Troubleshooting dnsmasq Service Not Loading DNS Servers from /etc/resolv.conf After Reboot

Verify the resolver file source, service startup order, and competing network-management services before forcing static DNS settings.

Quick Read

  • Symptom: dnsmasq fails to load the DNS servers listed in /etc/resolv.conf after a reboot. Verify the resolver file source, service startup order, and competing network-management services before forcing static DNS settings.
  • Check first: Capture the affected source, destination, protocol, port, DNS name, VLAN or subnet, and exact error before changing policy.
  • Risk: Changes system state

Symptoms

The dnsmasq service fails to load DNS servers specified in the /etc/resolv.conf file after a system reboot.

Environment

Linux-based systems running dnsmasq as a DNS forwarder and DHCP server.

Most Likely Causes

The dnsmasq service may not be configured to read the /etc/resolv.conf file correctly, or the file may not be populated with the expected DNS server entries during the boot process.

What to Check First

  1. Capture the affected source, destination, protocol, port, DNS name, VLAN or subnet, and exact error before changing policy.
  2. Verify path, name resolution, authentication, and firewall policy separately so one symptom does not hide multiple failures.
  3. Check whether the issue is isolated to one client, one subnet, one VPN profile, or every path.

Fix Steps

  1. Check dnsmasq configuration file

    Verify that the dnsmasq configuration file is set up to read from /etc/resolv.conf.

    Example pattern only. Adjust for your environment before running.

    grep -n 'resolv-file' /etc/dnsmasq.conf
    grep -n 'no-resolv' /etc/dnsmasq.conf
  2. Modify dnsmasq configuration if necessary

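    If the configuration does not include the correct settings, edit the dnsmasq configuration file to ensure it reads from /etc/resolv.conf. The no-resolv option tells dnsmasq not to read any resolv file, so it must not be active alongside resolv-file.

    Changes system state: review before running

    sudo nano /etc/dnsmasq.conf
    # Ensure the following line is present (this path is also the dnsmasq default):
    resolv-file=/etc/resolv.conf
    # Ensure no-resolv is absent or commented out; while it is active,
    # dnsmasq ignores resolv-file and /etc/resolv.conf entirely:
    #no-resolv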
  3. Check /etc/resolv.conf content

    Ensure that /etc/resolv.conf contains valid nameserver entries.

    Example pattern only. Adjust for your environment before running.

    cat /etc/resolv.conf
  4. Update /etc/resolv.conf if necessary

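    If /etc/resolv.conf is empty or incorrect, update it with valid DNS server entries. If another service generates the file (see Edge Cases), manual edits may be overwritten at the next boot.

    Changes system state: review before running

    sudo nano /etc/resolv.conf
    # Add valid nameserver entries, for example:
    nameserver 8.8.8.8
    nameserver 8.8.4.4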
  5. Restart dnsmasq service

    After making changes, restart the dnsmasq service to apply the new configuration.

    Changes system state: review before running

    sudo systemctl restart dnsmasq
  6. Check dnsmasq service status

    Verify that the dnsmasq service is running without errors.

    Safe to run: read-only

    sudo systemctl status dnsmasq
  7. Test DNS resolution

    Test DNS resolution to ensure that dnsmasq is functioning correctly.

    Example pattern only. Adjust for your environment before running.

    dig @127.0.0.1 example.com
    nslookup example.com 127.0.0.1
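
The checks from steps 1 to 4, collected into one read-only script as an added example that is not part of the original procedure. The function name `check_dnsmasq_resolv` and its optional second argument (a default resolv file path) are assumptions made for illustration; the script also flags the systemd-resolved case listed under Edge Cases.

```shell
#!/bin/sh
# Added example: read-only audit of the files inspected in the fix steps.
# Usage: sh check.sh /etc/dnsmasq.conf [default-resolv-file]
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
check_dnsmasq_resolv() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "FAIL $conf missing or unreadable"; return 1; }

    # no-resolv stops dnsmasq from reading any resolv file, so a
    # resolv-file= line next to it has no effect.
    if grep -Eq '^[[:space:]]*no-resolv([[:space:]]|$)' "$conf"; then
        echo "FAIL no-resolv is set in $conf; resolv files are not read"
        findings=1
    fi

    # First resolv-file= line, else the default (assumption: one such line).
    resolv=$(sed -n 's/^[[:space:]]*resolv-file=//p' "$conf" | head -n 1)
    resolv=${resolv:-${2:-/etc/resolv.conf}}
    [ -r "$resolv" ] || { echo "FAIL $resolv missing or unreadable"; return 1; }

    # A symlink into systemd's runtime directory means systemd-resolved
    # generates this file, not the administrator.
    case $(readlink "$resolv" 2>/dev/null || true) in
        *systemd/resolve*)
            echo "WARN $resolv is a symlink managed by systemd-resolved"
            findings=1 ;;
    esac

    servers=$(awk '$1 == "nameserver" { print $2 }' "$resolv")
    if [ -z "$servers" ]; then
        echo "FAIL $resolv has no nameserver entries"
        findings=1
    fi
    for ip in $servers; do
        case $ip in
            127.*|::1)
                echo "WARN nameserver $ip is loopback (a local resolver, possibly dnsmasq itself)"
                findings=1 ;;
            *)  echo "OK   upstream $ip" ;;
        esac
    done
    return "$findings"
}

if [ "$#" -gt 0 ]; then check_dnsmasq_resolv "$@"; fi
```

Run it before and after a reboot and compare the output; a finding that appears only after the reboot points at whichever service rewrote the resolver file during startup.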

Validation

  • The same client and network path can reach the target after the change.
  • Firewall, VPN, DHCP, DNS, or switch logs show allowed traffic or successful negotiation instead of the prior failure.
  • A second path check confirms that the fix did not open unintended access or break another subnet.

Logs to Check

  • Firewall, VPN, DNS, DHCP, or switch logs for the failing timestamp.
  • Client resolver, route table, VPN client, or browser/network diagnostics.
  • Packet capture or flow logs when policy and routing disagree.

Rollback and Escalation

  • Export or screenshot the original policy, route, resolver, or interface configuration before changing it.
  • Remove temporary allow rules, test DNS records, or route changes after validation.
  • Restore the previous VPN profile, firewall rule, or switch configuration if reachability worsens.

Escalate When

  • Escalate if the same error persists after rollback and a clean retry from the original failing path.
  • Escalate if logs show authorization, data loss, certificate, replication, or production availability risk outside the local service owner scope.

Edge Cases

  • If dnsmasq is not installed, install it using 'sudo apt install dnsmasq' (Debian or Ubuntu; use the distribution's own package manager elsewhere).
  • If the system uses a different DNS management service (like systemd-resolved), ensure it is not conflicting with dnsmasq.

Notes from the Field

  • Most network incidents need source and destination evidence. A successful test from an admin laptop does not prove the affected client path is fixed.
  • For VPN and firewall changes, keep the blast radius narrow and time-box any temporary allow rule.