From 188b098110acd4eaee360edb3bba53b2fb39845a Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Thu, 19 Jul 2018 21:38:52 +0200
Subject: [PATCH] dnsmasq: always listen on loopback, resolv.conf must know
PR: https://github.com/opnsense/core/issues/2562
---
 src/etc/inc/plugins.inc.d/dnsmasq.inc | 6 ++++--
 src/etc/inc/system.inc | 7 ++++---
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/dnsmasq.inc b/src/etc/inc/plugins.inc.d/dnsmasq.inc
index f8f0b8afa..1d231fb81 100644
--- a/src/etc/inc/plugins.inc.d/dnsmasq.inc
+++ b/src/etc/inc/plugins.inc.d/dnsmasq.inc
@@ -118,9 +118,11 @@ function dnsmasq_configure_do($verbose = false)
 }
 if (isset($config['dnsmasq']['interface'])) {
- $addresses = array('127.0.0.1', '::1');
+ $interfaces = explode(',', $config['dnsmasq']['interface']);
+ $interfaces[] = 'lo0';
+ $addresses = array();
- foreach (explode(',', $config['dnsmasq']['interface']) as $interface) {
+ foreach ($interfaces as $interface) {
 foreach (legacy_getall_interface_addresses(get_real_interface($interface)) as $tmpaddr) {
 $tmpaddr = explode('/', $tmpaddr)[0];
 /* no support for link-local address with scope specified */
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index ee785a976..523fea00e 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
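Review bot: Appending `lo0` unconditionally in dnsmasq_configure_do() duplicates it whenever the configured interface list already contains `lo0`, a selection the old condition in system.inc explicitly tested for, so each loopback address may be collected twice unless the rest of the loop (outside this hunk) de-duplicates. Adding `$interfaces = array_unique($interfaces);` right after the append avoids that. The loopback listen set is also no longer the fixed pair `127.0.0.1`/`::1` but whatever `legacy_getall_interface_addresses()` reports for lo0 when this runs: any additional alias on lo0 would presumably become a DNS listen address, and an empty result would leave no loopback listener at all. A one-line comment above the append stating that this is intended, e.g. `/* always serve the local resolver; listen on every address lo0 carries */`, would make the exposure decision explicit.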
@@ -157,9 +157,10 @@ function system_resolvconf_generate($verbose = false)
 $resolvconf = "domain {$syscfg['domain']}\n";
 }
- if (((isset($config['dnsmasq']['enable']) && (empty($config['dnsmasq']['interface']) || in_array("lo0", explode(",", $config['dnsmasq']['interface']))))
- || (isset($config['unbound']['enable'])) && (empty($config['unbound']['active_interface']) || in_array("lo0", explode(",", $config['unbound']['active_interface']))))
- && !isset($config['system']['dnslocalhost'])) {
+ /* XXX Unbound should always bind to loopback like Dnsmasq */
+ if (!isset($config['system']['dnslocalhost']) && (isset($config['dnsmasq']['enable']) ||
+ (isset($config['unbound']['enable']) && (empty($config['unbound']['active_interface']) ||
+ in_array('lo0', explode(',', $config['unbound']['active_interface'])))))) {
 $resolvconf .= "nameserver 127.0.0.1\n";
 }
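Review bot: The rewritten condition emits `nameserver 127.0.0.1` for every enabled Dnsmasq, but the guarantee that Dnsmasq actually listens there is enforced in dnsmasq_configure_do() in another file and is not stated anywhere in this function. The `XXX` comment only covers the Unbound side; I would extend it to record the invariant, e.g. `/* Dnsmasq always adds lo0 to its listen interfaces; XXX Unbound should do the same */`, so a later change to the Dnsmasq listener logic is not made without revisiting resolv.conf. If that invariant ever breaks, the system's own lookups would be directed at a loopback address that nothing answers on. system_resolvconf_generate() starts and ends outside this hunk, so whether further nameservers follow as a fallback cannot be judged from here.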