Multiple DNS servers listening on different addresses

This is what I'm trying to do: is normal, unfiltered dnsmasq is https-dns-proxy forwarded to a filtered upstream DNS server

Then I can use tags in dnsmasq to assign the appropriate DNS server, depending on whether I want the device to get filtered or unfiltered DNS responses. This DHCP tagging is easy to do.

the relevant snippet of /etc/config/dhcp
config tag 'pihole'
	list dhcp_option '6,'

config host
	option name 'laptop'
	option dns '1'
	option ip ''
	option mac 'FF:FF:FF:FF:FF:00'

config host
	option name 'kids-laptop'
	option dns '1'
	option ip ''
	option mac 'FF:FF:FF:FF:FF:01'
	option tag 'pihole'

I am having a problem, though. When creating an IP alias to put two addresses on my LAN interface, in the modern Linux style, they are both put on the same interface, so dnsmasq listens on both of the addresses:

ip addr show br-lan
44: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether ff:ff:ff:ff:ff:03 brd ff:ff:ff:ff:ff:ff
    inet brd scope global br-lan
       valid_lft forever preferred_lft forever
    inet brd scope global secondary br-lan
       valid_lft forever preferred_lft forever
the relevant snippet of /etc/config/networks
config interface 'lan'
        option proto 'static'
        option ipaddr ''
        option netmask ''
        option ip6assign '64'
        option stp '1'
        option ip6hint '00'
        option device 'br-lan'

config device                          
        option name 'br-lan'           
        option type 'bridge'           
        list ports 'eth1.1'            
config interface 'lan2'                
        option device '@lan'           
        option proto 'static'          
        option ipaddr ''  
        option netmask ''

Because both addresses are on the same interface, I can't use notinterface to tell dnsmasq to ignore the second address. There also doesn't seem to be a uci method of setting the dnsmasq option listen-address.

Is there a way to put the secondary IP address on a separate interface, so then I can use notinterface to force dnsmasq to ignore it?

Failing that, is there a uci method of creating files in /tmp/dnsmasq.d/ so I can put a bunch of listen-address lines?

Or, am I on the wrong track, and there is a better way to run two different DNS resolvers?

How about assign your "service" addresses on lo instead?
To assign multiple addresses on an interface you can also just simple use list ipaddr <IP>/<mask> within the interface stanza (and remove option netmask).

Edit: I got you wrong... You may want an secondary loopback interface or dummy interface. Then you can assign address and create your DNAT rule and exclude that interface for dnsmasq?

I'm not sure how having a (locally) routable IP address on lo would work.

Yes, that is pretty much what I ended up doing, but just recycling an alias of the wan interface.

I got it working, but it will take a bit of explaining:

My cable modem is on the address, so in order to be able to access the modems status page I have an IP address assigned as an alias to the wan interface.

I do not care if dnsmasq is listening on wan, and in fact would prefer it to not listen there. To prevent it listening I added to /etc/config/dhcp

list notinterface 'eth0.2'
option nonwildcard '1'

(or just remove option nonwildcard)

Now dnsmasq will not be listening on, which leaves it available for https-dns-proxy to listen on it:

option bootstrap_dns ','
option resolver_url 'https://filter.dns/dns-query'
option listen_addr ''
option listen_port '53'

Now I can add my DHCP tag as described in the first post, and assign the as the DNS server for some of my DHCP clients.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.