Can't ping hostnames (only IP's) with dnscrypt + dnsmasq on Arch

Discussion in 'all things UNIX' started by zakazak, Jan 20, 2016.

  1. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Hey there,

    maybe someone here can help me fix my issue. I recently installed dnscrypt on my Arch setup and configured my already-installed dnsmasq (for caching) to work with dnscrypt.

    At first it worked just fine and I could dig/ping every hostname and everything worked as it should. After a reboot I noticed that I couldn't resolve hostnames anymore. I can ping IPs directly, but when I ping/dig a hostname I get "unknown host" as answer/output.

    I followed the wiki: https://wiki.archlinux.org/index.php/DNSCrypt

    1.) pacman -S dnscrypt-proxy dnsmasq
    2.) I am using NetworkManager and Network-Manager-applet (GNOME) in which I changed the dns server of my current connection to 127.0.0.1 (but that shouldn't even matter, see the settings below):

    systemctl edit dnscrypt-proxy.socket:
    Code:
    [Socket]
    ListenStream=
    ListenDatagram=
    ListenStream=127.0.0.1:40
    ListenDatagram=127.0.0.1:40
    
    /etc/dnsmasq.conf:
    Code:
    no-resolv
    server=127.0.0.1#40
    listen-address=127.0.0.1
    cache-size=1000
    
    To run dnsmasq with networkmanager:
    /etc/NetworkManager/NetworkManager.conf
    Code:
    [main]
    plugins=keyfile
    dhcp=dhclient
    #dns=default
    dns=dnsmasq
    
    ## Set static hostname
    #[keyfile]
    #hostname=foobar
    
    ## HTTP-based connectivity check
    #[connectivity]
    #uri=http://nmcheck.gnome.org/check_network_status.txt
    #interval=100
    
    And since dnsmasq via networkmanager uses its own configuration file I re-created the dnsmasq.conf for networkmanager as well:
    nano /etc/NetworkManager/dnsmasq.d/cache:
    Code:
    cache-size=1000
    no-resolv
    server=127.0.0.1#40
    listen-address=127.0.0.1
    
    /etc/systemd/system/multi-user.target.wants/dnscrypt-proxy.service:
    Code:
    [Unit]
    Description=DNSCrypt client proxy
    Requires=dnscrypt-proxy.socket
    
    [Install]
    Also=dnscrypt-proxy.socket
    WantedBy=multi-user.target
    
    [Service]
    Type=simple
    NonBlocking=true
    ExecStart=/usr/bin/dnscrypt-proxy \
              -R cisco
    

    /usr/lib/systemd/system/dnscrypt-proxy.service:
    Code:
    [Unit]
    Description=DNSCrypt client proxy
    Requires=dnscrypt-proxy.socket
    
    [Install]
    Also=dnscrypt-proxy.socket
    WantedBy=multi-user.target
    
    [Service]
    Type=simple
    NonBlocking=true
    ExecStart=/usr/bin/dnscrypt-proxy \
              -R cisco
    
    And here is the output of dnscrypt-proxy.service and .socket:

    Code:
    sneida@_____:~$ sudo systemctl status dnscrypt-proxy.service -l
    [sudo] password for sneida: 
    * dnscrypt-proxy.service - DNSCrypt client proxy
       Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.service; disabled; vendor preset: disabled)
       Active: active (running) since Tue 2016-01-19 19:04:16 CET; 30min ago
     Main PID: 446 (dnscrypt-proxy)
        Tasks: 1 (limit: 512)
       CGroup: /system.slice/dnscrypt-proxy.service
               `-446 /usr/bin/dnscrypt-proxy -R cisco
    
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [INFO] - [cisco] does not support Namecoin domains
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [WARNING] - [cisco] logs your activity - a different provider might be better a choice if privacy is a concern
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [NOTICE] Starting dnscrypt-proxy 1.6.0
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [INFO] Generating a new session key pair
    Jan 19 19:04:16 _____ dnscrypt-proxy[446]: [INFO] Done
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] Server certificate #1435874751 received
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] This certificate looks valid
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [INFO] Server key fingerprint is ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
    Jan 19 19:04:21 _____ dnscrypt-proxy[446]: [NOTICE] Proxying from 127.0.0.1:40 to 208.67.220.220:443
    sneida@_____:~$ sudo systemctl status dnscrypt-proxy.socket -l
    * dnscrypt-proxy.socket - dnscrypt-proxy listening socket
       Loaded: loaded (/usr/lib/systemd/system/dnscrypt-proxy.socket; enabled; vendor preset: disabled)
      Drop-In: /etc/systemd/system/dnscrypt-proxy.socket.d
               `-override.conf
       Active: active (running) since Tue 2016-01-19 19:04:16 CET; 30min ago
       Listen: 127.0.0.1:40 (Stream)
               127.0.0.1:40 (Datagram)
    
    Jan 19 19:04:16 _____ systemd[1]: Listening on dnscrypt-proxy listening socket.
    
    dnsmasq.service is disabled as NetworkManager is supposed to start it (which is the case), systemctl status dnsmasq.service:
    Code:
    Dnsmasq.service - a lightweight dhcp and caching dns server
    Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; disabled; vendor preset: disabled)
    Active: inactive (dead)
    
    Followed by the complete bash_history, including the point where I did a reboot and everything broke:
    http://pastebin.com/M3Rp80Ag

    -----------------------------------------------------------------------------
    ping archlinux.org gives me "unknown host" :/
    ping ip works though.

    Any ideas? :/ Thanks !
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    Hm, I haven't looked very thoroughly into your settings but perhaps this helps. It seems that dnscrypt-proxy.socket can cause problems, so disabling or actually masking it (sudo systemctl mask dnscrypt-proxy.socket) might help.
     
  3. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Thanks, I will give it a try, but comparing the status output of dnsmasq in your link with mine, it looks like the status of my dnsmasq is not correct?
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    Have you followed the steps here?

    FWIW, my NetworkManager.conf looks like this:

    Code:
    [main]
    plugins=keyfile
    dhcp=dhclient
    # dns=default
    dns=none
    I can't really remember why I did that :confused: However, I'm using unbound instead of dnsmasq but that shouldn't make a difference, IMO.
     
  5. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Yep I already had dnsmasq as cacher configured for some months. And also after installing dnscrypt it still cached fine, until I did a reboot.

    What I just tried:
    I changed the dnsmasq.conf to
    Code:
    no-resolv
    listen-address=127.0.0.1
    cache-size=1000
    
    So I completely left out the server=127.0.0.1#40 line (listening to dnscrypt) but I still can't resolve hostnames.

    Which means dnsmasq right now is not touching dnscrypt at all but still can't resolve hostnames?

    @Edit: changing dns=none didn't help :/
     
  6. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    Well, looks like I guessed right.. dnsmasq.service is the problem, and the cause of it is libvirt!

    libvirt seems to run its own instance of dnsmasq (with its own configuration) that somehow interferes with dnsmasq's configuration. I have no idea what suddenly breaks all that because I had libvirt + dnsmasq already running for 2-3 months. Any suggestions ?
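
An added example, not part of any post in this thread: a listener check for the resolver chain configured above (127.0.0.1:53 dnsmasq forwarding to 127.0.0.1:40 dnscrypt-proxy), fed with `ss -H -lntup` output. The function names, the bridge address 192.168.122.1 and PIDs 612 and 701 are constructed for illustration, and the "only on another address" state is one possible reading of the symptoms, not a confirmed diagnosis.

```shell
#!/bin/sh
# Added example, not from the thread. Input is `ss -H -lntup` output.

# Print "addr:port proc1,proc2" for each listener on the given port.
listeners_on_port() {
    awk -v port="$1" '
        {
            n = split($5, parts, ":")            # $5 = local address:port
            if (n < 2 || parts[n] != port) next
            procs = ""; rest = $0
            while (match(rest, /"[^"]+"/)) {     # every quoted process name
                procs = procs (procs == "" ? "" : ",") substr(rest, RSTART + 1, RLENGTH - 2)
                rest = substr(rest, RSTART + RLENGTH)
            }
            if (procs == "") procs = "unknown"   # ss hides names without root
            print $5, procs
        }' | sort -u
}

# Classify the chain from the thread:
# resolv.conf -> 127.0.0.1:53 (dnsmasq) -> 127.0.0.1:40 (dnscrypt-proxy).
diagnose_chain() {
    front=$(printf '%s\n' "$1" | listeners_on_port 53)
    back=$(printf '%s\n' "$1" | listeners_on_port 40)
    if ! printf '%s\n' "$back" | grep -Eq '^127\.0\.0\.1:40 (.*,)?dnscrypt-proxy(,|$)'; then
        echo "dnscrypt-proxy-not-listening"
    elif printf '%s\n' "$front" | grep -Eq '^(127\.0\.0\.1|0\.0\.0\.0|\*):53 (.*,)?dnsmasq(,|$)'; then
        echo "chain-ok"
    elif printf '%s\n' "$front" | grep -Eq '[ ,]dnsmasq(,|$)'; then
        echo "dnsmasq-only-on-other-address"
    else
        echo "no-resolver-on-loopback"
    fi
}

# Constructed sample: dnscrypt-proxy (socket-activated, so systemd also holds
# the socket) is up on :40, but the only dnsmasq is bound to a bridge address.
SAMPLE_BROKEN='udp UNCONN 0 0 127.0.0.1:40 0.0.0.0:* users:(("dnscrypt-proxy",pid=446,fd=3),("systemd",pid=1,fd=30))
tcp LISTEN 0 128 127.0.0.1:40 0.0.0.0:* users:(("dnscrypt-proxy",pid=446,fd=4),("systemd",pid=1,fd=29))
udp UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=612,fd=5))
tcp LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=612,fd=6))'
# Constructed sample: the same host with a dnsmasq also answering on loopback.
SAMPLE_OK="$SAMPLE_BROKEN
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:((\"dnsmasq\",pid=701,fd=4))"

echo "broken sample: $(diagnose_chain "$SAMPLE_BROKEN")"
echo "ok sample:     $(diagnose_chain "$SAMPLE_OK")"
# Live check (root needed for process names): diagnose_chain "$(ss -H -lntup)"
```
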
     