Setting Up DNS - kxr/ocp4_setup_upi_kvm GitHub Wiki

In order for the script to bring up an OpenShift cluster, it expects the DNS on the host to be managed via dnsmasq. Even though the requirement is very simple, it can get complicated for various reasons, such as:

  • dnsmasq can conflict with libvirtd's internal dnsmasq.
  • There are multiple ways to set up dnsmasq, e.g., you can use NetworkManager's built-in dnsmasq or set up a separate dnsmasq service.
  • On modern Linux distributions, DNS/resolv.conf on the host is controlled by systemd-resolved.

I will provide some explanation and recommendations on how to set up dnsmasq correctly in different scenarios.

Setup dnsmasq

You can either use NetworkManager's built-in dnsmasq or set up a separate dnsmasq service on the host. Pick either one:

  1. NetworkManager's built-in dnsmasq:

    If the network on the host is managed by NetworkManager, using NetworkManager's built-in dnsmasq is the easiest option. If you are not using NetworkManager or want to have a separate dnsmasq, feel free to skip this and see the next option.

    • Make sure NetworkManager is active and managing the interfaces on the host. You can see the interfaces managed by NetworkManager by running nmcli con show:

      # nmcli con show
      NAME         UUID                                  TYPE      DEVICE      
      eno1         97fd1651-dc94-33d7-a94c-f4c9f7ef3f2a  ethernet  eno1        
      eno2         97931ba2-7fff-3a57-99d9-68dea204e28f  ethernet  --          
      eno3         6aceeb7b-e8dd-3f94-bbb7-8ccdbc871613  ethernet  --          
      eno4         251ee987-436c-3ab0-a907-66861f9dc575  ethernet  --    
    • Enable NetworkManager's dnsmasq:

      echo -e "[main]\ndns=dnsmasq" > /etc/NetworkManager/conf.d/nm-dns.conf
      systemctl restart NetworkManager
    • You should now see a NetworkManager generated /etc/resolv.conf with the first nameserver pointing to

      # Generated by NetworkManager
      options edns0 trust-ad
    • If you don't see this and instead find a systemd-resolved generated resolv.conf with nameserver pointing to, don't worry and see the section about systemd-resolved below.

  2. Separate dnsmasq service:

    If, for whatever reason, you don't want to use NetworkManager's dnsmasq, you can always set up a separate dnsmasq service.

    • dnsmasq is packaged for all the common Linux distributions, so it is easy to install.

      For Red Hat based distributions like RHEL or Fedora you can install dnsmasq using yum:

      yum -y install dnsmasq

      For Ubuntu/Debian based distributions you can install dnsmasq using apt-get:

      apt-get -y install dnsmasq
    • To avoid any conflicts, limit dnsmasq to only bind/listen on localhost/ interface. You can do this by:

      echo "interface=lo" > /etc/dnsmasq.d/int-lo.conf
    • Start and enable the dnsmasq service:

      systemctl start dnsmasq
      systemctl enable dnsmasq
    • This is it. You can now add nameserver in your /etc/resolv.conf (keep it above any other nameserver line). However, if your /etc/resolv.conf is generated by systemd-resolved and the nameserver is pointing to, see the systemd-resolved section below.


Modern Linux distributions use systemd-resolved by default and if this is the case, it is important to make systemd-resolved aware of our dnsmasq. When systemd-resolved is active on a host, you will see that /etc/resolv.conf is symlinked to /run/systemd/resolve/stub-resolv.conf with the following content:

# This file is managed by man:systemd-resolved(8). Do not edit.
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

options edns0

You should not edit this file manually, as it will be overwritten by systemd-resolved. You simply need to make systemd-resolved aware of your dnsmasq.

  1. If you are using NetworkManager's dnsmasq:

    • Append the following lines in /etc/systemd/resolved.conf:

    • Restart systemd-resolved:

      systemctl restart systemd-resolved
  2. If you are using a separate dnsmasq:

    • Append the following lines in /etc/systemd/resolved.conf:

    • Tell dnsmasq to use /run/systemd/resolve/resolv.conf instead of the default /etc/resolv.conf (to avoid a circular loop):

      echo "resolv-file=/run/systemd/resolve/resolv.conf" > /etc/dnsmasq.d/resolved.conf
    • Restart dnsmasq and systemd-resolved:

      systemctl restart dnsmasq
      systemctl restart systemd-resolved
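
The circular-loop condition mentioned above can be checked before restarting the services. The following script is an added example, not part of the original wiki or of the ocp4_setup_upi_kvm script; the function names and sample addresses are constructed, and it assumes the /etc/dnsmasq.d drop-in directory is loaded through conf-dir, as distribution packages usually configure it.

```shell
#!/bin/sh
# Added example, not from the wiki: flag a dnsmasq upstream list that never
# leaves the host. Paths are arguments so it can run against copies.

# Print the file(s) dnsmasq reads upstream servers from: each resolv-file=
# value in the main config and drop-in directory, else the dnsmasq default.
dnsmasq_resolv_files() {
    conf=${1:-/etc/dnsmasq.conf}; dropin=${2:-/etc/dnsmasq.d}
    found=$(cat "$conf" "$dropin"/* 2>/dev/null |
        sed -n 's/^[[:space:]]*resolv-file[[:space:]]*=[[:space:]]*//p')
    printf '%s\n' "${found:-/etc/resolv.conf}"
}

# Count nameserver entries outside 127.0.0.0/8 and ::1 in a resolv.conf-style file.
external_nameservers() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { n++ }
         END { print n + 0 }' "$1"
}

# Return 0 if every upstream file names an off-host server, else 1.
# Simplification: paths containing whitespace are not supported.
check_dnsmasq_upstreams() {
    rc=0
    for f in $(dnsmasq_resolv_files "$1" "$2"); do
        if [ "$(external_nameservers "$f")" -eq 0 ]; then
            echo "loop risk: $f lists no non-loopback nameserver" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (addresses are illustrative).
demo=$(mktemp -d)
mkdir "$demo/dnsmasq.d"
: > "$demo/dnsmasq.conf"
printf 'nameserver 127.0.0.53\noptions edns0\n' > "$demo/stub-resolv.conf"
printf 'nameserver 192.0.2.53\n' > "$demo/uplink-resolv.conf"

echo "resolv-file=$demo/stub-resolv.conf" > "$demo/dnsmasq.d/resolved.conf"
check_dnsmasq_upstreams "$demo/dnsmasq.conf" "$demo/dnsmasq.d" || echo "stub file: loop"

echo "resolv-file=$demo/uplink-resolv.conf" > "$demo/dnsmasq.d/resolved.conf"
check_dnsmasq_upstreams "$demo/dnsmasq.conf" "$demo/dnsmasq.d" && echo "uplink file: ok"
rm -rf "$demo"
```

On a real host, calling `check_dnsmasq_upstreams` with no arguments inspects /etc/dnsmasq.conf and /etc/dnsmasq.d.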

If for some reason systemd-resolved is giving you trouble, you can always disable it:

  • Stop and disable systemd-resolved service:

    systemctl stop systemd-resolved
    systemctl disable systemd-resolved
  • Remove the /etc/resolv.conf symlink:

    rm /etc/resolv.conf
  • Restart the networking service on the host so that /etc/resolv.conf gets generated. For example, if you are using NetworkManager:

    systemctl restart NetworkManager