[Dnsmasq-discuss] dnsmasq opens DHCP server ports on all interfaces instead of just on the interface(s) defined in interface= setting

jean-christophe manciot actionmystique at gmail.com
Fri Mar 7 11:22:17 UTC 2025


In the last 2 examples, I forgot to mention that 'bind-interfaces' is
of course used.

On Fri, Mar 7, 2025 at 12:18 PM jean-christophe manciot
<actionmystique at gmail.com> wrote:
>
> Hello Nicolas,
> The choices made for dnsmasq sound overly complex, peculiar and
> subject to incompatibilities with the vast majority of other
> software.
> What's wrong with listening only on a single interface when asked to?
>
> For instance, when nginx is configured to be listening only on the
> loopback interface, it does not "take over" all interfaces but listens
> only on 127.0.0.1 and ::1.
>
> Furthermore, there is another issue I just discovered when using the
> listen-address= option instead of interface=
> listen-address=192.168.1.1
> ...
> ss --all --numeric --processes --tcp --udp --oneline | sort -V | full
> | grep dnsmasq
> udp   UNCONN    0      0
> 0.0.0.0:67                                   0.0.0.0:*
> users:(("dnsmasq",pid=3485870,fd=4))
>
> instead of
> interface=eth0
> ...
> ss --all --numeric --processes --tcp --udp --oneline | sort -V | full
> | grep dnsmasq
> udp   UNCONN    0      0
> 0.0.0.0%eth0:67                                   0.0.0.0:*
> users:(("dnsmasq",pid=3542561,fd=4))
>
> In this example, using the listen-address= option results in dnsmasq
> listening on **all** addresses instead of just the eth0 interface with
> the interface= option.
>
> On Fri, Mar 7, 2025 at 9:39 AM Nicolas Cavallari
> <Nicolas.Cavallari at green-communications.fr> wrote:
> >
> > On 06/03/2025 17:10, jean-christophe manciot wrote:
> > > ubuntu oracular
> > > linux 6.12.0-15-generic
> > > dnsmasq 2.90-4 or 2.90-7
> > >
> > > With the following specific configuration in /etc/dnsmasq.conf:
> > > port=0
> > > interface=eth0
> > > bind-interfaces
> > > dhcp-range=192.168.1.2,192.168.1.254
> > >
> > > I get:
> > > # /usr/bin/netstat -tunpevaW | grep dnsmasq
> > > udp 0 0 0.0.0.0:67 0.0.0.0:* 0 19371604 3877093/dnsmasq
> > >
> > > which contradicts your own documentation (please read until the end):
> >
> > This line does not indicate that dnsmasq does not bind to an interface. It only
> > indicates that dnsmasq does not bind to a specific address. On Linux, the two
> > are separate, since it uses a weak host model.  Binding to an address is useless
> > considering DHCP is mostly broadcast.
> >
> > netstat is also deprecated. Use ss instead, which shows the bound device in the
> > "Local Address" column, e.g. "0.0.0.0%eth0:67".
> >
> > > # If you want dnsmasq to listen for DHCP and DNS requests only on
> > > # specified interfaces (and the loopback) give the name of the
> > > # interface (eg eth0) here.
> > > # Repeat the line for more than one interface.
> > > # interface=
> > >
> > > # On systems which support it, dnsmasq binds the wildcard address,
> > > # even when it is listening on only some interfaces. It then discards
> > > # requests that it shouldn't reply to. This has the advantage of
> > > # working even when interfaces come and go and change address. If you
> > > # want dnsmasq to really bind only the interfaces it is listening on,
> > > # uncomment this option. About the only time you may need this is when
> > > # running another nameserver on the same machine.
> > > # bind-interfaces
> > >
> > > So, bind-interfaces is not applied as it takes over all interfaces.
> > >
> > > This dnsmasq issue prevents the coexistence with other DHCP server(s)
> > > such as kea as it binds to **all** interfaces and prevents other
> > > servers from listening on the interface(s) they are set up for.
> >
> > The documentation is correct, dnsmasq uses SO_BINDTODEVICE when the option is
> > specified, as well as SO_REUSEADDR and SO_REUSEPORT.
> >
> > >
> > > Then kea-dhcp4-server refuses to start on any other interface with the message:
> > > DHCPSRV_OPEN_SOCKET_FAIL failed to open socket: Failed to open socket
> > > on interface virbr1, reason: failed to bind fallback socket to address
> > > 192.168.2.1, port 67, reason: Address already in use - is another DHCP
> > > server running?
> >
> > You need to check if they really bind to an interface and if they set
> > SO_REUSEADDR/SO_REUSEPORT.
> >
> > The details of what combination of sockets Linux allows are a bit complicated.
> > The first 300 lines of net/ipv4/inet_connection_sock.c deal with this.
>
>
>
> --
> Jean-Christophe



-- 
Jean-Christophe
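The coexistence rule Nicolas describes (a wildcard socket tied to a device with SO_BINDTODEVICE plus SO_REUSEADDR/SO_REUSEPORT, versus a second server binding a specific address on the same port) can be reproduced without root on an unprivileged port. The script below is an added experiment, not code from the thread, dnsmasq or kea; it assumes Linux, a `lo` device, and a kernel where SO_BINDTODEVICE needs no capability (5.7 and later), and the numeric fallbacks 25 and 15 are the x86 Linux option values.

```python
import errno
import socket

# Fallback literals are the x86 Linux values, used only if the constant is absent.
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)
SO_REUSEPORT = getattr(socket, "SO_REUSEPORT", 15)


def try_bind(addr, port, device=None, reuseaddr=False, reuseport=False):
    """Create a UDP socket with the given options and bind it.

    Returns (sock, 0) on success or (None, errno) on failure, so several
    option combinations on the same port can be compared.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if reuseaddr:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if reuseport:
            s.setsockopt(socket.SOL_SOCKET, SO_REUSEPORT, 1)
        if device:
            # What interface=<dev> + bind-interfaces amounts to: the address
            # stays 0.0.0.0 (shown by ss as 0.0.0.0%<dev>), the socket is tied
            # to the device rather than to one of its addresses.
            s.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, device.encode())
        s.bind((addr, port))
        return s, 0
    except OSError as e:
        s.close()
        return None, e.errno


def _name(err):
    return "OK" if err == 0 else errno.errorcode.get(err, str(err))


def demo(device="lo"):
    """Bind a dnsmasq-style socket, then two 'other server' sockets on its port."""
    first, err = try_bind("0.0.0.0", 0, device=device, reuseaddr=True, reuseport=True)
    if first is None:
        raise OSError(err, "bind-to-device socket failed")
    port = first.getsockname()[1]  # kernel-chosen free port
    # Specific address, no reuse options, no device: the wildcard socket
    # above matches it, so the kernel refuses (the kea-style failure).
    plain, plain_err = try_bind("127.0.0.1", port)
    # Same bind with SO_REUSEADDR on this side too: both sides allow reuse.
    reuse, reuse_err = try_bind("127.0.0.1", port, reuseaddr=True)
    for s in (first, plain, reuse):
        if s is not None:
            s.close()
    return {"plain": _name(plain_err), "reuseaddr": _name(reuse_err)}


if __name__ == "__main__":
    print(demo())  # expected on Linux: {'plain': 'EADDRINUSE', 'reuseaddr': 'OK'}
```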