Dnsmasq excluding/including interfaces

hbr · February 12, 2017, 8:22am

I want to exclude some interfaces from being used by dnsmasq but I am not sure which names to actually add to the config (since there are many names for the same interfaces and the documentation doesn't give an example).

Do I have to use the actual interface/vlan names (eg. eth0/eth0.1/eth1,/eth1.2/...) or the names from the LEDE config (eg. lan/br-lan/wan/wan6/...)?

Or does adding ethX automatically include all interfaces belonging to it (e.g. add eth1 -> eth1.2/wan/wan6 are excluded too without adding them specifically)?

hbr · February 22, 2017, 6:52pm

Anyone?

stangri · February 22, 2017, 11:18pm

I'm not sure if you can do it with device names, but you can certainly do it with interface names, like: uci set dhcp.lan.ignore=1. I hope it helps.

InkblotAdmirer · February 23, 2017, 2:55am

In my /etc/config/dhcp file I have something like this:

`config dnsmasq`
      list interface 'lan'
      list notinterface 'vpn'

dnsmasq will hand out IPs on lan but not vpn. The interfaces in the above section are pulled from the following section names (i.e. config dhcp 'lan')

Is that what you're looking for?

hbr · February 23, 2017, 6:17pm

Yes that should be excactly what was I was looking for, thanks!

hbr · February 26, 2017, 6:58pm

In case anyone else is looking for this:

All interface names from "etc/config/network" seem to work (e.g. config interface 'lan', config interface 'lan4', ...), even if there is no DHCP configuration for them.

Noticed since I forgot to add my "lan4" interface to the included ones and DNS resolution stopped working on "lan4" for a day.

People on "lan4" were not amused

angenoir · August 21, 2018, 8:27am

Hello.

Any idea what this does not work for me ?

I'm using LEDE Reboot 17.01.4

I've these interfaces

# ifconfig
br-lan
    inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

eth0      
    inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0

eth2      
    inet addr:192.168.1.60  Bcast:192.168.1.255  Mask:255.255.255.0

In /etc/config/dhcp I have this

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option nonwildcard '0'
        list interface 'lan'
        list notinterface 'dedicated'

Dnsmasq is started this way

/usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg02411c -k -x /var/run/dnsmasq/dnsmasq.cfg02411c.pid

In '/var/etc/dnsmasq.conf.cfg02411c' I have

interface=br-lan
except-interface=eth2

Which is good, but it stills listen on eth2

# nmap -p 53 192.168.1.60
Host is up (0.00052s latency).
PORT   STATE SERVICE
53/tcp open  domain

I've try everything, with only "interface" or only "except-interface", in config/dhcp or directly in dnsmasq.conf but nothing works, Dnsmasq seems to ignore these settings.

I'm stuck on this since yesterday and it's driving me crazy.

Thanks for your help.

angenoir · August 21, 2018, 8:40am

Ok, I made progress.

Looking (deeper in) the man page

I've found this

-z, --bind-interfaces
On systems which support it, dnsmasq binds the wildcard address, even when it is listening on only some interfaces. It then discards requests that it shouldn't reply to. This has the advantage of working even when interfaces come and go and change address. This option forces dnsmasq to really bind only the interfaces it is listening on. About the only time when this is useful is when running another nameserver (or another instance of dnsmasq) on the same machine. Setting this option also enables multiple instances of dnsmasq which provide DHCP service to run in the same machine.

So I've modified /etc/init.d/dnsmasq and added --bind-interfaces manually

procd_set_param command $PROG --bind-interfaces -C $CONFIGFILE -k -x /var/run/dnsmasq/dnsmasq."${cfg}".pid

And it works !

# nmap -p 53 192.168.1.60
Host is up (0.00048s latency).
PORT   STATE  SERVICE
53/tcp closed domain

Next, I've found how to specify this option in the config (rather than modifying the init script!), it's just about adding the line

bind-interfaces

in /etc/dnsmasq.conf

and voila ... solved

So good to know, in summary:
if you really want to listen only on the specified interface(s), add "bind-interfaces" in dnsmasq.conf

jow · August 21, 2018, 8:47am

a) you can use /etc/dnsmasq.conf to supply additional native arguments (add a sole line bind-interfaces there)
b) I suggest to prefer (--)bind-dynamic over (--)bind-interfaces
c) The bind-dynamic option can be set in uci using option nonwildcard 1

angenoir · August 21, 2018, 8:49am

Ok. Thanks for pointing that

igorek3 · December 7, 2018, 7:14am

DHCP doesn't work with
option nonwildcard 1

open.nya · April 19, 2021, 10:16am

Does anybody knows is dnsmasq UCI config (/etc/config/dhcp) supports wildcard interface names (tun+) or NOT?
I mean can I write something like (tun+) this and would it work?

config dnsmasq
      option notinterface 'tun+'

I really need to exclude all VPN interfaces because DNSMASQ is trying to bind to all of them as they appear in the system.
I do not know for what purpose dnsmasq is doing this with every tunnel iface, it's very strange.

EDIT:

Answering to myself

According to dnsmasq MAN page:

A  simple  wildcard,  consisting  of a trailing '*',
can be used in --interface and --except-interface options.

I have tested the following syntax:

config dnsmasq
      list notinterface 'tun*'
      list notinterface 'wg*'

Works perfectly, no more bindings to VPN ifaces.

system · April 29, 2021, 10:16am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.