Help with dnsmasq instances

Hello all,
i'm trying to create a second dns instance to be used on a specific network, that should not be able to resolve anything but a whitelist of domains.
Well, i'm stuck far from my target :slight_smile:
I tried creating the two instances in this way:

  • the first instance should receive requests from all interfaces but IOT (so i did not put a interface option, just a notinterface IOT)
  • the second one receives from only IOT, so i just excluded "lo", and added the option noresolv

problems:

  • i can no longer resolve local names without local domain
  • only one local domain works (lan, not iot)
  • i'm not even sure that the second instance works (how can i?), given that clients on IOT network still can resolve hosts, and they also seem to read the adblock list of domains. But logread shows no errors

as you can see, i still haven't even tried to whitelist some domains :slight_smile:

Can you help me?

config dnsmasq 'dns_default'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option nonwildcard '1'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option confdir '/mnt/sda1/tmp/adblock/dns'
        option notinterface 'iot'

config dnsmasq 'dns_iot'
        option interface 'iot'
        option notinterface 'lo'
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/iot/'
        option domain 'iot'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option nonwildcard '1'
        option noresolv

Is it possible to bind each instance to specific interfaces, as well as excluding each instance from specific interfaces?

Replace option with list as implemented here:
Multiple DHCP/DNS server/forwarder instances


missed that! but sadly it's the same :frowning:

Edit: ok, i found out that interface name IS case sensitive :slight_smile: now it seems i can get the two instances to work, but i can't understand why the "noresolv" option does not work.
i expected the dns server to resolve only local hosts, am i wrong?

ok it seems the option noresolv is not taking me to any result.
so i just gave a different config file where all is blacklisted and only good domains are whitelisted, and it seems to work.
Now i'd like to use the allowed domains to create firewall rules, i think it should be done with https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset am i right?
@vgaetera it seems to me you wrote the help page, but i installed the ipset-dns package and i can't see anything in network-firewall-traffic rules to manage it, can you give me any hint? thanks :slight_smile:

ipset dnsmasq-full

/etc/config/dhcp

list ipset '/somedomain.com/yourIPSET4,yourIPSET6'

then create firewall.user or whatever to match that set and do whatever...

i already have ipset installed, but only the "normal" dnsmasq
The help page https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset seems not to require the full package, does it?
Can i replace the normal dnsmasq with the full one with the same config?
Thanks

only full has ipset support (afaik but ipset-dns method may/likely is different to what I posted above that is designed for use with upstream server directive)...

yes... binaries are safely interchangeable if you have space


oh ok, so this is a different method, interesting.
Is it mandatory to list all needed domains in the

list ipset '/somedomain.com/yourIPSET4,yourIPSET6'

?
i have an external whitelist, it would be a nightmare to list everything here..

Thanks!!

just use a confdir directive and dump a single file there in masq format...

vgaetera will probably advise which of the two methods is better for that use case...

you are definitely overestimating me, but i'll try to understand what a "confdir directive" is and also a "masq format" :slight_smile:
thanks!

	option confdir '/tmp/secondmasqinstance.d'
mkdir -p /tmp/secondmasqinstance.d
cat <<'EOF' > /tmp/secondmasqinstance.d/ipsets
ipset=/cloudfront.net/streaming4,streaming6
EOF

suspect this method is lighter than ipset-dns... but i've never tried that...

sorry, i can't get this
i'm already using the confdir to provide my second dns instance with the whitelist of allowed domains, but how can this list end inside a ipset list that - it seems? - has different format?
my whitelist has this format:

local=/google.it/#
address=/#/

the ipset list should be this, right?

ipset=/google.it/list4,list6

yes... in the method i've shown you can use your existing confdir/file... and masq will populate those ipsets for you for use in firewall rules... maybe hold off on that method until you've tried ipset-dns first...

the ipset-dns method I suspect is for 'whitelisting' within the masq dns response process... go with that probably if you want control over things at the resolution phase... the fundamentals are similar...

[root@dca632 /usbstick 45°]# opkg list | grep ipset-dns
ipset-dns - 2017-10-08-ade2cf88-1 - The ipset-dns daemon is a lightweight DNS forwarding server that adds all resolved IPs to a given netfilter ipset. It is designed to be used in conjunction with dnsmasq's upstream server directive.  Practical use cases include routing over a given gateway traffic for particular web services or webpages that do not have a priori predictable IP addresses and instead rely on dizzying arrays of DNS resolutions.

still overestimating me, but i appreciate a lot since this is interesting :slight_smile:
so in the dhcp config file i can leave the confdir with my specific whitelist, but do i need to add also a list ipset something? or how can i get dnsmasq to create the list?
and (sorry) where the hell do i find the ipset list in the firewall luci interface? :slight_smile:
with this method is dnsmasq also creating the list (so, resolving all domains) at startup?
one more thanks

# insert the DROP first: -I puts each rule at the top, so the ACCEPT inserted last is evaluated first
iptables -I FORWARD -i ethOTHER -o WAN -j DROP
iptables -I FORWARD -i ethOTHER -o WAN -m set --match-set list4 dst -j ACCEPT

etc. etc.
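To tie the pieces above together (the confdir file in dnsmasq "ipset=" format, the existing whitelist in "local=/domain/#" format, and the FORWARD rules), here is an added shell example that is not from this thread or from OpenWrt: it converts a whitelist into the ipset= lines that dnsmasq-full needs, and emits the iptables rules in the order that makes the ACCEPT rule win. The set names list4/list6, the interface names br-iot and eth0.2, and the sample whitelist are constructed placeholders; the "#" comment lines and the catch-all "address=/#/" line are deliberately skipped because they are not domains.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: set names list4/list6,
# interfaces br-iot (IOT side) and eth0.2 (WAN side) are placeholders.

# Constructed sample whitelist in the format used earlier in the thread.
SAMPLE_WHITELIST='local=/google.it/#
local=/cloudfront.net/#
# a comment line that must be ignored
address=/#/'

# whitelist_to_ipset SET4 SET6
# Reads "local=/domain/#" lines on stdin and prints "ipset=/domain/SET4,SET6".
# Anything that is not a local=/.../# entry (comments, the address=/#/ catch-all)
# produces no output, so only real domains end up in the sets.
whitelist_to_ipset() {
    set4="$1"
    set6="$2"
    sed -n "s|^local=/\([^/]*\)/#\$|ipset=/\1/${set4},${set6}|p"
}

# generate_ipset_conf: the conversion applied to the constructed sample.
generate_ipset_conf() {
    printf '%s\n' "$SAMPLE_WHITELIST" | whitelist_to_ipset list4 list6
}

# firewall_rules LAN_IF WAN_IF SET4
# Prints the two FORWARD rules. Because -I inserts at the top of the chain,
# the default DROP is printed first and the ACCEPT last, so the ACCEPT for
# addresses in the set is evaluated before the DROP.
firewall_rules() {
    lan_if="$1"
    wan_if="$2"
    set4="$3"
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$lan_if" "$wan_if"
    printf 'iptables -I FORWARD -i %s -o %s -m set --match-set %s dst -j ACCEPT\n' \
        "$lan_if" "$wan_if" "$set4"
}

# install_ipset_conf CONFDIR WHITELIST_FILE
# Writes the converted file into the confdir of the second dnsmasq instance
# and restarts dnsmasq. Only does something on a router where dnsmasq exists;
# the sets themselves must already exist (ipset create list4 hash:ip, etc.).
install_ipset_conf() {
    confdir="$1"
    whitelist="$2"
    [ -x /etc/init.d/dnsmasq ] || { echo "not on an OpenWrt router, skipping" >&2; return 0; }
    mkdir -p "$confdir"
    whitelist_to_ipset list4 list6 < "$whitelist" > "$confdir/ipsets"
    /etc/init.d/dnsmasq restart
}

# Run directly: show what would be written and which rules to apply.
if [ "${0##*/}" = "whitelist_ipset.sh" ]; then
    echo "# dnsmasq confdir file:"
    generate_ipset_conf
    echo "# firewall rules:"
    firewall_rules br-iot eth0.2 list4
fi
```

dnsmasq only adds an address to the set when it resolves that name, so the sets are empty after a restart until a client on the IOT network looks a whitelisted domain up; the DROP rule covers everything until then.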

You have specified the option name, but missing the option value:

yes i saw :frowning:
but basically i got the result with the whitelist file, how would it be different with the noresolv?
now i'm stuck with the ipset list :slight_smile:

You don't really need to use firewall for that.
Just remove the noresolv option and then enable DNS filtering.


sure, but in this case i'd need to create an accept firewall allowing clients to widely access wan.
Now i'm quite satisfied by the dns resolving behaviour (i get ip address only for whitelisted domains), and i'd like to create firewall rules to allow access only to the whitelisted domains.
Can i do that with dns-ipset? (or with the method @anon50098793 described)
I think so, is that right?