[Dnsmasq-discuss] dnsmasq forwarding queries over VPN/IPSec

Simon Kelley simon at thekelleys.org.uk
Mon Sep 28 16:30:51 BST 2009

Ken Bantoft wrote:
> On 28-Sep-09, at 11:12 AM, Simon Kelley wrote:
>> Ken Bantoft wrote:
>>> On 28-Sep-09, at 11:03 AM, Simon Kelley wrote:
>>>> Ken Bantoft wrote:
>>>>> Hi,
>>>>> I've run into a case where I'd like dnsmasq to forward queries over 
>>>>> an  IPSec VPN tunnel to nameservers on the far side, but this 
>>>>> doesn't seem  to work as expected.
>>>>> I've got 2 Interfaces - br-lan ( and ppp0 (PPPoE -  
>>>>> 216.x.x.x).  IPsec is terminated on the same machine, so it has a  
>>>>> tunnel from to
>>>>> dnsmasq is set to forward all queries to 10.x.x.10 and 10.x.y.10  
>>>>> nameservers, which are across the tunnel in the datacenter.  What 
>>>>> I'm  seeing with tcpdump is the requests going out the ppp0 
>>>>> interface, with  the 216.x.x.x IP address.  I've tried a variety of 
>>>>> options (bind- interfaces, listen-address), as I really want 
>>>>> dnsmasq to bind only to  the br-lan interface, and use that address 
>>>>> as the Source IP for the  forwarded queries, but no combination 
>>>>> I've tried does the trick.
>>>>> Any suggestions?
>>>> Stop dnsmasq from looking for servers in /etc/resolv.conf with
>>>> no-resolv
>>>> in /etc/dnsmasq.conf and then specify them using "server=" lines in 
>>>> /etc/dnsmasq.conf like this
>>>> server=10.x.x.10 at br-lan
>>>> server=10.x.y.10 at br-lan
>>>> We've been here before....
>>> That was my 1st step... so I do see it sending the requests to 
>>> 10.x.x.10 and 10.x.y.10 as expected - just out the wrong interface...
>>> Ken
>> If this a routing problem? Dnsmasq can control the source address of 
>> the packets, and the destination address is straightforward, but it 
>> can't control how the kernel routes the packets: do you have a route  
>> to via the tunnel?
> No route - it's Linux Kernel netkey IPsec stack, so no nice ipsec0 
> interface - it's all done with the ip xfrm policies... which might be 
> causing some grief, but it's difficult to tell.  Any debugging options 
> for dnsmasq to have it printout the packets before it puts them on a wire?
Oh, you're well outside my comfort zone now. No debugging options, but 
strace might help - you can see the system calls that send the packets. 
You can set the source address for packets with something like:

server=10.x.x.10 at, that might work where binding to an 
interface doesn't.



More information about the Dnsmasq-discuss mailing list