq-resolv.conf:

nameserver 127.0.0.20
nameserver 2a01:4f8:241:15df::32

Basically, the jails talk to their own assigned internal IPs when
querying (not 127.0.0.1; that won't work because the DNS response gets
dropped, as the response comes from the jail's internal IP and not
127.0.0.1), which is why dnsmasq has to listen on them. Then dnsmasq will
talk to the unbound jail's IP address (127.0.0.20) when querying for
outside DNS.

Sounds complicated, but this is what I'd like to get done, so it would
work with both IPv6 AND IPv4.

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-21 17:00, Petr Menšík wrote:
> How should unbound listen on lo0 if dnsmasq is already listening there?
> I do not know BSD. Linux would not permit dnsmasq listening on wildcard
> socket and unbound listening on the same port.
>
> I think listen-address would listen just on 127.0.0.1. interface=lo0
> should not be necessary. At least on Linux kernel, it means listening on
> ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs
> different port to listen on or different interface. I think that is not
> what you want.
>
> What is contents of /usr/local/etc/dnsmasq-resolv.conf?
> I think no-resolv should be used as well to prevent reading
> /etc/resolv.conf.
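The message above works out from the sockstat listing and three host queries which process answers on each loopback address: FreeBSD hands the packet to the most specific bind, so unbound's 127.0.0.20:53 socket wins over dnsmasq's *:53 socket for that one address. The script below is an added example, not code from the thread or from the dnsmasq or unbound projects: it parses sockstat-style output (the text embedded here is constructed, modelled on what was posted, with an extra syslogd line to exercise the port filter) and, for a given port, lists every address-specific listener that sits under another process's wildcard socket of the same protocol. It only reads the listener table and sends no queries, so it says who should answer; the host queries above remain the ground truth.

```shell
#!/bin/sh
# Added example, not from the thread or the dnsmasq project. Correlates
# wildcard (*:PORT) listeners with address-specific ones of the same
# protocol from sockstat-style output. Constructed sample, modelled on
# the output posted in the thread; feed `sockstat -46l` for a live check.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS              FOREIGN ADDRESS
nobody   dnsmasq    99396 4  udp4   *:53                       *:*
nobody   dnsmasq    99396 5  tcp4   *:53                       *:*
nobody   dnsmasq    99396 6  udp6   *:53                       *:*
nobody   dnsmasq    99396 7  tcp6   *:53                       *:*
nobody   dnsmasq    99396 10 dgram  (not connected)
unbound  unbound    29892 3  udp6   2a01:4f8:241:15df::32:53   *:*
unbound  unbound    29892 4  tcp6   2a01:4f8:241:15df::32:53   *:*
unbound  unbound    29892 5  udp4   127.0.0.20:53              *:*
unbound  unbound    29892 6  tcp4   127.0.0.20:53              *:*
root     syslogd    1234  5  udp6   *:514                      *:*'

# shadowed_listeners SOCKSTAT_TEXT PORT
# Prints "PROTO ADDR SPECIFIC_OWNER over WILDCARD_OWNER" for each
# address-specific socket on PORT whose protocol also has a *:PORT socket
# held by some process. On FreeBSD the specific bind receives the traffic
# for that address; the wildcard owner sees everything else.
shadowed_listeners() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR == 1 { next }                        # column header
        $5 !~ /^(tcp|udp)[46]$/ { next }        # skip unix/dgram sockets
        {
            proto = $5; local = $6
            n = split(local, f, ":")            # port is the last ":" field
            if (f[n] != port) next
            addr = substr(local, 1, length(local) - length(f[n]) - 1)
            owner = $2 "/" $3
            if (addr == "*") wild[proto] = owner
            else { cnt++; sp[cnt] = proto; sa[cnt] = addr; so[cnt] = owner }
        }
        END {
            for (i = 1; i <= cnt; i++)
                if (sp[i] in wild)
                    print sp[i], sa[i], so[i], "over", wild[sp[i]]
        }'
}

shadowed_listeners "$SAMPLE_SOCKSTAT" 53
```

On the sample this reports four pairs, one per protocol, each with unbound/29892 over dnsmasq/99396, which matches the host queries: 127.0.0.20 (and the jail's IPv6 address) go to unbound, everything else on port 53 goes to dnsmasq. An empty result for a port means no overlap exists to reason about.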
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
How should unbound listen on lo0 if dnsmasq is already listening there?
I do not know BSD. Linux would not permit dnsmasq listening on wildcard
socket and unbound listening on the same port.

I think listen-address would listen just on 127.0.0.1. interface=lo0
should not be necessary. At least on Linux kernel, it means listening on
ANY IPv4/IPv6 address assigned to lo0. That would mean unbound needs
different port to listen on or different interface. I think that is not
what you want.

What is contents of /usr/local/etc/dnsmasq-resolv.conf?
I think no-resolv should be used as well to prevent reading
/etc/resolv.conf.

On 7/21/20 3:18 PM, László Károlyi wrote:
> I've already added listen-address=127.0.0.1 to it, as it's the host
> env's IP address.
>
> bind-interfaces has to be commented out, otherwise the jails will have
> problems resolving (it's a FreeBSD host-jail resolution specific thing)

Is there a good explanation how this should work? How exactly are
addresses configured on the loopback device? Is unbound listening on lo1?

>
> Why would you want me to use except-interface=lo0? I _want_ it to listen
> on lo0.

How does ifconfig lo0 look like? Do you want to listen on all its
addresses?

>
> For the sake of clarity, here's my cleaned dnsmasq.conf:
>
> domain-needed
> conf-file=/usr/local/share/dnsmasq/trust-anchors.conf
> dnssec
> dnssec-check-unsigned
> resolv-file=/usr/local/etc/dnsmasq-resolv.conf
> interface=lo0
> listen-address=127.0.0.1
> no-dhcp-interface=lo0
> local-ttl=5
> dhcp-name-match=set:wpad-ignore,wpad
> dhcp-ignore-names=tag:wpad-ignore
> rebind-domain-ok=/rfc-ignorant.org/sorbs.net/uribl.com/surbl.org/dnswl.org/njabl.org/spamhaus.org/spamcop.net/barracudacentral.org/
>
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
>
> On 2020-07-21 14:42, Petr Menšík wrote:
>> I would check what addresses it is listening on. I think it considers
>> all loopback addresses its own. Probably because it would accept queries
>> to that address if you stop unbound.
>>
>> It might help, if you configured it with this:
>> bind-interfaces
>> except-interface=lo0
>> listen-address=127.0.0.21
>>
>> It would listen only on 127.0.0.21 and consider all other addresses not
>> its own. I think it should send queries there. It should then accept:
>> server=127.0.0.20
>> without ignoring it this way.
>>
>> On 7/20/20 4:35 PM, László Károlyi wrote:
>>> Hi Petr,
>>>
>>> as you have seen in the original email, it is dnsmasq that refuses to
>>> use the lo0 interface to communicate with the IP 127.0.0.20:
>>>
>>> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
>>> local interface
>>>
>>> When querying manually from the host env to the jailed unbound, I get
>>> proper DNS responses. This was something I did pay extra attention to
>>> get it working from the get-go. See:
>>>
>>> Citing my configs here makes no sense as you can see it's working already.
>>>
>>> Cheers,
>>> --
>>> László Károlyi
>>> http://linkedin.com/in/karolyi
>>>
>>> On 2020-07-20 16:12, Petr Menšík wrote:
>>>> Hi László,
>>>>
>>>> are you sure it is dnsmasq, who is rejecting the communication?
>>>> Unbound has by default disabled communication on localhost. If you have
>>>> any other servers running along it, you have to use:
>>>>
>>>> do-not-query-localhost: no
>>>>
>>>> to override defaults. But that has to be done on unbound side. AFAIK
>>>> dnsmasq does not have any such limitation. It does limit only
>>>> per-interface, all required is to configure interface=lo, which is
>>>> enabled by default.
>>>>
>>>> How many interface= statements do you have in configuration? Is
>>>> localhost included?

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
I've already added listen-address=127.0.0.1 to it, as it's the host
env's IP address.

bind-interfaces has to be commented out, otherwise the jails will have
problems resolving (it's a FreeBSD host-jail resolution specific thing)

Why would you want me to use except-interface=lo0? I _want_ it to listen
on lo0.

For the sake of clarity, here's my cleaned dnsmasq.conf:

domain-needed
conf-file=/usr/local/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-check-unsigned
resolv-file=/usr/local/etc/dnsmasq-resolv.conf
interface=lo0
listen-address=127.0.0.1
no-dhcp-interface=lo0
local-ttl=5
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
rebind-domain-ok=/rfc-ignorant.org/sorbs.net/uribl.com/surbl.org/dnswl.org/njabl.org/spamhaus.org/spamcop.net/barracudacentral.org/

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-21 14:42, Petr Menšík wrote:
> I would check what addresses it is listening on. I think it considers
> all loopback addresses its own. Probably because it would accept queries
> to that address if you stop unbound.
>
> It might help, if you configured it with this:
> bind-interfaces
> except-interface=lo0
> listen-address=127.0.0.21
>
> It would listen only on 127.0.0.21 and consider all other addresses not
> its own. I think it should send queries there. It should then accept:
> server=127.0.0.20
> without ignoring it this way.
>
> On 7/20/20 4:35 PM, László Károlyi wrote:
>> Hi Petr,
>>
>> as you have seen in the original email, it is dnsmasq that refuses to
>> use the lo0 interface to communicate with the IP 127.0.0.20:
>>
>> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
>> local interface
>>
>> When querying manually from the host env to the jailed unbound, I get
>> proper DNS responses. This was something I did pay extra attention to
>> get it working from the get-go. See:
>>
>> Citing my configs here makes no sense as you can see it's working already.
>>
>> Cheers,
>> --
>> László Károlyi
>> http://linkedin.com/in/karolyi
>>
>> On 2020-07-20 16:12, Petr Menšík wrote:
>>> Hi László,
>>>
>>> are you sure it is dnsmasq, who is rejecting the communication?
>>> Unbound has by default disabled communication on localhost. If you have
>>> any other servers running along it, you have to use:
>>>
>>> do-not-query-localhost: no
>>>
>>> to override defaults. But that has to be done on unbound side. AFAIK
>>> dnsmasq does not have any such limitation. It does limit only
>>> per-interface, all required is to configure interface=lo, which is
>>> enabled by default.
>>>
>>> How many interface= statements do you have in configuration? Is
>>> localhost included?
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
I would check what addresses it is listening on. I think it considers
all loopback addresses its own. Probably because it would accept queries
to that address if you stop unbound.

It might help, if you configured it with this:
bind-interfaces
except-interface=lo0
listen-address=127.0.0.21

It would listen only on 127.0.0.21 and consider all other addresses not
its own. I think it should send queries there. It should then accept:
server=127.0.0.20
without ignoring it this way.

On 7/20/20 4:35 PM, László Károlyi wrote:
> Hi Petr,
>
> as you have seen in the original email, it is dnsmasq that refuses to
> use the lo0 interface to communicate with the IP 127.0.0.20:
>
> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
> local interface
>
> When querying manually from the host env to the jailed unbound, I get
> proper DNS responses. This was something I did pay extra attention to
> get it working from the get-go. See:
>
> Citing my configs here makes no sense as you can see it's working already.
>
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi
>
> On 2020-07-20 16:12, Petr Menšík wrote:
>> Hi László,
>>
>> are you sure it is dnsmasq, who is rejecting the communication?
>> Unbound has by default disabled communication on localhost. If you have
>> any other servers running along it, you have to use:
>>
>> do-not-query-localhost: no
>>
>> to override defaults. But that has to be done on unbound side. AFAIK
>> dnsmasq does not have any such limitation. It does limit only
>> per-interface, all required is to configure interface=lo, which is
>> enabled by default.
>>
>> How many interface= statements do you have in configuration? Is
>> localhost included?

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
Hi Petr,

as you have seen in the original email, it is dnsmasq that refuses to
use the lo0 interface to communicate with the IP 127.0.0.20:

Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
local interface

When querying manually from the host env to the jailed unbound, I get
proper DNS responses. This was something I did pay extra attention to
get it working from the get-go. See:

Citing my configs here makes no sense as you can see it's working already.

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi

On 2020-07-20 16:12, Petr Menšík wrote:
> Hi László,
>
> are you sure it is dnsmasq, who is rejecting the communication?
> Unbound has by default disabled communication on localhost. If you have
> any other servers running along it, you have to use:
>
> do-not-query-localhost: no
>
> to override defaults. But that has to be done on unbound side. AFAIK
> dnsmasq does not have any such limitation. It does limit only
> per-interface, all required is to configure interface=lo, which is
> enabled by default.
>
> How many interface= statements do you have in configuration? Is
> localhost included?
Re: [Dnsmasq-discuss] Make dnsmasq distinguish local IPs
Hi László,

are you sure it is dnsmasq, who is rejecting the communication?
Unbound has by default disabled communication on localhost. If you have
any other servers running along it, you have to use:

do-not-query-localhost: no

to override defaults. But that has to be done on unbound side. AFAIK
dnsmasq does not have any such limitation. It does limit only
per-interface, all required is to configure interface=lo, which is
enabled by default.

How many interface= statements do you have in configuration? Is
localhost included?

On 7/20/20 1:45 PM, László Károlyi wrote:
> Hey Simon,
>
> First of all, thanks again for fixing my DNSSEC issue. So as I said
> before, here's my feature request.
>
> I have a FreeBSD box that has multiple local IP addresses on the local
> 'lo0' interface, used by jails as their IPv4 interface address. Those
> IPs vary somewhere in the 127.0.0.x range. The jails use those addresses
> as their IPv4 addresses to communicate with the outside world, while
> being NAT-ed on the only available external IPv4 address.
>
> IPv6-wise, I have a bridge0 interface that handles the many different
> addresses assigned to my box, each assigned to one jail.
>
> Unbound runs in a jail and thus I've told dnsmasq to communicate with
> either the IPv4 127.0.0.x address, or the IPv6 address of the jail when
> looking up DNS records.
>
> When starting dnsmasq on the 'host' environment (it's the only service
> other than syslog I run in the host environment), dnsmasq refuses to
> communicate with the IPv4 address of the jailed unbound, claiming it's a
> 'local' address:
>
> Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
> local interface
>
> Whereas it's indeed a 'local' interface, it could be used for IPv4
> communication because of the reasons mentioned above.
>
> Because of this, dnsmasq is now only able to communicate through IPv6
> with unbound, but should I lose IPv6 support (unlikely but one never
> knows), I'd lose dnsmasq and the internal name resolution between the
> jails, which it is now able to support.
>
> So my request would be to fix this functionality and make dnsmasq able
> to differentiate between local IPs, in order to be able to use them for
> DNS resolution.
>
> Cheers,
> --
> László Károlyi
> http://linkedin.com/in/karolyi

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
[Dnsmasq-discuss] Make dnsmasq distinguish local IPs
Hey Simon,

First of all, thanks again for fixing my DNSSEC issue. So as I said
before, here's my feature request.

I have a FreeBSD box that has multiple local IP addresses on the local
'lo0' interface, used by jails as their IPv4 interface address. Those
IPs vary somewhere in the 127.0.0.x range. The jails use those addresses
as their IPv4 addresses to communicate with the outside world, while
being NAT-ed on the only available external IPv4 address.

IPv6-wise, I have a bridge0 interface that handles the many different
addresses assigned to my box, each assigned to one jail.

Unbound runs in a jail and thus I've told dnsmasq to communicate with
either the IPv4 127.0.0.x address, or the IPv6 address of the jail when
looking up DNS records.

When starting dnsmasq on the 'host' environment (it's the only service
other than syslog I run in the host environment), dnsmasq refuses to
communicate with the IPv4 address of the jailed unbound, claiming it's a
'local' address:

Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
local interface

Whereas it's indeed a 'local' interface, it could be used for IPv4
communication because of the reasons mentioned above.

Because of this, dnsmasq is now only able to communicate through IPv6
with unbound, but should I lose IPv6 support (unlikely but one never
knows), I'd lose dnsmasq and the internal name resolution between the
jails, which it is now able to support.

So my request would be to fix this functionality and make dnsmasq able
to differentiate between local IPs, in order to be able to use them for
DNS resolution.

Cheers,
--
László Károlyi
http://linkedin.com/in/karolyi