[Dnsmasq-discuss] stop hostnames from "leaking" between ip ranges

Christoffer Gurell christoffer.gurell at gmail.com
Mon Aug 10 17:58:06 BST 2015


On Mon, Aug 10, 2015 at 5:46 PM, Carlos Carvalho <carlos at fisica.ufpr.br> wrote:
> Christoffer Gurell (christoffer.gurell at gmail.com) wrote on Mon, Aug 10, 2015 at 09:11:49AM BRT:
>> I am trying to use one machine as a firewall for multiple 192.168.x.x
>> ip ranges that should not be aware of each other. I have the following
>> config:
>>
>> domain-needed
>> server=8.8.8.8
>> expand-hosts
>> domain=apa # never used but needed for dhcp-fqdn to not give an error
>> dhcp-fqdn
>> domain=foo.com,192.168.100.0/24,local
>> domain=bar.com,192.168.101.0/24,local
>> localise-queries
>> dhcp-range=192.168.100.50,192.168.100.250,12h
>> dhcp-range=192.168.101.50,192.168.101.250,12h
>>
>> This seems to work. I get two ip ranges on different ethernet devices.
>> Clients get IPs and can do DNS lookups. Clients can also have the same
>> hostname as they will be added with the FQDN (foo.com or bar.com).
>>
>> So far so good. The only issue I have is that hosts on one net can do
>> DNS lookups with names on the other.
>> For example, a host with name host1.foo.com and IP 192.168.100.100 can
>> do lookups and get the IP/hostname of host1.bar.com or 192.168.101.100.
>>
>> Is there any way I can prevent this?
>
> I don't think so.

Bummer!

>
>> I need the ip ranges to be isolated and not leak names between the different
>> nets. I need it to work as if I had two firewalls, one for each ip range
>> running an instance of dnsmasq on each.
>
> You can run 2 dnsmasq instances, with separate configurations and
> bind-interfaces so that each instance only listens on one interface. Not the
> most elegant solution but effective because dnsmasq configs are so easy to
> keep/build. Currently I do this for split-horizon: one instance does all
> internal dns, another instance only listens on the external interface and only
> publishes the external IPs. The zone-publish instance is compiled with all
> unneeded features removed, so the binary is very small and doesn't use any
> library except libc6.

Yes. Running two instances would work but this is a really messy
solution. Especially since I am setting this up for an office "hotel"
where each room contains a different company that needs internet but
needs to be isolated from the other customers. I would have to run A
LOT of dnsmasq instances :(
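The per-interface instance approach Carlos describes, written up as an added example that is not from this thread: a POSIX sh helper that emits one self-contained dnsmasq config per tenant interface, so each instance binds only to its own interface and keeps its own lease and PID files. The interface names, tenant list and file paths are assumptions.

```shell
#!/bin/sh
# Emit a dnsmasq configuration for one isolated tenant network.
# Usage: gen_dnsmasq_conf <iface> <first-three-octets> <domain>
# Assumed paths; adjust to the distribution's layout.
gen_dnsmasq_conf() {
    iface="$1"; net="$2"; dom="$3"
    cat <<EOF
# dnsmasq instance for ${dom}, listening on ${iface} only
interface=${iface}
# dnsmasq adds lo automatically when interface= is used; exclude it so
# several instances do not all try to bind 127.0.0.1:53
except-interface=lo
# bind the interface addresses rather than the wildcard, so instances coexist
bind-interfaces
# per-instance state: never share leases or PIDs between tenants
pid-file=/run/dnsmasq-${dom}.pid
dhcp-leasefile=/var/lib/misc/dnsmasq-${dom}.leases
domain-needed
bogus-priv
server=8.8.8.8
expand-hosts
domain=${dom}
dhcp-fqdn
localise-queries
# do not hand the firewall's own /etc/hosts entries to tenants
no-hosts
dhcp-range=${net}.50,${net}.250,12h
EOF
}

# Count how many interface= lines a generated config carries; an isolated
# instance must have exactly one.
interface_count() {
    gen_dnsmasq_conf "$1" "$2" "$3" | grep -c '^interface='
}

# Constructed tenant list (iface, /24 prefix, domain), one per line.
TENANTS="eth1 192.168.100 foo.com
eth2 192.168.101 bar.com"

# Print each tenant's config to stdout; redirect per tenant in real use,
# e.g. > /etc/dnsmasq.d/<domain>.conf and start one dnsmasq -C per file.
echo "$TENANTS" | while read -r iface net dom; do
    gen_dnsmasq_conf "$iface" "$net" "$dom"
    echo
done
```

Each instance is then started with its own `--conf-file`; because every config names a different interface and state file, the tenants never see each other's leases or names.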
