How to disable dnsmasq


NethServer Version: 7.5
Module: dns ?

I want to disable dnsmasq since it appears to stop answering DNS requests while unbound is continuing.
How can I disable dnsmasq and use unbound instead? (on port 53).

I changed the settings manually with a little hack but I prefer the right way

We have never heard of dnsmasq stopping resolving names. It’s widely used software; I’d investigate a bit before deciding to dismiss it.

However, if you show us the hack (a diff of the configuration files) we could help converting it to custom templates.

Dismissing dnsmasq would also remove the dhcp server feature.

@filippo_carletti other firewall distros (like IPFire) provide both dhcpd and unbound as DNS proxy.
Which also seems to allow use of DNSSEC.
https://wiki.ipfire.org/dns/dnssec/start
As far as I remember, NethServer relies quite a lot on dnsmasq…

@filippo_carletti
I have investigated this issue in the past 5 years.
There is more than one router out there using dnsmasq that stops resolving every once in a while.
I like it as a dns forwarder and as a DHCP server so it’s fine most of the time.
There are times when it returns blank responses.

Since it starts at startup I had to change the binary to “true” and then change the local unbound port to 53.
If there would be a way to set the listening port of dnsmasq DNS to 5353 in the config then I can change it to whatever I want and it won’t change the default DNS in the resolv.conf.
I did it manually so I do not know how to implement it using the “config” tools.
Any ideas are more than welcome.

@pike
I do like dnsmasq but if for any reason it stops responding the next step I would try is to use an alternative service to DNSMASQ.

I can add the following to dnsmasq.conf: port=5353. It resolves the issue, but I didn’t manage to make it permanent.

From dnsmasq man:

   -p, --port=<port>
          Listen on <port> instead of the standard DNS port (53). Setting this to zero  completely  disables  DNS  function,
          leaving only DHCP and/or TFTP.

I’d do:

mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf
echo "port=0" >/etc/e-smith/templates-custom/etc/dnsmasq.conf/90disable_dns
signal-event nethserver-dnsmasq-update

Nice.
Thanks.

What I did was:
db configuration setprop dnsmasq DNSPort 0

and added the following to /etc/e-smith/templates/etc/dnsmasq.conf/20dns:

{
    # Read the DNSPort prop set with "db configuration setprop dnsmasq DNSPort <n>";
    # anything outside the valid range falls back to 0, which disables the DNS function.
    my $dnsport = $dnsmasq{'DNSPort'};
    if ($dnsport <= 0 || $dnsport > 65534) {
        $dnsport = 0;
    }
    $OUT .= "port=$dnsport";
}

It stays persistent and configurable via standard channels.
Also, to configure unbound to listen on port 53 I used:
db configuration setprop unbound UDPPort 53

I also added the following to the unbound defaults:

{
    # Listen on the address from the InterfaceAddress prop, defaulting to localhost.
    $address = $unbound{InterfaceAddress} || "127.0.0.1";
    return "  interface: $address";
}

So now the only missing feature is to add the unbound ACLs that will allow clients to use the service.


I plan to work on disabling dnsmasq dns server. It involves a few other components and it will disable some features.
I’ll need time. I’ll keep you updated.


@filippo_carletti OK I found the root cause of the issue.
However I am not sure what might be the right way to handle this.
To debug the issue I consulted the dnsmasq mailing list and I turned ON debug log queries.

What happens is that dnsmasq has 2 name servers, i.e. (example!!!):
server=1.1.1.1
server=8.8.8.8

Due to a network issue the route to the first DNS server, i.e. 1.1.1.1, was fine, but from it to the Internet it was not.
So dnsmasq queries 1.1.1.1 first, which is unbound, and receives a response that the A record is blank…
It should have been an NXDOMAIN or similar error (this needs to be dealt with within unbound and not here).

So dnsmasq thinks it got a “good” A response, but it was an empty one.
Due to this it didn’t continue to run a query against 8.8.8.8.
The real solution is to fix the unbound dns routes towards the root DNS servers but…
DNSMasq needs to be configured in such a way that if there are two DNS servers and a response is not a “valid” one it should run queries against the next server which is 8.8.8.8.

My conclusion is that a similar issue exists in other scenarios around the globe and dnsmasq logging queries property is necessary.
To turn it on I used:

mkdir /etc/e-smith/templates-custom/etc/dnsmasq.conf/ -p
echo "log-queries=extra" > /etc/e-smith/templates-custom/etc/dnsmasq.conf/90log_queries
signal-event nethserver-dnsmasq-update

What do you think @pike, @filippo_carletti ?
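An added diagnostic, not from this thread and not part of NethServer, that probes each `server=` upstream of a dnsmasq.conf for exactly the failure described above: it tells a NOERROR reply with zero answer records (the “blank” A response dnsmasq accepts as good) apart from an honest NXDOMAIN or SERVFAIL. The probe name `example.com` and the 2-second timeout are assumptions; the classifier works on raw packets, so it can be exercised offline.

```python
"""Probe dnsmasq upstreams for 'NOERROR but empty answer' replies (stdlib only)."""
import os
import socket
import struct

def upstreams_from_conf(text):
    """Return (ip, port) for plain server=IP[#port] lines; server=/domain/IP lines are skipped."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("server=") and not line.startswith("server=/"):
            value = line.split("=", 1)[1]
            ip, _, port = value.partition("#")
            found.append((ip, int(port) if port else 53))
    return found

def build_query(name, txid):
    """Minimal A query: 12-byte header (RD set) + QNAME + QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify_reply(packet):
    """Classify a raw DNS reply by RCODE and ANCOUNT from the header."""
    if len(packet) < 12:
        return "malformed"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode == 2:
        return "servfail"
    if rcode != 0:
        return "rcode-%d" % rcode
    # RCODE 0 with no answer records is the blank response seen in the thread.
    return "answer" if ancount > 0 else "empty-noerror"

def probe(ip, port=53, name="example.com", timeout=2.0):
    """Send one A query to an upstream and classify what comes back (needs network)."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (ip, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    if data[:2] != struct.pack("!H", txid):
        return "bad-txid"
    return classify_reply(data)

if __name__ == "__main__":
    with open("/etc/dnsmasq.conf") as fh:
        for ip, port in upstreams_from_conf(fh.read()):
            print(ip, port, probe(ip, port))
```

Under `strict-order`, an upstream reported as `empty-noerror` is the one dnsmasq will trust without trying the next server; that is the host whose recursion path needs fixing.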

@filippo_carletti I found the culprit!!!
In redhat the next bug report describes the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1400909

dnsmasq in nethserver uses:

cat /etc/e-smith/templates/etc/dnsmasq.conf/25NameServers |grep strict
# with  each  server  strictly  in  the  order  they   appear   in
strict-order

Which makes it different from the default /etc/resolv.conf behavior.
Running the following will force dnsmasq to work as the OS expects and to run queries against all DNS servers even if one fails.

echo "all-servers" > /etc/e-smith/templates-custom/etc/dnsmasq.conf/91_all-server
signal-event nethserver-dnsmasq-update
systemctl restart dnsmasq

It appears that also in other routers and devices this same config makes this issue a major one.

How do I mark it as resolved?
Also, can we make a change from “strict-order” to “all-servers” as default to avoid such issues in the future?

Thanks,
Eliezer


There is a button on the bottom-right corner of the post.

I don’t see any drawback on changing the default, but maybe a prop is more safe.

@dev_team what do you think?

Will the prop have a GUI trigger/setting?

I don’t know. Let’s see on what we agree :slight_smile: If we do not change the default, probably we don’t even need to expose the prop on the UI, otherwise I’d say yes.

Related to strict-order and worth reading:


After reviewing my notes about dnsmasq, I also found more reasons to remove strict-order and enable all-servers by default, without providing any switch to have back the current behavior.
More info about removing strict-order:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2009q3/003295.html
Pros of enabling all-servers:
https://wiki.musl-libc.org/functional-differences-from-glibc.html#Name-Resolver/DNS

I guess that any sysadmin puts the “local” dns as primary.
I think that a “local” dns server will always answer queries faster, so it’s really primary.
Nobody should notice the change.


I filed a bug:

Is this why my nethserver won’t see outside dns or ping back from your servers on the collectd graphs? It seems to see everything inside my network just fine…

Hi @lorentedford,

No, I do not think this applies to your setup.
This issue was fixed on 15 Feb 2019. :grinning:

I advise you to open a new post and describe the issue and your network setup
(Is the nethserver your gateway? or does it have just one green interface? What/Who is the DHCP/DNS server in your LAN? etc…)
