← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #51363

[Bug 1414887] Re: dns query from localnetwork ignored

  Thread PreviousDate PreviousThread Next 
Ah, thanks Thomas. You lead me to the right direction.

As Simon Kelley, the author of dnsmasq said in the new dnsmasq manpag,
`local-service` is intended to be set as a default on installation, to
allow unconfigured installations to be useful...  it will have no
effect, but for otherwise-unconfigured installations, it stops dnsmasq
from being vulnerable to DNS-reflection attacks, I'm changing this bug
report to bear the purpose to have dnsmasq better configured out of box
for Ubuntu (14.10+).

- First, as suggested by the author of dnsmasq, the  `local-service`
should be in the default configuration. However, Ubuntu 14.10 doesn't
have that:

% cat /etc/dnsmasq.conf /etc/dnsmasq.d/network-manager | sed '/^$/d; /^#/d'
bind-interfaces

- Second, unlike its previous version, Ubuntu 14.10 now starts dnsmasq
in a very restricted way. Here is what I found out how dnsmasq is
started in Ubuntu 14.10:

 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-
interfaces --pid-file=/run/sendsigs.omit.d/network-manager.dnsmasq.pid
--listen-address=127.0.1.1 --conf-
file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-
dir=/etc/NetworkManager/dnsmasq.d

I.e., that ` --listen-address=127.0.1.1` will willfully ignore any dns
queries from localnetwork. This is the exact reason causing the symptom
that I reported.

I believe this setting should not be there, because

1. for people that need the setting, it is very easy to put it into a conf file under /etc/dnsmasq.d/; 
2. however, it will make it very very difficult for people who don't need it to get rid of it unless altering the package installation.
3. Ubuntu should really ship the default setting of `local-service` instead of `listen-address`, because it is a safer default and not invasive in the meantime.  it will "have no effect" but for an otherwise-unconfigured installation. 

Please consider.

Meanwhile, is there any better way to get rid of  that ` --listen-
address=127.0.1.1`? The least that I want is to altering the package
installation.

Thanks


** Changed in: dnsmasq (Ubuntu)
       Status: Incomplete => New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dnsmasq in Ubuntu.
https://bugs.launchpad.net/bugs/1414887

Title:
  dns query from localnetwork ignored

Status in dnsmasq package in Ubuntu:
  New

Bug description:
  Hi,

  I followed the following to config dnsmasq as DHCP and DNS server
  http://sfxpt.wordpress.com/2013/11/30/dnsmasq-installation-
  configuration-5/

  It works well till Ubuntu 13.10. However, with Ubuntu 14.10, the dns
  query from localnetwork will always timeout. The configurations are
  exactly the same, What could be the problem?

  From within localnetwork:

  ~~~
  $ dig google.ca

  ; <<>> DiG 9.9.5-4.3-Ubuntu <<>> google.ca
  ;; global options: +cmd
  ;; connection timed out; no servers could be reached

  dig @192.168.2.100 maroon

  ; <<>> DiG 9.9.5-4.3-Ubuntu <<>> @192.168.2.100 maroon
  ; (1 server found)
  ;; global options: +cmd
  ;; connection timed out; no servers could be reached
  ~~~

  On the DNS sever itself:

  ~~~
  $ dig google.ca @127.0.0.1
  ...
  ;; ANSWER SECTION:
  google.ca.              299     IN      A       173.194.43.111
  ...
  ;; Query time: 50 msec
  ;; SERVER: 127.0.0.1#53(127.0.0.1)

  $ dig @192.168.2.100 maroon
  ...
  ;; ANSWER SECTION:
  maroon.                 0       IN      A       192.168.2.100

  ;; Query time: 1 msec
  ;; SERVER: 192.168.2.100#53(192.168.2.100)
  ...
  ~~~

  This is the debug output from dnsmasq log:

  ~~~
  Jan  1 13:26:10 maroon dnsmasq[2833]: reply google.ca is 173.194.43.119
  Jan  1 13:26:10 maroon dnsmasq[2833]: reply google.ca is 173.194.43.120
      *** DEBUG 2015-01-01 13:26:21-05:00 DEBUG ***
  Jan  1 13:27:42 maroon dnsmasq[2833]: query[A] maroon from 192.168.2.100
  Jan  1 13:27:42 maroon dnsmasq[2833]: /etc/dnsmasq.hosts maroon is
  192.168.2.100
      *** DEBUG 2015-01-01 13:28:19-05:00 DEBUG ***
  ~~~

  All other dns queries from localnetwork did not generate any log entries.
  So, because the local dns query work, I think something is blocking the dnsmasq
   from sending the dns query results back to localnetwork. What could it
  be?

  I didn't limit the dnsmasq listen address:

  ~~~
  $ grep listen-address /etc/dnsmasq.conf /etc/dnsmasq.d/*
  /etc/dnsmasq.conf:#listen-address=
  ~~~

  My /etc/hosts.deny and hosts.allow files are untouched either, and I can
  ping my DNS server, and ssh into its IP address as well. So I think the
  blocking is only at the DNS level since other access are just fine. It is
  not because of iptables rules either:

  $ sudo iptables-save | wc
        0       0       0

  I've installed dnsmasq on two different machines, one being freshly
  installed today, and both of them are showing exactly the  same
  symptom. Again, it only happens to Ubuntu 14.10. It was working well
  till Ubuntu 13.10 before.

  I've run out of all the possibilities.
  What could be the problem?

  Thanks

  $ lsb_release -a
  No LSB modules are available.
  Distributor ID: Ubuntu
  Description:    Ubuntu 14.10
  Release:        14.10
  Codename:       utopic

  $ apt-cache policy dnsmasq
  dnsmasq:
    Installed: 2.71-1
    Candidate: 2.71-1
    Version table:
   *** 2.71-1 0
          500 http://us.archive.ubuntu.com/ubuntu/ utopic/universe amd64 Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsmasq/+bug/1414887/+subscriptions

References

  Thread PreviousDate PreviousThread Next