Struggling with pihole-FTL

Background.
Host is:
Linux namepi 4.19.66-v7+ #1253 SMP Thu Aug 15 11:49:46 BST 2019 armv7l GNU/Linux

Interfaces are:

dummy0: flags=195<UP,BROADCAST,RUNNING,NOARP>  mtu 1500
        inet 192.168.55.1  netmask 255.255.255.252  broadcast 192.168.55.3
        ether 6e:44:fa:3f:e1:ae  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8630  bytes 2167005 (2.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

dummy1: flags=195<UP,BROADCAST,RUNNING,NOARP>  mtu 1500
        inet 192.168.55.9  netmask 255.255.255.252  broadcast 192.168.55.11
        ether d2:03:f6:d2:9f:b5  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8629  bytes 2166628 (2.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.25.146  netmask 255.255.255.0  broadcast 172.25.25.255
        ether b8:27:eb:30:ff:62  txqueuelen 1000  (Ethernet)
        RX packets 284338  bytes 36022763 (34.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 269243  bytes 134584201 (128.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16536  bytes 1934380 (1.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16536  bytes 1934380 (1.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

unbound is configured on dummy1, NSD on dummy 2.

I have a working configuration for dnsmasq that answers on 127.0.0.1 and 172.25.25.146.

Attempting to start pihole-FTL rather than dnsmasq gets this error:

● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated; vendor preset: enabled)
   Active: inactive (dead) since Mon 2019-12-30 20:02:21 GMT; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4452 ExecStop=/etc/init.d/pihole-FTL stop (code=exited, status=0/SUCCESS)
  Process: 4289 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Dec 30 19:44:46 namepi systemd[1]: Starting LSB: pihole-FTL daemon...
Dec 30 19:44:46 namepi pihole-FTL[4289]: Not running
Dec 30 19:44:46 namepi su[4318]: Successful su for pihole by root
Dec 30 19:44:46 namepi su[4318]: + ??? root:pihole
Dec 30 19:44:46 namepi su[4318]: pam_unix(su:session): session opened for user pihole by (uid=0)
Dec 30 19:44:47 namepi pihole-FTL[4289]: dnsmasq: failed to create listening socket for port 53: Address already in use
Dec 30 19:44:47 namepi systemd[1]: Started LSB: pihole-FTL daemon.

no name resolution for the network or localhost, except by explicitly invoking one of the other nameservers.

With dnsmasq started and pihole-FTL stopped:

netadmin@namepi:/var/log $ sudo netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      616/lighttpd        
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4485/dnsmasq        
tcp        0      0 172.25.25.146:53        0.0.0.0:*               LISTEN      4485/dnsmasq        
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      826/unbound         
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      603/sshd            
tcp        0      0 127.0.0.1:8952          0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      826/unbound         
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      31052/systemd-resol 
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      541/vncserver-x11-c 
udp        0      0 0.0.0.0:35291           0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 127.0.0.1:53            0.0.0.0:*                           4485/dnsmasq        
udp        0      0 172.25.25.146:53        0.0.0.0:*                           4485/dnsmasq        
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol 
udp        0      0 192.168.55.9:53         0.0.0.0:*                           826/unbound         
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd             
udp        0      0 172.25.25.146:68        0.0.0.0:*                           181/systemd-network 
udp        0      0 0.0.0.0:68              0.0.0.0:*                           496/dhcpcd          
udp        0   1408 0.0.0.0:55450           0.0.0.0:*                           385/rsyslogd        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           31052/systemd-resol

My present theory is that pihole-FTL is not honoring the
bind-interfaces
listen-address=172.25.25.146
listen-address=127.0.0.1

So I tried removing the INTERFACE=eth0 from setupVars.conf, as dnsmasq seems to take that define as licence to bind all interfaces, but without changing matters.

Dec 30 20:51:47 namepi pihole-FTL[5779]: dnsmasq: failed to create listening socket for port 53: Address already in use

But

netadmin@namepi:/etc/pihole $ sudo netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      616/lighttpd        
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      826/unbound         
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      603/sshd            
tcp        0      0 127.0.0.1:8952          0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      826/unbound         
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      31052/systemd-resol 
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      541/vncserver-x11-c 
udp        0      0 0.0.0.0:35291           0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol 
udp        0      0 192.168.55.9:53         0.0.0.0:*                           826/unbound         
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd             
udp        0      0 172.25.25.146:68        0.0.0.0:*                           181/systemd-network 
udp        0      0 0.0.0.0:68              0.0.0.0:*                           496/dhcpcd          
udp        0   1408 0.0.0.0:55450           0.0.0.0:*                           385/rsyslogd        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           31052/systemd-resol

and of course no name resolution.

netadmin@namepi:/etc/pihole $ pihole -v
  Pi-hole version is v4.3.2 (Latest: ERROR)
  AdminLTE version is v4.3.2 (Latest: ERROR)
  FTL version is v4.3.1 (Latest: ERROR)

netadmin@namepi:/etc/pihole $

netadmin@namepi:/etc/pihole $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

Why does pihole-FTL/dnsmasq not behave as dnsmasq installed directly?

Is there some config option I'm missing to tell pihole-FTL to attempt to bind only the actual interface address and the loopback address, and not see conflicts with other nameservers on other interfaces on the same box...

I've read and digested "pihole_FTL wont start?" I think most of the questions asked there are answered above.

Help appreciated.

Harry

Pi-Hole (pihole-FTL specifically) contains dnsmasq embedded in the code, and this instance needs to be running on port 53. Your existing instance of dnsmasq is interfering on this port.

Stop and disable your existing dnsmasq process(es) and then start pihole-FTL with sudo service pihole-FTL start

I'm not trying to run dnsmasq and pihole-FTL concurrently. I realize that pihole-FTL is a derivative of dnsmasq. The info regarding dnsmasq is simply to demonstrate that dnsmasq can be configured to function as I require, but that config does not provide the management hooks that pihole-FTL should provide. The conflict for port 53 is because unbound and NSD are running on other (virtual) interfaces on the pi. Without the bind-interfaces directive dnsmasq also sees this conflict, but works correctly with that command present. Using the same config, pihole-FTL still conflicts. The second netstat above is taken with pihole-FTL running in the broken config. It shows no listener bound to 172.25.25.146:53. pihole-FTL mis-concludes that there is already a listener on that port, and refuses to bind it. I believe somewhere pihole-FTL is attempting to bind 0.0.0.0:53 (all :53 ports on all interfaces) and is getting a conflict on that bind attempt. Unmodified dnsmasq copes with that situation.

ps this is shiny new buster so the start and stop commands are
systemctl start pihole-FTL[.service]
systemctl stop pihole-FTL[.service]

Now I understand the problem - a bit slow was I on the first reading.

Where are you putting the bind-interfaces configuration line for pihole-FTL? In /etc/dnsmasq.d?

The sudo service stop/start/status commands work equally well in Buster. These commands are consistent with what we use in the documentation for FTL.

pi@Pi-3B:/etc/dnsmasq.d $ systemctl status pihole-FTL
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated)
   Active: active (exited) since Tue 2019-12-31 08:01:16 CST; 1min 47s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 19023 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Dec 31 08:01:15 Pi-3B systemd[1]: Starting LSB: pihole-FTL daemon...
Dec 31 08:01:15 Pi-3B pihole-FTL[19023]: Not running
Dec 31 08:01:16 Pi-3B su[19074]: (to pihole) root on none
Dec 31 08:01:16 Pi-3B su[19074]: pam_unix(su:session): session opened for user pihole by (uid=0)
Dec 31 08:01:16 Pi-3B pihole-FTL[19023]: FTL started!
Dec 31 08:01:16 Pi-3B su[19074]: pam_unix(su:session): session closed for user pihole
Dec 31 08:01:16 Pi-3B systemd[1]: Started LSB: pihole-FTL daemon.
pi@Pi-3B:/etc/dnsmasq.d $ sudo service pihole-FTL status
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated)
   Active: active (exited) since Tue 2019-12-31 08:01:16 CST; 2min 1s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 19023 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Dec 31 08:01:15 Pi-3B systemd[1]: Starting LSB: pihole-FTL daemon...
Dec 31 08:01:15 Pi-3B pihole-FTL[19023]: Not running
Dec 31 08:01:16 Pi-3B su[19074]: (to pihole) root on none
Dec 31 08:01:16 Pi-3B su[19074]: pam_unix(su:session): session opened for user pihole by (uid=0)
Dec 31 08:01:16 Pi-3B pihole-FTL[19023]: FTL started!
Dec 31 08:01:16 Pi-3B su[19074]: pam_unix(su:session): session closed for user pihole
Dec 31 08:01:16 Pi-3B systemd[1]: Started LSB: pihole-FTL daemon.
netadmin@namepi:/etc/dnsmasq.d $ ls
01-pihole.conf  02-pihole.conf  README
netadmin@namepi:/etc/dnsmasq.d $ 
netadmin@namepi:/etc/dnsmasq.d $ cat *.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPARATE CONFIG FILE           #
#                    WITHIN /etc/dnsmasq.d/yourname.conf                      #
###############################################################################

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log
local-ttl=2
log-async
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Dnsmasq config for Pi-hole's FTLDNS
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.

###############################################################################
#        This file contains additional directives for pihole-FTL              #
# to integrate with the unbound and NSD nameservers also active on this Pi    #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
###############################################################################

bind-interfaces
listen-address=172.25.25.146
listen-address=127.0.0.1
server=192.168.55.9
no-dhcp-interface=eth0
no-dhcp-interface=dummy0
no-dhcp-interface=dummy1

No bind-interfaces file explicitly; bind commands are in 02-pihole.conf.

I know the upstart compatibility commands still work, but presumably they will go away someday... (I loved upstart, not a great fan of systemd, but the world seems set on it)

edited by DL6ER: Added formatting for readability

Please forgive me when I'm asking the same questions again, that were already asked, but your question is (in simplified form):

Why does
sudo service dnsmasq start
work while
sudo service pihole-FTL start
doesn't?

If this is your question, then I have to say: Well, they should be identical. We ship dnsmasq v2.80 within pihole-FTL, what is the version of your locally installed dnsmasq?

No, it will read /etc/dnsmasq.conf and behave as instructed in there. Typically, this file contains the hint to read also everything in /etc/dnsmasq.d. You may want to check this. However, as dnsmasq and pihole-FTL should use the same config file (said /etc/dnsmasq.conf), they should behave exactly identically. setupVars.conf and others are not affecting anything here.

Checking what is installed...

netadmin@namepi:/etc/unbound/unbound.conf.d $ sudo apt list --installed | grep dnsmasq

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

dnsmasq/stable,now 2.76-5+rpt1+deb9u1 all [installed]
dnsmasq-base/stable,now 2.76-5+rpt1+deb9u1 armhf [installed,automatic]

and:

netadmin@namepi:/etc/unbound/unbound.conf.d $ sudo apt list --installed | grep pihole*

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

netadmin@namepi:/etc/unbound/unbound.conf.d $

I installed the dnsmasq package from the default raspbian repository.
Looks like your install script does not do all the install package dance.

However:

netadmin@namepi:/etc/unbound/unbound.conf.d $ pihole -v
  Pi-hole version is v4.3.2 (Latest: v4.3.2)
  AdminLTE version is v4.3.2 (Latest: v4.3.2)
  FTL version is v4.3.1 (Latest: v4.3.1)

netadmin@namepi:/etc/unbound/unbound.conf.d $

So that is a possible source of discrepancies.
Does that list tell you the version of dnsmasq embedded in pihole-FTL ?

Thanks for the help so far.

Harry

Installing dnsmasq will break things. pihole-FTL is all that is needed.

Yes, it is v2.80

Just to make sure:

sudo service dnsmasq stop
sudo service pihole-FTL restart

doesn't work?

Sorry I'm not good at formatting this :frowning:
this is from a debug script run from the admin interface:

*** [ DIAGNOSING ]: Ports in use
[192.168.55.1:53] is in use by pihole-FTL
127.0.0.1:8952 nsd (IPv4)
*:5900 vncserver- (IPv4)
[192.168.55.1:53] is in use by pihole-FTL
127.0.0.1:8952 nsd (IPv4)
[192.168.55.1:53] is in use by pihole-FTL
127.0.0.1:8952 nsd (IPv4)
*:22 sshd (IPv4)
[*:80] is in use by lighttpd
[172.25.25.146:53] is in use by pihole-FTL
[127.0.0.1:53] is in use by pihole-FTL
[192.168.55.9:53] is in use by pihole-FTL
127.0.0.1:8953 unbound (IPv4)
*:5355 systemd-re (IPv4)

This is with dnsmasq, not pihole-FTL, running, as every time I swap to pihole-FTL, nameservice breaks, and the network is using that pi for nameservice. I need to minimize the intrusion of testing.

Those ports at 192.168.55.x are in use by unbound and NSD. 172.25.25.146 and 127.0.0.1 are bound to dnsmasq, so could reasonably be reported as owned by pihole-FTL

Is there a package available for dnsmasq v2.80 that I can install and test, as this looks to me like differences in the behaviour of the different versions of dnsmasq ?

Harry

Your debug script output shows pihole-FTL which is correct. You should not use dnsmasq and only use pihole-FTL as it is more powerful but can do the same thing, otherwise.

I don't know. You could try compiling/installing dnsmasq from source but we should rather look at just getting pihole-FTL running for you. (I know for sure that there is no difference between dnsmasq v2.80 and the DNS server inside pihole-FTL because I wrote the majority of the code :wink: )

Another handy command to get the dnsmasq version is

dig chaos txt version.bind +short
"dnsmasq-pi-hole-2.80"

If you select a block of text and format as "preformatted text", it cleans up nicely.

Example:

systemctl start pihole-FTL[.service]
systemctl stop pihole-FTL[.service]

The script is wrong. pihole-FTL is not running. It has also mis-identified the nameservers that are actually running.

This is the port status with a functional nameservice, i.e. with dnsmasq running.
Note the interfaces and ports bound to NSD and unbound. This is the status when I ran that diagnostic, because it's the only one that gives a functional nameservice.

netadmin@namepi:/etc/unbound/unbound.conf.d $ sudo netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      616/lighttpd        
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      26553/unbound       
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6080/dnsmasq        
tcp        0      0 172.25.25.146:53        0.0.0.0:*               LISTEN      6080/dnsmasq        
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      603/sshd            
tcp        0      0 127.0.0.1:8952          0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      26553/unbound       
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      31052/systemd-resol 
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      541/vncserver-x11-c 
udp        0      0 0.0.0.0:35291           0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 192.168.55.9:53         0.0.0.0:*                           26553/unbound       
udp        0      0 127.0.0.1:53            0.0.0.0:*                           6080/dnsmasq        
udp        0      0 172.25.25.146:53        0.0.0.0:*                           6080/dnsmasq        
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol 
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd             
udp        0      0 172.25.25.146:68        0.0.0.0:*                           181/systemd-network 
udp        0      0 0.0.0.0:68              0.0.0.0:*                           496/dhcpcd          
udp        0   1408 0.0.0.0:55450           0.0.0.0:*                           385/rsyslogd        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           31052/systemd-resol

Then I stop dnsmasq, using your preferred command...


netadmin@namepi:/etc/unbound/unbound.conf.d $ sudo service dnsmasq stop

the port status after the command:

netadmin@namepi:/etc/unbound/unbound.conf.d $ sudo netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      616/lighttpd        
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      26553/unbound       
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      603/sshd            
tcp        0      0 127.0.0.1:8952          0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      26553/unbound       
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      31052/systemd-resol 
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      541/vncserver-x11-c 
udp        0      0 0.0.0.0:35291           0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 192.168.55.9:53         0.0.0.0:*                           26553/unbound       
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol 
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd             
udp        0      0 172.25.25.146:68        0.0.0.0:*                           181/systemd-network 
udp        0      0 0.0.0.0:68              0.0.0.0:*                           496/dhcpcd          
udp        0   1408 0.0.0.0:55450           0.0.0.0:*                           385/rsyslogd        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           31052/systemd-resol

note as expected the bindings to 172.25.25.146 and 127.0.0.1 disappear.

netadmin@namepi:/etc/unbound/unbound.conf.d $ sudo service pihole-FTL restart

netadmin@namepi:/var/log $ sudo service  pihole-FTL status
● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated; vendor preset: enabled)
   Active: active (exited) since Tue 2019-12-31 18:21:04 GMT; 9s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 29058 ExecStop=/etc/init.d/pihole-FTL stop (code=exited, status=0/SUCCESS)
  Process: 29700 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

Dec 31 18:21:03 namepi systemd[1]: Starting LSB: pihole-FTL daemon...
Dec 31 18:21:03 namepi pihole-FTL[29700]: Not running
Dec 31 18:21:04 namepi su[29729]: Successful su for pihole by root
Dec 31 18:21:04 namepi su[29729]: + ??? root:pihole
Dec 31 18:21:04 namepi su[29729]: pam_unix(su:session): session opened for user pihole by (uid=0)
Dec 31 18:21:04 namepi pihole-FTL[29700]: **dnsmasq: failed to create listening socket for port 53: Address already in use**
Dec 31 18:21:04 namepi systemd[1]: Started LSB: pihole-FTL daemon.

and the port status confirms this, no listeners on 172.25.25.146 or 127.0.0.1:

netadmin@namepi:/var/log $ sudo netstat -ltunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      616/lighttpd        
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      26553/unbound       
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      603/sshd            
tcp        0      0 127.0.0.1:8952          0.0.0.0:*               LISTEN      498/nsd             
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      26553/unbound       
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      31052/systemd-resol 
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      541/vncserver-x11-c 
udp        0      0 0.0.0.0:35291           0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 192.168.55.9:53         0.0.0.0:*                           26553/unbound       
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol 
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd             
udp        0      0 172.25.25.146:68        0.0.0.0:*                           181/systemd-network 
udp        0      0 0.0.0.0:68              0.0.0.0:*                           496/dhcpcd          
udp        0   1408 0.0.0.0:55450           0.0.0.0:*                           385/rsyslogd        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           344/avahi-daemon: r 
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           31052/systemd-resol 
netadmin@namepi:/var/log $

To restore nameservice I have to stop pihole-FTL and restart dnsmasq.

I suspect the issue is with dnsmasq v2.80 upstream, not your port. I don't believe it's honoring the "bind-interfaces" directive, or it has a bug in that area. Can you look at the code in dnsmasq v2.8? It's possible that that command has been deprecated since, to quote, "it only matters when running multiple DNS servers".

Harry

Why are you running dnsmasq and pihole-FTL?

I'm not. I'm running pihole-FTL or dnsmasq.
The problem is that in my configuration, with multiple nameservers on different addresses on the same box, pihole-FTL is terminally broken: it simply exits claiming that the DNS port is occupied, and provides no nameservice. I'm forced to use dnsmasq to provide a viable nameservice, since pihole-FTL is non-functional in an environment with more than one nameserver active.

Harry

If anyone suggests further ideas to test,

If the DNS port is occupied by another daemon then pihole-FTL will fail. There's no change in either dnsmasq or pihole-FTL that will fix that.

from the top:
I have three interfaces on this Pi, one physical and two virtual.
Each has its own ip address.
The two virtual interfaces have unbound and NSD running on them.
The default dnsmasq version from debian properly honors the

bind-interfaces
listen-address=172.25.25.146
listen-address=127.0.0.1

directives, so restricts itself to those interfaces, which are free.

pihole-FTL does not. In the exact circumstance that dnsmasq functions properly, pihole-FTL errors out and provides no nameservice. I suspect the difference in behavior is because the debian version of dnsmasq is at least one version behind that embedded in pihole-FTL.
As far as I can see pihole-FTL has a bug, presumably inherited from dnsmasq upstream.

-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

I've checked the release notes for version 2.80 and there is no mention of changes to that directive, which is still included in the current manual.
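
Added example, not part of the thread and not Pi-hole or dnsmasq code: a small checker that reads `netstat -ltunp` output and reports which existing listeners a wildcard bind on port 53 would collide with, compared with the two `listen-address` values from 02-pihole.conf. The function names are hypothetical, the sample lines are an excerpt of the output posted above, and the model assumes plain IPv4 `bind()` without SO_REUSEADDR/SO_REUSEPORT.

```python
import ipaddress
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port prog")

# Excerpt of the `netstat -ltunp` output posted in the thread
# (dnsmasq stopped, pihole-FTL failed to start).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      616/lighttpd
tcp        0      0 192.168.55.9:53         0.0.0.0:*               LISTEN      826/unbound
tcp        0      0 192.168.55.1:53         0.0.0.0:*               LISTEN      498/nsd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           31052/systemd-resol
udp        0      0 192.168.55.9:53         0.0.0.0:*                           826/unbound
udp        0      0 192.168.55.1:53         0.0.0.0:*                           498/nsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           344/avahi-daemon: r
"""


def parse_listeners(text):
    """Turn IPv4 rows of `netstat -ltunp` into Listener tuples."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header, blank line, or tcp6/udp6 row
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        rest = fields[5:]
        if rest and rest[0] == "LISTEN":  # udp rows have no State column
            rest = rest[1:]
        # "PID/Program name"; the name may contain spaces, or be "-" without root
        prog = " ".join(rest).partition("/")[2] or "?"
        listeners.append(Listener(fields[0], addr, int(port), prog))
    return listeners


def bind_conflicts(listeners, proto, addr, port=53):
    """Listeners that would make bind(addr, port) fail with EADDRINUSE.

    Two sockets of the same protocol and port collide when they use the
    same address, or when either one is the wildcard 0.0.0.0.
    """
    want = ipaddress.ip_address(addr)
    hits = []
    for l in listeners:
        if l.proto != proto or l.port != port:
            continue
        have = ipaddress.ip_address(l.addr)
        if want.is_unspecified or have.is_unspecified or want == have:
            hits.append(l)
    return hits


def check_plan(listeners, addrs, port=53):
    """Map (proto, addr) -> program names blocking that bind."""
    return {
        (proto, addr): [l.prog for l in bind_conflicts(listeners, proto, addr, port)]
        for addr in addrs
        for proto in ("tcp", "udp")
    }


if __name__ == "__main__":
    current = parse_listeners(SAMPLE)
    plans = {
        "wildcard bind": ["0.0.0.0"],
        "bind-interfaces + listen-address": ["172.25.25.146", "127.0.0.1"],
    }
    for label, addrs in plans.items():
        print(label)
        for (proto, addr), progs in check_plan(current, addrs).items():
            status = "blocked by " + ", ".join(progs) if progs else "free"
            print(f"  {proto} {addr}:53 -> {status}")
```
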