
Recently, after a dist-upgrade to Debian 9.0, I happened to notice that the danted (a SOCKS v5 proxy server) and stunnel4 (an SSL/TLS tunneling service) services cannot resolve domain names.

In danted logs:

request was not performed due to error: could not resolve hostname "www.google.com": Name or service not known

In stunnel logs:

Error resolving "www.stunnel.org": Neither nodename nor servname known (EAI_NONAME)

If I change the system user that the service runs under (proxy for danted, stunnel4 for stunnel) to root and restart the service, it works fine.

  • Ordinary users can ping/resolve domain names.
  • /etc/nsswitch.conf and /etc/resolv.conf are world readable.
  • Even after su-ing to the system user, you can ping/resolve domain names:

    # su - -s /bin/sh -c "getent ahosts  www.stunnel.org" proxy 
    207.192.69.165  STREAM linode.mirt.net
    207.192.69.165  DGRAM  
    ...
    
  • The content of resolv.conf:

    nameserver 127.0.0.1
    nameserver 8.8.8.8
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    

    I use dnsmasq.

I'm not sure what to do next.

sasanj
  • What is the content of your `/etc/resolv.conf`? – GAD3R Jul 03 '17 at 14:55
  • Updated to add the content of the `resolv.conf`. – sasanj Jul 04 '17 at 15:52
  • So user `danted` does not have access to the network? Could be either a SELinux or an `iptables -m owner` issue. Disable SELinux and check your `iptables -L`. – user996142 Jul 04 '17 at 16:04
  • SELinux is disabled, and there is no owner checking in iptables. – sasanj Jul 04 '17 at 16:35
  • One thing though: `stunnel` works under the system user `stunnel4`, it just cannot resolve domain names (mostly for its SOCKS v5 functionality). – sasanj Jul 04 '17 at 16:43
  • Hypothesis: the service is started before resolv.conf is populated, and does not subsequently call `res_init()`. Can you rule this out by showing that keeping the user as `stunnel4` and restarting it still causes DNS failures? Other services like ssh have `After=network.service` in the service file, but I don't think stunnel4 does. – sourcejedi Jul 04 '17 at 17:46
  • Put Google DNS, then OpenDNS, at the top of your `resolv.conf` file, and `nameserver 127.0.0.1` at the bottom. – GAD3R Jul 04 '17 at 23:15
  • @sourcejedi Restarting services did not help. I tried it multiple times. – sasanj Jul 05 '17 at 11:19
  • @GAD3R I did that, and I even turned off the dnsmasq service, but still no luck. – sasanj Jul 05 '17 at 11:20
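As an added example (not part of the question or of any comment above), the checks discussed in this thread bundled into one diagnostic script: readability of `/etc/nsswitch.conf` and `/etc/resolv.conf`, the nameserver order in `resolv.conf`, the SELinux and `iptables -m owner` questions from the comments, and a `getent ahosts` lookup run both as root and as the service user via `su`, exactly as the question does. The service user and hostname are arguments (`proxy` and `www.stunnel.org` as on the page); `getenforce` and `iptables` are treated as optional since either may be absent. The point of running `getent` as the service user is that it goes through the same NSS/resolver path the daemons use: if it succeeds where the daemon fails, file permissions and the user's network access are not the difference, and the remaining suspects are how the daemon is started (its environment, start order relative to the resolver, sandboxing) rather than the account itself.

```shell
#!/bin/sh
# diag_resolve.sh (added example, not from the question): run the resolver
# checks from the thread as one script.
# Usage, as root:   sh diag_resolve.sh proxy www.stunnel.org
#                   sh diag_resolve.sh stunnel4 www.stunnel.org

# Return 0 if FILE exists and has the "other read" bit set
# (what the question calls world readable). Uses the 8th character
# of `ls -ld` output, which is portable across ls implementations.
world_readable() {
    [ -e "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c8)
    [ "$perm" = "r" ]
}

# Print the nameserver entries of a resolv.conf-style FILE, in order.
# Order matters: the libc resolver tries them top to bottom.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Run a lookup through the NSS stack (the path danted/stunnel use) as USER.
# Exit status is getent's: 0 found, 2 not found.
resolve_as() {
    su - -s /bin/sh -c "getent ahosts '$2'" "$1"
}

run_checks() {
    user=$1; host=$2
    echo "== files the resolver needs (must be readable by $user)"
    for f in /etc/nsswitch.conf /etc/resolv.conf; do
        if world_readable "$f"; then echo "ok   $f"; else echo "FAIL $f is not world readable"; fi
    done
    echo "== nameservers in /etc/resolv.conf, in lookup order"
    nameservers /etc/resolv.conf
    echo "== SELinux state (getenforce) and iptables owner-match rules"
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo "getenforce not installed"; fi
    if command -v iptables >/dev/null 2>&1; then
        iptables -S 2>/dev/null | grep -- '-m owner' || echo "no '-m owner' rules"
    else
        echo "iptables not installed"
    fi
    echo "== lookup of $host as root"
    getent ahosts "$host" | head -n 2
    echo "== lookup of $host as $user"
    if out=$(resolve_as "$user" "$host"); then
        echo "ok   $user can resolve $host:"
        echo "$out" | head -n 2
    else
        rc=$?
        echo "FAIL $user cannot resolve $host (getent exit status $rc)"
    fi
}

# Only run the checks when invoked with arguments, so the functions
# can also be sourced and used individually.
if [ $# -gt 0 ]; then
    run_checks "$@"
fi
```

If the per-file and per-user checks all pass but the daemon still logs `could not resolve hostname`, compare the daemon's unit with one that works (`systemctl cat danted.service`), looking at start ordering and any sandboxing directives, since those are the remaining ways a process under the same user can see a different resolver environment than an interactive `su` shell.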
