Thanks - that's actually what I am currently doing - using this to
hijack DNS traffic on my other vlan (with nftables, though). Still, it
would be ideal for dnsmasq to allow not listening for DNS on certain
interfaces.
On 2023/4/21 at 2:58 AM, Uwe Schindler wrote:
Hi,
as a workaround you can do something like this:
Let the alternative DNS server run on another port, like 1053. Then
for all vlan interfaces that should use the alternative server include
a PREROUTING iptables rule to redirect the port just on those
interfaces to port 1053. DNS will announce itself on the DHCP, but as
the packets get redirected before they reach dnsmasq, the alternative
server takes over.
This will redirect port 53 on interface "vlanintf" to port 1053 on the
same interface for UDP and TCP (some DNS packets go via TCP, too). It
has rules for both IPv6 and IPv4:

iptables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
iptables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
ip6tables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
ip6tables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
Hope that helps,
Uwe
On 21.04.2023 at 03:18, Tony Zhou wrote:
Hi,
I am running dnsmasq 2.86 on openwrt, and have multiple vlans in my
network. dnsmasq works great for dhcp purposes (for both dynamic and
static leases) that I need for all interfaces/vlans. However, on some of
the vlans I do not need/want dnsmasq providing dns, but
another dns server for content filtering purposes.
I'd prefer to keep both dns servers on the same host/router, but the
way dnsmasq works, either binding to interfaces, or wildcard, binds
to all port 53, so that the 2nd dns server can't bind.
It appears that when dnsmasq is set to bind to interfaces, it has to
either offer both dns and dhcp, or skip dhcp by "--no-dhcp-interface"
argument, but there is no counterpart "--no-dns-interface".
Setting port=0 disables dns service on all interfaces, which is not
what I want either.
I did find there were two discussions regarding this:
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q4/005335.html
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015429.html
Running two instances of dnsmasq doesn't resolve this issue, since I
still rely on dnsmasq's dhcp.
Thanks.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
--
Uwe Schindler
Achterdiek 19, D-28357 Bremen
https://www.thetaphi.de
eMail:u...@thetaphi.de
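The same per-interface redirect written as an nftables ruleset, which Tony says he uses instead of iptables. This is an added example, not code from the thread; it assumes the vlan interface name "vlanintf" and the alternative resolver port 1053 from Uwe's reply, and a single inet table covering IPv4 and IPv6.

```nft
# Added example, not from the thread: nftables equivalent of Uwe's four
# iptables/ip6tables rules. Assumed names: interface "vlanintf", resolver
# on port 1053 of the router. Load with: nft -f dns-redirect.nft
table inet dns_redirect {
    chain prerouting {
        # dstnat priority runs before local delivery, so dnsmasq (still bound
        # to port 53 on every interface) never sees these queries.
        type nat hook prerouting priority dstnat; policy accept;

        # Only queries arriving on the chosen vlan are rewritten; every other
        # vlan keeps reaching dnsmasq on port 53 unchanged. UDP and TCP are
        # both matched, since large answers and zone transfers use TCP.
        iifname "vlanintf" meta l4proto { tcp, udp } th dport 53 redirect to :1053
    }
}
```

Verify the loaded rules with `nft list table inet dns_redirect`; clients on that vlan that use an encrypted resolver (DoT on 853 or DoH over 443) are not covered by a port 53 redirect, so the filtering server only sees plain DNS.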