Custom DNS port not working with DNSMASQ full

20315 root      2048 S    {dnsmasq} /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/
20316 root      2048 S    {dnsmasq} /sbin/ujail -t 5 -n dnsmasq -u -l -r /bin/
20318 dnsmasq   9472 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.kids_dns
20319 dnsmasq   3040 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.adults_dn
20457 root      1096 S    grep dnsm
root@OpenWrt:~# logread -e dnsmasq
Fri Jul 14 00:24:07 2023 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Fri Jul 14 00:24:07 2023 daemon.info dnsmasq[1]: exiting on receipt of SIGTERM
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: started, version 2.89 cachesize 150
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Fri Jul 14 00:24:17 2023 daemon.warn dnsmasq[1]: warning: interface Kids_lan does not currently exist
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.1.100 -- 192.168.1.249, lease time 12h
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5054
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5053
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: using only locally-known addresses for adults_lan
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.adults_dns - 21 names
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.kids_dns - 14 names
Fri Jul 14 00:24:17 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: started, version 2.89 cachesize 150
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.2.100 -- 192.168.2.249, lease time 12h
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5054
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using nameserver 127.0.0.1#5053
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for pandi.co.zw
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for 5wh.co.zw
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for dns-asia.wugui.zone
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for dns.wugui.zone
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for luxdiscount.zone
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for werfoxt.node.cloudlets.zone
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for trtjust.node.cloudlets.zone
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using only locally-known addresses for suplive-live-owa-com.node.cloudlets.zone
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using 110901 more local addresses
Fri Jul 14 00:24:18 2023 daemon.info dnsmasq[1]: using 750 more nameservers
Fri Jul 14 00:24:19 2023 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Fri Jul 14 00:24:19 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.adults_dns - 21 names
Fri Jul 14 00:24:19 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.kids_dns - 14 names
Fri Jul 14 00:24:19 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Fri Jul 14 00:24:24 2023 daemon.warn dnsmasq-dhcp[1]: no address range available for DHCP request via br-adults_lan
Fri Jul 14 00:26:38 2023 daemon.warn dnsmasq-dhcp[1]: no address range available for DHCP request via br-adults_lan
Fri Jul 14 00:28:46 2023 daemon.warn dnsmasq-dhcp[1]: no address range available for DHCP request via br-adults_lan

That is by design, to make the DNS span interfaces.

I thought that might be your rationale, but figured I should ask anyway. And I'm not convinced it's correct.

Here's my reasoning:

You have one Kids interface in the Kids firewall zone, and one Adults interface in the Adults zone. Any adult device joining the kids network will be in the Kids firewall zone and subject to the Kids firewall policies. And vice-versa.

So, your firewall draws a distinction between the two networks. And so should your dnsmasq configuration.

I still think it'd be easier not to bother with attempts at segregation based on network, but instead use per-device policies in, say, something like Adguard Home or Pi-hole (I know, I know, I'll keep banging that drum...),

This is just one instance. You should use interface & notinterface complementarily, i.e.:
for the adult instance, interface adult, notinterface kid, and vice versa. Delete the port option.
Then you can let clients use the default DNS (& DHCP) instance related to their network, or individually force a client to use the other DNS (but not the other DHCP) via a DHCP option.

There's one more way of doing this: set up the ad-blocked DNS on port 53, and provide the router's DNS IP to the clients you want to block.

All other clients get DNS IP 1.1.1.1 or 8.8.8.8, or some other public DNS.

What's in the directories /tmp/adults_lan/dnsmasq.d/ and /tmp/kids_lan/dnsmasq.d/? Any chance something in either or both of those directories might also be getting in the way?

I don't think that is correct. I have two instances; both are listed in LuCI, they are just not bound to a specific one. There are two separate DHCP servers; that's all working, just not DNS on any port other than 53.

My log might be missing the rest of the info because DAWN spams the log.

What does netstat say about open/listening ports?

As an example, here's mine:

root@ea8300:/etc/config# netstat -alnp | grep dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6355/dnsmasq
tcp        0      0 192.168.140.1:53        0.0.0.0:*               LISTEN      6355/dnsmasq
tcp        0      0 xxx.xxx.xxx.xxx:53      0.0.0.0:*               LISTEN      6355/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      6355/dnsmasq
tcp        0      0 fe80::c641:1eff:fe86:3ce0:53 :::*                    LISTEN      6355/dnsmasq
tcp        0      0 fe80::c641:1eff:fe86:3ce3:53 :::*                    LISTEN      6355/dnsmasq
tcp        0      0 fe80::c441:1eff:fe86:3ce4:53 :::*                    LISTEN      6355/dnsmasq
tcp        0      0 fe80::c641:1eff:fe86:3ce2:53 :::*                    LISTEN      6355/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           6355/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           6355/dnsmasq
udp        0      0 192.168.140.1:53        0.0.0.0:*                           6355/dnsmasq
udp        0      0 xxx.xxx.xxx.xxx:53      0.0.0.0:*                           6355/dnsmasq
udp        0      0 ::1:53                  :::*                                6355/dnsmasq
udp        0      0 fe80::c641:1eff:fe86:3ce0:53 :::*                                6355/dnsmasq
udp        0      0 fe80::c641:1eff:fe86:3ce3:53 :::*                                6355/dnsmasq
udp        0      0 fe80::c441:1eff:fe86:3ce4:53 :::*                                6355/dnsmasq
udp        0      0 fe80::c641:1eff:fe86:3ce2:53 :::*                                6355/dnsmasq
unix  3      [ ]         STREAM     CONNECTED      57707 6355/dnsmasq
unix  2      [ ]         DGRAM                     57709 6355/dnsmasq
root@ea8300:/etc/config#

No, that is the config dir for each dnsmasq instance. It is so adblock can work its magic on the kids LAN, leaving the adults LAN alone.

I'm aware, hence the question.

You can use full dnsmasq directives in files in those directories, which you might not be able to do in LuCI / UCI / /etc/config/dhcp. If you've got any directives in those directories which cause conflicts, that may also help to explain the issues you're experiencing.

As below. I don't really understand it fully, but it lists port 5153 as a listening port as well as 53.

root@OpenWrt:~# netstat -alnp | grep dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      20319/dnsmasq
tcp        0      0 192.168.1.1:5153        0.0.0.0:*               LISTEN      20318/dnsmasq
tcp        0      0 192.168.2.1:5153        0.0.0.0:*               LISTEN      20318/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      20319/dnsmasq
tcp        0      0 fe80::c64b:d1ff:fe00:474d:53 :::*                    LISTEN      20319/dnsmasq
tcp        0      0 fe80::c64b:d1ff:fe00:474d:5153 :::*                    LISTEN      20318/dnsmasq
tcp        0      0 fe80::c44b:d1ff:fe00:474e:5153 :::*                    LISTEN      20318/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      20319/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           20319/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           20319/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           20318/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           20319/dnsmasq
udp        0      0 192.168.1.1:5153        0.0.0.0:*                           20318/dnsmasq
udp        0      0 192.168.2.1:5153        0.0.0.0:*                           20318/dnsmasq
udp        0      0 ::1:53                  :::*                                20319/dnsmasq
udp        0      0 fe80::c64b:d1ff:fe00:474d:53 :::*                                20319/dnsmasq
udp        0      0 fe80::c64b:d1ff:fe00:474d:5153 :::*                                20318/dnsmasq
udp        0      0 fe80::c44b:d1ff:fe00:474e:5153 :::*                                20318/dnsmasq
unix  2      [ ]         DGRAM      CONNECTED     5581816 20319/dnsmasq       
unix  3      [ ]         STREAM     CONNECTED     5583991 20318/dnsmasq       
unix  3      [ ]         STREAM     CONNECTED     5581814 20319/dnsmasq       
unix  2      [ ]         DGRAM      CONNECTED     5583993 20318/dnsmasq       
root@OpenWrt:~# 

Indeed it does... but look closer.

You've got both adults_lan and kids_lan interfaces defined in both dnsmasq instances (you explained why previously). Adult DNS listens on 53, and Kid DNS listens on 5153. But only 5153 is listening on both interfaces in your netstat output. Notice that 53 only appears on one interface, not both.

That is by design, as I don't want the kids to use port 53, since adblock is not active on that interface.

Perhaps, but not according to your configuration.

If the adults_dns dnsmasq instance listens on port 53, and that same instance is bound to both adults_lan and kids_lan, then you should see 53 listening on both interfaces.

Whether that's desirable or not according to your goals is beside the point. Based on your apparent configuration, that's what should be happening. And it isn't, for some reason.
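One way to make that check mechanical (an added example, not from the thread): parse the `netstat -alnp` output into (pid, port) → addresses and report which gateway addresses have no listener on a given port. The sample rows are a constructed subset of the netstat output quoted above; the function names are my own.

```python
import re

# Constructed sample: a subset of the `netstat -alnp | grep dnsmasq` output quoted
# in the thread. PID 20319 is the adults instance (port 53), 20318 the kids
# instance (port 5153); IPv6 link-local rows are omitted for brevity.
SAMPLE_NETSTAT = """\
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      20319/dnsmasq
tcp        0      0 192.168.1.1:5153        0.0.0.0:*               LISTEN      20318/dnsmasq
tcp        0      0 192.168.2.1:5153        0.0.0.0:*               LISTEN      20318/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      20319/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           20319/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           20318/dnsmasq
udp        0      0 192.168.1.1:5153        0.0.0.0:*                           20318/dnsmasq
udp        0      0 192.168.2.1:5153        0.0.0.0:*                           20318/dnsmasq
unix  3      [ ]         STREAM     CONNECTED     5583991 20318/dnsmasq
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional LISTEN, pid/program
SOCKET_RE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/dnsmasq\b"
)


def parse_listeners(netstat_text):
    """Map (pid, port) -> set of local addresses for every dnsmasq TCP/UDP socket.
    Unix-domain sockets are skipped; rsplit keeps IPv6 addresses (with ':') intact."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue
        addr, port = m.group(2).rsplit(":", 1)
        listeners.setdefault((int(m.group(3)), int(port)), set()).add(addr)
    return listeners


def addresses_missing_on_port(listeners, port, expected_addrs):
    """Expected gateway addresses on which no dnsmasq process binds `port`.
    A non-empty result means an instance bound to two interfaces did not
    actually get a socket on one of them."""
    bound = set()
    for (_pid, p), addrs in listeners.items():
        if p == port:
            bound |= addrs
    return set(expected_addrs) - bound
```

Run against the full netstat output, `addresses_missing_on_port(..., 53, {"192.168.1.1", "192.168.2.1"})` returns `{"192.168.2.1"}`, which is exactly the gap pointed out above.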

I still don't understand why you want to mix your networks. What is the expected value?

With a config like this:

config dnsmasq 'adult'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        option logqueries '1'
        option logdhcp '1'
        list interface br-lan
        list notinterface br-guest

config dnsmasq 'kid'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/kid/'
        option domain 'kid'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option port '54'
        option logqueries '1'
        option logdhcp '1'
        list notinterface br-lan
        list interface br-guest

config dhcp 'adult_dhcp'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option instance 'adult'

config dhcp 'kid_dhcp'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option instance 'kid'

I have this simple netstat:

~# netstat -nlp| grep dnsm
tcp        0      0 10.0.0.1:54             0.0.0.0:*               LISTEN      7854/dnsmasq
tcp        0      0 127.0.0.1:54            0.0.0.0:*               LISTEN      7853/dnsmasq
tcp        0      0 10.20.0.1:54            0.0.0.0:*               LISTEN      7853/dnsmasq
tcp        0      0 fe80::20c:29ff:fe7e:3df5:54 :::*                    LISTEN      7854/dnsmasq
tcp        0      0 ::1:54                  :::*                    LISTEN      7853/dnsmasq
tcp        0      0 fe80::20c:29ff:fe7e:3df5:54 :::*                    LISTEN      7853/dnsmasq
udp        0      0 127.0.0.1:54            0.0.0.0:*                           7854/dnsmasq
udp        0      0 10.0.0.1:54             0.0.0.0:*                           7854/dnsmasq
udp        0      0 127.0.0.1:54            0.0.0.0:*                           7853/dnsmasq
udp        0      0 10.20.0.1:54            0.0.0.0:*                           7853/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7854/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7853/dnsmasq
udp        0      0 ::1:54                  :::*                                7854/dnsmasq
udp        0      0 fe80::20c:29ff:fe7e:3df5:54 :::*                                7854/dnsmasq
udp        0      0 ::1:54                  :::*                                7853/dnsmasq
udp        0      0 fe80::20c:29ff:fe7e:3df5:54 :::*                                7853/dnsmasq

for each network there is one dedicated dnsmasq instance.

So, what exactly are you trying to achieve with your mixed approach?

Your logread extract shows some potential issues with DHCP. So, here's a suggestion for a test: take DHCP out of the mix.

Configure a client with a static IP address and gateway in the Adult LAN, along with the Adult DNS server. Then see if DNS resolution (and blocking) works.

Then repeat the test, this time with a static IP address and gateway in the Kids LAN, along with the Kids DNS server.

For the avoidance of doubt, connect to the Adults AP / SSID for the Adult test, and connect to the Kids AP / SSID for the Kid test.

OK, a bug?
It is not listed as a notinterface, which I thought it was.
You are right, port 53 should be on the 192.168.2.1 instance.

I only have repurposed old routers / APs set up as access points on the farm, as they don't have VLAN functions; otherwise I would set that up.

No DNS resolution works on the kids LAN with a static or DHCP address,
but if I change the port to 53 everything starts working again.

OK, that's what you did. But why do you want both networks to use both dnsmasq instances?

You have adult and kid users, so you want kid users to have filtered DNS access (using adblock). So far OK.
You created two networks: two interfaces with different IP addresses, and put them in their respective firewall zones. So far OK.
You created the two dnsmasq instances, one with parental-control adblock filtering. So far OK.

And your next step was to add both dnsmasq instances to both networks, which I don't get: why don't you keep using the separation-of-networks idea you used so far?

Sorry, no offense at all, I just don't get it.