<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Carlito;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.E-MailFormatvorlage19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>Hi,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>I think you should have 2 DNSMASQ instances running, one for each interface. So each one only registers its own known DHCP clients (I assume the DHCP is also different for both subnets) and also returns them. You just need to make DNSMASQ bind to the interfaces directly (see the bind-interfaces option).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'>Uwe<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><p class=MsoNormal>-----<o:p></o:p></p><p class=MsoNormal>Uwe Schindler<o:p></o:p></p><p class=MsoNormal>Achterdiek 19, D-28357 Bremen<o:p></o:p></p><p class=MsoNormal><a href="https://www.thetaphi.de"><span style='color:blue'>https://www.thetaphi.de</span></a><o:p></o:p></p><p class=MsoNormal>eMail: uwe@thetaphi.de<o:p></o:p></p></div><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> Dnsmasq-discuss &lt;dnsmasq-discuss-bounces@lists.thekelleys.org.uk&gt; <b>On Behalf Of </b>Koos Pol<br><b>Sent:</b> Saturday, December 21, 2019 9:11 AM<br><b>To:</b> dnsmasq-discuss@lists.thekelleys.org.uk<br><b>Subject:</b> [Dnsmasq-discuss] How to prevent LAN DNS for remote guests<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'><span 
style='font-family:"Carlito",serif'>Hi,<br><br>I'm setting up my openwrt modem as an internet gateway for remote guests.<br>The modem is running openvpn and dnsmasq.<br>The guests arrive at their own interface (tun1 = openvpn) with a different subnet. Guest > LAN forwarding is disabled in the firewall for security reasons.<br>However, once the guests have connected, dnsmasq will resolve the LAN for them. Although guests won't be able to connect to anything on the LAN (forwarding is off) they are still able to go on a fishing expedition thanks to DNS. I don't want to turn off DNS completely. So </span><code><span style='font-size:10.0pt'>--except-interface=tun1</span></code><span style='font-family:"Carlito",serif'> is not an option. <br>So, for anything connecting to tun1, how can I enable DNS resolving the internet space, while preventing resolving my LAN?<br><br>Thanks!<br>Koos</span><o:p></o:p></p></div></div></body></html>