18.7 R1 and R2 dnsmasq problem

[agh1701]

dnsmasq is missing localhost, all interfaces to bind to.  Only LAN and WAN are available.  the default LAN binding seems to be ALL.  This prevents packages such as dnscrypt from working as it needs to be bound to 127.0.0.2.  dnscrypt will not bind because dnsmasq is already bound.

For now I switched to unbound which I can set the interface binding correctly.

[franco]

Not sure I understand completely, but there was a similar problem reported:

https://github.com/opnsense/core/issues/2562

We'll have Dnsmasq bind to loopback addresses in either case now. resolv.conf did not cope correctly.


Cheers,
Franco

[agh1701]

Simply put,  dnsmasq now binds to all local loopback address 127.0.0.1, 127.0.0.2 ... etc.  in 18.1 you could select only bind to localhost or loopback 127.0.0.1.  the problem is that it is binding to all loopback addresses.

we must have the ability to bind to LAN and only localhost 127.0.0.1.  If that's what the patch does than cool.

[franco]

Ok, I think I understand. Still, "all" was always binding all addresses. The only thing that changes is we lost "loopback", but you can retain this by selecting "LAN" or whatever, just not "all".

You can try the patch easily using this command:

# opnsense-patch 188b098


Cheers,
Franco

[agh1701]

That is the problem LAN behaves as ALL.  It is also binding to any additional localhost virtual IP's defined.

I have not tried the patch yet.  tiring to find time.

[agh1701]

No dice on the patch.  the LAN option is still binding to all localhosts.

[franco]

> the LAN option is still binding to all localhosts.

There seems to be omitted context here. What is your lo0 ifconfig output? Are you manipulating lo0 addresses?


Cheers,
Franco

[agh1701]

Code: [Select]

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        inet 127.0.0.2 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
The problem is dnsmasq is also binding to 127.0.0.2

127.0.0.2 is defined as an Virtual IP:
Mode: IP Alias
Interface: Localhost
address: 127.0.0.2

This was done to have dnscrypt-proxy bind to 127.0.0.2.  however, dnsmasq binds to it first and I can not stop it.
Under 18.1 I was able to control binding by check marking LAN and Localhost(not check marking ALL) and checking strict interface binding.  this prevented dnsmasq from binding to 127.0.0.2.
There is no longer a Localhost to select so the only check markable option is LAN.  it seems like LAN is acting as ALL

[franco]

Ok, listen, Dnsmasq will *always* be using localhost no matter which setting, but in 18.7 it will not use any other IPv4 than 127.0.0.1. You need to set it to LAN in order to achieve this. We still need 127.0.0.1 for local resolving.


Cheers,
Franco

[agh1701]

Yes, I agree.  how do I stop it from binding to 127.0.0.2 like I was able to in 18.1.  also keep in mid that I am able to configure unbound to not use 127.0.0.2

[franco]

It will be fixed in 18.7 next week.


Cheers,
Franco

[agh1701]

Thanks Franco!