[Dnsmasq-discuss] DNS Upstream routing

Petr Menšík pemensik at redhat.com
Tue Mar 8 16:25:32 UTC 2022


Hi Ian,

I think you can do this by turning off resolv.conf parsing (--no-resolv)
and using --servers=1.1.1.1@vpn0 --servers=1.0.0.1@vpn0 explicitly. That
might work if outgoing packets are properly NATed or accepted as they
are. Replace vpn0 with the interface name of wireguard.

An alternative might be adding a route for just those resolvers. Something like:

ip route add 1.0.0.0/8 via $WIREGW

Though it is just a runtime change; I don't know the correct change. $WIREGW
would be the same remote IP on the gw, used by the configured IP range on
the VPN.

It should be noted that such traffic is very similar to DNS over TLS/HTTPS.
It would hide DNS queries, but even HTTPS traffic usually leaks domain
names in unencrypted certificate parts. It may not work enough. I would
use VPN for all traffic if privacy should be achieved. Securing DNS
only is rarely sufficient.

Just my 2 cents.

Cheers,

Petr

On 3/7/22 16:26, Ian Bonham wrote:
> Hi Everyone,
>
> I can't thank you enough for the work on DNSMASQ, it's an utterly
> brilliant piece of software. I'm amazed at the flexibility it gives me
> in securing my home network, thank you all who put in so much effort.
>
> Gushing aside, I'm stuck on one config I can't figure out though, so I
> wonder if anyone could advise please? My server is routing everything
> perfectly, and DNSMASQ is sitting there diligently dealing with DHCP
> and DNS, and I have DNSSEC enabled for upstream requests (off to
> 1.1.1.1 or 1.0.0.1). However I'd quite like to route the upstream DNS
> requests over a Wireguard VPN, which is on another interface. 
>
> Is there a way to tell DNSMASQ to do its upstream DNS requests over
> an alternative interface, rather than the standard (unencrypted)
> interface? Once the data are cached in DNSMASQ internally it's fine,
> that's on my internal network and the clients query it. It's the
> upstream requests I'm interested in routing privately over my VPN.
>
> Any advice? Many thanks,
>
> Bon
>
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
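The configuration suggested in the reply above, worked through as an added example (this is not code from the thread or from the dnsmasq project): it emits the dnsmasq fragment using the `server=IP@interface` form, emits per-resolver host routes, and includes a check that the kernel's chosen egress device for a resolver really is the tunnel. Assumptions: the WireGuard interface is named `wg0`, the resolvers are the 1.1.1.1/1.0.0.1 pair from the thread, the peer's AllowedIPs already cover those addresses, and routes are narrowed to /32 rather than the whole 1.0.0.0/8.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the dnsmasq project.
# Assumed values: WireGuard interface wg0, resolvers 1.1.1.1 and 1.0.0.1.
WG_IF="${WG_IF:-wg0}"
RESOLVERS="${RESOLVERS:-1.1.1.1 1.0.0.1}"

# dnsmasq.conf lines: stop reading /etc/resolv.conf so no query falls back to
# the ISP resolver, and bind each upstream to the tunnel interface
# (dnsmasq's server=IP@interface form; Linux only). Existing dnssec /
# trust-anchor lines stay as they are.
dnsmasq_upstream_conf() {
    printf 'no-resolv\n'
    for r in $RESOLVERS; do
        printf 'server=%s@%s\n' "$r" "$WG_IF"
    done
}

# Host routes that force only the resolver addresses onto the tunnel.
# WireGuard interfaces are point-to-point, so a "dev" route is enough;
# the peer's AllowedIPs must still include these addresses (assumed).
resolver_routes() {
    for r in $RESOLVERS; do
        printf 'ip route add %s/32 dev %s\n' "$r" "$WG_IF"
    done
}

# Leak check: given the output of `ip route get <resolver>` in $1, succeed
# only if the selected device is the WireGuard interface.
route_uses_wg() {
    printf '%s\n' "$1" | awk -v want="$WG_IF" '
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == want) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Live check on the router itself (needs iproute2):
#   for r in $RESOLVERS; do
#       route_uses_wg "$(ip route get "$r")" || echo "LEAK: $r not via $WG_IF"
#   done
```

The route check only proves the kernel's forwarding decision; it does not prove dnsmasq bound its sockets to the tunnel, so confirm with a packet capture on the non-VPN interface that no port-53 traffic to the resolvers appears there.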