13

I'm running Debian Jessie and I'm trying to configure dnsmasq as a caching DNS server. I used a guide to come up with the following /etc/dnsmasq.conf:

listen-address=127.0.0.1
bind-interfaces
domain-needed
bogus-priv
no-hosts
dns-forward-max=150
cache-size=1000
neg-ttl=3600
resolv-file=/etc/resolv.dnsmasq
no-poll

Doing sudo service dnsmasq restart fails and it won't start, telling me

Mar 26 17:13:01 user dnsmasq[26743]: dnsmasq: syntax check OK.
Mar 26 17:13:01 user dnsmasq[26746]: dnsmasq: only one resolv.conf file allowed in no-poll mode.

Ok, kind of strange that a config straight out of a guide failed. I'll just remove the no-poll option to see if it works. This time it starts just fine, but DNS resolution is clearly failing. Relevant files:

/etc/resolv.conf:

nameserver 127.0.0.1

/etc/resolv.dnsmasq:

nameserver 8.8.8.8

/var/run/dnsmasq/resolv.conf:

nameserver 127.0.0.1

The third file appears to be dnsmasq's live resolv.conf file, because adding a nameserver line to it while dnsmasq is already running causes DNS resolution to immediately start working. So it looks like it ignored my /etc/resolv.dnsmasq. I also tried adding a nameserver line to my /etc/resolv.conf and removing the resolv-file line in /etc/dnsmasq.conf, but it gets overwritten immediately to what you see above upon doing sudo service dnsmasq restart.

What is going on with dnsmasq, and how do I configure dnsmasq as a caching DNS server?

nullUser
  • 763

4 Answers

14

There appears to be a bug in the start-up script for dnsmasq that uses resolvconf to clobber the local resolver if the local loopback interface is not explicitly except-ed in the /etc/defaults/dnsmasq file.

The short answer is that you can add...

DNSMASQ_EXCEPT=lo

to /etc/defaults/dnsmasq to solve the problem.

For more info, see this question...

https://raspberrypi.stackexchange.com/questions/37439/proper-way-to-prevent-dnsmasq-from-overwriting-dns-server-list-supplied-by-dhcp

bigjosh
  • 645
5

bigjosh is right - except there's been an update to dnsmasq, and there's now an option at the end of /etc/default/dnsmasq which you can un-hash:

IGNORE_RESOLVCONF=yes
Maynard
  • 51
3

Don't use

resolv-file=/etc/resolv.dnsmasq

Put the DNS servers into dnsmasq.conf, like

server=/localnet/192.168.0.1 # change ip for your ip-server
server=8.8.8.8
server=8.8.4.4

And add into dnsmasq.conf

no-resolv
aclg
  • 31
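An added example, not code from the question or from any of the answers above: a small POSIX sh lint that applies the checks behind the thread's three fixes (DNSMASQ_EXCEPT=lo, IGNORE_RESOLVCONF=yes, and no-resolv with server= lines) to constructed config text rather than to the live files. It assumes, which the page does not state outright, that the Debian init script hands dnsmasq its own resolvconf-managed file (-r /var/run/dnsmasq/resolv.conf) unless IGNORE_RESOLVCONF=yes, so that a resolv-file= line in dnsmasq.conf makes two resolv files and trips the "only one resolv.conf file allowed in no-poll mode" error from the question, and that either workaround in /etc/default/dnsmasq stops the script from registering 127.0.0.1 with resolvconf. The function names and sample inputs are the example's own.

```shell
#!/bin/sh
# Added lint example (not from the original thread). Operates on config text
# passed as arguments, so it runs offline on constructed samples.
# Assumption (not stated on the page): the Debian init script passes its own
# resolvconf-managed file (-r /var/run/dnsmasq/resolv.conf) to dnsmasq unless
# IGNORE_RESOLVCONF=yes, so a resolv-file= in dnsmasq.conf yields two resolv
# files, which dnsmasq rejects under no-poll.

# Does the config text ($1) contain the bare dnsmasq option $2 (e.g. no-poll)?
has_option() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|$)"
}

# Number of resolv files dnsmasq would be given: resolv-file= lines in the
# config ($1) plus the init script's own unless the defaults ($2) disable it.
resolv_file_count() {
    n=$(printf '%s\n' "$1" | grep -c '^[[:space:]]*resolv-file=' || true)
    if ! printf '%s\n' "$2" | grep -q '^IGNORE_RESOLVCONF=yes'; then
        n=$((n + 1))
    fi
    echo "$n"
}

# Verdict for a config ($1) and defaults ($2) pair: prints the problem, or
# "ok: ..." saying where the upstream servers come from.
check_upstreams() {
    if has_option "$1" no-resolv; then
        if printf '%s\n' "$1" | grep -q '^[[:space:]]*server='; then
            echo "ok: upstreams from server= lines, resolv files ignored"
        else
            echo "error: no-resolv set but no server= lines"
        fi
        return
    fi
    n=$(resolv_file_count "$1" "$2")
    if has_option "$1" no-poll && [ "$n" -gt 1 ]; then
        echo "error: only one resolv.conf file allowed in no-poll mode ($n given)"
    else
        echo "ok: upstreams from $n resolv file(s)"
    fi
}

# Will the init script register 127.0.0.1 with resolvconf, rewriting
# /etc/resolv.conf and the file it hands to dnsmasq? Either workaround from
# the answers, present in the defaults text ($1), prevents that (assumption).
loopback_clobber() {
    if printf '%s\n' "$1" | grep -Eq '^(DNSMASQ_EXCEPT=lo|IGNORE_RESOLVCONF=yes)$'; then
        echo no
    else
        echo yes
    fi
}

# Constructed inputs mirroring the question's config and the answers' fixes.
CONF_QUESTION='listen-address=127.0.0.1
bind-interfaces
resolv-file=/etc/resolv.dnsmasq
no-poll'
CONF_NORESOLV='listen-address=127.0.0.1
no-resolv
server=8.8.8.8
server=8.8.4.4'
DEFAULTS_STOCK='#IGNORE_RESOLVCONF=yes'
DEFAULTS_EXCEPT='DNSMASQ_EXCEPT=lo'
DEFAULTS_IGNORE='IGNORE_RESOLVCONF=yes'

main() {
    for d in "$DEFAULTS_STOCK" "$DEFAULTS_EXCEPT" "$DEFAULTS_IGNORE"; do
        echo "defaults: $d"
        echo "  question config:  $(check_upstreams "$CONF_QUESTION" "$d")"
        echo "  no-resolv config: $(check_upstreams "$CONF_NORESOLV" "$d")"
        echo "  init script registers 127.0.0.1 with resolvconf: $(loopback_clobber "$d")"
    done
}
main
```

Run with the stock defaults, the question's config reports the same "only one resolv.conf file allowed in no-poll mode" failure the log shows, and DNSMASQ_EXCEPT=lo alone does not clear it, since the init script still supplies its own resolv file; IGNORE_RESOLVCONF=yes or the no-resolv approach does. Both defaults-file workarounds are reported as stopping the loopback registration that was rewriting /etc/resolv.conf.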
1

If you just want a caching-only DNS server and nothing else fancy that dnsmasq can do, you'd be better off installing either lwresd or unbound and using the stock default configuration which gives you a caching-only DNS server. Then you just set /etc/resolv.conf to use "nameserver 127.0.0.1" and you're done.

The nice thing is these two packages do not mess around with what's in /etc/resolv.conf like dnsmasq does and are thus a cleaner solution IMHO. You can also usually remove the resolvconf package so nothing messes around with /etc/resolv.conf.

FYI, dnsmasq has gotten rather complicated, with too many bells and whistles, and is just causing pain for most people these days. Violates KISS in my book.

milli
  • 2,030