[Dnsmasq-discuss] dnsmasq opens DHCP server ports on all interfaces instead of just on the interface(s) defined in interface= setting
jean-christophe manciot
actionmystique at gmail.com
Tue Mar 11 17:04:00 UTC 2025
> The ISC DHCP server/client even use
> packet sockets for that purpose. I don't know what Kea uses.
ISC announced the End of Life for the older ISC DHCP system in 2022.
Kea is the new ISC DHCP server. I believe it does not qualify as "some
random basic TCP server" as you put it.
On Sat, Mar 8, 2025 at 9:02 AM Nicolas Cavallari
<nicolas.cavallari at green-communications.fr> wrote:
>
> On 07/03/2025 12:18, jean-christophe manciot wrote:
> > Hello Nicolas,
> > The choices made for dnsmasq sound overly complex, peculiar and
> > subject to incompatibilities with the vast majority of other
> > software.
> > What's wrong with listening only on a single interface when asked to?
>
> Your ss outputs with interface=eth0 clearly indicate dnsmasq is
> listening on eth0 only ("0.0.0.0%eth0:67") so I don't understand why you
> are complaining.
>
> But still, you cannot compare a DHCP server with some random basic TCP
> server. A DHCP server has to be interface-aware, has to send and receive
> broadcast and unicast, and even has to send unicast to IP addresses that
> don't exist (no reply to ARP). The ISC DHCP server/client even use
> packet sockets for that purpose. I don't know what Kea uses.
>
> > For instance, when nginx is configured to be listening only on the
> > loopback interface, it does not "take over" all interfaces but listens
> > only on 127.0.0.1 and ::1.
>
> Wrong, nginx does not have an option to bind a socket to a device. It
> can only bind to addresses, which is just filtering on the destination
> address.
>
> If you tell nginx to bind to 192.168.1.1 then it will accept connections
> to 192.168.1.1 regardless of the network interface they came from.
> 127.0.0.1 is just a bit special because the kernel will by default drop
> packets to 127.0/8 received from a (non-lo) network device, but there is
> a sysctl knob to change that.
>
> > Furthermore, there is another issue I just discovered when using the
> > listen-address= option instead of interface=
> > listen-address=192.168.1.1
> > ...
> > ss --all --numeric --processes --tcp --udp --oneline | sort -V | full
> > | grep dnsmasq
> > udp UNCONN 0 0
> > 0.0.0.0:67 0.0.0.0:*
> > users:(("dnsmasq",pid=3485870,fd=4))
>
> I suspect this option is only for DNS. Maybe the documentation should be
> updated. Likely dnsmasq would stop receiving broadcast if it bound
> itself to the 192.168.1.1 address.
--
Jean-Christophe
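As an added defender-side check (not code from this thread or from dnsmasq), the script below parses `ss --oneline` output in the format quoted above and flags DHCP sockets that sit on the wildcard address without the `%device` suffix, i.e. the situation that prompted the report. The sample lines, PIDs and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `ss --all --numeric --processes --udp --oneline` output,
# modelled on the lines quoted in the thread. PIDs and addresses are made up.
SAMPLE_SS = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0%eth0:67 0.0.0.0:* users:(("dnsmasq",pid=3485870,fd=4))
udp UNCONN 0 0 0.0.0.0:67 0.0.0.0:* users:(("dnsmasq",pid=3485870,fd=4))
udp UNCONN 0 0 192.168.1.1:53 0.0.0.0:* users:(("dnsmasq",pid=3485870,fd=6))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=1234,fd=5))
"""

# Local address column: ADDR[%DEV]:PORT, e.g. "0.0.0.0%eth0:67" or "192.168.1.1:53".
LOCAL_RE = re.compile(r'^(?P<addr>[^\s:%]+)(?:%(?P<dev>[^:]+))?:(?P<port>\d+)$')
PROC_RE = re.compile(r'users:\(\("([^"]+)"')
DHCP_PORTS = (67, 547)  # DHCPv4 and DHCPv6 server ports


@dataclass
class Sock:
    proto: str
    addr: str
    dev: Optional[str]
    port: int
    process: Optional[str]


def parse_ss(text: str) -> List[Sock]:
    """Parse `ss --oneline` rows; the header row is skipped because its 'Local' field has no port."""
    socks = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        m = LOCAL_RE.match(fields[4])
        if not m:
            continue
        proc = PROC_RE.search(line)
        socks.append(Sock(fields[0], m['addr'], m['dev'], int(m['port']),
                          proc.group(1) if proc else None))
    return socks


def classify(s: Sock) -> str:
    """'device' = wildcard address bound to an interface (SO_BINDTODEVICE, shown as %dev),
    'wildcard' = wildcard address on every interface, 'address' = bound to one IP."""
    if s.addr in ('0.0.0.0', '*', '[::]'):
        return 'device' if s.dev else 'wildcard'
    return 'address'


def unrestricted_dhcp(socks: List[Sock]) -> List[Sock]:
    """DHCP server sockets reachable on all interfaces: no device and no address binding."""
    return [s for s in socks if s.port in DHCP_PORTS and classify(s) == 'wildcard']
```

Run against real output (`ss --all --numeric --processes --udp --oneline`) the last function lists exactly the sockets that `interface=` was expected to restrict but did not.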