OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: trigg3r on May 13, 2025, 02:27:00 PM

Title: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 13, 2025, 02:27:00 PM
I upgraded OPNSense from 24.x to 25.1.6.

After rebooting, the DnsMasq service is stopped and the only way to start it is from command line. This is the situation:

From terminal, via ssh:
- the command "service dnsmasq onestart" correctly starts the service and DNS works (but after a reboot the service goes back to being stopped)

From WebUI:
- it is not possible to start the service (but logs do not show any message ...)
- it is not possible to deactivate the service (or rather: it automatically reactivates when I try to start Unbound service)
- it is not possible to change the service port (53)


I would like to thank anyone who can help me solve this problem.

Versions:
OPNsense 25.1.6_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: Monviech (Cedrik) on May 13, 2025, 02:38:36 PM
What does the dnsmasq logfile say?
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 13, 2025, 05:04:12 PM
Thanks @Cedrik

Here are the log files: today (https://filebin.net/1y2b2r6lpmowqgo4/dnsmasq_latest.log) and yesterday (https://filebin.net/1y2b2r6lpmowqgo4/dnsmasq_20250512.log), after the upgrade. These are the ones from yesterday that seem more relevant to me:

<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="1"] started, version 2.90 cachesize 10000
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="2"] compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect no-inotify dumpfile
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="3"] LOUD WARNING: listening on <my pub IP>.198 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="4"] LOUD WARNING: listening on <my pub IP>.197 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="5"] LOUD WARNING: listening on <my pub IP>.196 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="6"] LOUD WARNING: listening on <my pub IP>.195 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="7"] LOUD WARNING: listening on <my pub IP>.194 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="8"] LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="9"] reading /etc/resolv.conf
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="10"] ignoring nameserver 127.0.0.1 - local interface
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="11"] using nameserver 1.1.1.1#53
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="12"] using nameserver 8.8.8.8#53
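An added example, not part of the original post: a small parser for RFC 5424 dnsmasq log lines like the excerpt above. It keeps the warning-severity entries and groups the "may accept requests via interfaces other than" addresses per interface, since those are the ones the --bind-interfaces amplification warning refers to. The sample lines are constructed; the hostname and the documentation-range addresses are placeholders for the redacted values.

```python
import re

# RFC 5424 line: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD] MSG
SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) \S+ (?:\[[^\]]*\]|-) (?P<msg>.*)$"
)
LISTEN = re.compile(
    r"listening on (?P<addr>\S+) may accept requests via interfaces "
    r"other than (?P<iface>\S+)"
)

# Constructed sample in the format of the excerpt above; hostname and
# addresses are placeholders, not values from the thread.
SAMPLE = """\
<30>1 2025-05-12T22:38:11+02:00 gw.example.net dnsmasq 39500 - [meta sequenceId="1"] started, version 2.90 cachesize 10000
<28>1 2025-05-12T22:38:11+02:00 gw.example.net dnsmasq 39500 - [meta sequenceId="3"] LOUD WARNING: listening on 203.0.113.198 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.example.net dnsmasq 39500 - [meta sequenceId="4"] LOUD WARNING: listening on 203.0.113.197 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.example.net dnsmasq 39500 - [meta sequenceId="8"] LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)
<28>1 2025-05-12T22:38:11+02:00 gw.example.net dnsmasq 39500 - [meta sequenceId="10"] ignoring nameserver 127.0.0.1 - local interface
<30>1 2025-05-12T22:38:11+02:00 gw.example.net dnsmasq 39500 - [meta sequenceId="11"] using nameserver 1.1.1.1#53
"""

def triage(text):
    """Group dnsmasq warning lines by what they say about listener exposure."""
    report = {"exposed": {}, "bind_interfaces": False, "other_warnings": []}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m or m["app"] != "dnsmasq":
            continue
        severity = int(m["pri"]) % 8      # PRI = facility * 8 + severity
        if severity > 4:                  # keep warning (4) and more severe
            continue
        hit = LISTEN.search(m["msg"])
        if hit:
            # address bound on an interface, but reachable via others too
            report["exposed"].setdefault(hit["iface"], []).append(hit["addr"])
        elif "--bind-dynamic rather than --bind-interfaces" in m["msg"]:
            report["bind_interfaces"] = True
        else:
            report["other_warnings"].append(m["msg"])
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```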
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: Monviech (Cedrik) on May 13, 2025, 07:16:32 PM
I don't see anything failing in the logs, just SIGTERM, which means it was shut down cleanly.

If it doesn't start I would expect

a port overlap with a different service,

or strict interface binding in the advanced general options of dnsmasq,

or an issue with the configuration file (though these would be logged and we don't see that).

Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 14, 2025, 08:17:56 AM
Since I can't disable or modify DnsMasq from WebUI, can you tell me which are the terminal commands to disable and reset DnsMasq and which to enable/run Unbound?

Thanks again for your help.
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: Monviech (Cedrik) on May 14, 2025, 09:41:44 AM
It's a bit strange that you cannot change the configuration of dnsmasq from the GUI.

Can you tell me if there are any errors in "System: Log Files: Backend".

Search for "template", set to "Error", set timeframe to "Last week".

---------

There is no simple way to reset a model from the GUI yet, so you would have to download the config.xml file from "System - Configuration - Backups", search for the dnsmasq section and e.g. change the enabled from 1 to 0 and then restore that.
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 14, 2025, 10:35:03 AM
I'm going to check ... In the meantime, I'll report some checks I've done now. (see my post below ...)


Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: meyergru on May 14, 2025, 10:37:14 AM
Please upload your pictures to the forum. This is only possible via "Reply", not with "Quick Reply". Your pictures do not load and many people do not trust external hosting sites, either.
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 14, 2025, 10:40:54 AM
I tried to stop DNSMASQ and start UNBOUND from the terminal:
opnsense_dns_1.PNG

WebUI says DNSMASQ is active but stopped:
opnsense_dns_2.PNG
opnsense_dns_3.PNG
opnsense_dns_4.PNG

Apparently from WebUI it is not possible to edit services settings. Could it be some r/w permission problem for configuration files?
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 14, 2025, 10:41:28 AM
Quote from: meyergru on May 14, 2025, 10:37:14 AM
Please upload your pictures to the forum. This is only possible via "Reply", not with "Quick Reply". Your pictures do not load and many people do not trust external hosting sites, either.

Thank you very much :)
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 14, 2025, 10:55:36 AM
Quote from: Monviech (Cedrik) on May 14, 2025, 09:41:44 AM
Can you tell me if there are any errors in "System: Log Files: Backend".
Search for "template", set to "Error", set timeframe to "Last week".

no errors
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: meyergru on May 14, 2025, 10:56:00 AM
Services like DNSmasq and Unbound have to bind to some port.

Usually, port 53 is the one that your local resolver should listen on. When you employ two DNS servers, one has to go on another port and specific requests are being forwarded to that. Often, port 5353 is recommended for this, but mDNS also runs on that, so I prefer 5454.

Thus, when you switch back and forth between DNS services, you always will have to change the ports. However, you must consider that only one service can run on the same port, so you first must disable one service, configure the other one to run on the old port of service one, then change the port of service two and restart it. You should see such conflicts in the specific service's logs. Also, when you cascade services, you also will want to reconfigure the forwarding as well.

Basically, the switching of roles is a multi-step process that must be carried out in the correct order.

BTW: Depending on what you do, you might lose DNS during those steps, so be prepared to access your OpnSense via its IP, not via DNS name...
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 14, 2025, 11:03:19 AM
Quote from: Monviech (Cedrik) on May 14, 2025, 09:41:44 AM
There is no simple way to reset a model from the GUI yet, so you would have to download the config.xml file from "System - Configuration - Backups", search for the dnsmasq section and e.g. change the enabled from 1 to 0 and then restore that.

Replacing DNSMASQ with UNBOUND should be enough with these changes, right?

    <unboundplus version="1.0.12">
      <general>
        <enabled>1</enabled>

and:

        <enable>0</enable>
  </dnsmasq>
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: Monviech (Cedrik) on May 14, 2025, 12:29:09 PM
Yeah if you do that change and reboot dnsmasq should not start anymore, but unbound will.
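An added example, not from any poster in the thread: a check to run on a downloaded config.xml backup before restoring it, applying the two flag edits discussed above and reporting whether both resolvers would end up enabled on the same port (the conflict described earlier in the thread). The sample document is constructed; the nesting of the sections, the `<port>` elements and the default of 53 for an empty port are assumptions, and sections are located by tag name rather than by a fixed path.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a config.xml backup. Only the two
# enable flags are taken from the thread; nesting and <port> elements
# are assumptions made for this example.
SAMPLE = """<opnsense>
  <OPNsense>
    <unboundplus version="1.0.12">
      <general><enabled>0</enabled><port>53</port></general>
    </unboundplus>
  </OPNsense>
  <dnsmasq><enable>1</enable><port>53</port></dnsmasq>
</opnsense>"""

# resolver name -> (section tag, enable flag path, port path)
RESOLVERS = {
    "dnsmasq": ("dnsmasq", "enable", "port"),
    "unbound": ("unboundplus", "general/enabled", "general/port"),
}

def resolver_state(xml_text):
    """Map resolver name -> (enabled, port) for every section found."""
    root = ET.fromstring(xml_text)
    state = {}
    for name, (tag, flag, port) in RESOLVERS.items():
        sec = next(root.iter(tag), None)   # first section with that tag
        if sec is not None:
            # An empty or missing port is treated as 53 (assumption).
            state[name] = (sec.findtext(flag, "0") == "1",
                           sec.findtext(port) or "53")
    return state

def port_conflicts(state):
    """Ports claimed by more than one enabled resolver."""
    seen = {}
    for name, (enabled, port) in state.items():
        if enabled:
            seen.setdefault(port, []).append(name)
    return {p: n for p, n in seen.items() if len(n) > 1}

def switch_to_unbound(xml_text):
    """Apply the edit from the thread: dnsmasq off, Unbound on."""
    root = ET.fromstring(xml_text)
    next(root.iter("dnsmasq")).find("enable").text = "0"
    next(root.iter("unboundplus")).find("general/enabled").text = "1"
    return ET.tostring(root, encoding="unicode")
```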
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 14, 2025, 04:17:50 PM
Quote from: Monviech (Cedrik) on May 14, 2025, 12:29:09 PM
Yeah if you do that change and reboot dnsmasq should not start anymore, but unbound will.

I'll try tonight. It's still strange that:
- I can't even edit the port on which to run DNSMASQ
- the WebUI doesn't detect the status of the services after I stopped/started them and disabled/enabled them from the terminal

Is it possible to uninstall or at least reset DNSMASQ?
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: franco on May 14, 2025, 04:20:45 PM
# pluginctl -f dnsmasq


Cheers,
Franco
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 15, 2025, 12:16:22 PM
I exported and re-imported the modified config.xml file.

After rebooting, the OPNSense WebUI shows Unbound running and DnsMasq stopped, but ...

- checking from the terminal: both are stopped!

- I ping a hostname from a PC and it responds, so name resolution seems to work somehow ...

- but any changes made from the WebUI have no effect: I can change the override settings for the hosts or start/stop Unbound/DnsMasq ... nothing happens

It seems that the WebUI for these two services is totally disconnected from the operating system settings.

What do you suggest I try?
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: Patrick M. Hausen on May 15, 2025, 12:37:13 PM
How do you check from the terminal?
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 15, 2025, 04:25:57 PM
Quote from: Patrick M. Hausen on May 15, 2025, 12:37:13 PM
How do you check from the terminal?


root@gw:~ # service dnsmasq status
dnsmasq is not running.

root@gw:~ # service unbound status
unbound is not running.

Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: Patrick M. Hausen on May 15, 2025, 05:39:12 PM
OPNsense does not use rcng aka "service" - that's why I asked.
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: franco on May 16, 2025, 09:29:53 AM
What version are you even using? "service dnsmasq status" should also work on 25.1.6 but it's not a given for older service integrations.

# configctl unbound status
# configctl dnsmasq status

These should work regardless because they use the same channel as the service widget ;)


Cheers,
Franco
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: trigg3r on May 16, 2025, 11:57:06 AM
It's fine for me to switch to Unbound. What commands should I run to check unbound service status and start it?

What seems strange to me is that, for example, if I change the IP address of a hostname in the unbound configuration, I expect that a ping to this hostname will return the new IP, but this does not happen...
Title: Re: DnsMasq not working after updating to OPNSense 25.
Post by: meyergru on May 16, 2025, 12:11:05 PM
Are you talking about changing an override or an ISC DHCP reservation or DHCP lease? Does a DHCP reservation/lease exist and you have the respective options in Unbound activated?

1. DHCP leases only time out after the lease expires. Until then, they are still visible in Unbound if active.
2. DHCP static reservations will only be changed / detected when Unbound is restarted.
3. Generally, your client machines cache DNS answers. On Windows, you can clear that cache via "ipconfig /flushdns".