Need help configuring dnsmasq

Hello,

I have NextcloudPi running on a Pi3. My router doesn't do NAT loopback so I get the router's homepage when I try to access the NCP websites from within my local network.

I am trying to get dnsmasq working… it works for a while then stops working even though I didn't change any configurations. I just want it to help me access the NCP websites from within my LAN. I don't care about cache or DHCP or any other features.

I set it up using the nextcloudpi-config in the TUI but it doesn't work. My understanding is all the config can be done within /etc/dnsmasq.conf (if you have the no-resolv line) so I open that in Nano and have tried many changes… restarting dnsmasq and rebooting the Pi and the router and my Windows 7 laptop, but I haven't been able to find a config that keeps working.

My router is at 192.168.1.254. I set the primary DNS of my router to 192.168.1.124, which is the local IP address of my Pi running NCP.

Can someone post me a /etc/dnsmasq.conf file that should work on my system for my use case?

Maybe dnsmasq is overkill for my needs… I realize that I can simply add the local IP of my Pi to the Windows hosts file and that seems to do the job, but I've spent a week on this now and really want to know why dnsmasq is not working for me!

I have looked at the syslog and done a netstat which shows dnsmasq does run on port 53 and is using 192.168.1.254 as a nameserver. Nevertheless I keep getting this error when I try to load the site in Google Chrome:

Clicking on "Proceed to my.domain.com unsafe" at the bottom brings me to my router's homepage with its external IP address displayed in the URL address bar.

Any help gratefully appreciated. Thank you,

Flex

@FlexMcMurphy The mentioned warning has nothing to do with dnsmasq nor DNS resolution at all. It means that the accessed server "my.domain.com" provides a TLS certificate but it cannot be verified because the related CA certificate cannot be found on your client, thus the certificate chain cannot be verified. You should make sure that you use e.g. an official certificate from Let's Encrypt, or install the correct CA certificate if you're using a self-signed one.

Hello,

Thank you. I have installed an SSL cert for that domain that I got from LetsEncrypt.

The reason why I think this is a dnsmasq problem is because the NCP sites work fine when I type in my.domain.com from outside my LAN. I don't get any SSL cert problem. So port forwarding is set up correctly. I tested it from work, and if I set up a Wifi hotspot from my phone so I don't have to go through my home router then it works without changing anything else.

My knowledge is limited but my router doesn't do NAT loopback so I'm assuming that the TLS cert cannot be verified because the request for my.domain.com is resolved to the external IP address of my router, and even though port forwarding is set up correctly, it isn't able to map to the internal IP address of the Pi3 on my LAN that the NCP website is running on.

Explanation of NAT loopback from "Is NAT Loopback on my router a security problem?":
"NAT loopback... where a machine on the LAN is able to access another machine on the LAN via the external IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate machine on the LAN). Without NAT loopback you must use the internal IP address of the device when on the LAN."

Unless I'm missing something else, this is why I'm thinking it must be a setup issue with the config of dnsmasq.

Here is my /etc/dnsmasq.conf:

interface=eth0
no-dhcp-interface=eth0
domain-needed # Never forward plain names (without a dot or domain part)
bogus-priv # Never forward addresses in the non-routed address spaces.
no-poll # Don't poll for changes in /etc/resolv.conf
no-resolv # Don't use /etc/resolv.conf or any other file
cache-size=500
listen-address=127.0.0.1
server=192.168.1.254
address=/my.domain.com/192.168.1.124 # This is optional if we add it to /etc/hosts

Lots of other config files can control dnsmasq like:

/etc/resolv.conf
/etc/hosts
/etc/default/dnsmasq
/var/run/dnsmasq/resolv.conf

… but my understanding is none of those files matter because of [no-resolv] in dnsmasq.conf. Maybe I'm wrong here?

After every change to /etc/dnsmasq.conf I do a /etc/init.d/dnsmasq restart
I use >> dnsmasq --test and look in /var/log/syslog to see if dnsmasq is working which it seems to be:

For >> dnsmasq --test

root@nextcloudpi:/home/pi# dnsmasq --test
dnsmasq: syntax check OK.

Other debugging steps I make are:

Right now I don't care that I just deleted the whole log so I can only see the dnsmasq information!!

Here is what is in my daemon.logā€¦


The log shows dnsmasq listening on port 53 (correct) to the nameserver which is the local IP of my router… my understanding is this is set up correctly because I have set the local IP of my Pi3 to be the primary DNS on that router… maybe I am wrong here?

Here is the output of >> netstat -tupln

dnsmasq is listening on Port 53 (tcp and tcp6)

Sorry for this LONG post but if I give all my information maybe I can get the solution faster? Anyone using dnsmasq in a simple way like me could you post your /etc/dnsmasq.conf file please?

Thank you,

Flex

I do think that you don't seem to realize that your client will need to have your dnsmasq service configured as its DNS host. Otherwise, your client would still reach out to your router, which presumably provides the DNS service for your local LAN.

Usually, one would configure a complete local DNS service using bind or some other DNS servers, but those are quite complex, whereas dnsmasq is pretty easy to configure.

Anyway, you will need your DHCP server, which presumably again will be your router, to provide the IP of your dnsmasq server to your clients as their DNS resolver.

Hello,

Thanks for your response budy.

I have set the primary DNS server of my router to be the local IP address of my Pi on which dnsmasq (and the NextCloudPi webserver) is running. I'm hoping this will make my router provide the IP of my dnsmasq server to my clients as their DNS resolver. Therefore I could access my.domain.com from within my LAN.

I'm glad to see you consider dnsmasq easy to configure. Could you critique my dnsmasq config file? Anything wrong in there, do you think, taking my use case into account?

Thank you,

Flex

Hi Flex,

I never used dnsmasq that way, but it would seem from your dnsmasq config file that it will only respond to queries from the localhost (itself) via 127.0.0.1.

Thus, you will need to tweak that such that it listens on its own IP address. You can do this by also configuring dnsmasq's own IP address as an additional listen-address entry.

Cheers,
budy
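Below is an added example, not code from the thread or from the NextcloudPi project: a small POSIX shell lint that checks a dnsmasq.conf for the points raised so far in this thread (the address= override, a listen-address that includes the Pi's LAN address rather than only 127.0.0.1, an upstream server= line when no-resolv is set, and no forwarding loop back to the Pi). The domain my.domain.com and the addresses 192.168.1.124 and 192.168.1.254 are the ones used in the thread; the two sample config files are constructed for the example, the first mirroring the original localhost-only config and the second the same file made reachable from the LAN.

```shell
#!/bin/sh
# Added example, not from the thread: lint a dnsmasq.conf for the split-horizon
# use case discussed above (LAN clients must get the Pi's LAN address for
# my.domain.com; every other name is forwarded to the router).
# Assumed values: domain my.domain.com, Pi 192.168.1.124, router 192.168.1.254.

# Print FILE with comments (including trailing "# ..." ones) and blank lines removed.
conf_lines() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# lint_dnsmasq_conf FILE DOMAIN LAN_IP
# Returns 0 when FILE should let LAN clients resolve DOMAIN to LAN_IP, 1 otherwise.
lint_dnsmasq_conf() {
    file=$1; domain=$2; lan_ip=$3; rc=0
    lines=$(conf_lines "$file")

    # 1. The override record itself. Without it dnsmasq just forwards upstream
    #    and the client gets the public address the registrar publishes.
    if ! printf '%s\n' "$lines" | grep -qxF "address=/$domain/$lan_ip"; then
        echo "FAIL: missing address=/$domain/$lan_ip"
        rc=1
    fi

    # 2. Reachability. listen-address restricts where dnsmasq accepts queries;
    #    if it is set, LAN_IP must be one of the (comma-separated) values, or
    #    only processes on the Pi itself will ever see the override.
    if printf '%s\n' "$lines" | grep -q '^listen-address='; then
        if ! printf '%s\n' "$lines" | grep '^listen-address=' \
                | sed 's/^listen-address=//' | tr ',' '\n' | grep -qxF "$lan_ip"; then
            echo "FAIL: listen-address is set but does not include $lan_ip"
            rc=1
        fi
    fi

    # 3. Upstream. no-resolv disables /etc/resolv.conf, so a server= line is
    #    then the only way dnsmasq learns where to forward other names.
    if printf '%s\n' "$lines" | grep -qxF 'no-resolv' \
            && ! printf '%s\n' "$lines" | grep -q '^server='; then
        echo "FAIL: no-resolv without any server= line leaves no upstream"
        rc=1
    fi

    # 4. Forwarding loop: the upstream must not be dnsmasq's own address.
    if printf '%s\n' "$lines" | grep -qxF "server=$lan_ip"; then
        echo "FAIL: server=$lan_ip forwards queries back to dnsmasq itself"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file passes all checks"
    return "$rc"
}

# Constructed sample configs, written to temp files so the lint can run stand-alone.
BROKEN_CONF=$(mktemp) && FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT

# Same shape as the thread's first config: only localhost can query it.
cat >"$BROKEN_CONF" <<'EOF'
interface=eth0
no-dhcp-interface=eth0
domain-needed          # Never forward plain names
bogus-priv             # Never forward reverse lookups for private ranges
no-resolv              # Ignore /etc/resolv.conf
listen-address=127.0.0.1
server=192.168.1.254
address=/my.domain.com/192.168.1.124
EOF

# Corrected: also listens on the LAN address and binds only what it lists.
cat >"$FIXED_CONF" <<'EOF'
interface=eth0
no-dhcp-interface=eth0
bind-interfaces        # Bind the listed addresses only, not the wildcard
domain-needed
bogus-priv
no-resolv
listen-address=127.0.0.1,192.168.1.124
server=192.168.1.254
address=/my.domain.com/192.168.1.124
EOF

lint_dnsmasq_conf "$BROKEN_CONF" my.domain.com 192.168.1.124 || echo "(rejected, as expected)"
lint_dnsmasq_conf "$FIXED_CONF"  my.domain.com 192.168.1.124
```

To check the live file on the Pi, call `lint_dnsmasq_conf /etc/dnsmasq.conf my.domain.com 192.168.1.124`. This does not replace `dnsmasq --test`, which only checks syntax, and it cannot tell you whether LAN clients actually send their queries to the Pi; a pass only means that a query which does arrive at 192.168.1.124 will get the LAN answer.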

Hello again,

I tried what you suggested but it didn't solve the problem. Typing my.domain.com into my Chrome browser brings me to my router's homepage when I try it from within my LAN. When I connect to a Wifi hotspot using my phone's 4G connection (so the request originates from outside my LAN) this time my.domain.com works perfectly.

/etc/dnsmasq.conf

interface=eth0		# eth0 is the ethernet interface
domain-needed		# Never forward plain names (without a dot or domain part)
bogus-priv		# Never forward addresses in the non-routed address spaces.
no-poll			# Don't poll for changes in /etc/resolv.conf
no-resolv		# Don't use /etc/resolv.conf or any other file
no-hosts		# Don't use /etc/hosts

cache-size=500 

server=192.168.1.254
listen-address=127.0.0.1
listen-address=192.168.1.124

# These are optional if we add them to /etc/hosts
address=/my.domain.com/192.168.1.124

bind-interfaces

Contents of /var/log/daemon.log


The nameserver it is using is: 192.168.1.254 (my router)

Netstat showing what dnsmasq is listening in on:

nslookup on my.domain.com (not sure why there is a timeout?)

You probably figured out that my actual domain name is different but Iā€™m substituting in this made up one.

This is the dig command on my.domain.com

You would expect the "A record" to resolve to the external IP address of my router because that's how I have it set up with my domain name provider. However the output here seems to suggest that dnsmasq is working to make my.domain.com resolve to the local IP address of the Pi… [address=/my.domain.com/192.168.1.124] I wonder should the SERVER be 192.168.1.254#53 (my router) and not 127.0.0.1#53??

This nslookup suggests that dnsmasq is working just fine:


So it's probably something small that makes my.domain.com resolve to the external IP address of the router rather than 192.168.1.124. Maybe I need to do DHCP within dnsmasq on the Pi rather than on the router for this to work?

Any advice gratefully appreciated,

Flex

Check if the firewall on your RPi is prohibiting traffic on port 53… Issue a

iptables -L

and post the result.

Hello,

I guess I don't have a firewall running on my Pi:

I disabled the Windows 7 firewall and the router firewall and still no joy.

I'm thinking it might be some setting in my router, or if I had the Pi do all the DHCP maybe it would work.

Cheers,

Flex

I'd go with no-poll and no-resolv disabled…

You should then remove or comment out this line:

server=192.168.1.254

in the dnsmasq config. I'd rather have my resolv.conf set up accordingly.

/etc/resolv.conf should have its nameservers in this order

nameserver 127.0.0.1
nameserver 192.168.1.254

You will probably also want to have in /etc/resolv.conf

domain domain.com
search domain.com

Then use nslookup again on your Windows host to query your dnsmasq service:

nslookup my.domain.com 192.168.1.124

Hello !

My understanding is that you can put all the config you need into /etc/dnsmasq.conf and that's why I left [no-resolv] in there, to stop it looking at /etc/resolv.conf. Anyway I did what you suggested… unfortunately I'm getting the same result… Chrome gives the same screen as in my first post above.

/etc/hosts

127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.1.1 nextcloudpi
192.168.1.124 my.domain.com

/etc/dnsmasq.conf

interface=eth0		# eth0 is the ethernet interface
domain-needed		# Never forward plain names (without a dot or domain part)
bogus-priv		# Never forward addresses in the non-routed address spaces.
#no-poll		# Don't poll for changes in /etc/resolv.conf
#no-resolv		# Don't use /etc/resolv.conf or any other file
#no-hosts		# Don't use /etc/hosts

cache-size=500 

#server=192.168.1.254
listen-address=127.0.0.1
listen-address=192.168.1.124

# These are optional if we add them to /etc/hosts
address=/my.domain.com/192.168.1.124

/etc/resolv.conf

nameserver 127.0.0.1
nameserver 192.168.1.254
domain domain.com
search domain.com

Now I restart dnsmasq and look at its log output…

>> grep 'dnsmasq' /var/log/daemon.log


dnsmasq starts up OK and uses two nameservers, not sure where it gets the IPv6 one from.

>> nslookup my.domain.com -server 192.168.1.124

You see, it resolves to the external IP address of my router and not the local IP address of the Pi that is running dnsmasq and the NextCloudPi website.

By the way after this if I go in to /etc/resolv.conf its contents will be updated to:

> # Generated by resolvconf
> nameserver 127.0.0.1

So the DNS request that should be resolved to a local IP is instead resolved to the external IP of the router.

Just to confuse things even more, it did actually randomly start working for a few minutes, when I was using dnsmasq.conf only. The only change I made was to uncomment [no-hosts] (and uncommented the domain in /etc/hosts) so it would include the contents of /etc/hosts; then after I restarted dnsmasq it worked for a while! I experimented a bit to try to understand more by rebooting the router, the Pi and my laptop and still it was working… then I stopped the dnsmasq service just to check if adding the line [192.168.1.124 my.domain.com] to /etc/hosts was enough… it wasn't. Then when I restarted dnsmasq I got the same error in Chrome. There's a Gremlin in my LAN playing games!

Thanks for your help so far,

Flex

By the way, here is the log output around the time it randomly started working then stopped…

I don't know if this is significant at all… just I had never seen that message: "nameserver refused to do a recursive query". Apparently it indicates a misconfiguration of dnsmasq: Disabling "Recursive Query Refusal Detection"

Cheers,

Flex

Hmm… maybe this blog post provides you with the needed information to set up dnsmasq for your local LAN:

https://blogging.dragon.org.uk/howto-setup-dnsmasq-as-dns-dhcp/

You would probably only do the DNS stuff and leave the DHCP stuff out. That setup also works with only /etc/dnsmasq.conf and /etc/hosts, and leaves /etc/resolv.conf alone.

I suggest using pihole, since you already went this way :wink:

Hello,

For anyone interested I found a solution to this problem. Here is a link to a thread at RaspberryPi.org where all the gory details are given with great verbosity.

In summary:

  1. I was trying to access the NextCloudPi on a Pi on the same LAN as my Windows 7 laptop using a domain name that was resolving to the external IP address of my router rather than the local IP address of the Pi running NCP and dnsmasq.
  2. I think this was because my router isn't able to do NAT loopback at all.
  3. dnsmasq was set up correctly all along…
  4. Such is my current understanding: the reason was that Windows 7 prefers IPv6 over IPv4. I changed the primary DNS server in my router to be the local IP of my Pi, but nevertheless the ipconfig /all command in Windows showed it was (likely?) sending all requests through my router to an IPv6 DNS server with preference over the dnsmasq IPv4 DNS server, so requests were never going to my Pi, which has dnsmasq running on it, where they would have been redirected by dnsmasq to the local IP of my Pi.
  5. One solution was to turn off IPv6 altogether in the router and this did solve the problem.
  6. Another solution was to switch the IPv6 addressing type in my router to SLAAC… I don't know why this works, it just does.
  7. I am thinking of giving my Pi a static IPv6 address because dnsmasq can be configured to be an IPv6 DNS server… just to see if it will then play nice with my router under IPv6 (at least on my LAN).

Thank you to everyone who helped me,

Flex

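As an added example (not from the thread or from the NextcloudPi project), here is a POSIX shell script that turns the lesson of the post above into a repeatable check: query my.domain.com separately through dnsmasq on the Pi, through the router's IPv4 resolver and through the router's IPv6 resolver, and report which path hands the client the public address instead of the LAN one. The Pi and router IPv4 addresses are the thread's; the router's IPv6 address fe80::1 is a placeholder assumption (read the real one from `ipconfig /all` on the Windows client), and `dig` is assumed to be installed for the live run. The decision logic is kept in its own function so it can be exercised without a network.

```shell
#!/bin/sh
# Added example, not from the thread: find out which resolver path breaks the
# split horizon. Assumed values: domain my.domain.com, Pi (dnsmasq) 192.168.1.124,
# router 192.168.1.254, router IPv6 link-local fe80::1 on eth0 (placeholder).
DOMAIN=my.domain.com
LAN_IP=192.168.1.124
ROUTER_V4=192.168.1.254
ROUTER_V6="fe80::1%eth0"

# first_a RESOLVER: first A record DOMAIN resolves to via RESOLVER, or "none"
# when the resolver does not answer (timeouts, refused, no such server).
first_a() {
    a=$(dig +short +time=2 +tries=1 A "$DOMAIN" "@$1" 2>/dev/null | grep '^[0-9]' | head -n1)
    echo "${a:-none}"
}

# diagnose LAN_IP PI_ANSWER ROUTER4_ANSWER ROUTER6_ANSWER
# Pure decision logic over the three answers.
# Exit codes: 0 all paths give LAN_IP, 1 dnsmasq itself is wrong,
#             2 the IPv6 resolver path bypasses dnsmasq, 3 the IPv4 router path does.
# "none" for a router path means that resolver did not answer, which is fine as
# long as clients are not pointed at it.
diagnose() {
    lan=$1; pi=$2; r4=$3; r6=$4
    if [ "$pi" != "$lan" ]; then
        echo "dnsmasq answers $pi for $DOMAIN, not $lan: fix address=/.../ or listen-address"
        return 1
    fi
    # Checked before IPv4 because a dual-stack client (Windows 7 in the thread)
    # prefers the IPv6 resolver its router advertises over the IPv4 one.
    if [ "$r6" != "none" ] && [ "$r6" != "$lan" ]; then
        echo "router IPv6 resolver answers $r6: clients preferring IPv6 DNS never reach dnsmasq"
        return 2
    fi
    if [ "$r4" != "none" ] && [ "$r4" != "$lan" ]; then
        echo "router IPv4 resolver answers $r4: router is not forwarding LAN queries to $lan"
        return 3
    fi
    echo "split horizon holds on every path: $DOMAIN -> $lan"
    return 0
}

# Stand-alone run against the live network when dig is installed.
if command -v dig >/dev/null 2>&1; then
    diagnose "$LAN_IP" "$(first_a "$LAN_IP")" "$(first_a "$ROUTER_V4")" "$(first_a "$ROUTER_V6")" || :
else
    echo "dig not found; only the diagnose() logic is available"
fi
```

Run it from a LAN client (or the Pi itself) with `sh diag.sh`. A return code of 2 is the case this thread ended on: dnsmasq is fine, but the client's preferred resolver is the router's IPv6 address, so either stop the router advertising an IPv6 DNS server (as done above) or give dnsmasq an IPv6 listen-address and make that the advertised one.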

wow that was a hard one… thanks for sharing the solution!

The router supplied by my ISP (Sagemcom) does not have SLAAC as an option. I was able to "work around" this issue to some extent by using a forced VPN connection on the PC trying to reach the Nextcloud to go outside my network and then come back in. However this is not a very good solution as my VPN connection is nowhere near as fast as a direct connection, and I will probably need to work on the PC client to force it to use the VPN.

I had nearly the exact same situation as OP. DuckDNS is my dynamic DNS provider, and I configured dnsmasq with ncp-config and pointed my router to my RPi's local IP for the DNS server. Worked fine for a little while and then spontaneously stopped: xxxx.duckdns.org wouldn't resolve from inside my LAN.

After reading about the IPv6 issues near the bottom of this thread, I disabled the IPv6 firewall on my router, and everything's worked fine ever since. Thanks for the tip!

EDIT: Thanks also to @nachoparker for making nextcloudpi so feature-packed and noob-friendly
