Browser - not working alongside dnsmasq

@rainemak so it seems that the fix to get dnsmasq working is to just get the /etc/resolv.conf accessible by it? I’m thinking how this could be handled. I understand that just modifying the rpm package won’t help but maybe?

1 Like

Today I tried to install dnsmasq on Xperia 10 / SFOS 4.4.0.72 and result still was that Browser had no more network access. Unfortunately also the Mobile Access Point was broken, so on a laptop that was connected, browser also did not work any more.

Only uninstalling dnsmasq brought browser and tethering back; will check again tomorrow and report more details.

I tried this on a Xperia 10 / SFOS 4.4.0.72, that I just use as Internet access point for the house (W)LAN, but the problem still persists. With installed ‘dnsmasq’, Browser doesn’t work on the phone and also not on the laptop connected to the Mobile Access Point!

I tried a lot of things in the last two days but couldn’t find any way to make it work.

Is there any solution meanwhile? I really would like to have some services that dnsmasq provides on my ‘gateway’ phone, but ironically dnsmasq breaks just the Mobile Access Point, while ‘the rest’ of the phone still works fine.

What can I try next to solve the problem? Does anyone know?

Found the solution by learning about dnsmasq and experimenting:

in /etc/dnsmasq.conf
uncomment the following line (line 124):
#bind-interfaces

AND
from line 111, following the example there, I added:
listen-address=127.0.0.1
listen-address=192.168.0.1

(192.168.0.1 according to my Tethering address range defined in /etc/connman/main.conf)

Have now tested, and Browser works fine now on the phone as well as on the laptop.

2 Likes

Another way to work around this may be the tricks laid out in the Arch wiki here:

https://wiki.archlinux.org/title/ConnMan#Avoiding_conflicts_with_local_DNS_server
https://wiki.archlinux.org/title/ConnMan#/etc/resolv.conf

2 Likes

Browser now works fine but I read about dnsmasq’s ability to block unwanted domains from routing, so I added for experiment e.g.

address=/g**gle.com/127.0.0.1

and tried also

address=/g**gle.com/

and

local=/g**gle.com/

but it didn’t block if I call this address with browser, website is still displayed.

Does ‘connman’ provide a DNS in parallel, that is doing the DNS query in parallel to dnsmasq even though the address (URL) is blocked there?
How can I disable DNS resolution in connman, to only use dnsmasq for this and not override the blacklist?

edit: Browser is noticeably faster now and on some websites some (unwanted) elements are no longer displayed. But if calling a ‘blacklisted’ website directly, it will be displayed anyway. What can be the reason?

The address formulation seems odd to me, especially the / before g**gle.

Just as a guess:
If you add https://www. or just www. ?

No, I don’t think so. I followed exactly the syntax descriptions in the comment lines of /etc/dnsmasq.conf and a check didn’t report any error:

[root@gateway defaultuser]# dnsmasq --test
dnsmasq: syntax check OK.
[root@gateway defaultuser]# 

(‘gateway’ is the host name of my Xperia 10 that I use as Internet access point for the home network)

The comments say that the server names (URLs) include all subdomains.

In fact, webpages now load faster and Sailfish Browser no longer crashed from overload after this modification, but the ‘blocked’ URLs are still visible if typed directly into the address line of Browser on the SF phone and also on the laptop connected to the Mobile Access Point. I would expect an ‘unknown address’ report or the opening of a ‘startpage’ query (startpage is the standard search engine of Sailfish Browser and also Firefox on the laptop).

Yes, connman provides a DNS proxy listening on port 53 on the local address.
If you run connmanctl services, you get a list of connection services like:

*A0  SSID1        wifi_XXXXXX_managed_psk
*A  SSID2         wifi_YYYYYY_managed_psk

and if you run connmanctl services wifi_XXXXXX_managed_psk, you get:

/net/connman/service/wifi_XXXXX_managed_psk
Type = wifi
Security = [ psk, wps ]
State = online
Strength = 60
Favorite = True
Immutable = False
AutoConnect = True
Name = SSID1
BSSID = xxxxxxxxxxx
MaxRate = 54000000
Frequency = 5180
EncryptionMode = aes
Ethernet = [ Method=auto, Interface=wlan0, Address=xxxxxxxxxxxx, MTU=1500 ]
Hidden = False
EAP =
Phase2 =
CACert =
CACertFile =
DomainSuffixMatch =
ClientCert =
ClientCertFile =
PrivateKey =
PrivateKeyFile =
PrivateKeyPassphrase =
AnonymousIdentity =
IPv4 = [ Method=dhcp, Address=192.168.1.10, Netmask=255.255.255.0, Gateway=192.168.1.1 ]
IPv4.Configuration = [ Method=dhcp ]
IPv6 = [ ]
IPv6.Configuration = [ Method=auto, Privacy=disabled ]
Nameservers = [ 192.168.1.1 ]
Nameservers.Configuration = [ ]
Timeservers = [ 0.sailfishos.pool.ntp.org, 1.sailfishos.pool.ntp.org, 2.sailfishos.pool.ntp.org, 3.sailfishos.pool.ntp.org ]
Timeservers.Configuration = [ ]
Domains = [ home ]
Domains.Configuration = [ ]
Proxy = [ Method=direct ]
Proxy.Configuration = [ ]
Provider = [ ]
Available = True
Saved = True
Access =
DefaultAccess = sailfish:1;ClearProperty(*)|Connect()|Disconnect()|Remove()|ResetCounters()=deny;group(privileged)=allow

You can change dns (as root) with:

connmanctl config wifi_XXXXXX_managed_psk --nameservers <dns>

2 Likes

Yes:

[root@xperia ~]# netstat -anup | grep 53
udp        0      0 127.0.0.1:53   0.0.0.0:*  4418/connmand

Just add ‘-r’ to connmand’s command line:

[root@xperia connman]# connmand --help
...
-r, --nodnsproxy            Don't enable DNS Proxy

Whether that’s a good idea is an entirely different topic. In walled gardens that block DNS queries to outside servers, only connman will know the working server’s IP.

2 Likes

In what file shall I add (or uncomment) this line?
edit: Is it /etc/connman/main.conf? There are also other config files like firewall.conf, connman-vpn.conf and vpn-dbus-access.conf. What file is the right one?

Walled garden… yes, a little, to have my peace from unwanted data traffic to and from some unwanted tracking + advertising servers and so on. This makes browser slow, maybe leads sometimes or often to the Sailfish Browsers OOM problem, and last but not least, privacy…

systemctl status connman shows you the location of its service configuration. On my Jolla it’s /usr/lib/systemd/system/connman.service.

The line starting with ExecStart contains the command used to start connmand and there are two environment variables at the end that might hold additional parameters. There are two lines defining possible locations:

EnvironmentFile=-/etc/sysconfig/connman
EnvironmentFile=-/var/lib/environment/connman/*.conf

So you can e.g. define SYSCONF_ARGS=-r in /etc/sysconfig/connman or in a file like /var/lib/environment/connman/no_dns_proxy.conf. Or you edit the unit file itself, but that won’t survive an update.

I’m doing something similar but use a DNS server hosted at home. A small service on my phone waits on the system bus for connection changes and reconfigures connman to use my DNS server instead of the default provided by an operator. You just have to be aware that this will break connectivity in some networks that want to avoid DNS tunneling.

1 Like

The file
sftp://defaultuser@gateway/usr/lib/systemd/system/connman.service.d/01-prevent-start.conf
looks suitable, shall I try to insert a line

-r, --nodnsproxy            Don't enable DNS Proxy

there? And can this break the VPN? If this is a risk then I should better deny myself this experiment…

Let’s briefly run through a full sequence of commands, all executed as user root. The output is often truncated.

# netstat -nplu | grep 53
udp   0 0 127.0.0.1:53  0.0.0.0:*     1234/connmand 

i.e. connman is listening on the DNS port.

# zypper in dnsmasq
# systemctl restart dnsmasq
# systemctl status dnsmasq
...
dnsmasq[32559]: failed to create listening socket for port 53: Address already in use
...

dnsmasq didn’t start since connmand already claimed port 53.

# echo "SYSCONF_ARGS=-r" > /var/lib/environment/connman/no_dns_proxy.conf
# systemctl restart connman
# netstat -nplu | grep 53

No listening server any more on port 53 …

# systemctl restart dnsmasq
# systemctl status dnsmasq
...
 Active: active (running)
...

Now dnsmasq is up and running.

To revert the whole transaction, stop and disable dnsmasq, remove /var/lib/environment/connman/no_dns_proxy.conf, and restart connman.

That’s hard to answer from here. DNS and VPN is always a pain. If everything is routed through the VPN and the parent DNS is reachable, you should be fine. For cases with multiple company networks with their own DNS servers responsible for different domains and connected via different VPNs I’ve even extended my dnsmock.

With developer mode enabled the changes are easily rolled back though.

1 Like
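The port 53 ownership check walked through above, together with the bind-interfaces / listen-address fix from earlier in the thread, as an added shell example that is not part of any post. The function names and the sample netstat lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): decide which daemon answers DNS,
# so a dnsmasq blocklist is not silently bypassed by connmand's DNS proxy.

# Print the program name of every UDP listener whose local port is exactly
# 53. Reads `netstat -nplu` output on stdin. Unlike `grep 53`, this ignores
# port 5353 and PIDs that merely contain "53".
port53_owner() {
    awk '$1 ~ /^udp/ && $4 ~ /:53$/ { n = split($NF, p, "/"); print p[n] }' |
        sort -u
}

# Turn the listener list into a one-line verdict.
dns_verdict() {
    owners=$(port53_owner)
    case "$owners" in
        "")         echo "down: nothing listens on port 53" ;;
        dnsmasq)    echo "ok: dnsmasq answers on port 53" ;;
        *connmand*) echo "bypass: connmand DNS proxy holds port 53" ;;
        *)          echo "unknown: $owners" ;;
    esac
}

# Succeed only if the given dnsmasq config has bind-interfaces uncommented
# and a listen-address line for 127.0.0.1.
conf_binds_loopback() {
    grep -Eq '^[[:space:]]*bind-interfaces[[:space:]]*$' "$1" &&
        grep -Eq '^[[:space:]]*listen-address=(.*,)?127\.0\.0\.1(,|[[:space:]]|$)' "$1"
}

# Constructed sample input, shaped like the netstat output in the thread.
SAMPLE_CONNMAN='udp   0 0 127.0.0.1:53    0.0.0.0:*   1234/connmand
udp   0 0 0.0.0.0:5353    0.0.0.0:*   5310/avahi-daemon'
SAMPLE_DNSMASQ='udp   0 0 127.0.0.1:53    0.0.0.0:*   32559/dnsmasq
udp   0 0 192.168.0.1:53  0.0.0.0:*   32559/dnsmasq
udp   0 0 0.0.0.0:5353    0.0.0.0:*   5310/avahi-daemon'

printf '%s\n' "$SAMPLE_CONNMAN" | dns_verdict
printf '%s\n' "$SAMPLE_DNSMASQ" | dns_verdict
# On a device, as root: netstat -nplu | dns_verdict
```

A "bypass" verdict means local lookups are still answered by connmand, so address= rules in /etc/dnsmasq.conf never see them.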

Two ways:

systemctl edit --full connman.service (as root)
and edit the ExecStart line

This will create a systemd service override in /etc/systemd/system/connman.service.

Or:

mkdir -p /var/lib/environment/connman/
echo 'CONNMAN_ARGS="$CONNMAN_ARGS --nodnsproxy"' > /var/lib/environment/connman/no-dns.conf

Not tested either variant, but reading the .service file that is how that should work.

1 Like

Thank you @nephros ! Network is back again and it works now fine!

I checked if there are entries in /etc/resolv.conf and there were 3 ‘nameserver x.x.x.x’ entries.

Then I added the ‘-r’ using the systemctl edit --full connman.service command and executed a
systemctl restart connman and a
systemctl restart dnsmasq

Now everything works as expected, some content in various websites is no longer displayed, which shows me that some outgoing requests are successfully blocked. The rest is much faster now.

Thank you so much @nephros , @martinh and @phklrz !

edit: Now I checked /etc/systemd/system/connman.service again and there was no -r visible. So I inserted it manually by vi editor to be sure that the effect of the command systemctl edit --full connman.service will really remain permanently. Then I had to restart ‘connman’ by systemctl restart connman and turn ‘Mobile access point’ on again. I hope the change will now remain permanently.

1 Like

Where can I find the DNS addresses, that connman originally uses? I searched for hours and can’t find it any more.

Connman creates a symlink /etc/resolv.conf instead of a text file, which points to connman’s resolv.conf files.

This is what I want to know, what connman resolv.conf file it is, where the DNS server addresses are. In a lot of connman conf files I found, I couldn’t find any DNS server address. But some time ago I saw somewhere that this entry exists, but have no idea where this was.

This thread is more appropriate.
It looks interesting, and like dnsmasq is taking control over DNS from DHCP. Stop dnsmasq and then restart connman; you should then see the DNS servers from the router.

1 Like