Re: NetworkManager OpenVPN DNS returns REFUSED

On Thu, 2017-03-23 at 09:54 +0100, Beniamino Galvani wrote:
What does it mean that the local DNS service is returning REFUSED?  How
can I debug this further?  Or, does anyone know how to fix it?

You can enable logging of queries in dnsmasq with:

 echo log-queries > /etc/NetworkManager/dnsmasq.d/log-queries
 killall -HUP NetworkManager

After this, you should see in logs queries sent by dnsmasq and
responses from name servers.

Thank you for this info.  I see that when this problem is happening I
get a single line in the log:

   query[A] from

and that's it, nothing else.  It seems that dnsmasq sends the REFUSED
response without even trying to pass along the request any further.
When things are working properly, I get a set of responses in the log
for each lookup including forwarding to the upstream DNS server and the
final answer.

Also a belated, but heartfelt, thank-you to Thomas Haller for his reply
to a similar question I asked last November; his email had a wealth of
fantastic information for debugging NM issues and I still refer to it

Which dnsmasq version are you using? There was a bug in the way
dnsmasq cached sockets for queries that caused problems when the VPN
interface is recreated by kernel with a different ifindex; see [1] [2]
for more details. This could be the cause of the problem you see.

After I sent my email I realized I had forgotten to include dnsmasq
info.  I'm using 2.76 (Ubuntu package dnsmasq-base 2.76-4).  From what I
can tell the fixes you refer to are not available in any dnsmasq release
yet but will be in the next release (2.77), and the version I have does
not backport this patch.

I will try building a dnsmasq with this patch applied and see if it

FWIW, I'm currently working around this issue by adding a script to
/etc/NetworkManager/dispatcher.d that sends a SIGHUP to NetworkManager.
It seems to work, although it's obviously not ideal.
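The dispatcher workaround mentioned above, written out as an added example; it is not the script from this thread, and the file name `90-vpn-dns-reload` is assumed. NetworkManager invokes each script in `/etc/NetworkManager/dispatcher.d` as root with the interface name in `$1` and the action in `$2`, and uses `vpn-up` / `vpn-down` for VPN connections, so the script only reacts to those two actions rather than to every link change. The signal is delivered with `pkill -HUP -x NetworkManager` (equivalent to the `killall -HUP` used earlier in the thread), and `logger` is used so the reload can be lined up against dnsmasq's `log-queries` output in the journal.

```shell
#!/bin/sh
# Hypothetical /etc/NetworkManager/dispatcher.d/90-vpn-dns-reload
# Illustrative example only, not the poster's own script.
# NetworkManager runs dispatcher scripts as root with
#   $1 = interface name, $2 = action (e.g. up, down, vpn-up, vpn-down).
# The file must be owned by root, executable, and not group/world
# writable, otherwise NetworkManager skips it.

# Decide whether this event should trigger a DNS reload.
# Returns 0 (true) only for VPN up/down events, 1 for everything else,
# so ordinary link changes do not restart the DNS plugin.
should_reload() {
    # $1 = interface (unused here, kept for clarity), $2 = action
    case "$2" in
        vpn-up|vpn-down) return 0 ;;
        *)               return 1 ;;
    esac
}

# Send SIGHUP to NetworkManager so it re-reads its configuration and
# reconfigures the dnsmasq instance it manages (the workaround from the
# thread). Returns non-zero if no NetworkManager process was found.
reload_networkmanager() {
    pkill -HUP -x NetworkManager
}

# Record the event in syslog/journal so it can be correlated with the
# dnsmasq query log enabled via log-queries.
log_event() {
    logger -t vpn-dns-reload "$1"
}

# Only act when invoked by the dispatcher with interface and action;
# sourcing or running the file without arguments does nothing.
if [ "$#" -ge 2 ]; then
    if should_reload "$1" "$2"; then
        log_event "$2 on $1: sending SIGHUP to NetworkManager"
        reload_networkmanager
    fi
fi
```

Install it with `install -m 0755 -o root -g root 90-vpn-dns-reload /etc/NetworkManager/dispatcher.d/`; the mode and ownership matter, because NetworkManager ignores dispatcher scripts that are writable by anyone other than root.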

