However, dnsmasq *should* contact dnscrypt-proxy.
Let's debug. Please comment out "dns=dnsmasq"; reboot; ensure that dnsmasq is listening at 127.0.1.1; ensure that dnscrypt-proxy is listening at 127.0.0.2; run

Code:
echo "nameserver 127.0.0.2" | resolvconf -a lo.dnscrypt-proxy

and then post the output of

Code:
ls -l /etc/resolv.conf
cat /etc/resolv.conf
ls -l /run/resolvconf
ls -l /run/resolvconf/interface
for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
ls -l /etc/resolvconf/resolv.conf.d
for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
cat /etc/default/resolvconf
ls -l /var/run/dnsmasq
cat /var/run/dnsmasq/resolv.conf
Last edited by jdthood; May 18th, 2013 at 07:46 PM. Reason: Add a couple of commands to run
I think this is the key point. There should be a "correct" way to get resolvconf to add a second line to this file, but I can't find any documentation on it.

If /etc/resolv.conf contains "nameserver 127.0.1.1" because dnsmasq is running then (in the standard resolvconf configuration) you won't see any changes in /etc/resolv.conf because resolvconf doesn't list nameserver addresses after any loopback address.

As I pointed out, it is necessary to disable the NetworkManager-controlled dnsmasq and install a separate dnsmasq in order to have a custom configuration in 12.04. My initial two posts are a how-to guide for getting dnsmasq and dnscrypt-proxy to work together in 12.04; it is not possible to use the NetworkManager-controlled dnsmasq with DNSCrypt in 12.04.

(This doesn't mean that adding nameserver information via the connection editor is ineffective, though. If things are working properly, then, if the NetworkManager-controlled nameserver is running, nameserver information added via the connection editor is transmitted to the NetworkManager-controlled nameserver that is listening at that loopback address. This goes via /run/nm-dns-dnsmasq.conf in Ubuntu 12.04, or via D-Bus in Ubuntu 12.10 or later.)
It should, when configured to do so (it cannot auto-magically do so), but it doesn't. There is a place in dnsmasq's config file to add other DNS servers, but then it never actually forwards queries to them. So, it is necessary to have two lines in resolv.conf: one for the DNS cache (dnsmasq) and another for the secure DNS resolver (dnscrypt-proxy). There is no other way for this to work in 12.04.

It isn't needed there because the glibc resolver should contact dnsmasq (at 127.0.1.1) and not dnscrypt-proxy.
However, dnsmasq *should* contact dnscrypt-proxy.
Please go over what I've posted again; this is exactly what I recommended. Commenting out "dns=dnsmasq" and installing a separate, configurable, dnsmasq is the only way to get dnsmasq and dnscrypt-proxy working together in 12.04, which is why I wrote a how-to guide on setting them up as such.

Let's debug. Please comment out "dns=dnsmasq"; reboot; ensure that dnsmasq is listening at 127.0.1.1; ensure that dnscrypt-proxy is listening at 127.0.0.2; run

Code:
echo "nameserver 127.0.0.2" | resolvconf -a lo.dnscrypt-proxy
When I ran that command, nothing was added to resolv.conf and DNS queries do not resolve. There should be a "correct" way to get resolvconf to add a second line to /etc/resolv.conf.
I'll get you that output next time I'm at home. I think it's important to note here: I posted my how-to guide after doing considerable testing and diagnostics myself. The things I said don't work, really don't work in 12.04; if someone wants to use dnsmasq with dnscrypt in 12.04 they will (most likely) have do it as I posted. From what you've posted, I take it that much more of the "new way" is properly implemented in 12.10, which means users of 12.10 need a different (and much shorter) guide.

and then post the output of

Code:
ls -l /etc/resolv.conf
cat /etc/resolv.conf
ls -l /run/resolvconf
ls -l /run/resolvconf/interface
for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
ls -l /etc/resolvconf/resolv.conf.d
for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
cat /etc/default/resolvconf
There's only really one point that needs debugging for me:
Why doesn't dnsmasq use DNS servers specified in its configuration file?
An answer to that question would resolve everything else you are asking me about, and possibly shorten my how-to for 12.04.
ls -l /etc/resolv.conf
Symlinked where it should be.

Code:
lrwxrwxrwx 1 root root 29 Apr 14  2012 /etc/resolv.conf -> ../run/resolvconf/resolv.conf

cat /etc/resolv.conf
Just like it is in my how-to.

Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1 #dnsmasq
nameserver 127.0.0.2 #dnscrypt-proxy
nameserver 127.0.1.1

ls -l /run/resolvconf
Nothing unusual here.

Code:
total 4
-rw-r--r-- 1 root root   0 May 19 15:26 enable-updates
drwxr-xr-x 2 root root 100 May 19 15:26 interface
-rw-r--r-- 1 root root 240 May 19 15:26 resolv.conf

ls -l /run/resolvconf/interface
Looks ok to me.

Code:
total 8
-rw-r--r-- 1 root root 21 May 19 15:26 lo.dnsmasq
-rw-r--r-- 1 root root 42 May 19 15:26 NetworkManager

for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
NetworkManager probably extracts those from resolv.conf, as they are not specified anywhere else.

Code:
=== /run/resolvconf/interface/lo.dnsmasq ===
nameserver 127.0.1.1
=== /run/resolvconf/interface/NetworkManager ===
nameserver 127.0.1.1
nameserver 127.0.0.2

ls -l /etc/resolvconf/resolv.conf.d
I modified head with gedit, so there's a backup file.

Code:
total 8
-rw-r--r-- 1 root root   0 May 13 12:34 base
-rw-r--r-- 1 root root 219 May 16 05:44 head
-rw-r--r-- 1 root root 221 May 16 05:41 head~
-rw-r--r-- 1 root root   0 Jan  4 06:31 tail

for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
Nothing to see here really, except the changes I made to head to get DNS to resolve.

Code:
=== /etc/resolvconf/resolv.conf.d/base ===
=== /etc/resolvconf/resolv.conf.d/head ===
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1 #dnsmasq
nameserver 127.0.0.2 #dnscrypt-proxy
=== /etc/resolvconf/resolv.conf.d/head~ ===
=== /etc/resolvconf/resolv.conf.d/tail ===

cat /etc/default/resolvconf
Nothing there.

Code:
cat: /etc/default/resolvconf: No such file or directory

ls -l /var/run/dnsmasq
As expected.

Code:
total 8
-rw-r--r-- 1 root root  5 May 19 15:26 dnsmasq.pid
-rw-r--r-- 1 root root 42 May 19 15:26 resolv.conf
cat /var/run/dnsmasq/resolv.conf
The servers are not in the same order as the real resolv.conf they've been extracted from. My understanding is that it doesn't matter unless I specify the "strict-order" option for dnsmasq.

Code:
nameserver 127.0.0.2
nameserver 127.0.1.1
First let me say that I appreciate what you are trying to do. It's good that you were able to get dnsmasq and dnscrypt working together in daisy chain with the former (dnsmasq, first stage) caching and forwarding queries to the latter (dnscrypt, second stage).
I believe, however, that the way you implemented things was less than ideal, regardless of whether the base system is Ubuntu 12.04 or 12.10. What I would like to do is continue to work with you to implement things as well as the base system allows. When we have done this we will know exactly how to package dnscrypt properly for Ubuntu.
When I replied to your original post I just tried to address a few parenthetical remarks you made and to answer the questions that you asked in your post. The discussion that followed was a bit confusing, but now I think I know why. I have just gone back and re-read the whole thread and I now realize that I overlooked the most important problem of all. You are under the impression that the NetworkManager-controlled dnsmasq instance can be used in the "first stage", in the same role as dnsmasq server — or, rather, could be used as the first stage if it were possible to customize its configuration (as it is possible in Ubuntu 12.10). But this is not supported, even in Ubuntu 12.10. NetworkManager feeds its slave dnsmasq instance with the nameserver addresses it knows about that are associated with external network connections. When you enter addresses into the "DNS servers" field in the connection editor, those addresses are meant to be external addresses accessible over the connection in question. Entering loopback addresses into the "DNS servers" field is not supported.
Note that daisy chaining dnsmasq server instance to the NetworkManager-controlled dnsmasq instance is supported. Obtaining this in Ubuntu 12.04 requires some manual configuration of dnsmasq server because in Ubuntu 12.04 the NetworkManager-controlled dnsmasq instance listens at 127.0.0.1 which conflicts with dnsmasq server in its default configuration. Obtaining the dnsmasq-dnsmasq daisy chain in Ubuntu 12.10 requires only the installation of the dnsmasq package; after it's installed, dnsmasq server listens at 127.0.0.1 in bind-interfaces mode and forwards queries to nm-dnsmasq at 127.0.1.1.
Now let's turn to your debugging output. It looks as if you didn't follow my instructions exactly — you didn't run the line with "resolvconf -a lo.dnscrypt-proxy", otherwise there would be a file named "lo.dnscrypt-proxy" in /run/resolvconf/interface/ — but this probably doesn't matter because I think we have found the most important problem.
Looking at the debugging output I see that DNS queries will follow paths like the following.
Code:
glibc resolver -------------> 127.0.1.1 dnsmasq server -------------> 127.0.0.2 dnscrypt ----> OpenDNS
                                    \   /
                                     \ /
                                      \ \-----------------<---------------
                                      / /
                                       ------------------------>-------------------

I assume that dnscrypt is somehow configured to know the OpenDNS nameserver addresses. Is that right? (I have no experience with dnscrypt.)

Update: I have started reading the dnscrypt docs and found:

Quote:
DNSCrypt comes pre-configured for OpenDNS, although the --resolver-address=<ip>:<port>, --provider-name=<certificate provider FQDN> and --provider-key=<provider public key> can be specified in order to change the default settings.

So dnscrypt-proxy can forward to servers other than OpenDNS — but those servers would of course have to support the DNSCrypt protocol.
That dnsmasq server has 127.0.1.1 as both a forwarding address and as its listen address is bad. This tells dnsmasq to loop queries back to itself. This is a consequence of 127.0.1.1 being included in a "DNS servers" field for a connection.
You should have something like the following instead.

Code:
glibc resolver -------> 127.0.0.1 dnsmasq server --------> 127.0.0.2 dnscrypt ----> OpenDNS

(127.0.0.1 is the IPv4 address of the loopback device and one of the addresses that dnsmasq server listens at by default. For dnscrypt you can choose any address in 127/8 but 127.0.1.1 is not a particularly good choice since that is the address used by nm-dnsmasq.)
To achieve this:
* Configure the external network connection with the NetworkManager connection editor. Select "Method: Automatic (DHCP) addresses only" and ensure that all the "DNS server" fields are empty.
* Back up any dnsmasq configuration files you changed and don't want to lose. Purge the dnsmasq package (which will delete those configuration files) and reinstall it. This will restore dnsmasq server to the factory configuration wherein it listens at all addresses.
* Enable dnsmasq "bind-interfaces" mode: uncomment the "bind-interfaces" line in /etc/dnsmasq.conf.
* Also set "cache-size=1000" in dnsmasq if desired.
* Back up any resolvconf configuration files you changed and don't want to lose. Purge the resolvconf package (which will delete those configuration files) and reinstall it. This will restore resolvconf to the factory configuration where it contains no non-comment lines in /etc/resolvconf/resolv.conf.d/head.
* Configure dnscrypt to listen at 127.0.0.2.
* Ensure that dnscrypt is listening at 127.0.0.2 and forwards queries to the OpenDNS nameservers.

Code:
host www.google.com 127.0.0.2

* Do

Code:
echo "nameserver 127.0.0.2" | resolvconf -a lo.dnscrypt-proxy

* Check that you can now resolve names via dnsmasq at 127.0.0.1.

Code:
host www.microsoft.com 127.0.0.1
host www.ubuntu.com

After doing all this, please post the debugging output again.

Code:
cat /etc/NetworkManager/NetworkManager.conf
ls -l /etc/resolv.conf
cat /etc/resolv.conf
ls -l /run/resolvconf
ls -l /run/resolvconf/interface
for F in /run/resolvconf/interface/* ; do echo "=== $F ===" ; cat "$F" ; done
ls -l /etc/resolvconf/resolv.conf.d
for F in /etc/resolvconf/resolv.conf.d/* ; do echo "=== $F ===" ; cat "$F" ; done
cat /etc/default/resolvconf
ls -l /var/run/dnsmasq
cat /var/run/dnsmasq/resolv.conf

Even if this works then we aren't finished quite yet. We need to change the dnscrypt initscript to run "resolvconf -a lo.dnscrypt-proxy" on start and "resolvconf -d lo.dnscrypt-proxy" on stop. And we should probably enhance dnsmasq's resolvconf hook script to be dnscrypt-aware.
P.S. You should probably delete the updates in your original post where you say that in Ubuntu 12.10 you can configure the NetworkManager-controlled dnsmasq instance to play the same role as the dnsmasq server instance.
Last edited by jdthood; May 19th, 2013 at 07:40 PM.
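As an added example (not code from this thread, nor from the dnsmasq, dnscrypt-proxy or resolvconf projects), here is a small POSIX shell script that packages the procedure in the post above: it detects the forwarding loop (dnsmasq's upstream list containing its own listen address), writes the dnsmasq settings the post asks for, wraps the "resolvconf -a / -d lo.dnscrypt-proxy" calls the dnscrypt initscript should make on start and stop, and runs the three "host" checks in order. It assumes the layout from the post (dnsmasq server at 127.0.0.1, dnscrypt-proxy at 127.0.0.2, dnsmasq's upstream list at /var/run/dnsmasq/resolv.conf); the /etc/dnsmasq.d drop-in path, the listen-address line and all function names are this example's own, not something the post specifies.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (taken from the post):
# dnsmasq server listens at 127.0.0.1, dnscrypt-proxy at 127.0.0.2, and dnsmasq's
# resolvconf hook writes its upstream list to /var/run/dnsmasq/resolv.conf.
# The drop-in path under /etc/dnsmasq.d and the listen-address line are this
# example's own choices.

DNSMASQ_LISTEN="${DNSMASQ_LISTEN:-127.0.0.1}"
DNSCRYPT_ADDR="${DNSCRYPT_ADDR:-127.0.0.2}"
DNSMASQ_UPSTREAMS="${DNSMASQ_UPSTREAMS:-/var/run/dnsmasq/resolv.conf}"
RESOLVCONF_RECORD="lo.dnscrypt-proxy"

# upstream_addrs FILE: the addresses dnsmasq will forward to (its nameserver lines)
upstream_addrs() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# forward_loop FILE LISTEN_ADDR: exit 0 when the upstream list contains dnsmasq's
# own listen address, i.e. dnsmasq would forward queries back to itself (the loop
# in the first diagram of the post)
forward_loop() {
    upstream_addrs "$1" | grep -qxF -- "$2"
}

# dnsmasq_conf DEST: the dnsmasq settings from the post (bind-interfaces and
# cache-size=1000) plus a listen-address, so the cache is bound to loopback only
# and is not an open resolver on the LAN; the post itself does not set listen-address
dnsmasq_conf() {
    cat > "$1" <<EOF
bind-interfaces
listen-address=$DNSMASQ_LISTEN
cache-size=1000
EOF
}

# What the dnscrypt-proxy initscript should do on start and stop: register the
# proxy address with resolvconf (dnsmasq's resolvconf hook then picks it up as an
# upstream) and withdraw it again when the proxy goes away.
dnscrypt_register()   { echo "nameserver $DNSCRYPT_ADDR" | resolvconf -a "$RESOLVCONF_RECORD"; }
dnscrypt_unregister() { resolvconf -d "$RESOLVCONF_RECORD"; }

# check_chain: no forwarding loop, dnscrypt-proxy answers directly, dnsmasq
# answers, and the glibc resolver path works end to end (the post's three checks)
check_chain() {
    if forward_loop "$DNSMASQ_UPSTREAMS" "$DNSMASQ_LISTEN"; then
        echo "loop: dnsmasq at $DNSMASQ_LISTEN lists itself as an upstream in $DNSMASQ_UPSTREAMS" >&2
        return 1
    fi
    host www.google.com "$DNSCRYPT_ADDR" >/dev/null \
        || { echo "dnscrypt-proxy at $DNSCRYPT_ADDR is not answering" >&2; return 1; }
    host www.microsoft.com "$DNSMASQ_LISTEN" >/dev/null \
        || { echo "dnsmasq at $DNSMASQ_LISTEN is not answering" >&2; return 1; }
    host www.ubuntu.com >/dev/null \
        || { echo "glibc resolver path is broken; inspect /etc/resolv.conf" >&2; return 1; }
    echo "chain ok: glibc -> $DNSMASQ_LISTEN dnsmasq -> $DNSCRYPT_ADDR dnscrypt-proxy"
}

# usage: chain.sh check | conf [DEST] | start | stop
case "${1:-}" in
    check) check_chain ;;
    conf)  dnsmasq_conf "${2:-/etc/dnsmasq.d/dnscrypt-chain.conf}" ;;
    start) dnscrypt_register ;;
    stop)  dnscrypt_unregister ;;
esac
```

Run "chain.sh conf" once (as root) after the purge-and-reinstall step, call "chain.sh start" / "chain.sh stop" from the dnscrypt-proxy initscript, and use "chain.sh check" in place of the three manual host commands; on the debugging output posted above it would stop at the loop check, since /var/run/dnsmasq/resolv.conf there lists 127.0.1.1 while dnsmasq also listens at 127.0.1.1.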
Oh, I see. Yeah, we could be discussing a refit for the currently supplied dnsmasq. I hoped it had happened in 12.10, as it has in Arch, but alas no. I will get on straightening out those notes after work. I will re-label them as "theoretical configuration".
I'll also get that last output; I guess I missed a line!
I don't really understand about dnsmasq looping into itself: shouldn't it do so as a cache? The path is similar to what you said:
DNSQuery->out; ->dnsmasq: in cache?; yes-> return ip; no-> forward to dnscrypt-proxy; ->dnscrypt-proxy->OpenDNS(mutex communication over the proxy;->return ip;
I have filed a report in the Debian bug tracking system where I wish for automagic integration of dnsmasq with dnscrypt-proxy: http://bugs.debian.org/709179. The Debian maintainer has already agreed to implement this integration. This means that we should have the integration implemented within, say, a month, in Debian unstable. The support will appear in Ubuntu the next time after that that Ubuntu syncs from Debian unstable, which means 13.10 or 14.04.
Last edited by jdthood; May 21st, 2013 at 04:44 PM.
I just noticed that there's an ITP for dnscrypt-proxy in the Debian BTS (http://bugs.debian.org/692320). I have submitted a request that this future package support resolvconf.
Once this is done and resolvconf/dnscrypt-proxy support has been added to dnsmasq (http://bugs.debian.org/709179) everything should just work.
Resolvconf itself doesn't need to be changed (http://bugs.debian.org/709258).