[Dnsmasq-discuss] Implement --no-dns-interface?
Uwe Schindler
uwe at thetaphi.de
Fri Apr 21 06:58:42 UTC 2023
Hi,
as a workaround you can do something like this:
Let the alternative DNS server run on another port, like 1053. Then for
all vlan interfaces that should use the alternative server include a
PREROUTING iptables rule to redirect the port just on those interfaces
to port 1053. DNS will announce itself on the DHCP, but as the packets
get redirected before they reach dnsmasq, the alternative server takes over.
This will redirect port 53 on interface "vlanintf" to port 1053 on
same interface for UDP and TCP (some DNS packets go via TCP, too). It
has rules for both IPv6 and IPv4:
iptables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
iptables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
ip6tables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
ip6tables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
Hope that helps,
Uwe
On 21.04.2023 at 03:18, Tony Zhou wrote:
> Hi,
>
> I am running dnsmasq 2.86 on openwrt, and have multiple vlans in my
> network. dnsmasq works great for dhcp purposes (for both dynamic and
> static leases) that I need for all interfaces/vlans. However, some of
> the vlans I do not need/want to have dnsmasq providing dns, but
> another dns server for content filtering purposes.
>
> I'd prefer to keep both dns servers on the same host/router, but the
> way dnsmasq works, either binding to interfaces, or wildcard, binds to
> all port 53, so that the 2nd dns server can't bind.
>
> It appears that when dnsmasq is set to bind to interfaces, it has to
> either offer both dns and dhcp, or skip dhcp by "--no-dhcp-interface"
> argument, but there is no counterpart "--no-dns-interface".
>
> Setting port=0 disables dns service on all interfaces, which is not
> what I wanted as well.
>
> I did find there were two discussions regarding this:
>
> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q4/005335.html
>
>
> https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015429.html
>
>
> Running two instances of dnsmasq doesn't resolve this issue, since I
> still rely on dnsmasq's dhcp.
>
>
> Thanks.
--
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail:uwe at thetaphi.de
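
Added example, not part of the original post: a POSIX sh wrapper that adds or removes the four redirect rules from the message idempotently, checking with -C before -A so that re-running it (for instance from a firewall reload hook) does not stack duplicate rules. The function names, the script name dns-redirect.sh and the interface name vlan20 are assumptions.

```shell
#!/bin/sh
# Added example: idempotent add/remove of the DNS redirect rules from the post.
# The interface name (vlan20) in the usage line is a constructed placeholder.

# Print one rule per line as "<tool> <rule-spec>" for IPv4/IPv6 x UDP/TCP.
dns_redirect_specs() {
    iface=$1; port=$2
    # Reject names that could be parsed as options or contain shell
    # metacharacters; Linux interface names are at most 15 characters.
    case $iface in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    if [ "${#iface}" -gt 15 ]; then echo "interface name too long" >&2; return 1; fi
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    for tool in iptables ip6tables; do
        for proto in udp tcp; do
            echo "$tool PREROUTING -i $iface -p $proto --dport 53 -j REDIRECT --to-port $port"
        done
    done
}

# apply_dns_redirect add|del IFACE PORT
# Uses -C (check) first so repeated runs never stack duplicate rules,
# which plain -A does every time a firewall hook re-executes.
apply_dns_redirect() {
    action=$1
    specs=$(dns_redirect_specs "$2" "$3") || return 1
    printf '%s\n' "$specs" | while read -r tool rule; do
        # $rule is split on purpose; its fields were validated above.
        if "$tool" -t nat -C $rule 2>/dev/null; then
            if [ "$action" = del ]; then "$tool" -t nat -D $rule || exit 1; fi
        else
            if [ "$action" = add ]; then "$tool" -t nat -A $rule || exit 1; fi
        fi
    done
}

# Usage (as root): sh dns-redirect.sh add vlan20 1053
if [ "$#" -eq 3 ]; then apply_dns_redirect "$1" "$2" "$3"; fi
```

REDIRECT rewrites the destination to the primary address of the incoming interface, so the alternative DNS server has to listen on port 1053 on that address for both UDP and TCP.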