On Sun, Oct 09, 2022 at 06:21:53PM -0500, Christopher J. Madsen wrote:
> I have configured dnsmasq and openresolv as described in
> https://unix.stackexchange.com/a/575449/2421 so that the DNS servers
> provided by the VPN are only used for the domains on that network.
>
> With dnsmasq 2.86 and openresolv 3.12.0 this was working great, but I was
> setting up a new computer the same way and discovered that DNS lookups broke
> when I disconnected from the VPN (causing resolvconf to remove the private
> DNS servers). I soon realized that the new machine had gotten dnsmasq 2.87,
> which I hadn't yet upgraded to on the old machine (it had dnsmasq 2.86).
>
> The symptom is that all DNS requests (except those for other machines on my
> LAN) are refused by dnsmasq:
>
> $ nslookup www.google.com
> Server: ::1
> Address: ::1#53
>
> ** server can't find www.google.com: REFUSED
>
> Restarting dnsmasq fixes the problem until the next time I disconnect the
> VPN.
>
> I installed dnsmasq 2.86 on the new machine and the problem went away. If I
> put 2.87 back, the problem also comes back. It seems that something in 2.87
> breaks with my setup.

Interesting ...

> BTW, openresolv 3.12.0 uses DBus to add/remove nameservers instead of
> editing the dnsmasq config files.
>
> I turned on debug logging. When I connect the VPN, I see this in the log:
>
> Oct 9 16:40:15 dnsmasq[105349]: setting upstream servers from DBus
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain
> example.com
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain
> example.com
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain
> example.com
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.24#53 for domain
> example.org
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.26#53 for domain
> example.org
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 10.3.10.25#53 for domain
> example.org
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain
> lan.example.net
> Oct 9 16:40:15 dnsmasq[105349]: using nameserver fd...::1#53 for domain
> lan.example.net
> Oct 9 16:40:15 dnsmasq[105349]: read /etc/hosts - 0 addresses
>
> I have redacted the IPv6 address, but it is exactly the same in all log
> entries. I have also redacted the domains. The VPN provides example.com
> and example.org, and lan.example.net is my LAN. This part of the log looks
> exactly the same in 2.86 and 2.87; only the timestamps change.
>
> Here is what dnsmasq 2.86 reports when I disconnect the VPN:
>
> Oct 9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain
> lan.example.net
> Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain
> lan.example.net
> Oct 9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
>
> Here is what dnsmasq 2.87 reports when I disconnect the VPN:
>
> Oct 9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
> Oct 9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain
> lan.example.net
> Oct 9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain
> lan.example.net
> Oct 9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
> Oct 9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
> Oct 9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
>
> Notice that 2.87 does not show any "using nameserver" lines that don't also
> say "for domain". As a result, I can only look up hosts under the
> lan.example.net domain. Everything else is refused.
>
> I don't know how to see the DBus messages that openresolv is sending to
> dnsmasq, but I would assume they're the same in both cases. The only thing
> that changed is the version of dnsmasq. But for whatever reason, dnsmasq
> 2.87 isn't setting up generic nameservers when the VPN disconnects, but 2.86
> is.

Possible direction for further hunting: interfaces.

Yeah, that is somewhat vague, it is because "gut feeling".
The (wired?) idea is upon shutdown of the VPN is an interface gone.
And the gone I/F was the one with access to upstream DNS.

Groeten
Geert Stappers

P.S.
It will be a good thing that follow-up message provides
a more complete picture of the setup.
--
Silence is hard to parse
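
The symptom reported in the quoted logs, a DBus reload that lists only "for domain" servers, can be checked mechanically from the dnsmasq debug log. The following is an added example, not part of either message and not dnsmasq or openresolv code; the function names are hypothetical and the sample lines are constructed from the log excerpts quoted in the thread.

```python
import re

RELOAD = "setting upstream servers from DBus"
SERVER = re.compile(r"using nameserver (\S+)#(\d+)(?: for domain (\S+))?$")

# Constructed sample: the two "disconnect" excerpts quoted in the thread,
# with the mail client's line wraps rejoined (2.86 first, then 2.87).
SAMPLE = """\
Oct 9 16:40:43 dnsmasq[105349]: setting upstream servers from DBus
Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53
Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53
Oct 9 16:40:43 dnsmasq[105349]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct 9 16:40:43 dnsmasq[105349]: using nameserver fd...::1#53 for domain lan.example.net
Oct 9 16:40:43 dnsmasq[105349]: read /etc/hosts - 0 addresses
Oct 9 16:46:21 dnsmasq[105730]: setting upstream servers from DBus
Oct 9 16:46:21 dnsmasq[105730]: using nameserver 192.168.1.1#53 for domain lan.example.net
Oct 9 16:46:21 dnsmasq[105730]: using nameserver fd...::1#53 for domain lan.example.net
Oct 9 16:46:21 dnsmasq[105730]: read /etc/hosts - 0 addresses
Oct 9 16:46:22 dnsmasq[105730]: query[A] ipv4only.arpa from ::1
Oct 9 16:46:22 dnsmasq[105730]: config error is REFUSED (EDE: not ready)
""".splitlines()


def audit_reloads(lines):
    """Group 'using nameserver' lines by the DBus reload that precedes them."""
    reloads, current = [], None
    for line in lines:
        msg = line.split("]: ", 1)[-1].strip()  # drop the syslog prefix
        if msg == RELOAD:
            current = {"default": [], "domains": {}, "refused": 0}
            reloads.append(current)
            continue
        if current is None:
            continue  # ignore anything logged before the first reload
        m = SERVER.match(msg)
        if m:
            addr, _port, domain = m.groups()
            if domain:
                current["domains"].setdefault(domain, []).append(addr)
            else:
                current["default"].append(addr)
        elif "REFUSED" in msg:
            current["refused"] += 1  # refusals logged since this reload
    return reloads


def missing_default(reloads):
    """Indexes of reloads that left no general-purpose upstream server."""
    return [i for i, r in enumerate(reloads) if not r["default"]]
```

On the sample, `missing_default(audit_reloads(SAMPLE))` flags only the second reload, the one logged by 2.87.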