6

I'm trying to use dnsmasq on Ubuntu 20.04 and I get a port clash on port 53 with systemd-resolved. So I've found a few suggestions on solutions, but they seem to be dated or not applicable to my case.

If I disable systemd-resolved, everything comes to a crawl because I seem to be waiting for a timeout on:

sudo: unable to resolve host ubuntu: Temporary failure in name resolution

So basically any command I type takes 20 seconds or so.

I guess I need something like the suggestion to put dns=default in /etc/NetworkManager/NetworkManager.conf, as in https://askubuntu.com/a/907249. However, this file doesn't exist and is not part of the package anymore:

$ dpkg -S /etc/NetworkManager/NetworkManager.conf
dpkg-query: no path found matching pattern /etc/NetworkManager/NetworkManager.conf

So I post this as a 20.04-titled question instead of adding to the 20+ comments there…

If I disable systemd-resolved I can start dnsmasq, but everything still comes to a crawl with that "Temporary failure in name resolution" error, and if I look at the dnsmasq status it seems it has problems too:

ubuntu@ubuntu:~$ sudo systemctl status dnsmasq.service
sudo: unable to resolve host ubuntu: Temporary failure in name resolution
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
     Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-10-22 11:20:35 UTC; 1min 8s ago
    Process: 36231 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
    Process: 36232 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
    Process: 36241 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/S>
   Main PID: 36240 (dnsmasq)
      Tasks: 1 (limit: 9024)
     CGroup: /system.slice/dnsmasq.service
             └─36240 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg->

Oct 22 11:20:35 ubuntu dnsmasq[36240]: using nameserver 127.0.0.53#53
Oct 22 11:20:35 ubuntu dnsmasq[36240]: read /etc/hosts - 7 addresses
Oct 22 11:20:35 ubuntu systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
Oct 22 11:20:37 ubuntu dnsmasq[36240]: Maximum number of concurrent DNS queries reached (max: 150)
Oct 22 11:20:48 ubuntu dnsmasq[36240]: Maximum number of concurrent DNS queries reached (max: 150)
Oct 22 11:20:57 ubuntu dnsmasq[36240]: Maximum number of concurrent DNS queries reached (max: 150)
Oct 22 11:21:07 ubuntu dnsmasq[36240]: Maximum number of concurrent DNS queries reached (max: 150)
Oct 22 11:21:17 ubuntu dnsmasq[36240]: Maximum number of concurrent DNS queries reached (max: 150)
Oct 22 11:21:27 ubuntu dnsmasq[36240]: Maximum number of concurrent DNS queries reached (max: 150)
Oct 22 11:21:37 ubuntu dnsmasq[36240]: Maximum number of concurrent DNS queries reached (max: 150)

Is it so that dnsmasq now delegates to the non-running 127.0.0.53:53, according to the logs above?

With systemd-resolved running I had:

$ sudo ss -lp "sport = :domain"
Netid     State      Recv-Q      Send-Q           Local Address:Port             Peer Address:Port     Process
udp       UNCONN     0           0                127.0.0.53%lo:domain                0.0.0.0:*         users:(("systemd-resolve",pid=36111,fd=12))
tcp       LISTEN     0           4096             127.0.0.53%lo:domain                0.0.0.0:*         users:(("systemd-resolve",pid=36111,fd=13))

And with systemd-resolved disabled but dnsmasq running I have:

$ sudo ss -lp "sport = :domain"
sudo: unable to resolve host ubuntu: Temporary failure in name resolution
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port Process
udp   UNCONN 18432  0            0.0.0.0:domain       0.0.0.0:*     users:(("dnsmasq",pid=36240,fd=4))
udp   UNCONN 0      0               [::]:domain          [::]:*     users:(("dnsmasq",pid=36240,fd=6))
tcp   LISTEN 0      32           0.0.0.0:domain       0.0.0.0:*     users:(("dnsmasq",pid=36240,fd=5))
tcp   LISTEN 0      32              [::]:domain          [::]:*     users:(("dnsmasq",pid=36240,fd=7))

I have:

$ cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.53
Viktor Hedefalk
  • Port 53 on which IP address? – JdeBP Oct 22 '20 at 10:59
  • dnsmasq just says: "failed to create listening socket for port 53: Address already in use", but I'm sure 127.0.0.53. Coming from: https://askubuntu.com/a/1170073. ss -lp "sport = :domain" says systemd-resolve. And after disabling that service, I _can_ start dnsmasq but my system becomes unusable. – Viktor Hedefalk Oct 22 '20 at 11:17
  • As an aside: You should use the `--full` option to `systemctl`. https://unix.stackexchange.com/a/50771/5132 – JdeBP Oct 22 '20 at 12:07
  • Also you need to tell people in detail what your goal with dnsmasq is. If you actually want to provide service in the way that you are doing, the answer is quite different to the case where you _do not_ want to provide dnsmasq service to any other machines on your LAN. Answerers need to know what answer to give. https://unix.stackexchange.com/q/222264/5132 is also a related question. – JdeBP Oct 22 '20 at 12:10

2 Answers

9

By default, systemd-resolved provides a "validating DNS/DNSSEC stub resolver" on "IP address 127.0.0.53", port 53. You can verify this:

$ sudo netstat -tulpn | grep LISTEN

tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      787/systemd-resolve 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      787/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      923/sshd: /usr/sbin 
tcp6       0      0 :::5355                 :::*                    LISTEN      787/systemd-resolve 
tcp6       0      0 :::22                   :::*                    LISTEN      923/sshd: /usr/sbin 

Since port 53 is the default for DNS traffic, as you've pointed out, that's where your conflict exists.

systemd-resolved can be configured to work in a few different ways, and the stub resolver can even be disabled entirely.

/etc/systemd/resolved.conf.d is one of those handy directories that allow you to break up configuration into multiple files. On some distributions this directory may not yet exist, so:

[ -d /etc/systemd/resolved.conf.d ] || mkdir -p /etc/systemd/resolved.conf.d

Next we create the file /etc/systemd/resolved.conf.d/10-make-dns-work.conf in which we'll override the default configuration in /etc/systemd/resolved.conf:

printf "%s\n%s\n" '[Resolve]' 'DNSStubListener=no' | sudo tee /etc/systemd/resolved.conf.d/10-make-dns-work.conf

Now we have:

$ cat /etc/systemd/resolved.conf.d/10-make-dns-work.conf

[Resolve]
DNSStubListener=no

After changing config, we need to restart systemd-resolved:

$ sudo systemctl restart systemd-resolved

Now take a look at where systemd-resolved is listening:

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2494/sshd           
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      8033/systemd-resolv 
tcp6       0      0 :::22                   :::*                    LISTEN      2494/sshd           
tcp6       0      0 :::5355                 :::*                    LISTEN      8033/systemd-resolv 

dnsmasq should now be able to listen on port 53.

If you want to revert these changes, just delete the config file you added:

sudo rm /etc/systemd/resolved.conf.d/10-make-dns-work.conf
sudo systemctl restart systemd-resolved
mainmachine
  • I get a message: Editing "/etc/systemd/system/systemd-resolved.service.d/override.conf" canceled: temporary file is empty. – ironic May 19 '22 at 23:19
  • Sounds like you tried to save it without adding the lines specified: `[Resolve] DNSStubListener=no` – mainmachine May 23 '22 at 15:36
  • This answer does not work for me. After all specified actions `systemd-resolved` is still using the 53 port. – mathway Jun 19 '22 at 15:10
  • You need to edit `/etc/systemd/resolved.conf` directly. See this https://ubuntu-mate.community/t/systemd-resolved-does-not-recognize-resolve-category-solved/16708 – ostefano Aug 17 '22 at 18:09
  • @ostefano - You are absolutely correct - I've rewritten my answer and apologize for the error! – mainmachine Aug 18 '22 at 20:16
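Added example (not code from the question or from either answer): a small POSIX shell script that writes the [Resolve] override from the answer above to a directory you choose, and that reads saved `ss -lp "sport = :domain"` output plus a resolv.conf to flag the state shown in the question, where resolv.conf still names 127.0.0.53 after the stub listener is gone. dnsmasq takes its upstream servers from resolv.conf (the question's log line "using nameserver 127.0.0.53#53"), so it then forwards to an address nobody answers on, or to itself when it is bound to 0.0.0.0, which is consistent with the "Maximum number of concurrent DNS queries reached" lines. The directory argument, the function names and the sample listings in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from either post above.
#  1. write_stub_override: the [Resolve] drop-in from the answer, written to
#     a directory of your choosing so it can be previewed outside /etc;
#  2. port53_owner / check_upstream: parse `ss -lp "sport = :domain"` output
#     and resolv.conf and report when the configured upstream is the stub
#     address but no stub resolver is behind it.
set -eu

STUB_ADDR=127.0.0.53
OVERRIDE_NAME=10-make-dns-work.conf   # file name used in the answer

# Write the DNSStubListener=no override. $1 = target directory; defaults to the
# real drop-in directory, pass a scratch directory to preview the file.
write_stub_override() {
    dir="${1:-/etc/systemd/resolved.conf.d}"
    mkdir -p "$dir"
    printf '%s\n%s\n' '[Resolve]' 'DNSStubListener=no' > "$dir/$OVERRIDE_NAME"
    printf '%s\n' "$dir/$OVERRIDE_NAME"
}

# Print the process owning the port-53 listener on address $1, parsed from
# `ss -lp "sport = :domain"` output on stdin. Exit 1 when nothing listens there.
port53_owner() {
    awk -v a="$1" '
        {
            # "127.0.0.53%lo:domain" -> "127.0.0.53"; "[::]:domain" -> "["
            split($5, p, ":"); ip = p[1]; sub(/%.*/, "", ip)
            if (ip == a && match($0, /users:\(\("[^"]+"/)) {
                print substr($0, RSTART + 9, RLENGTH - 10)   # text between the quotes
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# $1 = resolv.conf path, $2 = file holding `ss -lp "sport = :domain"` output.
# Exit 0 when the first nameserver is answered, 1 when dnsmasq would forward
# to the stub address with no stub resolver behind it.
check_upstream() {
    upstream=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    if [ "$upstream" != "$STUB_ADDR" ]; then
        echo "upstream $upstream is not the stub address: ok"
        return 0
    fi
    # A wildcard (0.0.0.0) socket also receives packets sent to 127.0.0.53.
    owner=$(port53_owner "$STUB_ADDR" < "$2" || port53_owner 0.0.0.0 < "$2" || true)
    case "$owner" in
        systemd-resolve*) echo "systemd-resolved stub is listening: ok"; return 0 ;;
        "")               echo "WARNING: resolv.conf names $STUB_ADDR but nothing listens on it"; return 1 ;;
        *)                echo "WARNING: $STUB_ADDR is answered by $owner, which forwards to $STUB_ADDR again (loop)"; return 1 ;;
    esac
}
```

Usage on a live host: `sudo ss -lp "sport = :domain" > /tmp/ss.txt; check_upstream /etc/resolv.conf /tmp/ss.txt`. A non-zero exit means resolv.conf needs to point somewhere that actually answers (for example the upstream servers dnsmasq should forward to) before disabling the stub, otherwise every lookup waits for the timeout the question describes.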
1

You really don't need to mess with systemd-resolved. Add 'bind-dynamic' or 'bind-interfaces' to dnsmasq.conf. This way you can leave systemd-resolved alone and running alongside dnsmasq. The dnsmasq man page suggests bind-dynamic for any Linux system that supports it, which Ubuntu does. In use, I can't see any difference; they both work. Just watch out for any 'listen-address=' directives stopping dnsmasq on reboot. In my case, on a Pi 4 running Ubuntu 20.04, the local IP address of the Pi and the OpenVPN server address (different subnet, same machine) don't exist when dnsmasq tries to start. I solved this by editing the dnsmasq service file to start after the OpenVPN service, to make sure the IP address was available for dnsmasq to bind to on startup.

Adam84
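Added example (not the answerer's code): a POSIX shell check for the two points in the answer above. It reports whether dnsmasq.conf carries a bind-dynamic or bind-interfaces line (without one, dnsmasq binds the wildcard address and collides with the 127.0.0.53 stub), and it lists every listen-address= IP that is absent from saved `ip -o -4 addr show` output, which is the "address not there yet at boot" situation the answer ran into. The function names, the file arguments and the sample config and address listing in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the answer above. Checks a dnsmasq.conf for a bind
# mode line and for listen-address= entries the host does not currently have.
set -eu

# Print "bind-dynamic" or "bind-interfaces" if set in CONF ($1), else "none".
dnsmasq_bind_mode() {
    mode=$(awk '/^[[:space:]]*bind-(dynamic|interfaces)[[:space:]]*$/ {
                    sub(/^[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
                }' "$1")
    printf '%s\n' "${mode:-none}"
}

# Print every IP named in listen-address= lines of CONF ($1) that is missing
# from the `ip -o -4 addr show` output saved in ADDRFILE ($2). Exit 1 if any.
missing_listen_addrs() {
    conf="$1"; addrfile="$2"
    # field 4 of `ip -o -4 addr show` is "a.b.c.d/prefix"; keep the address
    assigned=$(awk '$3 == "inet" { ip = $4; sub(/\/.*/, "", ip); print ip }' "$addrfile")
    missing=0
    # listen-address accepts a comma-separated list and may appear several times
    for ip in $(sed -n 's/^[[:space:]]*listen-address=//p' "$conf" | tr ',' '\n'); do
        if ! printf '%s\n' "$assigned" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
            missing=1
        fi
    done
    return $missing
}

# Combined report for CONF ($1) against the address listing in ADDRFILE ($2).
# Exit 1 when either check finds something to fix.
check_dnsmasq_conf() {
    status=0
    mode=$(dnsmasq_bind_mode "$1")
    if [ "$mode" = none ]; then
        echo "no bind-dynamic/bind-interfaces: dnsmasq binds 0.0.0.0:53 and clashes with the stub"
        status=1
    else
        echo "bind mode: $mode"
    fi
    if miss=$(missing_listen_addrs "$1" "$2"); then
        echo "all listen-address entries are currently assigned"
    else
        echo "listen-address entries not assigned yet (dnsmasq may fail at boot): $(printf '%s' "$miss" | tr '\n' ' ')"
        status=1
    fi
    return $status
}
```

Usage on a live host: `ip -o -4 addr show > /tmp/addrs.txt; check_dnsmasq_conf /etc/dnsmasq.conf /tmp/addrs.txt`. Run it after boot, before the VPN service is up, to see exactly which listen-address entries would make dnsmasq refuse to start if it were ordered before that service.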