Can dnsmasq be used as a local DNS server, and have dnsmasq forward queries to the local systemd-resolved service?

You didn't specify what version of Ubuntu you're using. The following is based on Ubuntu 24.04 Server.

If I understand what you want to do correctly, you want to setup Dnsmasq as your primary DNS resolver on the localhost and use systemd-resolved as it's forwarding server instead of any uplink servers. Thus, you want systemd-resolved to forward to any uplink servers but not cache any queries. You ultimately want caching to be left to Dnsmasq.

So, a few things need to be done:

1. Configure Dnsmasq:
   • Listen at 127.0.0.1 on port 53
   • Do not look at /etc/resolv.conf for any nameservers
   • Use systemd-resolved as its forwarding server, which in turn uses any uplink servers provided via DHCP.
2. Configure /etc/resolv.conf:
   • Define 127.0.0.1 as a nameserver. Although Dnsmasq will not be referencing this file, it is referenced by many applications when doing a DNS query. For example, dig and ping. So you want those applications to query Dnsmasq via 127.0.0.1.
3. Configure systemd-resolved:
   • Disable the Stub resolver at 127.0.0.53 on port 53
   • Listen at 127.0.0.1 on port 5353
   • Do not cache any queries

Assuming Dnsmasq is already installed, start by stopping both systemd-resolved and dnsmasq:

sudo systemctl stop systemd-resolved
sudo systemctl stop dnsmasq

1. Configure dnsmasq

• Edit /etc/default/dnsmasq and define the following:

  # If the resolvconf package is installed, dnsmasq will use its output
  # rather than the contents of /etc/resolv.conf to find upstream
  # nameservers. Uncommenting this line inhibits this behaviour.
  # Note that including a "resolv-file=<filename>" line in
  # /etc/dnsmasq.conf is not enough to override resolvconf if it is
  # installed: the line below must be uncommented.
  IGNORE_RESOLVCONF=yes
  
  # If the resolvconf package is installed, dnsmasq will tell resolvconf
  # to use dnsmasq under 127.0.0.1 as the system's default resolver.
  # Uncommenting this line inhibits this behaviour.
  DNSMASQ_EXCEPT="lo"
  
  

  Both of these need to be defined even though the resolvconf application is not installed by default on Ubuntu 24.04 Server. This is due to /sbin/resolvconf being a symlink to /bin/resolvectl. For more information, see the Note below.

• Edit /etc/dnsmasq.conf and define the following:

  # If you don't want dnsmasq to read /etc/resolv.conf or any other
  # file, getting its servers from this file instead (see below), then
  # uncomment this.
  no-resolv
  
  # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
  # files for changes and re-read them then uncomment this.
  no-poll
  
  # Add other name servers here, with domain specs if they are for
  # non-public domains.
  server=127.0.0.1#5353
  
  # Or which to listen on by address (remember to include 127.0.0.1 if
  # you use this.)
  listen-address=127.0.0.1
  
  # On systems which support it, dnsmasq binds the wildcard address,
  # even when it is listening on only some interfaces. It then discards
  # requests that it shouldn't reply to. This has the advantage of
  # working even when interfaces come and go and change address. If you
  # want dnsmasq to really bind only the interfaces it is listening on,
  # uncomment this option. About the only time you may need this is when
  # running another nameserver on the same machine.
  bind-interfaces
  

  bind-interfaces is defined so that the service does not listening on all addresses on all interfaces. This setup is for the service to only listen on the loopback interface and no external interfaces. Additionally, the service is only listening on 127.0.0.1:53 instead of 0.0.0.0:53.

  From the Dnsmasq manpage:

  -z, --bind-interfaces

  On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

• Start dnsmasq service and check it's status:

  $ sudo systemctl start dnsmasq
  $ systemctl status dnsmasq
  
  ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
       Loaded: loaded (/usr/lib/systemd/system/dnsmasq.service; enabled; preset: enabled)
       Active: active (running) since Thu 2024-11-07 04:12:28 UTC; 7min ago
      Process: 5741 ExecStartPre=/usr/share/dnsmasq/systemd-helper checkconfig (code=exited, status=0/SUCCESS)
      Process: 5746 ExecStart=/usr/share/dnsmasq/systemd-helper exec (code=exited, status=0/SUCCESS)
      Process: 5753 ExecStartPost=/usr/share/dnsmasq/systemd-helper start-resolvconf (code=exited, status=0/SUCCESS)
     Main PID: 5752 (dnsmasq)
        Tasks: 1 (limit: 9327)
       Memory: 740.0K (peak: 2.5M)
          CPU: 20ms
       CGroup: /system.slice/dnsmasq.service
               └─5752 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -I lo -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,>
  
  Nov 07 04:12:28 ubuntu24server systemd[1]: Starting dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server...
  Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: started, version 2.90 cachesize 150
  Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC loop-detect inotify dumpfi>
  Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: warning: ignoring resolv-file flag because no-resolv is set
  Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: using nameserver 127.0.0.1#5353
  Nov 07 04:12:28 ubuntu24server dnsmasq[5752]: read /etc/hosts - 8 names
  Nov 07 04:12:28 ubuntu24server systemd[1]: Started dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server.
  

