<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks - that's actually what I am currently doing - using this
to hijack DNS traffic on my other vlan (with nftables, though).
Still, it would be ideal to have dnsmasq allow not listening for
DNS on certain interfaces.<br>
</p>
<div class="moz-cite-prefix">On 2023/4/21 2:58 AM, Uwe Schindler wrote:<br>
</div>
<blockquote type="cite"
cite="mid:31b0d548-40bf-dea8-f123-4645ac3fbf32@thetaphi.de">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>Hi,</p>
<p>as a workaround you can do something like this:</p>
<p>Let the alternative DNS server run on another port, like 1053.
Then for all vlan interfaces that should use the alternative
server include a PREROUTING iptables rule to redirect the port
just on those interfaces to port 1053. DNS will announce itself
on the DHCP, but as the packets get redirected before they reach
dnsmasq, the alternative server takes over.</p>
<p>This will redirect port 53 on interface "<code>vlanintf</code>"
to port 1053 on the same interface for UDP and TCP (some DNS packets
go via TCP, too). It has rules for both IPv6 and IPv4:<br>
</p>
<pre><code>iptables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
iptables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
ip6tables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
ip6tables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
</code></pre>
<p>Hope that helps,<br>
Uwe</p>
<div class="moz-cite-prefix">On 21.04.2023 at 03:18, Tony Zhou wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1ad8f011-019f-938d-ba93-df9af42ed382@gmail.com">Hi, <br>
<br>
I am running dnsmasq 2.86 on openwrt, and have multiple vlans in
my network. dnsmasq works great for dhcp purposes (for both
dynamic and static leases) that I need for all interfaces/vlans.
However, some of the vlans I do not need/want to have dnsmasq
providing dns, but another dns server for content filtering
purposes. <br>
<br>
I'd prefer to keep both dns servers on the same host/router, but
the way dnsmasq works, either binding to interfaces, or
wildcard, binds to all port 53, so that the 2nd dns server can't
bind. <br>
<br>
It appears that when dnsmasq is set to bind to interfaces, it
has to either offer both dns and dhcp, or skip dhcp by
"--no-dhcp-interface" argument, but there is no counterpart
"--no-dns-interface". <br>
<br>
Setting port=0 disables DNS service on all interfaces, which is
not what I want either. <br>
<br>
I did find there were two discussions regarding this: <br>
<br>
<a class="moz-txt-link-freetext"
href="https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q4/005335.html"
moz-do-not-send="true">https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q4/005335.html</a>
<br>
<br>
<a class="moz-txt-link-freetext"
href="https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015429.html"
moz-do-not-send="true">https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015429.html</a>
<br>
<br>
Running two instances of dnsmasq doesn't resolve this issue,
since I still rely on dnsmasq's dhcp. <br>
<br>
<br>
Thanks. <br>
<br>
<br>
<br>
_______________________________________________ <br>
Dnsmasq-discuss mailing list <br>
<a class="moz-txt-link-abbreviated moz-txt-link-freetext"
href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk"
moz-do-not-send="true">Dnsmasq-discuss@lists.thekelleys.org.uk</a>
<br>
<a class="moz-txt-link-freetext"
href="https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss"
moz-do-not-send="true">https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss</a>
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Uwe Schindler
Achterdiek 19, D-28357 Bremen
<a class="moz-txt-link-freetext" href="https://www.thetaphi.de" moz-do-not-send="true">https://www.thetaphi.de</a>
eMail: <a class="moz-txt-link-abbreviated moz-txt-link-freetext" href="mailto:uwe@thetaphi.de" moz-do-not-send="true">uwe@thetaphi.de</a></pre>
</blockquote>
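<p>As an added example (not code from any message in this thread), the script below generates the nftables form of the iptables/ip6tables REDIRECT workaround above, which is the variant Tony says he is running, and adds the check a defender would want: that an existing ruleset dump really covers both UDP and TCP port 53 on the interface, since a missing TCP rule lets truncated-answer retries reach dnsmasq directly and bypass the filtering server. The table name <code>dnsredir</code>, the interface name <code>vlan10</code> and the sample ruleset are assumptions constructed for the example; port 1053 is the alternative port used in the thread.</p>

```shell
#!/bin/sh
# Added example (not code from this thread): nftables form of the port-53
# REDIRECT workaround, plus a coverage check on a ruleset dump.
# Assumptions: table name "dnsredir", interface "vlan10" and SAMPLE_RULESET
# are constructed; port 1053 is the alternative port from the thread.

# Print nft commands that redirect port 53 (UDP and TCP) arriving on
# interface $1 to local port $2. The "inet" family matches both IPv4 and
# IPv6, so two rules replace the four iptables/ip6tables rules.
dns_redirect_nft() {
    ifname=$1
    port=$2
    # Reject anything that is not a plain interface name or a port number,
    # since both values are interpolated into commands fed to nft.
    case "$ifname" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid interface name: $ifname" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    cat <<EOF
add table inet dnsredir
add chain inet dnsredir prerouting { type nat hook prerouting priority -100; policy accept; }
add rule inet dnsredir prerouting iifname "$ifname" udp dport 53 redirect to :$port
add rule inet dnsredir prerouting iifname "$ifname" tcp dport 53 redirect to :$port
EOF
}

# Check a ruleset dump ($1, e.g. the output of "nft list ruleset") for the
# UDP and TCP port-53 redirects to port $3 on interface $2. Returns 0 when
# both are present, 1 otherwise, naming the missing protocol(s) on stderr.
# Without the TCP rule, clients that retry over TCP after a truncated UDP
# answer reach dnsmasq on port 53 and skip the filtering server.
dns_redirect_check() {
    dump=$1
    ifname=$2
    port=$3
    missing=""
    for proto in udp tcp; do
        printf '%s\n' "$dump" | grep -Fq "iifname \"$ifname\" $proto dport 53 redirect to :$port" \
            || missing="$missing $proto"
    done
    if [ -n "$missing" ]; then
        echo "no port-53 redirect on $ifname for:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of "nft list ruleset" output that has only the UDP
# rule, so the check reports the missing TCP rule.
SAMPLE_RULESET='table inet dnsredir {
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
		iifname "vlan10" udp dport 53 redirect to :1053
	}
}'

# Usage: print the rules for vlan10, then audit the incomplete sample.
dns_redirect_nft vlan10 1053
dns_redirect_check "$SAMPLE_RULESET" vlan10 1053 || true
```

<p>The generated commands can be piped into <code>nft -f -</code> on the router; the check function is meant to run against <code>nft list ruleset</code> output after a reboot or firewall reload, which is when such one-off rules tend to disappear.</p>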
</body>
</html>