Dnsmasq

I wrote earlier about how I had to do some configuration of my DNS to get dnsmasq and resolved to work well together. With it working well I’m able to use dnsmasq, resolved, and network manager together to do local development while also detecting network changes nicely.

Recently I noticed I would occasionally get the dreaded question-mark network icon: “?” I did some digging around and it was related to Ubuntu’s Network Connectivity check. Several posts out there simply say to disable the check by going to Settings -> Privacy and turning Connectivity Checking to “Off.”

But by disabling connectivity checking, I don’t get the automatic prompt to connect through a captive portal (like at my local library). I wanted to actually fix the problem, so I needed to understand what the problem was.

Continue reading →

Troubleshooting

Ubuntu uses the URL http://connectivity-check.ubuntu.com/ by default for connectivity checking. I went to the command line to see if there were any problems using curl while on my wired network:

$ curl -v http://connectivity-check.ubuntu.com/
*   Trying 35.222.85.5...
* TCP_NODELAY set
* connect to 35.222.85.5 port 80 failed: Connection timed out
*   Trying 35.224.99.156...
* TCP_NODELAY set
* Connected to connectivity-check.ubuntu.com (35.224.99.156) port 80 (#0)
> GET / HTTP/1.1
> Host: connectivity-check.ubuntu.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 204 No Content
< Date: Wed, 09 Dec 2020 16:02:34 GMT
< Server: Apache/2.4.18 (Ubuntu)
< X-NetworkManager-Status: online
< 
* Connection #0 to host connectivity-check.ubuntu.com left intact

Everything seemed to work out in the end, but you can see that the first request failed so it had to fall back to the secondary address. This whole request took 122 seconds.

The problem is, the default connectivity check interval is 120 seconds. So after the first one times out Network Manager flags the computer as offline. Apps like Spotify recognize the offline network status and stop working – despite being actually connected to the internet.

Alternate Endpoints

I could roll-my-own Network Manager connectivity endpoint – but I found an easier solution: use the default Debian endpoint.

The Debian default URL is http://network-test.debian.org/nm which has 3 IPs listed (for fall back) and it is much faster. All I had to do was add this file:

sudo vi /etc/NetworkManager/conf.d/11-connectivity.conf

[connectivity]
uri=http://network-test.debian.org/nm
interval=300

I gave it a little longer interval – 5 minutes instead of 2. It’s probably not necessary as their service responds much faster, but I want to avoid the question-mark-of-no-connectivity as much as possible but still retain features like captive portal detection.

Restart after you’ve saved that file and you should be good to go!

← Summary Only

I had a weird problem recently that I solved, and it was mostly due to my mis-configuring of my Ubuntu laptop. I finally figured it out when setting up my new Dell XPS Developer Edition laptop, so I wanted to share.

The situation: I would go to my local library and couldn’t connect to their wireless internet. But if I disabled dnsmasq and restarted the network-manager service, it would work fine.

What I didn’t realize was happening is dnsmasq was taking over local DNS control from the systemd-resolved service. What is systemd-resolved and why is it important? The man page reads:

systemd-resolved is a system service that provides network name resolution to local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR and MulticastDNS resolver and responder.

My library uses a captive portal. When you connect to their network it brings up a page that makes you agree before actually being able to use the network. systemd-resolved has all the know-how to handle that – dnsmasq doesn’t.

I love dnsmasq and don’t want to lose it’s functionality. I want to use both the system resolved (pronounced resolve-D) and dnsmasq. Here’s how to have your cake and eat it too.

Continue reading →

DNSMasq via NetworkManager

To use the dnsmasq plugin that is installed with NetworkManager, I just needed to add the bold line to the main section of NetworkManager.conf via sudo vi /etc/NetworkManager/NetworkManager.conf

[main]
plugins=ifupdown,keyfile
dns=dnsmasq

Local sites

This section is optional, I do it to create a local domain name that only exists on my local computer for web development purposes. Anything that ends in .test resolves to localhost. Also, I use a loopback IP address for my .test addresses in case I need to access them through a virtual machine (usually to test IE).

