Yes, basically this is what's happening.
The amount of addresses vary on the lo0 interface, depending on how many
jails are fired up with a respective IP address, so I can't tell. Right
now I have around 30 of them, but since I manage them with the
aforementioned ansible scripts, they can be more
I think this is the crux.
dnsmasq is listening on the wildcard address and accepting packets which
arrive from lo. lo has address 127.0.0.20 (amongst others) and
therefore dnsmasq is deciding that queries is sends to 127.0.0.20 will
end up back at itself, and refusing to do that because it's a
I think easiest solution would be listening of dnsmasq on all addresses
and putting unbound on different port. Forward to it by
server=127.0.0.20#1053. It would require dnsmasq to proxy all requests
to unbound, but that should not hurt. IPv6 still can be used to reach
unbound, custom port would be
dnsmasq needs to listen on all IPs on the lo0 interface _except_ for the
one unbound also listens on (in this case, 127.0.0.20), so that the
jailed processes have dnsmasq to communicate with, and then dnsmasq can
query unbound for 'outside' DNS resolution on its own jail IP. The
latter happens via
How should unbound listen on lo0 if dnsmasq is already listening there?
I do not know BSD. Linux would not permit dnsmasq listening on wildcard
socket and unbound listening on the same port.
I think listen-address would listen just on 127.0.0.1. interface=lo0
should not be necessary. At least on
I've already added listen-address=127.0.0.1 to it, as it's the host
env's IP address.
bind-interfaces has to be commented out, otherwise the jails will have
problems resolving (it's a FreeBSD host-jail resolution specific thing)
Why would you want me to use except-interface=lo0? I _want_ it to
I would check what addresses it is listening on. I think it considers
all loopback addresses its own. Probably because it would accept queries
to that address if you stop unbound.
It might help, if you configured it with this:
bind-interfaces
except-interface=lo0
listen-address=127.0.0.21
It
Hi Petr,
as you have seen in the original email, it is dnsmasq that refuses to
use the lo0 interface to communicate with the IP 127.0.0.20:
Jul 20 13:33:23 ksol dnsmasq[99396]: ignoring nameserver 127.0.0.20 -
local interface
When querying manually from the host env to the jailed unbound, I get
Hi László,
are you sure it is dnsmasq, who is rejecting the communication?
Unbound has by default disabled commuinication on localhost. If you have
any other servers running along it, you have to use:
do-not-query-localhost: no
to override defaults. But that has to be done on unbound side.
