dns query from localnetwork ignored

Bug #1414887 reported by Tong Sun
Affects: dnsmasq (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

I followed the following guide to configure dnsmasq as a DHCP and DNS server:
http://sfxpt.wordpress.com/2013/11/30/dnsmasq-installation-configuration-5/

It works well up to Ubuntu 13.10. However, with Ubuntu 14.10, DNS queries
from the local network always time out. The configurations are exactly the
same. What could be the problem?

From within the local network:

~~~
$ dig google.ca

; <<>> DiG 9.9.5-4.3-Ubuntu <<>> google.ca
;; global options: +cmd
;; connection timed out; no servers could be reached

dig @192.168.2.100 maroon

; <<>> DiG 9.9.5-4.3-Ubuntu <<>> @192.168.2.100 maroon
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
~~~

On the DNS server itself:

~~~
$ dig google.ca @127.0.0.1
...
;; ANSWER SECTION:
google.ca. 299 IN A 173.194.43.111
...
;; Query time: 50 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

$ dig @192.168.2.100 maroon
...
;; ANSWER SECTION:
maroon. 0 IN A 192.168.2.100

;; Query time: 1 msec
;; SERVER: 192.168.2.100#53(192.168.2.100)
...
~~~

This is the debug output from dnsmasq log:

~~~
Jan 1 13:26:10 maroon dnsmasq[2833]: reply google.ca is 173.194.43.119
Jan 1 13:26:10 maroon dnsmasq[2833]: reply google.ca is 173.194.43.120
    *** DEBUG 2015-01-01 13:26:21-05:00 DEBUG ***
Jan 1 13:27:42 maroon dnsmasq[2833]: query[A] maroon from 192.168.2.100
Jan 1 13:27:42 maroon dnsmasq[2833]: /etc/dnsmasq.hosts maroon is
192.168.2.100
    *** DEBUG 2015-01-01 13:28:19-05:00 DEBUG ***
~~~

All other DNS queries from the local network did not generate any log entries.
So, because the local DNS query works, I think something is blocking dnsmasq
from sending the DNS query results back to the local network. What could it
be?

I didn't limit the dnsmasq listen address:

~~~
$ grep listen-address /etc/dnsmasq.conf /etc/dnsmasq.d/*
/etc/dnsmasq.conf:#listen-address=
~~~

My /etc/hosts.deny and hosts.allow files are untouched too, and I can
ping my DNS server and ssh into its IP address as well. So I think the
blocking is only at the DNS level, since other access is just fine. It is
not because of iptables rules either:

~~~
$ sudo iptables-save | wc
      0 0 0
~~~

I've installed dnsmasq on two different machines, one of them freshly installed today, and both of them show exactly the same symptom. Again, it only happens on Ubuntu 14.10. It was working well up to Ubuntu 13.10.

I've run out of all the possibilities.
What could be the problem?

Thanks

~~~
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.10
Release: 14.10
Codename: utopic

$ apt-cache policy dnsmasq
dnsmasq:
  Installed: 2.71-1
  Candidate: 2.71-1
  Version table:
 *** 2.71-1 0
        500 http://us.archive.ubuntu.com/ubuntu/ utopic/universe amd64 Packages
        100 /var/lib/dpkg/status
~~~

Tong Sun (suntong001)
description: updated
Thomas Hood (jdthood) wrote :

Ubuntu 13.10 (Saucy) included dnsmasq 2.66 or so. In dnsmasq 2.69 an important change was made which may be the cause of your problem. This change affects Ubuntu 14.10 and later, but not Ubuntu 14.04LTS (Trusty) which shipped with dnsmasq 2.68-1. The change is mentioned in the changelog (quoted below) and it should be obvious how this might be affecting you. Read the new dnsmasq manpage for a longer description of the "local-service" option.

~~~
dnsmasq (2.69-1) unstable; urgency=low

   * New upstream.
   * Set --local-service. (closes: #732610)
     This tells dnsmasq to ignore DNS requests that don't come
     from a local network. It's automatically ignored if
     --interface --except-interface, --listen-address or
     --auth-server exist in the configuration, so for most
     installations, it will have no effect, but for
     otherwise-unconfigured installations, it stops dnsmasq
     from being vulnerable to DNS-reflection attacks.

 -- Simon Kelley <email address hidden> Tue, 4 Feb 2014 16:28:12 +0000
~~~

Changed in dnsmasq (Ubuntu):
status: New → Incomplete
Tong Sun (suntong001)
summary: - dns query from localnetwork are blocked
+ dns query from localnetwork ignored
Tong Sun (suntong001) wrote :

Ah, thanks Thomas. You led me in the right direction.

As Simon Kelley, the author of dnsmasq, said in the new dnsmasq manpage, `local-service` is intended to be set as a default on installation, to allow unconfigured installations to be useful ... it will have no effect, but for otherwise-unconfigured installations, it stops dnsmasq from being vulnerable to DNS-reflection attacks. I'm changing this bug report to bear the purpose of having dnsmasq better configured out of the box for Ubuntu (14.10+).

- First, as suggested by the author of dnsmasq, `local-service` should be in the default configuration. However, Ubuntu 14.10 doesn't have that:

~~~
% cat /etc/dnsmasq.conf /etc/dnsmasq.d/network-manager | sed '/^$/d; /^#/d'
bind-interfaces
~~~

- Second, unlike its previous version, Ubuntu 14.10 now starts dnsmasq in a very restricted way. Here is what I found out about how dnsmasq is started in Ubuntu 14.10:

~~~
/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
~~~

I.e., that `--listen-address=127.0.1.1` will wilfully ignore any DNS queries from the local network. This is the exact reason for the symptom that I reported.

I believe this setting should not be there, because

1. for people who need the setting, it is very easy to put it into a conf file under /etc/dnsmasq.d/;
2. however, it makes it very, very difficult for people who don't need it to get rid of it without altering the package installation;
3. Ubuntu should really ship the default setting of `local-service` instead of `listen-address`, because it is a safer default and not invasive at the same time: it will "have no effect" except for an otherwise-unconfigured installation.

Please consider.

Meanwhile, is there any better way to get rid of that `--listen-address=127.0.1.1`? The last thing I want is to alter the package installation.

Thanks

Changed in dnsmasq (Ubuntu):
status: Incomplete → New
Thomas Hood (jdthood) wrote :

> First, as suggested by the author of dnsmasq, the `local-service`
> should be in the default configuration. However, Ubuntu 14.10
> doesn't have that

What the man page exactly says is that local-service "only has effect i[f] there are no --interface --except-interface, --listen-address or --auth-server options".

> Here is what I found out how dnsmasq is started in Ubuntu 14.10:
> /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 [...]

This is not the dnsmasq process started by the dnsmasq package. It is the local forwarding dnsmasq process started by NetworkManager. If your complaint is that the local forwarding dnsmasq process started by NetworkManager doesn't respond to queries coming from the network then the answer is that this process is not supposed to do that. But I don't think that this is your complaint because you said that you didn't have the problem in Ubuntu 13.10.

On my machine, the dnsmasq process started by the dnsmasq package looks like this in ps -elf output:

~~~
/usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -r /var/run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service
~~~

As no --interface --except-interface, --listen-address or --auth-server option is given, the --local-service option is active.

In order to deactivate the local-service feature, I suggest you configure dnsmasq with one of the above mentioned options.

Changed in dnsmasq (Ubuntu):
status: New → Incomplete
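The rule Thomas describes above, as an added example that is not code from the thread or from the dnsmasq project: a POSIX shell function that reads a set of dnsmasq configuration files and reports whether the implicit local-service restriction is still active or has been switched off by one of the four overriding options. The file names and sample contents are constructed; the addresses mirror the reporter's 192.168.2.100 setup.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the dnsmasq project. It decides
# whether the implicit --local-service restriction (enabled by the Debian/Ubuntu
# packaging since dnsmasq 2.69) is actually in effect for a set of config files.
#
# dnsmasq drops --local-service as soon as any of interface, except-interface,
# listen-address or auth-server is configured, so one uncommented "listen-address="
# line under /etc/dnsmasq.d/ widens the scope from "hosts on a directly attached
# subnet" to "whatever source address can reach port 53 on a bound address".
# Commented lines such as the stock "#listen-address=" do not count, which is why the
# reporter's grep above found nothing and local-service stayed active.
#
# Usage: dnsmasq_lan_policy CONF_FILE [CONF_FILE ...]
# Prints "local-service"  -> no overriding option; only local-subnet clients answered
#        "explicit-scope" -> overriding option(s) present; local-service inactive
dnsmasq_lan_policy() {
    found=""
    for f in "$@"; do
        [ -r "$f" ] || continue          # a missing file cannot override anything
        # Option name at start of line followed by "=" or end of line, so that
        # "bind-interfaces" and "#listen-address=" are not mistaken for overrides.
        hits=$(grep -E '^[[:space:]]*(interface|except-interface|listen-address|auth-server)[[:space:]]*(=|$)' "$f" \
               | sed -E 's/^[[:space:]]*([a-z-]+).*/\1/' | sort -u | tr '\n' ' ')
        [ -n "$hits" ] && found="$found $hits"
    done
    if [ -n "$found" ]; then
        echo "overriding option(s):$found" >&2
        echo explicit-scope
    else
        echo local-service
    fi
}

# Constructed demo mirroring the reporter's layout: listen-address stays commented in
# the stock dnsmasq.conf and the DHCP fragment adds no scope option either.
demo=$(mktemp -d)
printf '#listen-address=\nbind-interfaces\n' > "$demo/dnsmasq.conf"
printf 'dhcp-range=192.168.2.50,192.168.2.150,12h\n' > "$demo/dhcp.conf"
dnsmasq_lan_policy "$demo/dnsmasq.conf" "$demo/dhcp.conf"               # local-service
# Naming loopback plus the server's own LAN address is the bounded way to answer the
# LAN: it disables local-service, but dnsmasq still binds nothing else.
printf 'listen-address=127.0.0.1,192.168.2.100\n' > "$demo/10-lan.conf"
dnsmasq_lan_policy "$demo/dnsmasq.conf" "$demo/dhcp.conf" "$demo/10-lan.conf"   # explicit-scope
rm -rf "$demo"
```

Run it against the real files with `dnsmasq_lan_policy /etc/dnsmasq.conf /etc/dnsmasq.d/*` to see which of the two regimes a host is in before deciding whether a query timeout from the LAN is a bug or the intended restriction.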
Launchpad Janitor (janitor) wrote :

[Expired for dnsmasq (Ubuntu) because there has been no activity for 60 days.]

Changed in dnsmasq (Ubuntu):
status: Incomplete → Expired