[Dnsmasq-discuss] DNS Upstream routing
Ian Bonham
bon at ianbonham.co.uk
Tue Mar 15 13:55:04 UTC 2022
Hi folks,
SINCERE apologies for the delayed reply, I got promoted at work and things
have been a bit hectic!
A great idea using IPtables, thanks for the pointer! I should have thought
of that. I get that the DNS returns will be unencrypted, but I just want to
experiment with passing the initial query encrypted. I'm just learning all
this stuff.
Thank you for the pointers though, and again, apologies for such a tardy
reply,
Ian
On Tue, 8 Mar 2022 at 16:51, Petr Menšík <pemensik at redhat.com> wrote:
> Hi Ian,
>
> I think you can do this by turning off resolv.conf parsing (--no-resolv)
> and using --server=1.1.1.1@vpn0 --server=1.0.0.1@vpn0 explicitly. That
> might work if outgoing packets are properly NATed or accepted as they
> are. Replace vpn0 with the interface name of WireGuard.
>
> Alternative might be adding route for just those resolvers. Something like:
>
> ip route add 1.0.0.0/8 via $WIREGW
>
> Though it is just a runtime change, I don't know the correct change. $WIREGW
> would be the same remote IP on the gw, used by the configured IP range on
> the VPN.
>
> It should be noted such traffic is very similar to DNS over TLS/HTTPS.
> It would hide DNS queries, but even HTTPS traffic usually leaks domain
> names in unencrypted certificate parts. It may not work well enough. I would
> use the VPN for all traffic if privacy should be achieved. Securing DNS
> only is rarely sufficient.
>
> Just my 2 cents.
>
> Cheers,
>
> Petr
>
> On 3/7/22 16:26, Ian Bonham wrote:
> > Hi Everyone,
> >
> > I can't thank you enough for the work on DNSMASQ, it's an utterly
> > brilliant piece of software. I'm amazed at the flexibility it gives me
> > in securing my home network, thank you all who put in so much effort.
> >
> > Gushing aside, I'm stuck on one config I can't figure out though, so I
> > wonder if anyone could advise please? My server is routing everything
> > perfectly, and DNSMASQ is sitting there diligently dealing with DHCP
> > and DNS, and I have DNSSEC enabled for upstream requests (off to
> > 1.1.1.1 or 1.0.0.1). However I'd quite like to route the upstream DNS
> > requests over a Wireguard VPN, which is on another interface.
> >
> > Is there a way to tell DNSMASQ to do its upstream DNS requests over
> > an alternative interface, rather than the standard (unencrypted)
> > interface? Once the data are cached in DNSMASQ internally it's fine,
> > that's on my internal network and the clients query it. It's the
> > upstream requests I'm interested in routing privately over my VPN.
> >
> > Any advice? Many thanks,
> >
> > Bon
> >
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>
>
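The setup Petr describes, written out as an added example (this is not code from the thread, from dnsmasq, or from WireGuard): a POSIX shell script that emits the dnsmasq fragment (no-resolv, the two upstreams pinned to the tunnel interface with the ip@interface form of --server, DNSSEC kept on as in Ian's setup), emits host routes for the two resolvers instead of a /8 blanket route, and checks one caveat a practitioner hits here: a WireGuard peer drops outgoing packets whose destination is outside its AllowedIPs, so 1.1.1.1/32 and 1.0.0.1/32 (or 0.0.0.0/0) must be listed on the peer. The interface name wg0, the trust-anchor path, and the output file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions: the WireGuard
# interface is "wg0", the Debian package's trust-anchor file path, and the
# drop-in file name under /etc/dnsmasq.d.
set -eu

WG_IF="${WG_IF:-wg0}"          # assumed WireGuard interface name
RESOLVERS="1.1.1.1 1.0.0.1"    # the upstreams named in the thread

# Print a dnsmasq config fragment: ignore /etc/resolv.conf, force both
# upstreams out of the tunnel interface, keep DNSSEC validation enabled.
dnsmasq_upstream_conf() {
    ifname="$1"
    printf 'no-resolv\n'
    for r in $RESOLVERS; do
        # server=ip@interface: dnsmasq binds the query socket to that interface
        printf 'server=%s@%s\n' "$r" "$ifname"
    done
    printf 'dnssec\n'
    # Root trust anchor shipped with Debian's dnsmasq package (assumed path).
    printf 'conf-file=/usr/share/dnsmasq/trust-anchors.conf\n'
}

# Print host routes that send only the resolvers through the tunnel. Two /32
# routes do not capture unrelated 1.x.x.x traffic the way a 1.0.0.0/8 route would.
resolver_routes() {
    ifname="$1"
    for r in $RESOLVERS; do
        printf 'ip route add %s/32 dev %s\n' "$r" "$ifname"
    done
}

# WireGuard cryptokey routing: the peer must list the resolvers (or 0.0.0.0/0)
# in AllowedIPs, otherwise the kernel drops the query before it leaves the host.
# Argument: the AllowedIPs value from the [Peer] section.
allowed_ips_cover_resolvers() {
    allowed="$1"
    case "$allowed" in *0.0.0.0/0*) return 0 ;; esac
    for r in $RESOLVERS; do
        case "$allowed" in *"$r/32"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Apply only when asked explicitly (needs root); otherwise show a dry run.
if [ "${1:-}" = "apply" ]; then
    dnsmasq_upstream_conf "$WG_IF" > /etc/dnsmasq.d/upstream-vpn.conf
    resolver_routes "$WG_IF" | sh
    # Then restart dnsmasq and confirm queries leave on the tunnel:
    #   tcpdump -ni "$WG_IF" udp port 53   (in one terminal)
    #   dig @127.0.0.1 example.com          (in another)
else
    dnsmasq_upstream_conf "$WG_IF"
    resolver_routes "$WG_IF"
fi
```

The routes are runtime-only, as Petr notes; put them in the WireGuard config (PostUp) or your network manager to make them persistent. The tcpdump check matters because the ip@interface form only forces the socket onto wg0; if the resolvers are missing from AllowedIPs the query is dropped silently and dnsmasq just reports the upstream as unresponsive.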