Disable dnsmasq on wan

diversity · August 29, 2022, 6:46am

I tried disabling the dnsmasq process from hogging port 53 on the wan and wan6 interface.
By going into LUCI -> Network -> DHCP and DNS. and then adding wan and wan6 to the 'exclude interfaces' field

But when running netstat -tulpn on the cli the public ip address::53 are still listed under DNS (also after a restart)

How do I prevent dnsmasq from running there so that I can port forward WAN 53 to DEVICE 51820

psherman · August 29, 2022, 7:19am

The default firewall prevents all connections from the wan. You don’t need to do anything more.

Meanwhile, I have no idea why you want to use port 53 for wireguard, but I’d you are forwarding, just create a port forwarding rule with the souce-destination port 53 on the wan zone to your host at port 51820

diversity · August 29, 2022, 7:50am

I need to make sure my wireguard is accessible when I am sharing my mobile internet connection.
And as any good mobile provider secretly does, mine blocks most all ports. Only a hand full are allowed but good look figuring out which as it is undocumented and support requests are ignored.

Hence I need to try udp 53 first as that is DNS and should n9to be blocked by the ISP else risk the mobile internet not working for most to begin with.

slh · August 29, 2022, 8:15am

Most consumer ISPs block port 53 incoming for residential services, to combat DNS amplification attacks via misbehaving routers.

diversity · August 29, 2022, 8:30am

I am almost certain my office ISP does not block anything. they pride them selfs with that.

I am almost certain my mobile ISP blocks most all ports.

I really would like to give udp 53 a try but as dnsmasq is hogging that port on the wan and wan6 interface I can't even give that a try.

frollic · August 29, 2022, 8:50am

hnyman · August 29, 2022, 1:25pm

It is likely about the DNS client (resolving addresses from upstream internet), not about the DHCP client or server.

You might want to configure dnsmasq to listen for DNS answers at a different port that the default 53.
From dnsmasq manual https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

-p, --port=
Listen on instead of the standard DNS port (53). Setting this to zero completely disables DNS function, leaving only DHCP and/or TFTP.

grrr2 · August 29, 2022, 5:00pm

1) in file /etc/config/dhcp

# in this config section
config dnsmasq
  []
  # add the ip address of the interface you want dnsmasq to bind to
  # probably you want to listen on loopback interface too
  list listen_address '127.0.0.1' 
  list listen_address '<ip adddress>'

# save then restart service
$ service dnsmasq restart

# verify
netstat -nlp | grep 53

2) by default firewall blocks all incoming traffic via wan 
hence you need to setup port forward