Then add this file, by running sudo vi /etc/NetworkManager/dnsmasq.d/01-dot-test.conf

address=/test/10.254.254.254

Why do I use .test? See this post.

Chaining DNSMasq & resolveconf

To really make things work I wanted to keep both resolved and dnsmasq working together in tandem. I found the answer in this thread on ubuntuforums.org. resolved just needs to know to use dnsmasq as its upstream provider. You can do this by adding the following bold lines via sudo vi /etc/systemd/resolved.conf

[Resolve]
DNS=127.0.1.1
FallbackDNS=127.0.1.1
Domains=lan local test

The Domains line is present in Ubuntu 18.04 as lan local and it works like that. In 20.04 it is not present, but needs to be there with your dnsmasq domain(s) (test in my case) in order to pass queries for that domain to dnsmasq upstream – otherwise resolved ignores them.

You can restart network-manager and systemd-resolved services to apply your changes, or simply reboot your system.

Test it out

To make sure that it’s working, first check your resolv.conf file by running cat /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
...
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
...

nameserver 127.0.0.53
...

This file should be managed by resolved and use the resolved IP of 127.0.0.53. Then use the hint given in that file to check the upstream server: systemd-resolve --status

Global
         DNS Servers: 127.0.1.1
          DNSSEC NTA: 10.in-addr.arpa
                      ...
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Ping a couple of domain names, both local and remote, and you should be good to go!

← Summary Only

I set up a new testing environment for IE11 through VirtualBox on my computer running Ubuntu. But I couldn’t get to any of my sites that are served by the Ubuntu host. I had to do some tricks to get this working on my old work Mac, and the same principle applies for Ubuntu.

Continue reading →

On my Ubuntu system, I use Dnsmasq for local DNS so I can test sites locally like client1.test, client2.test, etc. Normally those fake top-level domains resolve to a localhost IP: 127.0.0.1. But when you bring VirtualBox into the mix, the host and the guest both have their own notions of localhost. We need a common ground to communicate on. This is solved with a loopback alias.

Loopback Alias

A loopback alias is just another IP that you can assign to your localhost loopback device. To add one, add the following to your network interfaces configuration file:

sudo vi /etc/network/interfaces

auto lo:0
iface lo:0 inet static
	address 10.254.254.254
	network 10.0.0.0
	netmask 255.255.255.255

sudo service networking restart

Now instead of having your fake TLDs resolve to 127.0.0.1, we need them to resolve to our loopback alias address – 10.254.254.254. Depending if you’re using Dnsmasq with or without NetworkManager, you can edit/add the following file (respectively):

sudo vi /etc/NetworkManager/dnsmasq.d/01_localhost
OR
sudo vi /etc/dnsmasq.d/01_localhost

address=/test/10.254.254.254

sudo service network-manager restart

VirtualBox Networking

Lastly, we just need to tell our VirtualBox guest to use the DNS from our host system. These instructions work for both OSX and Linux hosts: https://serverfault.com/questions/453185/vagrant-virtualbox-dns-10-0-2-3-not-working/453260

I’m using the 2nd option to make the guest use the host’s DNS settings:

VBoxManage modifyvm "VM name" --natdnshostresolver1 on

Test everything out by starting your VM guest and pinging 10.254.254.254 for network connectivity. Then try to ping a .test domain from the guest. If it looks good you should be able to load a .test domain through Internet Explorer on the guest OS.

← Summary Only

This is part three of a three part series covering Dnsmasq’s uses regarding:

Local Development DNS
Local Area Network (LAN) DNS
Virtual Private Network (VPN) routing

IT savvy business often use a Virtual Private Network (VPN) connection to allow employees to connect to the (normally internal) work network while they’re traveling or working from home. Many VPNs (once connected) act at the default gateway for your computer. This is effectively like unplugging your computer from your local network and plugging it in at your workplace. This is probably for security reasons, and it’s certainly a simple configuration for most, as your computer is truly now on a remote network as if you were at your desk at work. But for some, this is becomes a restriction, and we’ll examine some cases and a workaround.

