3

After upgrading to Ubuntu 16.04, dnsmasq fails to answer queries from subnets other than the ones its interfaces belong to. I wonder if there is an option that allows adding trusted subnets? Here is the log message: Ignoring query from non-local network

1

1 Answer

3

From the v2.69 changelog:

    Add --local-service. Accept DNS queries only from hosts 
        whose address is on a local subnet, ie a subnet for which 
        an interface exists on the server. This option
        only has effect if there are no --interface --except-interface,
        --listen-address or --auth-server options. It is intended 
        to be set as a default on installation, to allow
        unconfigured installations to be useful but also safe from 
        being used for DNS amplification attacks.

So, the fix is to make sure you don't have the local-service option in any conf files (including any pre-installed ones such as in /usr/local/etc/dnsmasq.conf) and include one of the above listed options in your conf file. E.g. --interface=eth0.

8
  • With no --local-service option it will answer any requests; I need an option that allows me to whitelist some subnets.
    Commented Mar 6, 2017 at 11:55
  • 1
    Check the man page, there are options to exclude certain interfaces from listening. I don't know how you can exclude responses to certain networks though. You may need to do that with iptables and probably warrants a different question, rather than discussing it here.
    – Darren
    Commented Mar 6, 2017 at 12:00
  • @Darren You say it's necessary to «make sure you don't have the local-service option in any conf files (including any pre-installed ones such as in /usr/local/etc/dnsmasq.conf)», but it isn't. The man page says: This option only has effect if there are no --interface --except-interface, --listen-address or --auth-server options. BTW, to listen on all interfaces, use --interface=*.
    – myrdd
    Commented May 8, 2018 at 12:01
  • @myrdd, OK, well this was over a year ago so I can't tell you what my line of thinking was. Possibly I misread something.
    – Darren
    Commented May 8, 2018 at 12:17
  • @Darren okay, I felt free to edit your answer to reflect my suggestion. (hope this is ok.)
    – myrdd
    Commented May 8, 2018 at 15:03
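
The comments point to iptables for limiting which networks may query dnsmasq once an --interface option has taken --local-service out of effect. As an added example (not part of the original posts), this script prints such rules for review instead of applying them; the function names and the sample subnets are assumptions, and only IPv4 is covered.

```sh
#!/bin/sh
# Added example: build an allowlist for DNS (port 53) as iptables commands.
# Nothing is applied here; the commands are only printed for review.

# is_ipv4_cidr NET: succeeds if NET has the shape a.b.c.d or a.b.c.d/0-32.
# Shape check only; it keeps shell metacharacters out of the printed commands.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# dns_allowlist_rules NET...: prints one iptables command per line.
dns_allowlist_rules() {
    [ "$#" -gt 0 ] || { echo "usage: dns_allowlist_rules CIDR..." >&2; return 2; }
    # Validate every argument before printing anything, so a bad entry
    # never yields a half-built rule set.
    for net in "$@"; do
        is_ipv4_cidr "$net" || { echo "invalid subnet: $net" >&2; return 1; }
    done
    for proto in udp tcp; do
        # Keep lookups from the host itself working.
        echo "iptables -A INPUT -i lo -p $proto --dport 53 -j ACCEPT"
        for net in "$@"; do
            echo "iptables -A INPUT -p $proto --dport 53 -s $net -j ACCEPT"
        done
        # Everything else aimed at port 53 is dropped, which is what keeps
        # the server from answering arbitrary (possibly spoofed) sources.
        echo "iptables -A INPUT -p $proto --dport 53 -j DROP"
    done
}

# Constructed sample subnets (documentation ranges).
dns_allowlist_rules 192.0.2.0/24 198.51.100.0/24
```

The rules are appended to INPUT in order, so they need to sit ahead of any broader ACCEPT rule for port 53 that already exists on the host.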
