Dnsmasq: failed to create listening socket for port 53: Address already in use

Hi guys,

I am using the latest version of PiHole on my RaspberryPi3B. It was working perfectly fine, until I decided to use dnscrypt-proxy with Cisco Umbrella. It was working without any issues for a couple of days after the configuration, but today, I had to restart the Pi and since then, I see these errors.

I tried stopping dnscrypt-proxy and then restarting pihole-FTL but that still does not help.

pi@raspberrypi:/opt/dnscrypt-proxy $ systemctl status pihole-FTL
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated)
   Active: active (exited) since Thu 2020-12-31 15:14:39 IST; 3min 6s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1260 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Dec 31 15:14:36 raspberrypi systemd[1]: Starting LSB: pihole-FTL daemon...
Dec 31 15:14:36 raspberrypi pihole-FTL[1260]: Not running
Dec 31 15:14:36 raspberrypi su[1279]: (to pihole) root on none
Dec 31 15:14:36 raspberrypi su[1279]: pam_unix(su:session): session opened for user pihole by (uid=0)
Dec 31 15:14:38 raspberrypi pihole-FTL[1260]: dnsmasq: failed to create listening socket for port 53: Address already in use
Dec 31 15:14:39 raspberrypi systemd[1]: Started LSB: pihole-FTL daemon.
pi@raspberrypi:~ $ sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471 \|:5053'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      360/dnscrypt-proxy  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      653/lighttpd        
tcp        0      0 127.0.2.1:53            0.0.0.0:*               LISTEN      1/init              
tcp6       0      0 :::80                   :::*                    LISTEN      653/lighttpd        
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           360/dnscrypt-proxy  
udp        0      0 127.0.2.1:53            0.0.0.0:*                           1/init              
pi@raspberrypi:~ $

Expected Behaviour:

PiHole should work without interruptions.

Actual Behaviour:

pihole-FTL is failing with the error raspberrypi pihole-FTL[1541]: dnsmasq: failed to create listening socket for port 53: Address already in use

Debug Token:

I am even unable to upload the logs

[✓] ** FINISHED DEBUGGING! **

    * The debug log can be uploaded to tricorder.pi-hole.net for sharing with developers only.
    * For more information, see: https://pi-hole.net/2016/11/07/crack-our-medical-tricorder-win-a-raspberry-pi-3/
    * If available, we'll use openssl to upload the log, otherwise it will fall back to netcat.

[?] Would you like to upload the log? [y/N] y
    * Using curl for transmission.
    * curl failed, falling back to netcat for transmission.
nc: getaddrinfo for host "tricorder.pi-hole.net" port 9999: Temporary failure in name resolution
[✗]  There was an error uploading your debug log.
   * Please try again or contact the Pi-hole team for assistance.
   * A local copy of the debug log can be found at: /var/log/pihole_debug.log

So, I've attached the logs here. Can you please tell me what needs to be done so that I can ensure dnscrypt and I don't see this issue? thanks

pihole_debug.txt (77.3 KB)

I assume you did something in the dnscrypt-proxy setup that created a conflict with Pi-hole which needs port 53 on all interfaces/addresses to serve DNS as expected. Can you point us to the guide you used?

For instance, I just looked at the first result Google showed me for dnscrypt-proxy with pi-hole and there we see something like:

Under List of Local addresses change the port number to something you like, above 1024. I'm using 5350 in this example. Pi-Hole will be using port 53 (standard for DNS), so that's why we must use a custom port number for DNSCrypt.

listen_addresses = ['127.0.0.1:5350', '[::1]:5350']

and later on

8C. Configuring Pi-Hole for DNSCrypt

  1. Login to the Pi-Hole console (http://RPIAddress/admin). Go to Settings, DNS. Uncheck all upstream DNS servers and enter 127.0.0.1#5350 in Custom 1 (IPv4) and tick the box. For IPv6, enter ::1#5350. If you are running a VPN server on your Raspberry Pi, you will likely need to change the listening behavior to listen on all interfaces. Save the change.

Did you follow similar steps to ensure dnscrypt-proxy does not want to take the DNS port from Pi-hole?

Hi, thank you for your reply. Yes, that is in fact the exact guide which I followed :slight_smile:

I am attaching the dnscrypt-proxy configuration file here.

dnscrypt-proxy.txt (23.1 KB)

Yes, made dnscrypt-proxy listen on port 5053 as configured, further as per the service as well:

pi@raspberrypi:/opt/dnscrypt-proxy $ systemctl status dnscrypt-proxy
● dnscrypt-proxy.service - Encrypted/authenticated DNS proxy
   Loaded: loaded (/etc/systemd/system/dnscrypt-proxy.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2020-12-31 17:28:13 IST; 2s ago
 Main PID: 10387 (dnscrypt-proxy)
    Tasks: 8 (limit: 2062)
   CGroup: /system.slice/dnscrypt-proxy.service
           └─10387 /opt/dnscrypt-proxy/dnscrypt-proxy -config dnscrypt-proxy.toml

Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] dnscrypt-proxy 2.0.44
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Network connectivity detected
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Now listening to 127.0.0.1:5053 [UDP]
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Now listening to 127.0.0.1:5053 [TCP]
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [WARNING] Systemd sockets are untested and unsupport
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Wiring systemd TCP socket #0, dnscrypt-prox
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Wiring systemd UDP socket #1, dnscrypt-prox
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Source [relays] loaded
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Source [public-resolvers] loaded
Dec 31 17:28:13 raspberrypi dnscrypt-proxy[10387]: [2020-12-31 17:28:13] [NOTICE] Firefox workaround initialized

Further, I know dnscrypt-proxy is listening on 5053. Here's the ports when the service is stopped, and once the service is started:

pi@raspberrypi:/opt/dnscrypt-proxy $ sudo systemctl stop dnscrypt-proxy
Warning: Stopping dnscrypt-proxy.service, but it can still be activated by:
  dnscrypt-proxy.socket
pi@raspberrypi:/opt/dnscrypt-proxy $ netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471 \|:5053'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.2.1:53            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
udp        0      0 127.0.2.1:53            0.0.0.0:*                           -                   
pi@raspberrypi:/opt/dnscrypt-proxy $ sudo systemctl start dnscrypt-proxy
pi@raspberrypi:/opt/dnscrypt-proxy $ netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471 \|:5053'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5053          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.2.1:53            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.1:5053          0.0.0.0:*                           -                   
udp        0      0 127.0.2.1:53            0.0.0.0:*                           -

I did configure on the PiHole Admin > Settings > DNS as 127.0.0.1#5053, and I had saved it. This was working perfectly fine until I did the restart. I knew dnscrypt was also doing its job, because the queries were being encrypted, so I know that it was working fine, until I did the restart of the pi.

Second, despite stopping the dnscrypt-proxy service, I'm unable to start the pihole-FTL service.

pihole-FTL complains that something else is listening on 53, but as per the netstat output, it doesn't look like anything else is listening on 127.0.0.1 - 53. Does dnsmasq use 127.0.0.1:53? Or does it use some other IP on port 53?

According to your output, there is indeed something else listening on port 53:

It doesn't matter on which address this is listening, only the port is relevant. This process, whatever it may be, is the problematic one here. I was just assuming it could have been from the dnscrypt-proxy setup because this would have been easier to solve. Instead, you'll need to find out what this is. It was already listed here:

I haven't seen this before, but it may be systemd-resolved but this is more of a wild guess than anything else.

Try

sudo service systemd-resolved stop
pihole restartdns

Thank you,

here's a set of outputs that I just tried:

pi@raspberrypi:~ $ sudo lsof -i :53
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd       1 root   62u  IPv4  13167      0t0  TCP 127.0.2.1:domain (LISTEN)
systemd       1 root   63u  IPv4  13169      0t0  UDP 127.0.2.1:domain 
dnscrypt- 10477 root   10u  IPv4  13167      0t0  TCP 127.0.2.1:domain (LISTEN)
dnscrypt- 10477 root   11u  IPv4  13169      0t0  UDP 127.0.2.1:domain 
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ sudo systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
   Loaded: loaded (/lib/systemd/system/systemd-resolved.service; disabled; vendor preset: enabled)
  Drop-In: /usr/lib/systemd/system/systemd-resolved.service.d
           └─resolvconf.conf
   Active: inactive (dead)
     Docs: man:systemd-resolved.service(8)
           https://www.freedesktop.org/wiki/Software/systemd/resolved
           https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
           https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ sudo systemctl stop systemd-resolved

I just tried to restartdns but that didn't help

What should a correct output of sudo lsof -i :53 look like?

thank you
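A way to read the `lsof` output above, as an added example that is not part of any post in this thread: a socket listed under both PID 1 and a service shares one DEVICE number, which means systemd created it from a `.socket` unit and handed it to the service. The function names and the verdict labels are made up for illustration, and the sample input is the output posted above.

```shell
#!/bin/sh
# Added example: group `lsof -i` rows by socket (DEVICE column) and flag
# sockets that PID 1 holds, i.e. listeners created by a systemd .socket unit.

# Sample input: the `sudo lsof -i :53` output posted above.
sample_lsof() {
cat <<'EOF'
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd       1 root   62u  IPv4  13167      0t0  TCP 127.0.2.1:domain (LISTEN)
systemd       1 root   63u  IPv4  13169      0t0  UDP 127.0.2.1:domain
dnscrypt- 10477 root   10u  IPv4  13167      0t0  TCP 127.0.2.1:domain (LISTEN)
dnscrypt- 10477 root   11u  IPv4  13169      0t0  UDP 127.0.2.1:domain
EOF
}

# Reads lsof -i output on stdin and prints one line per distinct socket:
#   <proto> <address> <holder[pid],...> <socket-activated|process-owned>
classify_listeners() {
  awk 'NR > 1 {
         dev = $6                      # same DEVICE => same kernel socket
         proto[dev] = $8
         addr[dev] = $9
         holder = $1 "[" $2 "]"
         if (dev in holders) holders[dev] = holders[dev] "," holder
         else                holders[dev] = holder
         if ($2 == 1) pid1[dev] = 1    # held by systemd itself
       }
       END {
         for (dev in holders) {
           verdict = (dev in pid1) ? "socket-activated" : "process-owned"
           print proto[dev], addr[dev], holders[dev], verdict
         }
       }' | sort
}

sample_lsof | classify_listeners

# On a live host (not run here):
#   sudo lsof -nP -i :53 | classify_listeners
#   systemctl list-sockets --all    # shows which .socket unit owns each listener
```

A `socket-activated` row stays bound after the service is stopped, because PID 1 keeps the socket open until the `.socket` unit itself is stopped.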

Did you run the stop command on systemd-resolved?

doesn't necessarily mean it's offline/disabled.

Could you also search :53 in the log file of dnscrypt-proxy to ensure it is only taking the correct port? Because it shouldn't have shown up in your output above.

Without Pi-hole running? Empty.

thank you, yes, I did "stop" it towards the end, you may see the last command that I entered

No, I meant the correct output of sudo lsof -i :53 with pihole running

It depends on the addresses your Pi-hole has, my output looks like

$ sudo lsof -i :53
COMMAND      PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
pihole-FT 246259 pihole   10u  IPv4 1394683      0t0  UDP pi.hole:domain 
pihole-FT 246259 pihole   11u  IPv4 1394684      0t0  TCP pi.hole:domain (LISTEN)
pihole-FT 246259 pihole   12u  IPv4 1394685      0t0  UDP localhost:domain 
pihole-FT 246259 pihole   13u  IPv4 1394686      0t0  TCP localhost:domain (LISTEN)
pihole-FT 246259 pihole   14u  IPv6 1394687      0t0  UDP [fe80::34a:a7bb:aaaa:200f]:domain 
pihole-FT 246259 pihole   15u  IPv6 1394688      0t0  TCP [fe80::34a:a7bb:aaaa:200f]:domain (LISTEN)
pihole-FT 246259 pihole   16u  IPv6 1395713      0t0  UDP ip6-localhost:domain 
pihole-FT 246259 pihole   17u  IPv6 1395714      0t0  TCP ip6-localhost:domain (LISTEN)

Have a few:

dig @127.0.2.1 chaos txt version.bind

pstree -ap

systemctl status systemd-resolved

Search in below two after a reboot for DNS, 127.0.2.1 or port 53:

systemctl

journalctl

The slash / key allows one to enter search criteria with above ones.

EDIT: aha you already researched into if systemd-resolved was active/enabled.
Was a bit slow typing :wink:
It says below it's disabled:

Doesn't mean some other process won't be able to call on this one.
