> I believe the 192.168.122.1 comes first due to the /etc/dhcp/dhclient.conf configuration

Doh — yes, of course. I overlooked the following bit.

>> Put a line into /etc/dhcp/dhclient.conf like so:
>> prepend domain-name-servers 192.168.122.1;
>> Disable the system dnsmasq to prevent it from looping with libvirt's dnsmasq by modifying
>> /etc/NetworkManager/NetworkManager.conf to comment out the following line:
>> #dns=dnsmasq

Note that in connection with my comment #12 you should remove the "prepend domain-name-servers 192.168.122.1;" from dhclient.conf. The "resolvconf -a" command takes its place.

If things are set up properly then it won't be necessary to comment out "dns=dnsmasq" in NetworkManager.conf. Everything should work either with dns=dnsmasq or without dns=dnsmasq. For clarity I will describe both cases in detail.

Note that in what follows I have replaced the string "dnsmasq" (which I used in comment #12) with "dnsmasq-libvirt", this in order to avoid conflicting with the dnsmasq package; this with an eye to inclusion of this feature in libvirt and, in so doing, avoiding conflict with the dnsmasq package. :)

Because of this change you will also have to add a line to /etc/resolvconf/interface-order: just above "lo.dnsmasq" add a line "lo.dnsmasq-libvirt". Also you will have to do

    echo "nameserver 127.0.3.1" | resolvconf -a lo.dnsmasq-libvirt

and

    resolvconf -d lo.dnsmasq-libvirt

Why have I used the address 127.0.3.1 here? Because dnsmasq listens at 127.0.0.1; dnsmasq-NM listens at 127.0.1.1; and dnscrypt-proxy listens at 127.0.2.1.

Also you will have to create a directory /var/run/dnsmasq-libvirt/ and modify the hook script to write /var/run/dnsmasq-libvirt/resolv.conf instead of /var/run/dnsmasq/resolv.conf.

OK. Assume that your ISP has a nameserver NI which resolves Internet names. Assume your router's nameserver NR resolves your LAN names and forwards queries for other names to NI. Assume machines on your LAN have a resolv.conf containing "nameserver addrR" where addrR is the address of the router.

1. Consider the case where you have "dns=dnsmasq" in NetworkManager.conf on your laptop which runs NetworkManager (NM). Assume NM gets the laptop's IP address and nameserver address addrR via DHCP from the DHCP server running on the router. NM starts a local dnsmasq instance (dnsmasq-NM) and passes addrR to dnsmasq-NM. dnsmasq-NM then listens locally at 127.0.1.1 and forwards all queries to addrR. NM adds a record called "NetworkManager" to resolvconf's database containing "nameserver 127.0.1.1".

Now you start libvirt. Libvirt starts a dnsmasq instance, dnsmasq-libvirt, and adds a record called "lo.dnsmasq-libvirt" to resolvconf's database by means of the command 'echo "nameserver 127.0.3.1" | resolvconf -a lo.dnsmasq-libvirt'. When the database is updated the resolvconf update hook scripts are run. dnsmasq-libvirt has such a hook script which reads in the database records in the order determined by /etc/resolvconf/interface-order, excludes the one called 'lo.dnsmasq-libvirt' and generates /var/run/dnsmasq-libvirt/resolv.conf containing "nameserver 127.0.1.1". When the latter file changes, the dnsmasq-libvirt process notices this and reads the file and is thereby configured to forward queries that it can't itself answer to 127.0.1.1. Another resolvconf update hook script called 'libc' generates a new resolv.conf file containing "nameserver 127.0.3.1".

Resolver clients on the laptop thus query dnsmasq-libvirt which queries dnsmasq-NM which queries NR which queries NI.

2. Consider now the case where you have "#dns=dnsmasq". NM gets the laptop's IP address and addrR via DHCP. NM adds a record called "NetworkManager" to resolvconf's database containing "nameserver addrR".

Now you start libvirt. Libvirt starts dnsmasq-libvirt and adds a record called "lo.dnsmasq-libvirt" to resolvconf's database. When the database is updated, dnsmasq-libvirt's resolvconf-update hook script is run and generates /var/run/dnsmasq-libvirt/resolv.conf containing "nameserver addrR". dnsmasq-libvirt is thus configured to forward queries to addrR. The libc hook script generates resolv.conf containing "nameserver 127.0.3.1".

Resolver clients on the laptop thus query dnsmasq-libvirt which queries NR which queries NI.

3. Consider now case #1 where you add dnsmasq-server (from the "dnsmasq" package) into the mix. Dnsmasq-server forwards to dnsmasq-NM — this already works. Dnsmasq-libvirt should forward to dnsmasq-server. If you have set things up as described above then this should happen.

> I've made some changes to my /etc/init/lxc-net script, stolen the dnsmasq package's
> resolvconf hook script -- I'll test it shortly. Thanks!

Cool! Once this is working it should be considered for incorporation into libvirt.
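
The record selection that the comment above attributes to the dnsmasq-libvirt hook script, as an added example that is not part of the original comment and is not libvirt's or resolvconf's own script. Assumptions: the function names `gen_forwarders` and `demo`, 192.0.2.1 standing in for addrR, a trimmed stand-in for the interface-order file, and stopping at the first loopback nameserver so that case 3 yields a single forwarder.

```shell
#!/bin/sh
# Added illustration: not libvirt's or resolvconf's own hook script.
# gen_forwarders RECORD_DIR ORDER_FILE SELF
# Prints the nameserver lines dnsmasq-libvirt should forward to: records are
# visited in interface-order, the record named SELF is skipped (that is what
# prevents the forwarding loop), and the list stops at the first loopback
# address (assumption, so that a local resolver is the only forwarder).
gen_forwarders() {
    dir=$1; order=$2; self=$3; seen=" "
    while IFS= read -r pat; do
        case $pat in ''|'#'*) continue ;; esac      # skip blanks and comments
        for f in "$dir"/$pat; do                    # patterns are shell globs
            [ -f "$f" ] || continue
            name=${f##*/}
            [ "$name" = "$self" ] && continue       # never forward to ourselves
            case $seen in *" $name "*) continue ;; esac
            seen="$seen$name "
            while read -r key addr rest; do
                [ "$key" = nameserver ] || continue
                printf 'nameserver %s\n' "$addr"
                case $addr in 127.*) return 0 ;; esac
            done < "$f"
        done
    done < "$order"
    return 0
}

# demo CASE: constructed resolvconf database for case 1, 2 or 3 of the comment.
# 192.0.2.1 is a placeholder for addrR; the order file is a trimmed stand-in
# for /etc/resolvconf/interface-order.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/db"
    printf '%s\n' 'lo.dnsmasq-libvirt' 'lo.dnsmasq' '*' > "$d/order"
    echo 'nameserver 127.0.3.1' > "$d/db/lo.dnsmasq-libvirt"
    case $1 in
        1) echo 'nameserver 127.0.1.1' > "$d/db/NetworkManager" ;;
        2) echo 'nameserver 192.0.2.1' > "$d/db/NetworkManager" ;;
        3) echo 'nameserver 127.0.1.1' > "$d/db/NetworkManager"
           echo 'nameserver 127.0.0.1' > "$d/db/lo.dnsmasq" ;;
    esac
    gen_forwarders "$d/db" "$d/order" lo.dnsmasq-libvirt
    rm -rf "$d"
}

for c in 1 2 3; do echo "case $c -> $(demo "$c")"; done
```

In none of the three cases does 127.0.0.3.1's own record reach the generated forwarder list, because the record named lo.dnsmasq-libvirt is skipped before its contents are read.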