[Dnsmasq-discuss] dnsmasq opens DHCP server ports on all interfaces instead of just on the interface(s) defined in interface= setting

Nicolas Cavallari Nicolas.Cavallari at green-communications.fr
Fri Mar 7 08:39:01 UTC 2025


On 06/03/2025 17:10, jean-christophe manciot wrote:
> ubuntu oracular
> linux 6.12.0-15-generic
> dnsmasq 2.90-4 or 2.90-7
> 
> With the following specific configuration in /etc/dnsmasq.conf:
> port=0
> interface=eth0
> bind-interfaces
> dhcp-range=192.168.1.2,192.168.1.254
> 
> I get:
> # /usr/bin/netstat -tunpevaW | grep dnsmasq
> udp 0 0 0.0.0.0:67 0.0.0.0:* 0 19371604 3877093/dnsmasq
> 
> which contradicts your own documentation (please read until the end):

This line does not indicate that dnsmasq does not bind to an interface. It only 
indicates that dnsmasq does not bind to a specific address. On Linux, the two 
are separate, since it uses a weak host model. Binding to an address is useless 
considering DHCP is mostly broadcast.

netstat is also deprecated. Use ss instead, which shows the bound device in the 
"Local Address" column, e.g. "0.0.0.0%eth0:67".

> # If you want dnsmasq to listen for DHCP and DNS requests only on
> # specified interfaces (and the loopback) give the name of the
> # interface (eg eth0) here.
> # Repeat the line for more than one interface.
> # interface=
> 
> # On systems which support it, dnsmasq binds the wildcard address,
> # even when it is listening on only some interfaces. It then discards
> # requests that it shouldn't reply to. This has the advantage of
> # working even when interfaces come and go and change address. If you
> # want dnsmasq to really bind only the interfaces it is listening on,
> # uncomment this option. About the only time you may need this is when
> # running another nameserver on the same machine.
> # bind-interfaces
> 
> So, bind-interfaces is not applied as it takes over all interfaces.
> 
> This dnsmasq issue prevents the coexistence with other DHCP server(s)
> such as kea as it binds to **all** interfaces and prevents other
> servers from listening on the interface(s) they are set up for.

The documentation is correct, dnsmasq uses SO_BINDTODEVICE when the option is 
specified, as well as SO_REUSEADDR and SO_REUSEPORT.

> 
> Then kea-dhcp4-server refuses to start on any other interface with the message:
> DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket
> on interface virbr1, reason: failed to bind fallback socket to address
> 192.168.2.1, port 67, reason: Address already in use - is another DHCP
> server running?

You need to check if they really bind to an interface and if they set 
SO_REUSEADDR/SO_REUSEPORT.

The details of what combination of sockets Linux allows are a bit complicated. 
The first 300 lines of net/ipv4/inet_connection_sock.c deal with this.
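
The check suggested in the reply above, as an added example that is not part of the original post: a small parser for `ss -ulnp` output that separates the bound device (the `%eth0` suffix in "Local Address") from the bound address, and lists the port-67 sockets that are wildcard-bound with no device. The sample output and the process name `exampled` are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -ulnp` output (not captured from a real host).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0%eth0:67    0.0.0.0:*         users:(("dnsmasq",pid=1001,fd=4))
UNCONN 0      0      0.0.0.0:67         0.0.0.0:*         users:(("exampled",pid=1002,fd=7))
UNCONN 0      0      192.168.2.1:67     0.0.0.0:*         users:(("exampled",pid=1002,fd=9))
UNCONN 0      0      [::]%eth0:547      [::]:*            users:(("dnsmasq",pid=1001,fd=5))
"""

class Listener(NamedTuple):
    address: str
    device: Optional[str]   # None when ss shows no %device suffix
    port: int
    process: str

def parse_ss(output: str) -> list:
    listeners = []
    for line in output.splitlines():
        # The local address is the first whitespace-separated field containing ':'.
        local = next((t for t in line.split() if ":" in t), None)
        if local is None:
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit():          # header row ("Address:Port") or noise
            continue
        address, _, device = host.partition("%")
        proc = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append(Listener(address, device or None, int(port),
                                  proc.group(1) if proc else "?"))
    return listeners

def wildcard_without_device(output: str, port: int = 67) -> list:
    """Sockets on `port` bound to a wildcard address and to no device."""
    return [l for l in parse_ss(output)
            if l.port == port and l.address in WILDCARDS and l.device is None]

if __name__ == "__main__":
    for l in parse_ss(SAMPLE):
        print(f"{l.process:9} {l.address}:{l.port} device={l.device}")
    print("no device:", wildcard_without_device(SAMPLE))
```

On a live host, feed it the text of `ss -ulnp` run as root so the Process column is populated.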


