# Dnsmasq Refusing to Use Specified Public DNS Servers



## Windows7ge (Mar 2, 2022)

Hello, I've recently started exploring a means to host a DNS server for resolving the IPs of local servers to hostnames so I no longer have to try and remember 30-odd IPs. 

Problem. Based on what guides and other information I found for dnsmasq I edited `/usr/local/etc/dnsmasq.conf` to include the DNS servers I wanted it to forward requests to with:

```
server=1.1.1.1
server=1.0.0.1
```
Edited a couple other variables. Restarted the service. Everything is working...except it isn't...?

I did a WhatIsMyDNS lookup and it reported that I'm still using my ISP's provided DNS. Not Cloudflare's...

I tried entering Cloudflare's DNS directly into my PC. WhatIsMyDNS reported my DNS as Cloudflare's...

I set up the FreeBSD server using the ISP DNS. Through a series of other testing and troubleshooting I was able to figure out that for some reason *dnsmasq* is completely ignoring whatever DNS I put into the configuration file. To make matters worse, if I try to edit the system DNS (so *dnsmasq* doesn't have a choice) by altering `/etc/resolv.conf`, every single reboot makes it fall back on default settings. I believe this is an issue with DHCP?

Some more digging showed me this involves `/etc/dhclient.conf`, but at this point I've tried a couple different things and now I believe I'm just trying to throw a band-aid on top of a band-aid on top of what the actual problem is.

Does anybody know what's going on here? Can I force *dnsmasq* to use the DNS I assign it and to ignore the hosts? I already tried the `no-poll` variable in `/usr/local/etc/dnsmasq.conf` so it is supposed to not check `/etc/resolv.conf` but it either still is or is getting the hosts DNS from somewhere else.

Ideas?...I'm fresh out...Thanks.


----------



## diizzy (Mar 2, 2022)

Just to clarify, dnsmasq isn't defined as a DNS "server" but rather a forwarder (proxy if you like). It could very well be that your ISP blocks external DNS requests (use `host` on your FreeBSD box), and remember that you need to define your FreeBSD box as the DNS server in your DHCP server and *renew* your lease on each client. You might also want to look at dns/blocky in ports, as you can use DoT and DoH if your ISP enforces DNS requests.


----------



## Windows7ge (Mar 2, 2022)

diizzy said:


> Just to clarify, dnsmasq isn't defined as a DNS "server" but rather a forwarder (proxy if you like). It could very well be that your ISP blocks external DNS requests (use `host` on your FreeBSD box), and remember that you need to define your FreeBSD box as the DNS server in your DHCP server and *renew* your lease on each client. You might also want to look at dns/blocky in ports, as you can use DoT and DoH if your ISP enforces DNS requests.


That could be a possibility, but that would suggest that my ISP/router explicitly doesn't like dnsmasq trying to use a different public DNS while allowing other network clients to use whatever they wish, because this is one of the things I tested. I also verified that the clients I used for testing had no internet access while the dnsmasq service was disabled, meaning requests from clients were going through the dnsmasq forwarder. Everything I've tried says the issue lies between FreeBSD & dnsmasq.

I could spin up a VM and set up FreeBSD from scratch with the DNS I intend to use to see if clients still say requests are being resolved by the ISP. If they do, you are probably right about my ISP. If they don't, and requests do report as being resolved by Cloudflare, then it's an internal issue between FreeBSD & dnsmasq somewhere.


----------



## Windows7ge (Mar 2, 2022)

diizzy I just went ahead and spun up a FreeBSD 13 VM from scratch, re-configuring the default DNS with Cloudflare's. Re-set up dnsmasq the way I need it, which hardly takes any time at all. Verified my host is connecting to the local DNS forwarder and...

So the problem isn't my ISP or their hardware. The problem is something between FreeBSD & dnsmasq.

Now this doesn't magically solve the problem. I need the ability to change public DNS providers when I want to. I'll do more testing and see if I can change the DNS from here. If I'm lucky maybe the previous behavior was a fluke.


----------



## gpw928 (Mar 2, 2022)

Please verify:

1.  Ordinary DNS clients are set up to use your dnsmasq server.  My dnsmasq server is on host pi4, at 192.168.1.254 (my gateway/firewall).  All the internal clients have:

```
[strand.216] $ cat /etc/resolv.conf
search my.own.domain
nameserver 192.168.1.254
```

2.  The host on which you are running dnsmasq server uses itself as the name server:
```
[pi4.471] $ cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
```

3.  A sensible dnsmasq.conf (which is explicitly not listening on the Internet):
```
[pi4.473] $ sed -e '/^#/d' -e'/^$/d' /usr/local/etc/dnsmasq.conf 
domain-needed
bogus-priv
server=8.8.8.8
local=/my.own.domain/
listen-address=127.0.0.1
listen-address=192.168.1.254
dhcp-range=192.168.1.201,192.168.1.220,255.255.255.0,12h
dhcp-host=00:18:dd:11:01:68,hdhr-1110168b 
dhcp-host=00:18:dd:25:1c:d0,hdhr-1251cd09
cache-size=10000
no-negcache
log-queries
```


----------



## Windows7ge (Mar 2, 2022)

gpw928 said:


> Please verify:
> 
> 1.  Ordinary DNS clients are set up to use your dnsmasq server.  My dnsmasq server is on host pi4, at 192.168.1.254 (my gateway/firewall).  All the internal clients have:
> 
> ...


1. Verified this.

2. Thought about trying this, but every time I edit `/etc/resolv.conf` it reverts to what it was before after a system restart, and I can't set it to localhost before I download dnsmasq. So that's not an option unless I can figure out how to stop resolv.conf from nuking itself.

3. At the moment this would be the extent of my config:

```
domain-needed
bogus-priv
cache-size=1000
server=1.1.1.1
server=1.0.0.1
```
I've not explored outside of this. Not sure what makes it more or less "sensible".


----------



## Phishfry (Mar 3, 2022)

Windows7ge said:


> by altering `/etc/resolv.conf` every single reboot makes it fall back on default settings. I believe this is an issue with DHCP?


You need to shut down the resolvconf service. Then settings in /etc/resolv.conf will hold.


Linked thread, *Custom resolv.conf location* (forums.freebsd.org):

> I'm running FreeBSD 13 as a home router, and I have pf rules, etc running and the network is almost configured the way that I want. I'm running Dnsmasq for DHCP, DNS, and TFTP support and I'd like the gateway host to use Dnsmasq as the target for dns queries. Dnsmasq is configured to look at an...


----------



## gpw928 (Mar 3, 2022)

As observed by Phishfry the correct setting in /etc/resolv.conf is not "an option".


----------



## Phishfry (Mar 3, 2022)

Create `/etc/resolvconf.conf` then add:

```
resolvconf=NO
```

My conf settings parsed:

```
firewall@x9srl:~ % cat /usr/local/etc/dnsmasq.conf
domain-needed
bogus-priv
strict-order
no-resolv
interface=lagg0
interface=em1
#listen-address=127.0.0.1,192.168.1.1,192.168.2.1
expand-hosts
server=1.1.1.1
server=8.8.4.4
local=/localdomain/
domain=localdomain
dhcp-authoritative
dhcp-range=set:em1,192.168.2.10,192.168.2.20,72h
dhcp-range=set:lagg0,192.168.1.100,192.168.1.140,72h
dhcp-option=em1,option:router,192.168.2.1
dhcp-option=lagg0,option:router,192.168.1.1
dhcp-option=option:dns-server,1.1.1.1,8.8.4.4
dhcp-option=option:domain-search,localdomain
#dhcp-option-force=option:domain-search,internal,localdomain
#log-dhcp
#log-queries
log-facility=/var/log/dnsmasq.log
dhcp-leasefile=/var/db/dnsmasq/dnsmasq.leases
cache-size=150
## conf ###
conf-dir="/usr/local/etc/dnsmasq.d"
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
### Static IP ###
dhcp-host=00:0d:b9:36:60:60,APU1,192.168.1.5
dhcp-host=d4:d7:48:d3:4a:aa,SG500X,192.168.1.10
dhcp-host=3c:df:1e:b7:2e:02,SRW2008BENCH,192.168.1.11
dhcp-host=3c:df:1e:b7:2b:56,SRW2008,192.168.1.12
dhcp-host=64:d8:14:5c:ad:98,switch5cad98-9,192.168.1.13
dhcp-host=44:e4:d9:cd:a2:d8,switchcda2d8-9,192.168.1.15
dhcp-host=2c:36:f8:4e:75:90,switch4e7590-9,192.168.1.17
dhcp-host=64:d8:14:5f:a2:cb,switch5fa2cb,192.168.1.18
dhcp-host=84:78:ac:a5:14:6f,switcha5146f,192.168.1.19
{SNIP}
```


----------



## gpw928 (Mar 3, 2022)

Windows7ge said:


> Not sure what makes it more or less "sensible".


The default behaviour of dnsmasq(8) is to listen for queries on all interfaces.

If the host running dnsmasq has a direct connection to the Internet, you don't want to listen for requests on the NIC that connects to the Internet.

I chose to explicitly enumerate the interfaces on which it is allowed to listen (and 127.0.0.1 *must* be in that list).

Alternatively, you also have an option to explicitly enumerate the interfaces in which dnsmasq is not allowed to listen.

Consider setting your local domain name (as I did with "local=/my.own.domain/").

I recommend you set "no-negcache" (don't cache lookup failures).

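An added check for the points gpw928 raises here (example code, not from the thread, dnsmasq or FreeBSD): a POSIX sh script that lints a dnsmasq.conf for listening on every interface, a `listen-address` list that leaves out 127.0.0.1, and the trap in the opening post, where `server=` lines are present but `/etc/resolv.conf` is still read, so the ISP nameservers there get queried alongside the configured upstreams unless `no-resolv` is set. The two sample configs are constructed; the first mirrors the minimal config posted earlier in the thread.

```shell
#!/bin/sh
# lint_dnsmasq.sh - added example, not code from the thread or from dnsmasq.
# Reads a dnsmasq.conf and warns about the points discussed above.
# Prints the number of warnings on stdout; the warnings themselves go to stderr.

lint_dnsmasq_conf() {
    # Effective configuration: comments, trailing blanks and blank lines removed.
    eff=$(sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1")
    warnings=0

    _has()  { printf '%s\n' "$eff" | grep -Eq -e "$1"; }
    _warn() { echo "WARN: $1" >&2; warnings=$((warnings + 1)); }

    # Default behaviour is to answer on every interface, Internet-facing NIC included.
    _has '^(listen-address=|interface=|except-interface=)' ||
        _warn "no listen-address=/interface=/except-interface=: dnsmasq answers on every interface"

    # If interfaces are enumerated, loopback must be among them (gpw928's point).
    if _has '^listen-address=' && ! _has '^listen-address=.*127\.0\.0\.1'; then
        _warn "listen-address= given without 127.0.0.1: the host cannot use its own forwarder"
    fi

    _has '^server=' ||
        _warn "no server= lines: upstreams come only from /etc/resolv.conf"

    # server= adds upstreams; it does not stop dnsmasq from also using resolv.conf.
    if _has '^server=' && ! _has '^(no-resolv|resolv-file=)'; then
        _warn "server= set but /etc/resolv.conf is still read: its nameservers are queried too unless no-resolv is set"
    fi

    for opt in domain-needed bogus-priv no-negcache; do
        _has "^$opt\$" || echo "INFO: $opt not set" >&2
    done

    echo "$warnings"
}

# Constructed sample 1: the minimal config from the opening posts.
minimal=$(mktemp)
cat > "$minimal" <<'EOF'
domain-needed
bogus-priv
cache-size=1000
server=1.1.1.1
server=1.0.0.1
EOF

# Constructed sample 2: the same forwarder with the settings discussed above.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
domain-needed
bogus-priv
no-negcache
no-resolv
listen-address=127.0.0.1
listen-address=192.168.1.254
server=1.1.1.1
server=1.0.0.1
local=/my.own.domain/
EOF

echo "minimal config:  $(lint_dnsmasq_conf "$minimal") warning(s)"
echo "hardened config: $(lint_dnsmasq_conf "$hardened") warning(s)"
rm -f "$minimal" "$hardened"
```

Run it as `sh lint_dnsmasq.sh`, or source it and call `lint_dnsmasq_conf /usr/local/etc/dnsmasq.conf` against the live file. The minimal config produces two warnings (no interface restriction, and resolv.conf still consulted), which is exactly the combination behind the ISP resolver showing up in the opening post.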

----------



## Windows7ge (Mar 3, 2022)

Phishfry said:


> You need to shut down the resolvconf service. Then settings in /etc/resolv.conf will hold.


Actually, since I went ahead and spun up a fresh new VM, suddenly I'm able to edit `/etc/resolv.conf` and have the changes persist through restarts. Which is weird.

Additionally, taking gpw928's suggestion and changing the nameserver to localhost, the network clients now behave more predictably when I make DNS alterations in `/usr/local/etc/dnsmasq.conf`.

So things are starting to make sense and work how I want them to. I still have to add clients to `/etc/hosts` though. Hopefully that doesn't break anything.



gpw928 said:


> The default behaviour of dnsmasq(8) is to listen for queries on all interfaces.
> 
> If the host running dnsmasq has a direct connection to the Internet, you don't want to listen for requests on the NIC that connects to the Internet.
> 
> ...


The dnsmasq host does not act as the gateway or provide DHCP services. My only purposes for it are to resolve hostnames on the LAN, because I'm juggling too many IPs in my head, & to forward DNS queries to public DNS providers. That's all this box is going to do.

Added `no-negcache` to the config by the way.


----------



## gpw928 (Mar 3, 2022)

Windows7ge said:


> Actually, since I went ahead and spun up a fresh new VM, suddenly I'm able to edit `/etc/resolv.conf` and have the changes persist through restarts. Which is weird.


You need to understand why that is happening.  Because it might come back to bite you.

If the host has a static IP address allocated, the dhcp client won't run at boot time to get an IP lease.  That would explain it.

Otherwise you need to follow Phishfry's advice to disable the dhclient script from running.

Edit: also take a good look at  Phishfry's configuration above.  Each line item is worthy of study.


----------



## Windows7ge (Mar 3, 2022)

gpw928 said:


> You need to understand why that is happening.  Because it might come back to bite you.
> 
> If the host has a static IP address allocated, the dhcp client won't run at boot time to get an IP lease.  That would explain it.
> 
> ...


The server is using a static IP. What's weird is I had it using a static IP before as well so...


----------



## grahamperrin@ (Mar 3, 2022)

Phishfry said:


> Create /etc/resolvconf.conf then add :
> 
> `resolvconf=NO`
> 
> …



Anyone, please: how do effects of the /etc/resolvconf.conf approach differ from effects of the /etc/dhclient-enter-hooks approach? 

Linked thread, *forbid dhclient changing resolv.conf* (forums.freebsd.org):

> How do I forbid resolv.conf change by dhclient on boot?




(The /etc/dhclient-enter-hooks approach was recently suggested to me in connection with a problem elsewhere.)


Also, when /etc/rc.conf has `resolv_enable="NO"` and the system is restarted, is it normal for resolvconf(8) to subsequently generate /etc/resolv.conf?

<https://github.com/freebsd/freebsd-...e675d0ae6951fe/libexec/rc/rc.d/resolv#L30-L63>

<https://cgit.freebsd.org/src/commit/?id=4126c2e199d1068692790eb1df424e86576a84eb> – _Fix resolv to run when it should and not when it should not._

I see that 250452 was not a bug, but I don't yet understand the use case for _not_ starting the `resolv` service. 

TIA


----------



## Phishfry (Mar 3, 2022)

grahamperrin said:


> but I don't yet understand the use case for _not_ starting the `resolv` service.


OK, here is my example. By default my ISP-generated DNS is used.
One way to override that setting is /etc/resolv.conf, but as noted the resolvconf service seems to override your settings by storing its DNS settings in /etc/resolv.conf and overwriting your settings (with ISP DNS).
So optionally you don't want to start the resolvconf service but set the resolvers yourself.


----------



## Phishfry (Mar 3, 2022)

```
firewall@x9srl:~ % cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 8.8.4.4
domain localdomain
search localdomain
#DOMAINS='localdomain:1.1.1.1,8.8.4.4'
#nameserver 68.105.28.11
#nameserver 68.105.29.11
#nameserver 68.105.28.12
```

So here is my resolv.conf. Note the first line really belongs with the last 3 lines.
Those are the ISP generated DNS servers that resolvconf generated before I took over.
As you can see from my settings, it took a while to get local domains working right.


----------



## Phishfry (Mar 3, 2022)

grahamperrin said:


> how do effects of the /etc/resolvconf.conf approach differ from effects of the /etc/dhclient-enter-hooks approach?


I don't know about that one. Maybe older versions. Old post.
Follow the manpage Luke.

Linked: *resolvconf.conf* manual page (www.freebsd.org)


----------



## Phishfry (Mar 3, 2022)

Some of the issues come from not only resolvconf, but whether or not dhclient is in use, or local_unbound.
All can affect /etc/resolv.conf.

Linked thread, *On dhclient and resolv.conf* (forums.freebsd.org):

> I just put in /etc/rc.conf the line local_unbound_enable="YES" and did service local_unbound start. This put the local DNS in /etc/resolv.conf. Nice, that it took the work for me, but I want to be conscious of what I do and do not like that the computer supposes I am stupid (Windows users...


----------



## grahamperrin@ (Mar 4, 2022)

Phishfry said:


> … optionally you don't want to start resolvconf resolv service but set the resolvers yourself.



Thanks (edit: mine (see below re: looseness)),



grahamperrin said:


> … when /etc/rc.conf has `resolv_enable="NO"` and the system is restarted, is it normal for resolvconf(8) to subsequently generate /etc/resolv.conf?



I mean: when the OS starts with the service `resolv` *not* enabled, is it ever proper for a manually edited /etc/resolv.conf to be subsequently automatically edited (generated) by resolvconf?


Afterthought: it might help to remind myself that resolv is _not_ the type of thing for which status can be reported with service(8).



grahamperrin said:


> <https://github.com/freebsd/freebsd-...e675d0ae6951fe/libexec/rc/rc.d/resolv#L30-L63>


----------



## gpw928 (Mar 4, 2022)

Setting "resolv_enable=NO" in /etc/rc.conf disables `/etc/rc.d/resolv` -- which does nothing unless `/bin/kenv dhcp.domain-name-servers` enumerates some name servers.  Its description is "Create /etc/resolv.conf from kenv".  It always runs, but does nothing on my FreeBSD systems because the required `/bin/kenv` variables don't exist.

`/sbin/resolvconf` is designed to be the ultimate arbiter in configuring /etc/resolv.conf.  It's designed to take input from all sorts of clients, and sort out the best way to configure /etc/resolv.conf. 

The man page for resolvconf(8) says that setting "resolvconf=NO" in /etc/resolvconf.conf has the same impact as setting the system immutable flag on /etc/resolv.conf.  However, not all agents use `resolvconf` to modify /etc/resolv.conf...

For example, `/sbin/dhclient-script` will run when an interface is configured to use DHCP.  `/sbin/dhclient-script` uses an environment variable called "$resolvconf_enable" which gets set to YES by default (I *think* it's meant to be optionally set in /etc/dhclient-enter-hooks) to determine whether it writes /etc/resolv.conf directly or invokes `/sbin/resolvconf` to do the job.

It's a complex and arcane path to follow, but I think that the prudent course is to assume that `/sbin/resolvconf` is usually in charge of the changes required when dynamic IP allocation occurs.

I can't find a single source of truth for how the ecosystem glues together.

I must admit that in the past I have been known to populate /etc/resolv.conf with what I wanted, and set the system immutable flag on the file.

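To make gpw928's "arcane path" auditable, here is an added example (not code from the thread or from FreeBSD): a POSIX sh function that reads the files discussed above beneath a root directory and lists which boot-time mechanisms can still (re)write `/etc/resolv.conf` on that host: dhclient-script for any `ifconfig_<if>="DHCP"` interface, `local_unbound`, `rc.d/resolv` unless `resolv_enable="NO"`, and resolvconf(8) unless `resolvconf=NO` is set in `/etc/resolvconf.conf`. The root argument exists only so it can run against a constructed tree; on a live host pass `/`. The hooks check assumes the usual `/etc/dhclient-enter-hooks` pattern of redefining `add_new_resolv_conf()`, the function dhclient-script(8) calls to write the file; the sample trees are constructed.

```shell
#!/bin/sh
# resolv_writers.sh - added example, not code from the thread or from FreeBSD.
# Lists which boot-time mechanisms may (re)write /etc/resolv.conf, judged from
# the configuration files under ROOT (default "/"). The model is a simplification
# of the path described above, not a parser of dhclient-script itself.

resolv_conf_writers() {
    root="${1:-/}"
    rc="$root/etc/rc.conf"
    writers=""

    # _cfg FILE REGEX: true when FILE has an uncommented line matching REGEX.
    _cfg() { [ -f "$1" ] && sed 's/#.*$//' "$1" | grep -Eq -e "$2"; }

    # dhclient runs for each DHCP/SYNCDHCP interface; its script rewrites
    # resolv.conf (directly or via resolvconf(8)) unless the enter-hooks file
    # redefines add_new_resolv_conf (assumed pattern, see lead-in).
    if _cfg "$rc" '^ifconfig_[A-Za-z0-9_.]+=.*DHCP' &&
       ! _cfg "$root/etc/dhclient-enter-hooks" '^add_new_resolv_conf[[:space:]]*\(\)'; then
        writers="$writers dhclient"
    fi

    # local_unbound_enable=YES: local-unbound-setup points resolv.conf at 127.0.0.1.
    _cfg "$rc" '^local_unbound_enable="?YES"?' && writers="$writers local_unbound"

    # rc.d/resolv creates resolv.conf from kenv dhcp.domain-name-servers unless disabled.
    _cfg "$rc" '^resolv_enable="?NO"?' || writers="$writers rc.d/resolv"

    # resolvconf(8) is the usual arbiter; resolvconf=NO in resolvconf.conf stops it.
    _cfg "$root/etc/resolvconf.conf" '^resolvconf=NO' || writers="$writers resolvconf"

    writers="${writers# }"
    echo "${writers:-none}"
}

# Constructed sample tree: a DHCP-configured host with nothing disabled,
# then the same host after the fixes discussed in this thread.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'ifconfig_em0="DHCP"\n' > "$demo/etc/rc.conf"
echo "before: $(resolv_conf_writers "$demo")"

printf 'ifconfig_em0="DHCP"\nresolv_enable="NO"\n' > "$demo/etc/rc.conf"
printf 'resolvconf=NO\n' > "$demo/etc/resolvconf.conf"
printf 'add_new_resolv_conf() {\n\treturn 0\n}\n' > "$demo/etc/dhclient-enter-hooks"
echo "after:  $(resolv_conf_writers "$demo")"
rm -rf "$demo"
```

The "before" tree reports `dhclient rc.d/resolv resolvconf`; the "after" tree reports `none`. A host with a static address and `local_unbound_enable="YES"` would instead report `local_unbound rc.d/resolv resolvconf`, which is the situation the linked *On dhclient and resolv.conf* thread describes.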

----------



## Phishfry (Mar 4, 2022)

gpw928 said:


> I can't find a single source of truth for how the ecosystem glues together.


You have done the best job yet in explaining how it works.


----------



## Phishfry (Mar 4, 2022)

gpw928 said:


> but I think that the prudent course is to assume that `/sbin/resolvconf` is usually in charge of the changes required when dynamic IP allocation occurs.


I am glad you pointed to the actual executable. I loosely use the term 'resolvconf service' when it's not really a service. Resolv is the actual service.
Very confusing, isn't it?


----------



## grahamperrin@ (Mar 4, 2022)

A round of applause for gpw928 – big thanks.

(I'm a step closer to opening what might be an actionable bug report for something. I'll not hijack this topic.)

PS <https://github.com/freebsd/freebsd-src/blob/main/libexec/rc/netstart#L31-L34> _obsolete_, but I might try /etc/netstart in multiuser mode (not single user mode) when I'm next at my wit's end. It's certainly less disruptive than restarting the entire OS. I can't remember who gave me the netstart hint, but I love you.


----------



## Windows7ge (Mar 4, 2022)

grahamperrin said:


> (I'm a step closer to opening what might be an actionable bug report for something. I'll not hijack this topic.)


Eh, I'm easy going. Right now I just don't have the time to get dnsmasq setup all the way on my network so I'll be back on how it's performing in a few days. If you needed help with something by all means.

To keep you involved though I also ran across a thread about how creating `/etc/dhclient-enter-hooks` and writing a particular short script inside is supposed to (if I'm remembering correctly) override or otherwise prevent `dhclient` from re-writing `/etc/resolv.conf` at start-up from DHCP.

I tried this. It did nothing for me. I can just about guarantee it's a PEBCAK error though.


----------



## grahamperrin@ (Mar 4, 2022)

Windows7ge said:


> Eh, I'm easy going. …



:-)



> … override or otherwise prevent `dhclient` from re-writing `/etc/resolv.conf` at start-up from DHCP. …



My problem is more like the opposite … I'll continue where I began (a few hours before you began) and bring discussion to FreeBSD Forums only if necessary.


----------



## Windows7ge (Mar 6, 2022)

Alright, I finished setting up all of my hostnames and everything appears to be working as of right now. I have more than one physical server though, so I'm likely going to create a second DNS server for fail-over, because as of right now if I restart the service or shut down the server my clients fall back on my ISP's DNS, and that doesn't do me any good.


----------

