[Dnsmasq-discuss] dnsmasq opens DHCP server ports on all interfaces instead of just on the interface(s) defined in interface= setting

Nicolas Cavallari nicolas.cavallari at green-communications.fr
Sat Mar 8 08:02:53 UTC 2025


On 07/03/2025 12:18, jean-christophe manciot wrote:
> Hello Nicolas,
> The choices made for dnsmasq sound overly complex, peculiar and
> subject to incompatibilities with the vast majority of other
> software.
> What's wrong with listening only on a single interface when asked to?

Your ss output with interface=eth0 clearly indicates dnsmasq is 
listening on eth0 only ("0.0.0.0%eth0:67"), so I don't understand why you 
are complaining.

But still, you cannot compare a DHCP server with some random basic TCP 
server. A DHCP server has to be interface-aware, has to send and receive 
broadcast and unicast, and even has to send unicast to IP addresses that 
don't exist (no reply to ARP). The ISC DHCP server/client even use 
packet sockets for that purpose. I don't know what Kea uses.

> For instance, when nginx is configured to be listening only on the
> loopback interface, it does not "take over" all interfaces but listens
> only on 127.0.0.1 and ::1.

Wrong, nginx does not have an option to bind a socket to a device. It 
can only bind to addresses, which is just filtering on the destination 
address.

If you tell nginx to bind to 192.168.1.1 then it will accept connections 
to 192.168.1.1 regardless of the network interface it came from. 
127.0.0.1 is just a bit special because the kernel will by default drop 
packets to 127.0/8 received from a (non-lo) network device, but there is 
a sysctl knob to change that.

> Furthermore, there is another issue I just discovered when using the
> listen-address= option instead of interface=
> listen-address=192.168.1.1
> ...
> ss --all --numeric --processes --tcp --udp --oneline | sort -V | full
> | grep dnsmasq
> udp   UNCONN    0      0
> 0.0.0.0:67                                   0.0.0.0:*
> users:(("dnsmasq",pid=3485870,fd=4))

I suspect this option is only for DNS. Maybe the documentation should be 
updated. Likely dnsmasq would stop receiving broadcast if it bound 
itself to the 192.168.1.1 address.
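The bind-to-address versus bind-to-device distinction made above, reproduced on loopback with unprivileged UDP sockets, as an added example that is not part of this thread: 127.0.0.1 and 127.0.0.2 stand in for the unicast and broadcast destinations, and the interface name lo plus the SO_BINDTODEVICE fallback are assumptions for a Linux host.

```python
import socket

# Added example, not from the thread: a UDP socket bound to one address only
# filters on a packet's destination address; a wildcard bind accepts any
# destination address; SO_BINDTODEVICE (what interface= gives dnsmasq, shown
# by ss as "0.0.0.0%eth0:67") filters on the ingress device instead.
# 127.0.0.1/127.0.0.2 stand in for unicast/broadcast; Linux routes all of
# 127.0.0.0/8 to lo. SO_BINDTODEVICE may need CAP_NET_RAW before Linux 5.7.

def _udp_socket(addr, device=None):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(0.5)  # do not block for long when nothing is delivered
    if device is not None:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, device)
    s.bind((addr, 0))  # ephemeral port
    return s

def _delivered(listener, dst_addr, payload=b"probe"):
    """Send payload to dst_addr on the listener's port; True if it arrived."""
    port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(payload, (dst_addr, port))  # loopback delivery is immediate
    try:
        data, _ = listener.recvfrom(64)
    except socket.timeout:
        return False  # kernel found no matching socket and dropped it
    return data == payload

def bind_semantics():
    """Return {case: delivered}; the device-bound case is None if not permitted."""
    results = {}
    with _udp_socket("127.0.0.1") as specific:  # like listen-address=192.168.1.1
        results["addr-bound<-127.0.0.1"] = _delivered(specific, "127.0.0.1")
        results["addr-bound<-127.0.0.2"] = _delivered(specific, "127.0.0.2")
    with _udp_socket("0.0.0.0") as wildcard:  # the 0.0.0.0:67 shown by ss
        results["wildcard<-127.0.0.1"] = _delivered(wildcard, "127.0.0.1")
        results["wildcard<-127.0.0.2"] = _delivered(wildcard, "127.0.0.2")
    try:
        with _udp_socket("0.0.0.0", b"lo") as dev:  # like interface=lo
            results["device-bound<-127.0.0.2"] = _delivered(dev, "127.0.0.2")
    except (OSError, AttributeError):  # EPERM, or no SO_BINDTODEVICE on this OS
        results["device-bound<-127.0.0.2"] = None
    return results

if __name__ == "__main__":
    labels = {True: "received", False: "dropped", None: "not permitted"}
    for case, ok in bind_semantics().items():
        print(f"{case}: {labels[ok]}")
```

The address-bound socket never sees the datagram addressed to 127.0.0.2, which is the same reason a DHCP server bound to 192.168.1.1 would stop seeing broadcasts, while the wildcard and device-bound sockets receive both.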
