4

I'm running Arch Linux with NetworkManager and dnsmasq set up. It all seems to work fine, except that I try to use the new CloudFlare 1.1.1.1 DNS, but the resolver keeps using the DNS that is advertised by my router. The nameservers seem to be added, including my router's IP, see below:

Apr 04 20:02:56 tdewolff dnsmasq[22337]: setting upstream servers from DBus
Apr 04 20:02:56 tdewolff dnsmasq[22337]: using nameserver 2606:4700:4700::1001#53
Apr 04 20:02:56 tdewolff dnsmasq[22337]: using nameserver 2606:4700:4700::1111#53
Apr 04 20:02:56 tdewolff dnsmasq[22337]: using nameserver 1.0.0.1#53
Apr 04 20:02:56 tdewolff dnsmasq[22337]: using nameserver 1.1.1.1#53
Apr 04 20:02:56 tdewolff dnsmasq[22337]: using nameserver 192.168.1.254#53(via wlp4s0)
Apr 04 20:02:56 tdewolff dnsmasq[22337]: using nameserver fe80::1%wlp4s0#53
Apr 04 20:02:56 tdewolff dnsmasq[22337]: cleared cache

Using nmcli dev show consistently shows:

IP4.DNS[1]:                             192.168.1.254
IP6.DNS[1]:                             fe80::1

but I want to use the CloudFlare DNSs regardless of the local network (and not have to change the connection settings for every network). How can I change the order of DNS look-up, or disable the router's resolver? I've tried adding strict-order to /etc/NetworkManager/dnsmasq.d/local but to no avail.

Taco de Wolff
  • 153
  • 1
  • 1
  • 7

2 Answers2

8

I'm not using dnsmasq, but I had a similar issue. The solution for me was:

  • Put the DNS servers you want in /etc/resolv.conf (ref)

    # IPv4 nameservers: 
nameserver 1.1.1.1
nameserver 1.0.0.1
# IPv6 nameservers:
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001

  • Tell NetworkManager not to modify your /etc/resolv.conf by writing in your /etc/NetworkManager/NetworkManager.conf (ref)

    [main]
dns=none

Probably restart NetworkManager etc. afterward. If you do nmcli dev show it shows the DNS server reported by the router:

IP4.DNS[1]:                             192.168.50.1

But if you use nslookup (from bind-tools in Arch), it looks like 1.1.1.1 is actually used for the query:

» nslookup google.com
Server:     1.1.1.1
Address:    1.1.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.9.238
Name:   google.com
Address: 2607:f8b0:4006:801::200e

UPDATE: config with dnsmasq

I tried out a config with dnsmasq. NetworkManager has a dnsmasq plugin that you can use by putting into /etc/NetworkManager/NetworkManager.conf the following:

[main]
dns=dnsmasq

This will start dnsmasq with NetworkManager and put 127.0.0.1 into /etc/resolv.conf (ref). However, I did not do it this way because then dnsmasq isn't managed by systemctl and you don't automatically end up with logging in journalctl (maybe there is some way around this).

Instead, I used the following config (ref):

  • /etc/NetworkManager/NetworkManager.conf:

    [main]
dns=none

  • /etc/resolv.conf:

    nameserver 127.0.0.1

  • /etc/resolv.dnsmasq.conf:

     # IPv4 nameservers: 
 nameserver 1.0.0.1
 # IPv6 nameservers:
 nameserver 2606:4700:4700::1111
 nameserver 2606:4700:4700::1001

  • /etc/dnsmasq.conf:

     resolv-file=/etc/resolv.dnsmasq.conf
 log-queries

Restart NetworkManager and dnsmasq. Now, verify your local nameservers didn't get overwritten:

» cat /etc/resolv.conf
nameserver 127.0.0.1

We can also question NetworkManager:

» cat /run/NetworkManager/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.50.1

» nmcli dev show
...
IP4.DNS[1]:                             192.168.50.1

But those entries are seemingly just indicating what the router has reported, not necessarily what will actually be used for a query, because if we do drill google.com, we see that 127.0.0.1 was in fact used:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Apr 20 11:32:59 2018
;; MSG SIZE  rcvd: 44

Also, if you put log-queries into /etc/dnsmasq.conf as shown above, you see in journalctl after running drill stackoverflow.com twice:

dnsmasq[27679]: query[A] stackoverflow.com from 127.0.0.1
dnsmasq[27679]: forwarded stackoverflow.com to 1.0.0.1
dnsmasq[27679]: reply stackoverflow.com is 151.101.1.69
dnsmasq[27679]: reply stackoverflow.com is 151.101.65.69
dnsmasq[27679]: reply stackoverflow.com is 151.101.129.69
dnsmasq[27679]: reply stackoverflow.com is 151.101.193.69
dnsmasq[27679]: query[A] stackoverflow.com from 127.0.0.1
dnsmasq[27679]: cached stackoverflow.com is 151.101.193.69
dnsmasq[27679]: cached stackoverflow.com is 151.101.129.69
dnsmasq[27679]: cached stackoverflow.com is 151.101.65.69
dnsmasq[27679]: cached stackoverflow.com is 151.101.1.69

The first time it asked 1.0.0.1, the second time it found the result in the cache. You can remove log-queries from dnsmasq.conf if satisfied.

tsj
  • 208
  • 1
  • 4
  • Thanks, this sounds easy enough, but I was hoping something with dnsmasq as well. I quite like the DNS caching + `1.1.1.1` DNS server combination, in theory that should be the fastest. – Taco de Wolff Apr 13 '18 at 23:43
  • It is fast indeed. – tsj Apr 20 '18 at 15:51
  • Thanks for the update! That works really well. I've also set `cache-size=1000` in `/etc/dnsmasq.conf` to actually enable caching. – Taco de Wolff May 10 '18 at 00:59
  • Just a note: you can use the `dnsmasq` module of NetworkManager directly and get the same logging capability. You can do it as follows (the same procedure for any other long command line option, the name of the file doesn't really matter, but they're alphabetically processed): `echo "log-queries" >> /etc/NetworkManager/dnsmasq.d/00-log`. Note that the logs will be under the `NetworkManager` systemd unit. – jmon12 Jan 24 '22 at 12:07
1

A slightly better way, in that it simplifies NetworkManager management, is to use a symlink for /etc/resolv.conf. This is the default in my distro (Fedora), which you can check in your disto by looking at the dns option in man 5 NetworkManager.conf.

Define cloudflare as the authoritative DNS by first creating a file (I used /usr/local/etc/resolv.cloudflare.conf) containing the cloudflare DNS's:

# IPv4 nameservers: 
nameserver 1.1.1.1
nameserver 1.0.0.1
# IPv6 nameservers:
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001

Then symlink to that file, removing the existing file.

sudo rm /etc/resolv.conf sudo ln -s /usr/local/etc/resolv.cloudflare.conf /etc/resolv.conf

At this point, you can verify that the nameserver is doing the right thing by

$ dig google.com

; <<>> DiG 9.11.2-P1-RedHat-9.11.2-1.P1.fc26 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41906
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     185 IN  A   172.217.9.238

;; Query time: 10 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Apr 12 18:00:37 EDT 2018
;; MSG SIZE  rcvd: 55

Note: If your distro's NetworkManager has a different default for the dns= variable, then update it to include the following.

[main]
dns=symlink

Then, NetworkManager will not update resolve.conf if you make /etc/resolve.conf a symlink,

Poynter
  • 11
  • 1