• Check that it's listening on port 53 at 127.0.0.1:

  $ sudo netstat -tlpn
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5752/dnsmasq        
  tcp6       0      0 :::22                   :::*  
  

2. Create new /etc/resolv.conf

• Remove /etc/resolv.conf

  sudo rm /etc/resolv.conf
  

• Create a new /etc/resolv.conf with the Dnsmasq nameserver:

  echo "nameservers 127.0.0.1" | sudo tee /etc/resolv.conf
  

3. Configure systemd-resolved

• Edit /etc/systemd/resolved.conf and define the following:

  DNSStubListener=no
  DNSStubListenerExtra=127.0.0.1:5353
  Cache=no
  

  This disables the Stub listener for systemd-resolved at 127.0.0.53:53 and allows it to listen on address 127.0.0.1:5353.

  From the resolved.conf(5) man page:

  DNSStubListenerExtra=
     Takes an IPv4 or IPv6 address to listen on. The address may be optionally prefixed with a protocol name ("udp" or "tcp") separated with ":". If the protocol is not specified, the service
     will listen on both UDP and TCP. It may be also optionally suffixed by a numeric port number with separator ":". When an IPv6 address is specified with a port number, then the address
     must be in the square brackets. If the port is not specified, then the service uses port 53. Note that this is independent of the primary DNS stub configured with DNSStubListener=, and
     only configures additional sockets to listen on. This option can be specified multiple times. If an empty string is assigned, then the all previous assignments are cleared. Defaults to
     unset.
  

• Start systemd-resolved service and check it's status:

  $ sudo systemctl start systemd-resolved
  $ systemctl status systemd-resolved
  ● systemd-resolved.service - Network Name Resolution
       Loaded: loaded (/usr/lib/systemd/system/systemd-resolved.service; enabled; preset: enabled)
       Active: active (running) since Thu 2024-11-07 05:10:31 UTC; 22s ago
         Docs: man:systemd-resolved.service(8)
               man:org.freedesktop.resolve1(5)
               https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
               https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
     Main PID: 6093 (systemd-resolve)
       Status: "Processing requests..."
        Tasks: 1 (limit: 9327)
       Memory: 2.6M (peak: 3.0M)
          CPU: 33ms
       CGroup: /system.slice/systemd-resolved.service
               └─6093 /usr/lib/systemd/systemd-resolved
  
  Nov 07 05:10:31 ubuntu24server systemd[1]: Starting systemd-resolved.service - Network Name Resolution...
  Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: Positive Trust Anchors:
  Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: . IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
  Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: Negative trust anchors: home.arpa 10.in-addr.arpa 16.172.in-addr.arpa 17.172.in-addr.arpa 18.172.in-addr.arpa 19.172.in-addr.arpa 20.172.in-addr.arp>
  Nov 07 05:10:31 ubuntu24server systemd-resolved[6093]: Using system hostname 'ubuntu24server'.
  Nov 07 05:10:31 ubuntu24server systemd[1]: Started systemd-resolved.service - Network Name Resolution.
  

• Check that it's listening on port 5353 at 127.0.0.1:

  $ sudo netstat -tlpn
  Active Internet connections (only servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
  tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      5752/dnsmasq        
  tcp        0      0 127.0.0.1:5353          0.0.0.0:*               LISTEN      6093/systemd-resolv 
  tcp6       0      0 :::22                   :::*  
  

Testing

Run a query. If configured correctly, the query should resolve.

$ dig -4 google.com

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> -4 google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23611
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     266 IN  A   142.250.68.14

;; AUTHORITY SECTION:
google.com.     266 IN  NS  ns4.google.com.
google.com.     266 IN  NS  ns1.google.com.
google.com.     266 IN  NS  ns2.google.com.
google.com.     266 IN  NS  ns3.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.     266 IN  AAAA    2001:4860:4802:32::a
ns1.google.com.     266 IN  A   216.239.32.10
ns2.google.com.     266 IN  AAAA    2001:4860:4802:34::a
ns3.google.com.     266 IN  AAAA    2001:4860:4802:36::a
ns4.google.com.     266 IN  AAAA    2001:4860:4802:38::a
ns4.google.com.     266 IN  A   216.239.38.10
ns3.google.com.     266 IN  A   216.239.36.10
ns2.google.com.     266 IN  A   216.239.34.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 07 06:36:05 UTC 2024
;; MSG SIZE  rcvd: 303

To test that it's going through systemd-resolved you need to restart Dnsmasq to clear the cache and then stop systemd-resolved before re-running the query.

I emphasize this, because systemd-resolved will start whenever Dnsmasq is restarted. See Note below.

Therefore:

• Restart Dnsmasq to clear the cache

  • sudo systemctl restart dnsmasq

• Stop systemd-resolved

  • sudo systemctl stop systemd-resolved

• Check that systemd-resolved is not running

  • systemctl status systemd-resolved or ps -aux | grep systemd-resolved

• Re-run query. It should time out.

