NM, dnsmasq & systemd-resolved...
Morgan Read
mstuff at read.org.nz
Tue Jul 1 14:48:21 UTC 2025
Hello NM List,
I am running dnsmasq under NM. I have recently attempted a
configuration of NM, dnsmasq and resolved to have them 'play nice'
together because systemd-resolved is required (perhaps desired) by
Tailscale.
I have restricted dnsmasq to the local lan device (bridge0) with address
192.168.1.40.
The upstream route to the Internet is on wan device (bond0) with address
192.168.9.2.
I have systemd-resolved running in its primary linked mode:
```
[admin at server ~]$ ls -lh /etc/resolv.conf
lrwxrwxrwx. 1 root root 37 Jun 23 21:38 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
```
I believe (hope/ wish) I have done what is necessary to succeed. I may
have succeeded, but the output of dnsmasq running under NM leads me to
suspect otherwise:
```
CGroup: /system.slice/NetworkManager.service
├─374497 /usr/sbin/NetworkManager --no-daemon
└─374545 /usr/sbin/dnsmasq --no-resolv
--keep-in-foreground --no-hosts --bind-interfaces
--pid-file=/run/NetworkManager/dnsmasq.pid --listen-address=127.0.0.1
--cache-size=400 --clear-on-reload --conf-file=/dev/null
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq
--conf-dir=/etc/NetworkManager/dnsmasq.d
```
The part of the reported dnsmasq config I take offence to is
`--listen-address=127.0.0.1` and my question is, where on earth is this
coming from?
The output of:
```
find -L /etc/NetworkManager/ /etc/systemd/resolved.conf \
  /etc/systemd/resolved.conf.d/ /etc/resolv.conf -type f \
  -printf '---next-file->>>: %p\n\n' -exec cat {} \; -printf '\n' > /tmp/output.txt
```
is attached. Are there any other files that I should include (and so,
perhaps, provide a quick lead to an answer to my primary question)?
Links to discussions relevant to this post, most recent first:
https://issues.redhat.com/browse/RHEL-61202?focusedId=27455987&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-27455987
https://forums.rockylinux.org/t/network-nightmare-nah-not-really/13244
Many thanks for your time,
M
--
Morgan Read
Grande Bretagne
-------------- next part --------------
---next-file->>>: /etc/NetworkManager/conf.d/dhcp-client.conf
### Added by root 01.10.2023
[main]
#dhcp=dhclient
dhcp=internal
---next-file->>>: /etc/NetworkManager/conf.d/crc-nm-dnsmasq.conf
[main]
dns=dnsmasq
---next-file->>>: /etc/NetworkManager/conf.d/00-use-dnsmasq.conf
# /etc/NetworkManager/conf.d/00-use-dnsmasq.conf #
# This enabled the dnsmasq plugin.
### https://docs.fedoraproject.org/en-US/fedora-server/administration/dnsmasq/
### https://fedoramagazine.org/using-the-networkmanagers-dnsmasq-plugin/
### See also https://access.redhat.com/solutions/2189401#nm-helper
[main]
dns=dnsmasq
---next-file->>>: /etc/NetworkManager/conf.d/rc-manager-symlink.conf
### symlink: If /etc/resolv.conf is instead a symlink, NetworkManager will leave it alone. Unless the symlink points to
### the internal file /run/NetworkManager/resolv.conf, in which case the symlink will be updated to emit an inotify notification.
[main]
rc-manager=symlink
### Additionally, send the connection DNS configuration to systemd-resolved. Defaults to "true".
### Note that this setting has no effect if the main dns plugin is already systemd-resolved. It is complementary to the dns
### setting to configure systemd-resolved alongside the main plugin.
### If systemd-resolved is enabled, either via this setting or the main DNS plugin, the connectivity check resolves the hostname
### per-device.
systemd-resolved=true
---next-file->>>: /etc/NetworkManager/dnsmasq.d/02-DHCP-office-lan.conf
# /etc/NetworkManager/dnsmasq.d/02-DHCP-office-lan.conf
# This file sets up DHCP for the private local net domain office.lan
### https://docs.fedoraproject.org/en-US/fedora-server/administration/dnsmasq/
# The domain the DHCP part of dnsmasq is responsible for:
domain=office.lan,192.168.1.0/24,local
# interfaces to listen on
interface=bridge0
# general DHCP stuff (options, see RFC 2132)
# 1: subnet masq
# 3: default router
# 6: DNS server
# 12: hostname
# 15: DNS domain (unneeded with option 'domain')
# 28: broadcast address
dhcp-authoritative
dhcp-option=1,255.255.255.0
dhcp-option=3,192.168.1.40
dhcp-option=6,192.168.1.40
# Assign fixed IP addresses based on MAC address
dhcp-host=B4:B5:2F:??:??:??,ILOCZJ2320B32,192.168.1.41,6h
dhcp-host=DC:39:6F:??:??:??,fritzbox,192.168.1.30,6h
dhcp-host=00:00:74:??:??:??,printer,192.168.1.120,6h
dhcp-host=C2:0A:7A:??:??:??,mymachine,192.168.1.140,6h
dhcp-host=B0:25:AA:??:??:??,mymachine,192.168.1.141,6h
dhcp-host=F4:4D:AD:??:??:??,mymachine,192.168.1.142,6h
dhcp-host=5C:E0:C5:??:??:??,myoldmachine,192.168.1.150,6h
dhcp-host=60:B7:6E:??:??:??,myphone,192.168.1.160,6h
dhcp-host=B0:72:BF:??:??:??,myphone-gs7,192.168.1.161,6h
# Assign dynamically IP addresses to interface to listen on
# Range for distributed addresses, tagged <int> for further references dhcp-range=tag:enp2s0,10.10.10.150,10.10.10.200,24h
dhcp-range=192.168.1.50,192.168.1.250,6h
---next-file->>>: /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.conf
# /etc/NetworkManager/dnsmasq.d/01-DNS-office-lan.conf
# This file sets up DNS for the private local net domain office.lan
### https://docs.fedoraproject.org/en-US/fedora-server/administration/dnsmasq/
### https://fedoramagazine.org/using-the-networkmanagers-dnsmasq-plugin/
### Setup for working with `systemd-resolved` on interface `lo`.
# This option forces dnsmasq to really bind only the interfaces it is listening on, otherwise also dnsmasq binds the wildcard addre>
bind-interfaces
# Do not listen on the specified interface.
except-interface=lo
# Listen on the given IP address. If no `interface` option is given, but `listen-address` is, dnsmasq will not automatically liste>
listen-address=192.168.1.40
# Don't read /etc/resolv.conf. Get upstream servers only from the command line or the dnsmasq configuration file.
no-resolv
# Don't read the hostnames in /etc/hosts.
no-hosts
# File where to find the list of IP - hostname mapping
addn-hosts=/etc/dnsmasq.hosts
#addn-hosts=/etc/hosts ### Commented out for working with `systemd-resolved`.
domain-needed
bogus-priv
# Automatically add <domain> to simple names in a hosts-file.
expand-hosts
# Interfaces to listen on
#interface=lo ### Commented out for working with `systemd-resolved`.
interface=bridge0
# In case of a bridge don't use the attached server virtual ethernet interface
# The below defines a Wildcard DNS Entry.
#address=/.localnet/10.10.10.zzz
# Tells dnsmasq that a domain is local
# It may answer queries from /etc/hosts or DHCP but should never forward queries
# `local` is a synonym for `server` to make configuration files clearer
local=/office.lan/192.168.1.40
### A declaration with no interfaces or address simply specifies the primary external nameserver.
### https://discussion.fedoraproject.org/t/dnsmasq-times-out-querying-upstream-dns-for-local-lookup/130870/52
#auth-server=office.lan
### Commented out following close reading of `man` entry - it appears to require a 'globally accessible IP address' and an 'external DNS server', see under 'AUTHORITATIVE CONFIGURATION'
# Specifies DNS domains for the DHCP server.
domain=office.lan
# Upstream public net DNS server (max.three)
server=1.1.1.1
server=1.0.0.1
# Don't poll /etc/resolv.conf for changes
no-poll
# For debugging purposes, log each DNS query as it passes through dnsmasq.
log-queries
# As per @vgaetera suggestion here https://discussion.fedoraproject.org/t/dnsmasq-times-out-querying-upstream-dns-for-local-lookup/130870/25
#filter-AAAA
---next-file->>>: /etc/NetworkManager/dnsmasq.d/crc.conf
server=/apps-crc.testing/192.168.130.11
server=/crc.testing/192.168.130.11
---next-file->>>: /etc/NetworkManager/dnsmasq.d/libvirt-office-lan.conf
### References:
### https://liquidat.wordpress.com/2017/03/03/howto-automated-dns-resolution-for-kvmlibvirt-guests-with-a-local-domain/
### https://docs.fedoraproject.org/en-US/fedora-server/administration/dnsmasq/
# /etc/NetworkManager/dnsmasq.d/libvirt-office-lan.conf
# This file directs dnsmasq to forward any request to resolve
# names under the .libvirt.office.lan domain to 192.168.122.1, the
# local libvirt DNS server default address.
server=/libvirt.office.lan/192.168.122.1
---next-file->>>: /etc/NetworkManager/system-connections/enp3s4f1.nmconnection
[connection]
id=enp3s4f1
uuid=6a20f88c-0b92-4a21-97ee-2557efe59101
type=ethernet
controller=bond0
interface-name=enp3s4f1
port-type=bond
timestamp=1726425072
zone=public
[ethernet]
---next-file->>>: /etc/NetworkManager/system-connections/enp3s4f0.nmconnection
[connection]
id=enp3s4f0
uuid=c63886e1-9cc7-3542-afba-6d52927be35f
type=ethernet
autoconnect-priority=-999
controller=bond0
interface-name=enp3s4f0
port-type=bond
timestamp=1726425072
zone=public
[ethernet]
---next-file->>>: /etc/NetworkManager/system-connections/bond0.nmconnection
[connection]
id=bond0-wan
uuid=46d68e2e-e9bf-4f63-8fef-2b05441ec73f
type=bond
autoconnect-ports=1
interface-name=bond0
timestamp=1750627295
[ethernet]
cloned-mac-address=B4:B5:2F:5B:17:8E
[bond]
arp_interval=100
arp_ip_target=192.168.9.1
downdelay=0
miimon=100
mode=balance-rr
updelay=0
[ipv4]
address1=192.168.9.2/24
dns=192.168.1.40;1.1.1.1;1.0.0.1;
gateway=192.168.9.1
method=manual
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
---next-file->>>: /etc/NetworkManager/system-connections/bridge0-port0.nmconnection
[connection]
id=bridge0-port0
uuid=ad5f615e-7398-4740-a852-492b04a7b9be
type=ethernet
controller=bridge0
interface-name=ens6f0
port-type=bridge
timestamp=1727007828
zone=internal
[ethernet]
[bridge-port]
---next-file->>>: /etc/NetworkManager/system-connections/bridge0-port1.nmconnection
[connection]
id=bridge0-port1
uuid=04f25206-74d9-493a-a564-705fea93c6e6
type=ethernet
controller=bridge0
interface-name=ens6f1
port-type=bridge
timestamp=1727007828
zone=internal
[ethernet]
[bridge-port]
---next-file->>>: /etc/NetworkManager/system-connections/bridge0-port2.nmconnection
[connection]
id=bridge0-port2
uuid=e2614e1b-7725-42eb-b127-026e253f9657
type=ethernet
controller=bridge0
interface-name=ens6f2
port-type=bridge
timestamp=1727007828
zone=internal
[ethernet]
[bridge-port]
---next-file->>>: /etc/NetworkManager/system-connections/bridge0-port3.nmconnection
[connection]
id=bridge0-port3
uuid=41e40344-986b-4c16-baf7-6d023ef03045
type=ethernet
controller=bridge0
interface-name=ens6f3
port-type=bridge
timestamp=1727007828
zone=internal
[ethernet]
[bridge-port]
---next-file->>>: /etc/NetworkManager/system-connections/bridge0.nmconnection
[connection]
id=bridge0-lan
uuid=9b722122-7aa4-43bf-81b7-115cc6df3c6d
type=bridge
autoconnect-ports=1
interface-name=bridge0
timestamp=1750621893
zone=internal
[ethernet]
[bridge]
[ipv4]
address1=192.168.1.40/24
method=manual
[ipv6]
addr-gen-mode=default
method=auto
[proxy]
---next-file->>>: /etc/NetworkManager/NetworkManager.conf
# Configuration file for NetworkManager.
#
# See "man 5 NetworkManager.conf" for details.
#
# The directories /usr/lib/NetworkManager/conf.d/ and /run/NetworkManager/conf.d/
# can contain additional .conf snippets installed by packages. These files are
# read before NetworkManager.conf and have thus lowest priority.
# The directory /etc/NetworkManager/conf.d/ can contain additional .conf
# snippets. Those snippets are merged last and overwrite the settings from this main
# file.
#
# The files within one conf.d/ directory are read in asciibetical order.
#
# You can prevent loading a file /usr/lib/NetworkManager/conf.d/NAME.conf
# by having a file NAME.conf in either /run/NetworkManager/conf.d/ or /etc/NetworkManager/conf.d/.
# Likewise, snippets from /run can be prevented from loading by placing
# a file with the same name in /etc/NetworkManager/conf.d/.
#
# If two files define the same key, the one that is read afterwards will overwrite
# the previous one.
[main]
#plugins=keyfile,ifcfg-rh
[logging]
# When debugging NetworkManager, enabling debug logging is of great help.
#
# Logfiles contain no passwords and little sensitive information. But please
# check before posting the file online. You can also personally hand over the
# logfile to a NM developer to treat it confidential. Meet us on #nm on Libera.Chat.
#
# You can also change the log-level at runtime via
# $ nmcli general logging level TRACE domains ALL
# However, usually it's cleaner to enable debug logging
# in the configuration and restart NetworkManager so that
# debug logging is enabled from the start.
#
# You will find the logfiles in syslog, for example via
# $ journalctl -u NetworkManager
#
# Please post full logfiles for bug reports without pre-filtering or truncation.
# Also, for debugging the entire `journalctl` output can be interesting. Don't
# limit unnecessarily with `journalctl -u`. Exceptions are if you are worried
# about private data. Check before posting logfiles!
#
# Note that debug logging of NetworkManager can be quite verbose. Some messages
# might be rate-limited by the logging daemon (see RateLimitIntervalSec, RateLimitBurst
# in man journald.conf). Please disable rate-limiting before collecting debug logs!
#
#level=TRACE
#domains=ALL
---next-file->>>: /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=resolve
#Cache=yes
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no
---next-file->>>: /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search .
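Added note and example; this is neither part of Morgan's message nor code from NetworkManager or dnsmasq. On the primary question: the `--listen-address=127.0.0.1` on that command line is not read from any file in the listing. NetworkManager's dnsmasq plugin adds it itself when it spawns dnsmasq, and `--conf-dir=/etc/NetworkManager/dnsmasq.d` only extends that set (here with `listen-address=192.168.1.40` and `interface=bridge0`). The script below is a static model of the posted configuration: it derives dnsmasq's listen addresses and upstreams from the command line, the dnsmasq.d snippets and the profiles' `[ipv4] dns=` lists (which the dnsmasq plugin hands to dnsmasq over D-Bus as upstreams), then reports any upstream that is one of dnsmasq's own listen addresses (dnsmasq forwarding to itself), any bind on the resolved stub address 127.0.0.53, and `log-queries`. `local=` is parsed like `server=`, as dnsmasq documents it as a synonym. The sample inputs are transcribed from the attachment, trimmed to the relevant lines; the runtime ground truth remains `ss -lnup 'sport = :53'` and `resolvectl status` on the host.

```python
"""Static audit of a NetworkManager + dnsmasq + systemd-resolved layout.

Inputs are strings, so it runs offline; feed it the real command line
(from `systemctl status NetworkManager`), the contents of
/etc/NetworkManager/dnsmasq.d/*.conf and the dns= values of your
profiles to audit a live host.
"""
import shlex

# Constructed sample input, transcribed (and trimmed) from the post.
NM_DNSMASQ_CMDLINE = (
    "/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts "
    "--bind-interfaces --pid-file=/run/NetworkManager/dnsmasq.pid "
    "--listen-address=127.0.0.1 --cache-size=400 --clear-on-reload "
    "--conf-file=/dev/null --enable-dbus=org.freedesktop.NetworkManager.dnsmasq "
    "--conf-dir=/etc/NetworkManager/dnsmasq.d"
)

DNSMASQ_D = {
    "01-DNS-office-lan.conf": """
bind-interfaces
except-interface=lo
listen-address=192.168.1.40
no-resolv
interface=bridge0
local=/office.lan/192.168.1.40
server=1.1.1.1
server=1.0.0.1
log-queries
""",
    "crc.conf": "server=/apps-crc.testing/192.168.130.11\nserver=/crc.testing/192.168.130.11\n",
    "libvirt-office-lan.conf": "server=/libvirt.office.lan/192.168.122.1\n",
}

# [ipv4] dns= of each NM profile; bridge0-lan has none in the post.
PROFILE_DNS = {"bond0-wan": "192.168.1.40;1.1.1.1;1.0.0.1;", "bridge0-lan": ""}

RESOLVED_STUB = "127.0.0.53"


def _kv_lines(text):
    """Yield (key, value) for each non-comment line of a dnsmasq snippet."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()


def listen_addresses(cmdline, conf_d):
    """Addresses dnsmasq binds: --listen-address on the command line plus
    listen-address= in the snippets. interface= lines are returned apart,
    since they bind by name and resolve to addresses only at runtime."""
    addrs, ifaces = set(), set()
    for arg in shlex.split(cmdline):
        if arg.startswith("--listen-address="):
            addrs.add(arg.split("=", 1)[1])
    for text in conf_d.values():
        for key, value in _kv_lines(text):
            if key == "listen-address":
                addrs.update(v.strip() for v in value.split(","))
            elif key == "interface":
                ifaces.add(value)
    return addrs, ifaces


def upstreams(conf_d, profile_dns):
    """Default upstreams (server=ADDR, plus profile dns= lists that the NM
    plugin passes over D-Bus) and per-domain upstreams (server=/dom/ADDR,
    local=/dom/ADDR)."""
    default, per_domain = set(), {}
    for text in conf_d.values():
        for key, value in _kv_lines(text):
            if key in ("server", "local") and value.startswith("/"):
                _, domain, addr = value.split("/", 2)
                if addr:  # "local=/dom/" with no address means answer locally
                    per_domain.setdefault(domain, set()).add(addr)
            elif key == "server":
                default.add(value)
    for dns in profile_dns.values():
        default.update(a for a in dns.split(";") if a)
    return default, per_domain


def audit(cmdline, conf_d, profile_dns, stub=RESOLVED_STUB):
    """Return the derived sets plus human-readable warnings."""
    addrs, ifaces = listen_addresses(cmdline, conf_d)
    default, per_domain = upstreams(conf_d, profile_dns)
    all_upstreams = set(default).union(*per_domain.values())
    self_forwards = all_upstreams & addrs
    warnings = [f"upstream {a} is also a dnsmasq listen address: dnsmasq would forward to itself"
                for a in sorted(self_forwards)]
    if stub in addrs:
        warnings.append(f"dnsmasq binds {stub}, which collides with the systemd-resolved stub")
    if any(k == "log-queries" for t in conf_d.values() for k, _ in _kv_lines(t)):
        warnings.append("log-queries is on: every client query is written to the journal")
    return {"listen_addresses": addrs, "listen_interfaces": ifaces,
            "default_upstreams": default, "per_domain_upstreams": per_domain,
            "self_forwards": self_forwards, "warnings": warnings}


if __name__ == "__main__":
    for key, value in audit(NM_DNSMASQ_CMDLINE, DNSMASQ_D, PROFILE_DNS).items():
        print(f"{key}: {value}")
```

The model deliberately ignores `bind-interfaces`/`except-interface` semantics and IPv6; it answers only "which addresses does this configuration ask dnsmasq to bind, and which servers does it ask dnsmasq to forward to", which is enough to see where 127.0.0.1 comes from and whether any upstream points back at dnsmasq itself.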