[Dnsmasq-discuss] How to prevent LAN DNS for remote guests

Koos Pol koos2019 at pohw.nl
Sun Dec 22 19:58:59 GMT 2019

That actually makes a lot of sense. I'll see if I can make that work.
Thanks for the suggestion!


On 22-12-2019 at 16:35, Uwe Schindler wrote:
> Hi,
> I think you should have 2 DNSMASQ instances running, one for each 
> interface. So each one only registers their own known DHCP clients (I 
> assume the DHCP is also different for both subnets) and also returns 
> them. You just need to make DNSMASQ bind to the interfaces directly 
> (see the bind-interfaces option).
> Uwe
> -----
> Uwe Schindler
> Achterdiek 19, D-28357 Bremen
> https://www.thetaphi.de
> eMail: uwe at thetaphi.de
> *From:* Dnsmasq-discuss 
> <dnsmasq-discuss-bounces at lists.thekelleys.org.uk> *On Behalf Of *Koos Pol
> *Sent:* Saturday, December 21, 2019 9:11 AM
> *To:* dnsmasq-discuss at lists.thekelleys.org.uk
> *Subject:* [Dnsmasq-discuss] How to prevent LAN DNS for remote guests
> Hi,
> I'm setting up my openwrt modem as an internet gateway for remote guests.
> The modem is running openvpn and dnsmasq.
> The guests arrive at their own interface (tun1 = openvpn) with a 
> different subnet. Guest > LAN forwarding is disabled in the firewall 
> for security reasons.
> However, once the guests have connected, dnsmasq will resolve the LAN 
> for them. Although guests won't be able to connect to anything on the 
> LAN (forwarding is off) they are still able to go on a fishing 
> expedition thanks to DNS. I don't want to turn off DNS completely. So 
> --except-interface=tun1 is not an option.
> So, for anything connecting to tun1, how can I enable DNS resolving 
> the internet space, while preventing resolving my LAN?
> Thanks!
> Koos
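
The two-instance setup suggested in the reply, sketched as a pair of dnsmasq configuration files. This is an added example, not part of the original thread or of the dnsmasq project; the file paths, the LAN interface name br-lan, the address range and the upstream resolver 192.0.2.53 are assumptions (only tun1 comes from the post).

```conf
# Added example; paths, br-lan, the DHCP range and 192.0.2.53 are assumptions.

# ---- /etc/dnsmasq-lan.conf (hypothetical path): trusted LAN instance ----
interface=br-lan            # assumed name of the LAN bridge
bind-interfaces             # bind to this interface's addresses, not the wildcard
pid-file=/var/run/dnsmasq-lan.pid
domain=lan
local=/lan/                 # answer .lan locally, never forward it
expand-hosts
dhcp-range=192.168.1.100,192.168.1.200,12h   # constructed LAN range

# ---- /etc/dnsmasq-guest.conf (hypothetical path): VPN guest instance ----
interface=tun1              # guest OpenVPN interface from the post
# dnsmasq adds loopback automatically when interface= is used; the LAN
# instance already holds 127.0.0.1:53, so exclude it here to avoid a clash.
except-interface=lo
bind-interfaces
pid-file=/var/run/dnsmasq-guest.pid
no-hosts                    # do not serve names from /etc/hosts
no-resolv                   # ignore /etc/resolv.conf, which may point at the LAN instance
server=192.0.2.53           # placeholder: an upstream resolver outside the LAN
bogus-priv                  # private-range reverse lookups get NXDOMAIN, not forwarded
# No dhcp-range: this instance runs no DHCP, so it holds no LAN lease names.
```

Each instance is started with its own file, for example `dnsmasq --conf-file=/etc/dnsmasq-guest.conf`. bind-interfaces only separates the listening sockets: the router will still accept a query from tun1 addressed to its LAN-side IP unless the firewall's input rules drop port 53 there, so that rule is needed alongside the existing forwarding block.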
