dnsmasq is spamming my journal

ewaller · 2019-11-09 01:38:02

ewaller@odin/home/ewaller % journalctl -b | grep  'reading /etc/resolv.conf' | wc
   1937   13559  120094
ewaller@odin/home/ewaller % uptime
 17:31:51 up  3:05,  1 user,  load average: 1.22, 1.00, 0.95
ewaller@odin/home/ewaller %

The messages are:

Nov 08 17:35:59 odin dnsmasq[20426]: reading /etc/resolv.conf
Nov 08 17:35:59 odin dnsmasq[20426]: using nameserver 127.0.0.53#53

A mean of 23 reports per minute seems a bit excessive. Any suggestions?

ugjka · 2019-11-09 04:51:30

Rough workaround is to forward all logs to /dev/null in the service unit file

StandardOutput=null
StandardError=null

ewaller · 2019-11-09 05:03:54

ugjka wrote:

Rough workaround is to forward all logs to /dev/null in the service unit file

StandardOutput=null
StandardError=null

Yeah. I'll keep that in my vest pocket in case I cannot find a proper solution.
But thanks, I had not looked into redirecting service output like that. Seems like a nice tool to but into the war chest.

ugjka · 2019-11-09 05:14:18

apparently you can do this too StandardOutput=file:YOUR_ABSPATH_FILENAME.log

koffeinfriedhof · 2019-11-09 12:34:04

Hi!

Do you have log-queries=extra in use? I do not have these massive requests from dnsmasq. Perhaps something is spamming the resolv.conf-file without changing content. Do you use the resolvconf oder systemd-resolved package?

ewaller · 2019-11-09 16:17:27

koffeinfriedhof wrote:

Do you use the resolvconf oder systemd-resolved package?

Yes.

ewaller@odin/home/ewaller[130] % systemctl list-unit-files --state=enabled
UNIT FILE                              STATE
org.cups.cupsd.path                    enabled
acpid.service                          enabled
autovt@.service                        enabled
blueman-mechanism.service              enabled
bluetooth.service                      enabled
cups-browsed.service                   enabled
dbus-org.bluez.service                 enabled
dbus-org.freedesktop.network1.service  enabled
dbus-org.freedesktop.resolve1.service  enabled
dbus-org.freedesktop.timesync1.service enabled
dhcpcd.service                         enabled
getty@.service                         enabled
hddtemp.service                        enabled
hpfall.service                         enabled
org.cups.cupsd.service                 enabled
sshd.service                           enabled
systemd-networkd-wait-online.service   enabled
systemd-networkd.service               enabled
systemd-resolved.service               enabled
systemd-timesyncd.service              enabled
org.cups.cupsd.socket                  enabled
systemd-networkd.socket                enabled
remote-fs.target                       enabled

23 unit files listed.
ewaller@odin/home/ewaller %

Interesting. That led me to this....

ewaller@odin/home/ewaller % ll /etc/resolv.conf
lrwxrwxrwx 1 root root 37 Sep 27 08:09 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
ewaller@odin/home/ewaller % ll /run/systemd/resolve/stub-resolv.conf
-rw-r--r-- 1 systemd-resolve systemd-resolve 719 Nov  9 08:12 /run/systemd/resolve/stub-resolv.conf
ewaller@odin/home/ewaller % ll /run/systemd/resolve/stub-resolv.conf
-rw-r--r-- 1 systemd-resolve systemd-resolve 719 Nov  9 08:13 /run/systemd/resolve/stub-resolv.conf
ewaller@odin/home/ewaller %

As can be seen, /etc/resolv.conf is a link. And, behold, the destination file seems to be being constantly updated.

