On 12/06/12 20:31, Thomas Hood wrote:
> (Executive summary of the following: I think we should fix this by
> making nm-dnsmasq listen at ::1.)
>
> Thanks for your much-needed help, Simon.
>
> It is good to know that the "except-interface" avenue is available. We
> want, however, to be able to enjoy the advantages of non-bind-interfaces
> mode ("unbound mode"??) in standalone dnsmasq insofar as we can.
> Certainly standalone dnsmasq should continue to run in unbound mode when
> n-m is not installed or when nm-dnsmasq is not in use; so ideally we
> would ensure that /etc/NetworkManager/NetworkManager.conf contains
> dns=dnsmasq if and only if /etc/dnsmasq.d/nm-dnsmasq contains "bind-
> interfaces except-interface=lo". I don't see a very easy way to ensure
> this.
>
> In any case it would be better if we never had to force dnsmasq into
> bind-interfaces mode.
>
> So instead of switching the nm-dnsmasq listen address from 127.0.0.1 to
> 127.0.1.1 it seems better to switch that address to ::1: no more
> difficult, yet in the latter case standalone dnsmasq can continue to run
> in unbound mode as it has traditionally done (unless forced into bind-
> interfaces mode by something like libvirt-bin, of course).
I don't think that's true. In unbound mode, the standalone dnsmasq will
bind the IPv6 wildcard address, which will stop the nm-dnsmasq from
binding ::1. There's no escape in IPv6 land. Indeed the situation is
worse, because as far as I know, you can't use any address in the defined
subnet for loopback, it has to be ::1, so except-interface=lo is required.
I think the 127.0.1.1 (or whatever) answer is the best. Unfortunately
there's no way round having to set --bind-interfaces on the standalone
dnsmasq, but except-interface=lo is not required as long as the
127.0.0.0/8 address in use by nm-dnsmasq doesn't appear on the lo interface.
Simon.
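
The bind conflict discussed in this message can be reproduced with plain sockets. This is an added example, not part of the original message and not dnsmasq code; it assumes Linux (where every 127.0.0.0/8 address is local without being configured on lo), uses an ephemeral TCP port instead of port 53, and the function names are made up for illustration.

```python
import errno
import socket

def can_coexist(first, second, family=socket.AF_INET):
    """Listen on `first`, then try to bind `second` on the same TCP port.

    Returns True if both binds succeed, False if the second one fails with
    EADDRINUSE, and None if the address family is unusable on this host.
    """
    try:
        a = socket.socket(family, socket.SOCK_STREAM)
    except OSError:
        return None                      # e.g. IPv6 support not available
    b = socket.socket(family, socket.SOCK_STREAM)
    try:
        try:
            a.bind((first, 0))           # port 0: the kernel picks a free port
        except OSError:
            return None
        a.listen(1)
        port = a.getsockname()[1]
        try:
            b.bind((second, port))       # second daemon, same port
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False
            if exc.errno == errno.EADDRNOTAVAIL:
                return None              # address not configured on this host
            raise
        return True
    finally:
        a.close()
        b.close()

def check():
    """Model the three cases from the message (first = standalone dnsmasq)."""
    return {
        # Unbound mode: wildcard listener blocks any specific address.
        "unbound_v4": can_coexist("0.0.0.0", "127.0.1.1"),
        # bind-interfaces: only lo's own 127.0.0.1 is taken, 127.0.1.1 is free.
        "bind_interfaces_v4": can_coexist("127.0.0.1", "127.0.1.1"),
        # IPv6 wildcard listener blocks ::1, the only loopback address.
        "unbound_v6": can_coexist("::", "::1", socket.AF_INET6),
    }

if __name__ == "__main__":
    for case, ok in check().items():
        print(f"{case}: second bind {'succeeds' if ok else 'blocked/unavailable'}")
```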