On Thu, Sep 17, 2020 at 6:28 AM Hongyi Zhao <hongyi.z...@gmail.com> wrote:
>
> On Wed, Sep 16, 2020 at 9:31 PM Hongyi Zhao <hongyi.z...@gmail.com> wrote:
> >
> > On Tue, Sep 15, 2020 at 9:47 PM Hongyi Zhao <hongyi.z...@gmail.com> wrote:
> > >
> > > On Tue, Sep 15, 2020 at 11:09 AM Dominick C. Pastore
> > > <dominickpast...@dcpx.org> wrote:
> > > >
> > > > On Mon, Sep 14, 2020, at 8:03 PM, Hongyi Zhao wrote:
> > > > > I run dnsmasq as following:
> > > > >
> > > > > $ /usr/local/sbin/dnsmasq --port=53 -c10240 --server=127.0.0.1#6053
> > > > > --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> > > > > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> > > > >
> > > > > The 127.0.0.1#6053 is a DNS proxy based on dnsproxy which has with
> > > > > DoH, DoT, DoQ and DNSCrypt support.
> > > > > The conf files here:
> > > > > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf, are for
> > > > > China domains which using China's mainland DNS servers.
> > > > >
> > > > > And the main dnsmasq.conf file has the following options enabled:
> > > > >
> > > > > $ egrep -v '^([[:blank:]]*#|$)'
> > > > > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> > > > > dns-forward-max=10000
> > > > > no-negcache
> > > > > min-cache-ttl=3600
> > > > > all-servers
> > > > > domain-needed
> > > > > bogus-priv
> > > > > filterwin2k
> > > > > no-resolv
> > > > > no-poll
> > > > > interface=lo
> > > > > bind-interfaces
> > > >
> > > > I see. This is making more sense now.
> > > >
> > > > > > Why what? Why won't other programs on the host use Dnsmasq? That's
> > > > > > the way systems with systemd-resolved work by default. Generally,
> > > > > > programs on the host will query /etc/resolv.conf to determine which
> > > > > > DNS servers to use (though the manpage for
> > > > > > systemd-resolved.service(8) suggests that some programs do not use
> > > > > > /etc/resolv.conf and connect to systemd-resolved though other
> > > > > > means. To be honest, that part is a little unclear to me). By
> > > > > > default, it's a symlink to a file that direct clients to
> > > > > > systemd-resolved (127.0.0.53).
> > > > > >
> > > > > > The trouble is, systemd-resolved also uses resolv.conf to determine
> > > > > > its own behavior. The moment you delete the symlink and replace it
> > > > > > with your own file pointing to Dnsmasq (127.0.0.1), two things will
> > > > > > happen:
> > > > >
> > > > > This is exactly my situation, see following for more detail info:
> > > > >
> > > > > werner@X10DAi-01:~$ cat /etc/resolv.conf
> > > > > nameserver 127.0.0.1
> > > > > werner@X10DAi-01:~$ realpath -e /etc/resolv.conf
> > > > > /etc/resolv.conf
> > > > >
> > > > > > 1.) systemd-resolved will itself add Dnsmasq to its list of
> > > > > > nameservers. This probably won't break systemd-resolved entirely,
> > > > > > but it will potentially cause lots of retries and slowdowns.
> > > > >
> > > > > Seems so complicated and still can't figure out a perfect solution for
> > > > > the coexistence of dnsmasq and systemd-resolved.
> > > >
> > > > Running both on the same system is compicated, and systemd-resolved
> > > > adds little value when you already have Dnsmasq running. That is is why
> > > > it's usually not recommended, though I'm reasonably confident it can be
> > > > done if you really want to.
> > > >
> > > > > > 2.) Unless you've manually configured a nameserver in
> > > > > > /etc/dnsmasq.conf, Dnsmasq will not have anywhere to send queries.
> > > > > > This *will* break some things. It's smart enough to know that it
> > > > > > shouldn't use itself as the upstream server, but neither
> > > > > > /etc/resolv.conf nor /etc/dnsmasq.conf gives it other options, so
> > > > > > it fails.
> > > > >
> > > > > As you can see, I've set upstream nameservers for my dnsmasq, so this
> > > > > shouldn't be the culprit for my case.
> > > >
> > > > Agreed.
> > > >
> > > > > >
> > > > > > If you want other programs on the same host to go through Dnsmasq,
> > > > > > you should use the first option I suggested.
