On Thu, Mar 28, 2024 at 03:50:57PM +0100, Buck Horn via Dnsmasq-discuss wrote:
> On 28.03.24 14:28, Chris Green wrote:
> > ... and another system, also running dnsmasq version 2.90:-
> >
> > chris@t470$ nmap 192.168.1.128 | grep 53
> > 53/tcp open  domain
> > chris@t470
> >
> > So why are they acting differently and, possibly more to the point,
> > how do I make dnsmasq listen only on the loopback address?
>
> Hi Chris,
>
> you are just probing for port 53, without information about the process
> handling that port, so it could be another resolver on the same machine
> (e.g. systemd-resolved, or a dnsmasq instance controlled by
> NetworkManager) that hogs port 53.
>
> You may want to consider using something like sudo ss -tulpn sport = 53
> to see what is actually listening.
>
I did try stopping dnsmasq and then nothing was listening on port 53.
However, just to prove it:-

root@backup:~# ss -tulpn sport = 53
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*          users:(("dnsmasq",pid=1826,fd=4))
udp   UNCONN 0      0      [::]:53             [::]:*             users:(("dnsmasq",pid=1826,fd=6))
tcp   LISTEN 0      32     0.0.0.0:53          0.0.0.0:*          users:(("dnsmasq",pid=1826,fd=5))
tcp   LISTEN 0      32     [::]:53             [::]:*             users:(("dnsmasq",pid=1826,fd=7))

> For listening on 127.0.0.1 only, you probably should consider explicitly
> stating that as listen-address:
> (quoting https://dnsmasq.org/docs/dnsmasq-man.html)
>
> -a, --listen-address=<ipaddr>
>
> Listen on the given IP address(es). Both --interface and
> --listen-address options may be given, in which case the set of both
> interfaces and addresses is used. Note that if no --interface option is
> given, but --listen-address is, dnsmasq will not automatically listen on
> the loopback interface. To achieve this, its IP address, 127.0.0.1, must
> be explicitly given as a --listen-address option.
>
That doesn't work!  /etc/dnsmasq.conf is now:-

#
#
# Default dnsmasq configuration file, with this configuration file dnsmasq
# provides only local DNS caching and no DHCP.  This file is used on nearly
# all my systems which are ever on the home LAN.
#
#
# Set to listen only on the loopback address.
#
listen-address=127.0.0.1
#
#
# This sets the upstream server[s] to the one[s] set by Network Manager,
# usually automatically using DHCP from the ISP's (or my) DHCP/DNS server.
# If we're on the home LAN the resolv-file will set the nameserver to
# 192.168.1.1, if away from home it will be the ISP's nameserver[s].
#
resolv-file=/run/NetworkManager/no-stub-resolv.conf

... and, after restarting dnsmasq:-

chris$ nmap 192.168.1.4 | grep 53
53/tcp open  domain
chris$

Plus, why does it work (as the dnsmasq man page entry for listen says it
should) on one system but not on another almost identical system?
--
Chris Green

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
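The ss output above is the check that actually answers the question nmap cannot: it shows which process owns the port-53 sockets and which local address each is bound to, and a 0.0.0.0:53 / [::]:53 bind is a wildcard bind, not a loopback-only one. The following script is an added example, not code from the thread or from the dnsmasq project; it reads `ss -tulpn` output in the column layout shown above, reports every port-53 socket that is not bound to 127.0.0.1 or [::1], and exits non-zero when any such socket exists, so it can sit in a config-audit job. The two samples are constructed: the first reproduces the thread's output, the second shows what a loopback-only bind would look like. (The `sport = :53` filter syntax in the usage comment is ss's own; the thread's `sport = 53` spelling is kept as written.)

```shell
#!/bin/sh
# Added example: audit whether anything on port 53 is bound to a non-loopback
# address. Input is `ss -tulpn` output on stdin, in the column layout the
# thread shows. Usage on a live host (assumed to have iproute2's ss):
#     sudo ss -tulpn 'sport = :53' | check_loopback_only

# Constructed sample 1: the wildcard binds reported in the thread.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:53  0.0.0.0:*  users:(("dnsmasq",pid=1826,fd=4))
udp   UNCONN 0      0      [::]:53     [::]:*     users:(("dnsmasq",pid=1826,fd=6))
tcp   LISTEN 0      32     0.0.0.0:53  0.0.0.0:*  users:(("dnsmasq",pid=1826,fd=5))
tcp   LISTEN 0      32     [::]:53     [::]:*     users:(("dnsmasq",pid=1826,fd=7))'

# Constructed sample 2: what a loopback-only bind would look like.
LOOPBACK_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:53  0.0.0.0:*  users:(("dnsmasq",pid=1826,fd=4))
tcp   LISTEN 0      32     127.0.0.1:53  0.0.0.0:*  users:(("dnsmasq",pid=1826,fd=5))'

# Print "proto local-address process" for every port-53 socket on stdin whose
# local address is not loopback. Field 5 is Local Address:Port, field 7 is the
# users:((...)) column; the port is stripped from the address before comparing
# so that bracketed IPv6 addresses such as [::]:53 are handled correctly.
exposed_dns_sockets() {
    awk 'NR > 1 && $5 ~ /:53$/ {
        addr = $5
        sub(/:[0-9]+$/, "", addr)
        if (addr != "127.0.0.1" && addr != "[::1]") {
            proc = $7
            gsub(/.*\(\("|".*/, "", proc)   # keep only the process name
            print $1, addr, proc
        }
    }'
}

# Exit 0 when every port-53 socket on stdin is loopback-bound, 1 otherwise.
check_loopback_only() {
    [ -z "$(exposed_dns_sockets)" ]
}

# Stand-alone demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE" | check_loopback_only; then
    echo "sample 1: port 53 is loopback-only"
else
    echo "sample 1: port 53 is bound on non-loopback addresses:"
    printf '%s\n' "$SAMPLE" | exposed_dns_sockets
fi
if printf '%s\n' "$LOOPBACK_SAMPLE" | check_loopback_only; then
    echo "sample 2: port 53 is loopback-only"
fi
```

Run against the real host with `sudo ss -tulpn 'sport = :53' | check_loopback_only`, and treat a non-zero exit as "the resolver is reachable from the LAN at the socket level", which is exactly the condition the nmap scan in the thread detects.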