Situation: dnsmasq is running on the host machine and listening on 192.168.122.1:53 (both TCP and UDP), but name resolution in the guest machine doesn't work. When the dig command shows "status: REFUSED" while querying 192.168.122.1 from inside the VM, like this:
```
# dig srv.myex.zone @192.168.122.1

; <<>> DiG 9.16.23-RH <<>> srv.myex.zone @192.168.122.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49818
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;srv.myex.zone. IN A

;; Query time: 0 msec
;; SERVER: 192.168.122.1#53(192.168.122.1)
;; WHEN: Wed Jun 11 10:27:42 CDT 2025
;; MSG SIZE rcvd: 42
```
we should check the /var/lib/libvirt/dnsmasq/default.conf config file. Most probably, it has the no-resolv directive in it:
```
##WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
##OVERWRITTEN AND LOST. Changes to this configuration should be made using:
## virsh net-edit default
## or other application using the libvirt API.
##
## dnsmasq conf file created by libvirt
strict-order
no-resolv
pid-file=/run/libvirt/network/default.pid
except-interface=lo
bind-dynamic
interface=virbr0
dhcp-range=192.168.122.2,192.168.122.254,255.255.255.0
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=253
dhcp-hostsfile=/var/lib/libvirt/dnsmasq/default.hostsfile
addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts
```
And if it is really there, that's the cause of our problem. With no-resolv enabled, dnsmasq does not read upstream servers from /etc/resolv.conf, and since the file has no server= lines either, it won't forward the query to any upstream DNS server. The result is a REFUSED response, because it has no answer of its own and is not allowed to query upstream. As the comments at the top of the file state, we can't just edit the file, because our changes will soon be lost (after a reboot, for example). The proper way to fix this is:
- virsh net-edit default
  add these lines inside the <network> tag:

  ```
  <dns>
    <forwarder addr='1.1.1.1'/>
    <forwarder addr='8.8.4.4'/>
  </dns>
  ```
- virsh net-destroy default
- virsh net-start default
After this, the file /var/lib/libvirt/dnsmasq/default.conf will contain the new lines
```
server=1.1.1.1
server=8.8.4.4
```
and no-resolv will not have any effect anymore.
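
A quick check for this condition, as an added example (not part of the original post or of libvirt): the hypothetical shell function `upstream_status` reads a dnsmasq config file and reports whether queries can be forwarded. It goes slightly beyond the case above by treating domain-scoped `server=/domain/addr` lines as not being a general upstream; the sample file it runs on is constructed.

```shell
#!/bin/sh
# Added example: classify how a dnsmasq config resolves names it cannot
# answer itself. Prints one of:
#   resolv.conf   no-resolv absent, upstreams come from /etc/resolv.conf
#   forwarders:N  N global server=ADDR lines are present
#   refused       no-resolv set and no global server= line (the REFUSED case)
upstream_status() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blanks
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") } # trim whitespace
        $0 == "no-resolv" { noresolv = 1; next }
        # server=/domain/addr only covers that one domain, so it is not a
        # general upstream; count only plain server=ADDR lines.
        $0 ~ "^server=[^/]" { global++ }
        END {
            if (global > 0)    print "forwarders:" global
            else if (noresolv) print "refused"
            else               print "resolv.conf"
        }
    ' "$conf"
}

# Constructed sample mirroring the generated file shown above.
sample=$(mktemp)
printf '%s\n' '## dnsmasq conf file created by libvirt' \
    strict-order no-resolv interface=virbr0 > "$sample"
upstream_status "$sample"      # refused

# Same file after the <dns><forwarder .../></dns> change has been applied.
printf '%s\n' server=1.1.1.1 server=8.8.4.4 >> "$sample"
upstream_status "$sample"      # forwarders:2
rm -f "$sample"
```

On the host, run it as `upstream_status /var/lib/libvirt/dnsmasq/default.conf` before and after the `virsh net-destroy` / `virsh net-start` cycle.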