Continue reading →

Let’s say I’m connected to the VPN. All of my internet traffic goes through the VPN which is a thousand miles away. If I’m streaming a local radio station, that’s a long way to go out-and-back for something that is truly local. In addition, all of my local network resources are less usable because the VPN has instructed my computer to use the VPN’s DNS servers, so I can now only access them by IP.

It is possible to be connected to the VPN and still have access to local resources, and route (non-VPN) traffic though your normal gateway. Your VPN administrator might say this is poses a security risk, but s/he’ll be none the wiser if you don’t let on.

This configuration is for Dnsmasq and NetworkManager, which is used by Ubuntu & Fedora. But there’s no reason the concepts here can’t be applied to other Linux distributions and/or OSX.

VPN Gateway

Connect to your VPN per normal using NetworkManager. Once you’re connected you can probably deduce the default gateway by looking at output from running a traceroute to a known computer on the VPN (such as the nameserver – see below).

$ traceroute 10.20.0.26
traceroute to 10.20.0.26 (10.20.0.26), 30 hops max, 60 byte packets
 1  * * *
 2  10.20.44.253 (10.20.44.253)  101.294 ms  101.715 ms  102.610 ms
 3  10.20.0.26 (10.20.0.26)  100.205 ms  101.022 ms  101.486 ms

The first IP is likely the VPN’s default gateway, 10.20.44.253 in this case.

VPN Name Servers

You’ll also want to grab the name servers for your VPN. You can probably just inspect your /etc/resolv.conf file for this information:

$ cat /etc/resolv.conf
...
nameserver 10.20.0.26

Add new VPN connection

With this information at hand, disconnect from the VPN and create a new VPN connection in NetworkManager that is essentially the same as the existing one. Name the new connection something that indicates it’s custom (we’ll use this name later). In NetworkManager on the IPv4 Settings tab, set the Method to Automatic (VPN) addresses only:

Then click the Routes… button. In the Routes dialog you’ll want to put in the network information for your work, using the information you deduced using traceroute. My VPN addresses are all 10.x.x.x, and the VPN gateway is 10.20.44.253. So I added a line to the route table like this:

You can find the network address and netmask from the Private Network table on Wikipedia. The metric number should be fine at 10. Check the boxes to ignore obtained routes and to only use this network for resources contained within.

That gets you essentially halfway there, you can connect to the VPN and only requests for resources with network addresses that are part of the VPN will be routed through the VPN connection, everything else will gateway through your normal ISP. You can (and probably should) test this configuration by connecting to the VPN and ping-ing or traceroute-ing to a computer on the VPN (such as the nameserver) just to make sure the custom routing established is indeed working. Once routing is working, we need to fix the DNS as it’s kind of useless without it.

Create a NetworkManager dispatcher.d script to start Dnsmasq

In /etc/NetworkManager/dispatcher.d add a file called 05vpn:

#!/bin/sh

if [ "$2" = "vpn-up" ]; then
        CONN_NAME=`/usr/bin/nm-tool | grep VPN | sed 's/^.*\[\(.*\)\].*$/\1/'`
        if [ "$CONN_NAME" = "VPN Custom" ]; then
                /etc/init.d/dnsmasq start
        fi
fi

if [  "$2" = "vpn-down" ]; then
        /etc/init.d/dnsmasq stop
fi

Set the comparison to $CONN_NAME to the name of your new VPN connection. After saving the file, set it to be executable:

$ sudo chmod 755 /etc/NetworkManager/dispatcher.d/05vpn

The /etc/NetworkManager/dispatcher.d files are executed whenever a network interface goes up or down. The 05vpn file will start/stop Dnsmasq when the “custom” VPN connection is turned on/off.