Sadly, I am at work on this beautiful autumn Saturday morning -- I'll look into this when I get home this afternoon.

koffeinfriedhof · 2019-11-10 12:55:39

Try to stop it and use a static resolv.conf-file as dnsmasq should resolve dns requests.
systemctl stop systemd-resolved

and nameserver 127.0.0.1 as content in /etc/resolv.conf. If you want other systems in your local network to use dnsmasq the resolv.conf-file must contain the (static) ip of your server too, e.g. nameserver 192.168.1.50.

Watch the logs and if spamming stopped, you may disable the service. If you need either systemd-resolved and dnsmasq, search for configuration examples how to do this.

Another (simpler) way is to prevent dnsmasq to read the file. Just put no-resolve in the /etc/dnsmasq.conf file.

ewaller · 2019-11-10 17:17:05

Good points. Thanks.
For now, I have changed to one of the other four modes of operation by changing the link for /etc/resolv.conf

ewaller@odin/home/ewaller % ll /etc/resolv.conf
lrwxrwxrwx 1 root root 28 Nov  9 13:06 /etc/resolv.conf -> /usr/lib/systemd/resolv.conf
ewaller@odin/home/ewaller %

The spam is gone. At least the dnsmasq spam, that is. I still have spam from the endless attacks on ssh from China, Iran, India, and Virginia

Not marking this as solved as I would like to revert to the recommended mode of operation.

progandy · 2019-11-10 17:19:31

For what reason do you wish to use dnsmasq?

You could also look if systemd-resolved is sending dbus notifications about changed DNS settings in the same interval.
https://www.freedesktop.org/wiki/Softwa … /resolved/

sudo busctl monitor org.freedesktop.resolve1

Last edited by progandy (2019-11-10 17:36:58)

ewaller · 2019-11-10 19:04:46

progandy wrote:

For what reason do you wish to use dnsmasq?

Don't really know that I want to. What I do want is systemd-resolved as described here https://wiki.archlinux.org/index.php/Sy … solved#DNS

I see that dnsmasq is an optional for Networkmanger, libvert, and blueman. I might have installed it for libvirt. Let me try removing dnsmasq and see if I break anything.

As to busctl, yeah, it is posting messages at about the rate I would expect for the spam.

progandy · 2019-11-10 19:18:54

ewaller wrote:

I see that dnsmasq is an optional for Networkmanger, libvert, and blueman. I might have installed it for libvirt. Let me try removing dnsmasq and see if I break anything.

I guess it is used as a combined DNS/DHCP server for those networks where your arch linux becomes the gateway.

As to busctl, yeah, it is posting messages at about the rate I would expect for the spam.

So for some reason systemd-resolved is spamming DNS updates. That should probably be fixed, but I have no idea if that is a bug in resolved or if it recieves bogus signals from something else.

koffeinfriedhof · 2019-11-11 09:12:16

ewaller wrote:

… I might have installed it for libvirt…

Yes, libvirt uses dnsmasq for networking on clients (every client gets an own dnsmasq-instance running, see Libvirtd_and_dnsmasq). Removing the package could break networking of clients.

Arch Linux

#1 2019-11-09 01:38:02

dnsmasq is spamming my journal

#2 2019-11-09 04:51:30

Re: dnsmasq is spamming my journal

#3 2019-11-09 05:03:54

Re: dnsmasq is spamming my journal

#4 2019-11-09 05:14:18

Re: dnsmasq is spamming my journal

#5 2019-11-09 12:34:04

Re: dnsmasq is spamming my journal

#6 2019-11-09 16:17:27

Re: dnsmasq is spamming my journal

#7 2019-11-10 12:55:39

Re: dnsmasq is spamming my journal

#8 2019-11-10 17:17:05

Re: dnsmasq is spamming my journal

#9 2019-11-10 17:19:31

Re: dnsmasq is spamming my journal

#10 2019-11-10 19:04:46

Re: dnsmasq is spamming my journal

#11 2019-11-10 19:18:54

Re: dnsmasq is spamming my journal

#12 2019-11-11 09:12:16

Re: dnsmasq is spamming my journal

Board footer