> > > > >
> > > > > Do you mean the following thing you have told:
> > > > >
> > > > > If you want Dnsmasq to query the upstream servers,
> > > > > systemd-resolved to query Dnsmasq,
> > > > > and everything else on the host to query systemd-resolved:
> > > >
> > > > Yes, that is what I meant. That said, based on everything you just
> > > > sent, it sounds like that's how you currently have things configured:
> > > >
> > > > 1.) Your Dnsmasq is configured to ignore /etc/resolv.conf and has
> > > > manually configured servers for upstream. Dnsmasq should be working
> > > > fine, as long as there isn't anything in
> > > > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir causing
> > > > problems. (But make sure you are escaping the asterisk for that option
> > > > if you are running dnsmasq in a shell.)
> > > >
> > > > 2.) systemd-resolved should be working well. It gets its upstream
> > > > servers from your network config. Since you have Netplan configured for
> > > > 127.0.0.1, it should be using Dnsmasq as its upstream server. You also
> > > > have a regular file for /etc/resolv.conf, so systemd-resolved will use
> > > > the nameserver there as upstream too, but it's the same one, so there
> > > > is no change.
> > > >
> > > > 3.) Other programs on your system will either use systemd-networkd or
> > > > Dnsmasq for DNS, depending on whether they obey /etc/resolv.conf or
> > > > not. Either way, since systemd-resolved is forwarding all queries to
> > > > Dnsmasq, every request should eventually end up going through Dnsmasq.
> > > > (By the way, you should safely be able to restore /etc/resolv.conf to
> > > > its original symlink to /run/systemd/resolve/stub-resolv.conf since you
> > > > don't have Dnsmasq reading from it.)
> > > >
> > > > So, at this point, I'm not quite sure what the problem is. You
> > > > mentioned using dig earlier, so I'm not sure if you already tried this,
> > > > but you can try connecting to each server directly to pinpoint which
> > > > step in the chain is causing issues:
> > >
> > > For simplicity, I previously only told you partial local DNS
> > > resolution topology used by me. From now on, considering that you've
> > > known some ideas of the DNS settings for my case, I'll tell you the
> > > complete DNS resolution topology/scheme on my Ubuntu 20.04 box. I
> > > describe the full DNS configurations as following:
> > >
> > > As you have seen, I use dnsmasq and dnsproxy to do the DNS resolution.
> > > In detail, I run two dnsmasq instances and one dnsproxy instance for
> > > the job. And all the following commands are issued from bash script,
> > > so I don't need to escape the * character which otherwise should be
> > > escaped if issued directly from within terminal.
> > >
> > > The dnsproxy is started by this way:
> > >
> > > $ dnsproxy -v -l 127.0.0.1 --port=6053 --all-servers -u tls://8.8.4.4
> > > -u tls://8.8.8.8 -u tls://1.0.0.1 -u tls://1.1.1.1 -u tls://9.9.9.9 -u
> > > tls://9.9.9.10 -u tls://149.112.112.10
> > >
> > > It listens on 127.0.0.1:6053 and forwards the query to several DoT DNS
> > > upstream servers.
> > >
> > > The two dnsmasq instances are shown as following:
> > >
> > > $ /usr/local/sbin/dnsmasq --port=6054
> > > --servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> > > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> > >
> > > This dnsmasq instance listens on 127.0.0.1:6054 and use the following
> > > upstreams which locate in China mainland:
> > >
> > > $ egrep -v '^[[:blank:]]*(#|$)'
> > > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> > > server=114.114.114.114
> > > server=114.114.115.115
> > > server=114.114.114.119
> > > server=114.114.115.119
> > > server=114.114.114.110
> > > server=114.114.115.110
> > > server=223.5.5.5
> > > server=223.6.6.6
> > > server=180.76.76.76
> > > server=112.124.47.27
> > > server=114.215.126.16
> > >
> > > And the content of the main config file is shown as follows:
> > >
> > > $ egrep -v '^[[:blank:]]*(#|$)'
> > > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> > > dns-forward-max=10000
> > > cache-size=0
> > > all-servers
> > > domain-needed
> > > bogus-priv
> > > filterwin2k
> > > no-resolv
> > > no-poll
> > > interface=lo
> > > bind-interfaces
> > > no-hosts
> > >
> > > $ /usr/local/sbin/dnsmasq --port=53 -c10240 --server=127.0.0.1#6053
> > > --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> > > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> > >
> > > This dnsmasq instance listens on 127.0.0.1:53 and use two previously
> > > set upstreams: 127.0.0.1#6053 and 127.0.0.1#6054. The former is used
> > > to resolve the DNS queries for hostname no belong to China mainland,
> > > and the latter is for China mainland.
