DnsMasq not working after updating to OPNSense 25.

Started by trigg3r, May 13, 2025, 02:27:00 PM

I upgraded OPNSense from 24.x to 25.1.6.

After rebooting, the DnsMasq service is stopped and the only way to start it is from command line. This is the situation:

From terminal, via ssh:
- command service dnsmasq onestart correctly starts the service and DNS works (but after a reboot the service goes back to being stopped)

From WebUI:
- it is not possible to start the service (but logs do not show any message ...)
- it is not possible to deactivate the service (or rather: it automatically reactivates when I try to start the Unbound service)
- it is not possible to change the service port (53)


I would like to thank anyone who can help me solve this problem.

Versions:
OPNsense 25.1.6_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16

What does the dnsmasq logfile say?
Hardware:
DEC740

Thanks @Cedrik

Here are the log files: today and yesterday, after the upgrade. These are the ones from yesterday that seem more relevant to me:

<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="1"] started, version 2.90 cachesize 10000
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="2"] compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect no-inotify dumpfile
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="3"] LOUD WARNING: listening on <my pub IP>.198 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="4"] LOUD WARNING: listening on <my pub IP>.197 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="5"] LOUD WARNING: listening on <my pub IP>.196 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="6"] LOUD WARNING: listening on <my pub IP>.195 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="7"] LOUD WARNING: listening on <my pub IP>.194 may accept requests via interfaces other than igb2
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="8"] LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="9"] reading /etc/resolv.conf
<28>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="10"] ignoring nameserver 127.0.0.1 - local interface
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="11"] using nameserver 1.1.1.1#53
<30>1 2025-05-12T22:38:11+02:00 gw.mydomain.com dnsmasq 39500 - [meta sequenceId="12"] using nameserver 8.8.8.8#53

I don't see anything failing in the logs, just SIGTERM, which means it was cleanly shut down.

If it doesn't start I would expect

a port overlap with a different service,

or strict interface binding in the advanced general options of dnsmasq,

or an issue with the configuration file (though these would be logged and we don't see that).

Hardware:
DEC740

Since I can't disable or modify DnsMasq from the WebUI, can you tell me which terminal commands disable and reset DnsMasq and which enable/run Unbound?

Thanks again for your help.

It's a bit strange that you cannot change the configuration of dnsmasq from the GUI.

Can you tell me if there are any errors in "System: Log Files: Backend"?

Search for "template", set to "Error", set timeframe to "Last week".

---------

There is no simple way to reset a model from the GUI yet, so you would have to download the config.xml file from "System - Configuration - Backups", search for the dnsmasq section and e.g. change the enabled from 1 to 0 and then restore that.
Hardware:
DEC740

May 14, 2025, 10:35:03 AM #6 Last Edit: May 14, 2025, 10:49:50 AM by trigg3r
I'm going to check ... In the meantime, I'll report some checks I've done now. (see my post below ...)



May 14, 2025, 10:37:14 AM #7 Last Edit: May 14, 2025, 10:48:34 AM by meyergru
Please upload your pictures to the forum. This is only possible via "Reply", not with "Quick Reply". Your pictures do not load and many people do not trust external hosting sites, either.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 14, 2025, 10:40:54 AM #8 Last Edit: May 14, 2025, 10:48:13 AM by trigg3r
I tried to stop DNSMASQ and start UNBOUND from the terminal:
opnsense_dns_1.PNG

WebUI says DNSMASQ is active but stopped:
opnsense_dns_2.PNG
opnsense_dns_3.PNG
opnsense_dns_4.PNG

Apparently from WebUI it is not possible to edit services settings. Could it be some r/w permission problem for configuration files?

Quote from: meyergru on May 14, 2025, 10:37:14 AMPlease upload your pictures to the forum. This is only possible via "Reply", not with "Quick Reply". Your pictures do not load and many people do not trust external hosting sites, either.

Thank you very much :)

Quote from: Monviech (Cedrik) on May 14, 2025, 09:41:44 AMCan you tell me if there are any errors in "System: Log Files: Backend".
Search for "template", set to "Error", set timeframe to "Last week".

No errors.

Services like DNSmasq and Unbound have to bind to some port.

Usually, port 53 is the one that your local resolver should listen on. When you employ two DNS servers, one has to go on another port and specific requests are forwarded to that. Often, port 5353 is recommended for this, but mDNS also runs on that, so I prefer 5454.

Thus, when you switch back and forth between DNS services, you always will have to change the ports. However, you must consider that only one service can run on the same port, so you first must disable one service, configure the other one to run on the old port of service one, then change the port of service two and restart it. You should see such conflicts in the specific service's logs. Also, when you cascade services, you will want to reconfigure the forwarding as well.

Basically, the switching of roles is a multi-step process that must be carried out in the correct order.

BTW: Depending on what you do, you might lose DNS during those steps, so be prepared to access your OpnSense via its IP, not via DNS name...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
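The port overlap that Cedrik and meyergru describe is easiest to confirm from the listening sockets on the firewall. The following is an added example (not code from the forum thread or from OPNsense) that parses the output of FreeBSD's `sockstat -4 -6 -l` and reports every proto/port on which more than one daemon is bound; the sample output below is constructed to show what a dnsmasq/Unbound clash on port 53 would look like.

```python
import re
from collections import defaultdict

# Constructed sample of `sockstat -4 -6 -l` output (not a real capture): both
# resolvers claim port 53, which is the conflict the thread is discussing.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    39500 4   udp4   192.168.1.1:53        *:*
nobody   dnsmasq    39500 5   tcp4   192.168.1.1:53        *:*
unbound  unbound    41200 3   udp4   *:53                  *:*
unbound  unbound    41200 4   tcp4   *:53                  *:*
root     sshd       1234  4   tcp6   *:22                  *:*
"""

# USER COMMAND PID FD PROTO LOCAL FOREIGN, whitespace separated.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_sockstat(text):
    """Return (command, pid, proto, address, port) for every listening socket."""
    rows = []
    for line in text.splitlines():
        if line.startswith("USER"):       # column header
            continue
        m = LINE_RE.match(line.strip())
        if not m:                         # blank or unexpected line
            continue
        _user, cmd, pid, _fd, proto, local, _foreign = m.groups()
        addr, _, port = local.rpartition(":")   # works for *, IPv4 and IPv6 forms
        rows.append((cmd, int(pid), proto, addr, int(port)))
    return rows


def port_conflicts(rows, port=53):
    """Map proto -> sorted list of distinct commands bound to `port`, keeping only
    the protos where two or more different daemons compete for the same port."""
    by_proto = defaultdict(set)
    for cmd, _pid, proto, _addr, p in rows:
        if p == port:
            by_proto[proto].add(cmd)
    return {proto: sorted(cmds) for proto, cmds in by_proto.items() if len(cmds) > 1}


if __name__ == "__main__":
    # On the firewall you would feed real output, e.g. subprocess.run(["sockstat", "-4", "-6", "-l"], ...)
    print(port_conflicts(parse_sockstat(SAMPLE_SOCKSTAT)))
```

An empty result for port 53 rules out a socket clash, which leaves strict interface binding or the configuration file as the remaining suspects from Cedrik's list.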

Quote from: Monviech (Cedrik) on May 14, 2025, 09:41:44 AMThere is no simple way to reset a model from the GUI yet, so you would have to download the config.xml file from "System - Configuration - Backups", search for the dnsmasq section and e.g. change the enabled from 1 to 0 and then restore that.

Replacing DNSMASQ with UNBOUND should be enough with these changes, right?

    <unboundplus version="1.0.12">
      <general>
        <enabled>1</enabled>

and:

        <enable>0</enable>
  </dnsmasq>

Yeah if you do that change and reboot dnsmasq should not start anymore, but unbound will.
Hardware:
DEC740
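For the config.xml edit that Cedrik suggests (disable dnsmasq, enable Unbound, then restore the backup), here is an added example, not code from the thread or from OPNsense, that performs the swap with Python's standard XML library and also hands the listener port 53 to whichever resolver ends up enabled, as meyergru's post requires. The `SAMPLE_CONFIG` below is a constructed, minimal stand-in for a real backup, and the element paths `dnsmasq/enable`, `dnsmasq/port`, `unboundplus/general/enabled` and `unboundplus/general/port` are assumed from the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed minimal config.xml (real backups are far larger); the two
# resolver sections mirror the fragments quoted earlier in the thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <OPNsense>
    <unboundplus version="1.0.12">
      <general>
        <enabled>0</enabled>
        <port>5454</port>
      </general>
    </unboundplus>
  </OPNsense>
  <dnsmasq>
    <enable>1</enable>
    <port>53</port>
  </dnsmasq>
</opnsense>
"""

DNSMASQ_ENABLE = "./dnsmasq/enable"
DNSMASQ_PORT = "./dnsmasq/port"
UNBOUND_ENABLED = ".//unboundplus/general/enabled"
UNBOUND_PORT = ".//unboundplus/general/port"


def resolver_state(xml_text):
    """Report which resolver is enabled and on which port (strings as stored)."""
    root = ET.fromstring(xml_text)
    return {
        "dnsmasq": (root.findtext(DNSMASQ_ENABLE), root.findtext(DNSMASQ_PORT)),
        "unbound": (root.findtext(UNBOUND_ENABLED), root.findtext(UNBOUND_PORT)),
    }


def switch_to_unbound(xml_text):
    """Disable dnsmasq, enable Unbound, and swap their ports so the enabled
    service owns 53 and the disabled one is parked on the other port."""
    root = ET.fromstring(xml_text)
    nodes = [root.find(p) for p in (DNSMASQ_ENABLE, DNSMASQ_PORT, UNBOUND_ENABLED, UNBOUND_PORT)]
    if any(n is None for n in nodes):
        raise ValueError("config lacks one of the expected dnsmasq/unboundplus elements")
    dns_en, dns_port, unb_en, unb_port = nodes
    dns_en.text, unb_en.text = "0", "1"
    dns_port.text, unb_port.text = unb_port.text, dns_port.text
    # ET.tostring omits the XML declaration; write the file with
    # ET.ElementTree(root).write(path, xml_declaration=True, encoding="utf-8") before restoring.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(resolver_state(switch_to_unbound(SAMPLE_CONFIG)))
```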

Quote from: Monviech (Cedrik) on May 14, 2025, 12:29:09 PMYeah if you do that change and reboot dnsmasq should not start anymore, but unbound will.

I'll try tonight. It's still strange that:
- I can't even edit the port on which to run DNSMASQ
- the WebUI doesn't detect the status of the services after I stopped/started them and disabled/enabled them from the terminal

Is it possible to uninstall or at least reset DNSMSQ?