[Dnsmasq-discuss] Does the --interface option to dnsmasq also apply to incoming broadcast DHCP requests?
Simon Kelley
simon at thekelleys.org.uk
Thu Nov 30 12:13:00 UTC 2023
On 29/11/2023 23:09, Chris Friesen via Dnsmasq-discuss wrote:
> Hi,
>
> I was just wondering whether the --interface and --except-interface
> options to dnsmasq would also apply to messages like DHCPDISCOVER and
> DHCPREQUEST which are broadcast to 255.255.255.255.
>
> In my particular case I have an existing dnsmasq instance that is
> running, and I want to add a second dnsmasq instance to handle DHCP
> requests coming from a specific subset of interfaces. I don't want the
> primary dnsmasq instance to see the requests coming in on those
> interfaces, and I don't want the second dnsmasq instance to see requests
> coming in on the other interfaces.
>
> As a concrete example, suppose I have network interfaces eth0/eth1/eth2
> and I have instance A of dnsmasq which is run as "dnsmasq
> --except-interface eth2", and instance B of dnsmasq which is run as
> "dnsmasq --interface eth2 --except-interface lo".
>
> If a broadcast DHCPDISCOVER or DHCPREQUEST comes in on eth0/eth1 which
> dnsmasq instance(s) will see it?
>
> If a broadcast DHCPDISCOVER or DHCPREQUEST comes in on eth2 which
> dnsmasq instance(s) will see it?
>
> If a broadcast DHCPDISCOVER or DHCPREQUEST is emitted by an entity on
> the local host which dnsmasq instance(s) will see it?
>
> Thanks,
>
> Chris Friesen
>
As you've surmised, making more than one dnsmasq/DHCP instance on a
server work is tricky.
It can be done, but only in a very specific way.
Each dnsmasq instance must be configured to serve exactly one interface,
using the --interface config option.
Under these circumstances, dnsmasq will log
DHCP, sockets bound exclusively to interface <interface>
at startup.
Your example will not work, because your instance A is binding to more
than one interface. To fix this you need to start separate dnsmasq
instances for eth0 and eth1, or you need to bridge eth0 and eth1 to a
single bridge interface and configure dnsmasq to listen on that.
The reason behind this is that the dnsmasq DHCP subsystem uses one
socket, which listens on the wildcard address (so that broadcasts to
255.255.255.255 arrive, amongst other reasons). In the "exactly one
interface" state, dnsmasq can also bind that socket to a physical
interface, using the SO_BINDTODEVICE socket option, which allows the
multiple-server setup to work. SO_BINDTODEVICE only allows one device,
hence the one interface limitation.
Cheers,
Simon.
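The socket mechanics Simon describes, shown as an added, self-contained example (this is not dnsmasq's code and is not from anyone on the thread): one UDP socket bound to the wildcard address, optionally pinned to a single device with SO_BINDTODEVICE, plus the IP_PKTINFO arrival-interface lookup that an unpinned wildcard socket has to rely on to apply --interface/--except-interface style filtering in userspace. Assumptions: Linux (the numeric fallbacks 25 for SO_BINDTODEVICE and 8 for IP_PKTINFO are the x86/arm values, used only if this Python build does not export the constants); port 0 instead of DHCP's port 67 so it runs unprivileged; the loopback interface "lo" exists and is up; the `accepts()` filter is a simplified analogue of dnsmasq's option semantics, not its implementation; the payload is a constructed stand-in, not a real DHCPDISCOVER.

```python
"""Added example (not dnsmasq code): wildcard UDP socket, SO_BINDTODEVICE,
and arrival-interface detection via IP_PKTINFO.  Linux only."""
import socket
import struct

# Assumed Linux values, used only when this Python build lacks the constants.
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
IN_PKTINFO_FMT = "i4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
IN_PKTINFO_LEN = struct.calcsize(IN_PKTINFO_FMT)  # 12 bytes


def open_wildcard_udp(port=0):
    """One UDP socket on 0.0.0.0, so limited broadcasts to 255.255.255.255
    are delivered.  Port 0 (ephemeral) here; a DHCP server would use 67."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Ask the kernel to attach the arrival interface to every datagram.
    s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)
    s.bind(("0.0.0.0", port))
    return s


def pin_to_device(sock, ifname):
    """SO_BINDTODEVICE: from now on the kernel delivers only traffic that
    arrived on ifname.  The option holds exactly one name; setting it again
    replaces the previous one.  Returns the name read back, or None when the
    kernel refuses (EPERM on kernels before 5.7 without CAP_NET_RAW)."""
    try:
        sock.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, ifname.encode())
    except PermissionError:
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, 64)  # b"lo\x00"
    return raw.split(b"\0", 1)[0].decode()


def recv_with_iface(sock, bufsize=1500):
    """Receive one datagram and return (payload, sender, ifindex), where
    ifindex comes from the IP_PKTINFO ancillary data."""
    data, anc, _flags, sender = sock.recvmsg(bufsize, socket.CMSG_SPACE(IN_PKTINFO_LEN))
    ifindex = 0
    for level, ctype, cdata in anc:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            ifindex, _spec_dst, _addr = struct.unpack(IN_PKTINFO_FMT, cdata[:IN_PKTINFO_LEN])
    return data, sender, ifindex


def accepts(ifname, interfaces=(), except_interfaces=()):
    """Simplified userspace analogue of --interface / --except-interface on a
    socket that is NOT pinned to a device: decide by arrival interface name.
    --except-interface always wins; no --interface at all means 'any'."""
    if ifname in except_interfaces:
        return False
    return not interfaces or ifname in interfaces


def demo(ifname="lo"):
    """Send ourselves one datagram over loopback and report what a wildcard
    server socket learns about it, plus what the two instances in the
    original question (A: --except-interface eth2, B: --interface eth2
    --except-interface lo) would decide under the simplified filter."""
    server = open_wildcard_udp()
    pinned = pin_to_device(server, ifname)
    server.settimeout(2)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Constructed stand-in payload, not a real DHCP message.
        client.sendto(b"DHCPDISCOVER stand-in", ("127.0.0.1", port))
        payload, sender, ifindex = recv_with_iface(server)
    finally:
        client.close()
        server.close()
    arrived_on = socket.if_indextoname(ifindex)
    return {
        "pinned_to": pinned,
        "arrived_on": arrived_on,
        "instance_A_sees_it": accepts(arrived_on, except_interfaces=("eth2",)),
        "instance_B_sees_it": accepts(arrived_on, interfaces=("eth2",), except_interfaces=("lo",)),
        "payload": payload,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the run makes concrete: a pinned socket reports its single device back through getsockopt, and there is nowhere to record a second one, which is the "exactly one interface" limit Simon refers to; an unpinned wildcard socket receives everything and only learns the arrival interface after the fact, from IP_PKTINFO, so any per-interface policy on it is a userspace decision rather than a kernel one.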