Description of problem: libvirt's dnsmasq instance is automatically configured to manage a domain chosen in the network configuration. It is not, however, configured to avoid forwarding unsatisfied requests to that domain externally. That may cause DNS loops in some particular use cases, among which is one I'll describe next. I'm using NetworkManager, that also sets up it's dnsmasq instance to locally proxy requests to external resolvers. I want libvirt's virtual machines to be accessible by their hostnames from my host system, under the same domain I configured libvirt to serve. To achieve that, I set up the proxy dnsmasq (call it DNS-P) to relay requests to libvirt's dnsmasq (DNS-L) with the following configuration: server=/virt.danielqm.lan/192.168.122.1 libvirt's network is configured as: <network> <name>default</name> <uuid>418506a2-5a6f-410a-a522-ca1bb83ede9c</uuid> <forward mode='nat'/> <bridge name='virbr0' stp='on' delay='0'/> <mac address='52:54:00:a2:53:a9'/> <domain name='virt.danielqm.lan'/> <ip address='192.168.122.1' netmask='255.255.255.0'> <dhcp> <range start='192.168.122.2' end='192.168.122.254'/> </dhcp> </ip> </network> Everything works correctly when requesting valid domains: DNS-P happily forwards the request to DNS-L and gets an answer. Trouble appears when an unknown domain is requested. DNS-P will forward to DNS-L, which will not have an answer, then try to forward to the system resolver, which is DNS-L. That will cause an infinite loop that will exhaust the maximum allowed simultaneous queries of both servers. Observing the dnsmasq configuration generated by libvirt, I notice it does not mark the served domain as local, which would stop any requests to it from being forwarded. Adding the following to the generated configuration would be sufficient to fix the issue as far as I could test it: local=/virt.danielqm.lan/ In addition to the already existing line with: domain=/virt.danielqm.lan/ Version-Release number of selected component (if applicable): libvirt 1.2.18.2-2.fc23 How reproducible: Always Steps to Reproduce: 1. Set up NM's resolver to forward to libvirt's 2. Make a query to an invalid hostname in libvirt's domain Actual results: The two dnsmasq instances DoS each other. Expected results: Loops are avoided and libvirt's DNS responds immediately with not-found for invalid queries of it's configured domain.
This problem was encountered and solved quite awhile back. To eliminate the loop, modify this line in your libvirt network config: <domain name='virt.danielqm.lan'/> to this: <domain name='virt.danielqm.lan' localOnly='yes'/> (use "virsh edit default" to make the change, then when you're done, run "virsh net-destroy default && virsh net-start default". You will need to shutdown and re-start any guest that was using the network at the time.) This changes the dnsmasq setup in exactly the manner you describe. Note that this cannot be done by default due to libvirt's policy of maintaining default behavior of existing functionality in new releases (so as not to break functioning setups), and also because it's probably more likely that the original behavior is what's desired. See: http://www.libvirt.org/formatnetwork.html for more configuration options for libvirt networks.
I looked around the documentation quite a lot and managed to miss it. Sorry for the bogus report, and thanks for the quick response.