Dnsmasq excluding/including interfaces

I want to exclude some interfaces from being used by dnsmasq but I am not sure which names to actually add to the config (since there are many names for the same interfaces and the documentation doesn't give an example).

Do I have to use the actual interface/vlan names (eg. eth0/eth0.1/eth1,/eth1.2/...) or the names from the LEDE config (eg. lan/br-lan/wan/wan6/...)?

Or does adding ethX automatically include all interfaces belonging to it (e.g. add eth1 -> eth1.2/wan/wan6 are excluded too without adding them specifically)?

Anyone? :cry:

I'm not sure if you can do it with device names, but you can certainly do it with interface names, like: uci set dhcp.lan.ignore=1. I hope it helps.

1 Like

In my /etc/config/dhcp file I have something like this:

`config dnsmasq`
      list interface 'lan'
      list notinterface 'vpn'

dnsmasq will hand out IPs on lan but not vpn. The interfaces in the above section are pulled from the following section names (i.e. config dhcp 'lan')

Is that what you're looking for?

1 Like

Yes that should be excactly what was I was looking for, thanks!

In case anyone else is looking for this:

All interface names from "etc/config/network" seem to work (e.g. config interface 'lan', config interface 'lan4', ...), even if there is no DHCP configuration for them.

Noticed since I forgot to add my "lan4" interface to the included ones and DNS resolution stopped working on "lan4" for a day.

People on "lan4" were not amused :laughing:


Any idea what this does not work for me ? :frowning:

I'm using LEDE Reboot 17.01.4

I've these interfaces

# ifconfig
    inet addr:  Bcast:  Mask:

    inet addr:  Bcast:  Mask:

    inet addr:  Bcast:  Mask:

In /etc/config/dhcp I have this

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option nonwildcard '0'
        list interface 'lan'
        list notinterface 'dedicated'

Dnsmasq is started this way

/usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg02411c -k -x /var/run/dnsmasq/dnsmasq.cfg02411c.pid

In '/var/etc/dnsmasq.conf.cfg02411c' I have


Which is good, but it stills listen on eth2

# nmap -p 53
Host is up (0.00052s latency).
53/tcp open  domain

I've try everything, with only "interface" or only "except-interface", in config/dhcp or directly in dnsmasq.conf but nothing works, Dnsmasq seems to ignore these settings.

I'm stuck on this since yesterday and it's driving me crazy.

Thanks for your help.

Ok, I made progress.

Looking (deeper in) the man page

I've found this

-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

So I've modified /etc/init.d/dnsmasq and added --bind-interfaces manually

procd_set_param command $PROG --bind-interfaces -C $CONFIGFILE -k -x /var/run/dnsmasq/dnsmasq."${cfg}".pid

And it works !

# nmap -p 53
Host is up (0.00048s latency).
53/tcp closed domain

Next, I've found how to specify this option in the config (rather than modifying the init script!), it's just about adding the line


in /etc/dnsmasq.conf

and voila ... solved :slight_smile:

So good to know, in summary:
if you really want to listen only on the specified interface(s), add "bind-interfaces" in dnsmasq.conf

a) you can use /etc/dnsmasq.conf to supply additional native arguments (add a sole line bind-interfaces there)
b) I suggest to prefer (--)bind-dynamic over (--)bind-interfaces
c) The bind-dynamic option can be set in uci using option nonwildcard 1

1 Like

Ok. Thanks for pointing that :slight_smile:

DHCP doesn't work with
option nonwildcard 1

Does anybody knows is dnsmasq UCI config (/etc/config/dhcp) supports wildcard interface names (tun+) or NOT?
I mean can I write something like (tun+) this and would it work?

config dnsmasq
      option notinterface 'tun+'

I really need to exclude all VPN interfaces because DNSMASQ is trying to bind to all of them as they appear in the system.
I do not know for what purpose dnsmasq is doing this with every tunnel iface, it's very strange.


Answering to myself :wink:

According to dnsmasq MAN page:

A  simple  wildcard,  consisting  of a trailing '*',
can be used in --interface and --except-interface options.

I have tested the following syntax:

config dnsmasq
      list notinterface 'tun*'
      list notinterface 'wg*'

Works perfectly, no more bindings to VPN ifaces.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.