On Sat, Apr 22, 2023 at 10:19:02AM -0400, Tony Zhou wrote:
> On 2023/4/21 2:58 AM, Uwe Schindler wrote:
> > On 21.04.2023 at 03:18, Tony Zhou wrote:
> > > Hi,
> > >
> > > I am running dnsmasq 2.86 on openwrt, and have multiple vlans in my
> > > network. dnsmasq works great for dhcp purposes (for both dynamic and
> > > static leases) that I need for all interfaces/vlans. However, on some
> > > of the vlans I do not need/want to have dnsmasq providing dns, but
> > > another dns server for content filtering purposes.
> > >
> > > I'd prefer to keep both dns servers on the same host/router, but the
> > > way dnsmasq works, either binding to interfaces, or wildcard, it binds
> > > to all of port 53, so that the 2nd dns server can't bind.
> > >
> > > It appears that when dnsmasq is set to bind to interfaces, it has to
> > > either offer both dns and dhcp, or skip dhcp by the
> > > "--no-dhcp-interface" argument, but there is no counterpart
> > > "--no-dns-interface".
> > >
> > > Setting port=0 disables dns service on all interfaces, which is not
> > > what I want either.
> > >
> > > I did find there were two discussions regarding this:
> > >
> > > https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q4/005335.html
> > >
> > > https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015429.html
> > >
> > > Running two instances of dnsmasq doesn't resolve this issue, since I
> > > still rely on dnsmasq's dhcp.
> >
> > As a workaround you can do something like this:
> >
> > Let the alternative DNS server run on another port, like 1053. Then for
> > all vlan interfaces that should use the alternative server include a
> > PREROUTING iptables rule to redirect the port just on those interfaces
> > to port 1053. DNS will announce itself on the DHCP, but as the packets
> > get redirected before they reach dnsmasq, the alternative server takes
> > over.
> >
> > This will redirect port 53 on interface "vlanintf" to port 1053 on the
> > same interface for UDP and TCP (some DNS packets go via TCP, too). It
> > has rules for both IPv6 and IPv4:
> >
> > iptables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
> > iptables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
> > ip6tables -A PREROUTING -t nat -i vlanintf -p udp --dport 53 -j REDIRECT --to-port 1053
> > ip6tables -A PREROUTING -t nat -i vlanintf -p tcp --dport 53 -j REDIRECT --to-port 1053
> >
> > Hope that helps,
>
> Thanks - that's actually what I am currently doing - using this to hijack
> DNS traffic on my other vlan (with nftables, though).

Consider sharing the nftables version with us.

> Still, it would be ideal to have dnsmasq allow not listening to DNS on
> certain interfaces.

Regards
Geert Stappers
-- 
Silence is hard to parse

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
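An nftables counterpart to the iptables/ip6tables PREROUTING rules quoted in the thread, written as an added example for this page rather than code posted by any participant. It generates one `inet` table (which covers IPv4 and IPv6 together, so the ip6tables twin of each rule is not needed), matches both UDP and TCP on port 53 for each listed VLAN interface, and redirects to the alternative resolver's port. The table and chain names (`dnsredir`, `prerouting`), the default port 1053 and the interface names `vlan10`/`vlan20` are assumptions of the example; the alternative server must be listening on that port on the VLAN addresses (or the wildcard address) for the redirect to reach it, and dnsmasq keeps serving DNS and DHCP on every interface not listed.

```shell
#!/bin/sh
# Added example (not from the dnsmasq list thread): generate, load and check an
# nftables ruleset that redirects DNS (UDP and TCP port 53) arriving on chosen
# VLAN interfaces to an alternative resolver on another local port, while dnsmasq
# keeps DNS on every other interface and DHCP everywhere. Table/chain names and
# the port values are assumptions of this example.

# gen_dns_redirect_ruleset PORT IFNAME... -> prints the ruleset to stdout.
# One "inet" table handles IPv4 and IPv6, unlike the iptables/ip6tables pair.
gen_dns_redirect_ruleset() {
    port=$1; shift
    case $port in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    [ "$#" -gt 0 ] || { echo "usage: gen_dns_redirect_ruleset PORT IFNAME..." >&2; return 1; }
    printf 'table inet dnsredir {\n'
    printf '    chain prerouting {\n'
    printf '        type nat hook prerouting priority dstnat; policy accept;\n'
    for ifname in "$@"; do
        # Match both transports: large answers and retries fall back to TCP.
        printf '        iifname "%s" udp dport 53 redirect to :%s\n' "$ifname" "$port"
        printf '        iifname "%s" tcp dport 53 redirect to :%s\n' "$ifname" "$port"
    done
    printf '    }\n'
    printf '}\n'
}

# apply_dns_redirect_ruleset PORT IFNAME... -> loads the table atomically.
# Declaring and flushing the table first makes re-running idempotent instead
# of appending duplicate rules the way repeated "iptables -A" calls would.
apply_dns_redirect_ruleset() {
    {
        printf 'table inet dnsredir\n'        # create if absent, no-op otherwise
        printf 'flush table inet dnsredir\n'  # drop old rules before reloading
        gen_dns_redirect_ruleset "$@"
    } | nft -f -
}

# count_dns_redirect_rules -> number of redirect rules currently loaded
# (expected: 2 per listed interface); 0 if the table is not present.
count_dns_redirect_rules() {
    nft list chain inet dnsredir prerouting 2>/dev/null | grep -c 'redirect to :'
}

# Usage on the router (needs root and nft), guarded so that sourcing this file
# for inspection does not touch the firewall:
if [ "${DNS_REDIRECT_APPLY:-0}" = "1" ]; then
    apply_dns_redirect_ruleset 1053 vlan10 vlan20
    echo "loaded $(count_dns_redirect_rules) redirect rules"
fi
```

Run `gen_dns_redirect_ruleset 1053 vlan10 vlan20` to preview the ruleset, and `DNS_REDIRECT_APPLY=1 sh thisfile.sh` on the router to load it; `nft list table inet dnsredir` afterwards shows exactly which interfaces are being diverted, which is the check worth keeping next to the rule set so a forgotten VLAN is not silently left on dnsmasq's resolver.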