I have multiple interfaces separate from the default LAN. I know I can configure multiple domains within dnsmasq's conf file, but I think it's unnecessary and overkill in my case.
What I want to do is simply prevent clients connected to said interfaces from resolving the default local domain, i.e. lan, but leave them free to query regular WAN domains. Is there any simple way to accomplish this?
The first possible method I could think of is to configure dnsmasq to ignore local domain requests from specified interfaces, but I don't know how, or even if it can be configured so.
Second possible method: specifying an upstream DNS resolver for each interface. I don't want to do it since, of course, the local dnsmasq cache will be bypassed and I've got HTTPS DNS Proxy configured for upstream encrypted DNS. Also, since I've got multiple interfaces, I don't want to manually configure DNS for each of them instead of a global default. This will be my last resort if there are no other viable methods.
There are a few ways one could achieve this goal...
My recommendation would be to specify public DNS servers via DHCP option 6 in the DHCP server configuration for the guest network. This will tell the clients to use the specified servers, although they are not required to honor this (typically, clients that don't honor it may have other DHCP servers that are preferred, and it won't typically look for local DNS in that case). That said, you can then prevent the guests from accessing the DNS server on your router (the preferred method here would be to drop/reject input on the firewall zone to which the guest network is associated, then accept only DHCP).
Why do you want that to be the last resort? It is actually the most straightforward approach. Is the HTTPS DNS proxy and encrypted DNS really a requirement for your guest network?
Other methods would involve running multiple instances of dnsmasq -- those are much more involved but certainly technically possible and valid -- just look that up in the forums and you'll see how that can be done. But what I suggested is the easiest and cleanest method.
I do understand it's the most straightforward approach, but the reason I want to insist on enforcing encrypted DNS is that my internet connection is being shared (which is why I don't want them to query LAN resources even if the firewall denies access). And, living in an authoritarian state, I really don't want their plain-text DNS queries to be associated with us. Not implying they're accessing banned/forbidden resources, but in case they are. Also not implying we're targeted for surveillance or anything, just for my personal peace of mind because "just in case".
Aware of this method, but it is very cumbersome and a nontrivial amount of work to do such a small thing. I might have actually done this if it was easy to do on LuCI with sane defaults; manually doing this means I need to study dnsmasq settings and all that.
Oh well, since these are the only two methods, I'll see if I can arse myself to get another dnsmasq instance or just raise the white flag.
I've been thinking: since HTTPS DNS Proxy listens on ports 5053, 5054, etc., is there any way to port forward 53 on the guest interface to localhost 5053? Would that work?
Can you show me an example of one? AFAICT, the equivalent of redirect seems to be port forwarding on LuCI, but psherman already said it's not.
And even if I were to do it over the shell, how should I redirect? There's already basically a guest DNS allow rule on the firewall, should I remove that and only have a redirect?
A port forward in LuCI is named redirect in UCI. Just different terminology, same result, DNAT.
The redirects are applied earlier than the allow rules. So if you have them both, the allow rule is not needed.
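The redirect described in the post above, written out as an added example (not from the thread and not from OpenWrt's own documentation): one `config redirect` section in /etc/config/firewall plus an extra https-dns-proxy instance so the proxy is actually reachable at the router's guest-side address. Assumptions: the guest zone is the one named `rent` in this thread and the router's address on it is 10.0.0.1; the extra instance and its port 5055 are mine; the option names are those of the https-dns-proxy package.

```uci
# /etc/config/firewall, added example: DNAT every DNS query from the guest
# zone (named "rent" in the thread) to the DoH proxy on the router itself.
# No dest_ip is given, so fw4 redirects to the address of the interface the
# query arrived on (10.0.0.1 here). Redirects are evaluated before the zone's
# accept rules, so the separate "allow DNS from guest" rule can be dropped.
config redirect
	option name 'rent-DNS-to-DoH'
	option src 'rent'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '5055'
	option target 'DNAT'

# /etc/config/https-dns-proxy, added example: the stock instances bind to
# 127.0.0.1:5053/5054, which a DNAT arriving on another interface does not
# reach, so a third instance (port 5055 is an assumption) is bound to the
# router's guest-side address. The 127.0.0.1 instances stay for dnsmasq.
config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	option resolver_url 'https://cloudflare-dns.com/dns-query'
	option listen_addr '10.0.0.1'
	option listen_port '5055'
```

After `/etc/init.d/https-dns-proxy restart` and `/etc/init.d/firewall restart`, a guest client reaches the proxy whatever DNS server it has configured, and since dnsmasq is never consulted, names under the local lan domain are not resolved for it.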
Thanks for the clarification. Do you think the redirect rule in the screenshot would work? The DNS proxy listens on localhost:5053, not clear to me if that 5053 would apply to all interfaces.
LuCI is only letting me choose from a dropdown list of static and DHCP lease addresses. I suppose I must defer to UCI if I want to change it to 127.0.0.1.
What do you mean? If I don't change the internal IP, and change the port to 53, wouldn't I be redirecting to 10.0.0.1:53, which is already how clients on the rent zone do DNS?
Oh wow, I completely missed that somehow. Thank you, this is exactly what I wanted to do. Marking your comment as solved, but I'll try it later when I can test and quickly revert if I did mess up somehow.