Configure Dnsmasq for your VPN

Configuring Dnsmasq for your VPN really boils down to adding server entries for every domain that either resides on the VPN, or that you want to route through the VPN. Add a file in /etc/dnsmasq.d for your VPN DNS settings, such as /etc/dnsmasq.d/02_vpn

If your work has it’s own Top Level Domain (TLD), add a server line with the VPN DNS server IP and the TLD:

server=/tld/10.20.0.26

Similarly, if there are certain domains (like your company’s domain name) that act differently when you’re on the VPN, you’ll want to have them route through the VPN:

server=/mywork.com/10.20.0.26

That’s all there is to it. I’ve noticed some (newer) versions of NetworkManager automagically employ Dnsmasq to let you use any LAN resources, but other traffic (such as streaming music) would still go through the VPN.

Happy Hacking!

← Summary Only

This is part two of a three part series covering Dnsmasq’s uses regarding:

In my previous post I covered using Dnsmasq locally to bring some organization to local web development. Now I’d like to cover Dnsmasq’s use on a Local Area Network (LAN), you don’t need to be a developer to appreciate Dnsmasq as we kick it up a notch and spread the love across the network.

Continue reading →

Using Dnsmasq locally is nice and all, but what if you have a home network with multiple computers, each serving different purposes? You probably want them to inter-operate smoothly, and it’s nice to reference things by name rather than having to remember IP addresses.

OpenWrt & Dnsmasq

If you have a computer/server on your network that is on most of the time, this would be an appropriate candidate to run Dnsmasq on. Or, you can do it my preferred way, which is to buy a wireless router that supports OpenWrt (an open-source router firmware) – it includes Dnsmasq. If you decide to use an existing Mac or Unix box on your network to run Dnsmasq, see my first post regarding Dnsmasq installation and configuration, and read the documentation on Dnsmasq’s DHCP options.

For those that go the OpenWrt route, here are some tips on configuring Dnsmasq on OpenWrt Backfire (10.03.1 – latest stable as of 2012). Once your router has the OpenWrt firmware installed and you’ve logged into the web interface, navigate to the DHCP and DNS tab under Network:

The premise behind Dnsmasq is that it not only includes a DNS Server, it also includes a DHCP server. When DCHP is enabled, Dnsmasq will automagically create a DNS name for each computer that connects to the network, based on it’s hostname.

The Server Settings that determine the Top Level Domain (TLD) are Local server and Local domain, set to “lan” in my case. Every host that connects will get a “.lan” domain name. If you look at the list of Active Leases you can imagine each one getting a domain name like lappy64.lan (a play on Strongbad’s Lappy 486), printer.lan, mythtv.lan, etc. In fact, the “.lan” extension is not even needed, hosts can be address simply by their hostname – how easy is that?

For some stubborn devices, which do not report a hostname when asking for an IP address (see those with hostname of “?” in the Active Leases box), the Static Leases section can help out. Once the device is connected, click Add in the Static Leases box, then select the device’s MAC-Address from the list. Under Hostname, type in the name you’d like it to be referenced as, such as “printer.” Give the device a static IP address (something that’s not in the DHCP range specified on the Network > Interfaces > Lan tab – below .50 is probably safe). Save & Apply your changes – you might have to force the device to reconnect in order for it to get the new address.

If you’ve got computers/devices that report a hostname just fine but you’d still like to assign a static IP to, use the Static Leases section in the same way, but leave the hostname field blank.

← Summary Only

Justin Foell

Technology, Bicycling, Hobbies, Kids, Life.

Tag Archives: Dnsmasq

Improved Connection Checking in Ubuntu

Troubleshooting

Alternate Endpoints

Chaining DNSMasq and resolved

DNSMasq via NetworkManager

Local sites

Chaining DNSMasq & resolveconf

Test it out

VirtualBox: connect to Ubuntu host served website

Loopback Alias

Dnsmasq

VirtualBox Networking

(Re)routing VPN traffic with Dnsmasq

VPN Gateway

VPN Name Servers

Add new VPN connection

Create a NetworkManager dispatcher.d script to start Dnsmasq

Configure Dnsmasq for your VPN

Pimp your LAN with OpenWrt & Dnsmasq

OpenWrt & Dnsmasq