> > >
> > > In detail, there are two .conf file under the directory
> > > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir, shown as
> > > follows:
> > >
> > > $ ls -1 *.conf
> > > accelerated-domains.china.dnsmasq.conf
> > > bogus-nxdomain.china.conf
> > >
> > > The content of them is in the following form respectively:
> > >
> > > $ head accelerated-domains.china.dnsmasq.conf
> > > server=/0-100.com/127.0.0.1#6054
> > > server=/0-6.com/127.0.0.1#6054
> > > server=/0-gold.net/127.0.0.1#6054
> > > server=/00.net/127.0.0.1#6054
> > > server=/0000go.com/127.0.0.1#6054
> > > server=/00042.com/127.0.0.1#6054
> > > server=/0005pz.com/127.0.0.1#6054
> > > server=/0006266.com/127.0.0.1#6054
> > > server=/0007.net/127.0.0.1#6054
> > > server=/000dn.com/127.0.0.1#6054
> > >
> > > $ egrep -v '^[[:blank:]]*(#|$)' bogus-nxdomain.china.conf | head
> > > bogus-nxdomain=123.125.81.12
> > > bogus-nxdomain=101.226.10.8
> > > bogus-nxdomain=198.105.254.11
> > > bogus-nxdomain=104.239.213.7
> > > bogus-nxdomain=61.191.206.4
> > > bogus-nxdomain=218.30.64.194
> > > bogus-nxdomain=61.139.8.101
> > > bogus-nxdomain=61.139.8.102
> > > bogus-nxdomain=61.139.8.103
> > > bogus-nxdomain=61.139.8.104
> > >
> > > And the content of the main config file is shown as follows:
> > >
> > > $ egrep -v '^[[:blank:]]*(#|$)'
> > > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> > > dns-forward-max=10000
> > > no-negcache
> > > min-cache-ttl=3600
> > > all-servers
> > > domain-needed
> > > bogus-priv
> > > filterwin2k
> > > no-resolv
> > > no-poll
> > > interface=lo
> > > bind-interfaces
> > >
> > >
> > > The netplan yaml file is as follows:
> > >
> > > $ cat /etc/netplan/99-networkd-local-dns.yaml
> > > network:
> > > version: 2
> > > renderer: networkd
> > > ethernets:
> > > enp:
> > > match:
> > > name: enp*
> > > dhcp4: true
> > > dhcp4-overrides:
> > > use-dns: false
> > > nameservers:
> > > addresses:
> > > - 127.0.0.1
> > > docker:
> > > match:
> > > name: docker*
> > > dhcp4: true
> > > dhcp4-overrides:
> > > use-dns: false
> > > nameservers:
> > > addresses:
> > > - 127.0.0.1
> > >
> > > The /etc/resolv.conf is as follows:
> > >
> > > $ realpath -e /etc/resolv.conf
> > > /run/systemd/resolve/stub-resolv.conf
> > > $ egrep -v '^[[:blank:]]*(#|$)' /etc/resolv.conf
> > > nameserver 127.0.0.53
> > > options edns0
> > >
> > >
> > > For now, I've told you all the configurations of my local DNS
> > > topology. Next, I'll do the testings told by you shown in the
> > > following.
> > >
> > > First, please notice all of the process info of the mentioned tools above:
> > >
> > > $ pgrep -ax dnsproxy
> > > 21355 ./dnsproxy -v -l 127.0.0.1 --port=6053 --all-servers -u
> > > tls://8.8.4.4 -u tls://8.8.8.8 -u tls://1.0.0.1 -u tls://1.1.1.1 -u
> > > tls://9.9.9.9 -u tls://9.9.9.10 -u tls://149.112.112.10
> > >
> > > $ pgrep -ax dnsmasq
> > > 21369 /usr/local/sbin/dnsmasq --port=6054
> > > --servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> > > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> > > 21380 /usr/local/sbin/dnsmasq --port=53 -c10240
> > > --server=127.0.0.1#6053
> > > --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> > > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> > >
> > > As you can see, we have three processed running correctly
> > > corresponding to the situation I described above.
> > >
> > > >
> > > > To test your DNS proxy:
> > > > dig @127.0.0.1 -p 6053 <somedomain.com> ANY
> > >
> > > werner@X10DAi-01:~$ dig +short @127.0.0.1 -p 6053 www.baidu.com ANY
> > > www.a.shifen.com.
> > > werner@X10DAi-01:~$ pgrep -ax dnsproxy
> > > 21355 ./dnsproxy -v -l 127.0.0.1 --port=6053 --all-servers -u
> > > tls://8.8.4.4 -u tls://8.8.8.8 -u tls://1.0.0.1 -u tls://1.1.1.1 -u
> > > tls://9.9.9.9 -u tls://9.9.9.10 -u tls://149.112.112.10
> > > werner@X10DAi-01:~$ pgrep -ax dnsmasq
> > > 21369 /usr/local/sbin/dnsmasq --port=6054
> > > --servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> > > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> > > 21380 /usr/local/sbin/dnsmasq --port=53 -c10240
> > > --server=127.0.0.1#6053
> > > --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> > > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> > >
> > > As you can see, this step can be completed successfully.
