[Dnsmasq-discuss] stop hostnames from "leaking" between ip ranges

Carlos Carvalho carlos at fisica.ufpr.br
Mon Aug 10 16:46:32 BST 2015

Christoffer Gurell (christoffer.gurell at gmail.com) wrote on Mon, Aug 10, 2015 at 09:11:49AM BRT:
> I am trying to use one machine as a firewall for multiple 192.168.x.x
> ip ranges that should not be aware of each other. I have the following
> config:
> domain-needed
> server=
> expand-hosts
> domain=apa # never used but needed for dhcp-fqdn to not give an error
> dhcp-fqdn
> domain=foo.com,,local
> domain=bar.com,,local
> localise-queries
> dhcp-range=,,12h
> dhcp-range=,,12h
> This seems to work. I get two ip ranges on different ethernet devices.
> clients get ip and can do dns lookups. client can also have the same
> hostname as they will be added with the fqdn (foo.com or bar.com).
> So far so good. The only issue I have is that hosts on one net can do
> dns lookups with names on the other.
> For example. host with name host1.foo.com with ip can
> do lookups and get ip/hostname of host1.bar.com or
> Is there any way i can prevent this?

I don't think so.

> I need the ip ranges to be isolated and not leak names between the different
> nets. I need it to work as if I had two firewalls, one for each ip range
> running an instance of dnsmasq on each.

You can run 2 dnsmasq instances, with separate configurations and
bind-interfaces so that each instance only listens on one interface. Not the
most elegant solution but effective because dnsmasq configs are so easy to
keep/build. Currently I do this for split-horizon: one instance does all
internal dns, another instance only listens on the external interface and only
publishes the external IPs. The zone-publish instance is compiled with all
unneeded features removed, so the binary is very small and doesn't use any
library except libc6.
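A concrete pair of configurations for the two-instance approach described above, added here as an example and not part of Carlos's or Christoffer's posts. The interface names (eth1, eth2), the address ranges, the file paths and the upstream resolver address are all assumptions; the original addresses were stripped from the archived message. Each instance binds to one interface only, keeps its own lease and pid file, and answers its own domain locally while refusing to forward the other segment's domain upstream, so a foo.com client asking for host1.bar.com gets NXDOMAIN from its own instance rather than a lease from the other segment.

```conf
# /etc/dnsmasq-foo.conf : instance for the foo.com segment on eth1 (assumed)
# Start with: dnsmasq --conf-file=/etc/dnsmasq-foo.conf
bind-interfaces
interface=eth1
# dnsmasq adds loopback automatically when interface= is used; drop it so
# the two instances do not both try to bind 127.0.0.1:53
except-interface=lo
pid-file=/run/dnsmasq-foo.pid
dhcp-leasefile=/var/lib/misc/dnsmasq-foo.leases
domain-needed
bogus-priv
no-resolv
server=203.0.113.53          # assumed upstream resolver
expand-hosts
domain=foo.com               # single domain per instance, so dhcp-fqdn needs no dummy domain
dhcp-fqdn
dhcp-range=192.168.1.100,192.168.1.200,12h   # assumed range
local=/foo.com/              # answer from this instance's leases only, never forward
local=/bar.com/              # this instance holds no bar.com names: NXDOMAIN, not forwarded

# /etc/dnsmasq-bar.conf : instance for the bar.com segment on eth2 (assumed)
# Start with: dnsmasq --conf-file=/etc/dnsmasq-bar.conf
bind-interfaces
interface=eth2
except-interface=lo
pid-file=/run/dnsmasq-bar.pid
dhcp-leasefile=/var/lib/misc/dnsmasq-bar.leases
domain-needed
bogus-priv
no-resolv
server=203.0.113.53          # assumed upstream resolver
expand-hosts
domain=bar.com
dhcp-fqdn
dhcp-range=192.168.2.100,192.168.2.200,12h   # assumed range
local=/bar.com/
local=/foo.com/              # mirror of the rule above: foo.com is invisible from this segment
```

The separate dhcp-leasefile lines are what actually keep the names apart: the foo instance never reads the bar leases, so there is nothing to leak even before the local=/bar.com/ rule turns the query into NXDOMAIN. Note that this only isolates DNS; whether hosts on eth1 can reach addresses on eth2 directly is a matter of the firewall's forwarding rules, not of dnsmasq.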
