Dnsmasq excluding/including interfaces


#1

I want to exclude some interfaces from being used by dnsmasq but I am not sure which names to actually add to the config (since there are many names for the same interfaces and the documentation doesn't give an example).

Do I have to use the actual interface/vlan names (eg. eth0/eth0.1/eth1,/eth1.2/...) or the names from the LEDE config (eg. lan/br-lan/wan/wan6/...)?

Or does adding ethX automatically include all interfaces belonging to it (e.g. add eth1 -> eth1.2/wan/wan6 are excluded too without adding them specifically)?


#2

Anyone? :cry:


#3

I'm not sure if you can do it with device names, but you can certainly do it with interface names, like: uci set dhcp.lan.ignore=1. I hope it helps.


#4

In my /etc/config/dhcp file I have something like this:

`config dnsmasq`
      list interface 'lan'
      list notinterface 'vpn'

dnsmasq will hand out IPs on lan but not vpn. The interfaces in the above section are pulled from the following section names (i.e. config dhcp 'lan')

Is that what you're looking for?


#5

Yes that should be excactly what was I was looking for, thanks!


#6

In case anyone else is looking for this:

All interface names from "etc/config/network" seem to work (e.g. config interface 'lan', config interface 'lan4', ...), even if there is no DHCP configuration for them.

Noticed since I forgot to add my "lan4" interface to the included ones and DNS resolution stopped working on "lan4" for a day.

People on "lan4" were not amused :laughing:


#7

Hello.

Any idea what this does not work for me ? :frowning:

I'm using LEDE Reboot 17.01.4

I've these interfaces

# ifconfig
br-lan
    inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

eth0      
    inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0

eth2      
    inet addr:192.168.1.60  Bcast:192.168.1.255  Mask:255.255.255.0

In /etc/config/dhcp I have this

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option nonwildcard '0'
        list interface 'lan'
        list notinterface 'dedicated'

Dnsmasq is started this way

/usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg02411c -k -x /var/run/dnsmasq/dnsmasq.cfg02411c.pid

In '/var/etc/dnsmasq.conf.cfg02411c' I have

interface=br-lan
except-interface=eth2

Which is good, but it stills listen on eth2

# nmap -p 53 192.168.1.60
Host is up (0.00052s latency).
PORT   STATE SERVICE
53/tcp open  domain

I've try everything, with only "interface" or only "except-interface", in config/dhcp or directly in dnsmasq.conf but nothing works, Dnsmasq seems to ignore these settings.

I'm stuck on this since yesterday and it's driving me crazy.

Thanks for your help.


#8

Ok, I made progress.

Looking (deeper in) the man page

I've found this

-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

So I've modified /etc/init.d/dnsmasq and added --bind-interfaces manually

procd_set_param command $PROG --bind-interfaces -C $CONFIGFILE -k -x /var/run/dnsmasq/dnsmasq."${cfg}".pid

And it works !

# nmap -p 53 192.168.1.60
Host is up (0.00048s latency).
PORT   STATE  SERVICE
53/tcp closed domain

Next, I've found how to specify this option in the config (rather than modifying the init script!), it's just about adding the line

bind-interfaces

in /etc/dnsmasq.conf

and voila ... solved :slight_smile:

So good to know, in summary:
if you really want to listen only on the specified interface(s), add "bind-interfaces" in dnsmasq.conf


#9

a) you can use /etc/dnsmasq.conf to supply additional native arguments (add a sole line bind-interfaces there)
b) I suggest to prefer (--)bind-dynamic over (--)bind-interfaces
c) The bind-dynamic option can be set in uci using option nonwildcard 1


#10

Ok. Thanks for pointing that :slight_smile:


#11

DHCP doesn't work with
option nonwildcard 1