  $ dig -4 google.com
  ;; communications error to 127.0.0.1#53: timed out
  ;; communications error to 127.0.0.1#53: timed out
  ;; communications error to 127.0.0.1#53: timed out
  
  ; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> -4 google.com
  ;; global options: +cmd
  ;; no servers could be reached
  

Caching

The original question asked to disable caching within systemd-resolved and leave it exclusively to Dnsmasq. While this can be done, there might be a benefit to switching it around the other way. As @kos indicated in a comment, systemd-resolved is also queried via D-Bus, which would be able to take advantage of caching if it was enabled for systemd-resolved.

Therefore, it's very easy to configure this so that caching is enabled for systemd-resolved and caching is disabled for Dnsmasq.

• Edit /etc/dnsmasq.conf and define the following to disable cache for Dnsmasq:

  cache-size=0
  

  Per the Dnsmasq manpage:

   -c, --cache-size=<cachesize>
   Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance.
  

• Edit /etc/systemd/resolved.conf and comment out as follows to re-enable caching for systemd-resolved, which is the default setting:

   #Cache=no
  

Note

Whenever the Dnsmasq service is stopped and started, the service calls a helper script, /usr/share/dnsmasq/systemd-helper. This references another file, /usr/share/dnsmasq/init-system-common. Whenever Dnsmasq is stopped, /sbin/resolvconf is called with the following:

stop_resolvconf()
{
    if [ -x /sbin/resolvconf ] ; then
        /sbin/resolvconf -d lo.${NAME}${INSTANCE:+.${INSTANCE}}
    fi
    return 0
}

Notice that /sbin/resolvconf is called, and as I mentioned earlier, /sbin/resolvconf is a symlink to /bin/resolvctl.

$ ls -l /sbin/resolvconf
lrwxrwxrwx 1 root root 17 Aug  8 14:51 /sbin/resolvconf -> ../bin/resolvectl

Therefore, since resolvectl is a component of systemd-resolved, it will start systemd-resolved. More info can be found here.

I mention this, because when testing, you'll find that systemd-resolved will start automatically without you knowing it.

Interestingly, /sbin/resolvconf is also called when starting Dnsmasq service.

start_resolvconf()
{
# If interface "lo" is explicitly disabled in /etc/default/dnsmasq
# Then dnsmasq won't be providing local DNS, so don't add it to
# the resolvconf server set.
    for interface in ${DNSMASQ_EXCEPT}; do
        [ ${interface} = lo ] && return
    done

    # Also skip this if DNS functionality is disabled in /etc/dnsmasq.conf
    if grep -qs '^port=0' /etc/dnsmasq.conf; then
        return
    fi

    if [ -x /sbin/resolvconf ] ; then
        echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.${NAME}${INSTANCE:+.${INSTANCE}}
    fi
    return 0
}

But if you recall, we defined DNSMASQ_EXCEPT="lo" in /etc/default/dnsmasq. As such, /sbin/resolvconf isn't called when starting Dnsmasq but would be if this wasn't defined.

If you've ever seen the following error when looking at the output of systemctl status dnsmasq, this is because DNSMASQ_EXCEPT="lo" is not defined(commented out) and it's trying to register DNS settings associated with the loopback device, which it can't do.

Nov 07 05:40:23 ubuntu24server resolvconf[6445]: Dropped protocol specifier '.dnsmasq' from 'lo.dnsmasq'. Using 'lo' (ifindex=1).
Nov 07 05:40:23 ubuntu24server resolvconf[6445]: Failed to set DNS configuration: Link lo is loopback device.

This error can be seen by running the command directly:

$ echo "nameserver 127.0.0.1" | sudo /sbin/resolvconf -a lo
Failed to set DNS configuration: Link lo is loopback device.

Edit: A much more elaborate answer was given above Original answer below

Yep, it seemed to work.

I.e., I did this:

In /etc/systemd/resolved.conf.d/dnsmasqcompatibility.conf:

[Resolve]
DNSStubListener=no
DNSStubListenerExtra=127.0.0.1:5053

And in /etc/dnsmasq.conf:

server=127.0.0.1#5053

By typing this in a terminal host www.google.com 127.0.0.1, I got this:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

www.google.com has address .......
www.google.com has IPv6 address ......

And this was in /var/log/dnsmasq.log:

 query[A] www.google.com from 127.0.0.1
 forwarded www.google.com to 127.0.0.1#5053
 reply www.google.com is .....

(and so on)

I could also confirm that by stopping the systemd-resolved service, DNS lookups timed out.

I should probably also add no-resolv to /etc/dnsmasq.conf, to force all queries to be passed to port 5053, but I don't know if that would make any difference since it would be using the DNS servers known to systemd-resolved anyway, regardless if the IP addresses were taken from a file or from a second DNS server (via forwarded query).

Let systemd-resolved handle DHCP servers and use server=127.0.0.53 in Dnsmasq. Have /etc/resolv.conf pointed to 127.0.0.1 where Dnsmasq is listening. But you would hit issues of systemd-resolved, for example buggy DNSSec validation. You have been warned.