> > >
> > > >
> > > > If that is working as intended, then test Dnsmasq:
> > > > dig @127.0.0.1 <somedomain.com> ANY
> > >
> > > werner@X10DAi-01:~$ dig +short @127.0.0.1 www.baidu.com ANY
> > > ;; connection timed out; no servers could be reached
> >
> > Another strange thing I noticed that is, if I run the testing for this
> > step like the following, the problem reported here won't happen:
> >
> > werner@X10DAi-01:~$ dig +short @127.0.0.1 www.baidu.com
> > www.a.shifen.com.
> > 220.181.38.149
> > 220.181.38.150
> > werner@X10DAi-01:~$ pgrep -ax dnsmasq
> > 3539 /usr/local/sbin/dnsmasq --port=6054
> > --servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> > -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> > 3556 /usr/local/sbin/dnsmasq --port=53 -c10240 --server=127.0.0.1#6053
> > --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> > --hostsdir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/hostsdir -C
> > /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> >
> > As you can see, withou using the ANY keyword in the dig query command,
> > the problem will not appear. I still can't figure the reason.
>
> Some further notes on this problem:
>
> 1. The problem will appear for the following settings /etc/resolv.conf:
>
> nameserver 127.0.0.1
> or
> nameserver 127.0.0.53
>
> 2. If I first disable the systemd-resolvd and then do the testing
> mentioned in this step, the problem still will happen and more
> strangely, the systemd-resolvd will be re-enabled. See following for
> more info:
>
> werner@X10DAi-01:~$ systemctl is-active systemd-resolved.service
> active
> werner@X10DAi-01:~$ sudo systemctl stop systemd-resolved.service
> werner@X10DAi-01:~$ systemctl is-active systemd-resolved.service
> inactive
>
> werner@X10DAi-01:~$ pgrep -ax dnsmasq
> 16571 /usr/local/sbin/dnsmasq --port=6054
> --servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> 16582 /usr/local/sbin/dnsmasq --port=53 -c10240
> --server=127.0.0.1#6053
> --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> werner@X10DAi-01:~$ dig www.baidu.com ANY @127.0.0.1
> ^Cwerner@X10DAi-01:~$ ^C
> werner@X10DAi-01:~$ pgrep -ax dnsmasq
> 16571 /usr/local/sbin/dnsmasq --port=6054
> --servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> 16582 /usr/local/sbin/dnsmasq --port=53 -c10240
> --server=127.0.0.1#6053
> --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> 16728 /usr/local/sbin/dnsmasq --port=53 -c10240
> --server=127.0.0.1#6053
> --conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
> -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
> 16729 /usr/local/sbin/dnsmasq --port=6054
> --servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
> -C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
> werner@X10DAi-01:~$ systemctl is-active systemd-resolved.service
> active
Further testing again:
Even I don't use the dnsasmq resolver in systemd, the problem still
will appear. See following for more info:
$ resolvectl status | grep 'DNS Server'
Current DNS Server: 114.114.114.114
DNS Servers: 114.114.114.114
DNS Servers: 114.114.114.114
Current DNS Server: 114.114.114.114
DNS Servers: 114.114.114.114
DNS Servers: 114.114.114.114
werner@X10DAi-01:~$ pgrep -ax dnsmasq
26163 /usr/local/sbin/dnsmasq --port=6054
--servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
-C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
26174 /usr/local/sbin/dnsmasq --port=53 -c10240
--server=127.0.0.1#6053
--conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
--hostsdir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/hostsdir -C
/home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
werner@X10DAi-01:~$ dig www.baidu.com ANY @127.0.0.1
^C
werner@X10DAi-01:~$ pgrep -ax dnsmasq
26163 /usr/local/sbin/dnsmasq --port=6054
--servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
-C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
26174 /usr/local/sbin/dnsmasq --port=53 -c10240
--server=127.0.0.1#6053
--conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
--hostsdir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/hostsdir -C
/home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
40020 /usr/local/sbin/dnsmasq --port=53 -c10240
--server=127.0.0.1#6053
--conf-dir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/conf-dir,*.conf
--hostsdir=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/hostsdir -C
/home/werner/Public/anti-gfw/dns/dnsmasq/conf/dnsmasq.conf
40021 /usr/local/sbin/dnsmasq --port=6054
--servers-file=/home/werner/Public/anti-gfw/dns/dnsmasq/conf/servers-file/cn
-C /home/werner/Public/anti-gfw/dns/dnsmasq/conf/cn-dns.conf
So, I think there should some bugs in dnsmasq corresponding to this problem.
Regardes,
HY
--
Hongyi Zhao <hongyi.z...@gmail.com>
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
