I want to disable dnsmasq since it appears to stop answering DNS requests while unbound keeps working.
How can I disable dnsmasq and use unbound instead (on port 53)?
I changed the settings manually with a little hack, but I would prefer the right way.
@filippo_carletti other firewall distros (like IPFire) provide both dhcpd and unbound as DNS proxy.
This also seems to allow the use of DNSSEC. https://wiki.ipfire.org/dns/dnssec/start
As far as I remember, NethServer relies quite a lot on dnsmasq…
@filippo_carletti
I have investigated this issue over the past 5 years.
There is more than one router out there using dnsmasq that stops resolving every once in a while.
I like it as a DNS forwarder and as a DHCP server, so it's fine most of the time.
There are times when it returns blank responses.
Since it starts at startup I had to change the binary to “true” and then change the local unbound port to 53.
If there were a way to set the listening port of dnsmasq DNS to 5353 in the config, then I could change it to whatever I want and it won't change the default DNS in resolv.conf.
I did it manually, so I do not know how to implement it using the “config” tools.
Any ideas are more than welcome.
@pike
I do like dnsmasq, but if for any reason it stops responding, the next step I would try is to use an alternative service to dnsmasq.
I can add the following to dnsmasq.conf: port=5353. It resolves the issue, but I didn't manage to make it permanent.
-p, --port=<port>
Listen on <port> instead of the standard DNS port (53). Setting this to zero completely disables DNS function,
leaving only DHCP and/or TFTP.
What I did was:
db configuration setprop dnsmasq DNSPort 0
and added the following to /etc/e-smith/templates/etc/dnsmasq.conf/20dns:
{
    # Read the DNSPort prop set with "db configuration setprop dnsmasq DNSPort <n>".
    # If the prop is not set at all, keep the standard DNS port instead of disabling DNS.
    my $dnsport = $dnsmasq{'DNSPort'} // 53;
    # Out-of-range values fall back to 0, which disables the DNS function of dnsmasq
    # (see the -p/--port description above) and leaves only DHCP/TFTP.
    if ($dnsport <= 0 || $dnsport > 65534) {
        $dnsport = 0;
    }
    # Emit the line with a trailing newline so the next template fragment starts on its own line.
    $OUT .= "port=$dnsport\n";
}
It stays persistent and configurable via standard channels.
Also, to configure unbound to listen on port 53 I used:
db configuration setprop unbound UDPPort 53
I plan to work on disabling the dnsmasq DNS server. It involves a few other components and it will disable some features.
I’ll need time. I’ll keep you updated.
@filippo_carletti OK, I found the root cause of the issue.
However, I am not sure what might be the right way to handle this.
To debug the issue I consulted the dnsmasq mailing list and I turned ON debug logging of queries.
What happens is that dnsmasq has 2 name servers, i.e. (example!!!):
server=1.1.1.1
server=8.8.8.8
Due to a network issue, the route to the first DNS server (i.e. 1.1.1.1) was fine, but from it to the Internet it was not.
So dnsmasq queries 1.1.1.1 first, which is unbound, and receives a response saying that the A record is blank…
It should have been an NXDOMAIN or similar error (this needs to be dealt with within unbound and not here).
So dnsmasq thinks it got a “good” A response, but it was an empty one.
Due to this it didn't continue to run a query against 8.8.8.8.
The real solution is to fix the unbound DNS routes towards the root DNS servers, but…
dnsmasq needs to be configured in such a way that if there are two DNS servers and a response is not a “valid” one, it should run queries against the next server, which is 8.8.8.8.
My conclusion is that a similar issue exists in other scenarios around the globe, and the dnsmasq logging-queries property is necessary.
To turn it on I used:
cat /etc/e-smith/templates/etc/dnsmasq.conf/25NameServers |grep strict
# with each server strictly in the order they appear in
strict-order
This makes it different from the default /etc/resolv.conf behaviour.
Running the following will force dnsmasq to work as expected from the OS and to run queries against all DNS servers even if one fails.
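A practical check for the failure mode described in this post, added here as an example (not code from the thread or from NethServer): it reads the plain server= entries from dnsmasq.conf, queries each upstream with dig (assumed to be installed) and flags a NOERROR reply with an empty answer section, which is exactly the reply dnsmasq accepted as “good” above. The dig output used in the tests is constructed.

```python
"""Flag upstream DNS servers that answer NOERROR with an empty answer section.

Added example, not from the thread. An upstream that returns NOERROR with
zero ANSWER records for a name that should resolve is the case described
above: dnsmasq treats it as a valid reply and never asks the next server.
"""
import re
import subprocess

# dig output is parsed from its header and flags lines, e.g. (constructed):
#   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
#   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
STATUS_RE = re.compile(r"status: (\w+)")
ANSWER_RE = re.compile(r"ANSWER: (\d+)")


def classify_dig_output(text):
    """Return 'ok', 'empty', 'no-reply', or the rcode (NXDOMAIN, SERVFAIL, ...)."""
    status = STATUS_RE.search(text)
    if not status:
        return "no-reply"          # timeout / connection refused: no header printed
    rcode = status.group(1)
    if rcode != "NOERROR":
        return rcode
    answers = ANSWER_RE.search(text)
    if answers and int(answers.group(1)) > 0:
        return "ok"
    return "empty"                 # NOERROR but nothing in the answer section


def upstreams_from_conf(conf_text):
    """Collect plain server=IP lines from a dnsmasq.conf body, in file order.

    Per-domain entries (server=/example.lan/192.168.1.1) and commented lines are skipped.
    """
    return re.findall(r"^\s*server=([^\s#/]+)", conf_text, re.MULTILINE)


def check_upstream(server, name, qtype="A"):
    """Run dig once against one upstream and classify its reply."""
    out = subprocess.run(["dig", "+tries=1", "+time=3", "@" + server, name, qtype],
                         capture_output=True, text=True).stdout
    return classify_dig_output(out)


if __name__ == "__main__":
    # Assumes the rendered config lives at /etc/dnsmasq.conf (the path used on the page).
    with open("/etc/dnsmasq.conf") as f:
        for srv in upstreams_from_conf(f.read()):
            print(srv, check_upstream(srv, "example.com"))
```

Any upstream reported as “empty” for a name that is known to exist is the one that would silently swallow resolution under strict-order.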
I don't know. Let's see on what we agree. If we do not change the default, probably we don't even need to expose the prop in the UI; otherwise I'd say yes.
I guess that any sysadmin puts the “local” DNS as primary.
I think that a “local” DNS server will always answer queries faster, so it's really primary.
Nobody should notice the change.
Is this why my nethserver won’t see outside dns or ping back from your servers on the collectd graphs? It seems to see everything inside my network just fine…
No, I do not think this applies to your setup.
This issue was fixed on 15 Feb 2019.
I advise you to open a new post and describe the issue and your network setup
(Is the NethServer your gateway, or does it have just one green interface? What/who is the DHCP/DNS server in your LAN? etc…)