Hi folks, SINCERE apologies for the delayed reply, I got promoted at work and things have been a bit hectic!

A great idea using iptables, thanks for the pointer! I should have thought of that. I get that the DNS returns will be unencrypted, but I just want to experiment with passing the initial query encrypted. I'm just learning all this stuff. Thank you for the pointers though, and again, apologies for such a tardy reply,

Ian

On Tue, 8 Mar 2022 at 16:51, Petr Menšík <pemen...@redhat.com> wrote:
> Hi Ian,
>
> I think you can do this by turning off resolv.conf parsing (--no-resolv)
> and using --servers=1.1.1.1@vpn0 --servers=1.0.0.1@vpn0 explicitly. That
> might work if outgoing packets are properly NATed or accepted as they
> are. Replace vpn with the interface name of wireguard.
>
> An alternative might be adding a route for just those resolvers. Something like:
>
> ip route add 1.0.0.0/8 via $WIREGW
>
> Though it is just a runtime change, I don't know the correct change. $WIREGW
> would be the same remote IP on the gw, used by the configured IP range on
> the VPN.
>
> It should be noted such traffic is very similar to DNS over TLS/HTTPS.
> It would hide DNS queries, but even HTTPS traffic usually leaks domain
> names in unencrypted certificate parts. It may not work enough. I would
> use the VPN for all traffic if privacy should be achieved. Securing DNS
> only is rarely sufficient.
>
> Just my 2 cents.
>
> Cheers,
>
> Petr
>
> On 3/7/22 16:26, Ian Bonham wrote:
> > Hi Everyone,
> >
> > I can't thank you enough for the work on DNSMASQ, it's an utterly
> > brilliant piece of software. I'm amazed at the flexibility it gives me
> > in securing my home network, thank you all who put in so much effort.
> >
> > Gushing aside, I'm stuck on one config I can't figure out though, so I
> > wonder if anyone could advise please? My server is routing everything
> > perfectly, and DNSMASQ is sitting there diligently dealing with DHCP
> > and DNS, and I have DNSSEC enabled for upstream requests (off to
> > 1.1.1.1 or 1.0.0.1). However I'd quite like to route the upstream DNS
> > requests over a Wireguard VPN, which is on another interface.
> >
> > Is there a way to tell DNSMASQ to do its upstream DNS requests over
> > an alternative interface, rather than the standard (unencrypted)
> > interface? Once the data are cached in DNSMASQ internally it's fine,
> > that's on my internal network and the clients query it. It's the
> > upstream requests I'm interested in routing privately over my VPN.
> >
> > Any advice? Many thanks,
> >
> > Bon
> >
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss@lists.thekelleys.org.uk
> > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
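A worked version of the two approaches discussed in the thread (interface-pinned upstreams, or host routes for the resolvers), plus the fail-closed iptables guard, as an added example; it is not code from the thread or from the dnsmasq project. Two practical details worth knowing: dnsmasq's option is spelled `--server` (singular), and the `@interface` suffix makes dnsmasq bind the upstream socket to that interface, so the query leaves through the tunnel regardless of the main routing table. For the routing approach, a WireGuard interface has no next-hop gateway, so the route is `dev wg0` rather than `via`, and the resolver addresses must also lie inside the peer's `AllowedIPs` or WireGuard's cryptokey routing drops the packets. The interface names `wg0` and `eth0` and the config path in the usage comment are assumptions; the resolver addresses are the thread's own.

```shell
#!/bin/sh
# Added example (not from the thread or the dnsmasq project): pin dnsmasq's
# upstream queries to a WireGuard interface, and lint an existing config for
# leaks. Assumed names: wg0 = WireGuard interface, eth0 = plain WAN interface.
# The resolver addresses (1.1.1.1 / 1.0.0.1) are the ones from the thread.

WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"

# dnsmasq config fragment. The option is 'server' (singular); '@interface'
# binds the upstream socket to that interface, so the query leaves through the
# tunnel whatever the main routing table says. 'no-resolv' stops dnsmasq from
# also loading /etc/resolv.conf, whose entries would be used as unencrypted
# fallbacks.
upstream_conf() {
  cat <<EOF
no-resolv
server=1.1.1.1@${WG_IF}
server=1.0.0.1@${WG_IF}
EOF
}

# Lint a dnsmasq.conf: no-resolv must be set and every active server= line
# must carry the @${WG_IF} suffix. Internal forwarders (server=/lan/10.0.0.1)
# are flagged too, so they get reviewed by hand. Returns 0 on pass.
lint_conf() {
  conf="$1"
  if ! grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$conf"; then
    echo "FAIL: no-resolv missing; resolv.conf servers would be queried in clear"
    return 1
  fi
  bad=$(grep -E '^[[:space:]]*server=' "$conf" | grep -Ev "@${WG_IF}[[:space:]]*$" || true)
  if [ -n "$bad" ]; then
    echo "FAIL: upstream(s) not pinned to ${WG_IF}:"
    echo "$bad"
    return 1
  fi
  return 0
}

# Alternative from the thread, tightened: host routes for just the resolvers.
# WireGuard interfaces have no next-hop gateway, so use 'dev', not 'via', and
# /32 routes rather than 1.0.0.0/8. The addresses must also fall inside the
# peer's AllowedIPs, or WireGuard's cryptokey routing drops the packets.
route_cmds() {
  for ip in 1.1.1.1 1.0.0.1; do
    echo "ip route add ${ip}/32 dev ${WG_IF}"
  done
}

# Fail-closed guard: if any fallback path tries plain DNS out of the WAN
# interface (e.g. a forgotten resolv.conf server), reject it instead of
# leaking. Encapsulated WireGuard packets go to the peer's listen port, not
# port 53, so tunnelled queries are unaffected.
block_plain_dns_cmds() {
  for proto in udp tcp; do
    echo "iptables -A OUTPUT -o ${WAN_IF} -p ${proto} --dport 53 -j REJECT"
  done
}

# Usage (route and firewall commands are printed, not executed, so they can
# be reviewed first; the config path is an assumption):
#   upstream_conf > /etc/dnsmasq.d/upstream-wg.conf
#   lint_conf /etc/dnsmasq.d/upstream-wg.conf
#   route_cmds; block_plain_dns_cmds
```

After applying the fragment, confirm the pinning from the router itself with a capture on the WAN interface (`tcpdump -ni eth0 port 53` should stay silent while `dig @127.0.0.1 example.com` resolves), and remember Petr's wider caveat: this hides only the DNS exchange, not the destination names that TLS handshakes still expose.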