Hello,
I am trying to prevent dnsmasq from listening to DNS requests that might be addressed to the router on its WAN leg. This WAN leg is in an rfc1918 network, the firewalling rules are less strict there than on the public Internet.
In LuCI, "DHCP and DNS" > "General Settings", I have configured the option "Exclude interfaces = wan". In the file /tmp/etc/dnsmasq.conf.cfg01411c, LuCI translates it as "except-interface=eth2", which seems to be correct. On my router, eth2 is indeed the WAN interface.
However, when I dig the router's WAN address from the WAN subnet, I keep getting responses to my DNS queries. It keeps forwarding them and responding. The only observed difference is that now it no longer resolves locally defined hostnames.
The "except-interface" option does not seem to prohibit listening to DNS requests. So what is its use? Is there any way I can disallow the DNS server from listening to requests on this interface, other than with a specific firewalling rule?
It doesn't prohibit, it limits the interfaces the server is bound and listening. However if you allow the input from one zone to the device itself in the firewall configuration, then this means that any router interface can be used, not just the ones belonging to the zone.
So if you want to limit the dnsmasq on one interface, use the firewall as it was originally configured.
In the case detailed here, is the lack of hostname resolution an expected effect of the "except-interface" option? More generally, what is the use case for the dnsmasq "except-interface" option on a router?
I also restarted dnsmasq (as suggested by frollic), without observing any change. This is in line with your explanation.