Dnsmasq times out querying upstream dns for local lookup?

Thanks @hmmsjan and @vgaetera - I’ll try to answer some questions. I’ve got to say, if this isn’t going right over my head, it’s certainly skimming my bald patch… but, I really appreciate the input!
So:-

[admin@server ~]$ sudo systemctl status systemd-resolved.service
Unit systemd-resolved.service could not be found.
me@myoldmachine:~$ sudo systemctl status systemd-resolved.service
Unit systemd-resolved.service could not be found.
Re /etc/nsswitch.conf
[admin@server ~]$ cat /etc/nsswitch.conf
# Generated by authselect on Sat Aug  3 22:30:20 2024
# Do not modify this file manually.

# If you want to make changes to nsswitch.conf please modify
# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
#
# Note that your changes may not be applied as they may be
# overwritten by selected profile. Maps set in the authselect
# profile takes always precedence and overwrites the same maps
# set in the user file. Only maps that are not set by the profile
# are applied from the user file.
#
# For example, if the profile sets:
#     passwd: sss files
# and /etc/authselect/user-nsswitch.conf contains:
#     passwd: files
#     hosts: files dns
# the resulting generated nsswitch.conf will be:
#     passwd: sss files # from profile
#     hosts: files dns  # from user file

passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files

# Included from /etc/authselect/user-nsswitch.conf

#
# /etc/nsswitch.conf
#
# Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
#	compat			Use /etc files plus *_compat pseudo-db
#	db			Use the pre-processed /var/db files
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files in /etc
#	hesiod			Use Hesiod (DNS) for user lookups
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
#	ldap			Use LDAP directory server
#	myhostname		Use systemd host names
#	mymachines		Use systemd machine names
#	mdns*, mdns*_minimal	Use Avahi mDNS/DNS-SD
#	resolve			Use systemd resolved resolver
#	sss			Use System Security Services Daemon (sssd)
#	systemd			Use systemd for dynamic user option
#	winbind			Use Samba winbind support
#	wins			Use Samba wins support
#	wrapper			Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
# 	   lead to unexpected behaviour, especially with how long
# 	   entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

# In order of likelihood of use to accelerate lookup.
shadow:     files
hosts:      files dns myhostname

aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
[admin@server ~]$

And:

me@myoldmachine:~$ cat /etc/nsswitch.conf
# Generated by authselect on Thu Sep  5 23:17:48 2024
# Do not modify this file manually.

# If you want to make changes to nsswitch.conf please modify
# /etc/authselect/user-nsswitch.conf and run 'authselect apply-changes'.
#
# Note that your changes may not be applied as they may be
# overwritten by selected profile. Maps set in the authselect
# profile takes always precedence and overwrites the same maps
# set in the user file. Only maps that are not set by the profile
# are applied from the user file.
#
# For example, if the profile sets:
#     passwd: sss files
# and /etc/authselect/user-nsswitch.conf contains:
#     passwd: files
#     hosts: files dns
# the resulting generated nsswitch.conf will be:
#     passwd: sss files # from profile
#     hosts: files dns  # from user file

passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files

# Included from /etc/authselect/user-nsswitch.conf

#
# /etc/nsswitch.conf
#
# Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
#	compat			Use /etc files plus *_compat pseudo-db
#	db			Use the pre-processed /var/db files
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files in /etc
#	hesiod			Use Hesiod (DNS) for user lookups
#
# See `info libc 'NSS Basics'` for more information.
#
# Commonly used alternative service providers (may need installation):
#
#	ldap			Use LDAP directory server
#	myhostname		Use systemd host names
#	mymachines		Use systemd machine names
#	mdns*, mdns*_minimal	Use Avahi mDNS/DNS-SD
#	resolve			Use systemd resolved resolver
#	sss			Use System Security Services Daemon (sssd)
#	systemd			Use systemd for dynamic user option
#	winbind			Use Samba winbind support
#	wins			Use Samba wins support
#	wrapper			Use wrapper module for testing
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
# 	   lead to unexpected behaviour, especially with how long
# 	   entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

# In order of likelihood of use to accelerate lookup.
shadow:     files
hosts:      files mdns4_minimal [NOTFOUND=return] dns myhostname

aliases:    files
ethers:     files
gshadow:    files
# Allow initgroups to default to the setting for group.
# initgroups: files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
me@myoldmachine:~$
Re /etc/resolv.conf
[admin@server ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search office.lan
nameserver 127.0.0.1
options edns0 trust-ad
[admin@server ~]$
me@myselfoldmachine:~$ cat /etc/resolv.conf
# resolv.conf(5) file generated by tailscale
# For more info, see https://tailscale.com/s/resolvconf-overwrite
# DO NOT EDIT THIS FILE BY HAND -- CHANGES WILL BE OVERWRITTEN

nameserver 100.100.100.100
search tail89da8b.ts.net office.lan
me@myselfoldmachine:~$

I have installed tailscale recently on both machines - it’s not running on the server, but I do have it running on and off on mymachine.

DHCP seems to be working for all clients - I have the server with a static address on 192.168.1.40 but also included it as a static lease because I understand that dnsmasq returns DNS queries for hosts known to its DHCP service. The server is the router btw - I wanted to bond two Ethernet links to the Internet to double my speed, which is why I went to the Setting up dnsmasq - a lightweight DHCP and DNS server howto in the first place.

If dnsmasq is providing DNS service to 192.168.1.0/24, is that not correct? The Internet uplink is bond0 with a static address of 192.168.9.2 and has nothing (I hope) to do with dnsmasq. Perhaps the listen address should be 192.168.1.40 - but, iirc it listens on 127.0.0.1 because that’s the DNS listed in /etc/resolv.conf?

Hmm, yes - when I first set up dnsmasq (with 192.168.0.0/24) I had in mind to set up IPv6 locally with a view to it working if/when I got an IPv6 Internet service - I may have gone astray there. Perhaps what’s needed is for me to go back and sort out the IPv6 setup… (But, that might not answer some of the questions.)

/etc/hosts
[admin@server ~]$ cat /etc/hosts
127.0.0.1        localhost localhost.localdomain localhost4 localhost4.localdomain4
::1              localhost localhost.localdomain localhost6 localhost6.localdomain6

# Added by root
192.168.1.40     server
192.168.1.30     fritzbox
# End of root section

# Added by CRC
192.168.130.11   api.crc.testing canary-openshift-ingress-canary.apps-crc.testing console-openshift-console.apps-crc.testing default-route-openshift-image-registry.apps-crc.testing downloads-openshift-console.apps-crc.testing oauth-openshift.apps-crc.testing
# End of CRC section
[admin@server ~]$

btw, the fritzbox isn’t doing DNS or DHCP - just WiFi and VoIP.

I hope I’ve answered some of the questions…

Thanks for sharing the configurations. It excludes things, but does not reveal the problem, I think. In any case, systemd-resolved is not active and not even in /etc/nsswitch.conf. But if properly configured, it should not even do harm.

The active dnsmasq should listen on 127.0.0.1 and 192.168.1.40. I have to check why it does not work in my case. By default it serves as a local cache on 127.0.0.1; that’s the way NetworkManager starts it.

NetworkManager starts dnsmasq with a number of options and dbus control, so control of dnsmasq is partly out of your hands. Because I did not get dhcp, I started with “dnsmasq -C /path/to/configfile”. You could consider taking dnsmasq out of NetworkManager, installing the config in the standard location and running “systemctl start dnsmasq”.

dnsmasq serves IPv4 and IPv6 names in /etc/hosts, so putting them in dhcp fixation is not necessary. But then they should be out of the DHCP range.

There are two remarkable things in the config:

server=/apps-crc.testing/192.168.130.11
server=/crc.testing/192.168.130.11
server=/libvirt.office.lan/192.168.122.1

but if I understand correctly, they are not consulted for office.lan

So for me it is still not clear what ping is waiting for and where the AAAA query goes to.

Yes, both the VMs and crc run separate instances of dnsmasq - if I understand correctly… and create their own setup in /etc/NetworkManager/dnsmasq.d. libvirt.office.lan seemed something sensible (iirc) after consulting a couple of howtos: Auto DNS for libvirt guests and the one in the OP.

The DHCP range is from x.y.z.50 to 250, but I can pull the server out of the DHCP config - I had a feeling from OpenWRT stuff that it helped with DNS resolution if it was in the dnsmasq DHCP config.

In /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.conf I have:

interface=lo
interface=bridge0

Which produces this:

Useful information

[admin@server dnsmasq.d]$ sudo ss -ltup | grep dnsmasq
[sudo] password for admin:
udp UNCONN 0 0 127.0.0.1:domain 0.0.0.0:* users:(("dnsmasq",pid=1629679,fd=8))
udp UNCONN 0 0 192.168.1.40:domain 0.0.0.0:* users:(("dnsmasq",pid=1629679,fd=6))
udp UNCONN 0 0 192.168.130.1:domain 0.0.0.0:* users:(("dnsmasq",pid=3519,fd=5))
udp UNCONN 0 0 192.168.122.1:domain 0.0.0.0:* users:(("dnsmasq",pid=3276,fd=5))
udp UNCONN 0 0 0.0.0.0%bridge0:bootps 0.0.0.0:* users:(("dnsmasq",pid=1629679,fd=4))
udp UNCONN 0 0 0.0.0.0%crc:bootps 0.0.0.0:* users:(("dnsmasq",pid=3519,fd=3))
udp UNCONN 0 0 0.0.0.0%virbr0:bootps 0.0.0.0:* users:(("dnsmasq",pid=3276,fd=3))
udp UNCONN 0 0 [::1]:domain [::]:* users:(("dnsmasq",pid=1629679,fd=12))
udp UNCONN 0 0 [fe80::2ef3:7b72:c9f6:4b90]%bridge0:domain [::]:* users:(("dnsmasq",pid=1629679,fd=10))
tcp LISTEN 0 32 192.168.130.1:domain 0.0.0.0:* users:(("dnsmasq",pid=3519,fd=6))
tcp LISTEN 0 32 127.0.0.1:domain 0.0.0.0:* users:(("dnsmasq",pid=1629679,fd=9))
tcp LISTEN 0 32 192.168.1.40:domain 0.0.0.0:* users:(("dnsmasq",pid=1629679,fd=7))
tcp LISTEN 0 32 192.168.122.1:domain 0.0.0.0:* users:(("dnsmasq",pid=3276,fd=6))
tcp LISTEN 0 32 [fe80::2ef3:7b72:c9f6:4b90]%bridge0:domain [::]:* users:(("dnsmasq",pid=1629679,fd=11))
tcp LISTEN 0 32 [::1]:domain [::]:* users:(("dnsmasq",pid=1629679,fd=13))
[admin@server dnsmasq.d]$

Which I should credit here. Actually, looking back, I see I should also credit @vgaetera for that - @vgaetera’s suggestions are next in line…

ssh exhibits the same symptoms as nslookup and ping

I think spending some time making sense of the IPv6 set up might help

It’s also worth checking pgrep as mentioned above to determine active dnsmasq instances and their runtime options and compare their PIDs with the output of ss.

In addition, you can test AAAA record filtering, although I’m still curious about DNS query logging as it might help identify the cause of the problem.

I remember, ssh took forever.

But that makes the problem easier:
“ssh -4” does not do the AAAA record lookup, in contrast with “ping -4”
And it does not do the reverse lookup, so it looks like somewhere somehow the AAAA lookup gets into the wild.

But your setup looks perfect. Restricting to udp domain,
pid 1629679 listens on 127.0.0.1, 192.168.1.40, ::1 and bridge0 ipv6 link-local,
pid 3519 on 192.168.130.1
pid 3276 on 192.168.122.1

So an AAAA request on the LAN enters 1629679, finds that server.office.lan exists and belongs to office.lan and returns an empty record. I see no way to go outside or form a loop, especially because NetworkManager starts dnsmasq with no-resolv.

Another question: in the NetworkManager setup of bridge0, are there DNS servers specified? I assume they are stored in the server list via dbus.

@vgaetera I actually checked pgrep with the last batch of tests, but thought I’d try not to mix up who I’m running tests for :slight_smile:

So, here we go with post 1/2 (hit the character limit with only one post):-

For `pgrep -f -a dnsmasq`
[admin@server ~]$ pgrep -f -a dnsmasq
3276 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
3278 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
3519 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/crc.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
3520 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/crc.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
2369268 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1 --cache-size=400 --clear-on-reload --conf-file=/dev/null --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
[admin@server ~]$

Hmm, I wonder why libvirt is running two dnsmasq instances each for ‘default’ and ‘crc’?

Following this little howto, here’s logging for NM’s instance of dnsmasq (I didn’t see any change to what systemctl status reports as the flags for NM’s instance of dnsmasq, but it seemed to produce output when log-queries was included in a conf file under /etc/NetworkManager/dnsmasq.d and not when it wasn’t included… so, I guess logging was enabled).

For `nslookup server.office.lan 127.0.0.1`
[admin@server dnsmasq.d]$ sudo tail -F /var/log/messages | grep dnsmasq
Sep 13 14:16:03 server dnsmasq[2369268]: cached location.services.mozilla.com is <CNAME>
Sep 13 14:16:03 server dnsmasq[2369268]: cached prod.classify-client.prod.webservices.mozgcp.net is NODATA-IPv6
Sep 13 14:16:07 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:16:07 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:16:07 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:16:07 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:16:07 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:16:07 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:16:07 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:16:07 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 13 14:16:15 server dnsmasq[2369268]: query[A] server.office.lan from 127.0.0.1
Sep 13 14:16:15 server dnsmasq[2369268]: /etc/hosts server.office.lan is 192.168.1.40
Sep 13 14:16:15 server dnsmasq[2369268]: query[AAAA] server.office.lan from 127.0.0.1
Sep 13 14:16:15 server dnsmasq[2369268]: forwarded server.office.lan to 1.1.1.1
Sep 13 14:16:15 server dnsmasq[2369268]: forwarded server.office.lan to 1.0.0.1
Sep 13 14:16:16 server dnsmasq[2369268]: query[A] d.la1-core1.sfdc-lywfpd.salesforceliveagent.com from 192.168.1.141
Sep 13 14:16:16 server dnsmasq[2369268]: forwarded d.la1-core1.sfdc-lywfpd.salesforceliveagent.com to 1.1.1.1
Sep 13 14:16:16 server dnsmasq[2369268]: reply d.la1-core1.sfdc-lywfpd.salesforceliveagent.com is <CNAME>
Sep 13 14:16:16 server dnsmasq[2369268]: reply la1-core1.sfdc-lywfpd.salesforceliveagent.com is 44.230.68.225
Sep 13 14:16:16 server dnsmasq[2369268]: reply la1-core1.sfdc-lywfpd.salesforceliveagent.com is 52.34.120.199
Sep 13 14:16:16 server dnsmasq[2369268]: reply la1-core1.sfdc-lywfpd.salesforceliveagent.com is 52.42.129.124
Sep 13 14:16:16 server dnsmasq[2369268]: query[AAAA] d.la1-core1.sfdc-lywfpd.salesforceliveagent.com from 192.168.1.141
Sep 13 14:16:16 server dnsmasq[2369268]: cached d.la1-core1.sfdc-lywfpd.salesforceliveagent.com is <CNAME>
Sep 13 14:16:16 server dnsmasq[2369268]: forwarded d.la1-core1.sfdc-lywfpd.salesforceliveagent.com to 1.1.1.1
Sep 13 14:16:16 server dnsmasq[2369268]: reply d.la1-core1.sfdc-lywfpd.salesforceliveagent.com is <CNAME>
Sep 13 14:16:16 server dnsmasq[2369268]: reply la1-core1.sfdc-lywfpd.salesforceliveagent.com is NODATA-IPv6
Sep 13 14:16:17 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:16:17 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:16:17 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:16:17 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:16:17 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:16:17 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:16:17 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:16:17 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:17 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:20 server dnsmasq[2369268]: query[AAAA] server.office.lan from 127.0.0.1
Sep 13 14:16:20 server dnsmasq[2369268]: forwarded server.office.lan to 1.1.1.1
Sep 13 14:16:20 server dnsmasq[2369268]: forwarded server.office.lan to 1.0.0.1
Sep 13 14:16:20 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:20 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:20 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:20 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:20 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:20 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:21 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:21 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:24 server dnsmasq[2369268]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 13 14:16:24 server dnsmasq[2369268]: cached discussion.fedoraproject.org is <CNAME>
Sep 13 14:16:24 server dnsmasq[2369268]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 13 14:16:24 server dnsmasq[2369268]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 13 14:16:24 server dnsmasq[2369268]: cached discussion.fedoraproject.org is <CNAME>
Sep 13 14:16:24 server dnsmasq[2369268]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 13 14:16:25 server dnsmasq[2369268]: query[AAAA] server.office.lan from 127.0.0.1
Sep 13 14:16:25 server dnsmasq[2369268]: forwarded server.office.lan to 1.1.1.1
Sep 13 14:16:25 server dnsmasq[2369268]: forwarded server.office.lan to 1.0.0.1
Sep 13 14:16:25 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:25 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:25 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:25 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:25 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:25 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:26 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:16:26 server setroubleshoot[2376477]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:16:27 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:16:27 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:16:27 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:16:27 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:16:27 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:16:27 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:16:27 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:16:27 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
^C
[admin@server dnsmasq.d]$
[admin@server ~]$ nslookup server.office.lan 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	server.office.lan
Address: 192.168.1.40
;; connection timed out; no servers could be reached


[admin@server ~]$
For `nslookup printer.office.lan 127.0.0.1`
[admin@server dnsmasq.d]$ sudo tail -F /var/log/messages | grep dnsmasq
Sep 13 14:23:10 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:23:10 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 13 14:23:20 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:23:20 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:23:20 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:23:20 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:23:20 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:23:20 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:23:20 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:23:20 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 13 14:23:27 server dnsmasq[2369268]: query[A] printer.office.lan from 127.0.0.1
Sep 13 14:23:27 server dnsmasq[2369268]: forwarded printer.office.lan to 1.1.1.1
Sep 13 14:23:27 server dnsmasq[2369268]: forwarded printer.office.lan to 1.0.0.1
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:30 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:30 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:23:30 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:23:30 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:23:30 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:23:30 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:23:30 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:23:30 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:23:30 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 13 14:23:32 server dnsmasq[2369268]: query[A] printer.office.lan from 127.0.0.1
Sep 13 14:23:32 server dnsmasq[2369268]: forwarded printer.office.lan to 1.1.1.1
Sep 13 14:23:32 server dnsmasq[2369268]: forwarded printer.office.lan to 1.0.0.1
Sep 13 14:23:33 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:33 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:33 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:33 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:33 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:33 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:34 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:34 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:34 server dnsmasq[2369268]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 13 14:23:34 server dnsmasq[2369268]: cached discussion.fedoraproject.org is <CNAME>
Sep 13 14:23:34 server dnsmasq[2369268]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 13 14:23:34 server dnsmasq[2369268]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 13 14:23:34 server dnsmasq[2369268]: cached discussion.fedoraproject.org is <CNAME>
Sep 13 14:23:34 server dnsmasq[2369268]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 13 14:23:37 server dnsmasq[2369268]: query[A] printer.office.lan from 127.0.0.1
Sep 13 14:23:37 server dnsmasq[2369268]: forwarded printer.office.lan to 1.1.1.1
Sep 13 14:23:37 server dnsmasq[2369268]: forwarded printer.office.lan to 1.0.0.1
Sep 13 14:23:38 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:38 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:38 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:38 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:38 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:38 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:39 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:23:39 server setroubleshoot[2376987]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:23:40 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:23:40 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:23:40 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:23:40 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:23:40 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:23:40 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:23:40 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:23:40 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
^C
[admin@server dnsmasq.d]$
[admin@server ~]$ nslookup printer.office.lan 127.0.0.1
;; connection timed out; no servers could be reached


[admin@server ~]$

I’m puzzled why that didn’t return anything - perhaps because ‘printer’ is a 20-year-old Ricoh… Perhaps because I had the printer switched off… Here’s the same for ‘fritzbox’:
[continued next post 2/2]

1 Like

[post 2/2]

For `nslookup fritzbox.office.lan 127.0.0.1`
[admin@server dnsmasq.d]$ sudo tail -F /var/log/messages | grep dnsmasq
Sep 13 14:46:14 server dnsmasq[2369268]: cached discussion.fedoraproject.org is <CNAME>
Sep 13 14:46:14 server dnsmasq[2369268]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 13 14:46:15 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:46:15 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:46:15 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:46:15 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:46:15 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:46:15 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:46:15 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:46:15 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 13 14:46:18 server dnsmasq[2369268]: query[A] fritzbox.office.lan from 127.0.0.1
Sep 13 14:46:18 server dnsmasq[2369268]: /etc/hosts fritzbox.office.lan is 192.168.1.30
Sep 13 14:46:18 server dnsmasq[2369268]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 13 14:46:18 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 13 14:46:18 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:20 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:22 server dnsmasq[2369268]: query[A] location.services.mozilla.com from 192.168.1.141
Sep 13 14:46:22 server dnsmasq[2369268]: forwarded location.services.mozilla.com to 1.1.1.1
Sep 13 14:46:22 server dnsmasq[2369268]: query[AAAA] location.services.mozilla.com from 192.168.1.141
Sep 13 14:46:22 server dnsmasq[2369268]: forwarded location.services.mozilla.com to 1.1.1.1
Sep 13 14:46:22 server dnsmasq[2369268]: reply location.services.mozilla.com is <CNAME>
Sep 13 14:46:22 server dnsmasq[2369268]: reply prod.classify-client.prod.webservices.mozgcp.net is 35.190.72.216
Sep 13 14:46:22 server dnsmasq[2369268]: reply location.services.mozilla.com is <CNAME>
Sep 13 14:46:22 server dnsmasq[2369268]: reply prod.classify-client.prod.webservices.mozgcp.net is NODATA-IPv6
Sep 13 14:46:23 server dnsmasq[2369268]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 13 14:46:23 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 13 14:46:23 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 13 14:46:23 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:23 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:23 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:23 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:23 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:23 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:24 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:24 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:25 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:46:25 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:46:25 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:46:25 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:46:25 server dnsmasq[2369268]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 13 14:46:25 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:46:25 server dnsmasq[2369268]: cached bam.cell.nr-data.net is <CNAME>
Sep 13 14:46:25 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 13 14:46:27 server dnsmasq[2369268]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 13 14:46:27 server dnsmasq[2369268]: cached discussion.fedoraproject.org is <CNAME>
Sep 13 14:46:27 server dnsmasq[2369268]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 13 14:46:27 server dnsmasq[2369268]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 13 14:46:27 server dnsmasq[2369268]: cached discussion.fedoraproject.org is <CNAME>
Sep 13 14:46:27 server dnsmasq[2369268]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 13 14:46:28 server dnsmasq[2369268]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 13 14:46:28 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 13 14:46:28 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 13 14:46:28 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:28 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:28 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:28 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:28 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:28 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 13 14:46:29 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 13 14:46:29 server setroubleshoot[2379545]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
^C
[admin@server dnsmasq.d]$
[admin@server ~]$ nslookup fritzbox.office.lan 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	fritzbox.office.lan
Address: 192.168.1.30
;; connection timed out; no servers could be reached


[admin@server ~]$

There seems to be a lot of chatter from SELinux… … …

And, now I know the printer is on, its nslookup is producing a result for it too:

For `nslookup printer.office.lan 127.0.0.1`
[admin@server ~]$ nslookup printer.office.lan 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	printer.office.lan
Address: 192.168.1.120
;; connection timed out; no servers could be reached


[admin@server ~]$

Here’s the rest:-

For `grep -e ^hosts: /etc/nsswitch.conf`
[admin@server ~]$ sudo grep -e ^hosts: /etc/nsswitch.conf
hosts:      files dns myhostname
[admin@server ~]$
For `grep -v -e ^# /etc/resolv.conf`
[admin@server ~]$ grep -v -e ^# /etc/resolv.conf
search office.lan
nameserver 127.0.0.1
options edns0 trust-ad
[admin@server ~]$
For `sudo ss -lnpAinet | grep -e dnsmasq -e :53`
[admin@server ~]$ sudo ss -lnpAinet | grep -e dnsmasq -e :53
udp   UNCONN 0      0                                127.0.0.1:53         0.0.0.0:*    users:(("dnsmasq",pid=2369268,fd=8))                      
udp   UNCONN 0      0                             192.168.1.40:53         0.0.0.0:*    users:(("dnsmasq",pid=2369268,fd=6))                      
udp   UNCONN 0      0                            192.168.130.1:53         0.0.0.0:*    users:(("dnsmasq",pid=3519,fd=5))                         
udp   UNCONN 0      0                            192.168.122.1:53         0.0.0.0:*    users:(("dnsmasq",pid=3276,fd=5))                         
udp   UNCONN 0      0                          0.0.0.0%bridge0:67         0.0.0.0:*    users:(("dnsmasq",pid=2369268,fd=4))                      
udp   UNCONN 0      0                              0.0.0.0%crc:67         0.0.0.0:*    users:(("dnsmasq",pid=3519,fd=3))                         
udp   UNCONN 0      0                           0.0.0.0%virbr0:67         0.0.0.0:*    users:(("dnsmasq",pid=3276,fd=3))                         
udp   UNCONN 0      0                                  0.0.0.0:5353       0.0.0.0:*    users:(("avahi-daemon",pid=1945,fd=12))                   
udp   UNCONN 0      0                                     [::]:53985         [::]:*    users:(("avahi-daemon",pid=1945,fd=15))                   
udp   UNCONN 0      0                                    [::1]:53            [::]:*    users:(("dnsmasq",pid=2369268,fd=12))                     
udp   UNCONN 0      0      [fe80::2ef3:7b72:c9f6:4b90]%bridge0:53            [::]:*    users:(("dnsmasq",pid=2369268,fd=10))                     
udp   UNCONN 0      0                                     [::]:5353          [::]:*    users:(("avahi-daemon",pid=1945,fd=13))                   
tcp   LISTEN 0      32                           192.168.130.1:53         0.0.0.0:*    users:(("dnsmasq",pid=3519,fd=6))                         
tcp   LISTEN 0      32                               127.0.0.1:53         0.0.0.0:*    users:(("dnsmasq",pid=2369268,fd=9))                      
tcp   LISTEN 0      32                            192.168.1.40:53         0.0.0.0:*    users:(("dnsmasq",pid=2369268,fd=7))                      
tcp   LISTEN 0      32                           192.168.122.1:53         0.0.0.0:*    users:(("dnsmasq",pid=3276,fd=6))                         
tcp   LISTEN 0      32     [fe80::2ef3:7b72:c9f6:4b90]%bridge0:53            [::]:*    users:(("dnsmasq",pid=2369268,fd=11))                     
tcp   LISTEN 0      32                                   [::1]:53            [::]:*    users:(("dnsmasq",pid=2369268,fd=13))                     
[admin@server ~]$

HTH (Me! :laughing:)
Thanks

1 Like
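The log excerpts in the two posts above show the pattern this thread is chasing: the A query for fritzbox.office.lan is answered from /etc/hosts, while the AAAA query for the same name, and both printer.office.lan queries while its lease was gone, are forwarded to 1.1.1.1 and 1.0.0.1 and never get a `reply` line (the public forward for location.services.mozilla.com does). Internal hostnames reaching a public resolver is a disclosure in itself, and the missing reply is what nslookup reports as a timeout after it has already printed the A record. As an added example (not code from the original posts or from the dnsmasq project), the script below scans dnsmasq `log-queries` output and flags every query for an internal domain that left for an upstream. The sample lines are constructed to mirror the excerpts above, and the `office.lan` domain list is an assumption taken from the `search office.lan` line in the poster's resolv.conf.

```python
"""Flag internal-domain DNS queries that dnsmasq forwarded to public upstreams.

Added example for the thread above; not code from the original posts or from
the dnsmasq project. Input is dnsmasq 'log-queries' output as it appears in
/var/log/messages or 'journalctl -u dnsmasq'.
"""
import re
from collections import defaultdict

# Assumption: office.lan is the domain this dnsmasq should answer by itself
# (local=/office.lan/); queries under it must never reach a public resolver.
LOCAL_DOMAINS = ("office.lan",)

_QUERY = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
_FORWARD = re.compile(r"dnsmasq\[\d+\]: forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
_REPLY = re.compile(r"dnsmasq\[\d+\]: reply (?P<name>\S+) is (?P<value>.+)$")
# Locally sourced answers: a hosts file path, the cache, static config, or a DHCP lease.
_LOCAL = re.compile(r"dnsmasq\[\d+\]: (?P<source>/\S+|cached|config|DHCP) (?P<name>\S+) is (?P<value>.+)$")


def is_local_name(name, local_domains=LOCAL_DOMAINS):
    """True if name is one of the local domains or a subdomain of one."""
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d) for d in local_domains)


def analyze(lines, local_domains=LOCAL_DOMAINS):
    """Correlate each query with what dnsmasq did with it.

    dnsmasq logs 'forwarded NAME to SERVER' without the record type, so the type
    is taken from the most recent 'query[TYPE] NAME from CLIENT' line for that name.
    """
    pending = {}          # name -> (qtype, client) of the latest query for it
    leaks = []            # local names dnsmasq sent to an upstream
    local_answers = []    # local names answered without leaving the box
    for line in lines:
        m = _QUERY.search(line)
        if m:
            pending[m["name"]] = (m["qtype"], m["client"])
            continue
        m = _FORWARD.search(line)
        if m:
            if is_local_name(m["name"], local_domains):
                qtype, client = pending.get(m["name"], ("?", "?"))
                leaks.append({"name": m["name"], "qtype": qtype, "client": client,
                              "upstream": m["upstream"], "answered": False})
            continue
        m = _REPLY.search(line)
        if m:
            # An upstream answered; a forward with no reply is the timeout nslookup shows.
            for e in leaks:
                if e["name"] == m["name"]:
                    e["answered"] = True
            continue
        m = _LOCAL.search(line)
        if m and is_local_name(m["name"], local_domains):
            qtype, client = pending.get(m["name"], ("?", "?"))
            local_answers.append({"name": m["name"], "qtype": qtype,
                                  "source": m["source"], "value": m["value"]})
    return {"leaks": leaks, "local_answers": local_answers}


def summarize(result):
    """(name, qtype) -> sorted outcomes, e.g. ['/etc/hosts'] or ['forwarded:1.0.0.1', 'forwarded:1.1.1.1']."""
    out = defaultdict(set)
    for e in result["leaks"]:
        out[(e["name"], e["qtype"])].add("forwarded:" + e["upstream"])
    for e in result["local_answers"]:
        out[(e["name"], e["qtype"])].add(e["source"])
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample, modelled on the log excerpts in the thread.
SAMPLE_LOG = """\
Sep 13 14:23:20 server dnsmasq[2369268]: query[A] bam.nr-data.net from 192.168.1.141
Sep 13 14:23:20 server dnsmasq[2369268]: cached bam.nr-data.net is <CNAME>
Sep 13 14:23:20 server dnsmasq[2369268]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 13 14:23:27 server dnsmasq[2369268]: query[A] printer.office.lan from 127.0.0.1
Sep 13 14:23:27 server dnsmasq[2369268]: forwarded printer.office.lan to 1.1.1.1
Sep 13 14:23:27 server dnsmasq[2369268]: forwarded printer.office.lan to 1.0.0.1
Sep 13 14:46:18 server dnsmasq[2369268]: query[A] fritzbox.office.lan from 127.0.0.1
Sep 13 14:46:18 server dnsmasq[2369268]: /etc/hosts fritzbox.office.lan is 192.168.1.30
Sep 13 14:46:18 server dnsmasq[2369268]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 13 14:46:18 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 13 14:46:18 server dnsmasq[2369268]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 13 14:46:22 server dnsmasq[2369268]: query[A] location.services.mozilla.com from 192.168.1.141
Sep 13 14:46:22 server dnsmasq[2369268]: forwarded location.services.mozilla.com to 1.1.1.1
Sep 13 14:46:22 server dnsmasq[2369268]: reply location.services.mozilla.com is <CNAME>
"""


def main():
    result = analyze(SAMPLE_LOG.splitlines())
    for (name, qtype), outcomes in sorted(summarize(result).items()):
        print(f"{name:22} {qtype:5} {', '.join(outcomes)}")
    unanswered = sum(not e["answered"] for e in result["leaks"])
    print(f"\n{len(result['leaks'])} upstream forward(s) of {', '.join(LOCAL_DOMAINS)} names, "
          f"{unanswered} never got a reply")


if __name__ == "__main__":
    main()
```

To run it against a live box, replace `SAMPLE_LOG.splitlines()` with `sys.stdin` and pipe `grep dnsmasq /var/log/messages` or `journalctl -u dnsmasq -o short` into it; with `local=/office.lan/` actually in effect, every office.lan row should read `/etc/hosts`, `DHCP` or `config` (dnsmasq logs `config NAME is NODATA-IPv6` for an AAAA query on a hosts-only name) and the leak count should be zero.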

Apparently it starts a dnsmasq instance for each virtual network as root without port binding, which forks another instance running as a restricted user and binds service ports.

This indicates the current DHCP lease expired or was lost by the server, and/or the client did not renew it in time for some reason.
BTW, the dnsmasq init script in OpenWrt automatically creates static DNS records for DHCP entries to make it work even for offline clients.

It is recommended to rule out possible issues with incorrect labels:

sudo fixfiles -F onboot
sudo reboot

After relabeling, collect the proper denial messages if the issue persists:

sudo setenforce 0
nslookup server.office.lan 127.0.0.1
nslookup printer.office.lan 127.0.0.1
journalctl -b _AUDIT_TYPE_NAME=AVC

Using permissive mode helps bypass the lockdown so the problem is easier to trace.

This looks like the local option is ignored perhaps due to incorrect SELinux labels.

1 Like
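Before following setroubleshoot's suggestion to pipe `ausearch` into `audit2allow` and install whatever module falls out, it is worth reading the AVC records the post above asks for and seeing what would actually be allowed. As an added example (not from the thread, Fedora's selinux-policy or the dnsmasq project), the script below groups AVC denials as printed by `journalctl -b _AUDIT_TYPE_NAME=AVC` or `ausearch -m AVC`, drafts the `allow` rule audit2allow would emit for each group so it can be reviewed, and notes whether a filesystem relabel can fix that group at all. The sample records are constructed: the first two mirror the setroubleshoot summary in the thread (dnsmasq denied `create` on a socket labelled dnsmasq_t) but the object class `udp_socket` and the pids are assumptions, and the third record is a made-up mislabelled file for contrast.

```python
"""Summarise SELinux AVC denials before deciding whether to allow them.

Added example for the relabel / permissive-mode advice above; not code from the
thread or from Fedora's selinux-policy. It reads AVC records as printed by
'journalctl -b _AUDIT_TYPE_NAME=AVC' or 'ausearch -m AVC', groups them, drafts
the allow rule audit2allow would generate so it can be reviewed, and says
whether a filesystem relabel can possibly fix each group.
"""
import re
from collections import Counter

_AVC = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose labels live on disk and are therefore what fixfiles /
# restorecon can change. Sockets are not among them: a socket is labelled with
# the type of the process that created it.
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}


def selinux_type(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def parse_avc(line):
    """Return the denial's key fields, or None for a line that is not an AVC record."""
    m = _AVC.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in _FIELD.findall(m["fields"])}
    return {
        "perms": tuple(sorted(m["perms"].split())),
        "comm": f.get("comm"),
        "stype": selinux_type(f["scontext"]),
        "ttype": selinux_type(f["tcontext"]),
        "tclass": f["tclass"],
        "permissive": f.get("permissive") == "1",
    }


def summarize_denials(lines):
    """Count denials per (source type, target type, object class, permissions)."""
    groups = Counter()
    for line in lines:
        d = parse_avc(line)
        if d:
            groups[(d["stype"], d["ttype"], d["tclass"], d["perms"])] += 1
    return groups


def draft_rule(stype, ttype, tclass, perms):
    """The allow rule audit2allow would put in a local module for this group."""
    target = "self" if stype == ttype else ttype
    return f"allow {stype} {target}:{tclass} {{ {' '.join(perms)} }};"


def relabel_can_help(stype, ttype, tclass):
    """A relabel only matters for on-disk objects that carry someone else's type.

    A denial whose target type equals the process's own domain (the thread's
    'socket labeled dnsmasq_t') is a gap in policy, not a mislabelled file.
    """
    return stype != ttype and tclass in FILE_CLASSES


# Constructed sample. The first two records mirror the setroubleshoot summary in
# the thread (dnsmasq denied 'create' on a socket labelled dnsmasq_t); the object
# class udp_socket, the pids and the third record are assumptions for illustration.
SAMPLE_AVC = """\
type=AVC msg=audit(1726237410.412:9001): avc:  denied  { create } for  pid=2369268 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1726237413.018:9002): avc:  denied  { create } for  pid=2369268 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1726237413.020:9003): avc:  denied  { read open } for  pid=2369268 comm="dnsmasq" path="/home/admin/hosts.extra" dev="dm-0" ino=1337 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""


def main():
    for (stype, ttype, tclass, perms), n in summarize_denials(SAMPLE_AVC.splitlines()).items():
        fix = "relabel may help" if relabel_can_help(stype, ttype, tclass) else "not fixable by relabeling"
        print(f"{n:3}x  {draft_rule(stype, ttype, tclass, perms):50} # {fix}")


if __name__ == "__main__":
    main()
```

The distinction the last column draws is the practical one for this thread: `fixfiles -F onboot` rewrites labels on files, so it can only cure denials where the target is an on-disk object with an unexpected type. A denial on a socket labelled with dnsmasq's own domain will come back identically after the relabel, and the right next step is to compare the drafted rule with the installed policy (`sesearch -A -s dnsmasq_t -t dnsmasq_t -c <class>`) and the dnsmasq version, rather than shipping a catch-all module.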

As a simple user, I think “local=/office.lan/” means that no query at all for office.lan has to leave the building. Maybe it makes sense to compare version numbers; there are some fairly recent bug reports about dnsmasq.
I have dnsmasq-2.90-3.fc41.x86_64

Another strange thing: from here, Cloudflare is so kind as to answer server.office.lan with NXDOMAIN, so why a communication error?
Unless SELinux interferes indeed.
In my version, a “local” assigned domain stays inside.

1 Like

I guess that’s where the notion to include the manual static addresses in the list of DHCP leases assigned static addresses came from.

For `nslookup server.office.lan 127.0.0.1`
[admin@server ~]$ sudo tail -F /var/log/messages | grep dnsmasq
Sep 14 16:16:01 server dnsmasq[4215]: reply prod.classify-client.prod.webservices.mozgcp.net is NODATA-IPv6
Sep 14 16:16:05 server dnsmasq[4215]: query[A] bam.nr-data.net from 192.168.1.141
Sep 14 16:16:05 server dnsmasq[4215]: cached bam.nr-data.net is <CNAME>
Sep 14 16:16:05 server dnsmasq[4215]: cached bam.cell.nr-data.net is <CNAME>
Sep 14 16:16:05 server dnsmasq[4215]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 14 16:16:05 server dnsmasq[4215]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 14 16:16:05 server dnsmasq[4215]: cached bam.nr-data.net is <CNAME>
Sep 14 16:16:05 server dnsmasq[4215]: cached bam.cell.nr-data.net is <CNAME>
Sep 14 16:16:05 server dnsmasq[4215]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 14 16:16:15 server dnsmasq[4215]: query[A] server.office.lan from 127.0.0.1
Sep 14 16:16:15 server dnsmasq[4215]: /etc/hosts server.office.lan is 192.168.1.40
Sep 14 16:16:15 server dnsmasq[4215]: query[AAAA] server.office.lan from 127.0.0.1
Sep 14 16:16:15 server dnsmasq[4215]: forwarded server.office.lan to 1.1.1.1
Sep 14 16:16:15 server dnsmasq[4215]: forwarded server.office.lan to 1.0.0.1
Sep 14 16:16:15 server dnsmasq[4215]: forwarded server.office.lan to 1.1.1.1
Sep 14 16:16:15 server dnsmasq[4215]: forwarded server.office.lan to 1.0.0.1
Sep 14 16:16:15 server dnsmasq[4215]: query[A] bam.nr-data.net from 192.168.1.141
Sep 14 16:16:15 server dnsmasq[4215]: cached bam.nr-data.net is <CNAME>
Sep 14 16:16:15 server dnsmasq[4215]: cached bam.cell.nr-data.net is <CNAME>
Sep 14 16:16:15 server dnsmasq[4215]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 14 16:16:15 server dnsmasq[4215]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 14 16:16:15 server dnsmasq[4215]: cached bam.nr-data.net is <CNAME>
Sep 14 16:16:15 server dnsmasq[4215]: cached bam.cell.nr-data.net is <CNAME>
Sep 14 16:16:15 server dnsmasq[4215]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 14 16:16:16 server dnsmasq[4215]: query[A] location.services.mozilla.com from 192.168.1.141
Sep 14 16:16:16 server dnsmasq[4215]: cached location.services.mozilla.com is <CNAME>
Sep 14 16:16:16 server dnsmasq[4215]: cached prod.classify-client.prod.webservices.mozgcp.net is 35.190.72.216
Sep 14 16:16:16 server dnsmasq[4215]: query[AAAA] location.services.mozilla.com from 192.168.1.141
Sep 14 16:16:16 server dnsmasq[4215]: cached location.services.mozilla.com is <CNAME>
Sep 14 16:16:16 server dnsmasq[4215]: cached prod.classify-client.prod.webservices.mozgcp.net is NODATA-IPv6
Sep 14 16:16:18 server setroubleshoot[100582]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 14 16:16:18 server setroubleshoot[100582]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 14 16:16:20 server dnsmasq[4215]: query[AAAA] server.office.lan from 127.0.0.1
Sep 14 16:16:20 server dnsmasq[4215]: forwarded server.office.lan to 1.1.1.1
Sep 14 16:16:20 server dnsmasq[4215]: forwarded server.office.lan to 1.0.0.1
Sep 14 16:16:20 server dnsmasq[4215]: forwarded server.office.lan to 1.1.1.1
Sep 14 16:16:20 server dnsmasq[4215]: forwarded server.office.lan to 1.0.0.1
Sep 14 16:16:21 server setroubleshoot[100582]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 14 16:16:21 server setroubleshoot[100582]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 14 16:16:22 server dnsmasq[4215]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 14 16:16:22 server dnsmasq[4215]: cached discussion.fedoraproject.org is <CNAME>
Sep 14 16:16:22 server dnsmasq[4215]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 14 16:16:22 server dnsmasq[4215]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 14 16:16:22 server dnsmasq[4215]: cached discussion.fedoraproject.org is <CNAME>
Sep 14 16:16:22 server dnsmasq[4215]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 14 16:16:25 server dnsmasq[4215]: query[AAAA] server.office.lan from 127.0.0.1
Sep 14 16:16:25 server dnsmasq[4215]: forwarded server.office.lan to 1.1.1.1
Sep 14 16:16:25 server dnsmasq[4215]: forwarded server.office.lan to 1.0.0.1
Sep 14 16:16:25 server dnsmasq[4215]: forwarded server.office.lan to 1.1.1.1
Sep 14 16:16:25 server dnsmasq[4215]: forwarded server.office.lan to 1.0.0.1
Sep 14 16:16:25 server dnsmasq[4215]: query[A] bam.nr-data.net from 192.168.1.141
Sep 14 16:16:25 server dnsmasq[4215]: cached bam.nr-data.net is <CNAME>
Sep 14 16:16:25 server dnsmasq[4215]: cached bam.cell.nr-data.net is <CNAME>
Sep 14 16:16:25 server dnsmasq[4215]: cached fastly-tls12-bam.nr-data.net is 162.247.243.29
Sep 14 16:16:25 server dnsmasq[4215]: query[AAAA] bam.nr-data.net from 192.168.1.141
Sep 14 16:16:25 server dnsmasq[4215]: cached bam.nr-data.net is <CNAME>
Sep 14 16:16:25 server dnsmasq[4215]: cached bam.cell.nr-data.net is <CNAME>
Sep 14 16:16:25 server dnsmasq[4215]: cached fastly-tls12-bam.nr-data.net is ::ffff:162.247.243.29
Sep 14 16:16:26 server dnsmasq[4215]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 14 16:16:26 server dnsmasq[4215]: cached discussion.fedoraproject.org is <CNAME>
Sep 14 16:16:26 server dnsmasq[4215]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 14 16:16:26 server dnsmasq[4215]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 14 16:16:26 server dnsmasq[4215]: cached discussion.fedoraproject.org is <CNAME>
Sep 14 16:16:26 server dnsmasq[4215]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
^C
[admin@server ~]$
[admin@server ~]$ nslookup server.office.lan 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	server.office.lan
Address: 192.168.1.40
;; connection timed out; no servers could be reached


[admin@server ~]$
(Back on the horse...)

After rebooting from the relabel - there was a bit of relabelling - and then going away… I came back to discover the bridge had collapsed; fought for hours, but finally got it back up and stable when I ran back through the dnsmasq howto in the OP and realised I hadn’t reconfigured the firewall when I moved the WAN device to a bond (of two devices) and the LAN device to a bridge (of 4 devices)… One thing I noticed was that the howto says to enable masquerading on both the WAN and LAN, but previously it was only on the WAN. Looking at the policies I did wonder if adding masquerading to the policy would negate the need to add masquerading to either WAN or LAN? Anyway…

For `nslookup printer.office.lan 127.0.0.1`
[admin@server ~]$ sudo tail -F /var/log/messages | grep dnsmasq
Sep 16 19:59:19 server dnsmasq[22282]: cached meta.discourse.org is <CNAME>
Sep 16 19:59:19 server dnsmasq[22282]: forwarded meta.discourse.org to 1.1.1.1
Sep 16 19:59:19 server dnsmasq[22282]: query[AAAA] meta.discourse.org from 192.168.1.141
Sep 16 19:59:19 server dnsmasq[22282]: forwarded meta.discourse.org to 1.1.1.1
Sep 16 19:59:19 server dnsmasq[22282]: reply meta.discourse.org is <CNAME>
Sep 16 19:59:19 server dnsmasq[22282]: reply app-cname-target.cdck-prod-meta.discourse.cloud is 52.53.108.46
Sep 16 19:59:19 server dnsmasq[22282]: reply app-cname-target.cdck-prod-meta.discourse.cloud is 52.52.206.48
Sep 16 19:59:19 server dnsmasq[22282]: reply meta.discourse.org is <CNAME>
Sep 16 19:59:19 server dnsmasq[22282]: reply app-cname-target.cdck-prod-meta.discourse.cloud is 2600:1f1c:f40:2402:c8ae:f804:ced7:3ed4
Sep 16 19:59:19 server dnsmasq[22282]: reply app-cname-target.cdck-prod-meta.discourse.cloud is 2600:1f1c:f40:2401:b296:9e45:2b97:d407
Sep 16 19:59:21 server dnsmasq[22282]: query[A] printer.office.lan from 127.0.0.1
Sep 16 19:59:21 server dnsmasq[22282]: DHCP printer.office.lan is 192.168.1.120
Sep 16 19:59:21 server dnsmasq[22282]: query[AAAA] printer.office.lan from 127.0.0.1
Sep 16 19:59:21 server dnsmasq[22282]: forwarded printer.office.lan to 1.1.1.1
Sep 16 19:59:21 server dnsmasq[22282]: forwarded printer.office.lan to 1.0.0.1
Sep 16 19:59:24 server setroubleshoot[133836]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 16 19:59:24 server setroubleshoot[133836]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 16 19:59:25 server dnsmasq[22282]: query[A] rms.api.bbc.co.uk from 192.168.1.141
Sep 16 19:59:25 server dnsmasq[22282]: forwarded rms.api.bbc.co.uk to 1.1.1.1
Sep 16 19:59:25 server dnsmasq[22282]: query[AAAA] rms.api.bbc.co.uk from 192.168.1.141
Sep 16 19:59:25 server dnsmasq[22282]: forwarded rms.api.bbc.co.uk to 1.1.1.1
Sep 16 19:59:25 server dnsmasq[22282]: query[A] rms.api.bbc.co.uk from 192.168.1.141
Sep 16 19:59:25 server dnsmasq[22282]: reply rms.api.bbc.co.uk is <CNAME>
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.108
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.85
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.36
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.29
Sep 16 19:59:25 server dnsmasq[22282]: reply rms.api.bbc.co.uk is <CNAME>
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:e00:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:5a00:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:9e00:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:1400:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:f200:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:600:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:9c00:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 2600:9000:2680:6a00:1d:51f8:6200:93a1
Sep 16 19:59:25 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 19:59:25 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 19:59:25 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 19:59:25 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 19:59:25 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 19:59:25 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 16 19:59:26 server dnsmasq[22282]: query[AAAA] printer.office.lan from 127.0.0.1
Sep 16 19:59:26 server dnsmasq[22282]: forwarded printer.office.lan to 1.1.1.1
Sep 16 19:59:26 server dnsmasq[22282]: forwarded printer.office.lan to 1.0.0.1
Sep 16 19:59:31 server dnsmasq[22282]: query[AAAA] printer.office.lan from 127.0.0.1
Sep 16 19:59:31 server dnsmasq[22282]: forwarded printer.office.lan to 1.1.1.1
Sep 16 19:59:31 server dnsmasq[22282]: forwarded printer.office.lan to 1.0.0.1
Sep 16 19:59:32 server setroubleshoot[133836]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 16 19:59:32 server setroubleshoot[133836]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 16 19:59:35 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 19:59:35 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 19:59:35 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 19:59:35 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 19:59:35 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 19:59:35 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
^C
[admin@server ~]$
[admin@server ~]$ nslookup printer.office.lan 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	printer.office.lan
Address: 192.168.1.120
;; connection timed out; no servers could be reached


[admin@server ~]$
For `nslookup fritzbox.office.lan 127.0.0.1`
[admin@server ~]$ sudo tail -F /var/log/messages | grep dnsmasq
Sep 16 20:11:30 server dnsmasq[22282]: reply ichef.bbci.co.uk is <CNAME>
Sep 16 20:11:30 server dnsmasq[22282]: reply ichef.bbci.co.uk.edgekey.net is <CNAME>
Sep 16 20:11:30 server dnsmasq[22282]: reply e3891.dscg.akamaiedge.net is 2a02:26f0:fd00:1195::f33
Sep 16 20:11:30 server dnsmasq[22282]: reply e3891.dscg.akamaiedge.net is 2a02:26f0:fd00:11a5::f33
Sep 16 20:11:30 server dnsmasq[22282]: reply e3891.dscg.akamaiedge.net is 2a02:26f0:fd00:118e::f33
Sep 16 20:11:30 server dnsmasq[22282]: reply e3891.dscg.akamaiedge.net is 2a02:26f0:fd00:1193::f33
Sep 16 20:11:30 server dnsmasq[22282]: reply e3891.dscg.akamaiedge.net is 2a02:26f0:fd00:119a::f33
Sep 16 20:11:30 server dnsmasq[22282]: reply ichef.bbci.co.uk is <CNAME>
Sep 16 20:11:30 server dnsmasq[22282]: reply ichef.bbci.co.uk.edgekey.net is <CNAME>
Sep 16 20:11:30 server dnsmasq[22282]: reply e3891.dscg.akamaiedge.net is 2.23.160.114
Sep 16 20:11:41 server dnsmasq[22282]: query[A] fritzbox.office.lan from 127.0.0.1
Sep 16 20:11:41 server dnsmasq[22282]: /etc/hosts fritzbox.office.lan is 192.168.1.30
Sep 16 20:11:41 server dnsmasq[22282]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 16 20:11:41 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 16 20:11:41 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 16 20:11:44 server setroubleshoot[134823]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 16 20:11:44 server setroubleshoot[134823]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 16 20:11:46 server dnsmasq[22282]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 16 20:11:46 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 16 20:11:46 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 16 20:11:47 server setroubleshoot[134823]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t. For complete SELinux messages run: sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
Sep 16 20:11:47 server setroubleshoot[134823]: SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq#012# semodule -X 300 -i my-dnsmasq.pp#012
Sep 16 20:11:50 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 20:11:50 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 20:11:50 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 20:11:50 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 20:11:50 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 20:11:50 server dnsmasq[22282]: forwarded discussion.fedoraproject.org to 1.0.0.1
Sep 16 20:11:50 server dnsmasq[22282]: forwarded discussion.fedoraproject.org to 1.1.1.1
Sep 16 20:11:50 server dnsmasq[22282]: forwarded discussion.fedoraproject.org to 1.1.1.1
Sep 16 20:11:50 server dnsmasq[22282]: forwarded discussion.fedoraproject.org to 1.0.0.1
Sep 16 20:11:50 server dnsmasq[22282]: reply discussion.fedoraproject.org is <CNAME>
Sep 16 20:11:50 server dnsmasq[22282]: reply fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 16 20:11:51 server dnsmasq[22282]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 16 20:11:51 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 16 20:11:51 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 16 20:11:53 server dnsmasq[22282]: query[A] play.googleapis.com from 127.0.0.1
Sep 16 20:11:53 server dnsmasq[22282]: forwarded play.googleapis.com to 1.1.1.1
Sep 16 20:11:53 server dnsmasq[22282]: reply play.googleapis.com is 216.239.34.223
Sep 16 20:11:53 server dnsmasq[22282]: reply play.googleapis.com is 216.239.38.223
Sep 16 20:11:53 server dnsmasq[22282]: reply play.googleapis.com is 216.239.32.223
Sep 16 20:11:53 server dnsmasq[22282]: reply play.googleapis.com is 216.239.36.223
Sep 16 20:11:55 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 20:11:55 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 20:11:55 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 20:11:55 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 20:11:55 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 20:11:55 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
^C
[admin@server ~]$
[admin@server ~]$ nslookup fritzbox.office.lan 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Name:	fritzbox.office.lan
Address: 192.168.1.30
;; connection timed out; no servers could be reached


[admin@server ~]$

So, after the relabel and in permissive mode, nslookup was returning an A record immediately, but then timing out waiting for AAAA record - but before, it ‘felt’ like it wasn’t returning the A record until after timing out waiting for the AAAA record. BUT, this could just be my imagination, because I missed all the elephants…

Here’s:

[admin@server ~]$ sudo journalctl -b _AUDIT_TYPE_NAME=AVC
-- No entries --
[admin@server ~]$

And, I have:
dnsmasq-2.85-16.el9_4.x86_64
Ah!!! Busted! Cheap assed rhel user squatting on fedora discussion… :face_with_open_eyes_and_hand_over_mouth:

[admin@server ~]$ dnsmasq --version
Dnsmasq version 2.85  Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
[admin@server ~]$
Here's `sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f`
[admin@server ~]$ sealert -l 2f365b39-173e-426a-a1c8-4ab80387b92f
SELinux is preventing /usr/sbin/dnsmasq from create access on the socket labeled dnsmasq_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dnsmasq should be allowed create access on socket labeled dnsmasq_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq
# semodule -X 300 -i my-dnsmasq.pp


Additional Information:
Source Context                system_u:system_r:dnsmasq_t:s0
Target Context                system_u:system_r:dnsmasq_t:s0
Target Objects                Unknown [ socket ]
Source                        dnsmasq
Source Path                   /usr/sbin/dnsmasq
Port                          <Unknown>
Host                          server
Source RPM Packages           dnsmasq-2.85-16.el9_4.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.35-2.el9_4.2.noarch
Local Policy RPM              selinux-policy-targeted-38.1.35-2.el9_4.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     server
Platform                      Linux server 5.14.0-427.31.1.el9_4.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Aug 9 14:06:03 EDT 2024 x86_64
                              x86_64
Alert Count                   25742
First Seen                    2024-07-14 14:12:08 BST
Last Seen                     2024-09-16 19:00:28 BST
Local ID                      2f365b39-173e-426a-a1c8-4ab80387b92f

Raw Audit Messages
type=AVC msg=audit(1726509628.210:3386): avc:  denied  { create } for  pid=22282 comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=1


type=SYSCALL msg=audit(1726509628.210:3386): arch=x86_64 syscall=socket success=no exit=EAFNOSUPPORT a0=0 a1=2 a2=0 a3=560db2b41960 items=0 ppid=22094 pid=22282 auid=4294967295 uid=996 gid=992 euid=996 suid=996 fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 key=(null)

Hash: dnsmasq,dnsmasq_t,dnsmasq_t,socket,create

[admin@server ~]$

I did:

[admin@server ~]$ sudo su
[sudo] password for admin: 
[root@server admin]# ausearch -c 'dnsmasq' --raw | audit2allow -M my-dnsmasq
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-dnsmasq.pp

[root@server admin]# semodule -X 300 -i my-dnsmasq.pp
[root@server admin]#
And now, no more selinux denials
[admin@server ~]$ sudo tail -F /var/log/messages | grep dnsmasq
Sep 16 21:25:42 server dnsmasq[22282]: cached d27609m9be2rgo.cloudfront.net is 2600:9000:2680:6000:1d:51f8:6200:93a1
Sep 16 21:25:42 server dnsmasq[22282]: cached d27609m9be2rgo.cloudfront.net is 2600:9000:2680:e800:1d:51f8:6200:93a1
Sep 16 21:25:42 server dnsmasq[22282]: cached d27609m9be2rgo.cloudfront.net is 2600:9000:2680:ba00:1d:51f8:6200:93a1
Sep 16 21:25:42 server dnsmasq[22282]: cached d27609m9be2rgo.cloudfront.net is 2600:9000:2680:1400:1d:51f8:6200:93a1
Sep 16 21:25:42 server dnsmasq[22282]: cached d27609m9be2rgo.cloudfront.net is 2600:9000:2680:ee00:1d:51f8:6200:93a1
Sep 16 21:25:42 server dnsmasq[22282]: reply rms.api.bbc.co.uk is <CNAME>
Sep 16 21:25:42 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.29
Sep 16 21:25:42 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.108
Sep 16 21:25:42 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.36
Sep 16 21:25:42 server dnsmasq[22282]: reply d27609m9be2rgo.cloudfront.net is 18.154.84.85
Sep 16 21:25:48 server dnsmasq[22282]: query[A] fritzbox.office.lan from 127.0.0.1
Sep 16 21:25:48 server dnsmasq[22282]: /etc/hosts fritzbox.office.lan is 192.168.1.30
Sep 16 21:25:48 server dnsmasq[22282]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 16 21:25:48 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 16 21:25:48 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 16 21:25:52 server dnsmasq[22282]: query[A] as-dash-uk-live.akamaized.net from 192.168.1.141
Sep 16 21:25:52 server dnsmasq[22282]: forwarded as-dash-uk-live.akamaized.net to 1.0.0.1
Sep 16 21:25:52 server dnsmasq[22282]: query[AAAA] as-dash-uk-live.akamaized.net from 192.168.1.141
Sep 16 21:25:52 server dnsmasq[22282]: forwarded as-dash-uk-live.akamaized.net to 1.0.0.1
Sep 16 21:25:52 server dnsmasq[22282]: reply as-dash-uk-live.akamaized.net is <CNAME>
Sep 16 21:25:52 server dnsmasq[22282]: reply a901.w5.akamai.net is NODATA-IPv6
Sep 16 21:25:52 server dnsmasq[22282]: reply as-dash-uk-live.akamaized.net is <CNAME>
Sep 16 21:25:52 server dnsmasq[22282]: reply a901.w5.akamai.net is 92.123.142.145
Sep 16 21:25:52 server dnsmasq[22282]: reply a901.w5.akamai.net is 92.123.143.243
Sep 16 21:25:53 server dnsmasq[22282]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 16 21:25:53 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 16 21:25:53 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 16 21:25:58 server dnsmasq[22282]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 16 21:25:58 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 16 21:25:58 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 16 21:25:58 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:25:58 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:25:58 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 21:25:58 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:25:58 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:25:58 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 16 21:26:03 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:26:03 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:26:03 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 21:26:03 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:26:03 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:26:03 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 16 21:26:06 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:26:06 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:26:06 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 21:26:06 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:26:06 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:26:06 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
Sep 16 21:26:08 server dnsmasq[22282]: query[A] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:26:08 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:26:08 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 184.105.99.43
Sep 16 21:26:08 server dnsmasq[22282]: query[AAAA] discussion.fedoraproject.org from 192.168.1.141
Sep 16 21:26:08 server dnsmasq[22282]: cached discussion.fedoraproject.org is <CNAME>
Sep 16 21:26:08 server dnsmasq[22282]: cached fedoraproject.hosted-by-discourse.com is 2602:fd3f:3:ff01::2b
^C
[admin@server ~]$

But, the delay persists… EXCEPT for ping with host name only - without the local domain name (I added some timings):

[21:46:28] [admin@server ~]$ ping server
PING server (192.168.1.40) 56(84) bytes of data.
64 bytes from server (192.168.1.40): icmp_seq=1 ttl=64 time=0.074 ms
64 bytes from server (192.168.1.40): icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from server (192.168.1.40): icmp_seq=3 ttl=64 time=0.086 ms
^C
--- server ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2032ms
rtt min/avg/max/mdev = 0.074/0.083/0.091/0.007 ms
[21:46:34] [admin@server ~]$ ping server.office.lan
PING server.office.lan (192.168.1.40) 56(84) bytes of data.
64 bytes from server (192.168.1.40): icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from server (192.168.1.40): icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from server (192.168.1.40): icmp_seq=3 ttl=64 time=0.094 ms
^C
--- server.office.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2033ms
rtt min/avg/max/mdev = 0.079/0.085/0.094/0.006 ms
[21:47:02] [admin@server ~]$

Also, pinging from my oldmachine from the network is delayed for both host name only and host with domain name…

That’ll be more than one post. [Oh, no it won’t.]
Thanks!
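Editor's note with an added example (not code from the thread or from setroubleshoot): the Raw Audit Messages above say more than the catchall plugin does. In the SYSCALL record, a0=0 is the socket domain (AF_UNSPEC), a1=2 is SOCK_DGRAM, and exit=EAFNOSUPPORT together with permissive=1 on the AVC means SELinux only logged the create denial and let the call through; the kernel then refused the address family itself. That is consistent with the generic `socket` target class (SELinux uses udp_socket/tcp_socket only for families it maps) and with the timeout surviving the audit2allow module. The script below parses the two records copied from the sealert output and decodes the call; the constant tables assume Linux x86_64.

```python
"""Decode the SELinux AVC and its SYSCALL record from the sealert output above.

Added example (not from the thread or from setroubleshoot). The two record
strings are copied from the Raw Audit Messages shown above; the constant
tables are the standard Linux x86_64 socket(2) values.
"""
import re

# socket(2) constants (Linux x86_64): domain, base type, and the two type flag bits.
AF_NAMES = {0: "AF_UNSPEC", 1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6",
            16: "AF_NETLINK", 17: "AF_PACKET"}
SOCK_NAMES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW", 5: "SOCK_SEQPACKET"}
SOCK_FLAG_BITS = ((0o4000, "SOCK_NONBLOCK"), (0o2000000, "SOCK_CLOEXEC"))
SOCK_TYPE_MASK = 0xF

# Copied from the thread's "Raw Audit Messages" (same audit event: serial 3386).
AVC_LINE = ('type=AVC msg=audit(1726509628.210:3386): avc:  denied  { create } for  pid=22282 '
            'comm="dnsmasq" scontext=system_u:system_r:dnsmasq_t:s0 '
            'tcontext=system_u:system_r:dnsmasq_t:s0 tclass=socket permissive=1')
SYSCALL_LINE = ('type=SYSCALL msg=audit(1726509628.210:3386): arch=x86_64 syscall=socket '
                'success=no exit=EAFNOSUPPORT a0=0 a1=2 a2=0 a3=560db2b41960 items=0 '
                'ppid=22094 pid=22282 auid=4294967295 uid=996 gid=992 euid=996 suid=996 '
                'fsuid=996 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 '
                'comm=dnsmasq exe=/usr/sbin/dnsmasq subj=system_u:system_r:dnsmasq_t:s0 '
                'key=(null)')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERMS_RE = re.compile(r'\{([^}]*)\}')


def parse_record(line):
    """Split one audit record into its key=value fields.

    Adds 'event_id' (timestamp, serial), which is what ties an AVC record to the
    SYSCALL record of the same event, and 'permissions' for AVC records.
    """
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["event_id"] = (m.group(1), int(m.group(2))) if m else None
    if fields.get("type") == "AVC":
        m = PERMS_RE.search(line)
        fields["permissions"] = m.group(1).split() if m else []
    return fields


def decode_socket_args(sc):
    """Decode socket(domain, type, protocol) from a SYSCALL record's hex a0..a2."""
    domain, stype, proto = (int(sc[k], 16) for k in ("a0", "a1", "a2"))
    base = stype & SOCK_TYPE_MASK
    return {
        "domain": AF_NAMES.get(domain, f"AF_{domain}"),
        "type": SOCK_NAMES.get(base, f"SOCK_{base}"),
        "flags": [name for bit, name in SOCK_FLAG_BITS if stype & bit],
        "protocol": proto,
    }


def analyze(avc_line, syscall_line):
    """Correlate an AVC with its SYSCALL record and say what actually failed.

    permissive=1 means SELinux logged the denial but did not block the call, so
    when success=no the errno on the SYSCALL record is the real cause.
    """
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc["event_id"] is None or avc["event_id"] != sc["event_id"]:
        raise ValueError("AVC and SYSCALL records belong to different audit events")
    if sc.get("syscall") != "socket":
        raise ValueError(f"expected socket(2), got {sc.get('syscall')!r}")
    enforced = avc.get("permissive") == "0"
    result = {
        "pid": int(avc["pid"]),
        "comm": avc["comm"],
        "tclass": avc["tclass"],          # generic 'socket', not udp_socket/tcp_socket
        "permissions": avc["permissions"],
        "enforced": enforced,
        "call": decode_socket_args(sc),
        "exit": sc.get("exit"),
    }
    if enforced:
        result["verdict"] = "blocked by SELinux"
    elif sc.get("success") == "no":
        result["verdict"] = f"not blocked by SELinux; socket(2) failed with {sc['exit']}"
    else:
        result["verdict"] = "logged only; socket(2) succeeded"
    return result


if __name__ == "__main__":
    r = analyze(AVC_LINE, SYSCALL_LINE)
    c = r["call"]
    print(f"{r['comm']}[{r['pid']}] socket({c['domain']}, {c['type']}, {c['protocol']}) "
          f"-> {r['exit']} (enforced={r['enforced']}): {r['verdict']}")
```

To run it on a live system, feed it the pair of lines that `ausearch -c dnsmasq -i` prints for one event; the point of keying on the event id is that a busy audit log interleaves records from many events.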

This is going to be a deep dive. Took the source RPM from Alma9, and built it in Fedora 41.

dnsmasq --version
Dnsmasq version 2.85 Copyright (c) 2000-2021 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN2 DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth cryptohash DNSSEC loop-detect inotify dumpfile

rpm -q dnsmasq
dnsmasq-2.85-16.fc41.x86_64

Started outside of NetworkManager, it seems to do what it is expected to do:
sep 17 08:08:44 pcbeneden dnsmasq[6626]: config server.office.lan is NODATA-IPv6

No SELinux issues, but here I have the Fedora41 policies of course.

There is one risk in your setup, depending how you create the libvirt dnsmasq:
if you ask from a VM for some AAAA for some.libvirt.office.lan, it asks 127.0.0.1, which asks the libvirt dnsmasq, which asks 127.0.0.1. I ended up with two dnsmasqs at 100% CPU, loud fans and communication errors. The libvirt dnsmasq should strictly contain libvirt.office.lan as local.

So no solution yet; those SELinux errors are strange but I do not know how to handle them, and apparently with setenforce 0 it still does not work. It looks like a very subtle bug.

Pinging involves name resolution, which expands single-label hostnames with search domains and queries your dnsmasq for A and AAAA records (assuming this is your exclusive resolver), but dnsmasq ignores the local option for some reason and forwards the AAAA query to the upstream resolvers, which obviously ignore queries for non-public domains, thus it times out.

It looks broken for both A and AAAA queries in your case.

Replicating your setup, the working local option should result in the following log:

dnsmasq[3127]: using only locally-known addresses for office.lan
dnsmasq[3127]: using only locally-known addresses for 1.168.192.in-addr.arpa
dnsmasq[3127]: using only locally-known addresses for office.lan
...
dnsmasq[3127]: query[A] test.office.lan from 127.0.0.1
dnsmasq[3127]: config test.office.lan is NXDOMAIN
dnsmasq[3127]: query[AAAA] test.office.lan from 127.0.0.1
dnsmasq[3127]: config test.office.lan is NXDOMAIN

And the PID should be the same as what ss returns for 127.0.0.1:53 TCP and UDP.

BTW, I recommend removing this to avoid some unexpected collisions:

Then restart the service and check the log:

sudo systemctl restart NetworkManager.service 
ls -l -a -R -Z /etc/NetworkManager/dnsmasq.d
journalctl --no-pager -b -u NetworkManager.service | grep -e locally
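Editor's added example (not code from the thread): a checker that applies the rule above to a dnsmasq query log. Any `forwarded` line for a name under a `local=` zone is a leak of internal names to the public resolvers, which is exactly what the logs earlier in the thread show for the AAAA queries; and, following the libvirt loop warning a few posts up, any forward to a loopback address is flagged as a possible loop. `LOCAL_DOMAINS` and the sample lines are assumptions constructed from the log patterns above (the `dnsmasq[3001]` libvirt instance and `vm1.libvirt.office.lan` are invented for the loop case).

```python
"""Flag dnsmasq log lines where a locally-served name was forwarded upstream.

Added example, not from the thread. LOCAL_DOMAINS mirrors the poster's
local=/office.lan/ plus the reverse zone; SAMPLE_LOG is constructed from the
log patterns in the thread (the dnsmasq[3001] libvirt instance is invented).
"""
import ipaddress
import re

LOCAL_DOMAINS = ("office.lan", "1.168.192.in-addr.arpa")  # assumed local= zones

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dnsmasq\[(?P<pid>\d+)\]: (?P<msg>.*)$')
QUERY_RE = re.compile(r'^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$')
FORWARD_RE = re.compile(r'^forwarded (?P<name>\S+) to (?P<upstream>\S+)$')

# Constructed sample: first five lines follow the thread's fritzbox.office.lan case.
SAMPLE_LOG = """\
Sep 16 21:25:48 server dnsmasq[22282]: query[A] fritzbox.office.lan from 127.0.0.1
Sep 16 21:25:48 server dnsmasq[22282]: /etc/hosts fritzbox.office.lan is 192.168.1.30
Sep 16 21:25:48 server dnsmasq[22282]: query[AAAA] fritzbox.office.lan from 127.0.0.1
Sep 16 21:25:48 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.1.1.1
Sep 16 21:25:48 server dnsmasq[22282]: forwarded fritzbox.office.lan to 1.0.0.1
Sep 16 21:25:52 server dnsmasq[22282]: query[A] as-dash-uk-live.akamaized.net from 192.168.1.141
Sep 16 21:25:52 server dnsmasq[22282]: forwarded as-dash-uk-live.akamaized.net to 1.0.0.1
Sep 16 21:26:10 server dnsmasq[22282]: query[AAAA] test.office.lan from 127.0.0.1
Sep 16 21:26:10 server dnsmasq[22282]: config test.office.lan is NXDOMAIN
Sep 16 21:26:15 server dnsmasq[3001]: query[AAAA] vm1.libvirt.office.lan from 192.168.122.10
Sep 16 21:26:15 server dnsmasq[3001]: forwarded vm1.libvirt.office.lan to 127.0.0.1
"""


def is_local_name(name, local_domains=LOCAL_DOMAINS):
    """True if a local=/zone/ rule covers name: the zone apex or anything below it."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in local_domains)


def audit_dnsmasq_log(text, local_domains=LOCAL_DOMAINS):
    """Return one finding per 'forwarded' line that should not have happened.

    kind 'leak': the name is under a local zone but went to an upstream resolver.
    kind 'loop': the upstream is a loopback address, so it may be this host's own
    resolver (the libvirt-to-127.0.0.1 case); a heuristic, not proof of a loop.
    """
    last_query = {}   # (pid, name) -> (qtype, client) of the most recent query line
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        q = QUERY_RE.match(msg)
        if q:
            # 'forwarded' lines carry no query type, so remember the last query per name.
            last_query[(pid, q["name"].lower())] = (q["qtype"], q["client"])
            continue
        f = FORWARD_RE.match(msg)
        if not f:
            continue
        name, upstream = f["name"].lower(), f["upstream"]
        qtype, client = last_query.get((pid, name), ("?", "?"))
        try:                         # tolerate an addr#port suffix on the upstream
            loopback = ipaddress.ip_address(upstream.split("#")[0]).is_loopback
        except ValueError:
            loopback = False
        if loopback:
            kind = "loop"
        elif is_local_name(name, local_domains):
            kind = "leak"
        else:
            continue
        findings.append({"ts": m["ts"], "pid": int(pid), "kind": kind, "name": name,
                         "qtype": qtype, "client": client, "upstream": upstream})
    return findings


if __name__ == "__main__":
    for x in audit_dnsmasq_log(SAMPLE_LOG):
        print(f"{x['ts']} dnsmasq[{x['pid']}] {x['kind'].upper():4} {x['qtype']:5} "
              f"{x['name']} from {x['client']} -> {x['upstream']}")
```

Pipe `journalctl -u dnsmasq` or `/var/log/messages` output into `audit_dnsmasq_log` after setting `LOCAL_DOMAINS` to the zones in your `local=` lines; with a working `local=` option the only lines it should ever report are forwards to a loopback upstream that you put there on purpose.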

@hmmsjan and @vgaetera, having slept on this, and briefly before I do more digging later:
1/ This problem was introduced when I changed the local subnet from 192.168.0.0/24 to 192.168.1.0/24;
2/ Perhaps the difference in ping behaviour is relevant, this returns immediately and isn’t expanded:

But, this - from another machine - is expanded and times out:

[12:46:58] me@myoldmachine:~$ ping server
PING server.office.lan (192.168.1.40) 56(84) bytes of data.
64 bytes from server.office.lan (192.168.1.40): icmp_seq=1 ttl=64 time=1.72 ms
64 bytes from server.office.lan (192.168.1.40): icmp_seq=2 ttl=64 time=2.36 ms
64 bytes from server.office.lan (192.168.1.40): icmp_seq=3 ttl=64 time=2.23 ms
^C
--- server.office.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.718/2.104/2.362/0.278 ms
[12:47:26] me@myoldmachine:~$ ping server.office.lan
PING server.office.lan (192.168.1.40) 56(84) bytes of data.
64 bytes from server.office.lan (192.168.1.40): icmp_seq=1 ttl=64 time=1.67 ms
64 bytes from server.office.lan (192.168.1.40): icmp_seq=2 ttl=64 time=2.57 ms
64 bytes from server.office.lan (192.168.1.40): icmp_seq=3 ttl=64 time=1.23 ms
^C
--- server.office.lan ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.230/1.822/2.567/0.556 ms
[12:47:56] me@myoldmachine:~$

?

It starts resolving with the files backend before dns:

I recommend to focus on debugging the NetworkManager/dnsmasq startup log.

Thx. M

I consider the change of 192.168.0.0/24 to 192.168.1.0/24 a minor change, as long as every file involved in this change has the new number. The clients probably get everything via DHCP and cannot be blamed. I do not know which RHEL version you have. The last Alma is from May 2024, so maybe you're testing the new subnet, but in fact the new dnsmasq version…

I replicated your setup in a Rocky 9 VM with the same dnsmasq version, and libvirt in namespaces instead of a VM. I cannot reproduce the problem; the only thing is the libvirt config. If the VM dnsmasqs are configured by "virsh net-edit", they might have their input from 127.0.0.1 and thus the main dnsmasq. This has the risk of loops. Symptom: dnsmasq processes eating 100% CPU. I think it's better to configure the bridges for VMs manually, with a dnsmasq config based on your main one, thus with input from external servers and strictly limited to the domain they serve with "local=". But, as said, I do not see AAAA requests going outside, so I still do not know the exact cause of the problem.

Hi @vgaetera and @hmmsjan final(ish) post…
Last log posted here:

Unfortunately, I’ve just turned on persistent logging so the more distant past is gone.

Highlights from that are here
Sep 22 13:41:46 server dnsmasq[2041]: chown of PID file /run/NetworkManager/dnsmasq.pid failed: Operation not permitted
Sep 22 13:41:46 server dnsmasq[2041]: ignoring nameserver 127.0.0.1 - local interface
Sep 22 13:41:46 server dnsmasq[2041]: ignoring nameserver 127.0.0.1 - local interface
Sep 22 13:41:46 server dnsmasq[2041]: ignoring nameserver 127.0.0.1 - local interface
Sep 22 13:41:46 server dnsmasq[2041]: ignoring nameserver 127.0.0.1 - local interface
Sep 22 13:41:46 server dnsmasq[2041]: ignoring nameserver 127.0.0.1 - local interface
Sep 22 13:41:46 server dnsmasq[2041]: ignoring nameserver 127.0.0.1 - local interface
Sep 22 13:41:46 server dnsmasq[2041]: ignoring nameserver 127.0.0.1 - local interface

I’ve let it run to the last of the local machines to take a DHCP lease.

Tidying up some missed questions:

Yes - the bridge kept collapsing on reboot when configured with nmtui, but configured via cockpit it seems to be stable - no idea why the difference:

`nmcli device show bridge0`
[admin@server ~]$ sudo nmcli device show bridge0
GENERAL.DEVICE:                         bridge0
GENERAL.TYPE:                           bridge
GENERAL.HWADDR:                         2C:44:FD:89:99:B8
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     bridge0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/8
IP4.ADDRESS[1]:                         192.168.1.40/24
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 192.168.1.0/24, nh = 0.0.0.0, mt = 425
IP4.DNS[1]:                             127.0.0.1
IP4.DNS[2]:                             1.1.1.1
IP4.DNS[3]:                             1.0.0.1
IP4.SEARCHES[1]:                        office.lan
IP6.ADDRESS[1]:                         fe80::2f3f:7d3:6bd3:8b69/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
[admin@server ~]$

Adding filter-AAAA to /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.conf produced this on:

`systemctl restart NetworkManager.service`
Sep 24 22:34:36 server NetworkManager[211689]: dnsmasq: bad option at line 38 of /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.co>
Sep 24 22:34:36 server dnsmasq[211689]: bad option at line 38 of /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.conf
Sep 24 22:34:36 server dnsmasq[211689]: FAILED to start up
Sep 24 22:34:36 server NetworkManager[211349]: <warn>  [1727213676.9391] dnsmasq: spawn: dnsmasq process 211689 exited with error: >
Sep 24 22:34:36 server NetworkManager[211349]: <info>  [1727213676.9392] dnsmasq: starting /usr/sbin/dnsmasq
Sep 24 22:34:36 server NetworkManager[211690]: dnsmasq: bad option at line 38 of /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.co>
Sep 24 22:34:36 server dnsmasq[211690]: bad option at line 38 of /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.conf
Sep 24 22:34:36 server dnsmasq[211690]: FAILED to start up
Sep 24 22:34:36 server NetworkManager[211349]: <warn>  [1727213676.9433] dnsmasq: spawn: dnsmasq process 211690 exited with error: >
Sep 24 22:34:36 server NetworkManager[211349]: <warn>  [1727213676.9434] dnsmasq[8c1d114ecce6a736]: dnsmasq dies and gets respawned>

So, I undid that.

`journalctl --no-pager -b -u NetworkManager.service | grep -e locally`
[admin@server ~]$ journalctl --no-pager -b -u NetworkManager.service | grep -e locally
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain office.lan
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain office.lan
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain office.lan
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain office.lan
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain office.lan
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 22 13:41:46 server dnsmasq[2041]: using only locally-known addresses for domain office.lan
Sep 24 22:36:36 server dnsmasq[211765]: using only locally-known addresses for domain office.lan
Sep 24 22:36:36 server dnsmasq[211765]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 24 22:36:36 server dnsmasq[211765]: using only locally-known addresses for domain office.lan
Sep 24 22:36:36 server dnsmasq[211765]: using only locally-known addresses for domain office.lan
Sep 24 22:36:36 server dnsmasq[211765]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 24 22:36:36 server dnsmasq[211765]: using only locally-known addresses for domain office.lan
Sep 24 22:43:10 server dnsmasq[212145]: using only locally-known addresses for domain office.lan
Sep 24 22:43:10 server dnsmasq[212145]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 24 22:43:10 server dnsmasq[212145]: using only locally-known addresses for domain office.lan
Sep 24 22:43:10 server dnsmasq[212145]: using only locally-known addresses for domain office.lan
Sep 24 22:43:10 server dnsmasq[212145]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 24 22:43:10 server dnsmasq[212145]: using only locally-known addresses for domain office.lan
Sep 24 22:51:58 server dnsmasq[212693]: using only locally-known addresses for domain office.lan
Sep 24 22:51:58 server dnsmasq[212693]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 24 22:51:58 server dnsmasq[212693]: using only locally-known addresses for domain office.lan
Sep 24 22:51:58 server dnsmasq[212693]: using only locally-known addresses for domain office.lan
Sep 24 22:51:58 server dnsmasq[212693]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 24 22:51:58 server dnsmasq[212693]: using only locally-known addresses for domain office.lan
[admin@server ~]$

Bugs filed here:
https://issues.redhat.com/browse/RHEL-59988
And, here:
https://issues.redhat.com/browse/RHEL-60003
Anything added (corrected…) to those bugs might be helpful.

Very many thanks for all the help shining a torch in this deep dark rabbit warren!


Unfortunately, filter-AAAA is not yet implemented in your dnsmasq version, so that explains the dnsmasq startup failure.

The nameservers are double defined, both in NetworkManager and dnsmasq.
But adding them to my config does not make a difference; only the "socket" SELinux errors appear, so maybe dnsmasq is not able to fetch info from NetworkManager, which does no harm in this case because the info is in its own config file.

I do not see any problem in the GitHub log; all domains are directed to the proper nameserver. Ignoring 127.0.0.1 is correct because it provides its own output. I would expect this warning to be suppressed by the "no-resolv" option.

Would be difficult to reproduce at RH with this complex set-up.

The only thing I see which I do not expect is that dnsmasq contacts all defined nameservers, including the IPv6 one (I have IPv6). But that could be a misunderstanding on my side of multiple nameservers configured.
According to the manpage, "--all-servers" should be specified for this.

NetworkManager must be pushing DNS-related settings to dnsmasq over DBus, overriding the local option:

Make sure to remove search domains from your connection settings:

You can also run dnsmasq as a separate service to avoid DBus interference.

The "ignoring 127.0.0.1" disappears if you remove 127.0.0.1 as a nameserver in NetworkManager. Normally, without systemd-resolved, the nameservers are written into /etc/resolv.conf, but using dnsmasq, only 127.0.0.1 should be in /etc/resolv.conf and the defined nameservers are pushed by DBus to dnsmasq. Pushing 127.0.0.1 creates a short circuit, correctly ignored by dnsmasq.

@vgaetera The nameservers are pushed via DBus by design to dnsmasq, and doubled in this case because they are already in dnsmasq's config, but would this overwrite the "local=/office.lan/" option? I still cannot reproduce it in a Rocky 9 VM.

Oops: I can reproduce it partly, but get a correct answer:

Sep 25 09:25:30 server dnsmasq[2728]: query[A] server.office.lan from 192.168.1.140
Sep 25 09:25:30 server dnsmasq[2728]: /etc/hosts server.office.lan is 192.168.1.40
Sep 25 09:25:30 server dnsmasq[2728]: query[AAAA] server.office.lan from 192.168.1.140
Sep 25 09:25:30 server dnsmasq[2728]: forwarded server.office.lan to 1.1.1.1
Sep 25 09:25:30 server dnsmasq[2728]: forwarded server.office.lan to 1.0.0.1
Sep 25 09:25:30 server dnsmasq[2728]: reply server.office.lan is NODATA-IPv6

It looks like the search domain "office.lan" in NetworkManager is the culprit!!

SELinux is also very busy after DNS data is entered in nmcli, but you have to enter one DNS in NetworkManager, otherwise dnsmasq does not start.

Maybe better to use the config standalone with "dnsmasq -C configfile" to prevent NetworkManager manipulating the config.

Confirmed: the search domain in NetworkManager causes AAAA requests to server.office.lan to go outside. Strange.

Addition: dbus-monitor shows calls from NetworkManager to dnsmasq, "SetServersEx". The documentation tells that this defines a nameserver plus the domain it is used for.
So the combination "1.1.1.1 + office.lan" means: use 1.1.1.1 for office.lan.
This is completely contradictory to what I expect, as I interpret search domain office.lan as: search "server" as "server" and "server.office.lan".
Either I do not understand it or NetworkManager does not understand it…

Added: Me to blame, it is documented in the nmcli/nm-settings documentation. If a DNS plugin is used which supports split-DNS, the function of the ipv4.dns and ipv4.dns-search arrays changes: they specify the nameserver and the domain which it serves. So @vgaetera is right: remove the DNS-related settings from NetworkManager. Unfortunately, you need a DNS otherwise dnsmasq does not start. But do not specify search domains, only in /etc/resolv.conf.
Very tricky.
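To turn the reproduction above (an AAAA for server.office.lan being forwarded to 1.1.1.1 while the A query is answered from /etc/hosts) into a check you can run against a journal, here is an added Python example; it is not code from the thread, from dnsmasq or from NetworkManager. It reads the startup lines "using only locally-known addresses for domain ..." to learn which domains dnsmasq claims as local, then flags every "forwarded ... to ..." line for a name under one of those domains, together with the query type and client of the most recent matching query line. The log embedded below is constructed from the lines quoted in the thread and is not a real capture; the regexes assume dnsmasq's default log-queries format as seen in those lines.

```python
"""Flag dnsmasq queries for a local= domain that were still forwarded upstream.

Added example, not code from the thread. Feed it `journalctl -b -u
NetworkManager.service` (or dnsmasq's own unit) on stdin, or run it with
no stdin to check the constructed sample log below.
"""
import re
import sys

# Constructed sample, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Sep 25 09:25:29 server dnsmasq[2728]: using only locally-known addresses for domain office.lan
Sep 25 09:25:29 server dnsmasq[2728]: using only locally-known addresses for domain 1.168.192.in-addr.arpa
Sep 25 09:25:30 server dnsmasq[2728]: query[A] server.office.lan from 192.168.1.140
Sep 25 09:25:30 server dnsmasq[2728]: /etc/hosts server.office.lan is 192.168.1.40
Sep 25 09:25:30 server dnsmasq[2728]: query[AAAA] server.office.lan from 192.168.1.140
Sep 25 09:25:30 server dnsmasq[2728]: forwarded server.office.lan to 1.1.1.1
Sep 25 09:25:30 server dnsmasq[2728]: forwarded server.office.lan to 1.0.0.1
Sep 25 09:25:30 server dnsmasq[2728]: reply server.office.lan is NODATA-IPv6
Sep 25 09:25:31 server dnsmasq[2728]: query[A] test.office.lan from 127.0.0.1
Sep 25 09:25:31 server dnsmasq[2728]: config test.office.lan is NXDOMAIN
Sep 25 09:25:32 server dnsmasq[2728]: query[A] example.com from 192.168.1.140
Sep 25 09:25:32 server dnsmasq[2728]: forwarded example.com to 1.1.1.1
"""

LOCAL_RE = re.compile(r"using only locally-known addresses for domain (\S+)")
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")


def in_local_domain(name, local_domains):
    """True if name equals one of local_domains or lies below it."""
    name = name.lower().rstrip(".")
    for dom in local_domains:
        dom = dom.lower().rstrip(".")
        if name == dom or name.endswith("." + dom):
            return True
    return False


def find_leaks(log_text):
    """Return (sorted local domains, list of leaked forwards).

    A leak is a 'forwarded NAME to SERVER' line whose NAME is under a
    domain that the same log declared as locally-known; with a working
    local= such names must only ever produce 'config'/'/etc/hosts' lines."""
    local_domains = set()
    last_query = {}   # name -> (qtype, client) from the most recent query line
    leaks = []
    for line in log_text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            local_domains.add(m.group(1))
            continue
        m = QUERY_RE.search(line)
        if m:
            qtype, name, client = m.groups()
            last_query[name] = (qtype, client)
            continue
        m = FORWARD_RE.search(line)
        if m and in_local_domain(m.group(1), local_domains):
            name, upstream = m.groups()
            qtype, client = last_query.get(name, ("?", "?"))
            leaks.append({"name": name, "qtype": qtype,
                          "client": client, "upstream": upstream})
    return sorted(local_domains), leaks


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    domains, leaks = find_leaks(text)
    print("local domains:", ", ".join(domains) or "(none found)")
    for leak in leaks:
        print(f"LEAK {leak['qtype']:5} {leak['name']} from {leak['client']} "
              f"forwarded to {leak['upstream']}")
    sys.exit(1 if leaks else 0)
```

On the sample it reports the two AAAA forwards of server.office.lan to 1.1.1.1 and 1.0.0.1 and ignores example.com, which is not local; an exit status of 1 makes it usable as a quick regression check after removing the search domain from the NetworkManager connection, when the same query should produce a "config server.office.lan is NODATA-IPv6" line instead.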