After upgrading to Ubuntu 16.04, dnsmasq fails to answer queries from subnets other than the ones its interfaces belong to. I wonder if there is an option that allows adding trusted subnets?
Here is the log message:
Ignoring query from non-local network
- very similar question: superuser.com/q/1255211/208765 – myrdd Commented May 8, 2018 at 12:02
1 Answer
From the v2.69 changelog:
Add --local-service. Accept DNS queries only from hosts
whose address is on a local subnet, ie a subnet for which
an interface exists on the server. This option
only has effect if there are no --interface --except-interface,
--listen-address or --auth-server options. It is intended
to be set as a default on installation, to allow
unconfigured installations to be useful but also safe from
being used for DNS amplification attacks.
So, the fix is to make sure you don't have the local-service option in any conf files (including any pre-installed ones such as in /usr/local/etc/dnsmasq.conf) and include one of the above listed options in your conf file. E.g. --interface=eth0.
- with no --local-service option it will answer any requests, I need an option that allows me to white list some subnets. Commented Mar 6, 2017 at 11:55
- Check the man page, there are options to exclude certain interfaces from listening. I don't know how you can exclude responses to certain networks though. You may need to do that with iptables and probably warrants a different question, rather than discussing it here. – Darren Commented Mar 6, 2017 at 12:00
- @Darren You say it's necessary to «make sure you don't have the local-service option in any conf files (including any pre-installed ones such as in /usr/local/etc/dnsmasq.conf)», but it isn't. The man page says:
This option only has effect if there are no --interface --except-interface, --listen-address or --auth-server options.
BTW, to listen on all interfaces, use --interface=*. – myrdd Commented May 8, 2018 at 12:01
- @myrdd, OK, well this was over a year ago so I can't tell you what my line of thinking was. Possible I mis-read something. – Darren Commented May 8, 2018 at 12:17
- @Darren okay, I felt free to edit your answer to reflect my suggestion. (hope this is ok.) – myrdd Commented May 8, 2018 at 15:03
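
The rule quoted from the changelog, modelled as an added example (not code from dnsmasq or from the posters above): it parses dnsmasq option lines, decides whether local-service is in effect, and checks a query source against the server's interface subnets. The sample configs and addresses are constructed, and conf-file/conf-dir includes are not followed.

```python
import ipaddress

# Options that, per the changelog quoted above, make local-service a no-op.
OVERRIDES = {"interface", "except-interface", "listen-address", "auth-server"}


def parse_options(conf_text):
    """Return the set of option names found in dnsmasq option text.

    Accepts config-file form ("interface=eth0") and command-line form
    ("--interface=eth0"); blank lines and '#' comment lines are skipped.
    """
    names = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.add(line.lstrip("-").split("=", 1)[0].strip())
    return names


def local_service_effective(conf_text):
    """True if local-service is set and none of the overriding options is."""
    names = parse_options(conf_text)
    return "local-service" in names and not (names & OVERRIDES)


def answers_query(conf_text, interface_cidrs, source_ip):
    """Model of the subnet check: would a query from source_ip pass it?"""
    if not local_service_effective(conf_text):
        return True  # dnsmasq applies no source-subnet filter of its own
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_interface(c).network for c in interface_cidrs)


# Constructed sample inputs (not taken from the page).
DEFAULT_CONF = "# packaged default\nlocal-service\n"
PINNED_CONF = "local-service\ninterface=eth0\n"
SERVER_IFACES = ["192.168.1.1/24"]  # address/prefix of the server's interface

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("pinned", PINNED_CONF)):
        for src in ("192.168.1.50", "10.20.0.7"):
            print(name, src, answers_query(conf, SERVER_IFACES, src))
```

When an overriding option such as interface= is present, the model returns True for every source, which is the situation the first comment describes. Limiting answers to selected remote subnets then has to happen outside this option, for example in the firewall as suggested in the comments.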