[Dnsmasq-discuss] DNSMasq, DHCP, Shorewall, and Proxy Arp

Steve H. steve at csquaredtech.com
Mon Feb 4 22:49:46 GMT 2008


On Monday 04 February 2008 05:41:35 am richardvoigt at gmail.com wrote:
>
> You haven't done anything different in the dnsmasq configuration from
> someone using relay agents, which is by far the more common scenario,
> and which requires that same validation.
>
Again, I just don't understand _why_ that validation is _required_.  At a 
certain point, isn't 'because the user took a number of steps to make me do 
this' a good enough reason (i.e. 'give the user enough rope to hang 
themselves')?  I have explicitly allowed DHCP on an interface, I have 
explicitly configured a range I'd like DNSMasq to serve, and I have 
explicitly set an IP address for the client (via /etc/hosts).  It just 
seems like that should be enough to convince dnsmasq that I really _want_ 
this.

>
> Most people in your situation (wanting some nodes on internal networks
> to not use up public addresses) choose to use static 1:1 NAT, which
> dnsmasq, iptables, routing would support out of the box.  You've
> already played so many tricks with the routing that it'd be hard to see
> how you're going to make things work without either more and more
> tricks, or else ripping up the entire configuration and using a
> straightforward, well-supported networking design in its place.
>

Actually, I'm doing the opposite.  Internal nodes _ARE_ using up public 
addresses (which is what I want).  From what I've read, static NAT would 
require more network voodoo in this scenario than proxy ARP.  For instance, 
my _internal_ network is a perfectly normal routed network with 1 IP per 
machine.  The IP on the machine matches the 'public' IP address the rest 
of the world sees.  I don't have to maintain 'internal' and 'external' names, 
nor do I have to worry about keeping 2 sets of zone files in sync.  DNSMasq, 
iptables, and routing work 'out of the box' - heck, that's what the network is 
built on (and has been for over a year).  I don't see how my existing setup 
can be any more 'straightforward' or 'well supported' - each client gets 1 
route to the gateway network, and a default route through the firewall.  That's 
pretty simple to me.  Static NAT just seems to require more housekeeping.

Finally, the issues I'm having with DNSMasq are _due_ to DNSMasq.  They are 
a 'feature' - it's not a problem with my routing or my network.  
DNSMasq 'sees' the DHCP requests from all the clients - it just decides it 
shouldn't touch them.  This is a perfectly valid design decision, but it is 
_not_ due to 'tricks' or 'problems' with my network setup.  Mr. Kelley simply 
decided DNSMasq should be conservative, and provide as many safeguards as 
possible.

Anyway, trying to bring this conversation back on topic.  If I have 4 subnets 
configured to relay DHCP requests to 1 interface with DNSMasq bound to it, 
does that interface require an IP address from all 4 subnets? (i.e. will I 
have the same problem with DHCP relays?)

Steve
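As an added illustration of the validation the exchange above argues about (this is example code written for this page, not code from the thread or from dnsmasq itself), here is a small Python model of a DHCP server that ties each request to a subnet, either through the receiving interface's own addresses or, for a relayed request, through the relay agent's giaddr, and hands out a dhcp-range only when that range lies inside such a subnet. The address blocks are constructed examples, and the rule is a simplified model of the behaviour the poster describes, not a statement of how dnsmasq implements it.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed sample setup (assumption, not the poster's real addresses):
# the DHCP interface sits on the gateway network, while the clients live in a
# separate, publicly routed block that is reached via proxy ARP.
GATEWAY_IFACE_ADDRS = ["192.0.2.1/24"]        # address(es) on the DHCP interface
CLIENT_DHCP_RANGES = ["198.51.100.0/24"]       # dhcp-range(s) offered to clients

def usable_range(giaddr, iface_addrs=GATEWAY_IFACE_ADDRS, dhcp_ranges=CLIENT_DHCP_RANGES):
    """Return the dhcp-range (as a string) this request may be served from, or None.

    Model of the subnet check under discussion:
      * a request that arrived directly (giaddr 0.0.0.0) is tied to the
        networks of the receiving interface's own addresses;
      * a request forwarded by a relay agent is tied to the network that
        contains the relay's giaddr, so the interface itself needs no
        address in that network.
    A range is only handed out when it lies inside the network the request
    was tied to; otherwise the server declines, which is the 'feature' the
    poster hits when the range is not on the interface's own subnet.
    """
    giaddr = ip_address(giaddr)
    ranges = [ip_network(r) for r in dhcp_ranges]

    if giaddr == ip_address("0.0.0.0"):
        # Direct request: candidate networks come from the interface addresses.
        candidate_nets = [ip_interface(a).network for a in iface_addrs]
    else:
        # Relayed request: the giaddr itself identifies the client network.
        candidate_nets = [r for r in ranges if giaddr in r]

    for rng in ranges:
        if any(rng.subnet_of(net) for net in candidate_nets):
            return str(rng)
    return None

def proxy_arp_case():
    """Direct request on the gateway interface: declined (range not on that subnet)."""
    return usable_range("0.0.0.0")

def relay_case():
    """Relayed request with giaddr in the client block: served, no extra interface address needed."""
    return usable_range("198.51.100.1")

def extra_address_case():
    """Direct request after giving the interface an address in the client block: served."""
    return usable_range("0.0.0.0", iface_addrs=GATEWAY_IFACE_ADDRS + ["198.51.100.1/24"])
```

Under this model the proxy-ARP case fails only because the direct request cannot be tied to the client block; the same range is served as soon as either a relay supplies a giaddr in it or the interface carries an address in it.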