Unbound enabled, Dnsmasq disabled but still present at startup

Hi everyone,

I am running Rocky Linux 8.8, fully updated, and installed Unbound to use it instead of Dnsmasq.

Basically, Dnsmasq has been disabled, I configured Unbound with its conf file, enabled it so it will be present at startup and made a change so that resolv.conf is linked to a manually configured conf file that sets 127.0.0.1 as the dns - ie. the same address Unbound is listening to.

However, Dnsmasq keeps starting, even though when I check its status with systemctl, the status is marked as disabled; the same is also confirmed when logging into Cockpit.

I am not an advanced user so I suppose I may have missed something, your help would be welcome!

Many thanks,

Alex

When you say “starts”, do you mean that systemctl shows the dnsmasq.service to run, or that you see dnsmasq process (with ps, etc)?


For example, libvirtd.service that might be included in install does have virtual network “default” defined and that does run one instance of dnsmasq as DHCP and DNS for that subnet (i.e. for VMs in it).

Another thing is that if NetworkManager is configured to use dnsmasq for name resolution, then that too starts an instance of dnsmasq. (You would know if you had done that.)

There are thus multiple reasons why there can be dnsmasq processes even when dnsmasq.service is not running.


Hi @jlehtone many thanks for the reply!

Actually, your message brought me back on track, as I had kind of completely forgotten that the key inputs for the answer would be in systemctl status for the visible dnsmasq PID. I was only running the command “systemctl status dnsmasq”, as this is the service name that was shown in netstat - sorry for that :-/

Having looked at the status of that PID, dnsmasq, while disabled, is actually started by libvirtd.service. Further details in the output also show that it is active about DHCP.

This leads to the two following questions please:

  • if this dnsmasq process runs (started by libvirtd), unbound doesn’t work. I have to kill dnsmasq and then unbound works as a dns. Is there something I can do to have unbound as dns (I configured it also in NetworkManager) without having to kill dnsmasq at startup?

  • this case may be contributing to another issue I have, with Gnome Boxes. I have already used Boxes on another install, but this time I have applied CIS hardening with Openscap. If I want to start a new VM, the new VM window crashes, even when dnsmasq / libvirt is running. Any suggestion please about the services or other parameters I would have to check in this case?

Many thanks !

Disclaimer: I don’t know unbound, openscap, nor Gnome Boxes.

The dnsmasq started by libvirtd for a virtual subnet does “serve” only that subnet. (Libvirtd can have multiple “networks” and hence multiple instances of dnsmasq simultaneously.) The “default” network shows as “virbr0” bridge interface on the host.


Let’s assume that the virbr0 is already up when unbound starts. Dnsmasq does listen on a port of virbr0.
If the unbound attempts to listen on that port (dns) on every existing interface, then it obviously fails on virbr0.

Let’s assume that the unbound starts before libvirtd. There is no virbr0 to listen on. When libvirtd starts, that creates virbr0, and either dnsmasq can start on it (and all is well initially) or the unbound detects the new interface and attempts to listen on that too (which is not ok).

Is there a way to tell the unbound to listen only on specific interfaces?


If NetworkManager is set to start dnsmasq for name resolution for the host, then the config of that instance is limited to listen only on 127.0.0.1 (the loopback interface). (I have customized such config so that that dnsmasq does listen select physical interface too and act as DHCP and DNS for other machines. I don’t have virbr0 in use at all – rather bridged networks.)


No idea about the VM issues.
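The two situations above (dnsmasq bound on the virbr0 address, unbound trying to bind everywhere) are easiest to reason about once you can see exactly which process holds port 53 on which address. The script below is an added example, not something posted in this thread or shipped with unbound or libvirt: it filters `ss -lntup`-style output down to the DNS listeners and prints the owning process and PID, and it emits an unbound `server:` snippet that restricts unbound to the loopback addresses (the `interface:` and `access-control:` directives are standard unbound.conf options). The `ss` lines embedded in the script are constructed for the demonstration; the 192.168.122.1 address is libvirt's default-network gateway, which is where its dnsmasq normally listens.

```shell
#!/bin/sh
# Added example (not from the thread). Shows which processes own the DNS port
# so a dnsmasq (virbr0) / unbound (loopback) overlap is visible, and prints an
# unbound server: block that keeps unbound on loopback only.

# Constructed sample of `ss -lntup` output (not captured from the poster's host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      192.168.122.1:53   0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=5))
tcp   LISTEN 0      32     192.168.122.1:53   0.0.0.0:*    users:(("dnsmasq",pid=1234,fd=6))
udp   UNCONN 0      0      127.0.0.1:53       0.0.0.0:*    users:(("unbound",pid=2345,fd=3))
tcp   LISTEN 0      256    127.0.0.1:53       0.0.0.0:*    users:(("unbound",pid=2345,fd=4))
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*    users:(("dhclient",pid=999,fd=6))'

# dns_listeners [port]: read `ss -lntup` output on stdin and print one line
# per socket bound to the port: "<proto> <local address> <process> <pid>".
# On a real host: ss -lntup | dns_listeners 53   (run as root to see all owners)
dns_listeners() {
    port=${1:-53}
    awk -v port="$port" '
        NR > 1 {
            # Local Address:Port is field 5; the port is the text after the last ":".
            n = split($5, a, ":")
            if (a[n] != port) next
            addr = substr($5, 1, length($5) - length(a[n]) - 1)
            # Process column looks like users:(("dnsmasq",pid=1234,fd=5)).
            match($7, /"[^"]+"/);   proc = substr($7, RSTART + 1, RLENGTH - 2)
            match($7, /pid=[0-9]+/); pid = substr($7, RSTART + 4, RLENGTH - 4)
            print $1, addr, proc, pid
        }'
}

# unbound_loopback_only_conf: print an unbound.conf server: block that binds
# unbound to loopback only, so libvirt's dnsmasq on virbr0 is never contended.
unbound_loopback_only_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
EOF
}

# Demo run against the constructed sample.
echo "DNS port listeners:"
printf '%s\n' "$SAMPLE_SS" | dns_listeners 53
echo
echo "Suggested unbound server: block (loopback only):"
unbound_loopback_only_conf
```

With the snippet placed in a file under /etc/unbound/ that the main unbound.conf includes (or merged into the server: section), the listener list should show unbound only on 127.0.0.1 and ::1 while libvirt's dnsmasq keeps 192.168.122.1, and `systemctl status <pid>` on the dnsmasq PID will confirm libvirtd as the owning unit, as the poster found.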

Many thanks @jlehtone for this additional information, very appreciated!

I am going to review a few things in that direction, which should be helpful I think. I will just post a short message when I have had a chance to test it.

@jlehtone back to say that thanks to your messages, I got a better understanding of that situation. As to libvirtd, I may actually not need it for my use case, so I disabled it: things seem to be working fine, no dnsmasq at startup and unbound doing its dns stuff.

Many thanks again and have a good day!