forward *.vm dns requests from local dnsmasq to libvirt's dnsmasq

1 vote
1 answer
25 views
I have a custom dnsmasq instance running locally as my main dns provider and I want to forward *.vm requests to libvirt's instance of dnsmasq, but there's something wrong with my local network configuration. This dig request used to work:
$ virsh list
 Id   Name          State
-----------------------------
 1    recovery.vm   running

$ dig @192.168.122.1 recovery.vm.
;; communications error to 192.168.122.1#53: timed out

; <<>> DiG 9.20.10 <<>> @192.168.122.1 recovery.vm.
; (1 server found)
;; global options: +cmd
;; no servers could be reached
I think it is strange that it says "no servers could be reached", instead of the usual "NXDOMAIN" response. I know for a fact dnsmasq is running...
$ sudo lsof -nP -iTCP -sTCP:LISTEN | grep dnsmasq
dnsmasq    1579       nobody   6u  IPv4  27785      0t0  TCP 192.168.122.1:53 (LISTEN)
dnsmasq   19342      dnsmasq   5u  IPv4 236233      0t0  TCP 127.0.0.1:53 (LISTEN)
dnsmasq   19342      dnsmasq   7u  IPv6 236235      0t0  TCP [::1]:53 (LISTEN)
So libvirt's dnsmasq is definitely running with pid=1579, but for some reason, dig cannot reach it... I am not sure what could be happening here.
$ sudo nft list ruleset
table ip libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		counter packets 178240 bytes 171747714 jump guest_cross
		counter packets 178240 bytes 171747714 jump guest_input
		counter packets 65829 bytes 3589986 jump guest_output
	}

	chain guest_output {
		ip saddr 192.168.122.0/24 iif "virbr0" counter packets 0 bytes 0 accept
		iif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_input {
		oif "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept
		oif "virbr0" counter packets 0 bytes 0 reject
	}

	chain guest_cross {
		iif "virbr0" oif "virbr0" counter packets 0 bytes 0 accept
	}

	chain guest_nat {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.168.122.0/24 ip daddr 224.0.0.0/24 counter packets 0 bytes 0 return
		ip saddr 192.168.122.0/24 ip daddr 255.255.255.255 counter packets 0 bytes 0 return
		meta l4proto tcp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		meta l4proto udp ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade to :1024-65535
		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter packets 0 bytes 0 masquerade
	}
}
table ip6 libvirt_network {
	chain forward {
		type filter hook forward priority filter; policy accept;
		counter packets 0 bytes 0 jump guest_cross
		counter packets 0 bytes 0 jump guest_input
		counter packets 0 bytes 0 jump guest_output
	}

	chain guest_output {
	}

	chain guest_input {
	}

	chain guest_cross {
	}

	chain guest_nat {
		type nat hook postrouting priority srcnat; policy accept;
	}
}

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Looking for suggestions on how to fix it or further investigate, please. Thank you.
Asked by thiago (133 rep)
Jun 30, 2025, 10:57 AM
Last activity: Jul 4, 2025, 11:57 AM
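An added diagnostic for the symptom in the question, not code from the question or from the dnsmasq/libvirt projects: it sends the same query dig sent (recovery.vm. to 192.168.122.1, both taken from the post) once over UDP and once over TCP, and classifies each outcome. The point is that "no servers could be reached" is a transport-level timeout, whereas NXDOMAIN is a real answer from the server, so the two must be told apart before looking at forwarding. The transaction id is a constructed constant; the server and name are command-line arguments with the question's values as defaults.

```python
import socket
import struct

# Transaction id used for every probe; a constructed value, any 16-bit number works.
TXID = 0x1234

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=TXID):
    """Encode a single-question DNS query (class IN, RD bit set) as wire bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, txid=TXID):
    """Decode the 12-byte DNS header: is it a reply to our txid, and with what rcode?"""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rx_txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "txid_ok": rx_txid == txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "answers": an,
    }


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes" % n)
        buf += chunk
    return buf


def probe(server, name, transport="udp", timeout=2.0):
    """Send one query and classify the outcome: 'timeout', 'refused', or an rcode name.

    A timeout means no DNS packet came back at all (dig's "no servers could be
    reached"); any rcode, even NXDOMAIN, proves the server was reached.
    """
    query = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:  # e.g. an ICMP unreachable surfaced on the UDP socket
        return "error:%s" % exc.__class__.__name__
    reply = parse_response(data)
    if not (reply["txid_ok"] and reply["is_response"]):
        return "bogus"
    return reply["rcode"]


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.122.1"
    qname = sys.argv[2] if len(sys.argv) > 2 else "recovery.vm."
    for transport in ("udp", "tcp"):
        print("%s %-4s -> %s" % (server, transport, probe(server, qname, transport)))
```

Reading the result: dig uses UDP unless given +tcp, while the lsof command in the question (`-iTCP -sTCP:LISTEN`) lists only TCP sockets, so it does not prove a UDP listener on 192.168.122.1:53 exists; `ss -ulnp` shows the UDP side. If the UDP probe times out but the TCP probe returns NXDOMAIN or NOERROR, the server is up and only the UDP path is blocked or unbound; if both time out while TCP connect succeeds, the daemon accepts the connection but never answers. Once 192.168.122.1 answers, the forwarding in the title is a single line in the host dnsmasq configuration, `server=/vm/192.168.122.1`, which sends every name under .vm to libvirt's instance and nothing else.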