[Dnsmasq-discuss] stop hostnames from "leaking" between ip ranges

Christoffer Gurell christoffer.gurell at gmail.com
Mon Aug 10 17:58:06 BST 2015

On Mon, Aug 10, 2015 at 5:46 PM, Carlos Carvalho <carlos at fisica.ufpr.br> wrote:
> Christoffer Gurell (christoffer.gurell at gmail.com) wrote on Mon, Aug 10, 2015 at 09:11:49AM BRT:
>> I am trying to use one machine as a firewall for multiple 192.168.x.x
>> ip ranges that should not be aware of each other. I have the following
>> config:
>> domain-needed
>> server=
>> expand-hosts
>> domain=apa # never used but needed for dhcp-fqdn to not give an error
>> dhcp-fqdn
>> domain=foo.com,,local
>> domain=bar.com,,local
>> localise-queries
>> dhcp-range=,,12h
>> dhcp-range=,,12h
>> This seems to work. I get two IP ranges on different ethernet devices.
>> Clients get an IP and can do DNS lookups. Clients can also have the same
>> hostname, as they will be added with the FQDN (foo.com or bar.com).
>> So far so good. The only issue I have is that hosts on one net can do
>> DNS lookups for names on the other.
>> For example, a host with name host1.foo.com with ip can
>> do lookups and get the IP/hostname of host1.bar.com or
>> Is there any way I can prevent this?
> I don't think so.


>> I need the ip ranges to be isolated and not leak names between the different
>> nets. I need it to work as if I had two firewalls, one for each ip range
>> running an instance of dnsmasq on each.
> You can run 2 dnsmasq instances, with separate configurations and
> bind-interfaces so that each instance only listens on one interface. Not the
> most elegant solution but effective because dnsmasq configs are so easy to
> keep/build. Currently I do this for split-horizon: one instance does all
> internal dns, another instance only listens on the external interface and only
> publishes the external IPs. The zone-publish instance is compiled with all
> unneeded features removed, so the binary is very small and doesn't use any
> library except libc6.

Yes. Running two instances would work, but this is a really messy
solution, especially since I am setting this up for an office "hotel"
where each room contains a different company that needs internet but
needs to be isolated from the other customers. I would have to run A
LOT of dnsmasq instances :(
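As an added example (not code from this thread or from the dnsmasq project): the per-interface configuration that the suggested two-instance approach needs, generated by a POSIX shell script so that each additional isolated segment is one more line in a table rather than a hand-written file. Each instance binds to a single interface with bind-interfaces, treats only its own domain as local, keeps its own lease file and pid file, and does not publish the firewall's /etc/hosts. Interface names (eth1, eth2), domains and address ranges are constructed sample values; the lease and pid file locations are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one dnsmasq instance per isolated
# segment, each bound to a single interface with its own domain, DHCP range,
# lease file and pid file. Interface names, domains and address ranges are
# constructed sample values; file locations are assumptions.
set -eu

# gen_dnsmasq_conf IFACE DOMAIN RANGE_START RANGE_END OUTDIR
# Writes OUTDIR/dnsmasq-IFACE.conf and prints its path.
gen_dnsmasq_conf() {
    iface=$1; domain=$2; start=$3; end=$4; outdir=$5
    conf="$outdir/dnsmasq-$iface.conf"
    cat >"$conf" <<EOF
# dnsmasq instance for $iface ($domain)
# Listen only on this interface. interface= implicitly adds lo, so exclude
# it, or every instance would try to bind port 53 on loopback.
bind-interfaces
interface=$iface
except-interface=lo
domain-needed
bogus-priv
# Do not publish the firewall's own /etc/hosts to this segment.
no-hosts
# DHCP-registered names get this domain; never forward it upstream.
domain=$domain
expand-hosts
local=/$domain/
dhcp-fqdn
dhcp-range=$start,$end,12h
# Per-instance state, so no instance ever reads another one's leases.
dhcp-leasefile=/var/lib/misc/dnsmasq-$iface.leases
pid-file=/run/dnsmasq-$iface.pid
# Add the upstream resolver for this segment here, e.g. server=<upstream-ip>
EOF
    printf '%s\n' "$conf"
}

# launch_instances OUTDIR: start one dnsmasq per generated file (needs root).
launch_instances() {
    for conf in "$1"/dnsmasq-*.conf; do
        dnsmasq --conf-file="$conf"
    done
}

# Segment table, one line per isolated office: "iface domain start end".
SEGMENTS='eth1 foo.com 192.168.1.50 192.168.1.150
eth2 bar.com 192.168.2.50 192.168.2.150'

OUTDIR=${OUTDIR:-$(mktemp -d)}
printf '%s\n' "$SEGMENTS" | while read -r iface domain start end; do
    gen_dnsmasq_conf "$iface" "$domain" "$start" "$end" "$OUTDIR"
done
# Then, as root: launch_instances "$OUTDIR"
```

Because each instance only ever learns the DHCP names on its own interface, host1.foo.com is simply unknown to the instance serving bar.com. Two caveats: the firewall must have an address inside each range on the matching interface for the dhcp-range to be served, and name isolation is only as good as the packet filtering around it; clients on one segment must also be blocked from sending DNS or DHCP traffic to the firewall's address on another segment.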
