Can't ping hostnames (only IP's) with dnscrypt + dnsmasq on Arch

Discussion in 'all things UNIX' started by zakazak, Jan 20, 2016.

  1. zakazak

    Hey there,

    maybe someone here can help me fix my issue. I recently installed dnscrypt on my Arch setup and configured my already-installed dnsmasq (for caching) to work with dnscrypt.

    At first it worked just fine and I could dig/ping every hostname and everything worked as it should. After a reboot I noticed that I couldn't resolve hostnames anymore. I can ping IPs directly, but when I ping/dig a hostname I get "unknown host" as the answer/output.

    I followed the wiki: https://wiki.archlinux.org/index.php/DNSCrypt

    1.) pacman -S dnscrypt-proxy dnsmasq
    2.) I am using NetworkManager and Network-Manager-applet (GNOME) in which I changed the dns server of my current connection to 127.0.0.1 (but that shouldn't even matter, see the settings below):

    systemctl edit dnscrypt-proxy.socket:
    Code:
    [Socket]
    ListenStream=
    ListenDatagram=
    ListenStream=127.0.0.1:40
    ListenDatagram=127.0.0.1:40
    
    /etc/dnsmasq.conf:
    Code:
    no-resolv
    server=127.0.0.1#40
    listen-address=127.0.0.1
    cache-size=1000
    
    To run dnsmasq with networkmanager:
    /etc/NetworkManager/NetworkManager.conf
    Code:
    [main]
    plugins=keyfile
    dhcp=dhclient
    #dns=default
    dns=dnsmasq
    
    ## Set static hostname
    #[keyfile]
    #hostname=foobar
    
    ## HTTP-based connectivity check
    #[connectivity]
    #uri=http://nmcheck.gnome.org/check_network_status.txt
    #interval=100
    
    And since dnsmasq via networkmanager uses its own configuration file I re-created the dnsmasq.conf for networkmanager as well:
    nano /etc/NetworkManager/dnsmasq.d/cache:
    Code:
    cache-size=1000
    no-resolv
    server=127.0.0.1#40
    listen-address=127.0.0.1
    
    /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service:
    Code:
    [Unit]
    Description=DNSCrypt client proxy
    Requires=dnscrypt-proxy.socket
    
    [Install]
    Also=dnscrypt-proxy.socket
    WantedBy=multi-user.target
    
    [Service]
    Type=simple
    NonBlocking=true
    ExecStart=/usr/bin/dnscrypt-proxy \
              -R cisco
    

    /usr/lib/systemd/system/dnscrypt-proxy.service:
    Code:
    [Unit]
    Description=DNSCrypt client proxy
    Requires=dnscrypt-proxy.socket
    
    [Install]
    Also=dnscrypt-proxy.socket
    WantedBy=multi-user.target
    
    [Service]
    Type=simple
    NonBlocking=true
    ExecStart=/usr/bin/dnscrypt-proxy \
              -R cisco
    
    And here is the output of dnscrypt-proxy.service and .socket:

    Code:
    sneida@_____:~$ sudo systemctl status dnscrypt-proxy.service -l
    [sudo] password for sneida: 
    * dnscrypt-proxy.service - DNSCrypt client proxy
       Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; disabled; vendor preset: disabled)
       Active: active (running) since Tue 2016-01-19 19:04:16 CET; 30min ago
     Main PID: 446 (dnscrypt-proxy)
        Tasks: 1 (limit: 512)
       CGroup: /system.slice/dnscrypt-proxy.service
               `-446 /usr/bin/dnscrypt-proxy -R cisco
    
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [INFO] - [cisco] does not support Namecoin domains
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [WARNING] - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [NOTICE] Starting dnscrypt-proxy 1.6.0
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [INFO] Generating a new session key pair
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [INFO] Done
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] Server certificate #1435874751 received
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] This certificate looks valid
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [NOTICE] Proxying from 127.0.0.1:40 to 208.67.220.220:443
    sneida@_____:~$ sudo systemctl status dnscrypt-proxy.socket -l
    * dnscrypt-proxy.socket - dnscrypt-proxy listening socket
       Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.socket; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/dnscrypt-proxy.socket.d
               `-override.conf
       Active: active (running) since Tue 2016-01-19 19:04:16 CET; 30min ago
       Listen: 127.0.0.1:40 (Stream)
               127.0.0.1:40 (Datagram)
    
    Jan 19 19:04:16 _____ systemd[1]: Listening on dnscrypt-proxy listening socket.
    
    dnsmasq.service is disabled as NetworkManager is supposed to start it (which is the case), systemctl status dnsmasq.service:
    Code:
    Dnsmasq.service - a lightweight dhcp and caching dns server
    Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
    Active: inactive (dead)
    
    Followed by the complete bash_history, including the point where I did a reboot and everything broke:
    http://pastebin.com/M3Rp80Ag

    -----------------------------------------------------------------------------
    ping archlinux.org gives me "unknown host" :/
    ping ip works though.

    Any ideas? :/ Thanks !
     
  2. summerheat

    Hm, I haven't looked very thoroughly into your settings but perhaps this helps. It seems that dnscrypt-proxy.socket can cause problems, so disabling or actually masking it (sudo systemctl mask dnscrypt-proxy.socket) might help.
     
  3. zakazak

    Thanks, I will give it a try, but comparing the status output of dnsmasq in your link with mine, it looks like the status of my dnsmasq is not correct?
     
  4. summerheat

    Have you followed the steps here?

    FWIW, my NetworkManager.conf looks like this:

    Code:
    [main]
    plugins=keyfile
    dhcp=dhclient
    # dns=default
    dns=none
    I can't really remember why I did that :confused: However, I'm using unbound instead of dnsmasq but that shouldn't make a difference, IMO.
     
  5. zakazak

    Yep I already had dnsmasq as cacher configured for some months. And also after installing dnscrypt it still cached fine, until I did a reboot.

    What I just tried:
    I changed the dnsmasq.conf to
    Code:
    no-resolv
    listen-address=127.0.0.1
    cache-size=1000
    
    So I completely left out the server=127.0.0.1#40 (listening to dnscrypt) but I still can't resolve hostnames.

    Which means dnsmasq right now is not touching dnscrypt at all but still can't resolve hostnames?

    @Edit: changing dns=none didn't help :/
     
  6. zakazak

    Well, looks like I guessed right... dnsmasq.service is the problem, and the cause of it is libvirt!

    libvirt seems to run its own instance of dnsmasq (with its own configuration) that somehow interferes with dnsmasq's configuration. I have no idea what suddenly breaks all that because I had libvirt + dnsmasq already running for 2-3 months. Any suggestions ?
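
An added example, not written by anyone in the thread: a POSIX shell helper that reads `ss -H -lntup` output and names the first hop of the dnsmasq (127.0.0.1:53) to dnscrypt-proxy (127.0.0.1:40) chain that has no listener, which also shows when a second dnsmasq instance holds port 53 on another address. The socket table is constructed, 192.168.122.1 assumes libvirt's default network address, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find the broken hop in stub resolver -> dnsmasq:53 -> dnscrypt-proxy:40.
# Constructed sample of `ss -H -lntup` output (not captured from the poster's machine).
SAMPLE_SS='udp UNCONN 0 0 127.0.0.1:40 0.0.0.0:* users:(("dnscrypt-proxy",pid=446,fd=3))
tcp LISTEN 0 128 127.0.0.1:40 0.0.0.0:* users:(("dnscrypt-proxy",pid=446,fd=4))
udp UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=701,fd=5))
tcp LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=701,fd=6))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=590,fd=6))'

# listeners PORT: read ss output on stdin, print "proto addr process pid" per socket on PORT.
listeners() {
    awk -v port="$1" '
        { n = split($5, a, ":"); if (a[n] != port) next    # $5 is local addr:port
          proc = "?"; pid = "?"
          if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
          if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
          addr = substr($5, 1, length($5) - length(a[n]) - 1)
          print $1, addr, proc, pid }'
}

# hop_status PORT ADDR: "up" if a socket is bound to ADDR or the wildcard on PORT, else "down".
hop_status() {
    listeners "$1" | awk -v want="$2" '
        $2 == want || $2 == "0.0.0.0" || $2 == "*" { up = 1 }
        END { print (up ? "up" : "down") }'
}

# diagnose: read ss output on stdin and name the first hop without a listener.
diagnose() {
    ss_out=$(cat)
    if [ "$(printf '%s\n' "$ss_out" | hop_status 53 127.0.0.1)" = down ]; then
        echo "no resolver on 127.0.0.1:53 (dnsmasq not running or bound elsewhere)"
    elif [ "$(printf '%s\n' "$ss_out" | hop_status 40 127.0.0.1)" = down ]; then
        echo "dnsmasq is up but dnscrypt-proxy is not listening on 127.0.0.1:40"
    else
        echo "both listeners present; query each hop with dig to compare"
    fi
}

# Live use (run as root so ss can show process names):
#   ss -H -lntup | diagnose
#   ss -H -lntup | listeners 53
#   dig +time=2 +tries=1 @127.0.0.1 -p 40 archlinux.org   # dnscrypt-proxy only
#   dig +time=2 +tries=1 @127.0.0.1 archlinux.org         # through dnsmasq
printf '%s\n' "$SAMPLE_SS" | diagnose
```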
     